JSON Web Token Leakage Avoidance Using Token Split and Concatenate in RSA256
DOI: https://doi.org/10.35806/ijoced.v5i1.325
Keywords: API, Authentication, JSON web token, RSA256, Web
Abstract
This research aims to protect users from leakage of the JWT (JSON Web Token), which appears in plain text in the Response Header shown in the web browser console. A malicious attacker stealing the JWT is highly dangerous, since the API (Application Programming Interface) would then be under the attacker's control, leading to identity theft and data abuse. As a solution, this paper proposes a method in which the JWT bearer token is split, each part is encrypted separately with RSA256, and the parts are concatenated into a new unique token, limiting an attacker's access to the JWT. The proposed method is expected to yield a more secure web application, improving user data protection and security. The idea is to transform the bearer token by splitting, encrypting, and concatenating it into a unique token. The product of the encryption process is an unrecognizable token consisting of letters and punctuation that attackers cannot manipulate. The encrypted token is returned to its original location in the Response Header. Testing shows that modifying the bearer token by splitting and concatenating it provides more security for a web application.