We’ve talked a great deal in recent months about application programming interface (API) security and its importance to the trucking industry. With digitization moving at such a fast pace, and APIs making it possible for so many digital platforms to communicate with each other, the industry simply must keep its APIs secure.
That is why we decided recently to host a webinar to dive deeper into the question of how to secure APIs. Joining us as presenters were Hillary Drake and Josiah Carlson of Minneapolis-based Liminal Network. Their company specializes in simplifying APIs for the trucking industry, and of course, that involves a heavy emphasis on securing APIs.
In their presentation, they shared five things trucking companies can do to secure their APIs. Here is a rundown:
An API key is a unique identifier used to authenticate and authorize a user, developer or calling program to an API. There are various kinds of API keys, but the focus in this presentation was on authenticated and unauthenticated APIs that are used to get bills of lading or proofs of delivery, or to create carrier pickup requests or document tracking numbers for shipping status.
In the course of authenticating a user, an API key partitions what people do from what computers do—saving certain types of web access for each type of activity.
Good practices with API keys are to use randomly generated keys of 12 or more characters, with a show-hide button. Even better is to store them in encrypted form, and to require password re-entry for decryption. Best is to deploy a “slow verification” hash algorithm that has special properties desirable for a cryptographic application.
Frequently replacing a secret-access or encryption key with a new secret key adds a layer of security, so enabling the system to rotate the keys—especially to customers—helps secure your APIs.
It’s good practice to have more than one API key. It’s even better to have different access levels for each key. And the best practice is to deploy both API-based and web-based key management.
APIs are the key to connecting with your customer. Yet Drake shared a story of one trucking professional who admitted he had no idea who was actually using his APIs, which meant there was no one to communicate with about key changes.
JSON web tokens, or JWTs, are a proposed Internet standard for creating data with an optional signature or an optional encryption. JWTs do not always properly verify the credentials and identity of users making a request, which can lead to attackers impersonating or accessing someone else’s account.
It is critical for those using JWTs not to keep plain text either in their own JWTs or in other tokens.
Good practices related to the use of JWTs include storing encrypted data and using a timestamp-prefixed random identifier or a universal unique identifier (UUID). Even better is to store encrypted data on the server. And the best practice is to derive rather than store. The less you store, the better.
A factor is a partial public or secret key that is combined with other known or secret keys. Together they are used to verify identities or generate keys for use in encryption. Using multiple factors protects against imposters posing as those who are supposed to have access.
Good practices include the use of UUID4 or timestamp-prefixed UUID cookie locations, as well as the use of a username or email for logins.
Better practices include the use of secret keys in encrypted data store and password-derived keys that require users to re-enter their passwords—as well as additional keys in encrypted data store.
One specific sharing algorithm the presenters discussed is Shamir’s Secret Sharing (SSS), which Carlson said he has tested extensively. SSS is efficient for distributing information among members of a group, he said, but warned users to be careful because their keys don’t always reconstruct.
Hashing, by contrast, works every time. But if you’re going to use hashing, you need to be sure to have all your factors.
Maybe this seems obvious, but it isn’t a universal practice. It needs to be.
When encrypting codes and data, you can ship it to your servers and decrypt it locally—in which case only the running system has the decrypted data in memory. When it closes, it loses all the encryption keys. That’s a critical layer of security.
Good practices here include enabling TLS with ECDHE-ECDSA-cipher suites in your web and API servers, and all other network connections on public and private networks.
Better is the use of AWS S3 (cloud), BackBlaze (cloud), Minio (self-hosted) and others that offer better encryption at reset for file/runtime image storage, and the use of native local disk encryption offered by all operating systems.
Best is the use of Key Escrow or well-known encrypted database plugins.
We realize a lot of this is very technical, so we’re here to help. Connect with our cybersecurity team for more information at cyber@nmfta.org.
The most important thing is that the trucking industry takes API security seriously. To view the webinar recording, you can access it here.
This is the type of insight we offer during our cybersecurity webinars, which is why it’s so critical for IT professionals to join us on a regular basis. Insight like this could be critical to your ongoing efforts to secure your assets and your enterprises.
Our next cybersecurity webinar is titled Guardians of the Gateway: Unveiling API Security Secrets. Here is where you can sign up!
Additionally, make plans this Fall to attend NMFTA’s Cybersecurity Conference, October 27-29, in Cleveland, OH.
Joe is the chief operating officer at the NMFTA. He brings to the organization over 20 years of experience in engineering product software, gained from roles at Omnitracs, Qualcomm, and Eaton. Ohr has provided strategic guidance, vision, and a roadmap for addressing long-term customer challenges. He has played a key role in accelerating revenue growth and has collaborated closely with IT, product, and engineering teams to foster stronger partnerships with strategic customers and peers.