kkonda

Reputation: 85

JWT Brute force attack possible?

I was wondering if you had a JWT and did an offline brute force attack on it to get the server's secret key, if you could then sign valid JWTs?

The only reason I think this wouldn’t work is that once the server signs a JWT, it stores it somewhere locally. So even if the server verifies the signature, it won’t authenticate you as it has no local record of that token.

Is this true that the token is stored locally as well as in the client side?

Upvotes: 1

Views: 672

Answers (1)

Tore Nestenius

Reputation: 19971

Some token providers do rotate (change) their private signing key on a regular basis. Second, access tokens usually have a short lifetime, like minutes to days. So it would be pretty hard to crack in that timeframe.

You as a user only get access to the signature and the public key; with just the public key, it is practically impossible to use brute force to get the private key.

Also, for JWTs there are different signing algorithms (RSA, ECDSA...) and ECDSA is stronger than RSA.

Upvotes: 2
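Added example, not code from the question or the answer: a minimal stdlib-only HS256 signer and verifier in Python that shows the defences relevant to the symmetric case the question asks about. It checks the secret length (RFC 7518 requires at least 256 bits for HS256; a short or dictionary-word secret is what makes offline guessing from a single captured token feasible), pins the algorithm so the token's own header cannot pick it, compares the MAC in constant time, and enforces the short `exp` lifetime the answer mentions. All function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def secret_is_strong(secret: bytes) -> bool:
    # RFC 7518 section 3.2: an HS256 key MUST be at least 256 bits (32 bytes).
    # Anything shorter, or a human-chosen word, is what an attacker holding one
    # signed token can guess offline; a full-length random key cannot be.
    return len(secret) >= 32

def sign_hs256(claims: dict, secret: bytes) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"

def verify_hs256(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is valid under `secret`, else None."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        sig = _b64url_decode(s)
    except ValueError:  # malformed structure, base64 or JSON
        return None
    # Pin the algorithm server-side: "none", RS256-with-public-key-as-secret,
    # or anything else named in the header is rejected before any crypto runs.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(_b64url_decode(p))
    # Short lifetime (the answer's second point): a token that has expired is
    # useless even if the secret were recovered after the fact.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims
```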
