Resolved – IDX10603: The algorithm HS256 requires the SecurityKey.KeySize

Error IDX10603: The algorithm: ‘HS256’ requires the SecurityKey.KeySize to be greater

Today in this article, we will see how to fix error IDX10603: The algorithm: ‘HS256’ requires the SecurityKey.KeySize to be greater than ‘128’ bits. KeySize reported: ’32’. Parameter name: key.KeySize

Issue Description

The JWT Security handler produces an error while Validating the JWT Token from .NET/C# code.

IDX10603: The algorithm: 'HS256' requires the SecurityKey.KeySize to be  greater than '128' bits. KeySize reported: '32'. Parameter name:  key.KeySize

Or you might also get the below error,

Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException:   IDX10503: Signature validation failed. Keys tried:   'Microsoft.IdentityModel.Tokens.SymmetricSecurityKey,

The secret key used was below,

"JwtToken": {
    "SecretKey": "xecretKeywqe",
    "Issuer": "https://localhost:44378",
  }

The code used was as below,

IDX10603 The algorithm HS256 requires the SecurityKeyKeySize

Resolution – IDX10603

After a few analyses, This issue I found to be due to limitations of the SecretKey length used in the SymmetricSecurityKey before signing and generating the signed credentials.

As per RFC2104 , Its recommended to use a minimum 128-bit key, generated with cryptographically algorithms.

Increasing the key size above or equal >= 16 characters in ASCII text format gave me 128 bit above keys size thereby fixing the issue.

Please see the example here: JWT Authentication in ASP.NET Core

After updating the key size to greater than 16 characters and above i.e. 16 bytes or more as below finally resolved the issue.

References :

Did I miss anything else in these resolution steps?

Did the above steps resolve your issue? Please sound off your comments below!

Happy Coding !!

Please bookmark this page and share it with your friends. Please Subscribe to the blog to receive notifications on freshly published(2024) best practices and guidelines for software design and development.

4 thoughts on “Resolved – IDX10603: The algorithm HS256 requires the SecurityKey.KeySize”

The key’s verification size is 48

admin says:
December 8, 2023 at 2:09 am

Hey John, Thanks for your inputs. As per RFC recommendation Key size anything above 128 bits (above 16 char) is recommended.
Reply

Hi, Please add the usage of the authenticated user in some service

admin says:
April 1, 2020 at 11:45 am

Hello Yashar, Thanks for the query. If understanding your question correctly, please see here Example JWT Authentication in ASP.NET Core 2.2 service. Also if interested to know for ASP.NET Core 3.1 please see here example
Hope this helps. Thanks
Reply

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

TheCodeBuzz