RS256 vs HS256 What s the difference

Question

I m using Auth0 to handle authentication in my web app  I m using ASP NET Core v1 0 0 and Angular 2 rc5 and I don t know much about authentication security in general  In the Auth0 docs for ASP NET Core Web Api  there are two choices for the JWT algorithm being RS256 and HS256  This may be a dumb question but  What s the difference between RS256 and HS256  What are some use cases  if applicable

User · Answer

In cryptography there are two types of algorithms used:

Symmetric algorithms

A single key is used to encrypt data. When encrypted with the key, the data can be decrypted using the same key. If, for example, Mary encrypts a message using the key "my-secret" and sends it to John, he will be able to decrypt the message correctly with the same key "my-secret".

Asymmetric algorithms

Two keys are used to encrypt and decrypt messages. While one key(public) is used to encrypt the message, the other key(private) can only be used to decrypt it. So, John can generate both public and private keys, then send only the public key to Mary to encrypt her message. The message can only be decrypted using the private key.

HS256 and RS256 Scenario

These algorithms are NOT used to encrypt/decryt data. Rather they are used to verify the origin or the authenticity of the data. When Mary needs to send an open message to Jhon and he needs to verify that the message is surely from Mary, HS256 or RS256 can be used.

HS256 can create a signature for a given sample of data using a single key. When the message is transmitted along with the signature, the receiving party can use the same key to verify that the signature matches the message.

RS256 uses pair of keys to do the same. A signature can only be generated using the private key. And the public key has to be used to verify the signature. In this scenario, even if Jack finds the public key, he cannot create a spoof message with a signature to impersonate Mary.

User · Answer

short answer  specific to OAuth2    HS256 user client secret to generate the token signature and same secret is required to validate the token in back-end  So you should have a copy of that secret in your back-end server to verify the signature  RS256 use public key encryption to sign the token Signature hash  will create using private key and it can verify using public key  So  no need of private key or client secret  to store in back-end server  but back-end server will fetch the public key from openid configuration url in your tenant  https    tenant   well-known openid-configuration  to verify the token  KID parameter inside the access toekn will use to detect the correct key public  from openid-configuration

User · Answer

There is a difference in performance  Simply put HS256 is about 1 order of magnitude faster than RS256 for verification but about 2 orders of magnitude faster than RS256 for issuing  signing    640 251  91 464 3 ops s   86 123  12 303 3 ops s  RS256 verify     7 046   1 006 5 ops s  RS256 sign   Don t get hung up on the actual numbers  just think of them with respect of each other   Program cs  class Program       static void Main string   args                foreach  var duration in new     1  3  5  7                          var t   TimeSpan FromSeconds duration                byte   publicKey  privateKey               using  var rsa   new RSACryptoServiceProvider                                  publicKey   rsa ExportCspBlob false                   privateKey   rsa ExportCspBlob true                              byte   key   new byte 64                using  var rng   new RNGCryptoServiceProvider                                  rng GetBytes key                              var s1   new Stopwatch                var n1   0               using  var hs256   new HMACSHA256 key                                 while  s1 Elapsed  lt  t                                        s1 Start                        var hash   hs256 ComputeHash privateKey                       s1 Stop                        n1                                                 byte   sign               using  var rsa   new RSACryptoServiceProvider                                  rsa ImportCspBlob privateKey                    sign   rsa SignData privateKey   quot SHA256 quot                               var s2   new Stopwatch                var n2   0               using  var rsa   new RSACryptoServiceProvider                                  rsa ImportCspBlob publicKey                    while  s2 Elapsed  lt  t                                        s2 Start                        var success   rsa VerifyData privateKey   quot SHA256 quot   sign                       s2 Stop                        n2                                                 var s3   new Stopwatch                var n3   0               using  var rsa   new RSACryptoServiceProvider                                  rsa ImportCspBlob privateKey                    while  s3 Elapsed  lt  t                                        s3 Start                        rsa SignData privateKey   quot SHA256 quot                        s3 Stop                        n3                                                 Console WriteLine   quot  s1 Elapsed TotalSeconds 0   n1 7 N0   n1   s1 Elapsed TotalSeconds 9 N1  ops s quot                Console WriteLine   quot  s2 Elapsed TotalSeconds 0   n2 7 N0   n2   s2 Elapsed TotalSeconds 9 N1  ops s quot                Console WriteLine   quot  s3 Elapsed TotalSeconds 0   n3 7 N0   n3   s3 Elapsed TotalSeconds 9 N1  ops s quot                 Console WriteLine   quot RS256 is   n1   s1 Elapsed TotalSeconds     n2   s2 Elapsed TotalSeconds  9 N1 x slower  verify  quot                Console WriteLine   quot RS256 is   n1   s1 Elapsed TotalSeconds     n3   s3 Elapsed TotalSeconds  9 N1 x slower  issue  quot                    RS256 is about 7 5x slower  but it can still do over 10K ops per sec

User · Answer

Both choices refer to what algorithm the identity provider uses to sign the JWT  Signing is a cryptographic operation that generates a  signature   part of the JWT  that the recipient of the token can validate to ensure that the token has not been tampered with    RS256  RSA Signature with SHA-256  is an asymmetric algorithm  and it uses a public private key pair  the identity provider has a private  secret  key used to generate the signature  and the consumer of the JWT gets a public key to validate the signature  Since the public key  as opposed to the private key  doesn t need to be kept secured  most identity providers make it easily available for consumers to obtain and use  usually through a metadata URL   HS256  HMAC with SHA-256   on the other hand  involves a combination of a hashing function and one  secret  key that is shared between the two parties used to generate the hash that will serve as the signature  Since the same key is used both to generate the signature and to validate it  care must be taken to ensure that the key is not compromised     If you will be developing the application consuming the JWTs  you can safely use HS256  because you will have control on who uses the secret keys   If  on the other hand  you don t have control over the client  or you have no way of securing a secret key  RS256 will be a better fit  since the consumer only needs to know the public  shared  key   Since the public key is usually made available from metadata endpoints  clients can be programmed to retrieve the public key automatically  If this is the case  as it is with the  Net Core libraries   you will have less work to do on configuration  the libraries will fetch the public key from the server   Symmetric keys  on the other hand  need to be exchanged out of band  ensuring a secure communication channel   and manually updated if there is a signing key rollover   Auth0 provides metadata endpoints for the OIDC  SAML and WS-Fed protocols  where the public keys can be retrieved  You can see those endpoints under the  Advanced Settings  of a client   The OIDC metadata endpoint  for example  takes the form of https    account domain   well-known openid-configuration  If you browse to that URL  you will see a JSON object with a reference to https    account domain   well-known jwks json  which contains the public key  or keys  of the account   If you look at the RS256 samples  you will see that you don t need to configure the public key anywhere  it s retrieved automatically by the framework

[jwt] RS256 vs HS256: What's the difference?

Examples related to jwt

Examples related to auth0

Examples related to asp.net-core-webapi