Research Article

New Framework for Securing Web APIs Token-based Authentication / Authorization with Auto Expire Auto Refresh (AEAR) Features

by Mohamed Amer, Tarek S. Sobh
International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 186 - Number 25
Year of Publication: 2024

Mohamed Amer, Tarek S. Sobh . New Framework for Securing Web APIs Token-based Authentication / Authorization with Auto Expire Auto Refresh (AEAR) Features. International Journal of Computer Applications. 186, 25 ( Jun 2024), 8-14. DOI=10.5120/ijca2024923712

@article{ 10.5120/ijca2024923712,
author = { Mohamed Amer, Tarek S. Sobh },
title = { New Framework for Securing Web APIs Token-based Authentication / Authorization with Auto Expire Auto Refresh (AEAR) Features },
journal = { International Journal of Computer Applications },
issue_date = { Jun 2024 },
volume = { 186 },
number = { 25 },
month = { Jun },
year = { 2024 },
issn = { 0975-8887 },
pages = { 8-14 },
numpages = {7},
url = { https://ijcaonline.org/archives/volume186/number25/new-framework-for-securing-web-apis-token-based-authentication-authorization-with-auto-expire-auto-refresh-aear-features/ },
doi = { 10.5120/ijca2024923712 },
publisher = {Foundation of Computer Science (FCS), NY, USA},
address = {New York, USA}
}
Abstract

Token-based authentication for Web APIs lets a user prove a unique identity once and receive in return a token that grants access to specific resources for a limited period of time. Because these tokens are stored in the client's browser together with their expiration properties [1, 2], they are exposed to attacks such as token theft through redirection, Cross-Site Request Forgery (CSRF), and Cross-Site Scripting (XSS) [3]. The token algorithms themselves can also introduce vulnerabilities, including weak symmetric keys and incorrect composition of encryption and signature [4]. The paper examines the Open Authorization (OAuth), Security Assertion Markup Language (SAML), OpenID Connect (OIDC), and Client Initiated Backchannel Authentication (CIBA) protocols, the JSON Web Token (JWT) format, and the attacks associated with each. A new framework that incorporates Multi-Factor Authentication (MFA) and One Time Password (OTP) is proposed to address these vulnerabilities, together with a detailed analysis and guidelines for its implementation.

References
  1. P. Siriwardena, Advanced API Security: OAuth 2.0 and Beyond, 2nd ed., San Jose, CA, USA: Apress, 2020.
  2. D. Hardt (Ed.), "RFC 6749 - The OAuth 2.0 Authorization Framework," IETF, October 2012. [Online]. Available: https://datatracker.ietf.org/doc/html/rfc6749. [Accessed 21 April 2022].
  3. S. E. Peyrott, The JWT Handbook, Auth0 Inc., 2016-2018.
  4. Y. Sheffer, D. Hardt and M. Jones, "RFC 8725 - JSON Web Token Best Current Practices," IETF, February 2020.
  5. K. Peguero and X. Cheng, "CSRF protection in JavaScript frameworks and the security of JavaScript applications," High-Confidence Computing, 2021.
  6. T. Lodderstedt (Ed.), "RFC 6819 - OAuth 2.0 Threat Model and Security Considerations," IETF, January 2013. [Online]. Available: https://datatracker.ietf.org/doc/html/rfc6819.
  7. M. Jones and D. Hardt, "RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage," IETF, October 2012. [Online]. Available: https://datatracker.ietf.org/doc/html/rfc6750.
  8. R. Fielding et al., "RFC 2616 - Hypertext Transfer Protocol -- HTTP/1.1," Network Working Group, June 1999. [Online]. Available: https://datatracker.ietf.org/doc/html/rfc2616.
  9. D. Rountree, Federated Identity Primer, Syngress (Elsevier), 2013.
  10. P. A. Grassi, M. E. Garcia and J. L. Fenton, "Digital Identity Guidelines," NIST Special Publication 800-63-3, June 2017.
  11. H.-J. Vögel et al., "Federation solutions for inter- and intradomain security in next-generation mobile service platforms," International Journal of Electronics and Communications, 2006.
  12. W3C, "Extensible Markup Language (XML)," [Online]. Available: https://www.w3.org/XML/. [Accessed April 2022].
  13. Organization for the Advancement of Structured Information Standards, "OASIS Open," [Online]. Available: https://www.oasis-open.org/.
  14. B. Campbell, C. Mortimore and M. Jones, "RFC 7521 - Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants," IETF, May 2015. [Online]. Available: https://datatracker.ietf.org/doc/html/rfc7521. [Accessed April 2022].
  15. J. Navas and M. Beltrán, "Understanding and mitigating OpenID," Computers & Security, 2019.
  16. OpenID Foundation, "OpenID Connect," [Online]. Available: https://openid.net/connect/. [Accessed April 2022].
  17. OpenID Foundation, "OpenID Connect Core 1.0," November 2014. [Online]. Available: https://openid.net/specs/openid-connect-core-1_0.html. [Accessed April 2022].
  18. A. Sharif, R. Carbone, G. Sciarretta and S. Ranise, "Best current practices for OAuth/OIDC Native Apps: A study of their adoption in popular providers and top-ranked Android clients," Journal of Information Security and Applications, 2022.
  19. OpenID Foundation, "OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0," September 2021. [Online]. Available: https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html. [Accessed April 2022].
  20. "JSON Web Token (JWT)," jwt.io, [Online]. Available: https://jwt.io/. [Accessed April 2022].
  21. T. Bray (Ed.), "RFC 7159 - The JavaScript Object Notation (JSON) Data Interchange Format," IETF, March 2014. [Online]. Available: https://datatracker.ietf.org/doc/html/rfc7159. [Accessed April 2022].
  22. S. Josefsson, "RFC 4648 - The Base16, Base32, and Base64 Data Encodings," IETF Network Working Group, October 2006. [Online]. Available: https://datatracker.ietf.org/doc/html/rfc4648. [Accessed April 2022].
  23. M. B. Jones, J. Bradley and N. Sakimura, "RFC 7519 - JSON Web Token (JWT)," IETF, May 2015. [Online]. Available: https://datatracker.ietf.org/doc/html/rfc7519. [Accessed April 2022].
  24. D. Fett and R. Küsters, "A Comprehensive Formal Security Analysis," in Proc. 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS), Vienna, Austria, 2016.
  25. K. Munonye and P. Martinek, "Machine learning approach to vulnerability detection in OAuth 2.0," International Journal of Information Security, pp. 223-237, 2021.
  26. V. Bukovetskyi and V. Rizak, "Developing the algorithm and software for access token protection using request signing with temporary secret," Eastern-European Journal of Enterprise Technologies, 2022.
  27. S.-T. Sun and K. Beznosov, "The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems," in Proc. ACM Conference on Computer and Communications Security (CCS), 2012.
  28. M. Argyriou, N. Dragoni and A. Spognardi, "Security Flows in OAuth 2.0 Framework: A Case Study," in Computer Safety, Reliability, and Security, Trento, Italy, 2017.
  29. A. Ometov and S. Bezzateev, "Multi-Factor Authentication: A Survey," Cryptography (MDPI), 2017.
  30. S. Das, B. Wang, Z. Tingle and L. J. Camp, "Evaluating User Perception of Multi-Factor Authentication," School of Informatics, Computing, and Engineering.
  31. K. Abhishek, S. Roshan, P. Kumar and R. Ranjan, "A Comprehensive Study on Multifactor Authentication," in Proc. Second International Conference on Advances in Computing and Information Technology (ACITY), Chennai, India, 2012.
  32. T. Suleski, M. Ahmed, W. Yang and E. Wang, "A review of multi-factor authentication," Digital Health, vol. 9, pp. 1-20, 2023.
  33. H. Kim and O. Yi, "Analysis of Distinguishable Security between the One-Time Password Extraction Function Family and Random Function Family," Applied Sciences, 2023.
  34. R. Dubey and J. S. Nair, "A Review on Secured One Time Password Based Authentication and Validation System," International Journal of Computer Sciences and Engineering, vol. 5, no. 6, pp. 232-236, 2017.
  35. P. A. Grassi, J. L. Fenton, E. M. Newton, R. A. Perlner, A. R. Regenscheid, W. E. Burr, J. P. Richer, N. B. Lefkovitz, J. M. Danker, Y.-Y. Choong, K. K. Greene and M. F. Theofanos, "Digital Identity Guidelines: Authentication and Lifecycle Management," NIST Special Publication 800-63B, June 2017.
  36. M. Robenolt, "jwt-node," npm, 2010. [Online]. Available: https://github.com/mattrobenolt/jwt-node.
  37. Y. Sheffer, D. Hardt and M. Jones, "RFC 8725 - JSON Web Token Best Current Practices," IETF, February 2020.
  38. V. Radha and D. Hitha Reddy, "A Survey on Single Sign-On Techniques," Procedia Technology, pp. 134-139, 2012.
  39. T. S. Sobh, "Identity management using SAML for mobile clients and Internet of Things," Journal of High Speed Networks, 2019.
  40. S. Cantor, J. Kemp, R. Philpott and E. Maler, "Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0," OASIS Standard, 15 March 2005. [Online]. Available: http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf. [Accessed April 2022].
  41. M. Jones, "RFC 7797 - JSON Web Signature (JWS) Unencoded Payload Option," IETF, February 2016. [Online]. Available: https://datatracker.ietf.org/doc/html/rfc7797. [Accessed April 2022].
  42. M. Jones, "RFC 7518 - JSON Web Algorithms (JWA)," IETF, May 2015. [Online]. Available: https://datatracker.ietf.org/doc/html/rfc7518. [Accessed April 2022].
  43. M. Jones, "RFC 7517 - JSON Web Key (JWK)," IETF, May 2015. [Online]. Available: https://datatracker.ietf.org/doc/html/rfc7517. [Accessed April 2022].
  44. M. Jones and J. Hildebrand, "RFC 7516 - JSON Web Encryption (JWE)," IETF, May 2015. [Online]. Available: https://datatracker.ietf.org/doc/html/rfc7516. [Accessed April 2022].
  45. R. Barnes, "RFC 7165 - Use Cases and Requirements for JSON Object Signing and Encryption (JOSE)," IETF, April 2014. [Online]. Available: https://datatracker.ietf.org/doc/html/rfc7165. [Accessed April 2022].
  46. Authlete, "CIBA," [Online]. Available: https://www.authlete.com/developers/ciba/.
  47. A. Nadalin, M. Goodner, M. Gudgin, D. Turner, A. Barbir and H. Granqvist, "WS-Trust 1.4," OASIS, 25 April 2012. [Online]. Available: http://docs.oasis-open.org/ws-sx/ws-trust/v1.4/ws-trust.html. [Accessed April 2022].
  48. "Internet Assigned Numbers Authority (IANA)," IANA, [Online]. Available: https://www.iana.org/. [Accessed April 2022].
  49. OWASP, "SAML Security Cheat Sheet," [Online]. Available: https://cheatsheetseries.owasp.org/cheatsheets/SAML_Security_Cheat_Sheet.html. [Accessed 2024].
  50. D. Rountree, Federated Identity Primer, Elsevier Inc., December 10, 2012.
Index Terms

Computer Science
Information Sciences
Web Development; Secure web apps; Token protocols

Keywords

Tokens; OAuth; SAML; OIDC; CIBA; JWT; XSS; CSRF