I am generating JWT with the HS512 algorithm.
A secret key is used to sign the header and content. Presently I am using the key as follows: q1w2e3r4t5y6u7i8o9p0
What are the ideal characteristics of the secret key in HS512 JWT algorithm?
For example: must the length be n characters, and must it include upper case, lower case, symbols...?
CodePudding user response:
Ideally your HS512 secret is 512 random bits (64 random bytes). You encode this secret as base64, base64url, or hex for "storage" and then decode it before it's used as a secret.
HS512 is HMAC with SHA-512; a secret shorter than 64 bytes gets padded to 64 bytes, and secrets longer than 64 bytes add no additional security.
You can generate these with openssl, e.g.
openssl rand -hex 64
This will produce e.g.
2dae84f846e4f4b158a8d26681707f4338495bc7ab68151d7f7679cc5e56202dd3da0d356da007a7c28cb0b780418f4f3246769972d6feaa8f610c7d1e7ecf6a
which you then hex-decode to use as the symmetric secret.
The same goes for HS256 (256 bits, 32 bytes) and HS384 (384 bits, 48 bytes).
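As an added example (my own code, not part of the answer above), the following Python script does what the answer describes with only the standard library: it generates a 64-byte secret, hex-encodes it for storage and decodes it again before use, signs and verifies an HS512 JWT with that raw secret, and adds a length check a reviewer would want in place so a short ASCII string like the one in the question is rejected. It also shows why "gets padded" matters: HMAC zero-pads a short key up to the hash's block size, so a short secret and the same secret with trailing NUL bytes produce identical signatures. All function names and the sample payload are my own constructions.

```python
import base64
import hashlib
import hmac
import json
import secrets

MIN_SECRET_BYTES = 64  # 512 bits, the size recommended for HS512


def generate_hs512_secret() -> bytes:
    """64 cryptographically random bytes, the equivalent of `openssl rand 64`."""
    return secrets.token_bytes(MIN_SECRET_BYTES)


def encode_for_storage(secret: bytes) -> str:
    """Hex form for config files or secret stores (same shape as `openssl rand -hex 64`)."""
    return secret.hex()


def decode_from_storage(stored_hex: str) -> bytes:
    """Decode the stored hex back to raw bytes before handing it to the signer."""
    return bytes.fromhex(stored_hex)


def secret_is_strong_enough(secret: bytes) -> bool:
    """Defensive check: an HS512 secret should carry at least 512 bits, i.e. 64 raw bytes."""
    return len(secret) >= MIN_SECRET_BYTES


def _b64url(data: bytes) -> str:
    """JWT uses unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sign_hs512(payload: dict, secret: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA512 over the raw secret bytes."""
    header = {"alg": "HS512", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode("utf-8")
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(payload))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha512).digest()
    return signing_input + "." + _b64url(sig)


def verify_hs512(token: str, secret: bytes) -> bool:
    """Recompute the tag and compare in constant time; malformed tokens fail closed."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha512).digest()
    return hmac.compare_digest(_b64url(expected), sig_b64)


def zero_padding_is_equivalent(secret: bytes) -> bool:
    """HMAC zero-pads a key shorter than the hash block size (128 bytes for SHA-512),
    so `secret` and `secret + NUL bytes` are the *same* key as far as HMAC is concerned."""
    block = hashlib.sha512().block_size
    padded = secret + b"\x00" * max(0, block - len(secret))
    msg = b"constructed test message"  # constructed sample input
    return hmac.compare_digest(hmac.new(secret, msg, hashlib.sha512).digest(),
                               hmac.new(padded, msg, hashlib.sha512).digest())


if __name__ == "__main__":
    weak = b"q1w2e3r4t5y6u7i8o9p0"  # the 20-byte string from the question
    print("question's key strong enough:", secret_is_strong_enough(weak))
    print("zero-padded form signs identically:", zero_padding_is_equivalent(weak))

    secret = generate_hs512_secret()
    stored = encode_for_storage(secret)  # what you would put in your secret store
    runtime_secret = decode_from_storage(stored)
    print("round-trip ok:", runtime_secret == secret,
          "| strong enough:", secret_is_strong_enough(runtime_secret))

    token = sign_hs512({"sub": "alice", "role": "reader"}, runtime_secret)  # constructed payload
    print("token verifies:", verify_hs512(token, runtime_secret))
    print("verifies with another key:", verify_hs512(token, generate_hs512_secret()))
```

The important design point is that the secret is decoded to raw bytes before signing; feeding the hex string itself to the HMAC would use the 128 ASCII characters as the key, which is a different key from the 64 random bytes that were generated and stored.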