< draft-ietf-jose-json-web-encryption-28.txt   draft-ietf-jose-json-web-encryption-29.txt >
JOSE Working Group M. Jones JOSE Working Group M. Jones
Internet-Draft Microsoft Internet-Draft Microsoft
Intended status: Standards Track J. Hildebrand Intended status: Standards Track J. Hildebrand
Expires: December 22, 2014 Cisco Expires: December 22, 2014 Cisco
June 20, 2014 June 20, 2014
JSON Web Encryption (JWE) JSON Web Encryption (JWE)
draft-ietf-jose-json-web-encryption-28 draft-ietf-jose-json-web-encryption-29
Abstract Abstract
JSON Web Encryption (JWE) represents encrypted content using JSON Web Encryption (JWE) represents encrypted content using
JavaScript Object Notation (JSON) based data structures. JavaScript Object Notation (JSON) based data structures.
Cryptographic algorithms and identifiers for use with this Cryptographic algorithms and identifiers for use with this
specification are described in the separate JSON Web Algorithms (JWA) specification are described in the separate JSON Web Algorithms (JWA)
specification and IANA registries defined by that specification. specification and IANA registries defined by that specification.
Related digital signature and MAC capabilities are described in the Related digital signature and MAC capabilities are described in the
separate JSON Web Signature (JWS) specification. separate JSON Web Signature (JWS) specification.
skipping to change at page 2, line 13 skipping to change at page 2, line 13
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 5 1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 5
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6
3. JSON Web Encryption (JWE) Overview . . . . . . . . . . . . . . 9 3. JSON Web Encryption (JWE) Overview . . . . . . . . . . . . . . 8
3.1. Example JWE . . . . . . . . . . . . . . . . . . . . . . . 11 3.1. Example JWE . . . . . . . . . . . . . . . . . . . . . . . 10
4. JWE Header . . . . . . . . . . . . . . . . . . . . . . . . . . 12 4. JOSE Header . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.1. Registered Header Parameter Names . . . . . . . . . . . . 13 4.1. Registered Header Parameter Names . . . . . . . . . . . . 12
4.1.1. "alg" (Algorithm) Header Parameter . . . . . . . . . . 13 4.1.1. "alg" (Algorithm) Header Parameter . . . . . . . . . . 12
4.1.2. "enc" (Encryption Algorithm) Header Parameter . . . . 13 4.1.2. "enc" (Encryption Algorithm) Header Parameter . . . . 13
4.1.3. "zip" (Compression Algorithm) Header Parameter . . . . 13 4.1.3. "zip" (Compression Algorithm) Header Parameter . . . . 13
4.1.4. "jku" (JWK Set URL) Header Parameter . . . . . . . . . 14 4.1.4. "jku" (JWK Set URL) Header Parameter . . . . . . . . . 13
4.1.5. "jwk" (JSON Web Key) Header Parameter . . . . . . . . 14 4.1.5. "jwk" (JSON Web Key) Header Parameter . . . . . . . . 14
4.1.6. "kid" (Key ID) Header Parameter . . . . . . . . . . . 14 4.1.6. "kid" (Key ID) Header Parameter . . . . . . . . . . . 14
4.1.7. "x5u" (X.509 URL) Header Parameter . . . . . . . . . . 14 4.1.7. "x5u" (X.509 URL) Header Parameter . . . . . . . . . . 14
4.1.8. "x5c" (X.509 Certificate Chain) Header Parameter . . . 15 4.1.8. "x5c" (X.509 Certificate Chain) Header Parameter . . . 14
4.1.9. "x5t" (X.509 Certificate SHA-1 Thumbprint) Header 4.1.9. "x5t" (X.509 Certificate SHA-1 Thumbprint) Header
Parameter . . . . . . . . . . . . . . . . . . . . . . 15 Parameter . . . . . . . . . . . . . . . . . . . . . . 14
4.1.10. "x5t#S256" (X.509 Certificate SHA-256 Thumbprint) 4.1.10. "x5t#S256" (X.509 Certificate SHA-256 Thumbprint)
Header Parameter . . . . . . . . . . . . . . . . . . . 15 Header Parameter . . . . . . . . . . . . . . . . . . . 14
4.1.11. "typ" (Type) Header Parameter . . . . . . . . . . . . 15 4.1.11. "typ" (Type) Header Parameter . . . . . . . . . . . . 15
4.1.12. "cty" (Content Type) Header Parameter . . . . . . . . 15 4.1.12. "cty" (Content Type) Header Parameter . . . . . . . . 15
4.1.13. "crit" (Critical) Header Parameter . . . . . . . . . . 15 4.1.13. "crit" (Critical) Header Parameter . . . . . . . . . . 15
4.2. Public Header Parameter Names . . . . . . . . . . . . . . 16 4.2. Public Header Parameter Names . . . . . . . . . . . . . . 15
4.3. Private Header Parameter Names . . . . . . . . . . . . . . 16 4.3. Private Header Parameter Names . . . . . . . . . . . . . . 15
5. Producing and Consuming JWEs . . . . . . . . . . . . . . . . . 16 5. Producing and Consuming JWEs . . . . . . . . . . . . . . . . . 16
5.1. Message Encryption . . . . . . . . . . . . . . . . . . . . 16 5.1. Message Encryption . . . . . . . . . . . . . . . . . . . . 16
5.2. Message Decryption . . . . . . . . . . . . . . . . . . . . 18 5.2. Message Decryption . . . . . . . . . . . . . . . . . . . . 18
5.3. String Comparison Rules . . . . . . . . . . . . . . . . . 21 5.3. String Comparison Rules . . . . . . . . . . . . . . . . . 20
6. Key Identification . . . . . . . . . . . . . . . . . . . . . . 21 6. Key Identification . . . . . . . . . . . . . . . . . . . . . . 20
7. Serializations . . . . . . . . . . . . . . . . . . . . . . . . 21 7. Serializations . . . . . . . . . . . . . . . . . . . . . . . . 20
7.1. JWE Compact Serialization . . . . . . . . . . . . . . . . 21 7.1. JWE Compact Serialization . . . . . . . . . . . . . . . . 21
7.2. JWE JSON Serialization . . . . . . . . . . . . . . . . . . 21 7.2. JWE JSON Serialization . . . . . . . . . . . . . . . . . . 21
8. TLS Requirements . . . . . . . . . . . . . . . . . . . . . . . 24 8. TLS Requirements . . . . . . . . . . . . . . . . . . . . . . . 24
9. Distinguishing between JWS and JWE Objects . . . . . . . . . . 24 9. Distinguishing between JWS and JWE Objects . . . . . . . . . . 24
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24
10.1. JSON Web Signature and Encryption Header Parameters 10.1. JSON Web Signature and Encryption Header Parameters
Registration . . . . . . . . . . . . . . . . . . . . . . . 25 Registration . . . . . . . . . . . . . . . . . . . . . . . 24
10.1.1. Registry Contents . . . . . . . . . . . . . . . . . . 25 10.1.1. Registry Contents . . . . . . . . . . . . . . . . . . 25
11. Security Considerations . . . . . . . . . . . . . . . . . . . 27 11. Security Considerations . . . . . . . . . . . . . . . . . . . 26
11.1. Using Matching Algorithm Strengths . . . . . . . . . . . . 27 11.1. Using Matching Algorithm Strengths . . . . . . . . . . . . 27
11.2. Adaptive Chosen-Ciphertext Attacks . . . . . . . . . . . . 27 11.2. Adaptive Chosen-Ciphertext Attacks . . . . . . . . . . . . 27
11.3. Timing Attacks . . . . . . . . . . . . . . . . . . . . . . 28 11.3. Timing Attacks . . . . . . . . . . . . . . . . . . . . . . 27
12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 28 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 27
12.1. Normative References . . . . . . . . . . . . . . . . . . . 28 12.1. Normative References . . . . . . . . . . . . . . . . . . . 27
12.2. Informative References . . . . . . . . . . . . . . . . . . 29 12.2. Informative References . . . . . . . . . . . . . . . . . . 28
Appendix A. JWE Examples . . . . . . . . . . . . . . . . . . . . 30 Appendix A. JWE Examples . . . . . . . . . . . . . . . . . . . . 29
A.1. Example JWE using RSAES OAEP and AES GCM . . . . . . . . . 30 A.1. Example JWE using RSAES OAEP and AES GCM . . . . . . . . . 29
A.1.1. JWE Header . . . . . . . . . . . . . . . . . . . . . . 30 A.1.1. JOSE Header . . . . . . . . . . . . . . . . . . . . . 29
A.1.2. Content Encryption Key (CEK) . . . . . . . . . . . . . 30 A.1.2. Content Encryption Key (CEK) . . . . . . . . . . . . . 30
A.1.3. Key Encryption . . . . . . . . . . . . . . . . . . . . 30 A.1.3. Key Encryption . . . . . . . . . . . . . . . . . . . . 30
A.1.4. Initialization Vector . . . . . . . . . . . . . . . . 32 A.1.4. Initialization Vector . . . . . . . . . . . . . . . . 31
A.1.5. Additional Authenticated Data . . . . . . . . . . . . 32 A.1.5. Additional Authenticated Data . . . . . . . . . . . . 31
A.1.6. Content Encryption . . . . . . . . . . . . . . . . . . 32 A.1.6. Content Encryption . . . . . . . . . . . . . . . . . . 31
A.1.7. Complete Representation . . . . . . . . . . . . . . . 33 A.1.7. Complete Representation . . . . . . . . . . . . . . . 32
A.1.8. Validation . . . . . . . . . . . . . . . . . . . . . . 33 A.1.8. Validation . . . . . . . . . . . . . . . . . . . . . . 32
A.2. Example JWE using RSAES-PKCS1-V1_5 and A.2. Example JWE using RSAES-PKCS1-V1_5 and
AES_128_CBC_HMAC_SHA_256 . . . . . . . . . . . . . . . . . 33 AES_128_CBC_HMAC_SHA_256 . . . . . . . . . . . . . . . . . 33
A.2.1. JWE Header . . . . . . . . . . . . . . . . . . . . . . 34 A.2.1. JOSE Header . . . . . . . . . . . . . . . . . . . . . 33
A.2.2. Content Encryption Key (CEK) . . . . . . . . . . . . . 34 A.2.2. Content Encryption Key (CEK) . . . . . . . . . . . . . 33
A.2.3. Key Encryption . . . . . . . . . . . . . . . . . . . . 34 A.2.3. Key Encryption . . . . . . . . . . . . . . . . . . . . 33
A.2.4. Initialization Vector . . . . . . . . . . . . . . . . 35 A.2.4. Initialization Vector . . . . . . . . . . . . . . . . 35
A.2.5. Additional Authenticated Data . . . . . . . . . . . . 36 A.2.5. Additional Authenticated Data . . . . . . . . . . . . 35
A.2.6. Content Encryption . . . . . . . . . . . . . . . . . . 36 A.2.6. Content Encryption . . . . . . . . . . . . . . . . . . 35
A.2.7. Complete Representation . . . . . . . . . . . . . . . 36 A.2.7. Complete Representation . . . . . . . . . . . . . . . 36
A.2.8. Validation . . . . . . . . . . . . . . . . . . . . . . 37 A.2.8. Validation . . . . . . . . . . . . . . . . . . . . . . 36
A.3. Example JWE using AES Key Wrap and A.3. Example JWE using AES Key Wrap and
AES_128_CBC_HMAC_SHA_256 . . . . . . . . . . . . . . . . . 37 AES_128_CBC_HMAC_SHA_256 . . . . . . . . . . . . . . . . . 36
A.3.1. JWE Header . . . . . . . . . . . . . . . . . . . . . . 37 A.3.1. JOSE Header . . . . . . . . . . . . . . . . . . . . . 37
A.3.2. Content Encryption Key (CEK) . . . . . . . . . . . . . 38 A.3.2. Content Encryption Key (CEK) . . . . . . . . . . . . . 37
A.3.3. Key Encryption . . . . . . . . . . . . . . . . . . . . 38 A.3.3. Key Encryption . . . . . . . . . . . . . . . . . . . . 37
A.3.4. Initialization Vector . . . . . . . . . . . . . . . . 38 A.3.4. Initialization Vector . . . . . . . . . . . . . . . . 38
A.3.5. Additional Authenticated Data . . . . . . . . . . . . 39 A.3.5. Additional Authenticated Data . . . . . . . . . . . . 38
A.3.6. Content Encryption . . . . . . . . . . . . . . . . . . 39 A.3.6. Content Encryption . . . . . . . . . . . . . . . . . . 38
A.3.7. Complete Representation . . . . . . . . . . . . . . . 39 A.3.7. Complete Representation . . . . . . . . . . . . . . . 39
A.3.8. Validation . . . . . . . . . . . . . . . . . . . . . . 40 A.3.8. Validation . . . . . . . . . . . . . . . . . . . . . . 39
A.4. Example JWE using JWE JSON Serialization . . . . . . . . . 40 A.4. Example JWE using JWE JSON Serialization . . . . . . . . . 39
A.4.1. JWE Per-Recipient Unprotected Headers . . . . . . . . 40 A.4.1. JWE Per-Recipient Unprotected Headers . . . . . . . . 40
A.4.2. JWE Protected Header . . . . . . . . . . . . . . . . . 41 A.4.2. JWE Protected Header . . . . . . . . . . . . . . . . . 40
A.4.3. JWE Unprotected Header . . . . . . . . . . . . . . . . 41 A.4.3. JWE Unprotected Header . . . . . . . . . . . . . . . . 40
A.4.4. Complete JWE Header Values . . . . . . . . . . . . . . 41 A.4.4. Complete JOSE Header Values . . . . . . . . . . . . . 40
A.4.5. Additional Authenticated Data . . . . . . . . . . . . 41 A.4.5. Additional Authenticated Data . . . . . . . . . . . . 41
A.4.6. Content Encryption . . . . . . . . . . . . . . . . . . 42 A.4.6. Content Encryption . . . . . . . . . . . . . . . . . . 41
A.4.7. Complete JWE JSON Serialization Representation . . . . 42 A.4.7. Complete JWE JSON Serialization Representation . . . . 41
Appendix B. Example AES_128_CBC_HMAC_SHA_256 Computation . . . . 43 Appendix B. Example AES_128_CBC_HMAC_SHA_256 Computation . . . . 42
B.1. Extract MAC_KEY and ENC_KEY from Key . . . . . . . . . . . 43 B.1. Extract MAC_KEY and ENC_KEY from Key . . . . . . . . . . . 42
B.2. Encrypt Plaintext to Create Ciphertext . . . . . . . . . . 44 B.2. Encrypt Plaintext to Create Ciphertext . . . . . . . . . . 43
B.3. 64 Bit Big Endian Representation of AAD Length . . . . . . 44 B.3. 64 Bit Big Endian Representation of AAD Length . . . . . . 43
B.4. Initialization Vector Value . . . . . . . . . . . . . . . 45 B.4. Initialization Vector Value . . . . . . . . . . . . . . . 44
B.5. Create Input to HMAC Computation . . . . . . . . . . . . . 45 B.5. Create Input to HMAC Computation . . . . . . . . . . . . . 44
B.6. Compute HMAC Value . . . . . . . . . . . . . . . . . . . . 45 B.6. Compute HMAC Value . . . . . . . . . . . . . . . . . . . . 44
B.7. Truncate HMAC Value to Create Authentication Tag . . . . . 45 B.7. Truncate HMAC Value to Create Authentication Tag . . . . . 44
Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 45 Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 44
Appendix D. Document History . . . . . . . . . . . . . . . . . . 46 Appendix D. Document History . . . . . . . . . . . . . . . . . . 45
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 56 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 55
1. Introduction 1. Introduction
JSON Web Encryption (JWE) represents encrypted content using JSON Web Encryption (JWE) represents encrypted content using
JavaScript Object Notation (JSON) [RFC7159] based data structures. JavaScript Object Notation (JSON) [RFC7159] based data structures.
The JWE cryptographic mechanisms encrypt and provide integrity The JWE cryptographic mechanisms encrypt and provide integrity
protection for an arbitrary sequence of octets. protection for an arbitrary sequence of octets.
Two closely related serializations for JWE objects are defined. The Two closely related serializations for JWE objects are defined. The
JWE Compact Serialization is a compact, URL-safe representation JWE Compact Serialization is a compact, URL-safe representation
skipping to change at page 6, line 10 skipping to change at page 6, line 10
ASCII(STRING) denotes the octets of the ASCII [USASCII] ASCII(STRING) denotes the octets of the ASCII [USASCII]
representation of STRING. representation of STRING.
The concatenation of two values A and B is denoted as A || B. The concatenation of two values A and B is denoted as A || B.
2. Terminology 2. Terminology
These terms defined by the JSON Web Signature (JWS) [JWS] These terms defined by the JSON Web Signature (JWS) [JWS]
specification are incorporated into this specification: "JSON Web specification are incorporated into this specification: "JSON Web
Signature (JWS)", "Base64url Encoding", "Collision-Resistant Name", Signature (JWS)", "Base64url Encoding", "Collision-Resistant Name",
and "StringOrURI". "Header Parameter", "JOSE Header", and "StringOrURI".
These terms are defined for use by this specification: These terms are defined by this specification:
JSON Web Encryption (JWE) JSON Web Encryption (JWE)
A data structure representing an encrypted and integrity protected A data structure representing an encrypted and integrity protected
message. message.
Authenticated Encryption with Associated Data (AEAD) Authenticated Encryption with Associated Data (AEAD)
An AEAD algorithm is one that encrypts the Plaintext, allows An AEAD algorithm is one that encrypts the Plaintext, allows
Additional Authenticated Data to be specified, and provides an Additional Authenticated Data to be specified, and provides an
integrated content integrity check over the Ciphertext and integrated content integrity check over the Ciphertext and
Additional Authenticated Data. AEAD algorithms accept two inputs, Additional Authenticated Data. AEAD algorithms accept two inputs,
skipping to change at page 6, line 49 skipping to change at page 6, line 49
An output of an AEAD operation that ensures the integrity of the An output of an AEAD operation that ensures the integrity of the
Ciphertext and the Additional Authenticated Data. Note that some Ciphertext and the Additional Authenticated Data. Note that some
algorithms may not use an Authentication Tag, in which case this algorithms may not use an Authentication Tag, in which case this
value is the empty octet sequence. value is the empty octet sequence.
Content Encryption Key (CEK) Content Encryption Key (CEK)
A symmetric key for the AEAD algorithm used to encrypt the A symmetric key for the AEAD algorithm used to encrypt the
Plaintext for the recipient to produce the Ciphertext and the Plaintext for the recipient to produce the Ciphertext and the
Authentication Tag. Authentication Tag.
JWE Header
JSON object containing the parameters describing the cryptographic
operations and parameters employed. The JWE Header members are
the union of the members of the JWE Protected Header, the JWE
Shared Unprotected Header, and the JWE Per-Recipient Unprotected
Header. The members of the JWE Header are Header Parameters.
JWE Encrypted Key JWE Encrypted Key
Encrypted Content Encryption Key (CEK) value. Note that for some Encrypted Content Encryption Key (CEK) value. Note that for some
algorithms, the JWE Encrypted Key value is specified as being the algorithms, the JWE Encrypted Key value is specified as being the
empty octet sequence. empty octet sequence.
JWE Initialization Vector JWE Initialization Vector
Initialization Vector value used when encrypting the plaintext. Initialization vector value used when encrypting the plaintext.
Note that some algorithms may not use an Initialization Vector, in Note that some algorithms may not use an Initialization Vector, in
which case this value is the empty octet sequence. which case this value is the empty octet sequence.
JWE AAD JWE AAD
Additional value to be integrity protected by the authenticated Additional value to be integrity protected by the authenticated
encryption operation. This can only be present when using the JWE encryption operation. This can only be present when using the JWE
JSON Serialization. (Note that this can also be achieved when JSON Serialization. (Note that this can also be achieved when
using either serialization by including the AAD value as an using either serialization by including the AAD value as an
integrity protected Header Parameter value, but at the cost of the integrity protected Header Parameter value, but at the cost of the
value being double base64url encoded.) value being double base64url encoded.)
JWE Ciphertext JWE Ciphertext
Ciphertext value resulting from authenticated encryption of the Ciphertext value resulting from authenticated encryption of the
plaintext with additional authenticated data. plaintext with additional authenticated data.
JWE Authentication Tag JWE Authentication Tag
Authentication Tag value resulting from authenticated encryption Authentication Tag value resulting from authenticated encryption
of the plaintext with additional authenticated data. of the plaintext with additional authenticated data.
Header Parameter
A name/value pair that is member of the JWE Header.
JWE Protected Header JWE Protected Header
JSON object that contains the JWE Header Parameters that are JSON object that contains the Header Parameters that are integrity
integrity protected by the authenticated encryption operation. protected by the authenticated encryption operation. These
These parameters apply to all recipients of the JWE. For the JWE parameters apply to all recipients of the JWE. For the JWE
Compact Serialization, this comprises the entire JWE Header. For Compact Serialization, this comprises the entire JOSE Header. For
the JWE JSON Serialization, this is one component of the JWE the JWE JSON Serialization, this is one component of the JOSE
Header. Header.
JWE Shared Unprotected Header JWE Shared Unprotected Header
JSON object that contains the JWE Header Parameters that apply to JSON object that contains the Header Parameters that apply to all
all recipients of the JWE that are not integrity protected. This recipients of the JWE that are not integrity protected. This can
can only be present when using the JWE JSON Serialization. only be present when using the JWE JSON Serialization.
JWE Per-Recipient Unprotected Header JWE Per-Recipient Unprotected Header
JSON object that contains JWE Header Parameters that apply to a JSON object that contains Header Parameters that apply to a single
single recipient of the JWE. These Header Parameter values are recipient of the JWE. These Header Parameter values are not
not integrity protected. This can only be present when using the integrity protected. This can only be present when using the JWE
JWE JSON Serialization. JSON Serialization.
JWE Compact Serialization JWE Compact Serialization
A representation of the JWE as a compact, URL-safe string. A representation of the JWE as a compact, URL-safe string.
JWE JSON Serialization JWE JSON Serialization
A representation of the JWE as a JSON object. The JWE JSON A representation of the JWE as a JSON object. The JWE JSON
Serialization enables the same content to be encrypted to multiple Serialization enables the same content to be encrypted to multiple
parties. This representation is neither optimized for compactness parties. This representation is neither optimized for compactness
nor URL-safe. nor URL-safe.
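Review bot: With the "JWE Header" and "Header Parameter" entries removed from Section 2 (left column only), the Terminology section no longer states that, for a JWE, the JOSE Header is the union of the JWE Protected Header, the JWE Shared Unprotected Header and the JWE Per-Recipient Unprotected Header. In the visible text that statement now lives only in Section 3, while the revised "JWE Protected Header" entry still calls itself "one component of the JOSE Header" without naming the others. Because two of the three components are not integrity protected, suggest a short pointer to Section 3 in that entry. Separately, the new "JWE Initialization Vector" entry reads "Initialization vector value", while its next sentence and Section 3 keep "Initialization Vector"; pick one capitalization.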
skipping to change at page 9, line 10 skipping to change at page 8, line 42
Direct Encryption Direct Encryption
A Key Management Mode in which the Content Encryption Key (CEK) A Key Management Mode in which the Content Encryption Key (CEK)
value used is the secret symmetric key value shared between the value used is the secret symmetric key value shared between the
parties. parties.
3. JSON Web Encryption (JWE) Overview 3. JSON Web Encryption (JWE) Overview
JWE represents encrypted content using JSON data structures and JWE represents encrypted content using JSON data structures and
base64url encoding. A JWE represents these logical values: base64url encoding. A JWE represents these logical values:
JWE Header JOSE Header
JSON object containing the parameters describing the cryptographic JSON object containing the parameters describing the cryptographic
operations and parameters employed. The JWE Header members are operations and parameters employed. For a JWE object, the JOSE
the union of the members of the JWE Protected Header, the JWE Header members are the union of the members of the JWE Protected
Shared Unprotected Header, and the JWE Per-Recipient Unprotected Header, the JWE Shared Unprotected Header, and the JWE Per-
Header, as described below. Recipient Unprotected Header, as described below.
JWE Encrypted Key JWE Encrypted Key
Encrypted Content Encryption Key (CEK) value. Encrypted Content Encryption Key (CEK) value.
JWE Initialization Vector JWE Initialization Vector
Initialization Vector value used when encrypting the plaintext. Initialization Vector value used when encrypting the plaintext.
JWE AAD JWE AAD
Additional value to be integrity protected by the authenticated Additional value to be integrity protected by the authenticated
encryption operation. encryption operation.
JWE Ciphertext JWE Ciphertext
Ciphertext value resulting from authenticated encryption of the Ciphertext value resulting from authenticated encryption of the
plaintext with additional authenticated data. plaintext with additional authenticated data.
JWE Authentication Tag JWE Authentication Tag
Authentication Tag value resulting from authenticated encryption Authentication Tag value resulting from authenticated encryption
of the plaintext with additional authenticated data. of the plaintext with additional authenticated data.
The JWE Header represents the combination of these logical values: For a JWE object, the JOSE Header represents the combination of these
logical values:
JWE Protected Header JWE Protected Header
JSON object that contains the JWE Header Parameters that are JSON object that contains the Header Parameters that are integrity
integrity protected by the authenticated encryption operation. protected by the authenticated encryption operation. These
These parameters apply to all recipients of the JWE. parameters apply to all recipients of the JWE.
JWE Shared Unprotected Header JWE Shared Unprotected Header
JSON object that contains the JWE Header Parameters that apply to JSON object that contains the Header Parameters that apply to all
all recipients of the JWE that are not integrity protected. recipients of the JWE that are not integrity protected.
JWE Per-Recipient Unprotected Header JWE Per-Recipient Unprotected Header
JSON object that contains JWE Header Parameters that apply to a JSON object that contains Header Parameters that apply to a single
single recipient of the JWE. These Header Parameter values are recipient of the JWE. These Header Parameter values are not
not integrity protected. integrity protected.
This document defines two serializations for JWE objects: a compact, This document defines two serializations for JWE objects: a compact,
URL-safe serialization called the JWE Compact Serialization and a URL-safe serialization called the JWE Compact Serialization and a
JSON serialization called the JWE JSON Serialization. In both JSON serialization called the JWE JSON Serialization. In both
serializations, the JWE Protected Header, JWE Encrypted Key, JWE serializations, the JWE Protected Header, JWE Encrypted Key, JWE
Initialization Vector, JWE Ciphertext, and JWE Authentication Tag are Initialization Vector, JWE Ciphertext, and JWE Authentication Tag are
base64url encoded for transmission, since JSON lacks a way to base64url encoded for transmission, since JSON lacks a way to
directly represent octet sequences. When present, the JWE AAD is directly represent octet sequences. When present, the JWE AAD is
also base64url encoded for transmission. also base64url encoded for transmission.
In the JWE Compact Serialization, no JWE Shared Unprotected Header or In the JWE Compact Serialization, no JWE Shared Unprotected Header or
JWE Per-Recipient Unprotected Header are used. In this case, the JWE JWE Per-Recipient Unprotected Header are used. In this case, the
Header and the JWE Protected Header are the same. JOSE Header and the JWE Protected Header are the same.
In the JWE Compact Serialization, a JWE object is represented as the In the JWE Compact Serialization, a JWE object is represented as the
combination of these five string values, combination of these five string values,
BASE64URL(UTF8(JWE Protected Header)), BASE64URL(UTF8(JWE Protected Header)),
BASE64URL(JWE Encrypted Key), BASE64URL(JWE Encrypted Key),
BASE64URL(JWE Initialization Vector), BASE64URL(JWE Initialization Vector),
BASE64URL(JWE Ciphertext), and BASE64URL(JWE Ciphertext), and
BASE64URL(JWE Authentication Tag), BASE64URL(JWE Authentication Tag),
concatenated in that order, with the five strings being separated by concatenated in that order, with the five strings being separated by
four period ('.') characters. four period ('.') characters.
In the JWE JSON Serialization, one or more of the JWE Protected In the JWE JSON Serialization, one or more of the JWE Protected
Header, JWE Shared Unprotected Header, and JWE Per-Recipient Header, JWE Shared Unprotected Header, and JWE Per-Recipient
Unprotected Header MUST be present. In this case, the members of the Unprotected Header MUST be present. In this case, the members of the
JWE Header are the combination of the members of the JWE Protected JOSE Header are the combination of the members of the JWE Protected
Header, JWE Shared Unprotected Header, and JWE Per-Recipient Header, JWE Shared Unprotected Header, and JWE Per-Recipient
Unprotected Header values that are present. Unprotected Header values that are present.
In the JWE JSON Serialization, a JWE object is represented as the In the JWE JSON Serialization, a JWE object is represented as the
combination of these eight values, combination of these eight values,
BASE64URL(UTF8(JWE Protected Header)), BASE64URL(UTF8(JWE Protected Header)),
JWE Shared Unprotected Header, JWE Shared Unprotected Header,
JWE Per-Recipient Unprotected Header, JWE Per-Recipient Unprotected Header,
BASE64URL(JWE Encrypted Key), BASE64URL(JWE Encrypted Key),
BASE64URL(JWE Initialization Vector), BASE64URL(JWE Initialization Vector),
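Review bot: The Compact Serialization paragraph touched here still reads "no JWE Shared Unprotected Header or JWE Per-Recipient Unprotected Header are used"; since the sentence is being edited for the JOSE Header rename anyway, change "are used" to "is used". The added qualifier "For a JWE object" appears in the first JOSE Header definition and in the sentence introducing the three header components, but not in the two serialization paragraphs that now also say "JOSE Header"; suggest using the qualifier consistently or stating once that it applies throughout Section 3.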
skipping to change at page 12, line 29 skipping to change at page 12, line 20
1860ppamavo35UgoRdbYaBcoh9QcfylQr66oc6vFWXRcZ_ZT2LawVCWTIy3brGPi 1860ppamavo35UgoRdbYaBcoh9QcfylQr66oc6vFWXRcZ_ZT2LawVCWTIy3brGPi
6UklfCpIMfIjf7iGdXKHzg. 6UklfCpIMfIjf7iGdXKHzg.
48V1_ALb6US04U3b. 48V1_ALb6US04U3b.
5eym8TW_c8SuK0ltJ3rpYIzOeDQz7TALvtu6UG9oMo4vpzs9tX_EFShS8iB7j6ji 5eym8TW_c8SuK0ltJ3rpYIzOeDQz7TALvtu6UG9oMo4vpzs9tX_EFShS8iB7j6ji
SdiwkIr3ajwQzaBtQD_A. SdiwkIr3ajwQzaBtQD_A.
XFBoMYUZodetZdvTiFvSkQ XFBoMYUZodetZdvTiFvSkQ
See Appendix A.1 for the complete details of computing this JWE. See See Appendix A.1 for the complete details of computing this JWE. See
other parts of Appendix A for additional examples. other parts of Appendix A for additional examples.
4. JWE Header 4. JOSE Header
The members of the JSON object(s) representing the JWE Header
describe the encryption applied to the Plaintext and optionally
additional properties of the JWE. The Header Parameter names within
the JWE Header MUST be unique; recipients MUST either reject JWEs
with duplicate Header Parameter names or use a JSON parser that
returns only the lexically last duplicate member name, as specified
in Section 15.12 (The JSON Object) of ECMAScript 5.1 [ECMAScript].
Implementations are required to understand the specific Header
Parameters defined by this specification that are designated as "MUST
be understood" and process them in the manner defined in this
specification. All other Header Parameters defined by this
specification that are not so designated MUST be ignored when not
understood. Unless listed as a critical Header Parameter, per
Section 4.1.13, all Header Parameters not defined by this
specification MUST be ignored when not understood.
There are three classes of Header Parameter names: Registered Header For a JWE object, the members of the JSON object(s) representing the
Parameter names, Public Header Parameter names, and Private Header JOSE Header describe the encryption applied to the Plaintext and
Parameter names. optionally additional properties of the JWE. The Header Parameter
names within the JOSE Header MUST be unique, just as described in
Section 4 of [JWS]. The rules about handling Header Parameters that
are not understood by the implementation are also the same. The
classes of Header Parameter names are likewise the same.
4.1. Registered Header Parameter Names 4.1. Registered Header Parameter Names
The following Header Parameter names are registered in the IANA JSON The following Header Parameter names for use in JWE objects are
Web Signature and Encryption Header Parameters registry defined in registered in the IANA JSON Web Signature and Encryption Header
[JWS], with meanings as defined below. Parameters registry defined in [JWS], with meanings as defined below.
As indicated by the common registry, JWSs and JWEs share a common As indicated by the common registry, JWSs and JWEs share a common
Header Parameter space; when a parameter is used by both Header Parameter space; when a parameter is used by both
specifications, its usage must be compatible between the specifications, its usage must be compatible between the
specifications. specifications.
4.1.1. "alg" (Algorithm) Header Parameter 4.1.1. "alg" (Algorithm) Header Parameter
This parameter has the same meaning, syntax, and processing rules as This parameter has the same meaning, syntax, and processing rules as
the "alg" Header Parameter defined in Section 4.1.1 of [JWS], except the "alg" Header Parameter defined in Section 4.1.1 of [JWS], except
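Review bot: The rewritten Section 4 introduction no longer states the duplicate-name handling inline (reject the JWE, or use a JSON parser that returns only the lexically last duplicate member) or the rules for Header Parameters that are not understood; it now says only "just as described in Section 4 of [JWS]". These are security-relevant parsing rules, and a JWE implementer has to follow the cross-reference to find them. Suggest keeping a one-sentence restatement of the duplicate-name rule here, or confirming that Section 4 of [JWS] carries both the duplicate handling and the "crit" exception that -28 spelled out with its pointer to Section 4.1.13.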
skipping to change at page 15, line 48 skipping to change at page 15, line 23
4.1.12. "cty" (Content Type) Header Parameter 4.1.12. "cty" (Content Type) Header Parameter
This parameter has the same meaning, syntax, and processing rules as This parameter has the same meaning, syntax, and processing rules as
the "cty" Header Parameter defined in Section 4.1.10 of [JWS], except the "cty" Header Parameter defined in Section 4.1.10 of [JWS], except
that the type is that of the secured content (the plaintext). that the type is that of the secured content (the plaintext).
4.1.13. "crit" (Critical) Header Parameter 4.1.13. "crit" (Critical) Header Parameter
This parameter has the same meaning, syntax, and processing rules as This parameter has the same meaning, syntax, and processing rules as
the "crit" Header Parameter defined in Section 4.1.11 of [JWS], the "crit" Header Parameter defined in Section 4.1.11 of [JWS],
except that JWE Header Parameters are being referred to, rather than except that Header Parameters for a JWE object are being referred to,
JWS Header Parameters. rather than Header Parameters for a JWS object.
4.2. Public Header Parameter Names 4.2. Public Header Parameter Names
Additional Header Parameter names can be defined by those using JWEs. Additional Header Parameter names can be defined by those using JWEs.
However, in order to prevent collisions, any new Header Parameter However, in order to prevent collisions, any new Header Parameter
name should either be registered in the IANA JSON Web Signature and name should either be registered in the IANA JSON Web Signature and
Encryption Header Parameters registry defined in [JWS] or be a Public Encryption Header Parameters registry defined in [JWS] or be a Public
Name: a value that contains a Collision-Resistant Name. In each Name: a value that contains a Collision-Resistant Name. In each
case, the definer of the name or value needs to take reasonable case, the definer of the name or value needs to take reasonable
precautions to make sure they are in control of the part of the precautions to make sure they are in control of the part of the
skipping to change at page 17, line 35 skipping to change at page 17, line 11
10. Compute the encoded initialization vector value BASE64URL(JWE 10. Compute the encoded initialization vector value BASE64URL(JWE
Initialization Vector). Initialization Vector).
11. If a "zip" parameter was included, compress the Plaintext using 11. If a "zip" parameter was included, compress the Plaintext using
the specified compression algorithm. the specified compression algorithm.
12. Serialize the (compressed) Plaintext into an octet sequence M. 12. Serialize the (compressed) Plaintext into an octet sequence M.
13. Create the JSON object(s) containing the desired set of Header 13. Create the JSON object(s) containing the desired set of Header
Parameters, which together comprise the JWE Header: the JWE Parameters, which together comprise the JOSE Header: the JWE
Protected Header, and if the JWE JSON Serialization is being Protected Header, and if the JWE JSON Serialization is being
used, the JWE Shared Unprotected Header and the JWE Per- used, the JWE Shared Unprotected Header and the JWE Per-
Recipient Unprotected Header. Recipient Unprotected Header.
14. Compute the Encoded Protected Header value BASE64URL(UTF8(JWE 14. Compute the Encoded Protected Header value BASE64URL(UTF8(JWE
Protected Header)). If the JWE Protected Header is not present Protected Header)). If the JWE Protected Header is not present
(which can only happen when using the JWE JSON Serialization and (which can only happen when using the JWE JSON Serialization and
no "protected" member is present), let this value be the empty no "protected" member is present), let this value be the empty
string. string.
skipping to change at page 19, line 22 skipping to change at page 18, line 47
Encrypted Key, the JWE Initialization Vector, the JWE Encrypted Key, the JWE Initialization Vector, the JWE
Ciphertext, the JWE Authentication Tag, and the JWE AAD MUST be Ciphertext, the JWE Authentication Tag, and the JWE AAD MUST be
successfully base64url decoded following the restriction that no successfully base64url decoded following the restriction that no
padding characters have been used. padding characters have been used.
3. The octet sequence resulting from decoding the encoded JWE 3. The octet sequence resulting from decoding the encoded JWE
Protected Header MUST be a UTF-8 encoded representation of a Protected Header MUST be a UTF-8 encoded representation of a
completely valid JSON object conforming to [RFC7159], which is completely valid JSON object conforming to [RFC7159], which is
the JWE Protected Header. the JWE Protected Header.
4. If using the JWE Compact Serialization, let the JWE Header be 4. If using the JWE Compact Serialization, let the JOSE Header be
the JWE Protected Header; otherwise, when using the JWE JSON the JWE Protected Header; otherwise, when using the JWE JSON
Serialization, let the JWE Header be the union of the members of Serialization, let the JOSE Header be the union of the members
the JWE Protected Header, the JWE Shared Unprotected Header and of the JWE Protected Header, the JWE Shared Unprotected Header
the corresponding JWE Per-Recipient Unprotected Header, all of and the corresponding JWE Per-Recipient Unprotected Header, all
which must be completely valid JSON objects. of which must be completely valid JSON objects.
5. The resulting JWE Header MUST NOT contain duplicate Header 5. The resulting JOSE Header MUST NOT contain duplicate Header
Parameter names. When using the JWE JSON Serialization, this Parameter names. When using the JWE JSON Serialization, this
restriction includes that the same Header Parameter name also restriction includes that the same Header Parameter name also
MUST NOT occur in distinct JSON object values that together MUST NOT occur in distinct JSON object values that together
comprise the JWE Header. comprise the JOSE Header.
6. Verify that the implementation understands and can process all 6. Verify that the implementation understands and can process all
fields that it is required to support, whether required by this fields that it is required to support, whether required by this
specification, by the algorithms being used, or by the "crit" specification, by the algorithms being used, or by the "crit"
Header Parameter value, and that the values of those parameters Header Parameter value, and that the values of those parameters
are also understood and supported. are also understood and supported.
7. Determine the Key Management Mode employed by the algorithm 7. Determine the Key Management Mode employed by the algorithm
specified by the "alg" (algorithm) Header Parameter. specified by the "alg" (algorithm) Header Parameter.
skipping to change at page 23, line 38 skipping to change at page 23, line 9
Protected Header and JWE Shared Unprotected Header values are shared Protected Header and JWE Shared Unprotected Header values are shared
among all recipients. among all recipients.
The Header Parameter values used when creating or validating per- The Header Parameter values used when creating or validating per-
recipient Ciphertext and Authentication Tag values are the union of recipient Ciphertext and Authentication Tag values are the union of
the three sets of Header Parameter values that may be present: (1) the three sets of Header Parameter values that may be present: (1)
the JWE Protected Header represented in the "protected" member, (2) the JWE Protected Header represented in the "protected" member, (2)
the JWE Shared Unprotected Header represented in the "unprotected" the JWE Shared Unprotected Header represented in the "unprotected"
member, and (3) the JWE Per-Recipient Unprotected Header represented member, and (3) the JWE Per-Recipient Unprotected Header represented
in the "header" member of the recipient's array element. The union in the "header" member of the recipient's array element. The union
of these sets of Header Parameters comprises the JWE Header. The of these sets of Header Parameters comprises the JOSE Header. The
Header Parameter names in the three locations MUST be disjoint. Header Parameter names in the three locations MUST be disjoint.
Each JWE Encrypted Key value is computed using the parameters of the Each JWE Encrypted Key value is computed using the parameters of the
corresponding JWE Header value in the same manner as for the JWE corresponding JOSE Header value in the same manner as for the JWE
Compact Serialization. This has the desirable property that each JWE Compact Serialization. This has the desirable property that each JWE
Encrypted Key value in the "recipients" array is identical to the Encrypted Key value in the "recipients" array is identical to the
value that would have been computed for the same parameter in the JWE value that would have been computed for the same parameter in the JWE
Compact Serialization. Likewise, the JWE Ciphertext and JWE Compact Serialization. Likewise, the JWE Ciphertext and JWE
Authentication Tag values match those produced for the JWE Compact Authentication Tag values match those produced for the JWE Compact
Serialization, provided that the JWE Protected Header value (which Serialization, provided that the JWE Protected Header value (which
represents the integrity-protected Header Parameter values) matches represents the integrity-protected Header Parameter values) matches
that used in the JWE Compact Serialization. that used in the JWE Compact Serialization.
All recipients use the same JWE Protected Header, JWE Initialization All recipients use the same JWE Protected Header, JWE Initialization
Vector, JWE Ciphertext, and JWE Authentication Tag values, when Vector, JWE Ciphertext, and JWE Authentication Tag values, when
present, resulting in potentially significant space savings if the present, resulting in potentially significant space savings if the
message is large. Therefore, all Header Parameters that specify the message is large. Therefore, all Header Parameters that specify the
treatment of the Plaintext value MUST be the same for all recipients. treatment of the Plaintext value MUST be the same for all recipients.
This primarily means that the "enc" (encryption algorithm) Header This primarily means that the "enc" (encryption algorithm) Header
Parameter value in the JWE Header for each recipient and any Parameter value in the JOSE Header for each recipient and any
parameters of that algorithm MUST be the same. parameters of that algorithm MUST be the same.
In summary, the syntax of a JWE using the JWE JSON Serialization is In summary, the syntax of a JWE using the JWE JSON Serialization is
as follows: as follows:
{"protected":"<integrity-protected shared header contents>", {"protected":"<integrity-protected shared header contents>",
"unprotected":<non-integrity-protected shared header contents>, "unprotected":<non-integrity-protected shared header contents>,
"recipients":[ "recipients":[
{"header":<per-recipient unprotected header 1 contents>, {"header":<per-recipient unprotected header 1 contents>,
"encrypted_key":"<encrypted key 1 contents>"}, "encrypted_key":"<encrypted key 1 contents>"},
skipping to change at page 25, line 10 skipping to change at page 24, line 28
Compact Serialization, the number of base64url encoded segments Compact Serialization, the number of base64url encoded segments
separated by period ('.') characters differs for JWSs and JWEs. separated by period ('.') characters differs for JWSs and JWEs.
JWSs have three segments separated by two period ('.') characters. JWSs have three segments separated by two period ('.') characters.
JWEs have five segments separated by four period ('.') characters. JWEs have five segments separated by four period ('.') characters.
o If the object is using the JWS JSON Serialization or the JWE JSON o If the object is using the JWS JSON Serialization or the JWE JSON
Serialization, the members used will be different. JWSs have a Serialization, the members used will be different. JWSs have a
"signatures" member and JWEs do not. JWEs have a "recipients" "signatures" member and JWEs do not. JWEs have a "recipients"
member and JWSs do not. member and JWSs do not.
o A JWS Header can be distinguished from a JWE header by examining o The JOSE Header for a JWS object can be distinguished from the
the "alg" (algorithm) Header Parameter value. If the value JOSE Header for a JWE object by examining the "alg" (algorithm)
represents a digital signature or MAC algorithm, or is the value Header Parameter value. If the value represents a digital
"none", it is for a JWS; if it represents a Key Encryption, Key signature or MAC algorithm, or is the value "none", it is for a
Wrapping, Direct Key Agreement, Key Agreement with Key Wrapping, JWS; if it represents a Key Encryption, Key Wrapping, Direct Key
or Direct Encryption algorithm, it is for a JWE. (Extracting the Agreement, Key Agreement with Key Wrapping, or Direct Encryption
"alg" value to examine is straightforward when using the JWS algorithm, it is for a JWE. (Extracting the "alg" value to
Compact Serialization or the JWE Compact Serialization and may be examine is straightforward when using the JWS Compact
more difficult when using the JWS JSON Serialization or the JWE Serialization or the JWE Compact Serialization and may be more
JSON Serialization.) difficult when using the JWS JSON Serialization or the JWE JSON
Serialization.)
o A JWS Header can also be distinguished from a JWE header by o The JOSE Header for a JWS object can also be distinguished from
determining whether an "enc" (encryption algorithm) member exists. the JOSE Header for a JWE object by determining whether an "enc"
If the "enc" member exists, it is a JWE; otherwise, it is a JWS. (encryption algorithm) member exists. If the "enc" member exists,
it is a JWE; otherwise, it is a JWS.
10. IANA Considerations 10. IANA Considerations
10.1. JSON Web Signature and Encryption Header Parameters Registration 10.1. JSON Web Signature and Encryption Header Parameters Registration
This specification registers the Header Parameter names defined in This specification registers the Header Parameter names defined in
Section 4.1 in the IANA JSON Web Signature and Encryption Header Section 4.1 in the IANA JSON Web Signature and Encryption Header
Parameters registry defined in [JWS]. Parameters registry defined in [JWS].
10.1.1. Registry Contents 10.1.1. Registry Contents
skipping to change at page 28, line 29 skipping to change at page 27, line 48
recipient MUST NOT distinguish between format, padding, and length recipient MUST NOT distinguish between format, padding, and length
errors of encrypted keys. It is strongly recommended, in the event errors of encrypted keys. It is strongly recommended, in the event
of receiving an improperly formatted key, that the receiver of receiving an improperly formatted key, that the receiver
substitute a randomly generated CEK and proceed to the next step, to substitute a randomly generated CEK and proceed to the next step, to
mitigate timing attacks. mitigate timing attacks.
12. References 12. References
12.1. Normative References 12.1. Normative References
[ECMAScript]
Ecma International, "ECMAScript Language Specification,
5.1 Edition", ECMA 262, June 2011.
[JWA] Jones, M., "JSON Web Algorithms (JWA)", [JWA] Jones, M., "JSON Web Algorithms (JWA)",
draft-ietf-jose-json-web-algorithms (work in progress), draft-ietf-jose-json-web-algorithms (work in progress),
June 2014. June 2014.
[JWK] Jones, M., "JSON Web Key (JWK)", [JWK] Jones, M., "JSON Web Key (JWK)",
draft-ietf-jose-json-web-key (work in progress), draft-ietf-jose-json-web-key (work in progress),
June 2014. June 2014.
[JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web
Signature (JWS)", draft-ietf-jose-json-web-signature (work Signature (JWS)", draft-ietf-jose-json-web-signature (work
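Review bot: Removing the [ECMAScript] entry from the Normative References is only safe if nothing else in -29 still cites it. The one citation visible in this diff, the duplicate-member sentence in the -28 Section 4 introduction, is gone, so the removal looks consistent, but the sections skipped by the diff should be checked for a remaining "[ECMAScript]" citation before this goes out. The duplicate-name behaviour is now reached only through [JWS], so that document has to carry the reference.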
skipping to change at page 30, line 22 skipping to change at page 29, line 35
not knowledge but imagination." to the recipient using RSAES OAEP for not knowledge but imagination." to the recipient using RSAES OAEP for
key encryption and AES GCM for content encryption. The key encryption and AES GCM for content encryption. The
representation of this plaintext (using JSON array notation) is: representation of this plaintext (using JSON array notation) is:
[84, 104, 101, 32, 116, 114, 117, 101, 32, 115, 105, 103, 110, 32, [84, 104, 101, 32, 116, 114, 117, 101, 32, 115, 105, 103, 110, 32,
111, 102, 32, 105, 110, 116, 101, 108, 108, 105, 103, 101, 110, 99, 111, 102, 32, 105, 110, 116, 101, 108, 108, 105, 103, 101, 110, 99,
101, 32, 105, 115, 32, 110, 111, 116, 32, 107, 110, 111, 119, 108, 101, 32, 105, 115, 32, 110, 111, 116, 32, 107, 110, 111, 119, 108,
101, 100, 103, 101, 32, 98, 117, 116, 32, 105, 109, 97, 103, 105, 101, 100, 103, 101, 32, 98, 117, 116, 32, 105, 109, 97, 103, 105,
110, 97, 116, 105, 111, 110, 46] 110, 97, 116, 105, 111, 110, 46]
A.1.1. JWE Header A.1.1. JOSE Header
The following example JWE Protected Header declares that: The following example JWE Protected Header declares that:
o the Content Encryption Key is encrypted to the recipient using the o the Content Encryption Key is encrypted to the recipient using the
RSAES OAEP algorithm to produce the JWE Encrypted Key and RSAES OAEP algorithm to produce the JWE Encrypted Key and
o the Plaintext is encrypted using the AES GCM algorithm with a 256 o the Plaintext is encrypted using the AES GCM algorithm with a 256
bit key to produce the Ciphertext. bit key to produce the Ciphertext.
{"alg":"RSA-OAEP","enc":"A256GCM"} {"alg":"RSA-OAEP","enc":"A256GCM"}
skipping to change at page 31, line 5 skipping to change at page 30, line 19
[177, 161, 244, 128, 84, 143, 225, 115, 63, 180, 3, 255, 107, 154, [177, 161, 244, 128, 84, 143, 225, 115, 63, 180, 3, 255, 107, 154,
212, 246, 138, 7, 110, 91, 112, 46, 34, 105, 47, 130, 203, 46, 122, 212, 246, 138, 7, 110, 91, 112, 46, 34, 105, 47, 130, 203, 46, 122,
234, 64, 252] 234, 64, 252]
A.1.3. Key Encryption A.1.3. Key Encryption
Encrypt the CEK with the recipient's public key using the RSAES OAEP Encrypt the CEK with the recipient's public key using the RSAES OAEP
algorithm to produce the JWE Encrypted Key. This example uses the RSA algorithm to produce the JWE Encrypted Key. This example uses the RSA
key represented in JSON Web Key [JWK] format below (with line breaks key represented in JSON Web Key [JWK] format below (with line breaks
for display purposes only): within values for display purposes only):
{"kty":"RSA", {"kty":"RSA",
"n":"oahUIoWw0K0usKNuOR6H4wkf4oBUXHTxRvgb48E-BVvxkeDNjbC4he8rUW "n":"oahUIoWw0K0usKNuOR6H4wkf4oBUXHTxRvgb48E-BVvxkeDNjbC4he8rUW
cJoZmds2h7M70imEVhRU5djINXtqllXI4DFqcI1DgjT9LewND8MW2Krf3S cJoZmds2h7M70imEVhRU5djINXtqllXI4DFqcI1DgjT9LewND8MW2Krf3S
psk_ZkoFnilakGygTwpZ3uesH-PFABNIUYpOiN15dsQRkgr0vEhxN92i2a psk_ZkoFnilakGygTwpZ3uesH-PFABNIUYpOiN15dsQRkgr0vEhxN92i2a
sbOenSZeyaxziK72UwxrrKoExv6kc5twXTq4h-QChLOln0_mtUZwfsRaMS sbOenSZeyaxziK72UwxrrKoExv6kc5twXTq4h-QChLOln0_mtUZwfsRaMS
tPs6mS6XrgxnxbWhojf663tuEQueGC-FCMfra36C9knDFGzKsNa7LZK2dj tPs6mS6XrgxnxbWhojf663tuEQueGC-FCMfra36C9knDFGzKsNa7LZK2dj
YgyD3JR_MB_4NUJW_TqOQtwHYbxevoJArm-L5StowjzGy-_bq6Gw", YgyD3JR_MB_4NUJW_TqOQtwHYbxevoJArm-L5StowjzGy-_bq6Gw",
"e":"AQAB", "e":"AQAB",
"d":"kLdtIj6GbDks_ApCSTYQtelcNttlKiOyPzMrXHeI-yk1F7-kpDxY4-WY5N "d":"kLdtIj6GbDks_ApCSTYQtelcNttlKiOyPzMrXHeI-yk1F7-kpDxY4-WY5N
skipping to change at page 34, line 5 skipping to change at page 33, line 16
A.2. Example JWE using RSAES-PKCS1-V1_5 and AES_128_CBC_HMAC_SHA_256 A.2. Example JWE using RSAES-PKCS1-V1_5 and AES_128_CBC_HMAC_SHA_256
This example encrypts the plaintext "Live long and prosper." to the This example encrypts the plaintext "Live long and prosper." to the
recipient using RSAES-PKCS1-V1_5 for key encryption and recipient using RSAES-PKCS1-V1_5 for key encryption and
AES_128_CBC_HMAC_SHA_256 for content encryption. The representation AES_128_CBC_HMAC_SHA_256 for content encryption. The representation
of this plaintext (using JSON array notation) is: of this plaintext (using JSON array notation) is:
[76, 105, 118, 101, 32, 108, 111, 110, 103, 32, 97, 110, 100, 32, [76, 105, 118, 101, 32, 108, 111, 110, 103, 32, 97, 110, 100, 32,
112, 114, 111, 115, 112, 101, 114, 46] 112, 114, 111, 115, 112, 101, 114, 46]
A.2.1. JWE Header A.2.1. JOSE Header
The following example JWE Protected Header declares that: The following example JWE Protected Header declares that:
o the Content Encryption Key is encrypted to the recipient using the o the Content Encryption Key is encrypted to the recipient using the
RSAES-PKCS1-V1_5 algorithm to produce the JWE Encrypted Key and RSAES-PKCS1-V1_5 algorithm to produce the JWE Encrypted Key and
o the Plaintext is encrypted using the AES_128_CBC_HMAC_SHA_256 o the Plaintext is encrypted using the AES_128_CBC_HMAC_SHA_256
algorithm to produce the Ciphertext. algorithm to produce the Ciphertext.
{"alg":"RSA1_5","enc":"A128CBC-HS256"} {"alg":"RSA1_5","enc":"A128CBC-HS256"}
skipping to change at page 34, line 36 skipping to change at page 33, line 47
[4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, 63, 170, 106, [4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, 63, 170, 106,
206, 107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, 240, 143, 156, 206, 107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, 240, 143, 156,
44, 207] 44, 207]
A.2.3. Key Encryption A.2.3. Key Encryption
Encrypt the CEK with the recipient's public key using the RSAES- Encrypt the CEK with the recipient's public key using the RSAES-
PKCS1-V1_5 algorithm to produce the JWE Encrypted Key. This example PKCS1-V1_5 algorithm to produce the JWE Encrypted Key. This example
uses the RSA key represented in JSON Web Key [JWK] format below (with uses the RSA key represented in JSON Web Key [JWK] format below (with
line breaks for display purposes only): line breaks within values for display purposes only):
{"kty":"RSA", {"kty":"RSA",
"n":"sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy1Wl "n":"sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy1Wl
UzewbgBHod5pcM9H95GQRV3JDXboIRROSBigeC5yjU1hGzHHyXss8UDpre UzewbgBHod5pcM9H95GQRV3JDXboIRROSBigeC5yjU1hGzHHyXss8UDpre
cbAYxknTcQkhslANGRUZmdTOQ5qTRsLAt6BTYuyvVRdhS8exSZEy_c4gs_ cbAYxknTcQkhslANGRUZmdTOQ5qTRsLAt6BTYuyvVRdhS8exSZEy_c4gs_
7svlJJQ4H9_NxsiIoLwAEk7-Q3UXERGYw_75IDrGA84-lA_-Ct4eTlXHBI 7svlJJQ4H9_NxsiIoLwAEk7-Q3UXERGYw_75IDrGA84-lA_-Ct4eTlXHBI
Y2EaV7t7LjJaynVJCpkv4LKjTTAumiGUIuQhrNhZLuF_RJLqHpM2kgWFLU Y2EaV7t7LjJaynVJCpkv4LKjTTAumiGUIuQhrNhZLuF_RJLqHpM2kgWFLU
7-VTdL1VbC2tejvcI2BlMkEpk1BzBZI0KQB0GaDWFLN-aEAw3vRw", 7-VTdL1VbC2tejvcI2BlMkEpk1BzBZI0KQB0GaDWFLN-aEAw3vRw",
"e":"AQAB", "e":"AQAB",
"d":"VFCWOqXr8nvZNyaaJLXdnNPXZKRaWCjkU5Q2egQQpTBMwhprMzWzpR8Sxq "d":"VFCWOqXr8nvZNyaaJLXdnNPXZKRaWCjkU5Q2egQQpTBMwhprMzWzpR8Sxq
skipping to change at page 37, line 37 skipping to change at page 37, line 5
A.3. Example JWE using AES Key Wrap and AES_128_CBC_HMAC_SHA_256 A.3. Example JWE using AES Key Wrap and AES_128_CBC_HMAC_SHA_256
This example encrypts the plaintext "Live long and prosper." to the This example encrypts the plaintext "Live long and prosper." to the
recipient using AES Key Wrap for key encryption and recipient using AES Key Wrap for key encryption and
AES_128_CBC_HMAC_SHA_256 for content encryption. The representation AES_128_CBC_HMAC_SHA_256 for content encryption. The representation
of this plaintext (using JSON array notation) is: of this plaintext (using JSON array notation) is:
[76, 105, 118, 101, 32, 108, 111, 110, 103, 32, 97, 110, 100, 32, [76, 105, 118, 101, 32, 108, 111, 110, 103, 32, 97, 110, 100, 32,
112, 114, 111, 115, 112, 101, 114, 46] 112, 114, 111, 115, 112, 101, 114, 46]
A.3.1. JWE Header A.3.1. JOSE Header
The following example JWE Protected Header declares that: The following example JWE Protected Header declares that:
o the Content Encryption Key is encrypted to the recipient using the o the Content Encryption Key is encrypted to the recipient using the
AES Key Wrap algorithm with a 128 bit key to produce the JWE AES Key Wrap algorithm with a 128 bit key to produce the JWE
Encrypted Key and Encrypted Key and
o the Plaintext is encrypted using the AES_128_CBC_HMAC_SHA_256 o the Plaintext is encrypted using the AES_128_CBC_HMAC_SHA_256
algorithm to produce the Ciphertext. algorithm to produce the Ciphertext.
skipping to change at page 40, line 35 skipping to change at page 39, line 48
This example demonstrates the capability for encrypting the same This example demonstrates the capability for encrypting the same
plaintext to multiple recipients. plaintext to multiple recipients.
Two recipients are present in this example. The algorithm and key Two recipients are present in this example. The algorithm and key
used for the first recipient are the same as that used in used for the first recipient are the same as that used in
Appendix A.2. The algorithm and key used for the second recipient Appendix A.2. The algorithm and key used for the second recipient
are the same as that used in Appendix A.3. The resulting JWE are the same as that used in Appendix A.3. The resulting JWE
Encrypted Key values are therefore the same; those computations are Encrypted Key values are therefore the same; those computations are
not repeated here. not repeated here.
The Plaintext, the Content Encryption Key (CEK), Initialization The Plaintext, the Content Encryption Key (CEK), JWE Initialization
Vector, and JWE Protected Header are shared by all recipients (which Vector, and JWE Protected Header are shared by all recipients (which
must be the case, since the Ciphertext and Authentication Tag are must be the case, since the Ciphertext and Authentication Tag are
also shared). also shared).
A.4.1. JWE Per-Recipient Unprotected Headers A.4.1. JWE Per-Recipient Unprotected Headers
The first recipient uses the RSAES-PKCS1-V1_5 algorithm to encrypt The first recipient uses the RSAES-PKCS1-V1_5 algorithm to encrypt
the Content Encryption Key (CEK). The second uses AES Key Wrap to the Content Encryption Key (CEK). The second uses AES Key Wrap to
encrypt the CEK. Key ID values are supplied for both keys. The two encrypt the CEK. Key ID values are supplied for both keys. The two
per-recipient header values used to represent these algorithms and per-recipient header values used to represent these algorithms and
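Review bot: In the A.4 paragraph listing what all recipients share, only "Initialization Vector" gains the "JWE" prefix; "Ciphertext" and "Authentication Tag" in the same sentence stay unprefixed, while the JSON Serialization text earlier in this diff writes "JWE Ciphertext" and "JWE Authentication Tag". Suggest prefixing all three in this sentence so the defined terms are used uniformly.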
skipping to change at page 41, line 25 skipping to change at page 40, line 39
eyJlbmMiOiJBMTI4Q0JDLUhTMjU2In0 eyJlbmMiOiJBMTI4Q0JDLUhTMjU2In0
A.4.3. JWE Unprotected Header A.4.3. JWE Unprotected Header
This JWE uses the "jku" Header Parameter to reference a JWK Set. This This JWE uses the "jku" Header Parameter to reference a JWK Set. This
is represented in the following JWE Unprotected Header value as: is represented in the following JWE Unprotected Header value as:
{"jku":"https://server.example.com/keys.jwks"} {"jku":"https://server.example.com/keys.jwks"}
A.4.4. Complete JWE Header Values A.4.4. Complete JOSE Header Values
Combining the per-recipient, protected, and unprotected header values Combining the per-recipient, protected, and unprotected header values
supplied, the JWE Header values used for the first and second supplied, the JOSE Header values used for the first and second
recipient respectively are: recipient respectively are:
{"alg":"RSA1_5", {"alg":"RSA1_5",
"kid":"2011-04-29", "kid":"2011-04-29",
"enc":"A128CBC-HS256", "enc":"A128CBC-HS256",
"jku":"https://server.example.com/keys.jwks"} "jku":"https://server.example.com/keys.jwks"}
and and
{"alg":"A128KW", {"alg":"A128KW",
"kid":"7", "kid":"7",
"enc":"A128CBC-HS256", "enc":"A128CBC-HS256",
"jku":"https://server.example.com/keys.jwks"} "jku":"https://server.example.com/keys.jwks"}
A.4.5. Additional Authenticated Data A.4.5. Additional Authenticated Data
Let the Additional Authenticated Data encryption parameter be Let the Additional Authenticated Data encryption parameter be
ASCII(BASE64URL(UTF8(JWE Protected Header))). This value is: ASCII(BASE64URL(UTF8(JWE Protected Header))). This value is:
skipping to change at page 42, line 35 skipping to change at page 41, line 47
KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY
Encoding this JWE Authentication Tag as BASE64URL(JWE Authentication Encoding this JWE Authentication Tag as BASE64URL(JWE Authentication
Tag) gives this value: Tag) gives this value:
Mz-VPPyU4RlcuYv1IwIvzw Mz-VPPyU4RlcuYv1IwIvzw
A.4.7. Complete JWE JSON Serialization Representation A.4.7. Complete JWE JSON Serialization Representation
The complete JSON Web Encryption JSON Serialization for these values The complete JSON Web Encryption JSON Serialization for these values
is as follows (with line breaks for display purposes only): is as follows (with line breaks within values for display purposes
only):
{"protected": {"protected":
"eyJlbmMiOiJBMTI4Q0JDLUhTMjU2In0", "eyJlbmMiOiJBMTI4Q0JDLUhTMjU2In0",
"unprotected": "unprotected":
{"jku":"https://server.example.com/keys.jwks"}, {"jku":"https://server.example.com/keys.jwks"},
"recipients":[ "recipients":[
{"header": {"header":
{"alg":"RSA1_5","kid":"2011-04-29"}, {"alg":"RSA1_5","kid":"2011-04-29"},
"encrypted_key": "encrypted_key":
"UGhIOguC7IuEvf_NPVaXsGMoLOmwvc1GyqlIKOK1nN94nHPoltGRhWhw7Zx0- "UGhIOguC7IuEvf_NPVaXsGMoLOmwvc1GyqlIKOK1nN94nHPoltGRhWhw7Zx0-
skipping to change at page 46, line 32 skipping to change at page 45, line 32
Nat Sakimura, Jim Schaad, Hannes Tschofenig, and Sean Turner. Nat Sakimura, Jim Schaad, Hannes Tschofenig, and Sean Turner.
Jim Schaad and Karen O'Donoghue chaired the JOSE working group and Jim Schaad and Karen O'Donoghue chaired the JOSE working group and
Sean Turner, Stephen Farrell, and Kathleen Moriarty served as Sean Turner, Stephen Farrell, and Kathleen Moriarty served as
Security area directors during the creation of this specification. Security area directors during the creation of this specification.
Appendix D. Document History Appendix D. Document History
[[ to be removed by the RFC Editor before publication as an RFC ]] [[ to be removed by the RFC Editor before publication as an RFC ]]
-29
o Replaced the terms JWS Header, JWE Header, and JWT Header with a
single JOSE Header term defined in the JWS specification. This
also enabled a single Header Parameter definition to be used and
reduced other areas of duplication between specifications.
-28 -28
o Specified the use of PKCS #7 padding with AES CBC, rather than o Specified the use of PKCS #7 padding with AES CBC, rather than
PKCS #5. (PKCS #7 is a superset of PKCS #5, and is appropriate PKCS #5. (PKCS #7 is a superset of PKCS #5, and is appropriate
for the 16 octet blocks used by AES CBC.) for the 16 octet blocks used by AES CBC.)
o Revised the introduction to the Security Considerations section. o Revised the introduction to the Security Considerations section.
Also moved a security consideration item here from the JWA draft. Also moved a security consideration item here from the JWA draft.
-27 -27
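Review bot: The new -29 history entry describes only the JOSE Header term replacement, but this diff also changes three "line breaks for display purposes only" notes to "line breaks within values" (A.1.3, A.2.3, A.4.7), renames "Initialization Vector" to "JWE Initialization Vector" in A.4, and drops the [ECMAScript] normative reference. The reference removal may be what "reduced other areas of duplication" is meant to cover, but the editorial wording changes are not recorded. Suggest adding a bullet for them so the history matches the changes shown.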
 End of changes. 63 change blocks. 
166 lines changed or deleted 149 lines changed or added
