Understanding JWT Tokens and the Hashing Techniques Used
JSON Web Tokens (JWT) have become an increasingly popular method of securely transmitting data between parties. JWTs are compact, URL-safe means of representing claims to be transferred between two parties. A JWT token is an encoded JSON object that is passed between a client and a server. It contains a set of claims that allow the receiver to identify the user and perform authorization checks. In this blog post, we’ll explore how JWT tokens work, and how the hashing techniques used in JWT make it a secure way to transmit data.
Part 1: Understanding JWT Tokens
A JWT token is a string that contains three parts: a header, a payload, and a signature. The header contains information about the type of token and the algorithm used to sign it. The payload contains a set of claims that identify the user and provide authorization information. The signature is a hash of the header and the payload, signed with a secret key that is known only to the server.
JWT Example: Encoded Token -
1
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.tos2hwtguLeeA67GKRTgvbLxrnxzerRmtuNTM9_-c7E
JWT Header
The header of a JWT contains information about the type of token and the cryptographic algorithm used to create its signature. It is base64Url encoded and includes two properties: alg and typ.
The alg property specifies the cryptographic algorithm used to sign the token, such as HMAC SHA256 or RSA. The typ property specifies the type of token, which is always “JWT”.
Here’s an example of a JWT header:
1
2
3
4
{
"alg": "HS256",
"typ": "JWT"
}
This header indicates that the HMAC SHA256 algorithm was used to sign the token and that the type of token is JWT.
JWT Payload
The payload of a JWT contains the actual data that is transmitted between parties. It is also base64Url encoded and can include any number of claims. A claim is a piece of information that is asserted about the subject of the token. There are three types of claims: registered, public, and private.
Registered claims are predefined by the JWT specification and include information such as the issuer of the token, the subject of the token, and the expiration time of the token.
Public claims are defined by those who use JWTs and can be used to share additional information about the token.
Private claims are custom claims used by those who create and consume the JWT.
Here’s an example of a JWT payload:
1
2
3
4
5
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022
}
This payload includes a subject (sub) claim with the value “1234567890”, a name (name) claim with the value “John Doe”, and an issued at (iat) claim with the value 1516239022.
JWT Signature
The signature of a JWT is used to verify that the message has not been altered during transit. It is created by taking the encoded header and payload, and signing them with a secret key using the algorithm specified in the header.
The signature is created using the alg property in the header and a secret key. The signature is created by hashing the encoded header and payload with the secret key using the algorithm specified in the alg property.
Here’s an example of a JWT signature:
1
2
3
4
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret)
In this example, the HMAC SHA256 algorithm is used to create the signature.
Part 2: Understanding Popular Hashing Algorithms Used in JWT Token
As JWTs consist of three parts: a header, a payload, and a signature. The signature is used to verify the integrity of the message and ensure that it has not been tampered with. One way to create a signature is by using a hashing algorithm. Here are some popular hashing algorithms used in JWT token:
HMAC-SHA256 HMAC-SHA256 (Hash-based Message Authentication Code using Secure Hash Algorithm 256) is a widely used hashing algorithm. It takes a message and a secret key as input and produces a fixed-size output called a digest. The digest is then used as the signature. HMAC-SHA256 is a secure and fast algorithm that provides authentication and integrity for the message.
RSA-SHA256 RSA-SHA256 is a public-key cryptography algorithm. It uses a pair of keys, a public key and a private key, to encrypt and decrypt messages. The public key is used to verify the signature, while the private key is used to create the signature. RSA-SHA256 is a secure and widely used algorithm that provides authentication and integrity for the message.
ECDSA-SHA256 ECDSA-SHA256 (Elliptic Curve Digital Signature Algorithm using Secure Hash Algorithm 256) is a public-key cryptography algorithm that uses elliptic curve cryptography. It also uses a pair of keys, a public key and a private key, to encrypt and decrypt messages. The public key is used to verify the signature, while the private key is used to create the signature. ECDSA-SHA256 is a secure and efficient algorithm that provides authentication and integrity for the message.
SHA256 SHA256 (Secure Hash Algorithm 256) is a popular hashing algorithm that produces a 256-bit digest. It is often used in conjunction with HMAC to create a signature. SHA256 is a fast and secure algorithm that provides integrity for the message.
MD5 MD5 (Message-Digest Algorithm 5) is a widely used hashing algorithm that produces a 128-bit digest. It is fast and efficient but has some known vulnerabilities. It is not recommended to use MD5 for new applications.
Choice of algorithm
The choice of algorithm depends on the specific use case and the desired level of security. HMAC-SHA256, RSA-SHA256, and ECDSA-SHA256 are all secure and widely used algorithms that provide authentication and integrity for the message. SHA256 is a fast and secure algorithm, while MD5 is not recommended for new applications due to its known vulnerabilities.
Conclusion
Understanding the header, payload, and signature of a JWT is crucial in creating and verifying JWTs. The header specifies the cryptographic algorithm used to sign the token, the payload contains the data that is transmitted, and the signature is used to verify that the message has not been altered during transit. By understanding how these parts work together, you can use JWTs to securely transmit information between parties.