Synergizing Quantum-Safe Signatures with JWT for Unparalleled Security in Web Applications
Abstract
The surge in internet use has made authentication and authorization essential for protecting users’ privacy and security in web applications. JSON Web Token (JWT), a token-based authentication mechanism, stands out as a desirable choice for its scalability, ease of use, and interoperability. However, existing JWT signing algorithms, which rely on mathematical problems such as factoring large integers and discrete logarithms, are vulnerable to quantum computing breakthroughs, which poses significant security risks. Addressing this challenge requires evaluating quantum-safe alternatives for JWT authentication. While prior research has focused on limited sets of post-quantum algorithms, a comprehensive evaluation of all standardized algorithms remains unexplored. This study presents the first such evaluation within the JWT authentication framework, analysing algorithms recommended by the National Institute of Standards and Technology (NIST), including Falcon, SPHINCS+, and Dilithium, and their hybrid counterparts. We compare their performance against traditional algorithms such as RS256, ES256, PS256, and HS256. Our experimental results reveal that Falcon is the most efficient quantum-safe algorithm, with a token generation time of 18.68 ms and verification time of 0.65 ms, whereas SuperFalcon outperforms hybrid algorithms, with generation and verification times of 1.19 ms and 1.81 ms, respectively. These findings establish a foundation for transitioning JWT systems to quantum-safe cryptographic standards.
This work is licensed under a Creative Commons Attribution 4.0 International License.