Hacker News Comments on
DEF CON 26 CRYPTO AND PRIVACY VILLAGE - Scott Arciszewski - No Way JOSE! Designing Cryptography
DEFCONConference · YouTube · 3 HN comments
Hacker News Stories and Comments
All the comments and stories posted to Hacker News that reference this video.
I've been doing a similar thing recently. I found PASETO to be interesting ( https://paseto.io ), which is a lot like JWT but is simpler and more opinionated (e.g. there is no plaintext option; symmetric and asymmetric operations are cleanly separated; etc.). I especially enjoyed watching this video https://youtu.be/RijGNytjbOI I still decided to go with JWT, since PASETO isn't yet standard and its software hasn't been around for long, but it definitely helped me understand more about the choice I was making. In particular, PASETO distinguishes between "local" tokens (producer and consumer can both use the same symmetric key) versus "public" tokens (producer and consumer can't use the same key, e.g. third party services run by different organisations; hence asymmetric keys are needed). PASETO encourages local tokens to be used when possible, since their keys can be shorter, they generate shorter tokens, they're faster to encrypt/decrypt, they're easier to rotate, etc.; public tokens are essentially a last resort when we must interact with a third party.
I was originally considering 'public' JWTs (i.e. asymmetric keys) for my use case, since we're using AWS API Gateway and that has the option to check the signatures of 'public' JWTs, and reject invalid ones before they ever hit my code. However, I eventually went with 'local' JWTs (i.e. symmetric keys), since the convenience of having AWS discard some tokens for us wasn't worth the (mostly logistical) overhead of using asymmetric keys.
My choice to use the JJWT library was also partly due to its recommendation by the JPaseto library ( https://github.com/paseto-toolkit/jpaseto ).
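The "opinionated" design the comment above describes (no plaintext option, the verifier fixes version and purpose rather than trusting what the token says about itself) can be shown in a few lines. The following is an added illustration, not code from this thread, from PASETO, or from any JWT/PASETO library: the `version.purpose.payload.tag` layout only mimics PASETO's `version.purpose.payload` shape, the "local" tag is plain HMAC-SHA256 for readability (real v2.local tokens use XChaCha20-Poly1305 authenticated encryption), and all keys and claims are constructed test values.

```python
"""Toy "local" token verifier modelled on PASETO's design rules.

Constructed example, not the PASETO specification or any library.
The point it demonstrates: the verifier pins the version and purpose it
accepts, so a token cannot downgrade itself to "none" or switch the
verifier from a symmetric to an asymmetric code path.
"""
import base64
import hashlib
import hmac
import json
import time

VERSION = "v2"          # the only version this verifier accepts
PURPOSE_LOCAL = "local"  # symmetric-key tokens; "public" is a separate verifier


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _tag(key: bytes, header: str, payload: bytes) -> bytes:
    # The header is bound into the MAC, so version/purpose cannot be swapped
    # without invalidating the tag (stand-in for real AEAD with the header as AAD).
    return hmac.new(key, header.encode() + b"." + payload, hashlib.sha256).digest()


def issue_local(key: bytes, claims: dict) -> str:
    """Produce a token of the form v2.local.<payload>.<tag>."""
    header = f"{VERSION}.{PURPOSE_LOCAL}"
    payload = json.dumps(claims, separators=(",", ":")).encode()
    return f"{header}.{_b64(payload)}.{_b64(_tag(key, header, payload))}"


def verify_local(key: bytes, token: str, now=None) -> dict:
    """Return the claims, or raise ValueError. Never honours a header the
    verifier was not configured for: that is the property PASETO enforces."""
    parts = token.split(".")
    if len(parts) != 4:
        raise ValueError("malformed token")
    version, purpose, b64_payload, b64_tag = parts
    if version != VERSION or purpose != PURPOSE_LOCAL:
        raise ValueError(f"expected {VERSION}.{PURPOSE_LOCAL}, got {version}.{purpose}")
    payload = _unb64(b64_payload)
    expected = _tag(key, f"{version}.{purpose}", payload)
    if not hmac.compare_digest(expected, _unb64(b64_tag)):  # constant-time compare
        raise ValueError("bad tag")
    claims = json.loads(payload)
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("expired")
    return claims


def reject_reason(key: bytes, token: str, now=None):
    """Helper for tests and demos: the rejection message, or None if accepted."""
    try:
        verify_local(key, token, now)
        return None
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-real-use"
    tok = issue_local(key, {"sub": "alice", "exp": int(time.time()) + 300})
    print("accepted:", verify_local(key, tok))
    # A header rewritten to a purpose this verifier does not serve is refused
    # before any cryptography runs, which is the "no plaintext option" rule.
    print("rejected:", reject_reason(key, tok.replace("v2.local.", "v2.none.", 1)))
```

The contrast with a naive JWT verifier is that nothing in the token selects the algorithm or code path; the application configures one verifier per purpose and key, and anything else is an error.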
⬐ asdjlkadsjklads
PASETO looks interesting, thank you! Since my primary concern is external client APIs communicating with ours securely, but also in a way that's not too foreign. I imagine JWT would fit the bill of being widely known, but PASETO sounds really interesting too - having fewer things to get wrong sounds amazing. My concern with PASETO is that client APIs are huge slow customers, so I'm hesitant to choose anything that's not super mainstream.
I'll research PASETO more, but I feel like my decision would come down to fitting what the customer can use - less change is more, in that case. I.e., JWT.
If you like video consumption, a DEFCON 2018 talk by the author Scott Arciszewski on this same topic can be found here: No Way JOSE! Designing Cryptography:
https://www.youtube.com/watch?v=RijGNytjbOI
You're welcome :)
Edit: Clarify that Scott is the author of both post and video.
Blog post: https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-ba...
DEFCON CPV talk: https://paragonie.com/files/talks/NoWayJoseCPV2018.pdf + https://youtu.be/RijGNytjbOI
Alternative design that isn't radioactive: https://paseto.io
Apologies if this wasn't more readily available or commonly known. I'm worse at marketing than I am at engineering.
⬐ tenaciousDaniel
Thanks a lot! This is exactly what I needed.