Inno II - Token/API Flashcards
Symmetric Encryption
Symmetric encryption uses a single secret key for both encryption and decryption of data. Key characteristics include:
Uses the same key to encrypt plaintext into ciphertext and decrypt ciphertext back into plaintext
Faster and more efficient than asymmetric encryption, making it ideal for encrypting large amounts of data
Requires secure key exchange between parties
Common algorithms: AES, DES, Triple DES
Asymmetric Encryption
Asymmetric encryption, also known as public key cryptography, uses a pair of mathematically related keys: a public key and a private key. Key features include:
Public key is used for encryption, private key for decryption
Eliminates the need for secure key exchange
More secure but slower and more resource-intensive than symmetric encryption
Common algorithms: RSA, ECC, DSA
Key differences between symmetric and asymmetric encryption
Key usage: Symmetric uses one key, asymmetric uses two related keys
Key length: Asymmetric keys are typically longer for equivalent security
Speed: Symmetric is faster and more efficient for large data sets
Security: Asymmetric is generally considered more secure for key exchange
Use cases for symmetric and asymmetric encryption
Symmetric encryption is commonly used for:
Data storage encryption
Secure communication
Financial transactions
Device and network security
Asymmetric encryption is often used for:
Secure key exchange
Digital signatures
Email encryption
Secure communication protocols (HTTPS, SSH, TLS)
What is JWT and how does it work?
JSON Web Token (JWT) is a compact, URL-safe token used to represent claims between two parties.
It works by encoding a JSON object into a string, which is then signed using a cryptographic algorithm to ensure its integrity and authenticity.
Explain the structure of a JWT.
A JSON Web Token (JWT) consists of three parts:
the header,
the payload,
and the signature.
The header contains metadata about the token and the algorithm used for signing, the payload holds the claims, and the signature ensures the token’s integrity.
What is the purpose of the header in a JWT?
The purpose of the header in a JWT is to contain metadata about the token, including the type of token and the signing algorithm used. This information is crucial for verifying the token’s integrity and ensuring it hasn’t been tampered with.
Explain the difference between symmetric and asymmetric signing algorithms in JWT
Symmetric algorithms use the same key for both signing and verification, making them faster but less secure. Asymmetric algorithms, on the other hand, use a pair of keys: one for signing and another for verification, providing better security at the cost of speed.
How do you handle token expiration in JWT?
To handle token expiration in JWT, you can set an expiration time in the token’s payload using the exp claim. On the server side, always check the token’s expiration time before processing any requests to ensure it hasn’t expired.
What is the role of the payload in a JWT?
The payload in a JWT contains the claims, which are statements about an entity (typically, the user) and additional data. These claims can include information such as user ID, roles, and expiration time.
How can you refresh a JWT token?
To refresh a JWT token, you need to implement a refresh token mechanism alongside the access token. The refresh token should be securely stored and used to request a new access token when the old one expires.
What are the security implications of using JWT?
The security implications of using JWT include the risk of token theft if not stored securely and the potential for token tampering if weak signing algorithms are used. To mitigate these risks, it’s essential to implement strong signing algorithms, secure storage practices, and token expiration mechanisms.
How do you store JWTs securely on the client side?
To store JWTs securely on the client side, you should use secure, HTTP-only cookies to prevent access by JavaScript. Additionally, implement token expiration and refresh mechanisms to enhance security.
Explain the concept of “claims” in a JWT
Claims in a JWT are statements about an entity, typically the user, and additional data. They can include information such as user ID, roles, and permissions, and are encoded in the payload of the JWT to convey information between parties.
What are some common use cases for JWT?
JWTs are commonly used for secure user authentication and authorization, allowing users to access protected resources without repeatedly logging in. They are also employed in single sign-on (SSO) systems to streamline user access across multiple applications.
How do you implement role-based access control using JWT?
To implement role-based access control using JWT, you need to include user roles in the JWT payload. On the server side, verify the token and extract the roles, then check the user’s roles against the required permissions for accessing specific resources.
Explain the difference between access tokens and refresh tokens in the context of JWT.
Access tokens are short-lived tokens used to access protected resources, ensuring that users can only interact with the system for a limited time before needing re-authentication.
Refresh tokens, on the other hand, are long-lived tokens that allow users to obtain new access tokens without re-authenticating, providing a seamless user experience.
How can you mitigate the risks of token theft when using JWT?
To mitigate the risks of token theft when using JWT, you should store tokens in secure, HTTP-only cookies to prevent access by JavaScript. Additionally, always use HTTPS to encrypt token transmission and implement token expiration and refresh mechanisms to limit the lifespan of stolen tokens.
What is a JWT, and how does it differ from a session-based cookie?
JWT: A compact, self-contained token used for securely transmitting information between parties, typically containing a header, payload, and signature.
Cookie-based sessions: Use a session ID stored in a cookie and maintained on the server side to track users.
Difference: JWTs are stateless (no server storage required), whereas cookie sessions rely on server-side storage.
How does the structure of a JWT support its functionality?
Header: Specifies the algorithm (e.g., HS256, RS256) and type (JWT).
Payload: Contains claims (e.g., iss, sub, exp) to convey data.
Signature: Ensures token integrity and authenticity.
How would you use a JWT in a web application for authentication?
After login, generate a JWT with user-specific claims.
Send the JWT to the client in a secure HTTP-only cookie or as part of the response.
Validate the JWT on subsequent requests using the server’s secret or public key.
How do you ensure a JWT stored in a cookie is secure?
Use HTTP-only cookies to prevent JavaScript access.
Set the Secure flag to allow transmission over HTTPS only.
Enable SameSite to restrict cross-origin usage.
Encrypt the cookie if additional security is needed.
What are the potential risks of using JWTs, and how can you mitigate them?
Risk: Token leakage due to XSS or logging.
Mitigation: Use HTTP-only cookies and sanitize inputs.
Risk: Replay attacks.
Mitigation: Include unique jti claims and track tokens in a server-side blacklist.
Risk: Expired tokens.
Mitigation: Set reasonable exp claims and implement token refresh mechanisms.
Compare the security implications of storing a JWT in a cookie versus local storage.
Cookie: Safer due to HTTP-only and Secure flags but susceptible to CSRF.
Local Storage: Vulnerable to XSS attacks since JavaScript can access it.