Encrypting JWT payload

Question

JWTs have 3 parts:

HEADER:ALGORITHM & TOKEN TYPE
PAYLOAD:DATA
SIGNATURE TO BE VERIFIED WITH THE SECRET KEY

Is it possible to encrypt the payload? Following is my token's payload:

{
"iss": "joe",
"exp": "1300819380",
"data": {
    "id": "12",
    "userName": "PH",
    "qntRed": "7",
    "qntGrad": {
        "1": "800",
        "2": "858",
        "3": "950",
        "4": "745",
        "5": "981"
    }
}

If "qntGrad" contains sensitive data. Can I encrypt it using the secret key? Will it still be a valid JWT?

score 27 · Answer 1 · edited Dec 07 '21 at 07:57

27

In fact there is not only signed JWT, but several technologies described by RFCs:

In your case, read the RFC7516 (JWE). These JWE have 5 parts:

Protected Header
Encrypted Key
Initialization Vector
Ciphertext
Authentication Tag

Depending on your platform, you may find a library that will help you to create such encrypted JWT. Concerning PHP, I am writing a library that is already able to load and create these jose.

edited Dec 07 '21 at 07:57

sparkyspider

13,195
10
89
133

answered Dec 08 '15 at 15:51

Spomky-Labs

15,473
5
40
64

1

Hi, @florent-morselli, I'll read about RFC7516! It really fits my need. And by the way, I'm using `PHP` in my backend. Thanks for the help! – Paulo Henrique Queiroz Dec 08 '15 at 18:21
1

You're welcome. Let me now if you decide to use my library. As the documentation is not yet written, you may need help. – Spomky-Labs Dec 08 '15 at 18:47

score -3 · Answer 2 · answered Mar 28 '16 at 16:07

Below is a very simple and effective method for encrypting using AES. Note you will need to get your own key (link included in comments).

Note that when you encrypt, it will set an IV for each encryption call. You will need this to decrypt.

public class CustomEncryption
{
    public static string Encrypt256(string text, byte[] AesKey256, out byte[] iv)
    {
        // AesCryptoServiceProvider
        AesCryptoServiceProvider aes = new AesCryptoServiceProvider();
        aes.BlockSize = 128;
        aes.KeySize = 256;
        aes.Key = aesKey256();
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        iv = aes.IV;

        byte[] src = Encoding.Unicode.GetBytes(text);

        using (ICryptoTransform encrypt = aes.CreateEncryptor())
        {
            byte[] dest = encrypt.TransformFinalBlock(src, 0, src.Length);

            return Convert.ToBase64String(dest);
        }
    }

    public static string Decrypt256(string text, byte[] AesKey256, byte[] iv)
    {
        AesCryptoServiceProvider aes = new AesCryptoServiceProvider();
        aes.BlockSize = 128;
        aes.KeySize = 256;
        aes.IV = iv;
        aes.Key = aesKey256();
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;

        byte[] src = System.Convert.FromBase64String(text);

        using (ICryptoTransform decrypt = aes.CreateDecryptor())
        {
            byte[] dest = decrypt.TransformFinalBlock(src, 0, src.Length);
            return Encoding.Unicode.GetString(dest);
        }
    }

    private static byte[] aesKey256()
    {
        //you will need to get your own aesKey
        //for testing you can generate one from
        //https://asecuritysite.com/encryption/keygen

        return new byte[] { 1, 2, 3, 4, 5, 6, 7, 8, 9, 1, 2, 3, 4, 5, 6, 7, 8, 9, 1, 2, 3, 4, 5, 6, 7, 8, 9, 1, 2, 3, 4, 5 };
    }
}

}

score -3 · Answer 3 · answered Dec 15 '17 at 12:27

-3

Not encrypting the token means that other external services can read and validate that the token is in fact authentic without having access to your private key. (They would only need the public key)

answered Dec 15 '17 at 12:27

Dez Udezue

759
1
6
16

Encrypting JWT payload

3 Answers3

Linked