What should be the "Secret" in JWT?

Views: 182

Question

I am going to apply JWT into my REST API developed using Java-Jersey. I am using this library for JWT - https://github.com/auth0/java-jwt

I have a few questions about the JWT secret:


  1. Does this Secret have to be unique?
  2. Shall I use the hashed version of the user's password as the secret? (Then it is not unique anyway.) This is because then, when the user changes his password, his token will automatically be invalid.


Accepted answer



  1. Does this Secret have to be unique?


It should be unique to your application — it needs to be a secret, after all — but it won't be unique for each token. Rather, you should have a relatively small number of secret keys at any given time (e.g., usually having just one key, but having brief periods where you have two keys as you rotate from one to the next).



  2. Shall I use the hashed version of the user's password as the secret?


No, for two reasons:


  1. Suppose that your user has a relatively insecure password, like GoPackers123. Using the password in your secret then means that someone can easily test a given potential password to see if it results in the right signature; and, more to the point, they can easily test huge numbers of potential passwords to see if any of them gives the right signature. This is an offline attack, so you would never even know it happened.
  2. This would require you to distribute all of your users' password hashes to every system that needs to hold the secret. If you have more than a trivial number of users, this can become a pretty serious burden on your secret-distribution mechanism.
