Can anybody decode a JSON Web Token (JWT) without a secret key?


Question

I am new to this domain but I was trying to generate a JWT using the JWT nuget package.

My understanding is that you supply a secret key to sign the Token but when I got the token I went to JWT website to test it and the website was able to decode it without me supplying the secret key.

I thought that you generate the token then you sign it and thus prevent anybody from knowing the content of the token unless they have that secret key. Is this not the case?

Answer

JSON Web Tokens are an encoded representation of a data structure. It is not required that this encoded data be encrypted, but it is acceptable to do so.

According to the definition of code signing:

Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed by use of a cryptographic hash.

A JWT which has been encrypted will typically have two hash values, the first to decrypt the data, the second to validate the code signing. Decoding a non-encrypted JWT is a standardized process, and can be done even if the code sign isn't verified. However, it is recommended not to use any data in a JWT if the code signing hash does not match, as this indicates the data may have been tampered with.

Not all JWT implementations support encryption; notably, there is no encryption support in Microsoft's JWT implementation (https://stackoverflow.com/a/18224381/2495283). Therefore, if you have data which you must ensure remains secret, you should encrypt the data using JWE. The JWT standards documentation shows an example of this process. The data is first encrypted, then the encrypted string and decoding algorithm are sent as the payload of the JWT.
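As an added example, not part of the original question or answer and written in plain Python rather than the .NET JWT package the asker used: an HS256 token is built, its payload is read back with no key at all (only base64url decoding), and then the signature check is what catches a wrong key or a payload swapped in after signing. The secret and claims are constructed sample values.

```python
import base64, hashlib, hmac, json
from typing import Optional, Tuple

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # restore padding

def sign_hs256(payload: dict, secret: bytes) -> str:
    """Compact JWS: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def decode_unverified(token: str) -> Tuple[dict, dict]:
    """What jwt.io does: header and payload are only encoded, so no key is needed to read them."""
    h, p, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))

def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the payload only when the HMAC over header.payload matches; None otherwise."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's own choice
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):  # constant-time compare
        return None
    return json.loads(b64url_decode(p))

def replace_payload(token: str, new_payload: dict) -> str:
    """Swap the payload but keep the old signature: the change a verifier must reject."""
    h, _, s = token.split(".")
    return h + "." + b64url_encode(json.dumps(new_payload, separators=(",", ":")).encode()) + "." + s

SECRET = b"constructed-demo-secret"  # constructed sample key, not from the page
TOKEN = sign_hs256({"sub": "alice", "role": "user"}, SECRET)

if __name__ == "__main__":
    print(decode_unverified(TOKEN))                                 # readable without the key
    print(verify_hs256(TOKEN, SECRET))                              # payload accepted
    print(verify_hs256(replace_payload(TOKEN, {"sub": "alice", "role": "admin"}), SECRET))  # None
    print(verify_hs256(TOKEN, b"wrong-key"))                        # None
```

The first print is the whole answer to the question: the claims come out without any secret, so anything confidential belongs in a JWE (or outside the token), while the secret only lets you tell a genuine token from an altered one.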
