JWT Signing Algorithms: A Comprehensive Guide
Introduction
When working with JSON Web Tokens (JWT) in .NET, one of the most critical decisions is choosing the right signing algorithm. The SecurityAlgorithms class in Microsoft.IdentityModel.Tokens provides various cryptographic algorithms for signing and verifying JWTs. This article explores the available algorithms, their differences, security implications, and best practices for selecting the right one for your use case.
Available Algorithm Families
1. HMAC Algorithms (Symmetric Key)
HMAC (Hash-based Message Authentication Code) algorithms use a shared secret for both signing and verification.
Available Algorithms:
- HS256 (
SecurityAlgorithms.HmacSha256) - HMAC with SHA-256 - HS384 (
SecurityAlgorithms.HmacSha384) - HMAC with SHA-384 - HS512 (
SecurityAlgorithms.HmacSha512) - HMAC with SHA-512
Characteristics:
- Symmetric encryption: Same secret key for signing and verification
- Fast performance: Computationally efficient
- Simple implementation: Easy to set up and use
- Key distribution challenge: Both parties must securely share the secret
Example Usage:
2. RSA Algorithms (Asymmetric Key)
RSA algorithms use public-key cryptography with a private key for signing and a public key for verification.
Available Algorithms:
- RS256 (
SecurityAlgorithms.RsaSha256) - RSA with SHA-256 - RS384 (
SecurityAlgorithms.RsaSha384) - RSA with SHA-384 - RS512 (
SecurityAlgorithms.RsaSha512) - RSA with SHA-512
Characteristics:
- Asymmetric encryption: Private key signs, public key verifies
- Better key distribution: Public key can be freely shared
- Slower performance: More computationally intensive than HMAC
- Industry standard: Widely adopted in OAuth 2.0 and OpenID Connect
Example Usage:
3. RSA-PSS Algorithms (Probabilistic Signature Scheme)
RSA-PSS provides enhanced security over traditional RSA PKCS#1 v1.5 padding.
Available Algorithms:
- PS256 (
SecurityAlgorithms.RsaSsaPssSha256) - RSA-PSS with SHA-256 - PS384 (
SecurityAlgorithms.RsaSsaPssSha384) - RSA-PSS with SHA-384 - PS512 (
SecurityAlgorithms.RsaSsaPssSha512) - RSA-PSS with SHA-512
Characteristics:
- More secure padding: Probabilistic padding makes attacks harder
- Modern standard: Recommended by cryptographic experts
- Similar performance: Comparable to standard RSA
- Less compatibility: Not supported by all JWT libraries
Example Usage:
4. ECDSA Algorithms (Elliptic Curve)
ECDSA (Elliptic Curve Digital Signature Algorithm) provides strong security with smaller key sizes.
Available Algorithms:
- ES256 (
SecurityAlgorithms.EcdsaSha256) - ECDSA with P-256 curve and SHA-256 - ES384 (
SecurityAlgorithms.EcdsaSha384) - ECDSA with P-384 curve and SHA-384 - ES512 (
SecurityAlgorithms.EcdsaSha512) - ECDSA with P-521 curve and SHA-512
Characteristics:
- Smaller keys: 256-bit ECDSA ≈ 3072-bit RSA security
- Faster operations: Better performance than RSA
- Modern cryptography: Increasingly popular choice
- Battery-friendly: Ideal for mobile and IoT devices
Example Usage:
Algorithm Comparison Table
| AlgorithmTypeKey Size (bits)Security LevelPerformanceUse Case | |||||
| HS256 | HMAC | 256 | Good | Very Fast | Single application, microservices |
| HS384 | HMAC | 384 | Better | Very Fast | High-security internal systems |
| HS512 | HMAC | 512 | Best | Very Fast | Maximum security internal systems |
| RS256 | RSA | 2048+ | Good | Moderate | Multi-party, OAuth 2.0, OpenID Connect |
| RS384 | RSA | 2048+ | Better | Moderate | High-security multi-party |
| RS512 | RSA | 2048+ | Best | Slower | Maximum security multi-party |
| PS256 | RSA-PSS | 2048+ | Better | Moderate | Modern secure applications |
| PS384 | RSA-PSS | 2048+ | Better | Moderate | Modern high-security applications |
| PS512 | RSA-PSS | 2048+ | Best | Slower | Modern maximum security |
| ES256 | ECDSA | 256 | Good | Fast | Mobile apps, IoT, modern APIs |
| ES384 | ECDSA | 384 | Better | Fast | High-security mobile/IoT |
| ES512 | ECDSA | 521 | Best | Fast | Maximum security modern systems |
Which Algorithm Should You Choose?
Use HMAC (HS256/HS384/HS512) When:
✅ Your application signs and verifies tokens itself (monolithic architecture)
✅ You need maximum performance
✅ Tokens are used only internally
✅ You have secure key management in place
✅ Building microservices within a trusted boundary
❌ Avoid when:
- Third parties need to verify tokens
- Multiple independent services need verification
- Implementing OAuth 2.0 or OpenID Connect
Use RSA (RS256/RS384/RS512) When:
✅ Multiple independent parties verify tokens
✅ Implementing OAuth 2.0 / OpenID Connect
✅ Building public APIs with JWT authentication
✅ Need to distribute public keys for verification
✅ Industry standard compliance required
❌ Avoid when:
- Performance is critical
- Working in resource-constrained environments
- Only internal token usage
Use RSA-PSS (PS256/PS384/PS512) When:
✅ Need maximum RSA security
✅ Modern infrastructure with recent library versions
✅ Security requirements mandate probabilistic padding
✅ Building new systems without legacy constraints
❌ Avoid when:
- Need broad compatibility with older systems
- Integrating with legacy JWT consumers
Use ECDSA (ES256/ES384/ES512) When:
✅ Building mobile or IoT applications
✅ Performance and key size matter
✅ Need modern cryptography
✅ Battery consumption is a concern
✅ Future-proofing your security
❌ Avoid when:
- Legacy system compatibility required
- FIPS 140-2 compliance needed (check implementation)
Security Recommendations
Minimum Key Sizes
- HMAC: At least 256 bits (32 bytes)
- RSA: At least 2048 bits (3072 bits recommended)
- ECDSA: Use named curves (P-256, P-384, P-521)
Hash Algorithm Selection
| HashSecurity LevelRecommendation | ||
| SHA-256 | 128-bit | ✅ Recommended minimum |
| SHA-384 | 192-bit | ✅ High security applications |
| SHA-512 | 256-bit | ✅ Maximum security (overkill for most) |
Best Practices
- Default Recommendation: Use RS256 for most applications
- Industry standard
- Good security
- Wide compatibility
- Clear separation of signing and verification
- Modern Applications: Consider ES256
- Better performance than RSA
- Smaller key sizes
- Future-proof
- Mobile-friendly
- Internal Services: Use HS256 if appropriate
- Simpler key management
- Better performance
- Lower resource usage
- High Security: Use PS256 or ES384
- Enhanced security properties
- Suitable for sensitive data
- Modern cryptographic standards
- Never Use:
- ❌
Nonealgorithm (no signature) - ❌ Weak algorithms (if any legacy ones exist)
- ❌ Custom/untested algorithms
Common Pitfalls
1. Algorithm Confusion Attack
Always validate the algorithm in the JWT header matches your expected algorithm:
2. Weak Secret Keys (HMAC)
Don't use weak secrets:
3. Key Rotation
Implement key rotation strategy:
Real-World Scenarios
Scenario 1: OAuth 2.0 Authorization Server
Recommended: RS256 or ES256
Why: OAuth clients need to verify tokens using your public key.
Scenario 2: Microservices Authentication
Recommended: HS256 with shared secret
Why: All services trust each other and can share a secret securely.
Scenario 3: Mobile App Authentication
Recommended: ES256
Why: Better performance on mobile devices, smaller tokens.
Scenario 4: High-Security Financial System
Recommended: PS384 or ES384
Why: Enhanced security for sensitive financial data.
Migration Strategy
If you need to change algorithms:
- Add new algorithm support alongside the old
- Start signing with new algorithm
- Validate both algorithms during transition period
- Monitor old algorithm usage
- Remove old algorithm after all tokens expired
Conclusion
The choice of JWT signing algorithm depends on your specific requirements:
- Most Common Choice: RS256 - Industry standard for multi-party scenarios
- Best Performance: HS256 - For trusted internal systems
- Modern & Efficient: ES256 - For mobile, IoT, and new applications
- Maximum Security: PS384 or ES384 - For high-security requirements
Your current implementation using RS256 is an excellent choice for an OAuth 2.0 client credentials flow with asymmetric keys. It provides:
- ✅ Strong security
- ✅ Industry standard compliance
- ✅ Public key distribution for verification
- ✅ Wide compatibility