# Symmetric Encryption

In [1]:
import jwt
# import secrets
key = "secret"
payload = {
    "some": "payload",
}
encoded = jwt.encode(payload, key, algorithm="HS256")
print(encoded)

jwt.decode(encoded, key, algorithms="HS256")

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzb21lIjoicGF5bG9hZCJ9.Joh1R2dYzkRvDkqv3sygm5YyK8Gi4ShZqbhK2gxcs2U


{'some': 'payload'}

# Symmetric Encryption with Expiry

In [2]:
import jwt, datetime, time

EXPIRY_TIME_SECONDS = 1
WAIT_TIME_SECONDS = 2

now = datetime.datetime.utcnow()
later = datetime.timedelta(seconds=EXPIRY_TIME_SECONDS)
key = "secret"
payload = {
    "some": "payload",
    "exp": now+later
}
encoded = jwt.encode(payload, key, algorithm="HS256")
print(encoded)
time.sleep(WAIT_TIME_SECONDS)
try:
    decoded = jwt.decode(encoded, key, algorithms="HS256")
    print(f"decoded: {decoded}")
except jwt.ExpiredSignatureError:
    print("Token expired")


eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzb21lIjoicGF5bG9hZCIsImV4cCI6MTY3MDAzNDI2OX0.7wHlAc_eWrV0Tn4v10tfmHsVX4O5qWFF7c0qdBdVFcE
Token expired


# Asymmetric Encryption
there are kinds: 
- encrypt with public key, decrypt with private key
- encrypt with private key, decrypt with public key

In [6]:
# Generate key pairs
import jwt
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization

def gen_private_key():
    private_key = rsa.generate_private_key(
        public_exponent=65537,
        key_size=2048,
        # backend=default_backend()
    )
    unencrypted_pem_private_key = private_key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.TraditionalOpenSSL,
        encryption_algorithm=serialization.NoEncryption()
    )
    return private_key, unencrypted_pem_private_key

def gen_public_key(private_key):
    public_key = private_key.public_key()
    pem_public_key = public_key.public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo
    )
    return public_key, pem_public_key

private_key, pri_key_inbytes = gen_private_key()
public_key, pub_key_inbytes = gen_public_key(private_key)

In [8]:
# If the box is locked with the private key, only a public key can unlock it.
payload = {
    "some": "payload",
}
encoded = jwt.encode(payload, pri_key_inbytes, algorithm="RS256")
print(encoded)

decoded = jwt.decode(encoded, pub_key_inbytes, algorithms=["RS256"])
decoded

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzb21lIjoicGF5bG9hZCJ9.Jl7B9QFN6J1nWD-ul8ABWE2TpfHnnsXV6nLmLh7JqxwQheEDi0_Q8ztyy0fprfPKq1gxK2zH42l3wXI7BJCUyw-48w6q_ocqqEPPn5Y5XzBVh_EV8RRxpJ5iJ400rG2VDy2TYkfg7qRcnIP4F7oA2rA-YHTtrBiE5qHI7v0I1srMo4l_4PEtn8lcIzCkLJjajul3OnVvC9z18Py29ghwislJTFr1DH84O-cFP0k1VPKDA9KeLFFUYB7VjaFUrqkJw_ZPx6fqiPgDtFBH7VDNawDF4iwC6gcWUI3PsheL2pqu7s7gVaZNpOX2dhoL-Ib4voG6Ml0TU6sdRX_bjX5DYA


{'some': 'payload'}

In [13]:
# If the box is locked with a public key, only the private key can unlock it.
payload = {
    "some": "payload",
}
try:
    encoded = jwt.encode(payload, pub_key_inbytes, algorithm="RS256")
    print(encoded)
    decoded = jwt.decode(encoded, pri_key_inbytes, algorithms=["RS256"])
    print(decoded)
except AttributeError as e:
    print(str(e))


'_RSAPublicKey' object has no attribute 'sign'


In [5]:
# If the box is locked with a public key, only the private key can unlock it.
import json
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding
payload = {
    "some": "payload",
}
payload = json.dumps(payload).encode('utf-8')

encrypted = public_key.encrypt(
    payload,
    padding.OAEP(
        mgf=padding.MGF1(algorithm=hashes.SHA256()),
        algorithm=hashes.SHA256(),
        label=None
    )
)
print(encrypted)

decrypted = private_key.decrypt(
    encrypted,
    padding.OAEP(
        mgf=padding.MGF1(algorithm=hashes.SHA256()),
        algorithm=hashes.SHA256(),
        label=None
    )
)
json.dumps(decrypted.decode('utf-8'))

b"B\x16\xf0\x83\xe1\x1e\x88\xb5\x13\x90\x1f@f\xbc\xd6\x9e=\rMy\x9a\xe9\xe9\xc4Hi\n\x1b\x84\xdf\x1f(M\xa0,\x0f\x9f\xaa\x95_\xb5/k\xed\xe35\xa0\xf3h\x08\x9d/\xd5\xf0\xa2c4\xbeM\x01vz\xfeb\x06\x91\xb8\xd1\x8e\x87x-\x1a&\x95\x173\x8c\x96\x92F\xb9\x0b*\x1d\xb3\xd5\xc3\xaf\xc7@Z\x7fCA5\xdc\x9f\xba\xaf;\xf1e\x8cT\xd3,Eb\x108\xad\xb9\xfc\xa08\x84\xf4h\xdaO\xdeN\x8f\xac\xf1y\xfa\xcds\n\xbe\xe9\xcd\xe5T\x17\x83{]\x05\x1d\x19:\xe9\x84,\xe5\xbf\xdb}T\xe9\xcb\xd6\xb2\x1ax\xf0%:\x8c\x12'\x0c\x83\xe9\xe1\xc8\xd4\x9bTRu)M*\xfd\rOb\xea\xc9d#jd\x04w\xb7\x91Mk\x179l`\xa0\xa6\xf1E\xb5w \xcb*M\xf1\xdc*\xaeR=\x89\x0b\xd9\t\xce]6\x95;HI\x8a\xef\x84\xa0\xf9\xe2B\xfeq\xf4 \x94='M\xc5x(J\xe7\xef3d\xaa\xfe\x86\xbe.\xda\x88w\xe5"


'"{\\"some\\": \\"payload\\"}"'

#### why can't i encode jwt with public key with pyjwt? is it because is it not meant to? but with cryptography package then can..

### About Digital signing
as oppose to encryption, where we sign/encrpyt data with public key then decrpyt with private key.  
in digital signing it is said that data is hashed along with sender's private key, which can only be recreated through use of one of the keys in the key pair created by the sender. 

The recipient then receives the message, the hash digest, and the public key, if they did not already have it.  
The recipient then uses the sender’s public key to hash the message they have received.  
If the resulting hash digest matches the hash digest that has been sent along with the message, then the identity of the sender has been confirmed.  
This also confirms that the data has not been changed in transit. However, signing alone does not ensure the data has not been intercepted and read. 

let's try...

In [28]:
import hashlib
payload = "some message"
sha_512_withPri = hashlib.sha512(payload.encode('utf-8'))
sha_512_withPub = hashlib.sha512(payload.encode('utf-8'))
hash_withPri = sha_512_withPri.update(pri_key_inbytes)
hash_withPub = sha_512_withPub.update(pub_key_inbytes)
print(hash_withPri == hash_withPub, pri_key_inbytes == pub_key_inbytes)


True False


there is **public key encryption** and there is **digital signing**, there's no such thing as *private key encryption*, i confused it with digital signing...