chapter eleven

11 JSON Object Signing and Encryption (JOSE)

This chapter covers

  • What makes up the JSON Object Signing and Encryption (JOSE) standard
  • Creating and verifying JSON Web Signature (JWS) objects
  • Encrypting and decrypting JSON Web Encryption (JWE) objects
  • Avoiding common JWS and JWE security pitfalls

We live in a world where data is exchanged between systems implemented in multiple programming languages by multiple teams working for multiple organizations. Systems interoperate over standard networking protocols such as HTTP, exchanging data in a well-defined manner using standard data formats: for example, REST with JSON, SOAP with XML, and gRPC with protocol buffers (protobuf). Standardized data formats for exchanging encrypted and signed data make interoperability significantly easier.

Security protocols such as X.509 digital certificates (chapters 8 and 9), OpenID Connect and OAuth2 (chapters 12 and 13), SAML, and TLS (chapter 10) need to exchange encrypted and signed messages, and they rely on standard formats to represent that encrypted and signed content. For example, OpenID Connect uses JSON and SAML uses XML, while X.509 certificates are represented using a standardized binary data format.

11.1 The Standards Layer Cake

11.2 The problem solved by JSON Web Algorithms (JWA)

11.2.1 Exercises

11.3 JSON Web Key (JWK)

11.3.1 Exercises

11.4 JSON Web Signature (JWS)

11.4.1 JSON Web Signature (JWS) Structure

11.4.2 Creating and verifying a JWS object

11.4.3 The credit card refunds scenario with JWS

11.4.4 Exercises

11.5 JSON Web Encryption (JWE)

11.5.1 JWE Structure

11.5.2 Creating and verifying JWE objects

11.5.3 Exercises

11.6 JSON Web Token (JWT)

11.6.1 Exercises

11.7 Answers to exercises

11.8 Summary