
MERU UNIVERSITY OF SCIENCE AND TECHNOLOGY

BACHELOR OF SCIENCE IN COMPUTER SECURITY

AND FORENSICS

DEPARTMENT OF COMPUTER SCIENCE

JSON WEB TOKEN AUTHENTICATION

CT206/104336/20

JAPHETH MUUSYA KASINYA


DECLARATION

A Research project submitted in partial fulfilment of the requirements of the Bachelor of Science in Computer Security and Forensics.

November, 2023

Name: ______________________________ Reg. No: ______________________

Signature: ______________________________ Date: ______________________

SUPERVISOR

I the undersigned do hereby certify that this is a true report for the project undertaken by the above-named students under my supervision and that it has been submitted to Meru University of Science and Technology with my approval.

Name: ______________________________

Signature: ______________________________ Date: ______________________

1. CHAPTER ONE ........................................ 5
1.1. INTRODUCTION ..................................... 5
1.1.1. BACKGROUND OF STUDY ............................ 5
1.1.2. MOTIVATION FOR STUDY ........................... 6
1.1.3. PROBLEM STATEMENT .............................. 6
1.1.4. RESEARCH OBJECTIVES ............................ 7
1.1.5. SIGNIFICANCE OF THE STUDY ...................... 8
1.1.6. SCOPE OF THE STUDY ............................. 9
1.1.7. ASSUMPTIONS OF THE STUDY ....................... 9
1.1.8. LIMITATIONS OF THE STUDY ...................... 10

2. CHAPTER TWO ....................................... 11
1.1. LITERATURE REVIEW ............................... 11
1.1.1. Overview ...................................... 11
1.1.2. Function of the current systems ............... 11
1.1.3. Components of the existing JWT system ......... 12
1.1.4. Challenges of the existing signature verification system ... 12
1.1.5. Related work .................................. 13
1.1.6. Summary ....................................... 15

3. CHAPTER THREE ..................................... 15
1.0. METHODOLOGY ..................................... 15
1.1. Overview ........................................ 15
1.2. Research Design ................................. 15
1.3. Population and Sampling ......................... 16
1.4. Data collection instrumentation ................. 16
1.5. Development tools and materials ................. 17
1.6. System development methodology .................. 17
1.7. Data processing and analysis .................... 17
1.8. Ethical consideration ........................... 18
1.9. Summary ......................................... 18

REFERENCES ........................................... 18
APPENDED FACTS ....................................... 20
Appendix 4: Budget ................................... 21
1. CHAPTER ONE

1.1. INTRODUCTION

1.1.1. BACKGROUND OF STUDY

Secure authentication procedures are essential for protecting sensitive data and guaranteeing flawless user experiences in the ever-expanding digital realm. In the past, procedures like username-password pairs were used for authentication. The development of information and communication technology (ICT) has opened the era of the Internet of Things (IoT), in which many devices can connect to the Internet to communicate. Recently, various technologies, such as smart grids, connected cars, and smart farms, have emerged based on IoT, and there is also the smart home, which is the fastest growing market. The smart home is where devices installed for various purposes connect to each other through the Internet so that users can use the service anytime and anywhere. However, while the smart home provides convenience to users, recently the smart home has been exposed to various security threats, such as vulnerability of sessions/cookies and the use of vulnerable OAuth. In addition, attacks on smart homes by hackers using these vulnerabilities are also increasing (Namsu Hong, 2017). One of the obstacles still preventing the wide-spread use of JSON Web Token–based access control is the problem of invalidating the issued tokens once clients leave the system.


1.1.2. MOTIVATION FOR STUDY

The existing system has a lot of shortcomings, hence it cannot facilitate a free, fair and credible election. The shortcomings include: inconsistency in data entry, lack of security, and duplication of data entry, among others. To make this right, we found it fit to come up with an electronic voting system using blockchain technology.

1.1.3. PROBLEM STATEMENT

In the existing authentication landscape, the challenge lies in the time-consuming stateful processes where servers conventionally manage individual user sessions. This results in constant user logins and the intricacies of server-side session management, presenting obstacles to both server performance and the security framework within microservices architectures. The proposed solution addresses these challenges by leveraging JSON Web Tokens (JWTs), introducing a stateless authentication paradigm. This approach eliminates the need for servers to intricately handle individual user sessions, leading to a notable enhancement in server efficiency and ensuring secure communication within microservices environments.

Unlike traditional methods requiring persistent user check-ins, the use of JWTs allows for seamless and secure communication between services. Upon successful authentication, APIs generate JWTs containing all essential information, facilitating access authorization to protected resources without imposing the burden of frequent user check-ins. This transformative solution not only streamlines the authentication process but also significantly improves server performance and fortifies security, marking a progressive shift in the authentication paradigm amid the complexities of microservices architectures.

1.1.4. RESEARCH OBJECTIVES

Develop a stateless authentication mechanism using JSON Web Tokens (JWTs) to eliminate the need for server-side session management. Implement secure token generation, validation, and expiration policies to ensure stateless authentication without compromising security.

1.1.4.1. GENERAL OBJECTIVES

To enhance the security, efficiency, and user experience of authentication within web-based systems by implementing a stateless authentication approach using JSON Web Tokens (JWTs). This project aims to eliminate the drawbacks associated with traditional, time-consuming stateful authentication methods, providing a scalable and secure solution for user access control in modern web-based systems.

1.1.4.2. SPECIFIC OBJECTIVES

i. To design a stateless authentication application

ii. To create secure token generation

iii. To implement seamless token validation and verification

iv. To test, evaluate and optimize token expiration policies

v. To implement token revocation and renewal mechanisms

1.1.5. SIGNIFICANCE OF THE STUDY

The JWT (JSON Web Token) project holds paramount significance by addressing challenges associated with traditional, time-consuming stateful authentication. In a landscape burdened by constant user logins and server-side session management within microservices architectures, this project introduces a transformative shift to stateless authentication using JWTs. By eliminating the need for servers to intricately handle individual user sessions, the project significantly enhances server performance and ensures secure communication. With direct practical implications for organizations implementing microservices, the project contributes an innovative and original approach to authentication, aligning closely with its objectives. Stakeholders stand to gain from improved security and efficiency, justifying the allocation of resources for this strategic initiative that addresses a pressing challenge in contemporary digital environments. In essence, the JWT project is poised to redefine authentication practices, shaping the future of secure communication within microservices architectures.

1.1.6. SCOPE OF THE STUDY

The significance of this study on JSON Web Token (JWT) Authentication lies in its pivotal role in fortifying online security measures. By offering a robust framework for secure data transmission, this research advances cybersecurity practices, ensuring the integrity and confidentiality of information in the digital landscape. Moreover, it empowers modern digital ecosystems by simplifying user interactions, enhancing user experiences, and fostering trust among users and entities. Additionally, this study streamlines development processes for software engineers, providing clear guidelines for efficient JWT implementation. Ultimately, the study's findings not only elevate user satisfaction and trust in online platforms but also contribute significantly to the overall enhancement of cybersecurity practices and the seamless functioning of digital interactions.

1.1.7. ASSUMPTIONS OF THE STUDY

The project assumes the utilization of standardized JSON Web Token (JWT) implementations and libraries widely accepted in the industry, ensuring compatibility and adherence to established security protocols.

1.1.8. LIMITATIONS OF THE STUDY

• Vulnerability to hacking

• Susceptibility to fraud

• Lack of accuracy in capturing voters' intent

• Political ties of manufacturers

• Physical security of machines might be lacking


2. CHAPTER TWO

1.1. LITERATURE REVIEW

1.1.1. Overview

In this section the functions, components, features and challenges of JSON Web Token authentication are discussed.

1.1.2. Function of the current systems.

Wang, Yan, and Zhang (2021) discussed various types of attacks and corresponding countermeasures in user authentication systems. The existing systems are prone to various attacks while both system security and usability are expected to be satisfied.

Biometric systems utilize physiological or behavioral traits, like fingerprints, face recognition, and speech patterns, to confirm a person's identity. They offer advantages such as increased security and user convenience compared to traditional methods. However, biometric authentication also poses challenges, including privacy concerns and the potential for false positives or negatives (Basare, Bhojak, & Solanki, 2023).

A Hierarchical Bloom Filter (HBF)-based biometric framework was recently proposed to provide compact storage, noise tolerance, and fast query processing for resource-constrained environments, e.g., the Internet of Things (IoT). While security and privacy were also touted as features of the HBF, it was not thoroughly evaluated. Compared to the classical BFs, the HBF uses a threshold parameter to make robust authentication decisions when the HBF encounters noise in the biometric input, which one would think might lead to security issues (Shomaji et al., 2021).
1.1.3. Components of the existing JWT system.

The proposed stateless authentication system integrates JSON Web Tokens (JWTs) as a foundational element, streamlining user verification by eliminating the need for session states.

According to Jánoky, Ekler, and Levendovszky (2021), "JSON Web Tokens (JWT) provide a scalable, distributed way of user access control for modern web-based systems".

A Stateless Authentication Module ensures seamless user authentication, generating JWTs that serve as digital passports for accessing protected resources. APIs facilitate communication between services, with an Access Authorization Module acting as a gatekeeper, granting or denying access based on embedded token information. A robust evaluation framework gauges system effectiveness, and a microservices architecture promotes scalability. To fortify against threats, attack detection mechanisms are implemented, and future research directions anticipate evolving cybersecurity challenges, ensuring adaptability in dynamic technological landscapes.

1.1.4. Challenges of the existing signature verification system.

• Token Security Risks: JSON Web Tokens (JWTs) are susceptible to security risks if not handled carefully, such as the potential for token interception, tampering, or forgery.

• Token Expiry and Renewal: Managing token expiration and renewal can be challenging, as expired tokens should be handled appropriately to maintain a secure authentication process. According to Jánoky, Ekler, and Levendovszky (2021), "Once issued, there is no trivial way to revoke a JWT token".

• Token Storage and Revocation: Securely storing and efficiently revoking JWTs in case of security incidents or user logout poses a challenge, especially in distributed systems.

• Scope and Granularity: Balancing the scope and granularity of JWTs to provide the necessary information for authorization without compromising security or privacy.

• Key Management: Properly managing cryptographic keys for signing and verifying JWTs is crucial. Key compromise or mismanagement can lead to security vulnerabilities.

1.1.5. Related work

OAuth 2.0 and OpenID Connect have been extensively integrated into mobile applications during recent years to manage access delegation and reduce password fatigue via a single sign-on experience. To provide a precise specification for mobile application developers on how to secure their implementations, the OAuth Working Group has published a set of best current practices called 'OAuth 2.0 for Native Apps' (Sharif et al., 2022). Nevertheless, many available mobile applications still suffer from poor implementations leading to serious security issues.

Sharif (2020) built an offline signature verification system that used a novel technique involving the fusion of geometric features and the Gray Level Co-occurrence Matrix (GLCM), while Tekerek (2021) developed an offline handwritten signature verification system that used Cycle-GAN as a data augmentation method.

Gellert et al. (2017) implemented computer workstation single sign-on (SSO) at CHRISTUS Health in 2015. The SSO technology employed badge readers at each workstation, allowing clinicians to swipe or 'tap' their identification badges. The objective was to assess the impact of SSO implementation on reducing clinician login time for various clinical software programs and to achieve financial savings by migrating to a thin client, enabling the replacement of traditional hard drive computer workstations.

According to Jánoky, Ekler, and Levendovszky (2021), JSON Web Tokens (JWT) offer a scalable, distributed approach to user access control in contemporary web-based systems.

Pandey and Nisha (2021) acknowledged the challenges in implementing Single Sign-On (SSO). The enterprise faces complexities as it not only needs to integrate user network logon with a local application but also with software-as-a-service (SaaS) cloud offerings. Simultaneously, the centralized solution of SSO within an enterprise does not encompass all users, applications, devices, and equipment.

1.1.6. Summary

This chapter presented the functions, components and challenges of JSON Web Token authentication. Comparisons of related works were also made to determine the drawbacks addressed by each one of them.


3. CHAPTER THREE

1.0. METHODOLOGY

1.1. Overview

This chapter deals with the research design methodology used in the research on the JSON Web Token authentication system. It provides information on the participants, data collection and the analysis of the data as well as the conclusions drawn and the ethical issues that were followed in the process.

1.2. Research Design

According to Abbott (2013), research design is a plan that provides the underlying structure to integrate all elements of a quantitative study so that the results are credible, free from bias and maximally generalizable. Research design provides the glue that holds the research together. The research design determines how the participants were selected, what variables were included and how they are manipulated, how data was collected and analyzed, and how extraneous variability was controlled so that the overall research problem can be addressed. Regardless of the sophistication of the statistics, the researcher's conclusions could be worthless if an inappropriate research design was used. This study utilized a quantitative approach, in which the researcher focuses on quantifying the data into numerical values, and it adopted a descriptive survey design.

1.3. Population and Sampling

The study population is the population to which the results of the study are generalized.

According to Hamed (2016), sampling is a technique of choosing a sub-group from a targeted population. It is a process of selecting a number of individuals for a research study in such a way that the individuals selected represent the entire population from which they were selected. Probability sampling was used in this study. This technique was best suited for this study since it was easy to carry out and included all respondents with the characteristics to be included in the study. Stratified sampling was found suitable for this study.

1.4. Data collection instrumentation

Data collection is the process of gathering and measuring information on targeted variables in an established system, which then enables one to answer relevant questions and evaluate outcomes (Collin, 2020).

There are several methods of data collection. For this research, questionnaires were used to obtain information from smartphone users.

1.5. Development tools and materials

The following tools were used to develop the system:

• Laptop (EliteBook G1, 8 GB RAM / 500 GB internal memory)

• Python programming language (Django framework)

• Dart programming language (Flutter framework)

• Word processing 2016

1.6. System development methodology

The SDLC (system development life cycle) is a methodology for designing, building and maintaining information and industrial systems (Bassil, 2012).

For this research, the waterfall model was used because:

• It is easy and simple to understand, utilize and implement

• It is rigid, therefore easy to manage

• Phases do not overlap

1.7. Data processing and analysis

In order to process the data that was obtained from the questionnaires, the questionnaires were grouped according to the questions that were related.

Responses from the questionnaires were then analyzed and a comparison was made between responses from different people. It was noted that some mobile applications authenticate their users every time and others one time. From the above findings, it was discovered that customers were more comfortable with applications which did not require them to log in every time.

1.8. Ethical consideration

The researchers obtained informed consent from the relevant authorities in order to be permitted to conduct the research.

The data collected will be used for research purposes only.

1.9. Summary

The above chapter discussed data collection, data processing and analysis. The SDLC methodology as well as ethical considerations were also discussed.


CHAPTER FOUR
SYSTEM ANALYSIS
4.0 Overview

This chapter covers the feasibility study done by the researchers to make the project viable; social feasibility was used to show how JSON Web Tokens were socially accepted, and economic feasibility to show the cost of the project. The feasibility report was documented and attached as an appendix. An overall description of the current system, such as data flow diagrams, is also covered. Requirements necessary for gathering information, functional requirements (the ones that can be shown), non-functional requirements (cannot be shown) and a summary appear in this chapter.

4.1 Feasibility study

According to Shah (2012), a feasibility study is a preliminary exploration of a proposed project or undertaking to determine its merits and viability. It aims to provide an independent assessment that examines all aspects of a proposed project, including technical, economic, financial, legal and environmental considerations. This information then helps researchers decide whether or not to proceed with the project. The feasibility study results can also be used to create a realistic project plan and budget.

While conducting the feasibility study, it was found out that technically most smartphones had capabilities to handle token authorization. The current system will take four and a half months to develop. Legally the current system meets all the legal and contractual laws of the country. It was also discovered that the proposed system meets the economic feasibility since the cost that would be incurred to develop the proposed system would be minimal and can be handled by the organization.


4.2. Overall description of the current system.

The current e-commerce authentication system is stateful. When a user wants to open an account, they enter their email, username and password. These details are used to generate two tokens: an access token and a refresh token. The access token is used when a user wants to access services from the server. The refresh token is used to refresh the access token when it expires, as long as the user has not gone more than 30 days without using the system, the period after which the refresh token also expires. Users have to log in every time they want to access the system. If the user takes more than 30 days without logging in to the system, both the access and refresh tokens expire and they have to log in again. When the user enters their email and password, the access and refresh tokens are generated from their id number, email and user name. The overall system is represented using use-case diagrams, class diagrams, a sequence diagram, a dataflow diagram and an activity diagram, which are detailed in the sections below.

[Use-case diagram of the current authentication system (image not captured). Labels recovered: actors user and authentication system; use cases Access Token and Refresh Token.]

4.2.2. E-commerce authentication system class diagram.

In ("class diagrams," 2009) a class diagram is a type of static structure diagram that describes the structure of a system by showing the system's classes, their attributes, operations (or methods), and the relationships among objects. It is important for translating the models into programming code. Figure 4.2 shows the class diagram for the current banking system.

Figure 4.2: The current authentication system class diagram.

4.2.3. Banking system sequence diagram.

According to ("unified modelling language," 2011) a sequence diagram shows process interactions arranged in time sequence in the field of software engineering. It depicts the processes involved and the sequence of messages exchanged between the processes needed to carry out the functionality.

Figure 4.3 shows the sequence diagram for the current authentication system.
[Figure 4.3 (image not captured). Lifelines: User, System. Messages recovered, in order: create account; generate token; make an order; maintain session; issue receipt; log out; log in; show user activities; maintain session.]

Figure 4.3: The current authentication system sequence diagram.

4.2.4 Banking system data flow diagram.

A data-flow diagram is a way of representing a flow of data through a process or a system ("data flow diagram," 1990). Figure 4.4 shows the data flow diagram for the current banking system.

[Figure 4.4 (image not captured). Labels recovered: user; Authentication system; Authentication; Generate JWT.]

Figure 4.4: The current authentication system data-flow diagram.

4.2.5 E-commerce authentication system activity diagram.

According to Rumbaugh (1999), activity diagrams are graphical representations of workflows of stepwise activities and actions with support for choice, iteration and concurrency. Figure 4.5 shows the activity diagram for the current banking system.

[Figure 4.5 (image not captured). Labels recovered: Authentication system; User; Authentication; Validate Credentials; Generate JWT; Provide JWT.]

Figure 4.5: The current authentication system activity diagram

4.3 Requirement gathering

According to Boogaard (2022), requirements gathering is the process of determining what your projects need to achieve and what needs to be created to make that happen.

4.3.1. Functional requirements.

A functional requirement defines a function of a system or its component, where a function is described as a specification of behavior between inputs and outputs.

4.3.1.1. Register

To create an account the user is required to enter their name, email, and password. The system saves the information and generates access tokens for the next login.

4.3.1.2 Report generation.

The system can generate reports on the user activities on the system. The following reports are generated by the system:

• A monthly report showing all orders and attempts to access the system.

• A monthly report of newly registered customers.

4.3.1.3 Verification.

The system verifies the token before allowing access to ensure it is valid. If it has expired, the system will request the refresh token, and if the user is blocked they are not allowed into the system.
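The token life cycle described above (access and refresh tokens issued at login in 4.2, verification and refresh in 4.3.1.3, blocked users kept out) and the revocation and key-management challenges listed in chapter two can be shown end to end in a short program. The following is an added example written for this edit, not code from the report or its system: a standard-library Python implementation of HS256 JSON Web Tokens with an access/refresh pair and a revocation list. The signing key, the 15-minute access lifetime, the user records and the in-memory revocation set are constructed assumptions; the 30-day refresh expiry is the one the report states.

```python
"""Added example (not code from the original report): a minimal HS256 JSON Web
Token issuer and verifier with access + refresh tokens and a revocation list.
Standard library only. The key, the 15-minute access lifetime and the user
records are constructed for this example; the 30-day refresh expiry is from 4.2."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed signing key. A deployment loads it from a secret store, never from
# source; rotating it invalidates every outstanding token at once.
SIGNING_KEY = b"constructed-example-key-do-not-use-in-production"
ACCESS_LIFETIME = 15 * 60           # 15 minutes, an assumed value
REFRESH_LIFETIME = 30 * 24 * 3600   # 30 days, the refresh expiry stated in 4.2

# Revoked token ids: logout or a blocked user (4.3.1.3). In-memory here; a real
# system shares this list with every service that verifies tokens.
REVOKED_JTI = set()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Build header.payload.signature, signing the first two parts with HMAC-SHA256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = header + "." + payload
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify(token: str, key: bytes = SIGNING_KEY, now: Optional[float] = None) -> dict:
    """Return the claims if the token is well-formed, signed with `key` under the
    pinned algorithm, unexpired and not revoked; raise ValueError otherwise."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_unb64url(h64))
        claims = json.loads(_unb64url(p64))
        sig = _unb64url(s64)
    except ValueError as exc:  # wrong part count, bad base64 or bad JSON
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    # The verifier decides which algorithm is acceptable, not the token header.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (h64 + "." + p64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:  # no exp counts as expired
        raise ValueError("expired")
    if claims.get("jti") in REVOKED_JTI:
        raise ValueError("revoked")
    return claims


def issue_tokens(user_id: str, email: str, now: Optional[float] = None) -> dict:
    """Issue the access and refresh token pair of section 4.2 after a successful
    login. Each carries its own id (jti) so it can be revoked individually."""
    now = time.time() if now is None else now
    base = {"sub": user_id, "email": email, "iat": int(now)}
    access = dict(base, typ="access", exp=int(now) + ACCESS_LIFETIME, jti=secrets.token_hex(8))
    refresh = dict(base, typ="refresh", exp=int(now) + REFRESH_LIFETIME, jti=secrets.token_hex(8))
    return {"access": encode(access), "refresh": encode(refresh)}


def refresh_access(refresh_token: str, now: Optional[float] = None) -> str:
    """Exchange a valid refresh token for a new access token. Only refresh-typed
    tokens are accepted, so an access token cannot be replayed here."""
    claims = verify(refresh_token, now=now)
    if claims.get("typ") != "refresh":
        raise ValueError("not a refresh token")
    return issue_tokens(claims["sub"], claims["email"], now=now)["access"]


def revoke(token: str) -> None:
    """Blocklist a token id (logout, or a blocked user). The payload is parsed
    without verification so an already-expired token can still be listed."""
    claims = json.loads(_unb64url(token.split(".")[1]))
    REVOKED_JTI.add(claims["jti"])


if __name__ == "__main__":
    t0 = 1_700_000_000.0  # constructed clock so the run is reproducible
    tokens = issue_tokens("u1", "user1@example.test", now=t0)
    print("access ok:", verify(tokens["access"], now=t0)["sub"])
    try:
        verify(tokens["access"], now=t0 + 16 * 60)
    except ValueError as err:
        print("after 16 min:", err)
    renewed = refresh_access(tokens["refresh"], now=t0 + 16 * 60)
    print("renewed ok:", verify(renewed, now=t0 + 16 * 60)["typ"])
    revoke(renewed)
    try:
        verify(renewed, now=t0 + 16 * 60)
    except ValueError as err:
        print("after revoke:", err)
```

Two design points matter for the challenges listed in chapter two. The verifier pins the algorithm and uses a constant-time comparison, so a token whose header names a different algorithm or whose signature was made with another key is rejected before any claim is trusted. Revocation is the stateful exception to an otherwise stateless scheme: the `jti` blocklist is the minimal shared state the report's logout and blocked-user cases require, and it only needs to hold ids until the corresponding `exp` passes.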

4.3.2. Non-functional requirements.

According to Rowel (1997), a non-functional requirement is a requirement that specifies criteria that can be used to judge the operation of a system, rather than specific behaviors. The non-functional requirements will serve as constraints or restrictions on the bank signature verification system across the different backlogs. The non-functional requirements will also ensure effectiveness and usability of the entire system. In usability, it ensures the system functions the way it is supposed to, while effectiveness ensures the system gives correct output when given some input values.

4.3.2.1 Security

Security is the protection from, or resilience against, potential harm caused by others by restricting the freedom of others to act (Buzan, 1998). The system verifies the token before allowing access to ensure it is valid. If it has expired, the system will request the refresh token, and if the user is blocked they are not allowed into the system.

4.4 Summary.

This chapter covers the feasibility study and how it affected the current system, and the overall description of the current authentication system. It also covers the use-case diagram, class diagram, sequence diagram, dataflow diagram and activity diagram, as well as requirement gathering.
REFERENCES

• Hong, N., Kim, M., Jun, M.-S., & Kang, J. (2017). A Study on a JWT-Based User Authentication and API Assessment Scheme Using IMEI in a Smart Home Environment. Sustainability, 9(7), 1099. https://doi.org/10.3390/su9071099

• Jánoky, L. V., Levendovszky, J., & Ekler, P. (2018). An Analysis on the Revoking Mechanisms for JSON Web Tokens. International Journal of Distributed Sensor Networks. https://doi.org/10.1177/1550147718801535

• Wang, X., Yan, Z., & Zhang, P. (2021). Attacks and defenses in user authentication systems: A survey. Journal of Network and Computer Applications.

• Basare, A., Bhojak, D., & Solanki, R. (2023). Biometric Authentication System. International Journal for Research in Applied Science and Engineering Technology.

• Shomaji, S., Ghosh, P., & Forte, D. (2021). An Analysis of Enrollment and Query Attacks on Hierarchical Bloom Filter-Based Biometric Systems. IEEE Transactions on Information Forensics and Security. Advance online publication. https://doi.org/10.1109/TIFS.2021.3128821

• Sharif, A., Carbone, R., ... Ranise, S. (2022). Best current practices for OAuth/OIDC Native Apps: A study of their adoption in popular providers and top-ranked Android clients. Journal of Information Security and Applications. Advance online publication. https://doi.org/10.1016/j.jisa.2021.103097

• Gellert, G. A., Crouch, J. F., ... Gillean, J. A. (2017). Clinical impact and value of workstation single sign-on. International Journal of Medical Informatics. Advance online publication. https://doi.org/10.1016/j.ijmedinf.2017.02.008

• Pandey, P., & Nisha, T. N. (2021). Challenges in Single Sign-On. Journal of Physics: Conference Series, 1964(4), 042016. https://doi.org/10.1088/1742-6596/1964/4/042016

• Jánoky, L. V., Ekler, P., & Levendovszky, J. (2021). Evaluating the Performance of a Novel JWT Revocation Strategy. Acta Cybernetica. https://doi.org/10.14232/ACTACYB.289455

• Buzan, B., Waever, O., & de Wilde, J. (1998). Security: A New Framework for Analysis. Boulder: Lynne Rienner Publishers.

• Boogaard, K. (2022). What you need to know about requirements gathering.


APPENDED FACTS

MOBILE APPLICATION AUTHENTICATION QUESTIONNAIRE

1) Which mobile application(s) do you use on a daily basis?

2) Do you have to log in every time you access the app?

3) If yes, do you find it comfortable?

4) If no, how long do you take before you have to log in again?

5) What is your general view of your current mobile application authentication?


Appendix 4: Budget

 No.  Description                                   Quantity    Unit cost   Total cost
 1.   Safaricom internet bundles                    10GB        250         3000
 2.   Printing and photocopying                     26          5           300
 3.   Downloading coding tools and code research    frequently  500         500
 4.   Visual Studio Code IDE                        3 months    500         1500
 5.   Microsoft Office 2019                         1           600         600
 6.   Travelling                                    2           4000        4000
      TOTAL                                                                 9900
The schedule was presented in the form of a Gantt chart. The Gantt chart shows all the tasks carried out during the course of the project life cycle.

[Gantt chart (image not captured). Activities: Chapter One Introduction; Chapter Two Literature Review; Chapter Three Methodology. Months: September, October, November.]
