DEV Community

Discussion on: Cryptography for programmers 3: Hashes, MACs & JWT

Andrei Gatej

Great article, thanks for sharing!

AFAIK, one can also use asymmetric encryption for JWT. What would be the pros and cons of each approach?

Thank you!

Sergi Canal

Thanks for the comment!

It is true that you can use asymmetric crypto for JWT, although I did not mention it because I will cover asymmetric cryptography in the next post. As far as I know, it is not used as much, and for the authentication problem I don't see any advantages.

In asymmetric cryptography there is a private key and a public key. For encryption you would encrypt a message with the public key, and then decrypt it with the private key. Signing is the reverse: you encrypt it with the private key, and then it can be verified with the public key. So when using an asymmetric algorithm for signing in JWT, since the public key is public, anybody can verify a token, but only the one with the private key can sign it. With HMAC, to verify a token you need the secret key, and it cannot be public, so only the creator can verify it. That's the main advantage of asymmetric cryptography in JWT, if it is a property that you want. I guess also an advantage is that if you want to minimize the number of keys you need to protect, and you already have an asymmetric key pair (you have an SSL certificate, for example), you can reuse it for JWT.

Andrei Gatej

Thanks for such an informative answer!

Maybe the public and private keys approach would be useful when adopting a Microservices architecture, where each service would hold the public key.

Looking forward to your next article!
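
The HMAC versus key-pair trade-off discussed in the two comments above, as an added example that is not part of the original thread. It uses Node's built-in `crypto` module with Ed25519 (JWT `alg` value `EdDSA`) standing in for the asymmetric algorithm; `signJwt`, `verifyJwt`, the two `...Forges` helpers, the keys and the claims are names and values constructed for this illustration.

```javascript
const crypto = require('crypto');

const b64u = (x) => Buffer.from(x).toString('base64url');
const fromB64u = (s) => Buffer.from(s, 'base64url');

// Build header.payload.signature; key is the HMAC secret or the private key.
function signJwt(alg, payload, key) {
  const input = `${b64u(JSON.stringify({ alg, typ: 'JWT' }))}.${b64u(JSON.stringify(payload))}`;
  const sig = alg === 'HS256'
    ? crypto.createHmac('sha256', key).update(input).digest()
    : crypto.sign(null, Buffer.from(input), key); // Ed25519: digest argument is null
  return `${input}.${b64u(sig)}`;
}

// The verifier fixes the algorithm itself instead of trusting the token header.
function verifyJwt(expectedAlg, token, key) {
  const [h, p, s, extra] = token.split('.');
  if (!h || !p || !s || extra !== undefined) return null;
  try {
    if (JSON.parse(fromB64u(h).toString()).alg !== expectedAlg) return null;
  } catch { return null; }
  const input = Buffer.from(`${h}.${p}`);
  const sig = fromB64u(s);
  let ok;
  if (expectedAlg === 'HS256') {
    const mac = crypto.createHmac('sha256', key).update(input).digest();
    ok = sig.length === mac.length && crypto.timingSafeEqual(sig, mac);
  } else {
    ok = crypto.verify(null, input, key, sig);
  }
  return ok ? JSON.parse(fromB64u(p).toString()) : null;
}

// Constructed demo keys and claims (not from the thread).
const sharedSecret = crypto.randomBytes(32);
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const claims = { sub: 'user-42', role: 'user' };

// HS256: a service that can verify holds the secret, so it can also mint tokens.
function hsVerifierForges() {
  const forged = signJwt('HS256', { ...claims, role: 'admin' }, sharedSecret);
  return verifyJwt('HS256', forged, sharedSecret);
}

// EdDSA: a service holding only publicKey can verify but cannot produce a signature.
function edVerifierForges() {
  try { return signJwt('EdDSA', { ...claims, role: 'admin' }, publicKey); }
  catch { return null; }
}
```

In a microservices setup this means a compromised HS256 verifier can issue tokens every other service accepts, while a compromised EdDSA verifier exposes only the public key.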

Sergi Canal

Heey Andrei, I published the last post of the series. A bit late but finally got the time and motivation. I talk about asymmetric encryption a bit more in depth. Check it out! 😄

Andrei Gatej

Hello! Thank you very much for these articles, they are very useful. :)