How do asymmetric signatures work in JSON Webtokens (JWT)?

Asked

Viewed 1,523 times

3

I recently started to study the possibility of starting to use JSON Webtokens in my projects, given their advantages. From what I understand, there is a symmetrical form and an asymmetric way of generating the signature for the tokens. The symmetric seems to be the most common, which I have seen in several examples, signing from the same key stored somewhere in the system (correct me if I’m talking nonsense), as for example in this line using the package jsonwebtoken with Node.js Express:

 var token = jwt.sign(user, app.get('superSecret'), {
     expiresInMinutes: 1440
 });

Note that all signatures are based on superSecret, previously stored in the variable app.

If this is the symmetrical method, what would the asymmetrical one look like? I don’t know much about cryptography, but I do know that when we talk about asymmetrical keys, there must be a pair of keys: a private and a public key.

How would this fit into the authentication process of a web application? Someone could explain to me and/or give an example of how JWT works with asymmetrical signature?

And yet, for that purpose (authentication in a web app), which of the two methods is safer?

javascript node.js express token jwt

2 answers

3

The JWT he is an asymmetrical cryptographic.

JWT stores a private key, which will stay on your server and when the user requests the public key, JWT uses the private key to generate the public key.

To clarify the concepts involved.

  • Symmetric encryption

A secret key, which can be a number, a word or just a sequence of random letters, is applied to the text of a message to change the content in a certain way. For example, replacing a vowel with a letter p. Npstp if you replace lptra p with p, vocp p qupm conhpcp the vowel sabp lpr a psta mpnsagpm.

  • Asymmetrical cryptography

Any message (text, binary files or documents) that is encrypted using the public key can only be decrypted by applying the same algorithm, and using the corresponding particular key.

In case the supersecret will be the secret key to generate the token(public key) and will also be used when the token is sent to tell whether the key is valid or not.

Maybe you’re confusing the question of being synchronous and asynchronous of the jwt module. When you use JWT this way you lock the flow to wait for the token, the code synchronises. 

var token = jwt.sign({ foo: 'bar' }, cert, { algorithm: 'RS256'});

And when you send a callback, it becomes asynchronous.

jwt.sign({ foo: 'bar' }, cert, { algorithm: 'RS256' }, function(token) {
  console.log(token);
});

Security

Regarding the most secure methods, the asymmetric method is the most secure, since they use two keys and one is kept secret on the server. (Be careful not to leak the server keys. Or add the key and save to Github)

As for the asynchronous or synchronous method it makes no difference, as for safety, but it makes a difference as to performance.

Use cases

  • Symmetric encryption.

In general it is not advisable in applications, since the key gets message. But you can use to generate your supersecret. The pattern [AES][1] is symmetric and used on some routers.

  • Asymmetrical cryptography.

On the internet where you have to leave public things as the token for your user who is logged in, it is best way. After all if someone discovers the public key would need the private key to break the information. A lot of applications use this system.

  • 1

    Thank you very much for the answer. Very enlightening. I could exemplify cases where it would be better for me to use asymmetric rather than symmetric cryptography?

  • I’ll add the answer.

0

Check the NPM module called jwt-simple. It can solve your problem easily. Transcription of the NPM itself:


$ npm install jwt-simple

var jwt = require('jwt-simple');
var payload = { foo: 'bar' };
var secret = 'xxx';

// encode 
var token = jwt.encode(payload, secret);

// decode 
var decoded = jwt.decode(token, secret);
console.log(decoded); //=> { foo: 'bar' }

  • Oops! So, as for this method, I have no doubt as to how it works, and that’s exactly what I was doing in Node.js using the package I mentioned in the question. My question is actually how the Asymmetric signature works. I believe that the one that is commonly done, and that you demonstrated, is the symmetric, where you use the same 'secret' to sign all tokens...

Browser other questions tagged javascript node.js express token jwt

You are not signed in. Login or sign up in order to post.