• caglararli@hotmail.com
  • 05386281520

How does JWE secure the Content Encryption Key

Çağlar Arlı      -    22 Views

How does JWE secure the Content Encryption Key

I apologise in advance if this is a dumb question. But this seems like one of those straight forward things that are so straight forward that its not even mentioned and I am not getting it.

Perhaps I am too used to the simplistic client / server model where the client is like a web browser or a native mobile client which can't be trusted.

As far as i know with JWE's there is a symmetric content encryption key that encrypts the payload. The same key will be used to decrypt the payload. This key is securely transferred through asymmetric key encryption. For this I assume the public key is used to encrypt the secret key ? I assume this because from what i know in public key encryption, the public key is used to encrypt and the private key to decrypt (opposite of digital signatures)

But this is what I see from the JWT handbook:

So if the above statements and assumptions are correct, I can't make sense of:

  1. Is it possible for the private key to both encrypt and decrypt ?

If yes, it would answer the rest of my questions because if a private key can both encrypt and decrypt then it makes sense a server can encrypt it and sent it out in the public. But if only one key can be used for encryption and the other for decryption then I struggle to understand how the CEK can ever be secure?

  1. Who generates the symmetric CEK ? Surely it can't be a public client, If it is a server with a private key, how is this encrypted and sent for the first time ?
  2. How can the symmetric CEK ever be secure when the public key is encrypting it ?
  3. Even if a secure server nests the JWE inside a JWS and the public key verifies that the token comes from a verified source, can't anyone just use the secret key and encrypt anything ?