Developing the algorithm and software for access token protection using request signing with temporary secret

DOI:

https://doi.org/10.15587/1729-4061.2022.251570

Keywords:

access token protection, client-server message signature, authentication, session security

Abstract

This paper proposes a method for protecting access tokens in stateless client-server data exchange, based on signing each request with a temporary secret. With this method the access token does not have to be transferred with each request; transferring it would allow an attacker who compromises the connection, for example through a "person in the middle" attack, to authenticate as a valid user.

Two variants of the method have been proposed and substantiated, a simplified one and an improved one; which of them applies depends on the protection needed and on the technical capabilities available for implementation. The robustness of both variants rests on the practical infeasibility of finding the original input data of the hash function used to form the signature. The improved variant also protects access tokens at the stage of receiving them and protects against request replay attacks. Protection of the initial user authentication is achieved by using the Diffie-Hellman protocol to exchange the secret and the access token. Request IDs and timestamps prevent a request from being reused.

Advanced security for access tokens is important because an attacker who holds a user's access token has full control over the user account. The use of SSL/TLS may not provide the desired level of protection for such important data.

It was established that the use of the proposed method does not add significant time costs. Using the SHA-256 hash function as an example, it is shown that the relationship between message size and the extra time needed to send and receive a message is linear. When the proposed method is used in the browser, the absolute value of the additional time spent on messages from 100 bytes to 2,048 KB ranges from 0.4 ms to 142 ms. Given this, the proposed method could be used without significant impact on the user experience.
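
The scheme the abstract outlines (a per-request signature under a temporary secret, with request IDs and timestamps against replay) can be sketched as follows. This is an added example, not the authors' code: HMAC-SHA-256, the length-prefixed field encoding, the 30-second window and all names are assumptions, since the paper's exact construction is not given on this page.

```python
import hashlib
import hmac
import secrets
import time

MAX_SKEW_SECONDS = 30  # assumed freshness window, not a value from the paper

def sign_request(secret, method, path, body, request_id, timestamp):
    """Client side: sign the request; the secret itself never goes on the wire."""
    # Length-prefix every field so adjacent fields cannot be shifted into each other.
    fields = [method.encode(), path.encode(), request_id.encode(),
              str(timestamp).encode(), hashlib.sha256(body).digest()]
    message = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(secret, message, hashlib.sha256).hexdigest()

class Verifier:
    """Server side: recompute the signature, then enforce freshness and uniqueness."""
    def __init__(self, secret):
        self.secret = secret
        self.seen = {}  # request_id -> timestamp, kept only for the skew window

    def verify(self, method, path, body, request_id, timestamp, signature, now=None):
        now = int(time.time()) if now is None else now
        expected = sign_request(self.secret, method, path, body, request_id, timestamp)
        if not hmac.compare_digest(expected, signature):
            return "bad-signature"
        if abs(now - timestamp) > MAX_SKEW_SECONDS:
            return "stale"
        # Forget IDs whose timestamp the freshness check would already reject.
        self.seen = {r: t for r, t in self.seen.items() if now - t <= MAX_SKEW_SECONDS}
        if request_id in self.seen:
            return "replayed"
        self.seen[request_id] = timestamp
        return "ok"

def demo():
    """Constructed exchange: one valid request, then a replay, a tamper, a late replay."""
    secret = secrets.token_bytes(32)  # stands in for the temporary secret
    server, now = Verifier(secret), 1_700_000_000
    rid, body = secrets.token_hex(8), b'{"amount": 10}'
    sig = sign_request(secret, "POST", "/transfer", body, rid, now)
    return [
        server.verify("POST", "/transfer", body, rid, now, sig, now),
        server.verify("POST", "/transfer", body, rid, now, sig, now + 1),
        server.verify("POST", "/transfer", b'{"amount": 99}', rid, now, sig, now),
        server.verify("POST", "/transfer", body, rid, now, sig, now + 300),
    ]
```

The replay cache only has to hold request IDs for the length of the freshness window, because an older captured request fails the timestamp check first.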

Author Biographies

Vasyl Bukovetskyi, State Institution of Higher Education "Uzhhorod National University"

Postgraduate Student

Department of Solid State Electronics and Information Security

Vasyl Rizak, State Institution of Higher Education "Uzhhorod National University"

Doctor of Physical and Mathematical Sciences, Professor

Department of Solid State Electronics and Information Security

Published

2022-02-28

How to Cite

Bukovetskyi, V., & Rizak, V. (2022). Developing the algorithm and software for access token protection using request signing with temporary secret. Eastern-European Journal of Enterprise Technologies, 1(9(115)), 56–62. https://doi.org/10.15587/1729-4061.2022.251570

Section

Information and controlling system