Encrypted JWTs

Encrypted JWTs (JSON Web Tokens) are used to secure the exchange of information between parties by ensuring both confidentiality and integrity. Encryption prevents unauthorized access to the payload, and integrity guarantees that the data has not been tampered with during transmission.

Key Features of Encrypted JWTs

Confidentiality: Only the intended recipient can view the JWT payload.
Integrity: Guarantees that no one has tampered with the JWT in transit.

Important:

While encryption ensures confidentiality, it does not always guarantee that a message hasn't been tampered with. For this reason, JWTs use Authenticated Encryption algorithms to ensure both confidentiality and integrity.

JWE Encryption Algorithms

The JWT specification mandates the use of Authenticated Encryption algorithms for encrypting the JWT payload. Below are the standard encryption algorithms used:

Algorithm Identifier	A128CBC-HS256	A192CBC-HS384	A256CBC-HS512	A128GCM	A192GCM	A256GCM

Symmetric Ciphers and Key Management

The encryption algorithms used in JWTs are all based on symmetric key cryptography, meaning the same key is used for both encryption and decryption. While symmetric encryption is fast and efficient, some use cases may require asymmetric encryption (RSA, Elliptic Curve) or password-based keys. However, asymmetric encryption is typically not used to directly encrypt JWTs due to performance and size limitations.

Why Not Use Asymmetric Encryption Directly?

Asymmetric encryption (like RSA) is slower than symmetric encryption (AES).
Asymmetric algorithms like RSA have size limitations, making them unsuitable for large JWT payloads.
Passwords often do not meet the required key length or entropy needed for secure encryption.

Instead, asymmetric encryption is used to generate a Content Encryption Key (CEK), which is then used to encrypt the JWT payload with a fast symmetric algorithm.

Key Management Process:

Step 1: Use a key management algorithm (e.g., RSA, Elliptic Curve) to generate the Content Encryption Key (CEK).
Step 2: Use the CEK to encrypt the JWT payload with an AES-based Authenticated Encryption algorithm.


        Key algorithmKey = getKeyManagementAlgorithmKey(); // PublicKey, SecretKey, or Password 

        SecretKey contentEncryptionKey = keyManagementAlgorithm.produceEncryptionKey(algorithmKey);

        byte[] ciphertext = encryptionAlgorithm.encrypt(payload, contentEncryptionKey);

JWE Key Management Algorithms

The JWT specification supports several Key Management Algorithms, including RSA, Elliptic Curve, and password-based key derivation algorithms. These algorithms produce the symmetric key (CEK) that is used to encrypt the JWT payload.

Why Use Key Management Algorithms?

Performance: Symmetric encryption is much faster than asymmetric encryption, making it ideal for high-throughput applications like web APIs.
Size Limitations: RSA encryption is limited in the size of data it can encrypt. Using a CEK allows for larger JWTs.
Security: Key management algorithms ensure that encryption keys meet required standards, enhancing the overall security model.

Conclusion

By using JWE (JSON Web Encryption), you can ensure that your JWTs are both confidential and tamper-proof.