Internet-Draft ECDH-MAC for JOSE January 2024
Bastian Expires 19 July 2024 [Page]
Workgroup:
Javascript Object Signing and Encryption
Internet-Draft:
draft-bastian-jose-alg-ecdh-mac-00
Published:
Intended Status:
Informational
Expires:
Author:
P. Bastian
Bundesdruckerei GmbH

JOSE algorithms for ECDH-MAC-based signatures

Abstract

This specification defines a JSON Web Algorithm for JOSE, that uses a combination of key agreement and MAC to construct a signature-like mechanism.

About This Document

This note is to be removed before publishing as an RFC.

The latest revision of this draft can be found at https://paulbastian.github.io/paulbastian-jose-ecdh-mac-algorithms/draft-bastian-jose-alg-ecdh-mac.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-bastian-jose-alg-ecdh-mac/.

Discussion of this document takes place on the Javascript Object Signing and Encryption Working Group mailing list (mailto:jose@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/jose/. Subscribe at https://www.ietf.org/mailman/listinfo/jose/.

Source for this draft and an issue tracker can be found at https://github.com/paulbastian/paulbastian-jose-ecdh-mac-algorithms.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 19 July 2024.

Table of Contents

1. Introduction

JWS defines cryptographic algorithms to digitally sign or create Message Authentication Codes (MAC) of the contents of the JWS Protected Header and the JWS Payload in Section-3 [RFC7518]. JWS also offers ephemeral-static Elliptic Curve Diffie-Hellman key exchange in combination with a key derivation function ("ECDH-ES" and its variations) as a mechanism for key management in Section-4.6 [RFC7518], however these are only used for symmetric encryption.

This specification describes a combination of an ECDH key exchange with a MAC, that enables a feature set that is similar to digital signatures with repudiation.

This specification and all described algorithms should respect the efforts for Fully Specified Algorithms (https://www.ietf.org/archive/id/draft-jones-jose-fully-specified-algorithms-00.html).

This algorithm is intended for use with digital credentials ecosystems, including the Issuer-Holder-Verifier model described by W3C VCDM or IETF SD-JWT-VC.

2. Conventions and Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

3. Terminology

Generating Party:

The Party that performs the key agreement first and generates the MAC. Similar to a Signer.

Verifying Party:

The Party that performs the key agreement second, generates the MAC and compares it to a given value. Similar to a Verifier.

4. Parameters

For the generation of an ECDH-based MAC the following parameters must be chosen:

  1. the domain parameters for the ECDH "curve"

  2. the key derivation algorithm "kd"

  3. the MAC algorithm "mac"

In general, these parameters are chosen by the Generating Party. These parameters need to be communicated to the Verifying Party before the generation of an ECDH-based MAC.

5. Cryptographic Algorithm

The generation of the ECDH-based MAC takes the private key of the Generating Party and the public key of the Verifying Party as inputs. The retrieval and communication of the Verifying Party's public key is out of scope of this specification and subject to the implementing protocols.

The generation of ECDH-based MAC follows these steps:

  1. Perform ECDH as defined as defined by "curve" - use the specified elliptic curve to generate a key pair and set the epk - use the Verifier's public key defined by kid to perform the key agreement - optionally provide a certificate chain defined by x5c

  2. Derive symmetric key as defined by "kd" - use the output from the key agreement as an input for the key derivation algorithm - derive the MAC key

  3. Generate a MAC as defined by "mac" - use the output from the key derivation algorithm as an input for the MAC algorithm - generate the MAC

The verification of ECDH-based MAC follows these steps:

  1. Perform ECDH as defined as defined by "curve" - use the specified elliptic curve to generate an ephemeral key pair and set the kid - provide the public key kid to the Generating Party - use the Generating Party's public key defined by epk and perform the key agreement - optionally validate the certificate chain defined by x5c

  2. Derive symmetric key as defined by "kd" - use the output from the key agreement as an input for the key derivation algorithm - derive the MAC key

  3. Generate a MAC as defined by "mac" - use the output from the key derivation algorithm as an input for the MAC algorithm - generate the MAC - compare the generated MAC with the signature value

5.1. Header parameter "alg"

The following values MUST be used for the "alg" header parameter: +------------------+--------------------------------+-----------------+ | Algorithm Name | Algorithm Explanation | Implementation | | | | Requirements | +------------------+--------------------------------+-----------------+ | ECDH-P256-HS256 | ECDH using NIST P-256 and | Optional | | | HMAC using SHA-256 | | | ECDH-BP256-HS256 | ECDH using BrainpoolP256r1 and | Optional | | | HMAC using SHA-256 | | +------------------+--------------------------------+-----------------+ Other algorithms SHOULD follow the naming ECDH-<elliptic curve domain parameters>-<KD algorithm>-<MAC algorithm>.

5.2. Header parameter "epk"

The "epk" (ephemeral public key) value is created by the Generating Party for the use in the key agreement algorithm. This header parameter MUST be present and MUST contain the Generating Party's public key represented as a JSON Web Key according to [RFC7517]. It MUST contain only public key parameters and SHOULD contain only the minimum JWK parameters necessary to represent the key. Other JWK parameters included may be checked for consistency or may be ignored.

5.3. Header parameter "x5c"

The "x5c" (X.509 certificate chain) value is created by the Generating Party for the trust management of the "epk". This header parameter is OPTIONAL and if present MUST contain the X.509 certificate chain with the JWK from "epk" being the public key of the leaf certificate. Alternatively, the Generating Party may use "x5t", x5t#S256" or "x5u".

5.4. Header parameter "kid"

The "kid" (key identifier) value is created by the Generating Party for the use in the key agreement algorithm. This header parameter MUST be present and MUST contain the Verifying Party's public key ID user by the Generating Party for the ECDH.

5.5. Example JWT

The JWT/JWS header: { "typ" : "JWT", "alg" : "ECDH-P256-HS256", "x5c" : <issuer certificate chain that signs the epk>, "epk" : <JWK used for ECDH>, "kid" : <key ID of Verifying Party> }

The JWT/JWS payload: { "iss" : "https://example.as.com", "iat" : "1701870613", "given_name" : "Erika", "family_name" : "Mustermann" }

The JWT/JWS signature: base64-encoded MAC

6. Security Considerations

TODO Security

7. IANA Considerations

This document has no IANA actions.

8. Normative References

[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC7517]
Jones, M., "JSON Web Key (JWK)", RFC 7517, DOI 10.17487/RFC7517, , <https://www.rfc-editor.org/rfc/rfc7517>.
[RFC7518]
Jones, M., "JSON Web Algorithms (JWA)", RFC 7518, DOI 10.17487/RFC7518, , <https://www.rfc-editor.org/rfc/rfc7518>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.

Acknowledgments

TODO acknowledge.

Author's Address

Paul Bastian
Bundesdruckerei GmbH