| < draft-ietf-jose-json-web-encryption-14.txt | draft-ietf-jose-json-web-encryption-15.txt > | |||
|---|---|---|---|---|
| JOSE Working Group M. Jones | JOSE Working Group M. Jones | |||
| Internet-Draft Microsoft | Internet-Draft Microsoft | |||
| Intended status: Standards Track E. Rescorla | Intended status: Standards Track E. Rescorla | |||
| Expires: January 30, 2014 RTFM | Expires: March 7, 2014 RTFM | |||
| J. Hildebrand | J. Hildebrand | |||
| Cisco | Cisco | |||
| July 29, 2013 | September 3, 2013 | |||
| JSON Web Encryption (JWE) | JSON Web Encryption (JWE) | |||
| draft-ietf-jose-json-web-encryption-14 | draft-ietf-jose-json-web-encryption-15 | |||
| Abstract | Abstract | |||
| JSON Web Encryption (JWE) is a means of representing encrypted | JSON Web Encryption (JWE) represents encrypted content using | |||
| content using JavaScript Object Notation (JSON) based data | JavaScript Object Notation (JSON) based data structures. | |||
| structures. Cryptographic algorithms and identifiers for use with | Cryptographic algorithms and identifiers for use with this | |||
| this specification are described in the separate JSON Web Algorithms | specification are described in the separate JSON Web Algorithms (JWA) | |||
| (JWA) specification. Related digital signature and MAC capabilities | specification and IANA registries defined by that specification. | |||
| are described in the separate JSON Web Signature (JWS) specification. | Related digital signature and MAC capabilities are described in the | |||
| separate JSON Web Signature (JWS) specification. | ||||
| Status of this Memo | Status of this Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on January 30, 2014. | This Internet-Draft will expire on March 7, 2014. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2013 IETF Trust and the persons identified as the | Copyright (c) 2013 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 19 ¶ | skipping to change at page 2, line 20 ¶ | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 5 | 1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 5 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3. JSON Web Encryption (JWE) Overview . . . . . . . . . . . . . . 8 | 3. JSON Web Encryption (JWE) Overview . . . . . . . . . . . . . . 8 | |||
| 3.1. Example JWE . . . . . . . . . . . . . . . . . . . . . . . 9 | 3.1. Example JWE . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 4. JWE Header . . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 4. JWE Header . . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 4.1. Reserved Header Parameter Names . . . . . . . . . . . . . 11 | 4.1. Reserved Header Parameter Names . . . . . . . . . . . . . 11 | |||
| 4.1.1. "alg" (Algorithm) Header Parameter . . . . . . . . . . 11 | 4.1.1. "alg" (Algorithm) Header Parameter . . . . . . . . . . 11 | |||
| 4.1.2. "enc" (Encryption Method) Header Parameter . . . . . . 12 | 4.1.2. "enc" (Encryption Method) Header Parameter . . . . . . 11 | |||
| 4.1.3. "zip" (Compression Algorithm) Header Parameter . . . . 12 | 4.1.3. "zip" (Compression Algorithm) Header Parameter . . . . 12 | |||
| 4.1.4. "jku" (JWK Set URL) Header Parameter . . . . . . . . . 12 | 4.1.4. "jku" (JWK Set URL) Header Parameter . . . . . . . . . 12 | |||
| 4.1.5. "jwk" (JSON Web Key) Header Parameter . . . . . . . . 12 | 4.1.5. "jwk" (JSON Web Key) Header Parameter . . . . . . . . 12 | |||
| 4.1.6. "x5u" (X.509 URL) Header Parameter . . . . . . . . . . 13 | 4.1.6. "x5u" (X.509 URL) Header Parameter . . . . . . . . . . 12 | |||
| 4.1.7. "x5t" (X.509 Certificate Thumbprint) Header | 4.1.7. "x5t" (X.509 Certificate Thumbprint) Header | |||
| Parameter . . . . . . . . . . . . . . . . . . . . . . 13 | Parameter . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 4.1.8. "x5c" (X.509 Certificate Chain) Header Parameter . . . 13 | 4.1.8. "x5c" (X.509 Certificate Chain) Header Parameter . . . 13 | |||
| 4.1.9. "kid" (Key ID) Header Parameter . . . . . . . . . . . 14 | 4.1.9. "kid" (Key ID) Header Parameter . . . . . . . . . . . 14 | |||
| 4.1.10. "typ" (Type) Header Parameter . . . . . . . . . . . . 14 | 4.1.10. "typ" (Type) Header Parameter . . . . . . . . . . . . 14 | |||
| 4.1.11. "cty" (Content Type) Header Parameter . . . . . . . . 14 | 4.1.11. "cty" (Content Type) Header Parameter . . . . . . . . 14 | |||
| 4.1.12. "crit" (Critical) Header Parameter . . . . . . . . . . 15 | 4.1.12. "crit" (Critical) Header Parameter . . . . . . . . . . 15 | |||
| 4.2. Public Header Parameter Names . . . . . . . . . . . . . . 15 | 4.2. Public Header Parameter Names . . . . . . . . . . . . . . 15 | |||
| 4.3. Private Header Parameter Names . . . . . . . . . . . . . . 16 | 4.3. Private Header Parameter Names . . . . . . . . . . . . . . 15 | |||
| 5. Producing and Consuming JWEs . . . . . . . . . . . . . . . . . 16 | 5. Producing and Consuming JWEs . . . . . . . . . . . . . . . . . 16 | |||
| 5.1. Message Encryption . . . . . . . . . . . . . . . . . . . . 16 | 5.1. Message Encryption . . . . . . . . . . . . . . . . . . . . 16 | |||
| 5.2. Message Decryption . . . . . . . . . . . . . . . . . . . . 18 | 5.2. Message Decryption . . . . . . . . . . . . . . . . . . . . 18 | |||
| 5.3. String Comparison Rules . . . . . . . . . . . . . . . . . 20 | 5.3. String Comparison Rules . . . . . . . . . . . . . . . . . 20 | |||
| 6. Key Identification . . . . . . . . . . . . . . . . . . . . . . 20 | 6. Key Identification . . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 7. Serializations . . . . . . . . . . . . . . . . . . . . . . . . 20 | 7. Serializations . . . . . . . . . . . . . . . . . . . . . . . . 21 | |||
| 7.1. JWE Compact Serialization . . . . . . . . . . . . . . . . 21 | 7.1. JWE Compact Serialization . . . . . . . . . . . . . . . . 21 | |||
| 7.2. JWE JSON Serialization . . . . . . . . . . . . . . . . . . 21 | 7.2. JWE JSON Serialization . . . . . . . . . . . . . . . . . . 21 | |||
| 8. Distinguishing Between JWS and JWE Objects . . . . . . . . . . 24 | 8. Distinguishing Between JWS and JWE Objects . . . . . . . . . . 24 | |||
| 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24 | 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25 | |||
| 9.1. Registration of JWE Header Parameter Names . . . . . . . . 24 | 9.1. Registration of JWE Header Parameter Names . . . . . . . . 25 | |||
| 9.1.1. Registry Contents . . . . . . . . . . . . . . . . . . 25 | 9.1.1. Registry Contents . . . . . . . . . . . . . . . . . . 25 | |||
| 10. Security Considerations . . . . . . . . . . . . . . . . . . . 26 | 10. Security Considerations . . . . . . . . . . . . . . . . . . . 26 | |||
| 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 26 | 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 27 | |||
| 11.1. Normative References . . . . . . . . . . . . . . . . . . . 26 | 11.1. Normative References . . . . . . . . . . . . . . . . . . . 27 | |||
| 11.2. Informative References . . . . . . . . . . . . . . . . . . 28 | 11.2. Informative References . . . . . . . . . . . . . . . . . . 28 | |||
| Appendix A. JWE Examples . . . . . . . . . . . . . . . . . . . . 29 | Appendix A. JWE Examples . . . . . . . . . . . . . . . . . . . . 29 | |||
| A.1. Example JWE using RSAES OAEP and AES GCM . . . . . . . . . 29 | A.1. Example JWE using RSAES OAEP and AES GCM . . . . . . . . . 29 | |||
| A.1.1. JWE Header . . . . . . . . . . . . . . . . . . . . . . 29 | A.1.1. JWE Header . . . . . . . . . . . . . . . . . . . . . . 29 | |||
| A.1.2. Encoded JWE Header . . . . . . . . . . . . . . . . . . 29 | A.1.2. Encoded JWE Header . . . . . . . . . . . . . . . . . . 29 | |||
| A.1.3. Content Encryption Key (CEK) . . . . . . . . . . . . . 29 | A.1.3. Content Encryption Key (CEK) . . . . . . . . . . . . . 30 | |||
| A.1.4. Key Encryption . . . . . . . . . . . . . . . . . . . . 30 | A.1.4. Key Encryption . . . . . . . . . . . . . . . . . . . . 30 | |||
| A.1.5. Encoded JWE Encrypted Key . . . . . . . . . . . . . . 30 | A.1.5. Encoded JWE Encrypted Key . . . . . . . . . . . . . . 31 | |||
| A.1.6. Initialization Vector . . . . . . . . . . . . . . . . 31 | A.1.6. Initialization Vector . . . . . . . . . . . . . . . . 31 | |||
| A.1.7. Additional Authenticated Data . . . . . . . . . . . . 31 | A.1.7. Additional Authenticated Data . . . . . . . . . . . . 31 | |||
| A.1.8. Plaintext Encryption . . . . . . . . . . . . . . . . . 31 | A.1.8. Plaintext Encryption . . . . . . . . . . . . . . . . . 31 | |||
| A.1.9. Encoded JWE Ciphertext . . . . . . . . . . . . . . . . 32 | A.1.9. Encoded JWE Ciphertext . . . . . . . . . . . . . . . . 32 | |||
| A.1.10. Encoded JWE Authentication Tag . . . . . . . . . . . . 32 | A.1.10. Encoded JWE Authentication Tag . . . . . . . . . . . . 32 | |||
| A.1.11. Complete Representation . . . . . . . . . . . . . . . 32 | A.1.11. Complete Representation . . . . . . . . . . . . . . . 32 | |||
| A.1.12. Validation . . . . . . . . . . . . . . . . . . . . . . 32 | A.1.12. Validation . . . . . . . . . . . . . . . . . . . . . . 33 | |||
| A.2. Example JWE using RSAES-PKCS1-V1_5 and | A.2. Example JWE using RSAES-PKCS1-V1_5 and | |||
| AES_128_CBC_HMAC_SHA_256 . . . . . . . . . . . . . . . . . 33 | AES_128_CBC_HMAC_SHA_256 . . . . . . . . . . . . . . . . . 33 | |||
| A.2.1. JWE Header . . . . . . . . . . . . . . . . . . . . . . 33 | A.2.1. JWE Header . . . . . . . . . . . . . . . . . . . . . . 33 | |||
| A.2.2. Encoded JWE Header . . . . . . . . . . . . . . . . . . 33 | A.2.2. Encoded JWE Header . . . . . . . . . . . . . . . . . . 33 | |||
| A.2.3. Content Encryption Key (CEK) . . . . . . . . . . . . . 33 | A.2.3. Content Encryption Key (CEK) . . . . . . . . . . . . . 33 | |||
| A.2.4. Key Encryption . . . . . . . . . . . . . . . . . . . . 33 | A.2.4. Key Encryption . . . . . . . . . . . . . . . . . . . . 34 | |||
| A.2.5. Encoded JWE Encrypted Key . . . . . . . . . . . . . . 34 | A.2.5. Encoded JWE Encrypted Key . . . . . . . . . . . . . . 35 | |||
| A.2.6. Initialization Vector . . . . . . . . . . . . . . . . 35 | A.2.6. Initialization Vector . . . . . . . . . . . . . . . . 35 | |||
| A.2.7. Additional Authenticated Data . . . . . . . . . . . . 35 | A.2.7. Additional Authenticated Data . . . . . . . . . . . . 35 | |||
| A.2.8. Plaintext Encryption . . . . . . . . . . . . . . . . . 35 | A.2.8. Plaintext Encryption . . . . . . . . . . . . . . . . . 35 | |||
| A.2.9. Encoded JWE Ciphertext . . . . . . . . . . . . . . . . 35 | A.2.9. Encoded JWE Ciphertext . . . . . . . . . . . . . . . . 36 | |||
| A.2.10. Encoded JWE Authentication Tag . . . . . . . . . . . . 36 | A.2.10. Encoded JWE Authentication Tag . . . . . . . . . . . . 36 | |||
| A.2.11. Complete Representation . . . . . . . . . . . . . . . 36 | A.2.11. Complete Representation . . . . . . . . . . . . . . . 36 | |||
| A.2.12. Validation . . . . . . . . . . . . . . . . . . . . . . 36 | A.2.12. Validation . . . . . . . . . . . . . . . . . . . . . . 36 | |||
| A.3. Example JWE using AES Key Wrap and | A.3. Example JWE using AES Key Wrap and | |||
| AES_128_CBC_HMAC_SHA_256 . . . . . . . . . . . . . . . . . 36 | AES_128_CBC_HMAC_SHA_256 . . . . . . . . . . . . . . . . . 37 | |||
| A.3.1. JWE Header . . . . . . . . . . . . . . . . . . . . . . 37 | A.3.1. JWE Header . . . . . . . . . . . . . . . . . . . . . . 37 | |||
| A.3.2. Encoded JWE Header . . . . . . . . . . . . . . . . . . 37 | A.3.2. Encoded JWE Header . . . . . . . . . . . . . . . . . . 37 | |||
| A.3.3. Content Encryption Key (CEK) . . . . . . . . . . . . . 37 | A.3.3. Content Encryption Key (CEK) . . . . . . . . . . . . . 37 | |||
| A.3.4. Key Encryption . . . . . . . . . . . . . . . . . . . . 37 | A.3.4. Key Encryption . . . . . . . . . . . . . . . . . . . . 37 | |||
| A.3.5. Encoded JWE Encrypted Key . . . . . . . . . . . . . . 38 | A.3.5. Encoded JWE Encrypted Key . . . . . . . . . . . . . . 38 | |||
| A.3.6. Initialization Vector . . . . . . . . . . . . . . . . 38 | A.3.6. Initialization Vector . . . . . . . . . . . . . . . . 38 | |||
| A.3.7. Additional Authenticated Data . . . . . . . . . . . . 38 | A.3.7. Additional Authenticated Data . . . . . . . . . . . . 38 | |||
| A.3.8. Plaintext Encryption . . . . . . . . . . . . . . . . . 38 | A.3.8. Plaintext Encryption . . . . . . . . . . . . . . . . . 38 | |||
| A.3.9. Encoded JWE Ciphertext . . . . . . . . . . . . . . . . 39 | A.3.9. Encoded JWE Ciphertext . . . . . . . . . . . . . . . . 39 | |||
| A.3.10. Encoded JWE Authentication Tag . . . . . . . . . . . . 39 | A.3.10. Encoded JWE Authentication Tag . . . . . . . . . . . . 39 | |||
| A.3.11. Complete Representation . . . . . . . . . . . . . . . 39 | A.3.11. Complete Representation . . . . . . . . . . . . . . . 39 | |||
| A.3.12. Validation . . . . . . . . . . . . . . . . . . . . . . 39 | A.3.12. Validation . . . . . . . . . . . . . . . . . . . . . . 40 | |||
| A.4. Example JWE Using JWE JSON Serialization . . . . . . . . . 39 | A.4. Example JWE Using JWE JSON Serialization . . . . . . . . . 40 | |||
| A.4.1. JWE Per-Recipient Unprotected Headers . . . . . . . . 40 | A.4.1. JWE Per-Recipient Unprotected Headers . . . . . . . . 40 | |||
| A.4.2. JWE Protected Header . . . . . . . . . . . . . . . . . 40 | A.4.2. JWE Protected Header . . . . . . . . . . . . . . . . . 40 | |||
| A.4.3. JWE Unprotected Header . . . . . . . . . . . . . . . . 40 | A.4.3. JWE Unprotected Header . . . . . . . . . . . . . . . . 41 | |||
| A.4.4. Complete JWE Header Values . . . . . . . . . . . . . . 41 | A.4.4. Complete JWE Header Values . . . . . . . . . . . . . . 41 | |||
| A.4.5. Additional Authenticated Data . . . . . . . . . . . . 41 | A.4.5. Additional Authenticated Data . . . . . . . . . . . . 41 | |||
| A.4.6. Plaintext Encryption . . . . . . . . . . . . . . . . . 41 | A.4.6. Plaintext Encryption . . . . . . . . . . . . . . . . . 41 | |||
| A.4.7. Encoded JWE Ciphertext . . . . . . . . . . . . . . . . 41 | A.4.7. Encoded JWE Ciphertext . . . . . . . . . . . . . . . . 42 | |||
| A.4.8. Encoded JWE Authentication Tag . . . . . . . . . . . . 42 | A.4.8. Encoded JWE Authentication Tag . . . . . . . . . . . . 42 | |||
| A.4.9. Complete JWE JSON Serialization Representation . . . . 42 | A.4.9. Complete JWE JSON Serialization Representation . . . . 42 | |||
| Appendix B. Example AES_128_CBC_HMAC_SHA_256 Computation . . . . 42 | Appendix B. Example AES_128_CBC_HMAC_SHA_256 Computation . . . . 43 | |||
| B.1. Extract MAC_KEY and ENC_KEY from Key . . . . . . . . . . . 43 | B.1. Extract MAC_KEY and ENC_KEY from Key . . . . . . . . . . . 43 | |||
| B.2. Encrypt Plaintext to Create Ciphertext . . . . . . . . . . 43 | B.2. Encrypt Plaintext to Create Ciphertext . . . . . . . . . . 44 | |||
| B.3. 64 Bit Big Endian Representation of AAD Length . . . . . . 43 | B.3. 64 Bit Big Endian Representation of AAD Length . . . . . . 44 | |||
| B.4. Initialization Vector Value . . . . . . . . . . . . . . . 44 | B.4. Initialization Vector Value . . . . . . . . . . . . . . . 44 | |||
| B.5. Create Input to HMAC Computation . . . . . . . . . . . . . 44 | B.5. Create Input to HMAC Computation . . . . . . . . . . . . . 45 | |||
| B.6. Compute HMAC Value . . . . . . . . . . . . . . . . . . . . 44 | B.6. Compute HMAC Value . . . . . . . . . . . . . . . . . . . . 45 | |||
| B.7. Truncate HMAC Value to Create Authentication Tag . . . . . 44 | B.7. Truncate HMAC Value to Create Authentication Tag . . . . . 45 | |||
| Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 45 | Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 45 | |||
| Appendix D. Document History . . . . . . . . . . . . . . . . . . 45 | Appendix D. Document History . . . . . . . . . . . . . . . . . . 46 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 52 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 53 | |||
| 1. Introduction | 1. Introduction | |||
| JSON Web Encryption (JWE) is a means of representing encrypted | JSON Web Encryption (JWE) represents encrypted content using | |||
| content using JavaScript Object Notation (JSON) [RFC4627] based data | JavaScript Object Notation (JSON) [RFC4627] based data structures. | |||
| structures. The JWE cryptographic mechanisms encrypt and provide | The JWE cryptographic mechanisms encrypt and provide integrity | |||
| integrity protection for arbitrary sequences of octets. | protection for an arbitrary sequence of octets. | |||
| Two closely related representations for JWE objects are defined. The | Two closely related serializations for JWE objects are defined. The | |||
| JWE Compact Serialization is a compact, URL-safe representation | JWE Compact Serialization is a compact, URL-safe representation | |||
| intended for space constrained environments such as HTTP | intended for space constrained environments such as HTTP | |||
| Authorization headers and URI query parameters. The JWE JSON | Authorization headers and URI query parameters. The JWE JSON | |||
| Serialization represents JWE objects as JSON objects and enables the | Serialization represents JWE objects as JSON objects and enables the | |||
| same content to be encrypted to multiple parties. Both share the | same content to be encrypted to multiple parties. Both share the | |||
| same cryptographic underpinnings. | same cryptographic underpinnings. | |||
| Cryptographic algorithms and identifiers for use with this | Cryptographic algorithms and identifiers for use with this | |||
| specification are described in the separate JSON Web Algorithms (JWA) | specification are described in the separate JSON Web Algorithms (JWA) | |||
| [JWA] specification. Related digital signature and MAC capabilities | [JWA] specification and IANA registries defined by that | |||
| are described in the separate JSON Web Signature (JWS) [JWS] | specification. Related digital signature and MAC capabilities are | |||
| described in the separate JSON Web Signature (JWS) [JWS] | ||||
| specification. | specification. | |||
| Names defined by this specification are short because a core goal is | ||||
| for the resulting representations to be compact. | ||||
| 1.1. Notational Conventions | 1.1. Notational Conventions | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in Key words for use in | document are to be interpreted as described in Key words for use in | |||
| RFCs to Indicate Requirement Levels [RFC2119]. | RFCs to Indicate Requirement Levels [RFC2119]. | |||
| 2. Terminology | 2. Terminology | |||
| JSON Web Encryption (JWE) A data structure representing an encrypted | JSON Web Encryption (JWE) A data structure representing an encrypted | |||
| skipping to change at page 7, line 11 ¶ | skipping to change at page 7, line 11 ¶ | |||
| the JWE Header that is integrity protected. For the JWE Compact | the JWE Header that is integrity protected. For the JWE Compact | |||
| Serialization, this comprises the entire JWE Header. For the JWE | Serialization, this comprises the entire JWE Header. For the JWE | |||
| JSON Serialization, this is one component of the JWE Header. | JSON Serialization, this is one component of the JWE Header. | |||
| Header Parameter A name/value pair that is member of the JWE Header. | Header Parameter A name/value pair that is member of the JWE Header. | |||
| Header Parameter Name The name of a member of the JWE Header. | Header Parameter Name The name of a member of the JWE Header. | |||
| Header Parameter Value The value of a member of the JWE Header. | Header Parameter Value The value of a member of the JWE Header. | |||
| Base64url Encoding The URL- and filename-safe Base64 encoding | Base64url Encoding Base64 encoding using the URL- and filename-safe | |||
| described in RFC 4648 [RFC4648], Section 5, with the (non URL- | character set defined in Section 5 of RFC 4648 [RFC4648], with all | |||
| safe) '=' padding characters omitted, as permitted by Section 3.2. | trailing '=' characters omitted (as permitted by Section 3.2). | |||
| (See Appendix C of [JWS] for notes on implementing base64url | (See Appendix C of [JWS] for notes on implementing base64url | |||
| encoding without padding.) | encoding without padding.) | |||
| Encoded JWE Header Base64url encoding of the JWE Protected Header. | Encoded JWE Header Base64url encoding of the JWE Protected Header. | |||
| Encoded JWE Encrypted Key Base64url encoding of the JWE Encrypted | Encoded JWE Encrypted Key Base64url encoding of the JWE Encrypted | |||
| Key. | Key. | |||
| Encoded JWE Initialization Vector Base64url encoding of the JWE | Encoded JWE Initialization Vector Base64url encoding of the JWE | |||
| Initialization Vector. | Initialization Vector. | |||
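
Review bot: The reworded Base64url Encoding definition states that all trailing '=' characters are omitted, but it only describes what a producer emits. It does not say what a consumer does with a value that still carries padding. Suggest adding one sentence to the definition saying whether padded input is rejected or accepted, so that implementations cannot disagree about the same Encoded JWE Header, which is the encoding of the integrity-protected JWE Protected Header.
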
| skipping to change at page 7, line 47 ¶ | skipping to change at page 7, line 47 ¶ | |||
| JWE JSON Serialization A representation of the JWE as a JSON | JWE JSON Serialization A representation of the JWE as a JSON | |||
| structure containing JWE Header, Encoded JWE Encrypted Key, | structure containing JWE Header, Encoded JWE Encrypted Key, | |||
| Encoded JWE Initialization Vector, Encoded JWE Ciphertext, and | Encoded JWE Initialization Vector, Encoded JWE Ciphertext, and | |||
| Encoded JWE Authentication Tag values. Unlike the JWE Compact | Encoded JWE Authentication Tag values. Unlike the JWE Compact | |||
| Serialization, the JWE JSON Serialization enables the same content | Serialization, the JWE JSON Serialization enables the same content | |||
| to be encrypted to multiple parties. This representation is | to be encrypted to multiple parties. This representation is | |||
| neither compact nor URL-safe. | neither compact nor URL-safe. | |||
| Collision Resistant Namespace A namespace that allows names to be | Collision Resistant Namespace A namespace that allows names to be | |||
| allocated in a manner such that they are highly unlikely to | allocated in a manner such that they are highly unlikely to | |||
| collide with other names. For instance, collision resistance can | collide with other names. Examples of Collision Resistant | |||
| be achieved through administrative delegation of portions of the | Namespaces include: Domain Names, Object Identifiers (OIDs) as | |||
| namespace or through use of collision-resistant name allocation | defined in the ITU-T X.660 and X.670 Recommendation series, and | |||
| functions. Examples of Collision Resistant Namespaces include: | Universally Unique IDentifiers (UUIDs) [RFC4122]. When using an | |||
| Domain Names, Object Identifiers (OIDs) as defined in the ITU-T | administratively delegated namespace, the definer of a name needs | |||
| X.660 and X.670 Recommendation series, and Universally Unique | to take reasonable precautions to ensure they are in control of | |||
| IDentifiers (UUIDs) [RFC4122]. When using an administratively | the portion of the namespace they use to define the name. | |||
| delegated namespace, the definer of a name needs to take | ||||
| reasonable precautions to ensure they are in control of the | ||||
| portion of the namespace they use to define the name. | ||||
| StringOrURI A JSON string value, with the additional requirement | StringOrURI A JSON string value, with the additional requirement | |||
| that while arbitrary string values MAY be used, any value | that while arbitrary string values MAY be used, any value | |||
| containing a ":" character MUST be a URI [RFC3986]. StringOrURI | containing a ":" character MUST be a URI [RFC3986]. StringOrURI | |||
| values are compared as case-sensitive strings with no | values are compared as case-sensitive strings with no | |||
| transformations or canonicalizations applied. | transformations or canonicalizations applied. | |||
| Key Management Mode A method of determining the Content Encryption | Key Management Mode A method of determining the Content Encryption | |||
| Key (CEK) value to use. Each algorithm used for determining the | Key (CEK) value to use. Each algorithm used for determining the | |||
| CEK value uses a specific Key Management Mode. Key Management | CEK value uses a specific Key Management Mode. Key Management | |||
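
Review bot: In the Collision Resistant Namespace definition, the -15 text drops the sentence that introduced administrative delegation and collision-resistant name allocation functions, yet the closing sentence still begins "When using an administratively delegated namespace". The term now appears without introduction, and the reader is not told which of the listed examples (Domain Names, OIDs, UUIDs) the precaution applies to. Suggest either keeping a short clause that introduces administrative delegation or naming the delegated examples directly in the precaution sentence.
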
| skipping to change at page 11, line 19 ¶ | skipping to change at page 11, line 16 ¶ | |||
| Section 4.1.12, all header parameters not defined by this | Section 4.1.12, all header parameters not defined by this | |||
| specification MUST be ignored when not understood. | specification MUST be ignored when not understood. | |||
| There are three classes of Header Parameter Names: Reserved Header | There are three classes of Header Parameter Names: Reserved Header | |||
| Parameter Names, Public Header Parameter Names, and Private Header | Parameter Names, Public Header Parameter Names, and Private Header | |||
| Parameter Names. | Parameter Names. | |||
| 4.1. Reserved Header Parameter Names | 4.1. Reserved Header Parameter Names | |||
| The following Header Parameter Names are reserved with meanings as | The following Header Parameter Names are reserved with meanings as | |||
| defined below. All the names are short because a core goal of this | defined below. | |||
| specification is for the resulting representations using the JWE | ||||
| Compact Serialization to be compact. | ||||
| Additional reserved Header Parameter Names can be defined via the | Additional reserved Header Parameter Names can be defined via the | |||
| IANA JSON Web Signature and Encryption Header Parameters registry | IANA JSON Web Signature and Encryption Header Parameters registry | |||
| [JWS]. As indicated by the common registry, JWSs and JWEs share a | [JWS]. As indicated by the common registry, JWSs and JWEs share a | |||
| common header parameter space; when a parameter is used by both | common header parameter space; when a parameter is used by both | |||
| specifications, its usage must be compatible between the | specifications, its usage must be compatible between the | |||
| specifications. | specifications. | |||
| 4.1.1. "alg" (Algorithm) Header Parameter | 4.1.1. "alg" (Algorithm) Header Parameter | |||
| The "alg" (algorithm) header parameter identifies a cryptographic | The "alg" (algorithm) header parameter identifies the cryptographic | |||
| algorithm used to encrypt or determine the value of the Content | algorithm used to encrypt or determine the value of the Content | |||
| Encryption Key (CEK). The recipient MUST reject the JWE if the "alg" | Encryption Key (CEK). The encrypted content is not usable if the | |||
| value does not represent a supported algorithm, or if the recipient | "alg" value does not represent a supported algorithm, or if the | |||
| does not have a key that can be used with that algorithm. "alg" | recipient does not have a key that can be used with that algorithm. | |||
| values SHOULD either be registered in the IANA JSON Web Signature and | "alg" values SHOULD either be registered in the IANA JSON Web | |||
| Encryption Algorithms registry [JWA] or be a value that contains a | Signature and Encryption Algorithms registry [JWA] or be a value that | |||
| Collision Resistant Namespace. The "alg" value is a case sensitive | contains a Collision Resistant Namespace. The "alg" value is a case | |||
| string containing a StringOrURI value. Use of this header parameter | sensitive string containing a StringOrURI value. Use of this header | |||
| is REQUIRED. This header parameter MUST be understood by | parameter is REQUIRED. This header parameter MUST be understood by | |||
| implementations. | implementations. | |||
| A list of defined "alg" values can be found in the IANA JSON Web | A list of defined "alg" values can be found in the IANA JSON Web | |||
| Signature and Encryption Algorithms registry [JWA]; the initial | Signature and Encryption Algorithms registry [JWA]; the initial | |||
| contents of this registry are the values defined in Section 4.1 of | contents of this registry are the values defined in Section 4.1 of | |||
| the JSON Web Algorithms (JWA) [JWA] specification. | the JSON Web Algorithms (JWA) [JWA] specification. | |||
| 4.1.2. "enc" (Encryption Method) Header Parameter | 4.1.2. "enc" (Encryption Method) Header Parameter | |||
| The "enc" (encryption method) header parameter identifies the content | The "enc" (encryption method) header parameter identifies the content | |||
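
Review bot: In 4.1.1, "The recipient MUST reject the JWE if the "alg" value does not represent a supported algorithm" becomes "The encrypted content is not usable if ...", which is a description rather than an RFC 2119 requirement. An implementer reading 4.1.1 on its own no longer finds a rule for handling an unsupported "alg" or a missing key. Suggest adding a reference from this sentence to Section 5.2, where the -15 text now states when the JWE MUST be rejected, or restating the requirement here in normative terms.
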
| skipping to change at page 18, line 15 ¶ | skipping to change at page 18, line 10 ¶ | |||
| Initialization Vector, the Encoded JWE Ciphertext, and the | Initialization Vector, the Encoded JWE Ciphertext, and the | |||
| Encoded JWE Authentication Tag in that order, with the five | Encoded JWE Authentication Tag in that order, with the five | |||
| strings being separated by four period ('.') characters. The | strings being separated by four period ('.') characters. The | |||
| JWE JSON Serialization is described in Section 7.2. | JWE JSON Serialization is described in Section 7.2. | |||
| 5.2. Message Decryption | 5.2. Message Decryption | |||
| The message decryption process is the reverse of the encryption | The message decryption process is the reverse of the encryption | |||
| process. The order of the steps is not significant in cases where | process. The order of the steps is not significant in cases where | |||
| there are no dependencies between the inputs and outputs of the | there are no dependencies between the inputs and outputs of the | |||
| steps. If any of these steps fails, the JWE MUST be rejected. | steps. If any of these steps fails, the encrypted content cannot be | |||
| validated. | ||||
| It is an application decision which recipients' encrypted content | ||||
| must successfully validate for the JWE to be accepted. In some | ||||
| cases, encrypted content for all recipients must successfully | ||||
| validate or the JWE will be rejected. In other cases, only the | ||||
| encrypted content for a single recipient needs to be successfully | ||||
| validated. However, in all cases, the encrypted content for at least | ||||
| one recipient MUST successfully validate or the JWE MUST be rejected. | ||||
| 1. Parse the serialized input to determine the values of the JWE | 1. Parse the serialized input to determine the values of the JWE | |||
| Header, the Encoded JWE Encrypted Key, the Encoded JWE | Header, the Encoded JWE Encrypted Key, the Encoded JWE | |||
| Initialization Vector, the Encoded JWE Ciphertext, and the | Initialization Vector, the Encoded JWE Ciphertext, and the | |||
| Encoded JWE Authentication Tag. When using the JWE Compact | Encoded JWE Authentication Tag. When using the JWE Compact | |||
| Serialization, the Encoded JWE Header, the Encoded JWE Encrypted | Serialization, the Encoded JWE Header, the Encoded JWE Encrypted | |||
| Key, the Encoded JWE Initialization Vector, the Encoded JWE | Key, the Encoded JWE Initialization Vector, the Encoded JWE | |||
| Ciphertext, and the Encoded JWE Authentication Tag are | Ciphertext, and the Encoded JWE Authentication Tag are | |||
| represented as text strings in that order, separated by four | represented as text strings in that order, separated by four | |||
| period ('.') characters. The JWE JSON Serialization is | period ('.') characters. The JWE JSON Serialization is | |||
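Review bot: In the rewritten opening paragraph of Section 5.2, "the encrypted content cannot be validated" replaces a clear "the JWE MUST be rejected", but the section never defines what it means for encrypted content to "validate". I would state explicitly that a failed step means decryption has failed for that recipient and no plaintext is produced for it. The new paragraph also leaves open what a recipient does when the application has expressed no policy; naming a default (for example, reject unless the content for the recipient's own key validates) would keep implementations from diverging. The closing "at least one recipient MUST successfully validate or the JWE MUST be rejected" is good and is worth keeping as the floor.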
| skipping to change at page 20, line 41 ¶ | skipping to change at page 20, line 43 ¶ | |||
| specified in the String Comparison Rules in Section 5.3 of [JWS]. | specified in the String Comparison Rules in Section 5.3 of [JWS]. | |||
| 6. Key Identification | 6. Key Identification | |||
| It is necessary for the recipient of a JWE to be able to determine | It is necessary for the recipient of a JWE to be able to determine | |||
| the key that was employed for the encryption operation. The key | the key that was employed for the encryption operation. The key | |||
| employed can be identified using the Header Parameter methods | employed can be identified using the Header Parameter methods | |||
| described in Section 4.1 or can be identified using methods that are | described in Section 4.1 or can be identified using methods that are | |||
| outside the scope of this specification. Specifically, the Header | outside the scope of this specification. Specifically, the Header | |||
| Parameters "jku", "jwk", "x5u", "x5t", "x5c", and "kid" can be used | Parameters "jku", "jwk", "x5u", "x5t", "x5c", and "kid" can be used | |||
| to identify the key used. The sender SHOULD include sufficient | to identify the key used. These header parameters MUST be integrity | |||
| information in the Header Parameters to identify the key used, unless | protected if the information about the key that they convey is to be | |||
| the application uses another means or convention to determine the key | considered trusted. | |||
| used. Recipients MUST reject the input when the key used cannot be | ||||
| determined. | The sender SHOULD include sufficient information in the Header | |||
| Parameters to identify the key used, unless the application uses | ||||
| another means or convention to determine the key used. Validation of | ||||
| the encrypted content fails when the key used cannot be determined. | ||||
| The means of exchanging any shared symmetric keys used is outside the | ||||
| scope of this specification. | ||||
| 7. Serializations | 7. Serializations | |||
| JWE objects use one of two serializations, the JWE Compact | JWE objects use one of two serializations, the JWE Compact | |||
| Serialization or the JWE JSON Serialization. The JWE Compact | Serialization or the JWE JSON Serialization. The JWE Compact | |||
| Serialization is mandatory to implement. Implementation of the JWE | Serialization is mandatory to implement. Implementation of the JWE | |||
| JSON Serialization is OPTIONAL. | JSON Serialization is OPTIONAL. | |||
| 7.1. JWE Compact Serialization | 7.1. JWE Compact Serialization | |||
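Review bot: The new sentence in Section 6, "These header parameters MUST be integrity protected if the information about the key that they convey is to be considered trusted", does not say how a sender obtains that protection or how a recipient checks for it. The -14 history entry on this page names separate "protected", "unprotected", and "header" members, so the text should say which of them satisfy this MUST and what a recipient does with "jku", "jwk", "x5u", "x5t", "x5c", or "kid" values found outside the protected set. Separately, the old "Recipients MUST reject the input when the key used cannot be determined" is now only "Validation of the encrypted content fails"; that is consistent with the new Section 5.2 wording, but a cross-reference to 5.2 would make it clear that the at-least-one-recipient rule still leads to rejection.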
| skipping to change at page 26, line 42 ¶ | skipping to change at page 27, line 4 ¶ | |||
| When decrypting, particular care must be taken not to allow the JWE | When decrypting, particular care must be taken not to allow the JWE | |||
| recipient to be used as an oracle for decrypting messages. RFC 3218 | recipient to be used as an oracle for decrypting messages. RFC 3218 | |||
| [RFC3218] should be consulted for specific countermeasures to attacks | [RFC3218] should be consulted for specific countermeasures to attacks | |||
| on RSAES-PKCS1-V1_5. An attacker might modify the contents of the | on RSAES-PKCS1-V1_5. An attacker might modify the contents of the | |||
| "alg" parameter from "RSA-OAEP" to "RSA1_5" in order to generate a | "alg" parameter from "RSA-OAEP" to "RSA1_5" in order to generate a | |||
| formatting error that can be detected and used to recover the CEK | formatting error that can be detected and used to recover the CEK | |||
| even if RSAES OAEP was used to encrypt the CEK. It is therefore | even if RSAES OAEP was used to encrypt the CEK. It is therefore | |||
| particularly important to report all formatting errors to the CEK, | particularly important to report all formatting errors to the CEK, | |||
| Additional Authenticated Data, or ciphertext as a single error when | Additional Authenticated Data, or ciphertext as a single error when | |||
| the JWE is rejected. | the encrypted content is rejected. | |||
| 11. References | 11. References | |||
| 11.1. Normative References | 11.1. Normative References | |||
| [ECMAScript] | [ECMAScript] | |||
| Ecma International, "ECMAScript Language Specification, | Ecma International, "ECMAScript Language Specification, | |||
| 5.1 Edition", ECMA 262, June 2011. | 5.1 Edition", ECMA 262, June 2011. | |||
| [ITU.X690.1994] | [ITU.X690.1994] | |||
| International Telecommunications Union, "Information | International Telecommunications Union, "Information | |||
| Technology - ASN.1 encoding rules: Specification of Basic | Technology - ASN.1 encoding rules: Specification of Basic | |||
| Encoding Rules (BER), Canonical Encoding Rules (CER) and | Encoding Rules (BER), Canonical Encoding Rules (CER) and | |||
| Distinguished Encoding Rules (DER)", ITU-T Recommendation | Distinguished Encoding Rules (DER)", ITU-T Recommendation | |||
| X.690, 1994. | X.690, 1994. | |||
| [JWA] Jones, M., "JSON Web Algorithms (JWA)", | [JWA] Jones, M., "JSON Web Algorithms (JWA)", | |||
| draft-ietf-jose-json-web-algorithms (work in progress), | draft-ietf-jose-json-web-algorithms (work in progress), | |||
| July 2013. | September 2013. | |||
| [JWK] Jones, M., "JSON Web Key (JWK)", | [JWK] Jones, M., "JSON Web Key (JWK)", | |||
| draft-ietf-jose-json-web-key (work in progress), | draft-ietf-jose-json-web-key (work in progress), | |||
| July 2013. | September 2013. | |||
| [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web | [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web | |||
| Signature (JWS)", draft-ietf-jose-json-web-signature (work | Signature (JWS)", draft-ietf-jose-json-web-signature (work | |||
| in progress), July 2013. | in progress), September 2013. | |||
| [RFC1421] Linn, J., "Privacy Enhancement for Internet Electronic | [RFC1421] Linn, J., "Privacy Enhancement for Internet Electronic | |||
| Mail: Part I: Message Encryption and Authentication | Mail: Part I: Message Encryption and Authentication | |||
| Procedures", RFC 1421, February 1993. | Procedures", RFC 1421, February 1993. | |||
| [RFC1951] Deutsch, P., "DEFLATE Compressed Data Format Specification | [RFC1951] Deutsch, P., "DEFLATE Compressed Data Format Specification | |||
| version 1.3", RFC 1951, May 1996. | version 1.3", RFC 1951, May 1996. | |||
| [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail | [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail | |||
| Extensions (MIME) Part Two: Media Types", RFC 2046, | Extensions (MIME) Part Two: Media Types", RFC 2046, | |||
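Review bot: In the oracle paragraph of the Security Considerations, the changed ending "when the encrypted content is rejected" now refers to the per-recipient outcome introduced in Section 5.2, but the paragraph does not say that the single, indistinguishable error has to hold across recipients as well. If an application reports which recipient's content failed, or a different error when the whole JWE is rejected, that is the kind of detectable difference this paragraph warns about for the "RSA-OAEP" to "RSA1_5" substitution. I suggest stating that the same error is returned for every recipient and for overall rejection. While this sentence is being touched, "formatting errors to the CEK, Additional Authenticated Data, or ciphertext" reads as if the errors were reported to the CEK; "errors in" would say what is meant. The reference date updates to September 2013 look fine.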
| skipping to change at page 45, line 41 ¶ | skipping to change at page 46, line 26 ¶ | |||
| Hannes Tschofenig, and Sean Turner. | Hannes Tschofenig, and Sean Turner. | |||
| Jim Schaad and Karen O'Donoghue chaired the JOSE working group and | Jim Schaad and Karen O'Donoghue chaired the JOSE working group and | |||
| Sean Turner and Stephen Farrell served as Security area directors | Sean Turner and Stephen Farrell served as Security area directors | |||
| during the creation of this specification. | during the creation of this specification. | |||
| Appendix D. Document History | Appendix D. Document History | |||
| [[ to be removed by the RFC editor before publication as an RFC ]] | [[ to be removed by the RFC editor before publication as an RFC ]] | |||
| -15 | ||||
| o Clarified that it is an application decision which recipients' | ||||
| encrypted content must successfully validate for the JWE to be | ||||
| accepted, addressing issue #35. | ||||
| o Changes to address editorial issues #34, #164, and #169. | ||||
| -14 | -14 | |||
| o Clarified that the "protected", "unprotected", "header", "iv", | o Clarified that the "protected", "unprotected", "header", "iv", | |||
| "tag", and "encrypted_key" parameters are to be omitted in the JWE | "tag", and "encrypted_key" parameters are to be omitted in the JWE | |||
| JSON Serialization when their values would be empty. Stated that | JSON Serialization when their values would be empty. Stated that | |||
| the "recipients" array must always be present. | the "recipients" array must always be present. | |||
| -13 | -13 | |||
| o Added an "aad" (Additional Authenticated Data) member for the JWE | o Added an "aad" (Additional Authenticated Data) member for the JWE | |||
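Review bot: The -15 history entry lists only issue #35 and "editorial issues #34, #164, and #169", but the Section 6 hunk in this same diff adds a new MUST (integrity protection of the key-identifying header parameters) and a new statement that the exchange of shared symmetric keys is out of scope. Neither is editorial. If they were made under one of the listed issues, that bullet should say so; otherwise add a bullet for each so that implementers reading the history can find the normative changes.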
| End of changes. 40 change blocks. | ||||
| 79 lines changed or deleted | 102 lines changed or added | |||