Using JOSE To Protect your APIs 1:JOSE Basics
huizhou92
Posted on November 11, 2024
With the development of internet technology, data security has become a top priority. Data security covers a broad spectrum, including technical, service, storage, and transmission security. This article focuses on transmission security, specifically how to develop secure APIs.
This article series will include several topics:
- Basic Knowledge
- Introduction to JOSE, JWT, and JWE
- Certificates
- How HTTPS Secures Web Applications
- OAuth 2.0
The primary content of this article reviews several encryption and verification algorithms, laying a foundation for later practical discussions. Let’s go!
Information Security Algorithms
Encryption Algorithms
Modern cryptography classifies encryption techniques into:
- Single-key algorithms
- Dual-key algorithms
- Keyless algorithms
Single-key algorithms, known as symmetric encryption, use the same key for encryption and decryption.
Dual-key algorithms, or asymmetric encryption, use different keys for encryption and decryption.
Keyless algorithms, also called random key algorithms, generate a unique key for each use, making them an ideal but less common method due to design challenges.
Symmetric Encryption Algorithms
Symmetric encryption, also known as private-key encryption, involves using the same key for encryption and decryption. Standard symmetric encryption algorithms include DES, IDEA (based on DES), 3DES, RC4, RC5, RC6, and AES.
Critical characteristics of symmetric encryption:
- Fast, suitable for encrypting extensive data.
- The security of the algorithm depends on the key's confidentiality.
Asymmetric Encryption Algorithms
Asymmetric encryption uses a public key for encryption and a private key for decryption. Standard algorithms include RSA, ECC, and DSA.
Critical characteristics of asymmetric encryption:
- Slower speed, mainly used for small data encryption.
- Higher security.
Data Verification Algorithms
Data verification algorithms fall into three categories: message digests, message authentication, and digital signatures.
Message Digest (MD)
Message digests, or digital digests, use a one-way hash function to "digest" plaintext into a fixed-length encrypted string, also known as a digital fingerprint. Popular hash algorithms include MD2, MD4, MD5, HAVAL, SHA-1, and SHA256.
Key characteristics:
- The process is irreversible.
- The output length is fixed.
- It ensures data integrity.
Message Authentication (MA)
Message authentication ensures that messages have not been altered during transmission or storage. It often uses hash algorithms combined with encryption to verify the integrity of the message.
Standard message authentication algorithms use hash functions with keys, known as [HMAC](http://www.ietf.org/rfc/rfc2104.txt, and combine MD and SHA algorithms with added vital protection.
Key characteristics:
- Ensures data integrity and accuracy.
- The process is irreversible.
- The output length is fixed. ### Digital Signatures (DS)
A digital signature encrypts the message digest using the sender’s private key and sends it with the original message. The receiver decrypts the digest using the sender's public key and compares it to the original message digest.
Key characteristics:
- Ensures data integrity, sender authentication, and non-repudiation.
- The process is irreversible.
sub summary
Characteristics and examples of each algorithm
Algorithm Type | Features | Example |
---|---|---|
Symmetric Encryption | Fast, suitable for large data/files | DES, 3DES, AES |
Asymmetric Encryption | Slower, suitable for small data | RSA, ECC |
Message Digest (MD) | Integrity | MD2, MD4, MD5, SHA1, SHA256 |
Message Authentication (MA) | Integrity, authenticity | HMAC-MD5, HMAC-SHA1, HMAC-SHA256, HMAC-SHA384 |
Digital Signature (DS) | Integrity, authenticity, non-repudiation | RSA, DSA, ECDSA |
Evolution of Security Solutions
1. Symmetric Encryption
After the development of the Internet, some enterprises began to focus on security, based on symmetric encryption algorithms, designed this program.
The whole process involves only the AES (symmetric) algorithm, only and encrypts the data in transit. As shown in the figure:
Security
Security Item | Description |
---|---|
Data Security | Achieved through AES |
Data Integrity | Not ensured |
Data Authenticity | Not ensured, vulnerable to key exposure |
There are many drawbacks to this program.
- single key can not realize dynamic key management
- Unable to verify data integrity
- After the key is exposed, the security of the whole program will not be broken.
2. Symmetric Encryption + Message Digest
This solution adds a message digest to ensure data integrity, but the other issues remain.
Security
Security Item | Description |
---|---|
Data Security | Achieved through AES |
Data Integrity | Realized through information summaries |
Data Authenticity | Not ensured, vulnerable to key exposure |
drawback
- single key can not realize dynamic key management
- After the key is exposed, the security of the whole program will not be broken.
3. Symmetric Encryption + Message Authentication
Symmetric encryption + message digest is used when the security requirements are not exceptionally high. However, there is room for improvement for industries with particularly high-security requirements, such as finance, education, and other sectors. Therefore, people have improved the digest mechanism, the message digest with message authentication code to replace the formation of HTTP + symmetric encryption + message authentication scheme; this scheme is characterized by message authentication code to replace the digest, based on the ordinary digest to increase the two-way checksum, to ensure the authenticity of the data.
The security and disadvantages are similar to the second scheme.
4. Asymmetric Encryption
Asymmetric encryption solves the issue of key exposure by using a public-private key pair, providing higher security but at the cost of performance.
Security Item | Description |
---|---|
Data Security | Achieved via RSA |
Data Integrity (Tamper-proof) | Achieved via RSA |
Data Authenticity (Anti-forgery) | Achieved through RSA public and private key pairing |
drawback
- Poor performance, slow speed
- Not suitable for extensive data or file encryption/decryption ### 5. Symmetric Encryption + Message Authentication + Asymmetric Encryption
All of the above schemes have flaws, which stem from the encryption algorithms, so is there a way to combine symmetric and asymmetric encryption to complement each other's weaknesses? The answer is yes; human wisdom is infinite, so this scheme comes to mind:
The message is encrypted with symmetric encryption, and the key of the symmetric algorithm is encrypted with asymmetric encryption so that efficiency and security are considered. As shown in the figure below, using AES + authentication + RSA as an example:
Security:
Security Item | Description |
---|---|
Data Security | Achieved through AES and RSA |
Data Integrity | Ensured via HMAC |
Data Authenticity | Ensured with RSA public-private key pair |
The solution is secure enough to meet the vast majority of security requirements. Many companies use this type of program now.
- AES encryption of the original message, fast
- HMAC on the AES result authentication code to ensure the authenticity of the data
- each time the keys of AES and HMAC are randomly generated, to achieve the effect of dynamic keys
- the RSA algorithm guarantees the security of the key, and the data is small, to play the advantages of RSA
- the key of RSA is two groups, realizing two-way authentication.
Conclusion
This article outlines the basics of encryption algorithms, including symmetric and asymmetric encryption, message authentication, and digital signatures. It also explores the evolution of security solutions, illustrating how modern transmission security balances performance and security. These concepts provide the groundwork for developing secure APIs in future discussions.
Posted on November 11, 2024
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.
Related
November 27, 2024
November 27, 2024