Combining JWE and JWS

I have just learned about JOSE and understand that JWE is for encryption and JWS is for signing. What I can't seem to find is an example of a payload that is both encrypted and signed.

Suppose I have the payload hello world. Is the correct thing to do something like JWS(JWE('hello world')), with the encrypted JWE as the payload of the JWS?

JSON Web Token (JWT) is an open standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. JWT is the generic name for the following token types:

  • JSON Web Signature (JWS): the payload is encoded and signed so that the integrity of the claims can be verified.

  • JSON Web Encryption (JWE): the payload is encrypted so that the claims are hidden from other parties.

The image is taken from this page.

Is the correct thing to do something like this? JWS(JWE('hello world')) with the encrypted JWE as the payload of the JWS?

This is a Nested JWT, a concept defined in RFC 7519:

A JWT in which nested signing and/or encryption are employed. In Nested JWTs, a JWT is used as the payload or plaintext value of an enclosing JWS or JWE structure, respectively.

You can use a JWE as the payload of a JWS, but the opposite order is recommended: sign the message first, then encrypt the result. The same document says:

11.2. Signing and Encryption Order

While syntactically the signing and encryption operations for Nested JWTs may be applied in any order, if both signing and encryption are necessary, normally producers should sign the message and then encrypt the result (thus encrypting the signature). This prevents attacks in which the signature is stripped, leaving just an encrypted message, as well as providing privacy for the signer. Furthermore, signatures over encrypted text are not considered valid in many jurisdictions.
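The following is an added example, not code from the question or the answer, showing the sign-then-encrypt order from RFC 7519 section 11.2 with nothing but the Go standard library. The inner JWS uses HS256 with a shared HMAC key and the outer JWE uses direct key agreement (alg "dir") with A256GCM; both algorithm choices and the demo keys in main are assumptions made for illustration, not something the answer prescribes. The JWE header carries cty "JWT" so the recipient knows the decrypted plaintext is itself a JWT that still has to be verified.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JOSE uses unpadded base64url for every segment
// alg "dir" uses the 256-bit key directly as the CEK; cty "JWT" marks a Nested JWT (RFC 7519 section 5.2).
const jweHeader = `{"alg":"dir","enc":"A256GCM","cty":"JWT"}`

// SignJWS builds a compact JWS (HS256) over payload with a shared HMAC key.
func SignJWS(payload, key []byte) string {
	signingInput := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil))
}

// VerifyJWS checks the HS256 tag in constant time and returns the payload.
func VerifyJWS(token string, key []byte) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jws: expected 3 segments")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(mac.Sum(nil), sig) {
		return nil, errors.New("jws: signature does not verify")
	}
	return b64.DecodeString(parts[1])
}

func newGCM(cek []byte) (cipher.AEAD, error) {
	if len(cek) != 32 {
		return nil, errors.New("jwe: A256GCM requires a 32-byte key")
	}
	block, _ := aes.NewCipher(cek) // cannot fail for a 32-byte key
	return cipher.NewGCM(block)
}

// EncryptJWE produces a 5-segment compact JWE; the encoded protected header is the AEAD's AAD.
func EncryptJWE(plaintext, cek []byte) (string, error) {
	gcm, err := newGCM(cek)
	if err != nil {
		return "", err
	}
	header := b64.EncodeToString([]byte(jweHeader))
	iv := make([]byte, gcm.NonceSize())
	rand.Read(iv) // fresh 96-bit nonce per message; crypto/rand aborts rather than return bad bytes
	sealed := gcm.Seal(nil, iv, plaintext, []byte(header))
	n := len(sealed) - gcm.Overhead() // Go appends the tag; JOSE carries it as its own segment
	return strings.Join([]string{header, "", b64.EncodeToString(iv),
		b64.EncodeToString(sealed[:n]), b64.EncodeToString(sealed[n:])}, "."), nil
}

// DecryptJWE reverses EncryptJWE; any change to header, IV, ciphertext or tag is rejected.
func DecryptJWE(token string, cek []byte) ([]byte, error) {
	parts := strings.Split(token, ".")
	gcm, err := newGCM(cek)
	if err != nil || len(parts) != 5 || parts[1] != "" {
		return nil, errors.New("jwe: bad key or malformed compact serialization")
	}
	iv, e1 := b64.DecodeString(parts[2])
	ct, e2 := b64.DecodeString(parts[3])
	tag, e3 := b64.DecodeString(parts[4])
	if e1 != nil || e2 != nil || e3 != nil || len(iv) != gcm.NonceSize() {
		return nil, errors.New("jwe: malformed base64url segment or IV")
	}
	return gcm.Open(nil, iv, append(ct, tag...), []byte(parts[0]))
}

// SignThenEncrypt: the RFC 7519 section 11.2 order; the JWS becomes the JWE plaintext, so the signature is encrypted and cannot be stripped.
func SignThenEncrypt(claims, sigKey, encKey []byte) (string, error) { return EncryptJWE([]byte(SignJWS(claims, sigKey)), encKey) }

// DecryptThenVerify unwraps the outer JWE, then verifies the inner JWS before the claims are trusted.
func DecryptThenVerify(token string, encKey, sigKey []byte) ([]byte, error) {
	inner, err := DecryptJWE(token, encKey)
	if err != nil {
		return nil, err
	}
	return VerifyJWS(string(inner), sigKey)
}

func main() {
	sigKey, encKey := []byte("demo-hmac-key"), make([]byte, 32) // constructed demo keys; generate real ones with crypto/rand
	tok, _ := SignThenEncrypt([]byte(`{"msg":"hello world"}`), sigKey, encKey)
	claims, err := DecryptThenVerify(tok, encKey, sigKey)
	fmt.Println(tok, string(claims), err)
}
```

The point the RFC text makes is visible in the layout of the token: the outer object is a plain JWE, and the signature only exists inside its ciphertext, so nobody who cannot decrypt can remove or replace it. With the reverse order, JWS(JWE(...)), the JWE sits in the clear as the JWS payload and the outer signature can simply be cut off, leaving a perfectly valid unsigned JWE. On the receiving side the order matters too: decrypt, then verify the inner JWS, and only then act on the claims.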