Can you elaborate on this comment, "However, a public key encryption scheme such as RSA would be wholly inappropriate in this case, as anybody with the public key can then create a valid session token."
Security Director at ForgeRock.
Author: https://www.manning.com/books/api-security-in-action
Cryptography and application security. PhD in AI. Secret Prolog junkie.
The issue is with just using RSA encryption without signing/hmac. Encryption is done using the public key, which means anyone with that public key could then create a valid token.
Can you elaborate on this comment, "However, a public key encryption scheme such as RSA would be wholly inappropriate in this case, as anybody with the public key can then create a valid session token."
I am confused how the situation you describe can come about. Specifically due to the multitude of implementations described using RSA and public/private key pairs.
Box using a JSON Web Token (JWT) signed with an RSA key.
Signing a JWT with RSA SHA-256
Is your comment specific in calling out the public key as the encryption mechanism?
The issue is with just using RSA encryption without signing/hmac. Encryption is done using the public key, which means anyone with that public key could then create a valid token.
Thank you for the clarification!