Quote:
Originally Posted by calgarywinning
Amazing. So cool. Concept, proof of concept. Encrypted data. Can you do a private key by changing one value and encrypting to share? Like just one character.
Quote:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxN jY5NSIsIm5hbWUiOiJQZWxsYW5vciIsImpvaW5fZGF0ZSI6IjA 0LTExLTIwMTQiLCJpYXQiOjE1MTYyMzkwMjN9.LqmX3-yEqGmKDO93dlM0xXD3Q8Jmkow46U_xwfH6c6G1fDwyOK4AtWUK 6rejygLvyUKJ4_8tKkCaPbxvjELfAAGZQKkhyE6becb4R0nuiX WT23Gb3JzVWDcXfuTsVo_t5DI8ZWVvfK9UaK9kUWd-4LSvgWOewn3wHkFDoN8eh77cQMsCbC_GL_2-_2tNfhJ9nWe5UcjiuSUF1yHmeQJ2XHm0MIPth9tDrNdCmi-qaphFTOXgPpewnxb_v5PvvXt0zzbcTGF5VEII6HghWCgCcFh80 7MTwt2Y-7oy3nh8CY1i9EaNtAnqWXcXYiapO7hW4x6vk78Cmuwpb1V50nm AuQ
So here's the same signed token with one character changed. Since it's URL encoded, the token has two characters that are different, which I highlighted in red. The signature hasn't changed, so when you decode the token on jwt.io using the provided public key, you can see that it has an invalid signature.
However, if I make the same one-character change, but sign it with the private key rather than re-using the signature, you can see that the entire last segment (after the highlighted characters) of the token has changed to reflect this.
Quote:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxN jY5NSIsIm5hbWUiOiJQZWxsYW5vciIsImpvaW5fZGF0ZSI6IjA 0LTExLTIwMTQiLCJpYXQiOjE1MTYyMzkwMjN9.N9IU4NkGVOKzjuY9D0T6IQNDN9t2kFZRiqua0Kgrkt-AoQo5oYnUoN_vDgTw89foFmw122dAE0_OGAskvkQp2JKBLjTqY kSnA9Q9FqUVbCwJClNRgdNYEM5tSnCHKAqnG-nLFTqX1j9UnSWJcob9xEUEhBS58yaVOq0JG7XwjfOfOV6lvcG6 CWpHC3jy6Z4aCIg6LvuJKJ43v0Svf8inQ1iTUX6pr5RS_W47gM aJ-JaT7QsDy99BeWLPzL_xfwQGRg2jVrjXW-DAVIqtrqJGYeMDvBtPYpDqUFq_AdNYOicjBX4yptcAZ55VdAKG _eMrEDDrucfpZtvRAkCgwvsXBgp
I could use a different private key to sign a modified token, but then it wouldn't match the public key that I'd given out earlier, so you would still get an invalid signature.
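The cases described in this post, as an added Go example that is not part of the original post: an untouched token, an edited payload with the old signature kept, the edited payload re-signed with the same private key, and the edited payload signed with a different private key, each checked against the first key's public half. The keys, payloads and function names are constructed for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) } // throwaway demo key

// sign builds header.payload.signature (RS256) using the private key.
func sign(k *rsa.PrivateKey, payload string) string {
	in := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString([]byte(payload))
	h := sha256.Sum256([]byte(in))
	return in + "." + b64.EncodeToString(must(rsa.SignPKCS1v15(rand.Reader, k, crypto.SHA256, h[:])))
}

// verify needs only the public key; the algorithm is fixed here, not read from the header.
func verify(pub *rsa.PublicKey, tok string) bool {
	i := strings.LastIndex(tok, ".")
	sig, err := b64.DecodeString(tok[i+1:])
	if i < 0 || err != nil {
		return false
	}
	h := sha256.Sum256([]byte(tok[:i]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// reuseSig swaps in a new payload but keeps the old header and signature.
func reuseSig(tok, payload string) string {
	return tok[:strings.Index(tok, ".")+1] + b64.EncodeToString([]byte(payload)) + tok[strings.LastIndex(tok, "."):]
}

func main() {
	k, other, edited := newKey(), newKey(), `{"sub":"1","name":"alicf"}` // constructed payloads
	tok, pub := sign(k, `{"sub":"1","name":"alice"}`), &k.PublicKey
	fmt.Println(verify(pub, tok), verify(pub, reuseSig(tok, edited)), verify(pub, sign(k, edited)), verify(pub, sign(other, edited)))
}
```

Only the first and third checks succeed: holding the public key lets anyone verify a token, but producing a signature that verifies requires the matching private key.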