Encrypting JWT payload

JWTs have 3 parts:

  1. HEADER: ALGORITHM & TOKEN TYPE
  2. PAYLOAD: DATA
  3. SIGNATURE, TO BE VERIFIED WITH THE SECRET KEY

Is it possible to encrypt the payload? Following is my token's payload:

{
    "iss": "joe",
    "exp": "1300819380",
    "data": {
        "id": "12",
        "userName": "PH",
        "qntRed": "7",
        "qntGrad": {
            "1": "800",
            "2": "858",
            "3": "950",
            "4": "745",
            "5": "981"
        }
    }
}

If "qntGrad" contains sensitive data, can I encrypt it using the secret key? Will it still be a valid JWT?

Paulo Henrique Queiroz asked Dec 07 '15 15:12



1 Answer

In fact there is not only the signed JWT, but several technologies described by RFCs:

  • JWS, JSON Web Signature (RFC 7515)
  • JWT, JSON Web Token (RFC 7519)
  • JWE, JSON Web Encryption (RFC 7516)
  • JWA, JSON Web Algorithms (RFC 7518)
  • JWK, JSON Web Key (RFC 7517)

In your case, read RFC 7516 (JWE). A JWE has 5 parts:

  • Protected Header
  • Encrypted Key
  • Initialization Vector
  • Ciphertext
  • Authentication Tag

Depending on your platform, you may find a library that will help you to create such encrypted JWTs. Concerning PHP, I am writing a library that is already able to load and create these JOSE objects.

Spomky-Labs answered Sep 30 '22 00:09