
Nimbus JOSE JWT Encryption with RSA, Private and Public Key

Having doubts about a concept applied in the sample code named "JSON Web Token (JWT) with RSA encryption"

for reference see: http://connect2id.com/products/nimbus-jose-jwt/examples/jwt-with-rsa-encryption

The sample code delivers an RSAEncrypter class which is based on use of the public key, as well as an RSADecrypter class which uses the opposite, a private key.

In a more practical view, I cannot understand why the JSON Web Token was generated this way, as the encrypted information usually will be sent to a client using the JWE format. In parallel, the client extracts the public key from a shared source, like a digital certificate store, or JWK store and then decrypts the information from the JWE data.

My question: Why does the client side use a private key? Why not use the private key at the Encrypter and the public key at the Decrypter class?

Clarifications about the conceptual side of this RSA sample code are welcome.

The objective of encryption, as said in the example, is confidentiality: ensure the data is only read by the intended receiver

An essential security aspect in public key encryption is ensuring the data is encrypted for the intended recipient, and not for some other party, which may compromise the data's confidentiality.

A JSON Web Token issued for authentication between parties is not encrypted; it is digitally signed with the private key. The other party can verify authenticity and integrity with the published public key. But the content is not hidden. An observer could read the message but not modify it.

Encryption is done with the recipient's public key. Only the owner of the matching private key will be able to decrypt the content of the JWT. Due to size restrictions on the data encrypted with an RSA key, in the example an AES symmetric encryption key is generated. The message will be encrypted with the AES key, and this key is encrypted with the RSA public key and embedded into the JWT. The recipient will decrypt the AES key with the RSA private one.
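To make the key direction concrete, here is an added example using the Nimbus JOSE+JWT API (this is not the answer's or the connect2id page's own code). It assumes a Nimbus JOSE+JWT version that provides `RSAKeyGenerator`, and the issuer URL and key ID are placeholder values. The recipient keeps the private key; the sender only ever needs the public key, and a second, unrelated key pair cannot decrypt the token.

```java
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jose.crypto.RSAEncrypter;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWTClaimsSet;
import java.util.Date;

public class JweKeyDirectionDemo {
    public static void main(String[] args) throws Exception {
        // Recipient side: generate the key pair. Only the public half is published
        // (for example in a JWK set); the private half never leaves the recipient.
        RSAKey recipientKey = new RSAKeyGenerator(2048).keyID("recipient-key-1").generate();
        RSAKey recipientPublic = recipientKey.toPublicJWK();   // safe to share

        // Sender side: holds nothing but the recipient's public key.
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .issuer("https://issuer.example")             // placeholder
                .subject("alice")
                .expirationTime(new Date(System.currentTimeMillis() + 60_000))
                .claim("secret", "only the recipient may read this")
                .build();
        JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.RSA_OAEP_256, EncryptionMethod.A256GCM)
                .keyID(recipientPublic.getKeyID())
                .build();
        EncryptedJWT jwt = new EncryptedJWT(header, claims);
        // RSAEncrypter wraps a freshly generated AES content-encryption key with the public key.
        jwt.encrypt(new RSAEncrypter(recipientPublic.toRSAPublicKey()));
        String compact = jwt.serialize();   // header.encryptedKey.iv.ciphertext.tag
        System.out.println("JWE has " + compact.split("\\.").length + " segments");

        // Recipient side: unwrap the AES key with the private key, then decrypt the claims.
        EncryptedJWT received = EncryptedJWT.parse(compact);
        received.decrypt(new RSADecrypter(recipientKey.toRSAPrivateKey()));
        System.out.println("secret = " + received.getJWTClaimsSet().getStringClaim("secret"));

        // Any other private key cannot unwrap the content key: confidentiality holds.
        RSAKey otherKey = new RSAKeyGenerator(2048).generate();
        try {
            EncryptedJWT.parse(compact).decrypt(new RSADecrypter(otherKey.toRSAPrivateKey()));
            System.out.println("unexpected: decrypted with the wrong key");
        } catch (JOSEException e) {
            System.out.println("wrong private key rejected: " + e.getMessage());
        }
    }
}
```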
