Implementing Detached JSON Web Signature

In some cases where you’re required to integrity protect content that is already existing and not contained in a JWS, It’s possible by attaching a JWS signature without a payload as an external attribute according to RFC7515 — Appendix F for JWS integrity protection, this method is known as the Detached Content approach.

Photo by [Mike Kononov](https://unsplash.com/@mikofilm?utm_source=medium&utm_medium=referral) on [Unsplash](https://unsplash.com?utm_source=medium&utm_medium=referral)

Photo by Mike Kononov on Unsplash

Decomposition of a standard JWS

We’ll first take a look at a standard JWS which will allow us to understand the implement the detached approach as the fundamental lies here. A JWS is a string composed of three components separated by ‘.’

base64UrlEncode(Header) + ‘.’ + base64UrlEncode(Payload) + ‘.’ + base64UrlEncode(JSONWebSignature)

The header contains information such as the algorithm used and the payload is the value that requires integrity protection. The JSON web signature is simply the first two parts hashed with a secret thus allowing any other party to validate the payload’s authenticity by using a public key.

JSONWebSignature \= RSASHA256( base64UrlEncode(header) + “.” +base64UrlEncode(payload), secret)

Detached Approach

The fundamentals of encoding and decoding JWS still remains in this approach with the exception where the payload is redacted from the JWS and sent separately.

Example use case

One option would be to use in REST APIs as it provides an easy way of ensuring integrity. The signature can be sent over in the request or response as a header, such asx-jws-signaturewhich the client or server can validate the HTTP payload using the signature.

Implementing the detached approach

This is fairly simple as you’re able to use your standard JWS libraries to perform this task and then by manipulating the input/output, you’ll be able to extract the detached JWS. Given below are example implementations in Python using pyjwt.

Encoding

  1. Create standard JWS with the header and payload
  2. Split the JWS output by ‘.’
  3. Replace the second element with an empty string ‘’ thus removing the payload.
  4. Join the JWS back together with ‘.’

Decoding

In the decoding process, the previously mentioned encoding process is to be reversed. Making sure to base64 URL encode the payload, this recreates the JWS.

  1. Split JWS by ‘.’
  2. Replace the second element with the payload encoded using Base64 URL.
  3. Rejoin the modified JWS with ‘.’

As you can see this can be implemented quite easily by manipulating inputs and outputs of existing JWS implementations. This is a great option for introducing non-intrusive integrity validation for existing mediums.