JSON Web Tokens (JWT) are a means of sending JSON objects between two parties. They can be secured with keys, so the receiver can verify the source.

A token consists of a concatenation of 3 JSON strings that are encoded according to an algorithm.

First part

The first JSON (up to the first dot) is a header with info, such as the algorithm used.

Second part

The second part is the actual data (payload) that is encoded with the algorithm from the header.

Registered claims

The payload may contain registered claims. The claims are only 3 characters long. This was done to keep the data as small as possible.

Examples:

  • iss = the issuer (=the sender)
  • exp = expiration time (seconds), how long the token remains valid
  • aud = audience
  • iat = the timestamp of when the token was created
  • jti = unique identifier of the token
  • sid = session id

Third part

The third part is a mechanism to check whether the data was sent by the correct party (verify signature).

It contains a key that is known by the sender and receiver.

This is important because if someone else sends a token, or changes it, without knowing the key, the third part of the token will not be correct, and so the recipient can tell that fraud has occurred.

However, the third part does not protect the data from being decoded. Even without the third part, the data can be decoded.

Example:

  • On the left side you see the JSON web token.
  • On the right side you see the 3 decoded parts.
  • Without the 3rd part (the signature) you can still decode the message; you just can’t verify whether it was altered by a malicious party.

[Figure: example JSON web token, encoded on the left and its 3 decoded parts on the right]

To try it out yourself, check the official website of JSON web tokens.
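The point made above, that anyone can decode a token but only someone who knows the key can produce a correct third part, shown as an added example that is not part of the original post. It assumes the HS256 algorithm (HMAC-SHA256 with a shared key); the key, the claim values and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(part):
    # JWT parts drop the base64url "=" padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def encode_json(obj):
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def sign(signing_input, key):
    # HS256: HMAC-SHA256 over "<header>.<payload>" with the shared key.
    return b64url_encode(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())

def make_token(payload, key):
    signing_input = encode_json({"alg": "HS256", "typ": "JWT"}) + "." + encode_json(payload)
    return signing_input + "." + sign(signing_input, key)

def decode_unverified(token):
    # No key needed: the first two parts are only base64url-encoded JSON.
    header, payload = token.split(".")[:2]
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))

def verify(token, key):
    try:
        header_b64, payload_b64, signature = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except ValueError:  # wrong number of parts, bad base64 or bad JSON
        return False
    # Pin the algorithm on the receiving side instead of trusting the header.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    expected = sign(header_b64 + "." + payload_b64, key)
    return hmac.compare_digest(signature.encode(), expected.encode())

def with_changed_claim(token, name, value):
    # Rewrite one claim but keep the old signature, as a party without the key would.
    header_b64, _, signature = token.split(".")
    _, payload = decode_unverified(token)
    payload[name] = value
    return ".".join([header_b64, encode_json(payload), signature])

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample value
    token = make_token({"iss": "demo-issuer", "sid": "abc123"}, key)
    forged = with_changed_claim(token, "iss", "someone-else")
    print(decode_unverified(forged)[1], verify(token, key), verify(forged, key))
```

The receiver should read claims only after `verify` succeeds; `decode_unverified` is for inspection, like the decoder in the figure.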

This tutorial explains how to secure your Dropbox files with Truecrypt in Ubuntu (or Linux Mint). It assumes you know Truecrypt already and have a basic understanding of the Unix folder structure.

Why secure your files in Dropbox?

I use Truecrypt for keeping my personal files. Basically all my important files are in a 50GB volume. My Dropbox folder was located inside the Truecrypt volume.

Like this:

/media/truecrypt1/Dropbox/all_my_files/

I wasn’t satisfied with the system. Who knows what happens with your data when you submit it to Dropbox? A hacker could get access to my account, or a Dropbox employee or the government (not all stories are conspiracies).

There wasn’t really a point in securing my data with Truecrypt, when everything inside the Truecrypt volume was copied to “the cloud”.

What bugged me even more were the credentials on my filesystem. Some folders need different credentials (www-root, root-owned files, mysql-files). When Dropbox faces a file it can’t access, it keeps on indexing and consuming CPU.

How does it work?

I came up with the following script:

Continue reading “Secure Dropbox by using Truecrypt volumes”…


Copyright © 2012-2019 Robin Brackez. All rights reserved.