JOSE Working Group                                              M. Jones
Internet-Draft                                                 Microsoft
Intended status: Standards Track                             E. Rescorla
Expires: January 7, 2013                                            RTFM
                                                           J. Hildebrand
                                                                   Cisco
                                                            July 6, 2012

                       JSON Web Encryption (JWE)
                 draft-ietf-jose-json-web-encryption-03

Abstract

   JSON Web Encryption (JWE) is a means of representing encrypted
   content using JavaScript Object Notation (JSON) data structures.
   Cryptographic algorithms and identifiers for use with this
   specification are described in the separate JSON Web Algorithms (JWA)
   specification.  Related digital signature and MAC capabilities are
   described in the separate JSON Web Signature (JWS) specification.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.
   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 7, 2013.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Notational Conventions
   2.  Terminology
   3.  JSON Web Encryption (JWE) Overview
     3.1.  Example JWE with an Integrated Integrity Check
     3.2.  Example JWE with a Separate Integrity Check
   4.  JWE Header
     4.1.  Reserved Header Parameter Names
       4.1.1.  "alg" (Algorithm) Header Parameter
       4.1.2.  "enc" (Encryption Method) Header Parameter
       4.1.3.  "int" (Integrity Algorithm) Header Parameter
       4.1.4.  "kdf" (Key Derivation Function) Header Parameter
       4.1.5.  "iv" (Initialization Vector) Header Parameter
       4.1.6.  "epk" (Ephemeral Public Key) Header Parameter
       4.1.7.  "zip" (Compression Algorithm) Header Parameter
       4.1.8.  "jku" (JWK Set URL) Header Parameter
       4.1.9.  "jwk" (JSON Web Key) Header Parameter
       4.1.10. "x5u" (X.509 URL) Header Parameter
       4.1.11. "x5t" (X.509 Certificate Thumbprint) Header Parameter
       4.1.12. "x5c" (X.509 Certificate Chain) Header Parameter
       4.1.13. "kid" (Key ID) Header Parameter
       4.1.14. "typ" (Type) Header Parameter
       4.1.15. "cty" (Content Type) Header Parameter
     4.2.  Public Header Parameter Names
     4.3.  Private Header Parameter Names
   5.  Message Encryption
   6.  Message Decryption
   7.  CMK Encryption
   8.  Integrity Value Calculation
   9.  Encrypting JWEs with Cryptographic Algorithms
   10. IANA Considerations
     10.1.  Registration of JWE Header Parameter Names
       10.1.1.  Registry Contents
     10.2.  JSON Web Signature and Encryption Type Values Registration
       10.2.1.  Registry Contents
     10.3.  Media Type Registration
       10.3.1.  Registry Contents
   11. Security Considerations
   12. Open Issues
   13. References
     13.1.  Normative References
     13.2.  Informative References
   Appendix A.  JWE Examples
     A.1.  Example JWE using RSAES OAEP and AES GCM
       A.1.1.  JWE Header
       A.1.2.  Encoded JWE Header
       A.1.3.  Content Master Key (CMK)
       A.1.4.  Key Encryption
       A.1.5.  Encoded JWE Encrypted Key
       A.1.6.  "Additional Authenticated Data" Parameter
       A.1.7.  Plaintext Encryption
       A.1.8.  Encoded JWE Ciphertext
       A.1.9.  Encoded JWE Integrity Value
       A.1.10. Complete Representation
       A.1.11. Validation
     A.2.  Example JWE using RSAES-PKCS1-V1_5 and AES CBC
       A.2.1.  JWE Header
       A.2.2.  Encoded JWE Header
       A.2.3.  Content Master Key (CMK)
       A.2.4.  Key Encryption
       A.2.5.  Encoded JWE Encrypted Key
       A.2.6.  Key Derivation
       A.2.7.  Plaintext Encryption
       A.2.8.  Encoded JWE Ciphertext
       A.2.9.  Secured Input Value
       A.2.10. JWE Integrity Value
       A.2.11. Encoded JWE Integrity Value
       A.2.12. Complete Representation
       A.2.13. Validation
     A.3.  Example Key Derivation with Outputs <= Hash Size
       A.3.1.  CEK Generation
       A.3.2.  CIK Generation
     A.4.  Example Key Derivation with Outputs >= Hash Size
       A.4.1.  CEK Generation
       A.4.2.  CIK Generation
   Appendix B.  Acknowledgements
   Appendix C.  Document History
   Authors' Addresses

1.  Introduction

   JSON Web Encryption (JWE) is a compact encryption format intended for
   space constrained environments such as HTTP Authorization headers and
   URI query parameters.  It represents this content using JavaScript
   Object Notation (JSON) [RFC4627] data structures.  The JWE
   cryptographic mechanisms encrypt and provide integrity protection for
   arbitrary sequences of bytes.

   Cryptographic algorithms and identifiers for use with this
   specification are described in the separate JSON Web Algorithms (JWA)
   [JWA] specification.  Related digital signature and MAC capabilities
   are described in the separate JSON Web Signature (JWS) [JWS]
   specification.

1.1.  Notational Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in Key words for use in
   RFCs to Indicate Requirement Levels [RFC2119].

2.  Terminology

   JSON Web Encryption (JWE)  A data structure representing an encrypted
      message.  The structure consists of four parts: the JWE Header,
      the JWE Encrypted Key, the JWE Ciphertext, and the JWE Integrity
      Value.

   Plaintext  The bytes to be encrypted - a.k.a., the message.  The
      plaintext can contain an arbitrary sequence of bytes.

   Ciphertext  An encrypted representation of the Plaintext.
   Content Encryption Key (CEK)  A symmetric key used to encrypt the
      Plaintext for the recipient to produce the Ciphertext.

   Content Integrity Key (CIK)  A key used with a MAC function to ensure
      the integrity of the Ciphertext and the parameters used to create
      it.

   Content Master Key (CMK)  A key from which the CEK and CIK are
      derived.  When key wrapping or key encryption are employed, the
      CMK is randomly generated and encrypted to the recipient as the
      JWE Encrypted Key.  When key agreement is employed, the CMK is the
      result of the key agreement algorithm.

   JWE Header  A string representing a JSON object that describes the
      encryption operations applied to create the JWE Encrypted Key, the
      JWE Ciphertext, and the JWE Integrity Value.

   JWE Encrypted Key  When key wrapping or key encryption are employed,
      the Content Master Key (CMK) is encrypted with the intended
      recipient's key and the resulting encrypted content is recorded as
      a byte array, which is referred to as the JWE Encrypted Key.
      Otherwise, when key agreement is employed, the JWE Encrypted Key
      is the empty byte array.

   JWE Ciphertext  A byte array containing the Ciphertext.

   JWE Integrity Value  A byte array containing a MAC value that ensures
      the integrity of the Ciphertext and the parameters used to create
      it.

   Encoded JWE Header  Base64url encoding of the bytes of the UTF-8
      [RFC3629] representation of the JWE Header.

   Encoded JWE Encrypted Key  Base64url encoding of the JWE Encrypted
      Key.

   Encoded JWE Ciphertext  Base64url encoding of the JWE Ciphertext.

   Encoded JWE Integrity Value  Base64url encoding of the JWE Integrity
      Value.

   Header Parameter Name  The name of a member of the JSON object
      representing a JWE Header.

   Header Parameter Value  The value of a member of the JSON object
      representing a JWE Header.
   JWE Compact Serialization  A representation of the JWE as the
      concatenation of the Encoded JWE Header, the Encoded JWE Encrypted
      Key, the Encoded JWE Ciphertext, and the Encoded JWE Integrity
      Value in that order, with the four strings being separated by
      period ('.') characters.

   AEAD Algorithm  An Authenticated Encryption with Associated Data
      (AEAD) [RFC5116] encryption algorithm is one that provides an
      integrated content integrity check.  AES Galois/Counter Mode (GCM)
      is one such algorithm.

   Base64url Encoding  For the purposes of this specification, this term
      always refers to the URL- and filename-safe Base64 encoding
      described in RFC 4648 [RFC4648], Section 5, with the (non URL-
      safe) '=' padding characters omitted, as permitted by Section 3.2.
      (See Appendix C of [JWS] for notes on implementing base64url
      encoding without padding.)

   Collision Resistant Namespace  A namespace that allows names to be
      allocated in a manner such that they are highly unlikely to
      collide with other names.  For instance, collision resistance can
      be achieved through administrative delegation of portions of the
      namespace or through use of collision-resistant name allocation
      functions.  Examples of Collision Resistant Namespaces include:
      Domain Names, Object Identifiers (OIDs) as defined in the ITU-T
      X.660 and X.670 Recommendation series, and Universally Unique
      IDentifiers (UUIDs) [RFC4122].  When using an administratively
      delegated namespace, the definer of a name needs to take
      reasonable precautions to ensure they are in control of the
      portion of the namespace they use to define the name.

   StringOrURI  A JSON string value, with the additional requirement
      that while arbitrary string values MAY be used, any value
      containing a ":" character MUST be a URI [RFC3986].

3.  JSON Web Encryption (JWE) Overview

   JWE represents encrypted content using JSON data structures and
   base64url encoding.  The representation consists of four parts: the
   JWE Header, the JWE Encrypted Key, the JWE Ciphertext, and the JWE
   Integrity Value.  In the Compact Serialization, the four parts are
   base64url-encoded for transmission, and represented as the
   concatenation of the encoded strings in that order, with the four
   strings being separated by period ('.') characters.  (A JSON
   Serialization for this information is defined in the separate JSON
   Web Encryption JSON Serialization (JWE-JS) [JWE-JS] specification.)

   JWE utilizes encryption to ensure the confidentiality of the
   Plaintext.  JWE adds a content integrity check if not provided by the
   underlying encryption algorithm.

3.1.  Example JWE with an Integrated Integrity Check

   This example encrypts the plaintext "Live long and prosper." to the
   recipient using RSAES OAEP and AES GCM.  The AES GCM algorithm has an
   integrated integrity check.

   The following example JWE Header declares that:

   o  the Content Master Key is encrypted to the recipient using the
      RSAES OAEP algorithm to produce the JWE Encrypted Key,

   o  the Plaintext is encrypted using the AES GCM algorithm with a 256
      bit key to produce the Ciphertext, and

   o  the 96 bit Initialization Vector (IV) with the base64url encoding
      "48V1_ALb6US04U3b" was used.
     {"alg":"RSA-OAEP","enc":"A256GCM","iv":"48V1_ALb6US04U3b"}

   Base64url encoding the bytes of the UTF-8 representation of the JWE
   Header yields this Encoded JWE Header value (with line breaks for
   display purposes only):

     eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00iLCJpdiI6IjQ4VjFfQUxi
     NlVTMDRVM2IifQ

   The remaining steps to finish creating this JWE are:

   o  Generate a random Content Master Key (CMK)

   o  Encrypt the CMK with the recipient's public key using the RSAES
      OAEP algorithm to produce the JWE Encrypted Key

   o  Base64url encode the JWE Encrypted Key to produce the Encoded JWE
      Encrypted Key

   o  Concatenate the Encoded JWE Header value, a period character
      ('.'), and the Encoded JWE Encrypted Key to create the "additional
      authenticated data" parameter for the AES GCM algorithm.

   o  Encrypt the Plaintext with AES GCM, using the IV, the CMK as the
      encryption key, and the "additional authenticated data" value
      above, requesting a 128 bit "authentication tag" output

   o  Base64url encode the resulting Ciphertext to create the Encoded
      JWE Ciphertext

   o  Base64url encode the resulting "authentication tag" to create the
      Encoded JWE Integrity Value

   o  Assemble the final representation: The Compact Serialization of
      this result is the concatenation of the Encoded JWE Header, the
      Encoded JWE Encrypted Key, the Encoded JWE Ciphertext, and the
      Encoded JWE Integrity Value in that order, with the four strings
      being separated by three period ('.') characters.

   The final result in this example (with line breaks for display
   purposes only) is:

     eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00iLCJpdiI6IjQ4VjFfQUxi
     NlVTMDRVM2IifQ.
     jvwoyhWxOMboB5cxX6ncAi7Wp3Q5FKRtlmIx35pfR9HpEa6Oy-iEpxEqM30W3YcR
     Q8WU9ouRoO5jd6tfdcpX-2X-OteHw4dnMXdMLjHGGx86LMDeFRAN2KGz7EGPJiva
     w0yM80fzT3zY0PKrIvU5ml1M5szqUnX4Jw0-PNcIM_j-L5YkLhv3Yk04XCwTJwxN
     NmXCflYAQO9f00Aa213TJJr6dbHV6I642FwU-EWvtEfN3evgX3EFIVYSnT3HCHkA
     AIdBQ9ykD-abRzVA_dGp_yJAZQcrZuNTqzThd_22YMPhIpzTygfC_4k7qqxI6t7L
     e_l5_o-taUG7vaNAl5FjEQ.
     _e21tGGhac_peEFkLXr2dMPUZiUkrw.
     YbZSeHCNDZBqAdzpROlyiw

   See Appendix A.1 for the complete details of computing this JWE.

3.2.  Example JWE with a Separate Integrity Check

   This example encrypts the plaintext "Now is the time for all good men
   to come to the aid of their country." to the recipient using RSAES-
   PKCS1-V1_5 and AES CBC.  AES CBC does not have an integrated
   integrity check, so a separate integrity check calculation is
   performed using HMAC SHA-256, with separate encryption and integrity
   keys being derived from a master key using the Concat KDF with the
   SHA-256 digest function.

   The following example JWE Header (with line breaks for display
   purposes only) declares that:

   o  the Content Master Key is encrypted to the recipient using the
      RSAES-PKCS1-V1_5 algorithm to produce the JWE Encrypted Key,

   o  the Plaintext is encrypted using the AES CBC algorithm with a 128
      bit key to produce the Ciphertext,

   o  the JWE Integrity Value safeguarding the integrity of the
      Ciphertext and the parameters used to create it was computed with
      the HMAC SHA-256 algorithm, and

   o  the 128 bit Initialization Vector (IV) with the base64url encoding
      "AxY8DCtDaGlsbGljb3RoZQ" was used.
     {"alg":"RSA1_5","enc":"A128CBC","int":"HS256","iv":"AxY8DCtDaGls
     bGljb3RoZQ"}

   Base64url encoding the bytes of the UTF-8 representation of the JWE
   Header yields this Encoded JWE Header value (with line breaks for
   display purposes only):

     eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDIiwiaW50IjoiSFMyNTYiLCJp
     diI6IkF4WThEQ3REYUdsc2JHbGpiM1JvWlEifQ

   The remaining steps to finish creating this JWE are like the previous
   example, but with an additional step to compute the separate
   integrity value:

   o  Generate a random Content Master Key (CMK)

   o  Encrypt the CMK with the recipient's public key using the RSAES-
      PKCS1-V1_5 algorithm to produce the JWE Encrypted Key

   o  Base64url encode the JWE Encrypted Key to produce the Encoded JWE
      Encrypted Key

   o  Use the Concat key derivation function to derive Content
      Encryption Key (CEK) and Content Integrity Key (CIK) values from
      the CMK

   o  Encrypt the Plaintext with AES CBC using the CEK and IV to produce
      the Ciphertext

   o  Base64url encode the resulting Ciphertext to create the Encoded
      JWE Ciphertext

   o  Concatenate the Encoded JWE Header value, a period character
      ('.'), the Encoded JWE Encrypted Key, a second period character,
      and the Encoded JWE Ciphertext to create the value to integrity
      protect

   o  Compute the HMAC SHA-256 of this value using the CIK to create the
      JWE Integrity Value

   o  Base64url encode the resulting JWE Integrity Value to create the
      Encoded JWE Integrity Value

   o  Assemble the final representation: The Compact Serialization of
      this result is the concatenation of the Encoded JWE Header, the
      Encoded JWE Encrypted Key, the Encoded JWE Ciphertext, and the
      Encoded JWE Integrity Value in that order, with the four strings
      being separated by three period ('.') characters.
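   The separate integrity check walked through in the steps above, as an
   added Go example that is not part of the draft or of any JOSE
   implementation.  Its assumptions: the JWE Encrypted Key is handed in by
   the caller (RSAES-PKCS1-V1_5 key transport is left out), AES CBC uses
   PKCS #7 block padding (the draft defers the padding rule to JWA), and
   deriveKeys is a labelled SHA-256 split standing in for the Concat KDF
   ("CS256") that JWA defines; it is not the JWA algorithm.  What the code
   demonstrates is the integrity-protected value (Encoded Header '.'
   Encoded Encrypted Key '.' Encoded Ciphertext), the JWE Integrity Value
   computed over it with the CIK, and a recipient that verifies that value
   in constant time before it decrypts anything.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // base64url with '=' padding omitted (Section 2)

// deriveKeys is a STAND-IN for the Concat KDF ("CS256") that JWA defines; it only
// shows distinct CEK and CIK values coming out of one CMK. Assumption: this
// labelled SHA-256 split is not the JWA derivation.
func deriveKeys(cmk []byte) (cek, cik []byte) {
	e := sha256.Sum256(append(append([]byte{}, cmk...), "Encryption"...))
	i := sha256.Sum256(append(append([]byte{}, cmk...), "Integrity"...))
	return e[:16], i[:] // 128-bit CEK for A128CBC, 256-bit CIK for HS256
}

// PKCS #7 padding so AES CBC sees whole blocks (padding rule assumed, from JWA).
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) ||
		!bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// Encrypt builds the Compact Serialization of the Section 3.2 shape
// ("alg":"RSA1_5", "enc":"A128CBC", "int":"HS256"). encryptedKey is the CMK already
// encrypted to the recipient; iv must be one AES block (128 bits).
func Encrypt(encryptedKey, cmk, iv, plaintext []byte) (string, error) {
	cek, cik := deriveKeys(cmk)
	block, err := aes.NewCipher(cek)
	if err != nil || len(iv) != aes.BlockSize {
		return "", errors.New("bad CEK or IV")
	}
	padded := pkcs7Pad(append([]byte{}, plaintext...))
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	hdr := fmt.Sprintf(`{"alg":"RSA1_5","enc":"A128CBC","int":"HS256","iv":"%s"}`, b64.EncodeToString(iv))
	// Value to integrity protect: Encoded Header '.' Encoded Encrypted Key '.' Encoded Ciphertext
	secured := b64.EncodeToString([]byte(hdr)) + "." + b64.EncodeToString(encryptedKey) + "." + b64.EncodeToString(ct)
	mac := hmac.New(sha256.New, cik)
	mac.Write([]byte(secured))
	return secured + "." + b64.EncodeToString(mac.Sum(nil)), nil // Encoded JWE Integrity Value last
}

// Decrypt recomputes the HMAC over the first three parts and compares it in
// constant time BEFORE any decryption; header, encrypted key and ciphertext are
// all covered, so a change to any of them is rejected here.
func Decrypt(jwe string, cmk []byte) ([]byte, error) {
	parts := strings.Split(jwe, ".")
	if len(parts) != 4 {
		return nil, errors.New("expected 4 period-separated parts")
	}
	cek, cik := deriveKeys(cmk)
	mac := hmac.New(sha256.New, cik)
	mac.Write([]byte(parts[0] + "." + parts[1] + "." + parts[2]))
	tag, err := b64.DecodeString(parts[3])
	if err != nil || !hmac.Equal(tag, mac.Sum(nil)) {
		return nil, errors.New("JWE Integrity Value does not verify")
	}
	var h struct {
		IV string `json:"iv"`
	}
	hdr, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	if err := json.Unmarshal(hdr, &h); err != nil {
		return nil, err
	}
	iv, err := b64.DecodeString(h.IV)
	if err != nil || len(iv) != aes.BlockSize {
		return nil, errors.New("bad iv")
	}
	ct, err := b64.DecodeString(parts[2])
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	block, _ := aes.NewCipher(cek) // cek length is fixed by deriveKeys
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

func main() {
	cmk, iv := make([]byte, 32), make([]byte, aes.BlockSize)
	rand.Read(cmk)
	rand.Read(iv)
	// Constructed placeholder standing in for the RSA-encrypted CMK.
	jwe, _ := Encrypt([]byte("constructed-encrypted-key"), cmk, iv,
		[]byte("Now is the time for all good men to come to the aid of their country."))
	fmt.Println(jwe)
	pt, err := Decrypt(jwe, cmk)
	fmt.Printf("%q %v\n", pt, err)
}
```

   The order in Decrypt is the point: the MAC covers the encoded header,
   so the IV and algorithm names are only read out of the header after the
   HMAC has verified, and a padding error can never be observed by someone
   who could not first produce a valid MAC.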
   The final result in this example (with line breaks for display
   purposes only) is:

     eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDIiwiaW50IjoiSFMyNTYiLCJp
     diI6IkF4WThEQ3REYUdsc2JHbGpiM1JvWlEifQ.
     IPI_z172hSWHMFgED8EG9DM6hIXU_6NaO1DImCn0vNeuoBq847Sl6qw_GHSYHJUQ
     XtXJq7S_CxWVrI82wjrOyaQca5tLZRZc45BfKHeqByThKI261QevEK56SyAwwXfK
     KZjSvkQ5dwTFSgfy76rMSUvVynHYEhdCatBF9HWTAiXPx7hgZixG1FeP_QCmOylz
     2VClVyYFCbjKREOwBFf-puNYfO75S3LNlJUtTsGGQL2oTKpMsEiUTdefkje91VX9
     h8g7908lFsggbjV7NicJsufuXxnTj1fcWIrRDeNIOmakiPEODi0gTSz0ou-W-LWK
     -3T1zYlOIiIKBjsExQKZ-w.
     _Z_djlIoC4MDSCKireWS2beti4Q6iSG2UjFujQvdz-_PQdUcFNkOulegD6BgjgdF
     LjeB4HHOO7UHvP8PEDu0a0sA2a_-CI0w2YQQ2QQe35M.
     c41k4T4eAgCCt63m8ZNmiOinMciFFypOFpvid7i6D0k

   See Appendix A.2 for the complete details of computing this JWE.

4.  JWE Header

   The members of the JSON object represented by the JWE Header describe
   the encryption applied to the Plaintext and optionally additional
   properties of the JWE.  The Header Parameter Names within this object
   MUST be unique; JWEs with duplicate Header Parameter Names MUST be
   rejected.  Implementations MUST understand the entire contents of the
   header; otherwise, the JWE MUST be rejected.

   There are two ways of distinguishing whether a header is a JWS Header
   or a JWE Header.  The first is by examining the "alg" (algorithm)
   header value.  If the value represents a digital signature or MAC
   algorithm, or is the value "none", it is for a JWS; if it represents
   an encryption or key agreement algorithm, it is for a JWE.  A second
   method is determining whether an "enc" (encryption method) member
   exists.  If the "enc" member exists, it is a JWE; otherwise, it is a
   JWS.  Both methods will yield the same result.

   There are three classes of Header Parameter Names: Reserved Header
   Parameter Names, Public Header Parameter Names, and Private Header
   Parameter Names.

4.1.  Reserved Header Parameter Names

   The following header parameter names are reserved with meanings as
   defined below.  All the names are short because a core goal of JWE is
   for the representations to be compact.

   Additional reserved header parameter names MAY be defined via the
   IANA JSON Web Signature and Encryption Header Parameters registry
   [JWS].  As indicated by the common registry, JWSs and JWEs share a
   common header parameter space; when a parameter is used by both
   specifications, its usage must be compatible between the
   specifications.

4.1.1.  "alg" (Algorithm) Header Parameter

   The "alg" (algorithm) header parameter identifies the cryptographic
   algorithm used to encrypt or reach agreement upon the Content Master
   Key (CMK).  The algorithm specified by the "alg" value MUST be
   supported by the implementation and there MUST be a key for use with
   that algorithm associated with the intended recipient or the JWE MUST
   be rejected.  The "alg" value is case sensitive.  Its value MUST be a
   string containing a StringOrURI value.  This header parameter is
   REQUIRED.

   A list of defined "alg" values for use with JWE is presented in
   Section 4.1 of the JSON Web Algorithms (JWA) [JWA] specification.
   "alg" values SHOULD either be registered in the IANA JSON Web
   Signature and Encryption Algorithms registry [JWA] or be a URI that
   contains a Collision Resistant Namespace.

4.1.2.  "enc" (Encryption Method) Header Parameter

   The "enc" (encryption method) header parameter identifies the
   symmetric encryption algorithm used to encrypt the Plaintext to
   produce the Ciphertext.  The algorithm specified by the "enc" value
   MUST be supported by the implementation or the JWE MUST be rejected.
   The "enc" value is case sensitive.  Its value MUST be a string
   containing a StringOrURI value.  This header parameter is REQUIRED.
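   The header rules of Section 4 (unique names, reject anything not
   understood, "enc" marks a JWE), together with the presence rules for
   "alg", "enc", "int", "kdf" and "zip" from Sections 4.1.1 through 4.1.7,
   as an added Go example that is not code from the draft or from any
   JOSE library.  Assumptions: the set of names this hypothetical
   implementation "understands" is exactly the reserved list of Section
   4.1, and the AEAD "enc" values are the AES GCM identifiers seen in the
   examples (A128GCM, A256GCM).  The parser walks the JSON token by token
   because encoding/json's Unmarshal would silently keep the last of two
   duplicate members, which is the opposite of what Section 4 requires.
   Section31JWE is the Compact Serialization from Section 3.1.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Reserved names from Section 4.1: the only ones this implementation understands.
var understood = map[string]bool{
	"alg": true, "enc": true, "int": true, "kdf": true, "iv": true, "epk": true,
	"zip": true, "jku": true, "jwk": true, "x5u": true, "x5t": true, "x5c": true,
	"kid": true, "typ": true, "cty": true,
}

// "enc" values that are AEAD algorithms (AES GCM, Section 2). Assumption: taken
// from the identifiers used in the draft's examples.
var aeadEnc = map[string]bool{"A128GCM": true, "A256GCM": true}

// Section31JWE is the complete Section 3.1 example with display line breaks removed.
const Section31JWE = "eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00iLCJpdiI6IjQ4VjFfQUxiNlVTMDRVM2IifQ." +
	"jvwoyhWxOMboB5cxX6ncAi7Wp3Q5FKRtlmIx35pfR9HpEa6Oy-iEpxEqM30W3YcR" +
	"Q8WU9ouRoO5jd6tfdcpX-2X-OteHw4dnMXdMLjHGGx86LMDeFRAN2KGz7EGPJiva" +
	"w0yM80fzT3zY0PKrIvU5ml1M5szqUnX4Jw0-PNcIM_j-L5YkLhv3Yk04XCwTJwxN" +
	"NmXCflYAQO9f00Aa213TJJr6dbHV6I642FwU-EWvtEfN3evgX3EFIVYSnT3HCHkA" +
	"AIdBQ9ykD-abRzVA_dGp_yJAZQcrZuNTqzThd_22YMPhIpzTygfC_4k7qqxI6t7L" +
	"e_l5_o-taUG7vaNAl5FjEQ." +
	"_e21tGGhac_peEFkLXr2dMPUZiUkrw." +
	"YbZSeHCNDZBqAdzpROlyiw"

// SplitCompact splits a JWE Compact Serialization into its four encoded parts.
func SplitCompact(s string) ([4]string, error) {
	var parts [4]string
	p := strings.Split(s, ".")
	if len(p) != 4 {
		return parts, fmt.Errorf("expected 4 period-separated parts, got %d", len(p))
	}
	copy(parts[:], p)
	return parts, nil
}

// ParseHeader base64url-decodes an Encoded JWE Header and parses it member by
// member so that duplicate Header Parameter Names are rejected (Section 4).
func ParseHeader(encoded string) (map[string]any, error) {
	raw, err := base64.RawURLEncoding.DecodeString(encoded) // '=' padding is an error
	if err != nil {
		return nil, fmt.Errorf("header is not unpadded base64url: %w", err)
	}
	dec := json.NewDecoder(bytes.NewReader(raw))
	if tok, err := dec.Token(); err != nil || tok != json.Delim('{') {
		return nil, errors.New("header is not a JSON object")
	}
	h := map[string]any{}
	for dec.More() {
		tok, err := dec.Token()
		if err != nil {
			return nil, err
		}
		name, ok := tok.(string)
		if !ok {
			return nil, errors.New("member name is not a string")
		}
		if _, dup := h[name]; dup {
			return nil, fmt.Errorf("duplicate header parameter %q", name)
		}
		var v any
		if err := dec.Decode(&v); err != nil {
			return nil, err
		}
		h[name] = v
	}
	if _, err := dec.Token(); err != nil { // closing '}'
		return nil, err
	}
	if _, err := dec.Token(); err != io.EOF {
		return nil, errors.New("trailing data after header object")
	}
	return h, nil
}

// IsJWE applies the second test of Section 4: an "enc" member marks a JWE.
func IsJWE(h map[string]any) bool {
	_, ok := h["enc"]
	return ok
}

// ValidateJWEHeader enforces the presence rules of Sections 4.1.1 to 4.1.7.
func ValidateJWEHeader(h map[string]any) error {
	for name := range h {
		if !understood[name] {
			return fmt.Errorf("header parameter %q not understood; JWE MUST be rejected", name)
		}
	}
	if alg, ok := h["alg"].(string); !ok || alg == "" {
		return errors.New(`"alg" is REQUIRED and must be a string`)
	}
	enc, ok := h["enc"].(string)
	if !ok || enc == "" {
		return errors.New(`"enc" is REQUIRED and must be a string`)
	}
	_, hasInt := h["int"]
	_, hasKdf := h["kdf"]
	if aeadEnc[enc] && (hasInt || hasKdf) {
		return errors.New(`"int" and "kdf" MUST NOT be present with an AEAD "enc"`)
	}
	if !aeadEnc[enc] && !hasInt {
		return errors.New(`"int" is REQUIRED when "enc" is not an AEAD algorithm`)
	}
	if z, present := h["zip"]; present && z != "DEF" {
		return fmt.Errorf(`"zip" must be the string "DEF", got %v`, z)
	}
	return nil
}

func main() {
	parts, err := SplitCompact(Section31JWE)
	fmt.Println(err)
	h, err := ParseHeader(parts[0])
	fmt.Println(h, err, IsJWE(h), ValidateJWEHeader(h))
	// Constructed header with a duplicate "alg" member: must be rejected.
	dup := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RSA-OAEP","alg":"RSA1_5","enc":"A256GCM"}`))
	_, err = ParseHeader(dup)
	fmt.Println(err)
}
```

   Note that the rule "reject what you do not understand" is checked
   before anything else is read out of the header, so an unknown
   parameter cannot steer processing even when the rest of the header is
   well formed.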
   A list of defined "enc" values is presented in Section 4.2 of the
   JSON Web Algorithms (JWA) [JWA] specification.  "enc" values SHOULD
   either be registered in the IANA JSON Web Signature and Encryption
   Algorithms registry [JWA] or be a URI that contains a Collision
   Resistant Namespace.

4.1.3.  "int" (Integrity Algorithm) Header Parameter

   The "int" (integrity algorithm) header parameter identifies the
   cryptographic algorithm used to safeguard the integrity of the
   Ciphertext and the parameters used to create it.  The "int" parameter
   uses the MAC subset of the algorithm values used by the JWS "alg"
   parameter.  The "int" value is case sensitive.  Its value MUST be a
   string containing a StringOrURI value.  This header parameter is
   REQUIRED when an AEAD algorithm is not used to encrypt the Plaintext
   and MUST NOT be present when an AEAD algorithm is used.

   A list of defined "int" values is presented in Section 4.3 of the
   JSON Web Algorithms (JWA) [JWA] specification.  "int" values SHOULD
   either be registered in the IANA JSON Web Signature and Encryption
   Algorithms registry [JWA] or be a URI that contains a Collision
   Resistant Namespace.

4.1.4.  "kdf" (Key Derivation Function) Header Parameter

   The "kdf" (key derivation function) header parameter identifies the
   cryptographic algorithm used to derive the CEK and CIK from the CMK.
   The "kdf" value is case sensitive.  Its value MUST be a string
   containing a StringOrURI value.  This header parameter is OPTIONAL
   when an AEAD algorithm is not used to encrypt the Plaintext and MUST
   NOT be present when an AEAD algorithm is used.

   When an AEAD algorithm is not used and no "kdf" header parameter is
   present, the "CS256" KDF [JWA] SHALL be used.

   A list of defined "kdf" values is presented in Section 4.4 of the
   JSON Web Algorithms (JWA) [JWA] specification.
   "kdf" values SHOULD
   either be registered in the IANA JSON Web Signature and Encryption
   Algorithms registry [JWA] or be a URI that contains a Collision
   Resistant Namespace.

4.1.5.  "iv" (Initialization Vector) Header Parameter

   The "iv" (initialization vector) value for algorithms requiring it,
   represented as a base64url encoded string.  This header parameter is
   OPTIONAL, although its use is REQUIRED with some "enc" algorithms.

4.1.6.  "epk" (Ephemeral Public Key) Header Parameter

   The "epk" (ephemeral public key) value created by the originator for
   the use in key agreement algorithms.  This key is represented as a
   JSON Web Key [JWK] value.  This header parameter is OPTIONAL,
   although its use is REQUIRED with some "alg" algorithms.

4.1.7.  "zip" (Compression Algorithm) Header Parameter

   The "zip" (compression algorithm) applied to the Plaintext before
   encryption, if any.  If present, the value of the "zip" header
   parameter MUST be the case sensitive string "DEF".  Compression is
   performed with the DEFLATE [RFC1951] algorithm.  If no "zip"
   parameter is present, no compression is applied to the Plaintext
   before encryption.  This header parameter is OPTIONAL.

4.1.8.  "jku" (JWK Set URL) Header Parameter

   The "jku" (JWK Set URL) header parameter is a URI [RFC3986] that
   refers to a resource for a set of JSON-encoded public keys, one of
   which corresponds to the key used to encrypt the JWE; this can be
   used to determine the private key needed to decrypt the JWE.  The
   keys MUST be encoded as a JSON Web Key Set (JWK Set) [JWK].  The
   protocol used to acquire the resource MUST provide integrity
   protection; an HTTP GET request to retrieve the certificate MUST use
   TLS [RFC2818] [RFC5246]; the identity of the server MUST be
   validated, as per Section 3.1 of HTTP Over TLS [RFC2818].  This
   header parameter is OPTIONAL.

4.1.9.  "jwk" (JSON Web Key) Header Parameter

   The "jwk" (JSON Web Key) header parameter is a public key that
   corresponds to the key used to encrypt the JWE; this can be used to
   determine the private key needed to decrypt the JWE.  This key is
   represented as a JSON Web Key [JWK].  This header parameter is
   OPTIONAL.

4.1.10.  "x5u" (X.509 URL) Header Parameter

   The "x5u" (X.509 URL) header parameter is a URI [RFC3986] that refers
   to a resource for the X.509 public key certificate or certificate
   chain [RFC5280] corresponding to the key used to encrypt the JWE;
   this can be used to determine the private key needed to decrypt the
   JWE.  The identified resource MUST provide a representation of the
   certificate or certificate chain that conforms to RFC 5280 [RFC5280]
   in PEM encoded form [RFC1421].  The certificate containing the public
   key of the entity that encrypted the JWE MUST be the first
   certificate.  This MAY be followed by additional certificates, with
   each subsequent certificate being the one used to certify the
   previous one.  The protocol used to acquire the resource MUST provide
   integrity protection; an HTTP GET request to retrieve the certificate
   MUST use TLS [RFC2818] [RFC5246]; the identity of the server MUST be
   validated, as per Section 3.1 of HTTP Over TLS [RFC2818].  This
   header parameter is OPTIONAL.

4.1.11.  "x5t" (X.509 Certificate Thumbprint) Header Parameter

   The "x5t" (X.509 Certificate Thumbprint) header parameter provides a
   base64url encoded SHA-1 thumbprint (a.k.a. digest) of the DER
   encoding of the X.509 certificate [RFC5280] corresponding to the key
   used to encrypt the JWE; this can be used to determine the private
   key needed to decrypt the JWE.  This header parameter is OPTIONAL.
   If, in the future, certificate thumbprints need to be computed using
   hash functions other than SHA-1, it is suggested that additional
   related header parameters be defined for that purpose.  For example,
   it is suggested that a new "x5t#S256" (X.509 Certificate Thumbprint
   using SHA-256) header parameter could be defined by registering it in
   the IANA JSON Web Signature and Encryption Header Parameters registry
   [JWS].

4.1.12.  "x5c" (X.509 Certificate Chain) Header Parameter

   The "x5c" (X.509 Certificate Chain) header parameter contains the
   X.509 public key certificate or certificate chain [RFC5280]
   corresponding to the key used to encrypt the JWE; this can be used to
   determine the private key needed to decrypt the JWE.  The certificate
   or certificate chain is represented as an array of certificate
   values.  Each value is a base64 encoded ([RFC4648] Section 4 - not
   base64url encoded) DER [ITU.X690.1994] PKIX certificate value.  The
   certificate containing the public key of the entity that encrypted
   the JWE MUST be the first certificate.  This MAY be followed by
   additional certificates, with each subsequent certificate being the
   one used to certify the previous one.  The recipient MUST verify the
   certificate chain according to [RFC5280] and reject the JWE if any
   validation failure occurs.  This header parameter is OPTIONAL.

   See Appendix B of [JWS] for an example "x5c" value.

4.1.13.  "kid" (Key ID) Header Parameter

   The "kid" (key ID) header parameter is a hint indicating which key
   was used to encrypt the JWE; this can be used to determine the
   private key needed to decrypt the JWE.  This parameter allows
   originators to explicitly signal a change of key to recipients.
   Should the recipient be unable to locate a key corresponding to the
   "kid" value, they SHOULD treat that condition as an error.  The
   interpretation of the "kid" value is unspecified.
Its value MUST be a string.  This header parameter is OPTIONAL.

When used with a JWK, the "kid" value MAY be used to match a JWK "kid" parameter value.

4.1.14.  "typ" (Type) Header Parameter

The "typ" (type) header parameter is used to declare the type of this object.  The type value "JWE" MAY be used to indicate that this object is a JWE.  The "typ" value is case sensitive.  Its value MUST be a string.  This header parameter is OPTIONAL.

MIME Media Type [RFC2046] values MAY be used as "typ" values.

"typ" values SHOULD either be registered in the IANA JSON Web Signature and Encryption Type Values registry [JWS] or be a URI that contains a Collision Resistant Namespace.

4.1.15.  "cty" (Content Type) Header Parameter

The "cty" (content type) header parameter is used to declare the type of the encrypted content (the Plaintext).  The "cty" value is case sensitive.  Its value MUST be a string.  This header parameter is OPTIONAL.

The values used for the "cty" header parameter come from the same value space as the "typ" header parameter, with the same rules applying.

4.2.  Public Header Parameter Names

Additional header parameter names can be defined by those using JWEs.  However, in order to prevent collisions, any new header parameter name SHOULD either be registered in the IANA JSON Web Signature and Encryption Header Parameters registry [JWS] or be a URI that contains a Collision Resistant Namespace.  In each case, the definer of the name or value needs to take reasonable precautions to make sure they are in control of the part of the namespace they use to define the header parameter name.

New header parameters should be introduced sparingly, as they can result in non-interoperable JWEs.

4.3.  Private Header Parameter Names

A producer and consumer of a JWE may agree to any header parameter name that is not a Reserved Name (Section 4.1) or a Public Name (Section 4.2).  Unlike Public Names, these private names are subject to collision and should be used with caution.

5.  Message Encryption

The message encryption process is as follows.  The order of the steps is not significant in cases where there are no dependencies between the inputs and outputs of the steps.

1.  When key wrapping or key encryption are employed, generate a random Content Master Key (CMK).  See RFC 4086 [RFC4086] for considerations on generating random values.  Otherwise, when key agreement is employed, use the key agreement algorithm to compute the value of the Content Master Key (CMK).  The CMK MUST have a length equal to that of the larger of the required encryption and integrity keys.

2.  When key wrapping or key encryption are employed, encrypt the CMK for the recipient (see Section 7) and let the result be the JWE Encrypted Key.  Otherwise, when key agreement is employed, let the JWE Encrypted Key be an empty byte array.

3.  Base64url encode the JWE Encrypted Key to create the Encoded JWE Encrypted Key.

4.  Generate a random Initialization Vector (IV) of the correct size for the algorithm (if required for the algorithm).

5.  If not using an AEAD algorithm, run the key derivation algorithm specified by the "kdf" header parameter to generate the Content Encryption Key (CEK) and the Content Integrity Key (CIK); otherwise (when using an AEAD algorithm), set the CEK to be the CMK.

6.  Compress the Plaintext if a "zip" parameter was included.

7.  Serialize the (compressed) Plaintext into a byte sequence M.

8.  Create a JWE Header containing the encryption parameters used.
Note that white space is explicitly allowed in the representation and no canonicalization need be performed before encoding.

9.  Base64url encode the bytes of the UTF-8 representation of the JWE Header to create the Encoded JWE Header.

10.  Encrypt M using the CEK and IV to form the byte sequence C.  If an AEAD algorithm is used, use the bytes of the ASCII representation of the concatenation of the Encoded JWE Header, a period ('.') character, and the Encoded JWE Encrypted Key as the "additional authenticated data" parameter value for the encryption.

11.  Base64url encode C to create the Encoded JWE Ciphertext.

12.  If not using an AEAD algorithm, run the integrity algorithm (see Section 8) using the CIK to compute the JWE Integrity Value; otherwise (when using an AEAD algorithm), set the JWE Integrity Value to be the "authentication tag" value produced by the AEAD algorithm.

13.  Base64url encode the JWE Integrity Value to create the Encoded JWE Integrity Value.

14.  The four encoded parts, taken together, are the result.

15.  The Compact Serialization of this result is the concatenation of the Encoded JWE Header, the Encoded JWE Encrypted Key, the Encoded JWE Ciphertext, and the Encoded JWE Integrity Value in that order, with the four strings being separated by period ('.') characters.

6.  Message Decryption

The message decryption process is the reverse of the encryption process.  The order of the steps is not significant in cases where there are no dependencies between the inputs and outputs of the steps.  If any of these steps fails, the JWE MUST be rejected.

1.  Determine the Encoded JWE Header, the Encoded JWE Encrypted Key, the Encoded JWE Ciphertext, and the Encoded JWE Integrity Value values contained in the JWE.  When using the Compact Serialization, these four values are represented in that order, separated by period characters.
2.  The Encoded JWE Header, the Encoded JWE Encrypted Key, the Encoded JWE Ciphertext, and the Encoded JWE Integrity Value MUST be successfully base64url decoded following the restriction that no padding characters have been used.

3.  The resulting JWE Header MUST be completely valid JSON syntax conforming to RFC 4627 [RFC4627].

4.  The resulting JWE Header MUST be validated to only include parameters and values whose syntax and semantics are both understood and supported.

5.  Verify that the JWE Header references a key known to the recipient.

6.  When key wrapping or key encryption are employed, decrypt the JWE Encrypted Key to produce the Content Master Key (CMK).  Otherwise, when key agreement is employed, use the key agreement algorithm to compute the value of the Content Master Key (CMK).  The CMK MUST have a length equal to that of the larger of the required encryption and integrity keys.

7.  If not using an AEAD algorithm, run the key derivation algorithm specified by the "kdf" header parameter to generate the Content Encryption Key (CEK) and the Content Integrity Key (CIK); otherwise (when using an AEAD algorithm), set the CEK to be the CMK.

8.  Decrypt the binary representation of the JWE Ciphertext using the CEK and IV.  If an AEAD algorithm is used, use the bytes of the ASCII representation of the concatenation of the Encoded JWE Header, a period ('.') character, and the Encoded JWE Encrypted Key as the "additional authenticated data" parameter value for the decryption.

9.  If not using an AEAD algorithm, run the integrity algorithm (see Section 8) using the CIK to compute an integrity value for the input received.  This computed value MUST match the received JWE Integrity Value.  Otherwise (when using an AEAD algorithm), the received JWE Integrity Value MUST match the "authentication tag" value produced by the AEAD algorithm.
10.  Uncompress the result of the previous step, if a "zip" parameter was included.

11.  Output the resulting Plaintext.

7.  CMK Encryption

JWE supports two forms of Content Master Key (CMK) encryption:

o  Asymmetric encryption under the recipient's public key.

o  Symmetric encryption under a key shared between the sender and receiver.

See the algorithms registered for "alg" usage in the IANA JSON Web Signature and Encryption Algorithms registry [JWA] and Section 4.1 of the JSON Web Algorithms (JWA) [JWA] specification for lists of encryption algorithms that can be used for CMK encryption.

8.  Integrity Value Calculation

When a non-AEAD algorithm is used (an algorithm without an integrated content check), JWE adds an explicit integrity check value to the representation.  This value is computed in the manner described in the JSON Web Signature (JWS) [JWS] specification, with these modifications:

o  The algorithm used is taken from the "int" (integrity algorithm) header parameter rather than the "alg" header parameter.

o  The algorithm MUST be a MAC algorithm (such as HMAC SHA-256).

o  The JWS Secured Input used is the bytes of the ASCII representation of the concatenation of the Encoded JWE Header, a period ('.') character, the Encoded JWE Encrypted Key, a period ('.') character, and the Encoded JWE Ciphertext.

o  The CIK is used as the MAC key.

The computed JWS Signature value is the resulting integrity value.

9.  Encrypting JWEs with Cryptographic Algorithms

JWE uses cryptographic algorithms to encrypt the Plaintext and the Content Master Key (CMK) and to provide integrity protection for the JWE Header, JWE Encrypted Key, and JWE Ciphertext.  The JSON Web Algorithms (JWA) [JWA] specification specifies a set of cryptographic algorithms and identifiers to be used with this specification and defines registries for additional such algorithms.
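The framing of Sections 5 and 6 and the integrity value of Section 8, as an added example that is not code from the draft (Python standard library only).  The cipher behind "enc" and the CMK encryption behind "alg" are not implemented, so the encrypted key, ciphertext and CIK are constructed bytes; the header is the one from Appendix A.2, and the recipient policy sets (UNDERSTOOD, SUPPORTED_ALG and so on) and all function names are this example's own.  Three checks a decryptor should not skip are made explicit: a base64url part is rejected if padded or outside the alphabet (step 2), a header carrying any parameter the recipient does not understand is rejected rather than ignored (step 4), and the MAC is verified in constant time before any decryption is attempted (step 9).

```python
"""Framing and integrity checks of Sections 5, 6 and 8 (added example, not
code from the draft). The content cipher ("enc") and the CMK encryption
("alg") are left out; everything that wraps them is here."""
import base64
import hashlib
import hmac
import json

_B64URL = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")

# This recipient's policy (constructed for the example): the header parameters
# it understands (Section 6, step 4) and the algorithm values it supports.
UNDERSTOOD = {"alg", "enc", "int", "kdf", "iv", "zip", "kid", "typ", "cty"}
SUPPORTED_ALG = {"RSA1_5", "RSA-OAEP"}
SUPPORTED_ENC = {"A128CBC", "A256GCM"}
AEAD_ENC = {"A256GCM"}            # carries its own tag, so no "int" step
SUPPORTED_INT = {"HS256"}

def b64url_encode(data: bytes) -> str:
    """base64url with the '=' padding removed, as every JWE part is encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    """Strict decoder for Section 6, step 2: no padding and nothing outside the
    base64url alphabet (the std-lib decoder silently accepts both)."""
    if "=" in text or any(c not in _B64URL for c in text):
        raise ValueError("not unpadded base64url")
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def split_compact(jwe: str) -> list:
    """Section 6, step 1: header, encrypted key, ciphertext, integrity value."""
    parts = jwe.split(".")
    if len(parts) != 4:
        raise ValueError("Compact Serialization must have exactly four parts")
    return parts

def parse_header(encoded_header: str) -> dict:
    """Section 6, steps 3 and 4: a JSON object whose every parameter is
    understood and every value supported. Unknown parameters are an error."""
    header = json.loads(b64url_decode(encoded_header).decode("utf-8"))
    if not isinstance(header, dict):
        raise ValueError("JWE Header must be a JSON object")
    unknown = set(header) - UNDERSTOOD
    if unknown:
        raise ValueError("unsupported header parameters: %s" % sorted(unknown))
    if header.get("alg") not in SUPPORTED_ALG or header.get("enc") not in SUPPORTED_ENC:
        raise ValueError("unsupported alg or enc")
    if header["enc"] not in AEAD_ENC and header.get("int") not in SUPPORTED_INT:
        raise ValueError("non-AEAD enc without a supported int algorithm")
    for name in ("kid", "typ", "cty"):
        if name in header and not isinstance(header[name], str):
            raise ValueError("%s must be a string" % name)
    return header

def aad(encoded_header: str, encoded_key: str) -> bytes:
    """The "additional authenticated data" for an AEAD enc (Section 5 step 10,
    Section 6 step 8): the ASCII bytes of header '.' key."""
    return (encoded_header + "." + encoded_key).encode("ascii")

def integrity_value(cik: bytes, encoded_header: str, encoded_key: str,
                    encoded_ciphertext: str) -> bytes:
    """Section 8 with "int": "HS256": HMAC-SHA-256 keyed by the CIK over the
    ASCII bytes of header '.' key '.' ciphertext."""
    secured_input = ".".join((encoded_header, encoded_key, encoded_ciphertext))
    return hmac.new(cik, secured_input.encode("ascii"), hashlib.sha256).digest()

def assemble(encoded_header: str, key: bytes, ciphertext: bytes, tag: bytes) -> str:
    """Section 5, steps 3, 11, 13 and 15: encode each part, join with periods."""
    return ".".join((encoded_header, b64url_encode(key),
                     b64url_encode(ciphertext), b64url_encode(tag)))

def check_integrity(jwe: str, cik: bytes) -> dict:
    """Section 6, steps 1-4 and 9 for a non-AEAD JWE: returns the validated
    header or raises ValueError, before any decryption is attempted. The MAC
    comparison is constant-time so a forger learns nothing from timing."""
    eh, ek, ec, ei = split_compact(jwe)
    header = parse_header(eh)
    for part in (ek, ec):
        b64url_decode(part)                      # step 2 for the other parts
    if header["enc"] in AEAD_ENC:
        raise ValueError("AEAD enc: the cipher verifies the tag, using aad()")
    expected = integrity_value(cik, eh, ek, ec)
    if not hmac.compare_digest(expected, b64url_decode(ei)):
        raise ValueError("JWE Integrity Value mismatch; reject the JWE")
    return header

# Constructed inputs. In a real JWE the encrypted key and ciphertext come from
# RSAES-PKCS1-V1_5 and AES-CBC and the CIK from the KDF; arbitrary bytes are
# enough to exercise the framing. The header is the one from Appendix A.2.
HEADER_A2 = '{"alg":"RSA1_5","enc":"A128CBC","int":"HS256","iv":"AxY8DCtDaGlsbGljb3RoZQ"}'
ENCODED_HEADER_A2 = b64url_encode(HEADER_A2.encode("utf-8"))
SAMPLE_CIK = bytes(range(32))
SAMPLE_ENCRYPTED_KEY = bytes([0xA5] * 256)
SAMPLE_CIPHERTEXT = bytes([0x5A] * 48)

def build_sample_jwe() -> str:
    """Producer side (Section 5, steps 3 and 11-15) for the constructed inputs."""
    ek, ec = b64url_encode(SAMPLE_ENCRYPTED_KEY), b64url_encode(SAMPLE_CIPHERTEXT)
    return assemble(ENCODED_HEADER_A2, SAMPLE_ENCRYPTED_KEY, SAMPLE_CIPHERTEXT,
                    integrity_value(SAMPLE_CIK, ENCODED_HEADER_A2, ek, ec))

def tamper(jwe: str, part: int) -> str:
    """Flip one bit in the given part; check_integrity must reject the result."""
    parts = jwe.split(".")
    raw = bytearray(b64url_decode(parts[part]))
    raw[0] ^= 0x01
    parts[part] = b64url_encode(bytes(raw))
    return ".".join(parts)
```

tamper() flips one bit in any of the four parts, and every variant must fail check_integrity; that is the property the "int" value exists to provide, and it covers the header and the encrypted key, not only the ciphertext.  For an AEAD "enc" the same aad() bytes are handed to the cipher instead and there is no separate MAC.  The Encoded JWE Header this block computes for the Appendix A.2 header is exactly the value printed in Appendix A.2.2, which is a convenient first check for any new implementation.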
Specifically, Section 4.1 specifies a set of "alg" (algorithm) header parameter values, Section 4.2 specifies a set of "enc" (encryption method) header parameter values, Section 4.3 specifies a set of "int" (integrity algorithm) header parameter values, and Section 4.4 specifies a set of "kdf" (key derivation function) header parameter values intended for use with this specification.  It also describes the semantics and operations that are specific to these algorithms and algorithm families.

Public keys employed for encryption can be identified using the Header Parameter methods described in Section 4.1 or can be distributed using methods that are outside the scope of this specification.

10.  IANA Considerations

10.1.  Registration of JWE Header Parameter Names

This specification registers the Header Parameter Names defined in Section 4.1 in the IANA JSON Web Signature and Encryption Header Parameters registry [JWS].

10.1.1.  Registry Contents

o  Header Parameter Name: "alg"
o  Change Controller: IETF
o  Specification Document(s): Section 4.1.1 of [[ this document ]]

o  Header Parameter Name: "enc"
o  Change Controller: IETF
o  Specification Document(s): Section 4.1.2 of [[ this document ]]

o  Header Parameter Name: "int"
o  Change Controller: IETF
o  Specification Document(s): Section 4.1.3 of [[ this document ]]

o  Header Parameter Name: "kdf"
o  Change Controller: IETF
o  Specification Document(s): Section 4.1.4 of [[ this document ]]

o  Header Parameter Name: "iv"
o  Change Controller: IETF
o  Specification Document(s): Section 4.1.5 of [[ this document ]]

o  Header Parameter Name: "epk"
o  Change Controller: IETF
o  Specification Document(s): Section 4.1.6 of [[ this document ]]

o  Header Parameter Name: "zip"
o  Change Controller: IETF
o  Specification Document(s): Section 4.1.7 of [[ this document ]]

o  Header Parameter Name: "jku"
o  Change Controller: IETF
o  Specification Document(s): Section 4.1.8 of [[ this document ]]

o  Header Parameter Name: "jwk"
o  Change Controller: IETF
o  Specification Document(s): Section 4.1.9 of [[ this document ]]

o  Header Parameter Name: "x5u"
o  Change Controller: IETF
o  Specification Document(s): Section 4.1.10 of [[ this document ]]

o  Header Parameter Name: "x5t"
o  Change Controller: IETF
o  Specification Document(s): Section 4.1.11 of [[ this document ]]

o  Header Parameter Name: "x5c"
o  Change Controller: IETF
o  Specification Document(s): Section 4.1.12 of [[ this document ]]

o  Header Parameter Name: "kid"
o  Change Controller: IETF
o  Specification Document(s): Section 4.1.13 of [[ this document ]]

o  Header Parameter Name: "typ"
o  Change Controller: IETF
o  Specification Document(s): Section 4.1.14 of [[ this document ]]

o  Header Parameter Name: "cty"
o  Change Controller: IETF
o  Specification Document(s): Section 4.1.15 of [[ this document ]]

10.2.  JSON Web Signature and Encryption Type Values Registration

10.2.1.  Registry Contents

This specification registers the "JWE" type value in the IANA JSON Web Signature and Encryption Type Values registry [JWS]:

o  "typ" Header Parameter Value: "JWE"
o  Abbreviation for MIME Type: application/jwe
o  Change Controller: IETF
o  Specification Document(s): Section 4.1.14 of [[ this document ]]

10.3.  Media Type Registration

10.3.1.  Registry Contents

This specification registers the "application/jwe" Media Type [RFC2046] in the MIME Media Type registry [RFC4288] to indicate that the content is a JWE using the Compact Serialization.

o  Type Name: application
o  Subtype Name: jwe
o  Required Parameters: n/a
o  Optional Parameters: n/a
o  Encoding considerations: JWE values are encoded as a series of base64url encoded values (some of which may be the empty string) separated by period ('.') characters
o  Security Considerations: See the Security Considerations section of this document
o  Interoperability Considerations: n/a
o  Published Specification: [[ this document ]]
o  Applications that use this media type: OpenID Connect and other applications using encrypted JWTs
o  Additional Information: Magic number(s): n/a, File extension(s): n/a, Macintosh file type code(s): n/a
o  Person & email address to contact for further information: Michael B. Jones, mbj@microsoft.com
o  Intended Usage: COMMON
o  Restrictions on Usage: none
o  Author: Michael B. Jones, mbj@microsoft.com
o  Change Controller: IETF

11.  Security Considerations

All of the security issues faced by any cryptographic application must be faced by a JWS/JWE/JWK agent.
Among these issues are protecting the user's private key, preventing various attacks, and helping the user avoid mistakes such as inadvertently encrypting a message for the wrong recipient.  The entire list of security considerations is beyond the scope of this document, but some significant concerns are listed here.

All the security considerations in the JWS specification also apply to this specification.  Likewise, all the security considerations in XML Encryption 1.1 [W3C.CR-xmlenc-core1-20120313] also apply to JWE, other than those that are XML specific.

12.  Open Issues

[[ to be removed by the RFC editor before publication as an RFC ]]

The following items remain to be considered or done in this draft:

o  Should we define an optional nonce and/or timestamp header parameter?  (Use of a nonce is an effective countermeasure to some kinds of attacks.)

o  When doing key agreement, do we want to also use a separate CMK and encrypt the CMK with the agreed upon key or just use the agreed upon key directly as the CMK?  Having a CMK would have value in the multiple recipients case, as it would allow multiple recipients to share the same ciphertext even when key agreement is used, but it seems that it's just extra overhead in the single recipient case.

o  Do we want to consolidate the combination of the "enc", "int", and "kdf" parameters into a single new "enc" parameter defining composite AEAD algorithms?  For instance, we might define a composite algorithm A128CBC with HS256 and CS256 and another composite algorithm A256CBC with HS512 and CS512.  A symmetry argument for doing this is that the "int" and "kdf" parameters are not used with AEAD algorithms.
An argument against it is that in some cases, integrity is not needed because it's provided by other means, and so having the flexibility to not use an "int" algorithm or key derivation with a non-AEAD "enc" algorithm could be useful.

13.  References

13.1.  Normative References

[ITU.X690.1994]  International Telecommunications Union, "Information Technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)", ITU-T Recommendation X.690, 1994.

[JWA]  Jones, M., "JSON Web Algorithms (JWA)", July 2012.

[JWK]  Jones, M., "JSON Web Key (JWK)", July 2012.

[JWS]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web Signature (JWS)", July 2012.

[RFC1421]  Linn, J., "Privacy Enhancement for Internet Electronic Mail: Part I: Message Encryption and Authentication Procedures", RFC 1421, February 1993.

[RFC1951]  Deutsch, P., "DEFLATE Compressed Data Format Specification version 1.3", RFC 1951, May 1996.

[RFC2046]  Freed, N. and N. Borenstein, "Multipurpose Internet Mail Extensions (MIME) Part Two: Media Types", RFC 2046, November 1996.

[RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2818]  Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.

[RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, November 2003.

[RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, January 2005.

[RFC4086]  Eastlake, D., Schiller, J., and S. Crocker, "Randomness Requirements for Security", BCP 106, RFC 4086, June 2005.

[RFC4288]  Freed, N. and J. Klensin, "Media Type Specifications and Registration Procedures", BCP 13, RFC 4288, December 2005.
[RFC4627]  Crockford, D., "The application/json Media Type for JavaScript Object Notation (JSON)", RFC 4627, July 2006.

[RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data Encodings", RFC 4648, October 2006.

[RFC5116]  McGrew, D., "An Interface and Algorithms for Authenticated Encryption", RFC 5116, January 2008.

[RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008.

[RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008.

13.2.  Informative References

[I-D.rescorla-jsms]  Rescorla, E. and J. Hildebrand, "JavaScript Message Security Format", draft-rescorla-jsms-00 (work in progress), March 2011.

[JSE]  Bradley, J. and N. Sakimura (editor), "JSON Simple Encryption", September 2010.

[JWE-JS]  Jones, M., "JSON Web Encryption JSON Serialization (JWE-JS)", July 2012.

[RFC4122]  Leach, P., Mealling, M., and R. Salz, "A Universally Unique IDentifier (UUID) URN Namespace", RFC 4122, July 2005.

[RFC5652]  Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, RFC 5652, September 2009.

[W3C.CR-xmlenc-core1-20120313]  Eastlake, D., Reagle, J., Hirsch, F., and T. Roessler, "XML Encryption Syntax and Processing Version 1.1", World Wide Web Consortium CR CR-xmlenc-core1-20120313, March 2012.

Appendix A.  JWE Examples

This section provides examples of JWE computations.

A.1.  Example JWE using RSAES OAEP and AES GCM

This example encrypts the plaintext "Live long and prosper." to the recipient using RSAES OAEP and AES GCM.  The AES GCM algorithm has an integrated integrity check.
The representation of this plaintext is:

[76, 105, 118, 101, 32, 108, 111, 110, 103, 32, 97, 110, 100, 32, 112, 114, 111, 115, 112, 101, 114, 46]

A.1.1.  JWE Header

The following example JWE Header declares that:

o  the Content Master Key is encrypted to the recipient using the RSAES OAEP algorithm to produce the JWE Encrypted Key,

o  the Plaintext is encrypted using the AES GCM algorithm with a 256 bit key to produce the Ciphertext, and

o  the 96 bit Initialization Vector (IV) [227, 197, 117, 252, 2, 219, 233, 68, 180, 225, 77, 219] with the base64url encoding "48V1_ALb6US04U3b" was used.

{"alg":"RSA-OAEP","enc":"A256GCM","iv":"48V1_ALb6US04U3b"}

A.1.2.  Encoded JWE Header

Base64url encoding the bytes of the UTF-8 representation of the JWE Header yields this Encoded JWE Header value (with line breaks for display purposes only):

eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00iLCJpdiI6IjQ4VjFfQUxi
NlVTMDRVM2IifQ

A.1.3.  Content Master Key (CMK)

Generate a random Content Master Key (CMK).  In this example, the key value is:

[177, 161, 244, 128, 84, 143, 225, 115, 63, 180, 3, 255, 107, 154, 212, 246, 138, 7, 110, 91, 112, 46, 34, 105, 47, 130, 203, 46, 122, 234, 64, 252]

A.1.4.  Key Encryption

Encrypt the CMK with the recipient's public key using the RSAES OAEP algorithm to produce the JWE Encrypted Key.
In this example, the RSA 1214 key parameters are: 1216 +-----------+-------------------------------------------------------+ 1217 | Parameter | Value | 1218 | Name | | 1219 +-----------+-------------------------------------------------------+ 1220 | Modulus | [161, 168, 84, 34, 133, 176, 208, 173, 46, 176, 163, | 1221 | | 110, 57, 30, 135, 227, 9, 31, 226, 128, 84, 92, 116, | 1222 | | 241, 70, 248, 27, 227, 193, 62, 5, 91, 241, 145, 224, | 1223 | | 205, 141, 176, 184, 133, 239, 43, 81, 103, 9, 161, | 1224 | | 153, 157, 179, 104, 123, 51, 189, 34, 152, 69, 97, | 1225 | | 69, 78, 93, 140, 131, 87, 182, 169, 101, 92, 142, 3, | 1226 | | 22, 167, 8, 212, 56, 35, 79, 210, 222, 192, 208, 252, | 1227 | | 49, 109, 138, 173, 253, 210, 166, 201, 63, 102, 74, | 1228 | | 5, 158, 41, 90, 144, 108, 160, 79, 10, 89, 222, 231, | 1229 | | 172, 31, 227, 197, 0, 19, 72, 81, 138, 78, 136, 221, | 1230 | | 121, 118, 196, 17, 146, 10, 244, 188, 72, 113, 55, | 1231 | | 221, 162, 217, 171, 27, 57, 233, 210, 101, 236, 154, | 1232 | | 199, 56, 138, 239, 101, 48, 198, 186, 202, 160, 76, | 1233 | | 111, 234, 71, 57, 183, 5, 211, 171, 136, 126, 64, 40, | 1234 | | 75, 58, 89, 244, 254, 107, 84, 103, 7, 236, 69, 163, | 1235 | | 18, 180, 251, 58, 153, 46, 151, 174, 12, 103, 197, | 1236 | | 181, 161, 162, 55, 250, 235, 123, 110, 17, 11, 158, | 1237 | | 24, 47, 133, 8, 199, 235, 107, 126, 130, 246, 73, | 1238 | | 195, 20, 108, 202, 176, 214, 187, 45, 146, 182, 118, | 1239 | | 54, 32, 200, 61, 201, 71, 243, 1, 255, 131, 84, 37, | 1240 | | 111, 211, 168, 228, 45, 192, 118, 27, 197, 235, 232, | 1241 | | 36, 10, 230, 248, 190, 82, 182, 140, 35, 204, 108, | 1242 | | 190, 253, 186, 186, 27] | 1243 | Exponent | [1, 0, 1] | 1244 | Private | [144, 183, 109, 34, 62, 134, 108, 57, 44, 252, 10, | 1245 | Exponent | 66, 73, 54, 16, 181, 233, 92, 54, 219, 101, 42, 35, | 1246 | | 178, 63, 51, 43, 92, 119, 136, 251, 41, 53, 23, 191, | 1247 | | 164, 164, 60, 88, 227, 229, 152, 228, 213, 149, 228, | 1248 | | 169, 237, 
104, 71, 151, 75, 88, 252, 216, 77, 251, | 1249 | | 231, 28, 97, 88, 193, 215, 202, 248, 216, 121, 195, | 1250 | | 211, 245, 250, 112, 71, 243, 61, 129, 95, 39, 244, | 1251 | | 122, 225, 217, 169, 211, 165, 48, 253, 220, 59, 122, | 1252 | | 219, 42, 86, 223, 32, 236, 39, 48, 103, 78, 122, 216, | 1253 | | 187, 88, 176, 89, 24, 1, 42, 177, 24, 99, 142, 170, | 1254 | | 1, 146, 43, 3, 108, 64, 194, 121, 182, 95, 187, 134, | 1255 | | 71, 88, 96, 134, 74, 131, 167, 69, 106, 143, 121, 27, | 1256 | | 72, 44, 245, 95, 39, 194, 179, 175, 203, 122, 16, | 1257 | | 112, 183, 17, 200, 202, 31, 17, 138, 156, 184, 210, | 1258 | | 157, 184, 154, 131, 128, 110, 12, 85, 195, 122, 241, | 1259 | | 79, 251, 229, 183, 117, 21, 123, 133, 142, 220, 153, | 1260 | | 9, 59, 57, 105, 81, 255, 138, 77, 82, 54, 62, 216, | 1261 | | 38, 249, 208, 17, 197, 49, 45, 19, 232, 157, 251, | 1262 | | 131, 137, 175, 72, 126, 43, 229, 69, 179, 117, 82, | 1263 | | 157, 213, 83, 35, 57, 210, 197, 252, 171, 143, 194, | 1264 | | 11, 47, 163, 6, 253, 75, 252, 96, 11, 187, 84, 130, | 1265 | | 210, 7, 121, 78, 91, 79, 57, 251, 138, 132, 220, 60, | 1266 | | 224, 173, 56, 224, 201] | 1267 +-----------+-------------------------------------------------------+ 1269 The resulting JWE Encrypted Key value is: 1271 [142, 252, 40, 202, 21, 177, 56, 198, 232, 7, 151, 49, 95, 169, 220, 1272 2, 46, 214, 167, 116, 57, 20, 164, 109, 150, 98, 49, 223, 154, 95, 1273 71, 209, 233, 17, 174, 142, 203, 232, 132, 167, 17, 42, 51, 125, 22, 1274 221, 135, 17, 67, 197, 148, 246, 139, 145, 160, 238, 99, 119, 171, 1275 95, 117, 202, 87, 251, 101, 254, 58, 215, 135, 195, 135, 103, 49, 1276 119, 76, 46, 49, 198, 27, 31, 58, 44, 192, 222, 21, 16, 13, 216, 161, 1277 179, 236, 65, 143, 38, 43, 218, 195, 76, 140, 243, 71, 243, 79, 124, 1278 216, 208, 242, 171, 34, 245, 57, 154, 93, 76, 230, 204, 234, 82, 117, 1279 248, 39, 13, 62, 60, 215, 8, 51, 248, 254, 47, 150, 36, 46, 27, 247, 1280 98, 77, 56, 92, 44, 19, 39, 12, 77, 54, 101, 194, 126, 86, 
0, 64, 1281 239, 95, 211, 64, 26, 219, 93, 211, 36, 154, 250, 117, 177, 213, 232, 1282 142, 184, 216, 92, 20, 248, 69, 175, 180, 71, 205, 221, 235, 224, 95, 1283 113, 5, 33, 86, 18, 157, 61, 199, 8, 121, 0, 0, 135, 65, 67, 220, 1284 164, 15, 230, 155, 71, 53, 64, 253, 209, 169, 255, 34, 64, 101, 7, 1285 43, 102, 227, 83, 171, 52, 225, 119, 253, 182, 96, 195, 225, 34, 156, 1286 211, 202, 7, 194, 255, 137, 59, 170, 172, 72, 234, 222, 203, 123, 1287 249, 121, 254, 143, 173, 105, 65, 187, 189, 163, 64, 151, 145, 99, 1288 17] 1290 A.1.5. Encoded JWE Encrypted Key 1292 Base64url encode the JWE Encrypted Key to produce the Encoded JWE 1293 Encrypted Key. This result (with line breaks for display purposes 1294 only) is: 1295 jvwoyhWxOMboB5cxX6ncAi7Wp3Q5FKRtlmIx35pfR9HpEa6Oy-iEpxEqM30W3YcR 1296 Q8WU9ouRoO5jd6tfdcpX-2X-OteHw4dnMXdMLjHGGx86LMDeFRAN2KGz7EGPJiva 1297 w0yM80fzT3zY0PKrIvU5ml1M5szqUnX4Jw0-PNcIM_j-L5YkLhv3Yk04XCwTJwxN 1298 NmXCflYAQO9f00Aa213TJJr6dbHV6I642FwU-EWvtEfN3evgX3EFIVYSnT3HCHkA 1299 AIdBQ9ykD-abRzVA_dGp_yJAZQcrZuNTqzThd_22YMPhIpzTygfC_4k7qqxI6t7L 1300 e_l5_o-taUG7vaNAl5FjEQ 1302 A.1.6. "Additional Authenticated Data" Parameter 1304 Concatenate the Encoded JWE Header value, a period character ('.'), 1305 and the Encoded JWE Encrypted Key to create the "additional 1306 authenticated data" parameter for the AES GCM algorithm. This result 1307 (with line breaks for display purposes only) is: 1308 eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00iLCJpdiI6IjQ4VjFfQUxi 1309 NlVTMDRVM2IifQ. 
1310 jvwoyhWxOMboB5cxX6ncAi7Wp3Q5FKRtlmIx35pfR9HpEa6Oy-iEpxEqM30W3YcR 1311 Q8WU9ouRoO5jd6tfdcpX-2X-OteHw4dnMXdMLjHGGx86LMDeFRAN2KGz7EGPJiva 1312 w0yM80fzT3zY0PKrIvU5ml1M5szqUnX4Jw0-PNcIM_j-L5YkLhv3Yk04XCwTJwxN 1313 NmXCflYAQO9f00Aa213TJJr6dbHV6I642FwU-EWvtEfN3evgX3EFIVYSnT3HCHkA 1314 AIdBQ9ykD-abRzVA_dGp_yJAZQcrZuNTqzThd_22YMPhIpzTygfC_4k7qqxI6t7L 1315 e_l5_o-taUG7vaNAl5FjEQ 1317 The representation of this value is: 1319 [101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 83, 85, 48, 69, 1320 116, 84, 48, 70, 70, 85, 67, 73, 115, 73, 109, 86, 117, 89, 121, 73, 1321 54, 73, 107, 69, 121, 78, 84, 90, 72, 81, 48, 48, 105, 76, 67, 74, 1322 112, 100, 105, 73, 54, 73, 106, 81, 52, 86, 106, 70, 102, 81, 85, 1323 120, 105, 78, 108, 86, 84, 77, 68, 82, 86, 77, 50, 73, 105, 102, 81, 1324 46, 106, 118, 119, 111, 121, 104, 87, 120, 79, 77, 98, 111, 66, 53, 1325 99, 120, 88, 54, 110, 99, 65, 105, 55, 87, 112, 51, 81, 53, 70, 75, 1326 82, 116, 108, 109, 73, 120, 51, 53, 112, 102, 82, 57, 72, 112, 69, 1327 97, 54, 79, 121, 45, 105, 69, 112, 120, 69, 113, 77, 51, 48, 87, 51, 1328 89, 99, 82, 81, 56, 87, 85, 57, 111, 117, 82, 111, 79, 53, 106, 100, 1329 54, 116, 102, 100, 99, 112, 88, 45, 50, 88, 45, 79, 116, 101, 72, 1330 119, 52, 100, 110, 77, 88, 100, 77, 76, 106, 72, 71, 71, 120, 56, 54, 1331 76, 77, 68, 101, 70, 82, 65, 78, 50, 75, 71, 122, 55, 69, 71, 80, 74, 1332 105, 118, 97, 119, 48, 121, 77, 56, 48, 102, 122, 84, 51, 122, 89, 1333 48, 80, 75, 114, 73, 118, 85, 53, 109, 108, 49, 77, 53, 115, 122, 1334 113, 85, 110, 88, 52, 74, 119, 48, 45, 80, 78, 99, 73, 77, 95, 106, 1335 45, 76, 53, 89, 107, 76, 104, 118, 51, 89, 107, 48, 52, 88, 67, 119, 1336 84, 74, 119, 120, 78, 78, 109, 88, 67, 102, 108, 89, 65, 81, 79, 57, 1337 102, 48, 48, 65, 97, 50, 49, 51, 84, 74, 74, 114, 54, 100, 98, 72, 1338 86, 54, 73, 54, 52, 50, 70, 119, 85, 45, 69, 87, 118, 116, 69, 102, 1339 78, 51, 101, 118, 103, 88, 51, 69, 70, 73, 86, 89, 83, 110, 84, 51, 1340 72, 67, 72, 107, 65, 65, 73, 100, 66, 81, 
57, 121, 107, 68, 45, 97, 1341 98, 82, 122, 86, 65, 95, 100, 71, 112, 95, 121, 74, 65, 90, 81, 99, 1342 114, 90, 117, 78, 84, 113, 122, 84, 104, 100, 95, 50, 50, 89, 77, 80, 1343 104, 73, 112, 122, 84, 121, 103, 102, 67, 95, 52, 107, 55, 113, 113, 1344 120, 73, 54, 116, 55, 76, 101, 95, 108, 53, 95, 111, 45, 116, 97, 85, 1345 71, 55, 118, 97, 78, 65, 108, 53, 70, 106, 69, 81] 1347 A.1.7. Plaintext Encryption 1349 Encrypt the Plaintext with AES GCM, using the IV, the CMK as the 1350 encryption key, and the "additional authenticated data" value above, 1351 requesting a 128 bit "authentication tag" output. The resulting 1352 Ciphertext is: 1354 [253, 237, 181, 180, 97, 161, 105, 207, 233, 120, 65, 100, 45, 122, 1355 246, 116, 195, 212, 102, 37, 36, 175] 1357 The resulting "authentication tag" value is: 1359 [97, 182, 82, 120, 112, 141, 13, 144, 106, 1, 220, 233, 68, 233, 114, 1360 139] 1362 A.1.8. Encoded JWE Ciphertext 1364 Base64url encode the resulting Ciphertext to create the Encoded JWE 1365 Ciphertext. This result is: 1366 _e21tGGhac_peEFkLXr2dMPUZiUkrw 1368 A.1.9. Encoded JWE Integrity Value 1370 Base64url encode the resulting "authentication tag" to create the 1371 Encoded JWE Integrity Value. This result is: 1372 YbZSeHCNDZBqAdzpROlyiw 1374 A.1.10. Complete Representation 1376 Assemble the final representation: The Compact Serialization of this 1377 result is the concatenation of the Encoded JWE Header, the Encoded 1378 JWE Encrypted Key, the Encoded JWE Ciphertext, and the Encoded JWE 1379 Integrity Value in that order, with the four strings being separated 1380 by three period ('.') characters. 1382 The final result in this example (with line breaks for display 1383 purposes only) is: 1385 eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00iLCJpdiI6IjQ4VjFfQUxi 1386 NlVTMDRVM2IifQ. 
jvwoyhWxOMboB5cxX6ncAi7Wp3Q5FKRtlmIx35pfR9HpEa6Oy-iEpxEqM30W3YcR
Q8WU9ouRoO5jd6tfdcpX-2X-OteHw4dnMXdMLjHGGx86LMDeFRAN2KGz7EGPJiva
w0yM80fzT3zY0PKrIvU5ml1M5szqUnX4Jw0-PNcIM_j-L5YkLhv3Yk04XCwTJwxN
NmXCflYAQO9f00Aa213TJJr6dbHV6I642FwU-EWvtEfN3evgX3EFIVYSnT3HCHkA
AIdBQ9ykD-abRzVA_dGp_yJAZQcrZuNTqzThd_22YMPhIpzTygfC_4k7qqxI6t7L
e_l5_o-taUG7vaNAl5FjEQ.
_e21tGGhac_peEFkLXr2dMPUZiUkrw.
YbZSeHCNDZBqAdzpROlyiw

A.1.11.  Validation

This example illustrates the process of creating a JWE with an AEAD algorithm.  These results can be used to validate JWE decryption implementations for these algorithms.  However, note that since the RSAES OAEP computation includes random values, a fresh encryption will not reproduce the JWE Encrypted Key above, nor the "authentication tag", whose "additional authenticated data" includes that key.  The AES GCM computation itself is deterministic: fed the CMK, IV, Plaintext and "additional authenticated data" exactly as shown, it must reproduce the Ciphertext and "authentication tag" values of Appendix A.1.7.

A.2.  Example JWE using RSAES-PKCS1-V1_5 and AES CBC

This example encrypts the plaintext "Now is the time for all good men to come to the aid of their country." to the recipient using RSAES-PKCS1-V1_5 and AES CBC.  AES CBC does not have an integrated integrity check, so a separate integrity check calculation is performed using HMAC SHA-256, with separate encryption and integrity keys being derived from a master key using the Concat KDF with the SHA-256 digest function.  The representation of this plaintext is:

[78, 111, 119, 32, 105, 115, 32, 116, 104, 101, 32, 116, 105, 109, 101, 32, 102, 111, 114, 32, 97, 108, 108, 32, 103, 111, 111, 100, 32, 109, 101, 110, 32, 116, 111, 32, 99, 111, 109, 101, 32, 116, 111, 32, 116, 104, 101, 32, 97, 105, 100, 32, 111, 102, 32, 116, 104, 101, 105, 114, 32, 99, 111, 117, 110, 116, 114, 121, 46]

A.2.1.  JWE Header

The following example JWE Header (with line breaks for display purposes only) declares that:

o  the Content Master Key is encrypted to the recipient using the RSAES-PKCS1-V1_5 algorithm to produce the JWE Encrypted Key,

o  the Plaintext is encrypted using the AES CBC algorithm with a 128 bit key to produce the Ciphertext,

o  the JWE Integrity Value safeguarding the integrity of the Ciphertext and the parameters used to create it was computed with the HMAC SHA-256 algorithm, and

o  the 128 bit Initialization Vector (IV) [3, 22, 60, 12, 43, 67, 104, 105, 108, 108, 105, 99, 111, 116, 104, 101] with the base64url encoding "AxY8DCtDaGlsbGljb3RoZQ" was used.

{"alg":"RSA1_5","enc":"A128CBC","int":"HS256","iv":"AxY8DCtDaGls
bGljb3RoZQ"}

A.2.2.  Encoded JWE Header

Base64url encoding the bytes of the UTF-8 representation of the JWE Header yields this Encoded JWE Header value (with line breaks for display purposes only):

eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDIiwiaW50IjoiSFMyNTYiLCJp
diI6IkF4WThEQ3REYUdsc2JHbGpiM1JvWlEifQ

A.2.3.  Content Master Key (CMK)

Generate a random Content Master Key (CMK).  In this example, the key value is:

[4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, 63, 170, 106, 206, 107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, 240, 143, 156, 44, 207]

A.2.4.  Key Encryption

Encrypt the CMK with the recipient's public key using the RSAES-PKCS1-V1_5 algorithm to produce the JWE Encrypted Key.
In this example, the RSA key parameters are:

+-----------+-------------------------------------------------------+
| Parameter | Value                                                 |
| Name      |                                                       |
+-----------+-------------------------------------------------------+
| Modulus   | [177, 119, 33, 13, 164, 30, 108, 121, 207, 136, 107,  |
|           | 242, 12, 224, 19, 226, 198, 134, 17, 71, 173, 75, 42, |
|           | 61, 48, 162, 206, 161, 97, 108, 185, 234, 226, 219,   |
|           | 118, 206, 118, 5, 169, 224, 60, 181, 90, 85, 51, 123, |
|           | 6, 224, 4, 122, 29, 230, 151, 12, 244, 127, 121, 25,  |
|           | 4, 85, 220, 144, 215, 110, 130, 17, 68, 228, 129,     |
|           | 138, 7, 130, 231, 40, 212, 214, 17, 179, 28, 124,     |
|           | 151, 178, 207, 20, 14, 154, 222, 113, 176, 24, 198,   |
|           | 73, 211, 113, 9, 33, 178, 80, 13, 25, 21, 25, 153,    |
|           | 212, 206, 67, 154, 147, 70, 194, 192, 183, 160, 83,   |
|           | 98, 236, 175, 85, 23, 97, 75, 199, 177, 73, 145, 50,  |
|           | 253, 206, 32, 179, 254, 236, 190, 82, 73, 67, 129,    |
|           | 253, 252, 220, 108, 136, 138, 11, 192, 1, 36, 239,    |
|           | 228, 55, 81, 113, 17, 25, 140, 63, 239, 146, 3, 172,  |
|           | 96, 60, 227, 233, 64, 255, 224, 173, 225, 228, 229,   |
|           | 92, 112, 72, 99, 97, 26, 87, 187, 123, 46, 50, 90,    |
|           | 202, 117, 73, 10, 153, 47, 224, 178, 163, 77, 48, 46, |
|           | 154, 33, 148, 34, 228, 33, 172, 216, 89, 46, 225,     |
|           | 127, 68, 146, 234, 30, 147, 54, 146, 5, 133, 45, 78,  |
|           | 254, 85, 55, 75, 213, 86, 194, 218, 215, 163, 189,    |
|           | 194, 54, 6, 83, 36, 18, 153, 53, 7, 48, 89, 35, 66,   |
|           | 144, 7, 65, 154, 13, 97, 75, 55, 230, 132, 3, 13,     |
|           | 239, 71]                                              |
| Exponent  | [1, 0, 1]                                             |
| Private   | [84, 80, 150, 58, 165, 235, 242, 123, 217, 55, 38,    |
| Exponent  | 154, 36, 181, 221, 156, 211, 215, 100, 164, 90, 88,   |
|           | 40, 228, 83, 148, 54, 122, 4, 16, 165, 48, 76, 194,   |
|           | 26, 107, 51, 53, 179, 165, 31, 18, 198, 173, 78, 61,  |
|           | 56, 97, 252, 158, 140, 80, 63, 25, 223, 156, 36, 203, |
|           | 214, 252, 120, 67, 180, 167, 3, 82, 243, 25, 97, 214, |
|           | 83, 133, 69, 16, 104, 54, 160, 200, 41, 83, 164, 187, |
|           | 70, 153, 111, 234, 242, 158, 175, 28, 198, 48, 211,   |
|           | 45, 148, 58, 23, 62, 227, 74, 52, 117, 42, 90, 41,    |
|           | 249, 130, 154, 80, 119, 61, 26, 193, 40, 125, 10,     |
|           | 152, 174, 227, 225, 205, 32, 62, 66, 6, 163, 100, 99, |
|           | 219, 19, 253, 25, 105, 80, 201, 29, 252, 157, 237,    |
|           | 69, 1, 80, 171, 167, 20, 196, 156, 109, 249, 88, 0,   |
|           | 3, 152, 38, 165, 72, 87, 6, 152, 71, 156, 214, 16,    |
|           | 71, 30, 82, 51, 103, 76, 218, 63, 9, 84, 163, 249,    |
|           | 91, 215, 44, 238, 85, 101, 240, 148, 1, 82, 224, 91,  |
|           | 135, 105, 127, 84, 171, 181, 152, 210, 183, 126, 24,  |
|           | 46, 196, 90, 173, 38, 245, 219, 186, 222, 27, 240,    |
|           | 212, 194, 15, 66, 135, 226, 178, 190, 52, 245, 74,    |
|           | 65, 224, 81, 100, 85, 25, 204, 165, 203, 187, 175,    |
|           | 84, 100, 82, 15, 11, 23, 202, 151, 107, 54, 41, 207,  |
|           | 3, 136, 229, 134, 131, 93, 139, 50, 182, 204, 93,     |
|           | 130, 89]                                              |
+-----------+-------------------------------------------------------+

The resulting JWE Encrypted Key value is:

[32, 242, 63, 207, 94, 246, 133, 37, 135, 48, 88, 4, 15, 193, 6, 244,
51, 58, 132, 133, 212, 255, 163, 90, 59, 80, 200, 152, 41, 244, 188,
215, 174, 160, 26, 188, 227, 180, 165, 234, 172, 63, 24, 116, 152,
28, 149, 16, 94, 213, 201, 171, 180, 191, 11, 21, 149, 172, 143, 54,
194, 58, 206, 201, 164, 28, 107, 155, 75, 101, 22, 92, 227, 144, 95,
40, 119, 170, 7, 36, 225, 40, 141, 186, 213, 7, 175, 16, 174, 122,
75, 32, 48, 193, 119, 202, 41, 152, 210, 190, 68, 57, 119, 4, 197,
74, 7, 242, 239, 170, 204, 73, 75, 213, 202, 113, 216, 18, 23, 66,
106, 208, 69, 244, 117, 147, 2, 37, 207, 199, 184, 96, 102, 44, 70,
212, 87, 143, 253, 0, 166, 59, 41, 115, 217, 80, 165, 87, 38, 5, 9,
184, 202, 68, 67, 176, 4, 87, 254, 166, 227, 88, 124, 238, 249, 75,
114, 205, 148, 149, 45, 78, 193, 134, 64, 189, 168, 76, 170, 76, 176,
72, 148, 77, 215, 159, 146, 55, 189, 213, 85, 253, 135, 200, 59, 247,
79, 37, 22, 200, 32, 110, 53, 123, 54, 39, 9, 178, 231, 238, 95, 25,
211, 143, 87, 220, 88, 138, 209, 13, 227, 72, 58, 102, 164, 136, 241,
14, 14, 45, 32, 77, 44, 244, 162, 239, 150, 248, 181, 138, 251, 116,
245, 205, 137, 78, 34, 34, 10, 6, 59, 4, 197, 2, 153, 251]

A.2.5.  Encoded JWE Encrypted Key

Base64url encode the JWE Encrypted Key to produce the Encoded JWE
Encrypted Key.  This result (with line breaks for display purposes
only) is:

IPI_z172hSWHMFgED8EG9DM6hIXU_6NaO1DImCn0vNeuoBq847Sl6qw_GHSYHJUQ
XtXJq7S_CxWVrI82wjrOyaQca5tLZRZc45BfKHeqByThKI261QevEK56SyAwwXfK
KZjSvkQ5dwTFSgfy76rMSUvVynHYEhdCatBF9HWTAiXPx7hgZixG1FeP_QCmOylz
2VClVyYFCbjKREOwBFf-puNYfO75S3LNlJUtTsGGQL2oTKpMsEiUTdefkje91VX9
h8g7908lFsggbjV7NicJsufuXxnTj1fcWIrRDeNIOmakiPEODi0gTSz0ou-W-LWK
-3T1zYlOIiIKBjsExQKZ-w

A.2.6.  Key Derivation

Use the Concat key derivation function to derive Content Encryption
Key (CEK) and Content Integrity Key (CIK) values from the CMK.  The
details of this derivation are shown in Appendix A.3.  The resulting
CEK value is:

[249, 255, 87, 218, 224, 223, 221, 53, 204, 121, 166, 130, 195, 184,
50, 69]

The resulting CIK value is:

[218, 209, 130, 50, 169, 45, 70, 214, 29, 187, 123, 20, 3, 158, 111,
122, 182, 94, 57, 133, 245, 76, 97, 44, 193, 80, 81, 246, 115, 177,
225, 159]

A.2.7.  Plaintext Encryption

Encrypt the Plaintext with AES CBC using the CEK and IV to produce
the Ciphertext.
The resulting Ciphertext is:

[253, 159, 221, 142, 82, 40, 11, 131, 3, 72, 34, 162, 173, 229, 146,
217, 183, 173, 139, 132, 58, 137, 33, 182, 82, 49, 110, 141, 11, 221,
207, 239, 207, 65, 213, 28, 20, 217, 14, 186, 87, 160, 15, 160, 96,
142, 7, 69, 46, 55, 129, 224, 113, 206, 59, 181, 7, 188, 255, 15, 16,
59, 180, 107, 75, 0, 217, 175, 254, 8, 141, 48, 217, 132, 16, 217, 4,
30, 223, 147]

A.2.8.  Encoded JWE Ciphertext

Base64url encode the resulting Ciphertext to create the Encoded JWE
Ciphertext.  This result (with line breaks for display purposes only)
is:

_Z_djlIoC4MDSCKireWS2beti4Q6iSG2UjFujQvdz-_PQdUcFNkOulegD6BgjgdF
LjeB4HHOO7UHvP8PEDu0a0sA2a_-CI0w2YQQ2QQe35M

A.2.9.  Secured Input Value

Concatenate the Encoded JWE Header value, a period character ('.'),
the Encoded JWE Encrypted Key, a second period character, and the
Encoded JWE Ciphertext to create the value to integrity protect.
This result (with line breaks for display purposes only) is:

eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDIiwiaW50IjoiSFMyNTYiLCJp
diI6IkF4WThEQ3REYUdsc2JHbGpiM1JvWlEifQ.
IPI_z172hSWHMFgED8EG9DM6hIXU_6NaO1DImCn0vNeuoBq847Sl6qw_GHSYHJUQ
XtXJq7S_CxWVrI82wjrOyaQca5tLZRZc45BfKHeqByThKI261QevEK56SyAwwXfK
KZjSvkQ5dwTFSgfy76rMSUvVynHYEhdCatBF9HWTAiXPx7hgZixG1FeP_QCmOylz
2VClVyYFCbjKREOwBFf-puNYfO75S3LNlJUtTsGGQL2oTKpMsEiUTdefkje91VX9
h8g7908lFsggbjV7NicJsufuXxnTj1fcWIrRDeNIOmakiPEODi0gTSz0ou-W-LWK
-3T1zYlOIiIKBjsExQKZ-w.
_Z_djlIoC4MDSCKireWS2beti4Q6iSG2UjFujQvdz-_PQdUcFNkOulegD6BgjgdF
LjeB4HHOO7UHvP8PEDu0a0sA2a_-CI0w2YQQ2QQe35M

The representation of this value is:

[101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 83, 85, 48, 69,
120, 88, 122, 85, 105, 76, 67, 74, 108, 98, 109, 77, 105, 79, 105,
74, 66, 77, 84, 73, 52, 81, 48, 74, 68, 73, 105, 119, 105, 97, 87,
53, 48, 73, 106, 111, 105, 83, 70, 77, 121, 78, 84, 89, 105, 76, 67,
74, 112, 100, 105, 73, 54, 73, 107, 70, 52, 87, 84, 104, 69, 81, 51,
82, 69, 89, 85, 100, 115, 99, 50, 74, 72, 98, 71, 112, 105, 77, 49,
74, 118, 87, 108, 69, 105, 102, 81, 46, 73, 80, 73, 95, 122, 49, 55,
50, 104, 83, 87, 72, 77, 70, 103, 69, 68, 56, 69, 71, 57, 68, 77, 54,
104, 73, 88, 85, 95, 54, 78, 97, 79, 49, 68, 73, 109, 67, 110, 48,
118, 78, 101, 117, 111, 66, 113, 56, 52, 55, 83, 108, 54, 113, 119,
95, 71, 72, 83, 89, 72, 74, 85, 81, 88, 116, 88, 74, 113, 55, 83, 95,
67, 120, 87, 86, 114, 73, 56, 50, 119, 106, 114, 79, 121, 97, 81, 99,
97, 53, 116, 76, 90, 82, 90, 99, 52, 53, 66, 102, 75, 72, 101, 113,
66, 121, 84, 104, 75, 73, 50, 54, 49, 81, 101, 118, 69, 75, 53, 54,
83, 121, 65, 119, 119, 88, 102, 75, 75, 90, 106, 83, 118, 107, 81,
53, 100, 119, 84, 70, 83, 103, 102, 121, 55, 54, 114, 77, 83, 85,
118, 86, 121, 110, 72, 89, 69, 104, 100, 67, 97, 116, 66, 70, 57, 72,
87, 84, 65, 105, 88, 80, 120, 55, 104, 103, 90, 105, 120, 71, 49, 70,
101, 80, 95, 81, 67, 109, 79, 121, 108, 122, 50, 86, 67, 108, 86,
121, 89, 70, 67, 98, 106, 75, 82, 69, 79, 119, 66, 70, 102, 45, 112,
117, 78, 89, 102, 79, 55, 53, 83, 51, 76, 78, 108, 74, 85, 116, 84,
115, 71, 71, 81, 76, 50, 111, 84, 75, 112, 77, 115, 69, 105, 85, 84,
100, 101, 102, 107, 106, 101, 57, 49, 86, 88, 57, 104, 56, 103, 55,
57, 48, 56, 108, 70, 115, 103, 103, 98, 106, 86, 55, 78, 105, 99, 74,
115, 117, 102, 117, 88, 120, 110, 84, 106, 49, 102, 99, 87, 73, 114,
82, 68, 101, 78, 73, 79, 109, 97, 107, 105, 80, 69, 79, 68, 105, 48,
103, 84, 83, 122, 48, 111, 117, 45, 87, 45, 76, 87, 75, 45, 51, 84,
49, 122, 89, 108, 79, 73, 105, 73, 75, 66, 106, 115, 69, 120, 81, 75,
90, 45, 119, 46, 95, 90, 95, 100, 106, 108, 73, 111, 67, 52, 77, 68,
83, 67, 75, 105, 114, 101, 87, 83, 50, 98, 101, 116, 105, 52, 81, 54,
105, 83, 71, 50, 85, 106, 70, 117, 106, 81, 118, 100, 122, 45, 95,
80, 81, 100, 85, 99, 70, 78, 107, 79, 117, 108, 101, 103, 68, 54, 66,
103, 106, 103, 100, 70, 76, 106, 101, 66, 52, 72, 72, 79, 79, 55, 85,
72, 118, 80, 56, 80, 69, 68, 117, 48, 97, 48, 115, 65, 50, 97, 95,
45, 67, 73, 48, 119, 50, 89, 81, 81, 50, 81, 81, 101, 51, 53, 77]

A.2.10.  JWE Integrity Value

Compute the HMAC SHA-256 of this value using the CIK to create the
JWE Integrity Value.  This result is:

[115, 141, 100, 225, 62, 30, 2, 0, 130, 183, 173, 230, 241, 147, 102,
136, 232, 167, 49, 200, 133, 23, 42, 78, 22, 155, 226, 119, 184, 186,
15, 73]

A.2.11.  Encoded JWE Integrity Value

Base64url encode the resulting JWE Integrity Value to create the
Encoded JWE Integrity Value.  This result is:

c41k4T4eAgCCt63m8ZNmiOinMciFFypOFpvid7i6D0k

A.2.12.  Complete Representation

Assemble the final representation: The Compact Serialization of this
result is the concatenation of the Encoded JWE Header, the Encoded
JWE Encrypted Key, the Encoded JWE Ciphertext, and the Encoded JWE
Integrity Value in that order, with the four strings being separated
by three period ('.') characters.

The final result in this example (with line breaks for display
purposes only) is:

eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDIiwiaW50IjoiSFMyNTYiLCJp
diI6IkF4WThEQ3REYUdsc2JHbGpiM1JvWlEifQ.
IPI_z172hSWHMFgED8EG9DM6hIXU_6NaO1DImCn0vNeuoBq847Sl6qw_GHSYHJUQ
XtXJq7S_CxWVrI82wjrOyaQca5tLZRZc45BfKHeqByThKI261QevEK56SyAwwXfK
KZjSvkQ5dwTFSgfy76rMSUvVynHYEhdCatBF9HWTAiXPx7hgZixG1FeP_QCmOylz
2VClVyYFCbjKREOwBFf-puNYfO75S3LNlJUtTsGGQL2oTKpMsEiUTdefkje91VX9
h8g7908lFsggbjV7NicJsufuXxnTj1fcWIrRDeNIOmakiPEODi0gTSz0ou-W-LWK
-3T1zYlOIiIKBjsExQKZ-w.
_Z_djlIoC4MDSCKireWS2beti4Q6iSG2UjFujQvdz-_PQdUcFNkOulegD6BgjgdF
LjeB4HHOO7UHvP8PEDu0a0sA2a_-CI0w2YQQ2QQe35M.
c41k4T4eAgCCt63m8ZNmiOinMciFFypOFpvid7i6D0k

A.2.13.  Validation

This example illustrates the process of creating a JWE with a non-AEAD
algorithm.  These results can be used to validate JWE decryption
implementations for these algorithms.  Since all the algorithms used
in this example produce deterministic results, the results above
should be repeatable.

A.3.  Example Key Derivation with Outputs <= Hash Size

This example uses the Concat KDF to derive the Content Encryption Key
(CEK) and Content Integrity Key (CIK) from the Content Master Key
(CMK) in the manner described in Section 4.12 of [JWA].  In this
example, a 256 bit CMK is used to derive a 128 bit CEK and a 256 bit
CIK.

The CMK value is:

[4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, 63, 170, 106,
206, 107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, 240, 143, 156,
44, 207]

A.3.1.  CEK Generation

When deriving the CEK from the CMK, the ASCII label "Encryption"
([69, 110, 99, 114, 121, 112, 116, 105, 111, 110]) is used.  The
input to the first hash round is the concatenation of the big endian
number 1 ([0, 0, 0, 1]), the CMK, and the label.
Thus the round 1 hash input is:

[0, 0, 0, 1, 4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250,
63, 170, 106, 206, 107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0,
240, 143, 156, 44, 207, 69, 110, 99, 114, 121, 112, 116, 105, 111,
110]

The SHA-256 hash of this value, which is the round 1 hash output, is:

[249, 255, 87, 218, 224, 223, 221, 53, 204, 121, 166, 130, 195, 184,
50, 69, 11, 237, 202, 71, 10, 96, 59, 199, 140, 88, 126, 147, 146,
113, 222, 41]

Given that 128 bits are needed for the CEK and the hash has produced
256 bits, the CEK value is the first 128 bits of that value:

[249, 255, 87, 218, 224, 223, 221, 53, 204, 121, 166, 130, 195, 184,
50, 69]

A.3.2.  CIK Generation

When deriving the CIK from the CMK, the ASCII label "Integrity" ([73,
110, 116, 101, 103, 114, 105, 116, 121]) is used.  The input to the
first hash round is the concatenation of the big endian number 1 ([0,
0, 0, 1]), the CMK, and the label.  Thus the round 1 hash input is:

[0, 0, 0, 1, 4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250,
63, 170, 106, 206, 107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0,
240, 143, 156, 44, 207, 73, 110, 116, 101, 103, 114, 105, 116, 121]

The SHA-256 hash of this value, which is the round 1 hash output, is:

[218, 209, 130, 50, 169, 45, 70, 214, 29, 187, 123, 20, 3, 158, 111,
122, 182, 94, 57, 133, 245, 76, 97, 44, 193, 80, 81, 246, 115, 177,
225, 159]

Given that 256 bits are needed for the CIK and the hash has produced
256 bits, the CIK value is that same value:

[218, 209, 130, 50, 169, 45, 70, 214, 29, 187, 123, 20, 3, 158, 111,
122, 182, 94, 57, 133, 245, 76, 97, 44, 193, 80, 81, 246, 115, 177,
225, 159]

A.4.  Example Key Derivation with Outputs >= Hash Size

This example uses the Concat KDF to derive the Content Encryption Key
(CEK) and Content Integrity Key (CIK) from the Content Master Key
(CMK) in the manner described in Section 4.12 of [JWA].  In this
example, a 512 bit CMK is used to derive a 256 bit CEK and a 512 bit
CIK.

The CMK value is:

[148, 116, 199, 126, 2, 117, 233, 76, 150, 149, 89, 193, 61, 34, 239,
226, 109, 71, 59, 160, 192, 140, 150, 235, 106, 204, 49, 176, 68,
119, 13, 34, 49, 19, 41, 69, 5, 20, 252, 145, 104, 129, 137, 138, 67,
23, 153, 83, 81, 234, 82, 247, 48, 211, 41, 130, 35, 124, 45, 156,
249, 7, 225, 168]

A.4.1.  CEK Generation

When deriving the CEK from the CMK, the ASCII label "Encryption"
([69, 110, 99, 114, 121, 112, 116, 105, 111, 110]) is used.  The
input to the first hash round is the concatenation of the big endian
number 1 ([0, 0, 0, 1]), the CMK, and the label.  Thus the round 1
hash input is:

[0, 0, 0, 1, 148, 116, 199, 126, 2, 117, 233, 76, 150, 149, 89, 193,
61, 34, 239, 226, 109, 71, 59, 160, 192, 140, 150, 235, 106, 204, 49,
176, 68, 119, 13, 34, 49, 19, 41, 69, 5, 20, 252, 145, 104, 129, 137,
138, 67, 23, 153, 83, 81, 234, 82, 247, 48, 211, 41, 130, 35, 124,
45, 156, 249, 7, 225, 168, 69, 110, 99, 114, 121, 112, 116, 105, 111,
110]

The SHA-256 hash of this value, which is the round 1 hash output, is:

[137, 5, 92, 9, 17, 47, 17, 86, 253, 235, 34, 247, 121, 78, 11, 144,
10, 172, 38, 247, 108, 243, 201, 237, 95, 80, 49, 150, 116, 240, 159,
64]

Given that 256 bits are needed for the CEK and the hash has produced
256 bits, the CEK value is that same value:

[137, 5, 92, 9, 17, 47, 17, 86, 253, 235, 34, 247, 121, 78, 11, 144,
10, 172, 38, 247, 108, 243, 201, 237, 95, 80, 49, 150, 116, 240, 159,
64]

A.4.2.  CIK Generation

When deriving the CIK from the CMK, the ASCII label "Integrity" ([73,
110, 116, 101, 103, 114, 105, 116, 121]) is used.  The input to the
first hash round is the concatenation of the big endian number 1 ([0,
0, 0, 1]), the CMK, and the label.  Thus the round 1 hash input is:

[0, 0, 0, 1, 148, 116, 199, 126, 2, 117, 233, 76, 150, 149, 89, 193,
61, 34, 239, 226, 109, 71, 59, 160, 192, 140, 150, 235, 106, 204, 49,
176, 68, 119, 13, 34, 49, 19, 41, 69, 5, 20, 252, 145, 104, 129, 137,
138, 67, 23, 153, 83, 81, 234, 82, 247, 48, 211, 41, 130, 35, 124,
45, 156, 249, 7, 225, 168, 73, 110, 116, 101, 103, 114, 105, 116,
121]

The SHA-256 hash of this value, which is the round 1 hash output, is:

[11, 179, 132, 177, 171, 24, 126, 19, 113, 1, 200, 102, 100, 74, 88,
149, 31, 41, 71, 57, 51, 179, 106, 242, 113, 211, 56, 56, 37, 198,
57, 17]

Given that 512 bits are needed for the CIK and the hash has produced
only 256 bits, another round is needed.  The input to the second hash
round is the concatenation of the big endian number 2 ([0, 0, 0, 2]),
the CMK, and the label.
Thus the round 2 hash input is:

[0, 0, 0, 2, 148, 116, 199, 126, 2, 117, 233, 76, 150, 149, 89, 193,
61, 34, 239, 226, 109, 71, 59, 160, 192, 140, 150, 235, 106, 204, 49,
176, 68, 119, 13, 34, 49, 19, 41, 69, 5, 20, 252, 145, 104, 129, 137,
138, 67, 23, 153, 83, 81, 234, 82, 247, 48, 211, 41, 130, 35, 124,
45, 156, 249, 7, 225, 168, 73, 110, 116, 101, 103, 114, 105, 116,
121]

The SHA-256 hash of this value, which is the round 2 hash output, is:

[149, 209, 221, 113, 40, 191, 95, 252, 142, 254, 141, 230, 39, 113,
139, 84, 44, 156, 247, 47, 223, 101, 229, 180, 82, 231, 38, 96, 170,
119, 236, 81]

Given that 512 bits are needed for the CIK and the two rounds have
collectively produced 512 bits of output, the CIK is the
concatenation of the round 1 and round 2 hash outputs, which is:

[11, 179, 132, 177, 171, 24, 126, 19, 113, 1, 200, 102, 100, 74, 88,
149, 31, 41, 71, 57, 51, 179, 106, 242, 113, 211, 56, 56, 37, 198,
57, 17, 149, 209, 221, 113, 40, 191, 95, 252, 142, 254, 141, 230, 39,
113, 139, 84, 44, 156, 247, 47, 223, 101, 229, 180, 82, 231, 38, 96,
170, 119, 236, 81]

Appendix B.  Acknowledgements

Solutions for encrypting JSON content were also explored by JSON
Simple Encryption [JSE] and JavaScript Message Security Format
[I-D.rescorla-jsms], both of which significantly influenced this
draft.  This draft attempts to explicitly reuse as many of the
relevant concepts from XML Encryption 1.1
[W3C.CR-xmlenc-core1-20120313] and RFC 5652 [RFC5652] as possible,
while utilizing simple compact JSON-based data structures.

Special thanks are due to John Bradley and Nat Sakimura for the
discussions that helped inform the content of this specification and
to Eric Rescorla and Joe Hildebrand for allowing the reuse of text
from [I-D.rescorla-jsms] in this document.
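The Concat KDF walked through in Appendices A.3 and A.4 and the non-AEAD integrity computation of Appendix A.2 (Secured Input Value, HMAC SHA-256 with the CIK, Compact Serialization), as an added Python example that is not code from the draft or its authors. It derives the CEK and CIK from the CMK, including the two-round case of A.4.2, builds and verifies the fourth segment of the A.2 example, and copies the RSAES-PKCS1-V1_5 and AES CBC outputs from A.2.5 and A.2.8 rather than recomputing them; all function names are this example's own.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    """Base64url encoding with the '=' padding stripped, as JWE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def concat_kdf(cmk: bytes, label: bytes, out_bits: int) -> bytes:
    """Concat KDF as this draft uses it: round i hashes the 4-byte big endian
    counter i (starting at 1) || CMK || label with SHA-256; rounds are
    concatenated until out_bits are available, then truncated to out_bits."""
    out_len = out_bits // 8
    output, counter = b"", 1
    while len(output) < out_len:
        output += hashlib.sha256(counter.to_bytes(4, "big") + cmk + label).digest()
        counter += 1
    return output[:out_len]

def encode_header(header: dict) -> str:
    """Compact UTF-8 JSON, then base64url (Appendix A.2.2)."""
    return b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))

def integrity_value(cik: bytes, secured_input: str) -> bytes:
    """HMAC SHA-256 with the CIK over header.encrypted_key.ciphertext (A.2.10)."""
    return hmac.new(cik, secured_input.encode("ascii"), hashlib.sha256).digest()

def compact_serialization(cmk, header, enc_key, enc_ciphertext, cik_bits=256):
    """Sender side: derive the CIK with the "Integrity" label, MAC the Secured
    Input Value and append the Encoded JWE Integrity Value as fourth segment."""
    secured = ".".join((encode_header(header), enc_key, enc_ciphertext))
    cik = concat_kdf(cmk, b"Integrity", cik_bits)
    return secured + "." + b64url(integrity_value(cik, secured))

def verify_integrity(cmk: bytes, compact: str, cik_bits=256) -> bool:
    """Receiver side: recompute the integrity value over the first three
    segments and compare in constant time before attempting any decryption."""
    parts = compact.split(".")
    if len(parts) != 4:
        return False
    cik = concat_kdf(cmk, b"Integrity", cik_bits)
    expected = b64url(integrity_value(cik, ".".join(parts[:3])))
    return hmac.compare_digest(expected, parts[3])

# Values copied from Appendices A.2 and A.4 of the draft.
CMK_A2 = bytes([4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, 63, 170, 106,
                206, 107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, 240, 143, 156,
                44, 207])
CMK_A4 = bytes([148, 116, 199, 126, 2, 117, 233, 76, 150, 149, 89, 193, 61, 34, 239,
                226, 109, 71, 59, 160, 192, 140, 150, 235, 106, 204, 49, 176, 68,
                119, 13, 34, 49, 19, 41, 69, 5, 20, 252, 145, 104, 129, 137, 138, 67,
                23, 153, 83, 81, 234, 82, 247, 48, 211, 41, 130, 35, 124, 45, 156,
                249, 7, 225, 168])
IV_A2 = bytes([3, 22, 60, 12, 43, 67, 104, 105, 108, 108, 105, 99, 111, 116, 104, 101])
# Key order matches the JSON in A.2.1, so encode_header reproduces A.2.2 exactly.
HEADER_A2 = {"alg": "RSA1_5", "enc": "A128CBC", "int": "HS256", "iv": b64url(IV_A2)}
# The RSAES-PKCS1-V1_5 and AES CBC outputs (A.2.5, A.2.8) are copied rather than
# recomputed, since neither primitive is in the Python standard library.
ENC_KEY_A2 = ("IPI_z172hSWHMFgED8EG9DM6hIXU_6NaO1DImCn0vNeuoBq847Sl6qw_GHSYHJUQ"
              "XtXJq7S_CxWVrI82wjrOyaQca5tLZRZc45BfKHeqByThKI261QevEK56SyAwwXfK"
              "KZjSvkQ5dwTFSgfy76rMSUvVynHYEhdCatBF9HWTAiXPx7hgZixG1FeP_QCmOylz"
              "2VClVyYFCbjKREOwBFf-puNYfO75S3LNlJUtTsGGQL2oTKpMsEiUTdefkje91VX9"
              "h8g7908lFsggbjV7NicJsufuXxnTj1fcWIrRDeNIOmakiPEODi0gTSz0ou-W-LWK"
              "-3T1zYlOIiIKBjsExQKZ-w")
ENC_CIPHERTEXT_A2 = ("_Z_djlIoC4MDSCKireWS2beti4Q6iSG2UjFujQvdz-_PQdUcFNkOulegD6BgjgdF"
                     "LjeB4HHOO7UHvP8PEDu0a0sA2a_-CI0w2YQQ2QQe35M")

if __name__ == "__main__":
    print("A.2.6 CEK:", list(concat_kdf(CMK_A2, b"Encryption", 128)))
    print("A.2.6 CIK:", list(concat_kdf(CMK_A2, b"Integrity", 256)))
    jwe = compact_serialization(CMK_A2, HEADER_A2, ENC_KEY_A2, ENC_CIPHERTEXT_A2)
    print("A.2.11 Encoded JWE Integrity Value:", jwe.split(".")[3])
    print("integrity verifies:", verify_integrity(CMK_A2, jwe))
    # A.4.2: a 512-bit CIK needs two SHA-256 rounds, concatenated.
    print("A.4.2 CIK:", list(concat_kdf(CMK_A4, b"Integrity", 512)))
```

Because the CIK alone decides whether the integrity value matches, a receiver can reject a tampered fourth segment before any RSA or AES work, which is the order of operations a decryption implementation should follow for this draft's non-AEAD mode.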
My thanks to Axel Nennker, Emmanuel Raviart, Brian Campbell, and
Edmund Jay for validating the examples in this specification.

Appendix C.  Document History

[[ to be removed by the RFC editor before publication as an RFC ]]

-03

o  Added the "kdf" (key derivation function) header parameter to
   provide crypto agility for key derivation.  The default KDF
   remains the Concat KDF with the SHA-256 digest function.

o  Reordered encryption steps so that the Encoded JWE Header is
   always created before it is needed as an input to the AEAD
   "additional authenticated data" parameter.

o  Added the "cty" (content type) header parameter for declaring type
   information about the secured content, as opposed to the "typ"
   (type) header parameter, which declares type information about
   this object.

o  Moved description of how to determine whether a header is for a
   JWS or a JWE from the JWT spec to the JWE spec.

o  Added complete encryption examples for both AEAD and non-AEAD
   algorithms.

o  Added complete key derivation examples.

o  Added "Collision Resistant Namespace" to the terminology section.

o  Reference ITU.X690.1994 for DER encoding.

o  Added Registry Contents sections to populate registry values.

o  Numerous editorial improvements.

-02

o  When using AEAD algorithms (such as AES GCM), use the "additional
   authenticated data" parameter to provide integrity for the header,
   encrypted key, and ciphertext and use the resulting
   "authentication tag" value as the JWE Integrity Value.

o  Defined KDF output key sizes.

o  Generalized text to allow key agreement to be employed as an
   alternative to key wrapping or key encryption.

o  Changed compression algorithm from gzip to DEFLATE.

o  Clarified that it is an error when a "kid" value is included and
   no matching key is found.
o  Clarified that JWEs with duplicate Header Parameter Names MUST be
   rejected.

o  Clarified the relationship between "typ" header parameter values
   and MIME types.

o  Registered application/jwe MIME type and "JWE" typ header
   parameter value.

o  Simplified JWK terminology to replace the "JWK Key Object" and
   "JWK Container Object" terms with simply "JSON Web Key (JWK)" and
   "JSON Web Key Set (JWK Set)" and to eliminate potential confusion
   between single keys and sets of keys.  As part of this change, the
   header parameter name for a public key value was changed from
   "jpk" (JSON Public Key) to "jwk" (JSON Web Key).

o  Added suggestion on defining additional header parameters such as
   "x5t#S256" in the future for certificate thumbprints using hash
   algorithms other than SHA-1.

o  Specify RFC 2818 server identity validation, rather than RFC 6125
   (paralleling the same decision in the OAuth specs).

o  Generalized language to refer to Message Authentication Codes
   (MACs) rather than Hash-based Message Authentication Codes (HMACs)
   unless in a context specific to HMAC algorithms.

o  Reformatted to give each header parameter its own section heading.

-01

o  Added an integrity check for non-AEAD algorithms.

o  Added "jpk" and "x5c" header parameters for including JWK public
   keys and X.509 certificate chains directly in the header.

o  Clarified that this specification is defining the JWE Compact
   Serialization.  Referenced the new JWE-JS spec, which defines the
   JWE JSON Serialization.

o  Added text "New header parameters should be introduced sparingly
   since an implementation that does not understand a parameter MUST
   reject the JWE".

o  Clarified that the order of the encryption and decryption steps is
   not significant in cases where there are no dependencies between
   the inputs and outputs of the steps.
o  Made other editorial improvements suggested by JOSE working group
   participants.

-00

o  Created the initial IETF draft based upon
   draft-jones-json-web-encryption-02 with no normative changes.

o  Changed terminology to no longer call both digital signatures and
   HMACs "signatures".

Authors' Addresses

Michael B. Jones
Microsoft

Email: mbj@microsoft.com
URI:   http://self-issued.info/

Eric Rescorla
RTFM, Inc.

Email: ekr@rtfm.com

Joe Hildebrand
Cisco Systems, Inc.

Email: jhildebr@cisco.com