Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

how to generate secret key? #48

Closed
nelsonic opened this issue Jun 8, 2015 · 14 comments
Closed

how to generate secret key? #48

nelsonic opened this issue Jun 8, 2015 · 14 comments

Comments

@nelsonic
Copy link
Member

nelsonic commented Jun 8, 2015

"Apologies if this is mentioned elsewhere. The private key used for signing the tokens, is this the same as a private key generated using ssh-keygen?"

originally posted by @skota on ryanfitz/hapi-auth-jwt#30

@nelsonic
Copy link
Member Author

nelsonic commented Jun 8, 2015

Hi @skota,
Since JSON Web Tokens (JWT) are not signed using asymmetric encryption you do not have to generate your secret key using ssh-keygen. You can just as easily use a strong password e.g: https://www.grc.com/passwords.htm provided its long and random. The chance of collision (and thus someone being able to decode your encoded JSON) is pretty low. And if you stick two of those Strong Passwords together, you'll have a 128bit ASCII String. So the chances of collision are less than than the number of atoms in the universe... 😉

We wrote a tutorial on this: https://github.com/dwyl/learn-json-web-tokens
And here's a bit more info:

Hope that helps!

@skota
Copy link

skota commented Jun 8, 2015

Thank you. Yes it does help. Is this the right place to post questions by the way?

Thanks


From: Nelson notifications@github.com
To: dwyl/hapi-auth-jwt2 hapi-auth-jwt2@noreply.github.com
Cc: skota sriramkota@yahoo.com
Sent: Monday, June 8, 2015 6:27 AM
Subject: Re: [hapi-auth-jwt2] how to generate secret key? (#48)

Hi @skota,
Since JSON Web Tokens (JWT) are not signed using asymmetric encryption you do not have to generate your secret key using ssh-keygen. You can just as easily use a strong password e.g: https://www.grc.com/passwords.htm provided its long and random. The chance of collision (and thus someone being able to decode your encoded JSON) is lower than the number of stars in the universe...
We wrote a tutorial on this: https://github.com/docdis/learn-json-web-tokens

And here's a bit more info: http://security.stackexchange.com/questions/2202/lessons-learned-and-misconceptions-regarding-encryption-and-cryptology
Hope that helps!

Reply to this email directly or view it on GitHub.

@nelsonic
Copy link
Member Author

nelsonic commented Jun 8, 2015

@skota glad it helped.
there is no "right" or "wrong" place to ask questions.
If you want them answered fast ask them here. 👍
Please ⭐ this repo so others know it was useful to you. thanks! 😄

@nelsonic
Copy link
Member Author

@skota we have added instructions to our readme for sourcing your JWT secret key.
Closing the issue. hope we helped.
Please re-open this issue if you need more info.

@gstolfo
Copy link

gstolfo commented Aug 27, 2016

there is a correct way to generate a secret

@nelsonic
Copy link
Member Author

nelsonic commented Aug 27, 2016

@gstolfo please share a link to the correct way, or describe it for us, thanks! 👍

@jeandat
Copy link

jeandat commented Jun 22, 2017

So does that mean using a private and public key is not supported by this package? If so, is it enough to read their content and provide them as the key? It seems to make jsonwebtoken crash.

@niksmac
Copy link

niksmac commented Sep 2, 2018

As seen on the README

node -e "console.log(require('crypto').randomBytes(256).toString('base64'));"

@oshihirii
Copy link

oshihirii commented Jun 24, 2019

Just for reference as I'm learning about JWT as well, i found it interesting that i can generate a JWT token server side, send it to client to store as cookie, and then do this in browser dev tools:

// returns the decoded header
var decoded_header = JSON.parse(atob(Cookies.get("session_token").split(".")[0])); 

// returns the decoded payload
var decoded_payload = JSON.parse(atob(Cookies.get("session_token").split(".")[1]));

// returns error when trying to 'decode' the signature  
var decoded_signature_nope = JSON.parse(atob(Cookies.get("session_token").split(".")[2]));

So good to know that the header and payload are just base64 encoded, so not good to store secure information in them.

@jakzal
Copy link

jakzal commented Jan 3, 2020

with openssl you can do:

openssl rand 256 | base64

@satishpatro44
Copy link

openssl rand -base64 10

@ben-xD
Copy link

ben-xD commented Dec 14, 2021

@satishpatro44, could you explain why you use 10 for the num parameter of openssl rand? num is actually the number of bytes. If you only generate 10 bytes, perhaps this could be brute forced more easily? Since a threat actor can just randomly try all permutations that can be generated in 10 bytes. (i.e. If I wanted to attack your server, I can rest assured it would be easier than if you had generated e.g. 32 bytes instead)

I guess if you have 10 bytes, that's 2 ^ (10 * 8) = 1.20892582e24 permutations. So I guess it's not a real problem that someone can brute force this.

This is just my unqualified thoughts, and I would love to see what others think about my concerns :)

@ahmedelq
Copy link

openssl rand 64 | hexdump -v -e '/1 "%02x"'

@hendisantika
Copy link

openssl rand 256 | base64

Suppose. I have secret word: verytopsecret. Then I want to encode this using SignatureAlgorithm.HS256 in JWT Signature.
How to encode it?

Thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests