JWT 有 3 个部分:
是否可以对有效负载进行加密?以下是我的令牌的有效负载:
{
"iss": "joe",
"exp": "1300819380",
"data": {
"id": "12",
"userName": "PH",
"qntRed": "7",
"qntGrad": {
"1": "800",
"2": "858",
"3": "950",
"4": "745",
"5": "981"
}
}
如果“qntGrad”包含敏感数据,我可以使用密钥对其进行加密吗?加密后它仍然是有效的 JWT 吗?
实际上不仅有签名的 JWT,还有 RFC 描述的几种技术:
根据您的情况,请阅读 RFC7516 (JWE)。这些 JWE 有 5 个部分:
根据您的平台,您可能会找到一个库来帮助您创建此类加密的 JWT。关于 PHP,我正在编写一个库,它已经能够加载和创建这些 JOSE。
另一种非常简单且有效的方法:使用散列和异或编码,并混入时间戳来加密有效负载。
希望有帮助。
import jwt
import base64
from datetime import datetime
import hashlib
def get_current_unix_timestamp():
    """Return the current Unix time, truncated to whole seconds, as a decimal string."""
    now_seconds = int(datetime.now().timestamp())
    return str(now_seconds)
def get_human_readable_timestamp(timestamp):
    """Format a Unix timestamp as ``YYYY-MM-DD HH:MM:SS``.

    ``timestamp`` is passed through ``int()``, so a decimal string is accepted.
    ``datetime.fromtimestamp`` is called without a ``tz`` argument, so the
    result is expressed in the host's local time zone.
    """
    moment = datetime.fromtimestamp(int(timestamp))
    return f"{moment:%Y-%m-%d %H:%M:%S}"
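def encode_userid_with_timestamp(userid, current_unix_timestamp, secret_key):
    """Mask ``userid`` plus a keyed timestamp digest with a repeating XOR key.

    Args:
        userid: User identifier as text.
        current_unix_timestamp: Unix timestamp as a decimal string.
        secret_key: Non-empty ``bytes``. It is also decoded to text, because
            it is concatenated with the timestamp before hashing.

    Returns:
        Base64 text of ``userid + "|" + digest`` XOR-ed with the repeated key,
        where ``digest`` is the first 32 hex characters of
        SHA-256(timestamp + key).

    Raises:
        ValueError: If ``secret_key`` is empty.

    NOTE(security): repeating-key XOR is reversible obfuscation, not
    encryption. It gives no integrity protection and the same key bytes mask
    every token, so it should not be relied on to keep a claim confidential.
    For confidential claims use JWE (RFC 7516) or an authenticated cipher
    from a vetted library.
    """
    if not secret_key:
        # An empty key previously surfaced as an opaque ZeroDivisionError.
        raise ValueError("secret_key must not be empty")

    # Keyed digest of the timestamp, truncated to 32 hex characters.
    digest_input = current_unix_timestamp + secret_key.decode()
    timestamp_digest = hashlib.sha256(digest_input.encode()).hexdigest()[:32]

    plaintext = "|".join((userid, timestamp_digest)).encode()

    # XOR each byte with the key, cycling the key over the plaintext length.
    key_len = len(secret_key)
    masked = bytes(
        byte ^ secret_key[pos % key_len] for pos, byte in enumerate(plaintext)
    )
    return base64.b64encode(masked).decode()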
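def decode_userid_timestamp(encoded_data, key):
    """Reverse the Base64 + repeating-key XOR masking and split the fields.

    Args:
        encoded_data: Base64 text of the masked ``userid|digest`` string.
        key: Non-empty ``bytes`` XOR key.

    Returns:
        A ``(userid, hashed_timestamp)`` tuple.

    Raises:
        ValueError: If ``key`` is empty or the unmasked text has no ``"|"``
            separator.
        UnicodeDecodeError: If the unmasked bytes are not valid text (for
            example when a different key is supplied).

    NOTE(security): this function only unmasks; it does not check that
    ``hashed_timestamp`` matches anything. A caller that relies on the digest
    has to recompute it and compare the two values itself, preferably with a
    constant-time comparison such as ``hmac.compare_digest``.
    """
    if not key:
        raise ValueError("key must not be empty")

    masked = base64.b64decode(encoded_data.encode())

    key_len = len(key)
    unmasked = bytes(byte ^ key[pos % key_len] for pos, byte in enumerate(masked))

    # Split on the LAST separator: the digest is hex and never contains "|",
    # whereas a user ID might, which made a plain split() fail to unpack.
    userid, hashed_timestamp = unmasked.decode().rsplit("|", 1)
    return userid, hashed_timestamp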
def main():
    """Run the demo: mask a user ID, wrap it in an HS256 JWT, and print each step."""
    # Placeholder secrets for the demo only. Real keys belong in a secret
    # store, and should never be printed or logged as this demo does below.
    xor_secret_key = b'generally_user_salt_or_hash_or_random_uuid_this_value_must_be_in_dbms'
    jwt_secret_key = 'yes_your_service_jwt_secret_key'
    userid = "23243232"

    unix_ts = get_current_unix_timestamp()
    readable_ts = get_human_readable_timestamp(unix_ts)

    masked_userid = encode_userid_with_timestamp(userid, unix_ts, xor_secret_key)
    decoded_userid, hashed_timestamp = decode_userid_timestamp(masked_userid, xor_secret_key)

    # HS256 signs the token; the claims themselves stay readable to anyone
    # holding it, so 'timestamp' travels in the clear.
    claims = {'timestamp': readable_ts, 'userid': masked_userid}
    jwt_token = jwt.encode(claims, jwt_secret_key, algorithm='HS256')
    decoded_token = jwt.decode(jwt_token, jwt_secret_key, algorithms=['HS256'])

    print("")
    print("- Current Unix Timestamp:", unix_ts)
    print("- Current Unix Timestamp to Human Readable:", readable_ts)
    print("")
    print("- userid:", userid)
    print("- XOR Symmetric key:", xor_secret_key)
    print("- JWT Secret key:", jwt_secret_key)
    print("")
    print("- Encoded UserID and Timestamp:", masked_userid)
    print("- Decoded UserID and Hashed Timestamp:", decoded_userid + "|" + hashed_timestamp)
    print("")
    print("- JWT Token:", jwt_token)
    print("- Decoded JWT:", decoded_token)


if __name__ == "__main__":
    main()
https://github.com/password123456/some-tweak-to-hide-jwt-payload-values
下面是一种非常简单有效的使用 AES 加密的方法。请注意,您需要获取自己的密钥(链接包含在代码注释中)。
注意:加密时,每次加密调用都会设置一个 IV,解密时需要用到它。
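/// <summary>
/// AES-256 helpers in CBC mode with PKCS7 padding. Text is converted with
/// Encoding.Unicode and the ciphertext is returned as Base64.
/// </summary>
/// <remarks>
/// NOTE(security): CBC as used here provides confidentiality only. The
/// ciphertext is not authenticated, so modified ciphertext is not reliably
/// detected. Add a MAC over IV + ciphertext (encrypt-then-MAC), or use an
/// authenticated mode or JWE (RFC 7516), before trusting decrypted data.
/// AesCryptoServiceProvider is marked obsolete on recent .NET versions;
/// Aes.Create() is the replacement there.
/// </remarks>
public class CustomEncryption
{
    private const int KeyLengthBytes = 32;

    /// <summary>Encrypts <paramref name="text"/> with the supplied 256-bit key.</summary>
    /// <param name="text">Plain text to encrypt.</param>
    /// <param name="AesKey256">32-byte AES key supplied by the caller.</param>
    /// <param name="iv">Receives the IV used for this call; it is needed to decrypt.</param>
    /// <returns>Base64 encoding of the ciphertext.</returns>
    /// <exception cref="ArgumentNullException">The key is null.</exception>
    /// <exception cref="ArgumentException">The key is not 32 bytes long.</exception>
    public static string Encrypt256(string text, byte[] AesKey256, out byte[] iv)
    {
        RequireKey(AesKey256);

        // Dispose the provider so key material is released deterministically.
        using (AesCryptoServiceProvider aes = new AesCryptoServiceProvider())
        {
            aes.BlockSize = 128;
            aes.KeySize = 256;
            // Use the caller's key. The original ignored this parameter and
            // always used the hard-coded sample key.
            aes.Key = AesKey256;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;

            // The IV is not secret, but it must be stored or sent with the ciphertext.
            iv = aes.IV;

            byte[] src = Encoding.Unicode.GetBytes(text);
            using (ICryptoTransform encrypt = aes.CreateEncryptor())
            {
                byte[] dest = encrypt.TransformFinalBlock(src, 0, src.Length);
                return Convert.ToBase64String(dest);
            }
        }
    }

    /// <summary>Decrypts Base64 ciphertext produced by <see cref="Encrypt256"/>.</summary>
    /// <param name="text">Base64 ciphertext.</param>
    /// <param name="AesKey256">The 32-byte AES key used to encrypt.</param>
    /// <param name="iv">The IV returned by the matching Encrypt256 call.</param>
    /// <returns>The decrypted text.</returns>
    /// <exception cref="ArgumentNullException">The key is null.</exception>
    /// <exception cref="ArgumentException">The key is not 32 bytes long.</exception>
    public static string Decrypt256(string text, byte[] AesKey256, byte[] iv)
    {
        RequireKey(AesKey256);

        using (AesCryptoServiceProvider aes = new AesCryptoServiceProvider())
        {
            aes.BlockSize = 128;
            aes.KeySize = 256;
            aes.IV = iv;
            aes.Key = AesKey256;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;

            byte[] src = System.Convert.FromBase64String(text);
            using (ICryptoTransform decrypt = aes.CreateDecryptor())
            {
                byte[] dest = decrypt.TransformFinalBlock(src, 0, src.Length);
                return Encoding.Unicode.GetString(dest);
            }
        }
    }

    // Rejects a missing key, and a shorter valid AES key that would silently
    // downgrade the cipher below 256 bits when assigned to aes.Key.
    private static void RequireKey(byte[] key)
    {
        if (key == null)
        {
            throw new ArgumentNullException("AesKey256");
        }
        if (key.Length != KeyLengthBytes)
        {
            throw new ArgumentException("AES-256 requires a 32-byte key.", "AesKey256");
        }
    }

    // Sample key for local testing only; Encrypt256/Decrypt256 no longer use it.
    // A predictable, hard-coded key like this must never protect real data.
    private static byte[] aesKey256()
    {
        //you will need to get your own aesKey
        //for testing you can generate one from
        //https://asecuritysite.com/encryption/keygen
        return new byte[] { 1, 2, 3, 4, 5, 6, 7, 8, 9, 1, 2, 3, 4, 5, 6, 7, 8, 9, 1, 2, 3, 4, 5, 6, 7, 8, 9, 1, 2, 3, 4, 5 };
    }
}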
}
不加密令牌意味着其他外部服务可以读取并验证令牌实际上是真实的,而无需访问您的私钥。 (他们只需要公钥)