Comments (2)
The headers are used to provide the necessary information to the recipient to be able to decrypt the payload.
If the headers were themselves encrypted you wouldn't be able to decrypt the JWE.
Integrity protection has a specific meaning in cryptography and means simply: the data cannot be altered without the recipient knowing it has been altered.
Integrity protection does not imply encryption; it may be achieved via MAC, signatures, or other AEAD ciphers in the case of encryption.
Keep in mind that JWCrypto has an extensive suite of tests based on the standard's test vectors, which include JWE test vectors.
If your system can deal with JWEs in the absence of a header that tells them any information, you can simply strip the protected header or leave it empty. The headers are never part of the payload, therefore are never encrypted.
Generally in JWE the integrity protection of the protected header is achieved by using the protected header as input in calculating the Authentication Tag.
from jwcrypto.
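The mechanism described in the comment above, as an added example that is not part of the thread or of jwcrypto's own code: a minimal JWE compact token (`alg: dir`, `enc: A256GCM`, per RFC 7516) built with the `cryptography` package's `AESGCM`, where the base64url protected header is passed as additional authenticated data. The helper names and the sample `kid` values are constructed for illustration.

```python
import base64, json, os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encrypt_compact(key: bytes, payload: bytes, header: dict) -> str:
    """Build a JWE compact token for alg=dir, enc=A256GCM."""
    protected = b64u(json.dumps(header, separators=(",", ":")).encode())
    iv = os.urandom(12)  # 96-bit IV for AES-GCM
    # The base64url header text is the AEAD additional authenticated data:
    # it feeds the tag computation but is never encrypted.
    sealed = AESGCM(key).encrypt(iv, payload, protected.encode("ascii"))
    ciphertext, tag = sealed[:-16], sealed[-16:]
    # The second segment (encrypted key) is empty for direct encryption.
    return ".".join([protected, "", b64u(iv), b64u(ciphertext), b64u(tag)])

def read_header(token: str) -> dict:
    """Reading the header needs no key: it is only base64url-encoded JSON."""
    return json.loads(b64u_dec(token.split(".")[0]))

def decrypt_compact(key: bytes, token: str) -> bytes:
    protected, _encrypted_key, iv, ciphertext, tag = token.split(".")
    header = json.loads(b64u_dec(protected))
    if header.get("alg") != "dir" or header.get("enc") != "A256GCM":
        raise ValueError("unsupported alg/enc in this sketch")
    # The header bytes exactly as received are the AAD; any change breaks the tag.
    return AESGCM(key).decrypt(b64u_dec(iv), b64u_dec(ciphertext) + b64u_dec(tag),
                               protected.encode("ascii"))

def with_modified_header(token: str, **changes) -> str:
    """Re-encode the header with changed fields; ciphertext and tag stay as they were."""
    parts = token.split(".")
    parts[0] = b64u(json.dumps({**read_header(token), **changes},
                               separators=(",", ":")).encode())
    return ".".join(parts)

def modified_header_is_rejected(key: bytes, token: str) -> bool:
    """True if a token whose header was altered in transit fails tag verification."""
    try:
        decrypt_compact(key, with_modified_header(token, kid="constructed-other-key"))
    except InvalidTag:
        return True
    return False
```
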
That makes a lot of sense. Thank you for clarifying that!
from jwcrypto.