Hi all, I've used lots of signed cookies (e.g HMAC) and JSON Web Tokens (JWTs).They're great for storing sessions without a database! ...as long as you don't have sensitive information inside, because it's all visible to the client.So, how about not just signing, but also encrypting?My research is pointing me to aes-256-gcm as good algorithm that both encrypts and signs a plaintext. The aes-256 part is a standard algorithm, and the gcm part means that it also allows to verify the authenticity of the message (which apparently isn't a given with other algorithms).Here's my understanding of how the process works on node.js, and I'm looking for feedback.Start with a JSON payload, which contains the session contents.Generate a random 12-byte initialization vector.Encrypt the payload with aes-256-gcm (crypto.createCipheriv('aes-256-gcm', key, iv))Get the "authentication tag" which serves as the authenticity signature (cipher.getAuthTag())The result is 3 values, which can be then base64 encoded and concatenate together to form a signed, encrypted token:The initialization vectorThe auth tagThe ciphertextDecryption uses crypto.createDecipheriv('aes-256-gcm', key, iv) and decipher.setAuthTag(authTag)I'm looking for feedback on this process. Is this a proper use of GCM? Does this make cryptographic sense?Inside the payload, JWT claims can be used (like an expiry time) and can be checked as a second step, after decryption.Are there caveats I should look out for? Is this paying a high price in performance, as opposed to just HMAC signing? Does the tradeoff make sense?
Submitted March 11, 2016 at 04:01PM by ecmascript2038
No comments:
Post a Comment