No Way Jose! Cryptography & Encryption - JS Monthly London - January 2021

  • Published: 17 Nov 2024

Comments • 13

  • @armonraphiel4028 3 years ago

    Definitely one of my favorite talks so far

  • @easywebdotdev 7 months ago

    who'd have thought Joaquin Phoenix was a programmer too!

  • @87wicky 3 years ago +1

    I understood everything before JOSE, so could you please explain with an example how, with the help of the node jose library, you generate the CEK, kid, public and private key set etc. etc. and then use it to encrypt the message and then decrypt it later on. With the current video it's a bit confusing as random fancy words are just appearing on the screen :D

    • @87wicky 3 years ago

      Could anyone show how to do this?

  • @alfredoalarconyanez4896 1 year ago

    This was excellent, thank you!!

  • @usamayousuf3778 1 year ago

    Great session

  • @gatty. 2 years ago

    First of all, fantastic talk!
    Second, when decrypting the JWE, can I confirm that the private key is in the header?
    It seems insecure then? Anyone who gets hold of the JWE can decrypt it?
    Did I miss something?

    • @mitchynz 2 years ago +3

      A bit late here, but no, the private key is always completely private and securely stored on the server. The header has three fields: the "type" (typ), the algorithm used (alg) and optionally the key ID (kid). This is because sometimes the OAuth/OIDC server will use several public/private keys at the same time, different keys for signing and encryption, and the keys will periodically get refreshed too, so this is a way to know which of the public keys to use to validate that the JWT was signed by the corresponding private key. OAuth has an API endpoint called "/introspection" where a client can send a JWT to validate it was signed by the private key with the key ID (kid) in the header. In OIDC this has been deprecated in favour of publishing a list of well-known JWKs (JSON Web Keys) with all the public keys and key IDs currently being used. This way the client (the resource server trying to access the API) can download and cache the public key for that key ID and validate "was the JWT signed by the private key for this public key?"

    • @gatty. 2 years ago

      @@mitchynz Thank you for your reply! What you wrote makes sense.
      Also, no worries on the lateness of reply :)

    • @CatainaLopez 9 months ago

      @@mitchynz thanks for the knowledge.

  • @j0aquinin 3 years ago

    You've made my day

  • @shivangitomar5557 2 years ago

    Best video!

  • @mohdsaad1612 3 years ago

    Thank you