JOSE Working Group                                              M. Jones
Internet-Draft                                                 Microsoft
Intended status: Standards Track                             E. Rescorla
Expires: October 25, 2013                                           RTFM
                                                           J. Hildebrand
                                                                   Cisco
                                                          April 23, 2013

                       JSON Web Encryption (JWE)
                 draft-ietf-jose-json-web-encryption-09

Abstract

   JSON Web Encryption (JWE) is a means of representing encrypted
   content using JavaScript Object Notation (JSON) data structures.
   Cryptographic algorithms and identifiers for use with this
   specification are described in the separate JSON Web Algorithms (JWA)
   specification.  Related digital signature and MAC capabilities are
   described in the separate JSON Web Signature (JWS) specification.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.
   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 25, 2013.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Notational Conventions
   2.  Terminology
   3.  JSON Web Encryption (JWE) Overview
     3.1.  Example JWE using RSAES OAEP and AES GCM
     3.2.  Example JWE using RSAES-PKCS1-V1_5 and AES_128_CBC_HMAC_SHA_256
   4.  JWE Header
     4.1.  Reserved Header Parameter Names
       4.1.1.   "alg" (Algorithm) Header Parameter
       4.1.2.   "enc" (Encryption Method) Header Parameter
       4.1.3.   "epk" (Ephemeral Public Key) Header Parameter
       4.1.4.   "zip" (Compression Algorithm) Header Parameter
       4.1.5.   "jku" (JWK Set URL) Header Parameter
       4.1.6.   "jwk" (JSON Web Key) Header Parameter
       4.1.7.   "x5u" (X.509 URL) Header Parameter
       4.1.8.   "x5t" (X.509 Certificate Thumbprint) Header Parameter
       4.1.9.   "x5c" (X.509 Certificate Chain) Header Parameter
       4.1.10.  "kid" (Key ID) Header Parameter
       4.1.11.  "typ" (Type) Header Parameter
       4.1.12.  "cty" (Content Type) Header Parameter
       4.1.13.  "apu" (Agreement PartyUInfo) Header Parameter
       4.1.14.  "apv" (Agreement PartyVInfo) Header Parameter
       4.1.15.  "crit" (Critical) Header Parameter
     4.2.  Public Header Parameter Names
     4.3.  Private Header Parameter Names
   5.  Producing and Consuming JWEs
     5.1.  Message Encryption
     5.2.  Message Decryption
     5.3.  String Comparison Rules
   6.  Encrypting JWEs with Cryptographic Algorithms
     6.1.  CEK Encryption
   7.  JSON Serialization
     7.1.  Example JWE-JS
   8.  Implementation Considerations
   9.  IANA Considerations
     9.1.  Registration of JWE Header Parameter Names
       9.1.1.  Registry Contents
     9.2.  JSON Web Signature and Encryption Type Values Registration
       9.2.1.  Registry Contents
     9.3.  Media Type Registration
       9.3.1.  Registry Contents
   10.  Security Considerations
   11.  References
     11.1.  Normative References
     11.2.  Informative References
   Appendix A.  JWE Examples
     A.1.  Example JWE using RSAES OAEP and AES GCM
       A.1.1.   JWE Header
       A.1.2.   Encoded JWE Header
       A.1.3.   Content Encryption Key (CEK)
       A.1.4.   Key Encryption
       A.1.5.   Encoded JWE Encrypted Key
       A.1.6.   Initialization Vector
       A.1.7.   Additional Authenticated Data Parameter
       A.1.8.   Plaintext Encryption
       A.1.9.   Encoded JWE Ciphertext
       A.1.10.  Encoded JWE Authentication Tag
       A.1.11.  Complete Representation
       A.1.12.  Validation
     A.2.  Example JWE using RSAES-PKCS1-V1_5 and AES_128_CBC_HMAC_SHA_256
       A.2.1.   JWE Header
       A.2.2.   Encoded JWE Header
       A.2.3.   Content Encryption Key (CEK)
       A.2.4.   Key Encryption
       A.2.5.   Encoded JWE Encrypted Key
       A.2.6.   Initialization Vector
       A.2.7.   Additional Authenticated Data Parameter
       A.2.8.   Plaintext Encryption
       A.2.9.   Encoded JWE Ciphertext
       A.2.10.  Encoded JWE Authentication Tag
       A.2.11.  Complete Representation
       A.2.12.  Validation
     A.3.  Example JWE using AES Key Wrap and AES GCM
       A.3.1.   JWE Header
       A.3.2.   Encoded JWE Header
       A.3.3.   Content Encryption Key (CEK)
       A.3.4.   Key Encryption
       A.3.5.   Encoded JWE Encrypted Key
       A.3.6.   Initialization Vector
       A.3.7.   Additional Authenticated Data Parameter
       A.3.8.   Plaintext Encryption
       A.3.9.   Encoded JWE Ciphertext
       A.3.10.  Encoded JWE Authentication Tag
       A.3.11.  Complete Representation
       A.3.12.  Validation
   Appendix B.  Example AES_128_CBC_HMAC_SHA_256 Computation
     B.1.  Extract MAC_KEY and ENC_KEY from Key
     B.2.  Encrypt Plaintext to Create Ciphertext
     B.3.  Create 64 Bit Big Endian Representation of AAD Length
     B.4.  Initialization Vector Value
     B.5.  Create Input to HMAC Computation
     B.6.  Compute HMAC Value
     B.7.  Truncate HMAC Value to Create Authentication Tag
   Appendix C.  Acknowledgements
   Appendix D.  Document History
   Authors' Addresses

1.  Introduction

   JSON Web Encryption (JWE) is a compact encryption format intended for
   space constrained environments such as HTTP Authorization headers and
   URI query parameters.  It represents this content using JavaScript
   Object Notation (JSON) [RFC4627] based data structures.  The JWE
   cryptographic mechanisms encrypt and provide integrity protection for
   arbitrary sequences of octets.

   Cryptographic algorithms and identifiers for use with this
   specification are described in the separate JSON Web Algorithms (JWA)
   [JWA] specification.  Related digital signature and MAC capabilities
   are described in the separate JSON Web Signature (JWS) [JWS]
   specification.

1.1.  Notational Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in Key words for use in
   RFCs to Indicate Requirement Levels [RFC2119].

2.  Terminology

   JSON Web Encryption (JWE)  A data structure representing an encrypted
      message.  The structure represents five values: the JWE Header,
      the JWE Encrypted Key, the JWE Initialization Vector, the JWE
      Ciphertext, and the JWE Authentication Tag.

   Authenticated Encryption  An Authenticated Encryption algorithm is
      one that provides an integrated content integrity check.
      Authenticated Encryption algorithms accept two inputs, the
      Plaintext and the Additional Authenticated Data value, and produce
      two outputs, the Ciphertext and the Authentication Tag value.  AES
      Galois/Counter Mode (GCM) is one such algorithm.

   Plaintext  The sequence of octets to be encrypted -- a.k.a., the
      message.  The plaintext can contain an arbitrary sequence of
      octets.

   Ciphertext  An encrypted representation of the Plaintext.
   Additional Associated Data (AAD)  An input to an Authenticated
      Encryption operation that is integrity protected but not
      encrypted.

   Authentication Tag  An output of an Authenticated Encryption
      operation that ensures the integrity of the Ciphertext and the
      Additional Associated Data.

   Content Encryption Key (CEK)  A symmetric key for the Authenticated
      Encryption algorithm used to encrypt the Plaintext for the
      recipient to produce the Ciphertext and the Authentication Tag.

   JSON Text Object  A UTF-8 [RFC3629] encoded text string representing
      a JSON object; the syntax of JSON objects is defined in Section
      2.2 of [RFC4627].

   JWE Header  A JSON Text Object that describes the encryption
      operations applied to create the JWE Encrypted Key, the JWE
      Ciphertext, and the JWE Authentication Tag.

   JWE Encrypted Key  The result of encrypting the Content Encryption
      Key (CEK) with the intended recipient's key using the specified
      algorithm.  Note that for some algorithms, the JWE Encrypted Key
      value is specified as being the empty octet sequence.

   JWE Initialization Vector  A sequence of octets containing the
      Initialization Vector used when encrypting the Plaintext.  Note
      that some algorithms may not use an Initialization Vector, in
      which case this value is the empty octet sequence.

   JWE Ciphertext  A sequence of octets containing the Ciphertext for a
      JWE.

   JWE Authentication Tag  A sequence of octets containing the
      Authentication Tag for a JWE.

   Base64url Encoding  The URL- and filename-safe Base64 encoding
      described in RFC 4648 [RFC4648], Section 5, with the (non URL-
      safe) '=' padding characters omitted, as permitted by Section 3.2.
      (See Appendix C of [JWS] for notes on implementing base64url
      encoding without padding.)

   Encoded JWE Header  Base64url encoding of the JWE Header.

   Encoded JWE Encrypted Key  Base64url encoding of the JWE Encrypted
      Key.

   Encoded JWE Initialization Vector  Base64url encoding of the JWE
      Initialization Vector.

   Encoded JWE Ciphertext  Base64url encoding of the JWE Ciphertext.

   Encoded JWE Authentication Tag  Base64url encoding of the JWE
      Authentication Tag.

   Header Parameter Name  The name of a member of the JWE Header.

   Header Parameter Value  The value of a member of the JWE Header.

   JWE Compact Serialization  A representation of the JWE as the
      concatenation of the Encoded JWE Header, the Encoded JWE Encrypted
      Key, the Encoded JWE Initialization Vector, the Encoded JWE
      Ciphertext, and the Encoded JWE Authentication Tag in that order,
      with the five strings being separated by four period ('.')
      characters.  This results in a compact, URL-safe representation.

   JWE JSON Serialization  A representation of the JWE as a JSON
      structure containing Encoded JWE Header, Encoded JWE Encrypted
      Key, Encoded JWE Initialization Vector, Encoded JWE Ciphertext,
      and Encoded JWE Authentication Tag values.  Unlike the JWE Compact
      Serialization, the JWE JSON Serialization enables the same content
      to be encrypted to multiple parties.  This representation is
      neither compact nor URL-safe.

   Collision Resistant Namespace  A namespace that allows names to be
      allocated in a manner such that they are highly unlikely to
      collide with other names.  For instance, collision resistance can
      be achieved through administrative delegation of portions of the
      namespace or through use of collision-resistant name allocation
      functions.  Examples of Collision Resistant Namespaces include:
      Domain Names, Object Identifiers (OIDs) as defined in the ITU-T
      X.660 and X.670 Recommendation series, and Universally Unique
      IDentifiers (UUIDs) [RFC4122].  When using an administratively
      delegated namespace, the definer of a name needs to take
      reasonable precautions to ensure they are in control of the
      portion of the namespace they use to define the name.

   StringOrURI  A JSON string value, with the additional requirement
      that while arbitrary string values MAY be used, any value
      containing a ":" character MUST be a URI [RFC3986].  StringOrURI
      values are compared as case-sensitive strings with no
      transformations or canonicalizations applied.

   Key Management Mode  A method of determining the Content Encryption
      Key (CEK) value to use.  Each algorithm used for determining the
      CEK value uses a specific Key Management Mode.  Key Management
      Modes employed by this specification are Key Encryption, Key
      Wrapping, Direct Key Agreement, Key Agreement with Key Wrapping,
      and Direct Encryption.

   Key Encryption  A Key Management Mode in which the Content Encryption
      Key (CEK) value is encrypted to the intended recipient using an
      asymmetric encryption algorithm.

   Key Wrapping  A Key Management Mode in which the Content Encryption
      Key (CEK) value is encrypted to the intended recipient using a
      symmetric key wrapping algorithm.

   Direct Key Agreement  A Key Management Mode in which a key agreement
      algorithm is used to agree upon the Content Encryption Key (CEK)
      value.

   Key Agreement with Key Wrapping  A Key Management Mode in which a key
      agreement algorithm is used to agree upon a symmetric key used to
      encrypt the Content Encryption Key (CEK) value to the intended
      recipient using a symmetric key wrapping algorithm.

   Direct Encryption  A Key Management Mode in which the Content
      Encryption Key (CEK) value used is the secret symmetric key value
      shared between the parties.

3.  JSON Web Encryption (JWE) Overview

   JWE represents encrypted content using JSON data structures and
   base64url encoding.  Five values are represented in a JWE: the JWE
   Header, the JWE Encrypted Key, the JWE Initialization Vector, the JWE
   Ciphertext, and the JWE Authentication Tag.  In the Compact
   Serialization, the five values are base64url-encoded for
   transmission, and represented as the concatenation of the encoded
   strings in that order, with the five strings being separated by four
   period ('.') characters.  A JSON Serialization for this information
   is also defined in Section 7.

   JWE utilizes authenticated encryption to ensure the confidentiality
   and integrity of the Plaintext.

3.1.  Example JWE using RSAES OAEP and AES GCM

   This example encrypts the plaintext "The true sign of intelligence is
   not knowledge but imagination." to the recipient using RSAES OAEP and
   AES GCM.

   The following example JWE Header declares that:

   o  the Content Encryption Key is encrypted to the recipient using the
      RSAES OAEP algorithm to produce the JWE Encrypted Key and

   o  the Plaintext is encrypted using the AES GCM algorithm with a 256
      bit key to produce the Ciphertext.
   {"alg":"RSA-OAEP","enc":"A256GCM"}

   Base64url encoding the octets of the UTF-8 representation of the JWE
   Header yields this Encoded JWE Header value:

   eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ

   The remaining steps to finish creating this JWE are:

   o  Generate a random Content Encryption Key (CEK)

   o  Encrypt the CEK with the recipient's public key using the RSAES
      OAEP algorithm to produce the JWE Encrypted Key

   o  Base64url encode the JWE Encrypted Key to produce the Encoded JWE
      Encrypted Key

   o  Generate a random JWE Initialization Vector

   o  Base64url encode the JWE Initialization Vector to produce the
      Encoded JWE Initialization V
      ector

   o  Concatenate the Encoded JWE Header value, a period ('.')
      character, and the Encoded JWE Encrypted Key to create the
      Additional Authenticated Data parameter

   o  Encrypt the Plaintext with AES GCM using the CEK as the encryption
      key, the JWE Initialization Vector, and the Additional
      Authenticated Data value, requesting a 128 bit Authentication Tag
      output

   o  Base64url encode the Ciphertext to create the Encoded JWE
      Ciphertext

   o  Base64url encode the Authentication Tag to create the Encoded JWE
      Authentication Tag

   o  Assemble the final representation: The Compact Serialization of
      this result is the concatenation of the Encoded JWE Header, the
      Encoded JWE Encrypted Key, the Encoded JWE Initialization Vector,
      the Encoded JWE Ciphertext, and the Encoded JWE Authentication Tag
      in that order, with the five strings being separated by four
      period ('.') characters.

   The final result in this example (with line breaks for display
   purposes only) is:

   eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ.
   ApfOLCaDbqs_JXPYy2I937v_xmrzj-Iss1mG6NAHmeJViM6j2l0MHvfseIdHVyU2
   BIoGVu9ohvkkWiRq5DL2jYZTPA9TAdwq3FUIVyoH-Pedf6elHIVFi2KGDEspYMtQ
   ARMMSBcS7pslx6flh1Cfh3GBKysztVMEhZ_maFkm4PYVCsJsvq6Ct3fg2CJPOs0X
   1DHuxZKoIGIqcbeK4XEO5a0h5TAuJObKdfO0dKwfNSSbpu5sFrpRFwV2FTTYoqF4
   zI46N9-_hMIznlEpftRXhScEJuZ9HG8C8CHB1WRZ_J48PleqdhF4o7fB5J1wFqUX
   BtbtuGJ_A2Xe6AEhrlzCOw.
   48V1_ALb6US04U3b.
   5eym8TW_c8SuK0ltJ3rpYIzOeDQz7TALvtu6UG9oMo4vpzs9tX_EFShS8iB7j6ji
   SdiwkIr3ajwQzaBtQD_A.
   ghEgxninkHEAMp4xZtB2mA

   See Appendix A.1 for the complete details of computing this JWE.

3.2.  Example JWE using RSAES-PKCS1-V1_5 and AES_128_CBC_HMAC_SHA_256

   This example encrypts the plaintext "Live long and prosper." to the
   recipient using RSAES-PKCS1-V1_5 and AES_128_CBC_HMAC_SHA_256.

   The following example JWE Header (with line breaks for display
   purposes only) declares that:

   o  the Content Encryption Key is encrypted to the recipient using the
      RSAES-PKCS1-V1_5 algorithm to produce the JWE Encrypted Key and

   o  the Plaintext is encrypted using the AES_128_CBC_HMAC_SHA_256
      algorithm to produce the Ciphertext.

   {"alg":"RSA1_5","enc":"A128CBC-HS256"}

   Base64url encoding the octets of the UTF-8 representation of the JWE
   Header yields this Encoded JWE Header value:

   eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0

   The remaining steps to finish creating this JWE are the same as for
   the previous example, but using RSAES-PKCS1-v1_5 instead of RSAES
   OAEP and using the AES_128_CBC_HMAC_SHA_256 algorithm (which is
   specified in Sections 4.8 and 4.8.3 of JWA) instead of AES GCM.

   The final result in this example (with line breaks for display
   purposes only) is:

   eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0.
   nJa_uE2D0wlKz-OcwSbKFzj302xYSI-RLBM6hbVGmP4axtJQPA9S0po3s3NMkmOm
   kkawnfwPNjpc0mc3z79cuQWkQPFQo-mDxmogz8dxBcheaTUg3ZvpbGCXxZjDYENR
   WiZ5M9BiLy09BIF5mHp85QL6XED1JEZMOh-1uT1lqPDcDD79qWtrCfEJmNmfsx5f
   cB2PfAcVtQ0t_YmOXx5_Gu0it1nILKXLR2Ynf9mfLhEcC5LebpWyEHW6WzQ4iH9S
   IcIupPV1iKCzmJcPrDBJ5Fc_KMBcXBinaS__wftNywaGgfi_NSsx24LxtK6fIkej
   RlMBmCfxv0Tg8CtxpURigg.
   AxY8DCtDaGlsbGljb3RoZQ.
   KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY.
   fY2U_Hx5VcfXmipEldHhMA

   See Appendix A.2 for the complete details of computing this JWE.

4.  JWE Header

   The members of the JSON object represented by the JWE Header describe
   the encryption applied to the Plaintext and optionally additional
   properties of the JWE.  The Header Parameter Names within this object
   MUST be unique; JWEs with duplicate Header Parameter Names MUST be
   rejected.

   Implementations are required to understand the specific header
   parameters defined by this specification that are designated as "MUST
   be understood" and process them in the manner defined in this
   specification.  All other header parameters defined by this
   specification that are not so designated MUST be ignored when not
   understood.  Unless listed as a critical header parameter, per
   Section 4.1.15, all other header parameters MUST be ignored when not
   understood.

   There are two ways of distinguishing whether a header is a JWS Header
   or a JWE Header.  The first is by examining the "alg" (algorithm)
   header parameter value.  If the value represents a digital signature
   or MAC algorithm, or is the value "none", it is for a JWS; if it
   represents a Key Encryption, Key Wrapping, Direct Key Agreement, Key
   Agreement with Key Wrapping, or Direct Encryption algorithm, it is
   for a JWE.  A second method is determining whether an "enc"
   (encryption method) member exists.  If the "enc" member exists, it is
   a JWE; otherwise, it is a JWS.
   Both methods will yield the same result for all legal input values.

   There are three classes of Header Parameter Names: Reserved Header
   Parameter Names, Public Header Parameter Names, and Private Header
   Parameter Names.

4.1.  Reserved Header Parameter Names

   The following Header Parameter Names are reserved with meanings as
   defined below.  All the names are short because a core goal of this
   specification is for the resulting representations using the JWE
   Compact Serialization to be compact.

   Additional reserved Header Parameter Names MAY be defined via the
   IANA JSON Web Signature and Encryption Header Parameters registry
   [JWS].  As indicated by the common registry, JWSs and JWEs share a
   common header parameter space; when a parameter is used by both
   specifications, its usage must be compatible between the
   specifications.

4.1.1.  "alg" (Algorithm) Header Parameter

   The "alg" (algorithm) header parameter identifies the cryptographic
   algorithm used to encrypt or determine the value of the Content
   Encryption Key (CEK).  The algorithm specified by the "alg" value
   MUST be supported by the implementation and there MUST be a key for
   use with that algorithm associated with the intended recipient or the
   JWE MUST be rejected.  "alg" values SHOULD either be registered in the
   IANA JSON Web Signature and Encryption Algorithms registry [JWA] or
   be a value that contains a Collision Resistant Namespace.  The "alg"
   value is a case sensitive string containing a StringOrURI value.  Use
   of this header parameter is REQUIRED.  This header parameter MUST be
   understood by implementations.

   A list of defined "alg" values can be found in the IANA JSON Web
   Signature and Encryption Algorithms registry [JWA]; the initial
   contents of this registry are the values defined in Section 4.1 of
   the JSON Web Algorithms (JWA) [JWA] specification.

4.1.2.  "enc" (Encryption Method) Header Parameter

   The "enc" (encryption method) header parameter identifies the block
   encryption algorithm used to encrypt the Plaintext to produce the
   Ciphertext.  This algorithm MUST be an Authenticated Encryption
   algorithm with a specified key length.  The algorithm specified by
   the "enc" value MUST be supported by the implementation or the JWE
   MUST be rejected.  "enc" values SHOULD either be registered in the
   IANA JSON Web Signature and Encryption Algorithms registry [JWA] or
   be a value that contains a Collision Resistant Namespace.  The "enc"
   value is a case sensitive string containing a StringOrURI value.  Use
   of this header parameter is REQUIRED.  This header parameter MUST be
   understood by implementations.

   A list of defined "enc" values can be found in the IANA JSON Web
   Signature and Encryption Algorithms registry [JWA]; the initial
   contents of this registry are the values defined in Section 4.2 of
   the JSON Web Algorithms (JWA) [JWA] specification.

4.1.3.  "epk" (Ephemeral Public Key) Header Parameter

   The "epk" (ephemeral public key) header parameter is the ephemeral
   public key value created by the originator for use in key agreement
   algorithms.  This key is represented as a JSON Web Key [JWK] value.
   Use of this header parameter is OPTIONAL, although its use is
   REQUIRED with some "alg" algorithms.  When its use is REQUIRED, this
   header parameter MUST be understood by implementations.

4.1.4.  "zip" (Compression Algorithm) Header Parameter

   The "zip" (compression algorithm) header parameter names the
   compression applied to the Plaintext before encryption, if any.  If
   present, the value of the "zip" header parameter MUST be the case
   sensitive string "DEF".  Compression is performed with the DEFLATE
   [RFC1951] algorithm.  If no "zip" parameter is present, no
   compression is applied to the Plaintext before encryption.  Use of
   this header parameter is OPTIONAL.  This header parameter MUST be
   understood by implementations.

4.1.5.  "jku" (JWK Set URL) Header Parameter

   The "jku" (JWK Set URL) header parameter is a URI [RFC3986] that
   refers to a resource for a set of JSON-encoded public keys, one of
   which is the key to which the JWE was encrypted; this can be used to
   determine the private key needed to decrypt the JWE.  The keys MUST
   be encoded as a JSON Web Key Set (JWK Set) [JWK].  The protocol used
   to acquire the resource MUST provide integrity protection; an HTTP
   GET request to retrieve the JWK Set MUST use TLS [RFC2818]
   [RFC5246]; the identity of the server MUST be validated, as per
   Section 3.1 of HTTP Over TLS [RFC2818].  Use of this header parameter
   is OPTIONAL.

4.1.6.  "jwk" (JSON Web Key) Header Parameter

   The "jwk" (JSON Web Key) header parameter is the public key to which
   the JWE was encrypted; this can be used to determine the private key
   needed to decrypt the JWE.  This key is represented as a JSON Web Key
   [JWK].  Use of this header parameter is OPTIONAL.

4.1.7.  "x5u" (X.509 URL) Header Parameter

   The "x5u" (X.509 URL) header parameter is a URI [RFC3986] that refers
   to a resource for the X.509 public key certificate or certificate
   chain [RFC5280] containing the key to which the JWE was encrypted;
   this can be used to determine the private key needed to decrypt the
   JWE.  The identified resource MUST provide a representation of the
   certificate or certificate chain that conforms to RFC 5280 [RFC5280]
   in PEM encoded form [RFC1421].  The certificate containing the public
   key to which the JWE was encrypted MUST be the first certificate.
   This MAY be followed by additional certificates, with each subsequent
   certificate being the one used to certify the previous one.  The
   protocol used to acquire the resource MUST provide integrity
   protection; an HTTP GET request to retrieve the certificate MUST use
   TLS [RFC2818] [RFC5246]; the identity of the server MUST be
   validated, as per Section 3.1 of HTTP Over TLS [RFC2818].  Use of
   this header parameter is OPTIONAL.

4.1.8.  "x5t" (X.509 Certificate Thumbprint) Header Parameter

   The "x5t" (X.509 Certificate Thumbprint) header parameter provides a
   base64url encoded SHA-1 thumbprint (a.k.a. digest) of the DER
   encoding of the X.509 certificate [RFC5280] containing the key to
   which the JWE was encrypted; this can be used to determine the
   private key needed to decrypt the JWE.  Use of this header parameter
   is OPTIONAL.

   If, in the future, certificate thumbprints need to be computed using
   hash functions other than SHA-1, it is suggested that additional
   related header parameters be defined for that purpose.  For example,
   it is suggested that a new "x5t#S256" (X.509 Certificate Thumbprint
   using SHA-256) header parameter could be defined by registering it in
   the IANA JSON Web Signature and Encryption Header Parameters registry
   [JWS].

4.1.9.  "x5c" (X.509 Certificate Chain) Header Parameter

   The "x5c" (X.509 Certificate Chain) header parameter contains the
   X.509 public key certificate or certificate chain [RFC5280]
   containing the key to which the JWE was encrypted; this can be used
   to determine the private key needed to decrypt the JWE.  The
   certificate or certificate chain is represented as an array of
   certificate value strings.  Each string is a base64 encoded
   ([RFC4648] Section 4 -- not base64url encoded) DER [ITU.X690.1994]
   PKIX certificate value.  The certificate containing the public key to
   which the JWE was encrypted MUST be the first certificate.  This MAY
   be followed by additional certificates, with each subsequent
   certificate being the one used to certify the previous one.
Use of 623 this header parameter is OPTIONAL. 625 See Appendix B of [JWS] for an example "x5c" value. 627 4.1.10. "kid" (Key ID) Header Parameter 629 The "kid" (key ID) header parameter is a hint indicating which key to 630 which the JWE was encrypted; this can be used to determine the 631 private key needed to decrypt the JWE. This parameter allows 632 originators to explicitly signal a change of key to recipients. 633 Should the recipient be unable to locate a key corresponding to the 634 "kid" value, they SHOULD treat that condition as an error. The 635 interpretation of the "kid" value is unspecified. Its value MUST be 636 a string. Use of this header parameter is OPTIONAL. 638 When used with a JWK, the "kid" value can be used to match a JWK 639 "kid" parameter value. 641 4.1.11. "typ" (Type) Header Parameter 643 The "typ" (type) header parameter is used to declare the type of this 644 object. The type value "JWE" is used to indicate that this object is 645 a JWE using the JWE Compact Serialization. The type value "JWE-JS" 646 is used to indicate that this object is a JWE using the JWE JSON 647 Serialization. The "typ" value is a case sensitive string. Use of 648 this header parameter is OPTIONAL. 650 MIME Media Type [RFC2046] values MAY be used as "typ" values. 652 "typ" values SHOULD either be registered in the IANA JSON Web 653 Signature and Encryption Type Values registry [JWS] or be a value 654 that contains a Collision Resistant Namespace. 656 4.1.12. "cty" (Content Type) Header Parameter 658 The "cty" (content type) header parameter is used to declare the type 659 of the encrypted content (the Plaintext). For example, the JSON Web 660 Token (JWT) [JWT] specification uses the "cty" value "JWT" to 661 indicate that the Plaintext is a JSON Web Token (JWT). The "cty" 662 value is a case sensitive string. Use of this header parameter is 663 OPTIONAL. 
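Locating the decryption key from the "kid" and "x5t" hints of Sections 4.1.8 and 4.1.10 above, as an added example that is not part of this specification or of any JOSE library. The keyring layout, the `select_key`/`thumbprint` names and the stand-in certificate bytes are this example's own assumptions; only the thumbprint computation and the comparison rules come from the text.

```python
"""Added example (not from this specification): picking the decryption key a
JWE Header points at with "kid" (Section 4.1.10) and "x5t" (Section 4.1.8),
plus the "x5t#S256" variant the text suggests. Certificates here are
constructed stand-in bytes, not real DER; the logic is the same."""
import base64
import hashlib


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def thumbprint(cert_der: bytes, hash_name: str = "sha1") -> str:
    """"x5t": base64url of the SHA-1 digest of the DER certificate;
    hash_name="sha256" yields the suggested "x5t#S256" value instead."""
    return b64url(hashlib.new(hash_name, cert_der).digest())


class KeyNotFound(LookupError):
    """Section 4.1.10: no key matching the hint SHOULD be treated as an error."""


def select_key(header: dict, keyring: list) -> dict:
    """Return the single keyring entry ({"kid", "cert_der", ...}) matching
    every hint in the header. Hints only narrow the search over keys the
    recipient already holds; nothing in the header is used as key material."""
    candidates = list(keyring)
    if "kid" in header:
        if not isinstance(header["kid"], str):
            raise ValueError('"kid" value MUST be a string')
        # Code-point equality, no normalization (Section 5.3).
        candidates = [k for k in candidates if k.get("kid") == header["kid"]]
    for name, algo in (("x5t", "sha1"), ("x5t#S256", "sha256")):
        if name in header:
            candidates = [k for k in candidates
                          if thumbprint(k["cert_der"], algo) == header[name]]
    if len(candidates) != 1:
        raise KeyNotFound(f"{len(candidates)} keys match the header hints")
    return candidates[0]


# Constructed keyring: the bytes below stand in for DER-encoded certificates.
KEYRING = [
    {"kid": "2013-03-key", "cert_der": b"stand-in DER certificate A"},
    {"kid": "2013-04-key", "cert_der": b"stand-in DER certificate B"},
]

if __name__ == "__main__":
    hdr = {"alg": "RSA-OAEP", "enc": "A256GCM",
           "x5t": thumbprint(KEYRING[1]["cert_der"])}
    print(select_key(hdr, KEYRING)["kid"])
```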

The values used for the "cty" header parameter come from the same value
space as the "typ" header parameter, with the same rules applying.

4.1.13. "apu" (Agreement PartyUInfo) Header Parameter

The "apu" (agreement PartyUInfo) value for key agreement algorithms using it
(such as "ECDH-ES"), represented as a base64url encoded string. Use of this
header parameter is OPTIONAL. When the "alg" value used identifies an
algorithm for which "apu" is a parameter, this header parameter MUST be
understood by implementations.

4.1.14. "apv" (Agreement PartyVInfo) Header Parameter

The "apv" (agreement PartyVInfo) value for key agreement algorithms using it
(such as "ECDH-ES"), represented as a base64url encoded string. Use of this
header parameter is OPTIONAL. When the "alg" value used identifies an
algorithm for which "apv" is a parameter, this header parameter MUST be
understood by implementations.

4.1.15. "crit" (Critical) Header Parameter

The "crit" (critical) header parameter is an array listing the names of
header parameters that are present in the JWE Header that MUST be understood
and processed by the implementation or, if not understood, MUST cause the
JWE to be rejected. This list MUST NOT include header parameters defined by
this specification, duplicate names, or names that do not occur as header
parameters within the JWE. Use of this header parameter is OPTIONAL. This
header parameter MUST be understood by implementations.

An example use, along with a hypothetical "exp" (expiration-time) field is:

   {"alg":"RSA-OAEP",
    "enc":"A256GCM",
    "crit":["exp"],
    "exp":1363284000
   }

4.2. Public Header Parameter Names

Additional Header Parameter Names can be defined by those using JWEs.
However, in order to prevent collisions, any new Header Parameter Name
SHOULD either be registered in the IANA JSON Web Signature and Encryption
Header Parameters registry [JWS] or be a Public Name: a value that contains
a Collision Resistant Namespace. In each case, the definer of the name or
value needs to take reasonable precautions to make sure they are in control
of the part of the namespace they use to define the Header Parameter Name.

New header parameters should be introduced sparingly, as they can result in
non-interoperable JWEs.

4.3. Private Header Parameter Names

A producer and consumer of a JWE may agree to use Header Parameter Names
that are Private Names: names that are not Reserved Names (Section 4.1) or
Public Names (Section 4.2). Unlike Public Names, Private Names are subject
to collision and should be used with caution.

5. Producing and Consuming JWEs

5.1. Message Encryption

The message encryption process is as follows. The order of the steps is not
significant in cases where there are no dependencies between the inputs and
outputs of the steps.

1. Determine the Key Management Mode employed by the algorithm used to
   determine the Content Encryption Key (CEK) value. (This is the algorithm
   recorded in the "alg" (algorithm) header parameter of the resulting JWE.)

2. When Key Wrapping, Key Encryption, or Key Agreement with Key Wrapping are
   employed, generate a random Content Encryption Key (CEK) value. See
   RFC 4086 [RFC4086] for considerations on generating random values. The
   CEK MUST have a length equal to that required for the block encryption
   algorithm.

3. When Direct Key Agreement or Key Agreement with Key Wrapping are
   employed, use the key agreement algorithm to compute the value of the
   agreed upon key. When Direct Key Agreement is employed, let the Content
   Encryption Key (CEK) be the agreed upon key. When Key Agreement with Key
   Wrapping is employed, the agreed upon key will be used to wrap the CEK.

4. When Key Wrapping, Key Encryption, or Key Agreement with Key Wrapping are
   employed, encrypt the CEK to the recipient (see Section 6.1) and let the
   result be the JWE Encrypted Key.

5. Otherwise, when Direct Key Agreement or Direct Encryption are employed,
   let the JWE Encrypted Key be the empty octet sequence.

6. When Direct Encryption is employed, let the Content Encryption Key (CEK)
   be the shared symmetric key.

7. Base64url encode the JWE Encrypted Key to create the Encoded JWE
   Encrypted Key.

8. Generate a random JWE Initialization Vector of the correct size for the
   block encryption algorithm (if required for the algorithm); otherwise,
   let the JWE Initialization Vector be the empty octet sequence.

9. Base64url encode the JWE Initialization Vector to create the Encoded JWE
   Initialization Vector.

10. Compress the Plaintext if a "zip" parameter was included.

11. Serialize the (compressed) Plaintext into an octet sequence M.

12. Create a JWE Header containing the encryption parameters used. Note that
    white space is explicitly allowed in the representation and no
    canonicalization need be performed before encoding.

13. Base64url encode the octets of the UTF-8 representation of the JWE
    Header to create the Encoded JWE Header.

14. Let the Additional Authenticated Data value be the octets of the ASCII
    representation of the concatenation of the Encoded JWE Header, a period
    ('.') character, and the Encoded JWE Encrypted Key.

15. Encrypt M using the CEK, the JWE Initialization Vector, and the
    Additional Authenticated Data value using the specified block encryption
    algorithm to create the JWE Ciphertext value and the JWE Authentication
    Tag (which is the Authentication Tag output from the calculation).

16. Base64url encode the JWE Ciphertext to create the Encoded JWE
    Ciphertext.

17. Base64url encode the JWE Authentication Tag to create the Encoded JWE
    Authentication Tag.

18. The five encoded parts are the result values used in both the JWE
    Compact Serialization and the JWE JSON Serialization representations.

19. If the JWE JSON Serialization is being used, repeat this process for
    each recipient.

20. Create the desired serialized output. The JWE Compact Serialization of
    this result is the concatenation of the Encoded JWE Header, the Encoded
    JWE Encrypted Key, the Encoded JWE Initialization Vector, the Encoded
    JWE Ciphertext, and the Encoded JWE Authentication Tag in that order,
    with the five strings being separated by four period ('.') characters.
    The JWE JSON Serialization is described in Section 7.

5.2. Message Decryption

The message decryption process is the reverse of the encryption process.
The order of the steps is not significant in cases where there are no
dependencies between the inputs and outputs of the steps. If any of these
steps fails, the JWE MUST be rejected.

1. Parse the serialized input to determine the values of the Encoded JWE
   Header, the Encoded JWE Encrypted Key, the Encoded JWE Initialization
   Vector, the Encoded JWE Ciphertext, and the Encoded JWE Authentication
   Tag. When using the JWE Compact Serialization, these five values are
   represented as text strings in that order, separated by four period
   ('.') characters. The JWE JSON Serialization is described in Section 7.

2. The Encoded JWE Header, the Encoded JWE Encrypted Key, the Encoded JWE
   Initialization Vector, the Encoded JWE Ciphertext, and the Encoded JWE
   Authentication Tag MUST be successfully base64url decoded following the
   restriction that no padding characters have been used.

3. The resulting JWE Header MUST be completely valid JSON syntax conforming
   to RFC 4627 [RFC4627].

4. The resulting JWE Header MUST be validated to only include parameters
   and values whose syntax and semantics are both understood and supported
   or that are specified as being ignored when not understood.

5. Determine the Key Management Mode employed by the algorithm specified by
   the "alg" (algorithm) header parameter.

6. Verify that the JWE uses a key known to the recipient.

7. When Direct Key Agreement or Key Agreement with Key Wrapping are
   employed, use the key agreement algorithm to compute the value of the
   agreed upon key. When Direct Key Agreement is employed, let the Content
   Encryption Key (CEK) be the agreed upon key. When Key Agreement with Key
   Wrapping is employed, the agreed upon key will be used to decrypt the
   JWE Encrypted Key.

8. When Key Wrapping, Key Encryption, or Key Agreement with Key Wrapping are
   employed, decrypt the JWE Encrypted Key to produce the Content Encryption
   Key (CEK). The CEK MUST have a length equal to that required for the
   block encryption algorithm. To mitigate the attacks described in
   RFC 3218 [RFC3218], the recipient MUST NOT distinguish between format,
   padding, and length errors of encrypted keys. It is strongly recommended,
   in the event of receiving an improperly formatted key, that the receiver
   substitute a randomly generated CEK and proceed to the next step, to
   mitigate timing attacks.

9. Otherwise, when Direct Key Agreement or Direct Encryption are employed,
   verify that the JWE Encrypted Key value is the empty octet sequence.

10. When Direct Encryption is employed, let the Content Encryption Key (CEK)
    be the shared symmetric key.

11. Let the Additional Authenticated Data value be the octets of the ASCII
    representation of the concatenation of the Encoded JWE Header, a period
    ('.') character, and the Encoded JWE Encrypted Key.

12. Decrypt the JWE Ciphertext using the CEK, the JWE Initialization Vector,
    the Additional Authenticated Data value, and the JWE Authentication Tag
    (which is the Authentication Tag input to the calculation) using the
    specified block encryption algorithm, returning the decrypted plaintext
    and verifying the JWE Authentication Tag in the manner specified for the
    algorithm, rejecting the input without emitting any decrypted output if
    the JWE Authentication Tag is incorrect.

13. Uncompress the decrypted plaintext if a "zip" parameter was included.

14. Output the resulting Plaintext.

15. If the JWE JSON Serialization is being used, repeat this process for
    each recipient contained in the representation.

5.3. String Comparison Rules

Processing a JWE inevitably requires comparing known strings to values in
JSON objects. For example, in checking what the encryption method is, the
Unicode string encoding "enc" will be checked against the member names in
the JWE Header to see if there is a matching Header Parameter Name.

Comparisons between JSON strings and other Unicode strings MUST be performed
by comparing Unicode code points without normalization as specified in the
String Comparison Rules in Section 5.3 of [JWS].

6. Encrypting JWEs with Cryptographic Algorithms

JWE uses cryptographic algorithms to encrypt the Plaintext and the Content
Encryption Key (CEK) and to provide integrity protection for the JWE Header,
JWE Encrypted Key, and JWE Ciphertext. The JSON Web Algorithms (JWA) [JWA]
specification specifies a set of cryptographic algorithms and identifiers to
be used with this specification and defines registries for additional such
algorithms.
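The consumer-side steps of Section 5.2 above (parsing, unpadded base64url decoding, header and "crit" validation, the empty Encrypted Key rule for the direct modes, and AAD construction), together with the per-recipient mapping and cross-recipient rules of the JSON Serialization described in Section 7, as an added example that is not part of this specification or of any JOSE library. It assumes JWA's "dir" identifier for Direct Encryption; all sample values are constructed, with zero bytes standing in for IV, ciphertext and tag, so it stops just before the AEAD call.

```python
"""Added example (not from this specification or any JOSE library): the
consumer checks of Section 5.2 steps 1-5, 9 and 11, the "crit" rules of
Section 4.1.15 and the per-recipient mapping of Section 7, standard
library only. It stops before the AEAD call; all samples are constructed."""
import base64
import json

# Header Parameter Names registered by this specification (Section 9.1.1).
SPEC_PARAMS = {"alg", "enc", "epk", "zip", "jku", "jwk", "x5u", "x5t",
               "x5c", "kid", "typ", "cty", "apu", "apv", "crit"}
DIRECT_ALGS = {"dir", "ECDH-ES"}   # modes whose JWE Encrypted Key is empty

class JWEError(ValueError):
    """Any failed step means the whole JWE MUST be rejected (Section 5.2)."""

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    """Step 2: base64url with no padding characters, nothing else."""
    if "=" in text or not all(c.isalnum() or c in "-_" for c in text):
        raise JWEError("not unpadded base64url")
    try:
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    except ValueError as exc:                  # binascii.Error is a ValueError
        raise JWEError(f"base64url decoding failed: {exc}")

def validate_header(hdr, understood=frozenset()) -> str:
    """Steps 4-5 and Section 4.1.15; `understood` = extension names we implement."""
    if not isinstance(hdr, dict) or not isinstance(hdr.get("alg"), str) \
            or not isinstance(hdr.get("enc"), str):
        raise JWEError('"alg" and "enc" are required string members')
    unknown = set(hdr) - SPEC_PARAMS - set(understood)
    if unknown:  # step 4: nothing unsupported is ignored; this covers crit names
        raise JWEError(f"unsupported parameters: {sorted(unknown)}")
    crit = hdr.get("crit")
    if crit is not None:
        if not isinstance(crit, list) or not all(isinstance(n, str) for n in crit):
            raise JWEError('"crit" MUST be an array of names')
        if len(set(crit)) != len(crit) or set(crit) & SPEC_PARAMS \
                or not set(crit) <= set(hdr):
            raise JWEError('"crit" lists duplicate, spec-defined or absent names')
    return hdr["alg"]

def prepare_compact(jwe: str, understood=frozenset()) -> dict:
    """Steps 1-5, 9 and 11: everything a consumer does before decrypting."""
    parts = jwe.split(".")
    if len(parts) != 5:                                          # step 1
        raise JWEError("Compact Serialization has exactly five parts")
    raw = [b64url_decode(p) for p in parts]                      # step 2
    try:                                                         # step 3
        hdr = json.loads(raw[0].decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise JWEError(f"JWE Header is not valid JSON: {exc}")
    alg = validate_header(hdr, understood)                       # steps 4-5
    if (alg in DIRECT_ALGS) != (raw[1] == b""):                  # step 9
        raise JWEError("JWE Encrypted Key presence does not match alg mode")
    # Step 11: AAD = ASCII(Encoded JWE Header '.' Encoded JWE Encrypted Key).
    return {"header": hdr, "encrypted_key": raw[1], "iv": raw[2],
            "ciphertext": raw[3], "tag": raw[4],
            "aad": f"{parts[0]}.{parts[1]}".encode("ascii")}

def prepare_json(obj: dict, understood=frozenset()) -> list:
    """Section 7: rebuild each recipient's five compact values, then check the
    cross-recipient rules: one shared "enc", no AES GCM with >1 recipient."""
    try:
        results = [prepare_compact(".".join([
            r["header"], r["encrypted_key"], obj["initialization_vector"],
            obj["ciphertext"], r["authentication_tag"]]), understood)
            for r in obj["recipients"]]
    except (KeyError, TypeError) as exc:
        raise JWEError(f"malformed JWE JSON Serialization: {exc}")
    encs = {res["header"]["enc"] for res in results}
    if len(encs) != 1:
        raise JWEError('all recipients MUST use the same "enc"')
    if len(results) > 1 and "GCM" in encs.pop():                 # Section 10
        raise JWEError("AES GCM MUST NOT be used with multiple recipients")
    return results

def make_compact(header: dict, encrypted_key: bytes = b"") -> str:
    """Constructed sample: zero bytes stand in for IV, ciphertext and tag."""
    enc_hdr = b64url(json.dumps(header, separators=(",", ":")).encode())
    return ".".join([enc_hdr, b64url(encrypted_key), b64url(bytes(16)),
                     b64url(bytes(32)), b64url(bytes(16))])

def rejects(fn, *args) -> bool:
    """True when fn(*args) raises JWEError."""
    try:
        fn(*args)
    except JWEError:
        return True
    return False

# The Section 4.1.15 pattern: a critical, non-spec "exp" parameter.
SAMPLE_HEADER = {"alg": "dir", "enc": "A128CBC-HS256",
                 "crit": ["exp"], "exp": 1363284000}
SAMPLE_COMPACT = make_compact(SAMPLE_HEADER)

if __name__ == "__main__":
    print(prepare_compact(SAMPLE_COMPACT, {"exp"})["aad"])  # consumer knows "exp"
```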
Specifically, Section 4.1 specifies a set of "alg" (algorithm) header
parameter values and Section 4.2 specifies a set of "enc" (encryption
method) header parameter values intended for use with this specification. It
also describes the semantics and operations that are specific to these
algorithms.

Public keys employed for encryption can be identified using the Header
Parameter methods described in Section 4.1 or can be distributed using
methods that are outside the scope of this specification.

6.1. CEK Encryption

JWE supports three forms of Content Encryption Key (CEK) encryption:

o Asymmetric encryption under the recipient's public key.

o Symmetric encryption under a key shared between the sender and receiver.

o Symmetric encryption under a key agreed upon between the sender and
  receiver.

See the algorithms registered for "enc" usage in the IANA JSON Web Signature
and Encryption Algorithms registry [JWA] and Section 4.1 of the JSON Web
Algorithms (JWA) [JWA] specification for lists of encryption algorithms that
can be used for CEK encryption.

7. JSON Serialization

The JWE JSON Serialization represents encrypted content as a JSON object
with a "recipients" member containing an array of per-recipient information,
an "initialization_vector" member containing a shared Encoded JWE
Initialization Vector value, and a "ciphertext" member containing a shared
Encoded JWE Ciphertext value. Each member of the "recipients" array is a
JSON object with a "header" member containing an Encoded JWE Header value,
an "encrypted_key" member containing an Encoded JWE Encrypted Key value, and
an "authentication_tag" member containing an Encoded JWE Authentication Tag
value.

Unlike the JWE Compact Serialization, content using the JWE JSON
Serialization MAY be encrypted to more than one recipient. Each recipient
requires:

o a JWE Header value specifying the cryptographic parameters used to encrypt
  the JWE Encrypted Key to that recipient and the parameters used to encrypt
  the plaintext to produce the JWE Ciphertext; this is represented as an
  Encoded JWE Header value in the "header" member of an object in the
  "recipients" array.

o a JWE Encrypted Key value used to encrypt the ciphertext; this is
  represented as an Encoded JWE Encrypted Key value in the "encrypted_key"
  member of the same object in the "recipients" array.

o a JWE Authentication Tag that ensures the integrity of the Ciphertext and
  the parameters used to create it; this is represented as an Encoded JWE
  Authentication Tag value in the "authentication_tag" member of the same
  object in the "recipients" array.

Therefore, the syntax is:

   {"recipients":[
     {"header":"<Encoded JWE Header 1>",
      "encrypted_key":"<Encoded JWE Encrypted Key 1>",
      "authentication_tag":"<Encoded JWE Authentication Tag 1>"},
     ...
     {"header":"<Encoded JWE Header N>",
      "encrypted_key":"<Encoded JWE Encrypted Key N>",
      "authentication_tag":"<Encoded JWE Authentication Tag N>"}],
    "initialization_vector":"<Encoded JWE Initialization Vector>",
    "ciphertext":"<Encoded JWE Ciphertext>"
   }

The contents of the Encoded JWE Header, Encoded JWE Encrypted Key, Encoded
JWE Initialization Vector, Encoded JWE Ciphertext, and Encoded JWE
Authentication Tag values are exactly as specified in the rest of this
specification. They are interpreted and validated in the same manner, with
each corresponding "header", "encrypted_key", and "authentication_tag" value
being created and validated together.

Each JWE Encrypted Key value and the corresponding JWE Authentication Tag
are computed using the parameters of the corresponding JWE Header value in
the same manner as for the JWE Compact Serialization. This has the desirable
result that each Encoded JWE Encrypted Key value in the "recipients" array
and each Encoded JWE Authentication Tag in the same array element are
identical to the values that would have been computed for the same
parameters in the JWE Compact Serialization, as are the shared JWE
Ciphertext and JWE Initialization Vector values.

All recipients use the same JWE Ciphertext and JWE Initialization Vector
values, resulting in potentially significant space savings if the message is
large. Therefore, all header parameters that specify the treatment of the
JWE Ciphertext value MUST be the same for all recipients. This primarily
means that the "enc" (encryption method) header parameter value in the JWE
Header for each recipient MUST be the same.

7.1. Example JWE-JS

This section contains an example using the JWE JSON Serialization. This
example demonstrates the capability for encrypting the same plaintext to
multiple recipients.

Two recipients are present in this example: the first using the
RSAES-PKCS1-V1_5 algorithm to encrypt the Content Encryption Key (CEK) and
the second using RSAES OAEP to encrypt the CEK.
The 1028 Plaintext is encrypted using the AES_128_CBC_HMAC_SHA_256 algorithm 1029 and the same block encryption parameters to produce the common JWE 1030 Ciphertext value. The two Decoded JWE Header Segments used are: 1032 {"alg":"RSA1_5","enc":"A128CBC-HS256"} 1034 and: 1036 {"alg":"RSA-OAEP","enc":"A128CBC-HS256"} 1038 The keys used for the first recipient are the same as those in 1039 Appendix A.2, as is the Plaintext used. The encryption key used for 1040 the second recipient is the same as that used in Appendix A.3; the 1041 block encryption keys and parameters for the second recipient are the 1042 same as those for the first recipient (which must be the case, since 1043 the Initialization Vector and Ciphertext are shared). 1045 The complete JSON Web Encryption JSON Serialization (JWE-JS) for 1046 these values is as follows (with line breaks for display purposes 1047 only): 1049 {"recipients":[ 1050 {"header": 1051 "eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0", 1052 "encrypted_key": 1053 "nJa_uE2D0wlKz-OcwSbKFzj302xYSI-RLBM6hbVGmP4axtJQPA9S0po3s3NMk 1054 mOmkkawnfwPNjpc0mc3z79cuQWkQPFQo-mDxmogz8dxBcheaTUg3ZvpbGCXxZ 1055 jDYENRWiZ5M9BiLy09BIF5mHp85QL6XED1JEZMOh-1uT1lqPDcDD79qWtrCfE 1056 JmNmfsx5fcB2PfAcVtQ0t_YmOXx5_Gu0it1nILKXLR2Ynf9mfLhEcC5LebpWy 1057 EHW6WzQ4iH9SIcIupPV1iKCzmJcPrDBJ5Fc_KMBcXBinaS__wftNywaGgfi_N 1058 Ssx24LxtK6fIkejRlMBmCfxv0Tg8CtxpURigg", 1059 "authentication_tag": 1060 "fY2U_Hx5VcfXmipEldHhMA"}, 1061 {"header": 1062 "eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0", 1063 "encrypted_key": 1064 "6KB707dM9YTIgHtLvtgWQ8mKwboJW3of9locizkDTHzBC2IlrT1oOQ", 1065 "authentication_tag": 1066 "CEH4ZS25HNrocFNPVN0SrA"}], 1067 "initialization_vector": 1068 "AxY8DCtDaGlsbGljb3RoZQ", 1069 "ciphertext": 1070 "KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY" 1071 } 1073 8. Implementation Considerations 1075 The JWE Compact Serialization is mandatory to implement. 1076 Implementation of the JWE JSON Serialization is OPTIONAL. 1078 9. 
IANA Considerations 1080 9.1. Registration of JWE Header Parameter Names 1082 This specification registers the Header Parameter Names defined in 1083 Section 4.1 in the IANA JSON Web Signature and Encryption Header 1084 Parameters registry [JWS]. 1086 9.1.1. Registry Contents 1088 o Header Parameter Name: "alg" 1089 o Header Parameter Usage Location(s): JWE 1090 o Change Controller: IETF 1091 o Specification Document(s): Section 4.1.1 of [[ this document ]] 1092 o Header Parameter Name: "enc" 1093 o Header Parameter Usage Location(s): JWE 1094 o Change Controller: IETF 1095 o Specification Document(s): Section 4.1.2 of [[ this document ]] 1097 o Header Parameter Name: "epk" 1098 o Header Parameter Usage Location(s): JWE 1099 o Change Controller: IETF 1100 o Specification Document(s): Section 4.1.3 of [[ this document ]] 1102 o Header Parameter Name: "zip" 1103 o Header Parameter Usage Location(s): JWE 1104 o Change Controller: IETF 1105 o Specification Document(s): Section 4.1.4 of [[ this document ]] 1107 o Header Parameter Name: "jku" 1108 o Header Parameter Usage Location(s): JWE 1109 o Change Controller: IETF 1110 o Specification Document(s): Section 4.1.5 of [[ this document ]] 1112 o Header Parameter Name: "jwk" 1113 o Header Parameter Usage Location(s): JWE 1114 o Change Controller: IETF 1115 o Specification document(s): Section 4.1.6 of [[ this document ]] 1117 o Header Parameter Name: "x5u" 1118 o Header Parameter Usage Location(s): JWE 1119 o Change Controller: IETF 1120 o Specification Document(s): Section 4.1.7 of [[ this document ]] 1122 o Header Parameter Name: "x5t" 1123 o Header Parameter Usage Location(s): JWE 1124 o Change Controller: IETF 1125 o Specification Document(s): Section 4.1.8 of [[ this document ]] 1127 o Header Parameter Name: "x5c" 1128 o Header Parameter Usage Location(s): JWE 1129 o Change Controller: IETF 1130 o Specification Document(s): Section 4.1.9 of [[ this document ]] 1132 o Header Parameter Name: "kid" 1133 o Header 
Parameter Usage Location(s): JWE 1134 o Change Controller: IETF 1135 o Specification Document(s): Section 4.1.10 of [[ this document ]] 1137 o Header Parameter Name: "typ" 1138 o Header Parameter Usage Location(s): JWE 1139 o Change Controller: IETF 1140 o Specification Document(s): Section 4.1.11 of [[ this document ]] 1142 o Header Parameter Name: "cty" 1143 o Header Parameter Usage Location(s): JWE 1144 o Change Controller: IETF 1145 o Specification Document(s): Section 4.1.12 of [[ this document ]] 1147 o Header Parameter Name: "apu" 1148 o Header Parameter Usage Location(s): JWE 1149 o Change Controller: IETF 1150 o Specification Document(s): Section 4.1.13 of [[ this document ]] 1152 o Header Parameter Name: "apv" 1153 o Header Parameter Usage Location(s): JWE 1154 o Change Controller: IETF 1155 o Specification Document(s): Section 4.1.14 of [[ this document ]] 1157 o Header Parameter Name: "crit" 1158 o Header Parameter Usage Location(s): JWS 1159 o Change Controller: IETF 1160 o Specification Document(s): Section 4.1.15 of [[ this document ]] 1162 9.2. JSON Web Signature and Encryption Type Values Registration 1164 9.2.1. Registry Contents 1166 This specification registers the "JWE" and "JWE-JS" type values in 1167 the IANA JSON Web Signature and Encryption Type Values registry 1168 [JWS]: 1170 o "typ" Header Parameter Value: "JWE" 1171 o Abbreviation for MIME Type: application/jwe 1172 o Change Controller: IETF 1173 o Specification Document(s): Section 4.1.11 of [[ this document ]] 1175 o "typ" Header Parameter Value: "JWE-JS" 1176 o Abbreviation for MIME Type: application/jwe-js 1177 o Change Controller: IETF 1178 o Specification Document(s): Section 4.1.11 of [[ this document ]] 1180 9.3. Media Type Registration 1182 9.3.1. 
Registry Contents 1184 This specification registers the "application/jwe" and 1185 "application/jwe-js" Media Types [RFC2046] in the MIME Media Type 1186 registry [RFC4288] to indicate, respectively, that the content is a 1187 JWE using the JWE Compact Serialization or a JWE using the JWE JSON 1188 Serialization. 1190 o Type Name: application 1191 o Subtype Name: jwe 1192 o Required Parameters: n/a 1193 o Optional Parameters: n/a 1194 o Encoding considerations: JWE values are encoded as a series of 1195 base64url encoded values (some of which may be the empty string) 1196 separated by period ('.') characters 1197 o Security Considerations: See the Security Considerations section 1198 of [[ this document ]] 1199 o Interoperability Considerations: n/a 1200 o Published Specification: [[ this document ]] 1201 o Applications that use this media type: OpenID Connect and other 1202 applications using encrypted JWTs 1203 o Additional Information: Magic number(s): n/a, File extension(s): 1204 n/a, Macintosh file type code(s): n/a 1205 o Person & email address to contact for further information: Michael 1206 B. Jones, mbj@microsoft.com 1207 o Intended Usage: COMMON 1208 o Restrictions on Usage: none 1209 o Author: Michael B. Jones, mbj@microsoft.com 1210 o Change Controller: IETF 1212 o Type Name: application 1213 o Subtype Name: jwe-js 1214 o Required Parameters: n/a 1215 o Optional Parameters: n/a 1216 o Encoding considerations: JWE-JS values are represented as a JSON 1217 Object; UTF-8 encoding SHOULD be employed for the JSON object. 1218 o Security Considerations: See the Security Considerations section 1219 of [[ this document ]] 1220 o Interoperability Considerations: n/a 1221 o Published Specification: [[ this document ]] 1222 o Applications that use this media type: TBD 1223 o Additional Information: Magic number(s): n/a, File extension(s): 1224 n/a, Macintosh file type code(s): n/a 1225 o Person & email address to contact for further information: Michael 1226 B. 
Jones, mbj@microsoft.com 1227 o Intended Usage: COMMON 1228 o Restrictions on Usage: none 1229 o Author: Michael B. Jones, mbj@microsoft.com 1230 o Change Controller: IETF 1232 10. Security Considerations 1234 All of the security issues faced by any cryptographic application 1235 must be faced by a JWS/JWE/JWK agent. Among these issues are 1236 protecting the user's private and symmetric keys, preventing various 1237 attacks, and helping the user avoid mistakes such as inadvertently 1238 encrypting a message for the wrong recipient. The entire list of 1239 security considerations is beyond the scope of this document. 1241 All the security considerations in the JWS specification also apply 1242 to this specification. Likewise, all the security considerations in 1243 XML Encryption 1.1 [W3C.CR-xmlenc-core1-20120313] also apply, other 1244 than those that are XML specific. 1246 When decrypting, particular care must be taken not to allow the JWE 1247 recipient to be used as an oracle for decrypting messages. RFC 3218 1248 [RFC3218] should be consulted for specific countermeasures to attacks 1249 on RSAES-PKCS1-V1_5. An attacker might modify the contents of the 1250 "alg" parameter from "RSA-OAEP" to "RSA1_5" in order to generate a 1251 formatting error that can be detected and used to recover the CEK 1252 even if RSAES OAEP was used to encrypt the CEK. It is therefore 1253 particularly important to report all formatting errors to the CEK, 1254 Additional Authenticated Data, or ciphertext as a single error when 1255 the JWE is rejected. 1257 AES GCM MUST NOT be used when using the JWE JSON Serialization for 1258 multiple recipients, since this would result in the same 1259 Initialization Vector and Plaintext values being used for multiple 1260 GCM encryptions. This is prohibited by the GCM specification because 1261 of severe security vulnerabilities that would result, were GCM used 1262 in this way. 1264 11. References 1266 11.1. 
Normative References 1268 [ITU.X690.1994] 1269 International Telecommunications Union, "Information 1270 Technology - ASN.1 encoding rules: Specification of Basic 1271 Encoding Rules (BER), Canonical Encoding Rules (CER) and 1272 Distinguished Encoding Rules (DER)", ITU-T Recommendation 1273 X.690, 1994. 1275 [JWA] Jones, M., "JSON Web Algorithms (JWA)", 1276 draft-ietf-jose-json-web-algorithms (work in progress), 1277 April 2013. 1279 [JWK] Jones, M., "JSON Web Key (JWK)", 1280 draft-ietf-jose-json-web-key (work in progress), 1281 April 2013. 1283 [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web 1284 Signature (JWS)", draft-ietf-jose-json-web-signature (work 1285 in progress), April 2013. 1287 [RFC1421] Linn, J., "Privacy Enhancement for Internet Electronic 1288 Mail: Part I: Message Encryption and Authentication 1289 Procedures", RFC 1421, February 1993. 1291 [RFC1951] Deutsch, P., "DEFLATE Compressed Data Format Specification 1292 version 1.3", RFC 1951, May 1996. 1294 [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail 1295 Extensions (MIME) Part Two: Media Types", RFC 2046, 1296 November 1996. 1298 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1299 Requirement Levels", BCP 14, RFC 2119, March 1997. 1301 [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000. 1303 [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 1304 10646", STD 63, RFC 3629, November 2003. 1306 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 1307 Resource Identifier (URI): Generic Syntax", STD 66, 1308 RFC 3986, January 2005. 1310 [RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness 1311 Requirements for Security", BCP 106, RFC 4086, June 2005. 1313 [RFC4288] Freed, N. and J. Klensin, "Media Type Specifications and 1314 Registration Procedures", RFC 4288, December 2005. 1316 [RFC4627] Crockford, D., "The application/json Media Type for 1317 JavaScript Object Notation (JSON)", RFC 4627, July 2006. 
1319 [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data 1320 Encodings", RFC 4648, October 2006. 1322 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 1323 (TLS) Protocol Version 1.2", RFC 5246, August 2008. 1325 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 1326 Housley, R., and W. Polk, "Internet X.509 Public Key 1327 Infrastructure Certificate and Certificate Revocation List 1328 (CRL) Profile", RFC 5280, May 2008. 1330 [W3C.CR-xmlenc-core1-20120313] 1331 Eastlake, D., Reagle, J., Roessler, T., and F. Hirsch, 1332 "XML Encryption Syntax and Processing Version 1.1", World 1333 Wide Web Consortium CR CR-xmlenc-core1-20120313, 1334 March 2012, 1335 . 1337 11.2. Informative References 1339 [I-D.mcgrew-aead-aes-cbc-hmac-sha2] 1340 McGrew, D. and K. Paterson, "Authenticated Encryption with 1341 AES-CBC and HMAC-SHA", 1342 draft-mcgrew-aead-aes-cbc-hmac-sha2-01 (work in progress), 1343 October 2012. 1345 [I-D.rescorla-jsms] 1346 Rescorla, E. and J. Hildebrand, "JavaScript Message 1347 Security Format", draft-rescorla-jsms-00 (work in 1348 progress), March 2011. 1350 [JSE] Bradley, J. and N. Sakimura (editor), "JSON Simple 1351 Encryption", September 2010. 1353 [JWT] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token 1354 (JWT)", draft-ietf-oauth-json-web-token (work in 1355 progress), April 2013. 1357 [RFC3218] Rescorla, E., "Preventing the Million Message Attack on 1358 Cryptographic Message Syntax", RFC 3218, January 2002. 1360 [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally 1361 Unique IDentifier (UUID) URN Namespace", RFC 4122, 1362 July 2005. 1364 [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, 1365 RFC 5652, September 2009. 1367 Appendix A. JWE Examples 1369 This section provides examples of JWE computations. 1371 A.1. Example JWE using RSAES OAEP and AES GCM 1373 This example encrypts the plaintext "The true sign of intelligence is 1374 not knowledge but imagination." 
   to the recipient using RSAES OAEP and
   AES GCM. The representation of this plaintext is:

   [84, 104, 101, 32, 116, 114, 117, 101, 32, 115, 105, 103, 110, 32,
   111, 102, 32, 105, 110, 116, 101, 108, 108, 105, 103, 101, 110, 99,
   101, 32, 105, 115, 32, 110, 111, 116, 32, 107, 110, 111, 119, 108,
   101, 100, 103, 101, 32, 98, 117, 116, 32, 105, 109, 97, 103, 105,
   110, 97, 116, 105, 111, 110, 46]

A.1.1. JWE Header

   The following example JWE Header declares that:

   o  the Content Encryption Key is encrypted to the recipient using the
      RSAES OAEP algorithm to produce the JWE Encrypted Key and

   o  the Plaintext is encrypted using the AES GCM algorithm with a 256
      bit key to produce the Ciphertext.

   {"alg":"RSA-OAEP","enc":"A256GCM"}

A.1.2. Encoded JWE Header

   Base64url encoding the octets of the UTF-8 representation of the JWE
   Header yields this Encoded JWE Header value:

   eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ

A.1.3. Content Encryption Key (CEK)

   Generate a 256 bit random Content Encryption Key (CEK). In this
   example, the value is:

   [177, 161, 244, 128, 84, 143, 225, 115, 63, 180, 3, 255, 107, 154,
   212, 246, 138, 7, 110, 91, 112, 46, 34, 105, 47, 130, 203, 46, 122,
   234, 64, 252]

A.1.4. Key Encryption

   Encrypt the CEK with the recipient's public key using the RSAES OAEP
   algorithm to produce the JWE Encrypted Key.
   In this example, the RSA key parameters are:

   +-----------+-------------------------------------------------------+
   | Parameter | Value                                                 |
   | Name      |                                                       |
   +-----------+-------------------------------------------------------+
   | Modulus   | [161, 168, 84, 34, 133, 176, 208, 173, 46, 176, 163,  |
   |           | 110, 57, 30, 135, 227, 9, 31, 226, 128, 84, 92, 116,  |
   |           | 241, 70, 248, 27, 227, 193, 62, 5, 91, 241, 145, 224, |
   |           | 205, 141, 176, 184, 133, 239, 43, 81, 103, 9, 161,    |
   |           | 153, 157, 179, 104, 123, 51, 189, 34, 152, 69, 97,    |
   |           | 69, 78, 93, 140, 131, 87, 182, 169, 101, 92, 142, 3,  |
   |           | 22, 167, 8, 212, 56, 35, 79, 210, 222, 192, 208, 252, |
   |           | 49, 109, 138, 173, 253, 210, 166, 201, 63, 102, 74,   |
   |           | 5, 158, 41, 90, 144, 108, 160, 79, 10, 89, 222, 231,  |
   |           | 172, 31, 227, 197, 0, 19, 72, 81, 138, 78, 136, 221,  |
   |           | 121, 118, 196, 17, 146, 10, 244, 188, 72, 113, 55,    |
   |           | 221, 162, 217, 171, 27, 57, 233, 210, 101, 236, 154,  |
   |           | 199, 56, 138, 239, 101, 48, 198, 186, 202, 160, 76,   |
   |           | 111, 234, 71, 57, 183, 5, 211, 171, 136, 126, 64, 40, |
   |           | 75, 58, 89, 244, 254, 107, 84, 103, 7, 236, 69, 163,  |
   |           | 18, 180, 251, 58, 153, 46, 151, 174, 12, 103, 197,    |
   |           | 181, 161, 162, 55, 250, 235, 123, 110, 17, 11, 158,   |
   |           | 24, 47, 133, 8, 199, 235, 107, 126, 130, 246, 73,     |
   |           | 195, 20, 108, 202, 176, 214, 187, 45, 146, 182, 118,  |
   |           | 54, 32, 200, 61, 201, 71, 243, 1, 255, 131, 84, 37,   |
   |           | 111, 211, 168, 228, 45, 192, 118, 27, 197, 235, 232,  |
   |           | 36, 10, 230, 248, 190, 82, 182, 140, 35, 204, 108,    |
   |           | 190, 253, 186, 186, 27]                               |
   | Exponent  | [1, 0, 1]                                             |
   | Private   | [144, 183, 109, 34, 62, 134, 108, 57, 44, 252, 10,    |
   | Exponent  | 66, 73, 54, 16, 181, 233, 92, 54, 219, 101, 42, 35,   |
   |           | 178, 63, 51, 43, 92, 119, 136, 251, 41, 53, 23, 191,  |
   |           | 164, 164, 60, 88, 227, 229, 152, 228, 213, 149, 228,  |
   |           | 169, 237, 104, 71, 151, 75, 88, 252, 216, 77, 251,    |
   |           | 231, 28, 97, 88, 193, 215, 202, 248, 216, 121, 195,   |
   |           | 211, 245, 250, 112, 71, 243, 61, 129, 95, 39, 244,    |
   |           | 122, 225, 217, 169, 211, 165, 48, 253, 220, 59, 122,  |
   |           | 219, 42, 86, 223, 32, 236, 39, 48, 103, 78, 122, 216, |
   |           | 187, 88, 176, 89, 24, 1, 42, 177, 24, 99, 142, 170,   |
   |           | 1, 146, 43, 3, 108, 64, 194, 121, 182, 95, 187, 134,  |
   |           | 71, 88, 96, 134, 74, 131, 167, 69, 106, 143, 121, 27, |
   |           | 72, 44, 245, 95, 39, 194, 179, 175, 203, 122, 16,     |
   |           | 112, 183, 17, 200, 202, 31, 17, 138, 156, 184, 210,   |
   |           | 157, 184, 154, 131, 128, 110, 12, 85, 195, 122, 241,  |
   |           | 79, 251, 229, 183, 117, 21, 123, 133, 142, 220, 153,  |
   |           | 9, 59, 57, 105, 81, 255, 138, 77, 82, 54, 62, 216,    |
   |           | 38, 249, 208, 17, 197, 49, 45, 19, 232, 157, 251,     |
   |           | 131, 137, 175, 72, 126, 43, 229, 69, 179, 117, 82,    |
   |           | 157, 213, 83, 35, 57, 210, 197, 252, 171, 143, 194,   |
   |           | 11, 47, 163, 6, 253, 75, 252, 96, 11, 187, 84, 130,   |
   |           | 210, 7, 121, 78, 91, 79, 57, 251, 138, 132, 220, 60,  |
   |           | 224, 173, 56, 224, 201]                               |
   +-----------+-------------------------------------------------------+

   The resulting JWE Encrypted Key value is:

   [2, 151, 206, 44, 38, 131, 110, 171, 63, 37, 115, 216, 203, 98, 61,
   223, 187, 255, 198, 106, 243, 143, 226, 44, 179, 89, 134, 232, 208,
   7, 153, 226, 85, 136, 206, 163, 218, 93, 12, 30, 247, 236, 120, 135,
   71, 87, 37, 54, 4, 138, 6, 86, 239, 104, 134, 249, 36, 90, 36, 106,
   228, 50, 246, 141, 134, 83, 60, 15, 83, 1, 220, 42, 220, 85, 8, 87,
   42, 7, 248, 247, 157, 127, 167, 165, 28, 133, 69, 139, 98, 134, 12,
   75, 41, 96, 203, 80, 1, 19, 12, 72, 23, 18, 238, 155, 37, 199, 167,
   229, 135, 80, 159, 135, 113, 129, 43, 43, 51, 181, 83, 4, 133, 159,
   230, 104, 89, 38, 224, 246, 21, 10, 194, 108, 190, 174, 130, 183,
   119, 224, 216, 34, 79, 58, 205, 23, 212, 49, 238, 197, 146, 168,
   32, 98, 42, 113, 183, 138, 225, 113, 14, 229, 173, 33, 229, 48, 46,
   36, 230, 202, 117, 243, 180, 116, 172, 31, 53, 36, 155, 166, 238,
   108, 22, 186, 81, 23, 5, 118, 21, 52, 216, 162, 161, 120, 204, 142,
   58, 55, 223, 191, 132, 194, 51, 158, 81, 41, 126, 212, 87, 133, 39,
   4, 38, 230, 125, 28, 111, 2, 240, 33, 193, 213, 100, 89, 252, 158,
   60, 62, 87, 170, 118, 17, 120, 163, 183, 193, 228, 157, 112, 22, 165,
   23, 6, 214, 237, 184, 98, 127, 3, 101, 222, 232, 1, 33, 174, 92, 194,
   59]

A.1.5. Encoded JWE Encrypted Key

   Base64url encode the JWE Encrypted Key to produce the Encoded JWE
   Encrypted Key. This result (with line breaks for display purposes
   only) is:

   ApfOLCaDbqs_JXPYy2I937v_xmrzj-Iss1mG6NAHmeJViM6j2l0MHvfseIdHVyU2
   BIoGVu9ohvkkWiRq5DL2jYZTPA9TAdwq3FUIVyoH-Pedf6elHIVFi2KGDEspYMtQ
   ARMMSBcS7pslx6flh1Cfh3GBKysztVMEhZ_maFkm4PYVCsJsvq6Ct3fg2CJPOs0X
   1DHuxZKoIGIqcbeK4XEO5a0h5TAuJObKdfO0dKwfNSSbpu5sFrpRFwV2FTTYoqF4
   zI46N9-_hMIznlEpftRXhScEJuZ9HG8C8CHB1WRZ_J48PleqdhF4o7fB5J1wFqUX
   BtbtuGJ_A2Xe6AEhrlzCOw

A.1.6. Initialization Vector

   Generate a random 96 bit JWE Initialization Vector. In this example,
   the value is:

   [227, 197, 117, 252, 2, 219, 233, 68, 180, 225, 77, 219]

   Base64url encoding this value yields the Encoded JWE Initialization
   Vector value:

   48V1_ALb6US04U3b

A.1.7. Additional Authenticated Data Parameter

   Concatenate the Encoded JWE Header value, a period ('.') character,
   and the Encoded JWE Encrypted Key to create the Additional
   Authenticated Data parameter. This result (with line breaks for
   display purposes only) is:

   eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ.
   ApfOLCaDbqs_JXPYy2I937v_xmrzj-Iss1mG6NAHmeJViM6j2l0MHvfseIdHVyU2
   BIoGVu9ohvkkWiRq5DL2jYZTPA9TAdwq3FUIVyoH-Pedf6elHIVFi2KGDEspYMtQ
   ARMMSBcS7pslx6flh1Cfh3GBKysztVMEhZ_maFkm4PYVCsJsvq6Ct3fg2CJPOs0X
   1DHuxZKoIGIqcbeK4XEO5a0h5TAuJObKdfO0dKwfNSSbpu5sFrpRFwV2FTTYoqF4
   zI46N9-_hMIznlEpftRXhScEJuZ9HG8C8CHB1WRZ_J48PleqdhF4o7fB5J1wFqUX
   BtbtuGJ_A2Xe6AEhrlzCOw

   The representation of this value is:

   [101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 83, 85, 48, 69,
   116, 84, 48, 70, 70, 85, 67, 73, 115, 73, 109, 86, 117, 89, 121, 73,
   54, 73, 107, 69, 121, 78, 84, 90, 72, 81, 48, 48, 105, 102, 81, 46,
   65, 112, 102, 79, 76, 67, 97, 68, 98, 113, 115, 95, 74, 88, 80, 89,
   121, 50, 73, 57, 51, 55, 118, 95, 120, 109, 114, 122, 106, 45, 73,
   115, 115, 49, 109, 71, 54, 78, 65, 72, 109, 101, 74, 86, 105, 77, 54,
   106, 50, 108, 48, 77, 72, 118, 102, 115, 101, 73, 100, 72, 86, 121,
   85, 50, 66, 73, 111, 71, 86, 117, 57, 111, 104, 118, 107, 107, 87,
   105, 82, 113, 53, 68, 76, 50, 106, 89, 90, 84, 80, 65, 57, 84, 65,
   100, 119, 113, 51, 70, 85, 73, 86, 121, 111, 72, 45, 80, 101, 100,
   102, 54, 101, 108, 72, 73, 86, 70, 105, 50, 75, 71, 68, 69, 115, 112,
   89, 77, 116, 81, 65, 82, 77, 77, 83, 66, 99, 83, 55, 112, 115, 108,
   120, 54, 102, 108, 104, 49, 67, 102, 104, 51, 71, 66, 75, 121, 115,
   122, 116, 86, 77, 69, 104, 90, 95, 109, 97, 70, 107, 109, 52, 80, 89,
   86, 67, 115, 74, 115, 118, 113, 54, 67, 116, 51, 102, 103, 50, 67,
   74, 80, 79, 115, 48, 88, 49, 68, 72, 117, 120, 90, 75, 111, 73, 71,
   73, 113, 99, 98, 101, 75, 52, 88, 69, 79, 53, 97, 48, 104, 53, 84,
   65, 117, 74, 79, 98, 75, 100, 102, 79, 48, 100, 75, 119, 102, 78, 83,
   83, 98, 112, 117, 53, 115, 70, 114, 112, 82, 70, 119, 86, 50, 70, 84,
   84, 89, 111, 113, 70, 52, 122, 73, 52, 54, 78, 57, 45, 95, 104, 77,
   73, 122, 110, 108, 69, 112, 102, 116, 82, 88, 104, 83, 99, 69, 74,
   117, 90, 57, 72, 71, 56, 67, 56, 67,
   72, 66, 49, 87, 82, 90, 95, 74, 52, 56, 80, 108, 101, 113, 100, 104,
   70, 52, 111, 55, 102, 66, 53, 74, 49, 119, 70, 113, 85, 88, 66, 116,
   98, 116, 117, 71, 74, 95, 65, 50, 88, 101, 54, 65, 69, 104, 114, 108,
   122, 67, 79, 119]

A.1.8. Plaintext Encryption

   Encrypt the Plaintext with AES GCM using the CEK as the encryption
   key, the JWE Initialization Vector, and the Additional Authenticated
   Data value above, requesting a 128 bit Authentication Tag output.
   The resulting Ciphertext is:

   [229, 236, 166, 241, 53, 191, 115, 196, 174, 43, 73, 109, 39, 122,
   233, 96, 140, 206, 120, 52, 51, 237, 48, 11, 190, 219, 186, 80, 111,
   104, 50, 142, 47, 167, 59, 61, 181, 127, 196, 21, 40, 82, 242, 32,
   123, 143, 168, 226, 73, 216, 176, 144, 138, 247, 106, 60, 16, 205,
   160, 109, 64, 63, 192]

   The resulting Authentication Tag value is:

   [130, 17, 32, 198, 120, 167, 144, 113, 0, 50, 158, 49, 102, 208, 118,
   152]

A.1.9. Encoded JWE Ciphertext

   Base64url encode the Ciphertext to create the Encoded JWE Ciphertext.
   This result (with line breaks for display purposes only) is:

   5eym8TW_c8SuK0ltJ3rpYIzOeDQz7TALvtu6UG9oMo4vpzs9tX_EFShS8iB7j6ji
   SdiwkIr3ajwQzaBtQD_A

A.1.10. Encoded JWE Authentication Tag

   Base64url encode the Authentication Tag to create the Encoded JWE
   Authentication Tag. This result is:

   ghEgxninkHEAMp4xZtB2mA

A.1.11. Complete Representation

   Assemble the final representation: The Compact Serialization of this
   result is the concatenation of the Encoded JWE Header, the Encoded
   JWE Encrypted Key, the Encoded JWE Initialization Vector, the Encoded
   JWE Ciphertext, and the Encoded JWE Authentication Tag in that order,
   with the five strings being separated by four period ('.')
   characters.

   The final result in this example (with line breaks for display
   purposes only) is:

   eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ.
   ApfOLCaDbqs_JXPYy2I937v_xmrzj-Iss1mG6NAHmeJViM6j2l0MHvfseIdHVyU2
   BIoGVu9ohvkkWiRq5DL2jYZTPA9TAdwq3FUIVyoH-Pedf6elHIVFi2KGDEspYMtQ
   ARMMSBcS7pslx6flh1Cfh3GBKysztVMEhZ_maFkm4PYVCsJsvq6Ct3fg2CJPOs0X
   1DHuxZKoIGIqcbeK4XEO5a0h5TAuJObKdfO0dKwfNSSbpu5sFrpRFwV2FTTYoqF4
   zI46N9-_hMIznlEpftRXhScEJuZ9HG8C8CHB1WRZ_J48PleqdhF4o7fB5J1wFqUX
   BtbtuGJ_A2Xe6AEhrlzCOw.
   48V1_ALb6US04U3b.
   5eym8TW_c8SuK0ltJ3rpYIzOeDQz7TALvtu6UG9oMo4vpzs9tX_EFShS8iB7j6ji
   SdiwkIr3ajwQzaBtQD_A.
   ghEgxninkHEAMp4xZtB2mA

A.1.12. Validation

   This example illustrates the process of creating a JWE with RSA OAEP
   and AES GCM. These results can be used to validate JWE decryption
   implementations for these algorithms. Note that since the RSAES OAEP
   computation includes random values, the encryption results above will
   not be completely reproducible. However, since the AES GCM
   computation is deterministic, the JWE Encrypted Ciphertext values
   will be the same for all encryptions performed using these inputs.

A.2. Example JWE using RSAES-PKCS1-V1_5 and AES_128_CBC_HMAC_SHA_256

   This example encrypts the plaintext "Live long and prosper." to the
   recipient using RSAES-PKCS1-V1_5 and AES_128_CBC_HMAC_SHA_256. The
   representation of this plaintext is:

   [76, 105, 118, 101, 32, 108, 111, 110, 103, 32, 97, 110, 100, 32,
   112, 114, 111, 115, 112, 101, 114, 46]

A.2.1. JWE Header

   The following example JWE Header (with line breaks for display
   purposes only) declares that:

   o  the Content Encryption Key is encrypted to the recipient using the
      RSAES-PKCS1-V1_5 algorithm to produce the JWE Encrypted Key and

   o  the Plaintext is encrypted using the AES_128_CBC_HMAC_SHA_256
      algorithm to produce the Ciphertext.

   {"alg":"RSA1_5","enc":"A128CBC-HS256"}

A.2.2. Encoded JWE Header

   Base64url encoding the octets of the UTF-8 representation of the JWE
   Header yields this Encoded JWE Header value:

   eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0

A.2.3. Content Encryption Key (CEK)

   Generate a 256 bit random Content Encryption Key (CEK). In this
   example, the key value is:

   [4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, 63, 170, 106,
   206, 107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, 240, 143, 156,
   44, 207]

A.2.4. Key Encryption

   Encrypt the CEK with the recipient's public key using the
   RSAES-PKCS1-V1_5 algorithm to produce the JWE Encrypted Key. In this
   example, the RSA key parameters are:

   +-----------+-------------------------------------------------------+
   | Parameter | Value                                                 |
   | Name      |                                                       |
   +-----------+-------------------------------------------------------+
   | Modulus   | [177, 119, 33, 13, 164, 30, 108, 121, 207, 136, 107,  |
   |           | 242, 12, 224, 19, 226, 198, 134, 17, 71, 173, 75, 42, |
   |           | 61, 48, 162, 206, 161, 97, 108, 185, 234, 226, 219,   |
   |           | 118, 206, 118, 5, 169, 224, 60, 181, 90, 85, 51, 123, |
   |           | 6, 224, 4, 122, 29, 230, 151, 12, 244, 127, 121, 25,  |
   |           | 4, 85, 220, 144, 215, 110, 130, 17, 68, 228, 129,     |
   |           | 138, 7, 130, 231, 40, 212, 214, 17, 179, 28, 124,     |
   |           | 151, 178, 207, 20, 14, 154, 222, 113, 176, 24, 198,   |
   |           | 73, 211, 113, 9, 33, 178, 80, 13, 25, 21, 25, 153,    |
   |           | 212, 206, 67, 154, 147, 70, 194, 192, 183, 160, 83,   |
   |           | 98, 236, 175, 85, 23, 97, 75, 199, 177, 73, 145, 50,  |
   |           | 253, 206, 32, 179, 254, 236, 190, 82, 73, 67, 129,    |
   |           | 253, 252, 220, 108, 136, 138, 11, 192, 1, 36, 239,    |
   |           | 228, 55, 81, 113, 17, 25, 140, 63, 239, 146, 3, 172,  |
   |           | 96, 60, 227, 233, 64, 255, 224, 173, 225, 228, 229,   |
   |           | 92, 112, 72, 99, 97, 26, 87, 187, 123, 46, 50, 90,    |
   |           | 202, 117, 73, 10, 153, 47, 224, 178, 163, 77, 48, 46, |
   |           | 154, 33, 148, 34, 228, 33, 172, 216, 89, 46, 225,     |
   |           | 127, 68, 146, 234, 30, 147, 54, 146, 5, 133, 45, 78,  |
   |           | 254, 85, 55, 75, 213, 86, 194, 218, 215, 163, 189,    |
   |           | 194, 54, 6, 83, 36, 18, 153, 53, 7, 48, 89, 35, 66,   |
   |           | 144, 7, 65, 154, 13, 97, 75, 55, 230, 132, 3, 13,     |
   |           | 239, 71]                                              |
   | Exponent  | [1, 0, 1]                                             |
   | Private   | [84, 80, 150, 58, 165, 235, 242, 123, 217, 55, 38,    |
   | Exponent  | 154, 36, 181, 221, 156, 211, 215, 100, 164, 90, 88,   |
   |           | 40, 228, 83, 148, 54, 122, 4, 16, 165, 48, 76, 194,   |
   |           | 26, 107, 51, 53, 179, 165, 31, 18, 198, 173, 78, 61,  |
   |           | 56, 97, 252, 158, 140, 80, 63, 25, 223, 156, 36, 203, |
   |           | 214, 252, 120, 67, 180, 167, 3, 82, 243, 25, 97, 214, |
   |           | 83, 133, 69, 16, 104, 54, 160, 200, 41, 83, 164, 187, |
   |           | 70, 153, 111, 234, 242, 158, 175, 28, 198, 48, 211,   |
   |           | 45, 148, 58, 23, 62, 227, 74, 52, 117, 42, 90, 41,    |
   |           | 249, 130, 154, 80, 119, 61, 26, 193, 40, 125, 10,     |
   |           | 152, 174, 227, 225, 205, 32, 62, 66, 6, 163, 100, 99, |
   |           | 219, 19, 253, 25, 105, 80, 201, 29, 252, 157, 237,    |
   |           | 69, 1, 80, 171, 167, 20, 196, 156, 109, 249, 88, 0,   |
   |           | 3, 152, 38, 165, 72, 87, 6, 152, 71, 156, 214, 16,    |
   |           | 71, 30, 82, 51, 103, 76, 218, 63, 9, 84, 163, 249,    |
   |           | 91, 215, 44, 238, 85, 101, 240, 148, 1, 82, 224, 91,  |
   |           | 135, 105, 127, 84, 171, 181, 152, 210, 183, 126, 24,  |
   |           | 46, 196, 90, 173, 38, 245, 219, 186, 222, 27, 240,    |
   |           | 212, 194, 15, 66, 135, 226, 178, 190, 52, 245, 74,    |
   |           | 65, 224, 81, 100, 85, 25, 204, 165, 203, 187, 175,    |
   |           | 84, 100, 82, 15, 11, 23, 202, 151, 107, 54, 41, 207,  |
   |           | 3, 136, 229, 134, 131, 93, 139, 50, 182, 204, 93,     |
   |           | 130, 89]                                              |
   +-----------+-------------------------------------------------------+

   The resulting JWE Encrypted Key value is:

   [156, 150, 191, 184, 77, 131, 211, 9, 74, 207, 227, 156, 193, 38,
   202, 23, 56, 247, 211,
   108, 88, 72, 143, 145, 44, 19, 58, 133, 181, 70, 152, 254, 26, 198,
   210, 80, 60, 15, 82, 210, 154, 55, 179, 115, 76, 146, 99, 166, 146,
   70, 176, 157, 252, 15, 54, 58, 92, 210, 103, 55, 207, 191, 92, 185,
   5, 164, 64, 241, 80, 163, 233, 131, 198, 106, 32, 207, 199, 113, 5,
   200, 94, 105, 53, 32, 221, 155, 233, 108, 96, 151, 197, 152, 195, 96,
   67, 81, 90, 38, 121, 51, 208, 98, 47, 45, 61, 4, 129, 121, 152, 122,
   124, 229, 2, 250, 92, 64, 245, 36, 70, 76, 58, 31, 181, 185, 61, 101,
   168, 240, 220, 12, 62, 253, 169, 107, 107, 9, 241, 9, 152, 217, 159,
   179, 30, 95, 112, 29, 143, 124, 7, 21, 181, 13, 45, 253, 137, 142,
   95, 30, 127, 26, 237, 34, 183, 89, 200, 44, 165, 203, 71, 102, 39,
   127, 217, 159, 46, 17, 28, 11, 146, 222, 110, 149, 178, 16, 117, 186,
   91, 52, 56, 136, 127, 82, 33, 194, 46, 164, 245, 117, 136, 160, 179,
   152, 151, 15, 172, 48, 73, 228, 87, 63, 40, 192, 92, 92, 24, 167,
   105, 47, 255, 193, 251, 77, 203, 6, 134, 129, 248, 191, 53, 43, 49,
   219, 130, 241, 180, 174, 159, 34, 71, 163, 70, 83, 1, 152, 39, 241,
   191, 68, 224, 240, 43, 113, 165, 68, 98, 130]

A.2.5. Encoded JWE Encrypted Key

   Base64url encode the JWE Encrypted Key to produce the Encoded JWE
   Encrypted Key. This result (with line breaks for display purposes
   only) is:

   nJa_uE2D0wlKz-OcwSbKFzj302xYSI-RLBM6hbVGmP4axtJQPA9S0po3s3NMkmOm
   kkawnfwPNjpc0mc3z79cuQWkQPFQo-mDxmogz8dxBcheaTUg3ZvpbGCXxZjDYENR
   WiZ5M9BiLy09BIF5mHp85QL6XED1JEZMOh-1uT1lqPDcDD79qWtrCfEJmNmfsx5f
   cB2PfAcVtQ0t_YmOXx5_Gu0it1nILKXLR2Ynf9mfLhEcC5LebpWyEHW6WzQ4iH9S
   IcIupPV1iKCzmJcPrDBJ5Fc_KMBcXBinaS__wftNywaGgfi_NSsx24LxtK6fIkej
   RlMBmCfxv0Tg8CtxpURigg

A.2.6. Initialization Vector

   Generate a random 128 bit JWE Initialization Vector.
   In this example, the value is:

   [3, 22, 60, 12, 43, 67, 104, 105, 108, 108, 105, 99, 111, 116, 104,
   101]

   Base64url encoding this value yields the Encoded JWE Initialization
   Vector value:

   AxY8DCtDaGlsbGljb3RoZQ

A.2.7. Additional Authenticated Data Parameter

   Concatenate the Encoded JWE Header value, a period ('.') character,
   and the Encoded JWE Encrypted Key to create the Additional
   Authenticated Data parameter. This result (with line breaks for
   display purposes only) is:

   eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0.
   nJa_uE2D0wlKz-OcwSbKFzj302xYSI-RLBM6hbVGmP4axtJQPA9S0po3s3NMkmOm
   kkawnfwPNjpc0mc3z79cuQWkQPFQo-mDxmogz8dxBcheaTUg3ZvpbGCXxZjDYENR
   WiZ5M9BiLy09BIF5mHp85QL6XED1JEZMOh-1uT1lqPDcDD79qWtrCfEJmNmfsx5f
   cB2PfAcVtQ0t_YmOXx5_Gu0it1nILKXLR2Ynf9mfLhEcC5LebpWyEHW6WzQ4iH9S
   IcIupPV1iKCzmJcPrDBJ5Fc_KMBcXBinaS__wftNywaGgfi_NSsx24LxtK6fIkej
   RlMBmCfxv0Tg8CtxpURigg

   The representation of this value is:

   [101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 83, 85, 48, 69,
   120, 88, 122, 85, 105, 76, 67, 74, 108, 98, 109, 77, 105, 79, 105,
   74, 66, 77, 84, 73, 52, 81, 48, 74, 68, 76, 85, 104, 84, 77, 106, 85,
   50, 73, 110, 48, 46, 110, 74, 97, 95, 117, 69, 50, 68, 48, 119, 108,
   75, 122, 45, 79, 99, 119, 83, 98, 75, 70, 122, 106, 51, 48, 50, 120,
   89, 83, 73, 45, 82, 76, 66, 77, 54, 104, 98, 86, 71, 109, 80, 52, 97,
   120, 116, 74, 81, 80, 65, 57, 83, 48, 112, 111, 51, 115, 51, 78, 77,
   107, 109, 79, 109, 107, 107, 97, 119, 110, 102, 119, 80, 78, 106,
   112, 99, 48, 109, 99, 51, 122, 55, 57, 99, 117, 81, 87, 107, 81, 80,
   70, 81, 111, 45, 109, 68, 120, 109, 111, 103, 122, 56, 100, 120, 66,
   99, 104, 101, 97, 84, 85, 103, 51, 90, 118, 112, 98, 71, 67, 88, 120,
   90, 106, 68, 89, 69, 78, 82, 87, 105, 90, 53, 77, 57, 66, 105, 76,
   121, 48, 57, 66, 73, 70, 53, 109, 72, 112, 56, 53, 81, 76, 54, 88,
   69, 68, 49, 74, 69, 90, 77, 79,
104, 45, 49, 117, 84, 49, 108, 113, 1799 80, 68, 99, 68, 68, 55, 57, 113, 87, 116, 114, 67, 102, 69, 74, 109, 1800 78, 109, 102, 115, 120, 53, 102, 99, 66, 50, 80, 102, 65, 99, 86, 1801 116, 81, 48, 116, 95, 89, 109, 79, 88, 120, 53, 95, 71, 117, 48, 105, 1802 116, 49, 110, 73, 76, 75, 88, 76, 82, 50, 89, 110, 102, 57, 109, 102, 1803 76, 104, 69, 99, 67, 53, 76, 101, 98, 112, 87, 121, 69, 72, 87, 54, 1804 87, 122, 81, 52, 105, 72, 57, 83, 73, 99, 73, 117, 112, 80, 86, 49, 1805 105, 75, 67, 122, 109, 74, 99, 80, 114, 68, 66, 74, 53, 70, 99, 95, 1806 75, 77, 66, 99, 88, 66, 105, 110, 97, 83, 95, 95, 119, 102, 116, 78, 1807 121, 119, 97, 71, 103, 102, 105, 95, 78, 83, 115, 120, 50, 52, 76, 1808 120, 116, 75, 54, 102, 73, 107, 101, 106, 82, 108, 77, 66, 109, 67, 1809 102, 120, 118, 48, 84, 103, 56, 67, 116, 120, 112, 85, 82, 105, 103, 1810 103] 1812 A.2.8. Plaintext Encryption 1814 Encrypt the Plaintext with AES_128_CBC_HMAC_SHA_256 using the CEK as 1815 the encryption key, the JWE Initialization Vector, and the Additional 1816 Authenticated Data value above. The steps for doing this using the 1817 values from Appendix A.3 are detailed in Appendix B. The resulting 1818 Ciphertext is: 1820 [40, 57, 83, 181, 119, 33, 133, 148, 198, 185, 243, 24, 152, 230, 6, 1821 75, 129, 223, 127, 19, 210, 82, 183, 230, 168, 33, 215, 104, 143, 1822 112, 56, 102] 1824 The resulting Authentication Tag value is: 1826 [125, 141, 148, 252, 124, 121, 85, 199, 215, 154, 42, 68, 149, 209, 1827 225, 48] 1829 A.2.9. Encoded JWE Ciphertext 1831 Base64url encode the Ciphertext to create the Encoded JWE Ciphertext. 1832 This result is: 1834 KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY 1836 A.2.10. Encoded JWE Authentication Tag 1838 Base64url encode the Authentication Tag to create the Encoded JWE 1839 Authentication Tag. This result is: 1841 fY2U_Hx5VcfXmipEldHhMA 1843 A.2.11. 
Complete Representation 1845 Assemble the final representation: The Compact Serialization of this 1846 result is the concatenation of the Encoded JWE Header, the Encoded 1847 JWE Encrypted Key, the Encoded JWE Initialization Vector, the Encoded 1848 JWE Ciphertext, and the Encoded JWE Authentication Tag in that order, 1849 with the five strings being separated by four period ('.') 1850 characters. 1852 The final result in this example (with line breaks for display 1853 purposes only) is: 1855 eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0. 1856 nJa_uE2D0wlKz-OcwSbKFzj302xYSI-RLBM6hbVGmP4axtJQPA9S0po3s3NMkmOm 1857 kkawnfwPNjpc0mc3z79cuQWkQPFQo-mDxmogz8dxBcheaTUg3ZvpbGCXxZjDYENR 1858 WiZ5M9BiLy09BIF5mHp85QL6XED1JEZMOh-1uT1lqPDcDD79qWtrCfEJmNmfsx5f 1859 cB2PfAcVtQ0t_YmOXx5_Gu0it1nILKXLR2Ynf9mfLhEcC5LebpWyEHW6WzQ4iH9S 1860 IcIupPV1iKCzmJcPrDBJ5Fc_KMBcXBinaS__wftNywaGgfi_NSsx24LxtK6fIkej 1861 RlMBmCfxv0Tg8CtxpURigg. 1862 AxY8DCtDaGlsbGljb3RoZQ. 1863 KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY. 1864 fY2U_Hx5VcfXmipEldHhMA 1866 A.2.12. Validation 1868 This example illustrates the process of creating a JWE with RSAES- 1869 PKCS1-V1_5 and AES_CBC_HMAC_SHA2. These results can be used to 1870 validate JWE decryption implementations for these algorithms. Note 1871 that since the RSAES-PKCS1-V1_5 computation includes random values, 1872 the encryption results above will not be completely reproducible. 1873 However, since the AES CBC computation is deterministic, the JWE 1874 Encrypted Ciphertext values will be the same for all encryptions 1875 performed using these inputs. 1877 A.3. Example JWE using AES Key Wrap and AES GCM 1879 This example encrypts the plaintext "Live long and prosper." to the 1880 recipient using AES Key Wrap and AES GCM. The representation of this 1881 plaintext is: 1883 [76, 105, 118, 101, 32, 108, 111, 110, 103, 32, 97, 110, 100, 32, 1884 112, 114, 111, 115, 112, 101, 114, 46] 1886 A.3.1. 
JWE Header 1888 The following example JWE Header declares that: 1890 o the Content Encryption Key is encrypted to the recipient using the 1891 AES Key Wrap algorithm with a 128 bit key to produce the JWE 1892 Encrypted Key and 1894 o the Plaintext is encrypted using the AES_128_CBC_HMAC_SHA_256 1895 algorithm to produce the Ciphertext. 1897 {"alg":"A128KW","enc":"A128CBC-HS256"} 1899 A.3.2. Encoded JWE Header 1901 Base64url encoding the octets of the UTF-8 representation of the JWE 1902 Header yields this Encoded JWE Header value: 1904 eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0 1906 A.3.3. Content Encryption Key (CEK) 1908 Generate a 256 bit random Content Encryption Key (CEK). In this 1909 example, the value is: 1911 [4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, 63, 170, 106, 1912 206, 107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, 240, 143, 156, 1913 44, 207] 1915 A.3.4. Key Encryption 1917 Encrypt the CEK with the shared symmetric key using the AES Key Wrap 1918 algorithm to produce the JWE Encrypted Key. In this example, the 1919 shared symmetric key value is: 1921 [25, 172, 32, 130, 225, 114, 26, 181, 138, 106, 254, 192, 95, 133, 1922 74, 82] 1924 The resulting JWE Encrypted Key value is: 1926 [232, 160, 123, 211, 183, 76, 245, 132, 200, 128, 123, 75, 190, 216, 1927 22, 67, 201, 138, 193, 186, 9, 91, 122, 31, 246, 90, 28, 139, 57, 3, 1928 76, 124, 193, 11, 98, 37, 173, 61, 104, 57] 1930 A.3.5. Encoded JWE Encrypted Key 1932 Base64url encode the JWE Encrypted Key to produce the Encoded JWE 1933 Encrypted Key. This result is: 1935 6KB707dM9YTIgHtLvtgWQ8mKwboJW3of9locizkDTHzBC2IlrT1oOQ 1937 A.3.6. Initialization Vector 1939 Generate a random 128 bit JWE Initialization Vector. In this 1940 example, the value is: 1942 [3, 22, 60, 12, 43, 67, 104, 105, 108, 108, 105, 99, 111, 116, 104, 1943 101] 1945 Base64url encoding this value yields the Encoded JWE Initialization 1946 Vector value: 1948 AxY8DCtDaGlsbGljb3RoZQ 1950 A.3.7. 
Additional Authenticated Data Parameter 1952 Concatenate the Encoded JWE Header value, a period ('.') character, 1953 and the Encoded JWE Encrypted Key to create the Additional 1954 Authenticated Data parameter. This result (with line breaks for 1955 display purposes only) is: 1957 eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0. 1958 6KB707dM9YTIgHtLvtgWQ8mKwboJW3of9locizkDTHzBC2IlrT1oOQ 1960 The representation of this value is: 1962 [101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 66, 77, 84, 73, 52, 1963 83, 49, 99, 105, 76, 67, 74, 108, 98, 109, 77, 105, 79, 105, 74, 66, 1964 77, 84, 73, 52, 81, 48, 74, 68, 76, 85, 104, 84, 77, 106, 85, 50, 73, 1965 110, 48, 46, 54, 75, 66, 55, 48, 55, 100, 77, 57, 89, 84, 73, 103, 1966 72, 116, 76, 118, 116, 103, 87, 81, 56, 109, 75, 119, 98, 111, 74, 1967 87, 51, 111, 102, 57, 108, 111, 99, 105, 122, 107, 68, 84, 72, 122, 1968 66, 67, 50, 73, 108, 114, 84, 49, 111, 79, 81] 1970 A.3.8. Plaintext Encryption 1972 Encrypt the Plaintext with AES_128_CBC_HMAC_SHA_256 using the CEK as 1973 the encryption key, the JWE Initialization Vector, and the Additional 1974 Authenticated Data value above. The steps for doing this using the 1975 values from this example are detailed in Appendix B. The resulting 1976 Ciphertext is: 1978 [40, 57, 83, 181, 119, 33, 133, 148, 198, 185, 243, 24, 152, 230, 6, 1979 75, 129, 223, 127, 19, 210, 82, 183, 230, 168, 33, 215, 104, 143, 1980 112, 56, 102] 1982 The resulting Authentication Tag value is: 1984 [8, 65, 248, 101, 45, 185, 28, 218, 232, 112, 83, 79, 84, 221, 18, 1985 172] 1987 A.3.9. Encoded JWE Ciphertext 1989 Base64url encode the Ciphertext to create the Encoded JWE Ciphertext. 1990 This result is: 1992 KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY 1994 A.3.10. Encoded JWE Authentication Tag 1996 Base64url encode the Authentication Tag to create the Encoded JWE 1997 Authentication Tag. This result is: 1999 CEH4ZS25HNrocFNPVN0SrA 2001 A.3.11. 
Complete Representation 2003 Assemble the final representation: The Compact Serialization of this 2004 result is the concatenation of the Encoded JWE Header, the Encoded 2005 JWE Encrypted Key, the Encoded JWE Initialization Vector, the Encoded 2006 JWE Ciphertext, and the Encoded JWE Authentication Tag in that order, 2007 with the five strings being separated by four period ('.') 2008 characters. 2010 The final result in this example (with line breaks for display 2011 purposes only) is: 2013 eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0. 2014 6KB707dM9YTIgHtLvtgWQ8mKwboJW3of9locizkDTHzBC2IlrT1oOQ. 2015 AxY8DCtDaGlsbGljb3RoZQ. 2016 KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY. 2017 CEH4ZS25HNrocFNPVN0SrA 2019 A.3.12. Validation 2021 This example illustrates the process of creating a JWE with symmetric 2022 key wrap and AES_CBC_HMAC_SHA2. These results can be used to 2023 validate JWE decryption implementations for these algorithms. Also, 2024 since both the AES Key Wrap and AES GCM computations are 2025 deterministic, the resulting JWE value will be the same for all 2026 encryptions performed using these inputs. Since the computation is 2027 reproducible, these results can also be used to validate JWE 2028 encryption implementations for these algorithms. 2030 Appendix B. Example AES_128_CBC_HMAC_SHA_256 Computation 2032 This example shows the steps in the AES_128_CBC_HMAC_SHA_256 2033 authenticated encryption computation using the values from the 2034 example in Appendix A.3. As described where this algorithm is 2035 defined in Sections 4.8 and 4.8.3 of JWA, the AES_CBC_HMAC_SHA2 2036 family of algorithms are implemented using Advanced Encryption 2037 Standard (AES) in Cipher Block Chaining (CBC) mode with PKCS #5 2038 padding to perform the encryption and an HMAC SHA-2 function to 2039 perform the integrity calculation - in this case, HMAC SHA-256. 2041 B.1. 
Extract MAC_KEY and ENC_KEY from Key 2043 The 256 bit AES_128_CBC_HMAC_SHA_256 key K used in this example is: 2045 [4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, 63, 170, 106, 2046 206, 107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, 240, 143, 156, 2047 44, 207] 2049 Use the first 128 bits of this key as the HMAC SHA-256 key MAC_KEY, 2050 which is: 2052 [4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, 63, 170, 106, 2053 206] 2055 Use the last 128 bits of this key as the AES CBC key ENC_KEY, which 2056 is: 2058 [107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, 240, 143, 156, 44, 2059 207] 2061 Note that the MAC key comes before the encryption key in the input 2062 key K; this is in the opposite order of the algorithm names in the 2063 identifiers "AES_128_CBC_HMAC_SHA_256" and "A128CBC-HS256". 2065 B.2. Encrypt Plaintext to Create Ciphertext 2067 Encrypt the Plaintext with AES in Cipher Block Chaining (CBC) mode 2068 using PKCS #5 padding using the ENC_KEY above. The Plaintext in this 2069 example is: 2071 [76, 105, 118, 101, 32, 108, 111, 110, 103, 32, 97, 110, 100, 32, 2072 112, 114, 111, 115, 112, 101, 114, 46] 2073 The encryption result is as follows, which is the Ciphertext output: 2075 [40, 57, 83, 181, 119, 33, 133, 148, 198, 185, 243, 24, 152, 230, 6, 2076 75, 129, 223, 127, 19, 210, 82, 183, 230, 168, 33, 215, 104, 143, 2077 112, 56, 102] 2079 B.3. 
Create 64 Bit Big Endian Representation of AAD Length 2081 The Additional Authenticated Data (AAD) in this example is: 2083 [101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 66, 77, 84, 73, 52, 2084 83, 49, 99, 105, 76, 67, 74, 108, 98, 109, 77, 105, 79, 105, 74, 66, 2085 77, 84, 73, 52, 81, 48, 74, 68, 76, 85, 104, 84, 77, 106, 85, 50, 73, 2086 110, 48, 46, 54, 75, 66, 55, 48, 55, 100, 77, 57, 89, 84, 73, 103, 2087 72, 116, 76, 118, 116, 103, 87, 81, 56, 109, 75, 119, 98, 111, 74, 2088 87, 51, 111, 102, 57, 108, 111, 99, 105, 122, 107, 68, 84, 72, 122, 2089 66, 67, 50, 73, 108, 114, 84, 49, 111, 79, 81] 2091 This AAD is 106 bytes long, which is 848 bits long. The octet string 2092 AL, which is the number of bits in AAD expressed as a big endian 64 2093 bit unsigned integer is: 2095 [0, 0, 0, 0, 0, 0, 3, 80] 2097 B.4. Initialization Vector Value 2099 The Initialization Vector value used in this example is: 2101 [3, 22, 60, 12, 43, 67, 104, 105, 108, 108, 105, 99, 111, 116, 104, 2102 101] 2104 B.5. Create Input to HMAC Computation 2106 Concatenate the AAD, the Initialization Vector, the Ciphertext, and 2107 the AL value. The result of this concatenation is: 2109 [101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 66, 77, 84, 73, 52, 2110 83, 49, 99, 105, 76, 67, 74, 108, 98, 109, 77, 105, 79, 105, 74, 66, 2111 77, 84, 73, 52, 81, 48, 74, 68, 76, 85, 104, 84, 77, 106, 85, 50, 73, 2112 110, 48, 46, 54, 75, 66, 55, 48, 55, 100, 77, 57, 89, 84, 73, 103, 2113 72, 116, 76, 118, 116, 103, 87, 81, 56, 109, 75, 119, 98, 111, 74, 2114 87, 51, 111, 102, 57, 108, 111, 99, 105, 122, 107, 68, 84, 72, 122, 2115 66, 67, 50, 73, 108, 114, 84, 49, 111, 79, 81, 3, 22, 60, 12, 43, 67, 2116 104, 105, 108, 108, 105, 99, 111, 116, 104, 101, 40, 57, 83, 181, 2117 119, 33, 133, 148, 198, 185, 243, 24, 152, 230, 6, 75, 129, 223, 127, 2118 19, 210, 82, 183, 230, 168, 33, 215, 104, 143, 112, 56, 102, 0, 0, 0, 2119 0, 0, 0, 3, 80] 2121 B.6. 
B.6. Compute HMAC Value

Compute the HMAC SHA-256 of the concatenated value above. This
result M is:

   [8, 65, 248, 101, 45, 185, 28, 218, 232, 112, 83, 79, 84, 221, 18,
   172, 50, 145, 207, 8, 14, 74, 44, 220, 100, 117, 32, 57, 239, 149,
   173, 226]

B.7. Truncate HMAC Value to Create Authentication Tag

Use the first half (128 bits) of the HMAC output M as the
Authentication Tag output T. This truncated value is:

   [8, 65, 248, 101, 45, 185, 28, 218, 232, 112, 83, 79, 84, 221, 18,
   172]

Appendix C. Acknowledgements

Solutions for encrypting JSON content were also explored by JSON
Simple Encryption [JSE] and JavaScript Message Security Format
[I-D.rescorla-jsms], both of which significantly influenced this
draft. This draft attempts to explicitly reuse as many of the
relevant concepts from XML Encryption 1.1
[W3C.CR-xmlenc-core1-20120313] and RFC 5652 [RFC5652] as possible,
while utilizing simple compact JSON-based data structures.

Special thanks are due to John Bradley and Nat Sakimura for the
discussions that helped inform the content of this specification and
to Eric Rescorla and Joe Hildebrand for allowing the reuse of text
from [I-D.rescorla-jsms] in this document.

Thanks to Axel Nennker, Emmanuel Raviart, Brian Campbell, and Edmund
Jay for validating the examples in this specification.

This specification is the work of the JOSE Working Group, which
includes dozens of active and dedicated participants. In particular,
the following individuals contributed ideas, feedback, and wording
that influenced this specification:

Richard Barnes, John Bradley, Brian Campbell, Breno de Medeiros, Dick
Hardt, Jeff Hodges, Edmund Jay, James Manger, Tony Nadalin, Axel
Nennker, Emmanuel Raviart, Nat Sakimura, Jim Schaad, Hannes
Tschofenig, and Sean Turner.
Jim Schaad and Karen O'Donoghue chaired the JOSE working group and
Sean Turner and Stephen Farrell served as Security area directors
during the creation of this specification.

Appendix D. Document History

[[ to be removed by the RFC editor before publication as an RFC ]]

-09

o  Added JWE JSON Serialization, as specified by
   draft-jones-jose-jwe-json-serialization-04.

o  Registered "application/jwe-js" MIME type and "JWE-JS" typ header
   parameter value.

o  Defined that the default action for header parameters that are not
   understood is to ignore them unless specifically designated as
   "MUST be understood" or included in the new "crit" (critical)
   header parameter list. This addressed issue #6.

o  Corrected "x5c" description. This addressed issue #12.

o  Changed from using the term "byte" to "octet" when referring to 8
   bit values.

o  Added Key Management Mode definitions to the terminology section
   and used the defined terms to provide clearer key management
   instructions. This addressed issue #5.

o  Added text about preventing the recipient from behaving as an
   oracle during decryption, especially when using RSAES-PKCS1-V1_5.

o  Changed from using the term "Integrity Value" to "Authentication
   Tag".

o  Changed member name from "integrity_value" to "authentication_tag"
   in the JWE JSON Serialization.

o  Removed Initialization Vector from the AAD value since it is
   already integrity protected by all of the authenticated encryption
   algorithms specified in the JWA specification.

o  Replaced "A128CBC+HS256" and "A256CBC+HS512" with "A128CBC-HS256"
   and "A256CBC-HS512". The new algorithms perform the same
   cryptographic computations as [I-D.mcgrew-aead-aes-cbc-hmac-sha2],
   but with the Initialization Vector and Authentication Tag values
   remaining separate from the Ciphertext value in the output
   representation. Also deleted the header parameters "epu"
   (encryption PartyUInfo) and "epv" (encryption PartyVInfo), since
   they are no longer used.

-08

o  Replaced uses of the term "AEAD" with "Authenticated Encryption",
   since the term AEAD in the RFC 5116 sense implied the use of a
   particular data representation, rather than just referring to the
   class of algorithms that perform authenticated encryption with
   associated data.

o  Applied editorial improvements suggested by Jeff Hodges and Hannes
   Tschofenig. Many of these simplified the terminology used.

o  Clarified statements of the form "This header parameter is
   OPTIONAL" to "Use of this header parameter is OPTIONAL".

o  Added a Header Parameter Usage Location(s) field to the IANA JSON
   Web Signature and Encryption Header Parameters registry.

o  Added seriesInfo information to Internet Draft references.

-07

o  Added a data length prefix to PartyUInfo and PartyVInfo values.

o  Updated values for example AES CBC calculations.

o  Made several local editorial changes to clean up loose ends left
   over from the decision to only support block encryption methods
   providing integrity. One of these changes was to explicitly state
   that the "enc" (encryption method) algorithm must be an
   Authenticated Encryption algorithm with a specified key length.

-06

o  Removed the "int" and "kdf" parameters and defined the new
   composite Authenticated Encryption algorithms "A128CBC+HS256" and
   "A256CBC+HS512" to replace the former uses of AES CBC, which
   required the use of separate integrity and key derivation
   functions.

o  Included additional values in the Concat KDF calculation -- the
   desired output size and the algorithm value, and optionally
   PartyUInfo and PartyVInfo values. Added the optional header
   parameters "apu" (agreement PartyUInfo), "apv" (agreement
   PartyVInfo), "epu" (encryption PartyUInfo), and "epv" (encryption
   PartyVInfo). Updated the KDF examples accordingly.

o  Promoted Initialization Vector from being a header parameter to
   being a top-level JWE element. This saves approximately 16 bytes
   in the compact serialization, which is a significant savings for
   some use cases. Promoting the Initialization Vector out of the
   header also avoids repeating this shared value in the JSON
   serialization.

o  Changed "x5c" (X.509 Certificate Chain) representation from being
   a single string to being an array of strings, each containing a
   single base64 encoded DER certificate value, representing elements
   of the certificate chain.

o  Added an AES Key Wrap example.

o  Reordered the encryption steps so CMK creation is first, when
   required.

o  Corrected statements in examples about which algorithms produce
   reproducible results.

-05

o  Support both direct encryption using a shared or agreed upon
   symmetric key, and the use of a shared or agreed upon symmetric
   key to key wrap the CMK.

o  Added statement that "StringOrURI values are compared as case-
   sensitive strings with no transformations or canonicalizations
   applied".

o  Updated open issues.

o  Indented artwork elements to better distinguish them from the body
   text.

-04

o  Refer to the registries as the primary sources of defined values
   and then secondarily reference the sections defining the initial
   contents of the registries.

o  Normatively reference XML Encryption 1.1
   [W3C.CR-xmlenc-core1-20120313] for its security considerations.

o  Reference draft-jones-jose-jwe-json-serialization instead of
   draft-jones-json-web-encryption-json-serialization.

o  Described additional open issues.

o  Applied editorial suggestions.

-03

o  Added the "kdf" (key derivation function) header parameter to
   provide crypto agility for key derivation. The default KDF
   remains the Concat KDF with the SHA-256 digest function.

o  Reordered encryption steps so that the Encoded JWE Header is
   always created before it is needed as an input to the
   Authenticated Encryption "additional authenticated data"
   parameter.

o  Added the "cty" (content type) header parameter for declaring type
   information about the secured content, as opposed to the "typ"
   (type) header parameter, which declares type information about
   this object.

o  Moved description of how to determine whether a header is for a
   JWS or a JWE from the JWT spec to the JWE spec.

o  Added complete encryption examples for both Authenticated
   Encryption and non-Authenticated Encryption algorithms.

o  Added complete key derivation examples.

o  Added "Collision Resistant Namespace" to the terminology section.

o  Reference ITU.X690.1994 for DER encoding.

o  Added Registry Contents sections to populate registry values.

o  Numerous editorial improvements.

-02

o  When using Authenticated Encryption algorithms (such as AES GCM),
   use the "additional authenticated data" parameter to provide
   integrity for the header, encrypted key, and ciphertext and use
   the resulting "authentication tag" value as the JWE Authentication
   Tag.

o  Defined KDF output key sizes.

o  Generalized text to allow key agreement to be employed as an
   alternative to key wrapping or key encryption.

o  Changed compression algorithm from gzip to DEFLATE.

o  Clarified that it is an error when a "kid" value is included and
   no matching key is found.

o  Clarified that JWEs with duplicate Header Parameter Names MUST be
   rejected.

o  Clarified the relationship between "typ" header parameter values
   and MIME types.

o  Registered application/jwe MIME type and "JWE" typ header
   parameter value.

o  Simplified JWK terminology to replace the "JWK Key Object" and
   "JWK Container Object" terms with simply "JSON Web Key (JWK)" and
   "JSON Web Key Set (JWK Set)" and to eliminate potential confusion
   between single keys and sets of keys. As part of this change, the
   Header Parameter Name for a public key value was changed from
   "jpk" (JSON Public Key) to "jwk" (JSON Web Key).

o  Added suggestion on defining additional header parameters such as
   "x5t#S256" in the future for certificate thumbprints using hash
   algorithms other than SHA-1.

o  Specify RFC 2818 server identity validation, rather than RFC 6125
   (paralleling the same decision in the OAuth specs).

o  Generalized language to refer to Message Authentication Codes
   (MACs) rather than Hash-based Message Authentication Codes (HMACs)
   unless in a context specific to HMAC algorithms.

o  Reformatted to give each header parameter its own section heading.

-01

o  Added an integrity check for non-Authenticated Encryption
   algorithms.

o  Added "jpk" and "x5c" header parameters for including JWK public
   keys and X.509 certificate chains directly in the header.

o  Clarified that this specification is defining the JWE Compact
   Serialization. Referenced the new JWE-JS spec, which defines the
   JWE JSON Serialization.

o  Added text "New header parameters should be introduced sparingly
   since an implementation that does not understand a parameter MUST
   reject the JWE".

o  Clarified that the order of the encryption and decryption steps is
   not significant in cases where there are no dependencies between
   the inputs and outputs of the steps.

o  Made other editorial improvements suggested by JOSE working group
   participants.

-00

o  Created the initial IETF draft based upon
   draft-jones-json-web-encryption-02 with no normative changes.

o  Changed terminology to no longer call both digital signatures and
   HMACs "signatures".

Authors' Addresses

Michael B. Jones
Microsoft

Email: mbj@microsoft.com
URI:   http://self-issued.info/

Eric Rescorla
RTFM, Inc.

Email: ekr@rtfm.com

Joe Hildebrand
Cisco Systems, Inc.

Email: jhildebr@cisco.com