Jwt Secret Key Generator Cluster 3,6/5 1425 votes

2018-06-11T14:15:42Z

Posted by Miguel Grinberg under Authentication, Security, Python, Programming.

JSON Web Tokens offer a simple and powerful way to generate tokens for APIs. These tokens carry a payload that is cryptographically signed. While the payload itself is not encrypted, the signature protects it again tampering. In their most common format, a 'secret key' is used in the generation and verification of the signature. In this article I'm going to show you a less known mechanism to generate JWTs that have signatures that can be verified without having access to the secret key.

Online JWT generator and verifyer You can generate and verify signed JSON Web Token(JWT) online. Or specify signature algorithm, private key, private key passcode and/or shared secret: passcode for private key: NOTE: Off course you can set your own private key and passcode. Please care of proper signature algorithm when you set your own key. For authentication purposes I plan to generate JWT token for every user using HMAC HS256. I need a secret key for HMAC. What are the requirements for secret key? Do I need a long string of random characters? Or fixed-length string? Shared secret when using JWT with an HMAC for authentication. Ask Question Asked 3 years. To do an API call, the client will send the JWT to the server. All the server does then is validate the JWT using its private key, and also checking that the signature algorithm is the one expected by the server. 'Shared secret' in this case.

Quick Introduction to JSON Web Tokens (JWTs)

In case you are not familiar with JWTs, let me first show you how to work with them using Python with the pyjwt package. Create a virtual environment, and install pyjwt in it:

Now let's say you want to create a token that gives a user with id 123 access to your application. After you verify that the user has provided the correct username and password, you can generate a token for the user:

The jwt.encode() function has three arguments of which the most important is the first, containing the token payload. This is the information that you want stored in the token. You can use anything that can be serialized to a JSON dictionary as a payload. The payload is where you record any information that identifies the user. In the simplest case this is just the user id like in the example above, but you can include other user information such as a username, user roles, permissions, etc. Here is a more complex token:

May 01, 2018 Imagine you are using 2048 bit key as secret for our JWT, which will be decoded every time a request is sent to maintain the user session. Building A Stoic Quote Generator With React & Netlify.

As you can see, the more data you write in the payload, the longer the token is, because all that data is physically stored in the token. By looking at the resulting JWTs you may think that the data that you put in the tokens is encrypted, but this is actually incorrect. You should never write sensitive data in a JWT, because there is no encryption. This seemingly random sequence of characters that you see in these tokens is just generated with a simple base64 encoding.

In addition to user information, the payload of a JWT can include a few fields that apply to the token itself, and have a predefined meaning. The most useful of these is the exp field, which defines an expiration time for the token. The following example gives the token a validity period of 5 minutes (300 seconds):

Other predefined fields that can be included in the JWT are nbf (not before), which defines a point in time in the future at which the token becomes valid, iss (issuer), aud (audience) and iat (issued at). Consult the JWT specification if you want to learn more about these.

The second argument to jwt.encode() is the secret key. This is a string that is used in the algorithm that generates the cryptographic signature for the token. The idea is that this key must be known only to the application, because anyone who is in possession of this key can generate new tokens with valid signatures. In a Flask or Django application, you can pass the configured SECRET_KEY for this argument.

The last argument in the jwt.encode() call is the signing algorithm. Most applications use the HS256 algorithm, which is short for HMAC-SHA256. The signing algorithm is what protects the payload of the JWT against tampering.

Jwt generator

The value returned by jwt.encode() is a byte sequence with the token. You can see in all the above examples that I decoded the token into a UTF-8 string, because a string is easier to handle.

Once your application generates a token it must return it to the user, and from then on, the user can authenticate by passing the token back to the server, which prevents the user from having to constantly send stronger credentials such as username and password. Using JWTs for authentication is considered more secure than usernames and passwords, because you can set an appropriate expiration time, and in that way limit the damage that can be caused in the case of a leak.

When the application receives a JWT from the user it needs to make sure that it is a legitimate token that was generated by the application itself, which requires generating a new signature for the payload and making sure it matches the signature included with the token. Using the first of the example tokens above, this is how the verification step is done with pyjwt:

The jwt.decode() call also takes three arguments: the JWT token, the signing key, and the accepted signature algorithms. Note how in this call a list of algorithms is provided, since the application may want to accept tokens generated with more than one signing algorithm. Note that while the algorithms argument is currently optional in pyjwt, there are potential vulnerabilities that can occur if you don't pass the list of algorithms explicitly. If you have applications that call jwt.decode() and don't pass this argument, I strongly advise you to add this argument.

The return value of the jwt.decode() call is the payload that is stored in the token as a dictionary ready to be used. If this function returns, it means that the token was determined to be valid, so the information in the payload can be trusted as legitimate.

Let's try to decode the token from above that had an associated expiration time. I have generated that token more than five minutes ago, so even though it is a valid token, it is now rejected because it has expired:

It is also interesting to see what happens if I take one of the tokens above, make a change to any of the characters in the string and then try to decode it:

So as you see, if jwt.decode() returns back a dictionary, you can be sure that the data in that dictionary is legitimate and can be trusted (at least as much as you are sure your secret key is really secret).

Using Public-Key Signatures with JWTs

A disadvantage of the popular HS256 signing algorithm is that the secret key needs to be accessible both when generating and validating tokens. For a monolithic application this isn't so much of a problem, but if you have a distributed system built out of multiple services running independently of each other, you basically have to choose between two really bad options:

  • You can opt to have a dedicated service for token generation and verification. Any services that receive a token from a client need to make a call into the authentication service to have the token verified. For busy systems this creates a performance bottleneck on the authentication service.
  • You can configure the secret key into all the services that receive tokens from clients, so that they can verify the tokens without having to make a call to the authentication service. But having the secret key in multiple locations increases the risk of it being compromised, and once it is compromised the attacker can generate valid tokens and impersonate any user in the system.

So for these types of applications, it would be better to have the signing key safely stored in the authentication service, and only used to generate keys, while all other services can verify those tokens without actually having access to the key. And this can actually be accomplished with public-key cryptography.

Public-key cryptography is based on encryption keys that have two components: a public key and a private key. As it name imples, the public key component can be shared freely. There are two workflows that can be accomplished with public-key cryptography:

  • Message encryption: If I want to send an encrypted message to someone, I can use that person's public key to encrypt it. The encrypted message can only be decrypted with the person's private key.
  • Message signing: If I want to sign a message to certify that it came from me, I can generate a signature with my own private key. Anybody interested in verifying the message can use my public key to confirm that the signature is valid.

There are signing algorithms for JWTs that implement the second scenario above. Tokens are signed with the server's private key, and then they can be verified by anyone using the server's public key, which is freely available to anyone who wants to have it. For the examples that follow I'm going to use the RS256 signing algorithm, which is short for RSA-SHA256.

The pyjwt package does not directly implement the cryptographic signing functions for the more advanced public-key signing algorithms, and instead depends on the cryptography package to provide those. So to use public-key signatures, this package needs to be installed:

The next step is to generate a public/private key set (usually called a 'key pair') for the application to use. There are a few different ways to generate RSA keys, but one that I like is to use the ssh-keygen tool from openssh:

The -t option to the ssh-keygen command defines that I'm requesting an RSA key pair, and the -b option specifies a key size of 4096 bits, which is considered a very secure key length. When you run the command you will be prompted to provide a filename for the key pair, and for this I used jwt-key without any path, so that the key is written to the current directory. Then you will be prompted to enter a passphrase to protect the key, which needs to be left empty.

When the command completes, you are left with two files in the current directory, jwt-key and jwt-key.pub. The former is the private key, which will be used to generate token signature, so you should protect this very well. In particular, you should not commit your private key to your source control, and instead should install on your server directly (you should keep a well protected backup copy of it, in case you ever need to rebuild your server). The .pub file will be used to verify tokens. Since this file has no sensitive information, you can freely add a copy of it on any project that needs to verify tokens.

The process to generate tokens with this key pair is fairly similar to what I showed you earlier. Let's first make a new token:

The main difference with the previous tokens is that I'm passing the RSA private key as the secret key argument. The value of this key is the entire contents of the jwt-key file. The other difference is that the algorithm requested is RS256 instead of HS256. The resulting token is longer, but otherwise similar to those I generated previously. Like the previous tokens, the payload is not encrypted, so also for these tokens you should never put sensitive information in the payload.

Now that I have the token, I can show you how it can be verified using the public key. If you are trying this with me, exit your Python session and start a new one, to make sure there is no trace of the private key in the Python context. Here is how you can verify the token above:

This example looks nearly identical to the previous ones, but the important fact is that we are ensuring this token is valid without access to any sensitive information. The server's public key presents no risk, so it can be freely shared with the world. And in fact, anybody would be able to verify the tokens that your application generates with this key. To prove this point, let me share with you my public key:

You can now take this public key and validate the token that I generated, and letting you validate the tokens does not introduce any security risks for me. I'm still the only person in the world that can generate new tokens.

Conclusion

I hope those of you who were using JWTs with the popular HS256 algorithm are now ready to introduce RS256 or any of the other public-key signature options available.

Let me know if you have any questions in the comment area below!

Hello, and thank you for visiting my blog! If you enjoyed this article, please consider supporting my work on this blog on Patreon!

41 comments

  • #1Ars said 2018-06-11T19:42:22Z

  • #2Miguel Grinberg said 2018-06-11T22:34:20Z

  • #3JM said 2018-07-06T00:47:09Z

  • #4Miguel Grinberg said 2018-07-06T05:37:07Z

  • #5Abdul Wahab van Reenen said 2018-07-30T10:21:35Z

  • #6Miguel Grinberg said 2018-07-30T21:02:35Z

  • #7SG said 2018-08-07T00:35:35Z

  • #8Miguel Grinberg said 2018-08-07T21:18:10Z

  • #9Mitch said 2018-08-19T22:08:06Z

  • #10stm said 2018-09-07T07:24:16Z

  • #11Miguel Grinberg said 2018-09-13T20:51:35Z

  • #12grex_e said 2018-10-17T23:52:59Z

  • #13Miguel Grinberg said 2018-10-18T14:19:33Z

  • #14grex_e said 2018-10-20T23:40:32Z

  • #15Vladyslav said 2018-11-01T09:58:18Z

  • #16yoni said 2018-11-10T00:18:03Z

  • #17Akshay said 2018-12-11T21:12:23Z

  • #18Miguel Grinberg said 2018-12-12T15:21:26Z

  • #19simi403 said 2018-12-19T18:24:52Z

  • #20Miguel Grinberg said 2018-12-19T22:19:59Z

  • #21Kim said 2019-02-24T00:28:17Z

  • #22Miguel Grinberg said 2019-02-24T19:47:17Z

  • #23Saqib said 2019-04-12T10:10:24Z

  • #24Miguel Grinberg said 2019-04-12T18:34:58Z

  • #25Andy said 2019-08-17T13:19:30Z

Leave a Comment

4 Sep 2017CPOL
Learn how to create JWT and use with WebApi, REST and MVC all build with .Net Core

Intro

JWT (JSON Web Token) becomes more and more popular as a standard for securing web sites, and REST services. I discuss how you can implement JWT security for both a REST service and a MVC web application all build with .Net Core. I divided the JWT security in 3 blogs

  1. Create JWT
  2. Secure REST service with JWT
  3. Secure web application with JWT

This is the first of the three blogs and I start with a small JWT explanation.

JWT Primer

JWT (JSON Web Tokens) is open, security protocol for securely exchanging claims between 2 parties. A server generates or issues a token and is signed by a secret key. The client also knows the secret key and the key and can verify if the token is genuine. The token contains claims for authentication and authorization. Authentication is simply the verification if someone is really who he claims to be be. Authorization is when an user is granted to access a resource or execute a certain task. For example user A can view payments and user B can execute payments. JWT are self contained. Because JWT is a protocol and not a framework it works across different languages like .net , Java Python and many more. The JWT is usually transmitted by adding the JWT to the header of the request but can also be used as a parameter in an URL. This transmission makes the JWT stateless.

JWT Structure

JWT has three parts:

Secret Key Pokemon

  1. Header
  2. Payload
  3. Signature

The parts are separated with a dot.

aaaa.bbbb.cccc

Header

The header and the payload has one or more key value pairs. The header contains the token type ('typ') and the hashing algorithm ('alg') SHA256.

The Header and the Payload parts are base64 encoded, this makes the Header part:

Payload

The payload part is the most interesting section because it contains all the claims. There are three claims types Registered, Public and Private claims.

Registered Claims

The registered claims are part of the JWT standard and have the same purpose on all implementations. In order to keep the JWT size small the key is always 3 characters long. Here's the short list:

  • iss Issuer Identifies who issued the JWT.
  • sub Subject Identifies the principal (read user) of the JWT.
  • aud Audience Identifies recipients the JWT is intended for.
  • exp Expiration Sets the expiration date and when expired the JWT must be refused.
  • nbf Not before. Sets the date before the JWT may not be used.
  • iat Issued at. Sets the date when the JWT was created.
  • jti Unique identifier for the JWT. Use for a one time token and prevent token replay.

All registered claims dates are in the Unix Epoch date format and describe the seconds after UTC time 1 January 1970.

Public Claims

Public claims contain more general information for example 'name'. Public names are also registered to prevent collision with other claims.

Private Claims

A private claim is agreed between issuer and audience. Always check if a private claim does not collide with existing claims. The claim 'role' is private claim example we will use later on.

Payload Example

will result in

Signature

So far there was nothing secure about a JWT. All data is base64 encoded and although not human readable it's easy to decode it into a readable text. This where the signature comes in. With the signature we can verify if the JWT is genuine and has not been tampered. The signature is calculated from the Header, the Payload and a secret key.

The secret key is symmetric and is known to issuer and client. Needless to say, be care full where you store the secret key!

Put it all together

The screen dump below is constructed with help from https://jwt.io/ where you can test and debug JWT claims. The left pane holds the JWT and the other pane shows the extracted Header and Payload. If you add the secret key the page also verifies the signature.

General JWT Security Overview

The solution overview shows three separate servers, the Web application, the RESTful service and the JWT issuer server. They could be hosted in one server and in one project but I made three items for it. In this way it's much more clear how each server is configured. Because JWT is self contained there no need for some kind of connection between the JWT issuer and the REST service to validate the JWT claim. Dark souls 3 key generator.

General JWT Flow

The basic JWT flow is quite simple:

  • The user enters the login credentials on the web application.
  • The web application send the login credentials to JWT issuer and ask for a JWT claim.
  • JWT issuer validates login credentials with user database.
  • JWT issuers creates JWT based on claims and roles from user database and add the 'exp' (Expires) claim for limited lifetime (30 minutes).
  • JWT issuer sends the JWT to web application.
  • Web application receives JWT and stores it in an authentication cookie.
  • Web application verifies JWT and parses payload for authentication and authorization.
  • Web application adds JWT to REST service calls.

Pros and cons

Pros:

  • Comparatively simple. Security is never easy, what ever you choose. JWT is a smart design and combined with the .net libraries who do the 'hard' work makes JWT relative easy to implement.
  • REST service is truly stateless as it supposed to be. In most cases security adds some kind of session management for authentication.
  • Stateless makes scalable. If you need more servers to handle the workload there is no need to shares sessions among all the servers. This makes scaling easier and less error prone.
  • Useable across different services. JWT are self contained and the service can authorize without having access to the user database.
  • JWT provides neat options for temporary authorization elevation. Claims can be added or removed during an user session. For example you can add a claim to a user that he successfully passed a two way authentication for executing a payment. The claim can be removed when the payment is successfully executed. In this manner there's no need to create special way for tracking the user status.

Cons:

  • JWT has no build in features for sliding expirations, although you can build it your self.
  • The Secret key is very important. If the secret key is somehow stolen or leaked the security is heavily compromised.

Generate Jwt Secret Key

Create JWT Issuer project

The main task is to deliver JWT claims based on user credentials. The project is a standard MVC application with Individual User Accounts as Authentication.

The Individual User Accounts Authentication is used to secure the website and having easy access to users and their roles and claims. I added the package Microsoft.AspNetCore.Authentication.JwtBearer for the actual JWT creation. Because JWT is not used to secure this web site caller there is no need to register JwtBearer services during start up. Only the JWT parameters are configured during start up.

The DI (Dependency Injection) pattern is applied for the configuration. The class JwtIssuerSettings maps to the config section JwtIssuerSettings in appsettings.json and the class JwtIssuerFactory creates and instance of IJwtIssuerOptions interface.

They are added to the service collection and are now available as parameters in controller constructor.

Jwt Secret Key Generator Cluster System

Create JWT Claim

The function Login on controller JwtIssuerController creates the JWT claim. The process is pretty straight forward:

  • Find the user.
  • Check password.
  • Create Issuer, Subject, Email, Unique Id and IssuedAt claims.
  • Collect user roles (claims) from storage
  • Create JWT based on configuration parameters and secret key.
  • Send token to caller

Test Data

Jwt Secret Key Generator Clustered

During startup an in-memory database is created. It contains three users and three roles and mimics an Human Resource department.

Roles:

  • Employee this can be any company member.
  • HR-Worker, every HR department member.
  • HR-Manager, sure it's the HR-boss.

Users:

  • employee@xyz.com
  • hrworker@xyz.com
  • hrmanager@xyz.com

Namespace Microsoft.AspNetCore.Identity contains RoleManager<IdentityRole> and is ready to use without explicit configuration. You don't read much about it in examples or documentation. It's a bit of a missed chance because the class is really useful for managing the roles in the system.

Testing JWT claim

I added Swagger by adding package Swashbuckle.AspNetCore for testing. You can read here more how to configure swagger. In short it comes to this

Swagger can now be tested at http://localhost:49842/swagger/

We can test the response at https://jwt.io/

and all looks fine and we can start securing the REST service.

Visual Studio Startup Projects

Jwt secret key generator cluster system

Secret Key Skin Care

Sometimes the Visual Studio startup Project is lost and prevent running the application. Right click on the solution and choose 'Set Startup Projects..'

And repair the startup setting:

Jwt Generator Online

Conclusion

This blog demonstrates how you can setup a JWT (JSON Web Token) issuer. Stateless, self contained, scalable and other features makes JWT a smart design. With help from packages integrates JWT well with .Net Core and takes little effort to setup.

Next post : JWT Security Part 2, Secure REST service

Further reading

Versions

1.0 2017-08-31 Initial release

1.1 2017-09-05 Source Code upgraded for Dot Net Core 2.0

Coments are closed
Scroll to top