Managing a Secure JSON Web Token Implementation By Handling Cryptographic Key Management for JWT Signature in REST API: : A survey

Abstract

JSON Web Token (JWT) is a compact and self-contained mechanism, digitally authenticated and trusted, for transmitting data between various parties. They are mainly used for implementing stateless authentication mechanisms. The Open Authorization (OAuth 2.0) implementations are using JWTs for their access tokens. OAuth 2.0 and JWT are used token frameworks or standards for authorizing access to REST APIs because of their statelessness and the signature implementation. The most important cryptographic algorithms were tested namely a symmetric algorithm HS256 (HMAC with SHA-256) and an asymmetric algorithm RS256 (RSA Signature with SHA-256) used to construct JWT for signing token based on several parameters of the speed of generating tokens, the size of tokens, time data transfer tokens and security of tokens against attacks.In this research,we propose an approach used for handling cryptographic key management for signing RS256 tokens to ensure the security of the application's architecture. JWT offer a variety of options to manage keys, the server always needs to verify the validity of the key before trusting it for verify that a JWT implementation is secure.The experimental results show It's better to use the RS256 signature method for handling cryptographic key management for signing tokens to manage a secure JWT Implementation