| < draft-ietf-jose-json-web-encryption-20.txt | draft-ietf-jose-json-web-encryption-21.txt > | |||
|---|---|---|---|---|
| JOSE Working Group M. Jones | JOSE Working Group M. Jones | |||
| Internet-Draft Microsoft | Internet-Draft Microsoft | |||
| Intended status: Standards Track E. Rescorla | Intended status: Standards Track E. Rescorla | |||
| Expires: July 24, 2014 RTFM | Expires: August 18, 2014 RTFM | |||
| J. Hildebrand | J. Hildebrand | |||
| Cisco | Cisco | |||
| January 20, 2014 | February 14, 2014 | |||
| JSON Web Encryption (JWE) | JSON Web Encryption (JWE) | |||
| draft-ietf-jose-json-web-encryption-20 | draft-ietf-jose-json-web-encryption-21 | |||
| Abstract | Abstract | |||
| JSON Web Encryption (JWE) represents encrypted content using | JSON Web Encryption (JWE) represents encrypted content using | |||
| JavaScript Object Notation (JSON) based data structures. | JavaScript Object Notation (JSON) based data structures. | |||
| Cryptographic algorithms and identifiers for use with this | Cryptographic algorithms and identifiers for use with this | |||
| specification are described in the separate JSON Web Algorithms (JWA) | specification are described in the separate JSON Web Algorithms (JWA) | |||
| specification and IANA registries defined by that specification. | specification and IANA registries defined by that specification. | |||
| Related digital signature and MAC capabilities are described in the | Related digital signature and MAC capabilities are described in the | |||
| separate JSON Web Signature (JWS) specification. | separate JSON Web Signature (JWS) specification. | |||
| skipping to change at page 1, line 39 ¶ | skipping to change at page 1, line 39 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on July 24, 2014. | This Internet-Draft will expire on August 18, 2014. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 19 ¶ | skipping to change at page 2, line 19 ¶ | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 5 | 1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 5 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 3. JSON Web Encryption (JWE) Overview . . . . . . . . . . . . . . 8 | 3. JSON Web Encryption (JWE) Overview . . . . . . . . . . . . . . 8 | |||
| 3.1. Example JWE . . . . . . . . . . . . . . . . . . . . . . . 10 | 3.1. Example JWE . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 4. JWE Header . . . . . . . . . . . . . . . . . . . . . . . . . . 12 | 4. JWE Header . . . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 4.1. Registered Header Parameter Names . . . . . . . . . . . . 12 | 4.1. Registered Header Parameter Names . . . . . . . . . . . . 12 | |||
| 4.1.1. "alg" (Algorithm) Header Parameter . . . . . . . . . . 12 | 4.1.1. "alg" (Algorithm) Header Parameter . . . . . . . . . . 13 | |||
| 4.1.2. "enc" (Encryption Algorithm) Header Parameter . . . . 13 | 4.1.2. "enc" (Encryption Algorithm) Header Parameter . . . . 13 | |||
| 4.1.3. "zip" (Compression Algorithm) Header Parameter . . . . 13 | 4.1.3. "zip" (Compression Algorithm) Header Parameter . . . . 13 | |||
| 4.1.4. "jku" (JWK Set URL) Header Parameter . . . . . . . . . 13 | 4.1.4. "jku" (JWK Set URL) Header Parameter . . . . . . . . . 14 | |||
| 4.1.5. "jwk" (JSON Web Key) Header Parameter . . . . . . . . 14 | 4.1.5. "jwk" (JSON Web Key) Header Parameter . . . . . . . . 14 | |||
| 4.1.6. "kid" (Key ID) Header Parameter . . . . . . . . . . . 14 | 4.1.6. "kid" (Key ID) Header Parameter . . . . . . . . . . . 14 | |||
| 4.1.7. "x5u" (X.509 URL) Header Parameter . . . . . . . . . . 14 | 4.1.7. "x5u" (X.509 URL) Header Parameter . . . . . . . . . . 14 | |||
| 4.1.8. "x5c" (X.509 Certificate Chain) Header Parameter . . . 14 | 4.1.8. "x5c" (X.509 Certificate Chain) Header Parameter . . . 14 | |||
| 4.1.9. "x5t" (X.509 Certificate SHA-1 Thumbprint) Header | 4.1.9. "x5t" (X.509 Certificate SHA-1 Thumbprint) Header | |||
| Parameter . . . . . . . . . . . . . . . . . . . . . . 14 | Parameter . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 4.1.10. "typ" (Type) Header Parameter . . . . . . . . . . . . 14 | 4.1.10. "typ" (Type) Header Parameter . . . . . . . . . . . . 15 | |||
| 4.1.11. "cty" (Content Type) Header Parameter . . . . . . . . 15 | 4.1.11. "cty" (Content Type) Header Parameter . . . . . . . . 15 | |||
| 4.1.12. "crit" (Critical) Header Parameter . . . . . . . . . . 15 | 4.1.12. "crit" (Critical) Header Parameter . . . . . . . . . . 15 | |||
| 4.2. Public Header Parameter Names . . . . . . . . . . . . . . 15 | 4.2. Public Header Parameter Names . . . . . . . . . . . . . . 15 | |||
| 4.3. Private Header Parameter Names . . . . . . . . . . . . . . 15 | 4.3. Private Header Parameter Names . . . . . . . . . . . . . . 15 | |||
| 5. Producing and Consuming JWEs . . . . . . . . . . . . . . . . . 15 | 5. Producing and Consuming JWEs . . . . . . . . . . . . . . . . . 16 | |||
| 5.1. Message Encryption . . . . . . . . . . . . . . . . . . . . 15 | 5.1. Message Encryption . . . . . . . . . . . . . . . . . . . . 16 | |||
| 5.2. Message Decryption . . . . . . . . . . . . . . . . . . . . 17 | 5.2. Message Decryption . . . . . . . . . . . . . . . . . . . . 18 | |||
| 5.3. String Comparison Rules . . . . . . . . . . . . . . . . . 20 | 5.3. String Comparison Rules . . . . . . . . . . . . . . . . . 20 | |||
| 6. Key Identification . . . . . . . . . . . . . . . . . . . . . . 20 | 6. Key Identification . . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 7. Serializations . . . . . . . . . . . . . . . . . . . . . . . . 20 | 7. Serializations . . . . . . . . . . . . . . . . . . . . . . . . 21 | |||
| 7.1. JWE Compact Serialization . . . . . . . . . . . . . . . . 21 | 7.1. JWE Compact Serialization . . . . . . . . . . . . . . . . 21 | |||
| 7.2. JWE JSON Serialization . . . . . . . . . . . . . . . . . . 21 | 7.2. JWE JSON Serialization . . . . . . . . . . . . . . . . . . 21 | |||
| 8. TLS Requirements . . . . . . . . . . . . . . . . . . . . . . . 24 | 8. TLS Requirements . . . . . . . . . . . . . . . . . . . . . . . 24 | |||
| 9. Distinguishing between JWS and JWE Objects . . . . . . . . . . 24 | 9. Distinguishing between JWS and JWE Objects . . . . . . . . . . 24 | |||
| 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25 | 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25 | |||
| 10.1. JSON Web Signature and Encryption Header Parameters | 10.1. JSON Web Signature and Encryption Header Parameters | |||
| Registration . . . . . . . . . . . . . . . . . . . . . . . 25 | Registration . . . . . . . . . . . . . . . . . . . . . . . 25 | |||
| 10.1.1. Registry Contents . . . . . . . . . . . . . . . . . . 25 | 10.1.1. Registry Contents . . . . . . . . . . . . . . . . . . 25 | |||
| 11. Security Considerations . . . . . . . . . . . . . . . . . . . 27 | 11. Security Considerations . . . . . . . . . . . . . . . . . . . 27 | |||
| 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 27 | 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 27 | |||
| skipping to change at page 4, line 5 ¶ | skipping to change at page 4, line 5 ¶ | |||
| Appendix B. Example AES_128_CBC_HMAC_SHA_256 Computation . . . . 42 | Appendix B. Example AES_128_CBC_HMAC_SHA_256 Computation . . . . 42 | |||
| B.1. Extract MAC_KEY and ENC_KEY from Key . . . . . . . . . . . 42 | B.1. Extract MAC_KEY and ENC_KEY from Key . . . . . . . . . . . 42 | |||
| B.2. Encrypt Plaintext to Create Ciphertext . . . . . . . . . . 43 | B.2. Encrypt Plaintext to Create Ciphertext . . . . . . . . . . 43 | |||
| B.3. 64 Bit Big Endian Representation of AAD Length . . . . . . 43 | B.3. 64 Bit Big Endian Representation of AAD Length . . . . . . 43 | |||
| B.4. Initialization Vector Value . . . . . . . . . . . . . . . 43 | B.4. Initialization Vector Value . . . . . . . . . . . . . . . 43 | |||
| B.5. Create Input to HMAC Computation . . . . . . . . . . . . . 44 | B.5. Create Input to HMAC Computation . . . . . . . . . . . . . 44 | |||
| B.6. Compute HMAC Value . . . . . . . . . . . . . . . . . . . . 44 | B.6. Compute HMAC Value . . . . . . . . . . . . . . . . . . . . 44 | |||
| B.7. Truncate HMAC Value to Create Authentication Tag . . . . . 44 | B.7. Truncate HMAC Value to Create Authentication Tag . . . . . 44 | |||
| Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 44 | Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 44 | |||
| Appendix D. Document History . . . . . . . . . . . . . . . . . . 45 | Appendix D. Document History . . . . . . . . . . . . . . . . . . 45 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 53 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 54 | |||
| 1. Introduction | 1. Introduction | |||
| JSON Web Encryption (JWE) represents encrypted content using | JSON Web Encryption (JWE) represents encrypted content using | |||
| JavaScript Object Notation (JSON) [I-D.ietf-json-rfc4627bis] based | JavaScript Object Notation (JSON) [I-D.ietf-json-rfc4627bis] based | |||
| data structures. The JWE cryptographic mechanisms encrypt and | data structures. The JWE cryptographic mechanisms encrypt and | |||
| provide integrity protection for an arbitrary sequence of octets. | provide integrity protection for an arbitrary sequence of octets. | |||
| Two closely related serializations for JWE objects are defined. The | Two closely related serializations for JWE objects are defined. The | |||
| JWE Compact Serialization is a compact, URL-safe representation | JWE Compact Serialization is a compact, URL-safe representation | |||
| skipping to change at page 7, line 16 ¶ | skipping to change at page 7, line 16 ¶ | |||
| Note that for some algorithms, the JWE Encrypted Key value is | Note that for some algorithms, the JWE Encrypted Key value is | |||
| specified as being the empty octet sequence. | specified as being the empty octet sequence. | |||
| JWE Initialization Vector Initialization Vector value used when | JWE Initialization Vector Initialization Vector value used when | |||
| encrypting the plaintext. Note that some algorithms may not use | encrypting the plaintext. Note that some algorithms may not use | |||
| an Initialization Vector, in which case this value is the empty | an Initialization Vector, in which case this value is the empty | |||
| octet sequence. | octet sequence. | |||
| JWE AAD Additional value to be integrity protected by the | JWE AAD Additional value to be integrity protected by the | |||
| authenticated encryption operation. This can only be present when | authenticated encryption operation. This can only be present when | |||
| using the JWE JSON Serialization. | using the JWE JSON Serialization. (Note that this can also be | |||
| achieved when using either serialization by including the AAD | ||||
| value as an integrity protected Header Parameter value, but at the | ||||
| cost of the value being double base64url encoded.) | ||||
| JWE Ciphertext Ciphertext value resulting from authenticated | JWE Ciphertext Ciphertext value resulting from authenticated | |||
| encryption of the plaintext with additional associated data. | encryption of the plaintext with additional associated data. | |||
| JWE Authentication Tag Authentication Tag value resulting from | JWE Authentication Tag Authentication Tag value resulting from | |||
| authenticated encryption of the plaintext with additional | authenticated encryption of the plaintext with additional | |||
| associated data. | associated data. | |||
| Header Parameter A name/value pair that is member of the JWE Header. | Header Parameter A name/value pair that is member of the JWE Header. | |||
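Review bot: In the JWE AAD definition, the added parenthetical reuses "this" with a different referent than the sentence before it: "This can only be present" refers to the JWE AAD value, while "this can also be achieved" refers to integrity protecting an additional value, so read together the two sentences seem to say "JSON Serialization only" and then "either serialization". Suggest naming the subject, for example "Note that integrity protection of an additional value can also be achieved when using either serialization by including it as an integrity protected Header Parameter value", so it stays clear that the JWE AAD value itself can only be present in the JWE JSON Serialization.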
| skipping to change at page 7, line 41 ¶ | skipping to change at page 7, line 44 ¶ | |||
| entire JWE Header. For the JWE JSON Serialization, this is one | entire JWE Header. For the JWE JSON Serialization, this is one | |||
| component of the JWE Header. | component of the JWE Header. | |||
| JWE Shared Unprotected Header JSON object that contains the JWE | JWE Shared Unprotected Header JSON object that contains the JWE | |||
| Header Parameters that apply to all recipients of the JWE that are | Header Parameters that apply to all recipients of the JWE that are | |||
| not integrity protected. This can only be present when using the | not integrity protected. This can only be present when using the | |||
| JWE JSON Serialization. | JWE JSON Serialization. | |||
| JWE Per-Recipient Unprotected Header JSON object that contains JWE | JWE Per-Recipient Unprotected Header JSON object that contains JWE | |||
| Header Parameters that apply to a single recipient of the JWE. | Header Parameters that apply to a single recipient of the JWE. | |||
| This value is not integrity protected. This can only be present | These Header Parameter values are not integrity protected. This | |||
| when using the JWE JSON Serialization. | can only be present when using the JWE JSON Serialization. | |||
| JWE Compact Serialization A representation of the JWE as a compact, | JWE Compact Serialization A representation of the JWE as a compact, | |||
| URL-safe string. | URL-safe string. | |||
| JWE JSON Serialization A representation of the JWE as a JSON object. | JWE JSON Serialization A representation of the JWE as a JSON object. | |||
| The JWE JSON Serialization enables the same content to be | The JWE JSON Serialization enables the same content to be | |||
| encrypted to multiple parties. This representation is neither | encrypted to multiple parties. This representation is neither | |||
| optimized for compactness nor URL-safe. | optimized for compactness nor URL-safe. | |||
| Key Management Mode A method of determining the Content Encryption | Key Management Mode A method of determining the Content Encryption | |||
| skipping to change at page 9, line 28 ¶ | skipping to change at page 9, line 33 ¶ | |||
| Parameters that are integrity protected by the authenticated | Parameters that are integrity protected by the authenticated | |||
| encryption operation. These parameters apply to all recipients of | encryption operation. These parameters apply to all recipients of | |||
| the JWE. | the JWE. | |||
| JWE Shared Unprotected Header JSON object that contains the JWE | JWE Shared Unprotected Header JSON object that contains the JWE | |||
| Header Parameters that apply to all recipients of the JWE that are | Header Parameters that apply to all recipients of the JWE that are | |||
| not integrity protected. | not integrity protected. | |||
| JWE Per-Recipient Unprotected Header JSON object that contains JWE | JWE Per-Recipient Unprotected Header JSON object that contains JWE | |||
| Header Parameters that apply to a single recipient of the JWE. | Header Parameters that apply to a single recipient of the JWE. | |||
| This value is not integrity protected. | These Header Parameter values are not integrity protected. | |||
| This document defines two serializations for JWE objects: a compact, | This document defines two serializations for JWE objects: a compact, | |||
| URL-safe serialization called the JWE Compact Serialization and a | URL-safe serialization called the JWE Compact Serialization and a | |||
| JSON serialization called the JWE JSON Serialization. In both | JSON serialization called the JWE JSON Serialization. In both | |||
| serializations, the JWE Protected Header, JWE Encrypted Key, JWE | serializations, the JWE Protected Header, JWE Encrypted Key, JWE | |||
| Initialization Vector, JWE Ciphertext, and JWE Authentication Tag are | Initialization Vector, JWE Ciphertext, and JWE Authentication Tag are | |||
| base64url encoded for transmission, since JSON lacks a way to | base64url encoded for transmission, since JSON lacks a way to | |||
| directly represent octet sequences. When present, the JWE AAD is | directly represent octet sequences. When present, the JWE AAD is | |||
| also base64url encoded for transmission. | also base64url encoded for transmission. | |||
| skipping to change at page 21, line 26 ¶ | skipping to change at page 21, line 38 ¶ | |||
| 7.2. JWE JSON Serialization | 7.2. JWE JSON Serialization | |||
| The JWE JSON Serialization represents encrypted content as a JSON | The JWE JSON Serialization represents encrypted content as a JSON | |||
| object. Content using the JWE JSON Serialization can be encrypted to | object. Content using the JWE JSON Serialization can be encrypted to | |||
| more than one recipient. This representation is neither optimized | more than one recipient. This representation is neither optimized | |||
| for compactness nor URL-safe. | for compactness nor URL-safe. | |||
| The following members are defined for use in top-level JSON objects | The following members are defined for use in top-level JSON objects | |||
| used for the JWE JSON Serialization: | used for the JWE JSON Serialization: | |||
| protected The value BASE64URL(UTF8(JWE Protected Header)), if non- | protected The "protected" member MUST be present and contain the | |||
| empty, is stored in the "protected" member. | value BASE64URL(UTF8(JWE Protected Header)) when the JWE Protected | |||
| Header value is non-empty; otherwise, it MUST be absent. These | ||||
| Header Parameter values are integrity protected. | ||||
| unprotected The value BASE64URL(UTF8(JWE Shared Unprotected | unprotected The "unprotected" member MUST be present and contain the | |||
| Header)), if non-empty, is stored in the "unprotected" member. If | value JWE Shared Unprotected Header when the JWE Shared | |||
| present, a JWE Shared Unprotected Header value is represented as | Unprotected Header value is non-empty; otherwise, it MUST be | |||
| an unencoded JSON object, rather than as a string. | absent. This value is represented as an unencoded JSON object, | |||
| rather than as a string. These Header Parameter values are not | ||||
| integrity protected. | ||||
| iv The value BASE64URL(JWE Initialization Vector), if non-empty, is | iv The "iv" member MUST be present and contain the value | |||
| stored in the "iv" member. | BASE64URL(JWE Initialization Vector) when the JWE Initialization | |||
| Vector value is non-empty; otherwise, it MUST be absent. | ||||
| aad A JWE AAD value can be included to supply a base64url encoded | aad The "aad" member MUST be present and contain the value | |||
| value to be integrity protected but not encrypted. (Note that | BASE64URL(JWE AAD)) when the JWE AAD value is non-empty; | |||
| this can also be achieved when using either serialization by | otherwise, it MUST be absent. A JWE AAD value can be included to | |||
| including the AAD value as a protected Header Parameter value, but | supply a base64url encoded value to be integrity protected but not | |||
| at the cost of the value being double base64url encoded.) If a | encrypted. | |||
| JWE AAD value is present, the value BASE64URL(JWE AAD)) is stored | ||||
| in the "aad" member. | ||||
| ciphertext The value BASE64URL(JWE Ciphertext) is stored in the | ciphertext The "ciphertext" member MUST be present and contain the | |||
| "ciphertext" member. | value BASE64URL(JWE Ciphertext). | |||
| tag The value BASE64URL(JWE Authentication Tag), if non-empty, is | tag The "tag" member MUST be present and contain the value | |||
| stored in the "tag" member. | BASE64URL(JWE Authentication Tag) when the JWE Authentication Tag | |||
| value is non-empty; otherwise, it MUST be absent. | ||||
| recipients A JSON array in the "recipients" member is used to hold | recipients The "recipients" member value MUST be an array of JSON | |||
| values that are specific to a particular recipient, with one array | objects. Each object contains information specific to a single | |||
| element per recipient represented. These array elements are JSON | recipient. This member MUST be present, even if the array | |||
| objects, as specified below. | elements contain only the empty JSON object "{}" (which can happen | |||
| when all Header Parameter values are shared between all recipients | ||||
| and when no encrypted key is used, such as when doing Direct | ||||
| Encryption). | ||||
| The following members are defined for use in the JSON objects that | The following members are defined for use in the JSON objects that | |||
| are elements of the "recipients" array: | are elements of the "recipients" array: | |||
| header Each JWE Per-Recipient Unprotected Header value, if non- | header The "header" member MUST be present and contain the value JWE | |||
| empty, is stored in the "header" member. If present, a JWE Per- | Per-Recipient Unprotected Header when the JWE Per-Recipient | |||
| Recipient Unprotected Header value is represented as an unencoded | Unprotected Header value is non-empty; otherwise, it MUST be | |||
| JSON object, rather than as a string. | absent. This value is represented as an unencoded JSON object, | |||
| rather than as a string. These Header Parameter values are not | ||||
| encrypted_key Each value BASE64URL(JWE Encrypted Key), if non-empty, | integrity protected. | |||
| is stored in the "encrypted_key" member. | ||||
| Of these members of the two JSON objects defined above, only the | encrypted_key The "encrypted_key" member MUST be present and contain | |||
| "ciphertext" and "recipients" members MUST be present. The | the value BASE64URL(JWE Encrypted Key) when the JWE Encrypted Key | |||
| "recipients" array MUST always be present, even if the array elements | value is non-empty; otherwise, it MUST be absent. | |||
| contain only the empty JSON object "{}" (which can happen when all | ||||
| Header Parameter values are shared between all recipients and when no | ||||
| encrypted key is used, such as when doing Direct Encryption). | ||||
| The "iv", "tag", and "encrypted_key" members MUST be present when | At least one of the "header", "protected", and "unprotected" members | |||
| corresponding JWE Initialization Vector, JWE Authentication Tag, and | MUST be present so that "alg" and "enc" Header Parameter values are | |||
| JWE Encrypted Key values are non-empty. The "recipients" member MUST | conveyed for each recipient computation. | |||
| be present when any "header" or "encrypted_key" members are needed | ||||
| for recipients. At least one of the "header", "protected", and | ||||
| "unprotected" members MUST be present so that "alg" and "enc" Header | ||||
| Parameter values are conveyed for each recipient computation. | ||||
| Additional members can be present in both the JSON objects defined | Additional members can be present in both the JSON objects defined | |||
| above; if not understood by implementations encountering them, they | above; if not understood by implementations encountering them, they | |||
| MUST be ignored. | MUST be ignored. | |||
| Some Header Parameters, including the "alg" parameter, can be shared | Some Header Parameters, including the "alg" parameter, can be shared | |||
| among all recipient computations. Header Parameters in the JWE | among all recipient computations. Header Parameters in the JWE | |||
| Protected Header and JWE Shared Unprotected Header values are shared | Protected Header and JWE Shared Unprotected Header values are shared | |||
| among all recipients. | among all recipients. | |||
| Not all Header Parameters are integrity protected. The shared Header | ||||
| Parameters in the JWE Protected Header value member are integrity | ||||
| protected, and are base64url encoded for transmission. The per- | ||||
| recipient Header Parameters in the JWE Per-Recipient Unprotected | ||||
| Header values and the shared Header Parameters in the JWE Shared | ||||
| Unprotected Header value are not integrity protected. These JSON | ||||
| objects containing Header Parameters that are not integrity protected | ||||
| are not base64url encoded. | ||||
| The Header Parameter values used when creating or validating per- | The Header Parameter values used when creating or validating per- | |||
| recipient Ciphertext and Authentication Tag values are the union of | recipient Ciphertext and Authentication Tag values are the union of | |||
| the three sets of Header Parameter values that may be present: (1) | the three sets of Header Parameter values that may be present: (1) | |||
| the JWE Protected Header values represented in the "protected" | the JWE Protected Header represented in the "protected" member, (2) | |||
| member, (2) the JWE Shared Unprotected Header values represented in | the JWE Shared Unprotected Header represented in the "unprotected" | |||
| the "unprotected" member, and (3) the JWE Per-Recipient Unprotected | member, and (3) the JWE Per-Recipient Unprotected Header represented | |||
| Header values represented in the "header" member of the recipient's | in the "header" member of the recipient's array element. The union | |||
| array element. The union of these sets of Header Parameters | of these sets of Header Parameters comprises the JWE Header. The | |||
| comprises the JWE Header. The Header Parameter names in the three | Header Parameter names in the three locations MUST be disjoint. | |||
| locations MUST be disjoint. | ||||
| The contents of the JWE Encrypted Key, JWE Initialization Vector, JWE | ||||
| Ciphertext, and JWE Authentication Tag values are exactly as defined | ||||
| in the rest of this specification. They are interpreted and | ||||
| validated in the same manner, with each corresponding JWE Encrypted | ||||
| Key, JWE Initialization Vector, JWE Ciphertext, JWE Authentication | ||||
| Tag, and set of Header Parameter values being created and validated | ||||
| together. The JWE Header values used are the union of the Header | ||||
| Parameters in the JWE Protected Header, JWE Shared Unprotected | ||||
| Header, and corresponding JWE Per-Recipient Unprotected Header | ||||
| values, as described earlier. | ||||
| Each JWE Encrypted Key value is computed using the parameters of the | Each JWE Encrypted Key value is computed using the parameters of the | |||
| corresponding JWE Header value in the same manner as for the JWE | corresponding JWE Header value in the same manner as for the JWE | |||
| Compact Serialization. This has the desirable property that each JWE | Compact Serialization. This has the desirable property that each JWE | |||
| Encrypted Key value in the "recipients" array is identical to the | Encrypted Key value in the "recipients" array is identical to the | |||
| value that would have been computed for the same parameter in the JWE | value that would have been computed for the same parameter in the JWE | |||
| Compact Serialization. Likewise, the JWE Ciphertext and JWE | Compact Serialization. Likewise, the JWE Ciphertext and JWE | |||
| Authentication Tag values match those produced for the JWE Compact | Authentication Tag values match those produced for the JWE Compact | |||
| Serialization, provided that the JWE Protected Header value (which | Serialization, provided that the JWE Protected Header value (which | |||
| represents the integrity-protected Header Parameter values) matches | represents the integrity-protected Header Parameter values) matches | |||
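Review bot: The rewritten "aad" member text in 7.2 carries over the unbalanced parenthesis from -20: "BASE64URL(JWE AAD))" should read "BASE64URL(JWE AAD)", matching the form used in the "iv", "ciphertext" and "tag" entries. Separately, the new "MUST be present ... when ... non-empty; otherwise, it MUST be absent" wording on "protected", "unprotected", "iv", "aad", "tag", "header" and "encrypted_key" reads as a requirement on the producer only; it would help to state what a recipient does with a member that is present but empty (for example an empty string for "iv" or "tag"), so that implementations do not differ on whether to reject the JWE or treat the member as absent.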
| skipping to change at page 28, line 7 ¶ | skipping to change at page 28, line 7 ¶ | |||
| Ecma International, "ECMAScript Language Specification, | Ecma International, "ECMAScript Language Specification, | |||
| 5.1 Edition", ECMA 262, June 2011. | 5.1 Edition", ECMA 262, June 2011. | |||
| [I-D.ietf-json-rfc4627bis] | [I-D.ietf-json-rfc4627bis] | |||
| Bray, T., "The JSON Data Interchange Format", | Bray, T., "The JSON Data Interchange Format", | |||
| draft-ietf-json-rfc4627bis-10 (work in progress), | draft-ietf-json-rfc4627bis-10 (work in progress), | |||
| December 2013. | December 2013. | |||
| [JWA] Jones, M., "JSON Web Algorithms (JWA)", | [JWA] Jones, M., "JSON Web Algorithms (JWA)", | |||
| draft-ietf-jose-json-web-algorithms (work in progress), | draft-ietf-jose-json-web-algorithms (work in progress), | |||
| January 2014. | February 2014. | |||
| [JWK] Jones, M., "JSON Web Key (JWK)", | [JWK] Jones, M., "JSON Web Key (JWK)", | |||
| draft-ietf-jose-json-web-key (work in progress), | draft-ietf-jose-json-web-key (work in progress), | |||
| January 2014. | February 2014. | |||
| [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web | [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web | |||
| Signature (JWS)", draft-ietf-jose-json-web-signature (work | Signature (JWS)", draft-ietf-jose-json-web-signature (work | |||
| in progress), January 2014. | in progress), February 2014. | |||
| [RFC1951] Deutsch, P., "DEFLATE Compressed Data Format Specification | [RFC1951] Deutsch, P., "DEFLATE Compressed Data Format Specification | |||
| version 1.3", RFC 1951, May 1996. | version 1.3", RFC 1951, May 1996. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO | [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO | |||
| 10646", STD 63, RFC 3629, November 2003. | 10646", STD 63, RFC 3629, November 2003. | |||
| [RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness | ||||
| Requirements for Security", BCP 106, RFC 4086, June 2005. | ||||
| [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | |||
| Housley, R., and W. Polk, "Internet X.509 Public Key | Housley, R., and W. Polk, "Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 5280, May 2008. | (CRL) Profile", RFC 5280, May 2008. | |||
| [USASCII] American National Standards Institute, "Coded Character | [USASCII] American National Standards Institute, "Coded Character | |||
| Set -- 7-bit American Standard Code for Information | Set -- 7-bit American Standard Code for Information | |||
| Interchange", ANSI X3.4, 1986. | Interchange", ANSI X3.4, 1986. | |||
| [W3C.CR-xmlenc-core1-20120313] | ||||
| Eastlake, D., Reagle, J., Roessler, T., and F. Hirsch, | ||||
| "XML Encryption Syntax and Processing Version 1.1", World | ||||
| Wide Web Consortium CR CR-xmlenc-core1-20120313, | ||||
| March 2012, | ||||
| <http://www.w3.org/TR/2012/CR-xmlenc-core1-20120313>. | ||||
| 12.2. Informative References | 12.2. Informative References | |||
| [I-D.mcgrew-aead-aes-cbc-hmac-sha2] | [I-D.mcgrew-aead-aes-cbc-hmac-sha2] | |||
| McGrew, D. and K. Paterson, "Authenticated Encryption with | McGrew, D. and K. Paterson, "Authenticated Encryption with | |||
| AES-CBC and HMAC-SHA", | AES-CBC and HMAC-SHA", | |||
| draft-mcgrew-aead-aes-cbc-hmac-sha2-01 (work in progress), | draft-mcgrew-aead-aes-cbc-hmac-sha2-01 (work in progress), | |||
| October 2012. | October 2012. | |||
| [I-D.rescorla-jsms] | [I-D.rescorla-jsms] | |||
| Rescorla, E. and J. Hildebrand, "JavaScript Message | Rescorla, E. and J. Hildebrand, "JavaScript Message | |||
| Security Format", draft-rescorla-jsms-00 (work in | Security Format", draft-rescorla-jsms-00 (work in | |||
| progress), March 2011. | progress), March 2011. | |||
| [JSE] Bradley, J. and N. Sakimura (editor), "JSON Simple | [JSE] Bradley, J. and N. Sakimura (editor), "JSON Simple | |||
| Encryption", September 2010. | Encryption", September 2010. | |||
| [RFC3218] Rescorla, E., "Preventing the Million Message Attack on | [RFC3218] Rescorla, E., "Preventing the Million Message Attack on | |||
| Cryptographic Message Syntax", RFC 3218, January 2002. | Cryptographic Message Syntax", RFC 3218, January 2002. | |||
| [RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness | ||||
| Requirements for Security", BCP 106, RFC 4086, June 2005. | ||||
| [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, | [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, | |||
| RFC 5652, September 2009. | RFC 5652, September 2009. | |||
| [W3C.CR-xmlenc-core1-20120313] | ||||
| Eastlake, D., Reagle, J., Roessler, T., and F. Hirsch, | ||||
| "XML Encryption Syntax and Processing Version 1.1", World | ||||
| Wide Web Consortium CR CR-xmlenc-core1-20120313, | ||||
| March 2012, | ||||
| <http://www.w3.org/TR/2012/CR-xmlenc-core1-20120313>. | ||||
| Appendix A. JWE Examples | Appendix A. JWE Examples | |||
| This section provides examples of JWE computations. | This section provides examples of JWE computations. | |||
| A.1. Example JWE using RSAES OAEP and AES GCM | A.1. Example JWE using RSAES OAEP and AES GCM | |||
| This example encrypts the plaintext "The true sign of intelligence is | This example encrypts the plaintext "The true sign of intelligence is | |||
| not knowledge but imagination." to the recipient using RSAES OAEP for | not knowledge but imagination." to the recipient using RSAES OAEP for | |||
| key encryption and AES GCM for content encryption. The | key encryption and AES GCM for content encryption. The | |||
| representation of this plaintext is: | representation of this plaintext is: | |||
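Review bot: [RFC4086] and [W3C.CR-xmlenc-core1-20120313] leave the list above the "12.2. Informative References" heading and reappear below it, so every place the body cites them needs to be checked. If any requirement-level statement (RFC 2119 key words) relies on RFC 4086 for randomness, that citation has to stay normative or the requirement has to be stated in this document itself. The citing text is not visible in this hunk, so please confirm each remaining use is guidance only.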
| skipping to change at page 45, line 26 ¶ | skipping to change at page 45, line 26 ¶ | |||
| Hannes Tschofenig, and Sean Turner. | Hannes Tschofenig, and Sean Turner. | |||
| Jim Schaad and Karen O'Donoghue chaired the JOSE working group and | Jim Schaad and Karen O'Donoghue chaired the JOSE working group and | |||
| Sean Turner and Stephen Farrell served as Security area directors | Sean Turner and Stephen Farrell served as Security area directors | |||
| during the creation of this specification. | during the creation of this specification. | |||
| Appendix D. Document History | Appendix D. Document History | |||
| [[ to be removed by the RFC Editor before publication as an RFC ]] | [[ to be removed by the RFC Editor before publication as an RFC ]] | |||
| -21 | ||||
| o Changed some references from being normative to informative, | ||||
| addressing issue #90. | ||||
| o Applied review comments to the JSON Serialization section, | ||||
| addressing issue #178. | ||||
| -20 | -20 | |||
| o Made terminology definitions more consistent, addressing issue | o Made terminology definitions more consistent, addressing issue | |||
| #165. | #165. | |||
| o Restructured the JSON Serialization section to call out the | o Restructured the JSON Serialization section to call out the | |||
| parameters used in hanging lists, addressing issue #178. | parameters used in hanging lists, addressing issue #178. | |||
| o Replaced references to RFC 4627 with draft-ietf-json-rfc4627bis, | o Replaced references to RFC 4627 with draft-ietf-json-rfc4627bis, | |||
| addressing issue #90. | addressing issue #90. | |||
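Review bot: The first -21 bullet in Appendix D says only that "some references" changed from normative to informative; name them ([RFC4086] and [W3C.CR-xmlenc-core1-20120313], per the reference-list changes in this diff) so a reader tracking issue #90 can see what moved. The second bullet, "Applied review comments to the JSON Serialization section", would likewise be more useful if it summarized what changed for issue #178.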
| End of changes. 33 change blocks. | ||||
| 100 lines changed or deleted | 89 lines changed or added | |||