| < draft-ietf-jose-json-web-encryption-35.txt | draft-ietf-jose-json-web-encryption-36.txt > | |||
|---|---|---|---|---|
| JOSE Working Group M. Jones | JOSE Working Group M. Jones | |||
| Internet-Draft Microsoft | Internet-Draft Microsoft | |||
| Intended status: Standards Track J. Hildebrand | Intended status: Standards Track J. Hildebrand | |||
| Expires: April 20, 2015 Cisco | Expires: April 27, 2015 Cisco | |||
| October 17, 2014 | October 24, 2014 | |||
| JSON Web Encryption (JWE) | JSON Web Encryption (JWE) | |||
| draft-ietf-jose-json-web-encryption-35 | draft-ietf-jose-json-web-encryption-36 | |||
| Abstract | Abstract | |||
| JSON Web Encryption (JWE) represents encrypted content using | JSON Web Encryption (JWE) represents encrypted content using | |||
| JavaScript Object Notation (JSON) based data structures. | JavaScript Object Notation (JSON) based data structures. | |||
| Cryptographic algorithms and identifiers for use with this | Cryptographic algorithms and identifiers for use with this | |||
| specification are described in the separate JSON Web Algorithms (JWA) | specification are described in the separate JSON Web Algorithms (JWA) | |||
| specification and IANA registries defined by that specification. | specification and IANA registries defined by that specification. | |||
| Related digital signature and MAC capabilities are described in the | Related digital signature and MAC capabilities are described in the | |||
| separate JSON Web Signature (JWS) specification. | separate JSON Web Signature (JWS) specification. | |||
| skipping to change at page 1, line 37 ¶ | skipping to change at page 1, line 37 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on April 20, 2015. | This Internet-Draft will expire on April 27, 2015. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 18 ¶ | skipping to change at page 2, line 18 ¶ | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 5 | 1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 5 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 3. JSON Web Encryption (JWE) Overview . . . . . . . . . . . . . . 8 | 3. JSON Web Encryption (JWE) Overview . . . . . . . . . . . . . . 8 | |||
| 3.1. JWE Compact Serialization Overview . . . . . . . . . . . . 9 | 3.1. JWE Compact Serialization Overview . . . . . . . . . . . . 9 | |||
| 3.2. JWE JSON Serialization Overview . . . . . . . . . . . . . 9 | 3.2. JWE JSON Serialization Overview . . . . . . . . . . . . . 9 | |||
| 3.3. Example JWE . . . . . . . . . . . . . . . . . . . . . . . 10 | 3.3. Example JWE . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 4. JOSE Header . . . . . . . . . . . . . . . . . . . . . . . . . 11 | 4. JOSE Header . . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 4.1. Registered Header Parameter Names . . . . . . . . . . . . 11 | 4.1. Registered Header Parameter Names . . . . . . . . . . . . 12 | |||
| 4.1.1. "alg" (Algorithm) Header Parameter . . . . . . . . . . 12 | 4.1.1. "alg" (Algorithm) Header Parameter . . . . . . . . . . 12 | |||
| 4.1.2. "enc" (Encryption Algorithm) Header Parameter . . . . 12 | 4.1.2. "enc" (Encryption Algorithm) Header Parameter . . . . 12 | |||
| 4.1.3. "zip" (Compression Algorithm) Header Parameter . . . . 12 | 4.1.3. "zip" (Compression Algorithm) Header Parameter . . . . 13 | |||
| 4.1.4. "jku" (JWK Set URL) Header Parameter . . . . . . . . . 13 | 4.1.4. "jku" (JWK Set URL) Header Parameter . . . . . . . . . 13 | |||
| 4.1.5. "jwk" (JSON Web Key) Header Parameter . . . . . . . . 13 | 4.1.5. "jwk" (JSON Web Key) Header Parameter . . . . . . . . 13 | |||
| 4.1.6. "kid" (Key ID) Header Parameter . . . . . . . . . . . 13 | 4.1.6. "kid" (Key ID) Header Parameter . . . . . . . . . . . 13 | |||
| 4.1.7. "x5u" (X.509 URL) Header Parameter . . . . . . . . . . 13 | 4.1.7. "x5u" (X.509 URL) Header Parameter . . . . . . . . . . 13 | |||
| 4.1.8. "x5c" (X.509 Certificate Chain) Header Parameter . . . 13 | 4.1.8. "x5c" (X.509 Certificate Chain) Header Parameter . . . 14 | |||
| 4.1.9. "x5t" (X.509 Certificate SHA-1 Thumbprint) Header | 4.1.9. "x5t" (X.509 Certificate SHA-1 Thumbprint) Header | |||
| Parameter . . . . . . . . . . . . . . . . . . . . . . 14 | Parameter . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 4.1.10. "x5t#S256" (X.509 Certificate SHA-256 Thumbprint) | 4.1.10. "x5t#S256" (X.509 Certificate SHA-256 Thumbprint) | |||
| Header Parameter . . . . . . . . . . . . . . . . . . . 14 | Header Parameter . . . . . . . . . . . . . . . . . . . 14 | |||
| 4.1.11. "typ" (Type) Header Parameter . . . . . . . . . . . . 14 | 4.1.11. "typ" (Type) Header Parameter . . . . . . . . . . . . 14 | |||
| 4.1.12. "cty" (Content Type) Header Parameter . . . . . . . . 14 | 4.1.12. "cty" (Content Type) Header Parameter . . . . . . . . 14 | |||
| 4.1.13. "crit" (Critical) Header Parameter . . . . . . . . . . 14 | 4.1.13. "crit" (Critical) Header Parameter . . . . . . . . . . 14 | |||
| 4.2. Public Header Parameter Names . . . . . . . . . . . . . . 14 | 4.2. Public Header Parameter Names . . . . . . . . . . . . . . 15 | |||
| 4.3. Private Header Parameter Names . . . . . . . . . . . . . . 15 | 4.3. Private Header Parameter Names . . . . . . . . . . . . . . 15 | |||
| 5. Producing and Consuming JWEs . . . . . . . . . . . . . . . . . 15 | 5. Producing and Consuming JWEs . . . . . . . . . . . . . . . . . 15 | |||
| 5.1. Message Encryption . . . . . . . . . . . . . . . . . . . . 15 | 5.1. Message Encryption . . . . . . . . . . . . . . . . . . . . 15 | |||
| 5.2. Message Decryption . . . . . . . . . . . . . . . . . . . . 17 | 5.2. Message Decryption . . . . . . . . . . . . . . . . . . . . 17 | |||
| 5.3. String Comparison Rules . . . . . . . . . . . . . . . . . 20 | 5.3. String Comparison Rules . . . . . . . . . . . . . . . . . 20 | |||
| 6. Key Identification . . . . . . . . . . . . . . . . . . . . . . 20 | 6. Key Identification . . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 7. Serializations . . . . . . . . . . . . . . . . . . . . . . . . 20 | 7. Serializations . . . . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 7.1. JWE Compact Serialization . . . . . . . . . . . . . . . . 20 | 7.1. JWE Compact Serialization . . . . . . . . . . . . . . . . 20 | |||
| 7.2. JWE JSON Serialization . . . . . . . . . . . . . . . . . . 21 | 7.2. JWE JSON Serialization . . . . . . . . . . . . . . . . . . 21 | |||
| 8. TLS Requirements . . . . . . . . . . . . . . . . . . . . . . . 23 | 7.2.1. General JWE JSON Serialization Syntax . . . . . . . . 21 | |||
| 9. Distinguishing between JWS and JWE Objects . . . . . . . . . . 23 | 7.2.2. Flattened JWE JSON Serialization Syntax . . . . . . . 24 | |||
| 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24 | 8. TLS Requirements . . . . . . . . . . . . . . . . . . . . . . . 24 | |||
| 9. Distinguishing between JWS and JWE Objects . . . . . . . . . . 25 | ||||
| 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25 | ||||
| 10.1. JSON Web Signature and Encryption Header Parameters | 10.1. JSON Web Signature and Encryption Header Parameters | |||
| Registration . . . . . . . . . . . . . . . . . . . . . . . 24 | Registration . . . . . . . . . . . . . . . . . . . . . . . 25 | |||
| 10.1.1. Registry Contents . . . . . . . . . . . . . . . . . . 24 | ||||
| 11. Security Considerations . . . . . . . . . . . . . . . . . . . 26 | 10.1.1. Registry Contents . . . . . . . . . . . . . . . . . . 25 | |||
| 11.1. Key Entropy and Random Values . . . . . . . . . . . . . . 26 | 11. Security Considerations . . . . . . . . . . . . . . . . . . . 27 | |||
| 11.2. Key Protection . . . . . . . . . . . . . . . . . . . . . . 27 | 11.1. Key Entropy and Random Values . . . . . . . . . . . . . . 28 | |||
| 11.3. Using Matching Algorithm Strengths . . . . . . . . . . . . 27 | 11.2. Key Protection . . . . . . . . . . . . . . . . . . . . . . 28 | |||
| 11.4. Adaptive Chosen-Ciphertext Attacks . . . . . . . . . . . . 27 | 11.3. Using Matching Algorithm Strengths . . . . . . . . . . . . 28 | |||
| 11.5. Timing Attacks . . . . . . . . . . . . . . . . . . . . . . 27 | 11.4. Adaptive Chosen-Ciphertext Attacks . . . . . . . . . . . . 28 | |||
| 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 28 | 11.5. Timing Attacks . . . . . . . . . . . . . . . . . . . . . . 29 | |||
| 12.1. Normative References . . . . . . . . . . . . . . . . . . . 28 | 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 29 | |||
| 12.2. Informative References . . . . . . . . . . . . . . . . . . 28 | 12.1. Normative References . . . . . . . . . . . . . . . . . . . 29 | |||
| Appendix A. JWE Examples . . . . . . . . . . . . . . . . . . . . 29 | 12.2. Informative References . . . . . . . . . . . . . . . . . . 30 | |||
| A.1. Example JWE using RSAES OAEP and AES GCM . . . . . . . . . 30 | Appendix A. JWE Examples . . . . . . . . . . . . . . . . . . . . 31 | |||
| A.1.1. JOSE Header . . . . . . . . . . . . . . . . . . . . . 30 | A.1. Example JWE using RSAES OAEP and AES GCM . . . . . . . . . 31 | |||
| A.1.2. Content Encryption Key (CEK) . . . . . . . . . . . . . 30 | A.1.1. JOSE Header . . . . . . . . . . . . . . . . . . . . . 31 | |||
| A.1.3. Key Encryption . . . . . . . . . . . . . . . . . . . . 30 | A.1.2. Content Encryption Key (CEK) . . . . . . . . . . . . . 31 | |||
| A.1.4. Initialization Vector . . . . . . . . . . . . . . . . 32 | A.1.3. Key Encryption . . . . . . . . . . . . . . . . . . . . 32 | |||
| A.1.5. Additional Authenticated Data . . . . . . . . . . . . 32 | A.1.4. Initialization Vector . . . . . . . . . . . . . . . . 33 | |||
| A.1.6. Content Encryption . . . . . . . . . . . . . . . . . . 32 | A.1.5. Additional Authenticated Data . . . . . . . . . . . . 33 | |||
| A.1.7. Complete Representation . . . . . . . . . . . . . . . 33 | A.1.6. Content Encryption . . . . . . . . . . . . . . . . . . 33 | |||
| A.1.8. Validation . . . . . . . . . . . . . . . . . . . . . . 33 | A.1.7. Complete Representation . . . . . . . . . . . . . . . 34 | |||
| A.1.8. Validation . . . . . . . . . . . . . . . . . . . . . . 34 | ||||
| A.2. Example JWE using RSAES-PKCS1-V1_5 and | A.2. Example JWE using RSAES-PKCS1-V1_5 and | |||
| AES_128_CBC_HMAC_SHA_256 . . . . . . . . . . . . . . . . . 33 | AES_128_CBC_HMAC_SHA_256 . . . . . . . . . . . . . . . . . 35 | |||
| A.2.1. JOSE Header . . . . . . . . . . . . . . . . . . . . . 34 | A.2.1. JOSE Header . . . . . . . . . . . . . . . . . . . . . 35 | |||
| A.2.2. Content Encryption Key (CEK) . . . . . . . . . . . . . 34 | A.2.2. Content Encryption Key (CEK) . . . . . . . . . . . . . 35 | |||
| A.2.3. Key Encryption . . . . . . . . . . . . . . . . . . . . 34 | A.2.3. Key Encryption . . . . . . . . . . . . . . . . . . . . 35 | |||
| A.2.4. Initialization Vector . . . . . . . . . . . . . . . . 36 | A.2.4. Initialization Vector . . . . . . . . . . . . . . . . 37 | |||
| A.2.5. Additional Authenticated Data . . . . . . . . . . . . 36 | A.2.5. Additional Authenticated Data . . . . . . . . . . . . 37 | |||
| A.2.6. Content Encryption . . . . . . . . . . . . . . . . . . 36 | A.2.6. Content Encryption . . . . . . . . . . . . . . . . . . 37 | |||
| A.2.7. Complete Representation . . . . . . . . . . . . . . . 37 | A.2.7. Complete Representation . . . . . . . . . . . . . . . 38 | |||
| A.2.8. Validation . . . . . . . . . . . . . . . . . . . . . . 37 | A.2.8. Validation . . . . . . . . . . . . . . . . . . . . . . 38 | |||
| A.3. Example JWE using AES Key Wrap and | A.3. Example JWE using AES Key Wrap and | |||
| AES_128_CBC_HMAC_SHA_256 . . . . . . . . . . . . . . . . . 37 | AES_128_CBC_HMAC_SHA_256 . . . . . . . . . . . . . . . . . 38 | |||
| A.3.1. JOSE Header . . . . . . . . . . . . . . . . . . . . . 38 | A.3.1. JOSE Header . . . . . . . . . . . . . . . . . . . . . 39 | |||
| A.3.2. Content Encryption Key (CEK) . . . . . . . . . . . . . 38 | A.3.2. Content Encryption Key (CEK) . . . . . . . . . . . . . 39 | |||
| A.3.3. Key Encryption . . . . . . . . . . . . . . . . . . . . 38 | A.3.3. Key Encryption . . . . . . . . . . . . . . . . . . . . 39 | |||
| A.3.4. Initialization Vector . . . . . . . . . . . . . . . . 39 | A.3.4. Initialization Vector . . . . . . . . . . . . . . . . 40 | |||
| A.3.5. Additional Authenticated Data . . . . . . . . . . . . 39 | A.3.5. Additional Authenticated Data . . . . . . . . . . . . 40 | |||
| A.3.6. Content Encryption . . . . . . . . . . . . . . . . . . 39 | A.3.6. Content Encryption . . . . . . . . . . . . . . . . . . 40 | |||
| A.3.7. Complete Representation . . . . . . . . . . . . . . . 40 | A.3.7. Complete Representation . . . . . . . . . . . . . . . 41 | |||
| A.3.8. Validation . . . . . . . . . . . . . . . . . . . . . . 40 | A.3.8. Validation . . . . . . . . . . . . . . . . . . . . . . 41 | |||
| A.4. Example JWE using JWE JSON Serialization . . . . . . . . . 40 | A.4. Example JWE using General JWE JSON Serialization . . . . . 41 | |||
| A.4.1. JWE Per-Recipient Unprotected Headers . . . . . . . . 41 | A.4.1. JWE Per-Recipient Unprotected Headers . . . . . . . . 42 | |||
| A.4.2. JWE Protected Header . . . . . . . . . . . . . . . . . 41 | A.4.2. JWE Protected Header . . . . . . . . . . . . . . . . . 42 | |||
| A.4.3. JWE Unprotected Header . . . . . . . . . . . . . . . . 41 | A.4.3. JWE Unprotected Header . . . . . . . . . . . . . . . . 42 | |||
| A.4.4. Complete JOSE Header Values . . . . . . . . . . . . . 41 | A.4.4. Complete JOSE Header Values . . . . . . . . . . . . . 42 | |||
| A.4.5. Additional Authenticated Data . . . . . . . . . . . . 42 | A.4.5. Additional Authenticated Data . . . . . . . . . . . . 43 | |||
| A.4.6. Content Encryption . . . . . . . . . . . . . . . . . . 42 | A.4.6. Content Encryption . . . . . . . . . . . . . . . . . . 43 | |||
| A.4.7. Complete JWE JSON Serialization Representation . . . . 42 | A.4.7. Complete JWE JSON Serialization Representation . . . . 43 | |||
| Appendix B. Example AES_128_CBC_HMAC_SHA_256 Computation . . . . 43 | ||||
| B.1. Extract MAC_KEY and ENC_KEY from Key . . . . . . . . . . . 43 | A.5. Example JWE using Flattened JWE JSON Serialization . . . . 44 | |||
| B.2. Encrypt Plaintext to Create Ciphertext . . . . . . . . . . 44 | Appendix B. Example AES_128_CBC_HMAC_SHA_256 Computation . . . . 45 | |||
| B.3. 64 Bit Big Endian Representation of AAD Length . . . . . . 44 | B.1. Extract MAC_KEY and ENC_KEY from Key . . . . . . . . . . . 45 | |||
| B.4. Initialization Vector Value . . . . . . . . . . . . . . . 45 | B.2. Encrypt Plaintext to Create Ciphertext . . . . . . . . . . 46 | |||
| B.5. Create Input to HMAC Computation . . . . . . . . . . . . . 45 | B.3. 64 Bit Big Endian Representation of AAD Length . . . . . . 46 | |||
| B.6. Compute HMAC Value . . . . . . . . . . . . . . . . . . . . 45 | B.4. Initialization Vector Value . . . . . . . . . . . . . . . 46 | |||
| B.7. Truncate HMAC Value to Create Authentication Tag . . . . . 45 | B.5. Create Input to HMAC Computation . . . . . . . . . . . . . 46 | |||
| Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 45 | B.6. Compute HMAC Value . . . . . . . . . . . . . . . . . . . . 47 | |||
| Appendix D. Document History . . . . . . . . . . . . . . . . . . 46 | B.7. Truncate HMAC Value to Create Authentication Tag . . . . . 47 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 57 | Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 47 | |||
| Appendix D. Document History . . . . . . . . . . . . . . . . . . 48 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 59 | ||||
| 1. Introduction | 1. Introduction | |||
| JSON Web Encryption (JWE) represents encrypted content using | JSON Web Encryption (JWE) represents encrypted content using | |||
| JavaScript Object Notation (JSON) [RFC7159] based data structures. | JavaScript Object Notation (JSON) [RFC7159] based data structures. | |||
| The JWE cryptographic mechanisms encrypt and provide integrity | The JWE cryptographic mechanisms encrypt and provide integrity | |||
| protection for an arbitrary sequence of octets. | protection for an arbitrary sequence of octets. | |||
| Two closely related serializations for JWE objects are defined. The | Two closely related serializations for JWE objects are defined. The | |||
| JWE Compact Serialization is a compact, URL-safe representation | JWE Compact Serialization is a compact, URL-safe representation | |||
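Review bot: In the table of contents, A.4 is retitled "Example JWE using General JWE JSON Serialization" but its subsection A.4.7 still reads "Complete JWE JSON Serialization Representation". Rename A.4.7 to name the general syntax as well, so the entry is not read as covering both the general and the flattened form now that A.5 exists.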
| skipping to change at page 8, line 41 ¶ | skipping to change at page 8, line 41 ¶ | |||
| Direct Encryption | Direct Encryption | |||
| A Key Management Mode in which the Content Encryption Key (CEK) | A Key Management Mode in which the Content Encryption Key (CEK) | |||
| value used is the secret symmetric key value shared between the | value used is the secret symmetric key value shared between the | |||
| parties. | parties. | |||
| 3. JSON Web Encryption (JWE) Overview | 3. JSON Web Encryption (JWE) Overview | |||
| JWE represents encrypted content using JSON data structures and | JWE represents encrypted content using JSON data structures and | |||
| base64url encoding. These JSON data structures MAY contain white | base64url encoding. These JSON data structures MAY contain white | |||
| space and/or line breaks. A JWE represents these logical values | space and/or line breaks before or after any JSON values or | |||
| (each of which is defined in Section 2): | structural characters, in accordance with Section 2 of RFC 7159 | |||
| [RFC7159]. A JWE represents these logical values (each of which is | ||||
| defined in Section 2): | ||||
| o JOSE Header | o JOSE Header | |||
| o JWE Encrypted Key | o JWE Encrypted Key | |||
| o JWE Initialization Vector | o JWE Initialization Vector | |||
| o JWE AAD | o JWE AAD | |||
| o JWE Ciphertext | o JWE Ciphertext | |||
| o JWE Authentication Tag | o JWE Authentication Tag | |||
| For a JWE object, the JOSE Header members are the union of the | For a JWE object, the JOSE Header members are the union of the | |||
| members of these values (each of which is defined in Section 2): | members of these values (each of which is defined in Section 2): | |||
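Review bot: The widened white space allowance in Section 3 ("before or after any JSON values or structural characters") does not say how it interacts with the integrity protected header. Section 7.2.1 carries the JWE Protected Header as BASE64URL(UTF8(JWE Protected Header)), so any white space in that JSON is part of the protected octets. Suggest one sentence stating that a consumer must use the received "protected" value as is and must not re-serialize the header JSON before verification.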
| skipping to change at page 11, line 33 ¶ | skipping to change at page 11, line 38 ¶ | |||
| Sv04uVuxIp5Zms1gNxKKK2Da14B8S4rzVRltdYwam_lDp5XnZAYpQdb76FdIKLaV | Sv04uVuxIp5Zms1gNxKKK2Da14B8S4rzVRltdYwam_lDp5XnZAYpQdb76FdIKLaV | |||
| mqgfwX7XWRxv2322i-vDxRfqNzo_tETKzpVLzfiwQyeyPGLBIO56YJ7eObdv0je8 | mqgfwX7XWRxv2322i-vDxRfqNzo_tETKzpVLzfiwQyeyPGLBIO56YJ7eObdv0je8 | |||
| 1860ppamavo35UgoRdbYaBcoh9QcfylQr66oc6vFWXRcZ_ZT2LawVCWTIy3brGPi | 1860ppamavo35UgoRdbYaBcoh9QcfylQr66oc6vFWXRcZ_ZT2LawVCWTIy3brGPi | |||
| 6UklfCpIMfIjf7iGdXKHzg. | 6UklfCpIMfIjf7iGdXKHzg. | |||
| 48V1_ALb6US04U3b. | 48V1_ALb6US04U3b. | |||
| 5eym8TW_c8SuK0ltJ3rpYIzOeDQz7TALvtu6UG9oMo4vpzs9tX_EFShS8iB7j6ji | 5eym8TW_c8SuK0ltJ3rpYIzOeDQz7TALvtu6UG9oMo4vpzs9tX_EFShS8iB7j6ji | |||
| SdiwkIr3ajwQzaBtQD_A. | SdiwkIr3ajwQzaBtQD_A. | |||
| XFBoMYUZodetZdvTiFvSkQ | XFBoMYUZodetZdvTiFvSkQ | |||
| See Appendix A.1 for the complete details of computing this JWE. See | See Appendix A.1 for the complete details of computing this JWE. See | |||
| other parts of Appendix A for additional examples, including an | Appendix A for additional examples, including examples using the JWE | |||
| example using the JWE JSON Serialization in Appendix A.4. | JSON Serialization in Sections A.4 and A.5. | |||
| 4. JOSE Header | 4. JOSE Header | |||
| For a JWE object, the members of the JSON object(s) representing the | For a JWE object, the members of the JSON object(s) representing the | |||
| JOSE Header describe the encryption applied to the Plaintext and | JOSE Header describe the encryption applied to the Plaintext and | |||
| optionally additional properties of the JWE. The Header Parameter | optionally additional properties of the JWE. The Header Parameter | |||
| names within the JOSE Header MUST be unique, just as described in | names within the JOSE Header MUST be unique, just as described in | |||
| Section 4 of [JWS]. The rules about handling Header Parameters that | Section 4 of [JWS]. The rules about handling Header Parameters that | |||
| are not understood by the implementation are also the same. The | are not understood by the implementation are also the same. The | |||
| classes of Header Parameter names are likewise the same. | classes of Header Parameter names are likewise the same. | |||
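Review bot: The rewritten pointer at the end of Section 3.3 says "Sections A.4 and A.5", while the other cross-references added in this revision use "Appendix A.4" and "Appendix A.5" (end of 7.2.1 and 7.2.2). Use "Appendices A.4 and A.5" here so the references are consistent.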
| skipping to change at page 21, line 8 ¶ | skipping to change at page 21, line 18 ¶ | |||
| BASE64URL(JWE Ciphertext) || '.' || | BASE64URL(JWE Ciphertext) || '.' || | |||
| BASE64URL(JWE Authentication Tag) | BASE64URL(JWE Authentication Tag) | |||
| Only one recipient is supported by the JWE Compact Serialization and | Only one recipient is supported by the JWE Compact Serialization and | |||
| it provides no syntax to represent JWE Shared Unprotected Header, JWE | it provides no syntax to represent JWE Shared Unprotected Header, JWE | |||
| Per-Recipient Unprotected Header, or JWE AAD values. | Per-Recipient Unprotected Header, or JWE AAD values. | |||
| 7.2. JWE JSON Serialization | 7.2. JWE JSON Serialization | |||
| The JWE JSON Serialization represents encrypted content as a JSON | The JWE JSON Serialization represents encrypted content as a JSON | |||
| object. Content using the JWE JSON Serialization can be encrypted to | object. This representation is neither optimized for compactness nor | |||
| more than one recipient. This representation is neither optimized | URL-safe. | |||
| for compactness nor URL-safe. | ||||
| Two closely related syntaxes are defined for the JWE JSON | ||||
| Serialization: a fully general syntax, with which content can be | ||||
| encrypted to more than one recipient, and a flattened syntax, which | ||||
| is optimized for the single recipient case. | ||||
| 7.2.1. General JWE JSON Serialization Syntax | ||||
| The following members are defined for use in top-level JSON objects | The following members are defined for use in top-level JSON objects | |||
| used for the JWE JSON Serialization: | used for the fully general JWE JSON Serialization syntax: | |||
| protected | protected | |||
| The "protected" member MUST be present and contain the value | The "protected" member MUST be present and contain the value | |||
| BASE64URL(UTF8(JWE Protected Header)) when the JWE Protected | BASE64URL(UTF8(JWE Protected Header)) when the JWE Protected | |||
| Header value is non-empty; otherwise, it MUST be absent. These | Header value is non-empty; otherwise, it MUST be absent. These | |||
| Header Parameter values are integrity protected. | Header Parameter values are integrity protected. | |||
| unprotected | unprotected | |||
| The "unprotected" member MUST be present and contain the value JWE | The "unprotected" member MUST be present and contain the value JWE | |||
| Shared Unprotected Header when the JWE Shared Unprotected Header | Shared Unprotected Header when the JWE Shared Unprotected Header | |||
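Review bot: The new paragraph in 7.2 that introduces the "fully general syntax" and the "flattened syntax" does not tell a consumer how to decide which one it has received. Since 7.2.2 states that the "recipients" member MUST NOT be present in the flattened syntax, say here that the presence of "recipients" is what selects the general syntax, so that parsers do not infer the form from other members.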
| skipping to change at page 23, line 8 ¶ | skipping to change at page 23, line 24 ¶ | |||
| Header Parameter names in the three locations MUST be disjoint. | Header Parameter names in the three locations MUST be disjoint. | |||
| Each JWE Encrypted Key value is computed using the parameters of the | Each JWE Encrypted Key value is computed using the parameters of the | |||
| corresponding JOSE Header value in the same manner as for the JWE | corresponding JOSE Header value in the same manner as for the JWE | |||
| Compact Serialization. This has the desirable property that each JWE | Compact Serialization. This has the desirable property that each JWE | |||
| Encrypted Key value in the "recipients" array is identical to the | Encrypted Key value in the "recipients" array is identical to the | |||
| value that would have been computed for the same parameter in the JWE | value that would have been computed for the same parameter in the JWE | |||
| Compact Serialization. Likewise, the JWE Ciphertext and JWE | Compact Serialization. Likewise, the JWE Ciphertext and JWE | |||
| Authentication Tag values match those produced for the JWE Compact | Authentication Tag values match those produced for the JWE Compact | |||
| Serialization, provided that the JWE Protected Header value (which | Serialization, provided that the JWE Protected Header value (which | |||
| represents the integrity-protected Header Parameter values) matches | represents the integrity protected Header Parameter values) matches | |||
| that used in the JWE Compact Serialization. | that used in the JWE Compact Serialization. | |||
| All recipients use the same JWE Protected Header, JWE Initialization | All recipients use the same JWE Protected Header, JWE Initialization | |||
| Vector, JWE Ciphertext, and JWE Authentication Tag values, when | Vector, JWE Ciphertext, and JWE Authentication Tag values, when | |||
| present, resulting in potentially significant space savings if the | present, resulting in potentially significant space savings if the | |||
| message is large. Therefore, all Header Parameters that specify the | message is large. Therefore, all Header Parameters that specify the | |||
| treatment of the Plaintext value MUST be the same for all recipients. | treatment of the Plaintext value MUST be the same for all recipients. | |||
| This primarily means that the "enc" (encryption algorithm) Header | This primarily means that the "enc" (encryption algorithm) Header | |||
| Parameter value in the JOSE Header for each recipient and any | Parameter value in the JOSE Header for each recipient and any | |||
| parameters of that algorithm MUST be the same. | parameters of that algorithm MUST be the same. | |||
| In summary, the syntax of a JWE using the JWE JSON Serialization is | In summary, the syntax of a JWE using the general JWE JSON | |||
| as follows: | Serialization is as follows: | |||
| {"protected":"<integrity-protected shared header contents>", | { | |||
| "protected":"<integrity-protected shared header contents>", | ||||
| "unprotected":<non-integrity-protected shared header contents>, | "unprotected":<non-integrity-protected shared header contents>, | |||
| "recipients":[ | "recipients":[ | |||
| {"header":<per-recipient unprotected header 1 contents>, | {"header":<per-recipient unprotected header 1 contents>, | |||
| "encrypted_key":"<encrypted key 1 contents>"}, | "encrypted_key":"<encrypted key 1 contents>"}, | |||
| ... | ... | |||
| {"header":<per-recipient unprotected header N contents>, | {"header":<per-recipient unprotected header N contents>, | |||
| "encrypted_key":"<encrypted key N contents>"}], | "encrypted_key":"<encrypted key N contents>"}], | |||
| "aad":"<additional authenticated data contents>", | "aad":"<additional authenticated data contents>", | |||
| "iv":"<initialization vector contents>", | "iv":"<initialization vector contents>", | |||
| "ciphertext":"<ciphertext contents>", | "ciphertext":"<ciphertext contents>", | |||
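Review bot: The prose change from "integrity-protected Header Parameter values" to "integrity protected Header Parameter values" leaves the syntax summary in the same hunk inconsistent: its placeholders still read "<integrity-protected shared header contents>" and "<non-integrity-protected shared header contents>". Settle on one spelling and apply it to both the prose and the placeholders.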
| skipping to change at page 23, line 35 ¶ | skipping to change at page 24, line 4 ¶ | |||
| "recipients":[ | "recipients":[ | |||
| {"header":<per-recipient unprotected header 1 contents>, | {"header":<per-recipient unprotected header 1 contents>, | |||
| "encrypted_key":"<encrypted key 1 contents>"}, | "encrypted_key":"<encrypted key 1 contents>"}, | |||
| ... | ... | |||
| {"header":<per-recipient unprotected header N contents>, | {"header":<per-recipient unprotected header N contents>, | |||
| "encrypted_key":"<encrypted key N contents>"}], | "encrypted_key":"<encrypted key N contents>"}], | |||
| "aad":"<additional authenticated data contents>", | "aad":"<additional authenticated data contents>", | |||
| "iv":"<initialization vector contents>", | "iv":"<initialization vector contents>", | |||
| "ciphertext":"<ciphertext contents>", | "ciphertext":"<ciphertext contents>", | |||
| "tag":"<authentication tag contents>" | "tag":"<authentication tag contents>" | |||
| } | } | |||
| See Appendix A.4 for an example of computing a JWE using the JWE JSON | See Appendix A.4 for an example JWE using the general JWE JSON | |||
| Serialization. | Serialization syntax. | |||
| 7.2.2. Flattened JWE JSON Serialization Syntax | ||||
| The flattened JWE JSON Serialization syntax is based upon the general | ||||
| syntax, but flattens it, optimizing it for the single recipient case. | ||||
| It flattens it by removing the "recipients" member and instead | ||||
| placing those members defined for use in the "recipients" array (the | ||||
| "header" and "encrypted_key" members) in the top-level JSON object | ||||
| (at the same level as the "ciphertext" member). | ||||
| The "recipients" member MUST NOT be present when using this syntax. | ||||
| Other than this syntax difference, JWE JSON Serialization objects | ||||
| using the flattened syntax are processed identically to those using | ||||
| the general syntax. | ||||
| In summary, the syntax of a JWE using the flattened JWE JSON | ||||
| Serialization is as follows: | ||||
| { | ||||
| "protected":"<integrity-protected header contents>", | ||||
| "unprotected":<non-integrity-protected header contents>, | ||||
| "header":<more non-integrity-protected header contents>, | ||||
| "encrypted_key":"<encrypted key contents>", | ||||
| "aad":"<additional authenticated data contents>", | ||||
| "iv":"<initialization vector contents>", | ||||
| "ciphertext":"<ciphertext contents>", | ||||
| "tag":"<authentication tag contents>" | ||||
| } | ||||
| Note that when using the flattened syntax, just as when using the | ||||
| general syntax, any unprotected Header Parameter values can reside in | ||||
| either the "unprotected" member or the "header" member, or in both. | ||||
| See Appendix A.5 for an example JWE using the flattened JWE JSON | ||||
| Serialization syntax. | ||||
| 8. TLS Requirements | 8. TLS Requirements | |||
| The TLS requirements for this specification are the same as those | The TLS requirements for this specification are the same as those | |||
| defined in Section 8 of [JWS]. | defined in Section 8 of [JWS]. | |||
| 9. Distinguishing between JWS and JWE Objects | 9. Distinguishing between JWS and JWE Objects | |||
| There are several ways of distinguishing whether an object is a JWS | There are several ways of distinguishing whether an object is a JWS | |||
| or JWE object. All these methods will yield the same result for all | or JWE object. All these methods will yield the same result for all | |||
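Review bot: In new Section 7.2.2, the rule 'The "recipients" member MUST NOT be present when using this syntax' leaves consumer behaviour undefined for an object that carries "recipients" together with a top-level "header" or "encrypted_key". Because the flattened and general forms are otherwise "processed identically", two implementations could select different encrypted keys or per-recipient headers from such an object. Suggest adding a sentence that an object containing both MUST be rejected as invalid, and stating the mirror-image prohibition (no top-level "header" or "encrypted_key" alongside "recipients") where the general syntax is defined, if it is not already there.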
| skipping to change at page 24, line 14 ¶ | skipping to change at page 25, line 20 ¶ | |||
| inputs. | inputs. | |||
| o If the object is using the JWS Compact Serialization or the JWE | o If the object is using the JWS Compact Serialization or the JWE | |||
| Compact Serialization, the number of base64url encoded segments | Compact Serialization, the number of base64url encoded segments | |||
| separated by period ('.') characters differs for JWSs and JWEs. | separated by period ('.') characters differs for JWSs and JWEs. | |||
| JWSs have three segments separated by two period ('.') characters. | JWSs have three segments separated by two period ('.') characters. | |||
| JWEs have five segments separated by four period ('.') characters. | JWEs have five segments separated by four period ('.') characters. | |||
| o If the object is using the JWS JSON Serialization or the JWE JSON | o If the object is using the JWS JSON Serialization or the JWE JSON | |||
| Serialization, the members used will be different. JWSs have a | Serialization, the members used will be different. JWSs have a | |||
| "signatures" member and JWEs do not. JWEs have a "recipients" | "payload" member and JWEs do not. JWEs have a "ciphertext" member | |||
| member and JWSs do not. | and JWSs do not. | |||
| o The JOSE Header for a JWS object can be distinguished from the | o The JOSE Header for a JWS object can be distinguished from the | |||
| JOSE Header for a JWE object by examining the "alg" (algorithm) | JOSE Header for a JWE object by examining the "alg" (algorithm) | |||
| Header Parameter value. If the value represents a digital | Header Parameter value. If the value represents a digital | |||
| signature or MAC algorithm, or is the value "none", it is for a | signature or MAC algorithm, or is the value "none", it is for a | |||
| JWS; if it represents a Key Encryption, Key Wrapping, Direct Key | JWS; if it represents a Key Encryption, Key Wrapping, Direct Key | |||
| Agreement, Key Agreement with Key Wrapping, or Direct Encryption | Agreement, Key Agreement with Key Wrapping, or Direct Encryption | |||
| algorithm, it is for a JWE. (Extracting the "alg" value to | algorithm, it is for a JWE. (Extracting the "alg" value to | |||
| examine is straightforward when using the JWS Compact | examine is straightforward when using the JWS Compact | |||
| Serialization or the JWE Compact Serialization and may be more | Serialization or the JWE Compact Serialization and may be more | |||
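Review bot: The second bullet of Section 9 does not say how to classify a JSON object that contains both "payload" and "ciphertext", or neither, even though the lead-in promises that all methods "yield the same result for all inputs". The switch from "signatures"/"recipients" to "payload"/"ciphertext" is needed now that the flattened syntax has no "recipients" member, but the claim only holds for well-formed objects. Suggest qualifying it as "all valid inputs" and stating that an object with both members is neither a valid JWS nor a valid JWE, so that code which dispatches on these members fails closed.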
| skipping to change at page 40, line 38 ¶ | skipping to change at page 41, line 38 ¶ | |||
| This example illustrates the process of creating a JWE with AES Key | This example illustrates the process of creating a JWE with AES Key | |||
| Wrap for key encryption and AES GCM for content encryption. These | Wrap for key encryption and AES GCM for content encryption. These | |||
| results can be used to validate JWE decryption implementations for | results can be used to validate JWE decryption implementations for | |||
| these algorithms. Also, since both the AES Key Wrap and AES GCM | these algorithms. Also, since both the AES Key Wrap and AES GCM | |||
| computations are deterministic, the resulting JWE value will be the | computations are deterministic, the resulting JWE value will be the | |||
| same for all encryptions performed using these inputs. Since the | same for all encryptions performed using these inputs. Since the | |||
| computation is reproducible, these results can also be used to | computation is reproducible, these results can also be used to | |||
| validate JWE encryption implementations for these algorithms. | validate JWE encryption implementations for these algorithms. | |||
| A.4. Example JWE using JWE JSON Serialization | A.4. Example JWE using General JWE JSON Serialization | |||
| This section contains an example using the JWE JSON Serialization. | This section contains an example using the general JWE JSON | |||
| This example demonstrates the capability for encrypting the same | Serialization syntax. This example demonstrates the capability for | |||
| plaintext to multiple recipients. | encrypting the same plaintext to multiple recipients. | |||
| Two recipients are present in this example. The algorithm and key | Two recipients are present in this example. The algorithm and key | |||
| used for the first recipient are the same as that used in | used for the first recipient are the same as that used in | |||
| Appendix A.2. The algorithm and key used for the second recipient | Appendix A.2. The algorithm and key used for the second recipient | |||
| are the same as that used in Appendix A.3. The resulting JWE | are the same as that used in Appendix A.3. The resulting JWE | |||
| Encrypted Key values are therefore the same; those computations are | Encrypted Key values are therefore the same; those computations are | |||
| not repeated here. | not repeated here. | |||
| The Plaintext, the Content Encryption Key (CEK), JWE Initialization | The Plaintext, the Content Encryption Key (CEK), JWE Initialization | |||
| Vector, and JWE Protected Header are shared by all recipients (which | Vector, and JWE Protected Header are shared by all recipients (which | |||
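Review bot: The rename of the A.4 heading to "Example JWE using General JWE JSON Serialization" is not carried through to its subsections: the A.4.7 heading later in this diff still reads "Complete JWE JSON Serialization Representation", and its introductory sentence says only "The complete JWE JSON Serialization". With A.5 now introducing a second JSON form, suggest adding "General" to the A.4.7 heading and sentence so a reader landing on that subsection can tell which syntax is shown.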
| skipping to change at page 42, line 50 ¶ | skipping to change at page 43, line 50 ¶ | |||
| KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY | KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY | |||
| Encoding this JWE Authentication Tag as BASE64URL(JWE Authentication | Encoding this JWE Authentication Tag as BASE64URL(JWE Authentication | |||
| Tag) gives this value: | Tag) gives this value: | |||
| Mz-VPPyU4RlcuYv1IwIvzw | Mz-VPPyU4RlcuYv1IwIvzw | |||
| A.4.7. Complete JWE JSON Serialization Representation | A.4.7. Complete JWE JSON Serialization Representation | |||
| The complete JSON Web Encryption JSON Serialization for these values | The complete JWE JSON Serialization for these values is as follows | |||
| is as follows (with line breaks within values for display purposes | (with line breaks within values for display purposes only): | |||
| only): | ||||
| {"protected": | { | |||
| "protected": | ||||
| "eyJlbmMiOiJBMTI4Q0JDLUhTMjU2In0", | "eyJlbmMiOiJBMTI4Q0JDLUhTMjU2In0", | |||
| "unprotected": | "unprotected": | |||
| {"jku":"https://server.example.com/keys.jwks"}, | {"jku":"https://server.example.com/keys.jwks"}, | |||
| "recipients":[ | "recipients":[ | |||
| {"header": | {"header": | |||
| {"alg":"RSA1_5","kid":"2011-04-29"}, | {"alg":"RSA1_5","kid":"2011-04-29"}, | |||
| "encrypted_key": | "encrypted_key": | |||
| "UGhIOguC7IuEvf_NPVaXsGMoLOmwvc1GyqlIKOK1nN94nHPoltGRhWhw7Zx0- | "UGhIOguC7IuEvf_NPVaXsGMoLOmwvc1GyqlIKOK1nN94nHPoltGRhWhw7Zx0- | |||
| kFm1NJn8LE9XShH59_i8J0PH5ZZyNfGy2xGdULU7sHNF6Gp2vPLgNZ__deLKx | kFm1NJn8LE9XShH59_i8J0PH5ZZyNfGy2xGdULU7sHNF6Gp2vPLgNZ__deLKx | |||
| GHZ7PcHALUzoOegEI-8E66jX2E4zyJKx-YxzZIItRzC5hlRirb6Y5Cl_p-ko3 | GHZ7PcHALUzoOegEI-8E66jX2E4zyJKx-YxzZIItRzC5hlRirb6Y5Cl_p-ko3 | |||
| skipping to change at page 43, line 31 ¶ | skipping to change at page 44, line 32 ¶ | |||
| "encrypted_key": | "encrypted_key": | |||
| "6KB707dM9YTIgHtLvtgWQ8mKwboJW3of9locizkDTHzBC2IlrT1oOQ"}], | "6KB707dM9YTIgHtLvtgWQ8mKwboJW3of9locizkDTHzBC2IlrT1oOQ"}], | |||
| "iv": | "iv": | |||
| "AxY8DCtDaGlsbGljb3RoZQ", | "AxY8DCtDaGlsbGljb3RoZQ", | |||
| "ciphertext": | "ciphertext": | |||
| "KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY", | "KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY", | |||
| "tag": | "tag": | |||
| "Mz-VPPyU4RlcuYv1IwIvzw" | "Mz-VPPyU4RlcuYv1IwIvzw" | |||
| } | } | |||
| A.5. Example JWE using Flattened JWE JSON Serialization | ||||
| This section contains an example using the flattened JWE JSON | ||||
| Serialization syntax. This example demonstrates the capability for | ||||
| encrypting the plaintext to a single recipient in a flattened JSON | ||||
| structure. | ||||
| The values in this example are the same as those for the second | ||||
| recipient of the previous example in Appendix A.4. | ||||
| The complete JWE JSON Serialization for these values is as follows | ||||
| (with line breaks within values for display purposes only): | ||||
| { | ||||
| "protected": | ||||
| "eyJlbmMiOiJBMTI4Q0JDLUhTMjU2In0", | ||||
| "unprotected": | ||||
| {"jku":"https://server.example.com/keys.jwks"}, | ||||
| "header": | ||||
| {"alg":"A128KW","kid":"7"}, | ||||
| "encrypted_key": | ||||
| "6KB707dM9YTIgHtLvtgWQ8mKwboJW3of9locizkDTHzBC2IlrT1oOQ", | ||||
| "iv": | ||||
| "AxY8DCtDaGlsbGljb3RoZQ", | ||||
| "ciphertext": | ||||
| "KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY", | ||||
| "tag": | ||||
| "Mz-VPPyU4RlcuYv1IwIvzw" | ||||
| } | ||||
| Appendix B. Example AES_128_CBC_HMAC_SHA_256 Computation | Appendix B. Example AES_128_CBC_HMAC_SHA_256 Computation | |||
| This example shows the steps in the AES_128_CBC_HMAC_SHA_256 | This example shows the steps in the AES_128_CBC_HMAC_SHA_256 | |||
| authenticated encryption computation using the values from the | authenticated encryption computation using the values from the | |||
| example in Appendix A.3. As described where this algorithm is | example in Appendix A.3. As described where this algorithm is | |||
| defined in Sections 5.2 and 5.2.3 of JWA, the AES_CBC_HMAC_SHA2 | defined in Sections 5.2 and 5.2.3 of JWA, the AES_CBC_HMAC_SHA2 | |||
| family of algorithms are implemented using Advanced Encryption | family of algorithms are implemented using Advanced Encryption | |||
| Standard (AES) in Cipher Block Chaining (CBC) mode with PKCS #7 | Standard (AES) in Cipher Block Chaining (CBC) mode with PKCS #7 | |||
| padding to perform the encryption and an HMAC SHA-2 function to | padding to perform the encryption and an HMAC SHA-2 function to | |||
| perform the integrity calculation - in this case, HMAC SHA-256. | perform the integrity calculation - in this case, HMAC SHA-256. | |||
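Review bot: The new A.5 example carries "alg" and "kid" in the "header" member, which Section 7.2.2 labels as non-integrity-protected, while "protected" holds only the "enc" value reused from A.4. That placement is a carry-over from the multi-recipient example, where per-recipient values cannot go in the shared protected header, but in the single-recipient case nothing prevents protecting them, and readers tend to copy appendix examples verbatim. Suggest a sentence in A.5 saying the layout is kept identical to the second recipient of A.4 for comparison only, and that a single-recipient producer can place "alg" in "protected". The introductory sentence could also say "complete flattened JWE JSON Serialization" to distinguish it from A.4.7.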
| skipping to change at page 46, line 34 ¶ | skipping to change at page 48, line 21 ¶ | |||
| Sakimura, Jim Schaad, Hannes Tschofenig, and Sean Turner. | Sakimura, Jim Schaad, Hannes Tschofenig, and Sean Turner. | |||
| Jim Schaad and Karen O'Donoghue chaired the JOSE working group and | Jim Schaad and Karen O'Donoghue chaired the JOSE working group and | |||
| Sean Turner, Stephen Farrell, and Kathleen Moriarty served as | Sean Turner, Stephen Farrell, and Kathleen Moriarty served as | |||
| Security area directors during the creation of this specification. | Security area directors during the creation of this specification. | |||
| Appendix D. Document History | Appendix D. Document History | |||
| [[ to be removed by the RFC Editor before publication as an RFC ]] | [[ to be removed by the RFC Editor before publication as an RFC ]] | |||
| -36 | ||||
| o Defined a flattened JWE JSON Serialization syntax, which is | ||||
| optimized for the single recipient case. | ||||
| o Clarified where white space and line breaks may occur in JSON | ||||
| objects by referencing Section 2 of RFC 7159. | ||||
| -35 | -35 | |||
| o Addressed AppsDir reviews by Ray Polk. | o Addressed AppsDir reviews by Ray Polk. | |||
| -34 | -34 | |||
| o Addressed IESG review comments by Barry Leiba, Alissa Cooper, Pete | o Addressed IESG review comments by Barry Leiba, Alissa Cooper, Pete | |||
| Resnick, Stephen Farrell, and Richard Barnes. | Resnick, Stephen Farrell, and Richard Barnes. | |||
| -33 | -33 | |||
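Review bot: The -36 history entry omits the Section 9 change that replaces "signatures"/"recipients" with "payload"/"ciphertext" as the members used to tell JWS and JWE JSON objects apart. That edit alters the guidance implementers follow when dispatching on object type, so it deserves its own bullet, for example "Changed the members used to distinguish JWS and JWE JSON Serialization objects to "payload" and "ciphertext"."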
| End of changes. 27 change blocks. | ||||
| 93 lines changed or deleted | 181 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||