Should I be able to see patterns in a HS256 encoded JWT?


I was fiddling with https://jwt.io/ using this header

{
  "alg": "HS256",
  "typ": "JWT"
}

when I realized that replacing the payload name with something repetitive like AAAAAAAAAAAAAAAAAAAA would produce a token such as this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFBQUFBQUFBQUFBQUFBQUFBQUFBIiwiaWF0IjoxNTE2MjM5MDIyfQ.hlXlWvaeyOb6OcrOwd-xfWgF8QlfmTycj5WWZwRr6FY

You can see that the BQUF substring appears to be repeated. The more As I added to the name, the more BQUFs show up.

As far as I know the presence of these kinds of patterns makes it considerably easier to find out the encoded contents. What am I missing?

Tags: encryption jwt token

asked 9 hours ago
jmacedo

2 Answers

tl/dr: JWTs don't encrypt anything, they merely encode it for easy transport. The data in the payload is not meant to be a secret.

What you are looking at is simply the base64 encoded data payload. A JWT contains 3 parts:

1. The base64 encoded header
2. The base64 encoded data
3. A cryptographic signature

Base64 is simply an encoding format - not any kind of encryption, and is not meant to hide the data. Rather, it just makes sure it is composed solely of standard ASCII characters that easily survive transfer between different systems. As a result, if you were to take everything in between the two periods and run it through a base64 decoder, you would see your original payload data without issue.

The key therefore is simple: a JWT isn't meant to hide the data. It is simply intended (through the signature) to ensure data integrity, i.e. if someone changes the data payload then you will know because your signature will no longer match.

answered 8 hours ago
Conor Mancone

• Of course. Thanks. I had this misconception in my mind that the jwt could only be read by those having the secret, but it turns out that it's just a vehicle for information which we need to make sure came from a legitimate source.
  – jmacedo, 8 hours ago

• @jmacedo Yup, that's exactly correct. It's easy to get confused about because base64 data certainly looks encrypted, which is even more true when you realize that a lot of encrypted data is actually displayed in a base64 encoding.
  – Conor Mancone, 8 hours ago

What you're missing is that your token is signed (or, more precisely, authenticated with a symmetric key) but not encrypted.

If you take the token in your question above, split it into three pieces at the periods (.) and feed each piece into a base64 decoder, you'll get the following decoded outputs:

{"alg":"HS256","typ":"JWT"}
{"sub":"1234567890","name":"AAAAAAAAAAAAAAAAAAAA","iat":1516239022}

and a sequence of 32 mostly non-ASCII bytes which is the 256-bit HMAC authentication tag for the rest of the token. As you can see, all the data is there easily readable by anyone. The authentication tag only prevents anyone who doesn't know the secret HMAC key from modifying the token or creating forged tokens from scratch.

answered 8 hours ago
Ilmari Karonen
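
Both answers make the same point from two sides: the first two segments are plain base64url that anyone can decode without a key, and only the third segment depends on the HMAC secret. The Python below is an added example, not code from the question or from either answer: it decodes the token from the question with the standard library alone, shows why a run of A bytes always yields a run of QUFB groups (the question's BQUF is those same groups read from one character later), and signs and verifies a fresh token with the same header and payload under a constructed key, since the key behind the question's own signature is not on the page.

```python
"""Decode and verify an HS256 JWT with only the Python standard library."""
import base64
import hashlib
import hmac
import json

# Token from the question: jwt.io's default header and payload with the "name"
# claim replaced by twenty "A"s. The key that produced its signature is unknown.
TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
         "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFBQUFBQUFBQUFBQUFBQUFBQUFBIiwiaWF0IjoxNTE2MjM5MDIyfQ."
         "hlXlWvaeyOb6OcrOwd-xfWgF8QlfmTycj5WWZwRr6FY")


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def json_segment(part: dict) -> str:
    """Compact JSON (no whitespace), the same serialisation jwt.io uses."""
    return b64url_encode(json.dumps(part, separators=(",", ":")).encode())


def decode_jwt(token: str):
    """Return (header, payload, signature bytes). No key needed: base64 is encoding, not encryption."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)),
            b64url_decode(sig_b64))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """The HMAC-SHA256 tag covers the literal ASCII bytes 'header_b64.payload_b64'."""
    signing_input = json_segment(header) + "." + json_segment(payload)
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def verify_hs256(token: str, key: bytes) -> bool:
    """Recompute the tag over the segments exactly as received; compare in constant time."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header_b64, payload_b64, sig_b64 = parts
    # Only accept the algorithm this verifier expects; the token must not choose it.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return False
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def demo() -> dict:
    """Re-create the question's token under a constructed key and exercise the checks."""
    header, payload, sig = decode_jwt(TOKEN)
    key = b"constructed-demo-key"  # constructed for this example, not a real secret
    ours = sign_hs256(header, payload, key)
    # Change one claim but keep the old tag: the integrity check must now fail.
    h, _, s = ours.split(".")
    modified = ".".join([h, json_segment(dict(payload, name="B" * 20)), s])
    return {
        "name_without_key": payload["name"],         # readable by anyone
        "tag_bytes": len(sig),                       # 32 bytes = 256-bit HMAC
        # Header and payload segments match the question's token exactly; only
        # the third segment depends on the key.
        "same_first_two_segments": ours.rsplit(".", 1)[0] == TOKEN.rsplit(".", 1)[0],
        "valid": verify_hs256(ours, key),
        "modified_valid": verify_hs256(modified, key),
        "wrong_key_valid": verify_hs256(ours, b"some-other-key"),
    }


if __name__ == "__main__":
    # Base64 maps every 3-byte chunk to 4 characters, so "AAA" is always "QUFB"
    # and a longer run of "A"s is just "QUFB" repeated.
    print(b64url_encode(b"AAA"), b64url_encode(b"A" * 9))
    print(demo())
```

Running the file prints the repeating base64 groups and the result of each check.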