| < draft-ietf-jose-json-web-encryption-26.txt | draft-ietf-jose-json-web-encryption-27.txt > | |||
|---|---|---|---|---|
| JOSE Working Group M. Jones | JOSE Working Group M. Jones | |||
| Internet-Draft Microsoft | Internet-Draft Microsoft | |||
| Intended status: Standards Track J. Hildebrand | Intended status: Standards Track J. Hildebrand | |||
| Expires: November 1, 2014 Cisco | Expires: December 12, 2014 Cisco | |||
| April 30, 2014 | June 10, 2014 | |||
| JSON Web Encryption (JWE) | JSON Web Encryption (JWE) | |||
| draft-ietf-jose-json-web-encryption-26 | draft-ietf-jose-json-web-encryption-27 | |||
| Abstract | Abstract | |||
| JSON Web Encryption (JWE) represents encrypted content using | JSON Web Encryption (JWE) represents encrypted content using | |||
| JavaScript Object Notation (JSON) based data structures. | JavaScript Object Notation (JSON) based data structures. | |||
| Cryptographic algorithms and identifiers for use with this | Cryptographic algorithms and identifiers for use with this | |||
| specification are described in the separate JSON Web Algorithms (JWA) | specification are described in the separate JSON Web Algorithms (JWA) | |||
| specification and IANA registries defined by that specification. | specification and IANA registries defined by that specification. | |||
| Related digital signature and MAC capabilities are described in the | Related digital signature and MAC capabilities are described in the | |||
| separate JSON Web Signature (JWS) specification. | separate JSON Web Signature (JWS) specification. | |||
| skipping to change at page 1, line 37 | skipping to change at page 1, line 37 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on November 1, 2014. | This Internet-Draft will expire on December 12, 2014. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 4 | 1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 5 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 3. JSON Web Encryption (JWE) Overview . . . . . . . . . . . . . . 8 | 3. JSON Web Encryption (JWE) Overview . . . . . . . . . . . . . . 9 | |||
| 3.1. Example JWE . . . . . . . . . . . . . . . . . . . . . . . 10 | 3.1. Example JWE . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 4. JWE Header . . . . . . . . . . . . . . . . . . . . . . . . . . 11 | 4. JWE Header . . . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 4.1. Registered Header Parameter Names . . . . . . . . . . . . 12 | 4.1. Registered Header Parameter Names . . . . . . . . . . . . 13 | |||
| 4.1.1. "alg" (Algorithm) Header Parameter . . . . . . . . . . 12 | 4.1.1. "alg" (Algorithm) Header Parameter . . . . . . . . . . 13 | |||
| 4.1.2. "enc" (Encryption Algorithm) Header Parameter . . . . 12 | 4.1.2. "enc" (Encryption Algorithm) Header Parameter . . . . 13 | |||
| 4.1.3. "zip" (Compression Algorithm) Header Parameter . . . . 12 | 4.1.3. "zip" (Compression Algorithm) Header Parameter . . . . 13 | |||
| 4.1.4. "jku" (JWK Set URL) Header Parameter . . . . . . . . . 13 | 4.1.4. "jku" (JWK Set URL) Header Parameter . . . . . . . . . 14 | |||
| 4.1.5. "jwk" (JSON Web Key) Header Parameter . . . . . . . . 13 | 4.1.5. "jwk" (JSON Web Key) Header Parameter . . . . . . . . 14 | |||
| 4.1.6. "kid" (Key ID) Header Parameter . . . . . . . . . . . 13 | 4.1.6. "kid" (Key ID) Header Parameter . . . . . . . . . . . 14 | |||
| 4.1.7. "x5u" (X.509 URL) Header Parameter . . . . . . . . . . 13 | 4.1.7. "x5u" (X.509 URL) Header Parameter . . . . . . . . . . 14 | |||
| 4.1.8. "x5c" (X.509 Certificate Chain) Header Parameter . . . 14 | 4.1.8. "x5c" (X.509 Certificate Chain) Header Parameter . . . 15 | |||
| 4.1.9. "x5t" (X.509 Certificate SHA-1 Thumbprint) Header | 4.1.9. "x5t" (X.509 Certificate SHA-1 Thumbprint) Header | |||
| Parameter . . . . . . . . . . . . . . . . . . . . . . 14 | Parameter . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 4.1.10. "typ" (Type) Header Parameter . . . . . . . . . . . . 14 | 4.1.10. "x5t#S256" (X.509 Certificate SHA-256 Thumbprint) | |||
| 4.1.11. "cty" (Content Type) Header Parameter . . . . . . . . 14 | Header Parameter . . . . . . . . . . . . . . . . . . . 15 | |||
| 4.1.12. "crit" (Critical) Header Parameter . . . . . . . . . . 14 | 4.1.11. "typ" (Type) Header Parameter . . . . . . . . . . . . 15 | |||
| 4.2. Public Header Parameter Names . . . . . . . . . . . . . . 14 | 4.1.12. "cty" (Content Type) Header Parameter . . . . . . . . 15 | |||
| 4.3. Private Header Parameter Names . . . . . . . . . . . . . . 15 | 4.1.13. "crit" (Critical) Header Parameter . . . . . . . . . . 15 | |||
| 5. Producing and Consuming JWEs . . . . . . . . . . . . . . . . . 15 | 4.2. Public Header Parameter Names . . . . . . . . . . . . . . 16 | |||
| 5.1. Message Encryption . . . . . . . . . . . . . . . . . . . . 15 | 4.3. Private Header Parameter Names . . . . . . . . . . . . . . 16 | |||
| 5.2. Message Decryption . . . . . . . . . . . . . . . . . . . . 17 | 5. Producing and Consuming JWEs . . . . . . . . . . . . . . . . . 16 | |||
| 5.3. String Comparison Rules . . . . . . . . . . . . . . . . . 20 | 5.1. Message Encryption . . . . . . . . . . . . . . . . . . . . 16 | |||
| 6. Key Identification . . . . . . . . . . . . . . . . . . . . . . 20 | 5.2. Message Decryption . . . . . . . . . . . . . . . . . . . . 18 | |||
| 7. Serializations . . . . . . . . . . . . . . . . . . . . . . . . 20 | 5.3. String Comparison Rules . . . . . . . . . . . . . . . . . 21 | |||
| 7.1. JWE Compact Serialization . . . . . . . . . . . . . . . . 20 | 6. Key Identification . . . . . . . . . . . . . . . . . . . . . . 21 | |||
| 7.2. JWE JSON Serialization . . . . . . . . . . . . . . . . . . 20 | 7. Serializations . . . . . . . . . . . . . . . . . . . . . . . . 21 | |||
| 8. TLS Requirements . . . . . . . . . . . . . . . . . . . . . . . 23 | 7.1. JWE Compact Serialization . . . . . . . . . . . . . . . . 21 | |||
| 9. Distinguishing between JWS and JWE Objects . . . . . . . . . . 23 | 7.2. JWE JSON Serialization . . . . . . . . . . . . . . . . . . 21 | |||
| 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24 | 8. TLS Requirements . . . . . . . . . . . . . . . . . . . . . . . 24 | |||
| 9. Distinguishing between JWS and JWE Objects . . . . . . . . . . 24 | ||||
| 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25 | ||||
| 10.1. JSON Web Signature and Encryption Header Parameters | 10.1. JSON Web Signature and Encryption Header Parameters | |||
| Registration . . . . . . . . . . . . . . . . . . . . . . . 24 | Registration . . . . . . . . . . . . . . . . . . . . . . . 25 | |||
| 10.1.1. Registry Contents . . . . . . . . . . . . . . . . . . 24 | 10.1.1. Registry Contents . . . . . . . . . . . . . . . . . . 25 | |||
| 11. Security Considerations . . . . . . . . . . . . . . . . . . . 26 | 11. Security Considerations . . . . . . . . . . . . . . . . . . . 27 | |||
| 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 27 | 11.1. Adaptive Chosen-Ciphertext Attacks . . . . . . . . . . . . 27 | |||
| 12.1. Normative References . . . . . . . . . . . . . . . . . . . 27 | 11.2. Timing Attacks . . . . . . . . . . . . . . . . . . . . . . 28 | |||
| 12.2. Informative References . . . . . . . . . . . . . . . . . . 27 | ||||
| Appendix A. JWE Examples . . . . . . . . . . . . . . . . . . . . 28 | 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 28 | |||
| A.1. Example JWE using RSAES OAEP and AES GCM . . . . . . . . . 28 | 12.1. Normative References . . . . . . . . . . . . . . . . . . . 28 | |||
| A.1.1. JWE Header . . . . . . . . . . . . . . . . . . . . . . 28 | 12.2. Informative References . . . . . . . . . . . . . . . . . . 29 | |||
| A.1.2. Content Encryption Key (CEK) . . . . . . . . . . . . . 29 | Appendix A. JWE Examples . . . . . . . . . . . . . . . . . . . . 29 | |||
| A.1.3. Key Encryption . . . . . . . . . . . . . . . . . . . . 29 | A.1. Example JWE using RSAES OAEP and AES GCM . . . . . . . . . 29 | |||
| A.1.4. Initialization Vector . . . . . . . . . . . . . . . . 30 | A.1.1. JWE Header . . . . . . . . . . . . . . . . . . . . . . 30 | |||
| A.1.5. Additional Authenticated Data . . . . . . . . . . . . 30 | A.1.2. Content Encryption Key (CEK) . . . . . . . . . . . . . 30 | |||
| A.1.6. Content Encryption . . . . . . . . . . . . . . . . . . 31 | A.1.3. Key Encryption . . . . . . . . . . . . . . . . . . . . 30 | |||
| A.1.7. Complete Representation . . . . . . . . . . . . . . . 31 | A.1.4. Initialization Vector . . . . . . . . . . . . . . . . 32 | |||
| A.1.8. Validation . . . . . . . . . . . . . . . . . . . . . . 32 | A.1.5. Additional Authenticated Data . . . . . . . . . . . . 32 | |||
| A.1.6. Content Encryption . . . . . . . . . . . . . . . . . . 32 | ||||
| A.1.7. Complete Representation . . . . . . . . . . . . . . . 33 | ||||
| A.1.8. Validation . . . . . . . . . . . . . . . . . . . . . . 33 | ||||
| A.2. Example JWE using RSAES-PKCS1-V1_5 and | A.2. Example JWE using RSAES-PKCS1-V1_5 and | |||
| AES_128_CBC_HMAC_SHA_256 . . . . . . . . . . . . . . . . . 32 | AES_128_CBC_HMAC_SHA_256 . . . . . . . . . . . . . . . . . 33 | |||
| A.2.1. JWE Header . . . . . . . . . . . . . . . . . . . . . . 32 | A.2.1. JWE Header . . . . . . . . . . . . . . . . . . . . . . 34 | |||
| A.2.2. Content Encryption Key (CEK) . . . . . . . . . . . . . 33 | A.2.2. Content Encryption Key (CEK) . . . . . . . . . . . . . 34 | |||
| A.2.3. Key Encryption . . . . . . . . . . . . . . . . . . . . 33 | A.2.3. Key Encryption . . . . . . . . . . . . . . . . . . . . 34 | |||
| A.2.4. Initialization Vector . . . . . . . . . . . . . . . . 34 | A.2.4. Initialization Vector . . . . . . . . . . . . . . . . 35 | |||
| A.2.5. Additional Authenticated Data . . . . . . . . . . . . 34 | A.2.5. Additional Authenticated Data . . . . . . . . . . . . 36 | |||
| A.2.6. Content Encryption . . . . . . . . . . . . . . . . . . 34 | A.2.6. Content Encryption . . . . . . . . . . . . . . . . . . 36 | |||
| A.2.7. Complete Representation . . . . . . . . . . . . . . . 35 | A.2.7. Complete Representation . . . . . . . . . . . . . . . 36 | |||
| A.2.8. Validation . . . . . . . . . . . . . . . . . . . . . . 35 | A.2.8. Validation . . . . . . . . . . . . . . . . . . . . . . 37 | |||
| A.3. Example JWE using AES Key Wrap and | A.3. Example JWE using AES Key Wrap and | |||
| AES_128_CBC_HMAC_SHA_256 . . . . . . . . . . . . . . . . . 36 | AES_128_CBC_HMAC_SHA_256 . . . . . . . . . . . . . . . . . 37 | |||
| A.3.1. JWE Header . . . . . . . . . . . . . . . . . . . . . . 36 | A.3.1. JWE Header . . . . . . . . . . . . . . . . . . . . . . 37 | |||
| A.3.2. Content Encryption Key (CEK) . . . . . . . . . . . . . 36 | A.3.2. Content Encryption Key (CEK) . . . . . . . . . . . . . 38 | |||
| A.3.3. Key Encryption . . . . . . . . . . . . . . . . . . . . 36 | A.3.3. Key Encryption . . . . . . . . . . . . . . . . . . . . 38 | |||
| A.3.4. Initialization Vector . . . . . . . . . . . . . . . . 37 | A.3.4. Initialization Vector . . . . . . . . . . . . . . . . 38 | |||
| A.3.5. Additional Authenticated Data . . . . . . . . . . . . 37 | A.3.5. Additional Authenticated Data . . . . . . . . . . . . 39 | |||
| A.3.6. Content Encryption . . . . . . . . . . . . . . . . . . 37 | A.3.6. Content Encryption . . . . . . . . . . . . . . . . . . 39 | |||
| A.3.7. Complete Representation . . . . . . . . . . . . . . . 38 | A.3.7. Complete Representation . . . . . . . . . . . . . . . 39 | |||
| A.3.8. Validation . . . . . . . . . . . . . . . . . . . . . . 38 | A.3.8. Validation . . . . . . . . . . . . . . . . . . . . . . 40 | |||
| A.4. Example JWE using JWE JSON Serialization . . . . . . . . . 39 | A.4. Example JWE using JWE JSON Serialization . . . . . . . . . 40 | |||
| A.4.1. JWE Per-Recipient Unprotected Headers . . . . . . . . 39 | A.4.1. JWE Per-Recipient Unprotected Headers . . . . . . . . 40 | |||
| A.4.2. JWE Protected Header . . . . . . . . . . . . . . . . . 39 | A.4.2. JWE Protected Header . . . . . . . . . . . . . . . . . 41 | |||
| A.4.3. JWE Unprotected Header . . . . . . . . . . . . . . . . 40 | A.4.3. JWE Unprotected Header . . . . . . . . . . . . . . . . 41 | |||
| A.4.4. Complete JWE Header Values . . . . . . . . . . . . . . 40 | A.4.4. Complete JWE Header Values . . . . . . . . . . . . . . 41 | |||
| A.4.5. Additional Authenticated Data . . . . . . . . . . . . 40 | A.4.5. Additional Authenticated Data . . . . . . . . . . . . 41 | |||
| A.4.6. Content Encryption . . . . . . . . . . . . . . . . . . 40 | A.4.6. Content Encryption . . . . . . . . . . . . . . . . . . 42 | |||
| A.4.7. Complete JWE JSON Serialization Representation . . . . 41 | A.4.7. Complete JWE JSON Serialization Representation . . . . 42 | |||
| Appendix B. Example AES_128_CBC_HMAC_SHA_256 Computation . . . . 41 | Appendix B. Example AES_128_CBC_HMAC_SHA_256 Computation . . . . 43 | |||
| B.1. Extract MAC_KEY and ENC_KEY from Key . . . . . . . . . . . 42 | B.1. Extract MAC_KEY and ENC_KEY from Key . . . . . . . . . . . 43 | |||
| B.2. Encrypt Plaintext to Create Ciphertext . . . . . . . . . . 42 | B.2. Encrypt Plaintext to Create Ciphertext . . . . . . . . . . 44 | |||
| B.3. 64 Bit Big Endian Representation of AAD Length . . . . . . 43 | B.3. 64 Bit Big Endian Representation of AAD Length . . . . . . 44 | |||
| B.4. Initialization Vector Value . . . . . . . . . . . . . . . 43 | B.4. Initialization Vector Value . . . . . . . . . . . . . . . 45 | |||
| B.5. Create Input to HMAC Computation . . . . . . . . . . . . . 43 | B.5. Create Input to HMAC Computation . . . . . . . . . . . . . 45 | |||
| B.6. Compute HMAC Value . . . . . . . . . . . . . . . . . . . . 43 | B.6. Compute HMAC Value . . . . . . . . . . . . . . . . . . . . 45 | |||
| B.7. Truncate HMAC Value to Create Authentication Tag . . . . . 43 | B.7. Truncate HMAC Value to Create Authentication Tag . . . . . 45 | |||
| Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 44 | Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 45 | |||
| Appendix D. Document History . . . . . . . . . . . . . . . . . . 44 | Appendix D. Document History . . . . . . . . . . . . . . . . . . 46 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 54 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 56 | |||
| 1. Introduction | 1. Introduction | |||
| JSON Web Encryption (JWE) represents encrypted content using | JSON Web Encryption (JWE) represents encrypted content using | |||
| JavaScript Object Notation (JSON) [RFC7159] based data structures. | JavaScript Object Notation (JSON) [RFC7159] based data structures. | |||
| The JWE cryptographic mechanisms encrypt and provide integrity | The JWE cryptographic mechanisms encrypt and provide integrity | |||
| protection for an arbitrary sequence of octets. | protection for an arbitrary sequence of octets. | |||
| Two closely related serializations for JWE objects are defined. The | Two closely related serializations for JWE objects are defined. The | |||
| JWE Compact Serialization is a compact, URL-safe representation | JWE Compact Serialization is a compact, URL-safe representation | |||
| skipping to change at page 11, line 45 | skipping to change at page 12, line 45 | |||
| with duplicate Header Parameter names or use a JSON parser that | with duplicate Header Parameter names or use a JSON parser that | |||
| returns only the lexically last duplicate member name, as specified | returns only the lexically last duplicate member name, as specified | |||
| in Section 15.12 (The JSON Object) of ECMAScript 5.1 [ECMAScript]. | in Section 15.12 (The JSON Object) of ECMAScript 5.1 [ECMAScript]. | |||
| Implementations are required to understand the specific Header | Implementations are required to understand the specific Header | |||
| Parameters defined by this specification that are designated as "MUST | Parameters defined by this specification that are designated as "MUST | |||
| be understood" and process them in the manner defined in this | be understood" and process them in the manner defined in this | |||
| specification. All other Header Parameters defined by this | specification. All other Header Parameters defined by this | |||
| specification that are not so designated MUST be ignored when not | specification that are not so designated MUST be ignored when not | |||
| understood. Unless listed as a critical Header Parameter, per | understood. Unless listed as a critical Header Parameter, per | |||
| Section 4.1.12, all Header Parameters not defined by this | Section 4.1.13, all Header Parameters not defined by this | |||
| specification MUST be ignored when not understood. | specification MUST be ignored when not understood. | |||
| There are three classes of Header Parameter names: Registered Header | There are three classes of Header Parameter names: Registered Header | |||
| Parameter names, Public Header Parameter names, and Private Header | Parameter names, Public Header Parameter names, and Private Header | |||
| Parameter names. | Parameter names. | |||
| 4.1. Registered Header Parameter Names | 4.1. Registered Header Parameter Names | |||
| The following Header Parameter names are registered in the IANA JSON | The following Header Parameter names are registered in the IANA JSON | |||
| Web Signature and Encryption Header Parameters registry defined in | Web Signature and Encryption Header Parameters registry defined in | |||
| skipping to change at page 14, line 19 | skipping to change at page 15, line 19 | |||
| that the X.509 public key certificate or certificate chain [RFC5280] | that the X.509 public key certificate or certificate chain [RFC5280] | |||
| contains the public key to which the JWE was encrypted; this can be | contains the public key to which the JWE was encrypted; this can be | |||
| used to determine the private key needed to decrypt the JWE. | used to determine the private key needed to decrypt the JWE. | |||
| See Appendix B of [JWS] for an example "x5c" value. | See Appendix B of [JWS] for an example "x5c" value. | |||
| 4.1.9. "x5t" (X.509 Certificate SHA-1 Thumbprint) Header Parameter | 4.1.9. "x5t" (X.509 Certificate SHA-1 Thumbprint) Header Parameter | |||
| This parameter has the same meaning, syntax, and processing rules as | This parameter has the same meaning, syntax, and processing rules as | |||
| the "x5t" Header Parameter defined in Section 4.1.7 of [JWS], except | the "x5t" Header Parameter defined in Section 4.1.7 of [JWS], except | |||
| that certificate referenced by the thumbprint contains the public key | that the certificate referenced by the thumbprint contains the public | |||
| to which the JWE was encrypted; this can be used to determine the | key to which the JWE was encrypted; this can be used to determine the | |||
| private key needed to decrypt the JWE. | private key needed to decrypt the JWE. | |||
| 4.1.10. "typ" (Type) Header Parameter | 4.1.10. "x5t#S256" (X.509 Certificate SHA-256 Thumbprint) Header | |||
| Parameter | ||||
| This parameter has the same meaning, syntax, and processing rules as | This parameter has the same meaning, syntax, and processing rules as | |||
| the "typ" Header Parameter defined in Section 4.1.8 of [JWS], except | the "x5t#S256" Header Parameter defined in Section 4.1.8 of [JWS], | |||
| except that the certificate referenced by the thumbprint contains the | ||||
| public key to which the JWE was encrypted; this can be used to | ||||
| determine the private key needed to decrypt the JWE. | ||||
| 4.1.11. "typ" (Type) Header Parameter | ||||
| This parameter has the same meaning, syntax, and processing rules as | ||||
| the "typ" Header Parameter defined in Section 4.1.9 of [JWS], except | ||||
| that the type is of this complete JWE object. | that the type is of this complete JWE object. | |||
| 4.1.11. "cty" (Content Type) Header Parameter | 4.1.12. "cty" (Content Type) Header Parameter | |||
| This parameter has the same meaning, syntax, and processing rules as | This parameter has the same meaning, syntax, and processing rules as | |||
| the "cty" Header Parameter defined in Section 4.1.9 of [JWS], except | the "cty" Header Parameter defined in Section 4.1.10 of [JWS], except | |||
| that the type is of the secured content (the plaintext). | that the type is of the secured content (the plaintext). | |||
| 4.1.12. "crit" (Critical) Header Parameter | 4.1.13. "crit" (Critical) Header Parameter | |||
| This parameter has the same meaning, syntax, and processing rules as | This parameter has the same meaning, syntax, and processing rules as | |||
| the "crit" Header Parameter defined in Section 4.1.10 of [JWS], | the "crit" Header Parameter defined in Section 4.1.11 of [JWS], | |||
| except that JWE Header Parameters are being referred to, rather than | except that JWE Header Parameters are being referred to, rather than | |||
| JWS Header Parameters. | JWS Header Parameters. | |||
| 4.2. Public Header Parameter Names | 4.2. Public Header Parameter Names | |||
| Additional Header Parameter names can be defined by those using JWEs. | Additional Header Parameter names can be defined by those using JWEs. | |||
| However, in order to prevent collisions, any new Header Parameter | However, in order to prevent collisions, any new Header Parameter | |||
| name should either be registered in the IANA JSON Web Signature and | name should either be registered in the IANA JSON Web Signature and | |||
| Encryption Header Parameters registry defined in [JWS] or be a Public | Encryption Header Parameters registry defined in [JWS] or be a Public | |||
| Name: a value that contains a Collision-Resistant Name. In each | Name: a value that contains a Collision-Resistant Name. In each | |||
| skipping to change at page 18, line 50 | skipping to change at page 20, line 13 | |||
| upon key will be used to decrypt the JWE Encrypted Key. | upon key will be used to decrypt the JWE Encrypted Key. | |||
| 10. When Key Wrapping, Key Encryption, or Key Agreement with Key | 10. When Key Wrapping, Key Encryption, or Key Agreement with Key | |||
| Wrapping are employed, decrypt the JWE Encrypted Key to produce | Wrapping are employed, decrypt the JWE Encrypted Key to produce | |||
| the Content Encryption Key (CEK). The CEK MUST have a length | the Content Encryption Key (CEK). The CEK MUST have a length | |||
| equal to that required for the content encryption algorithm. | equal to that required for the content encryption algorithm. | |||
| Note that when there are multiple recipients, each recipient | Note that when there are multiple recipients, each recipient | |||
| will only be able decrypt any JWE Encrypted Key values that were | will only be able decrypt any JWE Encrypted Key values that were | |||
| encrypted to a key in that recipient's possession. It is | encrypted to a key in that recipient's possession. It is | |||
| therefore normal to only be able to decrypt one of the per- | therefore normal to only be able to decrypt one of the per- | |||
| recipient JWE Encrypted Key values to obtain the CEK value. To | recipient JWE Encrypted Key values to obtain the CEK value. | |||
| mitigate the attacks described in RFC 3218 [RFC3218], the | Also, see Section 11.2 for security considerations on mitigating | |||
| recipient MUST NOT distinguish between format, padding, and | timing attacks. | |||
| length errors of encrypted keys. It is strongly recommended, in | ||||
| the event of receiving an improperly formatted key, that the | ||||
| receiver substitute a randomly generated CEK and proceed to the | ||||
| next step, to mitigate timing attacks. | ||||
| 11. When Direct Key Agreement or Direct Encryption are employed, | 11. When Direct Key Agreement or Direct Encryption are employed, | |||
| verify that the JWE Encrypted Key value is empty octet sequence. | verify that the JWE Encrypted Key value is empty octet sequence. | |||
| 12. When Direct Encryption is employed, let the Content Encryption | 12. When Direct Encryption is employed, let the Content Encryption | |||
| Key (CEK) be the shared symmetric key. | Key (CEK) be the shared symmetric key. | |||
| 13. If the JWE JSON Serialization is being used, repeat this process | 13. If the JWE JSON Serialization is being used, repeat this process | |||
| (steps 4-12) for each recipient contained in the representation | (steps 4-12) for each recipient contained in the representation | |||
| until the CEK value has been determined. | until the CEK value has been determined. | |||
| skipping to change at page 25, line 43 | skipping to change at page 26, line 43 | |||
| o Header Parameter Usage Location(s): JWE | o Header Parameter Usage Location(s): JWE | |||
| o Change Controller: IESG | o Change Controller: IESG | |||
| o Specification Document(s): Section 4.1.8 of [[ this document ]] | o Specification Document(s): Section 4.1.8 of [[ this document ]] | |||
| o Header Parameter Name: "x5t" | o Header Parameter Name: "x5t" | |||
| o Header Parameter Description: X.509 Certificate SHA-1 Thumbprint | o Header Parameter Description: X.509 Certificate SHA-1 Thumbprint | |||
| o Header Parameter Usage Location(s): JWE | o Header Parameter Usage Location(s): JWE | |||
| o Change Controller: IESG | o Change Controller: IESG | |||
| o Specification Document(s): Section 4.1.9 of [[ this document ]] | o Specification Document(s): Section 4.1.9 of [[ this document ]] | |||
| o Header Parameter Name: "x5t#S256" | ||||
| o Header Parameter Description: X.509 Certificate SHA-256 Thumbprint | ||||
| o Header Parameter Usage Location(s): JWE | ||||
| o Change Controller: IESG | ||||
| o Specification Document(s): Section 4.1.10 of [[ this document ]] | ||||
| o Header Parameter Name: "typ" | o Header Parameter Name: "typ" | |||
| o Header Parameter Description: Type | o Header Parameter Description: Type | |||
| o Header Parameter Usage Location(s): JWE | o Header Parameter Usage Location(s): JWE | |||
| o Change Controller: IESG | o Change Controller: IESG | |||
| o Specification Document(s): Section 4.1.10 of [[ this document ]] | o Specification Document(s): Section 4.1.11 of [[ this document ]] | |||
| o Header Parameter Name: "cty" | o Header Parameter Name: "cty" | |||
| o Header Parameter Description: Content Type | o Header Parameter Description: Content Type | |||
| o Header Parameter Usage Location(s): JWE | o Header Parameter Usage Location(s): JWE | |||
| o Change Controller: IESG | o Change Controller: IESG | |||
| o Specification Document(s): Section 4.1.11 of [[ this document ]] | o Specification Document(s): Section 4.1.12 of [[ this document ]] | |||
| o Header Parameter Name: "crit" | o Header Parameter Name: "crit" | |||
| o Header Parameter Description: Critical | o Header Parameter Description: Critical | |||
| o Header Parameter Usage Location(s): JWE | o Header Parameter Usage Location(s): JWE | |||
| o Change Controller: IESG | o Change Controller: IESG | |||
| o Specification Document(s): Section 4.1.12 of [[ this document ]] | o Specification Document(s): Section 4.1.13 of [[ this document ]] | |||
| 11. Security Considerations | 11. Security Considerations | |||
| All of the security issues faced by any cryptographic application | All of the security issues faced by any cryptographic application | |||
| must be faced by a JWS/JWE/JWK agent. Among these issues are | must be faced by a JWS/JWE/JWK agent. Among these issues are | |||
| protecting the user's private and symmetric keys, preventing various | protecting the user's private and symmetric keys, preventing various | |||
| attacks, and helping the user avoid mistakes such as inadvertently | attacks, and helping the user avoid mistakes such as inadvertently | |||
| encrypting a message for the wrong recipient. The entire list of | encrypting a message for the wrong recipient. The entire list of | |||
| security considerations is beyond the scope of this document. | security considerations is beyond the scope of this document. | |||
| All the security considerations in the JWS specification also apply | All the security considerations in the JWS specification also apply | |||
| to this specification. Likewise, all the security considerations in | to this specification. Likewise, all the security considerations in | |||
| XML Encryption 1.1 [W3C.REC-xmlenc-core1-20130411] also apply, other | XML Encryption 1.1 [W3C.REC-xmlenc-core1-20130411] also apply, other | |||
| than those that are XML specific. | than those that are XML specific. | |||
| 11.1. Adaptive Chosen-Ciphertext Attacks | ||||
| When decrypting, particular care must be taken not to allow the JWE | When decrypting, particular care must be taken not to allow the JWE | |||
| recipient to be used as an oracle for decrypting messages. RFC 3218 | recipient to be used as an oracle for decrypting messages. RFC 3218 | |||
| [RFC3218] should be consulted for specific countermeasures to attacks | [RFC3218] should be consulted for specific countermeasures to attacks | |||
| on RSAES-PKCS1-V1_5. An attacker might modify the contents of the | on RSAES-PKCS1-V1_5. An attacker might modify the contents of the | |||
| "alg" parameter from "RSA-OAEP" to "RSA1_5" in order to generate a | "alg" parameter from "RSA-OAEP" to "RSA1_5" in order to generate a | |||
| formatting error that can be detected and used to recover the CEK | formatting error that can be detected and used to recover the CEK | |||
| even if RSAES OAEP was used to encrypt the CEK. It is therefore | even if RSAES OAEP was used to encrypt the CEK. It is therefore | |||
| particularly important to report all formatting errors to the CEK, | particularly important to report all formatting errors to the CEK, | |||
| Additional Authenticated Data, or ciphertext as a single error when | Additional Authenticated Data, or ciphertext as a single error when | |||
| the encrypted content is rejected. | the encrypted content is rejected. | |||
| Additionally, this type of attack can be prevented by the use of "key | Additionally, this type of attack can be prevented by the use of "key | |||
| tainting". This method restricts the use of a key to a limited set | tainting". This method restricts the use of a key to a limited set | |||
| of algorithms -- usually one. This means, for instance, that if the | of algorithms -- usually one. This means, for instance, that if the | |||
| key is marked as being for "RSA-OAEP" only, any attempt to decrypt a | key is marked as being for "RSA-OAEP" only, any attempt to decrypt a | |||
| message using the "RSA1_5" algorithm with that key would fail | message using the "RSA1_5" algorithm with that key would fail | |||
| immediately due to invalid use of the key. | immediately due to invalid use of the key. | |||
| 11.2. Timing Attacks | ||||
| To mitigate the attacks described in RFC 3218 [RFC3218], the | ||||
| recipient MUST NOT distinguish between format, padding, and length | ||||
| errors of encrypted keys. It is strongly recommended, in the event | ||||
| of receiving an improperly formatted key, that the receiver | ||||
| substitute a randomly generated CEK and proceed to the next step, to | ||||
| mitigate timing attacks. | ||||
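The two countermeasures above (key tainting in 11.1; random-CEK substitution and a single error in 11.2) come down to a particular control flow in the recipient. The following is an added example written for this page, not code from the JWE draft or from any JOSE implementation. A real JWE recipient would unwrap the CEK with RSA and decrypt with AES-GCM; to run with the Python standard library alone, both are replaced here by HMAC-SHA256 stand-ins (the wrap_cek/unwrap_cek pair, which raises distinct "length" and "padding" errors in the role of an RSAES-PKCS1-v1_5 decoder, and a keystream-plus-tag AEAD in the role of AES-GCM). The function names, the "toy" enc value and the key dictionary with an "alg" binding are assumptions of the example. What it shows is the difference between a naive recipient that lets each unwrap failure escape with its cause, and a hardened one that binds the key to one "alg", substitutes a random CEK on unwrap failure, still runs the full AEAD check, and reports one error for everything.

```python
"""Hardened JWE recipient: key tainting, random-CEK substitution, one error.
Added example; the RSA unwrap and AES-GCM of a real JWE are replaced by
HMAC-SHA256 stand-ins (assumptions) so this runs on the standard library."""
import base64, hashlib, hmac, json, os, struct

class JWEError(Exception):
    """The single error a hardened recipient reports on any rejection."""

class UnwrapFormatError(Exception):
    """Per-cause error from the unwrap stand-in: the kind of signal a
    PKCS#1 v1.5 decoder leaks if the recipient propagates it."""

def _b64u(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=")

def _b64u_dec(s):
    return base64.urlsafe_b64decode(s + b"=" * (-len(s) % 4))

# Stand-in key management algorithm (assumed): masked CEK + 8-byte check.
def wrap_cek(kek, cek):
    mask = hashlib.sha256(b"wrap" + kek).digest()
    masked = bytes(a ^ b for a, b in zip(cek, mask))
    return masked + hmac.new(kek, masked, hashlib.sha256).digest()[:8]

def unwrap_cek(kek, wrapped):
    if len(wrapped) != 40:
        raise UnwrapFormatError("length")
    masked, check = wrapped[:32], wrapped[32:]
    if not hmac.compare_digest(hmac.new(kek, masked, hashlib.sha256).digest()[:8], check):
        raise UnwrapFormatError("padding")
    mask = hashlib.sha256(b"wrap" + kek).digest()
    return bytes(a ^ b for a, b in zip(masked, mask))

# Stand-in AEAD (assumed): HMAC keystream, encrypt-then-MAC tag over
# AAD || IV || ciphertext, with AAD = the protected header as in JWE.
def _keystream(cek, iv, n):
    k = hashlib.sha256(b"enc" + cek).digest()
    blocks = [hmac.new(k, iv + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def _tag(cek, aad, iv, ct):
    k = hashlib.sha256(b"mac" + cek).digest()
    return hmac.new(k, aad + iv + ct, hashlib.sha256).digest()[:16]

def aead_decrypt(cek, iv, aad, ct, tag):
    if not hmac.compare_digest(_tag(cek, aad, iv, ct), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(cek, iv, len(ct))))

def encrypt(kek, alg, plaintext):
    """Sender: compact serialization header.encrypted_key.iv.ciphertext.tag."""
    header = _b64u(json.dumps({"alg": alg, "enc": "toy"}, separators=(",", ":")).encode())
    cek, iv = os.urandom(32), os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(cek, iv, len(plaintext))))
    return b".".join([header, _b64u(wrap_cek(kek, cek)), _b64u(iv), _b64u(ct),
                      _b64u(_tag(cek, header, iv, ct))])

def decrypt_naive(key, compact):
    """Oracle: unwrap errors escape with their cause, before the AEAD check."""
    header, ek, iv, ct, tag = compact.split(b".")
    cek = unwrap_cek(key["k"], _b64u_dec(ek))
    pt = aead_decrypt(cek, _b64u_dec(iv), header, _b64u_dec(ct), _b64u_dec(tag))
    if pt is None:
        raise ValueError("bad tag")
    return pt

def decrypt_hardened(key, compact):
    """Key bound to one alg; random CEK on unwrap failure; the AEAD check
    always runs; every rejection surfaces as the same JWEError."""
    try:
        header, ek, iv, ct, tag = compact.split(b".")
        if json.loads(_b64u_dec(header)).get("alg") != key["alg"]:
            raise ValueError("key tainting: alg not permitted for this key")
        try:
            cek = unwrap_cek(key["k"], _b64u_dec(ek))
        except UnwrapFormatError:
            cek = os.urandom(32)  # substitute and carry on; the tag check rejects
        pt = aead_decrypt(cek, _b64u_dec(iv), header, _b64u_dec(ct), _b64u_dec(tag))
        if pt is None:
            raise ValueError("bad tag")
        return pt
    except Exception:
        raise JWEError("encrypted content rejected") from None

def probe(decrypt_fn, key, compact):
    """What an attacker watching the recipient's response learns."""
    try:
        decrypt_fn(key, compact)
        return "ok"
    except Exception as e:
        return "%s:%s" % (type(e).__name__, e)

def attack_variants(compact):
    """Constructed tampered messages: truncated encrypted key, corrupted
    encrypted key, and "alg" rewritten from RSA-OAEP to RSA1_5."""
    h, ek, iv, ct, tag = compact.split(b".")
    raw = _b64u_dec(ek)
    short = _b64u(raw[:-1])
    flipped = _b64u(raw[:-1] + bytes([raw[-1] ^ 1]))
    downgraded = _b64u(json.dumps({"alg": "RSA1_5", "enc": "toy"}, separators=(",", ":")).encode())
    return [b".".join([h, short, iv, ct, tag]), b".".join([h, flipped, iv, ct, tag]),
            b".".join([downgraded, ek, iv, ct, tag])]

if __name__ == "__main__":
    kek = os.urandom(32)
    key = {"alg": "RSA-OAEP", "k": kek}   # tainted: usable with this alg only
    msg = encrypt(kek, "RSA-OAEP", b"constructed sample plaintext")
    for variant in attack_variants(msg):
        print("naive   :", probe(decrypt_naive, key, variant))
        print("hardened:", probe(decrypt_hardened, key, variant))
```

Run stand-alone, the naive recipient answers the three tampered messages with three different responses (a "length" error, a "padding" error, and a tag failure), which is exactly the distinguishing signal RFC 3218 warns about; the hardened recipient answers all three, and a message whose "alg" does not match the key's binding, with the one JWEError. Note that the random-CEK branch does not return early: it still derives the keystream and checks the tag, so the failing path does roughly the work of the succeeding one, which is the point of the timing guidance in 11.2.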
| 12. References | 12. References | |||
| 12.1. Normative References | 12.1. Normative References | |||
| [ECMAScript] | [ECMAScript] | |||
| Ecma International, "ECMAScript Language Specification, | Ecma International, "ECMAScript Language Specification, | |||
| 5.1 Edition", ECMA 262, June 2011. | 5.1 Edition", ECMA 262, June 2011. | |||
| [JWA] Jones, M., "JSON Web Algorithms (JWA)", | [JWA] Jones, M., "JSON Web Algorithms (JWA)", | |||
| draft-ietf-jose-json-web-algorithms (work in progress), | draft-ietf-jose-json-web-algorithms (work in progress), | |||
| April 2014. | June 2014. | |||
| [JWK] Jones, M., "JSON Web Key (JWK)", | [JWK] Jones, M., "JSON Web Key (JWK)", | |||
| draft-ietf-jose-json-web-key (work in progress), | draft-ietf-jose-json-web-key (work in progress), | |||
| April 2014. | June 2014. | |||
| [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web | [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web | |||
| Signature (JWS)", draft-ietf-jose-json-web-signature (work | Signature (JWS)", draft-ietf-jose-json-web-signature (work | |||
| in progress), April 2014. | in progress), June 2014. | |||
| [RFC1951] Deutsch, P., "DEFLATE Compressed Data Format Specification | [RFC1951] Deutsch, P., "DEFLATE Compressed Data Format Specification | |||
| version 1.3", RFC 1951, May 1996. | version 1.3", RFC 1951, May 1996. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO | [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO | |||
| 10646", STD 63, RFC 3629, November 2003. | 10646", STD 63, RFC 3629, November 2003. | |||
| skipping to change at page 44, line 45 ¶ | skipping to change at page 46, line 32 ¶ | |||
| Nat Sakimura, Jim Schaad, Hannes Tschofenig, and Sean Turner. | Nat Sakimura, Jim Schaad, Hannes Tschofenig, and Sean Turner. | |||
| Jim Schaad and Karen O'Donoghue chaired the JOSE working group and | Jim Schaad and Karen O'Donoghue chaired the JOSE working group and | |||
| Sean Turner, Stephen Farrell, and Kathleen Moriarty served as | Sean Turner, Stephen Farrell, and Kathleen Moriarty served as | |||
| Security area directors during the creation of this specification. | Security area directors during the creation of this specification. | |||
| Appendix D. Document History | Appendix D. Document History | |||
| [[ to be removed by the RFC Editor before publication as an RFC ]] | [[ to be removed by the RFC Editor before publication as an RFC ]] | |||
| -27 | ||||
| o Described additional security considerations. | ||||
| o Added the "x5t#S256" (X.509 Certificate SHA-256 Thumbprint) header | ||||
| parameter. | ||||
| -26 | -26 | |||
| o Noted that octet sequences are depicted using JSON array notation. | o Noted that octet sequences are depicted using JSON array notation. | |||
| o Updated references, including to W3C specifications. | o Updated references, including to W3C specifications. | |||
| -25 | -25 | |||
| o Corrected two external section number references that had changed. | o Corrected two external section number references that had changed. | |||
| End of changes. 28 change blocks. | ||||
| 111 lines changed or deleted | 146 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||