04Modules
JWT Key Confusion Attacks
Medium30MIN
JWT and Asymmetric Encryption
It is possible to sign JWT with asymmetric encryption, meaning with public key encryption. In this case, instead of using one encryption key, we have two keys: a public key and a private key.
The public key can be freely distributed to the world, as its name suggests. The public key can be used to verify a JWT (JSON Web Token) signed with a private key.
Let's take an example. Let's say we have an HTTP interface api.example.com which is accessed with a JWT token issued by the authentication service auth.example.com.
Authentication and use of the HTTP interface could work like this:
- The user sends their username and password to the authentication service (auth.example.com). Username: "Maija", Password: "kissa123".
- The identification service has a private key that no one else has. The identification service uses its private key to sign a JWT containing the claim with the username "Maija".
- Maija sends the next message to the HTTP interface (api.example.com), with JWT included (typically in the Authorization header).
- The HTTP interface has a public key for the identification service, which it typically retrieves from the identification service's /.well-known/jwks.json path. The HTTP interface validates the JWT token with the public key, and if it is signed with the correct private key, the verification is successful, and it is known that Maija is indeed Maija. At least if the identification service is trustworthy.
1 / 4
Hakatemia Pro
Learn to hack — start here
Hundreds of interactive courses, virtual labs and CTF challenges in your browser. Start a free trial — no card required.