One of the main features that an API Manager provides in our business architecture is the ability to add a security layer to our backends in a transparent way, incorporating user authentication and authorization mechanisms (API key, OAuth2, JWT, …).
But what if, in addition to securing our communications, it is also necessary to protect the sensitive data being transmitted? In this case, we must introduce confidentiality as part of our communications at the API Manager layer to protect information in transit through symmetric or asymmetric encryption mechanisms such as JWE (JSON Web Encryption).
Furthermore, confidentiality is the foundation for compliance with standards such as GDPR, CCPA, or HIPAA. Centralizing confidentiality policies in our API Manager allows us to align our API architecture with the regulatory frameworks defined by the business, improving the security of our APIs.
Main Steps Toward Proper API Encryption
1. Apply the JWE (JSON Web Encryption) Policy
JSON Web Encryption is an IETF standard (RFC 7516) that provides a JSON-based specification for data encryption and its transmission across the network, with the goal of ensuring confidentiality.
Just like JWT, a JWE token in compact serialization consists of several Base64url-encoded parts separated by dots:
- header: metadata describing how the token was encrypted (key-management algorithm/alg, content-encryption algorithm/enc, …)
- encrypted_key: the content encryption key (CEK) used to encrypt the payload, itself encrypted with the recipient's key
- iv: initialization vector used during the encryption process to ensure that two identical messages do not produce the same ciphertext
- ciphertext: payload that cannot be read without the decryption key
- tag: authentication tag ensuring message integrity
2. Ensure the Confidentiality of Our Data Through an API Manager
The API Manager acts as the single point of entry and control for our APIs, whether consumed internally or externally. It allows us to add governance, mediation, security, and analytics between our API consumers and the backend services they access.
We can add confidentiality to our communications by applying encryption policies in the mediation flow of our API Manager. In this way, the payload can be decrypted in the request flow, raw data can be sent to our backend, and the response can be re-encrypted in the response flow before being returned to the consumer.
Example of Data Encryption via API Manager
1. The consumer encrypts the message information using a JWE token
2. The consumer makes the API call using the encrypted JWE token
3. The API Manager receives the call and, using a JWE policy, decrypts the message content using the secret key (symmetric) or the private key (asymmetric)
4. The API Manager calls the backend with the raw data
5. The API Manager receives the raw response from the backend and, using a JWE policy, encrypts the information into a JWE token using the secret key (symmetric) or the public key (asymmetric)
6. The consumer receives the encrypted JWE token and decrypts the message content using the secret key (symmetric) or the private key (asymmetric)
Conclusion
In this brief use case, we’ve seen how to add JWE policies to our API Manager (Gravitee.io), adding a confidentiality layer to communications with our backends transparently, without needing to refactor any of the services.
Discover more details about Gravitee API Manager on our website and don’t miss this webinar. If you want to go deeper into this technology or learn how to improve the security of your APIs, contact our team.