I'm trying to understand the process behind JSON Web Encryption (JWE) and its relationship with JSON Web Signature (JWS). I know a JWS is issued by an authorization server to confirm a user is authenticated, but what happens when sensitive data is involved? Does the resource server take the JWS and encrypt it to create a JWE? Also, why use a public key for this operation? Why wouldn't the resource server just use a secret key for both encryption and decryption? If the resource server can decrypt the JWE, does that mean there's still a need to verify the signature of the JWS? Isn't being able to decrypt enough to prove that the JWS is legitimate?
2 Answers
Even if the JWE can be decrypted, it doesn't guarantee authenticity. The signature helps prove that the information intended to come from a specific sender hasn't been altered in transit. So, while decryption is necessary for confidentiality, verifying the signature is still crucial to confirm its origin.
Great question! The rules of encryption dictate that a private key used for decryption should be kept secure and limited in access. It’s standard to share public keys so anyone can encrypt messages intended for the private key holder. This way, only the holder can read the message. This system allows for secure communication while still requiring signatures for verifying authenticity. So, in short, JWE ensures the data is kept confidential, while JWS ensures it’s coming from a verified source. They serve complementary, but distinct purposes.
But if only my app is encrypting and decrypting the JWS it receives from AWS Cognito, wouldn't a secret key for the app suffice? Why public key encryption?
That makes sense! For those who want a deeper dive, check out this great video on the topic: