Abstract
This paper proposes a method for protecting the access tokens in client-server data exchange without saving the state based on the formation of the signature of the request using a temporary secret. The devised method allows one not to transfer access tokens with each request, which would make it possible for the attacker to authenticate as a valid user when compromising the connection, for example, when using a «person in the middle» attack. Two variants of the method have been proposed and substantiated – simplified and improved, the scope of which depends on the needs for protection and technical capabilities of their implementation. The robustness of both variants is ensured by the practical inability to select the initial input data of the hash function used to form the signature. The improved version also makes it possible to protect access tokens at the stage of receiving them and provides protection against the attack of the recurrence of the request. Initial user authentication protection is achieved by using the Diffie-Hellman protocol to exchange a secret and access token. Using query IDs and time labels prevents the query from being reused. Advanced security for access tokens is important because having an attacker’s access token gives the attacker full control over the user account. The use of SSL/TLS may not produce the desired level of protection for such important data. It was established that the use of the proposed method does not add significant time costs. The SHA-256 hash function example shows that the relationship between message size and extra time to send and receive a message is linear. When using the proposed method in the browser, the absolute value of additional time spent for messages from 100 bytes to 2,048 KB ranges from 0.4 ms to 142 ms. Given this, the proposed method could be used without significant impact on the experience of use.
Highlights
Most modern web applications put the function of protecting access tokens that are transmitted with each request to the HTTPS protocol
The increased implementation of the HTTPS protocol has allowed the creation of an Internet network in which most of the transmitted data is encrypted, but these security achievements often stand in the way of a government that seeks to see and control user communications
The purpose of this work is to devise a user identification algorithm in applications that use the HTTP or HTTPS protocol, in which access tokens will not be sent with each new request
Summary
The rapid development of the Internet and related technologies has opened the way to the creation of dynamic web resources and client-server applications that can provide the user with personalized services. Data transmission over the network opens up many opportunities for attacks, the main goal of which can be the access token Obtaining this information would allow the attacker to be represented by the user even without knowing his basic data to log in to the web service (usually a username and password). According to Google, as of August 27, 2021, from 79 % to 98 % (depending on the platform) pages were loaded via HTTPS (based on SSL/TLS cryptographic protocols) [1] It is these cryptographic protocols that the data privacy protection feature relies on in most modern web applications. Studies on the development of improved methods of data protection in data transmission systems without preserving the state are relevant
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
