How do asymmetric signatures work in JSON Web Tokens (JWT)?

Recently I started to study the possibility of using JSON Web Tokens in my projects, given their advantages. From what I understand, there is a symmetric and an asymmetric way of generating the signature for the tokens. The symmetric one seems to be the most common; I've seen it in several examples, signing with the same key stored somewhere in the system (correct me if I'm talking bullshit), as for example in this line using the package jsonwebtoken with Node.js Express:

var token = jwt.sign(user, app.get('superSecret'), {
    expiresInMinutes: 1440
});

Note that all signatures are based on superSecret, previously stored in the variable app.

If this is the symmetric method, how would the asymmetric one be? I do not understand much about encryption, but I know that when we talk about asymmetric keys, there must be a pair of keys: a private key and a public key.

How would this fit into the authentication process of a web application? Could someone explain to me and/or give an example of how JWT works with an asymmetric signature?

And, for that purpose (authentication in a web app), which of the two methods is more secure?

asked by anonymous 20.12.2015 / 01:52

2 answers

JWT is asymmetric cryptography.

JWT stores a private key, which will stay on your server, and when the user requests the public key, JWT uses the private key to generate the public key.

To clarify the concepts involved:

  • Symmetric Encryption

A secret key, which can be a number, a word, or just a sequence of random letters, is applied to the text of a message to change the content in a certain way. For example, changing a vowel by a letter p. Npstp case replaces lptra p by p, vocp p qupm conhpcp to sabp lpr vow to psta mpnsagpm.

  • Asymmetric Cryptography

Any message (text, binary files or documents) that is encrypted using the public key can only be decrypted, applying the same algorithm, and using the corresponding private key.

In this case, supersecret will be the secret key to generate the token and will also be used when the token is sent to tell if the key is valid or not.

You may be confusing this with the issue of the jwt module being synchronous or asynchronous. When you use JWT in this way you block the flow to wait for the token, so the code becomes synchronous.

var token = jwt.sign({ foo: 'bar' }, cert, { algorithm: 'RS256'});

And when you send a callback, it becomes asynchronous.

// The jsonwebtoken callback follows the Node convention (err, token);
// the token is the second argument, not the first.
jwt.sign({ foo: 'bar' }, cert, { algorithm: 'RS256' }, function(err, token) {
  if (err) throw err;
  console.log(token);
});

Security

Regarding the most secure method, the asymmetric method is the safest, since it uses two keys and one of them is kept secret on the server. (Be careful not to leak the server keys, for example by adding the key to the code and saving it in GitHub.)

Asynchronous or synchronous makes no difference as far as security goes, but it makes a difference in performance.

Use cases

  • Symmetric encryption.

In general, it is not advisable in applications, since the key stays with the message. But you can use it to generate your supersecret. The AES standard is symmetric and is used on some routers.

  • Asymmetric Cryptography.

On the internet, where you have to leave public things like the token for your logged-in user, it is the best way. After all, if someone discovers the public key, they would still need the private key to break the information. Most applications use this system.

09.02.2016 / 14:57
Check the module called jwt-simple on NPM. It can solve your problem easily. Copied from NPM's own page:

$ npm install jwt-simple

var jwt = require('jwt-simple');
var payload = { foo: 'bar' };
var secret = 'xxx';

// encode
var token = jwt.encode(payload, secret);

// decode
var decoded = jwt.decode(token, secret);
console.log(decoded); //=> { foo: 'bar' }

22.12.2015 / 06:13