Diff of draft-ietf-jose-json-web-encryption-29.txt (draft-29) against
draft-ietf-jose-json-web-encryption-30.txt (draft-30).  Text that is the
same in both drafts is shown once; where the drafts differ, the two
versions are marked "draft-29:" and "draft-30:".

JOSE Working Group                                            M. Jones
Internet-Draft                                                Microsoft
Intended status: Standards Track                          J. Hildebrand
                                                                  Cisco
draft-29: Expires: December 22, 2014                     June 20, 2014
draft-30: Expires: January 2, 2015                        July 1, 2014

                       JSON Web Encryption (JWE)
draft-29: draft-ietf-jose-json-web-encryption-29
draft-30: draft-ietf-jose-json-web-encryption-30
Abstract

JSON Web Encryption (JWE) represents encrypted content using
JavaScript Object Notation (JSON) based data structures.
Cryptographic algorithms and identifiers for use with this
specification are described in the separate JSON Web Algorithms (JWA)
specification and IANA registries defined by that specification.
Related digital signature and MAC capabilities are described in the
separate JSON Web Signature (JWS) specification.

[skipping to change at page 1, line 37]

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF).  Note that other groups may also distribute
working documents as Internet-Drafts.  The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time.  It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

draft-29: This Internet-Draft will expire on December 22, 2014.
draft-30: This Internet-Draft will expire on January 2, 2015.

Copyright Notice

Copyright (c) 2014 IETF Trust and the persons identified as the
document authors.  All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document.  Please review these documents

[skipping to change at page 2, line 14]

include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents

(Page numbers are those of draft-30; the draft-29 page numbers differ
from them by at most one page.  Draft-29 has a single entry "3.1.
Example JWE ... 10" in place of the three entries 3.1, 3.2 and 3.3.)

1.  Introduction ... 5
  1.1.  Notational Conventions ... 5
2.  Terminology ... 6
3.  JSON Web Encryption (JWE) Overview ... 8
  3.1.  JWE Compact Serialization Overview ... 10
  3.2.  JWE JSON Serialization Overview ... 10
  3.3.  Example JWE ... 10
4.  JOSE Header ... 12
  4.1.  Registered Header Parameter Names ... 12
    4.1.1.  "alg" (Algorithm) Header Parameter ... 12
    4.1.2.  "enc" (Encryption Algorithm) Header Parameter ... 12
    4.1.3.  "zip" (Compression Algorithm) Header Parameter ... 13
    4.1.4.  "jku" (JWK Set URL) Header Parameter ... 13
    4.1.5.  "jwk" (JSON Web Key) Header Parameter ... 13
    4.1.6.  "kid" (Key ID) Header Parameter ... 13
    4.1.7.  "x5u" (X.509 URL) Header Parameter ... 14
    4.1.8.  "x5c" (X.509 Certificate Chain) Header Parameter ... 14
    4.1.9.  "x5t" (X.509 Certificate SHA-1 Thumbprint) Header Parameter ... 14
    4.1.10.  "x5t#S256" (X.509 Certificate SHA-256 Thumbprint) Header Parameter ... 14
    4.1.11.  "typ" (Type) Header Parameter ... 14
    4.1.12.  "cty" (Content Type) Header Parameter ... 15
    4.1.13.  "crit" (Critical) Header Parameter ... 15
  4.2.  Public Header Parameter Names ... 15
  4.3.  Private Header Parameter Names ... 15
5.  Producing and Consuming JWEs ... 15
  5.1.  Message Encryption ... 15
  5.2.  Message Decryption ... 17
  5.3.  String Comparison Rules ... 20
6.  Key Identification ... 20
7.  Serializations ... 20
  7.1.  JWE Compact Serialization ... 20
  7.2.  JWE JSON Serialization ... 21
8.  TLS Requirements ... 23
9.  Distinguishing between JWS and JWE Objects ... 24
10.  IANA Considerations ... 24
  10.1.  JSON Web Signature and Encryption Header Parameters Registration ... 24
    10.1.1.  Registry Contents ... 24
11.  Security Considerations ... 26
  11.1.  Using Matching Algorithm Strengths ... 27
  11.2.  Adaptive Chosen-Ciphertext Attacks ... 27
  11.3.  Timing Attacks ... 27
12.  References ... 27
  12.1.  Normative References ... 27
  12.2.  Informative References ... 28
Appendix A.  JWE Examples ... 29
  A.1.  Example JWE using RSAES OAEP and AES GCM ... 29
    A.1.1.  JOSE Header ... 29
    A.1.2.  Content Encryption Key (CEK) ... 30
    A.1.3.  Key Encryption ... 30
    A.1.4.  Initialization Vector ... 31
    A.1.5.  Additional Authenticated Data ... 31
    A.1.6.  Content Encryption ... 32
    A.1.7.  Complete Representation ... 32
    A.1.8.  Validation ... 33
  A.2.  Example JWE using RSAES-PKCS1-V1_5 and AES_128_CBC_HMAC_SHA_256 ... 33
    A.2.1.  JOSE Header ... 33
    A.2.2.  Content Encryption Key (CEK) ... 34
    A.2.3.  Key Encryption ... 34
    A.2.4.  Initialization Vector ... 35
    A.2.5.  Additional Authenticated Data ... 35
    A.2.6.  Content Encryption ... 35
    A.2.7.  Complete Representation ... 36
    A.2.8.  Validation ... 36
  A.3.  Example JWE using AES Key Wrap and AES_128_CBC_HMAC_SHA_256 ... 37
    A.3.1.  JOSE Header ... 37
    A.3.2.  Content Encryption Key (CEK) ... 37
    A.3.3.  Key Encryption ... 37
    A.3.4.  Initialization Vector ... 38
    A.3.5.  Additional Authenticated Data ... 38
    A.3.6.  Content Encryption ... 38
    A.3.7.  Complete Representation ... 39
    A.3.8.  Validation ... 39
  A.4.  Example JWE using JWE JSON Serialization ... 40
    A.4.1.  JWE Per-Recipient Unprotected Headers ... 40
    A.4.2.  JWE Protected Header ... 40
    A.4.3.  JWE Unprotected Header ... 41
    A.4.4.  Complete JOSE Header Values ... 41
    A.4.5.  Additional Authenticated Data ... 41
    A.4.6.  Content Encryption ... 41
    A.4.7.  Complete JWE JSON Serialization Representation ... 42
Appendix B.  Example AES_128_CBC_HMAC_SHA_256 Computation ... 43
  B.1.  Extract MAC_KEY and ENC_KEY from Key ... 43
  B.2.  Encrypt Plaintext to Create Ciphertext ... 43
  B.3.  64 Bit Big Endian Representation of AAD Length ... 44
  B.4.  Initialization Vector Value ... 44
  B.5.  Create Input to HMAC Computation ... 44
  B.6.  Compute HMAC Value ... 44
  B.7.  Truncate HMAC Value to Create Authentication Tag ... 45
Appendix C.  Acknowledgements ... 45
Appendix D.  Document History ... 45
Authors' Addresses ... 56
1.  Introduction

JSON Web Encryption (JWE) represents encrypted content using
JavaScript Object Notation (JSON) [RFC7159] based data structures.
The JWE cryptographic mechanisms encrypt and provide integrity
protection for an arbitrary sequence of octets.

Two closely related serializations for JWE objects are defined.  The
JWE Compact Serialization is a compact, URL-safe representation

[skipping to change at page 9, line 40]

JWE Shared Unprotected Header
   JSON object that contains the Header Parameters that apply to all
   recipients of the JWE that are not integrity protected.

JWE Per-Recipient Unprotected Header
   JSON object that contains Header Parameters that apply to a single
   recipient of the JWE.  These Header Parameter values are not
   integrity protected.

draft-30: JWE utilizes authenticated encryption to ensure the confidentiality
and integrity of the Plaintext and the integrity of the JWE Protected
Header and the JWE AAD.  (This paragraph is new at this position in
draft-30; in draft-29 it stands at the end of Section 3, just before
the Example JWE.)

This document defines two serializations for JWE objects: a compact,
URL-safe serialization called the JWE Compact Serialization and a
JSON serialization called the JWE JSON Serialization.  In both
serializations, the JWE Protected Header, JWE Encrypted Key, JWE
Initialization Vector, JWE Ciphertext, and JWE Authentication Tag are
base64url encoded for transmission, since JSON lacks a way to
directly represent octet sequences.  When present, the JWE AAD is
also base64url encoded for transmission.
draft-30: 3.1.  JWE Compact Serialization Overview  (section heading new in draft-30)

In the JWE Compact Serialization, no JWE Shared Unprotected Header or
JWE Per-Recipient Unprotected Header are used.  In this case, the
JOSE Header and the JWE Protected Header are the same.

In the JWE Compact Serialization, a JWE object is represented as the
combination of these five string values,

   BASE64URL(UTF8(JWE Protected Header)),
   BASE64URL(JWE Encrypted Key),
   BASE64URL(JWE Initialization Vector),
   BASE64URL(JWE Ciphertext), and
   BASE64URL(JWE Authentication Tag),

concatenated in that order, with the five strings being separated by
four period ('.') characters.
draft-30: 3.2.  JWE JSON Serialization Overview  (section heading new in draft-30)

In the JWE JSON Serialization, one or more of the JWE Protected
Header, JWE Shared Unprotected Header, and JWE Per-Recipient
Unprotected Header MUST be present.  In this case, the members of the
JOSE Header are the combination of the members of the JWE Protected
Header, JWE Shared Unprotected Header, and JWE Per-Recipient
Unprotected Header values that are present.

In the JWE JSON Serialization, a JWE object is represented as the
combination of these eight values,

   BASE64URL(UTF8(JWE Protected Header)),

[skipping to change at page 10, line 39 (draft-29) / line 47 (draft-30)]

   BASE64URL(JWE Ciphertext),
   BASE64URL(JWE Authentication Tag), and
   BASE64URL(JWE AAD),

with the six base64url encoded result strings and the two unprotected
JSON object values being represented as members within a JSON object.
The inclusion of some of these values is OPTIONAL.  The JWE JSON
Serialization can also encrypt the plaintext to multiple recipients.
See Section 7.2 for more information about the JWE JSON
Serialization.
draft-29: JWE utilizes authenticated encryption to ensure the confidentiality
and integrity of the Plaintext and the integrity of the JWE Protected
Header and the JWE AAD.  (In draft-30 this paragraph appears earlier in
Section 3, directly after the definition of the JWE Per-Recipient
Unprotected Header.)

draft-29: 3.1.  Example JWE
draft-30: 3.3.  Example JWE

draft-29: This example encrypts the plaintext "The true sign of intelligence is
not knowledge but imagination." to the recipient using RSAES OAEP for
key encryption and AES GCM for content encryption.
draft-30: This example encrypts the plaintext "The true sign of intelligence is
not knowledge but imagination." to the recipient.

The following example JWE Protected Header declares that:

draft-29: o  the Content Encryption Key is encrypted to the recipient using the
   RSAES OAEP algorithm to produce the JWE Encrypted Key and
draft-30: o  the Content Encryption Key is encrypted to the recipient using the
   RSAES OAEP [RFC3447] algorithm to produce the JWE Encrypted Key and

draft-29: o  the Plaintext is encrypted using the AES GCM algorithm with a 256
   bit key to produce the Ciphertext.
draft-30: o  the Plaintext is encrypted using the AES GCM [AES, NIST.800-38D]
   algorithm with a 256 bit key to produce the Ciphertext.
   {"alg":"RSA-OAEP","enc":"A256GCM"}

Encoding this JWE Protected Header as BASE64URL(UTF8(JWE Protected
Header)) gives this value:

   eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ

The remaining steps to finish creating this JWE are:

o  Generate a random Content Encryption Key (CEK).

o  Encrypt the CEK with the recipient's public key using the RSAES
   OAEP algorithm to produce the JWE Encrypted Key.

o  Base64url encode the JWE Encrypted Key.

o  Generate a random JWE Initialization Vector.

o  Base64url encode the JWE Initialization Vector.

o  Let the Additional Authenticated Data encryption parameter be
   ASCII(BASE64URL(UTF8(JWE Protected Header))).

o  Encrypt the Plaintext with AES GCM using the CEK as the encryption
   key, the JWE Initialization Vector, and the Additional
   Authenticated Data value, requesting a 128 bit Authentication Tag
   output.

o  Base64url encode the Ciphertext.

o  Base64url encode the Authentication Tag.

o  Assemble the final representation: The Compact Serialization of
   this result is the string BASE64URL(UTF8(JWE Protected Header)) ||
   '.' || BASE64URL(JWE Encrypted Key) || '.' || BASE64URL(JWE
   Initialization Vector) || '.' || BASE64URL(JWE Ciphertext) || '.'
   || BASE64URL(JWE Authentication Tag).

The final result in this example (with line breaks for display
purposes only) is:

   eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ.
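The construction just listed, carried out end to end as an added Go example (not code from either draft): it builds the JWE Compact Serialization of Section 3.3 with RSAES-OAEP for the CEK and A256GCM for the content using only Go's standard library, and includes the matching decrypt so the five-part layout and the AAD binding of the header can be checked. The recipient key pair, the 96-bit IV size, the pinned header check, and the SHA-1 OAEP parameters (the RFC 3447 defaults that JWA's "RSA-OAEP" denotes) are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // BASE64URL: URL-safe alphabet, no '=' padding

// ProtectedHeader is the example header from Section 3.3.
const ProtectedHeader = `{"alg":"RSA-OAEP","enc":"A256GCM"}`

// NewRecipientKey makes a fresh RSA key pair standing in for the recipient.
func NewRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptCompact performs the steps of Section 3.3 and returns the JWE Compact
// Serialization of plaintext for the holder of pub.
func EncryptCompact(pub *rsa.PublicKey, plaintext []byte) (string, error) {
	encHeader := b64.EncodeToString([]byte(ProtectedHeader))
	cek := make([]byte, 32) // random 256-bit Content Encryption Key for A256GCM
	if _, err := rand.Read(cek); err != nil {
		return "", err
	}
	// Encrypt the CEK to the recipient with RSAES-OAEP using the RFC 3447
	// defaults (SHA-1, MGF1 with SHA-1), which is what JWA's "RSA-OAEP" denotes.
	encryptedKey, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, pub, cek, nil)
	if err != nil {
		return "", err
	}
	iv := make([]byte, 12) // random 96-bit JWE Initialization Vector
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	block, err := aes.NewCipher(cek)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block) // 96-bit nonce, 128-bit Authentication Tag
	if err != nil {
		return "", err
	}
	// The AAD is ASCII(BASE64URL(UTF8(JWE Protected Header))), so any change
	// to the encoded header invalidates the Authentication Tag.
	sealed := gcm.Seal(nil, iv, plaintext, []byte(encHeader))
	// Go appends the tag to the ciphertext; JWE carries the two separately.
	n := len(sealed) - gcm.Overhead()
	return strings.Join([]string{
		encHeader,
		b64.EncodeToString(encryptedKey),
		b64.EncodeToString(iv),
		b64.EncodeToString(sealed[:n]),
		b64.EncodeToString(sealed[n:]),
	}, "."), nil
}

// DecryptCompact reverses EncryptCompact. It accepts only the example header,
// so "alg" and "enc" are pinned rather than taken from untrusted input.
func DecryptCompact(priv *rsa.PrivateKey, jwe string) ([]byte, error) {
	parts := strings.Split(jwe, ".")
	if len(parts) != 5 {
		return nil, fmt.Errorf("compact JWE needs 5 parts, got %d", len(parts))
	}
	decoded := make([][]byte, 5)
	for i, p := range parts {
		// RawURLEncoding rejects '=' padding, as step 2 of Section 5.2 requires.
		d, err := b64.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("part %d: %w", i, err)
		}
		decoded[i] = d
	}
	if string(decoded[0]) != ProtectedHeader {
		return nil, fmt.Errorf("unexpected protected header %q", decoded[0])
	}
	cek, err := rsa.DecryptOAEP(sha1.New(), rand.Reader, priv, decoded[1], nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(decoded[2]) != gcm.NonceSize() {
		return nil, fmt.Errorf("IV must be %d bytes, got %d", gcm.NonceSize(), len(decoded[2]))
	}
	// Open verifies the tag over ciphertext and AAD before releasing plaintext.
	return gcm.Open(nil, decoded[2], append(decoded[3], decoded[4]...), []byte(parts[0]))
}
```

The first segment of the output is always the header value shown above, since the header is constant; the other four segments change with every call because the CEK and IV are freshly random.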
[skipping to change at page 18, line 22 (draft-29) / line 10 (draft-30)]

It is an application decision which recipients' encrypted content
must successfully validate for the JWE to be accepted.  In some
cases, encrypted content for all recipients must successfully
validate or the JWE will be rejected.  In other cases, only the
encrypted content for a single recipient needs to be successfully
validated.  However, in all cases, the encrypted content for at least
one recipient MUST successfully validate or the JWE MUST be rejected.

draft-29:
1.  Parse the JWE representation to extract the serialized values
    for the components of the JWE -- when using the JWE Compact
    Serialization, the base64url encoded representations of the JWE
    Protected Header, the JWE Encrypted Key, the JWE Initialization
    Vector, the JWE Ciphertext, and the JWE Authentication Tag, and
    when using the JWE JSON Serialization, also the base64url
    encoded representation of the JWE AAD and the unencoded JWE
    Shared Unprotected Header and JWE Per-Recipient Unprotected
    Header values.  When using the JWE Compact Serialization, the
    JWE Protected Header, the JWE Encrypted Key, the JWE
    Initialization Vector, the JWE Ciphertext, and the JWE
    Authentication Tag are represented as base64url encoded values
    in that order, separated by four period ('.') characters.  The
    JWE JSON Serialization is described in Section 7.2.

draft-30:
1.  Parse the JWE representation to extract the serialized values
    for the components of the JWE.  When using the JWE Compact
    Serialization, these components are the base64url encoded
    representations of the JWE Protected Header, the JWE Encrypted
    Key, the JWE Initialization Vector, the JWE Ciphertext, and the
    JWE Authentication Tag, and when using the JWE JSON
    Serialization, these components also include the base64url
    encoded representation of the JWE AAD and the unencoded JWE
    Shared Unprotected Header and JWE Per-Recipient Unprotected
    Header values.  When using the JWE Compact Serialization, the
    JWE Protected Header, the JWE Encrypted Key, the JWE
    Initialization Vector, the JWE Ciphertext, and the JWE
    Authentication Tag are represented as base64url encoded values
    in that order, separated by four period ('.') characters.  The
    JWE JSON Serialization is described in Section 7.2.

2.  The encoded representations of the JWE Protected Header, the JWE
    Encrypted Key, the JWE Initialization Vector, the JWE
    Ciphertext, the JWE Authentication Tag, and the JWE AAD MUST be
    successfully base64url decoded following the restriction that no
    padding characters have been used.

3.  The octet sequence resulting from decoding the encoded JWE
    Protected Header MUST be a UTF-8 encoded representation of a
    completely valid JSON object conforming to RFC 7159 [RFC7159],
    which is the JWE Protected Header.
    (draft-29 cites this as "[RFC7159]"; draft-30 as "RFC 7159 [RFC7159]".)

4.  If using the JWE Compact Serialization, let the JOSE Header be
    the JWE Protected Header.  Otherwise, when using the JWE JSON
    Serialization, let the JOSE Header be the union of the members
    of the JWE Protected Header, the JWE Shared Unprotected Header
    and the corresponding JWE Per-Recipient Unprotected Header, all
    of which must be completely valid JSON objects.
    (draft-29 joins the first two sentences with "; otherwise,".)

5.  The resulting JOSE Header MUST NOT contain duplicate Header
    Parameter names.  When using the JWE JSON Serialization, this
    restriction includes that the same Header Parameter name also
    MUST NOT occur in distinct JSON object values that together
    comprise the JOSE Header.
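Steps 1 to 5 above as consumer-side checks, written here as an added Go example (not code from either draft): splitting the compact form into its five parts, base64url decoding that rejects padding, and assembling the JOSE Header from the protected, shared unprotected and per-recipient unprotected headers while rejecting any Header Parameter name that repeats within or across those objects, which is what keeps an unprotected header from overriding a protected "alg" or "enc". The type and function names are this example's own.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Compact holds the five components of step 1, already base64url decoded as
// step 2 requires. ProtectedHeader is still the raw UTF-8 JSON text.
type Compact struct {
	ProtectedHeader, EncryptedKey, IV, Ciphertext, Tag []byte
}

// ParseCompact is step 1 for the JWE Compact Serialization: exactly five
// base64url strings separated by four '.' characters, in the fixed order.
func ParseCompact(jwe string) (*Compact, error) {
	parts := strings.Split(jwe, ".")
	if len(parts) != 5 {
		return nil, fmt.Errorf("compact JWE needs 5 parts, got %d", len(parts))
	}
	var c Compact
	for i, dst := range []*[]byte{&c.ProtectedHeader, &c.EncryptedKey, &c.IV, &c.Ciphertext, &c.Tag} {
		// Step 2: RawURLEncoding treats '=' as an illegal character, so any
		// padded part is rejected rather than silently accepted.
		b, err := base64.RawURLEncoding.DecodeString(parts[i])
		if err != nil {
			return nil, fmt.Errorf("part %d is not unpadded base64url: %w", i, err)
		}
		*dst = b
	}
	return &c, nil
}

// parseHeaderObject is step 3 applied to one header: the octets must form one
// complete JSON object, and no member name may repeat. json.Unmarshal would
// silently keep the last duplicate, so the token stream is walked by hand.
func parseHeaderObject(raw []byte) (map[string]json.RawMessage, error) {
	dec := json.NewDecoder(bytes.NewReader(raw))
	if tok, err := dec.Token(); err != nil || tok != json.Delim('{') {
		return nil, errors.New("header is not a JSON object")
	}
	members := map[string]json.RawMessage{}
	for dec.More() {
		keyTok, err := dec.Token()
		if err != nil {
			return nil, err
		}
		name, ok := keyTok.(string)
		if !ok {
			return nil, errors.New("header member name is not a string")
		}
		if _, dup := members[name]; dup {
			return nil, fmt.Errorf("duplicate Header Parameter %q", name)
		}
		var value json.RawMessage
		if err := dec.Decode(&value); err != nil {
			return nil, err
		}
		members[name] = value
	}
	if tok, err := dec.Token(); err != nil || tok != json.Delim('}') {
		return nil, errors.New("header object not closed")
	}
	// "Completely valid JSON object": nothing may follow the closing brace.
	if _, err := dec.Token(); err != io.EOF {
		return nil, errors.New("trailing data after header object")
	}
	return members, nil
}

// JOSEHeader is steps 4 and 5. For the compact serialization pass only the
// decoded protected header (shared and perRecipient nil); for the JSON
// serialization also pass the unencoded shared and per-recipient unprotected
// headers. A name found in more than one object is rejected, so an
// unprotected member can never shadow or duplicate a protected one.
func JOSEHeader(protected, shared, perRecipient []byte) (map[string]json.RawMessage, error) {
	merged := map[string]json.RawMessage{}
	for _, raw := range [][]byte{protected, shared, perRecipient} {
		if raw == nil {
			continue
		}
		members, err := parseHeaderObject(raw)
		if err != nil {
			return nil, err
		}
		for name, value := range members {
			if _, dup := merged[name]; dup {
				return nil, fmt.Errorf("Header Parameter %q occurs in more than one header object", name)
			}
			merged[name] = value
		}
	}
	return merged, nil
}
```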
skipping to change at page 26, line 42 skipping to change at page 26, line 38
o Specification Document(s): Section 4.1.12 of [[ this document ]] o Specification Document(s): Section 4.1.12 of [[ this document ]]
o Header Parameter Name: "crit" o Header Parameter Name: "crit"
o Header Parameter Description: Critical o Header Parameter Description: Critical
o Header Parameter Usage Location(s): JWE o Header Parameter Usage Location(s): JWE
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 4.1.13 of [[ this document ]] o Specification Document(s): Section 4.1.13 of [[ this document ]]
11. Security Considerations 11. Security Considerations
   (-29) All of the security issues faced by any cryptographic application
   must be faced by a JWS/JWE/JWK agent. Among these issues are
   protecting the user's asymmetric private and symmetric secret keys,
   preventing various attacks, and helping avoid mistakes such as
   inadvertently encrypting a message to the wrong recipient. The
   entire list of security considerations is beyond the scope of this
   document.

   (-30) All of the security issues that are pertinent to any cryptographic
   application must be addressed by JWS/JWE/JWK agents. Among these
   issues are protecting the user's asymmetric private and symmetric
   secret keys, preventing various attacks, and helping avoid mistakes
   such as inadvertently encrypting a message to the wrong recipient.
   The entire list of security considerations is beyond the scope of
   this document, but some significant considerations are listed here.
   All the security considerations in the JWS specification also apply
   to this specification. Likewise, all the security considerations in
   XML Encryption 1.1 [W3C.REC-xmlenc-core1-20130411] also apply, other
   than those that are XML specific.

11.1. Using Matching Algorithm Strengths

   Algorithms of matching strengths should be used together whenever
   possible. For instance, when AES Key Wrap is used with a given key
   skipping to change at page 27, line 50 (-29) / page 27, line 47 (-30)
   of receiving an improperly formatted key, that the receiver
   substitute a randomly generated CEK and proceed to the next step, to
   mitigate timing attacks.
12. References

12.1. Normative References

   [JWA]      Jones, M., "JSON Web Algorithms (JWA)",
              draft-ietf-jose-json-web-algorithms (work in progress),
              June 2014 (-29) / July 2014 (-30).

   [JWK]      Jones, M., "JSON Web Key (JWK)",
              draft-ietf-jose-json-web-key (work in progress),
              June 2014 (-29) / July 2014 (-30).

   [JWS]      Jones, M., Bradley, J., and N. Sakimura, "JSON Web
              Signature (JWS)", draft-ietf-jose-json-web-signature (work
              in progress), June 2014 (-29) / July 2014 (-30).

   [RFC1951]  Deutsch, P., "DEFLATE Compressed Data Format Specification
              version 1.3", RFC 1951, May 1996.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", STD 63, RFC 3629, November 2003.
   skipping to change at page 28, line 36 (-29) / page 28, line 32 (-30)
   [RFC7159]  Bray, T., "The JavaScript Object Notation (JSON) Data
              Interchange Format", RFC 7159, March 2014.

   [USASCII]  American National Standards Institute, "Coded Character
              Set -- 7-bit American Standard Code for Information
              Interchange", ANSI X3.4, 1986.

12.2. Informative References

   (-30) [AES]      National Institute of Standards and Technology (NIST),
              "Advanced Encryption Standard (AES)", FIPS PUB 197,
              November 2001.

   [I-D.mcgrew-aead-aes-cbc-hmac-sha2]
              McGrew, D., Foley, J., and K. Paterson, "Authenticated
              Encryption with AES-CBC and HMAC-SHA",
              draft-mcgrew-aead-aes-cbc-hmac-sha2-04 (work in progress),
              February 2014.

   [I-D.rescorla-jsms]
              Rescorla, E. and J. Hildebrand, "JavaScript Message
              Security Format", draft-rescorla-jsms-00 (work in
              progress), March 2011.

   [JSE]      Bradley, J. and N. Sakimura (editor), "JSON Simple
              Encryption", September 2010.

   (-30) [NIST.800-38D]
              National Institute of Standards and Technology (NIST),
              "Recommendation for Block Cipher Modes of Operation:
              Galois/Counter Mode (GCM) and GMAC", NIST PUB 800-38D,
              December 2001.

   [RFC3218]  Rescorla, E., "Preventing the Million Message Attack on
              Cryptographic Message Syntax", RFC 3218, January 2002.

   (-30) [RFC3447]  Jonsson, J. and B. Kaliski, "Public-Key Cryptography
              Standards (PKCS) #1: RSA Cryptography Specifications
              Version 2.1", RFC 3447, February 2003.

   [RFC4086]  Eastlake, D., Schiller, J., and S. Crocker, "Randomness
              Requirements for Security", BCP 106, RFC 4086, June 2005.

   [RFC5652]  Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
              RFC 5652, September 2009.

   [W3C.REC-xmlenc-core1-20130411]
              Eastlake, D., Reagle, J., Hirsch, F., and T. Roessler,
              "XML Encryption Syntax and Processing Version 1.1", World
              Wide Web Consortium Recommendation REC-xmlenc-core1-
   skipping to change at page 45, line 20 (-29) / page 45, line 38 (-30)
   Thanks to Axel Nennker, Emmanuel Raviart, Brian Campbell, and Edmund
   Jay for validating the examples in this specification.

   This specification is the work of the JOSE Working Group, which
   includes dozens of active and dedicated participants. In particular,
   the following individuals contributed ideas, feedback, and wording
   that influenced this specification:

   (-29) Richard Barnes, John Bradley, Brian Campbell, Breno de Medeiros,
   Dick Hardt, Jeff Hodges, Edmund Jay, James Manger, Matt Miller, Tony
   Nadalin, Hideki Nara, Axel Nennker, Emmanuel Raviart, Eric Rescorla,
   Nat Sakimura, Jim Schaad, Hannes Tschofenig, and Sean Turner.

   (-30) Richard Barnes, John Bradley, Brian Campbell, Breno de Medeiros,
   Dick Hardt, Jeff Hodges, Edmund Jay, James Manger, Matt Miller,
   Kathleen Moriarty, Tony Nadalin, Hideki Nara, Axel Nennker, Emmanuel
   Raviart, Eric Rescorla, Nat Sakimura, Jim Schaad, Hannes Tschofenig,
   and Sean Turner.

   Jim Schaad and Karen O'Donoghue chaired the JOSE working group and
   Sean Turner, Stephen Farrell, and Kathleen Moriarty served as
   Security area directors during the creation of this specification.

Appendix D. Document History

   [[ to be removed by the RFC Editor before publication as an RFC ]]

   -30

   o  Added subsection headings within the Overview section for the two
      serializations.

   o  Added references and cleaned up the reference syntax in a few
      places.

   o  Applied minor wording changes to the Security Considerations
      section and made other local editorial improvements.

   -29

   o  Replaced the terms JWS Header, JWE Header, and JWT Header with a
      single JOSE Header term defined in the JWS specification. This
      also enabled a single Header Parameter definition to be used and
      reduced other areas of duplication between specifications.

   -28
 End of changes. 49 change blocks. 
72 lines changed or deleted 94 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/