DEV Community

Discussion on: How I Fixed JWT Security Flaws in 3 Steps

Scott Arciszewski • Edited

You mostly got the idea right.

The design of PASETO was influenced by a simple observation about real-world cryptanalysis.

Let's say you were tasked with building a brick wall. Would you...

  1. Place each brick carefully and meaningfully and then use mortar to join them together once, OR
  2. Create a three-dimensional lattice so bricks can be hot-swapped to better fit the designer's goals and operational requirements?

Which design would you trust to hold up a roof?

Option 2 is what the JOSE standards (JWT, JWE, JWS) do. Option 1 is what PASETO does. PASETO doesn't merely hide the algorithms; it forces developers into one of two modes that have security turned up to 11, based on their specific requirements.

PASETO's design was inspired by the least controversial meta-observation in cryptography today: Cryptography vulnerabilities more often lie in the metaphorical mortar rather than the bricks.

Randal Degges gave a talk about PASETO recently. The slides are available here.

Renato Byrro

Looks good, thanks for clarifying. Will research more into it.
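An added illustration of the "bricks vs. mortar" point from Scott's comment above. This is example code written for this page; it is not from either commenter, from the linked talk, or from any PASETO implementation. It contrasts three verifiers: a JOSE-style one that dispatches on the `alg` named in the token's own header, a JOSE verifier that pins the algorithm (the kind of fix JWT libraries now offer), and a PASETO-style one whose `version.purpose` prefix is fixed by the verifier rather than by the token. Everything is stdlib Python; HMAC-SHA256 stands in for the real primitives (actual PASETO v2.local is XChaCha20-Poly1305 over a pre-authentication encoding, and v2.public is Ed25519), the `v2.local.` / `v2.public.` prefixes are PASETO's real header layout, and the key and claims are constructed demo values. The `"none"` algorithm is the Unsecured JWS registered in RFC 7518; its acceptance by the header-trusting verifier is the well-known consequence of letting the token choose its own algorithm.

```python
"""Token verifiers contrasted: algorithm chosen by the token (JOSE-style)
versus algorithm fixed by the verifier (PASETO-style). Example code, not
from the DEV thread or from any PASETO library."""
import base64
import hashlib
import hmac
import json

TAG_LEN = 32  # SHA-256 digest length used by the PASETO-style stand-in
KEY = b"constructed demo key - never hard-code a real key like this"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- JOSE-style: the algorithm is a field inside the token (the "lattice") ---
# Both "HS256" and "none" are registered JWS algorithms (RFC 7518).
# "none" is the Unsecured JWS: an empty signature.
JOSE_ALGS = {
    "HS256": lambda key, data: hmac.new(key, data, hashlib.sha256).digest(),
    "none": lambda key, data: b"",
}


def jws_sign(key: bytes, alg: str, claims: dict) -> str:
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = JOSE_ALGS[alg](key, f"{header}.{payload}".encode())
    return f"{header}.{payload}.{b64url_encode(sig)}"


def jws_verify_trusting_header(key: bytes, token: str):
    """Obeys whatever 'alg' the not-yet-authenticated header names.
    Returns the claims on success, None on failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        mac = JOSE_ALGS[header["alg"]]
    except (ValueError, KeyError, TypeError):
        return None
    expected = mac(key, f"{header_b64}.{payload_b64}".encode())
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def jws_verify_pinned(key: bytes, token: str, alg: str = "HS256"):
    """The JOSE repair: the caller pins the algorithm and the header's 'alg'
    is compared against it, never obeyed. This is the developer's job to get
    right on every call site, which is the 'mortar' PASETO removes."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except ValueError:
        return None
    if not isinstance(header, dict) or header.get("alg") != alg:
        return None
    expected = JOSE_ALGS[alg](key, f"{header_b64}.{payload_b64}".encode())
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


# --- PASETO-style: version and purpose are fixed by the verifier (the "wall") ---
# Stand-in cryptography (HMAC-SHA256); only the structure mirrors PASETO:
# the header is authenticated together with the payload, and the verifier,
# not the token, decides which version.purpose it will accept.
def paseto_like_seal(key: bytes, claims: dict, header: str = "v2.local.") -> str:
    payload = json.dumps(claims).encode()
    tag = hmac.new(key, header.encode() + payload, hashlib.sha256).digest()
    return header + b64url_encode(payload + tag)


def paseto_like_open(key: bytes, token: str, expected_header: str = "v2.local."):
    """Rejects any token whose version.purpose prefix is not the configured one
    before touching the payload; the prefix is also bound into the tag."""
    if not token.startswith(expected_header):
        return None
    body = b64url_decode(token[len(expected_header):])
    if len(body) < TAG_LEN:
        return None
    payload, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    expected = hmac.new(key, expected_header.encode() + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(payload)


def demo() -> dict:
    """Constructed scenario: an unsigned JWT forged without any key, and a
    PASETO-style token whose purpose prefix an attacker tries to swap."""
    forged_jwt = jws_sign(b"", "none", {"sub": "admin"})
    good_token = paseto_like_seal(KEY, {"sub": "alice"})
    swapped = "v2.public." + good_token[len("v2.local."):]
    return {
        "jose_header_trusted_accepts_unsigned": jws_verify_trusting_header(KEY, forged_jwt),
        "jose_pinned_rejects_unsigned": jws_verify_pinned(KEY, forged_jwt),
        "paseto_valid": paseto_like_open(KEY, good_token),
        "paseto_rejects_swapped_purpose": paseto_like_open(KEY, swapped),
        "paseto_rejects_wrong_key": paseto_like_open(b"other key", good_token),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The contrast is the whole point of the comment: with JOSE, safety depends on each verifier remembering to pin `alg` (and every library and call site doing so), whereas the PASETO-shaped verifier has no code path in which the token can influence which primitive runs, so the "mortar" between the pieces is gone rather than merely patched.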