Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What are the pros/cons of using JWE or JWS [closed]

Tags:

I'm trying to implement an authentication token system, so I want to know the pros/cons of using JSON Web Encryption (JWE) or JSON Web Signature (JWS), and if it make sense to use both (a JWE inside a JWS).

like image 756
mike83_dev Avatar asked Nov 08 '15 00:11

mike83_dev


People also ask

Should I use JWE?

If you want to implement an authentication system, then JWS must be used to verify authenticity of claims. You can also encrypt your JWS using JWE if some of the claims in your JWS contain sensitive information. But use only JWE is a none sense in your context.

What is JWS and JWE?

JSON Web Signature (JWS) and JSON Web Encryption (JWE) use signature and encryption algorithms defined in JSON Web Algorithm (JWA) as a way of securing themselves. The public key of the signature algorithm defined in the JSON Web Algorithm (JWA) can be hosted as JSON Web Key (JWK).

Is JWS secure?

JWS is used to represent content secured with digital signatures or Hash-based Message Authentication Codes (HMACs) with the help of JSON data structures. It cryptographically secures a JWS Header and JWS Payload with a JWS Signature.


1 Answers

JSON Web Signature (JWS) claims are signed with a signature that can be verified by the server with a secret signing key. This ensures that the claims have not been tampered with when passed between client and server. The contents of JWS token are Base64 encoded and not encrypted (remember encoding is different from encryption!). Base64 encoded data looks encrypted in that it looks like a garbage text but it’s actually trivial to turn back into readable data. Therefore it is always advised to not store any sensitive information in JWT. It is advisable to use JWT only when you want to exchange information between two parties (or between client and server) and no sensitive data is passed as payload in token.

But what if you want to include any private information in a token? You don’t want your sensitive information to be present in a token that is only Base64 encoded that can be easily decoded by any attacker. Fortunately, there is a way to encrypt and guard the claims data with another, a more secure level of protection known as JSON Web Encryption (JWE). It defines a way to encrypt your claims data (which is basically JSON based data structure) so that only intended receiver can read the information present in a token.

The best way to handle a web token is to:

  • Sign it, so that it is well known that the token originated from authorized client.
  • Encrypt it, so that only an authorized server can tell what it says.

We have couple of good libraries available in Java that can encrypt your JSON Web Token:

  1. Jose4J
  2. Nimbus-JOSE-JWT

Both the above libraries are open source (Apache 2.0) implementation of JWT and JOSE (Javascript Object Signing and Encryption) specification suite. They both are quality libraries and you can’t really make a wrong choice. However, JWT.IO has a nice UI to show differences of each available library.

like image 147
Aman Avatar answered Oct 01 '22 12:10

Aman