Should I be able to see patterns in a HS256 encoded JWT?
I was fiddling with https://jwt.io/ using this header

{
  "alg": "HS256",
  "typ": "JWT"
}

when I realized that replacing the payload name with something repetitive like AAAAAAAAAAAAAAAAAAAA would produce a token such as this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFBQUFBQUFBQUFBQUFBQUFBQUFBIiwiaWF0IjoxNTE2MjM5MDIyfQ.hlXlWvaeyOb6OcrOwd-xfWgF8QlfmTycj5WWZwRr6FY

You can see that the BQUF substring appears to be repeated. The more As I added to the name, the more BQUFs show up.
As far as I know the presence of these kinds of patterns makes it considerably easier to find out the encoded contents. What am I missing?

Tags: encryption, jwt, token
asked 9 hours ago by jmacedo
2 Answers
tl/dr: JWTs don't encrypt anything, they merely encode it for easy transport. The data in the payload is not meant to be a secret.

What you are looking at is simply the base64 encoded data payload. A JWT contains 3 parts:
- The base64 encoded header
- The base64 encoded data
- A cryptographic signature

Base64 is simply an encoding format - not any kind of encryption, and is not meant to hide the data. Rather, it just makes sure it is composed solely of standard ASCII characters that easily survive transfer between different systems. As a result, if you were to take everything in between the two periods and run it through a base64 decoder, you would see your original payload data without issue.
The key therefore is simple: a JWT isn't meant to hide the data. It is simply intended (through the signature) to ensure data integrity, i.e. if someone changes the data payload then you will know because your signature will no longer match.
answered 8 hours ago by Conor Mancone
Of course. Thanks. I had this misconception in my mind that the jwt could only be read by those having the secret, but it turns out that it's just a vehicle for information which we need to make sure came from a legitimate source.
– jmacedo, 8 hours ago
@jmacedo Yup, that's exactly correct. It's easy to get confused about because base64 data certainly looks encrypted, which is even more true when you realize that a lot of encrypted data is actually displayed in a base64 encoding.
– Conor Mancone, 8 hours ago
What you're missing is that your token is signed (or, more precisely, authenticated with a symmetric key) but not encrypted.
If you take the token in your question above, split it into three pieces at the periods (.) and feed each piece into a base64 decoder, you'll get the following decoded outputs:

{"alg":"HS256","typ":"JWT"}
{"sub":"1234567890","name":"AAAAAAAAAAAAAAAAAAAA","iat":1516239022}

and a sequence of 32 mostly non-ASCII bytes which is the 256-bit HMAC authentication tag for the rest of the token. As you can see, all the data is there easily readable by anyone. The authentication tag only prevents anyone who doesn't know the secret HMAC key from modifying the token or creating forged tokens from scratch.
answered 8 hours ago by Ilmari Karonen
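Both answers make the same two points: the header and claims are plain base64url and readable without any key, while the third part is an HMAC-SHA256 tag that only holders of the key can produce or check. The following Python script is an added example, not code from either answer or from jwt.io: it decodes the exact token from the question with no key, then re-signs the same claims under a constructed demo key (`constructed-demo-key`) and a tampered "Mallory" claim, both assumptions for the demo, to show that the tag provides integrity and origin, not confidentiality.

```python
import base64
import hashlib
import hmac
import json

# Token copied from the question (jwt.io default claims, name set to 20 x "A").
TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFBQUFBQUFBQUFBQUFBQUFBQUFBIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "hlXlWvaeyOb6OcrOwd-xfWgF8QlfmTycj5WWZwRr6FY"
)


def b64url_decode(part: str) -> bytes:
    """JWS uses base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw: bytes) -> str:
    # Every 3 input bytes become 4 output chars, so b"AAA" is always "QUFB":
    # the repeating "BQUF" in the question is the encoding itself, not a leak.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_without_key(token: str):
    """Header and claims are readable by anyone; no secret is involved."""
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Compact JWS: HMAC-SHA256 over the ASCII string 'header.payload'."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    tag = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(tag)}"


def verify_hs256(token: str, key: bytes) -> bool:
    """Recompute the tag under the key and compare in constant time.
    A valid tag proves integrity and origin only; it hides nothing."""
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        return False  # pin the algorithm server-side; never trust the header's choice
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(s))


def tamper_name(token: str, new_name: str) -> str:
    """Rewrite the 'name' claim but keep the old tag: still readable, yet it
    must fail verification because the tag no longer covers these bytes."""
    h, p, s = token.split(".")
    claims = json.loads(b64url_decode(p))
    claims["name"] = new_name
    return f"{h}.{b64url_encode(json.dumps(claims, separators=(',', ':')).encode())}.{s}"


if __name__ == "__main__":
    header, claims, sig = decode_without_key(TOKEN)
    print(header, claims, f"{len(sig)}-byte HMAC tag")  # readable with no key at all
    key = b"constructed-demo-key"  # constructed for this demo; not jwt.io's secret
    fresh = sign_hs256(header, claims, key)  # first two parts identical to TOKEN
    print(verify_hs256(fresh, key), verify_hs256(tamper_name(fresh, "Mallory"), key))
```

Because the demo key is not the one jwt.io used, the page's own tag cannot be verified here; only the re-signed token is, which is exactly the point: without the key you can read everything and change nothing that will still verify.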