Understanding JWT: Basics of Authentication and Algorithms

sotergreco

Sotiris Kourouklis

Posted on May 18, 2024


This is a JWT token. It consists of a Header, a Payload, and a Signature. JWTs are considered the best modern way of authentication.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

They are stateless, meaning that you can authenticate users across many services, and they have multiple options for hashing.

Today we are going to discuss encryption algorithms and how a token works.

Quick Overview

Before we take a deeper dive, we first need to understand how our application authenticates the user with JWT.

First, when we issue a JWT, we encrypt it with a SECRET KEY, which is basically a string. For example, "thisismysecretkey" or "iUup54c5ZfbRk2VXbG3S7MTfTRk+9LkjG".

The key has to be a specific length. The secret key used in HS512 should be 64 bytes long. Why 64 bytes? Well, because 512 bits divided by 8 bits per byte equals 64 bytes.

So the token is basically an object that looks something like this.

```
// header
{
  "alg": "HS512"
},
// payload
{
  "sub": "test@gmail.com",
  "iat": 1716051202,
  "exp": 1716057202
}
```

The sub is the email of the user, the iat is a timestamp of when the token was issued, and the exp is a timestamp of when the token expires. The alg is the algorithm you are using. So, the next time you send a token to an API, you need to know that it decrypts the token with that secret key and checks whether the token has expired.

Algorithms

There are a ton of algorithms to choose from, like AES, RSA, and HS, and one of the most used is AES because of its quantum-resistant abilities. Not that this matters just yet: quantum computers might not exist right now, but they will come to life in the next 10 years.

And AES algorithms are both secure and not vulnerable to quantum attacks. That is because of some very complex stuff which I am not going to cover currently.

Now, for each algorithm, there are different sizes: HS256, HS512, etc. This is the length of the hash. The longer it is, the more difficult it is to decrypt. But don't change your algorithms too quickly because the more bytes a hash has, the slower it is to decrypt with your secret.

Use Cases

The most common use case is JWT with HS512 or AES256. Here is a table with a detailed view of the most common algorithms.

| Algorithm | Type | Key Size | Security Level | Performance | Use Cases |
|---|---|---|---|---|---|
| AES | Symmetric Encryption | 128, 192, 256 bits | Very High | Fast | Data encryption, TLS/SSL, VPNs |
| SHA-256 | Hash Function | N/A (hash output size: 256 bits) | Very High | Fast | Data integrity, digital signatures |
| SHA-3 | Hash Function | N/A (hash output size: 224, 256, 384, 512 bits) | Very High | Moderate | Data integrity, digital signatures |
| RSA | Asymmetric Encryption | 1024, 2048, 4096 bits | High to Very High (depending on key size) | Moderate to Slow | Digital signatures, key exchange |
| ECDSA | Asymmetric Encryption | 224, 256, 384, 521 bits | Very High | Moderate | Digital signatures, cryptocurrency |
| HMAC | Message Authentication Code | Variable (depends on underlying hash function) | High | Fast | Data integrity, authentication |

Security Considerations

When implementing JWT authentication, it's crucial to handle the secret key with care. The secret key should be stored in a secure place and never exposed to the client side.

Use a strong, randomly generated secret key to prevent brute-force attacks. Regularly rotate your keys and invalidate old tokens to enhance security.

To generate a secret key, just use this command. Depending on how long your key should be, change the last number. For HS512 I am using 64.

```sh
openssl rand -hex 64
```
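As an added example (not code from the article), here is a minimal HS256/HS384/HS512 issuer and verifier that shows the header.payload.signature structure from the Quick Overview, generates a key of the size the openssl command above produces, and rejects expired tokens, bad signatures and tokens whose header names a different algorithm than the server pinned; the secret and payload values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Supported HMAC algorithms; the header's alg names the hash (HS512 = HMAC-SHA-512).
ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url(data: bytes) -> str:
    """JWT uses base64url with the '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def new_secret(alg: str = "HS512") -> bytes:
    """Random key as long as the hash output: 64 bytes for HS512, like `openssl rand 64`."""
    return secrets.token_bytes(ALGS[alg]().digest_size)

def encode(payload: dict, secret: bytes, alg: str = "HS512") -> str:
    """Build header.payload.signature; the signature is the HMAC of the first two parts."""
    header = json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode()
    body = json.dumps(payload, separators=(",", ":")).encode()
    signing_input = b64url(header) + "." + b64url(body)
    sig = hmac.new(secret, signing_input.encode(), ALGS[alg]).digest()
    return signing_input + "." + b64url(sig)

def decode(token: str, secret: bytes, alg: str = "HS512", now=None) -> dict:
    """Verify signature and exp. The server pins `alg`; the header's alg is only
    checked for agreement, never used to choose the algorithm."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != alg:
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), ALGS[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):  # constant-time compare
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    return payload

# Demo: the article's payload signed with a fresh 64-byte key (constructed; real keys live in a secret store).
DEMO_SECRET = new_secret()
TOKEN = encode({"sub": "test@gmail.com", "iat": 1716051202, "exp": 1716057202}, DEMO_SECRET)
```

Passing `now` explicitly makes the expiry check deterministic in tests; in production leave it at the default.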

Refresh Token

Refresh tokens in JWT are used to obtain new access tokens without requiring the user to log in again.

When an access token expires, the client can use the refresh token to request a new one, ensuring continuous authentication. Refresh tokens are typically long-lived and stored securely, while access tokens have a shorter lifespan to minimize security risks. This approach enhances security by reducing the exposure of sensitive credentials and maintaining user sessions without frequent re-authentication.

Final Words

In conclusion, understanding JWT authentication algorithms is essential for implementing secure and efficient authentication mechanisms in modern applications.

By choosing the appropriate algorithm and key size, you can ensure robust security while maintaining performance. Additionally, handling secret keys with care and utilizing refresh tokens can significantly enhance the security and user experience of your system.

Thanks for reading, and I hope you found this article helpful. If you have any questions, feel free to email me at kourouklis@pm.me, and I will respond.

You can also keep up with my latest updates by checking out my X here: x.com/sotergreco
