| < draft-ietf-jose-json-web-encryption-04.txt | draft-ietf-jose-json-web-encryption-05.txt > | |||
|---|---|---|---|---|
| JOSE Working Group M. Jones | JOSE Working Group M. Jones | |||
| Internet-Draft Microsoft | Internet-Draft Microsoft | |||
| Intended status: Standards Track E. Rescorla | Intended status: Standards Track E. Rescorla | |||
| Expires: January 17, 2013 RTFM | Expires: January 31, 2013 RTFM | |||
| J. Hildebrand | J. Hildebrand | |||
| Cisco | Cisco | |||
| July 16, 2012 | July 30, 2012 | |||
| JSON Web Encryption (JWE) | JSON Web Encryption (JWE) | |||
| draft-ietf-jose-json-web-encryption-04 | draft-ietf-jose-json-web-encryption-05 | |||
| Abstract | Abstract | |||
| JSON Web Encryption (JWE) is a means of representing encrypted | JSON Web Encryption (JWE) is a means of representing encrypted | |||
| content using JavaScript Object Notation (JSON) data structures. | content using JavaScript Object Notation (JSON) data structures. | |||
| Cryptographic algorithms and identifiers for use with this | Cryptographic algorithms and identifiers for use with this | |||
| specification are described in the separate JSON Web Algorithms (JWA) | specification are described in the separate JSON Web Algorithms (JWA) | |||
| specification. Related digital signature and MAC capabilities are | specification. Related digital signature and MAC capabilities are | |||
| described in the separate JSON Web Signature (JWS) specification. | described in the separate JSON Web Signature (JWS) specification. | |||
| skipping to change at page 1, line 38 ¶ | skipping to change at page 1, line 38 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on January 17, 2013. | This Internet-Draft will expire on January 31, 2013. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2012 IETF Trust and the persons identified as the | Copyright (c) 2012 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 40 ¶ | skipping to change at page 2, line 40 ¶ | |||
| Parameter . . . . . . . . . . . . . . . . . . . . . . 13 | Parameter . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 4.1.12. "x5c" (X.509 Certificate Chain) Header Parameter . . . 14 | 4.1.12. "x5c" (X.509 Certificate Chain) Header Parameter . . . 14 | |||
| 4.1.13. "kid" (Key ID) Header Parameter . . . . . . . . . . . 14 | 4.1.13. "kid" (Key ID) Header Parameter . . . . . . . . . . . 14 | |||
| 4.1.14. "typ" (Type) Header Parameter . . . . . . . . . . . . 14 | 4.1.14. "typ" (Type) Header Parameter . . . . . . . . . . . . 14 | |||
| 4.1.15. "cty" (Content Type) Header Parameter . . . . . . . . 15 | 4.1.15. "cty" (Content Type) Header Parameter . . . . . . . . 15 | |||
| 4.2. Public Header Parameter Names . . . . . . . . . . . . . . 15 | 4.2. Public Header Parameter Names . . . . . . . . . . . . . . 15 | |||
| 4.3. Private Header Parameter Names . . . . . . . . . . . . . . 15 | 4.3. Private Header Parameter Names . . . . . . . . . . . . . . 15 | |||
| 5. Message Encryption . . . . . . . . . . . . . . . . . . . . . . 15 | 5. Message Encryption . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 6. Message Decryption . . . . . . . . . . . . . . . . . . . . . . 17 | 6. Message Decryption . . . . . . . . . . . . . . . . . . . . . . 17 | |||
| 7. CMK Encryption . . . . . . . . . . . . . . . . . . . . . . . . 18 | 7. CMK Encryption . . . . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 8. Integrity Value Calculation . . . . . . . . . . . . . . . . . 18 | 8. Integrity Value Calculation . . . . . . . . . . . . . . . . . 19 | |||
| 9. Encrypting JWEs with Cryptographic Algorithms . . . . . . . . 19 | 9. Encrypting JWEs with Cryptographic Algorithms . . . . . . . . 19 | |||
| 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 | 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 10.1. Registration of JWE Header Parameter Names . . . . . . . . 19 | 10.1. Registration of JWE Header Parameter Names . . . . . . . . 20 | |||
| 10.1.1. Registry Contents . . . . . . . . . . . . . . . . . . 19 | 10.1.1. Registry Contents . . . . . . . . . . . . . . . . . . 20 | |||
| 10.2. JSON Web Signature and Encryption Type Values | 10.2. JSON Web Signature and Encryption Type Values | |||
| Registration . . . . . . . . . . . . . . . . . . . . . . . 21 | Registration . . . . . . . . . . . . . . . . . . . . . . . 22 | |||
| 10.2.1. Registry Contents . . . . . . . . . . . . . . . . . . 21 | 10.2.1. Registry Contents . . . . . . . . . . . . . . . . . . 22 | |||
| 10.3. Media Type Registration . . . . . . . . . . . . . . . . . 22 | 10.3. Media Type Registration . . . . . . . . . . . . . . . . . 22 | |||
| 10.3.1. Registry Contents . . . . . . . . . . . . . . . . . . 22 | 10.3.1. Registry Contents . . . . . . . . . . . . . . . . . . 22 | |||
| 11. Security Considerations . . . . . . . . . . . . . . . . . . . 23 | 11. Security Considerations . . . . . . . . . . . . . . . . . . . 23 | |||
| 12. Open Issues . . . . . . . . . . . . . . . . . . . . . . . . . 23 | 12. Open Issues . . . . . . . . . . . . . . . . . . . . . . . . . 23 | |||
| 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 24 | 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 24 | |||
| 13.1. Normative References . . . . . . . . . . . . . . . . . . . 24 | 13.1. Normative References . . . . . . . . . . . . . . . . . . . 24 | |||
| 13.2. Informative References . . . . . . . . . . . . . . . . . . 25 | 13.2. Informative References . . . . . . . . . . . . . . . . . . 26 | |||
| Appendix A. JWE Examples . . . . . . . . . . . . . . . . . . . . 26 | Appendix A. JWE Examples . . . . . . . . . . . . . . . . . . . . 26 | |||
| A.1. Example JWE using RSAES OAEP and AES GCM . . . . . . . . . 26 | A.1. Example JWE using RSAES OAEP and AES GCM . . . . . . . . . 26 | |||
| A.1.1. JWE Header . . . . . . . . . . . . . . . . . . . . . . 26 | A.1.1. JWE Header . . . . . . . . . . . . . . . . . . . . . . 26 | |||
| A.1.2. Encoded JWE Header . . . . . . . . . . . . . . . . . . 26 | A.1.2. Encoded JWE Header . . . . . . . . . . . . . . . . . . 27 | |||
| A.1.3. Content Master Key (CMK) . . . . . . . . . . . . . . . 26 | A.1.3. Content Master Key (CMK) . . . . . . . . . . . . . . . 27 | |||
| A.1.4. Key Encryption . . . . . . . . . . . . . . . . . . . . 27 | A.1.4. Key Encryption . . . . . . . . . . . . . . . . . . . . 27 | |||
| A.1.5. Encoded JWE Encrypted Key . . . . . . . . . . . . . . 29 | A.1.5. Encoded JWE Encrypted Key . . . . . . . . . . . . . . 30 | |||
| A.1.6. "Additional Authenticated Data" Parameter . . . . . . 29 | A.1.6. "Additional Authenticated Data" Parameter . . . . . . 30 | |||
| A.1.7. Plaintext Encryption . . . . . . . . . . . . . . . . . 30 | A.1.7. Plaintext Encryption . . . . . . . . . . . . . . . . . 31 | |||
| A.1.8. Encoded JWE Ciphertext . . . . . . . . . . . . . . . . 30 | A.1.8. Encoded JWE Ciphertext . . . . . . . . . . . . . . . . 31 | |||
| A.1.9. Encoded JWE Integrity Value . . . . . . . . . . . . . 30 | A.1.9. Encoded JWE Integrity Value . . . . . . . . . . . . . 31 | |||
| A.1.10. Complete Representation . . . . . . . . . . . . . . . 30 | A.1.10. Complete Representation . . . . . . . . . . . . . . . 31 | |||
| A.1.11. Validation . . . . . . . . . . . . . . . . . . . . . . 31 | A.1.11. Validation . . . . . . . . . . . . . . . . . . . . . . 32 | |||
| A.2. Example JWE using RSAES-PKCS1-V1_5 and AES CBC . . . . . . 31 | A.2. Example JWE using RSAES-PKCS1-V1_5 and AES CBC . . . . . . 32 | |||
| A.2.1. JWE Header . . . . . . . . . . . . . . . . . . . . . . 31 | A.2.1. JWE Header . . . . . . . . . . . . . . . . . . . . . . 32 | |||
| A.2.2. Encoded JWE Header . . . . . . . . . . . . . . . . . . 32 | A.2.2. Encoded JWE Header . . . . . . . . . . . . . . . . . . 33 | |||
| A.2.3. Content Master Key (CMK) . . . . . . . . . . . . . . . 32 | A.2.3. Content Master Key (CMK) . . . . . . . . . . . . . . . 33 | |||
| A.2.4. Key Encryption . . . . . . . . . . . . . . . . . . . . 32 | A.2.4. Key Encryption . . . . . . . . . . . . . . . . . . . . 33 | |||
| A.2.5. Encoded JWE Encrypted Key . . . . . . . . . . . . . . 35 | A.2.5. Encoded JWE Encrypted Key . . . . . . . . . . . . . . 36 | |||
| A.2.6. Key Derivation . . . . . . . . . . . . . . . . . . . . 35 | A.2.6. Key Derivation . . . . . . . . . . . . . . . . . . . . 36 | |||
| A.2.7. Plaintext Encryption . . . . . . . . . . . . . . . . . 35 | A.2.7. Plaintext Encryption . . . . . . . . . . . . . . . . . 36 | |||
| A.2.8. Encoded JWE Ciphertext . . . . . . . . . . . . . . . . 35 | A.2.8. Encoded JWE Ciphertext . . . . . . . . . . . . . . . . 36 | |||
| A.2.9. Secured Input Value . . . . . . . . . . . . . . . . . 36 | A.2.9. Secured Input Value . . . . . . . . . . . . . . . . . 37 | |||
| A.2.10. JWE Integrity Value . . . . . . . . . . . . . . . . . 37 | A.2.10. JWE Integrity Value . . . . . . . . . . . . . . . . . 38 | |||
| A.2.11. Encoded JWE Integrity Value . . . . . . . . . . . . . 37 | A.2.11. Encoded JWE Integrity Value . . . . . . . . . . . . . 38 | |||
| A.2.12. Complete Representation . . . . . . . . . . . . . . . 37 | A.2.12. Complete Representation . . . . . . . . . . . . . . . 38 | |||
| A.2.13. Validation . . . . . . . . . . . . . . . . . . . . . . 37 | A.2.13. Validation . . . . . . . . . . . . . . . . . . . . . . 39 | |||
| A.3. Example Key Derivation with Outputs <= Hash Size . . . . . 38 | A.3. Example Key Derivation with Outputs <= Hash Size . . . . . 39 | |||
| A.3.1. CEK Generation . . . . . . . . . . . . . . . . . . . . 38 | A.3.1. CEK Generation . . . . . . . . . . . . . . . . . . . . 39 | |||
| A.3.2. CIK Generation . . . . . . . . . . . . . . . . . . . . 38 | A.3.2. CIK Generation . . . . . . . . . . . . . . . . . . . . 40 | |||
| A.4. Example Key Derivation with Outputs >= Hash Size . . . . . 39 | A.4. Example Key Derivation with Outputs >= Hash Size . . . . . 40 | |||
| A.4.1. CEK Generation . . . . . . . . . . . . . . . . . . . . 39 | A.4.1. CEK Generation . . . . . . . . . . . . . . . . . . . . 40 | |||
| A.4.2. CIK Generation . . . . . . . . . . . . . . . . . . . . 40 | A.4.2. CIK Generation . . . . . . . . . . . . . . . . . . . . 41 | |||
| Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 41 | Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 42 | |||
| Appendix C. Document History . . . . . . . . . . . . . . . . . . 41 | Appendix C. Document History . . . . . . . . . . . . . . . . . . 42 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 44 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 45 | |||
| 1. Introduction | 1. Introduction | |||
| JSON Web Encryption (JWE) is a compact encryption format intended for | JSON Web Encryption (JWE) is a compact encryption format intended for | |||
| space constrained environments such as HTTP Authorization headers and | space constrained environments such as HTTP Authorization headers and | |||
| URI query parameters. It represents this content using JavaScript | URI query parameters. It represents this content using JavaScript | |||
| Object Notation (JSON) [RFC4627] based data structures. The JWE | Object Notation (JSON) [RFC4627] based data structures. The JWE | |||
| cryptographic mechanisms encrypt and provide integrity protection for | cryptographic mechanisms encrypt and provide integrity protection for | |||
| arbitrary sequences of bytes. | arbitrary sequences of bytes. | |||
| skipping to change at page 4, line 49 ¶ | skipping to change at page 4, line 49 ¶ | |||
| Content Encryption Key (CEK) A symmetric key used to encrypt the | Content Encryption Key (CEK) A symmetric key used to encrypt the | |||
| Plaintext for the recipient to produce the Ciphertext. | Plaintext for the recipient to produce the Ciphertext. | |||
| Content Integrity Key (CIK) A key used with a MAC function to ensure | Content Integrity Key (CIK) A key used with a MAC function to ensure | |||
| the integrity of the Ciphertext and the parameters used to create | the integrity of the Ciphertext and the parameters used to create | |||
| it. | it. | |||
| Content Master Key (CMK) A key from which the CEK and CIK are | Content Master Key (CMK) A key from which the CEK and CIK are | |||
| derived. When key wrapping or key encryption are employed, the | derived. When key wrapping or key encryption are employed, the | |||
| CMK is randomly generated and encrypted to the recipient as the | CMK is randomly generated and encrypted to the recipient as the | |||
| JWE Encrypted Key. When key agreement is employed, the CMK is the | JWE Encrypted Key. When direct encryption with a shared symmetric | |||
| result of the key agreement algorithm. | key is employed, the CMK is the shared key. When key agreement | |||
| without key wrapping is employed, the CMK is the result of the key | ||||
| agreement algorithm. | ||||
| JWE Header A string representing a JSON object that describes the | JWE Header A string representing a JSON object that describes the | |||
| encryption operations applied to create the JWE Encrypted Key, the | encryption operations applied to create the JWE Encrypted Key, the | |||
| JWE Ciphertext, and the JWE Integrity Value. | JWE Ciphertext, and the JWE Integrity Value. | |||
| JWE Encrypted Key When key wrapping or key encryption are employed, | JWE Encrypted Key When key wrapping or key encryption are employed, | |||
| the Content Master Key (CMK) is encrypted with the intended | the Content Master Key (CMK) is encrypted with the intended | |||
| recipient's key and the resulting encrypted content is recorded as | recipient's key and the resulting encrypted content is recorded as | |||
| a byte array, which is referred to as the JWE Encrypted Key. | a byte array, which is referred to as the JWE Encrypted Key. | |||
| Otherwise, when key agreement is employed, the JWE Encrypted Key | Otherwise, when direct encryption with a shared or agreed upon | |||
| is the empty byte array. | symmetric key is employed, the JWE Encrypted Key is the empty byte | |||
| array. | ||||
| JWE Ciphertext A byte array containing the Ciphertext. | JWE Ciphertext A byte array containing the Ciphertext. | |||
| JWE Integrity Value A byte array containing a MAC value that ensures | JWE Integrity Value A byte array containing a MAC value that ensures | |||
| the integrity of the Ciphertext and the parameters used to create | the integrity of the Ciphertext and the parameters used to create | |||
| it. | it. | |||
| Base64url Encoding The URL- and filename-safe Base64 encoding | Base64url Encoding The URL- and filename-safe Base64 encoding | |||
| described in RFC 4648 [RFC4648], Section 5, with the (non URL- | described in RFC 4648 [RFC4648], Section 5, with the (non URL- | |||
| safe) '=' padding characters omitted, as permitted by Section 3.2. | safe) '=' padding characters omitted, as permitted by Section 3.2. | |||
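Review bot: the two definitions revised in -05 describe the same cases in different words. The Content Master Key entry separates "direct encryption with a shared symmetric key" from "key agreement without key wrapping", while the JWE Encrypted Key entry folds both into "direct encryption with a shared or agreed upon symmetric key". Using the same two phrases in both entries would make it plain that the JWE Encrypted Key is the empty byte array in exactly the cases where the CMK is not randomly generated. The CMK entry also leaves key agreement with key wrapping implicit under "key wrapping"; one clause saying so would spare implementers from inferring it.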
| skipping to change at page 6, line 25 ¶ | skipping to change at page 6, line 25 ¶ | |||
| functions. Examples of Collision Resistant Namespaces include: | functions. Examples of Collision Resistant Namespaces include: | |||
| Domain Names, Object Identifiers (OIDs) as defined in the ITU-T | Domain Names, Object Identifiers (OIDs) as defined in the ITU-T | |||
| X.660 and X.670 Recommendation series, and Universally Unique | X.660 and X.670 Recommendation series, and Universally Unique | |||
| IDentifiers (UUIDs) [RFC4122]. When using an administratively | IDentifiers (UUIDs) [RFC4122]. When using an administratively | |||
| delegated namespace, the definer of a name needs to take | delegated namespace, the definer of a name needs to take | |||
| reasonable precautions to ensure they are in control of the | reasonable precautions to ensure they are in control of the | |||
| portion of the namespace they use to define the name. | portion of the namespace they use to define the name. | |||
| StringOrURI A JSON string value, with the additional requirement | StringOrURI A JSON string value, with the additional requirement | |||
| that while arbitrary string values MAY be used, any value | that while arbitrary string values MAY be used, any value | |||
| containing a ":" character MUST be a URI [RFC3986]. | containing a ":" character MUST be a URI [RFC3986]. StringOrURI | |||
| values are compared as case-sensitive strings with no | ||||
| transformations or canonicalizations applied. | ||||
| 3. JSON Web Encryption (JWE) Overview | 3. JSON Web Encryption (JWE) Overview | |||
| JWE represents encrypted content using JSON data structures and | JWE represents encrypted content using JSON data structures and | |||
| base64url encoding. The representation consists of four parts: the | base64url encoding. The representation consists of four parts: the | |||
| JWE Header, the JWE Encrypted Key, the JWE Ciphertext, and the JWE | JWE Header, the JWE Encrypted Key, the JWE Ciphertext, and the JWE | |||
| Integrity Value. In the Compact Serialization, the four parts are | Integrity Value. In the Compact Serialization, the four parts are | |||
| base64url-encoded for transmission, and represented as the | base64url-encoded for transmission, and represented as the | |||
| concatenation of the encoded strings in that order, with the four | concatenation of the encoded strings in that order, with the four | |||
| strings being separated by period ('.') characters. (A JSON | strings being separated by period ('.') characters. (A JSON | |||
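Review bot: the sentence added to the StringOrURI definition ("compared as case-sensitive strings with no transformations or canonicalizations applied") means two URIs that RFC 3986 treats as equivalent, for example ones differing only in the case of the scheme or host, are distinct values here. That is a sound choice for a security identifier, but the definition should state the consequence: suggest adding that producers need to emit a value in exactly the form the consumer is configured with, so a spelling difference is understood as a mismatch rather than filed as an interoperability bug and "fixed" by normalizing on the receiving side.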
| skipping to change at page 7, line 14 ¶ | skipping to change at page 7, line 14 ¶ | |||
| o the Content Master Key is encrypted to the recipient using the | o the Content Master Key is encrypted to the recipient using the | |||
| RSAES OAEP algorithm to produce the JWE Encrypted Key, | RSAES OAEP algorithm to produce the JWE Encrypted Key, | |||
| o the Plaintext is encrypted using the AES GCM algorithm with a 256 | o the Plaintext is encrypted using the AES GCM algorithm with a 256 | |||
| bit key to produce the Ciphertext, and | bit key to produce the Ciphertext, and | |||
| o the 96 bit Initialization Vector (IV) with the base64url encoding | o the 96 bit Initialization Vector (IV) with the base64url encoding | |||
| "48V1_ALb6US04U3b" was used. | "48V1_ALb6US04U3b" was used. | |||
| {"alg":"RSA-OAEP","enc":"A256GCM","iv":"48V1_ALb6US04U3b"} | {"alg":"RSA-OAEP","enc":"A256GCM","iv":"48V1_ALb6US04U3b"} | |||
| Base64url encoding the bytes of the UTF-8 representation of the JWE | Base64url encoding the bytes of the UTF-8 representation of the JWE | |||
| Header yields this Encoded JWE Header value (with line breaks for | Header yields this Encoded JWE Header value (with line breaks for | |||
| display purposes only): | display purposes only): | |||
| eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00iLCJpdiI6IjQ4VjFfQUxi | ||||
| NlVTMDRVM2IifQ | eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00iLCJpdiI6IjQ4VjFfQUxi | |||
| NlVTMDRVM2IifQ | ||||
| The remaining steps to finish creating this JWE are: | The remaining steps to finish creating this JWE are: | |||
| o Generate a random Content Master Key (CMK) | o Generate a random Content Master Key (CMK) | |||
| o Encrypt the CMK with the recipient's public key using the RSAES | o Encrypt the CMK with the recipient's public key using the RSAES | |||
| OAEP algorithm to produce the JWE Encrypted Key | OAEP algorithm to produce the JWE Encrypted Key | |||
| o Base64url encode the JWE Encrypted Key to produce the Encoded JWE | o Base64url encode the JWE Encrypted Key to produce the Encoded JWE | |||
| Encrypted Key | Encrypted Key | |||
| skipping to change at page 8, line 5 ¶ | skipping to change at page 8, line 7 ¶ | |||
| Encoded JWE Integrity Value | Encoded JWE Integrity Value | |||
| o Assemble the final representation: The Compact Serialization of | o Assemble the final representation: The Compact Serialization of | |||
| this result is the concatenation of the Encoded JWE Header, the | this result is the concatenation of the Encoded JWE Header, the | |||
| Encoded JWE Encrypted Key, the Encoded JWE Ciphertext, and the | Encoded JWE Encrypted Key, the Encoded JWE Ciphertext, and the | |||
| Encoded JWE Integrity Value in that order, with the four strings | Encoded JWE Integrity Value in that order, with the four strings | |||
| being separated by three period ('.') characters. | being separated by three period ('.') characters. | |||
| The final result in this example (with line breaks for display | The final result in this example (with line breaks for display | |||
| purposes only) is: | purposes only) is: | |||
| eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00iLCJpdiI6IjQ4VjFfQUxi | ||||
| NlVTMDRVM2IifQ. | eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00iLCJpdiI6IjQ4VjFfQUxi | |||
| jvwoyhWxOMboB5cxX6ncAi7Wp3Q5FKRtlmIx35pfR9HpEa6Oy-iEpxEqM30W3YcR | NlVTMDRVM2IifQ. | |||
| Q8WU9ouRoO5jd6tfdcpX-2X-OteHw4dnMXdMLjHGGx86LMDeFRAN2KGz7EGPJiva | jvwoyhWxOMboB5cxX6ncAi7Wp3Q5FKRtlmIx35pfR9HpEa6Oy-iEpxEqM30W3YcR | |||
| w0yM80fzT3zY0PKrIvU5ml1M5szqUnX4Jw0-PNcIM_j-L5YkLhv3Yk04XCwTJwxN | Q8WU9ouRoO5jd6tfdcpX-2X-OteHw4dnMXdMLjHGGx86LMDeFRAN2KGz7EGPJiva | |||
| NmXCflYAQO9f00Aa213TJJr6dbHV6I642FwU-EWvtEfN3evgX3EFIVYSnT3HCHkA | w0yM80fzT3zY0PKrIvU5ml1M5szqUnX4Jw0-PNcIM_j-L5YkLhv3Yk04XCwTJwxN | |||
| AIdBQ9ykD-abRzVA_dGp_yJAZQcrZuNTqzThd_22YMPhIpzTygfC_4k7qqxI6t7L | NmXCflYAQO9f00Aa213TJJr6dbHV6I642FwU-EWvtEfN3evgX3EFIVYSnT3HCHkA | |||
| e_l5_o-taUG7vaNAl5FjEQ. | AIdBQ9ykD-abRzVA_dGp_yJAZQcrZuNTqzThd_22YMPhIpzTygfC_4k7qqxI6t7L | |||
| _e21tGGhac_peEFkLXr2dMPUZiUkrw. | e_l5_o-taUG7vaNAl5FjEQ. | |||
| YbZSeHCNDZBqAdzpROlyiw | _e21tGGhac_peEFkLXr2dMPUZiUkrw. | |||
| YbZSeHCNDZBqAdzpROlyiw | ||||
| See Appendix A.1 for the complete details of computing this JWE. | See Appendix A.1 for the complete details of computing this JWE. | |||
| 3.2. Example JWE with a Separate Integrity Check | 3.2. Example JWE with a Separate Integrity Check | |||
| This example encrypts the plaintext "Now is the time for all good men | This example encrypts the plaintext "Now is the time for all good men | |||
| to come to the aid of their country." to the recipient using RSAES- | to come to the aid of their country." to the recipient using RSAES- | |||
| PKCS1-V1_5 and AES CBC. AES CBC does not have an integrated | PKCS1-V1_5 and AES CBC. AES CBC does not have an integrated | |||
| integrity check, so a separate integrity check calculation is | integrity check, so a separate integrity check calculation is | |||
| performed using HMAC SHA-256, with separate encryption and integrity | performed using HMAC SHA-256, with separate encryption and integrity | |||
| skipping to change at page 8, line 44 ¶ | skipping to change at page 8, line 47 ¶ | |||
| o the Plaintext is encrypted using the AES CBC algorithm with a 128 | o the Plaintext is encrypted using the AES CBC algorithm with a 128 | |||
| bit key to produce the Ciphertext, | bit key to produce the Ciphertext, | |||
| o the JWE Integrity Value safeguarding the integrity of the | o the JWE Integrity Value safeguarding the integrity of the | |||
| Ciphertext and the parameters used to create it was computed with | Ciphertext and the parameters used to create it was computed with | |||
| the HMAC SHA-256 algorithm, and | the HMAC SHA-256 algorithm, and | |||
| o the 128 bit Initialization Vector (IV) with the base64url encoding | o the 128 bit Initialization Vector (IV) with the base64url encoding | |||
| "AxY8DCtDaGlsbGljb3RoZQ" was used. | "AxY8DCtDaGlsbGljb3RoZQ" was used. | |||
| {"alg":"RSA1_5","enc":"A128CBC","int":"HS256","iv":"AxY8DCtDaGls | {"alg":"RSA1_5","enc":"A128CBC","int":"HS256","iv":"AxY8DCtDaGls | |||
| bGljb3RoZQ"} | bGljb3RoZQ"} | |||
| Base64url encoding the bytes of the UTF-8 representation of the JWE | Base64url encoding the bytes of the UTF-8 representation of the JWE | |||
| Header yields this Encoded JWE Header value (with line breaks for | Header yields this Encoded JWE Header value (with line breaks for | |||
| display purposes only): | display purposes only): | |||
| eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDIiwiaW50IjoiSFMyNTYiLCJp | ||||
| diI6IkF4WThEQ3REYUdsc2JHbGpiM1JvWlEifQ | eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDIiwiaW50IjoiSFMyNTYiLCJp | |||
| diI6IkF4WThEQ3REYUdsc2JHbGpiM1JvWlEifQ | ||||
| The remaining steps to finish creating this JWE are like the previous | The remaining steps to finish creating this JWE are like the previous | |||
| example, but with an additional step to compute the separate | example, but with an additional step to compute the separate | |||
| integrity value: | integrity value: | |||
| o Generate a random Content Master Key (CMK) | o Generate a random Content Master Key (CMK) | |||
| o Encrypt the CMK with the recipient's public key using the RSAES- | o Encrypt the CMK with the recipient's public key using the RSAES- | |||
| PKCS1-V1_5 algorithm to produce the JWE Encrypted Key | PKCS1-V1_5 algorithm to produce the JWE Encrypted Key | |||
| o Base64url encode the JWE Encrypted Key to produce the Encoded JWE | o Base64url encode the JWE Encrypted Key to produce the Encoded JWE | |||
| skipping to change at page 10, line 5 ¶ | skipping to change at page 10, line 5 ¶ | |||
| o Assemble the final representation: The Compact Serialization of | o Assemble the final representation: The Compact Serialization of | |||
| this result is the concatenation of the Encoded JWE Header, the | this result is the concatenation of the Encoded JWE Header, the | |||
| Encoded JWE Encrypted Key, the Encoded JWE Ciphertext, and the | Encoded JWE Encrypted Key, the Encoded JWE Ciphertext, and the | |||
| Encoded JWE Integrity Value in that order, with the four strings | Encoded JWE Integrity Value in that order, with the four strings | |||
| being separated by three period ('.') characters. | being separated by three period ('.') characters. | |||
| The final result in this example (with line breaks for display | The final result in this example (with line breaks for display | |||
| purposes only) is: | purposes only) is: | |||
| eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDIiwiaW50IjoiSFMyNTYiLCJp | eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDIiwiaW50IjoiSFMyNTYiLCJp | |||
| diI6IkF4WThEQ3REYUdsc2JHbGpiM1JvWlEifQ. | diI6IkF4WThEQ3REYUdsc2JHbGpiM1JvWlEifQ. | |||
| IPI_z172hSWHMFgED8EG9DM6hIXU_6NaO1DImCn0vNeuoBq847Sl6qw_GHSYHJUQ | IPI_z172hSWHMFgED8EG9DM6hIXU_6NaO1DImCn0vNeuoBq847Sl6qw_GHSYHJUQ | |||
| XtXJq7S_CxWVrI82wjrOyaQca5tLZRZc45BfKHeqByThKI261QevEK56SyAwwXfK | XtXJq7S_CxWVrI82wjrOyaQca5tLZRZc45BfKHeqByThKI261QevEK56SyAwwXfK | |||
| KZjSvkQ5dwTFSgfy76rMSUvVynHYEhdCatBF9HWTAiXPx7hgZixG1FeP_QCmOylz | KZjSvkQ5dwTFSgfy76rMSUvVynHYEhdCatBF9HWTAiXPx7hgZixG1FeP_QCmOylz | |||
| 2VClVyYFCbjKREOwBFf-puNYfO75S3LNlJUtTsGGQL2oTKpMsEiUTdefkje91VX9 | 2VClVyYFCbjKREOwBFf-puNYfO75S3LNlJUtTsGGQL2oTKpMsEiUTdefkje91VX9 | |||
| h8g7908lFsggbjV7NicJsufuXxnTj1fcWIrRDeNIOmakiPEODi0gTSz0ou-W-LWK | h8g7908lFsggbjV7NicJsufuXxnTj1fcWIrRDeNIOmakiPEODi0gTSz0ou-W-LWK | |||
| -3T1zYlOIiIKBjsExQKZ-w. | -3T1zYlOIiIKBjsExQKZ-w. | |||
| _Z_djlIoC4MDSCKireWS2beti4Q6iSG2UjFujQvdz-_PQdUcFNkOulegD6BgjgdF | _Z_djlIoC4MDSCKireWS2beti4Q6iSG2UjFujQvdz-_PQdUcFNkOulegD6BgjgdF | |||
| LjeB4HHOO7UHvP8PEDu0a0sA2a_-CI0w2YQQ2QQe35M. | LjeB4HHOO7UHvP8PEDu0a0sA2a_-CI0w2YQQ2QQe35M. | |||
| c41k4T4eAgCCt63m8ZNmiOinMciFFypOFpvid7i6D0k | c41k4T4eAgCCt63m8ZNmiOinMciFFypOFpvid7i6D0k | |||
| See Appendix A.2 for the complete details of computing this JWE. | See Appendix A.2 for the complete details of computing this JWE. | |||
| 4. JWE Header | 4. JWE Header | |||
| The members of the JSON object represented by the JWE Header describe | The members of the JSON object represented by the JWE Header describe | |||
| the encryption applied to the Plaintext and optionally additional | the encryption applied to the Plaintext and optionally additional | |||
| properties of the JWE. The Header Parameter Names within this object | properties of the JWE. The Header Parameter Names within this object | |||
| MUST be unique; JWEs with duplicate Header Parameter Names MUST be | MUST be unique; JWEs with duplicate Header Parameter Names MUST be | |||
| rejected. Implementations MUST understand the entire contents of the | rejected. Implementations MUST understand the entire contents of the | |||
| header; otherwise, the JWE MUST be rejected. | header; otherwise, the JWE MUST be rejected. | |||
| There are two ways of distinguishing whether a header is a JWS Header | There are two ways of distinguishing whether a header is a JWS Header | |||
| or a JWE Header. The first is by examining the "alg" (algorithm) | or a JWE Header. The first is by examining the "alg" (algorithm) | |||
| header value. If the value represents a digital signature or MAC | header value. If the value represents a digital signature or MAC | |||
| algorithm, or is the value "none", it is for a JWS; if it represents | algorithm, or is the value "none", it is for a JWS; if it represents | |||
| an encryption or key agreement algorithm, it is for a JWE. A second | an encryption or key agreement algorithm, it is for a JWE. A second | |||
| method is determining whether an "enc" (encryption method) member | method is determining whether an "enc" (encryption method) member | |||
| exists. If the "enc" member exists, it is a JWE; otherwise, it is a | exists. If the "enc" member exists, it is a JWE; otherwise, it is a | |||
| JWS. Both methods will yield the same result. | JWS. Both methods will yield the same result for all legal input | |||
| values. | ||||
| There are three classes of Header Parameter Names: Reserved Header | There are three classes of Header Parameter Names: Reserved Header | |||
| Parameter Names, Public Header Parameter Names, and Private Header | Parameter Names, Public Header Parameter Names, and Private Header | |||
| Parameter Names. | Parameter Names. | |||
| 4.1. Reserved Header Parameter Names | 4.1. Reserved Header Parameter Names | |||
| The following header parameter names are reserved with meanings as | The following header parameter names are reserved with meanings as | |||
| defined below. All the names are short because a core goal of JWE is | defined below. All the names are short because a core goal of JWE is | |||
| for the representations to be compact. | for the representations to be compact. | |||
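Review bot: the qualifier "for all legal input values" added at the end of the JWS/JWE discrimination paragraph in Section 4 acknowledges that the "alg" test and the "enc" test can disagree on malformed input, yet the text does not say what a receiver does in that case. A header carrying an "enc" member together with an "alg" value that names a signature or MAC algorithm, or "none", would be classified differently depending on which test an implementation runs. Suggest stating that a header on which the two tests disagree MUST be rejected, or naming one test as the normative one, so that all implementations take the same code path for the same input.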
| skipping to change at page 11, line 9 ¶ | skipping to change at page 11, line 10 ¶ | |||
| Additional reserved header parameter names MAY be defined via the | Additional reserved header parameter names MAY be defined via the | |||
| IANA JSON Web Signature and Encryption Header Parameters registry | IANA JSON Web Signature and Encryption Header Parameters registry | |||
| [JWS]. As indicated by the common registry, JWSs and JWEs share a | [JWS]. As indicated by the common registry, JWSs and JWEs share a | |||
| common header parameter space; when a parameter is used by both | common header parameter space; when a parameter is used by both | |||
| specifications, its usage must be compatible between the | specifications, its usage must be compatible between the | |||
| specifications. | specifications. | |||
| 4.1.1. "alg" (Algorithm) Header Parameter | 4.1.1. "alg" (Algorithm) Header Parameter | |||
| The "alg" (algorithm) header parameter identifies the cryptographic | The "alg" (algorithm) header parameter identifies the cryptographic | |||
| algorithm used to encrypt or reach agreement upon the Content Master | algorithm used to encrypt or determine the value of the Content | |||
| Key (CMK). The algorithm specified by the "alg" value MUST be | Master Key (CMK). The algorithm specified by the "alg" value MUST be | |||
| supported by the implementation and there MUST be a key for use with | supported by the implementation and there MUST be a key for use with | |||
| that algorithm associated with the intended recipient or the JWE MUST | that algorithm associated with the intended recipient or the JWE MUST | |||
| be rejected. "alg" values SHOULD either be registered in the IANA | be rejected. "alg" values SHOULD either be registered in the IANA | |||
| JSON Web Signature and Encryption Algorithms registry [JWA] or be a | JSON Web Signature and Encryption Algorithms registry [JWA] or be a | |||
| URI that contains a Collision Resistant Namespace. The "alg" value | URI that contains a Collision Resistant Namespace. The "alg" value | |||
| is a case sensitive string containing a StringOrURI value. This | is a case sensitive string containing a StringOrURI value. This | |||
| header parameter is REQUIRED. | header parameter is REQUIRED. | |||
| A list of defined "alg" values can be found in the IANA JSON Web | A list of defined "alg" values can be found in the IANA JSON Web | |||
| Signature and Encryption Algorithms registry [JWA]; the initial | Signature and Encryption Algorithms registry [JWA]; the initial | |||
| skipping to change at page 15, line 46 ¶ | skipping to change at page 15, line 46 ¶ | |||
| name that is not a Reserved Name Section 4.1 or a Public Name | name that is not a Reserved Name Section 4.1 or a Public Name | |||
| Section 4.2. Unlike Public Names, these private names are subject to | Section 4.2. Unlike Public Names, these private names are subject to | |||
| collision and should be used with caution. | collision and should be used with caution. | |||
| 5. Message Encryption | 5. Message Encryption | |||
| The message encryption process is as follows. The order of the steps | The message encryption process is as follows. The order of the steps | |||
| is not significant in cases where there are no dependencies between | is not significant in cases where there are no dependencies between | |||
| the inputs and outputs of the steps. | the inputs and outputs of the steps. | |||
| 1. When key wrapping or key encryption are employed, generate a | 1. When key agreement is employed, use the key agreement algorithm | |||
| random Content Master Key (CMK). See RFC 4086 [RFC4086] for | to compute the value of the agreed upon key. When key agreement | |||
| considerations on generating random values. Otherwise, when key | without key wrapping is employed, let the Content Master Key | |||
| agreement is employed, use the key agreement algorithm to | (CMK) be the agreed upon key. When key agreement with key | |||
| compute the value of the Content Master Key (CMK). The CMK MUST | wrapping is employed, the agreed upon key will be used to wrap | |||
| have a length equal to that of the larger of the required | the CMK. | |||
| encryption and integrity keys. | ||||
| 2. When key wrapping or key encryption are employed, encrypt the | 2. When key wrapping, key encryption, or key agreement with key | |||
| CMK for the recipient (see Section 7) and let the result be the | wrapping are employed, generate a random Content Master Key | |||
| JWE Encrypted Key. Otherwise, when key agreement is employed, | (CMK). See RFC 4086 [RFC4086] for considerations on generating | |||
| let the JWE Encrypted Key be an empty byte array. | random values. The CMK MUST have a length equal to that of the | |||
| larger of the required encryption and integrity keys. | ||||
| 3. Base64url encode the JWE Encrypted Key to create the Encoded JWE | 3. When key wrapping, key encryption, or key agreement with key | |||
| wrapping are employed, encrypt the CMK for the recipient (see | ||||
| Section 7) and let the result be the JWE Encrypted Key. | ||||
| Otherwise, when direct encryption with a shared or agreed upon | ||||
| symmetric key is employed, let the JWE Encrypted Key be the | ||||
| empty byte array. | ||||
| 4. When direct encryption with a shared symmetric key is employed, | ||||
| let the Content Master Key (CMK) be the shared key. | ||||
| 5. Base64url encode the JWE Encrypted Key to create the Encoded JWE | ||||
| Encrypted Key. | Encrypted Key. | |||
| 4. Generate a random Initialization Vector (IV) of the correct size | 6. Generate a random Initialization Vector (IV) of the correct size | |||
| for the algorithm (if required for the algorithm). | for the algorithm (if required for the algorithm). | |||
| 5. If not using an AEAD algorithm, run the key derivation algorithm | 7. If not using an AEAD algorithm, run the key derivation algorithm | |||
| specified by the "kdf" header parameter to generate the Content | specified by the "kdf" header parameter to generate the Content | |||
| Encryption Key (CEK) and the Content Integrity Key (CIK); | Encryption Key (CEK) and the Content Integrity Key (CIK); | |||
| otherwise (when using an AEAD algorithm), set the CEK to be the | otherwise (when using an AEAD algorithm), set the CEK to be the | |||
| CMK. | CMK. | |||
| 6. Compress the Plaintext if a "zip" parameter was included. | 8. Compress the Plaintext if a "zip" parameter was included. | |||
| 7. Serialize the (compressed) Plaintext into a byte sequence M. | 9. Serialize the (compressed) Plaintext into a byte sequence M. | |||
| 8. Create a JWE Header containing the encryption parameters used. | 10. Create a JWE Header containing the encryption parameters used. | |||
| Note that white space is explicitly allowed in the | Note that white space is explicitly allowed in the | |||
| representation and no canonicalization need be performed before | representation and no canonicalization need be performed before | |||
| encoding. | encoding. | |||
| 9. Base64url encode the bytes of the UTF-8 representation of the | 11. Base64url encode the bytes of the UTF-8 representation of the | |||
| JWE Header to create the Encoded JWE Header. | JWE Header to create the Encoded JWE Header. | |||
| 10. Encrypt M using the CEK and IV to form the byte sequence C. If | 12. Encrypt M using the CEK and IV to form the byte sequence C. If | |||
| an AEAD algorithm is used, use the bytes of the ASCII | an AEAD algorithm is used, use the bytes of the ASCII | |||
| representation of the concatenation of the Encoded JWE Header, a | representation of the concatenation of the Encoded JWE Header, a | |||
| period ('.') character, and the Encoded JWE Encrypted Key as the | period ('.') character, and the Encoded JWE Encrypted Key as the | |||
| "additional authenticated data" parameter value for the | "additional authenticated data" parameter value for the | |||
| encryption. | encryption. | |||
| 11. Base64url encode C to create the Encoded JWE Ciphertext. | 13. Base64url encode C to create the Encoded JWE Ciphertext. | |||
| 12. If not using an AEAD algorithm, run the integrity algorithm (see | 14. If not using an AEAD algorithm, run the integrity algorithm (see | |||
| Section 8) using the CIK to compute the JWE Integrity Value; | Section 8) using the CIK to compute the JWE Integrity Value; | |||
| otherwise (when using an AEAD algorithm), set the JWE Integrity | otherwise (when using an AEAD algorithm), set the JWE Integrity | |||
| Value to be the "authentication tag" value produced by the AEAD | Value to be the "authentication tag" value produced by the AEAD | |||
| algorithm. | algorithm. | |||
| 13. Base64url encode the JWE Integrity Value to create the Encoded | 15. Base64url encode the JWE Integrity Value to create the Encoded | |||
| JWE Integrity Value. | JWE Integrity Value. | |||
| 14. The four encoded parts, taken together, are the result. | 16. The four encoded parts, taken together, are the result. | |||
| 15. The Compact Serialization of this result is the concatenation of | 17. The Compact Serialization of this result is the concatenation of | |||
| the Encoded JWE Header, the Encoded JWE Encrypted Key, the | the Encoded JWE Header, the Encoded JWE Encrypted Key, the | |||
| Encoded JWE Ciphertext, and the Encoded JWE Integrity Value in | Encoded JWE Ciphertext, and the Encoded JWE Integrity Value in | |||
| that order, with the four strings being separated by period | that order, with the four strings being separated by period | |||
| ('.') characters. | ('.') characters. | |||
| 6. Message Decryption | 6. Message Decryption | |||
| The message decryption process is the reverse of the encryption | The message decryption process is the reverse of the encryption | |||
| process. The order of the steps is not significant in cases where | process. The order of the steps is not significant in cases where | |||
| there are no dependencies between the inputs and outputs of the | there are no dependencies between the inputs and outputs of the | |||
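Review bot: In the renumbered Section 5 steps, the sentence "The CMK MUST have a length equal to that of the larger of the required encryption and integrity keys" now sits only in step 2, which covers a randomly generated CMK. In -04 it was part of step 1 and also covered a CMK computed by key agreement; in -05 neither step 1 (CMK is the agreed upon key) nor step 4 (CMK is the shared key) carries a length requirement. Suggest moving the requirement into a step of its own that applies however the CMK is obtained, or repeating it in steps 1 and 4. A smaller point: step 3 speaks of direct encryption with "a shared or agreed upon symmetric key" while step 1 calls the second case "key agreement without key wrapping" and step 4 names only the shared key; using one name per mode would make the steps easier to follow.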
| skipping to change at page 17, line 38 ¶ | skipping to change at page 17, line 49 ¶ | |||
| be successfully base64url decoded following the restriction that | be successfully base64url decoded following the restriction that | |||
| no padding characters have been used. | no padding characters have been used. | |||
| 3. The resulting JWE Header MUST be completely valid JSON syntax | 3. The resulting JWE Header MUST be completely valid JSON syntax | |||
| conforming to RFC 4627 [RFC4627]. | conforming to RFC 4627 [RFC4627]. | |||
| 4. The resulting JWE Header MUST be validated to only include | 4. The resulting JWE Header MUST be validated to only include | |||
| parameters and values whose syntax and semantics are both | parameters and values whose syntax and semantics are both | |||
| understood and supported. | understood and supported. | |||
| 5. Verify that the JWE Header references a key known to the | 5. Verify that the JWE uses a key known to the recipient. | |||
| recipient. | ||||
| 6. When key wrapping or key encryption are employed, decrypt the | 6. When key agreement is employed, use the key agreement algorithm | |||
| JWE Encrypted Key to produce the Content Master Key (CMK). | to compute the value of the agreed upon key. When key agreement | |||
| Otherwise, when key agreement is employed, use the key agreement | without key wrapping is employed, let the Content Master Key | |||
| algorithm to compute the value of the Content Master Key (CMK). | (CMK) be the agreed upon key. When key agreement with key | |||
| The CMK MUST have a length equal to that of the larger of the | wrapping is employed, the agreed upon key will be used to | |||
| required encryption and integrity keys. | decrypt the JWE Encrypted Key. | |||
| 7. If not using an AEAD algorithm, run the key derivation algorithm | 7. When key wrapping, key encryption, or key agreement with key | |||
| wrapping are employed, decrypt the JWE Encrypted Key to produce | ||||
| the Content Master Key (CMK). The CMK MUST have a length equal | ||||
| to that of the larger of the required encryption and integrity | ||||
| keys. | ||||
| 8. When direct encryption with a shared symmetric key is employed, | ||||
| let the Content Master Key (CMK) be the shared key. | ||||
| 9. If not using an AEAD algorithm, run the key derivation algorithm | ||||
| specified by the "kdf" header parameter to generate the Content | specified by the "kdf" header parameter to generate the Content | |||
| Encryption Key (CEK) and the Content Integrity Key (CIK); | Encryption Key (CEK) and the Content Integrity Key (CIK); | |||
| otherwise (when using an AEAD algorithm), set the CEK to be the | otherwise (when using an AEAD algorithm), set the CEK to be the | |||
| CMK. | CMK. | |||
| 8. Decrypt the binary representation of the JWE Ciphertext using | 10. Decrypt the binary representation of the JWE Ciphertext using | |||
| the CEK and IV. If an AEAD algorithm is used, use the bytes of | the CEK and IV. If an AEAD algorithm is used, use the bytes of | |||
| the ASCII representation of the concatenation of the Encoded JWE | the ASCII representation of the concatenation of the Encoded JWE | |||
| Header, a period ('.') character, and the Encoded JWE Encrypted | Header, a period ('.') character, and the Encoded JWE Encrypted | |||
| Key as the "additional authenticated data" parameter value for | Key as the "additional authenticated data" parameter value for | |||
| the decryption. | the decryption. | |||
| 9. If not using an AEAD algorithm, run the integrity algorithm (see | 11. If not using an AEAD algorithm, run the integrity algorithm (see | |||
| Section 8) using the CIK to compute an integrity value for the | Section 8) using the CIK to compute an integrity value for the | |||
| input received. This computed value MUST match the received JWE | input received. This computed value MUST match the received JWE | |||
| Integrity Value; otherwise (when using an AEAD algorithm), the | Integrity Value; otherwise (when using an AEAD algorithm), the | |||
| received JWE Integrity Value MUST match the "authentication tag" | received JWE Integrity Value MUST match the "authentication tag" | |||
| value produced by the AEAD algorithm. | value produced by the AEAD algorithm. | |||
| 10. Uncompress the result of the previous step, if a "zip" parameter | 12. Uncompress the result of the previous step, if a "zip" parameter | |||
| was included. | was included. | |||
| 11. Output the resulting Plaintext. | 13. Output the resulting Plaintext. | |||
| 7. CMK Encryption | 7. CMK Encryption | |||
| JWE supports two forms of Content Master Key (CMK) encryption: | JWE supports three forms of Content Master Key (CMK) encryption: | |||
| o Asymmetric encryption under the recipient's public key. | o Asymmetric encryption under the recipient's public key. | |||
| o Symmetric encryption under a key shared between the sender and | o Symmetric encryption under a key shared between the sender and | |||
| receiver. | receiver. | |||
| o Symmetric encryption under a key agreed upon between the sender | ||||
| and receiver. | ||||
| See the algorithms registered for "enc" usage in the IANA JSON Web | See the algorithms registered for "enc" usage in the IANA JSON Web | |||
| Signature and Encryption Algorithms registry [JWA] and Section 4.1 of | Signature and Encryption Algorithms registry [JWA] and Section 4.1 of | |||
| the JSON Web Algorithms (JWA) [JWA] specification for lists of | the JSON Web Algorithms (JWA) [JWA] specification for lists of | |||
| encryption algorithms that can be used for CMK encryption. | encryption algorithms that can be used for CMK encryption. | |||
| 8. Integrity Value Calculation | 8. Integrity Value Calculation | |||
| When a non-AEAD algorithm is used (an algorithm without an integrated | When a non-AEAD algorithm is used (an algorithm without an integrated | |||
| content check), JWE adds an explicit integrity check value to the | content check), JWE adds an explicit integrity check value to the | |||
| representation. This value is computed in the manner described in | representation. This value is computed in the manner described in | |||
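Review bot: The new decryption steps 6 and 8 do not tell the recipient to check the JWE Encrypted Key when key agreement without key wrapping or direct encryption with a shared symmetric key is used, although encryption step 3 requires it to be the empty byte array in those modes. Suggest adding that a non-empty JWE Encrypted Key in those modes MUST cause the JWE to be rejected. Also, the CMK length requirement now appears only in step 7 (decrypted CMK), whereas the -04 step 6 applied it to the key agreement case as well; it should cover the agreed upon and shared keys of steps 6 and 8 too. Finally, Section 7 now lists "three forms" of CMK encryption, but the following paragraph still points only at the algorithms registered for "enc" usage; it is worth confirming that this reference is the intended one for key agreement with key wrapping.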
| skipping to change at page 23, line 33 ¶ | skipping to change at page 24, line 9 ¶ | |||
| 12. Open Issues | 12. Open Issues | |||
| [[ to be removed by the RFC editor before publication as an RFC ]] | [[ to be removed by the RFC editor before publication as an RFC ]] | |||
| The following items remain to be considered or done in this draft: | The following items remain to be considered or done in this draft: | |||
| o Should we define an optional nonce and/or timestamp header | o Should we define an optional nonce and/or timestamp header | |||
| parameter? (Use of a nonce is an effective countermeasure to some | parameter? (Use of a nonce is an effective countermeasure to some | |||
| kinds of attacks.) | kinds of attacks.) | |||
| o When doing key agreement, do we want to also use a separate CMK | ||||
| and encrypt the CMK with the agreed upon key or just use the | ||||
| agreed upon key directly as the CMK? Or support both? Having a | ||||
| CMK would have value in the multiple recipients case, as it would | ||||
| allow multiple recipients to share the same ciphertext even when | ||||
| key agreement is used, but it seems that it's just extra overhead | ||||
| in the single recipient case. (Also see the related open issue | ||||
| about performing symmetric encryption directly with a shared key, | ||||
| without using a CMK.) | ||||
| o Do we want to consolidate the combination of the "enc", "int", and | o Do we want to consolidate the combination of the "enc", "int", and | |||
| "kdf" parameters into a single new "enc" parameter defining | "kdf" parameters into a single new "enc" parameter defining | |||
| composite AEAD algorithms? For instance, we might define a | composite AEAD algorithms? For instance, we might define a | |||
| composite algorithm A128CBC with HS256 and CS256 and another | composite algorithm A128CBC with HS256 and CS256 and another | |||
| composite algorithm A256CBC with HS512 and CS512. A symmetry | composite algorithm A256CBC with HS512 and CS512. A symmetry | |||
| argument for doing this is that the "int" and "kdf" parameters are | argument for doing this is that the "int" and "kdf" parameters are | |||
| not used with AEAD algorithms. An argument against it is that in | not used with AEAD algorithms. An argument against it is that in | |||
| some cases, integrity is not needed because it's provided by other | some cases, integrity is not needed because it's provided by other | |||
| means, and so having the flexibility to not use an "int" algorithm | means, and so having the flexibility to not use an "int" algorithm | |||
| or key derivation with a non-AEAD "enc" algorithm could be useful. | or key derivation with a non-AEAD "enc" algorithm could be useful. | |||
| o Do we want to represent the JWE IV as a separate dot-separated | ||||
| element or continue to have it be in the header? An IV is always | ||||
| required in practice for the block encryption algorithms we've | ||||
| specified. This would save 15 and 17 characters, respectively, | ||||
| for the current AES GCM and AES CBC examples. | ||||
| 13. References | 13. References | |||
| 13.1. Normative References | 13.1. Normative References | |||
| [ITU.X690.1994] | [ITU.X690.1994] | |||
| International Telecommunications Union, "Information | International Telecommunications Union, "Information | |||
| Technology - ASN.1 encoding rules: Specification of Basic | Technology - ASN.1 encoding rules: Specification of Basic | |||
| Encoding Rules (BER), Canonical Encoding Rules (CER) and | Encoding Rules (BER), Canonical Encoding Rules (CER) and | |||
| Distinguished Encoding Rules (DER)", ITU-T Recommendation | Distinguished Encoding Rules (DER)", ITU-T Recommendation | |||
| X.690, 1994. | X.690, 1994. | |||
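Review bot: Two items are deleted from Section 12 (Open Issues) without their outcome being recorded where a reader of the diff can find it. The key agreement question is answered by the new Section 5 and 6 steps, which support both using the agreed upon key directly as the CMK and wrapping a separate CMK. The IV question is answered only implicitly, by the Appendix A headers that still carry an "iv" member. Suggest a short change log entry stating both resolutions, in particular that the IV stays in the header.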
| skipping to change at page 26, line 32 ¶ | skipping to change at page 27, line 5 ¶ | |||
| o the Content Master Key is encrypted to the recipient using the | o the Content Master Key is encrypted to the recipient using the | |||
| RSAES OAEP algorithm to produce the JWE Encrypted Key, | RSAES OAEP algorithm to produce the JWE Encrypted Key, | |||
| o the Plaintext is encrypted using the AES GCM algorithm with a 256 | o the Plaintext is encrypted using the AES GCM algorithm with a 256 | |||
| bit key to produce the Ciphertext, and | bit key to produce the Ciphertext, and | |||
| o the 96 bit Initialization Vector (IV) [227, 197, 117, 252, 2, 219, | o the 96 bit Initialization Vector (IV) [227, 197, 117, 252, 2, 219, | |||
| 233, 68, 180, 225, 77, 219] with the base64url encoding | 233, 68, 180, 225, 77, 219] with the base64url encoding | |||
| "48V1_ALb6US04U3b" was used. | "48V1_ALb6US04U3b" was used. | |||
| {"alg":"RSA-OAEP","enc":"A256GCM","iv":"48V1_ALb6US04U3b"} | {"alg":"RSA-OAEP","enc":"A256GCM","iv":"48V1_ALb6US04U3b"} | |||
| A.1.2. Encoded JWE Header | A.1.2. Encoded JWE Header | |||
| Base64url encoding the bytes of the UTF-8 representation of the JWE | Base64url encoding the bytes of the UTF-8 representation of the JWE | |||
| Header yields this Encoded JWE Header value (with line breaks for | Header yields this Encoded JWE Header value (with line breaks for | |||
| display purposes only): | display purposes only): | |||
| eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00iLCJpdiI6IjQ4VjFfQUxi | ||||
| NlVTMDRVM2IifQ | eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00iLCJpdiI6IjQ4VjFfQUxi | |||
| NlVTMDRVM2IifQ | ||||
| A.1.3. Content Master Key (CMK) | A.1.3. Content Master Key (CMK) | |||
| Generate a random Content Master Key (CMK). In this example, the key | Generate a random Content Master Key (CMK). In this example, the key | |||
| value is: | value is: | |||
| [177, 161, 244, 128, 84, 143, 225, 115, 63, 180, 3, 255, 107, 154, | [177, 161, 244, 128, 84, 143, 225, 115, 63, 180, 3, 255, 107, 154, | |||
| 212, 246, 138, 7, 110, 91, 112, 46, 34, 105, 47, 130, 203, 46, 122, | 212, 246, 138, 7, 110, 91, 112, 46, 34, 105, 47, 130, 203, 46, 122, | |||
| 234, 64, 252] | 234, 64, 252] | |||
| skipping to change at page 29, line 10 ¶ | skipping to change at page 30, line 10 ¶ | |||
| 43, 102, 227, 83, 171, 52, 225, 119, 253, 182, 96, 195, 225, 34, 156, | 43, 102, 227, 83, 171, 52, 225, 119, 253, 182, 96, 195, 225, 34, 156, | |||
| 211, 202, 7, 194, 255, 137, 59, 170, 172, 72, 234, 222, 203, 123, | 211, 202, 7, 194, 255, 137, 59, 170, 172, 72, 234, 222, 203, 123, | |||
| 249, 121, 254, 143, 173, 105, 65, 187, 189, 163, 64, 151, 145, 99, | 249, 121, 254, 143, 173, 105, 65, 187, 189, 163, 64, 151, 145, 99, | |||
| 17] | 17] | |||
| A.1.5. Encoded JWE Encrypted Key | A.1.5. Encoded JWE Encrypted Key | |||
| Base64url encode the JWE Encrypted Key to produce the Encoded JWE | Base64url encode the JWE Encrypted Key to produce the Encoded JWE | |||
| Encrypted Key. This result (with line breaks for display purposes | Encrypted Key. This result (with line breaks for display purposes | |||
| only) is: | only) is: | |||
| jvwoyhWxOMboB5cxX6ncAi7Wp3Q5FKRtlmIx35pfR9HpEa6Oy-iEpxEqM30W3YcR | ||||
| Q8WU9ouRoO5jd6tfdcpX-2X-OteHw4dnMXdMLjHGGx86LMDeFRAN2KGz7EGPJiva | jvwoyhWxOMboB5cxX6ncAi7Wp3Q5FKRtlmIx35pfR9HpEa6Oy-iEpxEqM30W3YcR | |||
| w0yM80fzT3zY0PKrIvU5ml1M5szqUnX4Jw0-PNcIM_j-L5YkLhv3Yk04XCwTJwxN | Q8WU9ouRoO5jd6tfdcpX-2X-OteHw4dnMXdMLjHGGx86LMDeFRAN2KGz7EGPJiva | |||
| NmXCflYAQO9f00Aa213TJJr6dbHV6I642FwU-EWvtEfN3evgX3EFIVYSnT3HCHkA | w0yM80fzT3zY0PKrIvU5ml1M5szqUnX4Jw0-PNcIM_j-L5YkLhv3Yk04XCwTJwxN | |||
| AIdBQ9ykD-abRzVA_dGp_yJAZQcrZuNTqzThd_22YMPhIpzTygfC_4k7qqxI6t7L | NmXCflYAQO9f00Aa213TJJr6dbHV6I642FwU-EWvtEfN3evgX3EFIVYSnT3HCHkA | |||
| e_l5_o-taUG7vaNAl5FjEQ | AIdBQ9ykD-abRzVA_dGp_yJAZQcrZuNTqzThd_22YMPhIpzTygfC_4k7qqxI6t7L | |||
| e_l5_o-taUG7vaNAl5FjEQ | ||||
| A.1.6. "Additional Authenticated Data" Parameter | A.1.6. "Additional Authenticated Data" Parameter | |||
| Concatenate the Encoded JWE Header value, a period character ('.'), | Concatenate the Encoded JWE Header value, a period character ('.'), | |||
| and the Encoded JWE Encrypted Key to create the "additional | and the Encoded JWE Encrypted Key to create the "additional | |||
| authenticated data" parameter for the AES GCM algorithm. This result | authenticated data" parameter for the AES GCM algorithm. This result | |||
| (with line breaks for display purposes only) is: | (with line breaks for display purposes only) is: | |||
| eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00iLCJpdiI6IjQ4VjFfQUxi | ||||
| NlVTMDRVM2IifQ. | eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00iLCJpdiI6IjQ4VjFfQUxi | |||
| jvwoyhWxOMboB5cxX6ncAi7Wp3Q5FKRtlmIx35pfR9HpEa6Oy-iEpxEqM30W3YcR | NlVTMDRVM2IifQ. | |||
| Q8WU9ouRoO5jd6tfdcpX-2X-OteHw4dnMXdMLjHGGx86LMDeFRAN2KGz7EGPJiva | jvwoyhWxOMboB5cxX6ncAi7Wp3Q5FKRtlmIx35pfR9HpEa6Oy-iEpxEqM30W3YcR | |||
| w0yM80fzT3zY0PKrIvU5ml1M5szqUnX4Jw0-PNcIM_j-L5YkLhv3Yk04XCwTJwxN | Q8WU9ouRoO5jd6tfdcpX-2X-OteHw4dnMXdMLjHGGx86LMDeFRAN2KGz7EGPJiva | |||
| NmXCflYAQO9f00Aa213TJJr6dbHV6I642FwU-EWvtEfN3evgX3EFIVYSnT3HCHkA | w0yM80fzT3zY0PKrIvU5ml1M5szqUnX4Jw0-PNcIM_j-L5YkLhv3Yk04XCwTJwxN | |||
| AIdBQ9ykD-abRzVA_dGp_yJAZQcrZuNTqzThd_22YMPhIpzTygfC_4k7qqxI6t7L | NmXCflYAQO9f00Aa213TJJr6dbHV6I642FwU-EWvtEfN3evgX3EFIVYSnT3HCHkA | |||
| e_l5_o-taUG7vaNAl5FjEQ | AIdBQ9ykD-abRzVA_dGp_yJAZQcrZuNTqzThd_22YMPhIpzTygfC_4k7qqxI6t7L | |||
| e_l5_o-taUG7vaNAl5FjEQ | ||||
| The representation of this value is: | The representation of this value is: | |||
| [101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 83, 85, 48, 69, | [101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 83, 85, 48, 69, | |||
| 116, 84, 48, 70, 70, 85, 67, 73, 115, 73, 109, 86, 117, 89, 121, 73, | 116, 84, 48, 70, 70, 85, 67, 73, 115, 73, 109, 86, 117, 89, 121, 73, | |||
| 54, 73, 107, 69, 121, 78, 84, 90, 72, 81, 48, 48, 105, 76, 67, 74, | 54, 73, 107, 69, 121, 78, 84, 90, 72, 81, 48, 48, 105, 76, 67, 74, | |||
| 112, 100, 105, 73, 54, 73, 106, 81, 52, 86, 106, 70, 102, 81, 85, | 112, 100, 105, 73, 54, 73, 106, 81, 52, 86, 106, 70, 102, 81, 85, | |||
| 120, 105, 78, 108, 86, 84, 77, 68, 82, 86, 77, 50, 73, 105, 102, 81, | 120, 105, 78, 108, 86, 84, 77, 68, 82, 86, 77, 50, 73, 105, 102, 81, | |||
| 46, 106, 118, 119, 111, 121, 104, 87, 120, 79, 77, 98, 111, 66, 53, | 46, 106, 118, 119, 111, 121, 104, 87, 120, 79, 77, 98, 111, 66, 53, | |||
| 99, 120, 88, 54, 110, 99, 65, 105, 55, 87, 112, 51, 81, 53, 70, 75, | 99, 120, 88, 54, 110, 99, 65, 105, 55, 87, 112, 51, 81, 53, 70, 75, | |||
| skipping to change at page 30, line 32 ¶ | skipping to change at page 31, line 34 ¶ | |||
| The resulting "authentication tag" value is: | The resulting "authentication tag" value is: | |||
| [97, 182, 82, 120, 112, 141, 13, 144, 106, 1, 220, 233, 68, 233, 114, | [97, 182, 82, 120, 112, 141, 13, 144, 106, 1, 220, 233, 68, 233, 114, | |||
| 139] | 139] | |||
| A.1.8. Encoded JWE Ciphertext | A.1.8. Encoded JWE Ciphertext | |||
| Base64url encode the resulting Ciphertext to create the Encoded JWE | Base64url encode the resulting Ciphertext to create the Encoded JWE | |||
| Ciphertext. This result is: | Ciphertext. This result is: | |||
| _e21tGGhac_peEFkLXr2dMPUZiUkrw | ||||
| _e21tGGhac_peEFkLXr2dMPUZiUkrw | ||||
| A.1.9. Encoded JWE Integrity Value | A.1.9. Encoded JWE Integrity Value | |||
| Base64url encode the resulting "authentication tag" to create the | Base64url encode the resulting "authentication tag" to create the | |||
| Encoded JWE Integrity Value. This result is: | Encoded JWE Integrity Value. This result is: | |||
| YbZSeHCNDZBqAdzpROlyiw | ||||
| YbZSeHCNDZBqAdzpROlyiw | ||||
| A.1.10. Complete Representation | A.1.10. Complete Representation | |||
| Assemble the final representation: The Compact Serialization of this | Assemble the final representation: The Compact Serialization of this | |||
| result is the concatenation of the Encoded JWE Header, the Encoded | result is the concatenation of the Encoded JWE Header, the Encoded | |||
| JWE Encrypted Key, the Encoded JWE Ciphertext, and the Encoded JWE | JWE Encrypted Key, the Encoded JWE Ciphertext, and the Encoded JWE | |||
| Integrity Value in that order, with the four strings being separated | Integrity Value in that order, with the four strings being separated | |||
| by three period ('.') characters. | by three period ('.') characters. | |||
| The final result in this example (with line breaks for display | The final result in this example (with line breaks for display | |||
| purposes only) is: | purposes only) is: | |||
| eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00iLCJpdiI6IjQ4VjFfQUxi | eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00iLCJpdiI6IjQ4VjFfQUxi | |||
| NlVTMDRVM2IifQ. | NlVTMDRVM2IifQ. | |||
| jvwoyhWxOMboB5cxX6ncAi7Wp3Q5FKRtlmIx35pfR9HpEa6Oy-iEpxEqM30W3YcR | jvwoyhWxOMboB5cxX6ncAi7Wp3Q5FKRtlmIx35pfR9HpEa6Oy-iEpxEqM30W3YcR | |||
| Q8WU9ouRoO5jd6tfdcpX-2X-OteHw4dnMXdMLjHGGx86LMDeFRAN2KGz7EGPJiva | Q8WU9ouRoO5jd6tfdcpX-2X-OteHw4dnMXdMLjHGGx86LMDeFRAN2KGz7EGPJiva | |||
| w0yM80fzT3zY0PKrIvU5ml1M5szqUnX4Jw0-PNcIM_j-L5YkLhv3Yk04XCwTJwxN | w0yM80fzT3zY0PKrIvU5ml1M5szqUnX4Jw0-PNcIM_j-L5YkLhv3Yk04XCwTJwxN | |||
| NmXCflYAQO9f00Aa213TJJr6dbHV6I642FwU-EWvtEfN3evgX3EFIVYSnT3HCHkA | NmXCflYAQO9f00Aa213TJJr6dbHV6I642FwU-EWvtEfN3evgX3EFIVYSnT3HCHkA | |||
| AIdBQ9ykD-abRzVA_dGp_yJAZQcrZuNTqzThd_22YMPhIpzTygfC_4k7qqxI6t7L | AIdBQ9ykD-abRzVA_dGp_yJAZQcrZuNTqzThd_22YMPhIpzTygfC_4k7qqxI6t7L | |||
| e_l5_o-taUG7vaNAl5FjEQ. | e_l5_o-taUG7vaNAl5FjEQ. | |||
| _e21tGGhac_peEFkLXr2dMPUZiUkrw. | _e21tGGhac_peEFkLXr2dMPUZiUkrw. | |||
| YbZSeHCNDZBqAdzpROlyiw | YbZSeHCNDZBqAdzpROlyiw | |||
| A.1.11. Validation | A.1.11. Validation | |||
| This example illustrates the process of creating a JWE with an AEAD | This example illustrates the process of creating a JWE with an AEAD | |||
| algorithm. These results can be used to validate JWE decryption | algorithm. These results can be used to validate JWE decryption | |||
| implementations for these algorithms. However, note that since the | implementations for these algorithms. However, note that since the | |||
| RSAES OAEP computation includes random values, the results above will | RSAES OAEP computation includes random values, the results above will | |||
| not be repeatable. | not be repeatable. | |||
| A.2. Example JWE using RSAES-PKCS1-V1_5 and AES CBC | A.2. Example JWE using RSAES-PKCS1-V1_5 and AES CBC | |||
| skipping to change at page 32, line 10 ¶ | skipping to change at page 33, line 13 ¶ | |||
| bit key to produce the Ciphertext, | bit key to produce the Ciphertext, | |||
| o the JWE Integrity Value safeguarding the integrity of the | o the JWE Integrity Value safeguarding the integrity of the | |||
| Ciphertext and the parameters used to create it was computed with | Ciphertext and the parameters used to create it was computed with | |||
| the HMAC SHA-256 algorithm, and | the HMAC SHA-256 algorithm, and | |||
| o the 128 bit Initialization Vector (IV) [3, 22, 60, 12, 43, 67, | o the 128 bit Initialization Vector (IV) [3, 22, 60, 12, 43, 67, | |||
| 104, 105, 108, 108, 105, 99, 111, 116, 104, 101] with the | 104, 105, 108, 108, 105, 99, 111, 116, 104, 101] with the | |||
| base64url encoding "AxY8DCtDaGlsbGljb3RoZQ" was used. | base64url encoding "AxY8DCtDaGlsbGljb3RoZQ" was used. | |||
| {"alg":"RSA1_5","enc":"A128CBC","int":"HS256","iv":"AxY8DCtDaGls | {"alg":"RSA1_5","enc":"A128CBC","int":"HS256","iv":"AxY8DCtDaGls | |||
| bGljb3RoZQ"} | bGljb3RoZQ"} | |||
| A.2.2. Encoded JWE Header | A.2.2. Encoded JWE Header | |||
| Base64url encoding the bytes of the UTF-8 representation of the JWE | Base64url encoding the bytes of the UTF-8 representation of the JWE | |||
| Header yields this Encoded JWE Header value (with line breaks for | Header yields this Encoded JWE Header value (with line breaks for | |||
| display purposes only): | display purposes only): | |||
| eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDIiwiaW50IjoiSFMyNTYiLCJp | ||||
| diI6IkF4WThEQ3REYUdsc2JHbGpiM1JvWlEifQ | eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDIiwiaW50IjoiSFMyNTYiLCJp | |||
| diI6IkF4WThEQ3REYUdsc2JHbGpiM1JvWlEifQ | ||||
| A.2.3. Content Master Key (CMK) | A.2.3. Content Master Key (CMK) | |||
| Generate a random Content Master Key (CMK). In this example, the key | Generate a random Content Master Key (CMK). In this example, the key | |||
| value is: | value is: | |||
| [4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, 63, 170, 106, | [4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, 63, 170, 106, | |||
| 206, 107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, 240, 143, 156, | 206, 107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, 240, 143, 156, | |||
| 44, 207] | 44, 207] | |||
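Review bot: The example IV in the bullet just before A.2.2, [3, 22, 60, 12, 43, 67, 104, 105, 108, 108, 105, 99, 111, 116, 104, 101], is visibly not random: its last eleven bytes are the ASCII text "Chillicothe". CBC mode needs an unpredictable IV for every message. A.2.3 says "Generate a random Content Master Key (CMK)", but this bullet only says the IV "was used". Suggest stating that the fixed value is there only to make the example reproducible and that implementations must generate a fresh random 128 bit IV for each JWE.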
| skipping to change at page 35, line 10 ¶ | skipping to change at page 36, line 10 ¶ | |||
| 79, 37, 22, 200, 32, 110, 53, 123, 54, 39, 9, 178, 231, 238, 95, 25, | 79, 37, 22, 200, 32, 110, 53, 123, 54, 39, 9, 178, 231, 238, 95, 25, | |||
| 211, 143, 87, 220, 88, 138, 209, 13, 227, 72, 58, 102, 164, 136, 241, | 211, 143, 87, 220, 88, 138, 209, 13, 227, 72, 58, 102, 164, 136, 241, | |||
| 14, 14, 45, 32, 77, 44, 244, 162, 239, 150, 248, 181, 138, 251, 116, | 14, 14, 45, 32, 77, 44, 244, 162, 239, 150, 248, 181, 138, 251, 116, | |||
| 245, 205, 137, 78, 34, 34, 10, 6, 59, 4, 197, 2, 153, 251] | 245, 205, 137, 78, 34, 34, 10, 6, 59, 4, 197, 2, 153, 251] | |||
| A.2.5. Encoded JWE Encrypted Key | A.2.5. Encoded JWE Encrypted Key | |||
| Base64url encode the JWE Encrypted Key to produce the Encoded JWE | Base64url encode the JWE Encrypted Key to produce the Encoded JWE | |||
| Encrypted Key. This result (with line breaks for display purposes | Encrypted Key. This result (with line breaks for display purposes | |||
| only) is: | only) is: | |||
| IPI_z172hSWHMFgED8EG9DM6hIXU_6NaO1DImCn0vNeuoBq847Sl6qw_GHSYHJUQ | ||||
| XtXJq7S_CxWVrI82wjrOyaQca5tLZRZc45BfKHeqByThKI261QevEK56SyAwwXfK | IPI_z172hSWHMFgED8EG9DM6hIXU_6NaO1DImCn0vNeuoBq847Sl6qw_GHSYHJUQ | |||
| KZjSvkQ5dwTFSgfy76rMSUvVynHYEhdCatBF9HWTAiXPx7hgZixG1FeP_QCmOylz | XtXJq7S_CxWVrI82wjrOyaQca5tLZRZc45BfKHeqByThKI261QevEK56SyAwwXfK | |||
| 2VClVyYFCbjKREOwBFf-puNYfO75S3LNlJUtTsGGQL2oTKpMsEiUTdefkje91VX9 | KZjSvkQ5dwTFSgfy76rMSUvVynHYEhdCatBF9HWTAiXPx7hgZixG1FeP_QCmOylz | |||
| h8g7908lFsggbjV7NicJsufuXxnTj1fcWIrRDeNIOmakiPEODi0gTSz0ou-W-LWK | 2VClVyYFCbjKREOwBFf-puNYfO75S3LNlJUtTsGGQL2oTKpMsEiUTdefkje91VX9 | |||
| -3T1zYlOIiIKBjsExQKZ-w | h8g7908lFsggbjV7NicJsufuXxnTj1fcWIrRDeNIOmakiPEODi0gTSz0ou-W-LWK | |||
| -3T1zYlOIiIKBjsExQKZ-w | ||||
| A.2.6. Key Derivation | A.2.6. Key Derivation | |||
| Use the Concat key derivation function to derive Content Encryption | Use the Concat key derivation function to derive Content Encryption | |||
| Key (CEK) and Content Integrity Key (CIK) values from the CMK. The | Key (CEK) and Content Integrity Key (CIK) values from the CMK. The | |||
| details of this derivation are shown in Appendix A.3. The resulting | details of this derivation are shown in Appendix A.3. The resulting | |||
| CEK value is: | CEK value is: | |||
| [249, 255, 87, 218, 224, 223, 221, 53, 204, 121, 166, 130, 195, 184, | [249, 255, 87, 218, 224, 223, 221, 53, 204, 121, 166, 130, 195, 184, | |||
| 50, 69] | 50, 69] | |||
| skipping to change at page 35, line 50 ¶ | skipping to change at page 36, line 51 ¶ | |||
| 207, 239, 207, 65, 213, 28, 20, 217, 14, 186, 87, 160, 15, 160, 96, | 207, 239, 207, 65, 213, 28, 20, 217, 14, 186, 87, 160, 15, 160, 96, | |||
| 142, 7, 69, 46, 55, 129, 224, 113, 206, 59, 181, 7, 188, 255, 15, 16, | 142, 7, 69, 46, 55, 129, 224, 113, 206, 59, 181, 7, 188, 255, 15, 16, | |||
| 59, 180, 107, 75, 0, 217, 175, 254, 8, 141, 48, 217, 132, 16, 217, 4, | 59, 180, 107, 75, 0, 217, 175, 254, 8, 141, 48, 217, 132, 16, 217, 4, | |||
| 30, 223, 147] | 30, 223, 147] | |||
| A.2.8. Encoded JWE Ciphertext | A.2.8. Encoded JWE Ciphertext | |||
| Base64url encode the resulting Ciphertext to create the Encoded JWE | Base64url encode the resulting Ciphertext to create the Encoded JWE | |||
| Ciphertext. This result (with line breaks for display purposes only) | Ciphertext. This result (with line breaks for display purposes only) | |||
| is: | is: | |||
| _Z_djlIoC4MDSCKireWS2beti4Q6iSG2UjFujQvdz-_PQdUcFNkOulegD6BgjgdF | ||||
| LjeB4HHOO7UHvP8PEDu0a0sA2a_-CI0w2YQQ2QQe35M | _Z_djlIoC4MDSCKireWS2beti4Q6iSG2UjFujQvdz-_PQdUcFNkOulegD6BgjgdF | |||
| LjeB4HHOO7UHvP8PEDu0a0sA2a_-CI0w2YQQ2QQe35M | ||||
| A.2.9. Secured Input Value | A.2.9. Secured Input Value | |||
| Concatenate the Encoded JWE Header value, a period character ('.'), | Concatenate the Encoded JWE Header value, a period character ('.'), | |||
| the Encoded JWE Encrypted Key, a second period character, and the | the Encoded JWE Encrypted Key, a second period character, and the | |||
| Encoded JWE Ciphertext to create the value to integrity protect. | Encoded JWE Ciphertext to create the value to integrity protect. | |||
| This result (with line breaks for display purposes only) is: | This result (with line breaks for display purposes only) is: | |||
| eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDIiwiaW50IjoiSFMyNTYiLCJp | ||||
| diI6IkF4WThEQ3REYUdsc2JHbGpiM1JvWlEifQ. | eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDIiwiaW50IjoiSFMyNTYiLCJp | |||
| IPI_z172hSWHMFgED8EG9DM6hIXU_6NaO1DImCn0vNeuoBq847Sl6qw_GHSYHJUQ | diI6IkF4WThEQ3REYUdsc2JHbGpiM1JvWlEifQ. | |||
| XtXJq7S_CxWVrI82wjrOyaQca5tLZRZc45BfKHeqByThKI261QevEK56SyAwwXfK | IPI_z172hSWHMFgED8EG9DM6hIXU_6NaO1DImCn0vNeuoBq847Sl6qw_GHSYHJUQ | |||
| KZjSvkQ5dwTFSgfy76rMSUvVynHYEhdCatBF9HWTAiXPx7hgZixG1FeP_QCmOylz | XtXJq7S_CxWVrI82wjrOyaQca5tLZRZc45BfKHeqByThKI261QevEK56SyAwwXfK | |||
| 2VClVyYFCbjKREOwBFf-puNYfO75S3LNlJUtTsGGQL2oTKpMsEiUTdefkje91VX9 | KZjSvkQ5dwTFSgfy76rMSUvVynHYEhdCatBF9HWTAiXPx7hgZixG1FeP_QCmOylz | |||
| h8g7908lFsggbjV7NicJsufuXxnTj1fcWIrRDeNIOmakiPEODi0gTSz0ou-W-LWK | 2VClVyYFCbjKREOwBFf-puNYfO75S3LNlJUtTsGGQL2oTKpMsEiUTdefkje91VX9 | |||
| -3T1zYlOIiIKBjsExQKZ-w. | h8g7908lFsggbjV7NicJsufuXxnTj1fcWIrRDeNIOmakiPEODi0gTSz0ou-W-LWK | |||
| _Z_djlIoC4MDSCKireWS2beti4Q6iSG2UjFujQvdz-_PQdUcFNkOulegD6BgjgdF | -3T1zYlOIiIKBjsExQKZ-w. | |||
| LjeB4HHOO7UHvP8PEDu0a0sA2a_-CI0w2YQQ2QQe35M | _Z_djlIoC4MDSCKireWS2beti4Q6iSG2UjFujQvdz-_PQdUcFNkOulegD6BgjgdF | |||
| LjeB4HHOO7UHvP8PEDu0a0sA2a_-CI0w2YQQ2QQe35M | ||||
| The representation of this value is: | The representation of this value is: | |||
| [101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 83, 85, 48, 69, | [101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 83, 85, 48, 69, | |||
| 120, 88, 122, 85, 105, 76, 67, 74, 108, 98, 109, 77, 105, 79, 105, | 120, 88, 122, 85, 105, 76, 67, 74, 108, 98, 109, 77, 105, 79, 105, | |||
| 74, 66, 77, 84, 73, 52, 81, 48, 74, 68, 73, 105, 119, 105, 97, 87, | 74, 66, 77, 84, 73, 52, 81, 48, 74, 68, 73, 105, 119, 105, 97, 87, | |||
| 53, 48, 73, 106, 111, 105, 83, 70, 77, 121, 78, 84, 89, 105, 76, 67, | 53, 48, 73, 106, 111, 105, 83, 70, 77, 121, 78, 84, 89, 105, 76, 67, | |||
| 74, 112, 100, 105, 73, 54, 73, 107, 70, 52, 87, 84, 104, 69, 81, 51, | 74, 112, 100, 105, 73, 54, 73, 107, 70, 52, 87, 84, 104, 69, 81, 51, | |||
| 82, 69, 89, 85, 100, 115, 99, 50, 74, 72, 98, 71, 112, 105, 77, 49, | 82, 69, 89, 85, 100, 115, 99, 50, 74, 72, 98, 71, 112, 105, 77, 49, | |||
| 74, 118, 87, 108, 69, 105, 102, 81, 46, 73, 80, 73, 95, 122, 49, 55, | 74, 118, 87, 108, 69, 105, 102, 81, 46, 73, 80, 73, 95, 122, 49, 55, | |||
| skipping to change at page 37, line 24 ¶ | skipping to change at page 38, line 27 ¶ | |||
| JWE Integrity Value. This result is: | JWE Integrity Value. This result is: | |||
| [115, 141, 100, 225, 62, 30, 2, 0, 130, 183, 173, 230, 241, 147, 102, | [115, 141, 100, 225, 62, 30, 2, 0, 130, 183, 173, 230, 241, 147, 102, | |||
| 136, 232, 167, 49, 200, 133, 23, 42, 78, 22, 155, 226, 119, 184, 186, | 136, 232, 167, 49, 200, 133, 23, 42, 78, 22, 155, 226, 119, 184, 186, | |||
| 15, 73] | 15, 73] | |||
| A.2.11. Encoded JWE Integrity Value | A.2.11. Encoded JWE Integrity Value | |||
| Base64url encode the resulting JWE Integrity Value to create the | Base64url encode the resulting JWE Integrity Value to create the | |||
| Encoded JWE Integrity Value. This result is: | Encoded JWE Integrity Value. This result is: | |||
| c41k4T4eAgCCt63m8ZNmiOinMciFFypOFpvid7i6D0k | ||||
| c41k4T4eAgCCt63m8ZNmiOinMciFFypOFpvid7i6D0k | ||||
| A.2.12. Complete Representation | A.2.12. Complete Representation | |||
| Assemble the final representation: The Compact Serialization of this | Assemble the final representation: The Compact Serialization of this | |||
| result is the concatenation of the Encoded JWE Header, the Encoded | result is the concatenation of the Encoded JWE Header, the Encoded | |||
| JWE Encrypted Key, the Encoded JWE Ciphertext, and the Encoded JWE | JWE Encrypted Key, the Encoded JWE Ciphertext, and the Encoded JWE | |||
| Integrity Value in that order, with the four strings being separated | Integrity Value in that order, with the four strings being separated | |||
| by three period ('.') characters. | by three period ('.') characters. | |||
| The final result in this example (with line breaks for display | The final result in this example (with line breaks for display | |||
| purposes only) is: | purposes only) is: | |||
| eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDIiwiaW50IjoiSFMyNTYiLCJp | ||||
| diI6IkF4WThEQ3REYUdsc2JHbGpiM1JvWlEifQ. | eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDIiwiaW50IjoiSFMyNTYiLCJp | |||
| IPI_z172hSWHMFgED8EG9DM6hIXU_6NaO1DImCn0vNeuoBq847Sl6qw_GHSYHJUQ | diI6IkF4WThEQ3REYUdsc2JHbGpiM1JvWlEifQ. | |||
| XtXJq7S_CxWVrI82wjrOyaQca5tLZRZc45BfKHeqByThKI261QevEK56SyAwwXfK | IPI_z172hSWHMFgED8EG9DM6hIXU_6NaO1DImCn0vNeuoBq847Sl6qw_GHSYHJUQ | |||
| KZjSvkQ5dwTFSgfy76rMSUvVynHYEhdCatBF9HWTAiXPx7hgZixG1FeP_QCmOylz | XtXJq7S_CxWVrI82wjrOyaQca5tLZRZc45BfKHeqByThKI261QevEK56SyAwwXfK | |||
| 2VClVyYFCbjKREOwBFf-puNYfO75S3LNlJUtTsGGQL2oTKpMsEiUTdefkje91VX9 | KZjSvkQ5dwTFSgfy76rMSUvVynHYEhdCatBF9HWTAiXPx7hgZixG1FeP_QCmOylz | |||
| h8g7908lFsggbjV7NicJsufuXxnTj1fcWIrRDeNIOmakiPEODi0gTSz0ou-W-LWK | 2VClVyYFCbjKREOwBFf-puNYfO75S3LNlJUtTsGGQL2oTKpMsEiUTdefkje91VX9 | |||
| -3T1zYlOIiIKBjsExQKZ-w. | h8g7908lFsggbjV7NicJsufuXxnTj1fcWIrRDeNIOmakiPEODi0gTSz0ou-W-LWK | |||
| _Z_djlIoC4MDSCKireWS2beti4Q6iSG2UjFujQvdz-_PQdUcFNkOulegD6BgjgdF | -3T1zYlOIiIKBjsExQKZ-w. | |||
| LjeB4HHOO7UHvP8PEDu0a0sA2a_-CI0w2YQQ2QQe35M. | _Z_djlIoC4MDSCKireWS2beti4Q6iSG2UjFujQvdz-_PQdUcFNkOulegD6BgjgdF | |||
| c41k4T4eAgCCt63m8ZNmiOinMciFFypOFpvid7i6D0k | LjeB4HHOO7UHvP8PEDu0a0sA2a_-CI0w2YQQ2QQe35M. | |||
| c41k4T4eAgCCt63m8ZNmiOinMciFFypOFpvid7i6D0k | ||||
| A.2.13. Validation | A.2.13. Validation | |||
| This example illustrates the process of creating a JWE with a non- | This example illustrates the process of creating a JWE with a non- | |||
| AEAD algorithm. These results can be used to validate JWE decryption | AEAD algorithm. These results can be used to validate JWE decryption | |||
| implementations for these algorithms. Since all the algorithms used | implementations for these algorithms. Since all the algorithms used | |||
| in this example produce deterministic results, the results above | in this example produce deterministic results, the results above | |||
| should be repeatable. | should be repeatable. | |||
| A.3. Example Key Derivation with Outputs <= Hash Size | A.3. Example Key Derivation with Outputs <= Hash Size | |||
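Review bot: A.2.13 states "Since all the algorithms used in this example produce deterministic results, the results above should be repeatable", but the header for this example carries "alg":"RSA1_5", and RSAES-PKCS1-V1_5 encryption pads the CMK with random nonzero bytes. The JWE Encrypted Key in A.2.5 will therefore differ on every run, and so will the Secured Input Value and the JWE Integrity Value computed over it. Only the key derivation, the AES CBC step with the fixed IV, and the HMAC over a fixed input are deterministic. Suggest reusing the caveat the preceding example gives for RSAES OAEP ("the results above will not be repeatable") and noting that the values remain usable for validating decryption.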
| skipping to change at page 41, line 41 ¶ | skipping to change at page 42, line 46 ¶ | |||
| to Eric Rescorla and Joe Hildebrand for allowing the reuse of text | to Eric Rescorla and Joe Hildebrand for allowing the reuse of text | |||
| from [I-D.rescorla-jsms] in this document. | from [I-D.rescorla-jsms] in this document. | |||
| Thanks to Axel Nennker, Emmanuel Raviart, Brian Campbell, and Edmund | Thanks to Axel Nennker, Emmanuel Raviart, Brian Campbell, and Edmund | |||
| Jay for validating the examples in this specification. | Jay for validating the examples in this specification. | |||
| Appendix C. Document History | Appendix C. Document History | |||
| [[ to be removed by the RFC editor before publication as an RFC ]] | [[ to be removed by the RFC editor before publication as an RFC ]] | |||
| -05 | ||||
| o Support both direct encryption using a shared or agreed upon | ||||
| symmetric key, and the use of a shared or agreed upon symmetric | ||||
| key to key wrap the CMK. | ||||
| o Added statement that "StringOrURI values are compared as case- | ||||
| sensitive strings with no transformations or canonicalizations | ||||
| applied". | ||||
| o Updated open issues. | ||||
| o Indented artwork elements to better distinguish them from the body | ||||
| text. | ||||
| -04 | -04 | |||
| o Refer to the registries as the primary sources of defined values | o Refer to the registries as the primary sources of defined values | |||
| and then secondarily reference the sections defining the initial | and then secondarily reference the sections defining the initial | |||
| contents of the registries. | contents of the registries. | |||
| o Normatively reference XML Encryption 1.1 | o Normatively reference XML Encryption 1.1 | |||
| [W3C.CR-xmlenc-core1-20120313] for its security considerations. | [W3C.CR-xmlenc-core1-20120313] for its security considerations. | |||
| o Reference draft-jones-jose-jwe-json-serialization instead of | o Reference draft-jones-jose-jwe-json-serialization instead of | |||
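Review bot: The first -05 history entry introduces two new key management modes (direct encryption with a shared or agreed upon symmetric key, and using such a key to key wrap the CMK) without naming the sections or "alg" values that define them, and "Updated open issues" does not say which issues were added or closed. Because these modes change where the content keys come from, suggest pointing each entry at the section it touched so the key handling text can be checked against the changelog.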
| End of changes. 62 change blocks. | ||||
| 190 lines changed or deleted | 243 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||