Update hacking-jwt-json-web-tokens.md

Reference https://asecuritysite.com/encryption/ecd5
This commit is contained in:
Mane 2024-03-28 16:12:09 +08:00 committed by GitHub
parent 0954fe38a8
commit e07c0f6d07
No known key found for this signature in database
GPG key ID: B5690EEEBB952194

View file

@ -246,6 +246,12 @@ console.log('Parameter e: ', publicComponents.e.toString(16));
Finally, using the public and private key and the new "n" and "e" values you can use [jwt.io](https://jwt.io) to forge a new valid JWT with any information. Finally, using the public and private key and the new "n" and "e" values you can use [jwt.io](https://jwt.io) to forge a new valid JWT with any information.
### ES256: Revealing the private key with same nonce
If some applications use ES256 and use the same nonce to generate two jwts, the private key can be restored.
Here is a example: [ECDSA: Revealing the private key, if same nonce used (with SECP256k1)](https://asecuritysite.com/encryption/ecd5)
### JTI (JWT ID) ### JTI (JWT ID)
The JTI (JWT ID) claim provides a unique identifier for a JWT Token. It can be used to prevent the token from being replayed.\ The JTI (JWT ID) claim provides a unique identifier for a JWT Token. It can be used to prevent the token from being replayed.\