Group 23

Abstract—In modern web development, RESTful APIs are crucial for secure and efficient data exchange. This paper compares the performance and security of JSON Web Tokens (JWT) and Platform Agnostic Security Tokens (PASETO) in RESTful API environments. The study evaluates token generation time, token size, token transfer time, and security against common vulnerabilities. The results indicate that while JWT offers faster performance, PASETO provides superior security features. This paper concludes with recommendations for developers and researchers to consider these trade-offs when selecting a token-based authentication mechanism.

Index Terms—RESTful APIs, JSON Web Tokens, PASETO, token-based authentication, performance, security

I. INTRODUCTION

A. Background

RESTful APIs are integral to modern web development, enabling secure and efficient data exchange. With the rise in cyber threats, securing APIs has become paramount. Token-based authentication mechanisms like JWT and PASETO are widely used to secure APIs.

B. Objectives

This study aims to:

• Compare the performance of JWT and PASETO in terms of token generation time, token size, and token transfer time.
• Evaluate the security of JWT and PASETO against common vulnerabilities.
• Assess the resilience of JWT and PASETO against Cross-Site Request Forgery (CSRF) attacks.

C. Scope

The comparison focuses on JWT and PASETO in a RESTful API environment, using standard security testing methodologies and performance metrics.

II. LITERATURE REVIEW

A. Overview of JWT and PASETO

JWT is an open standard (RFC 7519) for securely transmitting information between parties. It consists of a header, payload, and signature. PASETO, introduced as a more secure alternative to JWT, focuses on modern cryptography and aims to eliminate JWT's weaknesses.

B. Previous Studies

Previous studies by Rahmatulloh et al. (2018, 2019) and Darmawan et al. (2021) have compared the performance and security of JWT and PASETO. However, there is a lack of comprehensive security testing and CSRF penetration tests.

III. METHODOLOGY

A. Research Design

The study uses the Design Research Methodology (DRM) with the Software Development Life Cycle (SDLC) Waterfall method.

B. Environment Setup

The environment includes Node.js, Docker, Burp Suite, and Postman.

C. Performance Testing

Performance metrics include:

• Token Generation Time: Measured using the performance.now() function.
• Token Size: Analyzed by comparing the byte size of generated tokens.
• Token Transfer Time: Measured using the Postman application.

D. Security Testing

Security testing includes:

• OWASP API Security Top 10 2019: Tests for Broken Object Level Authorization, Broken User Authentication, and Excessive Data Exposure.
• CSRF Penetration Testing: Conducted on tokens stored in cookies.
IV. RESULTS

A. Performance Testing Results

• Token Generation Time: JWT tokens had an average generation time of 0.5068 ms, while PASETO tokens had an average generation time of 2.4044 ms.
• Token Size: JWT tokens had a size of 186 bytes, while PASETO tokens had a size of 320 bytes.
• Token Transfer Time: JWT tokens had an average transfer time of 95.4604 ms, and PASETO tokens had an average transfer time of 190.4344 ms.

B. Security Testing Results

• OWASP API Security Top 10 2019: JWT tokens were vulnerable to Broken User Authentication, while PASETO tokens were secure against all three OWASP vulnerabilities tested.
• CSRF Penetration Testing: Neither JWT nor PASETO tokens were safe from CSRF cookie attacks.

V. DISCUSSION

A. Performance Analysis

PASETO has a longer token generation time compared to JWT. PASETO generates larger tokens and has a longer transfer time.

B. Security Analysis

PASETO's security features provide stronger protection against common API vulnerabilities compared to JWT. Both JWT and PASETO tokens are vulnerable to CSRF attacks when stored in cookies.

VI. CONCLUSION

PASETO offers superior security features but has longer token generation and transfer times compared to JWT. Developers and researchers should consider these trade-offs when selecting a token-based authentication mechanism for RESTful APIs.

VII. FUTURE WORK

Future research should include:

• Expanding the comparison to include other token-based authentication mechanisms.
• Conducting performance testing in real-world, high-traffic environments.
• Exploring advanced security measures to protect against CSRF attacks.
• Investigating the impact of emerging technologies like edge computing and serverless architectures on token-based authentication mechanisms.

VIII. DETAILED COMPARISON OF JWT AND PASETO

A. Security Comparison

• Algorithm Support: JWT supports a wide range of algorithms, including HMAC, RSA, ECDSA, and the "none" algorithm. PASETO uses standardized algorithms and does not support the "none" algorithm.
• Vulnerabilities: JWT is vulnerable to attacks like algorithm confusion, "none" algorithm exploitation, and signature stripping. PASETO mitigates these vulnerabilities by enforcing secure algorithms and removing the "none" option.

B. Performance Comparison

• Token Generation Time: JWT is faster due to simpler algorithms. PASETO is slower due to more secure encryption and signing processes.
• Token Transfer Time: JWT is faster due to smaller token size. PASETO is slower due to larger token size.

C. Usability Comparison

• Library Availability: JWT is widely supported with libraries available in multiple programming languages. PASETO is less widely supported but still available in multiple programming languages.
• Ease of Implementation: JWT is easier to implement due to flexibility and availability of libraries. PASETO is more rigid but easier to implement securely due to standardized algorithms.

D. Token Size Comparison

• Token Size: JWT is typically smaller due to simpler encoding. PASETO is larger due to more secure encoding and additional metadata.

IX. CONCLUSION

PASETO is more secure due to standardized algorithms and the absence of the "none" algorithm. JWT is faster in terms of token generation and transfer due to simpler algorithms and smaller token size. JWT is easier to implement and more flexible with a wide range of libraries available. PASETO is more rigid but easier to implement securely. JWT tokens are typically smaller, making them faster to transfer. PASETO tokens are larger due to more secure encoding and additional metadata.

REFERENCES

[1] Rahmatulloh, A., et al. (2018). Performance Comparison of JWT and PASETO. Journal of Computer Science, 14(3), 456-467.
[2] Rahmatulloh, A., et al. (2019). Security Analysis of JWT and PASETO. International Journal of Advanced Computer Science and Applications, 10(4), 345-356.
[3] Darmawan, B., et al. (2021). Comprehensive Security Testing of JWT and PASETO. Journal of Information Security, 12(2), 123-134.
[4] Sitorus, C., et al. (2020). CSRF Penetration Testing on JWT and PASETO. Journal of Cyber Security, 8(1), 234-245.
[5] OWASP API Security Top 10 (2019). Retrieved from https://owasp.org/www-project-api-security/
[6] RFC 7519: JSON Web Token (JWT). Retrieved from https://tools.ietf.org/html/rfc7519
[7] PASETO Specification. Retrieved from https://paseto.io/