Tags: authentication, encryption, jwt, authorization

JWT, is it safe to use the same key pair to sign from server-side and encrypt from client-side?


My private key is server-side and the public one is client-side. I use them to sign JWTs from my server and send them to my clients for authorisation. I now also have to encrypt the user password client-side during authentication using JWE and verify it server-side.

These two use cases have the same requirements: the private key is server-side, the public key is client-side, and the encryption algorithms can be the same. This is why I am thinking of using the same key pair, but I am afraid of missing something about security and I would like confirmation: is it safe?


Solution

  • As best practice, you should not re-use the same key pair for different purposes. Just have two distinct key pairs, one for digital signatures, the other for public key encryption.