How secure is JWT


Question

I know this question is not anything new, possibly already been discussed all over the internet.

I'm new to it but after some study, I agree that it is safe, as an anonymous party could sniff the token but is unable to append anything to it. I'm planning to store the JWT in HTML5 Storage, and decode the payload for some insensitive information: DisplayName, email_address, role_info, etc.

Here is my question: could an anonymous party sniff my JWT token and act on behalf of me? If that is possible, how can I avoid that?

Answer

In short, JWT by itself is not safe; it's just clear text. JWT in basic terms is a standard protocol for how information, otherwise known as claims, is defined and passed between two parties. In combination with JWS (signature) and JWE (encryption) it will be secure. The overarching topic for this is JOSE - JavaScript Object Signing and Encryption. Aside from reading the RFCs themselves, which you should refer to as well, there is a ton of information online, without stating the obvious nor insulting your search abilities. Check out http://jose.readthedocs.io/en/latest/ (includes reference links to the RFCs)

So to answer your question: if signed and encrypted with industry secure standards in flight (over the wire) and at rest (i.e., database), yes, it's secure.

In terms of spoofing, you need to take precautions in areas of session jacking and/or token jacking, and prevention against things like rainbow tables.

JOSE really is just a standard, no matter what standard; what you are really asking about is best practices for security measures, so you should refer to OWASP as well: https://www.owasp.org/

Does that help clarify your question?
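The two points the answer makes (a bare JWT payload is readable by anyone who holds the token, and only the JWS signature stops it from being altered) can be seen directly in code. The following is an added example, not code from the question or the answer: a minimal HS256 signer and verifier using only the Python standard library. `DEMO_KEY`, the claim values and the `exp` timestamps are constructed for the demonstration. It shows that the payload decodes without the key, that a token with an edited `role` claim fails verification, that a token signed with a different key fails, and that an unmodified token remains valid until its `exp`, which is why a sniffed token is a replay risk for as long as it lives (short lifetimes and TLS in transit are the usual mitigations, in line with the session- and token-jacking precautions the answer mentions).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key for this example only; a real service loads its key from a secret store.
DEMO_KEY = b"demo-secret-key-not-for-production"


def _b64url_encode(data: bytes) -> str:
    # JWS uses base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding that base64url strips before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce a JWT in JWS compact serialization: header.payload.signature (HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _encode_json(header) + "." + _encode_json(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def read_payload_unverified(token: str) -> dict:
    """What anyone holding the token can do: the payload is base64url, not encrypted."""
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def verify_hs256(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side; never let the token choose it (rejects alg "none").
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    # Expiry is the only thing that limits how long a stolen, unmodified token stays valid.
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims


def edited_copy(token: str, claim: str, value) -> str:
    """Build a copy of a token with one claim changed and the original signature kept,
    to confirm that the verifier rejects it."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims[claim] = value
    return header_b64 + "." + _encode_json(claims) + "." + sig_b64


if __name__ == "__main__":
    # Constructed claims; exp is a fixed timestamp so the run is reproducible.
    token = sign_hs256({"sub": "alice", "role": "user", "exp": 1_700_000_000}, DEMO_KEY)
    print("readable without the key:", read_payload_unverified(token))
    print("valid before exp:", verify_hs256(token, DEMO_KEY, now=1_699_999_000) is not None)
    print("edited role accepted:",
          verify_hs256(edited_copy(token, "role", "admin"), DEMO_KEY, now=1_699_999_000) is not None)
    print("valid after exp:", verify_hs256(token, DEMO_KEY, now=1_700_000_000) is not None)
```

The verifier pins `alg` and uses a constant-time comparison; a real deployment would additionally use a vetted JOSE library, a key of sufficient length, and an `exp` short enough to bound the replay window for a token captured in transit or from browser storage.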
