Is it faster to read a signature or to decrypt a string when using tokens for authentication?


I'm new to everything related to authentication and have no knowledge about encryption algorithms. I was reading about JWT, but from what I gathered, it'd make more sense for my project to authenticate users using one of these two strategies:

  1. Sign, with the server's private key, a publicly readable JSON such as:

         const token = {
           "user": "johndoe",
           "iat": 4342342352,
           "exp": 4352234322
         }

  2. Or encrypt that JSON content and only allow the server to decrypt it, e.g.:

         // server sets token
         encryptionLibrary.encrypt(token, "AES-256", "server's super password")
         // then decrypts it when the token is sent with an HTTP request
         encryptionLibrary.decrypt(token, "AES-256", "server's super password")

Question: Would checking the signature only be faster than decrypting the whole string, or is it entirely dependent on the implementation (i.e., using a fast/slow library)?

Related question: if I already know the content of an encrypted string (let's say I know it's the token variable above) and the encryption algorithm, will this make it possible to break my password (thus rendering option #2 unsafe)?


Why not simply use JWT instead? It looks like too much bloat for my project; I just need a way of storing, on the client's end, a JSON with user, iat and exp information and letting the server prove it's legit. Signing or encrypting the whole payload should stop attackers from creating false tokens, I think.
