Understanding JWT Algorithms
JSON Web Tokens can be signed using various cryptographic algorithms, each with different security properties, performance characteristics, and use cases. Choosing the right algorithm is critical for JWT security. The algorithm used is specified in the JWT header and determines how the token's signature is calculated and verified.
JWT algorithms fall into two main categories: symmetric (HMAC-based) where the same secret signs and verifies tokens, and asymmetric (RSA and ECDSA-based) where different keys sign and verify. Each category has advantages and disadvantages depending on your system architecture.
Understanding these algorithms helps you make informed decisions about token security. An inappropriate algorithm choice can undermine otherwise well-designed authentication systems. Conversely, understanding algorithm strengths allows you to implement JWTs that provide strong security without unnecessary complexity.
Symmetric Algorithms: HMAC Variants
HMAC (Hash-based Message Authentication Code) algorithms use a shared secret key for both signing and verifying tokens. The server creates tokens using the secret, and any service with the same secret can verify them. Common HMAC variants include HS256 (HMAC with SHA-256), HS384, and HS512.
HMAC algorithms are fast and simple, making them suitable for systems where all components are in the same trust domain. If you're running a monolithic application or a tightly coupled microservices system where all components are under your control, HMAC works well. The shared secret is easy to manage, and verification is computationally lightweight.
However, HMAC has critical limitations in distributed systems. Every service that needs to verify tokens must have access to the secret key. This increases the risk of key compromise—the more places that know the secret, the more opportunities for it to be stolen. If a developer writes the secret into source code, stores it insecurely, or leaves it in logs, the compromise spreads across all services sharing that secret.
HS256 is HMAC with SHA-256, providing 256-bit security. For most applications, HS256 offers sufficient security as long as the secret is properly managed. The secret should be at least 32 bytes (256 bits) of random data, not a simple password. Secrets derived from passwords using weak key derivation functions provide poor security.
HS384 and HS512 offer increased security margins but at minimal performance cost. Unless you have specific cryptographic requirements, HS256 is generally recommended—it's secure and widely supported.
Asymmetric Algorithms: RSA Variants
RSA-based JWT algorithms use a public-private key pair. The issuing service signs tokens with the private key, and other services verify tokens using the public key. RSA algorithms used with JWTs include RS256, RS384, and RS512, where the number indicates the SHA variant used for hashing.
RS256 (RSA with SHA-256) is the most commonly used asymmetric algorithm for JWTs. It provides excellent security and enables a distributed architecture where multiple services can verify tokens without possessing the signing key. The issuing service keeps the private key secret and publishes the public key where other services can retrieve it.
The security of RSA depends on the key size. Modern recommendations suggest using RSA-2048 or larger. RSA-2048 provides approximately 112 bits of symmetric strength, while RSA-4096 provides approximately 128 bits. The larger the key size, the stronger the security but the longer verification takes.
One advantage of RSA is that you can safely distribute the public key. Services can retrieve and cache the public key without needing any secret management. This makes RSA ideal for microservices architectures, APIs served to multiple consumers, and systems where you want to maintain a strict separation between signing and verification components.
RSA is computationally more expensive than HMAC—signature generation requires key operations that take longer. However, verification typically dominates in practice, and while RSA verification is slower than HMAC verification, modern hardware handles the computational load well.
PS256, PS384, and PS512 (RSA PSS variants) are more modern RSA approaches offering better security properties than the standard RS variants, though the practical security improvement is often negligible for most applications. If your JWT library supports them, PS256 is worth considering as it's technically superior to RS256.
Elliptic Curve Algorithms: ECDSA Variants
ECDSA (Elliptic Curve Digital Signature Algorithm) offers excellent security properties with smaller key sizes than RSA. ES256 (ECDSA with SHA-256) uses a 256-bit key providing approximately 128-bit security strength. This matches RSA-3072 but with dramatically smaller keys and faster operations.
ES256 is becoming increasingly popular for JWTs because it combines the asymmetric advantages of RSA with better performance and smaller signatures. The token is slightly smaller, verification is faster, and the keys are easier to manage due to their smaller size.
ES384 and ES512 offer higher security margins, using larger elliptic curves. ES512 uses a 521-bit key (not 512, a quirk of the specification) and provides approximately 256-bit security strength. For most applications, ES256 is sufficient and recommended.
EdDSA (Edwards Curve Signature Algorithm) is an even more modern approach, though less commonly used for JWTs. If your JWT library supports EdDSA, it's an excellent choice, offering strong security with excellent performance. The future of cryptographic signatures likely lies with EdDSA and similar elliptic curve approaches.
Algorithms to Avoid
Several algorithms should be avoided due to security vulnerabilities or poor design. The "none" algorithm allows unsigned tokens and should never be accepted in production. If an attacker can create unsigned tokens, they can forge any claims they want.
"HS256" is secure only when used properly. Many vulnerabilities arise not from the algorithm itself but from misusing HMAC with RSA. Some vulnerable implementations allowed the algorithm field to be changed from RS256 to HS256, and if the code used the public key as the HMAC secret, an attacker could forge tokens.
Older symmetric algorithms like HS1 (HMAC-SHA-1) are deprecated due to SHA-1 weaknesses. If you encounter systems using HS1, migrate to HS256 or better. SHA-1 should not be used for cryptographic operations in new systems.
Custom or proprietary algorithms should never be used for JWT signing. The JWT ecosystem's security strength comes from using well-tested, standard algorithms. Custom cryptography almost always introduces vulnerabilities.
Choosing an Algorithm for Your Use Case
For small, tightly controlled environments where all components are under your management, HMAC algorithms like HS256 offer simplicity and acceptable security. The reduced complexity and faster performance might outweigh the symmetric key management concerns.
For microservices or distributed systems, RSA or ECDSA algorithms are preferable. The ability to distribute public keys without compromising security is crucial. Between RS256 and ES256, ES256 is slightly preferred due to better performance and smaller keys, but both are excellent choices.
For new implementations, consider ES256 or better yet, EdDSA if your JWT library supports it. These algorithms represent the current best practices in cryptography. Legacy systems might need RS256 or HS256 for compatibility, but new systems should leverage modern algorithms.
For systems with strict performance requirements (handling millions of requests per second), ECDSA variants might provide enough improvement over RSA to justify the implementation effort. For typical applications, the performance difference is negligible.
For compliance and regulatory requirements, check whether your industry has algorithm requirements. Some compliance frameworks mandate specific algorithms or key strengths. Financial services, healthcare, and government sectors often have specific cryptographic requirements.
Key Management and Algorithm Selection
Regardless of algorithm choice, proper key management is essential. For symmetric algorithms, keep secrets secure using environment variables, secure vaults, or dedicated key management services. Rotate secrets periodically and retire old secrets carefully to avoid invalidating existing tokens.
For asymmetric algorithms, protect the private key with appropriate access controls. The public key can be freely distributed. Implement key rotation by maintaining multiple valid public keys during transitions—this allows old tokens to remain valid while new tokens use the new key.
Use key identifiers (the "kid" header in JWT) to indicate which key signed the token. This enables seamless key rotation—you can validate tokens signed with old keys while issuing new tokens with new keys.
Algorithm Strength and Token Size
Different algorithms produce signatures of different lengths. HMAC signatures are roughly the size of the hash output (32 bytes for SHA-256). RSA signatures are the size of the RSA key (256 bytes for RSA-2048). ECDSA signatures are roughly twice the key size divided by 8 (64 bytes for ES256).
Larger signatures mean larger tokens, which impacts bandwidth and storage. For systems transmitting tokens frequently, ECDSA's smaller signature size provides advantages. However, for most applications, the difference is negligible.
Conclusion
Secure JWT implementations use proven algorithms: HS256 for symmetric scenarios, RS256 or ES256 for asymmetric scenarios. Modern systems should prefer ECDSA (ES256) over RSA due to superior performance and smaller keys. Always avoid weak or deprecated algorithms, never use "none," and never allow algorithm confusion attacks through improper verification. Choose your algorithm based on your architecture—symmetric for integrated systems, asymmetric for distributed systems. Pair algorithm choice with proper key management for a secure JWT implementation.
