Performance impact of Hybrid Cryptography in securing RESTful API messages using ECIES
Abstract
Over the past decades, as technology has advanced, many businesses have integrated it into their operations, making transactions more convenient. This convenience, however, also introduces security threats against the transmitted data, which often includes highly private information. While payment services should ideally meet security standards for their users, research shows that a misconfigured TLS deployment can expose weaknesses caused by flaws in certain protocol revisions, which could then be leveraged in dictionary attacks. In this research, the author implements hybrid cryptography, combining Elliptic Curve Cryptography with AES in the form of the Elliptic Curve Integrated Encryption Scheme (ECIES), to secure highly private messages sent over REST APIs, and assesses its impact on performance. In the proposed system, every message containing personal data is protected end to end: each payload sent and received is encrypted with ECIES (using AES) on top of the HTTPS connection. The result is a slight performance degradation of 57 to 230 milliseconds, about 15.57% over the baseline implementation with no application-layer encryption. Although this degradation may seem minimal, it underscores the trade-off between performance and security. The increased duration still stays within the currently accepted maximum of 8 seconds for a transaction request, and the expected completion time y of a request under the proposed system can be estimated with the linear model y = 0.01156x + 1.23, with an RMSE of 3.71.
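The construction the abstract describes, an ephemeral ECDH agreement on an elliptic curve, a key derivation step, and AES for the payload, carried inside the JSON body of an HTTPS request, as an added example. This is not the paper's code: the abstract does not state the curve, the KDF, the AES mode or the wire format, so P-256, HKDF-SHA256, AES-256-GCM, the envelope layout, the `kdfInfo` label, the `payload` field name and the use of the HTTP method and path as associated data are all assumptions made here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Wire layout of one ECIES envelope (assumed; the abstract gives no format):
//   ephemeral P-256 public key (65 bytes, uncompressed) || 12-byte GCM nonce || AES-256-GCM ciphertext+tag
const (
	ephPubLen = 65
	nonceLen  = 12
	tagLen    = 16
)

// kdfInfo is a domain-separation label for the derived key (assumed value).
var kdfInfo = []byte("ecies-rest-api-v1")

// deriveKey runs HKDF-SHA256 (RFC 5869 extract + one expand block) over the ECDH
// shared secret. The ephemeral public key is mixed into the expand step so the
// AES key is bound to the exact key agreement that produced it.
func deriveKey(shared, ephPub []byte) []byte {
	extract := hmac.New(sha256.New, nil) // empty salt == HashLen zero bytes
	extract.Write(shared)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(ephPub)
	expand.Write(kdfInfo)
	expand.Write([]byte{0x01})
	return expand.Sum(nil) // 32 bytes: the AES-256 key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext for the holder of recipient. aad is authenticated but
// not encrypted; binding the HTTP method and path to the body stops a captured
// envelope from being replayed against a different endpoint.
func Encrypt(recipient *ecdh.PublicKey, plaintext, aad []byte) ([]byte, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recipient)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm, err := newGCM(deriveKey(shared, ephPub))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(append(make([]byte, 0, ephPubLen+nonceLen+len(plaintext)+tagLen), ephPub...), nonce...)
	return gcm.Seal(out, nonce, plaintext, aad), nil
}

// Decrypt reverses Encrypt. NewPublicKey rejects points that are not on P-256,
// which is the check that defeats invalid-curve attacks on the recipient's key.
func Decrypt(priv *ecdh.PrivateKey, envelope, aad []byte) ([]byte, error) {
	if len(envelope) < ephPubLen+nonceLen+tagLen {
		return nil, errors.New("ecies: envelope too short")
	}
	ephPub, err := ecdh.P256().NewPublicKey(envelope[:ephPubLen])
	if err != nil {
		return nil, fmt.Errorf("ecies: bad ephemeral key: %w", err)
	}
	shared, err := priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(deriveKey(shared, envelope[:ephPubLen]))
	if err != nil {
		return nil, err
	}
	nonce := envelope[ephPubLen : ephPubLen+nonceLen]
	pt, err := gcm.Open(nil, nonce, envelope[ephPubLen+nonceLen:], aad)
	if err != nil {
		return nil, errors.New("ecies: authentication failed") // one error for all tag failures
	}
	return pt, nil
}

func main() {
	// Server long-term key; the client would fetch the public half over HTTPS.
	serverKey, _ := ecdh.P256().GenerateKey(rand.Reader)
	body := []byte(`{"card_number":"4111111111111111","holder":"A. Example"}`) // constructed sample
	route := []byte("POST /v1/payments")
	env, err := Encrypt(serverKey.PublicKey(), body, route)
	if err != nil {
		panic(err)
	}
	// The JSON body carried over HTTPS holds only the base64 envelope.
	fmt.Printf("{\"payload\":%q}\n", base64.StdEncoding.EncodeToString(env))
	pt, err := Decrypt(serverKey, env, route)
	fmt.Println(string(pt), err)
}
```

Because the ephemeral key, nonce and tag add 93 bytes and two extra public-key operations per message, this is where the per-request overhead the abstract measures comes from; the GCM tag also means a modified or re-routed envelope fails closed instead of decrypting to garbage.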