0

It might be a bit out of scope for JWT concept but how can i ensure the confidentiality of input parameters in order to generate token?

I have three parameters. Client IP Address, username and password. IP addresses could be spoofed. Usernames and passwords might be stolen. Due to all these reasons I doubt of the security of input parameters.

To ensure higher level security i might be considering asymetric encyrption. So, do you think that it would be a good aproach to accept only encrypted username and password with private key?

Eren
  • 632
  • 1
  • 8
  • 16
  • You might want to take a look at https://stackoverflow.com/questions/27301557/if-you-can-decode-jwt-how-are-they-secure – Rakesh Feb 10 '17 at 06:51
  • 1
    If you assume that an IP or credentials can be stolen, apply the same rule for the private key, even if using a hardware token. The risk is obviously not the same. I mean your question is difficult to answer because you have not described the user context, security requirements and usability constraints. For example I could suggest to use an USB hardware token with a private key, but it could not be used to sign JWT in a web environment because token is not accesible from javascript. But token might be used to start a TLS session with two ways authentication. You may want to be more specific – pedrofb Feb 10 '17 at 07:51

0 Answers0