JWT and RSA technology

 

Table of Contents

Why talk about these two things together

JWT

Data Format

JWT interaction process

Encryption


 

Why talk about these two things together

 

They are a commonly used pair of technologies for user login authentication and encryption: JWT is responsible for service authentication, and RSA is responsible for encryption.

 

 

JWT

 

JWT stands for JSON Web Token. It is a lightweight, JSON-style specification for authorization and authentication that enables stateless, distributed authorization for web applications.

 

Data Format

JWT data comprises three parts:

  • Header: the head, which usually has two pieces of information:

    • The declared type, which here is JWT

    The header is base64-encoded to obtain the first part of the data

  • Payload: the payload is the valid data, and typically contains the following information:

    • User identity information (note that because this part is only base64-encoded, it can be decoded, so do not store sensitive information here)

    • Registered claims: such as the token's issue time, expiration time, issuer, etc.

    This part is also base64-encoded to give the second part of the data

  • Signature: the authentication information for the whole data. It is generally generated by applying the encryption algorithm to the data from the first two steps together with the service's key (secret), which must not be leaked and is preferably replaced periodically. It is used to verify the integrity and reliability of the entire data

Generated data formats: token == individual personal identification documents jwt =

 

JWT interaction process

  • 1. The user logs in

  • 2. The service authenticates the user and generates a token according to the secret

  • 3. The generated token is returned to the browser

  • 4. Each request from the user carries the token

  • 5. The service uses the public key to interpret the JWT signature; once the signature is determined to be valid, it obtains the user information from the payload

  • 6. The service processes the request and returns a response

 

Summary: Because the token issued with JWT already contains the user's identity information, and every request carries it, the service does not need to store user information or even query the database, which is fully in line with the stateless REST specification
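The token layout from "Data Format" and the sign/verify steps of the interaction process, as an added example that is not code from the original post. It assumes HMAC-SHA256 with a shared secret (`HS256`) so that it runs on the Python standard library alone, whereas step 5 above describes verification with a public key; the claim names `sub`, `iss`, `exp` and all sample values are constructed.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    # JWT parts use URL-safe base64 with the '=' padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def issue(payload: dict, secret: bytes) -> str:
    header = {"typ": "JWT", "alg": "HS256"}  # HS256 is this example's assumption
    head, body = (b64url(json.dumps(p, separators=(",", ":")).encode())
                  for p in (header, payload))
    sig = b64url(sign(f"{head}.{body}", secret))
    return f"{head}.{body}.{sig}"

def peek(token: str) -> dict:
    # No key involved: anyone holding the token can read the payload
    return json.loads(b64url_decode(token.split(".")[1]))

def verify(token: str, secret: bytes, now=None) -> dict:
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        sig_bytes = b64url_decode(sig)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm on the server; do not let the token choose it
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    # Constant-time comparison over header.payload, exactly as it was signed
    if not hmac.compare_digest(sig_bytes, sign(f"{head}.{body}", secret)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(body))  # trusted only after the check above
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("token expired or missing exp")
    return payload

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample value
    token = issue({"sub": "alice", "iss": "auth-service", "exp": time.time() + 60}, secret)
    print(token)
    print(peek(token))            # readable without the secret
    print(verify(token, secret))  # accepted only with the right secret
```

`peek` succeeding without any key is why the payload must not hold sensitive data; `verify` rejecting a swapped payload is what lets the service trust the identity claims without a database lookup.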

 

 

Encryption

 

Encryption is a technology for encoding and decoding information: encoding translates the original readable information (also known as plaintext) into a coded form (also known as ciphertext), and the inverse process is decoding (decryption). The key point of encryption is the encryption algorithm, and encryption algorithms can be divided into three categories:

  • Symmetric encryption, such as AES

    • Rationale: The plaintext is divided into N groups, each group is then encrypted with the key to form its own ciphertext, and finally all the ciphertext groups are combined to form the final ciphertext.

    • Advantages: the algorithm is public, the amount of computation is small, and encryption is fast and efficient

    • Defects: both sides use the same key, so security cannot be guaranteed

  • Asymmetric encryption, such as RSA

    • Rationale: two keys are generated at the same time, a public key and a private key; the private key is kept secret, and the public key can be distributed to trusted clients

      • Private key encryption: a holder of the private key or the public key can decrypt

      • Public key encryption: only a holder of the private key can decrypt

    • Advantages: secure, difficult to crack

    • Disadvantages: the algorithm is time-consuming

  • Irreversible encryption, such as MD5, SHA

    • Rationale: The encryption process does not require a key; the system processes the input plaintext with the algorithm directly into ciphertext. Data encrypted this way cannot be decrypted, and the plaintext cannot be calculated from the ciphertext.

 

 

 

 

Origin blog.csdn.net/Delicious_Life/article/details/104455005