Paragon Initiative Enterprises

Software consulting and web development for businesses with attention to security above and beyond compliance.


Technology should support your ambitions, not hinder them!

Secure software development philosophy:

Build it right the first time, then make it fast!

About Paragon Initiative Enterprises - Orlando's Foremost Application Security Consultants

About Our Company

Paragon Initiative Enterprises is a team of technology consultants, website and app developers, and application security experts based in Orlando, FL.

Technology Consulting and Application Security Services by Paragon Initiative Enterprises in Orlando, FL

Professional Services Offered

Paragon Initiative Enterprises' expertise in web development and application security can help you fulfill your vision for your business's future while ensuring the safety and security of your online presence.

Community Software Projects by Paragon Initiative Enterprises in Orlando, FL

Community Projects

From solving challenging security problems to reducing the cognitive load of proven security strategies, we actively contribute towards the betterment of our community, both online and offline.


Latest Blog Post


How to Safely Store Your Users' Passwords in 2016

If you are unfamiliar with cryptography concepts or the vocabulary it uses, or especially if you are looking for guidance on "password encryption", please read this page first.

We've previously said that even security advice should carry an expiration date. So unlike most of our past blog posts, this page should be considered a living document: As requirements change and new attacks are discovered, we will update it accordingly.

Semantic point: Don't store the password, store a hash of the password. (Obligatory.)



The Latest From Our Security Team


Latest Security Advisory

CVE-2015-7503 - Zend\Crypt - RSA Padding Oracle (Plaintext Recovery)

The Zend\Crypt\RSA\PublicKey class in Zend Framework's cryptography library in affected versions of Zend Framework is vulnerable to padding oracle attacks, as first demonstrated by Daniel Bleichenbacher in 1998. The RSA padding oracle attack was further optimized by Steel, et al. in 2012. This vulnerability is specific to PKCS1v1.5 padding; RSA-OAEP is unaffected.

Back-of-the-envelope math: If you can perform 25 attempts per second using the Steel method, you can decrypt any message encrypted with 1024-bit RSA using a vulnerable version of Zend\Crypt in about 10 minutes (median).

Latest Code Audit Report

Luís Cobucci's JWT library Audit

We did not find any security vulnerabilities in the JWT library itself; however, we did find a previously undiscovered cryptographic vulnerability in one of its dependencies.



Serving the greater Orlando area, and beyond, with secure and dependable web-based solutions