Security Keys

The Security Key needs to be provided only when you require the “claims data” (see below) to be encrypted. i.e. when you have activated the “JWE Enabled” option for the App. Where do I provide the Security key?

The Security key must be a Public Key that conforms to the RSA Specification.

This is used to encrypt the claims data so the intended recipient of the data can read it. Read more in the What is JWE? section below.

cidaas home page -> Apps -> “Security Keys”

  • Claims Data: Data/information transported between two interested parties. (or between a client and server). For the secure transfer of information (for e.g. user identity, entitlements, data) the following standards are used:

  • JWT (Json Web Token) is an open standard that defines a compact and self-contained way for securely transmitting information between parties in the web as a JSON object. This Token can be verified and trusted because it is digitally signed using another standard JWS (Json Web Token Signature). In the payload of the token could be placed further information in self-defined fields, whose content can be transferred encrypted using a further standard JWE (Json Web Encryption), see below.

  • JWT is used in the Web as standardized way to realize SSO and for secure transfer of information between parties (API consumers, applications, …).

When would I want to activate the “JWE Enabled” option? What does this mean?

Normally, the information/data that is transported between interested parties (also called claims data) are sent using JWS.

JWS claims are signed with a signature that can be verified by the server with a secret signing key. This ensures that the claims have not been tampered with when passed between client and server. The contents of JWS token are Base64 encoded and not encrypted. Base64 encoded data looks encrypted in that it looks like a garbage text but it’s trivially simple to turn back into readable data. Therefore, it is always advised to not contain any sensitive information in JWT. It is advisable to use JWT only when you want to exchange information between two parties (or between client and server) and no sensitive data is passed as payload in token.

But what if you want to include any private information in a token? You don’t want your sensitive information to be present in a token that is only Base64 encoded that can be easily decoded by any attacker. The way to encrypt and guard the claims data is to use a more secure level of protection known as JSON Web Encryption (JWE). It defines a way to encrypt your claims data (which is basically JSON based data structure) so that only intended receiver can read the information present in a token.

Note A JWS is used to sign claims, a JWE is used to transmit sensitive data.



results matching ""

    No results matching ""