pavaj93490

Reputation: 81

How to make sure that an encrypted message was sent by me?

OK, let's suppose I send a message encrypted with my private key using the RSA algorithm to someone, and this person returns to me the same encrypted message I sent. If I send the message "Hey" to him and he returns something, do I need to know that the message I sent him was "Hey" in order to know that the message he returned to me was sent by me?

This is what makes me not understand things like JSON Web Tokens. If a REST server needs to be stateless, how can it be sure that the bearer token in the header of the request was generated by its private key?

Upvotes: 0

Views: 138

Answers (1)

gusto2

Reputation: 12075

OK, let's suppose I send a message encrypted with my private key using the RSA algorithm to someone

Using RSA you encrypt a message with the public key of the recipient. The recipient can decrypt the message with its private key.

The private key can be used to sign the message, so the recipient can validate the signature using the public key.

do I need to know that the message I sent him was "Hey" in order to know that the message he returned to me was sent by me?

If the message was signed, then you can validate the signature.

If a REST server needs to be stateless, how can it be sure that the bearer token in the header of the request was generated by its private key?

From the question I assume you want to ask: how can you validate that the token was issued by a trusted party (the server itself or a trusted identity provider)?

JWT tokens have 3 parts: header, payload and signature.

The payload can also be encrypted, but that is not important in this context. The full spec can be found in this RFC.

The token issuer signs the payload with its private key. The issuer may be the server itself, but also another trusted provider.

The server needs to have the issuer's public key to validate the signature of the ticket. A stateless REST service just validates the signature of the token (it needs to validate the issuer and expiration as well), and the signature is either valid or not. The REST service can then trust the information provided in the token without keeping the payload itself.

Upvotes: 1
