
We are going to have stateless web services which accept JSON as a parameter.

We've read JWE's RFC, but one thing I can't understand is how a token (which is a fixed part of each request) can be stateless without being hijacked.

Or should we encrypt the whole JSON parameter as the plaintext, as defined in the reference sheet, in every request?

Mohsen
  • Is your question about how JWT works? Because JWE does nothing with a token? – Janoz Aug 30 '16 at 08:26
  • @Janoz: No, my question is exactly about `JWE`. – Mohsen Aug 30 '16 at 08:29
  • There isn't a single mention of token in the JWE's RFC. So I have no idea what your hijacking question has to do with JWE. I do however know in what way JWT protects against hijacking. – Janoz Aug 30 '16 at 08:35
  • @Janoz: So you mean it's OK to encrypt the whole `JSON` in requests? `JWT` can be replayed, but it can't be changed. Replaying a request in this situation means hijacking it. – Mohsen Aug 30 '16 at 08:44
  • Aren't JWT's enough to protect the integrity of the data? This data can't be changed without the MAC being changed and invalidating the "signature". The secret is needed to reconstruct the MAC, which an attacker does not know. – SilverlightFox Sep 02 '16 at 08:31
  • @SilverlightFox: As I mentioned, changing the token is not the only way of hijacking. What if the attacker replays the token? Putting a MAC at the application layer doesn't make sense as long as the routers don't route based on that. – Mohsen Sep 03 '16 at 06:25
  • Sounds like you need https with hsts and an expiry date/time in the jwt. – SilverlightFox Sep 03 '16 at 06:50
  • @SilverlightFox: What about encrypting the whole request by JWE and a public key encryption algorithm? – Mohsen Sep 03 '16 at 11:55
  • @Mohsen Did you solve this? I have the same problem. – TonyY Nov 24 '17 at 03:42
  • @TonyY: Unfortunately no. And if you solve it later, please let me know, thanks. – Mohsen Nov 24 '17 at 14:39
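The comment thread above makes three separate points that are easy to conflate: an HMAC-signed JWT (a JWS, not a JWE) stops an attacker from changing the claims; an `exp` claim only bounds how long a captured token stays replayable; and truly rejecting a replayed token needs either server-side state (a seen-`jti` set, which is no longer stateless) or a token that is bound to the one request it was issued for. The following is an added example written for this page, not code from the question, its comments, or any library; it builds a minimal HS256 JWS with only the Python standard library and exercises each of those cases. The shared secret, the request bodies, the timestamps, and the claim name `body_sha256` (binding the token to a hash of the request body) are constructed assumptions for the demonstration, not anything the thread specifies.

```python
"""Minimal HS256 JWS (JWT) and the checks that matter for replay.

Added example, standard library only. Secret, claims, bodies and the
`body_sha256` claim name are constructed assumptions for illustration.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-secret-do-not-reuse"  # assumption: shared HMAC key
T0 = 1_700_000_000                                 # constructed "now" for the demo


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign(claims: dict, secret: bytes = SECRET) -> str:
    """JWS compact serialization, HS256: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify(token: str, secret: bytes = SECRET, now: Optional[float] = None,
           body: Optional[bytes] = None, seen_jti: Optional[set] = None) -> dict:
    """Return the claims if acceptable, else raise ValueError.

    Order: HMAC (integrity), exp (lifetime), optional body-hash binding
    (token is only good for this request), optional jti set (server-side
    state, which is the trade-off the comments circle around).
    """
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    # Pin the algorithm we issue; never let the token's header pick it.
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")          # any change to the claims lands here
    claims = json.loads(_b64url_decode(payload))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")                # limits the replay window, nothing more
    if body is not None and claims.get("body_sha256") != hashlib.sha256(body).hexdigest():
        raise ValueError("token not bound to this request body")
    if seen_jti is not None:                       # stateful replay detection
        if claims.get("jti") in seen_jti:
            raise ValueError("replayed jti")
        seen_jti.add(claims["jti"])
    return claims


def demo() -> dict:
    """Run the scenarios from the thread and report what the verifier says."""
    body = b'{"op":"transfer","amount":10}'       # constructed request body
    claims = {"sub": "alice", "jti": "req-0001", "exp": T0 + 300,
              "body_sha256": hashlib.sha256(body).hexdigest()}
    token = sign(claims)
    # Attacker edits the claims and re-signs with a guessed key.
    forged = sign({**claims, "sub": "bob"}, secret=b"attacker-guess")

    def attempt(**kw) -> str:
        try:
            verify(**kw)
            return "accepted"
        except ValueError as e:
            return str(e)

    out = {}
    out["valid"] = attempt(token=token, now=T0, body=body)
    out["forged_claims"] = attempt(token=forged, now=T0, body=body)
    out["expired"] = attempt(token=token, now=T0 + 600, body=body)
    out["other_body"] = attempt(token=token, now=T0,
                                body=b'{"op":"transfer","amount":9999}')
    # Stateless server: the same token for the same request is accepted again.
    out["replay_stateless"] = attempt(token=token, now=T0, body=body)
    seen: set = set()
    out["replay_first"] = attempt(token=token, now=T0, body=body, seen_jti=seen)
    out["replay_second"] = attempt(token=token, now=T0, body=body, seen_jti=seen)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} {result}")
```

The `replay_stateless` case is the one the question is really asking about: signature and `exp` checks pass on the second presentation exactly as on the first, because nothing in a stateless verifier remembers the first. Binding the token to the request body (the `body_sha256` claim here) stops the captured token being reused for a different request, and HTTPS with HSTS stops it being captured in the first place; rejecting a byte-for-byte replay of the same request still needs the seen-`jti` state, or a short enough `exp` that the window is acceptable.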

0 Answers