
json - Combining JWE and JWS

Reposted. Author: 行者123. Updated: 2023-12-04 00:29:59

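Just learning about JOSE, I understand that JWE is for encryption and JWS is for signing. What I can't seem to find is an example of a payload that is both encrypted and signed.

Let's pretend I have a payload hello world. Is the correct thing to do something like this? JWS(JWE('hello world') with the encrypted JWE as the payload of the JWS?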

Best answer

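JSON Web Token (JWT) is an open standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. JWT is a generic name for the following types of token:

  • JSON Web Signature (JWS): The payload is encoded and signed, so the integrity of the claims can be verified.
  • JSON Web Encryption (JWE): Their payload is encrypted, so the claims are hidden from other parties.

    [Image: JWT, JWS and JWE]
    The image was extracted from this page.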

    Is the correct thing to do something like this? JWS(JWE('hello world') with the encrypted JWE as the payload of the JWS?


    It's a nested JWT, a concept defined in RFC 7519:

    A JWT in which nested signing and/or encryption are employed. In Nested JWTs, a JWT is used as the payload or plaintext value of an enclosing JWS or JWE structure, respectively.


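    You could add a JWE as a claim of a JWS payload, but the other way around is recommended: first sign the message and then encrypt the result, as stated in the same document: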

    11.2. Signing and Encryption Order

    While syntactically the signing and encryption operations for Nested JWTs may be applied in any order, if both signing and encryption are necessary, normally producers should sign the message and then encrypt the result (thus encrypting the signature). This prevents attacks in which the signature is stripped, leaving just an encrypted message, as well as providing privacy for the signer. Furthermore, signatures over encrypted text are not considered valid in many jurisdictions.
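
The sign-then-encrypt order quoted above, as an added Node.js example that is not part of the original answer. It assumes two pre-shared 32-byte symmetric keys, HS256 for the inner JWS and "dir" with A256GCM for the outer JWE; the function names are illustrative, and a real JWT would carry a JSON claims set rather than a bare string.

```javascript
// Added example (not from the page): nested JWT, sign then encrypt (RFC 7519 section 11.2).
// Assumed: pre-shared 32-byte keys; function names are illustrative.
const { createHmac, createCipheriv, createDecipheriv, randomBytes, timingSafeEqual } = require('crypto');

const b64u = (x) => Buffer.from(x).toString('base64url');

// Inner token: JWS compact serialization with HS256.
function signJws(payload, macKey) {
  const input = `${b64u(JSON.stringify({ alg: 'HS256' }))}.${b64u(payload)}`;
  return `${input}.${b64u(createHmac('sha256', macKey).update(input).digest())}`;
}

function verifyJws(jws, macKey) {
  const [h, p, s] = jws.split('.');
  if (JSON.parse(Buffer.from(h, 'base64url')).alg !== 'HS256') throw new Error('unexpected alg');
  const want = createHmac('sha256', macKey).update(`${h}.${p}`).digest();
  const got = Buffer.from(s, 'base64url');
  if (got.length !== want.length || !timingSafeEqual(got, want)) throw new Error('bad signature');
  return Buffer.from(p, 'base64url').toString();
}

// Outer token: JWE compact serialization, alg "dir" + enc "A256GCM".
// "cty":"JWT" tells the recipient that the plaintext is itself a JWT.
function encryptJwe(plaintext, encKey) {
  const header = b64u(JSON.stringify({ alg: 'dir', enc: 'A256GCM', cty: 'JWT' }));
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', encKey, iv);
  cipher.setAAD(Buffer.from(header, 'ascii')); // protected header is authenticated, not encrypted
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // Second segment (encrypted key) is empty for direct encryption.
  return [header, '', b64u(iv), b64u(ct), b64u(cipher.getAuthTag())].join('.');
}

function decryptJwe(jwe, encKey) {
  const [header, , iv, ct, tag] = jwe.split('.');
  const { alg, enc } = JSON.parse(Buffer.from(header, 'base64url'));
  if (alg !== 'dir' || enc !== 'A256GCM') throw new Error('unexpected alg/enc');
  const d = createDecipheriv('aes-256-gcm', encKey, Buffer.from(iv, 'base64url'), { authTagLength: 16 });
  d.setAAD(Buffer.from(header, 'ascii'));
  d.setAuthTag(Buffer.from(tag, 'base64url')); // final() throws if the tag does not verify
  return Buffer.concat([d.update(Buffer.from(ct, 'base64url')), d.final()]).toString();
}

// Producer signs, then encrypts; consumer decrypts, then verifies the inner signature.
const nest = (msg, macKey, encKey) => encryptJwe(signJws(msg, macKey), encKey);
const unnest = (token, macKey, encKey) => verifyJws(decryptJwe(token, encKey), macKey);
```

Because the signature sits inside the ciphertext, it cannot be stripped or read without the encryption key, which is the property section 11.2 describes.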

    Regarding json - Combining JWE and JWS, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/52755369/
