The Art of Writing Secrets: Encryption for JavaScript Developers

The Art of Writing Secrets: Encryption for JavaScript Developers

Written by WWC Team


Jen Schreiber, Software Engineer at Workday

I work all on the back end, primarily in Go, Kotlin, and AWS. When I can, I do a bit of JavaScript and React. Encryption is an ancient art. The first documented uses of encryption date back to around 1900 BC when an Egyptian scribe used non-standard hieroglyphics in an inscription. Some experts argue that encryption appeared spontaneously after writing was invented with applications ranging anywhere from diplomatic missions to wartime battle plans. Any time someone wanted to send a private message from one person to another, encryption could be used. 

Encryption is the process of encoding information. Only the sender and the intended recipient of a message can view its contents. Encryption takes plain text and turns it into ciphertext, which is basically an unreadable string of characters. There are three main types of encryption: Hash functions, symmetric encryption, and asymmetric encryption. 

A hash function is taking an input and message, performing some mathematical operation on it, and out comes a hash value. With hash functions, you are transforming an input of arbitrary size into a result of a fixed size. Hash functions are one-way functions. Hash functions are used like fingerprints. By hashing something, we can see if it maintained its message integrity. 

One example of hashing is bcrypt. Another example of hashing in your everyday life would be git commit hashes. Any time that you are committing code with git, git creates a commit hash for you. To build this hash, the git basically hashes your working directory and hashes metadata about you, like your user name and the date of your commit. Hashes are everywhere, whether you recognize them at the time or not, they really help us do our everyday work.

Other types of encryption include asymmetric and symmetric encryption. These are both key encryption. A Key is a string of characters used to lock or unlock a message. A public key is just a string of characters. The two types of keyed encryption that we're going to talk about are symmetric encryption and asymmetric encryption. Symmetric encryption is when you encrypt and decrypt using the same key, and asymmetric encryption is when you encrypt and decrypt using different keys. 

Symmetric encryption is called a private key. This is because symmetric encryption uses one key, a private key for both encryption and decryption. Symmetric encryption is often used for things like data storage or banking. Some algorithms that you might have heard of are AES and DES symmetric encryption algorithms. 

Asymmetric encryption is called public key cryptography. Asymmetric encryption has different keys used for encryption and decryption. In this case, we're using a private key and a public key. The public key is derived mathematically from a private key, but you cannot derive the private key from the public key. Asymmetric encryption is a lot slower than symmetric encryption, but it does have better security because we're not sharing private keys with recipients, we are just sharing public key. Asymmetric encryption is used for digital signatures, Blockchain transactions, and PKIs. Some algorithms for asymmetric encryption include RSA and ECC. ECC stands for elliptic-curve cryptography, just another algorithm that's often used.

Let's come full circle and give you an example of this in JavaScript. Let's talk about JSON web tokens or JWTs. JWTs are a compact and self-contained way to securely transmit claims between parties. A way to send information from one party to another. JWTs are often used in technology for authentication, authorization, and for information exchange. They're in a JSON format, so key value pairs. JWTs are made up of three parts: A header, a payload, and a signature. JWTs don't have to be signed, they can be unsecured JWTs that don't include a signature.

You would add a signature for more security. When we do include a signature, this is called a JWS, a JSON web signature. Once we include a signature with our JWT, our JWT is now a JWS, a JSON web signature. JSON web signatures are contents carried with digital signatures using JSON-based data structures. JWSs provide integrity protection, so when a JWT is signed, the recipient can verify that the JWT is coming from a certain party and that it has not been changed since it was sent for that party.

JWS are made up of three parts, a header, which includes a protected header and sometimes an unprotected header, it includes a payload and a signature. In order to generate a JWS, I first start by generating a key pair. Next step, we need to sign our JWT. We just pass it in the payload, set a protected header, set the expiration date, and then run the Sign function. Then, pass in our private key and out comes the JWS.

To verify the JWT, this library has a function called Compact Verify where we pass in a string of the JWS, you pass in the public key, the sender. And the verification is really easy, we'll just get the output of the claims and the protected header, and we can see that everything was verified as expected. The last step in the flow would be to verify and decrypt the JWE.