Restful API Security Using JSON Web Token (JWT) With HMAC-Sha512 Algorithm in Session Management

Authors

  • Syabdan Dalimunthe, Department of Computer Engineering, Politeknik Caltex Riau
  • Emansa Hasri Putra, Department of Computer Engineering, Politeknik Caltex Riau
  • Muhammad Arif Fadhly Ridha, Department of Computer Engineering, Politeknik Caltex Riau

DOI:

https://doi.org/10.25299/itjrd.2023.12029

Keywords:

API, Browser cookies, JSON Web Token, HMAC-SHA512, RESTful, Web Service

Abstract

Information systems are technologies that help organise work systematically. However, existing systems or applications are often not integrated with one another, so that many processes with the same function exist on different systems; for example, the authentication process is built using the web service concept. Integration or interoperability of information system software involves various components, which may create gaps that can disrupt system security. In this study, security has been implemented in web services using JSON Web Token (JWT) with the HMAC-SHA512 algorithm, with the token stored in browser cookies. The research results show that this concept is well suited to applications or information systems on different platforms that share the same service, and that JWT tokens are successfully stored in browser cookies. In addition, a comparison was made between the HMAC-SHA512 and HMAC-SHA256 algorithms; in the final result the total time difference was 185 ms and the average time difference was 6.17 ms. It can be concluded that the HMAC-SHA512 algorithm is 0.9861% faster than the HMAC-SHA256 algorithm.
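The mechanism the abstract describes, as an added illustration that is not code from the paper: an HS512-signed JWT built and verified with the Python standard library, stored in a cookie that page scripts cannot read, plus a small timing loop for repeating the HS256 versus HS512 comparison. The secret, claim values and cookie name are constructed for the demo.

```python
import base64, hashlib, hmac, json, time
from http.cookies import SimpleCookie

# Constructed demo secret (65 bytes, enough for HS512); a deployment loads it from a secret store.
SECRET = b"demo-only-secret-0123456789abcdef0123456789abcdef0123456789abcdef"
ALGS = {"HS256": hashlib.sha256, "HS512": hashlib.sha512}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, secret: bytes, alg: str = "HS512") -> str:
    """header.payload, signed with HMAC over exactly that signing input."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), ALGS[alg]).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, secret: bytes, now=None):
    """Return the claims when signature and expiry check out, otherwise None."""
    try:
        h, p, s = token.split(".")
        digest = ALGS[json.loads(_unb64url(h))["alg"]]  # 'none' or unknown alg -> KeyError
        expected = hmac.new(secret, f"{h}.{p}".encode(), digest).digest()
        if not hmac.compare_digest(expected, _unb64url(s)):  # constant-time comparison
            return None
        claims = json.loads(_unb64url(p))
    except (ValueError, KeyError, TypeError):
        return None
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims

def token_cookie(token: str) -> str:
    """Set-Cookie value that keeps the JWT out of reach of page scripts."""
    c = SimpleCookie()
    c["jwt"] = token
    for attr, val in (("httponly", True), ("secure", True), ("samesite", "Strict"), ("path", "/")):
        c["jwt"][attr] = val
    return c.output(header="").strip()

def time_alg(alg: str, rounds: int = 2000) -> float:
    """Average seconds per sign+verify round, to repeat the HS256 vs HS512 comparison."""
    claims = {"sub": "user-42", "exp": time.time() + 3600}
    start = time.perf_counter()
    for _ in range(rounds):
        verify_jwt(sign_jwt(claims, SECRET, alg), SECRET)
    return (time.perf_counter() - start) / rounds
```

Run `time_alg("HS256")` and `time_alg("HS512")` several times and compare the averages; results depend on the machine and payload size, so they will not reproduce the paper's figures exactly.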




Published

2023-12-05

How to Cite

Dalimunthe, S., Hasri Putra, E., & Fadhly Ridha, M. A. (2023). Restful API Security Using JSON Web Token (JWT) With HMAC-Sha512 Algorithm in Session Management. IT Journal Research and Development, 8(1), 81–94. https://doi.org/10.25299/itjrd.2023.12029
