| < draft-ietf-jose-json-web-encryption-06.txt | draft-ietf-jose-json-web-encryption-07.txt > | |||
|---|---|---|---|---|
| JOSE Working Group M. Jones | JOSE Working Group M. Jones | |||
| Internet-Draft Microsoft | Internet-Draft Microsoft | |||
| Intended status: Standards Track E. Rescorla | Intended status: Standards Track E. Rescorla | |||
| Expires: April 18, 2013 RTFM | Expires: May 10, 2013 RTFM | |||
| J. Hildebrand | J. Hildebrand | |||
| Cisco | Cisco | |||
| October 15, 2012 | November 6, 2012 | |||
| JSON Web Encryption (JWE) | JSON Web Encryption (JWE) | |||
| draft-ietf-jose-json-web-encryption-06 | draft-ietf-jose-json-web-encryption-07 | |||
| Abstract | Abstract | |||
| JSON Web Encryption (JWE) is a means of representing encrypted | JSON Web Encryption (JWE) is a means of representing encrypted | |||
| content using JavaScript Object Notation (JSON) data structures. | content using JavaScript Object Notation (JSON) data structures. | |||
| Cryptographic algorithms and identifiers for use with this | Cryptographic algorithms and identifiers for use with this | |||
| specification are described in the separate JSON Web Algorithms (JWA) | specification are described in the separate JSON Web Algorithms (JWA) | |||
| specification. Related digital signature and MAC capabilities are | specification. Related digital signature and MAC capabilities are | |||
| described in the separate JSON Web Signature (JWS) specification. | described in the separate JSON Web Signature (JWS) specification. | |||
| skipping to change at page 1, line 38 ¶ | skipping to change at page 1, line 38 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on April 18, 2013. | This Internet-Draft will expire on May 10, 2013. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2012 IETF Trust and the persons identified as the | Copyright (c) 2012 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 15 ¶ | skipping to change at page 2, line 15 ¶ | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 5 | 1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 5 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3. JSON Web Encryption (JWE) Overview . . . . . . . . . . . . . . 7 | 3. JSON Web Encryption (JWE) Overview . . . . . . . . . . . . . . 7 | |||
| 3.1. Example JWE with an Integrated Integrity Check . . . . . . 8 | 3.1. Example JWE using RSAES OAEP and AES GCM . . . . . . . . . 8 | |||
| 3.2. Example JWE with a Separate Integrity Check . . . . . . . 9 | 3.2. Example JWE using RSAES-PKCS1-V1_5 and AES CBC . . . . . . 9 | |||
| 4. JWE Header . . . . . . . . . . . . . . . . . . . . . . . . . . 11 | 4. JWE Header . . . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 4.1. Reserved Header Parameter Names . . . . . . . . . . . . . 12 | 4.1. Reserved Header Parameter Names . . . . . . . . . . . . . 12 | |||
| 4.1.1. "alg" (Algorithm) Header Parameter . . . . . . . . . . 12 | 4.1.1. "alg" (Algorithm) Header Parameter . . . . . . . . . . 12 | |||
| 4.1.2. "enc" (Encryption Method) Header Parameter . . . . . . 12 | 4.1.2. "enc" (Encryption Method) Header Parameter . . . . . . 12 | |||
| 4.1.3. "epk" (Ephemeral Public Key) Header Parameter . . . . 13 | 4.1.3. "epk" (Ephemeral Public Key) Header Parameter . . . . 13 | |||
| 4.1.4. "zip" (Compression Algorithm) Header Parameter . . . . 13 | 4.1.4. "zip" (Compression Algorithm) Header Parameter . . . . 13 | |||
| 4.1.5. "jku" (JWK Set URL) Header Parameter . . . . . . . . . 13 | 4.1.5. "jku" (JWK Set URL) Header Parameter . . . . . . . . . 13 | |||
| 4.1.6. "jwk" (JSON Web Key) Header Parameter . . . . . . . . 13 | 4.1.6. "jwk" (JSON Web Key) Header Parameter . . . . . . . . 13 | |||
| 4.1.7. "x5u" (X.509 URL) Header Parameter . . . . . . . . . . 13 | 4.1.7. "x5u" (X.509 URL) Header Parameter . . . . . . . . . . 13 | |||
| 4.1.8. "x5t" (X.509 Certificate Thumbprint) Header | 4.1.8. "x5t" (X.509 Certificate Thumbprint) Header | |||
| Parameter . . . . . . . . . . . . . . . . . . . . . . 14 | Parameter . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 4.1.9. "x5c" (X.509 Certificate Chain) Header Parameter . . . 14 | 4.1.9. "x5c" (X.509 Certificate Chain) Header Parameter . . . 14 | |||
| 4.1.10. "kid" (Key ID) Header Parameter . . . . . . . . . . . 14 | 4.1.10. "kid" (Key ID) Header Parameter . . . . . . . . . . . 15 | |||
| 4.1.11. "typ" (Type) Header Parameter . . . . . . . . . . . . 15 | 4.1.11. "typ" (Type) Header Parameter . . . . . . . . . . . . 15 | |||
| 4.1.12. "cty" (Content Type) Header Parameter . . . . . . . . 15 | 4.1.12. "cty" (Content Type) Header Parameter . . . . . . . . 15 | |||
| 4.1.13. "apu" (Agreement PartyUInfo) Header Parameter . . . . 15 | 4.1.13. "apu" (Agreement PartyUInfo) Header Parameter . . . . 15 | |||
| 4.1.14. "apv" (Agreement PartyVInfo) Header Parameter . . . . 15 | 4.1.14. "apv" (Agreement PartyVInfo) Header Parameter . . . . 15 | |||
| 4.1.15. "epu" (Encryption PartyUInfo) Header Parameter . . . . 15 | 4.1.15. "epu" (Encryption PartyUInfo) Header Parameter . . . . 16 | |||
| 4.1.16. "epv" (Encryption PartyVInfo) Header Parameter . . . . 16 | 4.1.16. "epv" (Encryption PartyVInfo) Header Parameter . . . . 16 | |||
| 4.2. Public Header Parameter Names . . . . . . . . . . . . . . 16 | 4.2. Public Header Parameter Names . . . . . . . . . . . . . . 16 | |||
| 4.3. Private Header Parameter Names . . . . . . . . . . . . . . 16 | 4.3. Private Header Parameter Names . . . . . . . . . . . . . . 16 | |||
| 5. Message Encryption . . . . . . . . . . . . . . . . . . . . . . 16 | 5. Message Encryption . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 6. Message Decryption . . . . . . . . . . . . . . . . . . . . . . 18 | 6. Message Decryption . . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 7. CMK Encryption . . . . . . . . . . . . . . . . . . . . . . . . 19 | 7. CMK Encryption . . . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 8. Encrypting JWEs with Cryptographic Algorithms . . . . . . . . 19 | 8. Encrypting JWEs with Cryptographic Algorithms . . . . . . . . 20 | |||
| 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 | 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 9.1. Registration of JWE Header Parameter Names . . . . . . . . 20 | 9.1. Registration of JWE Header Parameter Names . . . . . . . . 20 | |||
| 9.1.1. Registry Contents . . . . . . . . . . . . . . . . . . 20 | 9.1.1. Registry Contents . . . . . . . . . . . . . . . . . . 20 | |||
| 9.2. JSON Web Signature and Encryption Type Values | 9.2. JSON Web Signature and Encryption Type Values | |||
| Registration . . . . . . . . . . . . . . . . . . . . . . . 21 | Registration . . . . . . . . . . . . . . . . . . . . . . . 22 | |||
| 9.2.1. Registry Contents . . . . . . . . . . . . . . . . . . 21 | 9.2.1. Registry Contents . . . . . . . . . . . . . . . . . . 22 | |||
| 9.3. Media Type Registration . . . . . . . . . . . . . . . . . 21 | 9.3. Media Type Registration . . . . . . . . . . . . . . . . . 22 | |||
| 9.3.1. Registry Contents . . . . . . . . . . . . . . . . . . 21 | 9.3.1. Registry Contents . . . . . . . . . . . . . . . . . . 22 | |||
| 10. Security Considerations . . . . . . . . . . . . . . . . . . . 22 | 10. Security Considerations . . . . . . . . . . . . . . . . . . . 23 | |||
| 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 22 | 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 23 | |||
| 11.1. Normative References . . . . . . . . . . . . . . . . . . . 22 | 11.1. Normative References . . . . . . . . . . . . . . . . . . . 23 | |||
| 11.2. Informative References . . . . . . . . . . . . . . . . . . 24 | 11.2. Informative References . . . . . . . . . . . . . . . . . . 24 | |||
| Appendix A. JWE Examples . . . . . . . . . . . . . . . . . . . . 24 | Appendix A. JWE Examples . . . . . . . . . . . . . . . . . . . . 25 | |||
| A.1. Example JWE using RSAES OAEP and AES GCM . . . . . . . . . 24 | A.1. Example JWE using RSAES OAEP and AES GCM . . . . . . . . . 25 | |||
| A.1.1. JWE Header . . . . . . . . . . . . . . . . . . . . . . 25 | A.1.1. JWE Header . . . . . . . . . . . . . . . . . . . . . . 25 | |||
| A.1.2. Encoded JWE Header . . . . . . . . . . . . . . . . . . 25 | A.1.2. Encoded JWE Header . . . . . . . . . . . . . . . . . . 25 | |||
| A.1.3. Content Master Key (CMK) . . . . . . . . . . . . . . . 25 | A.1.3. Content Master Key (CMK) . . . . . . . . . . . . . . . 26 | |||
| A.1.4. Key Encryption . . . . . . . . . . . . . . . . . . . . 25 | A.1.4. Key Encryption . . . . . . . . . . . . . . . . . . . . 26 | |||
| A.1.5. Encoded JWE Encrypted Key . . . . . . . . . . . . . . 28 | A.1.5. Encoded JWE Encrypted Key . . . . . . . . . . . . . . 28 | |||
| A.1.6. Initialization Vector . . . . . . . . . . . . . . . . 28 | A.1.6. Initialization Vector . . . . . . . . . . . . . . . . 28 | |||
| A.1.7. "Additional Authenticated Data" Parameter . . . . . . 28 | A.1.7. "Additional Authenticated Data" Parameter . . . . . . 28 | |||
| A.1.8. Plaintext Encryption . . . . . . . . . . . . . . . . . 29 | A.1.8. Plaintext Encryption . . . . . . . . . . . . . . . . . 29 | |||
| A.1.9. Encoded JWE Ciphertext . . . . . . . . . . . . . . . . 29 | A.1.9. Encoded JWE Ciphertext . . . . . . . . . . . . . . . . 29 | |||
| A.1.10. Encoded JWE Integrity Value . . . . . . . . . . . . . 30 | A.1.10. Encoded JWE Integrity Value . . . . . . . . . . . . . 30 | |||
| A.1.11. Complete Representation . . . . . . . . . . . . . . . 30 | A.1.11. Complete Representation . . . . . . . . . . . . . . . 30 | |||
| A.1.12. Validation . . . . . . . . . . . . . . . . . . . . . . 30 | A.1.12. Validation . . . . . . . . . . . . . . . . . . . . . . 30 | |||
| A.2. Example JWE using RSAES-PKCS1-V1_5 and AES CBC . . . . . . 30 | A.2. Example JWE using RSAES-PKCS1-V1_5 and AES CBC . . . . . . 30 | |||
| A.2.1. JWE Header . . . . . . . . . . . . . . . . . . . . . . 31 | A.2.1. JWE Header . . . . . . . . . . . . . . . . . . . . . . 31 | |||
| skipping to change at page 4, line 5 ¶ | skipping to change at page 4, line 5 ¶ | |||
| A.3.7. "Additional Authenticated Data" Parameter . . . . . . 39 | A.3.7. "Additional Authenticated Data" Parameter . . . . . . 39 | |||
| A.3.8. Plaintext Encryption . . . . . . . . . . . . . . . . . 39 | A.3.8. Plaintext Encryption . . . . . . . . . . . . . . . . . 39 | |||
| A.3.9. Encoded JWE Ciphertext . . . . . . . . . . . . . . . . 39 | A.3.9. Encoded JWE Ciphertext . . . . . . . . . . . . . . . . 39 | |||
| A.3.10. Encoded JWE Integrity Value . . . . . . . . . . . . . 40 | A.3.10. Encoded JWE Integrity Value . . . . . . . . . . . . . 40 | |||
| A.3.11. Complete Representation . . . . . . . . . . . . . . . 40 | A.3.11. Complete Representation . . . . . . . . . . . . . . . 40 | |||
| A.3.12. Validation . . . . . . . . . . . . . . . . . . . . . . 40 | A.3.12. Validation . . . . . . . . . . . . . . . . . . . . . . 40 | |||
| A.4. Example Key Derivation for "enc" value "A128CBC+HS256" . . 40 | A.4. Example Key Derivation for "enc" value "A128CBC+HS256" . . 40 | |||
| A.4.1. CEK Generation . . . . . . . . . . . . . . . . . . . . 41 | A.4.1. CEK Generation . . . . . . . . . . . . . . . . . . . . 41 | |||
| A.4.2. CIK Generation . . . . . . . . . . . . . . . . . . . . 42 | A.4.2. CIK Generation . . . . . . . . . . . . . . . . . . . . 42 | |||
| A.5. Example Key Derivation for "enc" value "A256CBC+HS512" . . 42 | A.5. Example Key Derivation for "enc" value "A256CBC+HS512" . . 43 | |||
| A.5.1. CEK Generation . . . . . . . . . . . . . . . . . . . . 43 | A.5.1. CEK Generation . . . . . . . . . . . . . . . . . . . . 43 | |||
| A.5.2. CIK Generation . . . . . . . . . . . . . . . . . . . . 44 | A.5.2. CIK Generation . . . . . . . . . . . . . . . . . . . . 44 | |||
| Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 45 | Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 45 | |||
| Appendix C. Open Issues . . . . . . . . . . . . . . . . . . . . . 45 | Appendix C. Open Issues . . . . . . . . . . . . . . . . . . . . . 45 | |||
| Appendix D. Document History . . . . . . . . . . . . . . . . . . 46 | Appendix D. Document History . . . . . . . . . . . . . . . . . . 46 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 49 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 50 | |||
| 1. Introduction | 1. Introduction | |||
| JSON Web Encryption (JWE) is a compact encryption format intended for | JSON Web Encryption (JWE) is a compact encryption format intended for | |||
| space constrained environments such as HTTP Authorization headers and | space constrained environments such as HTTP Authorization headers and | |||
| URI query parameters. It represents this content using JavaScript | URI query parameters. It represents this content using JavaScript | |||
| Object Notation (JSON) [RFC4627] based data structures. The JWE | Object Notation (JSON) [RFC4627] based data structures. The JWE | |||
| cryptographic mechanisms encrypt and provide integrity protection for | cryptographic mechanisms encrypt and provide integrity protection for | |||
| arbitrary sequences of bytes. | arbitrary sequences of bytes. | |||
| skipping to change at page 7, line 17 ¶ | skipping to change at page 7, line 17 ¶ | |||
| JWE Compact Serialization A representation of the JWE as the | JWE Compact Serialization A representation of the JWE as the | |||
| concatenation of the Encoded JWE Header, the Encoded JWE Encrypted | concatenation of the Encoded JWE Header, the Encoded JWE Encrypted | |||
| Key, the Encoded JWE Initialization Vector, the Encoded JWE | Key, the Encoded JWE Initialization Vector, the Encoded JWE | |||
| Ciphertext, and the Encoded JWE Integrity Value in that order, | Ciphertext, and the Encoded JWE Integrity Value in that order, | |||
| with the five strings being separated by four period ('.') | with the five strings being separated by four period ('.') | |||
| characters. | characters. | |||
| AEAD Algorithm An Authenticated Encryption with Associated Data | AEAD Algorithm An Authenticated Encryption with Associated Data | |||
| (AEAD) [RFC5116] encryption algorithm is one that provides an | (AEAD) [RFC5116] encryption algorithm is one that provides an | |||
| integrated content integrity check. AES Galois/Counter Mode (GCM) | integrated content integrity check. AEAD encryption algorithms | |||
| is one such algorithm. | accept two inputs, the plaintext and the "additional authenticated | |||
| data" value, and produce two outputs, the ciphertext and the | ||||
| "authentication tag" value. AES Galois/Counter Mode (GCM) is one | ||||
| such algorithm. | ||||
| Collision Resistant Namespace A namespace that allows names to be | Collision Resistant Namespace A namespace that allows names to be | |||
| allocated in a manner such that they are highly unlikely to | allocated in a manner such that they are highly unlikely to | |||
| collide with other names. For instance, collision resistance can | collide with other names. For instance, collision resistance can | |||
| be achieved through administrative delegation of portions of the | be achieved through administrative delegation of portions of the | |||
| namespace or through use of collision-resistant name allocation | namespace or through use of collision-resistant name allocation | |||
| functions. Examples of Collision Resistant Namespaces include: | functions. Examples of Collision Resistant Namespaces include: | |||
| Domain Names, Object Identifiers (OIDs) as defined in the ITU-T | Domain Names, Object Identifiers (OIDs) as defined in the ITU-T | |||
| X.660 and X.670 Recommendation series, and Universally Unique | X.660 and X.670 Recommendation series, and Universally Unique | |||
| IDentifiers (UUIDs) [RFC4122]. When using an administratively | IDentifiers (UUIDs) [RFC4122]. When using an administratively | |||
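Review bot: The expanded AEAD Algorithm definition lists only two inputs, the plaintext and the "additional authenticated data" value, yet the encryption step added in Section 5 of this same revision also passes the CMK and the JWE Initialization Vector to the algorithm. Suggest naming the key and the initialization vector as inputs here too (or writing "in addition to the key and initialization vector"), so the definition matches how the processing steps use the term.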
| skipping to change at page 8, line 4 ¶ | skipping to change at page 8, line 6 ¶ | |||
| JWE represents encrypted content using JSON data structures and | JWE represents encrypted content using JSON data structures and | |||
| base64url encoding. The representation consists of five parts: the | base64url encoding. The representation consists of five parts: the | |||
| JWE Header, the JWE Encrypted Key, the JWE Initialization Vector, the | JWE Header, the JWE Encrypted Key, the JWE Initialization Vector, the | |||
| JWE Ciphertext, and the JWE Integrity Value. In the Compact | JWE Ciphertext, and the JWE Integrity Value. In the Compact | |||
| Serialization, the five parts are base64url-encoded for transmission, | Serialization, the five parts are base64url-encoded for transmission, | |||
| and represented as the concatenation of the encoded strings in that | and represented as the concatenation of the encoded strings in that | |||
| order, with the five strings being separated by four period ('.') | order, with the five strings being separated by four period ('.') | |||
| characters. (A JSON Serialization for this information is defined in | characters. (A JSON Serialization for this information is defined in | |||
| the separate JSON Web Encryption JSON Serialization (JWE-JS) [JWE-JS] | the separate JSON Web Encryption JSON Serialization (JWE-JS) [JWE-JS] | |||
| specification.) | specification.) | |||
| JWE utilizes encryption to ensure the confidentiality of the | JWE utilizes encryption to ensure the confidentiality of the | |||
| Plaintext. JWE adds a content integrity check if not provided by the | Plaintext. JWE adds a content integrity check if not provided by the | |||
| underlying encryption algorithm. | underlying encryption algorithm. | |||
| 3.1. Example JWE with an Integrated Integrity Check | 3.1. Example JWE using RSAES OAEP and AES GCM | |||
| This example encrypts the plaintext "Live long and prosper." to the | This example encrypts the plaintext "Live long and prosper." to the | |||
| recipient using RSAES OAEP and AES GCM. The AES GCM algorithm has an | recipient using RSAES OAEP and AES GCM. The AES GCM algorithm has an | |||
| integrated integrity check. | integrated integrity check. | |||
| The following example JWE Header declares that: | The following example JWE Header declares that: | |||
| o the Content Master Key is encrypted to the recipient using the | o the Content Master Key is encrypted to the recipient using the | |||
| RSAES OAEP algorithm to produce the JWE Encrypted Key and | RSAES OAEP algorithm to produce the JWE Encrypted Key and | |||
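Review bot: The new 3.1 title, "Example JWE using RSAES OAEP and AES GCM", is now word for word the title of Appendix A.1 in the table of contents, so a reference by title no longer identifies a single section. Suggest keeping a distinguishing word in the overview title, or referring to these sections by number only.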
| skipping to change at page 9, line 39 ¶ | skipping to change at page 9, line 40 ¶ | |||
| O6JHkWLuAEYoe58lcxIQneyKdaYSLbV9cKqoUoFQpvKWYRHZbfszIyfsa18rmgTj | O6JHkWLuAEYoe58lcxIQneyKdaYSLbV9cKqoUoFQpvKWYRHZbfszIyfsa18rmgTj | |||
| zrtLDTPnc09DSJE24aQ8w3i8RXEDthW9T1J6LsTH_vwHdwUgkI-tC2PNeGrnM-dN | zrtLDTPnc09DSJE24aQ8w3i8RXEDthW9T1J6LsTH_vwHdwUgkI-tC2PNeGrnM-dN | |||
| SfzF3Y7-lwcGy0FsdXkPXytvDV7y4pZeeUiQ-0VdibIN2AjjfW60nfrPuOjepMFG | SfzF3Y7-lwcGy0FsdXkPXytvDV7y4pZeeUiQ-0VdibIN2AjjfW60nfrPuOjepMFG | |||
| 6BBBbR37pHcyzext9epOAQ. | 6BBBbR37pHcyzext9epOAQ. | |||
| 48V1_ALb6US04U3b. | 48V1_ALb6US04U3b. | |||
| _e21tGGhac_peEFkLXr2dMPUZiUkrw. | _e21tGGhac_peEFkLXr2dMPUZiUkrw. | |||
| 7V5ZDko0v_mf2PAc4JMiUg | 7V5ZDko0v_mf2PAc4JMiUg | |||
| See Appendix A.1 for the complete details of computing this JWE. | See Appendix A.1 for the complete details of computing this JWE. | |||
| 3.2. Example JWE with a Separate Integrity Check | 3.2. Example JWE using RSAES-PKCS1-V1_5 and AES CBC | |||
| This example encrypts the plaintext "No matter where you go, there | This example encrypts the plaintext "No matter where you go, there | |||
| you are." to the recipient using RSAES-PKCS1-V1_5 and AES CBC. AES | you are." to the recipient using RSAES-PKCS1-V1_5 and AES CBC. AES | |||
| CBC does not have an integrated integrity check, so a separate | CBC does not have an integrated integrity check, so a separate | |||
| integrity check calculation is performed using HMAC SHA-256, with | integrity check calculation is performed using HMAC SHA-256, with | |||
| separate encryption and integrity keys being derived from a master | separate encryption and integrity keys being derived from a master | |||
| key using the Concat KDF with the SHA-256 digest function. | key using the Concat KDF with the SHA-256 digest function. | |||
| The following example JWE Header (with line breaks for display | The following example JWE Header (with line breaks for display | |||
| purposes only) declares that: | purposes only) declares that: | |||
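Review bot: The 3.2 body is unchanged and still says "AES CBC does not have an integrated integrity check" with a separate HMAC SHA-256 calculation, while 4.1.2 in this revision now says the "enc" algorithm "MUST be an AEAD algorithm". Suggest adding a sentence here stating that the AES CBC plus HMAC combination is treated as one AEAD algorithm, so the overview example does not read as violating the new requirement.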
| skipping to change at page 12, line 39 ¶ | skipping to change at page 12, line 42 ¶ | |||
| is a case sensitive string containing a StringOrURI value. This | is a case sensitive string containing a StringOrURI value. This | |||
| header parameter is REQUIRED. | header parameter is REQUIRED. | |||
| A list of defined "alg" values can be found in the IANA JSON Web | A list of defined "alg" values can be found in the IANA JSON Web | |||
| Signature and Encryption Algorithms registry [JWA]; the initial | Signature and Encryption Algorithms registry [JWA]; the initial | |||
| contents of this registry are the values defined in Section 4.1 of | contents of this registry are the values defined in Section 4.1 of | |||
| the JSON Web Algorithms (JWA) [JWA] specification. | the JSON Web Algorithms (JWA) [JWA] specification. | |||
| 4.1.2. "enc" (Encryption Method) Header Parameter | 4.1.2. "enc" (Encryption Method) Header Parameter | |||
| The "enc" (encryption method) header parameter identifies the | The "enc" (encryption method) header parameter identifies the block | |||
| symmetric encryption algorithm used to encrypt the Plaintext to | encryption algorithm used to encrypt the Plaintext to produce the | |||
| produce the Ciphertext. The algorithm specified by the "enc" value | Ciphertext. This algorithm MUST be an AEAD algorithm with a | |||
| specified key length. The algorithm specified by the "enc" value | ||||
| MUST be supported by the implementation or the JWE MUST be rejected. | MUST be supported by the implementation or the JWE MUST be rejected. | |||
| "enc" values SHOULD either be registered in the IANA JSON Web | "enc" values SHOULD either be registered in the IANA JSON Web | |||
| Signature and Encryption Algorithms registry [JWA] or be a URI that | Signature and Encryption Algorithms registry [JWA] or be a URI that | |||
| contains a Collision Resistant Namespace. The "enc" value is a case | contains a Collision Resistant Namespace. The "enc" value is a case | |||
| sensitive string containing a StringOrURI value. This header | sensitive string containing a StringOrURI value. This header | |||
| parameter is REQUIRED. | parameter is REQUIRED. | |||
| A list of defined "enc" values can be found in the IANA JSON Web | A list of defined "enc" values can be found in the IANA JSON Web | |||
| Signature and Encryption Algorithms registry [JWA]; the initial | Signature and Encryption Algorithms registry [JWA]; the initial | |||
| contents of this registry are the values defined in Section 4.2 of | contents of this registry are the values defined in Section 4.2 of | |||
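Review bot: In the rewritten first sentence of 4.1.2, "symmetric encryption algorithm" became "block encryption algorithm", and the next sentence then requires "an AEAD algorithm with a specified key length"; two terms for the same thing invite readers to assume they differ. Suggest using one term throughout (the Terminology section already defines "AEAD Algorithm") and saying where the key length is specified.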
| skipping to change at page 17, line 38 ¶ | skipping to change at page 17, line 42 ¶ | |||
| 9. Serialize the (compressed) Plaintext into a byte sequence M. | 9. Serialize the (compressed) Plaintext into a byte sequence M. | |||
| 10. Create a JWE Header containing the encryption parameters used. | 10. Create a JWE Header containing the encryption parameters used. | |||
| Note that white space is explicitly allowed in the | Note that white space is explicitly allowed in the | |||
| representation and no canonicalization need be performed before | representation and no canonicalization need be performed before | |||
| encoding. | encoding. | |||
| 11. Base64url encode the bytes of the UTF-8 representation of the | 11. Base64url encode the bytes of the UTF-8 representation of the | |||
| JWE Header to create the Encoded JWE Header. | JWE Header to create the Encoded JWE Header. | |||
| 12. Encrypt M using the CMK, the JWE Initialization Vector, and the | 12. Let the "additional authenticated data" value be the bytes of | |||
| other parameters required for the specified block encryption | the ASCII representation of the concatenation of the Encoded JWE | |||
| algorithm to create the JWE Ciphertext value and the JWE | Header, a period ('.') character, the Encoded JWE Encrypted Key, | |||
| Integrity Value. | a second period character ('.'), and the Encoded JWE | |||
| Initialization Vector. | ||||
| 13. Base64url encode the JWE Ciphertext to create the Encoded JWE | 13. Encrypt M using the CMK, the JWE Initialization Vector, and the | |||
| "additional authenticated data" value using the specified block | ||||
| encryption algorithm to create the JWE Ciphertext value and the | ||||
| JWE Integrity Value (which is the "authentication tag" output | ||||
| from the calculation). | ||||
| 14. Base64url encode the JWE Ciphertext to create the Encoded JWE | ||||
| Ciphertext. | Ciphertext. | |||
| 14. Base64url encode the JWE Integrity Value to create the Encoded | 15. Base64url encode the JWE Integrity Value to create the Encoded | |||
| JWE Integrity Value. | JWE Integrity Value. | |||
| 15. The five encoded parts, taken together, are the result. | 16. The five encoded parts, taken together, are the result. | |||
| 16. The Compact Serialization of this result is the concatenation of | 17. The Compact Serialization of this result is the concatenation of | |||
| the Encoded JWE Header, the Encoded JWE Encrypted Key, the | the Encoded JWE Header, the Encoded JWE Encrypted Key, the | |||
| Encoded JWE Initialization Vector, the Encoded JWE Ciphertext, | Encoded JWE Initialization Vector, the Encoded JWE Ciphertext, | |||
| and the Encoded JWE Integrity Value in that order, with the five | and the Encoded JWE Integrity Value in that order, with the five | |||
| strings being separated by four period ('.') characters. | strings being separated by four period ('.') characters. | |||
| 6. Message Decryption | 6. Message Decryption | |||
| The message decryption process is the reverse of the encryption | The message decryption process is the reverse of the encryption | |||
| process. The order of the steps is not significant in cases where | process. The order of the steps is not significant in cases where | |||
| there are no dependencies between the inputs and outputs of the | there are no dependencies between the inputs and outputs of the | |||
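Review bot: New step 12 builds the "additional authenticated data" from the Encoded JWE Header, while step 10 notes that white space is allowed and no canonicalization is performed, so the integrity check only holds if the recipient uses the encoded header exactly as it was transmitted. Suggest stating this in step 12 and in the matching decryption step: the value is the received encoded string, never a re-serialized or re-encoded header.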
| skipping to change at page 19, line 5 ¶ | skipping to change at page 19, line 17 ¶ | |||
| decrypt the JWE Encrypted Key. | decrypt the JWE Encrypted Key. | |||
| 7. When key wrapping, key encryption, or key agreement with key | 7. When key wrapping, key encryption, or key agreement with key | |||
| wrapping are employed, decrypt the JWE Encrypted Key to produce | wrapping are employed, decrypt the JWE Encrypted Key to produce | |||
| the Content Master Key (CMK). The CMK MUST have a length equal | the Content Master Key (CMK). The CMK MUST have a length equal | |||
| to that required for the block encryption algorithm. | to that required for the block encryption algorithm. | |||
| 8. When direct encryption with a shared symmetric key is employed, | 8. When direct encryption with a shared symmetric key is employed, | |||
| let the Content Master Key (CMK) be the shared key. | let the Content Master Key (CMK) be the shared key. | |||
| 9. Decrypt the JWE Ciphertext using the CMK, the JWE Initialization | 9. Let the "additional authenticated data" value be the bytes of | |||
| Vector, and the other parameters required for the specified | the ASCII representation of the concatenation of the Encoded JWE | |||
| block encryption algorithm, returning the decrypted plaintext | Header, a period ('.') character, the Encoded JWE Encrypted Key, | |||
| and verifying the JWE Integrity Value in the manner specified | a second period character ('.'), and the Encoded JWE | |||
| for the algorithm. | Initialization Vector. | |||
| 10. Uncompress the decrypted plaintext if a "zip" parameter was | 10. Decrypt the JWE Ciphertext using the CMK, the JWE Initialization | |||
| Vector, the "additional authenticated data" value, and the JWE | ||||
| Integrity Value (which is the "authentication tag" input to the | ||||
| calculation) using the specified block encryption algorithm, | ||||
| returning the decrypted plaintext and verifying the JWE | ||||
| Integrity Value in the manner specified for the algorithm, | ||||
| rejecting the input without emitting any decrypted output if the | ||||
| JWE Integrity Value is incorrect. | ||||
| 11. Uncompress the decrypted plaintext if a "zip" parameter was | ||||
| included. | included. | |||
| 11. Output the resulting Plaintext. | 12. Output the resulting Plaintext. | |||
| 7. CMK Encryption | 7. CMK Encryption | |||
| JWE supports three forms of Content Master Key (CMK) encryption: | JWE supports three forms of Content Master Key (CMK) encryption: | |||
| o Asymmetric encryption under the recipient's public key. | o Asymmetric encryption under the recipient's public key. | |||
| o Symmetric encryption under a key shared between the sender and | o Symmetric encryption under a key shared between the sender and | |||
| receiver. | receiver. | |||
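Review bot: New step 10 reads "returning the decrypted plaintext and verifying the JWE Integrity Value", which puts decryption before verification in the sentence even though it ends by requiring rejection "without emitting any decrypted output". Suggest reordering the wording so verification comes first, and making step 11 (uncompress) explicitly conditional on the integrity check succeeding, since the Section 6 preamble says step order is not significant where there are no dependencies.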
| skipping to change at page 23, line 6 ¶ | skipping to change at page 23, line 32 ¶ | |||
| 11.1. Normative References | 11.1. Normative References | |||
| [ITU.X690.1994] | [ITU.X690.1994] | |||
| International Telecommunications Union, "Information | International Telecommunications Union, "Information | |||
| Technology - ASN.1 encoding rules: Specification of Basic | Technology - ASN.1 encoding rules: Specification of Basic | |||
| Encoding Rules (BER), Canonical Encoding Rules (CER) and | Encoding Rules (BER), Canonical Encoding Rules (CER) and | |||
| Distinguished Encoding Rules (DER)", ITU-T Recommendation | Distinguished Encoding Rules (DER)", ITU-T Recommendation | |||
| X.690, 1994. | X.690, 1994. | |||
| [JWA] Jones, M., "JSON Web Algorithms (JWA)", October 2012. | [JWA] Jones, M., "JSON Web Algorithms (JWA)", November 2012. | |||
| [JWK] Jones, M., "JSON Web Key (JWK)", October 2012. | [JWK] Jones, M., "JSON Web Key (JWK)", November 2012. | |||
| [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web | [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web | |||
| Signature (JWS)", October 2012. | Signature (JWS)", November 2012. | |||
| [RFC1421] Linn, J., "Privacy Enhancement for Internet Electronic | [RFC1421] Linn, J., "Privacy Enhancement for Internet Electronic | |||
| Mail: Part I: Message Encryption and Authentication | Mail: Part I: Message Encryption and Authentication | |||
| Procedures", RFC 1421, February 1993. | Procedures", RFC 1421, February 1993. | |||
| [RFC1951] Deutsch, P., "DEFLATE Compressed Data Format Specification | [RFC1951] Deutsch, P., "DEFLATE Compressed Data Format Specification | |||
| version 1.3", RFC 1951, May 1996. | version 1.3", RFC 1951, May 1996. | |||
| [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail | [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail | |||
| Extensions (MIME) Part Two: Media Types", RFC 2046, | Extensions (MIME) Part Two: Media Types", RFC 2046, | |||
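Review bot: the [JWA], [JWK] and [JWS] entries are still identified only by title and month (now "November 2012"), with no draft name or revision, unlike the [I-D.rescorla-jsms] entry. Appendices A.4 and A.5 depend on "Section 4.8.1 of [JWA]" and their key derivation input changes in this revision, so a reader cannot tell which JWA revision the example values were produced against. Suggest citing the companion drafts by draft name and revision number.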
| skipping to change at page 24, line 12 ¶ | skipping to change at page 24, line 41 ¶ | |||
| [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | |||
| (TLS) Protocol Version 1.2", RFC 5246, August 2008. | (TLS) Protocol Version 1.2", RFC 5246, August 2008. | |||
| [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | |||
| Housley, R., and W. Polk, "Internet X.509 Public Key | Housley, R., and W. Polk, "Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 5280, May 2008. | (CRL) Profile", RFC 5280, May 2008. | |||
| [W3C.CR-xmlenc-core1-20120313] | [W3C.CR-xmlenc-core1-20120313] | |||
| Eastlake, D., Reagle, J., Hirsch, F., and T. Roessler, | Eastlake, D., Reagle, J., Roessler, T., and F. Hirsch, | |||
| "XML Encryption Syntax and Processing Version 1.1", World | "XML Encryption Syntax and Processing Version 1.1", World | |||
| Wide Web Consortium CR CR-xmlenc-core1-20120313, | Wide Web Consortium CR CR-xmlenc-core1-20120313, | |||
| March 2012, | March 2012, | |||
| <http://www.w3.org/TR/2012/CR-xmlenc-core1-20120313>. | <http://www.w3.org/TR/2012/CR-xmlenc-core1-20120313>. | |||
| 11.2. Informative References | 11.2. Informative References | |||
| [I-D.rescorla-jsms] | [I-D.rescorla-jsms] | |||
| Rescorla, E. and J. Hildebrand, "JavaScript Message | Rescorla, E. and J. Hildebrand, "JavaScript Message | |||
| Security Format", draft-rescorla-jsms-00 (work in | Security Format", draft-rescorla-jsms-00 (work in | |||
| progress), March 2011. | progress), March 2011. | |||
| [JSE] Bradley, J. and N. Sakimura (editor), "JSON Simple | [JSE] Bradley, J. and N. Sakimura (editor), "JSON Simple | |||
| Encryption", September 2010. | Encryption", September 2010. | |||
| [JWE-JS] Jones, M., "JSON Web Encryption JSON Serialization | [JWE-JS] Jones, M., "JSON Web Encryption JSON Serialization | |||
| (JWE-JS)", October 2012. | (JWE-JS)", November 2012. | |||
| [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally | [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally | |||
| Unique IDentifier (UUID) URN Namespace", RFC 4122, | Unique IDentifier (UUID) URN Namespace", RFC 4122, | |||
| July 2005. | July 2005. | |||
| [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, | [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, | |||
| RFC 5652, September 2009. | RFC 5652, September 2009. | |||
| Appendix A. JWE Examples | Appendix A. JWE Examples | |||
| skipping to change at page 33, line 31 ¶ | skipping to change at page 33, line 31 ¶ | |||
| | | 46, 196, 90, 173, 38, 245, 219, 186, 222, 27, 240, | | | | 46, 196, 90, 173, 38, 245, 219, 186, 222, 27, 240, | | |||
| | | 212, 194, 15, 66, 135, 226, 178, 190, 52, 245, 74, | | | | 212, 194, 15, 66, 135, 226, 178, 190, 52, 245, 74, | | |||
| | | 65, 224, 81, 100, 85, 25, 204, 165, 203, 187, 175, | | | | 65, 224, 81, 100, 85, 25, 204, 165, 203, 187, 175, | | |||
| | | 84, 100, 82, 15, 11, 23, 202, 151, 107, 54, 41, 207, | | | | 84, 100, 82, 15, 11, 23, 202, 151, 107, 54, 41, 207, | | |||
| | | 3, 136, 229, 134, 131, 93, 139, 50, 182, 204, 93, | | | | 3, 136, 229, 134, 131, 93, 139, 50, 182, 204, 93, | | |||
| | | 130, 89] | | | | 130, 89] | | |||
| +-----------+-------------------------------------------------------+ | +-----------+-------------------------------------------------------+ | |||
| The resulting JWE Encrypted Key value is: | The resulting JWE Encrypted Key value is: | |||
| [59, 160, 42, 94, 168, 21, 148, 146, 120, 115, 137, 105, 230, 197, | [102, 105, 229, 169, 104, 35, 95, 42, 176, 142, 190, 220, 92, 124, | |||
| 217, 119, 182, 233, 24, 112, 48, 232, 4, 100, 29, 71, 151, 67, 16, | 172, 240, 94, 253, 106, 114, 20, 35, 162, 118, 81, 103, 64, 201, 20, | |||
| 245, 112, 5, 184, 249, 125, 113, 210, 171, 99, 252, 3, 116, 154, 233, | 4, 112, 96, 84, 248, 163, 199, 177, 227, 204, 247, 93, 63, 70, 132, | |||
| 42, 16, 233, 120, 99, 165, 14, 192, 149, 200, 37, 143, 126, 27, 81, | 195, 26, 237, 72, 91, 141, 3, 159, 71, 111, 113, 213, 68, 142, 146, | |||
| 11, 43, 228, 80, 90, 178, 135, 253, 43, 81, 248, 3, 61, 31, 177, 169, | 92, 60, 243, 72, 111, 53, 156, 51, 16, 226, 215, 125, 68, 141, 232, | |||
| 42, 100, 132, 142, 47, 16, 96, 231, 12, 58, 58, 254, 187, 209, 245, | 62, 111, 197, 98, 91, 150, 23, 230, 132, 93, 97, 216, 145, 226, 3, | |||
| 46, 223, 233, 4, 72, 158, 27, 205, 54, 75, 21, 179, 210, 182, 197, | 18, 12, 48, 119, 153, 185, 8, 156, 195, 84, 21, 63, 143, 43, 144, | |||
| 77, 116, 92, 143, 128, 86, 47, 23, 41, 10, 216, 212, 103, 125, 64, | 174, 101, 25, 199, 7, 106, 212, 43, 151, 225, 62, 225, 122, 92, 90, | |||
| 63, 235, 28, 248, 191, 222, 9, 158, 84, 54, 93, 26, 73, 19, 106, 22, | 139, 45, 144, 134, 229, 15, 235, 38, 110, 132, 189, 236, 126, 92, | |||
| 201, 46, 62, 76, 209, 176, 86, 81, 12, 154, 146, 72, 151, 149, 59, | 183, 13, 64, 2, 77, 107, 95, 186, 8, 133, 53, 217, 104, 247, 152, | |||
| 34, 123, 165, 144, 144, 243, 119, 229, 139, 95, 85, 130, 47, 247, 71, | 241, 49, 199, 15, 111, 110, 123, 16, 13, 78, 193, 224, 23, 230, 133, | |||
| 181, 204, 82, 169, 110, 66, 235, 156, 237, 145, 206, 90, 44, 98, 227, | 220, 162, 126, 82, 192, 236, 7, 185, 100, 106, 21, 70, 93, 192, 255, | |||
| 184, 215, 148, 20, 229, 89, 22, 121, 136, 92, 90, 75, 193, 186, 39, | 252, 139, 61, 124, 81, 140, 113, 97, 164, 231, 131, 167, 246, 157, | |||
| 204, 20, 173, 222, 1, 42, 8, 0, 195, 122, 151, 229, 122, 8, 125, 116, | 199, 195, 114, 122, 49, 121, 115, 63, 114, 12, 165, 11, 186, 3, 108, | |||
| 21, 149, 6, 68, 209, 89, 164, 171, 252, 208, 72, 138, 57, 46, 113, | 12, 199, 101, 29, 226, 80, 56, 193, 149, 45, 134, 146, 102, 221, 202, | |||
| 74, 202, 140, 40, 161, 23, 29, 176, 75, 141, 135, 208, 125, 50, 76, | 63, 166, 150, 53, 42, 133, 3, 83, 199, 14, 15, 181, 209, 199, 174, | |||
| 173, 209, 148, 4, 148, 111, 163, 25, 219, 71, 90, 54, 82, 56] | 76, 75, 106, 254, 243, 196, 227, 225, 173, 122, 254, 13, 224, 174, 4, | |||
| 185, 217, 99, 225] | ||||
| A.2.5. Encoded JWE Encrypted Key | A.2.5. Encoded JWE Encrypted Key | |||
| Base64url encode the JWE Encrypted Key to produce the Encoded JWE | Base64url encode the JWE Encrypted Key to produce the Encoded JWE | |||
| Encrypted Key. This result (with line breaks for display purposes | Encrypted Key. This result (with line breaks for display purposes | |||
| only) is: | only) is: | |||
| O6AqXqgVlJJ4c4lp5sXZd7bpGHAw6ARkHUeXQxD1cAW4-X1x0qtj_AN0mukqEOl4 | ZmnlqWgjXyqwjr7cXHys8F79anIUI6J2UWdAyRQEcGBU-KPHsePM910_RoTDGu1I | |||
| Y6UOwJXIJY9-G1ELK-RQWrKH_StR-AM9H7GpKmSEji8QYOcMOjr-u9H1Lt_pBEie | W40Dn0dvcdVEjpJcPPNIbzWcMxDi131Ejeg-b8ViW5YX5oRdYdiR4gMSDDB3mbkI | |||
| G802SxWz0rbFTXRcj4BWLxcpCtjUZ31AP-sc-L_eCZ5UNl0aSRNqFskuPkzRsFZR | nMNUFT-PK5CuZRnHB2rUK5fhPuF6XFqLLZCG5Q_rJm6Evex-XLcNQAJNa1-6CIU1 | |||
| DJqSSJeVOyJ7pZCQ83fli19Vgi_3R7XMUqluQuuc7ZHOWixi47jXlBTlWRZ5iFxa | 2Wj3mPExxw9vbnsQDU7B4BfmhdyiflLA7Ae5ZGoVRl3A__yLPXxRjHFhpOeDp_ad | |||
| S8G6J8wUrd4BKggAw3qX5XoIfXQVlQZE0Vmkq_zQSIo5LnFKyowooRcdsEuNh9B9 | x8NyejF5cz9yDKULugNsDMdlHeJQOMGVLYaSZt3KP6aWNSqFA1PHDg-10ceuTEtq | |||
| Mkyt0ZQElG-jGdtHWjZSOA | _vPE4-Gtev4N4K4Eudlj4Q | |||
| A.2.6. Key Derivation | A.2.6. Key Derivation | |||
| Use the Concat key derivation function to derive Content Encryption | Use the Concat key derivation function to derive Content Encryption | |||
| Key (CEK) and Content Integrity Key (CIK) values from the CMK. The | Key (CEK) and Content Integrity Key (CIK) values from the CMK. The | |||
| details of this derivation are shown in Appendix A.4. The resulting | details of this derivation are shown in Appendix A.4. The resulting | |||
| CEK value is: | CEK value is: | |||
| [37, 245, 125, 247, 113, 155, 238, 98, 228, 206, 62, 65, 81, 153, 79, | [203, 165, 180, 113, 62, 195, 22, 98, 91, 153, 210, 38, 112, 35, 230, | |||
| 91] | 236] | |||
| The resulting CIK value is: | The resulting CIK value is: | |||
| [203, 194, 197, 180, 120, 46, 123, 202, 78, 12, 33, 116, 214, 247, | [218, 24, 160, 17, 160, 50, 235, 35, 216, 209, 100, 174, 155, 163, | |||
| 128, 41, 175, 53, 181, 164, 224, 223, 56, 146, 179, 193, 18, 223, | 10, 117, 180, 111, 172, 200, 127, 201, 206, 173, 40, 45, 58, 170, 35, | |||
| 146, 85, 244, 127] | 93, 9, 60] | |||
| A.2.7. Initialization Vector | A.2.7. Initialization Vector | |||
| Generate a random 128 bit JWE Initialization Vector. In this | Generate a random 128 bit JWE Initialization Vector. In this | |||
| example, the value is: | example, the value is: | |||
| [3, 22, 60, 12, 43, 67, 104, 105, 108, 108, 105, 99, 111, 116, 104, | [3, 22, 60, 12, 43, 67, 104, 105, 108, 108, 105, 99, 111, 116, 104, | |||
| 101] | 101] | |||
| Base64url encoding this value yields the Encoded JWE Initialization | Base64url encoding this value yields the Encoded JWE Initialization | |||
| Vector value: | Vector value: | |||
| AxY8DCtDaGlsbGljb3RoZQ | AxY8DCtDaGlsbGljb3RoZQ | |||
| A.2.8. Plaintext Encryption | A.2.8. Plaintext Encryption | |||
| Encrypt the Plaintext with AES CBC using the CEK and the JWE | Encrypt the Plaintext with AES CBC using the CEK and the JWE | |||
| Initialization Vector to produce the Ciphertext. The resulting | Initialization Vector to produce the Ciphertext. The resulting | |||
| Ciphertext is: | Ciphertext is: | |||
| [213, 224, 86, 22, 7, 43, 207, 141, 48, 11, 207, 28, 130, 255, 43, | [71, 27, 35, 131, 163, 200, 19, 23, 38, 25, 33, 123, 46, 116, 132, | |||
| 62, 11, 183, 17, 249, 130, 214, 158, 51, 79, 73, 8, 199, 23, 210, 23, | 144, 58, 150, 32, 167, 192, 195, 92, 25, 207, 101, 233, 105, 181, | |||
| 108, 195, 37, 196, 62, 136, 65, 228, 214, 52, 12, 247, 156, 64, 118, | 121, 63, 4, 44, 162, 82, 176, 17, 171, 150, 97, 147, 68, 245, 13, 97, | |||
| 190, 89] | 100, 145, 25] | |||
| A.2.9. Encoded JWE Ciphertext | A.2.9. Encoded JWE Ciphertext | |||
| Base64url encode the resulting Ciphertext to create the Encoded JWE | Base64url encode the resulting Ciphertext to create the Encoded JWE | |||
| Ciphertext. This result is: | Ciphertext. This result is: | |||
| 1eBWFgcrz40wC88cgv8rPgu3EfmC1p4zT0kIxxfSF2zDJcQ-iEHk1jQM95xAdr5Z | Rxsjg6PIExcmGSF7LnSEkDqWIKfAw1wZz2XpabV5PwQsolKwEauWYZNE9Q1hZJEZ | |||
| A.2.10. Secured Input Value | A.2.10. Secured Input Value | |||
| Concatenate the Encoded JWE Header value, a period character ('.'), | Concatenate the Encoded JWE Header value, a period character ('.'), | |||
| the Encoded JWE Encrypted Key, a second period character, the Encoded | the Encoded JWE Encrypted Key, a second period character, the Encoded | |||
| JWE Initialization Vector, a third period ('.') character, and the | JWE Initialization Vector, a third period ('.') character, and the | |||
| Encoded JWE Ciphertext to create the value to integrity protect. | Encoded JWE Ciphertext to create the value to integrity protect. | |||
| This result (with line breaks for display purposes only) is: | This result (with line breaks for display purposes only) is: | |||
| eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDK0hTMjU2In0. | eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDK0hTMjU2In0. | |||
| O6AqXqgVlJJ4c4lp5sXZd7bpGHAw6ARkHUeXQxD1cAW4-X1x0qtj_AN0mukqEOl4 | ZmnlqWgjXyqwjr7cXHys8F79anIUI6J2UWdAyRQEcGBU-KPHsePM910_RoTDGu1I | |||
| Y6UOwJXIJY9-G1ELK-RQWrKH_StR-AM9H7GpKmSEji8QYOcMOjr-u9H1Lt_pBEie | W40Dn0dvcdVEjpJcPPNIbzWcMxDi131Ejeg-b8ViW5YX5oRdYdiR4gMSDDB3mbkI | |||
| G802SxWz0rbFTXRcj4BWLxcpCtjUZ31AP-sc-L_eCZ5UNl0aSRNqFskuPkzRsFZR | nMNUFT-PK5CuZRnHB2rUK5fhPuF6XFqLLZCG5Q_rJm6Evex-XLcNQAJNa1-6CIU1 | |||
| DJqSSJeVOyJ7pZCQ83fli19Vgi_3R7XMUqluQuuc7ZHOWixi47jXlBTlWRZ5iFxa | 2Wj3mPExxw9vbnsQDU7B4BfmhdyiflLA7Ae5ZGoVRl3A__yLPXxRjHFhpOeDp_ad | |||
| S8G6J8wUrd4BKggAw3qX5XoIfXQVlQZE0Vmkq_zQSIo5LnFKyowooRcdsEuNh9B9 | x8NyejF5cz9yDKULugNsDMdlHeJQOMGVLYaSZt3KP6aWNSqFA1PHDg-10ceuTEtq | |||
| Mkyt0ZQElG-jGdtHWjZSOA. | _vPE4-Gtev4N4K4Eudlj4Q. | |||
| AxY8DCtDaGlsbGljb3RoZQ. | AxY8DCtDaGlsbGljb3RoZQ. | |||
| 1eBWFgcrz40wC88cgv8rPgu3EfmC1p4zT0kIxxfSF2zDJcQ-iEHk1jQM95xAdr5Z | Rxsjg6PIExcmGSF7LnSEkDqWIKfAw1wZz2XpabV5PwQsolKwEauWYZNE9Q1hZJEZ | |||
| The representation of this value is: | The representation of this value is: | |||
| [101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 83, 85, 48, 69, | [101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 83, 85, 48, 69, | |||
| 120, 88, 122, 85, 105, 76, 67, 74, 108, 98, 109, 77, 105, 79, 105, | 120, 88, 122, 85, 105, 76, 67, 74, 108, 98, 109, 77, 105, 79, 105, | |||
| 74, 66, 77, 84, 73, 52, 81, 48, 74, 68, 75, 48, 104, 84, 77, 106, 85, | 74, 66, 77, 84, 73, 52, 81, 48, 74, 68, 75, 48, 104, 84, 77, 106, 85, | |||
| 50, 73, 110, 48, 46, 79, 54, 65, 113, 88, 113, 103, 86, 108, 74, 74, | 50, 73, 110, 48, 46, 90, 109, 110, 108, 113, 87, 103, 106, 88, 121, | |||
| 52, 99, 52, 108, 112, 53, 115, 88, 90, 100, 55, 98, 112, 71, 72, 65, | 113, 119, 106, 114, 55, 99, 88, 72, 121, 115, 56, 70, 55, 57, 97, | |||
| 119, 54, 65, 82, 107, 72, 85, 101, 88, 81, 120, 68, 49, 99, 65, 87, | 110, 73, 85, 73, 54, 74, 50, 85, 87, 100, 65, 121, 82, 81, 69, 99, | |||
| 52, 45, 88, 49, 120, 48, 113, 116, 106, 95, 65, 78, 48, 109, 117, | 71, 66, 85, 45, 75, 80, 72, 115, 101, 80, 77, 57, 49, 48, 95, 82, | |||
| 107, 113, 69, 79, 108, 52, 89, 54, 85, 79, 119, 74, 88, 73, 74, 89, | 111, 84, 68, 71, 117, 49, 73, 87, 52, 48, 68, 110, 48, 100, 118, 99, | |||
| 57, 45, 71, 49, 69, 76, 75, 45, 82, 81, 87, 114, 75, 72, 95, 83, 116, | 100, 86, 69, 106, 112, 74, 99, 80, 80, 78, 73, 98, 122, 87, 99, 77, | |||
| 82, 45, 65, 77, 57, 72, 55, 71, 112, 75, 109, 83, 69, 106, 105, 56, | 120, 68, 105, 49, 51, 49, 69, 106, 101, 103, 45, 98, 56, 86, 105, 87, | |||
| 81, 89, 79, 99, 77, 79, 106, 114, 45, 117, 57, 72, 49, 76, 116, 95, | 53, 89, 88, 53, 111, 82, 100, 89, 100, 105, 82, 52, 103, 77, 83, 68, | |||
| 112, 66, 69, 105, 101, 71, 56, 48, 50, 83, 120, 87, 122, 48, 114, 98, | 68, 66, 51, 109, 98, 107, 73, 110, 77, 78, 85, 70, 84, 45, 80, 75, | |||
| 70, 84, 88, 82, 99, 106, 52, 66, 87, 76, 120, 99, 112, 67, 116, 106, | 53, 67, 117, 90, 82, 110, 72, 66, 50, 114, 85, 75, 53, 102, 104, 80, | |||
| 85, 90, 51, 49, 65, 80, 45, 115, 99, 45, 76, 95, 101, 67, 90, 53, 85, | 117, 70, 54, 88, 70, 113, 76, 76, 90, 67, 71, 53, 81, 95, 114, 74, | |||
| 78, 108, 48, 97, 83, 82, 78, 113, 70, 115, 107, 117, 80, 107, 122, | 109, 54, 69, 118, 101, 120, 45, 88, 76, 99, 78, 81, 65, 74, 78, 97, | |||
| 82, 115, 70, 90, 82, 68, 74, 113, 83, 83, 74, 101, 86, 79, 121, 74, | 49, 45, 54, 67, 73, 85, 49, 50, 87, 106, 51, 109, 80, 69, 120, 120, | |||
| 55, 112, 90, 67, 81, 56, 51, 102, 108, 105, 49, 57, 86, 103, 105, 95, | 119, 57, 118, 98, 110, 115, 81, 68, 85, 55, 66, 52, 66, 102, 109, | |||
| 51, 82, 55, 88, 77, 85, 113, 108, 117, 81, 117, 117, 99, 55, 90, 72, | 104, 100, 121, 105, 102, 108, 76, 65, 55, 65, 101, 53, 90, 71, 111, | |||
| 79, 87, 105, 120, 105, 52, 55, 106, 88, 108, 66, 84, 108, 87, 82, 90, | 86, 82, 108, 51, 65, 95, 95, 121, 76, 80, 88, 120, 82, 106, 72, 70, | |||
| 53, 105, 70, 120, 97, 83, 56, 71, 54, 74, 56, 119, 85, 114, 100, 52, | 104, 112, 79, 101, 68, 112, 95, 97, 100, 120, 56, 78, 121, 101, 106, | |||
| 66, 75, 103, 103, 65, 119, 51, 113, 88, 53, 88, 111, 73, 102, 88, 81, | 70, 53, 99, 122, 57, 121, 68, 75, 85, 76, 117, 103, 78, 115, 68, 77, | |||
| 86, 108, 81, 90, 69, 48, 86, 109, 107, 113, 95, 122, 81, 83, 73, 111, | 100, 108, 72, 101, 74, 81, 79, 77, 71, 86, 76, 89, 97, 83, 90, 116, | |||
| 53, 76, 110, 70, 75, 121, 111, 119, 111, 111, 82, 99, 100, 115, 69, | 51, 75, 80, 54, 97, 87, 78, 83, 113, 70, 65, 49, 80, 72, 68, 103, 45, | |||
| 117, 78, 104, 57, 66, 57, 77, 107, 121, 116, 48, 90, 81, 69, 108, 71, | 49, 48, 99, 101, 117, 84, 69, 116, 113, 95, 118, 80, 69, 52, 45, 71, | |||
| 45, 106, 71, 100, 116, 72, 87, 106, 90, 83, 79, 65, 46, 65, 120, 89, | 116, 101, 118, 52, 78, 52, 75, 52, 69, 117, 100, 108, 106, 52, 81, | |||
| 56, 68, 67, 116, 68, 97, 71, 108, 115, 98, 71, 108, 106, 98, 51, 82, | 46, 65, 120, 89, 56, 68, 67, 116, 68, 97, 71, 108, 115, 98, 71, 108, | |||
| 111, 90, 81, 46, 49, 101, 66, 87, 70, 103, 99, 114, 122, 52, 48, 119, | 106, 98, 51, 82, 111, 90, 81, 46, 82, 120, 115, 106, 103, 54, 80, 73, | |||
| 67, 56, 56, 99, 103, 118, 56, 114, 80, 103, 117, 51, 69, 102, 109, | 69, 120, 99, 109, 71, 83, 70, 55, 76, 110, 83, 69, 107, 68, 113, 87, | |||
| 67, 49, 112, 52, 122, 84, 48, 107, 73, 120, 120, 102, 83, 70, 50, | 73, 75, 102, 65, 119, 49, 119, 90, 122, 50, 88, 112, 97, 98, 86, 53, | |||
| 122, 68, 74, 99, 81, 45, 105, 69, 72, 107, 49, 106, 81, 77, 57, 53, | 80, 119, 81, 115, 111, 108, 75, 119, 69, 97, 117, 87, 89, 90, 78, 69, | |||
| 120, 65, 100, 114, 53, 90] | 57, 81, 49, 104, 90, 74, 69, 90] | |||
| A.2.11. JWE Integrity Value | A.2.11. JWE Integrity Value | |||
| Compute the HMAC SHA-256 of this value using the CIK to create the | Compute the HMAC SHA-256 of this value using the CIK to create the | |||
| JWE Integrity Value. This result is: | JWE Integrity Value. This result is: | |||
| [68, 17, 161, 99, 49, 60, 253, 198, 75, 30, 50, 106, 168, 123, 139, | [240, 181, 234, 49, 221, 9, 44, 107, 49, 49, 160, 121, 186, 131, 90, | |||
| 135, 54, 224, 90, 2, 255, 193, 93, 203, 13, 37, 43, 113, 185, 14, | 50, 152, 59, 185, 69, 191, 167, 141, 17, 149, 166, 71, 11, 3, 8, 203, | |||
| 136, 128] | 57] | |||
| A.2.12. Encoded JWE Integrity Value | A.2.12. Encoded JWE Integrity Value | |||
| Base64url encode the resulting JWE Integrity Value to create the | Base64url encode the resulting JWE Integrity Value to create the | |||
| Encoded JWE Integrity Value. This result is: | Encoded JWE Integrity Value. This result is: | |||
| RBGhYzE8_cZLHjJqqHuLhzbgWgL_wV3LDSUrcbkOiIA | 8LXqMd0JLGsxMaB5uoNaMpg7uUW_p40RlaZHCwMIyzk | |||
| A.2.13. Complete Representation | A.2.13. Complete Representation | |||
| Assemble the final representation: The Compact Serialization of this | Assemble the final representation: The Compact Serialization of this | |||
| result is the concatenation of the Encoded JWE Header, the Encoded | result is the concatenation of the Encoded JWE Header, the Encoded | |||
| JWE Encrypted Key, the Encoded JWE Initialization Vector, the Encoded | JWE Encrypted Key, the Encoded JWE Initialization Vector, the Encoded | |||
| JWE Ciphertext, and the Encoded JWE Integrity Value in that order, | JWE Ciphertext, and the Encoded JWE Integrity Value in that order, | |||
| with the five strings being separated by four period ('.') | with the five strings being separated by four period ('.') | |||
| characters. | characters. | |||
| The final result in this example (with line breaks for display | The final result in this example (with line breaks for display | |||
| purposes only) is: | purposes only) is: | |||
| eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDK0hTMjU2In0. | eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDK0hTMjU2In0. | |||
| O6AqXqgVlJJ4c4lp5sXZd7bpGHAw6ARkHUeXQxD1cAW4-X1x0qtj_AN0mukqEOl4 | ZmnlqWgjXyqwjr7cXHys8F79anIUI6J2UWdAyRQEcGBU-KPHsePM910_RoTDGu1I | |||
| Y6UOwJXIJY9-G1ELK-RQWrKH_StR-AM9H7GpKmSEji8QYOcMOjr-u9H1Lt_pBEie | W40Dn0dvcdVEjpJcPPNIbzWcMxDi131Ejeg-b8ViW5YX5oRdYdiR4gMSDDB3mbkI | |||
| G802SxWz0rbFTXRcj4BWLxcpCtjUZ31AP-sc-L_eCZ5UNl0aSRNqFskuPkzRsFZR | nMNUFT-PK5CuZRnHB2rUK5fhPuF6XFqLLZCG5Q_rJm6Evex-XLcNQAJNa1-6CIU1 | |||
| DJqSSJeVOyJ7pZCQ83fli19Vgi_3R7XMUqluQuuc7ZHOWixi47jXlBTlWRZ5iFxa | 2Wj3mPExxw9vbnsQDU7B4BfmhdyiflLA7Ae5ZGoVRl3A__yLPXxRjHFhpOeDp_ad | |||
| S8G6J8wUrd4BKggAw3qX5XoIfXQVlQZE0Vmkq_zQSIo5LnFKyowooRcdsEuNh9B9 | x8NyejF5cz9yDKULugNsDMdlHeJQOMGVLYaSZt3KP6aWNSqFA1PHDg-10ceuTEtq | |||
| Mkyt0ZQElG-jGdtHWjZSOA. | _vPE4-Gtev4N4K4Eudlj4Q. | |||
| AxY8DCtDaGlsbGljb3RoZQ. | AxY8DCtDaGlsbGljb3RoZQ. | |||
| 1eBWFgcrz40wC88cgv8rPgu3EfmC1p4zT0kIxxfSF2zDJcQ-iEHk1jQM95xAdr5Z. | Rxsjg6PIExcmGSF7LnSEkDqWIKfAw1wZz2XpabV5PwQsolKwEauWYZNE9Q1hZJEZ. | |||
| RBGhYzE8_cZLHjJqqHuLhzbgWgL_wV3LDSUrcbkOiIA | 8LXqMd0JLGsxMaB5uoNaMpg7uUW_p40RlaZHCwMIyzk | |||
| A.2.14. Validation | A.2.14. Validation | |||
| This example illustrates the process of creating a JWE with a | This example illustrates the process of creating a JWE with a | |||
| composite AEAD algorithm created from a non-AEAD algorithm by adding | composite AEAD algorithm created from a non-AEAD algorithm by adding | |||
| a separate integrity check calculation. These results can be used to | a separate integrity check calculation. These results can be used to | |||
| validate JWE decryption implementations for these algorithms. Note | validate JWE decryption implementations for these algorithms. Note | |||
| that since the RSAES-PKCS1-V1_5 computation includes random values, | that since the RSAES-PKCS1-V1_5 computation includes random values, | |||
| the encryption results above will not be completely reproducible. | the encryption results above will not be completely reproducible. | |||
| However, since the AES CBC computation is deterministic, the JWE | However, since the AES CBC computation is deterministic, the JWE | |||
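Review bot: missing documentation for a test-vector break in A.2.6 through A.2.13. The CEK, CIK, Ciphertext and JWE Integrity Value all change, and only the JWE Encrypted Key change is explained by the A.2.14 remark about RSAES-PKCS1-V1_5 randomness. The cause visible in this diff is the A.4 round 1 hash input gaining eight zero bytes for the "epu" and "epv" Datalen fields. A.2.6 or the document history should state that implementations validated against the -06 values will no longer match, and why.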
| skipping to change at page 41, line 22 ¶ | skipping to change at page 41, line 22 ¶ | |||
| o the CMK value (as above), | o the CMK value (as above), | |||
| o the output bit size 128 as a 32 bit big endian number ([0, 0, 0, | o the output bit size 128 as a 32 bit big endian number ([0, 0, 0, | |||
| 128]), | 128]), | |||
| o the bytes of the UTF-8 representation of the "enc" value | o the bytes of the UTF-8 representation of the "enc" value | |||
| "A128CBC+HS256" -- [65, 49, 50, 56, 67, 66, 67, 43, 72, 83, 50, | "A128CBC+HS256" -- [65, 49, 50, 56, 67, 66, 67, 43, 72, 83, 50, | |||
| 53, 54], | 53, 54], | |||
| o (no bytes are included for the "epu" (encryption PartyUInfo) and | o the Datalen value of zero for the omitted "epu" (encryption | |||
| "epv" (encryption PartyVInfo) parameters because they are absent, | PartyUInfo) value ([0, 0, 0, 0]), | |||
| but if present, the base64url decoded values of them would have | ||||
| been included here), | o the Datalen value of zero for the omitted "epv" (encryption | |||
| PartyVInfo) value ([0, 0, 0, 0]), | ||||
| o the bytes of the ASCII representation of the label "Encryption" -- | o the bytes of the ASCII representation of the label "Encryption" -- | |||
| [69, 110, 99, 114, 121, 112, 116, 105, 111, 110]. | [69, 110, 99, 114, 121, 112, 116, 105, 111, 110]. | |||
| Thus the round 1 hash input is: | Thus the round 1 hash input is: | |||
| [0, 0, 0, 1, 4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, | [0, 0, 0, 1, 4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, | |||
| 63, 170, 106, 206, 107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, | 63, 170, 106, 206, 107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, | |||
| 240, 143, 156, 44, 207, 0, 0, 0, 128, 65, 49, 50, 56, 67, 66, 67, 43, | 240, 143, 156, 44, 207, 0, 0, 0, 128, 65, 49, 50, 56, 67, 66, 67, 43, | |||
| 72, 83, 50, 53, 54, 69, 110, 99, 114, 121, 112, 116, 105, 111, 110] | 72, 83, 50, 53, 54, 0, 0, 0, 0, 0, 0, 0, 0, 69, 110, 99, 114, 121, | |||
| 112, 116, 105, 111, 110] | ||||
| The SHA-256 hash of this value, which is the round 1 hash output, is: | The SHA-256 hash of this value, which is the round 1 hash output, is: | |||
| [37, 245, 125, 247, 113, 155, 238, 98, 228, 206, 62, 65, 81, 153, 79, | [203, 165, 180, 113, 62, 195, 22, 98, 91, 153, 210, 38, 112, 35, 230, | |||
| 91, 225, 37, 250, 101, 198, 63, 51, 182, 5, 242, 241, 169, 162, 232, | 236, 181, 193, 129, 233, 251, 107, 70, 80, 36, 150, 216, 251, 182, | |||
| 103, 155] | 29, 104, 150] | |||
| Given that 128 bits are needed for the CEK and the hash has produced | Given that 128 bits are needed for the CEK and the hash has produced | |||
| 256 bits, the CEK value is the first 128 bits of that value: | 256 bits, the CEK value is the first 128 bits of that value: | |||
| [37, 245, 125, 247, 113, 155, 238, 98, 228, 206, 62, 65, 81, 153, 79, | [203, 165, 180, 113, 62, 195, 22, 98, 91, 153, 210, 38, 112, 35, 230, | |||
| 91] | 236] | |||
| A.4.2. CIK Generation | A.4.2. CIK Generation | |||
| These values are concatenated to produce the round 1 hash input: | These values are concatenated to produce the round 1 hash input: | |||
| o the round number 1 as a 32 bit big endian integer ([0, 0, 0, 1]), | o the round number 1 as a 32 bit big endian integer ([0, 0, 0, 1]), | |||
| o the CMK value (as above), | o the CMK value (as above), | |||
| o the output bit size 256 as a 32 bit big endian number ([0, 0, 1, | o the output bit size 256 as a 32 bit big endian number ([0, 0, 1, | |||
| 0]), | 0]), | |||
| o the bytes of the UTF-8 representation of the "enc" value | o the bytes of the UTF-8 representation of the "enc" value | |||
| "A128CBC+HS256" -- [65, 49, 50, 56, 67, 66, 67, 43, 72, 83, 50, | "A128CBC+HS256" -- [65, 49, 50, 56, 67, 66, 67, 43, 72, 83, 50, | |||
| 53, 54], | 53, 54], | |||
| o (no bytes are included for the "epu" (encryption PartyUInfo) and | o the Datalen value of zero for the omitted "epu" (encryption | |||
| "epv" (encryption PartyVInfo) parameters because they are absent, | PartyUInfo) value ([0, 0, 0, 0]), | |||
| but if present, the base64url decoded values of them would have | ||||
| been included here), | o the Datalen value of zero for the omitted "epv" (encryption | |||
| PartyVInfo) value ([0, 0, 0, 0]), | ||||
| o the bytes of the ASCII representation of the label "Integrity" -- | o the bytes of the ASCII representation of the label "Integrity" -- | |||
| [73, 110, 116, 101, 103, 114, 105, 116, 121]. | [73, 110, 116, 101, 103, 114, 105, 116, 121]. | |||
| Thus the round 1 hash input is: | Thus the round 1 hash input is: | |||
| [0, 0, 0, 1, 4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, | [0, 0, 0, 1, 4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, | |||
| 63, 170, 106, 206, 107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, | 63, 170, 106, 206, 107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, | |||
| 240, 143, 156, 44, 207, 0, 0, 1, 0, 65, 49, 50, 56, 67, 66, 67, 43, | 240, 143, 156, 44, 207, 0, 0, 1, 0, 65, 49, 50, 56, 67, 66, 67, 43, | |||
| 72, 83, 50, 53, 54, 73, 110, 116, 101, 103, 114, 105, 116, 121] | 72, 83, 50, 53, 54, 0, 0, 0, 0, 0, 0, 0, 0, 73, 110, 116, 101, 103, | |||
| 114, 105, 116, 121] | ||||
| The SHA-256 hash of this value, which is the round 1 hash output, is: | The SHA-256 hash of this value, which is the round 1 hash output, is: | |||
| [203, 194, 197, 180, 120, 46, 123, 202, 78, 12, 33, 116, 214, 247, | [218, 24, 160, 17, 160, 50, 235, 35, 216, 209, 100, 174, 155, 163, | |||
| 128, 41, 175, 53, 181, 164, 224, 223, 56, 146, 179, 193, 18, 223, | 10, 117, 180, 111, 172, 200, 127, 201, 206, 173, 40, 45, 58, 170, 35, | |||
| 146, 85, 244, 127] | 93, 9, 60] | |||
| Given that 256 bits are needed for the CIK and the hash has produced | Given that 256 bits are needed for the CIK and the hash has produced | |||
| 256 bits, the CIK value is that same value: | 256 bits, the CIK value is that same value: | |||
| [203, 194, 197, 180, 120, 46, 123, 202, 78, 12, 33, 116, 214, 247, | [218, 24, 160, 17, 160, 50, 235, 35, 216, 209, 100, 174, 155, 163, | |||
| 128, 41, 175, 53, 181, 164, 224, 223, 56, 146, 179, 193, 18, 223, | 10, 117, 180, 111, 172, 200, 127, 201, 206, 173, 40, 45, 58, 170, 35, | |||
| 146, 85, 244, 127] | 93, 9, 60] | |||
| A.5. Example Key Derivation for "enc" value "A256CBC+HS512" | A.5. Example Key Derivation for "enc" value "A256CBC+HS512" | |||
| This example uses the Concat KDF to derive the Content Encryption Key | This example uses the Concat KDF to derive the Content Encryption Key | |||
| (CEK) and Content Integrity Key (CIK) from the Content Master Key | (CEK) and Content Integrity Key (CIK) from the Content Master Key | |||
| (CMK) in the manner described in Section 4.8.1 of [JWA]. In this | (CMK) in the manner described in Section 4.8.1 of [JWA]. In this | |||
| example, a 512 bit CMK is used to derive a 256 bit CEK and a 512 bit | example, a 512 bit CMK is used to derive a 256 bit CEK and a 512 bit | |||
| CIK. | CIK. | |||
| The CMK value used is: | The CMK value used is: | |||
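Review bot: the replacement bullets for "epu" and "epv" in A.4.1 and A.4.2 cover only the omitted case, while the removed text also said what is hashed when the parameters are present (their base64url decoded values). State the present case as well, that is, what the Datalen field holds and what follows it, or point to Section 4.8.1 of [JWA], so the length-prefixed input is fully specified for readers of this appendix. It would also help to note beside "Thus the round 1 hash input is" that the eight zero bytes before the label are the two Datalen fields.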
| skipping to change at page 43, line 30 ¶ | skipping to change at page 43, line 36 ¶ | |||
| o the CMK value (as above), | o the CMK value (as above), | |||
| o the output bit size 256 as a 32 bit big endian number ([0, 0, 1, | o the output bit size 256 as a 32 bit big endian number ([0, 0, 1, | |||
| 0]), | 0]), | |||
| o the bytes of the UTF-8 representation of the "enc" value | o the bytes of the UTF-8 representation of the "enc" value | |||
| "A256CBC+HS512" -- [65, 50, 53, 54, 67, 66, 67, 43, 72, 83, 53, | "A256CBC+HS512" -- [65, 50, 53, 54, 67, 66, 67, 43, 72, 83, 53, | |||
| 49, 50], | 49, 50], | |||
| o (no bytes are included for the "epu" (encryption PartyUInfo) and | o the Datalen value of zero for the omitted "epu" (encryption | |||
| "epv" (encryption PartyVInfo) parameters because they are absent, | PartyUInfo) value ([0, 0, 0, 0]), | |||
| but if present, the base64url decoded values of them would have | ||||
| been included here), | o the Datalen value of zero for the omitted "epv" (encryption | |||
| PartyVInfo) value ([0, 0, 0, 0]), | ||||
| o the bytes of the ASCII representation of the label "Encryption" -- | o the bytes of the ASCII representation of the label "Encryption" -- | |||
| [69, 110, 99, 114, 121, 112, 116, 105, 111, 110]. | [69, 110, 99, 114, 121, 112, 116, 105, 111, 110]. | |||
| Thus the round 1 hash input is: | Thus the round 1 hash input is: | |||
| [0, 0, 0, 1, 148, 116, 199, 126, 2, 117, 233, 76, 150, 149, 89, 193, | [0, 0, 0, 1, 148, 116, 199, 126, 2, 117, 233, 76, 150, 149, 89, 193, | |||
| 61, 34, 239, 226, 109, 71, 59, 160, 192, 140, 150, 235, 106, 204, 49, | 61, 34, 239, 226, 109, 71, 59, 160, 192, 140, 150, 235, 106, 204, 49, | |||
| 176, 68, 119, 13, 34, 49, 19, 41, 69, 5, 20, 252, 145, 104, 129, 137, | 176, 68, 119, 13, 34, 49, 19, 41, 69, 5, 20, 252, 145, 104, 129, 137, | |||
| 138, 67, 23, 153, 83, 81, 234, 82, 247, 48, 211, 41, 130, 35, 124, | 138, 67, 23, 153, 83, 81, 234, 82, 247, 48, 211, 41, 130, 35, 124, | |||
| 45, 156, 249, 7, 225, 168, 0, 0, 1, 0, 65, 50, 53, 54, 67, 66, 67, | 45, 156, 249, 7, 225, 168, 0, 0, 1, 0, 65, 50, 53, 54, 67, 66, 67, | |||
| 43, 72, 83, 53, 49, 50, 69, 110, 99, 114, 121, 112, 116, 105, 111, | 43, 72, 83, 53, 49, 50, 0, 0, 0, 0, 0, 0, 0, 0, 69, 110, 99, 114, | |||
| 110] | 121, 112, 116, 105, 111, 110] | |||
| The SHA-512 hash of this value, which is the round 1 hash output, is: | The SHA-512 hash of this value, which is the round 1 hash output, is: | |||
| [95, 112, 19, 252, 0, 97, 200, 188, 108, 84, 27, 116, 192, 169, 42, | [157, 19, 75, 205, 31, 190, 110, 46, 117, 217, 137, 19, 116, 166, | |||
| 165, 25, 246, 115, 235, 226, 198, 148, 211, 94, 143, 240, 226, 89, | 126, 60, 18, 244, 226, 114, 38, 153, 78, 198, 26, 0, 181, 168, 113, | |||
| 226, 79, 13, 178, 80, 124, 251, 55, 114, 30, 115, 179, 64, 107, 213, | 45, 149, 89, 107, 213, 109, 183, 207, 164, 86, 131, 51, 105, 214, 29, | |||
| 222, 225, 12, 169, 245, 116, 231, 83, 227, 233, 20, 164, 249, 148, | 229, 32, 243, 46, 40, 53, 123, 4, 13, 7, 250, 48, 227, 207, 167, 211, | |||
| 62, 92, 43, 5, 1, 97] | 147, 91, 0, 171] | |||
| Given that 256 bits are needed for the CEK and the hash has produced | Given that 256 bits are needed for the CEK and the hash has produced | |||
| 512 bits, the CEK value is the first 256 bits of that value: | 512 bits, the CEK value is the first 256 bits of that value: | |||
| [95, 112, 19, 252, 0, 97, 200, 188, 108, 84, 27, 116, 192, 169, 42, | [157, 19, 75, 205, 31, 190, 110, 46, 117, 217, 137, 19, 116, 166, | |||
| 165, 25, 246, 115, 235, 226, 198, 148, 211, 94, 143, 240, 226, 89, | 126, 60, 18, 244, 226, 114, 38, 153, 78, 198, 26, 0, 181, 168, 113, | |||
| 226, 79, 13] | 45, 149, 89] | |||
| A.5.2. CIK Generation | A.5.2. CIK Generation | |||
| These values are concatenated to produce the round 1 hash input: | These values are concatenated to produce the round 1 hash input: | |||
| o the round number 1 as a 32 bit big endian integer ([0, 0, 0, 1]), | o the round number 1 as a 32 bit big endian integer ([0, 0, 0, 1]), | |||
| o the CMK value (as above), | o the CMK value (as above), | |||
| o the output bit size 512 as a 32 bit big endian number ([0, 0, 2, | o the output bit size 512 as a 32 bit big endian number ([0, 0, 2, | |||
| 0]), | 0]), | |||
| o the bytes of the UTF-8 representation of the "enc" value | o the bytes of the UTF-8 representation of the "enc" value | |||
| "A256CBC+HS512" -- [65, 50, 53, 54, 67, 66, 67, 43, 72, 83, 53, | "A256CBC+HS512" -- [65, 50, 53, 54, 67, 66, 67, 43, 72, 83, 53, | |||
| 49, 50], | 49, 50], | |||
| o (no bytes are included for the "epu" (encryption PartyUInfo) and | o the Datalen value of zero for the omitted "epu" (encryption | |||
| "epv" (encryption PartyVInfo) parameters because they are absent, | PartyUInfo) value ([0, 0, 0, 0]), | |||
| but if present, the base64url decoded values of them would have | ||||
| been included here), | o the Datalen value of zero for the omitted "epv" (encryption | |||
| PartyVInfo) value ([0, 0, 0, 0]), | ||||
| o the bytes of the ASCII representation of the label "Integrity" -- | o the bytes of the ASCII representation of the label "Integrity" -- | |||
| [73, 110, 116, 101, 103, 114, 105, 116, 121]. | [73, 110, 116, 101, 103, 114, 105, 116, 121]. | |||
| Thus the round 1 hash input is: | Thus the round 1 hash input is: | |||
| [0, 0, 0, 1, 148, 116, 199, 126, 2, 117, 233, 76, 150, 149, 89, 193, | [0, 0, 0, 1, 148, 116, 199, 126, 2, 117, 233, 76, 150, 149, 89, 193, | |||
| 61, 34, 239, 226, 109, 71, 59, 160, 192, 140, 150, 235, 106, 204, 49, | 61, 34, 239, 226, 109, 71, 59, 160, 192, 140, 150, 235, 106, 204, 49, | |||
| 176, 68, 119, 13, 34, 49, 19, 41, 69, 5, 20, 252, 145, 104, 129, 137, | 176, 68, 119, 13, 34, 49, 19, 41, 69, 5, 20, 252, 145, 104, 129, 137, | |||
| 138, 67, 23, 153, 83, 81, 234, 82, 247, 48, 211, 41, 130, 35, 124, | 138, 67, 23, 153, 83, 81, 234, 82, 247, 48, 211, 41, 130, 35, 124, | |||
| 45, 156, 249, 7, 225, 168, 0, 0, 2, 0, 65, 50, 53, 54, 67, 66, 67, | 45, 156, 249, 7, 225, 168, 0, 0, 2, 0, 65, 50, 53, 54, 67, 66, 67, | |||
| 43, 72, 83, 53, 49, 50, 73, 110, 116, 101, 103, 114, 105, 116, 121] | 43, 72, 83, 53, 49, 50, 0, 0, 0, 0, 0, 0, 0, 0, 73, 110, 116, 101, | |||
| 103, 114, 105, 116, 121] | ||||
| The SHA-512 hash of this value, which is the round 1 hash output, is: | The SHA-512 hash of this value, which is the round 1 hash output, is: | |||
| [203, 188, 104, 71, 177, 60, 21, 10, 255, 157, 56, 214, 254, 87, 32, | [81, 249, 131, 194, 25, 166, 147, 155, 47, 249, 146, 160, 200, 236, | |||
| 115, 194, 36, 117, 162, 226, 93, 50, 220, 191, 219, 41, 56, 80, 197, | 115, 72, 103, 248, 228, 30, 130, 225, 164, 61, 105, 172, 198, 31, | |||
| 18, 173, 250, 145, 215, 178, 235, 51, 251, 122, 212, 193, 48, 227, | 137, 170, 215, 141, 27, 247, 73, 236, 125, 113, 151, 33, 0, 251, 72, | |||
| 126, 89, 253, 101, 143, 252, 124, 157, 147, 200, 175, 164, 253, 92, | 53, 72, 63, 146, 117, 247, 13, 49, 20, 210, 169, 232, 156, 118, 1, | |||
| 204, 122, 218, 77, 105, 146] | 16, 45, 29, 21, 15, 208] | |||
| Given that 512 bits are needed for the CIK and the hash has produced | Given that 512 bits are needed for the CIK and the hash has produced | |||
| 512 bits, the CIK value is that same value: | 512 bits, the CIK value is that same value: | |||
| [203, 188, 104, 71, 177, 60, 21, 10, 255, 157, 56, 214, 254, 87, 32, | [81, 249, 131, 194, 25, 166, 147, 155, 47, 249, 146, 160, 200, 236, | |||
| 115, 194, 36, 117, 162, 226, 93, 50, 220, 191, 219, 41, 56, 80, 197, | 115, 72, 103, 248, 228, 30, 130, 225, 164, 61, 105, 172, 198, 31, | |||
| 18, 173, 250, 145, 215, 178, 235, 51, 251, 122, 212, 193, 48, 227, | 137, 170, 215, 141, 27, 247, 73, 236, 125, 113, 151, 33, 0, 251, 72, | |||
| 126, 89, 253, 101, 143, 252, 124, 157, 147, 200, 175, 164, 253, 92, | 53, 72, 63, 146, 117, 247, 13, 49, 20, 210, 169, 232, 156, 118, 1, | |||
| 204, 122, 218, 77, 105, 146] | 16, 45, 29, 21, 15, 208] | |||
| Appendix B. Acknowledgements | Appendix B. Acknowledgements | |||
| Solutions for encrypting JSON content were also explored by JSON | Solutions for encrypting JSON content were also explored by JSON | |||
| Simple Encryption [JSE] and JavaScript Message Security Format | Simple Encryption [JSE] and JavaScript Message Security Format | |||
| [I-D.rescorla-jsms], both of which significantly influenced this | [I-D.rescorla-jsms], both of which significantly influenced this | |||
| draft. This draft attempts to explicitly reuse as many of the | draft. This draft attempts to explicitly reuse as many of the | |||
| relevant concepts from XML Encryption 1.1 | relevant concepts from XML Encryption 1.1 | |||
| [W3C.CR-xmlenc-core1-20120313] and RFC 5652 [RFC5652] as possible, | [W3C.CR-xmlenc-core1-20120313] and RFC 5652 [RFC5652] as possible, | |||
| while utilizing simple compact JSON-based data structures. | while utilizing simple compact JSON-based data structures. | |||
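Review bot: The new "epu" and "epv" bullets in A.5.1 and A.5.2 give the Datalen value only as [0, 0, 0, 0] and never state its width or byte order, while the round number and output bit size bullets in the same lists both say "32 bit big endian". Suggest wording such as "the Datalen value of zero as a 32 bit big endian number ([0, 0, 0, 0])" so an implementer can reproduce the hash input from the text alone. The -06 bullet also said what is hashed when the parameters are present (their base64url decoded values); the -07 bullets cover only the omitted case, so a short clause for the present case, stating that the length prefix precedes the decoded bytes, would keep that guidance. The eight added zero bytes do appear between the "enc" bytes and the label in both round 1 hash inputs, which matches the bullet order.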
| skipping to change at page 45, line 41 ¶ | skipping to change at page 46, line 4 ¶ | |||
| Thanks to Axel Nennker, Emmanuel Raviart, Brian Campbell, and Edmund | Thanks to Axel Nennker, Emmanuel Raviart, Brian Campbell, and Edmund | |||
| Jay for validating the examples in this specification. | Jay for validating the examples in this specification. | |||
| Jim Schaad and Karen O'Donoghue chaired the JOSE working group and | Jim Schaad and Karen O'Donoghue chaired the JOSE working group and | |||
| Sean Turner and Stephen Farrell served as Security area directors | Sean Turner and Stephen Farrell served as Security area directors | |||
| during the creation of this specification. | during the creation of this specification. | |||
| Appendix C. Open Issues | Appendix C. Open Issues | |||
| [[ to be removed by the RFC editor before publication as an RFC ]] | [[ to be removed by the RFC editor before publication as an RFC ]] | |||
| The following items remain to be considered or done in this draft: | The following items remain to be considered or done in this draft: | |||
| o Should we define optional nonce, timestamp, and/or uninterpreted | o Should we define optional nonce, timestamp, and/or uninterpreted | |||
| string header parameter(s)? | string header parameter(s)? | |||
| Appendix D. Document History | Appendix D. Document History | |||
| [[ to be removed by the RFC editor before publication as an RFC ]] | [[ to be removed by the RFC editor before publication as an RFC ]] | |||
| -07 | ||||
| o Added a data length prefix to PartyUInfo and PartyVInfo values. | ||||
| o Updated values for example AES CBC calculations. | ||||
| o Made several local editorial changes to clean up loose ends left | ||||
| over from to the decision to only support block encryption methods | ||||
| providing integrity. One of these changes was to explicitly state | ||||
| that the "enc" (encryption method) algorithm must be an AEAD | ||||
| algorithm with a specified key length. | ||||
| -06 | -06 | |||
| o Removed the "int" and "kdf" parameters and defined the new | o Removed the "int" and "kdf" parameters and defined the new | |||
| composite AEAD algorithms "A128CBC+HS256" and "A256CBC+HS512" to | composite AEAD algorithms "A128CBC+HS256" and "A256CBC+HS512" to | |||
| replace the former uses of AES CBC, which required the use of | replace the former uses of AES CBC, which required the use of | |||
| separate integrity and key derivation functions. | separate integrity and key derivation functions. | |||
| o Included additional values in the Concat KDF calculation -- the | o Included additional values in the Concat KDF calculation -- the | |||
| desired output size and the algorithm value, and optionally | desired output size and the algorithm value, and optionally | |||
| PartyUInfo and PartyVInfo values. Added the optional header | PartyUInfo and PartyVInfo values. Added the optional header | |||
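Review bot: The -07 entry "Added a data length prefix to PartyUInfo and PartyVInfo values" does not say that this changes the derived CEK and CIK even when "epu" and "epv" are omitted, which is what the updated A.5.1 and A.5.2 outputs show. Suggest stating in that bullet that keys derived under -06 will not match those derived under -07, so implementers know the two versions do not interoperate for the CBC+HMAC algorithms. Separately, the third bullet reads "left over from to the decision"; drop the stray "to".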
| End of changes. 62 change blocks. | ||||
| 180 lines changed or deleted | 220 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||