Volume 6, Issue 1, pp. 5-17, 2021 | Full Length Article
Nihal Salah
DOI: https://doi.org/10.54216/JCIM.060101
JSON Web Token (JWT) is a compact, self-contained mechanism for transmitting digitally signed, trusted data between parties. JWTs are mainly used to implement stateless authentication, and OAuth 2.0 implementations use them as access tokens. OAuth 2.0 and JWT are the token frameworks commonly used to authorize access to REST APIs because of their statelessness and their signature support. The most important cryptographic algorithms used to sign JWTs were tested, namely the symmetric algorithm HS256 (HMAC with SHA-256) and the asymmetric algorithm RS256 (RSA signature with SHA-256), and compared on several parameters: the speed of generating tokens, the size of tokens, the time to transfer tokens, and the security of tokens against attacks. In this research, we propose an approach to handling cryptographic key management for signing RS256 tokens in order to secure the application's architecture. JWT offers a variety of options for managing keys; the server must always verify the validity of the key before trusting it, which is essential to verifying that a JWT implementation is secure. The experimental results show that it is better to use the RS256 signature method, together with proper cryptographic key management for signing tokens, to achieve a secure JWT implementation.
Keywords: Authorization, JWT, Security, Cryptographic key management
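The abstract compares HS256 and RS256 signing and argues that a server must verify the validity of a signing key before trusting it. The following Go program is an added example, not code from the paper or its authors; it uses only the standard library to sign the same constructed claims with both algorithms (so the token sizes can be compared) and implements a verifier that pins the expected algorithm to RS256 and looks the key up by `kid` in a trusted keyset. The `kid`-indexed keyset, the key name `key-2021`, the shared secret and the claims are all assumptions made for the example; the abstract does not prescribe this particular lookup scheme.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// JWT segments are base64url without padding.
var b64 = base64.RawURLEncoding

// header holds the JOSE fields a verifier needs to choose algorithm and key.
type header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

// signingInput builds "<b64(header)>.<b64(claims)>", the bytes that get signed.
func signingInput(alg, kid string, claims map[string]interface{}) (string, error) {
	hb, _ := json.Marshal(header{Alg: alg, Kid: kid}) // two plain strings cannot fail
	cb, err := json.Marshal(claims)
	return b64.EncodeToString(hb) + "." + b64.EncodeToString(cb), err
}

// SignHS256 signs with a shared secret (HMAC-SHA256); whoever can verify can also mint.
func SignHS256(secret []byte, kid string, claims map[string]interface{}) (string, error) {
	input, err := signingInput("HS256", kid, claims)
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// SignRS256 signs with an RSA private key (RSASSA-PKCS1-v1_5 over SHA-256);
// verifiers need only the public key, so the signing key never leaves the issuer.
func SignRS256(priv *rsa.PrivateKey, kid string, claims map[string]interface{}) (string, error) {
	input, err := signingInput("RS256", kid, claims)
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err // token is only valid when err == nil
}

// Keyset is the verifier's trusted key material indexed by kid: RSA public keys only,
// so no code path can ever check a token against a shared secret.
type Keyset struct {
	RSAPublic map[string]*rsa.PublicKey
}

// VerifyRS256 accepts a token only if its header says RS256, its kid names a
// trusted public key, and the signature over header.payload verifies. The
// expected algorithm is fixed here and never taken from the token itself.
func VerifyRS256(ks Keyset, token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: expected three segments")
	}
	hb, errH := b64.DecodeString(parts[0])
	cb, errC := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	if errH != nil || errC != nil || errS != nil {
		return nil, errors.New("malformed token: segment is not base64url")
	}
	var h header
	if err := json.Unmarshal(hb, &h); err != nil || h.Alg != "RS256" {
		return nil, fmt.Errorf("header rejected: alg %q is not RS256", h.Alg)
	}
	pub, ok := ks.RSAPublic[h.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q: not in the trusted keyset", h.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify")
	}
	var claims map[string]interface{} // trusted only because the signature check above passed
	return claims, json.Unmarshal(cb, &claims)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	ks := Keyset{RSAPublic: map[string]*rsa.PublicKey{"key-2021": &priv.PublicKey}} // constructed kid
	claims := map[string]interface{}{"sub": "user-42"}                                 // constructed claims
	rs, _ := SignRS256(priv, "key-2021", claims)
	hs, _ := SignHS256([]byte("constructed-shared-secret"), "key-2021", claims)
	fmt.Printf("token size: RS256 %d bytes, HS256 %d bytes\n", len(rs), len(hs))
	_, errRS := VerifyRS256(ks, rs)
	_, errHS := VerifyRS256(ks, hs)
	fmt.Println("RS256 token:", errRS, "| HS256-headed token:", errHS)
}
```

Running it shows the size trade-off the abstract measures (a 2048-bit RS256 signature makes the token several hundred bytes longer than the HS256 one) and the key-management point: the verifier never consults the token to decide which algorithm to run, holds public keys only, and refuses any token whose `kid` is not in its trusted set, whose algorithm is not RS256, or whose signature fails against the named key.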