Volume 7, Issue 5, May – 2022 International Journal of Innovative Science and Research Technology

ISSN No:-2456-2165

Securing Client and Server Connections from Parameter Tampering Using Time-Based Hash Encryption

Chandra Yogatama¹, Oktoberty¹*, Rita Hariningrum¹, Sri Pramono¹, Riyanto Wibowo¹, Tjokro Hadi²
¹ Maritime Faculty, Universitas Ivet, Semarang, Central Java, Indonesia
² Politeknik Negeri Semarang, Central Java, Indonesia

Abstract:- This paper proposes a method to prevent parameter tampering on web services. Time-based hash encryption is able to give unpredictable output which changes periodically according to its input. The proposed method uses different parts of the function output as the authentication key and the parameter order. The presented method has several characteristics. Each encryption and decryption needs to be able to generate the same Vst. The Vst used must have a periodic record so that it is possible to get Vs(t-1). Each Vst used works without trouble on both time-variant (tests 1-3) and time-invariant (tests 3-5) inputs. From the Decrypt column, we can see that, as a side effect, each pass parameter is decrypted and cut off. To evaluate the proposed work, we made software to encrypt and decrypt a request. We limited the test to having no delay.

Keywords:- Securing Client, Server Connections, Tampering, Encryption.

I. INTRODUCTION

Online software is software that needs an internet connection. Each operation uses a request package sent from the online software to the server, which replies with data. This process often uses unsafe connections prone to attacks. Online software attacks require four steps [1]: information gathering, assessing vulnerability, launching an attack, and cleaning up. Information gathering is collecting transported data in a network; TLS (Transport Layer Security) is able to avert this [2]. Unfortunately, TLS is not reliable and needs a secure endpoint [3]. Encryption can prevent the assessment of vulnerability [4]–[6]. Launching an attack and cleaning up can be averted by authentication [7].

One of the known attacks is parameter tampering [8]. It works by assessing package vulnerabilities and then launching attacks by modifying or creating packages able to bypass the rules [9].

II. PARAMETER TAMPERING PREVENTION

Tampering prevention by requiring a connection divides authentication into the following.

A. Single-line authentication
This method uses one line for requests and authentication. A session key is given after the login process. Later requests are made using the received session key [10], which is prone to hijacking.

B. Double-line authentication
This method uses a separate connection for the request and the authentication.

a) Token generator
This method uses a separate device to generate tokens that were previously synchronized with the server before being handed to the user [7]. It uses one line that serves as the connection between the software and the server, as the token connection has already been severed when the user receives the token.

b) SIM card
With SIM cards, the system can use different communication lines to exchange token information [11]. It is limited to devices that run SIM cards, such as mobile phones, and is only usable if the SIM card is able to receive a signal.

c) RFID
An authentication token using RFID, or another verification object that can emulate RFID, is also viable. Any device that hosts a client must have an RFID reader. And because the token is always the same, if an attacker knows it, a new request from the attacker using this token will always be accepted by the server.

C. Common vulnerability
Each method presented is prone to hijacking executed in the information gathering step of an online software attack [1]. This vulnerability is caused by each data package having a common form, which means the attacker only needs to fill in the authentication parameters [8], [12], either by interception or by guessing [13]. Guessing includes repeatedly entering possible text strings, commonly known as brute-force attacks [12].

IJISRT22MAY955 www.ijisrt.com 1144


In this paper, we propose a method to prevent hijacking and brute-forcing by making the package's format randomly generated. It will serve as encryption, which will be decrypted when the package arrives. A time hash is a time-input hash encryption capable of generating random numbers on a regular basis [14], [15]. A key and package format will be generated using the output [9]. The server will be able to understand it if it knows the exact time it was encrypted. A time zone was chosen and implemented on both the online software and the server to do this. The next section will cover the design and testing of our proposed method.

III. PROPOSED WORK

This section describes our proposed method and how to put it into action on a package.

A. Design
The main objective of our method is to create dynamic keys that change from time to time. Our aim isn't full randomness but directed randomness, so that it is able to be used for authentication.

From the above, we conclude that we should use hash encryption with time-based variables as input, where Cdh denotes dark hash cryptography, Vst denotes a time-based variable, and HAs denotes the output.

HAs = Cdh(Vst)    (1)

Dark hash cryptography (Cdh) is multiple hashes combined into one function. A time-based variable (Vst) is a variable that changes according to time. This variable can be called a time-synch variable, as it is needed to generate the same output if calculated at the same time in different locations. If the same Vst is used, the function's output (HAs) will always be the same. We use a hash because it is irreversible, hence the input will always be unknown. The server needs to process requests at the same time to use the same input (Vst). HAs is used as the base to decide the parameter order and the authentication key. The parameter order is decided by the LSB (least significant bits) and the authentication key by the MSB (most significant bits). This procedure encrypts the package before it is requested from the server, and also calculates HAs to decrypt received packages.

Step  Output
0     www.website.com/api.php?service=01&user=0001&pass=3342...E
1     www.website.com/api.php?1=01&2=0001&3=3342...E
2     www.website.com/api.php?1=01&2=0001&3=3342...E&4=DDDD...54321
3     www.website.com/api.php?1=01&2=0001&3=3342...E&4=FFFF...0&5=DDDD...54321
4     www.website.com/api.php?1=01&2=0001&3=3342&4=FFFF&5=DDDD
5     www.website.com/api.php?1=DDDD&2=FFFF&3=3342&4=0001&5=01
Table 1: Test result

Here are the 5 steps of the proposed encryption.
- Change the parameter names
- Add HAs as a new parameter
- Add a fake parameter
- Reduce the LSB of parameters that aren't as important
- Shuffle the parameters using the LSB of HAs

Step 1 is used to disguise the purpose of each parameter. Step 2 adds the authentication key as a parameter for authentication. Step 3 is used to make each operation have the same number of parameters, to camouflage the type of service. The added parameter is randomly generated, as it is not needed later, and must be inserted between the required parameters and the authentication key. Step 4 is used to equate the less important parameters with the fake parameter by likening their length. The designer must understand which parameters are not allowed to be cut. Step 5 is used to change the parameter order periodically.

Here are the required steps to decrypt the encryption above.
- Calculate HAs
- Validation
- Extract parameters
- Try to process it
- If there is an error, go back to step 1 and use Vs(t-1)

Step 1's goal is to get the parameter order and the authentication key. Step 2 is checking the authentication key before communicating with the server for further package processing. Step 3 is to get the other parameters from the received package. Step 4 is to try to execute the request using the variables extracted from the package. Step 5 is to accommodate the delay in transportation time.

B. Testing
In this section, we apply the above method to secure a simple GET request. The encryption begins with the request form and proceeds through the 5 encryption steps, and the result is decrypted later. Each encryption step's output is shown in Table 1, with explanations given below.
- Step 0 is a simple GET request serving as the encryption target.
- Step 1 is the output after changing the parameter names.
- Step 2 is after adding HAs, which becomes parameter 4. HAs is calculated using the GMT hour-minute (HH:MM) as Vst, and MD5 is used as Cdh.
- Step 3 is adding a fake parameter between the real parameters and HAs. Parameter 4 becomes the fake parameter and HAs is moved to parameter 5.
- Step 4 is removing the LSB of the other parameters so they have the same length as the most important parameter, which is "user" or parameter 2.
- Step 5 is reordering the parameters using the LSB of HAs.
Then, this request is sent to the server to be decrypted later.

We follow the decryption design to process the encrypted request, which is the output of step 5.
- Step 1 calculates HAs using the current time, which is DDDD...54321. For the authentication key, take the MSB part, with a length equal to the parameter length, while the order takes the LSB part. So, authentication key = DDDD and order = 54321. The authentication key is on the highest-numbered order position, while service is on the lowest, followed by user and pass.
- Step 2 is validation. We can see that the highest number is on the first digit, so the authentication key is in the first parameter. The request is valid if both sides have the same key.
- Step 3 is extraction. We get 3 parameters: service = 01, user = 0001, and pass = 3342.
- Step 4 is executing the parameters. Any service that uses cut parameters must modify its process so it is capable of using those parameters. If a process is unable to execute using cut parameters, then those parameters must not be cut in step 4 of the encryption.
- Step 5: if there is a problem in step 2, 3, or 4, repeat from step 1 with Vs(t-1), accommodating a possible delay resulting in a wrong HAs.

We can see from the table that our method is able to encrypt a simple GET request and decrypt it to successfully receive each parameter, with one parameter received cut.

IV. RESULTS AND DISCUSSION

To evaluate the proposed work, we made software to encrypt and decrypt a request. We limited the test to having no delay. The results are given in Table 2.

From Table 2, our proposed work successfully encrypts and decrypts on any Vst, which in this case means the current GMT time. Each Vst used works without trouble on both time-variant (tests 1-3) and time-invariant (tests 3-5) inputs. From the Decrypt column, we can see that, as a side effect, each pass parameter is decrypted and cut off. To accommodate this, we need to modify the service on the server side to be able to work with it.

Test | Request                            | Encrypted                             | Decrypt                           | Vst (GMT)
1    | service=01, user=0001, pass=d321aa | 1=01, 2=3a13, 3=d321, 4=0001, 5=a3d3  | s=01, u=0001, pass=d321, Key=a3d3 | 20:00
2    | service=01, user=0001, pass=d321aa | 1=27ac, 2=01, 3=d321, 4=0001, 5=9e34  | s=01, u=0001, pass=d321, Key=9e34 | 20:01
3    | service=01, user=0001, pass=d321aa | 1=01, 2=341e, 3=d321, 4=0001, 5=7871  | s=01, u=0001, pass=d321, Key=7871 | 20:03
4    | service=01, user=0001, pass=d321aa | 1=01, 2=c2a8, 3=d321, 4=0001, 5=7871  | s=01, u=0001, pass=d321, Key=7871 | 20:03
5    | service=01, user=0001, pass=d321aa | 1=01, 2=17ea, 3=d321, 4=0001, 5=7871  | s=01, u=0001, pass=d321, Key=7871 | 20:03
Table 2: Experimental results
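The following Python program is an added worked example, not the authors' test software, that implements the scheme of Section III end to end: equation (1) with MD5 as Cdh and the GMT "HH:MM" string as Vst (as in the Testing section), the split of HAs into an MSB authentication key and LSB order digits, the five encryption steps of Table 1, and the five decryption steps including the Vs(t-1) retry. It assumes (these are the example's own choices, not stated in the paper) that the key is cut to the same length as the "user" parameter, that order digits are compared as hexadecimal values with ties broken by slot position, that the fake value is supplied by the caller instead of being randomly generated, and that the key slot is compared in constant time. The request values are constructed and only shaped like Table 1; the HAs values differ from the paper's tables.

```python
import datetime
import hashlib
import hmac

# Constructed sample GET request, shaped like step 0 of Table 1 (not the paper's exact values).
SAMPLE_PARAMS = {"service": "01", "user": "0001", "pass": "3342aaee"}

# Real parameters from least to most important, as the paper ranks them (service < user < pass).
# The fake parameter and the authentication key (HAs) rank above all real parameters.
REAL_ORDER = ["service", "user", "pass"]
CUT_REFERENCE = "user"   # step 4 cuts every value to the length of this parameter (assumption)
BY_IMPORTANCE = ["key", "fake"] + list(reversed(REAL_ORDER))   # most important first


def clock(hour, minute):
    """Constructed GMT clock value used for the demonstration and tests."""
    return datetime.datetime(2022, 5, 1, hour, minute)


def vst_from(moment, minutes_back=0):
    """Vst: GMT hour-minute 'HH:MM'; minutes_back=1 yields Vs(t-1)."""
    shifted = moment - datetime.timedelta(minutes=minutes_back)
    return shifted.strftime("%H:%M")


def cdh(vst):
    """Cdh as in the paper's test: MD5 over Vst (assumption: a single hash, no extra rounds)."""
    return hashlib.md5(vst.encode("ascii")).hexdigest()


def key_and_order(has, key_len, n_slots):
    """Authentication key = MSB (leading) part of HAs; parameter order = LSB (trailing) part."""
    return has[:key_len], has[-n_slots:]


def slot_ranking(order):
    """Slots sorted by their order digit, highest first (ties broken by position; assumption).
    ranking[0] holds the key, ranking[1] the fake parameter, then pass, user, service."""
    return sorted(range(len(order)), key=lambda i: (-int(order[i], 16), i))


def encrypt(params, vst, fake):
    """Encryption steps 1-5: rename, add HAs, add fake parameter, cut, shuffle by LSB of HAs."""
    n_slots = len(REAL_ORDER) + 2
    cut_len = len(params[CUT_REFERENCE])
    key, order = key_and_order(cdh(vst), cut_len, n_slots)
    # Step 4: drop the LSB of every value beyond the reference length.
    values = {name: params[name][:cut_len] for name in REAL_ORDER}
    values["fake"] = fake[:cut_len]    # step 3: the fake value is cut to the same length
    values["key"] = key                # step 2: HAs enters the request as a parameter
    # Step 5: the most important value goes to the slot with the highest order digit.
    ranking = slot_ranking(order)
    out = {str(slot + 1): values[name] for name, slot in zip(BY_IMPORTANCE, ranking)}
    return dict(sorted(out.items(), key=lambda kv: int(kv[0])))   # step 1: names are 1..n


def decrypt(query, vst, cut_len):
    """Decryption steps 1-3: recompute HAs, validate the key slot, extract real parameters.
    Returns None when the presented key does not match (wrong Vst or tampered key)."""
    key, order = key_and_order(cdh(vst), cut_len, len(query))
    ranking = slot_ranking(order)
    presented = query.get(str(ranking[0] + 1), "")
    if not hmac.compare_digest(presented, key):   # constant-time comparison
        return None
    return {name: query[str(slot + 1)]
            for name, slot in zip(BY_IMPORTANCE, ranking) if name in REAL_ORDER}


def decrypt_with_fallback(query, now, cut_len, max_back=1):
    """Decryption step 5: retry with Vs(t-1) when the current minute fails (transport delay).
    Returns (parameters, minutes_back) on success, or (None, None)."""
    for back in range(max_back + 1):
        result = decrypt(query, vst_from(now, back), cut_len)
        if result is not None:
            return result, back
    return None, None


if __name__ == "__main__":
    now = clock(20, 4)
    # The client encrypted one minute earlier, so the server must fall back to Vs(t-1).
    sent = encrypt(SAMPLE_PARAMS, vst_from(now, 1), "ffffffff")
    print("encrypted:", sent)
    print("decrypted:", decrypt_with_fallback(sent, now, len(SAMPLE_PARAMS["user"])))
```

Running the module shows the renamed, cut and shuffled query, then the recovered service, user and (cut) pass after one fallback step, which is the "pass=d321" side effect of Table 2 in the example's own values. Two properties of the paper's design are visible in the code and worth keeping in mind when reading Table 2: the key depends on nothing but the GMT minute, so tests 3-5 sharing Vst = 20:03 necessarily share Key = 7871, and validation checks only the key slot, so the real-parameter slots are protected by the changing order rather than by the key itself, which is why the conclusion recommends combining the method with another encryption method that targets the package.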

V. CONCLUSION

This paper proposes a method to prevent parameter tampering on web services. Time-based hash encryption is able to give unpredictable output which changes periodically according to its input. The proposed method uses different parts of the function output as the authentication key and the parameter order. Unpredictable authentication keys and parameter orders that are only active for a limited time will prevent hijacking and brute-force attacks, effectively preventing parameter tampering.

The presented method has several characteristics. Each encryption and decryption needs to be able to generate the same Vst. The Vst used must have a periodic record so that it is possible to get Vs(t-1). Each parameter must be analyzed first to determine whether cutting it is possible or not. The presented method encrypts the sent package parameter-wise, so it is able to be used in conjunction with another package encryption method that targets the package.

REFERENCES

[1.] N. Hoque, M. H. Bhuyan, R. C. Baishya, D. K. Bhattacharyya, and J. K. Kalita, "Network attacks: Taxonomy, tools and systems," J. Netw. Comput. Appl., vol. 40, no. 1, pp. 307–324, 2014, doi: 10.1016/j.jnca.2013.08.001.
[2.] F. De Backere et al., "Design of a security mechanism for RESTful web service communication through mobile clients," IEEE/IFIP NOMS 2014 - IEEE/IFIP Netw. Oper. Manag. Symp. Manag. a Softw. Defin. World, 2014, doi: 10.1109/NOMS.2014.6838308.
[3.] E. Ronen, R. Gillham, D. Genkin, A. Shamir, D. Wong, and Y. Yarom, "The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations," Proc. - IEEE Symp. Secur. Priv., vol. 2019-May, pp. 435–452, 2019, doi: 10.1109/SP.2019.00062.
[4.] A. Solichin, M. Andika Putra, and K. Diniari, "RESTful Web Service Optimization with Compression and Encryption Algorithm," in Proceedings - 2018 International Seminar on Application for Technology of Information and Communication: Creative Technology for Human Life, iSemantic 2018, 2018, no. January, pp. 333–337, doi: 10.1109/ISEMANTIC.2018.8549727.
[5.] Palanivel Rajan D and Dr. S. John Alexis, "Comparative Study on Data Encryption Algorithms in Cloud Platform," Int. J. Eng. Res., vol. V6, no. 10, pp. 126–129, 2017, doi: 10.17577/ijertv6is100070.
[6.] P. Princy, "A Comparison of Symmetric Key Algorithms DES, AES, Blowfish," Int. J. Comput. Sci. Eng. Technol., vol. 6, no. 05, pp. 328–331, 2015. [Online]. Available: http://www.ijcset.com/docs/IJCSET15-06-05-055.pdf
[7.] A. Abdellaoui, Y. I. Khamlichi, and H. Chaoui, "A Novel Strong Password Generator for Improving Cloud Authentication," Procedia Comput. Sci., vol. 85, no. Cms, pp. 293–300, 2016, doi: 10.1016/j.procs.2016.05.236.
[8.] M. E. Korstanje, Advances in Information Security, Privacy, and Ethics (AISPE), no. February. Argentina: University of Palermo, 2017.
[9.] Y. Liu, R. Zhang, and Y. Zhou, "Predicate encryption against master-key tampering attacks," Cybersecurity, vol. 2, no. 1, 2019, doi: 10.1186/s42400-019-0039-6.
[10.] T. Kivisaari and others, "Providing Secure Web Services for Mobile Applications," 2015.
[11.] M. Le, S. Clyde, and Y. W. Kwon, "Enabling multi-hop remote method invocation in device-to-device networks," Human-centric Comput. Inf. Sci., vol. 9, no. 1, 2019, doi: 10.1186/s13673-019-0182-9.
[12.] S. Salamatian, W. Huleihel, A. Beirami, A. Cohen, and M. Medard, "Why botnets work: Distributed brute-force attacks need no synchronization," IEEE Trans. Inf. Forensics Secur., vol. 14, no. 9, pp. 2288–2299, 2019, doi: 10.1109/TIFS.2019.2895955.
[13.] R. Amin, S. H. Islam, G. P. Biswas, M. K. Khan, and X. Li, "Cryptanalysis and Enhancement of Anonymity Preserving Remote User Mutual Authentication and Session Key Agreement Scheme for E-Health Care Systems," J. Med. Syst., vol. 39, no. 11, 2015, doi: 10.1007/s10916-015-0318-z.
[14.] C. Yogatama, R. R. Isnanto, and A. Triwiyanto, "Aplikasi Algoritma Hash Dalam Pengacakan Pertemuan Dan Pertarungan Dinamis Pada Perangkat Lunak Permainan Dengan Sistem Operasi Android," Transient, vol. 3, no. 3, pp. 301–308, 2014. [Online]. Available: https://ejournal3.undip.ac.id/index.php/transient/article/view/6347
[15.] F. Maqsood, M. Ahmed, M. Mumtaz, and M. Ali, "Cryptography: A Comparative Analysis for Modern Techniques," Int. J. Adv. Comput. Sci. Appl., vol. 8, no. 6, 2017, doi: 10.14569/ijacsa.2017.080659.
