Signed Tokens are breakable

50 views

Skip to first unread message

karanv...@gmail.com

unread,

Dec 26, 2019, 6:53:26 AM12/26/19

to ruby-jwt

Signed tokens with secret keys and HS512 etc, algorithm are breakable over http://calebb.net/

secret = "unique_string"

payload = {user_id: 1}

token = JWT.encode(payload, secret, "HS512")}

=> "eyJhbGciOiJIUzUxMjI1NiJ9.eyJ1c2VyX2lkIjoxfQ.KOUOmkaLcVOLiQu4Im9T6TbU-aox8SsKDICsLh6HcDY"

copy and paste this token over above site and see the payload without providing secret key.

Please update a fix.

Dan Leyden

unread,

Dec 26, 2019, 7:25:52 AM12/26/19

to ruby-jwt

HS512 is a hashing algorithm used for signing tokens. It is not an encryption algorithm. It is expected that the recipient will have the secret and be able to use that to ensure that the token was created by the expected party and has not been tampered with, rather than to decipher an encrypted payload.

The payload is not meant to be hidden with hashing algorithms...

If you need the payload to be encrypted You should use an encryption algorithm instead of a hashing algorithm.

Reply all

Reply to author

Forward

0 new messages