 

HMAC 256 vs HMAC 512 JWT signature encryption

Is there practical difference between HS256 and HS512 encryption algorithms, or is the additional security from longer key redundant compared to already unbreakable key? Which one should I use to encrypt the JWT token?

Is it even possible to use HS512 encryption with auth0's java JWT?

Tuomas Toivonen asked Jul 20 '16 05:07


1 Answer

The algorithm is used to perform a digital signature (not encryption) over the header and payload of the token. If you want to encrypt the token payload, you need to apply the JWE standard (see RFC)

Is there a practical difference between HS256 and HS512 encryption algorithms, or is the additional security from longer key redundant compared to already unbreakable key? Which one should I use to encrypt the JWT token?

HS256 means HMAC-SHA256. The difference with HS512 is the strength of the hash methods themselves. You can take a look at the keylength.com website and this answer. You will see that even SHA-256 has quite a large security margin. What's more, the HMAC algorithm is pretty much oblivious to attacks on the underlying hash algorithm. So you can even use HMAC-SHA1 safely.

Is it even possible to use HS512 encryption with auth0's java JWT?

I took a look at the code, and it is possible (but not documented). Use something similar to

```java
// java-jwt 2.x API (com.auth0.jwt.JWTSigner / com.auth0.jwt.Algorithm)
JWTSigner jwtSigner = new JWTSigner(secret);       // secret: the shared HMAC key
JWTSigner.Options options = new JWTSigner.Options();
options.setAlgorithm(Algorithm.HS512);             // select HMAC-SHA512 instead of HS256
String token = jwtSigner.sign(claims, options);    // claims: Map<String, Object>
```
pedrofb answered Oct 04 '22 12:10
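The answer's two points (HS256 and HS512 differ only in the hash inside the HMAC, and a JWS signs rather than encrypts the payload) are easiest to see with the raw mechanics. The following is an added, library-free Python illustration written for this page; it is not code from the original answer and it is not auth0's Java API. The secret key and the claims are constructed sample values, and the helper names (`sign_jws`, `verify_jws`, and so on) are this example's own.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample key and claims for this demonstration (not from the post).
SECRET = b"correct horse battery staple"
CLAIMS = {"sub": "1234567890", "name": "Tuomas", "admin": True}

# JWA "alg" name -> hash used inside HMAC. This mapping is the ONLY
# difference between HS256 and HS512; the key, the base64url encoding and
# the "header.payload" signing input are identical.
HS_ALGS = {"HS256": hashlib.sha256, "HS512": hashlib.sha512}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: restore the padding the encoder stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jws(claims: dict, key: bytes, alg: str) -> str:
    """Compact JWS: b64url(header).b64url(payload).b64url(HMAC(key, header.payload))."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    mac = hmac.new(key, signing_input.encode("ascii"), HS_ALGS[alg]).digest()
    return signing_input + "." + b64url(mac)


def verify_jws(token: str, key: bytes, expected_alg: str) -> dict:
    """Check the MAC and return the claims; raise ValueError on any failure.

    The verifier pins the algorithm. The token's own "alg" header is only
    checked for agreement, never trusted to pick the hash (or "none").
    """
    if expected_alg not in HS_ALGS:
        raise ValueError("unsupported alg")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != expected_alg:
        raise ValueError("alg header does not match the pinned algorithm")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), HS_ALGS[expected_alg]).digest()
    # Constant-time compare: a plain == would leak how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p_b64))


def read_payload_without_key(token: str) -> dict:
    """Decode the middle segment with no key at all: a JWS payload is not secret."""
    return json.loads(b64url_decode(token.split(".")[1]))


def mac_lengths(claims: dict, key: bytes) -> dict:
    """Raw MAC size per algorithm: 32 bytes for HS256, 64 bytes for HS512."""
    return {alg: len(b64url_decode(sign_jws(claims, key, alg).split(".")[2])) for alg in HS_ALGS}


def tamper_is_rejected(claims: dict, key: bytes, alg: str) -> bool:
    """Change a claim but keep the old MAC: the verifier must refuse it."""
    h_b64, _, s_b64 = sign_jws(claims, key, alg).split(".")
    forged = dict(claims, admin=not claims.get("admin", False))
    forged_token = h_b64 + "." + b64url(json.dumps(forged, separators=(",", ":")).encode()) + "." + s_b64
    try:
        verify_jws(forged_token, key, alg)
    except ValueError:
        return True
    return False


def alg_mismatch_is_rejected(claims: dict, key: bytes) -> bool:
    """A valid HS256 token presented to a verifier pinned to HS512 must fail."""
    try:
        verify_jws(sign_jws(claims, key, "HS256"), key, "HS512")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for alg in HS_ALGS:
        tok = sign_jws(CLAIMS, SECRET, alg)
        print(alg, tok)
        print("  readable without key:", read_payload_without_key(tok))
        print("  verified claims:     ", verify_jws(tok, SECRET, alg))
    print("MAC lengths:", mac_lengths(CLAIMS, SECRET))
```

Running it prints both tokens with an identical `header.payload` prefix (apart from the `alg` value) and a 43-character versus 86-character signature segment; `read_payload_without_key` shows that anyone holding the token can read the claims, which is why confidentiality needs JWE rather than a longer HMAC. The verifier pins the algorithm on its side instead of reading it from the header, which is the check a real deployment should keep regardless of whether HS256 or HS512 is chosen.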