Error IDX10603: The algorithm: ‘HS256’ requires the SecurityKey.KeySize to be greater

Today in this article, we will see how to fix error IDX10603: The algorithm: ‘HS256’ requires the SecurityKey.KeySize to be greater than ‘128’ bits. KeySize reported: ’32’. Parameter name: key.KeySize

Issue Description

The JWT Security handler produces an error while Validating the JWT Token from .NET/C# code.

IDX10603: The algorithm: 'HS256' requires the SecurityKey.KeySize to be  greater than '128' bits. KeySize reported: '32'. Parameter name:  key.KeySize 

Or you might also get the below error,

Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException:   IDX10503: Signature validation failed. Keys tried:   'Microsoft.IdentityModel.Tokens.SymmetricSecurityKey,  

The secret key used was below,

"JwtToken": {
    "SecretKey": "xecretKeywqe",
    "Issuer": "https://localhost:44378",
  }

The code used was as below,

IDX10603 The algorithm HS256 requires the SecurityKeyKeySize

Resolution – IDX10603

After a few analyses, This issue I found to be due to limitations of the SecretKey length used in the SymmetricSecurityKey before signing and generating the signed credentials.

As per RFC2104 , Its recommended to use a minimum 128-bit key, generated with cryptographically algorithms.

Increasing the key size above or equal >= 16 characters in ASCII text format gave me 128 bit above keys size thereby fixing the issue.

Please see the example here: JWT Authentication in ASP.NET Core

After updating the key size to greater than 16 characters and above i.e. 16 bytes or more as below finally resolved the issue.

IDX10603 The algorithm HS256 requires the SecurityKeyKeySize

References :

Did I miss anything else in these resolution steps?

Did the above steps resolve your issue? Please sound off your comments below!

Happy Coding !!



Please bookmark this page and share it with your friends. Please Subscribe to the blog to receive notifications on freshly published(2024) best practices and guidelines for software design and development.



4 thoughts on “Resolved – IDX10603: The algorithm HS256 requires the SecurityKey.KeySize

    1. Hey John, Thanks for your inputs. As per RFC recommendation Key size anything above 128 bits (above 16 char) is recommended.

Leave a Reply

Your email address will not be published. Required fields are marked *