Problem description
I am going to apply JWT to my REST API developed using Java-Jersey. I am using this library for JWT - https://github.com/auth0/java-jwt

I have a few questions about the JWT Secret:

- Does this Secret have to be unique?
- Shall I use the hashed version of the user's password for the secret? (Then it is not unique anyway.) This is because then, when the user changes his password, his token will automatically be invalid.
> Does this Secret have to be unique?

It should be unique to your application — it needs to be a secret, after all — but it won't be unique for each token. Rather, you should have a relatively small number of secret keys at any given time (e.g., usually having just one key, but having brief periods where you have two keys as you rotate from one to the next).

> Shall I use the hashed version of the user's password for the secret?

No, for two reasons:

- Suppose that your user has a relatively insecure password, like `GoPackers123`. Using the password in your secret then means that someone can easily test a given potential password to see if it results in the right signature; and, more to the point, they can easily test huge numbers of potential passwords to see if any of them gives the right signature. This is an offline attack, so you would never even know it happened.
- This would require you to distribute all of your users' password hashes to every system that needs to hold the secret. If you have more than a trivial number of users, this can become a pretty serious burden on your secret-distribution mechanism.
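The key-rotation pattern the answer describes (a small ring of application-wide secrets, one of them current for signing, older ones kept only until the tokens they signed have expired), shown as an added example that is not from the question, the answer or the java-jwt library. It implements HS256 with the Python standard library so it runs offline; the key ids `2024-01` / `2024-02`, the `KeyRing` class and the `sign` / `verify` helpers are assumptions made for this illustration. The secret is generated randomly per key and is never derived from anything a user chose, which is what removes the offline password-guessing attack the answer warns about.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def b64url(data: bytes) -> str:
    # JWT uses unpadded base64url for each segment
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class KeyRing:
    """A small set of application-wide HS256 secrets addressed by 'kid'.

    'current' is the key used for signing. Older entries stay in the ring only
    so that tokens issued before a rotation keep verifying until they expire;
    retire() drops a key once that grace period is over. (Hypothetical helper.)
    """

    def __init__(self):
        self.keys = {}          # kid -> secret bytes
        self.current = None

    def rotate(self, kid: str, secret: Optional[bytes] = None) -> str:
        # A fresh 256-bit random secret; nothing user-derived goes in here
        self.keys[kid] = secret if secret is not None else secrets.token_bytes(32)
        self.current = kid
        return kid

    def retire(self, kid: str) -> None:
        self.keys.pop(kid, None)


def sign(ring: KeyRing, claims: dict) -> str:
    # 'kid' tells the verifier which ring entry signed this token
    header = {"alg": "HS256", "typ": "JWT", "kid": ring.current}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = f"{b64url(compact(header))}.{b64url(compact(claims))}"
    sig = hmac.new(ring.keys[ring.current], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify(ring: KeyRing, token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is valid under a key still in the ring, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except ValueError:          # malformed segments, bad base64, bad JSON/UTF-8
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None             # the verifier, not the token, decides the algorithm
    key = ring.keys.get(header.get("kid"))
    if key is None:
        return None             # unknown or already-retired key
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None             # signature does not match under that key
    claims = json.loads(b64url_decode(p))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None             # expired
    return claims


def rotation_demo():
    """Walk through one rotation: both keys valid during the grace period,
    only the new one afterwards. Returns (during_grace, after_retire)."""
    ring = KeyRing()
    ring.rotate("2024-01")
    old_token = sign(ring, {"sub": "alice", "exp": 2_000_000_000})
    ring.rotate("2024-02")      # new signing key; the old one is kept for now
    new_token = sign(ring, {"sub": "alice", "exp": 2_000_000_000})
    during_grace = (verify(ring, old_token) is not None, verify(ring, new_token) is not None)
    ring.retire("2024-01")      # grace period over: old tokens stop verifying
    after_retire = (verify(ring, old_token) is not None, verify(ring, new_token) is not None)
    return during_grace, after_retire


if __name__ == "__main__":
    print(rotation_demo())
```

The ring deliberately looks keys up by the `kid` in the header rather than trying every key: a token whose `kid` is not in the ring is rejected outright, and retiring a key is the only operation needed to invalidate everything it signed.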
這篇關(guān)于“秘密"應(yīng)該是什么?在智威湯遜?的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網(wǎng)!