I am not personally a huge fan of JSON Web Tokens (JWT). Why? Well, the short answer is: I don’t know exactly why I don’t like the JWT protocol. It is more about a gut feeling.
JWTs make me feel as if web apps need to be written by crypto experts rather than web developers, which in itself is a security risk already. I also don’t like the idea of signing JSON Web Tokens with symmetric cryptography algorithms when there is a risk that somebody will collect them massively, automatically, for further statistical analysis — I guess for the same reason that no web developer will share hashed passwords with anybody.
By the way, JWTs are usually similar among themselves, or put another way, the degree of randomness they share is almost non-existent. The Hamming distance among them can be very small, and in some instances they are even predictable, both of which, I guess, are good ingredients for hypothetical attacks on hash functions.
Which ones in particular? I don’t know…
Cryptanalysts could launch plaintext attacks on vulnerable JWT APIs. Just to give a few examples, they could apply frequency analysis methods in order to identify statistical patterns in the signatures. Or even launch differential analysis style attacks looking at how differences in the JWTs’ headers/payloads affect the resulting signatures. The list of potential threats could go on.
Add in the fact that JWT signatures are usually obtained with well-known symmetric cryptography algorithms. And throw in that web developers end up using the same popular JWT libraries in their applications — which unfortunately might contain bugs. In fact, decoding a JWT token is a piece of cake: just visit jwt.io, copy and paste any JSON Web Token, decode its payload and header, and learn which algorithm was used in its signature.
The thing is, at the end of the day JWTs assume you’re OK addressing the following security concerns:
- Are you happy with attackers controlling the decryption and the signature verification processes of your JWTs?
- Does your application deal with JWTs in such a way that cryptanalysis is possible?
- What if there’s a bug in the JWT library that your app is currently using?
- Why would you pick this or that hash algorithm rather than any other?
- Do you understand how hashing algorithms work?
- What if your hash algorithm is deprecated?
- Can your hash secret be brute forced?
- What if it is compromised?
- Are you willing to learn about GPU attacks?
- Are you OK with all this evolving like a living creature?
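To make the jwt.io point and a few of the questions above concrete, here is an added example (not from the original post, and not any JWT library's code): it reads a token's header and payload without the key, then verifies HS256 with the algorithm fixed on the server side and a minimum key length. The function names, the sample key and the sample claims are constructed for illustration.

```python
import base64, hashlib, hmac, json

MIN_HS256_KEY_BYTES = 32  # RFC 7518 section 3.2: key at least as long as the hash output

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_unverified(token: str):
    """What jwt.io does: header and payload are only encoded, not encrypted."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def sign_hs256(payload: dict, key: bytes) -> str:
    if len(key) < MIN_HS256_KEY_BYTES:
        raise ValueError("HS256 key shorter than 32 bytes")
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs256(token: str, key: bytes) -> dict:
    """Verify with the algorithm fixed by the server, never chosen by the token."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg in header")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))

# Constructed sample key and claims, for illustration only.
SAMPLE_KEY = bytes(range(32))
SAMPLE_TOKEN = sign_hs256({"sub": "alice", "admin": False}, SAMPLE_KEY)
```

Calling `decode_unverified(SAMPLE_TOKEN)` returns the header and claims with no key at all, which is why nothing confidential belongs in a signed-only JWT payload.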