< draft-ietf-jose-json-web-encryption-00.txt   draft-ietf-jose-json-web-encryption-01.txt >
JOSE Working Group M. Jones JOSE Working Group M. Jones
Internet-Draft Microsoft Internet-Draft Microsoft
Intended status: Standards Track E. Rescorla Intended status: Standards Track E. Rescorla
Expires: July 19, 2012 RTFM, Inc. Expires: September 13, 2012 RTFM, Inc.
J. Hildebrand J. Hildebrand
Cisco Systems, Inc. Cisco Systems, Inc.
January 16, 2012 March 12, 2012
JSON Web Encryption (JWE) JSON Web Encryption (JWE)
draft-ietf-jose-json-web-encryption-00 draft-ietf-jose-json-web-encryption-01
Abstract Abstract
JSON Web Encryption (JWE) is a means of representing encrypted JSON Web Encryption (JWE) is a means of representing encrypted
content using JSON data structures. Cryptographic algorithms and content using JSON data structures. Cryptographic algorithms and
identifiers used with this specification are enumerated in the identifiers used with this specification are enumerated in the
separate JSON Web Algorithms (JWA) specification. Related digital separate JSON Web Algorithms (JWA) specification. Related digital
signature and HMAC capabilities are described in the separate JSON signature and HMAC capabilities are described in the separate JSON
Web Signature (JWS) specification. Web Signature (JWS) specification.
skipping to change at page 1, line 44 skipping to change at page 1, line 44
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 19, 2012. This Internet-Draft will expire on September 13, 2012.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 20 skipping to change at page 2, line 20
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. JSON Web Encryption (JWE) Overview . . . . . . . . . . . . . . 4 3. JSON Web Encryption (JWE) Overview . . . . . . . . . . . . . . 4
3.1. Example JWE . . . . . . . . . . . . . . . . . . . . . . . 4 3.1. Example JWE with an Integrated Integrity Check . . . . . . 5
4. JWE Header . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.2. Example JWE with a Separate Integrity Check . . . . . . . 6
4.1. Reserved Header Parameter Names . . . . . . . . . . . . . 5 4. JWE Header . . . . . . . . . . . . . . . . . . . . . . . . . . 7
4.2. Public Header Parameter Names . . . . . . . . . . . . . . 10 4.1. Reserved Header Parameter Names . . . . . . . . . . . . . 7
4.3. Private Header Parameter Names . . . . . . . . . . . . . . 10 4.2. Public Header Parameter Names . . . . . . . . . . . . . . 14
5. Message Encryption . . . . . . . . . . . . . . . . . . . . . . 10 4.3. Private Header Parameter Names . . . . . . . . . . . . . . 14
6. Message Decryption . . . . . . . . . . . . . . . . . . . . . . 11 5. Message Encryption . . . . . . . . . . . . . . . . . . . . . . 14
7. CEK Encryption . . . . . . . . . . . . . . . . . . . . . . . . 12 6. Message Decryption . . . . . . . . . . . . . . . . . . . . . . 16
7.1. Asymmetric Encryption . . . . . . . . . . . . . . . . . . 12 7. Key Derivation . . . . . . . . . . . . . . . . . . . . . . . . 17
7.2. Symmetric Encryption . . . . . . . . . . . . . . . . . . . 12 8. CMK Encryption . . . . . . . . . . . . . . . . . . . . . . . . 17
8. Composition . . . . . . . . . . . . . . . . . . . . . . . . . 12 8.1. Asymmetric Encryption . . . . . . . . . . . . . . . . . . 17
9. Encrypting JWEs with Cryptographic Algorithms . . . . . . . . 12 8.2. Symmetric Encryption . . . . . . . . . . . . . . . . . . . 18
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 9. Integrity Value Calculation . . . . . . . . . . . . . . . . . 18
11. Security Considerations . . . . . . . . . . . . . . . . . . . 13 10. Encrypting JWEs with Cryptographic Algorithms . . . . . . . . 18
11.1. Unicode Comparison Security Issues . . . . . . . . . . . . 14 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19
12. Open Issues and Things To Be Done (TBD) . . . . . . . . . . . 14 12. Security Considerations . . . . . . . . . . . . . . . . . . . 19
13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 15 12.1. Unicode Comparison Security Issues . . . . . . . . . . . . 19
13.1. Normative References . . . . . . . . . . . . . . . . . . . 15 13. Open Issues and Things To Be Done (TBD) . . . . . . . . . . . 20
13.2. Informative References . . . . . . . . . . . . . . . . . . 17 14. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Appendix A. JWE Examples . . . . . . . . . . . . . . . . . . . . 17 14.1. Normative References . . . . . . . . . . . . . . . . . . . 21
A.1. JWE Example using TBD Algorithm . . . . . . . . . . . . . 17 14.2. Informative References . . . . . . . . . . . . . . . . . . 22
A.1.1. Encrypting . . . . . . . . . . . . . . . . . . . . . . 17 Appendix A. JWE Examples . . . . . . . . . . . . . . . . . . . . 23
A.1.2. Decrypting . . . . . . . . . . . . . . . . . . . . . . 17 A.1. JWE Example using TBD Algorithm . . . . . . . . . . . . . 23
Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 17 A.1.1. Encrypting . . . . . . . . . . . . . . . . . . . . . . 23
Appendix C. Document History . . . . . . . . . . . . . . . . . . 18 A.1.2. Decrypting . . . . . . . . . . . . . . . . . . . . . . 23
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 18 Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 23
Appendix C. Document History . . . . . . . . . . . . . . . . . . 23
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 24
1. Introduction 1. Introduction
JSON Web Encryption (JWE) is a compact encryption format intended for JSON Web Encryption (JWE) is a compact encryption format intended for
space constrained environments such as HTTP Authorization headers and space constrained environments such as HTTP Authorization headers and
URI query parameters. It provides a wrapper for encrypted content URI query parameters. It provides a wrapper for encrypted content
using JSON RFC 4627 [RFC4627] data structures. The JWE encryption using JSON RFC 4627 [RFC4627] data structures. The JWE encryption
mechanisms are independent of the type of content being encrypted. mechanisms are independent of the type of content being encrypted.
Cryptographic algorithms and identifiers used with this specification Cryptographic algorithms and identifiers used with this specification
are enumerated in the separate JSON Web Algorithms (JWA) [JWA] are enumerated in the separate JSON Web Algorithms (JWA) [JWA]
specification. Related digital signature and HMAC capabilities are specification. Related digital signature and HMAC capabilities are
described in the separate JSON Web Signature (JWS) [JWS] described in the separate JSON Web Signature (JWS) [JWS]
specification. specification.
2. Terminology 2. Terminology
JSON Web Encryption (JWE) A data structure representing an encrypted JSON Web Encryption (JWE) A data structure representing an encrypted
version of a Plaintext. The structure consists of three parts: version of a Plaintext. The structure consists of four parts: the
the JWE Header, the JWE Encrypted Key, and the JWE Ciphertext. JWE Header, the JWE Encrypted Key, the JWE Ciphertext, and the JWE
Integrity Value.
Plaintext The bytes to be encrypted - a.k.a., the message. Plaintext The bytes to be encrypted - a.k.a., the message.
Ciphertext The encrypted version of the Plaintext. Ciphertext The encrypted version of the Plaintext.
Content Encryption Key (CEK) A symmetric key generated to encrypt Content Encryption Key (CEK) A symmetric key used to encrypt the
the Plaintext for the recipient to produce the Ciphertext, which Plaintext for the recipient to produce the Ciphertext.
is encrypted to the recipient as the JWE Encrypted Key.
Content Integrity Key (CIK) A key used with an HMAC function to
ensure the integrity of the Ciphertext and the parameters used to
create it.
Content Master Key (CMK) A randomly generated key from which the CEK
and CIK are derived, which is encrypted to the recipient as the
JWE Encrypted Key.
JWE Header A string representing a JSON object that describes the JWE Header A string representing a JSON object that describes the
encryption operations applied to create the JWE Encrypted Key and encryption operations applied to create the JWE Encrypted Key and
the JWE Ciphertext. the JWE Ciphertext.
JWE Encrypted Key The Content Encryption Key (CEK) is encrypted with JWE Encrypted Key The Content Encryption Key (CEK) is encrypted with
the intended recipient's key and the resulting encrypted content the intended recipient's key and the resulting encrypted content
is recorded as a byte array, which is referred to as the JWE is recorded as a byte array, which is referred to as the JWE
Encrypted Key. Encrypted Key.
JWE Ciphertext A byte array containing the Ciphertext. JWE Ciphertext A byte array containing the Ciphertext.
JWE Integrity Value A byte array containing a HMAC value that
ensures the integrity of the Ciphertext and the parameters used to
create it.
Encoded JWE Header Base64url encoding of the bytes of the UTF-8 RFC Encoded JWE Header Base64url encoding of the bytes of the UTF-8 RFC
3629 [RFC3629] representation of the JWE Header. 3629 [RFC3629] representation of the JWE Header.
Encoded JWE Encrypted Key Base64url encoding of the JWE Encrypted Encoded JWE Encrypted Key Base64url encoding of the JWE Encrypted
Key. Key.
Encoded JWE Ciphertext Base64url encoding of the JWE Ciphertext. Encoded JWE Ciphertext Base64url encoding of the JWE Ciphertext.
Encoded JWE Integrity Value Base64url encoding of the JWE Integrity
Value.
Header Parameter Names The names of the members within the JWE Header Parameter Names The names of the members within the JWE
Header. Header.
Header Parameter Values The values of the members within the JWE Header Parameter Values The values of the members within the JWE
Header. Header.
JWE Compact Serialization A representation of the JWE as the
concatenation of the Encoded JWE Header, the Encoded JWE Encrypted
Key, the Encoded JWE Ciphertext, and the Encoded JWE Integrity
Value in that order, with the four strings being separated by
period ('.') characters.
AEAD Algorithm An Authenticated Encryption with Associated Data
(AEAD) [RFC5116] encryption algorithm is one that provides an
integrated content integrity check. AES Galois/Counter Mode (GCM)
is one such algorithm.
Base64url Encoding For the purposes of this specification, this term Base64url Encoding For the purposes of this specification, this term
always refers to the URL- and filename-safe Base64 encoding always refers to the URL- and filename-safe Base64 encoding
described in RFC 4648 [RFC4648], Section 5, with the (non URL- described in RFC 4648 [RFC4648], Section 5, with the (non URL-
safe) '=' padding characters omitted, as permitted by Section 3.2. safe) '=' padding characters omitted, as permitted by Section 3.2.
(See Appendix B of [JWS] for notes on implementing base64url (See Appendix B of [JWS] for notes on implementing base64url
encoding without padding.) encoding without padding.)
3. JSON Web Encryption (JWE) Overview 3. JSON Web Encryption (JWE) Overview
JWE represents encrypted content using JSON data structures and JWE represents encrypted content using JSON data structures and
base64url encoding. The representation consists of three parts: the base64url encoding. The representation consists of four parts: the
JWE Header, the JWE Encrypted Key, and the JWE Ciphertext. The three JWE Header, the JWE Encrypted Key, the JWE Ciphertext, and the JWE
parts are base64url-encoded for transmission, and typically Integrity Value. In the Compact Serialization, the four parts are
represented as the concatenation of the encoded strings in that base64url-encoded for transmission, and represented as the
order, with the three strings being separated by period ('.') concatenation of the encoded strings in that order, with the four
characters. strings being separated by period ('.') characters. (A JSON
Serialization for this information is defined in the separate JSON
Web Encryption JSON Serialization (JWE-JS) [JWE-JS] specification.)
JWE utilizes encryption to ensure the confidentiality of the contents JWE utilizes encryption to ensure the confidentiality of the contents
of the Plaintext. JWE does not add a content integrity check if not of the Plaintext. JWE adds a content integrity check if not provided
provided by the underlying encryption algorithm. If such a check is by the underlying encryption algorithm.
needed, an algorithm providing it such as AES-GCM [NIST-800-38D] can
be used, or alternatively, it can be provided through composition by
encrypting a representation of the digitally signed or HMACed
content.
3.1. Example JWE 3.1. Example JWE with an Integrated Integrity Check
The following example JWE Header declares that: The following example JWE Header declares that:
o the Content Encryption Key is encrypted to the recipient using the o the Content Master Key is encrypted to the recipient using the
RSA-PKCS1_1.5 algorithm to produce the JWE Encrypted Key, RSA-PKCS1_1.5 algorithm to produce the JWE Encrypted Key,
o the Plaintext is encrypted using the AES-256-GCM algorithm to o the Plaintext is encrypted using the AES-256-GCM algorithm to
produce the JWE Ciphertext, produce the JWE Ciphertext,
o the specified 64-bit Initialization Vector with the base64url o the specified 64-bit Initialization Vector with the base64url
encoding "__79_Pv6-fg" was used, and encoding "__79_Pv6-fg" was used, and
o the thumbprint of the X.509 certificate that corresponds to the o a JSON Web Key (JWK) representation of the public key used to
key used to encrypt the JWE has the base64url encoding encrypt the JWE is located at
"7noOPq-hJ1_hCnvWh6IeYI2w9Q0". "https://example.com/public_key.jwk".
{"alg":"RSA1_5", {"alg":"RSA1_5",
"enc":"A256GCM", "enc":"A256GCM",
"iv":"__79_Pv6-fg", "iv":"__79_Pv6-fg",
"x5t":"7noOPq-hJ1_hCnvWh6IeYI2w9Q0"} "jku":"https://example.com/public_key.jwk"}
Base64url encoding the bytes of the UTF-8 representation of the JWE Base64url encoding the bytes of the UTF-8 representation of the JWE
Header yields this Encoded JWE Header value (with line breaks for Header yields this Encoded JWE Header value (with line breaks for
display purposes only): display purposes only):
eyJhbGciOiJSU0ExXzUiLA0KICJlbmMiOiJBMjU2R0NNIiwNCiAiaXYiOiJfXzc5 eyJhbGciOiJSU0ExXzUiLA0KICJlbmMiOiJBMjU2R0NNIiwNCiAiaXYiOiJfXzc5
X1B2Ni1mZyIsDQogIng1dCI6Ijdub09QcS1oSjFfaENudldoNkllWUkydzlRMCJ9 X1B2Ni1mZyIsDQogImprdSI6Imh0dHBzOi8vZXhhbXBsZS5jb20vcHVibGljX2tl
eS5qd2sifQ
TBD: Finish this example by showing generation of a Content TBD: Finish this example by showing generation of a Content Master
Encryption Key (CEK), using the CEK to encrypt the Plaintext to Key (CMK), saying that the CMK is used as the CEK and there is no
produce the Ciphertext (and base64url encoding it), and using the separate integrity check since AES GCM is an AEAD algorithm, using
recipient's key to encrypt the CEK to produce the JWE Encrypted Key the CEK to encrypt the Plaintext to produce the Ciphertext, using the
(and base64url encoding it). recipient's key to encrypt the CMK to produce the JWE Encrypted Key,
base64url encoding these values, and assembling the result.
Concatenating these parts in the order
Header.EncryptedKey.Ciphertext.IntegrityValue with period characters
between the parts yields this complete JWE representation (with line
breaks for display purposes only):
eyJhbGciOiJSU0ExXzUiLA0KICJlbmMiOiJBMjU2R0NNIiwNCiAiaXYiOiJfXzc5
X1B2Ni1mZyIsDQogImprdSI6Imh0dHBzOi8vZXhhbXBsZS5jb20vcHVibGljX2tl
eS5qd2sifQ
.
TBD_encrypted_key_value_TBD
.
TBD_ciphertext_value_TBD
.
3.2. Example JWE with a Separate Integrity Check
The following example JWE Header declares that:
o the Content Master Key is encrypted to the recipient using the
RSA-PKCS1_1.5 algorithm to produce the JWE Encrypted Key,
o the Plaintext is encrypted using the AES-256-CBC algorithm to
produce the JWE Ciphertext,
o the JWE Integrity Value safeguarding the integrity of the
Ciphertext and the parameters used to create it was computed with
the HMAC SHA-256 algorithm,
o the specified 64-bit Initialization Vector with the base64url
encoding "Mz-mW_4JHfg" was used, and
o the thumbprint of the X.509 certificate that corresponds to the
key used to encrypt the JWE has the base64url encoding
"7noOPq-hJ1_hCnvWh6IeYI2w9Q0".
{"alg":"RSA1_5",
"enc":"A256CBC",
"int":"HS256",
"iv":"Mz-mW_4JHfg",
"x5t":"7noOPq-hJ1_hCnvWh6IeYI2w9Q0"}
Because AES CBC is not an AEAD algorithm (and so provides no
integrated content integrity check), a separate integrity check value
is used.
Base64url encoding the bytes of the UTF-8 representation of the JWE
Header yields this Encoded JWE Header value (with line breaks for
display purposes only):
eyJhbGciOiJSU0ExXzUiLA0KICJlbmMiOiJBMjU2Q0JDIiwNCiAiaW50IjoiSFMy
NTYiLA0KICJpdiI6Ik16LW1XXzRKSGZnIiwNCiAieDV0IjoiN25vT1BxLWhKMV9o
Q252V2g2SWVZSTJ3OVEwIn0
TBD: Finish this example by showing generation of a Content Master
Key (CMK), showing the derivation of the CEK and the CEK from the
CMK, using the CEK to encrypt the Plaintext to produce the
Ciphertext, using the recipient's key to encrypt the CMK to produce
the JWE Encrypted Key, showing the computation of the JWE Integrity
Value, base64url encoding these values, and assembling the result.
eyJhbGciOiJSU0ExXzUiLA0KICJlbmMiOiJBMjU2Q0JDIiwNCiAiaW50IjoiSFMy
NTYiLA0KICJpdiI6Ik16LW1XXzRKSGZnIiwNCiAieDV0IjoiN25vT1BxLWhKMV9o
Q252V2g2SWVZSTJ3OVEwIn0
.
TBD_encrypted_key_value_TBD
.
TBD_ciphertext_value_TBD
.
TBD_integrity_value_TBD
4. JWE Header 4. JWE Header
The members of the JSON object represented by the JWE Header describe The members of the JSON object represented by the JWE Header describe
the encryption applied to the Plaintext and optionally additional the encryption applied to the Plaintext and optionally additional
properties of the JWE. The Header Parameter Names within this object properties of the JWE. The Header Parameter Names within this object
MUST be unique. Implementations MUST understand the entire contents MUST be unique. Implementations MUST understand the entire contents
of the header; otherwise, the JWE MUST be rejected. of the header; otherwise, the JWE MUST be rejected.
4.1. Reserved Header Parameter Names 4.1. Reserved Header Parameter Names
The following header parameter names are reserved. All the names are The following header parameter names are reserved. All the names are
short because a core goal of JWE is for the representations to be short because a core goal of JWE is for the representations to be
compact. compact.
TBD: Describe the relationship between the JWS and JWE header +-----------+--------+----------------+-----------------------------+
parameters - especially the "alg" parameter, which can contain | Header | JSON | Header | Header Parameter Semantics |
digital signature or HMAC algorithms (from JWS) or encryption | Parameter | Value | Parameter | |
algorithms (from JWE), and the key reference parameters "jku", "kid", | Name | Type | Syntax | |
"x5u", and "x5t". +-----------+--------+----------------+-----------------------------+
| alg | string | StringOrURI | The "alg" (algorithm) |
+-----------+--------+-------------+--------------------------------+ | | | | header parameter identifies |
| Header | JSON | Header | Header Parameter Semantics | | | | | the cryptographic algorithm |
| Parameter | Value | Parameter | | | | | | used to secure the JWE |
| Name | Type | Syntax | | | | | | Encrypted Key. A list of |
+-----------+--------+-------------+--------------------------------+ | | | | defined encryption "alg" |
| alg | string | StringOrURI | The "alg" (algorithm) header | | | | | values is presented in |
| | | | parameter identifies the | | | | | Section 4, Table 2 of the |
| | | | cryptographic algorithm used | | | | | JSON Web Algorithms (JWA) |
| | | | to secure the JWE Encrypted | | | | | [JWA] specification. The |
| | | | Key. A list of defined | | | | | processing of the "alg" |
| | | | encryption "alg" values is | | | | | (algorithm) header |
| | | | presented in Section 4, Table | | | | | parameter requires that the |
| | | | 2 of the JSON Web Algorithms | | | | | value MUST be one that is |
| | | | (JWA) [JWA] specification. | | | | | both supported and for |
| | | | The processing of the "alg" | | | | | which there exists a key |
| | | | (algorithm) header parameter | | | | | for use with that algorithm |
| | | | requires that the value MUST | | | | | associated with the |
| | | | be one that is both supported | | | | | intended recipient. The |
| | | | and for which there exists a | | | | | "alg" value is case |
| | | | key for use with that | | | | | sensitive. This header |
| | | | algorithm associated with the | | | | | parameter is REQUIRED. |
| | | | intended recipient. The "alg" | | enc | string | StringOrURI | The "enc" (encryption |
| | | | value is case sensitive. This | | | | | method) header parameter |
| | | | header parameter is REQUIRED. | | | | | identifies the symmetric |
| enc | string | StringOrURI | The "enc" (encryption method) | | | | | encryption algorithm used |
| | | | header parameter identifies | | | | | to secure the Ciphertext. |
| | | | the symmetric encryption | | | | | A list of defined "enc" |
| | | | algorithm used to secure the | | | | | values is presented in |
| | | | Ciphertext. A list of defined | | | | | Section 4, Table 3 of the |
| | | | "enc" values is presented in | | | | | JSON Web Algorithms (JWA) |
| | | | Section 4, Table 3 of the JSON | | | | | [JWA] specification. The |
| | | | Web Algorithms (JWA) [JWA] | | | | | processing of the "enc" |
| | | | specification. The processing | | | | | (encryption method) header |
| | | | of the "enc" (encryption | | | | | parameter requires that the |
| | | | method) header parameter | | | | | value MUST be one that is |
| | | | requires that the value MUST | | | | | supported. The "enc" value |
| | | | be one that is supported. The | | | | | is case sensitive. This |
| | | | "enc" value is case sensitive. | | | | | header parameter is |
| | | | This header parameter is | | | | | REQUIRED. |
| | | | REQUIRED. | | int | string | StringOrURI | The "int" (integrity |
| iv | string | String | Initialization Vector ("iv") | | | | | algorithm) header parameter |
| | | | value for algorithms requiring | | | | | identifies the |
| | | | it, represented as a base64url | | | | | cryptographic algorithm |
| | | | encoded string. This header | | | | | used to safeguard the |
| | | | parameter is OPTIONAL. | | | | | integrity of the Ciphertext |
| epk | object | JWK Key | Ephemeral Public Key ("epk") | | | | | and the parameters used to |
| | | Object | value created by the | | | | | create it. The "int" |
| | | | originator for the use in | | | | | parameter uses the same |
| | | | ECDH-ES RFC 6090 [RFC6090] | | | | | values as the JWS "alg" |
| | | | encryption. This key is | | | | | parameter; a list of |
| | | | represented in the same manner | | | | | defined JWS "alg" values is |
| | | | as a JSON Web Key [JWK] JWK | | | | | presented in Section 3, |
| | | | Key Object value, containing | | | | | Table 1 of the JSON Web |
| | | | "crv" (curve), "x", and "y" | | | | | Algorithms (JWA) [JWA] |
| | | | members. The inclusion of the | | | | | specification. This header |
| | | | JWK Key Object "alg" | | | | | parameter is REQUIRED when |
| | | | (algorithm) member is | | | | | an AEAD algorithm is not |
| | | | OPTIONAL. This header | | | | | used to encrypt the |
| | | | parameter is OPTIONAL. | | | | | Plaintext and MUST NOT be |
| zip | string | String | Compression algorithm ("zip") | | | | | present when an AEAD |
| | | | applied to the Plaintext | | | | | algorithm is used. |
| | | | before encryption, if any. | | iv | string | String | Initialization Vector |
| | | | This specification defines the | | | | | ("iv") value for algorithms |
| | | | value "GZIP" to refer to the | | | | | requiring it, represented |
| | | | encoding format produced by | | | | | as a base64url encoded |
| | | | the file compression program | | | | | string. This header |
| | | | "gzip" (GNU zip) as described | | | | | parameter is OPTIONAL. |
| | | | in [RFC1952]; this format is a | | epk | object | JWK Key Object | Ephemeral Public Key |
| | | | Lempel-Ziv coding (LZ77) with | | | | | ("epk") value created by |
| | | | a 32 bit CRC. If no "zip" | | | | | the originator for the use |
| | | | parameter is present, or its | | | | | in ECDH-ES RFC 6090 |
| | | | value is "none", no | | | | | [RFC6090] encryption. This |
| | | | compression is applied to the | | | | | key is represented in the |
| | | | Plaintext before encryption. | | | | | same manner as a JSON Web |
| | | | The "zip" value is case | | | | | Key [JWK] JWK Key Object |
| | | | sensitive. This header | | | | | value, containing "crv" |
| | | | parameter is OPTIONAL. | | | | | (curve), "x", and "y" |
| jku | string | URL | The "jku" (JSON Web Key URL) | | | | | members. The inclusion of |
| | | | header parameter is an | | | | | the JWK Key Object "alg" |
| | | | absolute URL that refers to a | | | | | (algorithm) member is |
| | | | resource for a set of | | | | | OPTIONAL. This header |
| | | | JSON-encoded public keys, one | | | | | parameter is OPTIONAL. |
| | | | of which corresponds to the | | zip | string | String | Compression algorithm |
| | | | key that was used to encrypt | | | | | ("zip") applied to the |
| | | | the JWE. The keys MUST be | | | | | Plaintext before |
| | | | encoded as described in the | | | | | encryption, if any. This |
| | | | JSON Web Key (JWK) [JWK] | | | | | specification defines the |
| | | | specification. The protocol | | | | | value "GZIP" to refer to |
| | | | used to acquire the resource | | | | | the encoding format |
| | | | MUST provide integrity | | | | | produced by the file |
| | | | protection. An HTTP GET | | | | | compression program "gzip" |
| | | | request to retrieve the | | | | | (GNU zip) as described in |
| | | | certificate MUST use TLS RFC | | | | | [RFC1952]; this format is a |
| | | | 2818 [RFC2818] RFC 5246 | | | | | Lempel-Ziv coding (LZ77) |
| | | | [RFC5246] with server | | | | | with a 32 bit CRC. If no |
| | | | authentication RFC 6125 | | | | | "zip" parameter is present, |
| | | | [RFC6125]. This header | | | | | or its value is "none", no |
| | | | parameter is OPTIONAL. | | | | | compression is applied to |
| kid | string | String | The "kid" (key ID) header | | | | | the Plaintext before |
| | | | parameter is a hint indicating | | | | | encryption. The "zip" |
| | | | which key was used to encrypt | | | | | value is case sensitive. |
| | | | the JWE. This allows | | | | | This header parameter is |
| | | | originators to explicitly | | | | | OPTIONAL. |
| | | | signal a change of key to | | jku | string | URL | The "jku" (JSON Web Key |
| | | | recipients. The | | | | | URL) header parameter is an |
| | | | interpretation of the contents | | | | | absolute URL that refers to |
| | | | of the "kid" parameter is | | | | | a resource for a set of |
| | | | unspecified. This header | | | | | JSON-encoded public keys, |
| | | | parameter is OPTIONAL. | | | | | one of which corresponds to |
| x5u | string | URL | The "x5u" (X.509 URL) header | | | | | the key that was used to |
| | | | parameter is an absolute URL | | | | | encrypt the JWE. The keys |
| | | | that refers to a resource for | | | | | MUST be encoded as |
| | | | the X.509 public key | | | | | described in the JSON Web |
| | | | certificate or certificate | | | | | Key (JWK) [JWK] |
| | | | chain corresponding to the key | | | | | specification. The |
| | | | used to encrypt the JWE. The | | | | | protocol used to acquire |
| | | | identified resource MUST | | | | | the resource MUST provide |
| | | | provide a representation of | | | | | integrity protection. An |
| | | | the certificate or certificate | | | | | HTTP GET request to |
| | | | chain that conforms to RFC | | | | | retrieve the certificate |
| | | | 5280 [RFC5280] in PEM encoded | | | | | MUST use TLS RFC 2818 |
| | | | form RFC 1421 [RFC1421]. The | | | | | [RFC2818] RFC 5246 |
| | | | protocol used to acquire the | | | | | [RFC5246] with server |
| | | | resource MUST provide | | | | | authentication RFC 6125 |
| | | | integrity protection. An HTTP | | | | | [RFC6125]. This header |
| | | | GET request to retrieve the | | | | | parameter is OPTIONAL. |
| | | | certificate MUST use TLS RFC | | kid | string | String | The "kid" (key ID) header |
| | | | 2818 [RFC2818] RFC 5246 | | | | | parameter is a hint |
| | | | [RFC5246] with server | | | | | indicating which key was |
| | | | authentication RFC 6125 | | | | | used to encrypt the JWE. |
| | | | [RFC6125]. This header | | | | | This allows originators to |
| | | | parameter is OPTIONAL. | | | | | explicitly signal a change |
| x5t | string | String | The "x5t" (x.509 certificate | | | | | of key to recipients. The |
| | | | thumbprint) header parameter | | | | | interpretation of the |
| | | | provides a base64url encoded | | | | | contents of the "kid" |
| | | | SHA-1 thumbprint (a.k.a. | | | | | parameter is unspecified. |
| | | | digest) of the DER encoding of | | | | | This header parameter is |
| | | | the X.509 certificate that | | | | | OPTIONAL. |
| | | | corresponds to the key that | | jpk | object | JWK Key Object | The "jpk" (JSON Public Key) |
| | | | was used to encrypt the JWE. | | | | | header parameter is a |
| | | | This header parameter is | | | | | public key that corresponds |
| | | | OPTIONAL. | | | | | to the key that was used to |
| typ | string | String | The "typ" (type) header | | | | | encrypt the JWE. This key |
| | | | parameter is used to declare | | | | | is represented in the same |
| | | | the type of the encrypted | | | | | manner as a JSON Web Key |
| | | | content. The "typ" value is | | | | | [JWK] JWK Key Object value. |
| | | | case sensitive. This header | | | | | This header parameter is |
| | | | parameter is OPTIONAL. | | | | | OPTIONAL. |
+-----------+--------+-------------+--------------------------------+ | x5u | string | URL | The "x5u" (X.509 URL) |
| | | | header parameter is an |
| | | | absolute URL that refers to |
| | | | a resource for the X.509 |
| | | | public key certificate or |
| | | | certificate chain |
| | | | corresponding to the key |
| | | | used to encrypt the JWE. |
| | | | The identified resource |
| | | | MUST provide a |
| | | | representation of the |
| | | | certificate or certificate |
| | | | chain that conforms to RFC |
| | | | 5280 [RFC5280] in PEM |
| | | | encoded form RFC 1421 |
| | | | [RFC1421]. The certificate |
| | | | containing the public key |
| | | | of the entity encrypting |
| | | | the JWE MUST be the first |
| | | | certificate. This MAY be |
| | | | followed by additional |
| | | | certificates, with each |
| | | | subsequent certificate |
| | | | being the one used to |
| | | | certify the previous one. |
| | | | The protocol used to |
| | | | acquire the resource MUST |
| | | | provide integrity |
| | | | protection. An HTTP GET |
| | | | request to retrieve the |
| | | | certificate MUST use TLS |
| | | | RFC 2818 [RFC2818] RFC 5246 |
| | | | [RFC5246] with server |
| | | | authentication RFC 6125 |
| | | | [RFC6125]. This header |
| | | | parameter is OPTIONAL. |
| x5t | string | String | The "x5t" (x.509 |
| | | | certificate thumbprint) |
| | | | header parameter provides a |
| | | | base64url encoded SHA-1 |
| | | | thumbprint (a.k.a. digest) |
| | | | of the DER encoding of the |
| | | | X.509 certificate that |
| | | | corresponds to the key that |
| | | | was used to encrypt the |
| | | | JWE. This header parameter |
| | | | is OPTIONAL. |
| x5c | array | ArrayOfStrings | The "x5c" (x.509 |
| | | | certificate chain) header |
| | | | parameter contains the |
| | | | X.509 public key |
| | | | certificate or certificate |
| | | | chain corresponding to the |
| | | | key used to encrypt the |
| | | | JWE. The certificate or |
| | | | certificate chain is |
| | | | represented as an array of |
| | | | certificate values. Each |
| | | | value is a base64-encoded |
| | | | (not base64url encoded) |
| | | | DER/BER PKIX certificate |
| | | | value. The certificate |
| | | | containing the public key |
| | | | of the entity encrypting |
| | | | the JWE MUST be the first |
| | | | certificate. This MAY be |
| | | | followed by additional |
| | | | certificates, with each |
| | | | subsequent certificate |
| | | | being the one used to |
| | | | certify the previous one. |
| | | | The recipient MUST verify |
| | | | the certificate chain |
| | | | according to [RFC5280] and |
| | | | reject the JWE if any |
| | | | validation failure occurs. |
| | | | This header parameter is |
| | | | OPTIONAL. |
| typ | string | String | The "typ" (type) header |
| | | | parameter is used to |
| | | | declare the type of the |
| | | | encrypted content. The |
| | | | "typ" value is case |
| | | | sensitive. This header |
| | | | parameter is OPTIONAL. |
+-----------+--------+----------------+-----------------------------+
Table 1: Reserved Header Parameter Definitions Table 1: Reserved Header Parameter Definitions
Additional reserved header parameter names MAY be defined via the Additional reserved header parameter names MAY be defined via the
IANA JSON Web Encryption Header Parameters registry, as per IANA JSON Web Encryption Header Parameters registry, as per
Section 10. The syntax values used above are defined as follows: Section 11. The syntax values used above are defined as follows:
+-------------+-----------------------------------------------------+ +----------------+--------------------------------------------------+
| Syntax Name | Syntax Definition | | Syntax Name | Syntax Definition |
+-------------+-----------------------------------------------------+ +----------------+--------------------------------------------------+
| String | Any string value MAY be used. | | String | Any string value MAY be used. |
| StringOrURI | Any string value MAY be used but a value containing | | StringOrURI | Any string value MAY be used but a value |
| | a ":" character MUST be a URI as defined in RFC | | | containing a ":" character MUST be a URI as |
| | 3986 [RFC3986]. | | | defined in RFC 3986 [RFC3986]. |
| URL | A URL as defined in RFC 1738 [RFC1738]. | | URL | A URL as defined in RFC 1738 [RFC1738]. |
+-------------+-----------------------------------------------------+ | ArrayOfStrings | An array of string values. |
+----------------+--------------------------------------------------+
Table 2: Header Parameter Syntax Definitions Table 2: Header Parameter Syntax Definitions
4.2. Public Header Parameter Names 4.2. Public Header Parameter Names
Additional header parameter names can be defined by those using JWE. Additional header parameter names can be defined by those using JWE.
However, in order to prevent collisions, any new header parameter However, in order to prevent collisions, any new header parameter
name or algorithm value SHOULD either be defined in the IANA JSON Web name or algorithm value SHOULD either be defined in the IANA JSON Web
Encryption Header Parameters registry or be defined as a URI that Encryption Header Parameters registry or be defined as a URI that
contains a collision resistant namespace. In each case, the definer contains a collision resistant namespace. In each case, the definer
of the name or value needs to take reasonable precautions to make of the name or value needs to take reasonable precautions to make
sure they are in control of the part of the namespace they use to sure they are in control of the part of the namespace they use to
define the header parameter name. define the header parameter name.
New header parameters should be introduced sparingly, as they can New header parameters should be introduced sparingly since an
result in non-interoperable JWEs. implementation that does not understand a parameter MUST reject the
JWE.
4.3. Private Header Parameter Names 4.3. Private Header Parameter Names
A producer and consumer of a JWE may agree to any header parameter A producer and consumer of a JWE may agree to any header parameter
name that is not a Reserved Name Section 4.1 or a Public Name name that is not a Reserved Name Section 4.1 or a Public Name
Section 4.2. Unlike Public Names, these private names are subject to Section 4.2. Unlike Public Names, these private names are subject to
collision and should be used with caution. collision and should be used with caution.
New header parameters should be introduced sparingly, as they can New header parameters should be introduced sparingly, as they can
result in non-interoperable JWEs. result in non-interoperable JWEs.
5. Message Encryption 5. Message Encryption
The message encryption process is as follows: The message encryption process is as follows. The order of the steps
is not significant in cases where there are no dependencies between
the inputs and outputs of the steps.
1. Generate a random Content Encryption Key (CEK). The CEK MUST 1. Generate a random Content Master Key (CMK). The CMK MUST have a
have a length at least equal to that of the required encryption length at least equal to that of the larger of the required
keys and MUST be generated randomly. See RFC 4086 [RFC4086] for encryption or integrity keys and MUST be generated randomly.
considerations on generating random values.
2. Encrypt the CEK for the recipient (see Section 7). See RFC 4086 [RFC4086] for considerations on generating random
values.
3. Generate a random IV (if required for the algorithm). 2. Encrypt the CMK for the recipient (see Section 8) and let the
result be the JWE Encrypted Key.
4. Compress the Plaintext if a "zip" parameter was included. 3. Base64url encode the JWE Encrypted Key to create the Encoded JWE
Encrypted Key.
5. Serialize the (compressed) Plaintext into a bitstring M. 4. Generate a random Initialization Vector (IV) (if required for
the algorithm).
6. Encrypt M using the CEK and IV to form the bitstring C. 5. If not using an AEAD algorithm, run the key derivation algorithm
(see Section 7) to generate the Content Encryption Key (CEK) and
the Content Integrity Key (CIK); otherwise (when using an AEAD
algorithm), set the CEK to be the CMK.
7. Set the Encoded JWE Ciphertext equal to the base64url encoded 6. Compress the Plaintext if a "zip" parameter was included.
representation of C.
8. Create a JWE Header containing the encryption parameters used. 7. Serialize the (compressed) Plaintext into a bitstring M.
8. Encrypt M using the CEK and IV to form the bitstring C.
9. Base64url encode C to create the Encoded JWE Ciphertext.
10. Create a JWE Header containing the encryption parameters used.
Note that white space is explicitly allowed in the Note that white space is explicitly allowed in the
representation and no canonicalization is performed before representation and no canonicalization need be performed before
encoding. encoding.
9. Base64url encode the bytes of the UTF-8 representation of the 11. Base64url encode the bytes of the UTF-8 representation of the
JWE Header to create the Encoded JWE Header. JWE Header to create the Encoded JWE Header.
10. The three encoded parts, taken together, are the result of the 12. If not using an AEAD algorithm, run the integrity algorithm (see
encryption. Section 9) using the CIK to compute the JWE Integrity Value;
otherwise (when using an AEAD algorithm), set the JWE Integrity
Value to be the empty byte string.
13. Base64url encode the JWE Integrity Value to create the Encoded
JWE Integrity Value.
14. The four encoded parts, taken together, are the result. The
Compact Serialization of this result is the concatenation of the
Encoded JWE Header, the Encoded JWE Encrypted Key, the Encoded
JWE Ciphertext, and the Encoded JWE Integrity Value in that
order, with the four strings being separated by period ('.')
characters.
6. Message Decryption 6. Message Decryption
The message decryption process is the reverse of the encryption The message decryption process is the reverse of the encryption
process. If any of these steps fails, the JWE MUST be rejected. process. The order of the steps is not significant in cases where
there are no dependencies between the inputs and outputs of the
steps. If any of these steps fails, the JWE MUST be rejected.
1. The Encoded JWE Header, the Encoded JWE Encrypted Key, and the 1. Parse the four parts of the input (which are separated by period
Encoded JWE Ciphertext MUST be successfully base64url decoded characters when using the JWE Compact Serialization) into the
following the restriction that no padding characters have been Encoded JWE Header, the Encoded JWE Encrypted Key, the Encoded
used. JWE Ciphertext, and the Encoded JWE Integrity Value.
2. The resulting JWE Header MUST be completely valid JSON syntax 2. The Encoded JWE Header, the Encoded JWE Encrypted Key, the
conforming to RFC 4627 [RFC4627]. Encoded JWE Ciphertext, and the Encoded JWE Integrity Value MUST
be successfully base64url decoded following the restriction that
no padding characters have been used.
3. The resulting JWE Header MUST be validated to only include 3. The resulting JWE Header MUST be completely valid JSON syntax
parameters and values whose syntax and semantics are both conforming to RFC 4627 [RFC4627].
understood and supported.
4. Verify that the JWE Header appears to reference a key known to 4. The resulting JWE Header MUST be validated to only include
the recipient. parameters and values whose syntax and semantics are both
understood and supported.
5. Decrypt the JWE Encrypted Key to produce the CEK. 5. Verify that the JWE Header references a key known to the
recipient.
6. Decrypt the binary representation of the JWE Ciphertext using the 6. Decrypt the JWE Encrypted Key to produce the Content Master Key
CEK. (CMK).
7. Uncompress the result of the previous step, if a "zip" parameter 7. If not using an AEAD algorithm, run the key derivation algorithm
was included. (see Section 7) to generate the Content Encryption Key (CEK) and
the Content Integrity Key (CIK); otherwise (when using an AEAD
algorithm), set the CEK to be the CMK.
8. Output the result. 8. If not using an AEAD algorithm, run the integrity algorithm (see
Section 9) using the CIK to compute an integrity value for the
input received. This computed value MUST match the received JWE
Integrity Value; otherwise (when using an AEAD algorithm), the
received JWE Integrity Value MUST be empty.
7. CEK Encryption 9. Decrypt the binary representation of the JWE Ciphertext using
the CEK.
JWE supports two forms of CEK encryption: 10. Remove the Initialization Vector (IV) value from the decrypted
result (if an IV was used).
11. Uncompress the result of the previous step, if a "zip" parameter
was included.
12. Output the resulting Plaintext.
7. Key Derivation
The key derivation process converts the CMK into a CEK and a CIK. It
assumes as a primitive a Key Derivation Function (KDF) which
notionally takes three arguments:
MasterKey: The master key used to compute the individual use keys
Label: The use key label, used to differentiate individual use keys
Length: The length of the desired use key
The only KDF used in this document is the Concat KDF, as defined in
[NIST-800-56A], where the Digest Method is SHA-256, the SuppPubInfo
parameter is the Label, and the remaining OtherInfo parameters are
the empty bit string.
To compute the CEK from the CMK, the ASCII label "Encryption" is
used.
To compute the CIK from the CMK, the ASCII label "Integrity" is used.
When AEAD algorithms are used the KDF element MUST NOT be present.
When they are not used, it MUST be present.
8. CMK Encryption
JWE supports two forms of CMK encryption:
o Asymmetric encryption under the recipient's public key. o Asymmetric encryption under the recipient's public key.
o Symmetric encryption under a shared key. o Symmetric encryption under a shared key.
7.1. Asymmetric Encryption 8.1. Asymmetric Encryption
In the asymmetric encryption mode, the CEK is encrypted under the In the asymmetric encryption mode, the CMK is encrypted under the
recipient's public key. The asymmetric encryption modes defined for recipient's public key. The asymmetric encryption modes defined for
use with this in this specification are listed in Section 4, Table 2 use with this in this specification are listed in Section 4, Table 2
of the JSON Web Algorithms (JWA) [JWA] specification. of the JSON Web Algorithms (JWA) [JWA] specification.
7.2. Symmetric Encryption 8.2. Symmetric Encryption
In the symmetric encryption mode, the CEK is encrypted under a In the symmetric encryption mode, the CMK is encrypted under a
symmetric key shared between the sender and receiver. The symmetric symmetric key shared between the sender and receiver. The symmetric
encryption modes defined for use with this in this specification are encryption modes defined for use with this in this specification are
listed in Section 4, Table 2 of the JSON Web Algorithms (JWA) [JWA] listed in Section 4, Table 2 of the JSON Web Algorithms (JWA) [JWA]
specification. For GCM, the random 64-bit IV is prepended to the specification. For GCM, the random 64-bit IV is prepended to the
ciphertext. ciphertext.
8. Composition 9. Integrity Value Calculation
This document does not specify a combination integrity and encrypted When a non-AEAD algorithm is used (an algorithm without an integrated
mode. However, because the contents of a message can be arbitrary, content check), JWE adds an explicit integrity check value to the
encryption and data origin authentication can be provided by representation. This value is computed in the manner described in
recursively encapsulating multiple JWE and JWS messages. In general, the JSON Web Signature (JWS) [JWS] specification, with these
senders SHOULD digitally sign or HMAC the message and then encrypt modifications:
the result (thus encrypting the digital signature or HMAC). This
prevents attacks in which the digital signature or HMAC is stripped,
leaving just an encrypted message, as well as providing privacy for
signers.
9. Encrypting JWEs with Cryptographic Algorithms o The algorithm used is taken from the "int" (integrity algorithm)
header parameter rather than the "alg" header parameter.
o The algorithm MUST be an HMAC algorithm (normally HMAC SHA-256).
o The JWS Secured Input used is the concatenation of the Encoded JWE
Header, a period ('.') character, the Encoded JWE Encrypted Key, a
period ('.') character, and the Encoded JWE Ciphertext.
o The CIK is used as the HMAC key.
The computed JWS Signature value is the resulting integrity value.
10. Encrypting JWEs with Cryptographic Algorithms
JWE uses cryptographic algorithms to encrypt the Content Encryption JWE uses cryptographic algorithms to encrypt the Content Encryption
Key (CEK) and the Plaintext. The JSON Web Algorithms (JWA) [JWA] Key (CMK) and the Plaintext. The JSON Web Algorithms (JWA) [JWA]
specification enumerates a set of cryptographic algorithms and specification enumerates a set of cryptographic algorithms and
identifiers to be used with this specification. Specifically, identifiers to be used with this specification. Specifically,
Section 4, Table 2 enumerates a set of "alg" (algorithm) header Section 4, Table 2 enumerates a set of "alg" (algorithm) header
parameter values and Section 4, Table 3 enumerates a set of "enc" parameter values and Section 4, Table 3 enumerates a set of "enc"
(encryption method) header parameter values intended for use this (encryption method) header parameter values intended for use this
specification. It also describes the semantics and operations that specification. It also describes the semantics and operations that
are specific to these algorithms and algorithm families. are specific to these algorithms and algorithm families.
Public keys employed for encryption can be identified using the Public keys employed for encryption can be identified using the
Header Parameter methods described in Section 4.1 or can be Header Parameter methods described in Section 4.1 or can be
distributed using methods that are outside the scope of this distributed using methods that are outside the scope of this
specification. specification.
10. IANA Considerations 11. IANA Considerations
This specification calls for: This specification calls for:
o A new IANA registry entitled "JSON Web Encryption Header o A new IANA registry entitled "JSON Web Encryption Header
Parameters" for reserved header parameter names is defined in Parameters" for reserved header parameter names is defined in
Section 4.1. Inclusion in the registry is RFC Required in the RFC Section 4.1. Inclusion in the registry is RFC Required in the RFC
5226 [RFC5226] sense for reserved JWE header parameter names that 5226 [RFC5226] sense for reserved JWE header parameter names that
are intended to be interoperable between implementations. The are intended to be interoperable between implementations. The
registry will just record the reserved header parameter name and a registry will just record the reserved header parameter name and a
pointer to the RFC that defines it. This specification defines pointer to the RFC that defines it. This specification defines
inclusion of the header parameter names defined in Table 1. inclusion of the header parameter names defined in Table 1.
11. Security Considerations 12. Security Considerations
TBD: Lots of work to do here. We need to remember to look into any TBD: Lots of work to do here. We need to remember to look into any
issues relating to security and JSON parsing. One wonders just how issues relating to security and JSON parsing. One wonders just how
secure most JSON parsing libraries are. Were they ever hardened for secure most JSON parsing libraries are. Were they ever hardened for
security scenarios? If not, what kind of holes does that open up? security scenarios? If not, what kind of holes does that open up?
Also, we need to walk through the JSON standard and see what kind of Also, we need to walk through the JSON standard and see what kind of
issues we have especially around comparison of names. For instance, issues we have especially around comparison of names. For instance,
comparisons of header parameter names and other parameters must occur comparisons of header parameter names and other parameters must occur
after they are unescaped. Need to also put in text about: Importance after they are unescaped. Need to also put in text about: Importance
of keeping secrets secret. Rotating keys. Strengths and weaknesses of keeping secrets secret. Rotating keys. Strengths and weaknesses
skipping to change at page 14, line 10 skipping to change at page 19, line 44
of malformed JSON that MUST be rejected is an object in which the of malformed JSON that MUST be rejected is an object in which the
same member name occurs multiple times. same member name occurs multiple times.
TBD: We need a section on generating randomness in browsers - it's TBD: We need a section on generating randomness in browsers - it's
easy to screw up. easy to screw up.
When utilizing TLS to retrieve information, the authority providing When utilizing TLS to retrieve information, the authority providing
the resource MUST be authenticated and the information retrieved MUST the resource MUST be authenticated and the information retrieved MUST
be free from modification. be free from modification.
11.1. Unicode Comparison Security Issues 12.1. Unicode Comparison Security Issues
Header parameter names in JWEs are Unicode strings. For security Header parameter names in JWEs are Unicode strings. For security
reasons, the representations of these names must be compared verbatim reasons, the representations of these names must be compared verbatim
after performing any escape processing (as per RFC 4627 [RFC4627], after performing any escape processing (as per RFC 4627 [RFC4627],
Section 2.5). Section 2.5).
This means, for instance, that these JSON strings must compare as This means, for instance, that these JSON strings must compare as
being equal ("enc", "\u0065nc"), whereas these must all compare as being equal ("enc", "\u0065nc"), whereas these must all compare as
being not equal to the first set or to each other ("ENC", "Enc", being not equal to the first set or to each other ("ENC", "Enc",
"en\u0043"). "en\u0043").
JSON strings MAY contain characters outside the Unicode Basic JSON strings MAY contain characters outside the Unicode Basic
Multilingual Plane. For instance, the G clef character (U+1D11E) may Multilingual Plane. For instance, the G clef character (U+1D11E) may
be represented in a JSON string as "\uD834\uDD1E". Ideally, JWE be represented in a JSON string as "\uD834\uDD1E". Ideally, JWE
implementations SHOULD ensure that characters outside the Basic implementations SHOULD ensure that characters outside the Basic
Multilingual Plane are preserved and compared correctly; Multilingual Plane are preserved and compared correctly;
alternatively, if this is not possible due to these characters alternatively, if this is not possible due to these characters
exercising limitations present in the underlying JSON implementation, exercising limitations present in the underlying JSON implementation,
then input containing them MUST be rejected. then input containing them MUST be rejected.
12. Open Issues and Things To Be Done (TBD) 13. Open Issues and Things To Be Done (TBD)
The following items remain to be done in this draft: The following items remain to be done in this draft:
o Describe the relationship between the JWE, JWS, and JWT header o EDITORIAL: Give each header parameter definition its own section.
parameters. In particular, point out that the set of "alg" values This will let them appear in the index, will give space for
defined by each must be compatible and non-overlapping. examples when needed, and will get rid of the way-too-cramped
tables.
o Consider whether we want to define composite integrity/encryption
operations (as was the consensus to do at IIW, as documented at
http://self-issued.info/?p=378). This would provide both
confidentiality and integrity.
o Consider whether reusing the JWS "jku", "kid", "x5u", and "x5t" o Consider adding the DEFLATE compression algorithm (which omits the
parameters is the right thing to do, particularly as it ZLIB header and checksum fields) and so produces smaller results
effectively precludes specifying composite operations. than "GZIP".
o Consider whether to add parameters for directly including keys in o Provide a more robust description of the use of the Initialization
the header, either as JWK Key Objects, or X.509 cert values, or Vector (IV), including listing which algorithms require an IV.
both. (This list may belong in the JWA spec.) The current statement
"For GCM, the random 64-bit IV is prepended to the ciphertext" in
the Symmetric Encryption section is almost certainly out of place
and insufficiently general.
o Consider whether to add version numbers. o Finish the Security Considerations section.
o Consider which of the open issues from the JWS and JWT specs also o Consider which of the open issues from the JWS and JWT specs also
apply here. apply here.
o Think about how to best describe the concept currently described o Should the JWE Encrypted Key be moved to the header (which would
as "the bytes of the UTF-8 representation of". Possible terms to add about 20 bytes to every JWE) or left in a separate period-
use instead of "bytes of" include "byte sequence", "octet series", separated segment to prevent double base64 encoding?
and "octet sequence". Also consider whether we want to add an
overall clarifying statement somewhere in each spec something like
"every place we say 'the UTF-8 representation of X', we mean 'the
bytes of the UTF-8 representation of X'". That would potentially
allow us to omit the "the bytes of" part everywhere else.
o Finish the Security Considerations section.
o Write a note in the Security Considerations section about how
"x5t" (x.509 certificate thumbprint) should be deprecated because
of known problems with SHA-1.
o Should StringOrURI use IRIs rather than RFC 3986 URIs?
o Provide a more robust description of the use of the IV. The
current statement "For GCM, the random 64-bit IV is prepended to
the ciphertext" in the Symmetric Encryption section is almost
certainly out of place.
13. References
13.1. Normative References 14. References
14.1. Normative References
[JWA] Jones, M., "JSON Web Algorithms (JWA)", January 2012. [JWA] Jones, M., "JSON Web Algorithms (JWA)", January 2012.
[JWK] Jones, M., "JSON Web Key (JWK)", January 2012. [JWK] Jones, M., "JSON Web Key (JWK)", March 2012.
[JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web
Signature (JWS)", January 2012. Signature (JWS)", January 2012.
[NIST-800-38D] [NIST-800-38D]
National Institute of Standards and Technology (NIST), National Institute of Standards and Technology (NIST),
"Recommendation for Block Cipher Modes of Operation: "Recommendation for Block Cipher Modes of Operation:
Galois/Counter Mode (GCM) and GMAC", NIST PUB 800-38D, Galois/Counter Mode (GCM) and GMAC", NIST PUB 800-38D,
December 2001. December 2001.
[NIST-800-56A]
National Institute of Standards and Technology (NIST),
"Recommendation for Pair-Wise Key Establishment Schemes
Using Discrete Logarithm Cryptography (Revised)", NIST PUB
800-56A, March 2007.
[RFC1421] Linn, J., "Privacy Enhancement for Internet Electronic [RFC1421] Linn, J., "Privacy Enhancement for Internet Electronic
Mail: Part I: Message Encryption and Authentication Mail: Part I: Message Encryption and Authentication
Procedures", RFC 1421, February 1993. Procedures", RFC 1421, February 1993.
[RFC1738] Berners-Lee, T., Masinter, L., and M. McCahill, "Uniform [RFC1738] Berners-Lee, T., Masinter, L., and M. McCahill, "Uniform
Resource Locators (URL)", RFC 1738, December 1994. Resource Locators (URL)", RFC 1738, December 1994.
[RFC1952] Deutsch, P., Gailly, J-L., Adler, M., Deutsch, L., and G. [RFC1952] Deutsch, P., Gailly, J-L., Adler, M., Deutsch, L., and G.
Randers-Pehrson, "GZIP file format specification version Randers-Pehrson, "GZIP file format specification version
4.3", RFC 1952, May 1996. 4.3", RFC 1952, May 1996.
skipping to change at page 16, line 33 skipping to change at page 22, line 9
[RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness [RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness
Requirements for Security", BCP 106, RFC 4086, June 2005. Requirements for Security", BCP 106, RFC 4086, June 2005.
[RFC4627] Crockford, D., "The application/json Media Type for [RFC4627] Crockford, D., "The application/json Media Type for
JavaScript Object Notation (JSON)", RFC 4627, July 2006. JavaScript Object Notation (JSON)", RFC 4627, July 2006.
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, October 2006. Encodings", RFC 4648, October 2006.
[RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated
Encryption", RFC 5116, January 2008.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226, IANA Considerations Section in RFCs", BCP 26, RFC 5226,
May 2008. May 2008.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008. (TLS) Protocol Version 1.2", RFC 5246, August 2008.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
skipping to change at page 17, line 5 skipping to change at page 22, line 33
[RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic [RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic
Curve Cryptography Algorithms", RFC 6090, February 2011. Curve Cryptography Algorithms", RFC 6090, February 2011.
[RFC6125] Saint-Andre, P. and J. Hodges, "Representation and [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
Verification of Domain-Based Application Service Identity Verification of Domain-Based Application Service Identity
within Internet Public Key Infrastructure Using X.509 within Internet Public Key Infrastructure Using X.509
(PKIX) Certificates in the Context of Transport Layer (PKIX) Certificates in the Context of Transport Layer
Security (TLS)", RFC 6125, March 2011. Security (TLS)", RFC 6125, March 2011.
13.2. Informative References 14.2. Informative References
[I-D.rescorla-jsms] [I-D.rescorla-jsms]
Rescorla, E. and J. Hildebrand, "JavaScript Message Rescorla, E. and J. Hildebrand, "JavaScript Message
Security Format", draft-rescorla-jsms-00 (work in Security Format", draft-rescorla-jsms-00 (work in
progress), March 2011. progress), March 2011.
[JSE] Bradley, J. and N. Sakimura (editor), "JSON Simple [JSE] Bradley, J. and N. Sakimura (editor), "JSON Simple
Encryption", September 2010. Encryption", September 2010.
[JWE-JS] Jones, M., "JSON Web Encryption JSON Serialization
(JWE-JS)", March 2012.
[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
RFC 5652, September 2009. RFC 5652, September 2009.
[W3C.CR-xmlenc-core1-20110303] [W3C.CR-xmlenc-core1-20110303]
Hirsch, F., Roessler, T., Reagle, J., and D. Eastlake, Hirsch, F., Roessler, T., Reagle, J., and D. Eastlake,
"XML Encryption Syntax and Processing Version 1.1", World "XML Encryption Syntax and Processing Version 1.1", World
Wide Web Consortium CR CR-xmlenc-core1-20110303, Wide Web Consortium CR CR-xmlenc-core1-20110303,
March 2011, March 2011,
<http://www.w3.org/TR/2011/CR-xmlenc-core1-20110303>. <http://www.w3.org/TR/2011/CR-xmlenc-core1-20110303>.
skipping to change at page 18, line 9 skipping to change at page 23, line 39
[W3C.CR-xmlenc-core1-20110303] and RFC 5652 [RFC5652] as possible, [W3C.CR-xmlenc-core1-20110303] and RFC 5652 [RFC5652] as possible,
while utilizing simple compact JSON-based data structures. while utilizing simple compact JSON-based data structures.
Special thanks are due to John Bradley and Nat Sakimura for the Special thanks are due to John Bradley and Nat Sakimura for the
discussions that helped inform the content of this specification and discussions that helped inform the content of this specification and
to Eric Rescorla and Joe Hildebrand for allowing the reuse of text to Eric Rescorla and Joe Hildebrand for allowing the reuse of text
from [I-D.rescorla-jsms] in this document. from [I-D.rescorla-jsms] in this document.
Appendix C. Document History Appendix C. Document History
-01
o Added an integrity check for non-AEAD algorithms.
o Added "jpk" and "x5c" header parameters for including JWK public
keys and X.509 certificate chains directly in the header.
o Clarified that this specification is defining the JWE Compact
Serialization. Referenced the new JWE-JS spec, which defines the
JWE JSON Serialization.
o Added text "New header parameters should be introduced sparingly
since an implementation that does not understand a parameter MUST
reject the JWE".
o Clarified that the order of the encryption and decryption steps is
not significant in cases where there are no dependencies between
the inputs and outputs of the steps.
o Made other editorial improvements suggested by JOSE working group
participants.
-00 -00
o Created the initial IETF draft based upon o Created the initial IETF draft based upon
draft-jones-json-web-encryption-02 with no normative changes. draft-jones-json-web-encryption-02 with no normative changes.
o Changed terminology to no longer call both digital signatures and o Changed terminology to no longer call both digital signatures and
HMACs "signatures". HMACs "signatures".
Authors' Addresses Authors' Addresses
 End of changes. 69 change blocks. 
324 lines changed or deleted 600 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/