1

Topic: JWT token with a symmetric algorithm.

Please explain something, I don't quite get it.
Does it make sense to use a JWT token signed with a symmetric algorithm? What is it needed for at all?
For the client to be able to verify the token received from the server, it has to be given the symmetric key, and then what prevents attackers who know this key from forging a token? And if the key is not given out, then it turns out the client cannot verify it.
What is the point of the symmetric algorithm existing if it has such a problem? I can only assume that the only way out is not to give the client the secret key, which would give it the ability to check the validity. But that is probably not so convenient and elegant.
And another question. Having the full text in hand and knowing the encryption algorithm, isn't it possible to compute the symmetric key with which the JWT token is signed?
If an asymmetric algorithm is used, how then is the public key supposed to be passed to the client?

2

Re: JWT token with a symmetric algorithm.

WaspNewCore wrote:

Does it make sense to use a JWT token signed with a symmetric algorithm? What is it needed for at all?

What are you talking about at all? What symmetric algorithm? :))

WaspNewCore wrote:

And another question. Having the full text in hand and knowing the encryption algorithm, isn't it possible to compute the symmetric key with which the JWT token is signed?
If an asymmetric algorithm is used, how then is the public key supposed to be passed to the client?

Go and read once more about how JWT is built. There is no encryption there.

3

Re: JWT token with a symmetric algorithm.

hVostt,
RS256 is an asymmetric algorithm
HS256 is a symmetric algorithm
Accordingly, the question was: why does HS256 exist if we either have to disclose the key (and risk that anyone can freely forge a token), or not disclose it, but then the client will have no way to verify the signature.
Yes, this is about the signature, not encryption, in this case.
PS. There is encryption in a JWT token too, in my opinion. But that doesn't interest me now. Now I need to understand about the signature.

4

Re: JWT token with a symmetric algorithm.

RS256 (RSA Signature with SHA-256) is an asymmetric algorithm, and it uses a public/private key pair: the identity provider has a private (secret) key used to generate the signature, and the consumer of the JWT gets a public key to validate the signature. Since the public key, as opposed to the private key, does not need to be kept secured, most identity providers make it easily available for consumers to obtain and use (usually through a metadata URL).
HS256 (HMAC with SHA-256), on the other hand, is a symmetric algorithm, with only one (secret) key that is shared between the two parties. Since the same key is used both to generate the signature and to validate it, care must be taken to ensure that the key is not compromised.
I.e. it is suggested not to disclose the symmetric key?
Does the client need to be able to check that the token is not forged at all? Maybe it doesn't need to...
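An added illustration of the HS256 property quoted above, not code from this thread: a minimal HS256 sign/verify in the Python standard library, showing that any party able to verify an HS256 token holds the same key that issues one, so the only safe relying parties are those trusted to issue tokens. The secret and claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hs256_sign(claims: dict, key: bytes) -> str:
    """Issue a compact JWS: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def hs256_verify(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the HMAC verifies under `key`, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None
    # The verifier pins the algorithm it accepts; the token's own "alg" is never trusted.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    return json.loads(b64url_decode(payload_b64))

# Constructed shared secret: with HS256 the issuing server and every verifier hold this same key.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"

def demo() -> dict:
    """The thread's point: a relying party holding the HS256 key is, cryptographically, an issuer."""
    issued = hs256_sign({"sub": "alice", "role": "user"}, SHARED_SECRET)
    verified = hs256_verify(issued, SHARED_SECRET)          # relying party can verify...
    minted = hs256_sign({"sub": "alice", "role": "admin"}, SHARED_SECRET)  # ...and mint
    parts = issued.split(".")
    tampered = ".".join([parts[0], b64url(b'{"sub":"alice","role":"admin"}'), parts[2]])
    return {
        "verified_claims": verified,
        "minted_accepted": hs256_verify(minted, SHARED_SECRET),
        "tampered_rejected": hs256_verify(tampered, SHARED_SECRET) is None,
        "wrong_key_rejected": hs256_verify(issued, b"some-other-key") is None,
    }
```

With RS256 the relying party would verify with the public key only, so `demo()`'s "minted_accepted" outcome is exactly what the asymmetric scheme removes.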

5

Re: JWT token with a symmetric algorithm.

hVostt, really? There it says which algorithm to use to process the string that lies in …, for example. Well, here, you can … at https://jwt.io/
Or https://www.example-code.com/csharp/jwt_rsa_create.asp
WaspNewCore
The client authorizes, and in reply it is given the token, which it then attaches to requests. The client no longer needs to … the token. It uses it. As for the symmetric key, you do not understand that there is a public key and there is a private one; in general you have a mess in your head. Just take a rest and read the literature again.

6

Re: JWT token with a symmetric algorithm.

WaspNewCore wrote:

Please explain something, I don't quite get it.
Does it make sense to use a JWT token signed with a symmetric algorithm? What is it needed for at all?
For the client to be able to verify the token received from the server, it has to be given the symmetric key, and then what prevents attackers who know this key from forging a token? And if the key is not given out, then it turns out the client cannot verify it.
What is the point of the symmetric algorithm existing if it has such a problem? I can only assume that the only way out is not to give the client the secret key, which would give it the ability to check the validity. But that is probably not so convenient and elegant.
And another question. Having the full text in hand and knowing the encryption algorithm, isn't it possible to compute the symmetric key with which the JWT token is signed?

JSON Web Token - an asymmetric algorithm is used

WaspNewCore wrote:

If an asymmetric algorithm is used, how then is the public key supposed to be passed to the client?

As I understand it, the use of a protected channel is assumed
Each reply from the server can be verified with this key
To send a request, the client simply computes … from the parameters with the salt in the form of this key and attaches it to each request, so the server can be sure that the client is the one to whom it issued the public key
The question of the public key's trustworthiness on the client, as I understand it, is not considered

7

Re: JWT token with a symmetric algorithm.

handmadeFromRu,
I know how it works.
"The client no longer needs to … the token" - that is exactly what the question was about. Does the client need to be sure that the token is not forged?

8

Re: JWT token with a symmetric algorithm.

WaspNewCore,
The client cannot do it anyway (then the client would have to know and store extra things on its side), and what for, if it is the client who could authenticate?
Want protection from …? That is what ssl is for.
The server will then … the reply from the client by this token, and it should send the client … from the database to work with it.

9

Re: JWT token with a symmetric algorithm.

WaspNewCore wrote:

PS. There is encryption in a JWT token too, in my opinion. But that doesn't interest me now. Now I need to understand about the signature.

But your question does not concern JWT; it concerns cryptography and information security in general. JWT does not answer the question of how you will exchange keys and secrets; it operates within the framework of standards and recommendations.

10

Re: JWT token with a symmetric algorithm.

handmadeFromRu wrote:

hVostt, really? There it says which algorithm to use to process the string that lies in …, for example. Well, here, you can … at https://jwt.io/
Or https://www.example-code.com/csharp/jwt_rsa_create.asp

It is possible. But …? The token is exchanged over an encrypted channel.

11

Re: JWT token with a symmetric algorithm.

kealon (Ruslan) wrote:

JSON Web Token - an asymmetric algorithm is used

There … algorithms are used, but the mandatory one is an ordinary hash function, HMAC SHA-256.

12

Re: JWT token with a symmetric algorithm.

hVostt,
That is where I was trying to lead the thread starter :)

13

Re: JWT token with a symmetric algorithm.

WaspNewCore wrote:

Does the client need to be sure that the token is not forged?

What for?

14

Re: JWT token with a symmetric algorithm.

The innocent person behind a board,
If the token is issued by one server and used by others, there must be trust in the token. Otherwise it may turn out that Server1 sends Server2 a request: "transfer a couple of billion dollars to such-and-such. Here is a token confirming my right".
Accordingly, there must be trust in the token on the client side.
Probably in the standard client-server approach no special trust in the token is necessary. But that is debatable too.

15

Re: JWT token with a symmetric algorithm.

WaspNewCore wrote:

Accordingly, there must be trust in the token on the client side.

That is a dubious pleasure, … a token on the client.
When you are issued a passport, how do you check it? :)
Trust must be on the server side, and the client simply received a piece of paper for obtaining access to resources.

16

Re: JWT token with a symmetric algorithm.

WaspNewCore,
And you cannot verify a token's validity on the client, since the secret is not known to the client.

17

Re: JWT token with a symmetric algorithm.

hVostt,
There are methods, basically https for that
In particular with a passport, it is not sent by mail, … the passport office worker at whom it is issued, and it also receives protection marks

18

Re: JWT token with a symmetric algorithm.

kealon (Ruslan) wrote:

there are methods, basically https for that
In particular with a passport, it is not sent by mail, … the passport office worker at whom it is issued, and it also receives protection marks

Well, the client receives the token at the authorization server. Thanks to HTTPS, one can say it does so directly. What else is there to …?
Moreover, it is impossible, since only … the server where the client gets access by means of the token can do it.

19

Re: JWT token with a symmetric algorithm.

kealon (Ruslan) wrote:

hVostt,
There are methods, basically https for that
In particular with a passport, it is not sent by mail, … the passport office worker at whom it is issued, and it also receives protection marks

I do not understand why it is not customary here to give references to the documentation?

wrote:

JSON Web Token (JWT) is an open standard (RFC 7519) for creating access tokens based on the JSON format. As a rule, it is used for transmitting authorization data in client-server applications. Tokens are generated by the server, signed with a secret key and transferred to the client, who then uses the token to confirm their identity.

In other words, the token is a substitute for … and it is for the server, not for the client.
I.e. so that the server recognizes you on a repeated login.
If the client itself became a server, that is another story.
And so, …, tokens … are not necessary.

20

Re: JWT token with a symmetric algorithm.

hVostt wrote:

WaspNewCore,
And you cannot verify a token's validity on the client, since the secret is not known to the client.

Asymmetric algorithms work in such a way that it is possible to verify. Since everything is encrypted with the private …, and verified with the public ….

21

Re: JWT token with a symmetric algorithm.

WaspNewCore,
You can write anything, only it is no longer the standard, and you have to agree it with the server.
You can send fingerprints.

22

Re: JWT token with a symmetric algorithm.

Petro123 wrote:

skipped...
I do not understand why it is not customary here to give references to the documentation?
skipped...
In other words, the token is a substitute for … and it is for the server, not for the client.
I.e. so that the server recognizes you on a repeated login.
If the client itself became a server, that is another story.
And so, …, tokens … are not necessary.

No. It is not simply …. It is a kind of "passport" in which the access rights granted to the user (for example) are recorded.
The token is needed not only by the server, to verify that the token is not forged, but also by a possible third party.
In … much is built on this, read here
https://tech.yandex.ru/oauth/
The user logs in to … only once, and hundreds of applications can already use … the token as that user's passport.
Accordingly, there is a need … that the token is not forged. That it was generated by Yandex.

23

Re: JWT token with a symmetric algorithm.

Petro123 wrote:

WaspNewCore,
You can write anything, only it is no longer the standard, and you have to agree it with the server.
You can send fingerprints.

That is the standard.
Normally the JWT token (or OAuth token) can just … the authorization server. And … already on other servers. A fairly standard approach.
A whole company lives only by providing servers for generating tokens.
https://auth0.com/
Although all of this can be done yourself, and for free :)

24

Re: JWT token with a symmetric algorithm.

WaspNewCore wrote:

No. It is not simply …. It is a kind of "passport" in which the access rights granted to the user (for example) are recorded.

well, … the server reads them, since it forgot this list when moving between pages.

WaspNewCore wrote:

In … on

Then the thread topic should be changed to oauth.
And the standard is just what to refer to.

25

Re: JWT token with a symmetric algorithm.

WaspNewCore,
I am saying that jwt should not …, and I agree with hWostt.
And let the thread starter clarify about oauth.