how to generate secret key?

Question

how to generate secret key?

nelsonic opened this issue 9 years ago · comments

"Apologies if this is mentioned elsewhere. The private key used for signing the tokens, is this the same as a private key generated using ssh-keygen?"

originally posted by @skota on ryanfitz/hapi-auth-jwt#30

Nelson · Answer 1 · Mon Jun 08 2015 18:27:26 GMT+0800 (China Standard Time)

Hi @skota,
Since JSON Web Tokens (JWT) are not signed using asymmetric encryption you do not have to generate your secret key using ssh-keygen. You can just as easily use a strong password e.g: https://www.grc.com/passwords.htm provided its long and random. The chance of collision (and thus someone being able to decode your encoded JSON) is pretty low. And if you stick two of those Strong Passwords together, you'll have a 128bit ASCII String. So the chances of collision are less than than the number of atoms in the universe... 😉

We wrote a tutorial on this: https://github.com/dwyl/learn-json-web-tokens
And here's a bit more info:

Lessons learned and misconceptions regarding encryption and cryptology: http://security.stackexchange.com/questions/2202/lessons-learned-and-misconceptions-regarding-encryption-and-cryptology
Hash Collision Probability: http://preshing.com/20110504/hash-collision-probabilities/
In an infinite universe, does everything that’s possible have to happen somewhere?http://www.askamathematician.com/2012/12/q-in-an-infinite-universe-does-everything-thats-possible-have-to-happen-somewhere/

Hope that helps!

Sriram Kota · Answer 2 · Mon Jun 08 2015 20:21:39 GMT+0800 (China Standard Time)

Thank you. Yes it does help. Is this the right place to post questions by the way?

Thanks

From: Nelson notifications@github.com
To: dwyl/hapi-auth-jwt2 hapi-auth-jwt2@noreply.github.com
Cc: skota sriramkota@yahoo.com
Sent: Monday, June 8, 2015 6:27 AM
Subject: Re: [hapi-auth-jwt2] how to generate secret key? (#48)

Hi @skota,
Since JSON Web Tokens (JWT) are not signed using asymmetric encryption you do not have to generate your secret key using ssh-keygen. You can just as easily use a strong password e.g: https://www.grc.com/passwords.htm provided its long and random. The chance of collision (and thus someone being able to decode your encoded JSON) is lower than the number of stars in the universe...
We wrote a tutorial on this: https://github.com/docdis/learn-json-web-tokens

And here's a bit more info: http://security.stackexchange.com/questions/2202/lessons-learned-and-misconceptions-regarding-encryption-and-cryptology
Hope that helps!
—
Reply to this email directly or view it on GitHub.

Nelson · Answer 3 · Mon Jun 08 2015 21:27:29 GMT+0800 (China Standard Time)

@skota glad it helped.
there is no "right" or "wrong" place to ask questions.
If you want them answered fast ask them here. 👍
Please ⭐ this repo so others know it was useful to you. thanks! 😄

Nelson · Answer 4 · Sun Jul 19 2015 05:35:47 GMT+0800 (China Standard Time)

@skota we have added instructions to our readme for sourcing your JWT secret key.
Closing the issue. hope we helped.
Please re-open this issue if you need more info.

gstolfo · Answer 5 · Sun Aug 28 2016 01:29:32 GMT+0800 (China Standard Time)

there is a correct way to generate a secret

Nelson · Answer 6 · Sun Aug 28 2016 03:32:40 GMT+0800 (China Standard Time)

@gstolfo please share a link to the correct way, or describe it for us, thanks! 👍

Jean DAT · Answer 7 · Fri Jun 23 2017 00:49:50 GMT+0800 (China Standard Time)

So does that mean using a private and public key is not supported by this package? If so, is it enough to read their content and provide them as the key? It seems to make jsonwebtoken crash.

Nikhil M · Answer 8 · Sun Sep 02 2018 13:14:20 GMT+0800 (China Standard Time)

As seen on the README

node -e "console.log(require('crypto').randomBytes(256).toString('base64'));"

oshihirii · Answer 9 · Mon Jun 24 2019 19:01:37 GMT+0800 (China Standard Time)

Just for reference as I'm learning about JWT as well, i found it interesting that i can generate a JWT token server side, send it to client to store as cookie, and then do this in browser dev tools:

// returns the decoded header
var decoded_header = JSON.parse(atob(Cookies.get("session_token").split(".")[0])); 

// returns the decoded payload
var decoded_payload = JSON.parse(atob(Cookies.get("session_token").split(".")[1]));

// returns error when trying to 'decode' the signature  
var decoded_signature_nope = JSON.parse(atob(Cookies.get("session_token").split(".")[2]));

So good to know that the header and payload are just base64 encoded, so not good to store secure information in them.

Jakub Zalas · Answer 10 · Fri Jan 03 2020 22:13:15 GMT+0800 (China Standard Time)

with openssl you can do:

openssl rand 256 | base64

satishpatro44 · Answer 11 · Tue Jul 07 2020 22:42:04 GMT+0800 (China Standard Time)

openssl rand -base64 10

Ben Butterworth · Answer 12 · Wed Dec 15 2021 06:43:02 GMT+0800 (China Standard Time)

@satishpatro44, could you explain why you use 10 for the num parameter of openssl rand? num is actually the number of bytes. If you only generate 10 bytes, perhaps this could be brute forced more easily? Since a threat actor can just randomly try all permutations that can be generated in 10 bytes. (i.e. If I wanted to attack your server, I can rest assured it would be easier than if you had generated e.g. 32 bytes instead)

I guess if you have 10 bytes, that's 2 ^ (10 * 8) = 1.20892582e24 permutations. So I guess it's not a real problem that someone can brute force this.

This is just my unqualified thoughts, and I would love to see what others think about my concerns :)

Alq · Answer 13 · Sat Sep 23 2023 19:36:25 GMT+0800 (China Standard Time)

openssl rand 64 | hexdump -v -e '/1 "%02x"'

Hendi Santika · Answer 14 · Tue Nov 21 2023 08:29:37 GMT+0800 (China Standard Time)

openssl rand 256 | base64

Suppose. I have secret word: verytopsecret. Then I want to encode this using SignatureAlgorithm.HS256 in JWT Signature.
How to encode it?

Thanks