JWT — JWS or JWE? JWK? JWKS?

Karanbir Singh
5 min read · Jun 23, 2023

I have always been impressed by JWTs: the concept, the way they are used, and the technicalities around them. They are what pushed me to learn the details of key pairs (private + public keys), cryptography and so on. In this post I want to share the brief (less is good) details.

JWT: JSON Web Token (RFC 7519). It is a standard for a set of JSON claims, and a JWT is carried in one of two forms, JWS or JWE. So when we say JWT it is actually one of these two: either a signed token or an encrypted token.

JWS: JSON Web Signature (RFC 7515). The payload is signed, not encrypted, so it can be inspected in flight; the content is visible to anyone who holds the token.

JWE: JSON Web Encryption (RFC 7516). The payload is encrypted, so it cannot be read in flight; the recipient has to decrypt it to see the content.

Basics first — Symmetric vs Asymmetric?

Symmetric Key

When the same key is used for both directions of an operation it is a symmetric key: a single key both signs and verifies, or both encrypts and decrypts. The consequence is that everyone who can verify can also forge, so the key is a shared secret that only the trusting parties may hold.

Asymmetric Key

An asymmetric key is different: each direction of the operation uses a different key. One operation uses one key of the pair, the reverse operation uses the other. The pair consists of a public key and a private key.

Signing — private key is used.
Validating the signature — public key is used.

Encryption — public key is used to encrypt data.
Decryption — private key is used to get original content back.

JWS — Json Web Signature

A JWS is created by cryptographically signing the payload: with the private key in the asymmetric case, or with the shared key in the symmetric case.

The receiving system validates the integrity of the token by verifying the signature. The payload itself is not hidden: each part of the token is only base64url-encoded, so anyone holding the token can decode and read it.

The three parts of a JWS token are:

  • Header (the JOSE header: the algorithm alg, the type, and optionally a kid naming the key)
  • Payload (the JWT claims; some people call it the body, though the specification calls it the payload)
  • Signature

In compact serialization the three parts are base64url-encoded and joined with dots: header.payload.signature. Example (its header decodes to {"alg":"ES256","typ":"JWT"}):

eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.tyh-VfuzIxCyGYDlkBA7DfyjrqmSHu6pQ2hoZuFqUSLPNY2N0mpHb3nk5K17HWP_3cYHBw7AhHale5wky6-sVA
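The two points above, that a JWS hides nothing and that a symmetric key both signs and verifies, can be seen in a few lines of code. The block below is an added example written for this post, not code from the original; it uses HS256 (HMAC-SHA256, the symmetric case from the Basics section) because that needs only the Python standard library, and the shared secret and claims it signs are constructed for illustration. The token it peeks into is the ES256 example printed above.

```python
import base64
import hashlib
import hmac
import json

# The ES256 token shown in the post, copied here so its header and payload
# can be decoded without any key (jws_peek never checks the signature).
PAGE_ES256_TOKEN = (
    "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0."
    "tyh-VfuzIxCyGYDlkBA7DfyjrqmSHu6pQ2hoZuFqUSLPNY2N0mpHb3nk5K17HWP_3cYHBw7AhHale5wky6-sVA"
)


def b64url_encode(data: bytes) -> str:
    # JWS uses base64url without '=' padding (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Re-add the padding that was stripped before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def jws_peek(token: str):
    """Decode header and payload WITHOUT verifying the signature.

    Anyone holding the token can do this: a JWS gives integrity, not confidentiality.
    """
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def jws_sign_hs256(claims: dict, key: bytes) -> str:
    """Symmetric case: the one shared key that signs is the key that verifies."""
    signing_input = _json_segment({"alg": "HS256", "typ": "JWT"}) + "." + _json_segment(claims)
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def jws_verify_hs256(token: str, key: bytes) -> dict:
    """Verify the signature and return the claims, or raise ValueError.

    The verifier decides the algorithm and only checks that the token agrees;
    it never lets the token's own 'alg' choose the code path, so "alg":"none"
    or an algorithm swap is rejected before any cryptography runs.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so the verifier does not leak how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    return json.loads(b64url_decode(payload_b64))


def tamper_payload(token: str, **changes) -> str:
    """Return a token with altered claims but the original signature (to exercise the verifier)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims.update(changes)
    return header_b64 + "." + _json_segment(claims) + "." + sig_b64


if __name__ == "__main__":
    print(jws_peek(PAGE_ES256_TOKEN))
    secret = b"example-shared-secret"  # constructed; use at least 32 random bytes in practice
    token = jws_sign_hs256({"sub": "alice", "admin": False}, secret)
    print(jws_verify_hs256(token, secret))
```

Note that jws_peek reads the admin claim out of the post's token with no key at all, while jws_verify_hs256 rejects a token whose admin claim was flipped after signing, a token signed with a different secret, and a token whose header says "none".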

JWE — JSON Web Encryption

A JWE is created by encrypting the payload with a freshly generated symmetric content encryption key (CEK) and then encrypting that CEK for the recipient: with the recipient's public key in the asymmetric case, or by wrapping it with a shared key in the symmetric case. Unlike a JWS, which has three parts, a JWE in compact serialization has five:

  • Header — the protected header of the JWE; it names the key-management algorithm (alg) and the content encryption algorithm (enc).
  • JWE encrypted key — the content encryption key, encrypted with the recipient's key.
  • Initialisation vector — the nonce for the content encryption; it must never repeat under the same key.
  • Ciphertext — the encrypted payload.
  • Authentication tag — the integrity check over the ciphertext and the protected header.

The compact form is header.encrypted_key.iv.ciphertext.tag. Example (the header decodes to alg RSA-OAEP with enc A256GCM; the copy below is cut off after the ciphertext, so the fifth segment, the tag, is missing):

eyJhbGciOiJSU0EtT0FFUCIsImNsYXNzaWQiOiIybG1pODEzMXBtZXFucXZ2NXdvNTVnIiwiZW5jIjoiQTI1NkdDTSJ9.eC9NnvX5wZGofKIQDyj-IatLDxQhiXpFPxD26ovQI4YsWeVfwTVXssgNy87Hyxt3wynEq6esqTrWZ1f7Uu4ABV7wosDx5WnA-rmUVHq8mvxQ_uX6-cmE0XZspcDI8qfDjelmeqUYr_EP1xhhzbvmSsLD2KZADI1GVstRjwvZFLojraEXdPUtija5pFEYkwZ3m6KRWDXKn9JMNRberxF46OrPv35jb5f3v_QPOw4WPkrwLwXwcyTLQOh8p2oGGqFYyPvN4jqZGNYzVuEEV6qf6I3bCTUozAxvhrAh7Pbqvga22IE-OoGiO18fwz3lX1vNqU_pFhrr6kyx08zrfwzTPw.dVFlt6rgGsnZkdXo.OBzOE8A-DNQcj1ePBer7YkuBu8djLJkRybciCM9NfkZgTwJ
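To make the five-part structure concrete, here is a parser for the compact JWE form. It is an added example written for this post, not the author's code: it splits a token, reads the only part that is readable (the protected header), checks the alg and enc against what the recipient allows, and checks that the IV and tag have the lengths the named enc requires. It does not decrypt anything (that needs an AEAD implementation outside the standard library). The protected header it uses is the one from the example above; the other four segments of the sample token are constructed filler of the right sizes, not real ciphertext. A token with fewer than five segments, such as the truncated one printed above, is rejected.

```python
import base64
import json

# Protected header segment copied from the post's JWE example; it decodes to
# {"alg":"RSA-OAEP","classid":"2lmi8131pmeqnqvv5wo55g","enc":"A256GCM"}.
PAGE_JWE_HEADER_B64 = (
    "eyJhbGciOiJSU0EtT0FFUCIsImNsYXNzaWQiOiIybG1pODEzMXBtZXFucXZ2NXdvNTVnIiwiZW5jIjoiQTI1NkdDTSJ9"
)

# Key-management algorithms this recipient agrees to process. The set is fixed by the
# application and never taken from the token. RSA1_5 is left out on purpose: PKCS#1 v1.5
# key transport has a long history of padding-oracle attacks.
ALLOWED_ALG = {"RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "A256KW"}

# enc -> (IV length, authentication tag length) in bytes, per RFC 7518 section 5.
ENC_PARAMS = {
    "A128GCM": (12, 16),
    "A192GCM": (12, 16),
    "A256GCM": (12, 16),
    "A128CBC-HS256": (16, 16),
    "A192CBC-HS384": (16, 24),
    "A256CBC-HS512": (16, 32),
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_compact_jwe(token: str) -> dict:
    """Split and sanity-check a compact JWE before any key is touched.

    Nothing here decrypts. The point is that only the header is readable, and
    that its alg/enc are checked against an allow-list rather than trusted.
    """
    segments = token.split(".")
    if len(segments) != 5:
        raise ValueError(f"compact JWE needs 5 segments, got {len(segments)}")
    header_b64, key_b64, iv_b64, ct_b64, tag_b64 = segments
    header = json.loads(b64url_decode(header_b64))
    alg, enc = header.get("alg"), header.get("enc")
    if alg not in ALLOWED_ALG:
        raise ValueError(f"key-management alg {alg!r} not allowed")
    if enc not in ENC_PARAMS:
        raise ValueError(f"content encryption enc {enc!r} not supported")
    iv_len, tag_len = ENC_PARAMS[enc]
    iv, tag = b64url_decode(iv_b64), b64url_decode(tag_b64)
    if len(iv) != iv_len:
        raise ValueError(f"{enc} expects a {iv_len}-byte IV, got {len(iv)}")
    if len(tag) != tag_len:
        raise ValueError(f"{enc} expects a {tag_len}-byte tag, got {len(tag)}")
    return {
        "header": header,
        "alg": alg,
        "enc": enc,
        "encrypted_key": b64url_decode(key_b64),
        "iv": iv,
        "ciphertext": b64url_decode(ct_b64),  # opaque until the CEK is recovered
        "tag": tag,
        # RFC 7516 section 5.1: the additional authenticated data is the ASCII of the
        # base64url protected header, so editing the header invalidates the tag.
        "aad": header_b64.encode("ascii"),
    }


def build_sample_jwe() -> str:
    """Constructed five-segment token of the right shape (filler bytes, not real ciphertext)."""
    encrypted_key = bytes(range(256))   # size of an RSA-2048 OAEP output
    iv = bytes(range(12))               # 96-bit GCM nonce
    ciphertext = bytes(range(40))
    tag = bytes(range(100, 116))        # 128-bit GCM tag
    return ".".join([
        PAGE_JWE_HEADER_B64,
        b64url_encode(encrypted_key),
        b64url_encode(iv),
        b64url_encode(ciphertext),
        b64url_encode(tag),
    ])


if __name__ == "__main__":
    parsed = parse_compact_jwe(build_sample_jwe())
    print(parsed["header"], len(parsed["encrypted_key"]), "bytes of wrapped CEK")
```

The allow-list is the part worth copying: a recipient that lets the token's header pick the key-management algorithm is also letting an attacker pick it.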

Bonus — JWK & JWKS

What is JWK?

JWK stands for JSON Web Key (RFC 7517). It represents a single cryptographic key, public or private, symmetric or asymmetric, as a JSON object.

For example, an RSA public key as a JWK looks like this (n is the modulus, e the public exponent, use says what the key is for, kid identifies it):

{
"kty" : "RSA",
"e" : "AQAB",
"use" : "sig",
"kid" : "aba545ad-c922-44e9-8dc0-6ffef90a7ec5",
"n" : "ryG9zry-AiJrwrzsgkGB-GEiCL16ZdC5tZZLbghhrBm7Cie6B4ScpvR9X7AF1AYI2jT9xO5Jkv4jessqce2VA-KE_vatmb1JG_-K9tri2JyZSu2PsZjuXuSUgFxosLB5HO_zHtVH0FHE0a9TJWgGeYRWm305LuNG-LovV2aoLccBMcfIGLcSouch_LHwTsa7JU-_RyRwrad2f_BD2M5Wp_BDvrYcLdXoClrXXaTJ46JsZ368GCmShAmBMUZWNNQIBQCpQawG-SXgsGrnB7gHPES9ABYQonMWmSWgYPC-SYwPJjXYyLgzf5fea-Sx8NKesGj2E6D3SJhFtC8_M6hZjQ"
}

while an EC (elliptic curve) public key looks like this (crv names the curve, x and y are the point coordinates; a private key would additionally carry d):

{
"kty" : "EC",
"use" : "sig",
"crv" : "P-256",
"kid" : "944e1038-ed07-4f3e-8332-30706a7bc4b9",
"x" : "I-Hdm5CARe7WvMiQS_NmbSyumPQbNz_cyYtyJBFLhgg",
"y" : "3wsi2v1cw46zxrh1RIeF6ZONHfFjADE9WQIAuIgP_vE"
}

What is JWKS?

JWKS is a JSON Web Key Set: a collection of keys under a single "keys" array. It is the standard way to publish public keys to the parties that need them, typically at an HTTPS URL, so that a verifier can pick out the key named by a token's kid.

The format looks like below:-

{
"keys" : [ {
"kty" : "EC",
"use" : "sig",
"crv" : "P-256",
"kid" : "944e1038-ed07-4f3e-8332-30706a7bc4b9",
"x" : "I-Hdm5CARe7WvMiQS_NmbSyumPQbNz_cyYtyJBFLhgg",
"y" : "3wsi2v1cw46zxrh1RIeF6ZONHfFjADE9WQIAuIgP_vE"
},
{
"kty" : "RSA",
"e" : "AQAB",
"use" : "sig",
"kid" : "aba545ad-c922-44e9-8dc0-6ffef90a7ec5",
"n" : "ryG9zry-AiJrwrzsgkGB-GEiCL16ZdC5tZZLbghhrBm7Cie6B4ScpvR9X7AF1AYI2jT9xO5Jkv4jessqce2VA-KE_vatmb1JG_-K9tri2JyZSu2PsZjuXuSUgFxosLB5HO_zHtVH0FHE0a9TJWgGeYRWm305LuNG-LovV2aoLccBMcfIGLcSouch_LHwTsa7JU-_RyRwrad2f_BD2M5Wp_BDvrYcLdXoClrXXaTJ46JsZ368GCmShAmBMUZWNNQIBQCpQawG-SXgsGrnB7gHPES9ABYQonMWmSWgYPC-SYwPJjXYyLgzf5fea-Sx8NKesGj2E6D3SJhFtC8_M6hZjQ"
}]
}
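A verifier that consumes a JWKS has to do more than look up the kid. The following is an added example written for this post (not the author's code) covering both the JWK section and the JWKS section above: it validates the structure of each key type and selects the key for a given kid and algorithm, refusing a kid that is missing or duplicated, a key not marked for signing, a key type or curve that does not match the algorithm the verifier expects, and, enforcing the rule the post ends with, any key that carries private members. The key set it reads is the one printed above; the RSA key it checks for size is a constructed placeholder of the right shape, not a real key.

```python
import base64
import json

# The key set shown in the post: one EC and one RSA public signing key.
PAGE_JWKS = json.loads("""
{
  "keys": [
    {"kty": "EC", "use": "sig", "crv": "P-256",
     "kid": "944e1038-ed07-4f3e-8332-30706a7bc4b9",
     "x": "I-Hdm5CARe7WvMiQS_NmbSyumPQbNz_cyYtyJBFLhgg",
     "y": "3wsi2v1cw46zxrh1RIeF6ZONHfFjADE9WQIAuIgP_vE"},
    {"kty": "RSA", "e": "AQAB", "use": "sig",
     "kid": "aba545ad-c922-44e9-8dc0-6ffef90a7ec5",
     "n": "ryG9zry-AiJrwrzsgkGB-GEiCL16ZdC5tZZLbghhrBm7Cie6B4ScpvR9X7AF1AYI2jT9xO5Jkv4jessqce2VA-KE_vatmb1JG_-K9tri2JyZSu2PsZjuXuSUgFxosLB5HO_zHtVH0FHE0a9TJWgGeYRWm305LuNG-LovV2aoLccBMcfIGLcSouch_LHwTsa7JU-_RyRwrad2f_BD2M5Wp_BDvrYcLdXoClrXXaTJ46JsZ368GCmShAmBMUZWNNQIBQCpQawG-SXgsGrnB7gHPES9ABYQonMWmSWgYPC-SYwPJjXYyLgzf5fea-Sx8NKesGj2E6D3SJhFtC8_M6hZjQ"}
  ]
}
""")

# Coordinate length in bytes for each curve (RFC 7518 section 6.2.1.2).
EC_COORD_LEN = {"P-256": 32, "P-384": 48, "P-521": 66}
# Key type each JWS algorithm needs. HS* is absent on purpose: a symmetric
# secret never belongs in a published key set.
ALG_TO_KTY = {"RS256": "RSA", "PS256": "RSA", "ES256": "EC", "ES384": "EC"}
ALG_TO_CRV = {"ES256": "P-256", "ES384": "P-384"}
# JWK members that only a private (or symmetric) key carries (RFC 7518 section 6).
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "k"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def describe_jwk(jwk: dict) -> dict:
    """Check a JWK's structure and summarise it; raise ValueError if malformed."""
    kty = jwk.get("kty")
    info = {"kty": kty, "kid": jwk.get("kid"), "use": jwk.get("use"),
            "private": bool(PRIVATE_MEMBERS.intersection(jwk))}
    if kty == "RSA":
        n = int.from_bytes(b64url_decode(jwk["n"]), "big")
        e = int.from_bytes(b64url_decode(jwk["e"]), "big")
        if e % 2 == 0 or n.bit_length() < 2048:
            raise ValueError("RSA modulus below 2048 bits or even exponent")
        info.update(bits=n.bit_length(), e=e)
    elif kty == "EC":
        crv = jwk.get("crv")
        if crv not in EC_COORD_LEN:
            raise ValueError(f"unsupported curve {crv!r}")
        x, y = b64url_decode(jwk["x"]), b64url_decode(jwk["y"])
        if len(x) != EC_COORD_LEN[crv] or len(y) != EC_COORD_LEN[crv]:
            raise ValueError(f"{crv} coordinates must be {EC_COORD_LEN[crv]} bytes")
        info.update(crv=crv)
    elif kty == "oct":
        info.update(bits=len(b64url_decode(jwk["k"])) * 8)
    else:
        raise ValueError(f"unsupported kty {kty!r}")
    return info


def select_verification_key(jwks: dict, kid: str, alg: str) -> dict:
    """Pick the key a JWS header points at and refuse anything that does not fit.

    alg is what the verifier is configured to accept, not what the token says.
    """
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if len(matches) != 1:
        raise KeyError(f"expected exactly one key with kid {kid!r}, found {len(matches)}")
    jwk = matches[0]
    info = describe_jwk(jwk)
    if info["private"]:
        raise ValueError(f"key {kid!r} carries private material; this set is not safe to publish")
    if info["use"] not in (None, "sig"):
        raise ValueError(f"key {kid!r} is marked use={info['use']!r}, not a signing key")
    if "alg" in jwk and jwk["alg"] != alg:
        raise ValueError(f"key {kid!r} is bound to {jwk['alg']}, verifier expects {alg}")
    if info["kty"] != ALG_TO_KTY.get(alg):
        raise ValueError(f"{alg} needs a {ALG_TO_KTY.get(alg)} key, got {info['kty']}")
    if alg in ALG_TO_CRV and info.get("crv") != ALG_TO_CRV[alg]:
        raise ValueError(f"{alg} needs curve {ALG_TO_CRV[alg]}, got {info.get('crv')}")
    return jwk


# Constructed RSA JWK: 256 filler bytes with the top bit set give a 2048-bit
# modulus in shape only. It is not a real key and cannot verify anything.
CONSTRUCTED_RSA_JWK = {
    "kty": "RSA", "use": "sig", "kid": "constructed-rsa", "e": "AQAB",
    "n": b64url_encode(b"\xc1" + bytes(range(255))),
}


if __name__ == "__main__":
    for key in PAGE_JWKS["keys"]:
        print(describe_jwk(key))
    print(select_verification_key(PAGE_JWKS, "944e1038-ed07-4f3e-8332-30706a7bc4b9", "ES256")["crv"])
```

The same selection logic, with the returned JWK handed to a real signature library, is what an API gateway or resource server does on every request against the issuer's published key set; a set that fails the private-member check should be treated as an incident, not just a bad key.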

A public JWKS is safe to publish because it contains only public keys. Private keys are never shared; that is what private means.

A private JWKS, on the other hand, is a good way to store key pairs on the backend for decrypting a JWE or signing a JWS: one JSON document instead of a collection of .pem files for the same keys, a much cleaner approach.

Rule of thumb: private keys (and shared symmetric secrets) live only on the backend, in a vault or a similar secret store, and are never exposed to clients.


API developer + Web Application developer + Devops Engineer = Full Stack Developer