Diff of draft-ietf-jose-json-web-encryption-32.txt (old; lines marked "-") against draft-ietf-jose-json-web-encryption-33.txt (new; lines marked "+"). Lines that are identical in both drafts are shown once, unmarked.

JOSE Working Group                                           M. Jones
Internet-Draft                                               Microsoft
Intended status: Standards Track                         J. Hildebrand
- Expires: March 27, 2015                                         Cisco
+ Expires: March 29, 2015                                         Cisco
- September 23, 2014
+ September 25, 2014

JSON Web Encryption (JWE)
- draft-ietf-jose-json-web-encryption-32
+ draft-ietf-jose-json-web-encryption-33

Abstract

JSON Web Encryption (JWE) represents encrypted content using
JavaScript Object Notation (JSON) based data structures.
Cryptographic algorithms and identifiers for use with this
specification are described in the separate JSON Web Algorithms (JWA)
specification and IANA registries defined by that specification.
Related digital signature and MAC capabilities are described in the
separate JSON Web Signature (JWS) specification.

skipping to change at page 1, line 37

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

- This Internet-Draft will expire on March 27, 2015.
+ This Internet-Draft will expire on March 29, 2015.

Copyright Notice

Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents

skipping to change at page 2, line 43

4.1.13. "crit" (Critical) Header Parameter . . . . . 14
4.2. Public Header Parameter Names . . . . . 14
4.3. Private Header Parameter Names . . . . . 15
5. Producing and Consuming JWEs . . . . . 15
5.1. Message Encryption . . . . . 15
5.2. Message Decryption . . . . . 17
5.3. String Comparison Rules . . . . . 20
6. Key Identification . . . . . 20
7. Serializations . . . . . 20
7.1. JWE Compact Serialization . . . . . 20
- 7.2. JWE JSON Serialization . . . . . 20
+ 7.2. JWE JSON Serialization . . . . . 21
8. TLS Requirements . . . . . 23
9. Distinguishing between JWS and JWE Objects . . . . . 23
10. IANA Considerations . . . . . 24
10.1. JSON Web Signature and Encryption Header Parameters
Registration . . . . . 24
10.1.1. Registry Contents . . . . . 24
11. Security Considerations . . . . . 26
11.1. Key Entropy and Random Values . . . . . 26
- 11.2. Key Protection . . . . . 26
+ 11.2. Key Protection . . . . . 27
11.3. Using Matching Algorithm Strengths . . . . . 27
11.4. Adaptive Chosen-Ciphertext Attacks . . . . . 27
11.5. Timing Attacks . . . . . 27
12. References . . . . . 28
12.1. Normative References . . . . . 28
12.2. Informative References . . . . . 28
Appendix A. JWE Examples . . . . . 29
- A.1. Example JWE using RSAES OAEP and AES GCM . . . . . 29
+ A.1. Example JWE using RSAES OAEP and AES GCM . . . . . 30
A.1.1. JOSE Header . . . . . 30
A.1.2. Content Encryption Key (CEK) . . . . . 30
A.1.3. Key Encryption . . . . . 30
A.1.4. Initialization Vector . . . . . 32
A.1.5. Additional Authenticated Data . . . . . 32
A.1.6. Content Encryption . . . . . 32
A.1.7. Complete Representation . . . . . 33
A.1.8. Validation . . . . . 33
A.2. Example JWE using RSAES-PKCS1-V1_5 and
AES_128_CBC_HMAC_SHA_256 . . . . . 33
A.2.1. JOSE Header . . . . . 34
A.2.2. Content Encryption Key (CEK) . . . . . 34
A.2.3. Key Encryption . . . . . 34
- A.2.4. Initialization Vector . . . . . 35
+ A.2.4. Initialization Vector . . . . . 36
A.2.5. Additional Authenticated Data . . . . . 36
A.2.6. Content Encryption . . . . . 36
- A.2.7. Complete Representation . . . . . 36
+ A.2.7. Complete Representation . . . . . 37
A.2.8. Validation . . . . . 37
A.3. Example JWE using AES Key Wrap and
AES_128_CBC_HMAC_SHA_256 . . . . . 37
- A.3.1. JOSE Header . . . . . 37
+ A.3.1. JOSE Header . . . . . 38
A.3.2. Content Encryption Key (CEK) . . . . . 38
A.3.3. Key Encryption . . . . . 38
- A.3.4. Initialization Vector . . . . . 38
+ A.3.4. Initialization Vector . . . . . 39
A.3.5. Additional Authenticated Data . . . . . 39
A.3.6. Content Encryption . . . . . 39
- A.3.7. Complete Representation . . . . . 39
+ A.3.7. Complete Representation . . . . . 40
A.3.8. Validation . . . . . 40
A.4. Example JWE using JWE JSON Serialization . . . . . 40
- A.4.1. JWE Per-Recipient Unprotected Headers . . . . . 40
+ A.4.1. JWE Per-Recipient Unprotected Headers . . . . . 41
A.4.2. JWE Protected Header . . . . . 41
A.4.3. JWE Unprotected Header . . . . . 41
A.4.4. Complete JOSE Header Values . . . . . 41
- A.4.5. Additional Authenticated Data . . . . . 41
+ A.4.5. Additional Authenticated Data . . . . . 42
A.4.6. Content Encryption . . . . . 42
A.4.7. Complete JWE JSON Serialization Representation . . . . . 42
Appendix B. Example AES_128_CBC_HMAC_SHA_256 Computation . . . . . 43
B.1. Extract MAC_KEY and ENC_KEY from Key . . . . . 43
B.2. Encrypt Plaintext to Create Ciphertext . . . . . 44
B.3. 64 Bit Big Endian Representation of AAD Length . . . . . 44
B.4. Initialization Vector Value . . . . . 45
B.5. Create Input to HMAC Computation . . . . . 45
B.6. Compute HMAC Value . . . . . 45
B.7. Truncate HMAC Value to Create Authentication Tag . . . . . 45
Appendix C. Acknowledgements . . . . . 45
Appendix D. Document History . . . . . 46
- Authors' Addresses . . . . . 56
+ Authors' Addresses . . . . . 57

1. Introduction

JSON Web Encryption (JWE) represents encrypted content using
JavaScript Object Notation (JSON) [RFC7159] based data structures.
The JWE cryptographic mechanisms encrypt and provide integrity
protection for an arbitrary sequence of octets.

Two closely related serializations for JWE objects are defined. The
JWE Compact Serialization is a compact, URL-safe representation
skipping to change at page 6, line 46

encrypted.

Authentication Tag
An output of an AEAD operation that ensures the integrity of the
Ciphertext and the Additional Authenticated Data. Note that some
algorithms may not use an Authentication Tag, in which case this
value is the empty octet sequence.

Content Encryption Key (CEK)
A symmetric key for the AEAD algorithm used to encrypt the
- Plaintext for the recipient to produce the Ciphertext and the
- Authentication Tag.
+ Plaintext to produce the Ciphertext and the Authentication Tag.

JWE Encrypted Key
Encrypted Content Encryption Key (CEK) value. Note that for some
algorithms, the JWE Encrypted Key value is specified as being the
empty octet sequence.

JWE Initialization Vector
Initialization vector value used when encrypting the plaintext.
Note that some algorithms may not use an Initialization Vector, in
which case this value is the empty octet sequence.

skipping to change at page 10, line 27

3.3. Example JWE

This example encrypts the plaintext "The true sign of intelligence is
not knowledge but imagination." to the recipient.

The following example JWE Protected Header declares that:

o the Content Encryption Key is encrypted to the recipient using the
RSAES OAEP [RFC3447] algorithm to produce the JWE Encrypted Key
and

- o the Plaintext is encrypted using the AES GCM [AES, NIST.800-38D]
- algorithm with a 256 bit key to produce the Ciphertext.
+ o authenticated encryption is performed on the Plaintext using the
+ AES GCM [AES, NIST.800-38D] algorithm with a 256 bit key to
+ produce the Ciphertext and the Authentication Tag.

{"alg":"RSA-OAEP","enc":"A256GCM"}

Encoding this JWE Protected Header as BASE64URL(UTF8(JWE Protected
Header)) gives this value:

eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ

The remaining steps to finish creating this JWE are:

o Generate a random Content Encryption Key (CEK).

o Encrypt the CEK with the recipient's public key using the RSAES
OAEP algorithm to produce the JWE Encrypted Key.

o Base64url encode the JWE Encrypted Key.

o Generate a random JWE Initialization Vector.

o Base64url encode the JWE Initialization Vector.

o Let the Additional Authenticated Data encryption parameter be
ASCII(BASE64URL(UTF8(JWE Protected Header))).

- o Encrypt the Plaintext with AES GCM using the CEK as the encryption
- key, the JWE Initialization Vector, and the Additional
- Authenticated Data value, requesting a 128 bit Authentication Tag
- output.
+ o Perform authenticated encryption on the Plaintext with the AES GCM
+ algorithm using the CEK as the encryption key, the JWE
+ Initialization Vector, and the Additional Authenticated Data
+ value, requesting a 128 bit Authentication Tag output.

o Base64url encode the Ciphertext.

o Base64url encode the Authentication Tag.

o Assemble the final representation: The Compact Serialization of
this result is the string BASE64URL(UTF8(JWE Protected Header)) ||
'.' || BASE64URL(JWE Encrypted Key) || '.' || BASE64URL(JWE
Initialization Vector) || '.' || BASE64URL(JWE Ciphertext) || '.'
|| BASE64URL(JWE Authentication Tag).
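The procedure above carried out end to end, as an added Go example that is not code from the draft: it generates a recipient RSA key (a stand-in for the recipient's real key), produces the Compact Serialization exactly as the steps list it, and consumes it again with the checks Sections 4.1.1 and 4.1.2 require, rejecting any "alg"/"enc" it does not support before any key material is used. The allow-list of a single alg and a single enc is this example's own policy, not something the specification fixes.

```go
// Added example (not code from the draft): producing and consuming a JWE
// Compact Serialization with "alg":"RSA-OAEP" and "enc":"A256GCM" by the
// steps of Section 3.3. The alg/enc allow-list is this example's own policy.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// BASE64URL as JOSE defines it: URL-safe alphabet, no '=' padding.
var b64 = base64.RawURLEncoding

type joseHeader struct {
	Alg string `json:"alg"`
	Enc string `json:"enc"`
}

// Encrypt returns BASE64URL(header).BASE64URL(encrypted CEK).BASE64URL(IV).
// BASE64URL(ciphertext).BASE64URL(tag), the five-part form of Section 3.3.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (string, error) {
	hdrJSON, err := json.Marshal(joseHeader{Alg: "RSA-OAEP", Enc: "A256GCM"})
	if err != nil {
		return "", err
	}
	protected := b64.EncodeToString(hdrJSON)
	cek := make([]byte, 32) // fresh random 256-bit Content Encryption Key
	if _, err := rand.Read(cek); err != nil {
		return "", err
	}
	// JWA "RSA-OAEP" is RSAES-OAEP with SHA-1 and MGF1-SHA-1 and an empty label.
	encKey, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, pub, cek, nil)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(cek)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block) // 96-bit IV, 128-bit Authentication Tag
	if err != nil {
		return "", err
	}
	iv := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	// AAD = ASCII(BASE64URL(UTF8(JWE Protected Header))): the encoded form,
	// not the raw JSON, so the header bytes on the wire are what gets bound.
	sealed := gcm.Seal(nil, iv, plaintext, []byte(protected))
	cut := len(sealed) - gcm.Overhead()
	return strings.Join([]string{protected, b64.EncodeToString(encKey),
		b64.EncodeToString(iv), b64.EncodeToString(sealed[:cut]),
		b64.EncodeToString(sealed[cut:])}, "."), nil
}

// Decrypt parses the compact form, rejects any "alg"/"enc" outside the
// allow-list before using key material (Sections 4.1.1 and 4.1.2), and
// reports every cryptographic failure with the same error.
func Decrypt(priv *rsa.PrivateKey, jwe string) ([]byte, error) {
	parts := strings.Split(jwe, ".")
	if len(parts) != 5 {
		return nil, errors.New("compact JWE must have exactly five parts")
	}
	raw := make([][]byte, len(parts))
	for i, p := range parts {
		d, err := b64.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("part %d is not base64url: %w", i, err)
		}
		raw[i] = d
	}
	var hdr joseHeader
	if err := json.Unmarshal(raw[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RSA-OAEP" || hdr.Enc != "A256GCM" {
		return nil, fmt.Errorf("unsupported alg/enc %q/%q", hdr.Alg, hdr.Enc)
	}
	failed := errors.New("decryption failed")
	cek, err := rsa.DecryptOAEP(sha1.New(), rand.Reader, priv, raw[1], nil)
	if err != nil || len(cek) != 32 { // CEK length is fixed by "enc", not by the sender
		return nil, failed
	}
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, failed
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil || len(raw[2]) != gcm.NonceSize() || len(raw[4]) != gcm.Overhead() {
		return nil, failed
	}
	// The AAD is parts[0] exactly as received, so any header change fails here.
	pt, err := gcm.Open(nil, raw[2], append(raw[3], raw[4]...), []byte(parts[0]))
	if err != nil {
		return nil, failed
	}
	return pt, nil
}
```

The protected header encodes to the same eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ shown above, and because that string is the AAD, a header altered after encryption (for instance to a different "enc") never reaches gcm.Open with a valid tag; the allow-list check in Decrypt stops it even earlier, before the RSA private key is used.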
The final result in this example (with line breaks for display

skipping to change at page 12, line 23

have a key that can be used with that algorithm.

A list of defined "alg" values for this use can be found in the IANA
JSON Web Signature and Encryption Algorithms registry defined in
[JWA]; the initial contents of this registry are the values defined
in Section 4.1 of the JSON Web Algorithms (JWA) [JWA] specification.

4.1.2. "enc" (Encryption Algorithm) Header Parameter

The "enc" (encryption algorithm) Header Parameter identifies the
- content encryption algorithm used to encrypt the Plaintext to produce
- the Ciphertext. This algorithm MUST be an AEAD algorithm with a
- specified key length. The recipient MUST reject the JWE if the "enc"
- value does not represent a supported algorithm. "enc" values should
- either be registered in the IANA JSON Web Signature and Encryption
- Algorithms registry defined in [JWA] or be a value that contains a
- Collision-Resistant Name. The "enc" value is a case-sensitive string
+ content encryption algorithm used to perform authenticated encryption
+ on the Plaintext to produce the Ciphertext and the Authentication
+ Tag. This algorithm MUST be an AEAD algorithm with a specified key
+ length. The recipient MUST reject the JWE if the "enc" value does
+ not represent a supported algorithm. "enc" values should either be
+ registered in the IANA JSON Web Signature and Encryption Algorithms
+ registry defined in [JWA] or be a value that contains a Collision-
+ Resistant Name. The "enc" value is a case-sensitive string
containing a StringOrURI value. This Header Parameter MUST be
present and MUST be understood and processed by implementations.

A list of defined "enc" values for this use can be found in the IANA
JSON Web Signature and Encryption Algorithms registry defined in
[JWA]; the initial contents of this registry are the values defined
in Section 5.1 of the JSON Web Algorithms (JWA) [JWA] specification.

4.1.3. "zip" (Compression Algorithm) Header Parameter

skipping to change at page 14, line 11

used to determine the private key needed to decrypt the JWE.

See Appendix B of [JWS] for an example "x5c" value.

4.1.9. "x5t" (X.509 Certificate SHA-1 Thumbprint) Header Parameter

This parameter has the same meaning, syntax, and processing rules as
the "x5t" Header Parameter defined in Section 4.1.7 of [JWS], except
that the certificate referenced by the thumbprint contains the public
key to which the JWE was encrypted; this can be used to determine the
- private key needed to decrypt the JWE.
+ private key needed to decrypt the JWE. Note that certificate
+ thumbprints are also sometimes known as certificate fingerprints.

4.1.10. "x5t#S256" (X.509 Certificate SHA-256 Thumbprint) Header
Parameter

This parameter has the same meaning, syntax, and processing rules as
the "x5t#S256" Header Parameter defined in Section 4.1.8 of [JWS],
except that the certificate referenced by the thumbprint contains the
public key to which the JWE was encrypted; this can be used to
- determine the private key needed to decrypt the JWE.
+ determine the private key needed to decrypt the JWE. Note that
+ certificate thumbprints are also sometimes known as certificate
+ fingerprints.

4.1.11. "typ" (Type) Header Parameter

This parameter has the same meaning, syntax, and processing rules as
the "typ" Header Parameter defined in Section 4.1.9 of [JWS], except
that the type is that of this complete JWE object.

4.1.12. "cty" (Content Type) Header Parameter

This parameter has the same meaning, syntax, and processing rules as
skipping to change at page 30, line 18 (-32) / page 30, line 25 (-33)

101, 100, 103, 101, 32, 98, 117, 116, 32, 105, 109, 97, 103, 105,
110, 97, 116, 105, 111, 110, 46]

A.1.1. JOSE Header

The following example JWE Protected Header declares that:

o the Content Encryption Key is encrypted to the recipient using the
RSAES OAEP algorithm to produce the JWE Encrypted Key and

- o the Plaintext is encrypted using the AES GCM algorithm with a 256
- bit key to produce the Ciphertext.
+ o authenticated encryption is performed on the Plaintext using the
+ AES GCM algorithm with a 256 bit key to produce the Ciphertext and
+ the Authentication Tag.

{"alg":"RSA-OAEP","enc":"A256GCM"}

Encoding this JWE Protected Header as BASE64URL(UTF8(JWE Protected
Header)) gives this value:

eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ

A.1.2. Content Encryption Key (CEK)

skipping to change at page 32, line 28

Let the Additional Authenticated Data encryption parameter be
ASCII(BASE64URL(UTF8(JWE Protected Header))). This value is:

[101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 83, 85, 48, 69,
116, 84, 48, 70, 70, 85, 67, 73, 115, 73, 109, 86, 117, 89, 121, 73,
54, 73, 107, 69, 121, 78, 84, 90, 72, 81, 48, 48, 105, 102, 81]

A.1.6. Content Encryption

- Encrypt the Plaintext with AES GCM using the CEK as the encryption
- key, the JWE Initialization Vector, and the Additional Authenticated
- Data value above, requesting a 128 bit Authentication Tag output.
- The resulting Ciphertext is:
+ Perform authenticated encryption on the Plaintext with the AES GCM
+ algorithm using the CEK as the encryption key, the JWE Initialization
+ Vector, and the Additional Authenticated Data value above, requesting
+ a 128 bit Authentication Tag output. The resulting Ciphertext is:

[229, 236, 166, 241, 53, 191, 115, 196, 174, 43, 73, 109, 39, 122,
233, 96, 140, 206, 120, 52, 51, 237, 48, 11, 190, 219, 186, 80, 111,
104, 50, 142, 47, 167, 59, 61, 181, 127, 196, 21, 40, 82, 242, 32,
123, 143, 168, 226, 73, 216, 176, 144, 138, 247, 106, 60, 16, 205,
160, 109, 64, 63, 192]

The resulting Authentication Tag value is:

[92, 80, 104, 49, 133, 25, 161, 215, 173, 101, 219, 211, 136, 91,

skipping to change at page 34, line 12

[76, 105, 118, 101, 32, 108, 111, 110, 103, 32, 97, 110, 100, 32,
112, 114, 111, 115, 112, 101, 114, 46]

A.2.1. JOSE Header

The following example JWE Protected Header declares that:

o the Content Encryption Key is encrypted to the recipient using the
RSAES-PKCS1-V1_5 algorithm to produce the JWE Encrypted Key and

- o the Plaintext is encrypted using the AES_128_CBC_HMAC_SHA_256
- algorithm to produce the Ciphertext.
+ o authenticated encryption is performed on the Plaintext using the
+ AES_128_CBC_HMAC_SHA_256 algorithm to produce the Ciphertext and
+ the Authentication Tag.

{"alg":"RSA1_5","enc":"A128CBC-HS256"}

Encoding this JWE Protected Header as BASE64URL(UTF8(JWE Protected
Header)) gives this value:

eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0

A.2.2. Content Encryption Key (CEK)

skipping to change at page 36, line 17 (-32) / page 36, line 30 (-33)

Let the Additional Authenticated Data encryption parameter be
ASCII(BASE64URL(UTF8(JWE Protected Header))). This value is:

[101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 83, 85, 48, 69,
120, 88, 122, 85, 105, 76, 67, 74, 108, 98, 109, 77, 105, 79, 105,
74, 66, 77, 84, 73, 52, 81, 48, 74, 68, 76, 85, 104, 84, 77, 106, 85,
50, 73, 110, 48]

A.2.6. Content Encryption

- Encrypt the Plaintext with AES_128_CBC_HMAC_SHA_256 using the CEK as
- the encryption key, the JWE Initialization Vector, and the Additional
- Authenticated Data value above. The steps for doing this using the
- values from Appendix A.3 are detailed in Appendix B. The resulting
- Ciphertext is:
+ Perform authenticated encryption on the Plaintext with the
+ AES_128_CBC_HMAC_SHA_256 algorithm using the CEK as the encryption
+ key, the JWE Initialization Vector, and the Additional Authenticated
+ Data value above. The steps for doing this using the values from
+ Appendix A.3 are detailed in Appendix B. The resulting Ciphertext
+ is:

[40, 57, 83, 181, 119, 33, 133, 148, 198, 185, 243, 24, 152, 230, 6,
75, 129, 223, 127, 19, 210, 82, 183, 230, 168, 33, 215, 104, 143,
112, 56, 102]

The resulting Authentication Tag value is:

[246, 17, 244, 190, 4, 95, 98, 3, 231, 0, 115, 157, 242, 203, 100,
191]
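The AES_128_CBC_HMAC_SHA_256 composition behind A.2.6 (and behind A.3.6 below, where only the protected header, and therefore the AAD and the tag, differ), as an added Go example that is not the draft's code: it splits the CEK into MAC_KEY and ENC_KEY, CBC-encrypts with PKCS #7 padding, and computes the truncated HMAC over AAD || IV || Ciphertext || AL in the order Appendix B describes. The CEK and IV values are taken from the draft's Appendix A.2.2 and A.2.4, which this excerpt does not reproduce; the plaintext and AAD are the A.2 values shown above, and running EncryptA128CBCHS256 on them reproduces the Ciphertext and Authentication Tag listed in A.2.6.

```go
// Added example (not the draft's code): the AES_128_CBC_HMAC_SHA_256
// composition behind "enc":"A128CBC-HS256", as Appendix B lays it out:
// split the CEK into MAC_KEY || ENC_KEY, AES-128-CBC with PKCS #7 padding,
// then HMAC-SHA-256 over AAD || IV || Ciphertext || AL truncated to 128 bits.
// A2CEK and A2IV are the draft's Appendix A.2.2/A.2.4 values (not shown in
// this excerpt); A2Plaintext and A2AAD are the A.2 and A.2.5 values.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
)

var (
	A2CEK = []byte{4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, 63, 170, 106, 206,
		107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, 240, 143, 156, 44, 207}
	A2IV        = []byte{3, 22, 60, 12, 43, 67, 104, 105, 108, 108, 105, 99, 111, 116, 104, 101}
	A2Plaintext = []byte("Live long and prosper.")
	A2AAD       = []byte("eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0")
)

// authTag is HMAC-SHA-256(MAC_KEY, AAD || IV || ciphertext || AL) truncated to
// its first 16 octets. AL is the AAD length in bits as a 64-bit big-endian
// integer; using the octet length here yields a tag that never verifies.
func authTag(macKey, aad, iv, ct []byte) []byte {
	al := make([]byte, 8)
	binary.BigEndian.PutUint64(al, uint64(len(aad))*8)
	h := hmac.New(sha256.New, macKey)
	for _, part := range [][]byte{aad, iv, ct, al} {
		h.Write(part)
	}
	return h.Sum(nil)[:16]
}

// EncryptA128CBCHS256 returns (ciphertext, tag). key is the 32-octet CEK with
// MAC_KEY = key[:16] and ENC_KEY = key[16:]; iv must be 16 octets and fresh.
func EncryptA128CBCHS256(key, iv, plaintext, aad []byte) ([]byte, []byte, error) {
	if len(key) != 32 || len(iv) != aes.BlockSize {
		return nil, nil, errors.New("A128CBC-HS256 needs a 256-bit CEK and a 128-bit IV")
	}
	block, err := aes.NewCipher(key[16:])
	if err != nil {
		return nil, nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS #7: always 1..16 octets
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return ct, authTag(key[:16], aad, iv, ct), nil
}

// DecryptA128CBCHS256 verifies the tag in constant time before decrypting and
// returns one indistinguishable error for tag, length and padding failures,
// so the recipient does not become a padding oracle (Section 11.4).
func DecryptA128CBCHS256(key, iv, ct, tag, aad []byte) ([]byte, error) {
	fail := errors.New("decryption failed")
	if len(key) != 32 || len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, fail
	}
	if subtle.ConstantTimeCompare(authTag(key[:16], aad, iv, ct), tag) != 1 {
		return nil, fail
	}
	block, err := aes.NewCipher(key[16:])
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, fail
	}
	return pt[:len(pt)-pad], nil
}
```

Two details worth checking in any implementation: AL is the AAD length in bits, not octets, and the tag must be verified before the padding is examined, with the same error returned either way. Because CBC itself ignores the AAD, encrypting the same plaintext under the A.3 header produces the same Ciphertext as A.2 but a different Authentication Tag, which is why a tag computed for one protected header does not verify against another.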
skipping to change at page 37, line 45 skipping to change at page 38, line 13
112, 114, 111, 115, 112, 101, 114, 46] 112, 114, 111, 115, 112, 101, 114, 46]
A.3.1. JOSE Header A.3.1. JOSE Header
The following example JWE Protected Header declares that: The following example JWE Protected Header declares that:
o the Content Encryption Key is encrypted to the recipient using the o the Content Encryption Key is encrypted to the recipient using the
AES Key Wrap algorithm with a 128 bit key to produce the JWE AES Key Wrap algorithm with a 128 bit key to produce the JWE
Encrypted Key and Encrypted Key and
o the Plaintext is encrypted using the AES_128_CBC_HMAC_SHA_256 o authenticated encryption is performed on the Plaintext using the
algorithm to produce the Ciphertext. AES_128_CBC_HMAC_SHA_256 algorithm to produce the Ciphertext and
the Authentication Tag.
{"alg":"A128KW","enc":"A128CBC-HS256"} {"alg":"A128KW","enc":"A128CBC-HS256"}
Encoding this JWE Protected Header as BASE64URL(UTF8(JWE Protected Encoding this JWE Protected Header as BASE64URL(UTF8(JWE Protected
Header)) gives this value: Header)) gives this value:
eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0 eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0
A.3.2. Content Encryption Key (CEK) A.3.2. Content Encryption Key (CEK)
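Review bot: style: "128 bit key" in the first bullet should read "128-bit key" (compound adjective used attributively); it is unchanged from -32, but worth fixing while this list is being edited. The reworded second bullet now matches the sentence in A.3.6 that produces the Ciphertext and the Authentication Tag, so the header description and the procedure are consistent.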
skipping to change at page 39, line 17 skipping to change at page 39, line 32
Let the Additional Authenticated Data encryption parameter be Let the Additional Authenticated Data encryption parameter be
ASCII(BASE64URL(UTF8(JWE Protected Header))). This value is: ASCII(BASE64URL(UTF8(JWE Protected Header))). This value is:
[101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 66, 77, 84, 73, 52, [101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 66, 77, 84, 73, 52,
83, 49, 99, 105, 76, 67, 74, 108, 98, 109, 77, 105, 79, 105, 74, 66, 83, 49, 99, 105, 76, 67, 74, 108, 98, 109, 77, 105, 79, 105, 74, 66,
77, 84, 73, 52, 81, 48, 74, 68, 76, 85, 104, 84, 77, 106, 85, 50, 73, 77, 84, 73, 52, 81, 48, 74, 68, 76, 85, 104, 84, 77, 106, 85, 50, 73,
110, 48] 110, 48]
A.3.6. Content Encryption A.3.6. Content Encryption
Encrypt the Plaintext with AES_128_CBC_HMAC_SHA_256 using the CEK as Perform authenticated encryption on the Plaintext with the
the encryption key, the JWE Initialization Vector, and the Additional AES_128_CBC_HMAC_SHA_256 algorithm using the CEK as the encryption
Authenticated Data value above. The steps for doing this using the key, the JWE Initialization Vector, and the Additional Authenticated
values from this example are detailed in Appendix B. The resulting Data value above. The steps for doing this using the values from
Ciphertext is: this example are detailed in Appendix B. The resulting Ciphertext
is:
[40, 57, 83, 181, 119, 33, 133, 148, 198, 185, 243, 24, 152, 230, 6, [40, 57, 83, 181, 119, 33, 133, 148, 198, 185, 243, 24, 152, 230, 6,
75, 129, 223, 127, 19, 210, 82, 183, 230, 168, 33, 215, 104, 143, 75, 129, 223, 127, 19, 210, 82, 183, 230, 168, 33, 215, 104, 143,
112, 56, 102] 112, 56, 102]
The resulting Authentication Tag value is: The resulting Authentication Tag value is:
[83, 73, 191, 98, 104, 205, 211, 128, 201, 189, 199, 133, 32, 38, [83, 73, 191, 98, 104, 205, 211, 128, 201, 189, 199, 133, 32, 38,
194, 85] 194, 85]
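Review bot: style: this paragraph is a near-verbatim copy of A.2.6 and A.4.6, and -33 had to apply the same "authenticated encryption" edit in all three places, which is error prone; suggest keeping the full procedure only here in A.3.6 and having A.2.6 and A.4.6 reference it, listing just their own inputs (Additional Authenticated Data) and outputs (Ciphertext, Authentication Tag), which is what actually differs between them.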
skipping to change at page 41, line 7 skipping to change at page 41, line 23
Key IDs are: Key IDs are:
{"alg":"RSA1_5","kid":"2011-04-29"} {"alg":"RSA1_5","kid":"2011-04-29"}
and and
{"alg":"A128KW","kid":"7"} {"alg":"A128KW","kid":"7"}
A.4.2. JWE Protected Header A.4.2. JWE Protected Header
The Plaintext is encrypted using the AES_128_CBC_HMAC_SHA_256 Authenticated encryption is performed on the Plaintext using the
algorithm to produce the common JWE Ciphertext and JWE Authentication AES_128_CBC_HMAC_SHA_256 algorithm to produce the common JWE
Tag values. The JWE Protected Header value representing this is: Ciphertext and JWE Authentication Tag values. The JWE Protected
Header value representing this is:
{"enc":"A128CBC-HS256"} {"enc":"A128CBC-HS256"}
Encoding this JWE Protected Header as BASE64URL(UTF8(JWE Protected Encoding this JWE Protected Header as BASE64URL(UTF8(JWE Protected
Header)) gives this value: Header)) gives this value:
eyJlbmMiOiJBMTI4Q0JDLUhTMjU2In0 eyJlbmMiOiJBMTI4Q0JDLUhTMjU2In0
A.4.3. JWE Unprotected Header A.4.3. JWE Unprotected Header
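Review bot: missing documentation: the per-recipient headers shown above carry "alg" and "kid" while the Protected Header carries only "enc", and A.4.5 defines the Additional Authenticated Data as the encoded Protected Header alone, so the "alg" and "kid" values in this example are not covered by the JWE Authentication Tag; say so explicitly here, since a reader comparing this with A.3, where "alg" sits in the Protected Header and is therefore authenticated, may otherwise assume the same protection applies.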
skipping to change at page 42, line 7 skipping to change at page 42, line 22
A.4.5. Additional Authenticated Data A.4.5. Additional Authenticated Data
Let the Additional Authenticated Data encryption parameter be Let the Additional Authenticated Data encryption parameter be
ASCII(BASE64URL(UTF8(JWE Protected Header))). This value is: ASCII(BASE64URL(UTF8(JWE Protected Header))). This value is:
[101, 121, 74, 108, 98, 109, 77, 105, 79, 105, 74, 66, 77, 84, 73, [101, 121, 74, 108, 98, 109, 77, 105, 79, 105, 74, 66, 77, 84, 73,
52, 81, 48, 74, 68, 76, 85, 104, 84, 77, 106, 85, 50, 73, 110, 48] 52, 81, 48, 74, 68, 76, 85, 104, 84, 77, 106, 85, 50, 73, 110, 48]
A.4.6. Content Encryption A.4.6. Content Encryption
Encrypt the Plaintext with AES_128_CBC_HMAC_SHA_256 using the CEK as Perform authenticated encryption on the Plaintext with the
the encryption key, the JWE Initialization Vector, and the Additional AES_128_CBC_HMAC_SHA_256 algorithm using the CEK as the encryption
Authenticated Data value above. The steps for doing this using the key, the JWE Initialization Vector, and the Additional Authenticated
values from Appendix A.3 are detailed in Appendix B. The resulting Data value above. The steps for doing this using the values from
Ciphertext is: Appendix A.3 are detailed in Appendix B. The resulting Ciphertext
is:
[40, 57, 83, 181, 119, 33, 133, 148, 198, 185, 243, 24, 152, 230, 6, [40, 57, 83, 181, 119, 33, 133, 148, 198, 185, 243, 24, 152, 230, 6,
75, 129, 223, 127, 19, 210, 82, 183, 230, 168, 33, 215, 104, 143, 75, 129, 223, 127, 19, 210, 82, 183, 230, 168, 33, 215, 104, 143,
112, 56, 102] 112, 56, 102]
The resulting Authentication Tag value is: The resulting Authentication Tag value is:
[51, 63, 149, 60, 252, 148, 225, 25, 92, 185, 139, 245, 35, 2, 47, [51, 63, 149, 60, 252, 148, 225, 25, 92, 185, 139, 245, 35, 2, 47,
207] 207]
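Review bot: "using the values from Appendix A.3" is imprecise for this section: the CEK, Initialization Vector and Plaintext do come from Appendix A.3, but the Additional Authenticated Data used here is the A.4.5 value above (the encoding of {"enc":"A128CBC-HS256"}), not A.3's, which is exactly why the Authentication Tag differs from A.3.6 while the Ciphertext is identical; suggest "using the CEK, Initialization Vector and Plaintext from Appendix A.3 together with the Additional Authenticated Data value above".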
skipping to change at page 46, line 20 skipping to change at page 46, line 20
Thanks to Axel Nennker, Emmanuel Raviart, Brian Campbell, and Edmund Thanks to Axel Nennker, Emmanuel Raviart, Brian Campbell, and Edmund
Jay for validating the examples in this specification. Jay for validating the examples in this specification.
This specification is the work of the JOSE Working Group, which This specification is the work of the JOSE Working Group, which
includes dozens of active and dedicated participants. In particular, includes dozens of active and dedicated participants. In particular,
the following individuals contributed ideas, feedback, and wording the following individuals contributed ideas, feedback, and wording
that influenced this specification: that influenced this specification:
Richard Barnes, John Bradley, Brian Campbell, Breno de Medeiros, Dick Richard Barnes, John Bradley, Brian Campbell, Breno de Medeiros, Dick
Hardt, Jeff Hodges, Edmund Jay, James Manger, Matt Miller, Kathleen Hardt, Jeff Hodges, Russ Housley, Edmund Jay, Scott Kelly, Stephen
Moriarty, Tony Nadalin, Hideki Nara, Axel Nennker, Emmanuel Raviart, Kent, James Manger, Matt Miller, Kathleen Moriarty, Tony Nadalin,
Eric Rescorla, Nat Sakimura, Jim Schaad, Hannes Tschofenig, and Sean Hideki Nara, Axel Nennker, Emmanuel Raviart, Eric Rescorla, Nat
Turner. Sakimura, Jim Schaad, Hannes Tschofenig, and Sean Turner.
Jim Schaad and Karen O'Donoghue chaired the JOSE working group and Jim Schaad and Karen O'Donoghue chaired the JOSE working group and
Sean Turner, Stephen Farrell, and Kathleen Moriarty served as Sean Turner, Stephen Farrell, and Kathleen Moriarty served as
Security area directors during the creation of this specification. Security area directors during the creation of this specification.
Appendix D. Document History Appendix D. Document History
[[ to be removed by the RFC Editor before publication as an RFC ]] [[ to be removed by the RFC Editor before publication as an RFC ]]
-33
o Noted that certificate thumbprints are also sometimes known as
certificate fingerprints.
o Changed to use the term "authenticated encryption" instead of
"encryption", where appropriate.
o Acknowledged additional contributors.
-32 -32
o Addressed Gen-ART review comments by Russ Housley. o Addressed Gen-ART review comments by Russ Housley.
o Addressed secdir review comments by Scott Kelly, Tero Kivinen, and o Addressed secdir review comments by Scott Kelly, Tero Kivinen, and
Stephen Kent. Stephen Kent.
-31 -31
o Updated the reference to draft-mcgrew-aead-aes-cbc-hmac-sha2. o Updated the reference to draft-mcgrew-aead-aes-cbc-hmac-sha2.
-30 -30
o Added subsection headings within the Overview section for the two o Added subsection headings within the Overview section for the two
serializations. serializations.
o Added references and cleaned up the reference syntax in a few o Added references and cleaned up the reference syntax in a few
places. places.
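Review bot: the acknowledgements added in -33 credit Russ Housley, Scott Kelly and Stephen Kent, but Tero Kivinen, named alongside Kelly and Kent in the -32 history entry for the secdir review comments, is not added; either add him to the list or note why the two lists differ.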
 End of changes. 31 change blocks. 
65 lines changed or deleted 85 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/