“秘密"应该是什么?在智威汤逊?

问题描述

我打算将 JWT 应用到我使用 Java-Jersey 开发的 REST API 中.我正在将此库用于 JWT - https://github.com/auth0/java-jwt

我对 JWT - Secret 有几个问题

1. 这个 Secret 必须是唯一的吗?
2. 我应该使用用户密码的散列版本来保密吗?(那么无论如何它都不是唯一的)这是因为当用户更改密码时，他的令牌将自动失效.

1. 这个 Secret 必须是唯一的吗?

它应该是您的应用程序独有的 —毕竟它必须是一个秘密 —但它不会对每个令牌都是唯一的.相反，在任何给定时间，您都应该拥有相对较少数量的密钥(例如，通常只有一个密钥，但在从一个密钥轮换到另一个密钥时，您会在短时间内拥有两个密钥).

1. 我应该使用哈希版本的用户密码作为密码吗?

不，有两个原因:

1. 假设您的用户有一个相对不安全的密码，例如 GoPackers123.然后，在您的秘密中使用密码意味着有人可以轻松地测试给定的潜在密码，看看它是否会产生正确的签名；而且，更重要的是，他们可以轻松测试大量潜在密码，看看其中是否有任何一个给出了正确的签名.这是一次离线攻击，因此您甚至都不会知道它发生了.
2. 这将要求您将所有用户的密码哈希分发到每个需要保存密码的系统.如果您的用户数量很少，这可能会对您的秘密分发机制造成相当严重的负担.

I am going to apply JWT into my REST API developed using Java-Jersey. I am using this library for JWT - https://github.com/auth0/java-jwt

I have few questions about the JWT - Secret

1. Does this Secret has to be unique?
2. Shall I use the hashed version of user's password for secret? (Then it is not unique anyway) This is because then when user changed his password, his token will be automatically invalid.

1. Does this Secret has to be unique?

It should be unique to your application — it needs to be a secret, after all — but it won't be unique for each token. Rather, you should have a relatively small number of secret keys at any given time (e.g., usually having just one key, but having brief periods where you have two keys as you rotate from one to the next).

2. Shall I use the hashed version of user's password for secret?

No, for two reasons:

1. Suppose that your user has a relatively insecure password, like GoPackers123. Using the password in your secret then means that someone can easily test a given potential password to see if it results in the right signature; and, more to the point, they can easily test huge numbers of potential passwords to see if any of them gives the right signature. This is an offline attack, so you would never even know it happened.
2. This would require you to distribute all of your users' password hashes to every system that needs to hold the secret. If you have more than a trivial number of users, this can become a pretty serious burden on your secret-distribution mechanism.

这篇关于“秘密"应该是什么?在智威汤逊?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持跟版网！