Should I be able to see patterns in a HS256 encoded JWT?


I was fiddling with https://jwt.io/ using this header

{
"alg": "HS256",
"typ": "JWT"
}

when I realized that replacing the payload name with something repetitive like AAAAAAAAAAAAAAAAAAAA would produce a token such as this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFBQUFBQUFBQUFBQUFBQUFBQUFBIiwiaWF0IjoxNTE2MjM5MDIyfQ.hlXlWvaeyOb6OcrOwd-xfWgF8QlfmTycj5WWZwRr6FY

You can see that the BQUF substring appears to be repeated. The more As I added to the name, the more BQUFs show up.

As far as I know the presence of these kinds of patterns makes it considerably easier to find out the encoded contents. What am I missing?







Tags: encryption, jwt, token






asked 8 hours ago by jmacedo

2 Answers






tl;dr: JWTs don't encrypt anything, they merely encode it for easy transport. The data in the payload is not meant to be a secret.

What you are looking at is simply the base64 encoded data payload. A JWT contains 3 parts:

1. The base64 encoded header
2. The base64 encoded data
3. A cryptographic signature

Base64 is simply an encoding format - not any kind of encryption, and is not meant to hide the data. Rather, it just makes sure it is composed solely of standard ASCII characters that easily survive transfer between different systems. As a result, if you were to take everything in between the two periods and run it through a base64 decoder, you would see your original payload data without issue.

The key therefore is simple: a JWT isn't meant to hide the data. It is simply intended (through the signature) to ensure data integrity, i.e. if someone changes the data payload then you will know because your signature will no longer match.







answered 8 hours ago by Conor Mancone

• Of course. Thanks. I had this misconception in my mind that the jwt could only be read by those having the secret, but it turns out that it's just a vehicle for information which we need to make sure came from a legitimate source. – jmacedo, 7 hours ago

• @jmacedo Yup, that's exactly correct. It's easy to get confused about because base64 data certainly looks encrypted, which is even more true when you realize that a lot of encrypted data is actually displayed in a base64 encoding. – Conor Mancone, 7 hours ago



















What you're missing is that your token is signed (or, more precisely, authenticated with a symmetric key) but not encrypted.

If you take the token in your question above, split it into three pieces at the periods (.) and feed each piece into a base64 decoder, you'll get the following decoded outputs:

{"alg":"HS256","typ":"JWT"}
{"sub":"1234567890","name":"AAAAAAAAAAAAAAAAAAAA","iat":1516239022}

and a sequence of 32 mostly non-ASCII bytes which is the 256-bit HMAC authentication tag for the rest of the token. As you can see, all the data is there easily readable by anyone. The authentication tag only prevents anyone who doesn't know the secret HMAC key from modifying the token or creating forged tokens from scratch.







answered 8 hours ago by Ilmari Karonen
