JWT encrypt payload information

Submitted by 老子叫甜甜 on 2020-06-22 08:29:04

Question


I'm new to JWT technology and I've been reading a lot about it.

I know JWT has 3 parts:

  1. HEADER: ALGORITHM & TOKEN TYPE
  2. PAYLOAD: DATA
  3. SIGNATURE TO BE VERIFIED WITH THE SECRET KEY

Is it possible to encrypt the Payload information? I mean, let's say for instance I have this payload information in my token:

{
    "iss": "joe",
    "exp": "1300819380",
    "data": {
        "id": "12",
        "userName": "PH",
        "qntRed": "7",
        "qntGrad": {
            "1": "800",
            "2": "858",
            "3": "950",
            "4": "745",
            "5": "981"
        }
    }
}

And let's say "qntGrad" is sensitive information. Is it possible to encrypt that too with the secret key? Is it still a JWT token?


Answer 1:


In fact there is not only the signed JWT, but several technologies described by RFCs:

  • JWS JSON Web Signature (RFC 7515)
  • JWT JSON Web Token (RFC 7519)
  • JWE JSON Web Encryption (RFC 7516)
  • JWA JSON Web Algorithms (RFC 7518)
  • JWK JSON Web Key (RFC 7517)

In your case, read RFC 7516 (JWE). A JWE has 5 parts:

  • Protected Header
  • Encrypted Key
  • Initialization Vector
  • Ciphertext
  • Authentication Tag

Depending on your platform, you may find a library that will help you to create such encrypted JWTs. Concerning PHP, I am writing a library that is already able to load and create these JOSE objects.
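A JWE with exactly those five segments, written out as an added example in Go (standard library only). This is not code from the answer above or from the PHP library it mentions. It uses alg "dir", so the 256-bit content-encryption key is shared out of band and the Encrypted Key segment is empty, together with enc "A256GCM"; the function names, the demo key and the claims are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JOSE segments are base64url without padding (RFC 7515 section 2)

// newA256GCM returns the AEAD behind enc "A256GCM"; the key must be exactly 256 bits.
func newA256GCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("A256GCM needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptJWE builds a JWE compact serialization with alg "dir" and enc "A256GCM". The five
// dot-separated segments are the ones Answer 1 lists: protected header, encrypted key (empty
// for "dir", where the key is shared out of band), IV, ciphertext and authentication tag.
func EncryptJWE(key, payload []byte, extraHeader map[string]string) (string, error) {
	hdr := map[string]string{"alg": "dir", "enc": "A256GCM"}
	for k, v := range extraHeader {
		hdr[k] = v // e.g. "typ":"JWT", or "cty":"JWT" when the payload is a signed JWT
	}
	hdrJSON, _ := json.Marshal(hdr)
	protected := b64.EncodeToString(hdrJSON)
	gcm, err := newA256GCM(key)
	if err != nil {
		return "", err
	}
	iv := make([]byte, gcm.NonceSize()) // 96-bit IV; must never repeat under one key
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	// RFC 7516 section 5.1: AAD = ASCII(BASE64URL(protected header)), so the tag also covers the header.
	sealed := gcm.Seal(nil, iv, payload, []byte(protected))
	tagAt := len(sealed) - gcm.Overhead()
	return strings.Join([]string{
		protected,
		"", // Encrypted Key segment: empty because alg is "dir"
		b64.EncodeToString(iv),
		b64.EncodeToString(sealed[:tagAt]),
		b64.EncodeToString(sealed[tagAt:]),
	}, "."), nil
}

// DecryptJWE reverses EncryptJWE. It pins alg/enc before touching the ciphertext, so a rewritten
// header is refused, and any change to header, IV, ciphertext or tag makes gcm.Open fail.
func DecryptJWE(key []byte, token string) ([]byte, map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 5 {
		return nil, nil, errors.New("a JWE compact serialization has five segments")
	}
	var hdr map[string]interface{}
	if hdrJSON, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hdrJSON, &hdr) != nil {
		return nil, nil, errors.New("malformed protected header")
	}
	if hdr["alg"] != "dir" || hdr["enc"] != "A256GCM" || parts[1] != "" {
		return nil, nil, errors.New("unexpected alg/enc or non-empty encrypted key")
	}
	var raw [3][]byte // IV, ciphertext, tag
	for i := range raw {
		var err error
		if raw[i], err = b64.DecodeString(parts[2+i]); err != nil {
			return nil, nil, err
		}
	}
	gcm, err := newA256GCM(key)
	if err != nil {
		return nil, nil, err
	}
	if len(raw[0]) != gcm.NonceSize() {
		return nil, nil, errors.New("bad IV length") // gcm.Open panics on a wrong-sized nonce
	}
	plain, err := gcm.Open(nil, raw[0], append(raw[1], raw[2]...), []byte(parts[0]))
	if err != nil {
		return nil, nil, errors.New("authentication failed: wrong key or modified token")
	}
	return plain, hdr, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key
	tok, err := EncryptJWE(key, []byte(`{"iss":"joe","data":{"qntGrad":{"1":"800"}}}`), map[string]string{"typ": "JWT"})
	fmt.Println(tok, err)
	plain, hdr, err := DecryptJWE(key, tok)
	fmt.Println(string(plain), hdr, err)
}
```

Because the protected header is the AEAD's additional data, DecryptJWE rejects a token whose header was rewritten, and because the tag is checked before anything is returned, a flipped ciphertext bit produces an error rather than altered claims. The nested form from RFC 7519 section 5.2 (sign first, then encrypt) is the same call with the signed JWS as the payload and "cty": "JWT" in the extra header, and the result is still a JWT.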




Answer 2:


Not encrypting the token means that other external services can read and validate that the token is in fact authentic without having access to your private key. (They would only need the public key)
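The trade-off in Answer 2, made concrete in an added example (Go standard library; not code from the answer): an ES256-signed JWS. ReadClaims recovers the payload with no key at all, and VerifyES256 needs only the public key, which is what lets unrelated services check the token without ever holding the signing key. The key pair, the claims and the function names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JOSE segments are base64url without padding

// SignES256 produces a JWS compact serialization (RFC 7515): header.payload.signature.
// Only the private key can produce it; the payload itself is merely base64url-encoded.
func SignES256(priv *ecdsa.PrivateKey, claims map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// JWS carries R||S, each left-padded to 32 bytes (RFC 7518 section 3.4),
	// not the ASN.1 DER encoding most crypto libraries emit by default.
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// ReadClaims decodes the payload without any key and without checking the signature:
// everyone who sees the token can do this, which is why sensitive claims need JWE.
func ReadClaims(token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("a JWS compact serialization has three segments")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	return claims, json.Unmarshal(payload, &claims)
}

// VerifyES256 is what the external service from Answer 2 runs: it needs only the public
// key. It pins alg to ES256 so a header rewritten to "none" or an HMAC alg is refused.
func VerifyES256(pub *ecdsa.PublicKey, token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("a JWS compact serialization has three segments")
	}
	var hdr map[string]interface{}
	if hdrJSON, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hdrJSON, &hdr) != nil {
		return nil, errors.New("malformed header")
	}
	if hdr["alg"] != "ES256" {
		return nil, errors.New("unexpected alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("malformed ES256 signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature invalid")
	}
	return ReadClaims(token)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed demo key pair
	tok, _ := SignES256(priv, map[string]interface{}{"iss": "joe", "data": map[string]string{"userName": "PH"}})
	fmt.Println(tok)
	claims, _ := ReadClaims(tok) // no key needed: the payload is readable by anyone
	fmt.Println(claims)
	_, err := VerifyES256(&priv.PublicKey, tok) // only the public key is needed
	fmt.Println("verified:", err == nil)
}
```

The verifier reads alg from the header only to confirm it is the one it expects; it never lets the header choose the algorithm, which is the mistake behind the classic "alg": "none" and RS256-to-HS256 confusion bugs.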




Answer 3:


Below is a very simple and effective method for encrypting using AES. Note you will need to get your own key (link included in comments).

Note that when you encrypt, it will set an IV for each encryption call. You will need this to decrypt.

using System;
using System.Security.Cryptography;
using System.Text;

public class CustomEncryption
{
    // AES-256-CBC with PKCS7 padding. Each call generates a fresh random IV and hands it
    // back through `iv`; store it next to the ciphertext, because Decrypt256 needs it.
    // CBC by itself gives confidentiality only: nothing here detects a modified ciphertext,
    // so pair it with a MAC (or use an authenticated mode) where tampering matters.
    public static string Encrypt256(string text, byte[] AesKey256, out byte[] iv)
    {
        using (AesCryptoServiceProvider aes = new AesCryptoServiceProvider())
        {
            aes.BlockSize = 128;
            aes.KeySize = 256;
            aes.Key = AesKey256;            // the caller's key
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            iv = aes.IV;                    // random IV generated by the provider

            byte[] src = Encoding.Unicode.GetBytes(text);

            using (ICryptoTransform encrypt = aes.CreateEncryptor())
            {
                byte[] dest = encrypt.TransformFinalBlock(src, 0, src.Length);
                return Convert.ToBase64String(dest);
            }
        }
    }

    public static string Decrypt256(string text, byte[] AesKey256, byte[] iv)
    {
        using (AesCryptoServiceProvider aes = new AesCryptoServiceProvider())
        {
            aes.BlockSize = 128;
            aes.KeySize = 256;
            aes.IV = iv;                    // the IV returned by Encrypt256
            aes.Key = AesKey256;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;

            byte[] src = Convert.FromBase64String(text);

            using (ICryptoTransform decrypt = aes.CreateDecryptor())
            {
                byte[] dest = decrypt.TransformFinalBlock(src, 0, src.Length);
                return Encoding.Unicode.GetString(dest);
            }
        }
    }

    // Placeholder key so the sample compiles; pass it as AesKey256 when trying the code.
    // You will need to get your own AES key; for testing you can generate one from
    // https://asecuritysite.com/encryption/keygen
    public static byte[] aesKey256()
    {
        return new byte[] { 1, 2, 3, 4, 5, 6, 7, 8, 9, 1, 2, 3, 4, 5, 6, 7, 8, 9, 1, 2, 3, 4, 5, 6, 7, 8, 9, 1, 2, 3, 4, 5 };
    }
}
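What Answer 3's construction does and does not give you, as an added example in Go (not the answer's own code, which is C#): the same AES-256-CBC with a random IV and PKCS#7 padding, followed by an encrypt-then-MAC variant. CBC keeps the payload confidential, but without a MAC nothing detects modification: whoever can guess the first 16 bytes of plaintext (the opening of a JSON object is easy to guess) can rewrite them by XORing the IV, and decryption still succeeds with valid padding. An HMAC over IV and ciphertext, checked before decrypting, closes that gap; it is the role the Authentication Tag plays in a JWE. Keys, claims and function names are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// EncryptCBC mirrors Answer 3: AES-256-CBC, a fresh random IV per call, PKCS#7 padding, no MAC.
func EncryptCBC(key, plaintext []byte) (iv, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	iv = make([]byte, aes.BlockSize)
	if _, err = rand.Read(iv); err != nil {
		return nil, nil, err
	}
	padded := pkcs7Pad(append([]byte(nil), plaintext...))
	ct = make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return iv, ct, nil
}

// DecryptCBC is the inverse. It can only complain about malformed padding, never about tampering.
func DecryptCBC(key, iv, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("bad IV or ciphertext length")
	}
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ct)
	return pkcs7Unpad(out)
}

// ForgeIV is the CBC malleability: the first plaintext block is D(C1) XOR IV, so XORing the IV
// with (known XOR wanted) turns a known first block into a chosen one. No key is involved;
// known and wanted must be the same length, at most one block.
func ForgeIV(iv, known, wanted []byte) []byte {
	forged := append([]byte(nil), iv...)
	for i := range known {
		forged[i] ^= known[i] ^ wanted[i]
	}
	return forged
}

func macTag(macKey, iv, ct []byte) []byte {
	m := hmac.New(sha256.New, macKey) // HMAC-SHA256 over IV||ciphertext, under its own key
	m.Write(iv)
	m.Write(ct)
	return m.Sum(nil)
}

// SealCBCThenMAC adds the missing integrity check (encrypt-then-MAC, the pattern behind
// JWE's A128CBC-HS256 family): the tag is returned alongside IV and ciphertext.
func SealCBCThenMAC(encKey, macKey, plaintext []byte) (iv, ct, tag []byte, err error) {
	if iv, ct, err = EncryptCBC(encKey, plaintext); err != nil {
		return nil, nil, nil, err
	}
	return iv, ct, macTag(macKey, iv, ct), nil
}

// OpenCBCThenMAC checks the tag in constant time before any decryption happens.
func OpenCBCThenMAC(encKey, macKey, iv, ct, tag []byte) ([]byte, error) {
	if !hmac.Equal(macTag(macKey, iv, ct), tag) {
		return nil, errors.New("MAC mismatch: IV or ciphertext was modified")
	}
	return DecryptCBC(encKey, iv, ct)
}

func main() {
	key, macKey := bytes.Repeat([]byte{0x11}, 32), bytes.Repeat([]byte{0x22}, 32) // constructed demo keys
	claims := []byte(`{"qntGrad":"800"}`)                                       // first 16 bytes are predictable JSON
	iv, ct, _ := EncryptCBC(key, claims)
	forged, err := DecryptCBC(key, ForgeIV(iv, claims[:16], []byte(`{"qntGrad":"999"`)), ct)
	fmt.Printf("CBC without MAC: %s (err=%v)\n", forged, err)
	iv, ct, tag, _ := SealCBCThenMAC(key, macKey, claims)
	_, err = OpenCBCThenMAC(key, macKey, ForgeIV(iv, claims[:16], []byte(`{"qntGrad":"999"`)), ct, tag)
	fmt.Println("CBC then HMAC:", err)
}
```

The forged IV only changes the first block, so the padding in the last block stays valid and DecryptCBC returns the rewritten claims without any error; the MAC variant refuses the same input before the cipher is ever run. The C# code's UTF-16 plaintext does not change the picture, it only changes which bytes an attacker needs to guess.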



Source: https://stackoverflow.com/questions/34136770/jwt-encrypt-payload-information
