 

What is secured about JWT?

I am using JWT in order to produce and consume tokens. After weeks of reading specs and googling, I still don't understand: what is secured about the token if I can produce it on one machine and then open it on another? Is the written token supposed to be encrypted somehow? I am using System.IdentityModel.Tokens and creating the token using JwtSecurityToken and JwtSecurityTokenHandler.

Can someone please point me to focused documentation on the subject that mainly explains the security aspect of it?

eddyuk asked Feb 04 '14 16:02




2 Answers

The first two segments of a JWT aren't encrypted, so any app that generates a JWT on the server and sends it back to a client should do so over SSL. This is typically sent to the user as a response to a request to login which should be sent over SSL anyway because it typically contains a username and password combination. Subsequent requests sent to the server should be done over SSL as well, because no matter what sort of token you use - be it JWT or something else - it should not be visible in unencrypted form to packet sniffing, otherwise user sessions can be hijacked.

The security aspect of JWT comes from the third and final segment. It is generated by signing the first two segments with a secret key that only the server knows. When a JWT that a server generated is sent back to that server as part of an authenticated request, the server knows the key and can therefore validate the signature in the third segment and use that signature to ensure the first two segments have not been modified since being signed by the server.

Steve answered Oct 01 '22 03:10


From what I can tell, the C# implementation of JwtSecurityToken isn't designed to encrypt its contents (as your question seems to imply). It is instead designed to sign its contents. This lines up with the typical security model of a token. It is supposed to be a piece of information that is otherwise secured.

The distinction is that you aren't trying to hide any information, you are just validating the source of the information (as well as the integrity, but that is related).

For instance Twitter could give you a token that has data "eddyuk", "eddyuk's awesome application" and consider that sufficient for authorization. In order to avoid me making my own token for the same purpose, they can sign it so an exact copy of the original token is needed for usage.

This serves two purposes: you don't have to manage a complex mapping scheme, and assuming your signing method is secure, guessing is impossible.

Note that there is a way to store encrypted information in a token using some other implementations, but the C# one does not support that functionality.

Guvante answered Oct 01 '22 03:10
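Both answers make the same point: the header and payload of a JWS-style JWT are readable by anyone, and the only thing the server relies on is the HMAC (or RSA/ECDSA) signature over those two segments. The following is an added example, not code from the original page or from System.IdentityModel.Tokens, that builds an HS256 token with Python's standard library and then shows (a) the claims can be read without any key, (b) a token with an edited payload fails verification, (c) the wrong key fails verification, and (d) an `"alg":"none"` forgery is rejected. The secret and helper names (`mint_jwt`, `peek_claims`, `verify_jwt`, `tamper_payload`, `alg_none_forgery`) are constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret. A real server loads this from a secret store
# and never ships it to clients; anyone holding it can mint valid tokens.
SECRET = b"demo-server-secret-do-not-use-in-production"


def b64url_encode(data: bytes) -> str:
    # JWT segments are base64url with the '=' padding stripped (RFC 7515 s.2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding the encoder removed before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Server side: header.payload signed with HMAC-SHA256 under `key`."""
    signing_input = _json_segment({"alg": "HS256", "typ": "JWT"}) + "." + _json_segment(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def peek_claims(token: str) -> dict:
    """Anyone can do this: the payload is encoded, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Server side: return the claims only if the signature checks out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose 'none' or a different scheme.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison avoids leaking signature bytes via timing.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def tamper_payload(token: str, new_claims: dict) -> str:
    """Attacker: swap the payload but keep the original signature."""
    header_b64, _, sig_b64 = token.split(".")
    return header_b64 + "." + _json_segment(new_claims) + "." + sig_b64


def alg_none_forgery(claims: dict) -> str:
    """Attacker: an unsigned token claiming alg=none (empty third segment)."""
    return _json_segment({"alg": "none", "typ": "JWT"}) + "." + _json_segment(claims) + "."


if __name__ == "__main__":
    token = mint_jwt({"sub": "eddyuk", "app": "eddyuk's awesome application"}, SECRET)
    print("token:", token)
    print("readable without key:", peek_claims(token))
    print("verifies with key:", verify_jwt(token, SECRET) is not None)
    print("tampered verifies:", verify_jwt(tamper_payload(token, {"sub": "admin"}), SECRET) is not None)
    print("wrong key verifies:", verify_jwt(token, b"wrong") is not None)
    print("alg=none verifies:", verify_jwt(alg_none_forgery({"sub": "admin"}), SECRET) is not None)
```

The signature only proves the segments were produced by a holder of `SECRET`; it does nothing to hide them, which is why both answers insist on TLS for transport. Hiding the payload is a separate mechanism (JWE), which the C# handler discussed above does not provide.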