node.js - What happens when an attacker gains access to the secret used to generate JWTs?


As I understand it, JWT authentication works like this:

  • The user sends login credentials to the server.
  • If the login credentials are correct, the server issues a JWT containing the user's id and username (or whatever you want in the payload to identify the user).
  • This JWT is generated using an application-wide secret, which should be stored in an environment variable.
  • The JWT is stored by the user, for example in localStorage, and sent with every request to the server in a header.
  • The JWT in the auth header is verified using the app-wide secret. If verification is successful, we know who sends the request and whether the request is authorized.

But what happens if an attacker gains access to the secret used to generate JWTs? Isn't it a master password? With the secret and a user's id/username you can issue JWTs for that user and take over their account. Isn't that a massive flaw, since one little piece of information compromises the whole system (and not just one user's account)? Or am I mistaken?
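As an added example (not code from the question or the answer), here is a minimal HS256 issue/verify pair in Python's standard library. It shows why the shared secret behaves like a master key, and two defender-side limits on the blast radius: a `kid`-keyed secret set so a leaked secret can be rotated out, and an `exp` claim that bounds how long any token stays usable. The key names and secrets are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Added illustration; constructed sample secrets keyed by "kid". A real deployment loads these from the environment.
KEYS = {"k2": b"constructed-current-secret", "k1": b"constructed-previous-secret"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(payload: dict, secret: bytes, kid: str) -> str:
    """HS256: one shared secret both signs and verifies, so whoever holds it can mint any identity."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, payload))
    tag = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(tag)


def verify_jwt(token: str, keys: dict, now: int = None):
    """Return the payload if the token is valid under one of `keys`, otherwise None."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        if header.get("alg") != "HS256":          # pin the algorithm; never trust the token's own choice
            return None
        secret = keys.get(header.get("kid"))      # unknown or rotated-out kid -> reject
        if secret is None:
            return None
        expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return None
        payload = json.loads(_b64url_decode(p64))
        if int(payload.get("exp", 0)) <= (now if now is not None else int(time.time())):
            return None                           # a short "exp" bounds how long any token stays usable
        return payload
    except (ValueError, TypeError, AttributeError):
        return None


def rotate_out(keys: dict, kid: str) -> dict:
    """Retire a secret (e.g. after a leak): every token signed under that kid stops verifying at once."""
    return {k: v for k, v in keys.items() if k != kid}
```

Rotation only helps if tokens are short-lived and the verifier knows which `kid` signed each one, which is why both are shown together.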

If you are into crypto stuff, I'd suggest you read up on the Diffie-Hellman key exchange technique. It allows two parties to have a secure conversation without first knowing a common secret. It utilizes PK cryptography, and the following analogy describes it:

1) I put a padlock on a box and send it to you in the postal mail. Inside the box is a secret I want you to know, in this case a session key.
2) You receive the package and place your own padlock on the box, sending it back to me in the mail.
3) I receive the box with 2 locks on it, remove my own lock, and send it back with your lock still on it.
4) You receive the box again, remove your lock, and get the contents: a session key that's never been seen by anyone else but me.

