JWS vs JWE

🔥More exclusive content: https://productioncoder.com/you-decid...
Twitter:   / _jgoebel  
Website: https://jangoebel.com
Blog: https://productioncoder.com

00:00 difference between JSON Web Signature Token and JSON Web Encryption token
00:40 JSON Web Signature tokens guarantees
02:13 JSON Web Encryption tokens guarantees
03:16 JWT compact serialization for JWS and JWE

There are two types of JSON Web Tokens (JWTs). There are JSON Web Signature Tokens (JWS token) that contain a digital signature or a MAC at the end (but don't have to). These tokens guarantee authenticity and data integrity. In case you are using digital signatures and not MACs, JWS also guarantee non-repudiation because contrary to MACs you do not have a share secret with digital signatures. Digital signatures rely on public key cryptography such as RSA and therefore only the public key is distributed. With the public key you can only verify signatures, but you cannot create signatures. Only the party that is in possession of the private key can actually create new signatures.

JSON Web Encryption tokens actually encrypt the plaintext. JWE tokens make use of a hybrid encryption schema where you make a key for a symmetric secret and then encrypt this key for the symmetric encryption algorithm with an asymmetric algorithm such as RSA or ECDSA. The reason is that asymmetric algorithms typically have hard limits on the amount of data they can transport. In addition the encryption and decryption process for larger amounts of data is way faster. JWE tokens use authenticated encryption schemes.