JWT signature and validation explained

JWT stands for JSON Web Token. JWTs are used to securely transmit information between parties because they can be signed. A JWT consists of three sections separated by a dot (.):

  • Header section: a JSON object (encoded as base64url) that describes the algorithm the issuer used to sign the JWT
  • Payload section: a JSON object (encoded as base64url) that contains the message data (the claims)
  • Signature section: ciphertext (encoded as base64url) that the sender generates by encrypting the hash of the header and payload

[Figure: jwt_sample_debug_demo.png]

Let us look at how the signature of a JWT is generated by the sender (the issuer or server) and how the receiver (the client) verifies that signature to check whether the JWT has been tampered with in transit.

How the JWT signature is generated by the sender / issuer

[Figure: jwt_signature_formula.png]

  • Step 1: The header and payload of the JWT are concatenated with a dot (.) to create a single string of text (header + "." + payload)
  • Step 2: The hash of the text from Step 1 is calculated (for example, the SHA-256 hashing algorithm is used for RS256 JWTs)
  • Step 3: The hash from Step 2 is encrypted with the issuer's private key to produce the signature

How JWT signature is validated by the receiver

  • Step A: The header and payload of the received JWT are concatenated with a dot (.) to create a single string of text (header + "." + payload)
  • Step B: The hash of the text from Step A is calculated
  • Step C: The signature of the JWT is decrypted using the public key of the sender / issuer and compared with the hash from Step B; the JWT is accepted only if the two match

Why use base64 URL encoding

  • base64url encoding converts input text or bytes into printable text drawn from a limited character set (a-z A-Z 0-9 - _ =)
  • This ensures that special characters such as newline and carriage return are not present in the JWT, which makes transmission more reliable
  • For example, the base64 encoding of the text "ab/.?<*.cd" is "YWIvLj88Ki5jZA"

Why hash before signing

  • Signing a hash instead of the full message keeps the signature small, which reduces the size of the JWT. For example, a hashing function like SHA-256 accepts an input of fewer than 2^64 bits and produces an output of 256 bits, or 64 hexadecimal characters
  • The SHA-256 hashing algorithm takes an input and produces a fixed-length output called a hash
    • Hashing always produces the same output for the same input
    • No two different inputs should produce the same output (finding such a collision is computationally infeasible)
    • Hashing is irreversible: the input cannot be derived from the output
  • For example, the SHA-256 hash of the text "ab/.?<*.cd" is "a9ca32e6d95a4d9fd398948d91b7780a1f897e0c73e0fe8474f8503978827bcf"

Ensuring JWT authenticity with RSA asymmetric key encryption

  • Asymmetric key encryption uses a public key and a private key for encrypting and decrypting data. The private key is accessible only to the issuer, while the public key is accessible to everyone
  • The issuer uses the private key to encrypt the hash of the JWT header and payload. This is called the signature: only the issuer can generate it, because only the issuer knows the private key
  • Using the public key, the receiver can decrypt the signature and verify that the decrypted contents match the received JWT header and payload
  • If the JWT header or payload has been tampered with, the decrypted signature will not match the tampered JWT contents
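The signing steps (1 to 3) and verification steps (A to C) above, as an added example that is not part of the original post. The Python standard library has no RSA, so this uses the HS256 (HMAC-SHA256) JWT algorithm in place of the RS256 the post describes; the structure of the token, the base64url encoding and the tamper check are the same. The secret and claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real HS256 key must be random and at least 256 bits long.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"

def b64url_encode(data: bytes) -> str:
    """base64url as JWT uses it: '-' and '_' alphabet, '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    """Restore the padding stripped by b64url_encode before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(payload: dict, secret: bytes) -> str:
    """Steps 1-3 of the post: join header.payload, hash and sign (HMAC-SHA256 here)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_jwt(token: str, secret: bytes):
    """Steps A-C: recompute over header.payload and compare; returns the payload dict or None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        received_sig = b64url_decode(sig_b64)
    except ValueError:  # wrong section count, bad base64url or bad JSON
        return None
    # Pin the algorithm: the token's own header must never choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison, so a forged signature cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, received_sig):
        return None
    return json.loads(b64url_decode(payload_b64))

def tamper_check(secret: bytes = DEMO_SECRET) -> tuple:
    """Issue a token, alter its payload but keep the signature; returns (original_valid, tampered_valid)."""
    token = sign_jwt({"sub": "alice", "role": "user"}, secret)
    header_b64, _, sig_b64 = token.split(".")
    altered_payload = b64url_encode(b'{"sub":"alice","role":"admin"}')
    tampered = ".".join([header_b64, altered_payload, sig_b64])
    return (verify_jwt(token, secret) is not None,
            verify_jwt(tampered, secret) is not None)
```

`tamper_check()` returns `(True, False)`: the untouched token verifies, while the token whose payload was changed after signing is rejected because the recomputed value no longer matches its signature section.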

Video

Video for this post can be found here

Comments

  1. There is a typo at the first line. It will be JWT stands for JSON Web(Wen) Token. Thanks for the blog.