In the old scheme we had digital signing by symmetric encryption without encryption of the whole token. Now it has been decided, first, to move to asymmetric keys and, second, not to sign but to encrypt the token. Does successful decryption on the receiver's side, when he restores the main structure of the token, prove the authenticity of the token, and are these guarantees weaker than if it was signed or not?
2 Answers
Encryption only protects your payload from being read by unintended recipients. It does not protect it from being modified by a malicious party.
See Digital certificates: What is the difference between encrypting and signing
Okay, let's say a malicious party (user) can indirectly view the result of decryption in the user panel of the receiver's site and can manipulate the encrypted string passed to the receiver. But he doesn't have the encrypting key. Let's even assume the receiver's key went public. But is the user's only way to brute-force the encrypted string to get some other JWT token with useful contents when decrypted? – user3358365 Aug 18 '16 at 08:06
@user3358363: In most asymmetric encryption schemes, knowing the receiver's private decryption key is enough to calculate the public encryption key. So if the receiver's key is leaked, all security is lost anyway. Even if it's not, encryption schemes without signatures (or MACs for symmetric encryption) generally make no guarantees about message integrity. – Ilmari Karonen Aug 18 '16 at 09:22
If you just rely on encryption, you don't need any private key to generate valid tokens; the public key is sufficient. Thereby no brute force has to be performed. "Useful content" can be obtained by several means (client code analysis, tests against the server...) – Spomky-Labs Aug 19 '16 at 06:34
In general, no, successful decryption does not prove that the message wasn't forged or tampered with, unless the integrity of the message has been separately verified using a digital signature or a message authentication code. That's because basically all encryption schemes are malleable to some extent. The only significant exceptions are authenticated encryption schemes, which include a signature or a message authentication code as part of the encryption scheme itself.
In particular, asymmetric encryption schemes generally don't even try to offer any guarantee of message integrity whatsoever, since they assume that anybody can create valid messages using the public key anyway. To prove that the message wasn't sent (or modified) by an attacker, it needs to be signed as well.
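The point made in the answers above, as an added example that is not part of either answer: a token altered in transit still decrypts and parses for a receiver that relies on encryption alone, while a receiver that checks a message authentication code rejects it. The cipher is a toy SHA-256 counter-mode keystream standing in for any unauthenticated encryption scheme (symmetric here for brevity), and all function names, keys and claims are constructed for this illustration.

```python
import hashlib, hmac, json

# Constructed sample values; a real nonce must be unique per token.
ENC_KEY, MAC_KEY, NONCE = b"E" * 32, b"M" * 32, b"N" * 12

def keystream(key, nonce, n):
    # Toy stream cipher (assumption): SHA-256 in counter mode, illustration only.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor_crypt(key, nonce, data):
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def seal(claims):
    # Encrypt-then-MAC: the tag covers the nonce and the ciphertext.
    ct = xor_crypt(ENC_KEY, NONCE, json.dumps(claims, sort_keys=True).encode())
    return NONCE + ct + hmac.new(MAC_KEY, NONCE + ct, hashlib.sha256).digest()

def open_encrypted_only(token):
    # Receiver that treats "it decrypted and parsed" as proof of authenticity.
    return json.loads(xor_crypt(ENC_KEY, token[:12], token[12:-32]))

def open_authenticated(token):
    nonce, ct, tag = token[:12], token[12:-32], token[-32:]
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("integrity check failed")
    return json.loads(xor_crypt(ENC_KEY, nonce, ct))

def modified_in_transit(token, offset, mask):
    # One ciphertext byte altered without knowledge of any key.
    buf = bytearray(token)
    buf[12 + offset] ^= mask
    return bytes(buf)

def demo():
    token = seal({"quota": 10, "sub": "alice"})
    altered = modified_in_transit(token, 10, 0x08)  # byte holding the digit "1"
    accepted = open_encrypted_only(altered)         # parses to changed claims
    try:
        open_authenticated(altered)
        rejected = False
    except ValueError:
        rejected = True
    return accepted, rejected

if __name__ == "__main__":
    print(demo())
```
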