Menu
I want to secure the hosted Rest services using Token authorization system. So, I decided to go with JWT process. After the following documentation, I got confused how digital signature works. AFAIK we need to encrypt the private key using SignatureAlgorithm. and to verify it we only need public key on our end user application. I will save the public key in an android local database.
Now, Let's talk about reverse engineering. If someone is able to access the client database and figure it out what is the public key . Now they just need to figure out what kind of algorithm server are using for digital signature and it's very simple to do it by just decrypting the header section.
Am I missing something here? If No, Then How JWT is safe to use?
740
I got confused how digital signature works.
Indeed.
AFAIK we need to encrypt the private key using SignatureAlgorithm.
No. You need to encrypt data, and encrypt it with the private key. Usually what you encrypt is an HMAC of the data, to save space.
and to verify it we only need public key on our end user application.
Correct. But what you're verifying is that that data was signed with that private key.
Now, Let's talk about reverse engineering. If someone is able to access the client database and figure it out what is the public key. Now they just need to figure out what kind of algorithm server are using for digital signature and it's very simple to do it by just decrypting the header section.
No, because you didn't encrypt the header section. You encrypted an HMAC.
82
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
