Stateless Authentication with JSON Web Tokens using RSA-512 Algorithm

Today's technology needs keep growing, and one of the technologies that continues to develop is the Web Service (WS). WS can increase the flexibility of services in a system, but security in WS is one of the things that needs attention. One effort to address this problem is the JSON Web Token (JWT). JWT is one of the authentication mechanisms in WS, with a standard signature algorithm such as HMAC SHA256, RSA-256 or ECDSA. In this research we discuss the performance of JWT RSA-512 implemented on SOAP and RESTful WS, because previous research found the speed performance of the 512-bit algorithm to be better, but it was not yet known whether this holds when applied to JWT. The test results show that the speed of generating a JWT RSA-512 token on RESTful is 24.69% better than on SOAP. The speed of authenticating JWT RSA-512 tokens on RESTful is 11.64% better than on SOAP. In testing the size of the generated JWT RSA-512 tokens, RESTful is only 1.25% better than SOAP.


INTRODUCTION
Technological developments have a major influence on organizations and individuals. One such technology is the Web Service (WS). WS is able to overcome the problem of interoperability because it is stateless and works regardless of the platform used by the different sources [1].
The benefit of building a WS for business needs is improved integration and flexibility; in the interest of integrating services, WS communicates over the internet with the HTTP protocol, so it supports any application [2] [3]. However, the security problems of WS fall into the top 10 vulnerabilities of the Web Service Application Programming Interface (API), which is less protected according to The Open Web Application Security Project (OWASP) [4].
Various ways to reduce security threats to web services have been carried out in previous studies, including the claim-based authentication approach, token-based authentication, and securing with SSL using the ASP.NET MVC web API [5]. The use of token-based authentication has also been done in research [6], [7], [8]. Other studies cover claim-based authentication with ID (identity) [9] and SAML technology [10], and research conducted in [11] shows that the use of JWT is safer. One step that can overcome this problem is using the JSON Web Token (JWT). JWT defines a simple and self-contained method, using a JSON object data format, for transmitting data safely in a form that can be verified because it carries a digital signature.
In the current RESTful WS authentication mechanism, JWT SHA-256 is still commonly used, so it can be a threat to RESTful WS [12]. Tests have been carried out on the performance of JWT SHA-256 versus SHA-512; the tests showed that JWT SHA-512 had better performance than SHA-256 [13]. Attacks on this mechanism have begun to develop, such as the scan-based side-channel attack [14]. That attack is certainly a distinct threat to authentication mechanisms that use JSON Web Tokens with the symmetric SHA-256 and SHA-512 algorithms. This research discusses the implementation of the RESTful WS authentication mechanism using the JSON Web Token with the RSA-512 algorithm, which uses an asymmetric key. Factor implementation of JWT RSA-512 is an

A. Web Service
A web service is a system designed to support interactions between systems on a network. Web services provide services in the form of information to other systems, so that those systems can interact with the system through the services the web service provides. Web services are also interpreted as an interface that describes several operations that can be accessed through a network [13]. Examples of web service architectures include the Simple Object Access Protocol (SOAP) and Representational State Transfer (REST). The web service architecture can be seen in Fig.1.

B. Representational State Transfer (REST)
The concept of REST is to use resources as the components of an application that need to be used or addressed. REST can be explained by five constraints [9], namely: a) Resource Identification, meaning the web relies on a Uniform Resource Identifier (URI) to identify resources. b) Connectedness, meaning a client of a RESTful service must know the link to find resources in order to interact with the service. c) Uniform Interface, meaning that resources must be available through a uniform interface with semantics that define the interaction. d) Self-Describing Messages, meaning the WS exposes existing resources; RESTful uses more than one data format (XML, JSON, RDF, etc.) compared to SOAP (XML only). e) Stateless Interactions, meaning that every request from the client is complete and carries everything needed to fulfil the request.

C. JSON Web Token (JWT)
JWT (JSON Web Token) is a token in the form of a JSON-based string that can be used for authentication and for exchanging information between systems. Its small size means a JWT is transmitted faster. A JWT can be verified and trusted because it carries a digital signature. The signature can be made using a secret key (HMAC algorithm) or a public and private key pair (RSA algorithm) [10].
The JWT structure consists of 3 parts separated by dots ("."), namely the header, the payload, and the signature. The header usually consists of 2 parts, namely the type of token and the hashing (signing) algorithm that will be used. The second part, the payload, contains claims; a claim contains the data that is to be secured. The signature is formed from the header and the payload.

D. Rivest-Shamir-Adleman (RSA) Algorithm
The RSA algorithm is an algorithm based on an asymmetric key cryptographic scheme. An asymmetric key scheme is a cryptographic scheme using two keys, namely the public key and the private key [11].
The stages of the RSA algorithm are as follows:
a) Key generation in the RSA algorithm. The process is as follows:
1. Select 2 large prime numbers p and q, where p is not equal to q.
2. Calculate m = p * q.
3. Calculate n = (p-1) * (q-1).
4. Select e which is relatively prime to n.
5. Calculate the value of d so that it satisfies (e * d) mod n = 1.
6. (e, m) is the public key, for encryption purposes.
7. (d, m) is the private key, for decryption purposes.
b) Encryption. The encryption function is shown in (1); C is the ciphertext from encrypting plaintext X.
c) Decryption. The decryption function is shown in (2); N is the plaintext from decrypting ciphertext C.
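As an added example, not code from the paper: the key-generation steps above, in the paper's own notation (m = p*q as modulus, n = (p-1)*(q-1) as totient), used to sign and verify a three-part header.payload.signature token as described in Section C. It assumes the paper's "RSA-512" means the JOSE RS512 algorithm (RSA over a SHA-512 digest), omits the PKCS#1 padding that real RS512 libraries apply, and assumes Python 3.8+ for the modular inverse.

```python
import base64, hashlib, json, math, secrets
# Added example (not the paper's code): textbook RSA per the paper's steps (m = p*q,
# n = (p-1)*(q-1)) signing a SHA-512 digest, i.e. RS512 without PKCS#1 padding.

def is_probable_prime(n, rounds=20):  # Miller-Rabin, probabilistic but adequate here
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True
def random_prime(bits):  # top bit set for exact size, low bit set for odd
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand
def generate_keys(bits=320, e=65537):  # steps 1-7: public (e, m), private (d, m)
    while True:
        p, q = random_prime(bits), random_prime(bits)
        m, n = p * q, (p - 1) * (q - 1)
        if p != q and math.gcd(e, n) == 1:  # step 4: e relatively prime to n
            break
    return (e, m), (pow(e, -1, n), m)  # step 5: d satisfies (e*d) mod n == 1
def b64url(data): return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(text): return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def sign_jwt(claims, private_key):  # header.payload.signature, signed with (d, m)
    d, m = private_key
    header = b64url(json.dumps({"alg": "RS512", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    digest = hashlib.sha512(f"{header}.{payload}".encode()).digest()  # 512 bits < m
    sig = pow(int.from_bytes(digest, "big"), d, m).to_bytes((m.bit_length() + 7) // 8, "big")
    return f"{header}.{payload}.{b64url(sig)}"
def verify_jwt(token, public_key):  # recompute digest, compare with RSA(public, sig)
    e, m = public_key
    parts = token.split(".")
    if len(parts) != 3 or json.loads(b64url_decode(parts[0])).get("alg") != "RS512":
        return False  # malformed, or an alg the server never issues (e.g. "none")
    digest = int.from_bytes(hashlib.sha512(f"{parts[0]}.{parts[1]}".encode()).digest(), "big")
    return pow(int.from_bytes(b64url_decode(parts[2]), "big"), e, m) == digest
```

The verifier pins the header's alg to the one the server issues, so a token that swaps the algorithm or edits the payload fails verification even though its structure is intact.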

E. Related Works
Vibha Kumari, in a journal published in 2015 regarding Web Service Protocol: SOAP vs. REST, found that REST is the most widely used WS, but security in the WS is a matter that must be considered [15]. This research studies the implementation of JWT RSA-512 on SOAP and RESTful.
Mukhammad Agus Arianto, Sirojul Munir and Khusnul Khotimah from STT Terpadu Nurul Fikri, in a journal published in 2016 concerning Analysis and Design of Representative State Transfer (REST) Web Service Academic Information System STT Terpadu Nurul Fikri Using Yii Framework, generated an information system using RESTful WS but did not implement a security system, which is its weakness [16]. In this research, JWT RSA-512  [12]. However, in that study, the implemented algorithm is SHA-256, which is still very commonly used.
Alam Rahmatulloh, Heni Sulastri and Rizal Nugroho from Siliwangi University, in their journal in 2018 regarding Keamanan RESTful Web Service menggunakan JSON Web Token (JWT) HMAC SHA-512, found that JWT SHA-512 is better than SHA-256 [13]. In that study, the algorithm used is a symmetric key algorithm, whereas the JWT RSA-512 tested in this research uses asymmetric key signatures. The study [17] produces a scan-based side-channel attack that successfully recovered the secret key of HMAC-SHA-256 in a relatively short time. This attack is indeed a distinct threat to HMAC-SHA-512, which uses a symmetric key (secret key). This research implements an authentication mechanism using JWT with the asymmetric RSA-512 algorithm.

F. Method
The stages of the research method are literature study, prototype design, trial and comparison, then analysis and conclusions. The stages of the research method can be seen in Fig.2.

A. Literature Review
Literature studies were carried out on previous research, and it was found that Web Service security is included in the top 10 vulnerabilities [3]. Other studies state that REST WS is in the top position among the protocols most often used compared to other protocols [4]. However, WS security is one of the critical points that must be considered [2]. Therefore JWT is used to cover deficiencies in terms of security. In previous studies, JWT SHA testing was carried out using a symmetric key [6]. Apart from algorithms with symmetric keys, other algorithms use an asymmetric key. This research carried out the implementation of JWT RSA-512 using an asymmetric key on RESTful WS.

B. Prototype Design
d) Analysis of System Requirements
Based on the results of previous studies regarding the implementation of JWT, the system specifications used in this study were an Intel 1.60GHz ~ 2.30GHz processor, a 64-bit operating system, and the Postman tool.

e) Implementation of RSA-512 on JWT
The JWT works like a password: when a user successfully logs in, the server gives a token, and the token is used to make further requests to the server. The primary purpose of JWT is to secure data between systems that exchange data, by requiring the client's requests to include the token. In general, the way JWT works can be seen in Fig.3. As in the implementation of JWT on SOAP WS, JWT was tested using the RSA-512 algorithm on RESTful WS. The RESTful WS created has two main functions, namely getToken, to request a token from the server, and take_barang, which verifies the token before the server gives a response.

A. Testing
This test is done using Postman, which acts as the REST client for the WS that has been created. The parameters tested are the speed and size of the token in the generate-token process, and the speed of the token authentication process. The test is carried out with two processes, namely POST and GET. A POST to /API/restdata/getToken sends parameters in the form of a valid username and password to generate a token. Then the GET process sends the token and public key obtained in the POST process to obtain data by requesting /API/goods/take_barang. When making a request, the token is generally sent in the HTTP header. The POST result for /API/restdata/getToken can be seen in Fig.4. For a POST to /API/restdata/getToken with the username arifin and password 12345, the resulting response is a token and a public key. The process of parsing data in the POST to /API/restdata/getToken takes 2275 ms. The size of the token generated can be seen in the token.txt file, which is a file created from the token and public key generated in the JWT generate process. The token and public key generated can be seen in Fig.5. Then the token and public key obtained from the POST result were used in a GET request to /API/goods/take_barang. The result of the GET process can be seen in Fig.6. JWT authentication on GET /API/goods/take_barang took 134 ms. The response generated is the item data that exists in the database, in JSON format.

B. Test Results
To see the performance of JWT using the RSA-512 algorithm on RESTful WS, testing is done on the speed and size of the tokens generated; the test was run 50 times for each of the generate-token and verify-token processes on RESTful WS using the Postman tool. The experimental results of generating JWT RSA-512 on RESTful WS can be seen in Table 1. Table 1 is the result of generating tokens, or requesting tokens from the server, on SOAP and RESTful using the Postman tool. In this experiment, 50 runs were conducted; the average speed of SOAP was 3839.58 ms, and the average speed of RESTful was 2891.68 ms. In terms of the size produced, SOAP averaged 1.60 KB and RESTful 1.58 KB. The average speed results in this experiment show that JWT RSA-512 is superior when implemented on RESTful. However, in terms of the size produced, SOAP slightly outperformed RESTful. The graph comparing the speed of the generated token on SOAP and RESTful can be seen in Fig.7. In Fig.7, it can be seen that SOAP tends to be slower than RESTful. This shows that JWT RSA-512's performance is more optimal when implemented on RESTful WS.
Then a performance comparison is made for the authentication-token process, that is, validation of the token and public key, on SOAP and RESTful. The results of the JWT RSA-512 verification experiment can be seen in Table 2. Table 2 is the result of authentication-token experiments, made by sending requests with the generated tokens. In this experiment, 50 runs were conducted; the average speed of SOAP was 140.70 ms, and the average speed of RESTful was 124.32 ms. The average speed in this experiment shows that RESTful is superior to SOAP. The graph comparing token authentication speed on SOAP and RESTful can be seen in Fig.8. In Fig.8, it can be seen that RESTful tends to be faster than SOAP. This shows that JWT RSA-512's performance is more optimal when implemented on RESTful WS.

C. Analysis
The test results for JWT RSA-512 token generation speed on RESTful average 2891.68 ms. The generated JWT RSA-512 token has an average size of 1.60 KB on SOAP and 1.58 KB on RESTful. The JWT RSA-512 authentication test that was carried out shows an average speed of 124.32 ms on RESTful.

V. CONCLUSION
Based on the research that has been done, it can be concluded that the speed of the JWT RSA-512 token on the RESTful process tends to be slow, but quite stable. The resulting size of the JWT RSA-512 token data is relatively small. Overall, JWT RSA-512's performance is very good when implemented on RESTful. For further research, the JWT implementation can be tested using other asymmetric algorithms.