Not understanding JWT "Encryption"


Question

I have JWT up and running in PHP and Angular clients. Everything works perfectly. But I'm still trying to understand something, security-wise: my Angular client doesn't know the key which was used to encrypt the JWT message on the server side (PHP).
Then, why can it decrypt without it?
Shouldn't the key be important?

Answer

JWTs can be either signed, encrypted or both. If a token is signed, but not encrypted, everyone can read the contents of the token, but when you don't know the private key, you can't change it. Otherwise, the receiver will notice that the signature won't match anymore.

Additionally: you can go to jwt.io, paste your token and read the contents. This is jarring for a lot of people initially.

The short answer is that JWT doesn't concern itself with encryption. It cares about validation. That is to say, it can always get the answer to "Have the contents of this token been manipulated?" This means user manipulation of the JWT token is futile because the server will know and disregard the token. The server adds a signature based on the payload when issuing a token to the client. Later on it verifies the payload and matching signature.

Please read the links below for more info.

jwt.io/introduction

en.wikipedia.org/wiki/JSON_Web_Token
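The two halves of the answer (anyone can read a signed token; only the key holder can produce a signature that verifies) are easy to see in a few lines of code. The following is an added example written for this page, not code from the question's PHP/Angular setup or from any JWT library. It implements HS256 (HMAC-SHA256) JWTs directly from the standard library, with a constructed demo secret, and goes one step beyond the answer by pinning the accepted algorithm on the server side, so a token that names a different `alg` (including `none`) is rejected before the signature is even checked.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret. A real server keeps this value strictly server-side;
# the client never needs it to read the payload, only the server needs it to verify.
SECRET = b"server-side-secret-never-sent-to-the-client"


def _b64url_encode(raw: bytes) -> str:
    # JWTs use unpadded base64url (RFC 7515 section 2).
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding that the JWT encoding strips off.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_compact(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def sign_jwt(payload: dict, secret: bytes) -> str:
    """Issue an HS256 token: base64url(header).base64url(payload).base64url(HMAC)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url_encode(_json_compact(header)) + "." + _b64url_encode(_json_compact(payload))
    tag = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(tag)


def read_payload_without_key(token: str) -> dict:
    """What the Angular client (or jwt.io, or anyone) can do: decode the payload.
    No secret is involved; a signed-but-unencrypted JWT is readable by design."""
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def verify_jwt(token: str, secret: bytes) -> Optional[dict]:
    """Server-side check: return the payload only if the signature matches, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token
    # Pin the algorithm: the verifier decides how to verify, the token does not.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    try:
        presented = _b64url_decode(sig_b64)
    except ValueError:
        return None
    # Constant-time comparison so the check leaks nothing about where it differs.
    if not hmac.compare_digest(expected, presented):
        return None
    return json.loads(_b64url_decode(payload_b64))


def replace_payload_keeping_signature(token: str, new_payload: dict) -> str:
    """Swap the payload but keep the original signature. This is what a client
    editing its own token would produce; verify_jwt() must reject it."""
    header_b64, _, sig_b64 = token.split(".")
    return header_b64 + "." + _b64url_encode(_json_compact(new_payload)) + "." + sig_b64


if __name__ == "__main__":
    token = sign_jwt({"sub": "alice", "role": "user"}, SECRET)
    print("readable without the key:", read_payload_without_key(token))
    print("verified on the server:  ", verify_jwt(token, SECRET))
    edited = replace_payload_keeping_signature(token, {"sub": "alice", "role": "admin"})
    print("readable after editing:  ", read_payload_without_key(edited))
    print("verified after editing:  ", verify_jwt(edited, SECRET))  # None: rejected
```

The first two prints show the questioner's observation: the payload decodes without any key, and the server still accepts the token. The last two show the answer's point: the edited payload is still perfectly readable, but the server returns `None` because the HMAC no longer matches, and the same happens for a token signed under a different secret or one whose header claims a different algorithm.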
