Developing the algorithm and software for access token protection using request signing with temporary secret
Author(s) -
Vasyl Bukovetskyi,
В. М. Різак
Publication year - 2022
Publication title -
Eastern-European Journal of Enterprise Technologies
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.268
H-Index - 24
eISSN - 1729-4061
pISSN - 1729-3774
DOI - 10.15587/1729-4061.2022.251570
Subject(s) - computer science, security token, hash function, computer security, access control, computer network, protocol (science), robustness (evolution), medicine, biochemistry, chemistry, alternative medicine, pathology, gene
This paper proposes a method for protecting access tokens in stateless client-server data exchange, based on signing each request with a temporary secret. The devised method means the access token itself does not have to be transferred with every request; sending it each time would let an attacker who compromises the connection, for example with a «person in the middle» attack, authenticate as a valid user.

Two variants of the method are proposed and substantiated, a simplified and an improved one; which is appropriate depends on the required level of protection and the technical feasibility of implementation. The robustness of both variants rests on the practical infeasibility of recovering the input of the hash function used to form the signature. The improved variant additionally protects the access token at the moment it is issued and defends against request replay. The initial user authentication is protected by using the Diffie-Hellman protocol to exchange the secret and the access token. Request identifiers and timestamps prevent a captured request from being reused.

Stronger protection of access tokens matters because an attacker who obtains a user's access token gains full control over that user's account, and SSL/TLS alone may not provide the desired level of protection for such sensitive data.

It was established that the proposed method does not add significant time overhead. Using the SHA-256 hash function as an example, the relationship between message size and the extra time to send and receive a message is linear. When the proposed method is used in the browser, the absolute additional time for messages from 100 bytes to 2,048 KB ranges from 0.4 ms to 142 ms. Given this, the proposed method can be used without a noticeable impact on the user experience.
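As an added illustration, not code from the paper, the sketch below realises the request-signing idea described in the abstract: the client keeps the access token locally and sends only an HMAC-SHA256 signature keyed by the temporary secret, while the server enforces a timestamp window and a request-id cache before verifying the signature. The canonical field layout, the public token id used to look up the secret, the 30-second window and the sample secret are assumptions; the abstract does not give the paper's exact signature construction.

```python
import hashlib
import hmac

REPLAY_WINDOW_S = 30  # allowed drift between request timestamp and server clock (assumption)

def canonical_request(method, path, body, request_id, timestamp):
    """Bytes covered by the signature: method, path, SHA-256 of body, request id, timestamp."""
    return "\n".join([method, path, hashlib.sha256(body).hexdigest(), request_id, str(timestamp)]).encode()

def sign_request(temp_secret, method, path, body, request_id, timestamp):
    """Client side: HMAC-SHA256 keyed with the temporary secret; the token itself is never sent."""
    msg = canonical_request(method, path, body, request_id, timestamp)
    return hmac.new(temp_secret, msg, hashlib.sha256).hexdigest()

class Verifier:
    """Server side: find the secret by public token id, enforce the time window,
    reject repeated request ids, then compare signatures in constant time."""
    def __init__(self, sessions, window=REPLAY_WINDOW_S):
        self.sessions = sessions  # token_id -> temporary secret (constructed sample data)
        self.window = window
        self.seen = {}            # request_id -> timestamp, pruned once outside the window

    def verify(self, token_id, method, path, body, request_id, timestamp, signature, now):
        secret = self.sessions.get(token_id)
        if secret is None:
            return "unknown token"
        if abs(now - timestamp) > self.window:
            return "stale"
        # ids older than the window are dropped: the timestamp check alone rejects them
        self.seen = {rid: ts for rid, ts in self.seen.items() if now - ts <= self.window}
        if request_id in self.seen:
            return "replay"
        expected = sign_request(secret, method, path, body, request_id, timestamp)
        if not hmac.compare_digest(expected, signature):
            return "bad signature"
        self.seen[request_id] = timestamp
        return "ok"

# Constructed session: in the improved variant the secret and token are agreed during
# Diffie-Hellman-protected authentication; here both are fixed sample values.
SAMPLE_SESSIONS = {"tok-001": b"constructed-temporary-secret-for-demo-only"}

def demo(now=1_700_000_000):
    v = Verifier(SAMPLE_SESSIONS)
    body = b'{"amount": 10}'
    sig = sign_request(SAMPLE_SESSIONS["tok-001"], "POST", "/transfer", body, "req-1", now)
    return (v.verify("tok-001", "POST", "/transfer", body, "req-1", now, sig, now),
            v.verify("tok-001", "POST", "/transfer", body, "req-1", now, sig, now + 1),
            v.verify("tok-001", "POST", "/transfer", b'{"amount": 99}', "req-2", now, sig, now),
            v.verify("tok-001", "POST", "/transfer", body, "req-3", now - 3600, sig, now))
```

`demo()` walks through the four outcomes the abstract's design is meant to produce: a fresh signed request is accepted, the same request replayed is refused, a modified body fails the signature check, and a request outside the time window is rejected before its signature is even examined.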