
The Dangers of Using Symmetric Keys in JWTs: A Call for Responsible Coding

culture May 25, 2024

I recently read an eye-opening article from Truffle Security discussing the dangers of using JWTs (JSON Web Tokens) with symmetric keys. The article highlights a critical issue: developers often copy example code from documentation without fully understanding the risks, leading to guessable keys and severe security vulnerabilities. Using poorly chosen symmetric keys undermines authentication and authorization.

The article reveals that many JWTs in production use weak, guessable keys often copied from documentation, compromising security by allowing attackers to forge tokens.

In my opinion, this is happening because developers are merely following example code in documentation without understanding what is at stake. This indicates a clear lack of ownership and accountability. Engineers should think through what they are doing, the impact of it, and code responsibly. Using example keys in production is really concerning.

Engineering teams should have proper checklists and guidelines on security practices to avoid this kind of risk. Some years back, when I had to choose a library for client-side data decryption in a React Native mobile application, I rigorously researched each candidate library. I checked repository health, maintenance, and the authors' backgrounds to ensure they were qualified to write a production-grade cryptographic library. I even contacted some authors to confirm they were still maintaining the libraries and that they were credible. Critical packages should be written by qualified individuals. Since I'm not a cryptographic expert, I sought out expertise in those libraries' developers. Extensive testing and evaluation are crucial for such key decisions.

Rigorous code review practices can also help reduce incidents like using simple symmetric keys or default keys from internet code snippets in production. In short, we need to nurture responsible and accountable engineering teams to prevent such incidents.
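As an added example (not code from the original post or from the Truffle Security article), this is the kind of guard a checklist or code review could mandate: a startup check that refuses documentation-style HS256 secrets, alongside a minimal HS256 signer and verifier so the refusal can be exercised end to end. The denylist entries and the 3 bits/byte entropy threshold are constructed assumptions, not a standard.

```python
import base64, hashlib, hmac, json, math, secrets
from collections import Counter

# Constructed denylist of placeholder secrets seen in JWT tutorials and library docs.
KNOWN_EXAMPLE_SECRETS = {"secret", "your-256-bit-secret", "changeme", "password"}
MIN_SECRET_BYTES = 32  # 256 bits, the HMAC-SHA256 output size

def shannon_entropy_bits(data: bytes) -> float:
    n = len(data)  # per-byte entropy: 0 for one repeated byte, up to 8 bits
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def check_hs256_secret(secret: bytes) -> list:
    """Return the problems found; an empty list means the secret is acceptable."""
    problems = []
    if secret.decode("utf-8", "ignore").lower() in KNOWN_EXAMPLE_SECRETS:
        problems.append("matches a known documentation example secret")
    if len(secret) < MIN_SECRET_BYTES:
        problems.append(f"shorter than {MIN_SECRET_BYTES} bytes")
    # Coarse heuristic: words/repeats sit under 3 bits/byte, 32 random bytes near 5.
    if secret and shannon_entropy_bits(secret) < 3.0:
        problems.append("low byte entropy (word or repeated pattern)")
    return problems

def generate_secret() -> bytes:
    return secrets.token_bytes(MIN_SECRET_BYTES)  # what the copied example should be

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT, refusing to run at all if the secret fails the check."""
    problems = check_hs256_secret(secret)
    if problems:
        raise ValueError("weak JWT secret: " + "; ".join(problems))
    header = b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_hs256(token: str, secret: bytes):
    """Claims if the MAC checks out, else None. The MAC is always HMAC-SHA256 with
    our key, so the header's alg field is never consulted."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        return None
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
```

Wiring `check_hs256_secret` into service startup (or a CI secret-scanning step) turns the "copied from the docs" mistake into a failed deploy rather than a forgeable session.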

When we rush to meet deadlines and underestimate sprint goals by skipping standard practices and code reviews to move tasks from To Do to Done on the project board, we often don’t realize the risks we are taking. Engineering and management teams should recognize what is being compromised and ensure that standard practices are included in the task scope, allocating time for them during sprint planning. Overemphasizing phrases like “we’re building an MVP” or “we’re moving lean” can lead to significant risks. Always be mindful of the technical debt and security risks being incurred.

It's essential to be aware of the security implications of using JWTs with symmetric keys and to adopt best practices for secure development. Responsible engineering requires careful consideration of the tools and methods we use, thorough research, and adherence to security standards to protect our applications and users.


Muhammad Swalah

A passionate individual who dreams in code to revolutionize digital solutions. Entrepreneur | Java Enthusiast | Code Dreamer | KeralaJUG Lead