duanbigan7765 2019-07-16 01:17
浏览 410
已采纳

使用“ Paseto令牌”生成的“令牌”是否可以解密并像“ JWT令牌”一样查看?

I am using "Platform agnostic Security Token" for oAuth in Golang - https://github.com/o1egl/paseto

I am not able to understand, why this is better than JWT even after reading README

My Major Question is:

  1. Can "token" generated be altered like "JWT" and pass modified or tampered data?
  2. Can "token" generated using "paseto" be decrypted and viewed like "JWT"?

Paseto library above uses "SET" and "GET" method inside their JSONToken method. Is that how we can verify authenticity of the user?

Sample Code:

symmetricKey := []byte("YELLOW SUBMARINE, BLACK WIZARDRY") // Must be 32 bytes
now := time.Now()
exp := now.Add(24 * time.Hour)
nbt := now

jsonToken := paseto.JSONToken{
        Audience:   "test",
        Issuer:     "test_service",
        Jti:        "123",
        Subject:    "test_subject",
        IssuedAt:   now,
        Expiration: exp,
        NotBefore:  nbt,
        }
// Add custom claim to the token    
jsonToken.Set("data", "this is a signed message")
footer := "some footer"

v2 := paseto.NewV2()

// Encrypt data
token, err := v2.Encrypt(symmetricKey, jsonToken, footer)
// token = "v2.local.E42A2iMY9SaZVzt-WkCi45_aebky4vbSUJsfG45OcanamwXwieieMjSjUkgsyZzlbYt82miN1xD-X0zEIhLK_RhWUPLZc9nC0shmkkkHS5Exj2zTpdNWhrC5KJRyUrI0cupc5qrctuREFLAvdCgwZBjh1QSgBX74V631fzl1IErGBgnt2LV1aij5W3hw9cXv4gtm_jSwsfee9HZcCE0sgUgAvklJCDO__8v_fTY7i_Regp5ZPa7h0X0m3yf0n4OXY9PRplunUpD9uEsXJ_MTF5gSFR3qE29eCHbJtRt0FFl81x-GCsQ9H9701TzEjGehCC6Bhw.c29tZSBmb290ZXI"

// Decrypt data
var newJsonToken paseto.JSONToken
var newFooter string
err := v2.Decrypt(token, symmetricKey, &newJsonToken, &newFooter)

Now, if you see there is code: jsonToken.Set("data", "this is a signed message") and we can get that value in Decrypt data at the end where newJsonToken variable is created.

We can get the value of "data" key using: newJsonToken.Get("data").

But is above data "verifiable" and can't be tampered or modified on user's end?

Like in JWT debugger at JWT.io, People can tamper data and know the algorithm and pass "modified" data.

Can user do the same with my generated token as well? Can they decode and pass tampered data? or they can't decode data or view actual data at all?

  • 写回答

1条回答 默认 最新

  • duanben4771 2019-07-16 02:43
    关注

    1 - Can "token" generated be altered like "JWT" and pass modified or tampered data?

    Note that token cannot be "altered" either using PASETO or JWT without knowing the signing key (which should of course be secret).

    The fact you mention about being able to view the JWT token data in JWT.io page is because data is not encrypted (so you can see it without the key).

    But token is signed, so if you modify any value and don't have the key, you won't be able to sign it back and the token receiver will note the token is not valid when trying to verify it.

    2 - Can "token" generated using "paseto" be decrypted and viewed like "JWT"?

    It depends on how you generate the PASETO token.

    See here:

    https://tools.ietf.org/id/draft-paragon-paseto-rfc-00.html#rfc.section.2

    Format for the token is version.purpose.payload.

    And from the docs:

    The payload is a string that contains the token's data. In a local token, this data is encrypted with a symmetric cipher. In a public token, this data is unencrypted.

    So if you generate the token as in the code snippet you posted (local token, with a symmetric key), then payload will be encrypted (you won't be able to see it unless you know the symmetric key and use that one to decrypt it).

    If you use a public/private key pair, then payload will not be encrypted, so you'll be able to see it without the key (but you'll not be able to change it and sign it again without knowing the private key).

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 基于卷积神经网络的声纹识别
  • ¥15 Python中的request,如何使用ssr节点,通过代理requests网页。本人在泰国,需要用大陆ip才能玩网页游戏,合法合规。
  • ¥100 为什么这个恒流源电路不能恒流?
  • ¥15 有偿求跨组件数据流路径图
  • ¥15 写一个方法checkPerson,入参实体类Person,出参布尔值
  • ¥15 我想咨询一下路面纹理三维点云数据处理的一些问题,上传的坐标文件里是怎么对无序点进行编号的,以及xy坐标在处理的时候是进行整体模型分片处理的吗
  • ¥15 CSAPPattacklab
  • ¥15 一直显示正在等待HID—ISP
  • ¥15 Python turtle 画图
  • ¥15 stm32开发clion时遇到的编译问题