ASP.NET #63

jwt

  • What is JSON Web Token (JWT)?

    JSON Web Token is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm [Hash-based Message Authentication Code]) or a public/private key pair using RSA or ECDSA. Signed tokens can verify the integrity of the claims contained within them, while encrypted tokens hide those claims from other parties. When tokens are signed using public/private key pairs, the signature also certifies that only the party holding the private key is the one that signed it.

    When should you use JSON Web Tokens?

    Authorization: This is the most common scenario for using JWT. Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token. Single Sign On is a feature that widely uses JWT nowadays, because of its small overhead and its ability to be easily used across different domains.

    Information Exchange: JSON Web Tokens are a good way of securely transmitting information between parties. Because JWTs can be signed—for example, using public/private key pairs—you can be sure the senders are who they say they are. Additionally, as the signature is calculated using the header and the payload, you can also verify that the content hasn’t been tampered with … full article

  • What is a Public and Private Key Pair?

    A public and private key pair helps to encrypt information so that data is protected during transmission. The private key and the public key are parts of an encryption scheme that encodes the information. Keys are used in two kinds of encryption systems, called symmetric and asymmetric. Symmetric encryption (private-key encryption or secret-key encryption) uses the same key for encryption and decryption. Asymmetric encryption uses a pair of keys, a public key and a private key, for better security: a message sender encrypts the message with the public key and the receiver decrypts it with his/her private key … full article

  • What are claims?

    A claim is a piece of information that describes a given identity in some aspect. Think of a claim as a name-value pair. Claims are held in an authentication token that may also carry a signature, so you can be sure the token was not tampered with on its way from the remote machine to your system … full article

  • HMAC algorithm:

    HMAC is highly resistant to cryptanalysis attacks because it applies the hash function twice. HMAC combines the benefits of hashing and of a MAC, and is thus more secure than other authentication codes … full article


  • RSA:

    A public-key encryption technology developed by RSA Data Security, Inc. The acronym stands for Rivest, Shamir, and Adleman, the inventors of the technique. The RSA algorithm is based on the fact that there is no efficient way to factor very large numbers. Deducing an RSA key, therefore, requires an extraordinary amount of computer processing power and time. The RSA algorithm has become the de facto standard for industrial-strength encryption, especially for data sent over the Internet. It is built into many software products, including Netscape Navigator and Microsoft Internet Explorer. The technology is so powerful that the U.S. government has restricted exporting it to foreign countries.
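    The public/private key pair from the earlier bullet and the factoring claim in the RSA paragraph, carried through as an added example that is not part of the original post. It is textbook RSA on two constructed toy primes (61 and 53, the classic worked example): encrypt with the public key, decrypt or sign with the private key, and then show why the whole scheme rests on factoring being hard, by recovering the private exponent from the factors of a modulus small enough to factor by trial division. The prime sizes are an assumption made for readability; real keys use primes of a thousand bits or more, which is what makes the last step infeasible.

```python
from math import gcd, isqrt


def rsa_keygen(p: int, q: int, e: int = 17):
    """Textbook RSA from two primes. Returns ((n, e), (n, d)): public key, private key."""
    n = p * q
    phi = (p - 1) * (q - 1)  # known only to whoever knows p and q
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)      # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, m: int) -> int:
    """Anyone holding the public key can do this."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    """Only the holder of d can undo the public-key operation."""
    n, d = private_key
    return pow(c, d, n)


def sign(private_key, m: int) -> int:
    # Signing is the private-key operation applied to the message (here the raw integer; real
    # systems sign a padded hash of the message).
    n, d = private_key
    return pow(m, d, n)


def verify(public_key, m: int, s: int) -> bool:
    n, e = public_key
    return pow(s, e, n) == m


def factor_by_trial_division(n: int):
    """Smallest-factor search; practical only for toy moduli, which is exactly the point."""
    for f in range(2, isqrt(n) + 1):
        if n % f == 0:
            return f, n // f
    raise ValueError("no factor found")


def recover_private_key(public_key, p: int, q: int):
    """Once n is factored, the private exponent follows at once from e and phi."""
    n, e = public_key
    return rsa_keygen(p, q, e)[1]


if __name__ == "__main__":
    public, private = rsa_keygen(61, 53, 17)  # constructed toy primes
    print("public:", public, "private:", private)
    c = encrypt(public, 65)
    print("ciphertext:", c, "decrypted:", decrypt(private, c))
    s = sign(private, 65)
    print("signature verifies:", verify(public, 65, s))
    p, q = factor_by_trial_division(public[0])
    print("toy modulus factored:", p, q, "recovered private key:", recover_private_key(public, p, q))
```

    The last two lines are the lesson of the paragraph in reverse: the private key is not hidden by anything except the cost of factoring n, so key length is the security parameter, and a modulus that fits in a loop counter offers none.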

  • ECDSA:

    ECDSA, also known as the Elliptic Curve Digital Signature Algorithm, is a version of the widely used DSA algorithm which can achieve similar levels of security using a smaller key size. It does this by using elliptic curve cryptography, which is a public key cryptography technique developed in the mid-2000s. Rather than basing its security on a large integer that is the product of multiple large prime factors, it uses the ECDLP (elliptic curve discrete logarithm problem).

More topics covered:

  • Payload
  • .NET Core 2.0
  • .NET Core 2.1
  • ASP .NET Core WebApi
  • Using Authentication Role for flight project
  • Base 64 string in jwt.io

Links:

