implementing-jwt-signing-and-verification
$
npx mdskill add mukul975/Anthropic-Cybersecurity-Skills/implementing-jwt-signing-and-verificationGenerate secure JWT tokens using HMAC-SHA256, RSA-PSS, or EdDSA.
- Creates signed tokens for authentication and authorization tasks.
- Depends on Python 3.8+ and cryptography libraries.
- Validates claims and detects algorithm confusion attacks.
- Outputs token strings and verification status directly.
SKILL.md
.github/skills/implementing-jwt-signing-and-verificationView on GitHub ↗
--- name: implementing-jwt-signing-and-verification description: JSON Web Tokens (JWT) defined in RFC 7519 are compact, URL-safe tokens used for authentication and authorization in web applications. This skill covers implementing secure JWT signing with HMAC-SHA256 domain: cybersecurity subdomain: cryptography tags: [cryptography, jwt, authentication, token-security, digital-signatures] version: "1.0" author: mahipal license: Apache-2.0 --- # Implementing JWT Signing and Verification ## Overview JSON Web Tokens (JWT) defined in RFC 7519 are compact, URL-safe tokens used for authentication and authorization in web applications. This skill covers implementing secure JWT signing with HMAC-SHA256, RSA-PSS, and EdDSA algorithms, along with verification, token expiration, claims validation, and defense against common JWT attacks (algorithm confusion, none algorithm, key injection). ## When to Use - When deploying or configuring implementing jwt signing and verification capabilities in your environment - When establishing security controls aligned to compliance requirements - When building or improving security architecture for this domain - When conducting security assessments that require this implementation ## Prerequisites - Familiarity with cryptography concepts and tools - Access to a test or lab environment for safe execution - Python 3.8+ with required dependencies installed - Appropriate authorization for any testing activities ## Objectives - Implement JWT signing with HS256, RS256, ES256, and EdDSA - Verify JWT signatures and validate standard claims - Implement token expiration, not-before, and audience validation - Defend against algorithm confusion and none algorithm attacks - Implement JWT key rotation with JWK Sets - Build a complete authentication middleware ## Key Concepts ### JWT Algorithms | Algorithm | Type | Key | Security Level | |-----------|------|-----|---------------| | HS256 | Symmetric (HMAC) | Shared secret | 128-bit | | RS256 | Asymmetric (RSA) | RSA key pair | 112-bit | | ES256 | Asymmetric (ECDSA) | P-256 key pair | 128-bit | | EdDSA | Asymmetric (Ed25519) | Ed25519 pair | 128-bit | ### Common JWT Attacks - **Algorithm confusion**: Switching from RS256 to HS256, using public key as HMAC secret - **None algorithm**: Setting alg=none to bypass signature verification - **Key injection**: Embedding key in JWK header - **Weak secrets**: Brute-forcing short HMAC secrets - **Token replay**: Reusing valid tokens without expiration ## Security Considerations - Always validate the algorithm header against an allowlist - Never accept alg=none in production - Use asymmetric algorithms (RS256, ES256) for distributed systems - Set short expiration times (15 min for access tokens) - Implement token refresh mechanism - Store secrets securely (not in source code) ## Validation Criteria - [ ] JWT signing produces valid tokens for all algorithms - [ ] Signature verification rejects tampered tokens - [ ] Expired tokens are rejected - [ ] Algorithm confusion attack is prevented - [ ] None algorithm is rejected - [ ] JWK key rotation works correctly - [ ] Claims validation enforces all required claims