Restful API Security Using JSON Web Token (JWT) With HMAC-Sha512 Algorithm in Session Management
DOI: https://doi.org/10.25299/itjrd.2023.12029
Keywords: API, Browser cookies, JSON Web Token, HMAC-SHA512, RESTful, Web Service
Abstract
Information systems are technologies that help organize work systematically. However, existing systems and applications are often not integrated with one another, so many processes have the same function on different systems; the authentication process, for example, is built using the web service concept. Integrating information system software that involves various components may, however, create gaps that disrupt system security. In this study, security was implemented in web services using JSON Web Token (JWT) with the HMAC-SHA512 algorithm, with the token stored in browser cookies. The research results show that this concept is well suited to applications or information systems on different platforms that use the same service, and that JWT tokens were successfully stored in browser cookies. In addition, a comparison was made between the HMAC-SHA512 and HMAC-SHA256 algorithms; the final result showed a total time difference of 185 ms and an average time difference of 6.17 ms. It can be concluded that the HMAC-SHA512 algorithm is 0.9861% faster than the HMAC-SHA256 algorithm.
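The abstract describes three things: signing a JWT with HMAC-SHA512 (JOSE alg HS512), storing that token in a browser cookie, and timing HS512 against HS256. The following is an added example written for this page, not the paper's code, using only the Python standard library. The secret key, claims and timestamps are constructed values, and the function names (sign_jwt, verify_jwt, token_cookie_header, benchmark) are my own. The verifier pins the algorithm it expects rather than trusting the token header, compares the MAC in constant time, and checks expiry, which is the minimum a RESTful service should do before accepting a cookie-borne token.

```python
"""Added example (not from the paper): a minimal JWT issued with HMAC-SHA512
(JOSE alg "HS512"), verified server-side, and wrapped in the cookie attributes
a RESTful service should set when the token lives in the browser.
Standard library only; the key, claims and timestamps below are constructed."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for the demo. A real deployment loads a random key of at
# least 64 bytes (the SHA-512 block size) from a secret store.
SECRET_KEY = b"constructed-demo-key-do-not-use-in-production-0123456789abcdef"

# JOSE alg names and the hash each uses with HMAC (RFC 7518 section 3.2).
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def _b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; restores the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes, alg: str = "HS512") -> str:
    """Build header.payload.signature with the requested HMAC algorithm."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    mac = hmac.new(key, signing_input.encode("ascii"), HMAC_ALGS[alg]).digest()
    return signing_input + "." + _b64url(mac)


def verify_jwt(token: str, key: bytes, expected_alg: str = "HS512",
               now: Optional[float] = None) -> dict:
    """Verify signature and expiry; raise ValueError on any failure.
    The server decides which algorithm is acceptable instead of trusting the
    header, which removes the 'alg: none' / algorithm-confusion class of bugs."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != expected_alg:
        raise ValueError("unexpected alg")
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(key, signing_input, HMAC_ALGS[expected_alg]).digest()
    # Constant-time comparison so MAC checking leaks nothing through timing.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def token_cookie_header(token: str, max_age: int) -> str:
    """Set-Cookie value for storing the JWT in the browser: HttpOnly keeps page
    scripts from reading it, Secure restricts it to HTTPS, and SameSite=Strict
    stops the browser attaching it to cross-site requests."""
    return (f"access_token={token}; Max-Age={max_age}; Path=/; "
            "HttpOnly; Secure; SameSite=Strict")


def benchmark(alg: str, iterations: int = 1000) -> float:
    """Seconds needed to sign `iterations` tokens with `alg`: the kind of
    measurement behind the paper's HS512 versus HS256 comparison. Numbers
    depend on CPU and payload size, so only compare runs on one machine."""
    claims = {"sub": "bench", "iat": 0, "exp": 900}
    start = time.perf_counter()
    for _ in range(iterations):
        sign_jwt(claims, SECRET_KEY, alg)
    return time.perf_counter() - start


def demo() -> dict:
    """Issue a 15-minute token, show its cookie header, verify it 10 s later."""
    issued = 1_700_000_000  # constructed timestamp
    claims = {"sub": "user42", "iat": issued, "exp": issued + 900}
    token = sign_jwt(claims, SECRET_KEY)
    print(token_cookie_header(token, 900))
    return verify_jwt(token, SECRET_KEY, now=issued + 10)


if __name__ == "__main__":
    print(demo())
    print("HS256 %.4fs  HS512 %.4fs" % (benchmark("HS256"), benchmark("HS512")))
```

The same SECRET_KEY is used for signing and verification because HS512 is a shared-secret MAC: any service that can verify the cookie can also mint one, so in a multi-service deployment the key must be distributed only to services that are trusted to issue tokens.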
Copyright (c) 2023 Syabdan Dalimunthe, Emansa Hasri Putra, Muhammad Arif Fadhly Ridha
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
This is an open access journal which means that all content is freely available without charge to the user or his/her institution. The copyright in the text of individual articles (including research articles, opinion articles, and abstracts) is the property of their respective authors, subject to a Creative Commons CC-BY-SA licence granted to all others. ITJRD allows the author(s) to hold the copyright without restrictions and allows the author to retain publishing rights without restrictions.