Jurnal Pengembangan Teknologi Informasi dan Ilmu Komputer
Vol 4 No 11 (2020): November 2020

Implementation of Token-Based Authentication Using Platform-Agnostic Security Tokens (PASETO) as an Authentication Mechanism for RESTful APIs

Nico F. Sitorus (Faculty of Computer Science, Universitas Brawijaya)
Ari Kusyanti (Faculty of Computer Science, Universitas Brawijaya)
Adhitya Bhawiyuga (Faculty of Computer Science, Universitas Brawijaya)

Article Info

Publish Date
22 Oct 2020

Abstract

RESTful API is a client-server communication architecture standard for web services, but it is weak in terms of security. RESTful API data security uses authentication to limit access to the API without saving session state, so token-based authentication sent via a request header, such as JSON Web Token (JWT), is required. JWT tokens can be forged by exploiting the None algorithm, by abusing the JWT mechanism, which always trusts the token header that names the algorithm used, and by using the HMAC algorithm, which has already been shown to be exploitable. Token forgery can be overcome by not using the None algorithm and by changing JWT's mechanism. JWT's mechanism can be replaced with a standard that only provides the version and purpose of the cryptographic protocol used and always compares that version and purpose against the header of the token that was sent. The HMAC algorithm can be replaced with the BLAKE2b algorithm, whose strength is equivalent to SHA-3 but which is faster than SHA-1 and MD5. PASETO also uses the XChaCha20-Poly1305 algorithm for encryption and the Ed25519 algorithm for signatures. PASETO can be implemented in Python, using a wrapper for the Libsodium library so that it can be used from Python, and a child process with NodeJS.
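The abstract's central point is that the verifier, not the token, decides which cryptographic protocol applies: the expected version and purpose are hard-coded and compared against the token header before any key material is used. The following added example (written for this page, not code from the paper or from any PASETO library) illustrates that rule with a toy token that borrows PASETO's `version.purpose.payload.tag` layout; it is not the PASETO specification (real v2.local tokens are encrypted with XChaCha20-Poly1305), and it uses keyed BLAKE2b from the standard library as the authentication primitive, standing in for the HMAC replacement the abstract describes.

```python
import base64
import hashlib
import hmac
import json

# Toy token borrowing PASETO's "version.purpose" header layout (illustration only,
# not the PASETO spec). The verifier pins ONE header; the token cannot choose an
# algorithm the way a JWT "alg" header can, so "none"/algorithm-swap requests are
# rejected before any key material is touched.
EXPECTED_HEADER = "v2.local"
TAG_SIZE = 32  # bytes of keyed-BLAKE2b output


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(key: bytes, header: str, payload: bytes) -> bytes:
    # The header is part of the authenticated data, so rewriting "v2.local"
    # also invalidates the tag, not just the header comparison below.
    mac = hashlib.blake2b(key=key, digest_size=TAG_SIZE)
    mac.update(header.encode())
    mac.update(b".")
    mac.update(payload)
    return mac.digest()


def issue(claims: dict, key: bytes) -> str:
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = _tag(key, EXPECTED_HEADER, payload)
    return f"{EXPECTED_HEADER}.{_b64(payload)}.{_b64(tag)}"


def verify(token: str, key: bytes):
    """Return the claims dict, or None if the token is rejected."""
    parts = token.split(".")
    if len(parts) != 4:
        return None
    header = f"{parts[0]}.{parts[1]}"
    # Step 1: version.purpose must equal the pinned value; the header is public,
    # so a plain comparison is fine here.
    if header != EXPECTED_HEADER:
        return None
    try:
        payload, tag = _unb64(parts[2]), _unb64(parts[3])
    except ValueError:
        return None
    # Step 2: constant-time tag check with the pinned algorithm only.
    if not hmac.compare_digest(_tag(key, header, payload), tag):
        return None
    return json.loads(payload)
```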

Copyrights © 2020

Journal Info

Abbrev

j-ptiik

Publisher

Subject

Computer Science & IT; Control & Systems Engineering; Education; Electrical & Electronics Engineering; Engineering

Description

Jurnal Pengembangan Teknologi Informasi dan Ilmu Komputer (J-PTIIK) Universitas Brawijaya is a scientific journal in the field of computing that publishes scientific articles resulting from research by students of the Faculty of Computer Science, Universitas Brawijaya. The journal is expected to develop research ...