duanbigan7765 2019-07-16 01:17
Views: 410
Accepted

Can a "token" generated with "PASETO" be decrypted and viewed like a "JWT token"?

I am using "Platform-Agnostic Security Tokens" for OAuth in Golang - https://github.com/o1egl/paseto

I am not able to understand why this is better than JWT, even after reading the README.

My major questions are:

  1. Can the "token" generated be altered like a "JWT" to pass modified or tampered data?
  2. Can a "token" generated using "paseto" be decrypted and viewed like a "JWT"?

The Paseto library above has "Set" and "Get" methods on its JSONToken type. Is that how we can verify the authenticity of the user?

Sample Code:

package main

import (
	"fmt"
	"time"

	"github.com/o1egl/paseto"
)

func main() {
	symmetricKey := []byte("YELLOW SUBMARINE, BLACK WIZARDRY") // Must be 32 bytes
	now := time.Now()
	exp := now.Add(24 * time.Hour)
	nbt := now

	jsonToken := paseto.JSONToken{
		Audience:   "test",
		Issuer:     "test_service",
		Jti:        "123",
		Subject:    "test_subject",
		IssuedAt:   now,
		Expiration: exp,
		NotBefore:  nbt,
	}
	// Add custom claim to the token
	jsonToken.Set("data", "this is a signed message")
	footer := "some footer"

	v2 := paseto.NewV2()

	// Encrypt data
	token, err := v2.Encrypt(symmetricKey, jsonToken, footer)
	if err != nil {
		panic(err)
	}
	// token = "v2.local.E42A2iMY9SaZVzt-WkCi45_aebky4vbSUJsfG45OcanamwXwieieMjSjUkgsyZzlbYt82miN1xD-X0zEIhLK_RhWUPLZc9nC0shmkkkHS5Exj2zTpdNWhrC5KJRyUrI0cupc5qrctuREFLAvdCgwZBjh1QSgBX74V631fzl1IErGBgnt2LV1aij5W3hw9cXv4gtm_jSwsfee9HZcCE0sgUgAvklJCDO__8v_fTY7i_Regp5ZPa7h0X0m3yf0n4OXY9PRplunUpD9uEsXJ_MTF5gSFR3qE29eCHbJtRt0FFl81x-GCsQ9H9701TzEjGehCC6Bhw.c29tZSBmb290ZXI"

	// Decrypt data
	var newJsonToken paseto.JSONToken
	var newFooter string
	// `err =` rather than `err :=`: err is already declared above, so `:=` would not compile here
	err = v2.Decrypt(token, symmetricKey, &newJsonToken, &newFooter)
	if err != nil {
		panic(err)
	}
	fmt.Println(newJsonToken.Get("data"), newFooter)
}

Now, if you look at the code, there is: jsonToken.Set("data", "this is a signed message"), and we can get that value back in the "Decrypt data" step at the end, where the newJsonToken variable is created.

We can get the value of the "data" key using: newJsonToken.Get("data").

But is the above data "verifiable", so that it can't be tampered with or modified on the user's end?

Like in the JWT debugger at JWT.io, people can tamper with the data, know the algorithm and pass "modified" data.

Can a user do the same with my generated token as well? Can they decode it and pass tampered data? Or can they not decode or view the actual data at all?


1 answer

  • duanben4771 2019-07-16 02:43

    1 - Can "token" generated be altered like "JWT" and pass modified or tampered data?

    Note that a token cannot be "altered" with either PASETO or JWT without knowing the signing key (which should of course be secret).

    The fact you mention about being able to view the JWT token data on the JWT.io page is because the data is not encrypted (so you can see it without the key).

    But the token is signed, so if you modify any value and don't have the key, you won't be able to sign it back, and the token receiver will notice the token is not valid when trying to verify it.

    2 - Can "token" generated using "paseto" be decrypted and viewed like "JWT"?

    It depends on how you generate the PASETO token.

    See here:

    https://tools.ietf.org/id/draft-paragon-paseto-rfc-00.html#rfc.section.2

    The format of the token is version.purpose.payload.

    And from the docs:

    The payload is a string that contains the token's data. In a local token, this data is encrypted with a symmetric cipher. In a public token, this data is unencrypted.

    So if you generate the token as in the code snippet you posted (a local token, with a symmetric key), then the payload will be encrypted (you won't be able to see it unless you know the symmetric key and use it to decrypt the token).

    If you use a public/private key pair, then the payload will not be encrypted, so you'll be able to see it without the key (but you'll not be able to change it and sign it again without knowing the private key).

    This answer was selected by the asker as the best answer.
