24

As I understand it, a JSON Web Token (JWT) consists of 3 parts:

  • the header, specifying the hashing algorithm to use for the signature;
  • the payload itself; and
  • the signature, which is a hash of the header and the payload using the specified hashing algorithm and a given secret.

The point of the signature is for the receiver to verify the integrity of the received JWT, that it has not been tampered with. This is done, presumably, by the receiver of the JWT reproducing the steps made by the JWT producer to create the signature, by hashing the header and the payload with the specified hashing algorithm and a given secret.

When the secret used by the JWT sender and receiver is one and the same (shared secret, symmetric key), I understand how this works. All the inputs are identical, so the hash will be identical, whether calculated by the sender or receiver.

My actual question, and what I don't understand, is how this works when the secrets used by the sender and receiver are different (asymmetric keys, public/private key pair). I.e. if the hash produced by the sender was generated using the secret key, and the hash produced by the receiver (for signature verification purposes) was produced by the corresponding public key.

How can two different secrets yield the same hash?

Squeamish Ossifrage
  • 49,816
  • 3
  • 122
  • 230
Anders Rabo Thorbeck
  • 565
  • 1
  • 3
  • 10

1 Answers1

22

I received the following explanation from a separate source.

Send:    { object | encrypt(hash(object), private_key) }
Receive: { object | signature }
Verify:  hash(object) == decrypt(signature, public_key)

This explains what I was struggling to understand.

There are two processes at work here: not just hashing, but also encryption. The actual hashing itself needs no secret parameter, it takes in only the object to be hashed (the concatenation of header + payload in the case of JWT). The resulting hash itself is then the input to the encryption, the result of which forms the signature, which can then be decrypted by the recipient to retrieve the original hash for comparison against the recipient's own computed hash.

Thus, instead of the sender and recipient performing similar calculations, with different secrets, to arrive at the same hash value:

hash(object, private_key) == signature == hash(object, public_key)

we rather have the sender and recipient performing complementary calculations to arrive back at the original input

decrypt(encrypt(hash_value, private_key), public_key) == hash_value

This makes sense with how I understand public-private key encryption.

Anders Rabo Thorbeck
  • 565
  • 1
  • 3
  • 10