2023 27th International Computer Science and Engineering Conference (ICSEC)

A Secure Model based on Symmetric Encryption for REST API in Data Integration
1st Mohd Kamir Yusof
Faculty of Informatics and Computing, Universiti Sultan Zainal Abidin, 22200 Besut, Terengganu, Malaysia

2nd Mustafa Man
Faculty of Ocean and Engineering, Universiti Malaysia Terengganu, 21300 K. Nerus, Terengganu, Malaysia

3rd Wan Mohd Amir Fazamin Wan Hamzah
Faculty of Informatics and Computing, Universiti Sultan Zainal Abidin, 22200 Besut, Terengganu, Malaysia

4th Suhailan Safei
Faculty of Informatics and Computing, Universiti Sultan Zainal Abidin, 22200 Besut, Terengganu, Malaysia

5th Mmi Tasani Haryani
Faculty of Informatics and Computing, Universiti Sultan Zainal Abidin, 22200 Besut, Terengganu, Malaysia

6th Nurul Anis Alia Ahmad Shah
Faculty of Informatics and Computing, Universiti Sultan Zainal Abidin, 22200 Besut, Terengganu, Malaysia
2023 27th International Computer Science and Engineering Conference (ICSEC) | 979-8-3503-4210-9/23/$31.00 ©2023 IEEE | DOI: 10.1109/ICSEC59635.2023.10329720

Abstract— Data integration is currently in demand by organizations to extract data from different data sources. A unified view of the data structure is needed to allow the organization to access these data sources. REST API is one of the solutions that can be used to allow an application to send or share data with other applications via the network. However, data transmitted via the network is exposed to unauthorized users or hackers, who may access or modify the data. Symmetric encryption can be used as a secure model for data transmission via the network. Three processes are involved in this secure model: encrypting plaintext to ciphertext using a combination of keys, decrypting the ciphertext to plaintext using a combination of keys, and dumping the data in plaintext. In this paper, two applications have been developed for data exchange or data transmission purposes. The SAP system sends the data in JSON format, encrypted into ciphertext using a unique key and three different keys, to the FEMS system. The FEMS system decrypts the ciphertext using the same unique key and three different keys to produce plaintext in JSON format. The data in JSON format is exploded. Then, the data is dumped into the FEMS database. Based on the implementation, REST API and symmetric encryption have been successfully used for data transmission between SAP and FEMS, encrypting the data in JSON to ciphertext using a modification of 3DES encryption.

Keywords— Data integration, JSON, REST API, Symmetric encryption

I. INTRODUCTION

The purpose of data integration is to provide a unified view of data extracted or combined from different data source applications [1-3]. Two issues in data integration have been identified: different database schemas and security issues in data transmission among applications [1-2].

A few models have been applied in data integration to provide a unified view, such as Resource Description Framework [5], Extensible Markup Language (XML) [7][8], Relational Database Model [4], Object Exchange Model [6], Native XML [9], XML-Enabled [10], Hybrid XML [11] and JavaScript Object Notation (JSON) [12]. The JSON model has proved fast and efficient for data exchange compared to the others [12].

A suitable approach is needed to allow data transmission among applications that use different platforms [13]. An Application Programming Interface (API) such as Representational State Transfer (REST), Simple Object Access Protocol (SOAP) or Remote Procedure Call (RPC) can serve as a gateway for data transmission among applications [13-14]. However, the solutions above are still considerably inefficient in terms of response time. A few websites such as Google, Facebook and Twitter currently use the REST API approach because of its easy and fast data transmission [13].

Meanwhile, another issue is how to secure data transmission among applications. Symmetric encryption is one of the solutions: it encrypts the data into ciphertext before transmitting it to another application [20]. A few algorithms can be used in symmetric encryption, such as Blowfish, DES, 3DES and RC4 [21-22]. 3DES is the most powerful encryption compared to the others because it uses 3 different keys as the secret [2].

In this research, we propose a REST API using JSON format for data transmission among applications. Meanwhile, a modification of 3DES encryption is used to encrypt data in JSON format into ciphertext before it is sent to another application.

Section II explains the definition of REST API. Section III explains symmetric encryption. The proposed data transmission using REST API and secure data transmission using symmetric encryption are described in Section IV. Meanwhile, the implementation and results are explained in Section V. Lastly, a conclusion is discussed in Section VI.

II. REST API

Thomas Fielding introduced the REST architecture, based on the principles that support the World Wide Web, in the year 2000 [15]. REST is based on Uniform Resource Identifiers (URI) to detect a message transferred via Hypertext Transfer Protocol (HTTP) [16-18].

One of the REST components is an API (Application Programming Interface). The purpose of the API is to provide easy and fast client-server communications for Web applications over the HTTP protocol. REST is designed with three main principles: addressability, uniform interface, and statelessness [18]. Endpoints for each URL are verified by REST for data extraction purposes [19]. The common functions in an API are CRUD (Create, Read, Update, Delete), which correspond to the most popular functions [18] INSERT, SELECT, UPDATE, and DELETE in SQL. An Ajax query can be used with a REST server to execute a common response by producing data in JSON (JavaScript Object Notation) format. In REST, JSON and XML formats are usually used for data exchange among applications.

Authorized licensed use limited to: Universitas Indonesia. Downloaded on September 15,2024 at 15:08:22 UTC from IEEE Xplore. Restrictions apply.

III. SECURE SOCKET LAYER (SSL)

Secure Socket Layer (SSL) is a protocol in the field of cryptography for data security purposes [28]. A symmetric cipher is used to ensure the confidentiality of information, and data verification codes are used for the integrity of messages. Data exchange is protected through encryption and authentication. The advantage of this protocol is the use of its embedded security features to secure insecure application layer protocols such as HTTP and HTTPS [29]. Cryptographic algorithms are applied to plain text that is supposed to pass through an insecure communication channel such as the Internet, and ensure that it is kept confidential throughout the transmission channel.

IV. SYMMETRIC ENCRYPTION

Symmetric encryption uses a secret key for encrypting and decrypting data [20]. In this approach, the sender and receiver share the same key for encryption and decryption. In this approach, the handling of input data is also divided into two types.

The first is block cipher-based systems, in which the data is processed or encrypted on a fixed-length group of bits called a block. The second is stream cipher-based systems, in which the data is processed as a stream of bits. Fig. 1 illustrates the process of symmetric encryption.

Fig. 1: Process of symmetric encryption

There are many symmetric encryption algorithms, such as Blowfish, DES, 3DES, RC4, etc. [21-22]. These algorithms use different approaches to encrypt and decrypt the data. At the same time, each of them encrypts and decrypts a fixed size of data as a block, with a fixed size of key. In this section, we describe these basic symmetric key algorithms.

A. Data Encryption Standard (DES)

DES was recommended by NIST (National Institute of Standards and Technology) in 1996 as an efficient encryption method. Based on this recommendation, this algorithm is currently widely used as an encryption method across the world [23].

In this method, a block cipher uses a 56-bit key and encrypts plaintext 64 bits at a time. This method is considered symmetric-key because encryption and decryption use the same key. DES can also operate in CBC, ECB, CFB and OFB modes. DES needs 16 rounds, or 16 processing steps, to convert plaintext to ciphertext. Three processes are involved in this algorithm. In the first step, the 64-bit data is passed through the initial permutation phase. In the second step, 16 rounds of processing take place. In the third step, a final permutation is carried out to turn the input plaintext into 64-bit ciphertext.

However, the limitation of this algorithm is that it is prone to brute force attack, in which the hacker attempts to break the key by trying every possible combination [24].

B. Triple Data Encryption Standard (3DES)

It is an enhanced form of the double DES algorithm. The main reason for 3DES is to replace DES, which is not strong enough to prevent a meet-in-the-middle attack [2].

The first option is to use three different keys for the encryption algorithm to generate the cipher text of plaintext message t:

$C(t) = E_{k_1}(D_{k_2}(E_{k_3}(t)))$

where $C(t)$ is the cipher text of plaintext message $t$, $E_{k_1}$ is the encryption method using key $k_1$, $D_{k_2}$ is the decryption method using key $k_2$ and $E_{k_3}$ is the encryption method using key $k_3$.

Another option is to use two different keys for the encryption algorithm. This reduces the memory requirement of keys in TDES.

$C(t) = E_{k_1}(D_{k_2}(E_{k_3}(t)))$

TDES is regarded as the strongest encryption algorithm, which gives it its application in the banking industry. However, the disadvantage of this algorithm is that it is too time consuming [25].

C. Advanced Encryption Standard (AES)

A variable key length of 128, 192 and 256 bits is used in AES [26]. AES performs 9 processing rounds if both the block length and key length are 128 bits. However, AES performs 11 processing rounds if the block and key are 192 bits, and 13 processing rounds if the block and key are 256 bits.

Each processing round has four steps:

• Substitute bytes – An S-box is used to perform a byte-by-byte substitution of the block.
• Shift rows – Use a simple permutation.
• Mix column – A substitution method is used to rotate data in each column from the shift row step, then the data is multiplied by the algorithm’s matrix.
• Add round key – The key for the processing round is XORed with the data.

AES encryption is proven fast and flexible. At the same time, it can be implemented on various platforms, especially small devices.

D. Blowfish Algorithm

The Blowfish algorithm was designed in 1993 and introduced by Bruce Schneier [27]. It is a 64-bit block cipher with a variable-length key from 32 bits (4 bytes) to 448 bits (56 bytes). Key expansion and data encryption are the two parts of this algorithm. In the key expansion step, the 448-bit key is converted into 4168 bytes. A P-array of size 18 and four S-boxes of size 256 each are initialized to the hexadecimal digits of π. Each entry in the P-array and S-boxes is XORed with 32 bits of the key [9]. Blowfish is an alternative encryption technique to the others. This algorithm is proven secure and has not been cracked yet. It is also suitable and efficient for hardware implementation.
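
Added example (not code from the paper): the E-D-E composition C(t) = E_k1(D_k2(E_k3(t))) from subsection B, together with the matching decryption and a check of the key bundle. A small Feistel cipher built on HMAC-SHA256 stands in for DES so that the block runs with the standard library only; the stand-in cipher, the function names, the key values and the sample block are assumptions of this example.

```python
import hashlib
import hmac

BLOCK = 8    # bytes per block, the DES block size
ROUNDS = 8   # rounds of the stand-in Feistel cipher (an assumption, not DES)


def _f(key, rnd, half):
    # Round function: keyed hash of one 4-byte half, truncated to 4 bytes.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def E(key, block):
    """Encrypt one 8-byte block with the stand-in cipher."""
    if len(block) != BLOCK:
        raise ValueError("block must be exactly 8 bytes")
    left, right = block[:4], block[4:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def D(key, block):
    """Invert E by running the rounds backwards."""
    if len(block) != BLOCK:
        raise ValueError("block must be exactly 8 bytes")
    left, right = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def ede_encrypt(k1, k2, k3, t):
    """C(t) = E_k1(D_k2(E_k3(t))), the composition given in subsection B."""
    return E(k1, D(k2, E(k3, t)))


def ede_decrypt(k1, k2, k3, c):
    """Undo the steps in reverse order, swapping E and D at each step."""
    return D(k3, E(k2, D(k1, c)))


def classify_key_bundle(k1, k2, k3):
    """Report how many independent keys actually protect the data."""
    if k1 == k2 or k2 == k3:
        # An adjacent E/D pair under the same key cancels out.
        return "degenerate"
    if k1 == k3:
        return "two-key"
    return "three-key"


if __name__ == "__main__":
    # Constructed sample values, not taken from the paper.
    k1, k2, k3 = b"sample-key-one", b"sample-key-two", b"sample-key-three"
    block = b"EBELN=44"
    c = ede_encrypt(k1, k2, k3, block)
    print(classify_key_bundle(k1, k2, k3), c.hex(), ede_decrypt(k1, k2, k3, c))
    # With k1 == k2 the result equals a single encryption under k3.
    print(ede_encrypt(k1, k1, k3, block) == E(k3, block))
```

The receiver recovers the plaintext only by undoing the three steps in reverse order with the opposite operation at each step. When two adjacent keys in the bundle are equal, one E/D pair cancels and the construction is no stronger than a single encryption, which is why a key bundle should be checked before use.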


V. A SECURE MODEL FOR REST API

This section explains the hybrid secure model based on the 3DES and Blowfish algorithms for data transmission in REST API. In this model, three secret keys are generated randomly to encrypt plaintext to ciphertext. Then, the ciphertext is decrypted using the same secret keys. The purpose of this model is to prevent any alteration of data by unauthorized users/hackers in the network during data transmission.

Fig. 2: A secure data transmission model via SSL

A. Generate Random - Secret Key

Input: n & char
Steps:
    Assign n = 5;
    Assign char = "0123456789ABCDEFGHIJPQRSTUVWXYZ";
    for ($i = 0; $i < 3; $i++) {        // loop 3 times to produce unique keys
        for ($j = 0; $j < $n; $j++) {   // append n random characters per pass
            $index = rand(0, strlen($char) - 1);
            $key .= $char[$index];
        }
    }
    UK = $index.$key;
Output: Unique Key (UK)

Fig. 3: Random key algorithm

B. Encryption Plaintext to Ciphertext

Input: Plaintext (P), Unique Key (UK), K1, K2, K3
Steps:
    A → Encryption of P using K1 + UK
    B → Decryption of A using K2
    C → Encryption of B using K3
Output: Ciphertext (C)

Fig. 4: Encryption algorithm

C. Decryption Ciphertext to Plaintext

Input: Ciphertext (C)
Steps:
    B → Decryption of C using K3
    A → Encryption of B using K2
    P → Encryption of A using K1 + UK
Output: Plaintext (P)

Fig. 5: Decryption algorithm

VI. IMPLEMENTATION AND RESULT

In this section, the implementation of secure data transmission using REST API to allow data sharing among applications is explained. Fig. 6 shows how the SAP system sends data to the FEMS system. In this figure, SAP sends data in JSON format, converted into ciphertext using the modification of 3DES encryption, to the FEMS system. After FEMS receives the data in ciphertext, FEMS uses the unique key and 3 different keys to decrypt the ciphertext to plaintext in JSON format.

Fig. 6: Send data from SAP to FEMS

A. Encryption process

In this process, plaintext is encrypted using a combination of the unique key, key 1, key 2 and key 3. Fig. 7 shows the sample of plaintext in JSON format.

{
  "PurchaseOrder": [
    {
      "EBELN": 4400019951,
      "LIFNR": 100006334,
      "LIFNR_NAME": "ASTRA SIMFONI SDN BHD",
      "BEDAT": 20220223,
      "UNSEZ": "Test2302-1",
      "WAERS": "RM",
      "Items": [
        {
          "EBELP": "00010",
          "MATNR": 95000093,
          "MAKTX": "9 KG ABC DRY POWDER",
          "MENGE": "10.000 ",
          "MEINS": "UN",
          "WERKS": 6600,
          "WERKS_NAME": "FGV Security Services Sdn. B",
          "NETPR": "790.00 "
        }, {
          "EBELP": "00020",
          "MATNR": 95000120,
          "MAKTX": "4 KG ABC DRY POWDER",
          "MENGE": "5.000 ",
          "MEINS": "UN",
          "WERKS": 6600,
          "WERKS_NAME": "FGV Security Services Sdn. B",
          "NETPR": "350.00 "
        },

Fig. 7: Plaintext in JSON format

Let the unique key equal 34333AFHG and key 1 equal 45Ths. The first process is encrypting the plaintext using the unique key and key 1. This produces the result below:

A = sfdsfdssd3324322sssaaaa…...

Let key 2 equal 3dsGGH; the second process is to decrypt A using key 2. The result is as below:

B = dsdsasdsadsd932432432432432432aaere……


Let key 3 equal 54aFgt; the third process is to encrypt B using key 3. The result is as below:

C = 4543aasasa93asdsda4s432432ABvTr……

The value of C is the ciphertext. This ciphertext is sent to FEMS via the network with the combination of the unique key, key 1, key 2 and key 3.

B. Decryption process

In this process, the ciphertext is decrypted using the combination of the unique key, key 1, key 2 and key 3.

Let key 3 equal 54aFgt; the first process is to decrypt C using key 3. The result is as below:

B = dsdsasdsadsd932432432432432432aaere……

Let key 2 equal 3dsGGH; the second process is to encrypt A using key 2. The result is as below:

A = sfdsfdssd3324322sssaaaa…...

Let the unique key equal 34333AFHG and key 1 equal 45Ths. The third process is encrypting plaintext using the unique key and key 1. This produces the result in plaintext (Fig. 8).

{
  "PurchaseOrder": [
    {
      "EBELN": 4400019951,
      "LIFNR": 100006334,
      "LIFNR_NAME": "ASTRA SIMFONI SDN BHD",
      "BEDAT": 20220223,
      "UNSEZ": "Test2302-1",
      "WAERS": "RM",
      "Items": [
        {
          "EBELP": "00010",
          "MATNR": 95000093,
          "MAKTX": "9 KG ABC DRY POWDER",
          "MENGE": "10.000 ",
          "MEINS": "UN",
          "WERKS": 6600,
          "WERKS_NAME": "FGV Security Services Sdn. B",
          "NETPR": "790.00 "
        }, {
          "EBELP": "00020",
          "MATNR": 95000120,
          "MAKTX": "4 KG ABC DRY POWDER",
          "MENGE": "5.000 ",
          "MEINS": "UN",
          "WERKS": 6600,
          "WERKS_NAME": "FGV Security Services Sdn. B",
          "NETPR": "350.00 "
        },

Fig. 8: Plaintext in JSON format

C. Dump the data

In this process, the data in JSON format is exploded and dumped into a MySQL database. Fig. 9 and Fig. 10 represent the data in structured format after the data is received from the SAP system.

Fig. 9: Purchase Order Data

Fig. 10: Sales Order Data

According to the experiments above, symmetric encryption for REST API was successfully implemented for data transmission between the SAP and FEMS systems. This model can be an alternative model to secure data for data transmission among applications.

VII. CONCLUSION

A REST API can be a gateway to transmit or share data via HTTP with other applications. Meanwhile, symmetric encryption can be used to secure the data during transmission by encrypting plaintext to ciphertext using a unique key and 3 different keys. With this approach, unauthorized users or hackers face a challenge in learning the actual message or data sent by the sender to the receiver.

ACKNOWLEDGMENT

This research was supported by the Ministry of Higher Education (MOHE) through the Fundamental Research Grant Scheme (FRGS/1/2020/ICT06/UNISZA/03/2).

REFERENCES

[1] A. Halevy, “Answering queries using views: A survey,” Very Large Database J., 10(4), pp. 270–294, 2001, doi: 10.1007/s007780100054
[2] N. Aleisa, “A Comparison of the 3DES and AES Encryption Standards,” International Journal of Security and Its Applications, 9(7), pp. 241–246, 2015, doi: 10.14257/ijsia.2015.9.7.21
[3] R. Hull, “Managing semantic heterogeneity in databases: A theoretical perspective,” In Proc. of the 16th ACM SIGACT SIGMOD SIGART Symp. on Principles of Database Systems (PODS’97), 1997.
[4] A. Y. Levy, M. C. Rousset, “CARIN: A representation language combining Horn rules and description logics,” In Proc. of the 12th Eur. Conf. on Artificial Intelligence (ECAI’96), pp. 323–327, 1996.
[5] K. K. Y. Lee, W. C. Tang, K. S. Choi, “Alternatives to relational database: Comparison of NoSQL and XML approaches for clinical data storage,” Computer Method and Programs in Biomedicine, vol. 110, no. 1, pp. 99–109, 2013.
[6] K. Rabah, “Theory and Implementation of Data encryption Standard: A Review,” Information Technology Journal, 4(4), pp. 307–325, 2005, doi: 10.3923/itj.2005.307.325
[7] S. Sakr, G. A. Naymat, “Relational Processing of RDF Queries: A Survey,” ACM Sigmod Record, vol. 38, no. 4, pp. 23–28, 2009.


[8] D. Suciu, “Semistructured data and XML,” Book: Information Organization and Databases: Foundations of Data Organizations, pp. 9–30, 2001.
[9] L. Papaleo, “Introduction to XML and its applications,” Research in Semantic Web Technologies, pp. 1–32, 2013.
[10] S. Balamurugan, A. Ayyasamy, “Performance evaluation of native XML database and XML enable database,” International Journal of Advanced Research in Computer Science and Software Engineering, vol. 7, no. 5, 2017.
[11] A. M. Saba, E. Shahab, H. Abdolrahimpour, M. Hakimi, A. Moazzam, “A comparative analysis of XML documents, XML enabled databases and native XML databases,” Computer Science: Databases, 2017.
[12] G. M. P. Lazetic, “Native XML Databases vs. Relational Databases in Dealing with XML Documents,” Kragujevac J. Math., vol. 30, pp. 181–199, 2007.
[13] Z. M. Liru, O. Tadashi, H. Mamoru, “Keyword search over hybrid XML-Relational Databases,” SICE Annual Conference, Aug 20–22, 2008.
[14] S. C. Haw, C. S. Lee, “Efficient Preprocesses for Fast Storage and Query Retrieval in Native XML Database,” IETE Technical Review, 26(1), pp. 28–40, 2014.
[15] M. Maleshkova, C. Pedrinaci, J. Domingue, “Investigating Web APIs on the World Wide Web,” Eighth IEEE European Conference on Web Services, pp. 107–114, 2010.
[16] R. T. Fielding, “Architectural Styles and the Design of Network-Based Software Architecture,” Univ. of California, Irvine, 2000.
[17] F. Bulthoff, M. Maleshkova, “RESTful or RESTless – Current State of Today’s Top Web APIs in The Semantic Web,” ESWC 2014 Satellite Events, pp. 64–74, 2014.
[18] R. Battle, E. Benson, “Bridging the semantic Web and Web 2.0 with Representational State Transfer (REST),” Web Semant. Sci. Serv. Agents World Wide Web, 6(1), pp. 61–69, 2008.
[19] B. Costa, P. F. Pires, F. C. Delicato, P. Merson, “Evaluating a Representational State Transfer (REST) Architecture: What is the Impact of REST in My Architecture?,” IEEE/IFIP Conference on Software Architecture, pp. 105–114, 2014.
[20] M. N. Alenezi, H. N. Alabdulrazzaq, Q. Mohammad, “Symmetric Encryption Algorithms: Review and Evaluation study,” International Journal of Communication Networks and Information Security (IJCNIS), 12(2), pp. 256–272, 2020.
[21] M. U. Bokhari, Q. M. Shallal, “A Review on Symmetric Key Encryption Techniques in Cryptography,” International Journal of Computer Applications, 147(10), pp. 43–48, 2016.
[22] S. Chandra, S. Bhattacharyya, S. Paira, S. S. Alam, “A Study and Analysis on Symmetric Cryptography,” International Conference on Science, Engineering and Management Research (ICSEMR 2014), 2014.
[23] M. Agrawal, P. Mishra, “A comparative survey on symmetric key encryption techniques,” International Journal on Computer Science and Engineering (IJCSE), 4(5), pp. 877–881, 2012.
[24] D. Salama, A. Minaam, H. M. Abdual-Kader, M. M Hadhoud, “Evaluating the Effects of Symmetric Cryptography Algorithms on Power Consumption for Different Data Types,” International Journal of Network Security, pp. 78–87, 2010.
[25] O. P. Verma, R. Agarwal, D. Dafouti, S. Tyagi, “Performance Analysis Of Data Encryption Algorithms,” IEEE Delhi Technological University India, 2011.
[26] A. M. Abdullah, “Advanced Encryption Standard (AES) Algorithm to Encrypt and Decrypt Data,” Cryptography and Network Security, 2017.
[27] V. Parihar, M. A. Kulshrestha, “Blowfish Algorithm: A Detailed Study,” International Journal For Technological Research In Engineering, 3(9), pp. 2253–2255, 2016.
[28] O. Purchina, A. Poluyan, D. Fugariv, “Improving the security level of the information system using the SSL protocol,” Web of conferences, 371, 03067, 2023, doi: 10.1051/e3sconf/202337103067
[29] R. Dastres, M. Soori, “Secure socket layer in the network and web security,” International journal of computer science and information engineering, 14(10), pp. 330–333, 2020.
