Using JOSE To Protect Your APIs 1: JOSE Basics

huizhou92 - Nov 11 - Dev Community

With the development of internet technology, data security has become a top priority. Data security covers a broad spectrum, including technical, service, storage, and transmission security. This article focuses on transmission security, specifically how to develop secure APIs.

This article series will include several topics:

  1. Basic Knowledge
  2. Introduction to JOSE, JWT, and JWE
  3. Certificates
  4. How HTTPS Secures Web Applications
  5. OAuth 2.0

The primary content of this article reviews several encryption and verification algorithms, laying a foundation for later practical discussions. Let’s go!

Information Security Algorithms

Encryption Algorithms

Modern cryptography classifies encryption techniques into:

  • Single-key algorithms
  • Dual-key algorithms
  • Keyless algorithms

Single-key algorithms, known as symmetric encryption, use the same key for encryption and decryption.

Dual-key algorithms, or asymmetric encryption, use different keys for encryption and decryption.

Keyless algorithms, also called random key algorithms, generate a unique key for each use, making them an ideal but less common method due to design challenges.

Symmetric Encryption Algorithms

Symmetric encryption, also known as private-key encryption, involves using the same key for encryption and decryption. Standard symmetric encryption algorithms include DES, IDEA (based on DES), 3DES, RC4, RC5, RC6, and AES.

Critical characteristics of symmetric encryption:

  1. Fast, suitable for encrypting large amounts of data.
  2. The security of the algorithm depends on the key's confidentiality.

Asymmetric Encryption Algorithms

Asymmetric encryption uses a public key for encryption and a private key for decryption. Standard algorithms include RSA, ECC, and DSA.

Critical characteristics of asymmetric encryption:

  1. Slower; mainly used to encrypt small amounts of data.
  2. Higher security.

Data Verification Algorithms

Data verification algorithms fall into three categories: message digests, message authentication, and digital signatures.

Message Digest (MD)

Message digests, or digital digests, use a one-way hash function to "digest" plaintext into a fixed-length encrypted string, also known as a digital fingerprint. Popular hash algorithms include MD2, MD4, MD5, HAVAL, SHA-1, and SHA256.

Key characteristics:

  1. The process is irreversible.
  2. The output length is fixed.
  3. It ensures data integrity.

Message Authentication (MA)

Message authentication ensures that messages have not been altered during transmission or storage. It often uses hash algorithms combined with encryption to verify the integrity of the message.

Standard message authentication algorithms use hash functions with keys, known as [HMAC](http://www.ietf.org/rfc/rfc2104.txt), which combine the MD and SHA algorithms with added key protection.

Key characteristics:

  1. Ensures data integrity and accuracy.
  2. The process is irreversible.
  3. The output length is fixed.

Digital Signatures (DS)

A digital signature encrypts the message digest using the sender’s private key and sends it with the original message. The receiver decrypts the digest using the sender's public key and compares it to the digest it computes from the received message.

Key characteristics:

  1. Ensures data integrity, sender authentication, and non-repudiation.
  2. The process is irreversible.

Summary

Characteristics and examples of each algorithm

| Algorithm Type | Features | Example |
| --- | --- | --- |
| Symmetric Encryption | Fast, suitable for large data/files | DES, 3DES, AES |
| Asymmetric Encryption | Slower, suitable for small data | RSA, ECC |
| Message Digest (MD) | Integrity | MD2, MD4, MD5, SHA1, SHA256 |
| Message Authentication (MA) | Integrity, authenticity | HMAC-MD5, HMAC-SHA1, HMAC-SHA256, HMAC-SHA384 |
| Digital Signature (DS) | Integrity, authenticity, non-repudiation | RSA, DSA, ECDSA |

Evolution of Security Solutions

1. Symmetric Encryption

As the Internet developed, some enterprises began to focus on security and designed this scheme based on symmetric encryption algorithms.

The whole process involves only the AES (symmetric) algorithm, and it only encrypts the data in transit.

[Figure: AES-only transmission scheme]

Security

| Security Item | Description |
| --- | --- |
| Data Security | Achieved through AES |
| Data Integrity | Not ensured |
| Data Authenticity | Not ensured, vulnerable to key exposure |

There are many drawbacks to this scheme.

  1. A single key cannot support dynamic key management.
  2. Data integrity cannot be verified.
  3. Once the key is exposed, the security of the whole scheme is broken.

2. Symmetric Encryption + Message Digest

This solution adds a message digest to ensure data integrity, but the other issues remain.


Security

| Security Item | Description |
| --- | --- |
| Data Security | Achieved through AES |
| Data Integrity | Achieved through message digests |
| Data Authenticity | Not ensured, vulnerable to key exposure |

Drawbacks

  1. A single key cannot support dynamic key management.
  2. Once the key is exposed, the security of the whole scheme is broken.

3. Symmetric Encryption + Message Authentication

Symmetric encryption + message digest is used when the security requirements are not exceptionally high. For industries with particularly high security requirements, such as finance, education, and other sectors, there is room for improvement. The digest mechanism was therefore improved by replacing the message digest with a message authentication code, forming the HTTP + symmetric encryption + message authentication scheme. The authentication code adds a two-way check on top of the ordinary digest, which ensures the authenticity of the data.

The security and disadvantages are similar to the second scheme.


4. Asymmetric Encryption

Asymmetric encryption solves the issue of key exposure by using a public-private key pair, providing higher security but at the cost of performance.


Security

| Security Item | Description |
| --- | --- |
| Data Security | Achieved via RSA |
| Data Integrity (Tamper-proof) | Achieved via RSA |
| Data Authenticity (Anti-forgery) | Achieved through RSA public and private key pairing |

Drawbacks

  1. Poor performance, slow speed
  2. Not suitable for encrypting or decrypting large data or files

5. Symmetric Encryption + Message Authentication + Asymmetric Encryption

All of the above schemes have flaws that stem from the encryption algorithms themselves. Is there a way to combine symmetric and asymmetric encryption so that each covers the other's weaknesses? The answer is yes; human wisdom is infinite, and it leads to this scheme:

The message is encrypted with symmetric encryption, and the key of the symmetric algorithm is encrypted with asymmetric encryption, so that both efficiency and security are taken into account. The figure below uses AES + authentication + RSA as an example:

[Figure: AES + HMAC + RSA scheme]

Security:

| Security Item | Description |
| --- | --- |
| Data Security | Achieved through AES and RSA |
| Data Integrity | Ensured via HMAC |
| Data Authenticity | Ensured with RSA public-private key pair |

This scheme is secure enough to meet the vast majority of security requirements, and many companies use it today.

  1. AES encrypts the original message, which is fast.
  2. HMAC computes an authentication code over the AES result to ensure the authenticity of the data.
  3. The AES and HMAC keys are randomly generated each time, which gives the effect of dynamic keys.
  4. RSA protects the keys; because the keys are small, this plays to RSA's strengths.
  5. There are two RSA key pairs, which enables two-way authentication.
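Steps 1 to 4 of this scheme in Go, as an added example that is not code from the original article: each message gets fresh AES and HMAC keys, the HMAC covers the AES output, and RSA wraps the small key block. The names `Envelope`, `NewDemoKey`, `Seal` and `Open` are hypothetical, and the concrete choices (AES-256-CTR, HMAC-SHA256, RSA-OAEP) are assumptions, since the article only names AES, HMAC and RSA. Sender authentication with the second RSA key pair (step 5) is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope is a hypothetical wire format for this sketch, not a JOSE structure.
type Envelope struct{ Wrapped, Ciphertext, Tag []byte }

// NewDemoKey returns a throwaway recipient key pair for trying the sketch.
func NewDemoKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func mac(key, iv, ct []byte) []byte { // HMAC-SHA256 over IV || ciphertext
	m := hmac.New(sha256.New, key)
	m.Write(append(append([]byte{}, iv...), ct...))
	return m.Sum(nil)
}

func ctr(key, iv, in []byte) []byte { // AES-256-CTR; same call encrypts and decrypts
	block, _ := aes.NewCipher(key) // cannot fail: callers pass 32-byte keys
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// Seal draws fresh keys per message and wraps them (with the IV) under RSA-OAEP.
func Seal(pub *rsa.PublicKey, msg []byte) (*Envelope, error) {
	k := make([]byte, 64+aes.BlockSize) // AES key | HMAC key | IV
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, k, nil)
	if err != nil {
		return nil, err
	}
	ct := ctr(k[:32], k[64:], msg)
	return &Envelope{wrapped, ct, mac(k[32:64], k[64:], ct)}, nil
}

// Open unwraps the keys and verifies the tag in constant time before decrypting.
func Open(priv *rsa.PrivateKey, e *Envelope) ([]byte, error) {
	k, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, e.Wrapped, nil)
	if err != nil || len(k) != 80 || !hmac.Equal(e.Tag, mac(k[32:64], k[64:], e.Ciphertext)) {
		return nil, errors.New("envelope rejected")
	}
	return ctr(k[:32], k[64:], e.Ciphertext), nil
}
```

`Open` returns the same error for a failed key unwrap and a failed tag check, so a caller cannot tell from the error which step rejected the message.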

Conclusion

This article outlines the basics of encryption algorithms, including symmetric and asymmetric encryption, message authentication, and digital signatures. It also explores the evolution of security solutions, illustrating how modern transmission security balances performance and security. These concepts provide the groundwork for developing secure APIs in future discussions.
