5

I am using JWT for API authentication. I am just curious to know how expensive it is to decrypt the JWT each time a request arrives.

nobody
Harikrishnan

1 Answer

3

It depends on the algorithm(s) used.

(Note that JWT supports signing as well as encryption - signed JWTs are the more common use case; my answer is general.)

The symmetric key algorithms (AES, HMAC) are the least expensive (very fast). For public key algorithms, RSA-based algorithms are the most expensive, and elliptic curve algorithms (ECDH for key encryption, ECDSA for signing) are less computationally expensive but still more expensive than symmetric algorithms.

frasertweedale
  • I am using the RS256 algorithm. So is there any problem with the usual processing since it is expensive? I am using Node.js as the server, so is there any performance lag? – Harikrishnan Sep 28 '15 at 05:20
  • Well, that depends on how many requests per second versus your hardware and the software implementation of RS256. In general, the ECC and HMAC algorithms are faster (per my answer). – frasertweedale Sep 28 '15 at 07:17
  • Yes, and the choice between ECC (public key) or HMAC (shared secret) will largely depend on your use case (a topic for another question). – frasertweedale Sep 28 '15 at 08:08
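Added example, not part of the original answer or comments: a Node.js benchmark using only the built-in `crypto` module that times signing and verification separately for HS256, RS256 and ES256, since an API server verifies on every request but signs only at issuance. The keys and claims are constructed in-process, and the names `signJwt`, `verifyJwt` and `benchmark` are this example's own.

```javascript
const crypto = require('node:crypto');
// Constructed keys, generated in-process for this benchmark only.
const rsa = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const ec = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const secret = crypto.randomBytes(32);
const p1363 = (key) => ({ key, dsaEncoding: 'ieee-p1363' }); // raw r||s, as JWS requires
const b64u = (x) => Buffer.from(x).toString('base64url');
const hmac = (d) => crypto.createHmac('sha256', secret).update(d).digest();

const ALGS = {
  HS256: { sign: hmac, verify: (d, s) => s.length === 32 && crypto.timingSafeEqual(hmac(d), s) },
  RS256: {
    sign: (d) => crypto.sign('sha256', d, rsa.privateKey),
    verify: (d, s) => crypto.verify('sha256', d, rsa.publicKey, s),
  },
  ES256: {
    sign: (d) => crypto.sign('sha256', d, p1363(ec.privateKey)),
    verify: (d, s) => crypto.verify('sha256', d, p1363(ec.publicKey), s),
  },
};

function signJwt(alg, payload) {
  const input = `${b64u(JSON.stringify({ alg, typ: 'JWT' }))}.${b64u(JSON.stringify(payload))}`;
  return `${input}.${b64u(ALGS[alg].sign(Buffer.from(input)))}`;
}

// The caller pins expectedAlg; the token header never chooses the algorithm.
function verifyJwt(expectedAlg, token) {
  const [h, p, s, ...rest] = token.split('.');
  if (!s || rest.length) return false;
  try {
    if (JSON.parse(Buffer.from(h, 'base64url').toString()).alg !== expectedAlg) return false;
    return ALGS[expectedAlg].verify(Buffer.from(`${h}.${p}`), Buffer.from(s, 'base64url'));
  } catch { return false; }
}

// Mean microseconds per operation; signing and verification are timed separately.
function benchmark(alg, n = 200) {
  const time = (fn) => {
    const t0 = process.hrtime.bigint();
    for (let i = 0; i < n; i++) fn();
    return Number(process.hrtime.bigint() - t0) / 1000 / n;
  };
  const payload = { sub: 'user-123', exp: 4102444800 }; // constructed claims; exp is not checked here
  const token = signJwt(alg, payload);
  return { alg, signUs: time(() => signJwt(alg, payload)), verifyUs: time(() => verifyJwt(alg, token)) };
}

console.table(Object.keys(ALGS).map((a) => benchmark(a)));
```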