DEPARTMENT OF COMPUTER SCIENCE

PROPOSAL
UNIVERSITY OF ENGINEERING & TECHNOLOGY TAXILA

WEB API HMAC AUTHENTICATION


SUBMITTED BY: ALEEZA ANJUM
SUBMITTED TO: SIR AWAIS AWAN
REG NO: 20-CS-101
SECTION: ALPHA
(followed Fyp proposal documentation)
Introduction:

Summary: We present the innovative Lazy Eye App, a cutting-edge mobile application that harnesses the power of data science and deep learning to revolutionize amblyopia (lazy eye) therapy. Designed especially for children, this app offers a holistic solution that combines personalized exercises, gamification elements, progress tracking, and educational resources, all driven by advanced data-driven technologies.

Objectives:

• Data-Driven Personalization: Our approach employs advanced data science algorithms to analyze user profiles, therapy plans, and historical progress data. This dynamic adaptation of exercises and difficulty levels optimizes therapy based on individual needs and progress.
• Deep Learning for Exercise Enhancement: We integrate deep learning models to refine exercises. By continuously analyzing user interactions and feedback, the app ensures a continually improving therapy experience for maximum visual stimulation and therapeutic impact.
• Progress Prediction: Our predictive models utilize historical data to estimate future progress, enhancing user motivation by illustrating potential improvements and suggesting exercise adjustments.
• Feedback and Monitoring: Through computer vision and machine learning, real-time feedback during exercises enhances user understanding of progress and encourages better technique.
• Advanced Gamification: Our data-driven gamification approach tailors rewards, challenges, and personalized achievements to user preferences, fostering high engagement.
• Customized Exercise Generation: Deep learning algorithms generate exercises that match user preferences, therapy goals, and historical performance data, providing an ever-evolving and engaging exercise catalog.
• Optimized Progress Tracking: We offer data visualization tools that showcase user progress over time, integrating insights from data analysis to highlight improvements and areas for focus.
• Machine Learning-Driven Insights: By employing machine learning, users gain insights into their therapy journey through pattern recognition, correlations, and progress-influencing factors.
• Collaborative Research: Our app encourages collaboration with data scientists, researchers, and eye care professionals to refine data-driven approaches, validate effectiveness, and contribute to scientific advancements in the field.
• Ethical Data Handling: Ensuring ethical and secure data handling, our app obtains informed consent and employs privacy measures to safeguard user information.

Conclusion: The Lazy Eye App with Data Science and Deep Learning Integration redefines amblyopia therapy through emerging technologies. Combining personalized exercises, predictive modeling, deep learning-enhanced activities, and data-driven gamification, our app offers an engaging and effective platform for vision therapy. This innovative approach not only motivates users but also advances vision rehabilitation through collaborative research and evidence-based practices. We invite you to explore this groundbreaking initiative, aligning with our commitment to improving lives through technology.

The Lazy Eye App is a valuable tool because it uses the latest tech to help people
with lazy eyes. Out of 10 people, almost 2 are victims of this disease, and they can't
properly see/focus. This app stands out because it will help them to cure this
disease without costly therapies, and it also has a vast scope in ophthalmology. It
combines two emerging technologies: data science and deep learning. Data
science helps the app understand each person's needs and progress, so it can
create exercises that work best for them. Deep learning is like a super-smart
computer that makes the exercises better as people use them more. The app can
even guess how much someone's eyes might improve in the future. And guess
what? It's also like a fun game! The app uses this data to make the exercises feel
like a game personalized just for you. It keeps you interested and wanting to do
the exercises. Plus, it keeps making new exercises that match what you like. So,
this app is a special blend of new technology and fun, all to help people with lazy
eyes see better.

In the rapidly evolving landscape of web API security, the "Web API HMAC
Authentication" project stands as a pivotal endeavor, employing the robust Hash-based
Message Authentication Code (HMAC) mechanism. At its core, HMAC ensures
data integrity and authentication by generating a unique Message Authentication
Code, contingent upon a shared Private Secret API Key and a Public Shared APP
ID. The server, responsible for key generation, securely transmits these credentials
to the client, fostering a foundation of trust.
This proposal delves into the intricacies of HMAC authentication, shedding light
on its core components: the generation of HMAC signatures on the client side and
the subsequent verification process on the server side. Through careful
consideration of parameters such as HTTP method, APP ID, nonce, request URI,
and timestamp, HMAC authentication not only fortifies against data tampering but
also safeguards against unauthorized requests and replay attacks. With a nuanced
understanding of HMAC's inner workings, this project positions itself as a reliable
solution for developers seeking to enhance the security posture of their web APIs.
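
The client-side signing and server-side verification described above, as an added example (not code from this proposal or its references). It assumes HMAC-SHA256, a newline-joined canonical string, a 300-second freshness window and an in-memory nonce set; `HmacDemo`, `demo-app-id` and the sample URI are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

static class HmacDemo
{
    // Canonical string over the five fields the proposal lists; '\n' separates them
    // so a value cannot be shifted between fields without changing the MAC.
    static string Sign(byte[] key, string method, string appId, string nonce, string uri, long ts)
    {
        string canonical = string.Join("\n", method.ToUpperInvariant(), appId, nonce, uri, ts.ToString());
        using (var h = new HMACSHA256(key))
            return Convert.ToBase64String(h.ComputeHash(Encoding.UTF8.GetBytes(canonical)));
    }

    // Compare without an early exit so timing does not reveal how many characters matched.
    static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static readonly HashSet<string> SeenNonces = new HashSet<string>(); // demo only: expire entries in production
    const long MaxSkewSeconds = 300;                                    // assumed freshness window

    // Server side: look up the key by APP ID, check freshness, check the MAC, then record the nonce.
    static string Verify(Dictionary<string, byte[]> keys, string method, string appId,
                         string nonce, string uri, long ts, string sig, long now)
    {
        if (!keys.TryGetValue(appId, out byte[] key)) return "unknown app id";
        if (Math.Abs(now - ts) > MaxSkewSeconds) return "stale timestamp";
        if (!FixedTimeEquals(Sign(key, method, appId, nonce, uri, ts), sig)) return "bad signature";
        if (!SeenNonces.Add(appId + ":" + nonce)) return "replayed nonce"; // recorded only after the MAC checks out
        return "ok";
    }

    static void Main()
    {
        var key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);  // server-generated secret key
        var keys = new Dictionary<string, byte[]> { ["demo-app-id"] = key }; // constructed APP ID
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        string nonce = Guid.NewGuid().ToString("N"), uri = "/api/orders?id=7";
        string sig = Sign(key, "GET", "demo-app-id", nonce, uri, now);
        Console.WriteLine(Verify(keys, "GET", "demo-app-id", nonce, uri, now, sig, now));               // first use
        Console.WriteLine(Verify(keys, "GET", "demo-app-id", nonce, uri, now, sig, now));               // same request again
        Console.WriteLine(Verify(keys, "GET", "demo-app-id", "n2", "/api/orders?id=8", now, sig, now)); // URI changed
    }
}
```

This canonical string covers only the five fields named above; a request body would need its hash added as a further field to be protected.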

Objectives:

• To ensure robust data integrity and authentication in web API communications.
• Generate and securely manage Public Shared APP IDs and Private Secret API Keys to establish trust between clients and servers.
• Mitigate risks of unauthorized access and replay attacks by utilizing HMAC signatures with parameters like HTTP method, APP ID, nonce, request URI, and timestamp.
• Create a seamless integration of HMAC authentication into C#-based web APIs, prioritizing ease of use for developers.

Problem Description:
The existing landscape of web API security is riddled with vulnerabilities, marked
by the persistent threats of unauthorized access and data tampering. Current
authentication methods often prove inadequate, leaving APIs susceptible to
breaches that compromise data integrity. The absence of a standardized and robust
solution exacerbates the challenge, particularly in C# applications using the .NET
framework. Developers grapple with the complexity of integrating effective
security measures seamlessly into their systems. Traditional approaches fall short
in providing foolproof protection, leaving APIs exposed to potential replay attacks.
This project emerges in response to these critical shortcomings, aiming to
implement HMAC authentication to establish a secure and reliable foundation for
web API communication, alleviate developer concerns, and mitigate the risks
associated with contemporary security vulnerabilities.
Methodology:
We are following the Software Engineering Process, and accordingly the
following phases will be covered:
Requirements Gathering:

In this phase we will note the main functional and non-functional
requirements. The functional requirements include, for example, HMAC Generation,
Key Generation, the Authentication process and Secure key handling.
The non-functional requirements are a user-friendly interface that is easy to use,
works smoothly, is compatible and reliable on all OS, maintains its structure, etc. It should
be usable and reliable.
Refine:
We will repeat the requirements analysis and add all the required functionalities.
Design documentation:
First, we create the UI of all screens on sigma, designing UML diagrams and flow
charts based on the functional requirements.
We will follow the Agile development model for this project as it will allow
flexibility in incorporating changes.
Data Flow Diagram:

Implementation:
The design and functional requirements will be implemented using the backend and
front-end technologies. In this phase, we will mainly go over the technical aspects
of coding.

Testing:
We will create test cases and run the application through them to assess each module,
combine the modules, and subsequently conduct a comprehensive test of the entire
application.

Project Scope:

• Implement a robust HMAC authentication mechanism within the .NET framework to enhance the security of existing web APIs developed in C#.
• Develop and integrate HMAC generation and verification modules, ensuring seamless communication between clients and servers while maintaining data integrity.
• Design a secure key generation process, allowing servers to create and share unique Public Shared APP IDs and Private Secret API Keys with clients for authentication purposes.
• Provide comprehensive documentation and integration guidelines for developers, facilitating the straightforward adoption of HMAC authentication in both new and existing C#-based web APIs.

Solution Application Areas

• The implementation of HMAC authentication in the "Web API HMAC Authentication" project ensures a heightened level of security in the exchange of data between clients and servers. By leveraging unique HMAC signatures, the project guards against unauthorized access, data tampering, and potential replay attacks, instilling confidence in the integrity of information exchanged.
• The solution finds application in diverse sectors, ranging from finance and healthcare to e-commerce and government services. Its adaptability to various web service and API scenarios positions it as a versatile security measure, addressing the specific needs of industries where secure data communication is paramount.

In conclusion, this implementation not only elevates the level of trust in data
exchanges but also showcases its applicability across different domains. As a
result, developers and organizations can confidently adopt this authentication
mechanism, ensuring a secure and reliable communication channel in the dynamic
landscape of web services and API interactions.

Tools/Technology:

• C#
• ASP.NET Web API
• Visual Studio
• .NET Framework

Expertise of the Team Members:

• C#
• .NET Framework
• Visual Studio

Milestones:

Task                      Start date (DD/MM/YY)   End date (DD/MM/YY)
Requirements Gathering    10/11/2022              20/11/2022
Requirements Refinement   21/11/2022              29/11/2022
Design / prototyping      1/12/2022               20/12/2022
Implementing front-end    22/12/2022              20/1/2023
Creating Database         22/1/2023               15/2/2023
Normalizing               16/2/2023               20/2/2023
Implementing backend      22/2/2023               22/3/2023
Testing modules           25/3/2023               15/4/2023
Documentation             20/4/2023               15/5/2023
Final Run                 20/5/2023               1/6/2023
