| < draft-ietf-jose-json-web-encryption-37.txt | draft-ietf-jose-json-web-encryption-38.txt > | |||
|---|---|---|---|---|
| JOSE Working Group M. Jones | JOSE Working Group M. Jones | |||
| Internet-Draft Microsoft | Internet-Draft Microsoft | |||
| Intended status: Standards Track J. Hildebrand | Intended status: Standards Track J. Hildebrand | |||
| Expires: May 23, 2015 Cisco | Expires: June 12, 2015 Cisco | |||
| November 19, 2014 | December 9, 2014 | |||
| JSON Web Encryption (JWE) | JSON Web Encryption (JWE) | |||
| draft-ietf-jose-json-web-encryption-37 | draft-ietf-jose-json-web-encryption-38 | |||
| Abstract | Abstract | |||
| JSON Web Encryption (JWE) represents encrypted content using | JSON Web Encryption (JWE) represents encrypted content using | |||
| JavaScript Object Notation (JSON) based data structures. | JavaScript Object Notation (JSON) based data structures. | |||
| Cryptographic algorithms and identifiers for use with this | Cryptographic algorithms and identifiers for use with this | |||
| specification are described in the separate JSON Web Algorithms (JWA) | specification are described in the separate JSON Web Algorithms (JWA) | |||
| specification and IANA registries defined by that specification. | specification and IANA registries defined by that specification. | |||
| Related digital signature and MAC capabilities are described in the | Related digital signature and MAC capabilities are described in the | |||
| separate JSON Web Signature (JWS) specification. | separate JSON Web Signature (JWS) specification. | |||
| skipping to change at page 1, line 37 ¶ | skipping to change at page 1, line 37 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on May 23, 2015. | This Internet-Draft will expire on June 12, 2015. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 5 | 1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 5 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3. JSON Web Encryption (JWE) Overview . . . . . . . . . . . . . . 8 | 3. JSON Web Encryption (JWE) Overview . . . . . . . . . . . . . . 8 | |||
| 3.1. JWE Compact Serialization Overview . . . . . . . . . . . . 9 | 3.1. JWE Compact Serialization Overview . . . . . . . . . . . . 9 | |||
| 3.2. JWE JSON Serialization Overview . . . . . . . . . . . . . 9 | 3.2. JWE JSON Serialization Overview . . . . . . . . . . . . . 9 | |||
| 3.3. Example JWE . . . . . . . . . . . . . . . . . . . . . . . 10 | 3.3. Example JWE . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 4. JOSE Header . . . . . . . . . . . . . . . . . . . . . . . . . 11 | 4. JOSE Header . . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 4.1. Registered Header Parameter Names . . . . . . . . . . . . 12 | 4.1. Registered Header Parameter Names . . . . . . . . . . . . 11 | |||
| 4.1.1. "alg" (Algorithm) Header Parameter . . . . . . . . . . 12 | 4.1.1. "alg" (Algorithm) Header Parameter . . . . . . . . . . 12 | |||
| 4.1.2. "enc" (Encryption Algorithm) Header Parameter . . . . 12 | 4.1.2. "enc" (Encryption Algorithm) Header Parameter . . . . 12 | |||
| 4.1.3. "zip" (Compression Algorithm) Header Parameter . . . . 13 | 4.1.3. "zip" (Compression Algorithm) Header Parameter . . . . 12 | |||
| 4.1.4. "jku" (JWK Set URL) Header Parameter . . . . . . . . . 13 | 4.1.4. "jku" (JWK Set URL) Header Parameter . . . . . . . . . 13 | |||
| 4.1.5. "jwk" (JSON Web Key) Header Parameter . . . . . . . . 13 | 4.1.5. "jwk" (JSON Web Key) Header Parameter . . . . . . . . 13 | |||
| 4.1.6. "kid" (Key ID) Header Parameter . . . . . . . . . . . 13 | 4.1.6. "kid" (Key ID) Header Parameter . . . . . . . . . . . 13 | |||
| 4.1.7. "x5u" (X.509 URL) Header Parameter . . . . . . . . . . 13 | 4.1.7. "x5u" (X.509 URL) Header Parameter . . . . . . . . . . 13 | |||
| 4.1.8. "x5c" (X.509 Certificate Chain) Header Parameter . . . 14 | 4.1.8. "x5c" (X.509 Certificate Chain) Header Parameter . . . 13 | |||
| 4.1.9. "x5t" (X.509 Certificate SHA-1 Thumbprint) Header | 4.1.9. "x5t" (X.509 Certificate SHA-1 Thumbprint) Header | |||
| Parameter . . . . . . . . . . . . . . . . . . . . . . 14 | Parameter . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 4.1.10. "x5t#S256" (X.509 Certificate SHA-256 Thumbprint) | 4.1.10. "x5t#S256" (X.509 Certificate SHA-256 Thumbprint) | |||
| Header Parameter . . . . . . . . . . . . . . . . . . . 14 | Header Parameter . . . . . . . . . . . . . . . . . . . 14 | |||
| 4.1.11. "typ" (Type) Header Parameter . . . . . . . . . . . . 14 | 4.1.11. "typ" (Type) Header Parameter . . . . . . . . . . . . 14 | |||
| 4.1.12. "cty" (Content Type) Header Parameter . . . . . . . . 14 | 4.1.12. "cty" (Content Type) Header Parameter . . . . . . . . 14 | |||
| 4.1.13. "crit" (Critical) Header Parameter . . . . . . . . . . 14 | 4.1.13. "crit" (Critical) Header Parameter . . . . . . . . . . 14 | |||
| 4.2. Public Header Parameter Names . . . . . . . . . . . . . . 15 | 4.2. Public Header Parameter Names . . . . . . . . . . . . . . 14 | |||
| 4.3. Private Header Parameter Names . . . . . . . . . . . . . . 15 | 4.3. Private Header Parameter Names . . . . . . . . . . . . . . 15 | |||
| 5. Producing and Consuming JWEs . . . . . . . . . . . . . . . . . 15 | 5. Producing and Consuming JWEs . . . . . . . . . . . . . . . . . 15 | |||
| 5.1. Message Encryption . . . . . . . . . . . . . . . . . . . . 15 | 5.1. Message Encryption . . . . . . . . . . . . . . . . . . . . 15 | |||
| 5.2. Message Decryption . . . . . . . . . . . . . . . . . . . . 17 | 5.2. Message Decryption . . . . . . . . . . . . . . . . . . . . 17 | |||
| 5.3. String Comparison Rules . . . . . . . . . . . . . . . . . 20 | 5.3. String Comparison Rules . . . . . . . . . . . . . . . . . 20 | |||
| 6. Key Identification . . . . . . . . . . . . . . . . . . . . . . 20 | 6. Key Identification . . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 7. Serializations . . . . . . . . . . . . . . . . . . . . . . . . 20 | 7. Serializations . . . . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 7.1. JWE Compact Serialization . . . . . . . . . . . . . . . . 20 | 7.1. JWE Compact Serialization . . . . . . . . . . . . . . . . 20 | |||
| 7.2. JWE JSON Serialization . . . . . . . . . . . . . . . . . . 21 | 7.2. JWE JSON Serialization . . . . . . . . . . . . . . . . . . 21 | |||
| 7.2.1. General JWE JSON Serialization Syntax . . . . . . . . 21 | 7.2.1. General JWE JSON Serialization Syntax . . . . . . . . 21 | |||
| 7.2.2. Flattened JWE JSON Serialization Syntax . . . . . . . 24 | 7.2.2. Flattened JWE JSON Serialization Syntax . . . . . . . 24 | |||
| 8. TLS Requirements . . . . . . . . . . . . . . . . . . . . . . . 24 | 8. TLS Requirements . . . . . . . . . . . . . . . . . . . . . . . 24 | |||
| 9. Distinguishing between JWS and JWE Objects . . . . . . . . . . 25 | 9. Distinguishing between JWS and JWE Objects . . . . . . . . . . 24 | |||
| 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25 | 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25 | |||
| 10.1. JSON Web Signature and Encryption Header Parameters | 10.1. JSON Web Signature and Encryption Header Parameters | |||
| Registration . . . . . . . . . . . . . . . . . . . . . . . 25 | Registration . . . . . . . . . . . . . . . . . . . . . . . 25 | |||
| 10.1.1. Registry Contents . . . . . . . . . . . . . . . . . . 25 | 10.1.1. Registry Contents . . . . . . . . . . . . . . . . . . 25 | |||
| 11. Security Considerations . . . . . . . . . . . . . . . . . . . 27 | 11. Security Considerations . . . . . . . . . . . . . . . . . . . 27 | |||
| 11.1. Key Entropy and Random Values . . . . . . . . . . . . . . 28 | 11.1. Key Entropy and Random Values . . . . . . . . . . . . . . 27 | |||
| 11.2. Key Protection . . . . . . . . . . . . . . . . . . . . . . 28 | 11.2. Key Protection . . . . . . . . . . . . . . . . . . . . . . 28 | |||
| 11.3. Using Matching Algorithm Strengths . . . . . . . . . . . . 28 | 11.3. Using Matching Algorithm Strengths . . . . . . . . . . . . 28 | |||
| 11.4. Adaptive Chosen-Ciphertext Attacks . . . . . . . . . . . . 28 | 11.4. Adaptive Chosen-Ciphertext Attacks . . . . . . . . . . . . 28 | |||
| 11.5. Timing Attacks . . . . . . . . . . . . . . . . . . . . . . 29 | 11.5. Timing Attacks . . . . . . . . . . . . . . . . . . . . . . 28 | |||
| 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 29 | 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 29 | |||
| 12.1. Normative References . . . . . . . . . . . . . . . . . . . 29 | 12.1. Normative References . . . . . . . . . . . . . . . . . . . 29 | |||
| 12.2. Informative References . . . . . . . . . . . . . . . . . . 30 | 12.2. Informative References . . . . . . . . . . . . . . . . . . 29 | |||
| Appendix A. JWE Examples . . . . . . . . . . . . . . . . . . . . 31 | Appendix A. JWE Examples . . . . . . . . . . . . . . . . . . . . 30 | |||
| A.1. Example JWE using RSAES OAEP and AES GCM . . . . . . . . . 31 | A.1. Example JWE using RSAES OAEP and AES GCM . . . . . . . . . 31 | |||
| A.1.1. JOSE Header . . . . . . . . . . . . . . . . . . . . . 31 | A.1.1. JOSE Header . . . . . . . . . . . . . . . . . . . . . 31 | |||
| A.1.2. Content Encryption Key (CEK) . . . . . . . . . . . . . 31 | A.1.2. Content Encryption Key (CEK) . . . . . . . . . . . . . 31 | |||
| A.1.3. Key Encryption . . . . . . . . . . . . . . . . . . . . 32 | A.1.3. Key Encryption . . . . . . . . . . . . . . . . . . . . 31 | |||
| A.1.4. Initialization Vector . . . . . . . . . . . . . . . . 33 | A.1.4. Initialization Vector . . . . . . . . . . . . . . . . 33 | |||
| A.1.5. Additional Authenticated Data . . . . . . . . . . . . 33 | A.1.5. Additional Authenticated Data . . . . . . . . . . . . 33 | |||
| A.1.6. Content Encryption . . . . . . . . . . . . . . . . . . 34 | A.1.6. Content Encryption . . . . . . . . . . . . . . . . . . 33 | |||
| A.1.7. Complete Representation . . . . . . . . . . . . . . . 34 | A.1.7. Complete Representation . . . . . . . . . . . . . . . 34 | |||
| A.1.8. Validation . . . . . . . . . . . . . . . . . . . . . . 35 | A.1.8. Validation . . . . . . . . . . . . . . . . . . . . . . 34 | |||
| A.2. Example JWE using RSAES-PKCS1-V1_5 and | A.2. Example JWE using RSAES-PKCS1-V1_5 and | |||
| AES_128_CBC_HMAC_SHA_256 . . . . . . . . . . . . . . . . . 35 | AES_128_CBC_HMAC_SHA_256 . . . . . . . . . . . . . . . . . 35 | |||
| A.2.1. JOSE Header . . . . . . . . . . . . . . . . . . . . . 35 | A.2.1. JOSE Header . . . . . . . . . . . . . . . . . . . . . 35 | |||
| A.2.2. Content Encryption Key (CEK) . . . . . . . . . . . . . 36 | A.2.2. Content Encryption Key (CEK) . . . . . . . . . . . . . 35 | |||
| A.2.3. Key Encryption . . . . . . . . . . . . . . . . . . . . 36 | A.2.3. Key Encryption . . . . . . . . . . . . . . . . . . . . 35 | |||
| A.2.4. Initialization Vector . . . . . . . . . . . . . . . . 38 | A.2.4. Initialization Vector . . . . . . . . . . . . . . . . 37 | |||
| A.2.5. Additional Authenticated Data . . . . . . . . . . . . 38 | A.2.5. Additional Authenticated Data . . . . . . . . . . . . 37 | |||
| A.2.6. Content Encryption . . . . . . . . . . . . . . . . . . 38 | A.2.6. Content Encryption . . . . . . . . . . . . . . . . . . 37 | |||
| A.2.7. Complete Representation . . . . . . . . . . . . . . . 39 | A.2.7. Complete Representation . . . . . . . . . . . . . . . 38 | |||
| A.2.8. Validation . . . . . . . . . . . . . . . . . . . . . . 39 | A.2.8. Validation . . . . . . . . . . . . . . . . . . . . . . 38 | |||
| A.3. Example JWE using AES Key Wrap and | A.3. Example JWE using AES Key Wrap and | |||
| AES_128_CBC_HMAC_SHA_256 . . . . . . . . . . . . . . . . . 40 | AES_128_CBC_HMAC_SHA_256 . . . . . . . . . . . . . . . . . 39 | |||
| A.3.1. JOSE Header . . . . . . . . . . . . . . . . . . . . . 40 | A.3.1. JOSE Header . . . . . . . . . . . . . . . . . . . . . 39 | |||
| A.3.2. Content Encryption Key (CEK) . . . . . . . . . . . . . 40 | A.3.2. Content Encryption Key (CEK) . . . . . . . . . . . . . 39 | |||
| A.3.3. Key Encryption . . . . . . . . . . . . . . . . . . . . 40 | A.3.3. Key Encryption . . . . . . . . . . . . . . . . . . . . 39 | |||
| A.3.4. Initialization Vector . . . . . . . . . . . . . . . . 41 | A.3.4. Initialization Vector . . . . . . . . . . . . . . . . 40 | |||
| A.3.5. Additional Authenticated Data . . . . . . . . . . . . 41 | A.3.5. Additional Authenticated Data . . . . . . . . . . . . 40 | |||
| A.3.6. Content Encryption . . . . . . . . . . . . . . . . . . 41 | A.3.6. Content Encryption . . . . . . . . . . . . . . . . . . 40 | |||
| A.3.7. Complete Representation . . . . . . . . . . . . . . . 42 | A.3.7. Complete Representation . . . . . . . . . . . . . . . 41 | |||
| A.3.8. Validation . . . . . . . . . . . . . . . . . . . . . . 42 | A.3.8. Validation . . . . . . . . . . . . . . . . . . . . . . 41 | |||
| A.4. Example JWE using General JWE JSON Serialization . . . . . 43 | A.4. Example JWE using General JWE JSON Serialization . . . . . 42 | |||
| A.4.1. JWE Per-Recipient Unprotected Headers . . . . . . . . 43 | A.4.1. JWE Per-Recipient Unprotected Headers . . . . . . . . 42 | |||
| A.4.2. JWE Protected Header . . . . . . . . . . . . . . . . . 43 | A.4.2. JWE Protected Header . . . . . . . . . . . . . . . . . 42 | |||
| A.4.3. JWE Unprotected Header . . . . . . . . . . . . . . . . 44 | A.4.3. JWE Unprotected Header . . . . . . . . . . . . . . . . 43 | |||
| A.4.4. Complete JOSE Header Values . . . . . . . . . . . . . 44 | A.4.4. Complete JOSE Header Values . . . . . . . . . . . . . 43 | |||
| A.4.5. Additional Authenticated Data . . . . . . . . . . . . 44 | A.4.5. Additional Authenticated Data . . . . . . . . . . . . 43 | |||
| A.4.6. Content Encryption . . . . . . . . . . . . . . . . . . 44 | A.4.6. Content Encryption . . . . . . . . . . . . . . . . . . 43 | |||
| A.4.7. Complete JWE JSON Serialization Representation . . . . 45 | A.4.7. Complete JWE JSON Serialization Representation . . . . 44 | |||
| A.5. Example JWE using Flattened JWE JSON Serialization . . . . 46 | A.5. Example JWE using Flattened JWE JSON Serialization . . . . 45 | |||
| Appendix B. Example AES_128_CBC_HMAC_SHA_256 Computation . . . . 46 | Appendix B. Example AES_128_CBC_HMAC_SHA_256 Computation . . . . 45 | |||
| B.1. Extract MAC_KEY and ENC_KEY from Key . . . . . . . . . . . 46 | B.1. Extract MAC_KEY and ENC_KEY from Key . . . . . . . . . . . 45 | |||
| B.2. Encrypt Plaintext to Create Ciphertext . . . . . . . . . . 47 | B.2. Encrypt Plaintext to Create Ciphertext . . . . . . . . . . 46 | |||
| B.3. 64 Bit Big Endian Representation of AAD Length . . . . . . 47 | B.3. 64 Bit Big Endian Representation of AAD Length . . . . . . 46 | |||
| B.4. Initialization Vector Value . . . . . . . . . . . . . . . 48 | B.4. Initialization Vector Value . . . . . . . . . . . . . . . 47 | |||
| B.5. Create Input to HMAC Computation . . . . . . . . . . . . . 48 | B.5. Create Input to HMAC Computation . . . . . . . . . . . . . 47 | |||
| B.6. Compute HMAC Value . . . . . . . . . . . . . . . . . . . . 48 | B.6. Compute HMAC Value . . . . . . . . . . . . . . . . . . . . 47 | |||
| B.7. Truncate HMAC Value to Create Authentication Tag . . . . . 48 | B.7. Truncate HMAC Value to Create Authentication Tag . . . . . 47 | |||
| Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 48 | Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 47 | |||
| Appendix D. Document History . . . . . . . . . . . . . . . . . . 49 | Appendix D. Document History . . . . . . . . . . . . . . . . . . 48 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 60 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 59 | |||
| 1. Introduction | 1. Introduction | |||
| JSON Web Encryption (JWE) represents encrypted content using | JSON Web Encryption (JWE) represents encrypted content using | |||
| JavaScript Object Notation (JSON) [RFC7159] based data structures. | JavaScript Object Notation (JSON) [RFC7159] based data structures. | |||
| The JWE cryptographic mechanisms encrypt and provide integrity | The JWE cryptographic mechanisms encrypt and provide integrity | |||
| protection for an arbitrary sequence of octets. | protection for an arbitrary sequence of octets. | |||
| Two closely related serializations for JWE objects are defined. The | Two closely related serializations for JWEs are defined. The JWE | |||
| JWE Compact Serialization is a compact, URL-safe representation | Compact Serialization is a compact, URL-safe representation intended | |||
| intended for space constrained environments such as HTTP | for space constrained environments such as HTTP Authorization headers | |||
| Authorization headers and URI query parameters. The JWE JSON | and URI query parameters. The JWE JSON Serialization represents JWEs | |||
| Serialization represents JWE objects as JSON objects and enables the | as JSON objects and enables the same content to be encrypted to | |||
| same content to be encrypted to multiple parties. Both share the | multiple parties. Both share the same cryptographic underpinnings. | |||
| same cryptographic underpinnings. | ||||
| Cryptographic algorithms and identifiers for use with this | Cryptographic algorithms and identifiers for use with this | |||
| specification are described in the separate JSON Web Algorithms (JWA) | specification are described in the separate JSON Web Algorithms (JWA) | |||
| [JWA] specification and IANA registries defined by that | [JWA] specification and IANA registries defined by that | |||
| specification. Related digital signature and MAC capabilities are | specification. Related digital signature and MAC capabilities are | |||
| described in the separate JSON Web Signature (JWS) [JWS] | described in the separate JSON Web Signature (JWS) [JWS] | |||
| specification. | specification. | |||
| Names defined by this specification are short because a core goal is | Names defined by this specification are short because a core goal is | |||
| for the resulting representations to be compact. | for the resulting representations to be compact. | |||
| skipping to change at page 9, line 7 ¶ | skipping to change at page 8, line 48 ¶ | |||
| [RFC7159]. A JWE represents these logical values (each of which is | [RFC7159]. A JWE represents these logical values (each of which is | |||
| defined in Section 2): | defined in Section 2): | |||
| o JOSE Header | o JOSE Header | |||
| o JWE Encrypted Key | o JWE Encrypted Key | |||
| o JWE Initialization Vector | o JWE Initialization Vector | |||
| o JWE AAD | o JWE AAD | |||
| o JWE Ciphertext | o JWE Ciphertext | |||
| o JWE Authentication Tag | o JWE Authentication Tag | |||
| For a JWE object, the JOSE Header members are the union of the | For a JWE, the JOSE Header members are the union of the members of | |||
| members of these values (each of which is defined in Section 2): | these values (each of which is defined in Section 2): | |||
| o JWE Protected Header | o JWE Protected Header | |||
| o JWE Shared Unprotected Header | o JWE Shared Unprotected Header | |||
| o JWE Per-Recipient Unprotected Header | o JWE Per-Recipient Unprotected Header | |||
| JWE utilizes authenticated encryption to ensure the confidentiality | JWE utilizes authenticated encryption to ensure the confidentiality | |||
| and integrity of the Plaintext and the integrity of the JWE Protected | and integrity of the Plaintext and the integrity of the JWE Protected | |||
| Header and the JWE AAD. | Header and the JWE AAD. | |||
| This document defines two serializations for JWE objects: a compact, | This document defines two serializations for JWEs: a compact, URL- | |||
| URL-safe serialization called the JWE Compact Serialization and a | safe serialization called the JWE Compact Serialization and a JSON | |||
| JSON serialization called the JWE JSON Serialization. In both | serialization called the JWE JSON Serialization. In both | |||
| serializations, the JWE Protected Header, JWE Encrypted Key, JWE | serializations, the JWE Protected Header, JWE Encrypted Key, JWE | |||
| Initialization Vector, JWE Ciphertext, and JWE Authentication Tag are | Initialization Vector, JWE Ciphertext, and JWE Authentication Tag are | |||
| base64url encoded, since JSON lacks a way to directly represent | base64url encoded, since JSON lacks a way to directly represent | |||
| arbitrary octet sequences. When present, the JWE AAD is also | arbitrary octet sequences. When present, the JWE AAD is also | |||
| base64url encoded. | base64url encoded. | |||
| 3.1. JWE Compact Serialization Overview | 3.1. JWE Compact Serialization Overview | |||
| In the JWE Compact Serialization, no JWE Shared Unprotected Header or | In the JWE Compact Serialization, no JWE Shared Unprotected Header or | |||
| JWE Per-Recipient Unprotected Header are used. In this case, the | JWE Per-Recipient Unprotected Header are used. In this case, the | |||
| JOSE Header and the JWE Protected Header are the same. | JOSE Header and the JWE Protected Header are the same. | |||
| In the JWE Compact Serialization, a JWE object is represented as the | In the JWE Compact Serialization, a JWE is represented as the | |||
| concatenation: | concatenation: | |||
| BASE64URL(UTF8(JWE Protected Header)) || '.' || | BASE64URL(UTF8(JWE Protected Header)) || '.' || | |||
| BASE64URL(JWE Encrypted Key) || '.' || | BASE64URL(JWE Encrypted Key) || '.' || | |||
| BASE64URL(JWE Initialization Vector) || '.' || | BASE64URL(JWE Initialization Vector) || '.' || | |||
| BASE64URL(JWE Ciphertext) || '.' || | BASE64URL(JWE Ciphertext) || '.' || | |||
| BASE64URL(JWE Authentication Tag) | BASE64URL(JWE Authentication Tag) | |||
| See Section 7.1 for more information about the JWE Compact | See Section 7.1 for more information about the JWE Compact | |||
| Serialization. | Serialization. | |||
| 3.2. JWE JSON Serialization Overview | 3.2. JWE JSON Serialization Overview | |||
| In the JWE JSON Serialization, one or more of the JWE Protected | In the JWE JSON Serialization, one or more of the JWE Protected | |||
| Header, JWE Shared Unprotected Header, and JWE Per-Recipient | Header, JWE Shared Unprotected Header, and JWE Per-Recipient | |||
| Unprotected Header MUST be present. In this case, the members of the | Unprotected Header MUST be present. In this case, the members of the | |||
| JOSE Header are the union of the members of the JWE Protected Header, | JOSE Header are the union of the members of the JWE Protected Header, | |||
| JWE Shared Unprotected Header, and JWE Per-Recipient Unprotected | JWE Shared Unprotected Header, and JWE Per-Recipient Unprotected | |||
| Header values that are present. | Header values that are present. | |||
| In the JWE JSON Serialization, a JWE object is represented as the | In the JWE JSON Serialization, a JWE is represented as a JSON object | |||
| combination of these eight values: | containing some or all of these eight members: | |||
| BASE64URL(UTF8(JWE Protected Header)) | ||||
| JWE Shared Unprotected Header | "protected", with the value BASE64URL(UTF8(JWE Protected Header)) | |||
| JWE Per-Recipient Unprotected Header | "unprotected", with the value JWE Shared Unprotected Header | |||
| BASE64URL(JWE Encrypted Key) | "header", with the value JWE Per-Recipient Unprotected Header | |||
| BASE64URL(JWE Initialization Vector) | "encrypted_key", with the value BASE64URL(JWE Encrypted Key) | |||
| BASE64URL(JWE Ciphertext) | "iv", with the value BASE64URL(JWE Initialization Vector) | |||
| BASE64URL(JWE Authentication Tag) | "ciphertext", with the value BASE64URL(JWE Ciphertext) | |||
| BASE64URL(JWE AAD) | "tag", with the value BASE64URL(JWE Authentication Tag) | |||
| "aad", with the value BASE64URL(JWE AAD) | ||||
| The six base64url encoded result strings and the two unprotected JSON | The six base64url encoded result strings and the two unprotected JSON | |||
| object values are represented as members within a JSON object. The | object values are represented as members within a JSON object. The | |||
| inclusion of some of these values is OPTIONAL. The JWE JSON | inclusion of some of these values is OPTIONAL. The JWE JSON | |||
| Serialization can also encrypt the plaintext to multiple recipients. | Serialization can also encrypt the plaintext to multiple recipients. | |||
| See Section 7.2 for more information about the JWE JSON | See Section 7.2 for more information about the JWE JSON | |||
| Serialization. | Serialization. | |||
| 3.3. Example JWE | 3.3. Example JWE | |||
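Review bot: In the Section 3.2 list, the new lead-in "a JSON object containing some or all of these eight members" already states what the retained paragraph after the list repeats ("The six base64url encoded result strings and the two unprotected JSON object values are represented as members within a JSON object. The inclusion of some of these values is OPTIONAL."), so that paragraph could be reduced to its multiple-recipients sentence. The list also puts "header" and "encrypted_key" at the same level as "protected" and "ciphertext", although "header" carries the JWE Per-Recipient Unprotected Header and the following text says the plaintext can be encrypted to multiple recipients. The overview does not say how per-recipient members are grouped in that case, so a pointer to Section 7.2 next to those two entries would keep an implementer from treating this list as the complete schema.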
| skipping to change at page 11, line 43 ¶ | skipping to change at page 11, line 38 ¶ | |||
| 5eym8TW_c8SuK0ltJ3rpYIzOeDQz7TALvtu6UG9oMo4vpzs9tX_EFShS8iB7j6ji | 5eym8TW_c8SuK0ltJ3rpYIzOeDQz7TALvtu6UG9oMo4vpzs9tX_EFShS8iB7j6ji | |||
| SdiwkIr3ajwQzaBtQD_A. | SdiwkIr3ajwQzaBtQD_A. | |||
| XFBoMYUZodetZdvTiFvSkQ | XFBoMYUZodetZdvTiFvSkQ | |||
| See Appendix A.1 for the complete details of computing this JWE. See | See Appendix A.1 for the complete details of computing this JWE. See | |||
| Appendix A for additional examples, including examples using the JWE | Appendix A for additional examples, including examples using the JWE | |||
| JSON Serialization in Sections A.4 and A.5. | JSON Serialization in Sections A.4 and A.5. | |||
| 4. JOSE Header | 4. JOSE Header | |||
| For a JWE object, the members of the JSON object(s) representing the | For a JWE, the members of the JSON object(s) representing the JOSE | |||
| JOSE Header describe the encryption applied to the Plaintext and | Header describe the encryption applied to the Plaintext and | |||
| optionally additional properties of the JWE. The Header Parameter | optionally additional properties of the JWE. The Header Parameter | |||
| names within the JOSE Header MUST be unique, just as described in | names within the JOSE Header MUST be unique, just as described in | |||
| Section 4 of [JWS]. The rules about handling Header Parameters that | Section 4 of [JWS]. The rules about handling Header Parameters that | |||
| are not understood by the implementation are also the same. The | are not understood by the implementation are also the same. The | |||
| classes of Header Parameter names are likewise the same. | classes of Header Parameter names are likewise the same. | |||
| 4.1. Registered Header Parameter Names | 4.1. Registered Header Parameter Names | |||
| The following Header Parameter names for use in JWE objects are | The following Header Parameter names for use in JWEs are registered | |||
| registered in the IANA JSON Web Signature and Encryption Header | in the IANA JSON Web Signature and Encryption Header Parameters | |||
| Parameters registry defined in [JWS], with meanings as defined below. | registry defined in [JWS], with meanings as defined below. | |||
| As indicated by the common registry, JWSs and JWEs share a common | As indicated by the common registry, JWSs and JWEs share a common | |||
| Header Parameter space; when a parameter is used by both | Header Parameter space; when a parameter is used by both | |||
| specifications, its usage must be compatible between the | specifications, its usage must be compatible between the | |||
| specifications. | specifications. | |||
| 4.1.1. "alg" (Algorithm) Header Parameter | 4.1.1. "alg" (Algorithm) Header Parameter | |||
| This parameter has the same meaning, syntax, and processing rules as | This parameter has the same meaning, syntax, and processing rules as | |||
| the "alg" Header Parameter defined in Section 4.1.1 of [JWS], except | the "alg" Header Parameter defined in Section 4.1.1 of [JWS], except | |||
| skipping to change at page 12, line 37 ¶ | skipping to change at page 12, line 31 ¶ | |||
| JSON Web Signature and Encryption Algorithms registry defined in | JSON Web Signature and Encryption Algorithms registry defined in | |||
| [JWA]; the initial contents of this registry are the values defined | [JWA]; the initial contents of this registry are the values defined | |||
| in Section 4.1 of the JSON Web Algorithms (JWA) [JWA] specification. | in Section 4.1 of the JSON Web Algorithms (JWA) [JWA] specification. | |||
| 4.1.2. "enc" (Encryption Algorithm) Header Parameter | 4.1.2. "enc" (Encryption Algorithm) Header Parameter | |||
| The "enc" (encryption algorithm) Header Parameter identifies the | The "enc" (encryption algorithm) Header Parameter identifies the | |||
| content encryption algorithm used to perform authenticated encryption | content encryption algorithm used to perform authenticated encryption | |||
| on the Plaintext to produce the Ciphertext and the Authentication | on the Plaintext to produce the Ciphertext and the Authentication | |||
| Tag. This algorithm MUST be an AEAD algorithm with a specified key | Tag. This algorithm MUST be an AEAD algorithm with a specified key | |||
| length. The recipient MUST reject the JWE if the "enc" value does | length. The encrypted content is not usable if the "enc" value does | |||
| not represent a supported algorithm. "enc" values should either be | not represent a supported algorithm. "enc" values should either be | |||
| registered in the IANA JSON Web Signature and Encryption Algorithms | registered in the IANA JSON Web Signature and Encryption Algorithms | |||
| registry defined in [JWA] or be a value that contains a Collision- | registry defined in [JWA] or be a value that contains a Collision- | |||
| Resistant Name. The "enc" value is a case-sensitive ASCII string | Resistant Name. The "enc" value is a case-sensitive ASCII string | |||
| containing a StringOrURI value. This Header Parameter MUST be | containing a StringOrURI value. This Header Parameter MUST be | |||
| present and MUST be understood and processed by implementations. | present and MUST be understood and processed by implementations. | |||
| A list of defined "enc" values for this use can be found in the IANA | A list of defined "enc" values for this use can be found in the IANA | |||
| JSON Web Signature and Encryption Algorithms registry defined in | JSON Web Signature and Encryption Algorithms registry defined in | |||
| [JWA]; the initial contents of this registry are the values defined | [JWA]; the initial contents of this registry are the values defined | |||
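Review bot: In Section 4.1.2, the right-hand text replaces 'The recipient MUST reject the JWE if the "enc" value does not represent a supported algorithm' with 'The encrypted content is not usable if the "enc" value does not represent a supported algorithm', which removes the explicit requirement on the recipient for an unsupported "enc" value. "Not usable" describes an outcome rather than a required action, so a reader of -38 alone is no longer told to stop processing. Suggest keeping a normative statement here, for example that the JWE MUST be considered invalid in this case, which would also match the "considering the JWE to be invalid" phrasing in the -37 Document History entry.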
| skipping to change at page 14, line 40 ¶ | skipping to change at page 14, line 31 ¶ | |||
| except that the certificate referenced by the thumbprint contains the | except that the certificate referenced by the thumbprint contains the | |||
| public key to which the JWE was encrypted; this can be used to | public key to which the JWE was encrypted; this can be used to | |||
| determine the private key needed to decrypt the JWE. Note that | determine the private key needed to decrypt the JWE. Note that | |||
| certificate thumbprints are also sometimes known as certificate | certificate thumbprints are also sometimes known as certificate | |||
| fingerprints. | fingerprints. | |||
| 4.1.11. "typ" (Type) Header Parameter | 4.1.11. "typ" (Type) Header Parameter | |||
| This parameter has the same meaning, syntax, and processing rules as | This parameter has the same meaning, syntax, and processing rules as | |||
| the "typ" Header Parameter defined in Section 4.1.9 of [JWS], except | the "typ" Header Parameter defined in Section 4.1.9 of [JWS], except | |||
| that the type is that of this complete JWE object. | that the type is that of this complete JWE. | |||
| 4.1.12. "cty" (Content Type) Header Parameter | 4.1.12. "cty" (Content Type) Header Parameter | |||
| This parameter has the same meaning, syntax, and processing rules as | This parameter has the same meaning, syntax, and processing rules as | |||
| the "cty" Header Parameter defined in Section 4.1.10 of [JWS], except | the "cty" Header Parameter defined in Section 4.1.10 of [JWS], except | |||
| that the type is that of the secured content (the plaintext). | that the type is that of the secured content (the plaintext). | |||
| 4.1.13. "crit" (Critical) Header Parameter | 4.1.13. "crit" (Critical) Header Parameter | |||
| This parameter has the same meaning, syntax, and processing rules as | This parameter has the same meaning, syntax, and processing rules as | |||
| the "crit" Header Parameter defined in Section 4.1.11 of [JWS], | the "crit" Header Parameter defined in Section 4.1.11 of [JWS], | |||
| except that Header Parameters for a JWE object are being referred to, | except that Header Parameters for a JWE are being referred to, rather | |||
| rather than Header Parameters for a JWS object. | than Header Parameters for a JWS. | |||
| 4.2. Public Header Parameter Names | 4.2. Public Header Parameter Names | |||
| Additional Header Parameter names can be defined by those using JWEs. | Additional Header Parameter names can be defined by those using JWEs. | |||
| However, in order to prevent collisions, any new Header Parameter | However, in order to prevent collisions, any new Header Parameter | |||
| name should either be registered in the IANA JSON Web Signature and | name should either be registered in the IANA JSON Web Signature and | |||
| Encryption Header Parameters registry defined in [JWS] or be a Public | Encryption Header Parameters registry defined in [JWS] or be a Public | |||
| Name: a value that contains a Collision-Resistant Name. In each | Name: a value that contains a Collision-Resistant Name. In each | |||
| case, the definer of the name or value needs to take reasonable | case, the definer of the name or value needs to take reasonable | |||
| precautions to make sure they are in control of the part of the | precautions to make sure they are in control of the part of the | |||
| skipping to change at page 20, line 36 ¶ | skipping to change at page 20, line 26 ¶ | |||
| those defined in Section 5.3 of [JWS]. | those defined in Section 5.3 of [JWS]. | |||
| 6. Key Identification | 6. Key Identification | |||
| The key identification methods for this specification are the same as | The key identification methods for this specification are the same as | |||
| those defined in Section 6 of [JWS], except that the key being | those defined in Section 6 of [JWS], except that the key being | |||
| identified is the public key to which the JWE was encrypted. | identified is the public key to which the JWE was encrypted. | |||
| 7. Serializations | 7. Serializations | |||
| JWE objects use one of two serializations, the JWE Compact | JWEs use one of two serializations: the JWE Compact Serialization or | |||
| Serialization or the JWE JSON Serialization. Applications using this | the JWE JSON Serialization. Applications using this specification | |||
| specification need to specify what serialization and serialization | need to specify what serialization and serialization features are | |||
| features are used for that application. For instance, applications | used for that application. For instance, applications might specify | |||
| might specify that only the JWE JSON Serialization is used, that only | that only the JWE JSON Serialization is used, that only JWE JSON | |||
| JWE JSON Serialization support for a single recipient is used, or | Serialization support for a single recipient is used, or that support | |||
| that support for multiple recipients is used. JWE implementations | for multiple recipients is used. JWE implementations only need to | |||
| only need to implement the features needed for the applications they | implement the features needed for the applications they are designed | |||
| are designed to support. | to support. | |||
| 7.1. JWE Compact Serialization | 7.1. JWE Compact Serialization | |||
| The JWE Compact Serialization represents encrypted content as a | The JWE Compact Serialization represents encrypted content as a | |||
| compact, URL-safe string. This string is: | compact, URL-safe string. This string is: | |||
| BASE64URL(UTF8(JWE Protected Header)) || '.' || | BASE64URL(UTF8(JWE Protected Header)) || '.' || | |||
| BASE64URL(JWE Encrypted Key) || '.' || | BASE64URL(JWE Encrypted Key) || '.' || | |||
| BASE64URL(JWE Initialization Vector) || '.' || | BASE64URL(JWE Initialization Vector) || '.' || | |||
| BASE64URL(JWE Ciphertext) || '.' || | BASE64URL(JWE Ciphertext) || '.' || | |||
| skipping to change at page 25, line 8 ¶ | skipping to change at page 24, line 48 ¶ | |||
| Serialization syntax. | Serialization syntax. | |||
| 8. TLS Requirements | 8. TLS Requirements | |||
| The TLS requirements for this specification are the same as those | The TLS requirements for this specification are the same as those | |||
| defined in Section 8 of [JWS]. | defined in Section 8 of [JWS]. | |||
| 9. Distinguishing between JWS and JWE Objects | 9. Distinguishing between JWS and JWE Objects | |||
| There are several ways of distinguishing whether an object is a JWS | There are several ways of distinguishing whether an object is a JWS | |||
| or JWE object. All these methods will yield the same result for all | or JWE. All these methods will yield the same result for all legal | |||
| legal input values; they may yield different results for malformed | input values; they may yield different results for malformed inputs. | |||
| inputs. | ||||
| o If the object is using the JWS Compact Serialization or the JWE | o If the object is using the JWS Compact Serialization or the JWE | |||
| Compact Serialization, the number of base64url encoded segments | Compact Serialization, the number of base64url encoded segments | |||
| separated by period ('.') characters differs for JWSs and JWEs. | separated by period ('.') characters differs for JWSs and JWEs. | |||
| JWSs have three segments separated by two period ('.') characters. | JWSs have three segments separated by two period ('.') characters. | |||
| JWEs have five segments separated by four period ('.') characters. | JWEs have five segments separated by four period ('.') characters. | |||
| o If the object is using the JWS JSON Serialization or the JWE JSON | o If the object is using the JWS JSON Serialization or the JWE JSON | |||
| Serialization, the members used will be different. JWSs have a | Serialization, the members used will be different. JWSs have a | |||
| "payload" member and JWEs do not. JWEs have a "ciphertext" member | "payload" member and JWEs do not. JWEs have a "ciphertext" member | |||
| and JWSs do not. | and JWSs do not. | |||
| o The JOSE Header for a JWS object can be distinguished from the | o The JOSE Header for a JWS can be distinguished from the JOSE | |||
| JOSE Header for a JWE object by examining the "alg" (algorithm) | Header for a JWE by examining the "alg" (algorithm) Header | |||
| Header Parameter value. If the value represents a digital | Parameter value. If the value represents a digital signature or | |||
| signature or MAC algorithm, or is the value "none", it is for a | MAC algorithm, or is the value "none", it is for a JWS; if it | |||
| JWS; if it represents a Key Encryption, Key Wrapping, Direct Key | represents a Key Encryption, Key Wrapping, Direct Key Agreement, | |||
| Agreement, Key Agreement with Key Wrapping, or Direct Encryption | Key Agreement with Key Wrapping, or Direct Encryption algorithm, | |||
| algorithm, it is for a JWE. (Extracting the "alg" value to | it is for a JWE. (Extracting the "alg" value to examine is | |||
| examine is straightforward when using the JWS Compact | straightforward when using the JWS Compact Serialization or the | |||
| Serialization or the JWE Compact Serialization and may be more | JWE Compact Serialization and may be more difficult when using the | |||
| difficult when using the JWS JSON Serialization or the JWE JSON | JWS JSON Serialization or the JWE JSON Serialization.) | |||
| Serialization.) | ||||
| o The JOSE Header for a JWS object can also be distinguished from | o The JOSE Header for a JWS can also be distinguished from the JOSE | |||
| the JOSE Header for a JWE object by determining whether an "enc" | Header for a JWE by determining whether an "enc" (encryption | |||
| (encryption algorithm) member exists. If the "enc" member exists, | algorithm) member exists. If the "enc" member exists, it is a | |||
| it is a JWE; otherwise, it is a JWS. | JWE; otherwise, it is a JWS. | |||
| 10. IANA Considerations | 10. IANA Considerations | |||
| 10.1. JSON Web Signature and Encryption Header Parameters Registration | 10.1. JSON Web Signature and Encryption Header Parameters Registration | |||
| This specification registers the Header Parameter names defined in | This specification registers the Header Parameter names defined in | |||
| Section 4.1 in the IANA JSON Web Signature and Encryption Header | Section 4.1 in the IANA JSON Web Signature and Encryption Header | |||
| Parameters registry defined in [JWS]. | Parameters registry defined in [JWS]. | |||
| 10.1.1. Registry Contents | 10.1.1. Registry Contents | |||
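Review bot: The Section 9 heading still reads "Distinguishing between JWS and JWE Objects" on both sides, while the body under it changes every "JWS object" and "JWE object" to "JWS" and "JWE", so the heading now uses a term the section no longer does. Suggest retitling it (for example "Distinguishing between JWSs and JWEs") or saying why the heading is exempt from the renaming. Separately, since this paragraph is being reflowed anyway: it states that the methods "may yield different results for malformed inputs" but does not say how an implementation should treat an input on which they disagree, and a sentence covering that case would help.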
| skipping to change at page 29, line 21 ¶ | skipping to change at page 29, line 13 ¶ | |||
| of receiving an improperly formatted key, that the recipient | of receiving an improperly formatted key, that the recipient | |||
| substitute a randomly generated CEK and proceed to the next step, to | substitute a randomly generated CEK and proceed to the next step, to | |||
| mitigate timing attacks. | mitigate timing attacks. | |||
| 12. References | 12. References | |||
| 12.1. Normative References | 12.1. Normative References | |||
| [JWA] Jones, M., "JSON Web Algorithms (JWA)", | [JWA] Jones, M., "JSON Web Algorithms (JWA)", | |||
| draft-ietf-jose-json-web-algorithms (work in progress), | draft-ietf-jose-json-web-algorithms (work in progress), | |||
| November 2014. | December 2014. | |||
| [JWK] Jones, M., "JSON Web Key (JWK)", | [JWK] Jones, M., "JSON Web Key (JWK)", | |||
| draft-ietf-jose-json-web-key (work in progress), | draft-ietf-jose-json-web-key (work in progress), | |||
| November 2014. | December 2014. | |||
| [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web | [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web | |||
| Signature (JWS)", draft-ietf-jose-json-web-signature (work | Signature (JWS)", draft-ietf-jose-json-web-signature (work | |||
| in progress), November 2014. | in progress), December 2014. | |||
| [RFC1951] Deutsch, P., "DEFLATE Compressed Data Format Specification | [RFC1951] Deutsch, P., "DEFLATE Compressed Data Format Specification | |||
| version 1.3", RFC 1951, May 1996. | version 1.3", RFC 1951, May 1996. | |||
| [RFC20] Cerf, V., "ASCII format for Network Interchange", RFC 20, | [RFC20] Cerf, V., "ASCII format for Network Interchange", RFC 20, | |||
| October 1969. | October 1969. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| skipping to change at page 49, line 34 ¶ | skipping to change at page 48, line 34 ¶ | |||
| Sakimura, Jim Schaad, Hannes Tschofenig, and Sean Turner. | Sakimura, Jim Schaad, Hannes Tschofenig, and Sean Turner. | |||
| Jim Schaad and Karen O'Donoghue chaired the JOSE working group and | Jim Schaad and Karen O'Donoghue chaired the JOSE working group and | |||
| Sean Turner, Stephen Farrell, and Kathleen Moriarty served as | Sean Turner, Stephen Farrell, and Kathleen Moriarty served as | |||
| Security area directors during the creation of this specification. | Security area directors during the creation of this specification. | |||
| Appendix D. Document History | Appendix D. Document History | |||
| [[ to be removed by the RFC Editor before publication as an RFC ]] | [[ to be removed by the RFC Editor before publication as an RFC ]] | |||
| -38 | ||||
| o Replaced uses of the phrases "JWS object" and "JWE object" with | ||||
| "JWS" and "JWE". | ||||
| o Added member names to the JWE JSON Serialization Overview. | ||||
| o Applied other minor editorial improvements. | ||||
| -37 | -37 | |||
| o Restricted algorithm names to using only ASCII characters. | o Restricted algorithm names to using only ASCII characters. | |||
| o When describing actions taken as a result of validation failures, | o When describing actions taken as a result of validation failures, | |||
| changed statements about rejecting the JWE to statements about | changed statements about rejecting the JWE to statements about | |||
| considering the JWE to be invalid. | considering the JWE to be invalid. | |||
| o Added the CRT parameter values to example RSA private key | o Added the CRT parameter values to example RSA private key | |||
| representations. | representations. | |||
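Review bot: The new -38 entry lists only the "JWS object"/"JWE object" renaming, the added member names, and "other minor editorial improvements", but the Section 4.1.2 change from "The recipient MUST reject the JWE" to "The encrypted content is not usable" removes a MUST and is not editorial. Suggest adding a bullet for it under -38 so that implementers tracking normative changes through this history see it.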
| End of changes. 36 change blocks. | ||||
| 115 lines changed or deleted | 122 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||