Note: HS256 and RS256 are not used for encryption/decryption.
HS256 and RS256 are used to make a signature, then recompute it to verify whether the two match or not.
sign: creates an HMAC-SHA256 of the message using your secret.
verify: recomputes the HMAC and compares it in constant time (to avoid timing attacks).
For encryption/decryption, use a symmetric cipher like AES-GCM instead.
RS256 vs HS256
https://auth0.com/blog/rs256-vs-hs256-whats-the-difference/
HS256 (HMAC with SHA-256) is a symmetric keyed hashing algorithm that uses one secret key. Symmetric means two parties share the secret key. The key is used for both generating the signature and validating it.
RS256 (RSA Signature with SHA-256) is an asymmetric algorithm that uses a public/private key pair. The identity provider has a private key to generate the signature. The receiver of the JWT uses a public key to validate the JWT signature.
A JWT is just base64-encoded strings that anyone can decode,
but its signature cannot be forged without the key, because it is made using HS256 or RS256.
https://jwt.io/introduction#:~:text=Decoding%20a%20JWT%20reverses%20this,parts%20without%20needing%20a%20key.
JWT token structure:
In its compact form, JSON Web Tokens consist of three parts separated by dots (.), which are:
- Header
- Payload
- Signature
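The sign/verify note and the three-part structure above, as an added example that is not part of the original post or of jwt.io/auth0: HS256 signing with the standard library, decoding the payload without any key, and constant-time verification that rejects a modified payload. The secret and claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(data: bytes) -> str:
    # JWT uses base64url without padding (RFC 7515 section 2)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # Restore the padding stripped by the encoder before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(payload: dict, secret: bytes) -> str:
    # The HMAC covers "<header>.<payload>" (the base64url parts), not the raw JSON
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    tag = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(tag)}"

def decode_without_key(token: str) -> dict:
    # Anyone can read the payload: this is decoding, not decryption
    _, body, _ = token.split(".")
    return json.loads(b64url_decode(body))

def verify_hs256(token: str, secret: bytes) -> bool:
    # Recompute the HMAC and compare with hmac.compare_digest so a mismatch
    # takes the same time no matter which byte differs (no timing leak)
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return False
    # Pin the algorithm server-side; the header must not choose it for us
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return False
    expected = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))

def with_modified_payload(token: str, new_payload: dict) -> str:
    # Swap the payload but keep the old signature, to show verification catches it
    header, _, sig = token.split(".")
    body = b64url_encode(json.dumps(new_payload, separators=(",", ":")).encode())
    return f"{header}.{body}.{sig}"

SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed sample, not a real key
CLAIMS = {"sub": "alice", "role": "user"}          # constructed sample claims
```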