node.js - What happens when an attacker gains access to the secret used to generate JWTs?
As I understand it, JWT authentication works like this:
- The user sends login credentials to the server.
- If the login credentials are correct, the server issues a JWT containing the user's id, username (or whatever you want in the payload to identify the user).
- This JWT is generated using an application-wide secret, which should be stored in an environment variable.
- The JWT is stored by the user, for example in localStorage, and sent with every request to the server in a header.
- The JWT in the auth header is verified using the app-wide secret. If verification is successful, we know who sends the request and whether the request is authorized.
But what happens if an attacker gains access to the secret used to generate the JWTs? Isn't it a master password? With the secret and a user's id/username, you could issue a JWT for that user and take over the account. Isn't this a massive flaw, since 1 little piece of information compromises the whole system (and not just 1 user's account)? Or am I mistaken?
If you're into crypto stuff, I'd suggest reading up on the Diffie-Hellman key exchange technique. It allows 2 parties to have a secure conversation without first knowing a common secret. It utilizes PK cryptography, with the following analogy:
1) I put a padlock on a box and send it to you in the postal mail. Inside the box is the secret I want you to know, in this case a session key.
2) You receive the package and place your own padlock on the box, sending it back to me in the mail.
3) I receive the box with 2 locks on it and remove my own lock, sending it back to you with your lock on it.
4) You receive the box again, remove your lock, and see the contents: a session key that's never been seen by anyone else but me.