JWT Using Asymmetric Encryption


Question


I want to ask something: when using asymmetric encryption, we encrypt the data using the client's public key, so that the client can decrypt the data using their private key, right?


I just found tutorials for signing JWTs using RSA, but I found that they encrypt the data using the server's private key instead of the client's public key, and the server's public key is shared among the clients.


Is it even safe? Because if the public key falls into the wrong hands (since it is shareable), everyone can decrypt it, right?


So, is it okay to sign the JWT like that?

References: Tutorial 1, Tutorial 2

Answer


In this scenario, the purpose is not to encrypt the data so that others cannot read it ("confidentiality"), it is to sign the data so that others with the public key can verify that you are in possession of the private key and you actually signed the data. The data in this case is a hash of the JWT header and payload. The private key is used for signing so that only one entity - the authentication server - can sign JWTs. The public key is used for signature validation so that any third party with the public key can validate the JWT. The public key cannot be used to create a valid signature.

Yes, it is safe!
