
how to generate secret key? #48

Closed
nelsonic opened this issue Jun 8, 2015 · 14 comments
Comments

@nelsonic
Member

nelsonic commented Jun 8, 2015

"Apologies if this is mentioned elsewhere. The private key used for signing the tokens, is this the same as a private key generated using ssh-keygen?"

originally posted by @skota on ryanfitz/hapi-auth-jwt#30

@nelsonic
Member Author

nelsonic commented Jun 8, 2015

Hi @skota,
Since JSON Web Tokens (JWT) are not signed using asymmetric encryption, you do not have to generate your secret key using ssh-keygen. You can just as easily use a strong password, e.g. https://www.grc.com/passwords.htm, provided it's long and random. The chance of collision (and thus someone being able to decode your encoded JSON) is pretty low. And if you stick two of those Strong Passwords together, you'll have a 128-bit ASCII String. So the chances of collision are less than the number of atoms in the universe... 😉

We wrote a tutorial on this: https://github.com/dwyl/learn-json-web-tokens
And here's a bit more info: http://security.stackexchange.com/questions/2202/lessons-learned-and-misconceptions-regarding-encryption-and-cryptology

Hope that helps!

@skota

skota commented Jun 8, 2015

Thank you. Yes it does help. Is this the right place to post questions by the way?

Thanks


From: Nelson notifications@github.com
To: dwyl/hapi-auth-jwt2 hapi-auth-jwt2@noreply.github.com
Cc: skota sriramkota@yahoo.com
Sent: Monday, June 8, 2015 6:27 AM
Subject: Re: [hapi-auth-jwt2] how to generate secret key? (#48)

Hi @skota,
Since JSON Web Tokens (JWT) are not signed using asymmetric encryption, you do not have to generate your secret key using ssh-keygen. You can just as easily use a strong password, e.g. https://www.grc.com/passwords.htm, provided it's long and random. The chance of collision (and thus someone being able to decode your encoded JSON) is lower than the number of stars in the universe...
We wrote a tutorial on this: https://github.com/docdis/learn-json-web-tokens

And here's a bit more info: http://security.stackexchange.com/questions/2202/lessons-learned-and-misconceptions-regarding-encryption-and-cryptology
Hope that helps!


@nelsonic
Member Author

nelsonic commented Jun 8, 2015

@skota glad it helped.
There is no "right" or "wrong" place to ask questions.
If you want them answered fast, ask them here. 👍
Please ⭐ this repo so others know it was useful to you. Thanks! 😄

@nelsonic
Member Author

@skota we have added instructions to our readme for sourcing your JWT secret key.
Closing the issue. Hope we helped.
Please re-open this issue if you need more info.

@gstolfo

gstolfo commented Aug 27, 2016

There is a correct way to generate a secret.

@nelsonic
Member Author

nelsonic commented Aug 27, 2016

@gstolfo please share a link to the correct way, or describe it for us, thanks! 👍

@jeandat

jeandat commented Jun 22, 2017

So does that mean using a private and public key is not supported by this package? If so, is it enough to read their content and provide them as the key? It seems to make jsonwebtoken crash.

@niksmac

niksmac commented Sep 2, 2018

As seen in the README:

node -e "console.log(require('crypto').randomBytes(256).toString('base64'));"

@oshihirii

oshihirii commented Jun 24, 2019

Just for reference, as I'm learning about JWT as well, I found it interesting that I can generate a JWT token server side, send it to the client to store as a cookie, and then do this in browser dev tools:

// JWT segments are base64url (RFC 7515): map '-'/'_' back to '+'/'/' before atob(),
// which otherwise throws on those characters
function fromBase64Url(s) { return atob(s.replace(/-/g, "+").replace(/_/g, "/")); }

// Cookies.get: a cookie helper such as js-cookie (assumed to be loaded on the page)
// returns the decoded header
var decoded_header = JSON.parse(fromBase64Url(Cookies.get("session_token").split(".")[0]));

// returns the decoded payload
var decoded_payload = JSON.parse(fromBase64Url(Cookies.get("session_token").split(".")[1]));

// throws: the signature is raw HMAC bytes, not JSON; it can only be verified, not 'decoded'
var decoded_signature_nope = JSON.parse(fromBase64Url(Cookies.get("session_token").split(".")[2]));

So it's good to know that the header and payload are just base64 encoded, so it's not good to store secure information in them.

@jakzal

jakzal commented Jan 3, 2020