3

What would be the issue if I encrypt the "claims/body/data" and I send it to the user, then when the user sends me this encrypted token, I decrypt it I trust it, and operate on the data in it (If it's decryptable using a secret key). So basically the same idea as JWT only I won't send the header and the signature, and the body would be encrypted.

Is there a known/implicit vulnerability with this ?

Limit
  • 3,276
  • 1
  • 17
  • 36
Mehdi
  • 133
  • 3

1 Answers1

3

TL;DR: It is not recommended. If you don't want to use public key cryptography, you can use HMAC.

Using encryption may work to some extent, but you would really need to know what you are doing or hope you get lucky.

Signature/MAC protects the whole message from being changed. Encryption does not prevent change, the only thing it can prevent is the attacker knowing, what he is changing.

Now if the format is known, for example he knows where the user ID is (and is lucky), he can change it to a different (random) ID blindly. Now this may or may not be useful for the attacker but it brings a lot of problems.

Also, depending on the encryption algorithm, padding (if any) and other factors, you may face additional problems.

For example, if there is no IV in the scheme, an attacker may take part of one message and part of another and mix them together. So let's say I intercept two messages. One makes you administrator and one makes me user. I may be able to take the name from my message and the rank (administrator) from your massage and make myself administrator.

Also as pointed out by AndrolGenhald, with CTR mode (AES or any other block cipher), the attacker can completely change the encrypted message as long, as it is the same length. This may also be possible with less well known modes and/or ciphers.

PS: AES in GCM mode can be used to both encrypt and authenticate data, so using it prevents all the above mentioned problems and is preferable, if confidentiality of the data is required. However, it is still necessary to send the IV and the MAC with the body.

Peter Harmann
  • 7,858
  • 5
  • 21
  • 28
  • 2
    Even worse, if using e.g. CTR mode and I know the format is {"userId": 12345,...} and I know my user id is 12345, I can change it to any other 5 digit number I want. – AndrolGenhald Apr 24 '18 at 15:46
  • @AndrolGenhald I did not realize, but you are right :) Will edit. – Peter Harmann Apr 24 '18 at 15:51
  • 1
    So to summarize (and check If I understand), using encryption will only allow the server to protect what he sends, but will not assure me that the client is giving me back the same token I gave him? – Mehdi Apr 24 '18 at 15:56
  • 2
    @Mehdi yes, if you want to do both, you can always use AES in GCM mode. GCM provides a MAC as well as encryption. Or you can just encrypt the JWT. – Peter Harmann Apr 24 '18 at 15:58
  • Thank you guys a lot, that was really helpful, have a wonderful day. – Mehdi Apr 24 '18 at 16:00