Tags: json, encryption, jwt, jwe, jose

Combining JWE and JWS


Just learning about JOSE and I understand that JWE is for encryption and JWS is for signing. What I don't seem to be able to find examples of is a payload that is both encrypted and signed.

Let's pretend I have a payload hello world. Is the correct thing to do something like this? JWS(JWE('hello world')), with the encrypted JWE as the payload of the JWS?


Solution

  • JSON Web Token (JWT) is an open standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. JWT is a generic name for the following types of token:

    • JSON Web Signature (JWS): The payload is encoded and signed so the integrity of the claims can be verified.

    • JSON Web Encryption (JWE): The payload is encrypted so the claims are hidden from other parties.

    [Image: JWT, JWS and JWE (the image was extracted from this page).]


    Is the correct thing to do something like this? JWS(JWE('hello world')), with the encrypted JWE as the payload of the JWS?

    It's a nested JWT and its concept is defined in the RFC 7519:

    A JWT in which nested signing and/or encryption are employed. In Nested JWTs, a JWT is used as the payload or plaintext value of an enclosing JWS or JWE structure, respectively.

    You could add a JWE as a claim of a JWS payload, however the other way around is recommended: First sign the message and then encrypt the result, as mentioned in the same document:

    11.2. Signing and Encryption Order

    While syntactically the signing and encryption operations for Nested JWTs may be applied in any order, if both signing and encryption are necessary, normally producers should sign the message and then encrypt the result (thus encrypting the signature). This prevents attacks in which the signature is stripped, leaving just an encrypted message, as well as providing privacy for the signer. Furthermore, signatures over encrypted text are not considered valid in many jurisdictions.