https://github.com/tinacious/poc-jwt-ecdsa
🔐 Proof of concept of asymmetrical signing using the ECDSA algorithm for JWT tokens
ecdsa jwt security
Last synced: 8 months ago
- Host: GitHub
- URL: https://github.com/tinacious/poc-jwt-ecdsa
- Owner: tinacious
- License: mit
- Created: 2019-07-13T01:27:57.000Z (almost 7 years ago)
- Default Branch: master
- Last Pushed: 2022-12-22T12:50:55.000Z (over 3 years ago)
- Last Synced: 2025-10-10T13:08:07.443Z (8 months ago)
- Topics: ecdsa, jwt, security
- Language: JavaScript
- Homepage: https://jwt-ecdsa-poc.herokuapp.com
- Size: 1.03 MB
- Stars: 2
- Watchers: 0
- Forks: 0
- Open Issues: 42
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# JWT using ECDSA
Proof of concept script to demonstrate asymmetric signing using Elliptic Curve Digital Signature Algorithm (ECDSA).
Check out the [working demo](https://jwt-ecdsa-poc.herokuapp.com/)! 👯
## Overview
1. Generate a private/public key pair for the elliptic curve cryptography (ECC) signature algorithm ECDSA
2. Use the private key on the back-end to sign your token
3. Use the public key on the front-end to verify your token and read its data
## Generating keys
Run the following commands in a Unix shell to generate your private/public key pair:

```sh
openssl ecparam -name prime256v1 -genkey -out keys/private.key
openssl ec -in keys/private.key -pubout -out keys/public.key
```

These commands are also in the executable file `./generate_keys.sh`.
The keys will be generated in the `./keys` directory.

## Usage
Run the script (`node index.js`, or the `yarn example` alias), which prints information to the console:

```sh
yarn example
```

This should print your asymmetrically signed JWT and the public key to the console.
To see how it works, check out `./index.js`.
## Development
There are a few parts to this project:
- `index.js` outlines the entire process in a simplified way
- `demo`
  - `./server` has the server-side implementation
  - `./client` has the client-side implementation; the client app is a nested repository (Vue.js app)
## Deployment
Deployed to Heroku:

```sh
git push heroku master
```
## Further reading
- [ECDSA: The digital signature algorithm of a better internet](https://blog.cloudflare.com/ecdsa-the-digital-signature-algorithm-of-a-better-internet/) by Cloudflare
- [Seriously, stop using RSA](https://blog.trailofbits.com/2019/07/08/fuck-rsa/) by Trail of Bits
- [Bitcoin uses ECDSA](https://en.bitcoin.it/wiki/Elliptic_Curve_Digital_Signature_Algorithm) to ensure funds can only be spent by their rightful owner
- [Comparing ECDSA vs. RSA](https://www.ssl.com/article/comparing-ecdsa-vs-rsa/) by SSL.com
- [Elliptic Curve Digital Signature Algorithm](https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm) on Wikipedia