idnits 2.17.00 (12 Aug 2021)

/tmp/idnits64668/draft-ietf-jose-json-web-encryption-07.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (November 6, 2012) is 3482 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Looks like a reference, but probably isn't: '1' on line 1979
  -- Looks like a reference, but probably isn't: '0' on line 1994
  -- Looks like a reference, but probably isn't: '227' on line 1246
  -- Looks like a reference, but probably isn't: '197' on line 1246
  -- Looks like a reference, but probably isn't: '117' on line 1246
  -- Looks like a reference, but probably isn't: '252' on line 1246
  -- Looks like a reference, but probably isn't: '2' on line 1246
  -- Looks like a reference, but probably isn't: '219' on line 1246
  -- Looks like a reference, but probably isn't: '233' on line 1246
  -- Looks like a reference, but probably isn't: '68' on line 1246
  -- Looks like a reference, but probably isn't: '180' on line 1246
  -- Looks like a reference, but probably isn't: '225' on line 1246
  -- Looks like a reference, but probably isn't: '77' on line 1246
  -- Looks like a reference, but probably isn't: '253' on line 1715
  -- Looks like a reference, but probably isn't: '220' on line 1715
  -- Looks like a reference, but probably isn't: '80' on line 1715
  -- Looks like a reference, but probably isn't: '25' on line 1715
  -- Looks like a reference, but probably isn't: '166' on line 1715
  -- Looks like a reference, but probably isn't: '152' on line 1715
  -- Looks like a reference, but probably isn't: '178' on line 1715
  -- Looks like a reference, but probably isn't: '168' on line 1715
  -- Looks like a reference, but probably isn't: '97' on line 1715
  -- Looks like a reference, but probably isn't: '99' on line 1948
  -- Looks like a reference, but probably isn't: '67' on line 1715
  -- Looks like a reference, but probably isn't: '89' on line 1715
  -- Looks like a reference, but probably isn't: '69' on line 1948
  -- Looks like a reference, but probably isn't: '110' on line 1997
  -- Looks like a reference, but probably isn't: '114' on line 1997
  -- Looks like a reference, but probably isn't: '121' on line 1997
  -- Looks like a reference, but probably isn't: '112' on line 1948
  -- Looks like a reference, but probably isn't: '116' on line 1997
  -- Looks like a reference, but probably isn't: '105' on line 1997
  -- Looks like a reference, but probably isn't: '111' on line 1948
  -- Looks like a reference, but probably isn't: '73' on line 1997
  -- Looks like a reference, but probably isn't: '101' on line 1997
  -- Looks like a reference, but probably isn't: '103' on line 1997

  -- Possible downref: Non-RFC (?) normative reference: ref. 'ITU.X690.1994'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'JWA'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'JWK'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'JWS'

  ** Downref: Normative reference to an Historic RFC: RFC 1421

  ** Downref: Normative reference to an Informational RFC: RFC 1951

  ** Downref: Normative reference to an Informational RFC: RFC 2818

  ** Obsolete normative reference: RFC 4288 (Obsoleted by RFC 6838)

  ** Obsolete normative reference: RFC 4627 (Obsoleted by RFC 7158, RFC 7159)

  ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446)

     Summary: 6 errors (**), 0 flaws (~~), 1 warning (==), 41 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2     JOSE Working Group                                              M. Jones
3     Internet-Draft                                                 Microsoft
4     Intended status: Standards Track                             E. Rescorla
5     Expires: May 10, 2013                                               RTFM
6                                                                J. Hildebrand
7                                                                        Cisco
8                                                             November 6, 2012

10                           JSON Web Encryption (JWE)
11                     draft-ietf-jose-json-web-encryption-07

13    Abstract

15       JSON Web Encryption (JWE) is a means of representing encrypted
16       content using JavaScript Object Notation (JSON) data structures.
17       Cryptographic algorithms and identifiers for use with this
18       specification are described in the separate JSON Web Algorithms (JWA)
19       specification. Related digital signature and MAC capabilities are
20       described in the separate JSON Web Signature (JWS) specification.

22    Status of this Memo

24       This Internet-Draft is submitted in full conformance with the
25       provisions of BCP 78 and BCP 79.

27       Internet-Drafts are working documents of the Internet Engineering
28       Task Force (IETF). Note that other groups may also distribute
29       working documents as Internet-Drafts. The list of current Internet-
30       Drafts is at http://datatracker.ietf.org/drafts/current/.

32       Internet-Drafts are draft documents valid for a maximum of six months
33       and may be updated, replaced, or obsoleted by other documents at any
34       time. It is inappropriate to use Internet-Drafts as reference
35       material or to cite them other than as "work in progress."

37       This Internet-Draft will expire on May 10, 2013.

39    Copyright Notice

41       Copyright (c) 2012 IETF Trust and the persons identified as the
42       document authors. All rights reserved.

44       This document is subject to BCP 78 and the IETF Trust's Legal
45       Provisions Relating to IETF Documents
46       (http://trustee.ietf.org/license-info) in effect on the date of
47       publication of this document. Please review these documents
48       carefully, as they describe your rights and restrictions with respect
49       to this document. Code Components extracted from this document must
50       include Simplified BSD License text as described in Section 4.e of
51       the Trust Legal Provisions and are provided without warranty as
52       described in the Simplified BSD License.

54    Table of Contents

56       1.  Introduction
57         1.1.  Notational Conventions
58       2.  Terminology
59       3.  JSON Web Encryption (JWE) Overview
60         3.1.  Example JWE using RSAES OAEP and AES GCM
61         3.2.  Example JWE using RSAES-PKCS1-V1_5 and AES CBC
62       4.  JWE Header
63         4.1.  Reserved Header Parameter Names
64           4.1.1.  "alg" (Algorithm) Header Parameter
65           4.1.2.  "enc" (Encryption Method) Header Parameter
66           4.1.3.  "epk" (Ephemeral Public Key) Header Parameter
67           4.1.4.  "zip" (Compression Algorithm) Header Parameter
68           4.1.5.  "jku" (JWK Set URL) Header Parameter
69           4.1.6.  "jwk" (JSON Web Key) Header Parameter
70           4.1.7.  "x5u" (X.509 URL) Header Parameter
71           4.1.8.  "x5t" (X.509 Certificate Thumbprint) Header
72                   Parameter
73           4.1.9.  "x5c" (X.509 Certificate Chain) Header Parameter
74           4.1.10. "kid" (Key ID) Header Parameter
75           4.1.11. "typ" (Type) Header Parameter
76           4.1.12. "cty" (Content Type) Header Parameter
77           4.1.13. "apu" (Agreement PartyUInfo) Header Parameter
78           4.1.14. "apv" (Agreement PartyVInfo) Header Parameter
79           4.1.15. "epu" (Encryption PartyUInfo) Header Parameter
80           4.1.16. "epv" (Encryption PartyVInfo) Header Parameter
81         4.2.  Public Header Parameter Names
82         4.3.  Private Header Parameter Names
83       5.  Message Encryption
84       6.  Message Decryption
85       7.  CMK Encryption
86       8.  Encrypting JWEs with Cryptographic Algorithms
87       9.  IANA Considerations
88         9.1.  Registration of JWE Header Parameter Names
89           9.1.1.  Registry Contents
90         9.2.  JSON Web Signature and Encryption Type Values
91               Registration
92           9.2.1.  Registry Contents
93         9.3.  Media Type Registration
94           9.3.1.  Registry Contents
95       10. Security Considerations
96       11. References
97         11.1. Normative References
98         11.2. Informative References
99       Appendix A.  JWE Examples
100        A.1.  Example JWE using RSAES OAEP and AES GCM
101          A.1.1.  JWE Header
102          A.1.2.  Encoded JWE Header
103          A.1.3.  Content Master Key (CMK)
104          A.1.4.  Key Encryption
105          A.1.5.  Encoded JWE Encrypted Key
106          A.1.6.  Initialization Vector
107          A.1.7.  "Additional Authenticated Data" Parameter
108          A.1.8.  Plaintext Encryption
109          A.1.9.  Encoded JWE Ciphertext
110          A.1.10. Encoded JWE Integrity Value
111          A.1.11. Complete Representation
112          A.1.12. Validation
113        A.2.  Example JWE using RSAES-PKCS1-V1_5 and AES CBC
114          A.2.1.  JWE Header
115          A.2.2.  Encoded JWE Header
116          A.2.3.  Content Master Key (CMK)
117          A.2.4.  Key Encryption
118          A.2.5.  Encoded JWE Encrypted Key
119          A.2.6.  Key Derivation
120          A.2.7.  Initialization Vector
121          A.2.8.  Plaintext Encryption
122          A.2.9.  Encoded JWE Ciphertext
123          A.2.10. Secured Input Value
124          A.2.11. JWE Integrity Value
125          A.2.12. Encoded JWE Integrity Value
126          A.2.13. Complete Representation
127          A.2.14. Validation
128        A.3.  Example JWE using AES Key Wrap and AES GCM
129          A.3.1.  JWE Header
130          A.3.2.  Encoded JWE Header
131          A.3.3.  Content Master Key (CMK)
132          A.3.4.  Key Encryption
133          A.3.5.  Encoded JWE Encrypted Key
134          A.3.6.  Initialization Vector
135          A.3.7.  "Additional Authenticated Data" Parameter
136          A.3.8.  Plaintext Encryption
137          A.3.9.  Encoded JWE Ciphertext
138          A.3.10. Encoded JWE Integrity Value
139          A.3.11. Complete Representation
140          A.3.12. Validation
141        A.4.  Example Key Derivation for "enc" value "A128CBC+HS256"
142          A.4.1.  CEK Generation
143          A.4.2.  CIK Generation
145        A.5.  Example Key Derivation for "enc" value "A256CBC+HS512"
146          A.5.1.  CEK Generation
147          A.5.2.  CIK Generation
148      Appendix B.  Acknowledgements
149      Appendix C.  Open Issues
150      Appendix D.  Document History
151      Authors' Addresses

153   1.  Introduction

155      JSON Web Encryption (JWE) is a compact encryption format intended for
156      space constrained environments such as HTTP Authorization headers and
157      URI query parameters. It represents this content using JavaScript
158      Object Notation (JSON) [RFC4627] based data structures. The JWE
159      cryptographic mechanisms encrypt and provide integrity protection for
160      arbitrary sequences of bytes.

162      Cryptographic algorithms and identifiers for use with this
163      specification are described in the separate JSON Web Algorithms (JWA)
164      [JWA] specification. Related digital signature and MAC capabilities
165      are described in the separate JSON Web Signature (JWS) [JWS]
166      specification.

168   1.1.  Notational Conventions

170      The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
171      "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
172      document are to be interpreted as described in Key words for use in
173      RFCs to Indicate Requirement Levels [RFC2119].

175   2.  Terminology

177      JSON Web Encryption (JWE)  A data structure representing an encrypted
178         message. The structure consists of five parts: the JWE Header,
179         the JWE Encrypted Key, the JWE Initialization Vector, the JWE
180         Ciphertext, and the JWE Integrity Value.

182      Plaintext  The bytes to be encrypted -- a.k.a., the message. The
183         plaintext can contain an arbitrary sequence of bytes.

185      Ciphertext  An encrypted representation of the Plaintext.

187      Content Encryption Key (CEK)  A symmetric key used to encrypt the
188         Plaintext for the recipient to produce the Ciphertext.

190      Content Integrity Key (CIK)  A key used with a MAC function to ensure
191         the integrity of the Ciphertext and the parameters used to create
192         it.

194      Content Master Key (CMK)  A key from which the CEK and CIK are
195         derived. When key wrapping or key encryption are employed, the
196         CMK is randomly generated and encrypted to the recipient as the
197         JWE Encrypted Key. When direct encryption with a shared symmetric
198         key is employed, the CMK is the shared key. When key agreement
199         without key wrapping is employed, the CMK is the result of the key
200         agreement algorithm.

202      JWE Header  A string representing a JSON object that describes the
203         encryption operations applied to create the JWE Encrypted Key, the
204         JWE Ciphertext, and the JWE Integrity Value.

206      JWE Encrypted Key  When key wrapping or key encryption are employed,
207         the Content Master Key (CMK) is encrypted with the intended
208         recipient's key and the resulting encrypted content is recorded as
209         a byte array, which is referred to as the JWE Encrypted Key.
210         Otherwise, when direct encryption with a shared or agreed upon
211         symmetric key is employed, the JWE Encrypted Key is the empty byte
212         array.

214      JWE Initialization Vector  A byte array containing the Initialization
215         Vector used when encrypting the Plaintext.

217      JWE Ciphertext  A byte array containing the Ciphertext.

219      JWE Integrity Value  A byte array containing a MAC value that ensures
220         the integrity of the Ciphertext and the parameters used to create
221         it.

223      Base64url Encoding  The URL- and filename-safe Base64 encoding
224         described in RFC 4648 [RFC4648], Section 5, with the (non URL-
225         safe) '=' padding characters omitted, as permitted by Section 3.2.
226         (See Appendix C of [JWS] for notes on implementing base64url
227         encoding without padding.)

229      Encoded JWE Header  Base64url encoding of the bytes of the UTF-8
230         [RFC3629] representation of the JWE Header.

232      Encoded JWE Encrypted Key  Base64url encoding of the JWE Encrypted
233         Key.

235      Encoded JWE Initialization Vector  Base64url encoding of the JWE
236         Initialization Vector.

238      Encoded JWE Ciphertext  Base64url encoding of the JWE Ciphertext.

240      Encoded JWE Integrity Value  Base64url encoding of the JWE Integrity
241         Value.

243      Header Parameter Name  The name of a member of the JSON object
244         representing a JWE Header.

246      Header Parameter Value  The value of a member of the JSON object
247         representing a JWE Header.

249      JWE Compact Serialization  A representation of the JWE as the
250         concatenation of the Encoded JWE Header, the Encoded JWE Encrypted
251         Key, the Encoded JWE Initialization Vector, the Encoded JWE
252         Ciphertext, and the Encoded JWE Integrity Value in that order,
253         with the five strings being separated by four period ('.')
254         characters.

256      AEAD Algorithm  An Authenticated Encryption with Associated Data
257         (AEAD) [RFC5116] encryption algorithm is one that provides an
258         integrated content integrity check. AEAD encryption algorithms
259         accept two inputs, the plaintext and the "additional authenticated
260         data" value, and produce two outputs, the ciphertext and the
261         "authentication tag" value. AES Galois/Counter Mode (GCM) is one
262         such algorithm.

264      Collision Resistant Namespace  A namespace that allows names to be
265         allocated in a manner such that they are highly unlikely to
266         collide with other names. For instance, collision resistance can
267         be achieved through administrative delegation of portions of the
268         namespace or through use of collision-resistant name allocation
269         functions. Examples of Collision Resistant Namespaces include:
270         Domain Names, Object Identifiers (OIDs) as defined in the ITU-T
271         X.660 and X.670 Recommendation series, and Universally Unique
272         IDentifiers (UUIDs) [RFC4122]. When using an administratively
273         delegated namespace, the definer of a name needs to take
274         reasonable precautions to ensure they are in control of the
275         portion of the namespace they use to define the name.

277      StringOrURI  A JSON string value, with the additional requirement
278         that while arbitrary string values MAY be used, any value
279         containing a ":" character MUST be a URI [RFC3986]. StringOrURI
280         values are compared as case-sensitive strings with no
281         transformations or canonicalizations applied.

283   3.  JSON Web Encryption (JWE) Overview

285      JWE represents encrypted content using JSON data structures and
286      base64url encoding. The representation consists of five parts: the
287      JWE Header, the JWE Encrypted Key, the JWE Initialization Vector, the
288      JWE Ciphertext, and the JWE Integrity Value. In the Compact
289      Serialization, the five parts are base64url-encoded for transmission,
290      and represented as the concatenation of the encoded strings in that
291      order, with the five strings being separated by four period ('.')
292      characters. (A JSON Serialization for this information is defined in
293      the separate JSON Web Encryption JSON Serialization (JWE-JS) [JWE-JS]
294      specification.)

296      JWE utilizes encryption to ensure the confidentiality of the
297      Plaintext. JWE adds a content integrity check if not provided by the
298      underlying encryption algorithm.

300   3.1.  Example JWE using RSAES OAEP and AES GCM

302      This example encrypts the plaintext "Live long and prosper." to the
303      recipient using RSAES OAEP and AES GCM. The AES GCM algorithm has an
304      integrated integrity check.

306      The following example JWE Header declares that:

308      o  the Content Master Key is encrypted to the recipient using the
309         RSAES OAEP algorithm to produce the JWE Encrypted Key and

311      o  the Plaintext is encrypted using the AES GCM algorithm with a 256
312         bit key to produce the Ciphertext.

314        {"alg":"RSA-OAEP","enc":"A256GCM"}

316      Base64url encoding the bytes of the UTF-8 representation of the JWE
317      Header yields this Encoded JWE Header value:

319        eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ

321      The remaining steps to finish creating this JWE are:

323      o  Generate a random Content Master Key (CMK)

325      o  Encrypt the CMK with the recipient's public key using the RSAES
326         OAEP algorithm to produce the JWE Encrypted Key

328      o  Base64url encode the JWE Encrypted Key to produce the Encoded JWE
329         Encrypted Key

331      o  Generate a random JWE Initialization Vector

333      o  Base64url encode the JWE Initialization Vector to produce the
334         Encoded JWE Initialization Vector

336      o  Concatenate the Encoded JWE Header value, a period character
337         ('.'), the Encoded JWE Encrypted Key, a second period character
338         ('.'), and the Encoded JWE Initialization Vector to create the
339         "additional authenticated data" parameter for the AES GCM
340         algorithm

342      o  Encrypt the Plaintext with AES GCM, using the CMK as the
343         encryption key, the JWE Initialization Vector, and the "additional
344         authenticated data" value above, requesting a 128 bit
345         "authentication tag" output

347      o  Base64url encode the resulting Ciphertext to create the Encoded
348         JWE Ciphertext

350      o  Base64url encode the resulting "authentication tag" to create the
351         Encoded JWE Integrity Value

353      o  Assemble the final representation: The Compact Serialization of
354         this result is the concatenation of the Encoded JWE Header, the
355         Encoded JWE Encrypted Key, the Encoded JWE Initialization Vector,
356         the Encoded JWE Ciphertext, and the Encoded JWE Integrity Value in
357         that order, with the five strings being separated by four period
358         ('.') characters.

360      The final result in this example (with line breaks for display
361      purposes only) is:

363        eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ.
364        M2XxpbORKezKSzzQL_95-GjiudRBTqn_omS8z9xgoRb7L0Jw5UsEbxmtyHn2T71m
365        rZLkjg4Mp8gbhYoltPkEOHvAopz25-vZ8C2e1cOaAo5WPcbSIuFcB4DjBOM3t0UA
366        O6JHkWLuAEYoe58lcxIQneyKdaYSLbV9cKqoUoFQpvKWYRHZbfszIyfsa18rmgTj
367        zrtLDTPnc09DSJE24aQ8w3i8RXEDthW9T1J6LsTH_vwHdwUgkI-tC2PNeGrnM-dN
368        SfzF3Y7-lwcGy0FsdXkPXytvDV7y4pZeeUiQ-0VdibIN2AjjfW60nfrPuOjepMFG
369        6BBBbR37pHcyzext9epOAQ.
370        48V1_ALb6US04U3b.
371        _e21tGGhac_peEFkLXr2dMPUZiUkrw.
372        7V5ZDko0v_mf2PAc4JMiUg

374      See Appendix A.1 for the complete details of computing this JWE.

376   3.2.  Example JWE using RSAES-PKCS1-V1_5 and AES CBC

378      This example encrypts the plaintext "No matter where you go, there
379      you are." to the recipient using RSAES-PKCS1-V1_5 and AES CBC. AES
380      CBC does not have an integrated integrity check, so a separate
381      integrity check calculation is performed using HMAC SHA-256, with
382      separate encryption and integrity keys being derived from a master
383      key using the Concat KDF with the SHA-256 digest function.

385      The following example JWE Header (with line breaks for display
386      purposes only) declares that:

388      o  the Content Master Key is encrypted to the recipient using the
389         RSAES-PKCS1-V1_5 algorithm to produce the JWE Encrypted Key and

391      o  the Plaintext is encrypted using the AES CBC algorithm with a 128
392         bit key to produce the Ciphertext, with the integrity of the
393         Ciphertext and the parameters used to create it being secured
394         using the HMAC SHA-256 algorithm.
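
Added example, not part of the draft or of the idnits output: a receiver-side parser in Python for the Compact Serialization produced in Section 3.1. It applies the header rules of Section 4 (duplicate names, presence of "enc", a fully understood header), rebuilds the integrity input for AES GCM (Section 3.1) and for the HMAC SHA-256 variant (Section 3.2), and checks the HMAC. The allow-lists, the function names and the stand-in key bytes are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import re

# Assumptions: this receiver's allow-lists. The algorithm names are the ones in
# the two Section 3 examples; the value is the integrity value length in bytes.
SUPPORTED_ALG = {"RSA-OAEP", "RSA1_5"}
SUPPORTED_ENC = {"A256GCM": 16, "A128CBC+HS256": 32}
UNDERSTOOD = {"alg", "enc", "zip", "kid", "typ", "cty"}  # members this receiver handles
_B64URL = re.compile(r"[A-Za-z0-9_-]*")


class JWEFormatError(ValueError):
    """Input that must be rejected before any key is used."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWE omits '=' padding, so padding or any non-alphabet character is an error.
    if not _B64URL.fullmatch(segment) or len(segment) % 4 == 1:
        raise JWEFormatError("segment is not unpadded base64url")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _no_duplicates(pairs):
    # json.loads silently keeps the last duplicate; Section 4 requires rejection.
    members = {}
    for name, value in pairs:
        if name in members:
            raise JWEFormatError(f"duplicate Header Parameter Name {name!r}")
        members[name] = value
    return members


def parse_header(encoded_header: str) -> dict:
    try:
        text = b64url_decode(encoded_header).decode("utf-8")
        header = json.loads(text, object_pairs_hook=_no_duplicates)
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise JWEFormatError("header is not UTF-8 encoded JSON") from exc
    if not isinstance(header, dict):
        raise JWEFormatError("header is not a JSON object")
    if "enc" not in header:
        raise JWEFormatError('no "enc" member: a JWS header, not a JWE header')
    alg, enc = header.get("alg"), header["enc"]
    if (not isinstance(alg, str) or not isinstance(enc, str)
            or alg not in SUPPORTED_ALG or enc not in SUPPORTED_ENC):
        raise JWEFormatError('unsupported "alg" or "enc"')
    if set(header) - UNDERSTOOD:
        raise JWEFormatError("header has members this receiver does not understand")
    if header.get("zip", "DEF") != "DEF":
        raise JWEFormatError('"zip" must be the string "DEF"')
    return header


def parse_compact(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 5:
        raise JWEFormatError("Compact Serialization needs exactly five parts")
    header = parse_header(parts[0])
    key, iv, ciphertext, integrity = (b64url_decode(p) for p in parts[1:])
    if len(integrity) != SUPPORTED_ENC[header["enc"]]:
        raise JWEFormatError('integrity value has the wrong length for "enc"')
    # AES GCM authenticates header.key.iv as additional authenticated data;
    # the HMAC variant covers header.key.iv.ciphertext.
    covered = 3 if header["enc"] == "A256GCM" else 4
    return {"header": header, "encrypted_key": key, "iv": iv,
            "ciphertext": ciphertext, "integrity_value": integrity,
            "integrity_input": ".".join(parts[:covered]).encode("ascii")}


def hmac_integrity_ok(jwe: dict, cik: bytes) -> bool:
    """HMAC SHA-256 over the secured input, compared in constant time."""
    if jwe["header"]["enc"] != "A128CBC+HS256":
        raise JWEFormatError("separate HMAC check applies only to A128CBC+HS256")
    expected = hmac.new(cik, jwe["integrity_input"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, jwe["integrity_value"])


def build_sample_gcm_token() -> str:
    """Header, IV, ciphertext and tag from Section 3.1; key bytes are a constructed stand-in."""
    key = b64url_encode(b"constructed stand-in for the JWE Encrypted Key")
    return ("eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ." + key +
            ".48V1_ALb6US04U3b._e21tGGhac_peEFkLXr2dMPUZiUkrw.7V5ZDko0v_mf2PAc4JMiUg")


def build_sample_hmac_token(cik: bytes) -> str:
    """Constructed A128CBC+HS256 token: dummy key, IV and ciphertext, real HMAC."""
    head = b64url_encode(b'{"alg":"RSA1_5","enc":"A128CBC+HS256"}')
    body = ".".join([head, b64url_encode(b"k" * 32),
                     b64url_encode(b"i" * 16), b64url_encode(b"c" * 32)])
    tag = hmac.new(cik, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + b64url_encode(tag)
```

Every check above runs before the recipient's private key or the CIK-derived decryption is touched; unwrapping the CMK and decrypting the ciphertext are outside this example.
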

396        {"alg":"RSA1_5","enc":"A128CBC+HS256"}

398      Base64url encoding the bytes of the UTF-8 representation of the JWE
399      Header yields this Encoded JWE Header value:

401        eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDK0hTMjU2In0

403      The remaining steps to finish creating this JWE are like the previous
404      example, but with an additional step to compute the separate
405      integrity value:

407      o  Generate a random Content Master Key (CMK)

409      o  Encrypt the CMK with the recipient's public key using the RSAES-
410         PKCS1-V1_5 algorithm to produce the JWE Encrypted Key

412      o  Base64url encode the JWE Encrypted Key to produce the Encoded JWE
413         Encrypted Key

415      o  Generate a random JWE Initialization Vector

417      o  Base64url encode the JWE Initialization Vector to produce the
418         Encoded JWE Initialization Vector

420      o  Use the Concat key derivation function to derive Content
421         Encryption Key (CEK) and Content Integrity Key (CIK) values from
422         the CMK

424      o  Encrypt the Plaintext with AES CBC using the CEK and JWE
425         Initialization Vector to produce the Ciphertext

427      o  Base64url encode the resulting Ciphertext to create the Encoded
428         JWE Ciphertext

430      o  Concatenate the Encoded JWE Header value, a period character
431         ('.'), the Encoded JWE Encrypted Key, a second period character
432         ('.'), the Encoded JWE Initialization Vector, a third period ('.')
433         character, and the Encoded JWE Ciphertext to create the value to
434         integrity protect

436      o  Compute the HMAC SHA-256 of this value using the CIK to create the
437         JWE Integrity Value

439      o  Base64url encode the resulting JWE Integrity Value to create the
440         Encoded JWE Integrity Value

442      o  Assemble the final representation: The Compact Serialization of
443         this result is the concatenation of the Encoded JWE Header, the
444         Encoded JWE Encrypted Key, the Encoded JWE Initialization Vector,
445         the Encoded JWE Ciphertext, and the Encoded JWE Integrity Value in
446         that order, with the five strings being separated by four period
447         ('.') characters.

449      The final result in this example (with line breaks for display
450      purposes only) is:

452        eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDK0hTMjU2In0.
453        O6AqXqgVlJJ4c4lp5sXZd7bpGHAw6ARkHUeXQxD1cAW4-X1x0qtj_AN0mukqEOl4
454        Y6UOwJXIJY9-G1ELK-RQWrKH_StR-AM9H7GpKmSEji8QYOcMOjr-u9H1Lt_pBEie
455        G802SxWz0rbFTXRcj4BWLxcpCtjUZ31AP-sc-L_eCZ5UNl0aSRNqFskuPkzRsFZR
456        DJqSSJeVOyJ7pZCQ83fli19Vgi_3R7XMUqluQuuc7ZHOWixi47jXlBTlWRZ5iFxa
457        S8G6J8wUrd4BKggAw3qX5XoIfXQVlQZE0Vmkq_zQSIo5LnFKyowooRcdsEuNh9B9
458        Mkyt0ZQElG-jGdtHWjZSOA.
459        AxY8DCtDaGlsbGljb3RoZQ.
460        1eBWFgcrz40wC88cgv8rPgu3EfmC1p4zT0kIxxfSF2zDJcQ-iEHk1jQM95xAdr5Z.
461        RBGhYzE8_cZLHjJqqHuLhzbgWgL_wV3LDSUrcbkOiIA

463      See Appendix A.2 for the complete details of computing this JWE.

465   4.  JWE Header

467      The members of the JSON object represented by the JWE Header describe
468      the encryption applied to the Plaintext and optionally additional
469      properties of the JWE. The Header Parameter Names within this object
470      MUST be unique; JWEs with duplicate Header Parameter Names MUST be
471      rejected. Implementations MUST understand the entire contents of the
472      header; otherwise, the JWE MUST be rejected.

474      There are two ways of distinguishing whether a header is a JWS Header
475      or a JWE Header. The first is by examining the "alg" (algorithm)
476      header value. If the value represents a digital signature or MAC
477      algorithm, or is the value "none", it is for a JWS; if it represents
478      an encryption or key agreement algorithm, it is for a JWE. A second
479      method is determining whether an "enc" (encryption method) member
480      exists. If the "enc" member exists, it is a JWE; otherwise, it is a
481      JWS. Both methods will yield the same result for all legal input
482      values.

484      There are three classes of Header Parameter Names: Reserved Header
485      Parameter Names, Public Header Parameter Names, and Private Header
486      Parameter Names.

488   4.1.  Reserved Header Parameter Names

490      The following header parameter names are reserved with meanings as
491      defined below. All the names are short because a core goal of JWE is
492      for the representations to be compact.

494      Additional reserved header parameter names MAY be defined via the
495      IANA JSON Web Signature and Encryption Header Parameters registry
496      [JWS]. As indicated by the common registry, JWSs and JWEs share a
497      common header parameter space; when a parameter is used by both
498      specifications, its usage must be compatible between the
499      specifications.

501   4.1.1.  "alg" (Algorithm) Header Parameter

503      The "alg" (algorithm) header parameter identifies the cryptographic
504      algorithm used to encrypt or determine the value of the Content
505      Master Key (CMK). The algorithm specified by the "alg" value MUST be
506      supported by the implementation and there MUST be a key for use with
507      that algorithm associated with the intended recipient or the JWE MUST
508      be rejected. "alg" values SHOULD either be registered in the IANA
509      JSON Web Signature and Encryption Algorithms registry [JWA] or be a
510      URI that contains a Collision Resistant Namespace. The "alg" value
511      is a case sensitive string containing a StringOrURI value. This
512      header parameter is REQUIRED.

514      A list of defined "alg" values can be found in the IANA JSON Web
515      Signature and Encryption Algorithms registry [JWA]; the initial
516      contents of this registry are the values defined in Section 4.1 of
517      the JSON Web Algorithms (JWA) [JWA] specification.

519   4.1.2.  "enc" (Encryption Method) Header Parameter

521      The "enc" (encryption method) header parameter identifies the block
522      encryption algorithm used to encrypt the Plaintext to produce the
523      Ciphertext. This algorithm MUST be an AEAD algorithm with a
524      specified key length. The algorithm specified by the "enc" value
525      MUST be supported by the implementation or the JWE MUST be rejected.
526 "enc" values SHOULD either be registered in the IANA JSON Web 527 Signature and Encryption Algorithms registry [JWA] or be a URI that 528 contains a Collision Resistant Namespace. The "enc" value is a case 529 sensitive string containing a StringOrURI value. This header 530 parameter is REQUIRED. 532 A list of defined "enc" values can be found in the IANA JSON Web 533 Signature and Encryption Algorithms registry [JWA]; the initial 534 contents of this registry are the values defined in Section 4.2 of 535 the JSON Web Algorithms (JWA) [JWA] specification. 537 4.1.3. "epk" (Ephemeral Public Key) Header Parameter 539 The "epk" (ephemeral public key) value created by the originator for 540 the use in key agreement algorithms. This key is represented as a 541 JSON Web Key [JWK] value. This header parameter is OPTIONAL, 542 although its use is REQUIRED with some "alg" algorithms. 544 4.1.4. "zip" (Compression Algorithm) Header Parameter 546 The "zip" (compression algorithm) applied to the Plaintext before 547 encryption, if any. If present, the value of the "zip" header 548 parameter MUST be the case sensitive string "DEF". Compression is 549 performed with the DEFLATE [RFC1951] algorithm. If no "zip" 550 parameter is present, no compression is applied to the Plaintext 551 before encryption. This header parameter is OPTIONAL. 553 4.1.5. "jku" (JWK Set URL) Header Parameter 555 The "jku" (JWK Set URL) header parameter is a URI [RFC3986] that 556 refers to a resource for a set of JSON-encoded public keys, one of 557 which corresponds to the key used to encrypt the JWE; this can be 558 used to determine the private key needed to decrypt the JWE. The 559 keys MUST be encoded as a JSON Web Key Set (JWK Set) [JWK]. 
560      The protocol used to acquire the resource MUST provide integrity
561      protection; an HTTP GET request to retrieve the certificate MUST use
562      TLS [RFC2818] [RFC5246]; the identity of the server MUST be
563      validated, as per Section 3.1 of HTTP Over TLS [RFC2818]. This
564      header parameter is OPTIONAL.

566   4.1.6. "jwk" (JSON Web Key) Header Parameter

568      The "jwk" (JSON Web Key) header parameter is a public key that
569      corresponds to the key used to encrypt the JWE; this can be used to
570      determine the private key needed to decrypt the JWE. This key is
571      represented as a JSON Web Key [JWK]. This header parameter is
572      OPTIONAL.

574   4.1.7. "x5u" (X.509 URL) Header Parameter

576      The "x5u" (X.509 URL) header parameter is a URI [RFC3986] that refers
577      to a resource for the X.509 public key certificate or certificate
578      chain [RFC5280] corresponding to the key used to encrypt the JWE;
579      this can be used to determine the private key needed to decrypt the
580      JWE. The identified resource MUST provide a representation of the
581      certificate or certificate chain that conforms to RFC 5280 [RFC5280]
582      in PEM encoded form [RFC1421]. The certificate containing the public
583      key of the entity that encrypted the JWE MUST be the first
584      certificate. This MAY be followed by additional certificates, with
585      each subsequent certificate being the one used to certify the
586      previous one. The protocol used to acquire the resource MUST provide
587      integrity protection; an HTTP GET request to retrieve the certificate
588      MUST use TLS [RFC2818] [RFC5246]; the identity of the server MUST be
589      validated, as per Section 3.1 of HTTP Over TLS [RFC2818]. This
590      header parameter is OPTIONAL.

592   4.1.8. "x5t" (X.509 Certificate Thumbprint) Header Parameter

594      The "x5t" (X.509 Certificate Thumbprint) header parameter provides a
595      base64url encoded SHA-1 thumbprint (a.k.a. digest) of the DER
596      encoding of the X.509 certificate [RFC5280] corresponding to the key
597      used to encrypt the JWE; this can be used to determine the private
598      key needed to decrypt the JWE. This header parameter is OPTIONAL.

600      If, in the future, certificate thumbprints need to be computed using
601      hash functions other than SHA-1, it is suggested that additional
602      related header parameters be defined for that purpose. For example,
603      it is suggested that a new "x5t#S256" (X.509 Certificate Thumbprint
604      using SHA-256) header parameter could be defined by registering it in
605      the IANA JSON Web Signature and Encryption Header Parameters registry
606      [JWS].

608   4.1.9. "x5c" (X.509 Certificate Chain) Header Parameter

610      The "x5c" (X.509 Certificate Chain) header parameter contains the
611      X.509 public key certificate or certificate chain [RFC5280]
612      corresponding to the key used to encrypt the JWE; this can be used to
613      determine the private key needed to decrypt the JWE. The certificate
614      or certificate chain is represented as an array of certificate value
615      strings. Each string is a base64 encoded ([RFC4648] Section 4 -- not
616      base64url encoded) DER [ITU.X690.1994] PKIX certificate value. The
617      certificate containing the public key of the entity that encrypted
618      the JWE MUST be the first certificate. This MAY be followed by
619      additional certificates, with each subsequent certificate being the
620      one used to certify the previous one. The recipient MUST verify the
621      certificate chain according to [RFC5280] and reject the JWE if any
622      validation failure occurs. This header parameter is OPTIONAL.

624      See Appendix B of [JWS] for an example "x5c" value.

626   4.1.10. "kid" (Key ID) Header Parameter

628      The "kid" (key ID) header parameter is a hint indicating which key
629      was used to encrypt the JWE; this can be used to determine the
630      private key needed to decrypt the JWE.
631      This parameter allows originators to explicitly signal a change of key
632      to recipients. Should the recipient be unable to locate a key
633      corresponding to the "kid" value, they SHOULD treat that condition as
634      an error. The interpretation of the "kid" value is unspecified. Its
635      value MUST be a string. This header parameter is OPTIONAL.

637      When used with a JWK, the "kid" value MAY be used to match a JWK
638      "kid" parameter value.

640   4.1.11. "typ" (Type) Header Parameter

642      The "typ" (type) header parameter is used to declare the type of this
643      object. The type value "JWE" MAY be used to indicate that this
644      object is a JWE. The "typ" value is a case sensitive string. This
645      header parameter is OPTIONAL.

647      MIME Media Type [RFC2046] values MAY be used as "typ" values.

649      "typ" values SHOULD either be registered in the IANA JSON Web
650      Signature and Encryption Type Values registry [JWS] or be a URI that
651      contains a Collision Resistant Namespace.

653   4.1.12. "cty" (Content Type) Header Parameter

655      The "cty" (content type) header parameter is used to declare the type
656      of the encrypted content (the Plaintext). The "cty" value is a case
657      sensitive string. This header parameter is OPTIONAL.

659      The values used for the "cty" header parameter come from the same
660      value space as the "typ" header parameter, with the same rules
661      applying.

663   4.1.13. "apu" (Agreement PartyUInfo) Header Parameter

665      The "apu" (agreement PartyUInfo) value for key agreement algorithms
666      using it (such as "ECDH-ES"), represented as a base64url encoded
667      string. This header parameter is OPTIONAL.

669   4.1.14. "apv" (Agreement PartyVInfo) Header Parameter

671      The "apv" (agreement PartyVInfo) value for key agreement algorithms
672      using it (such as "ECDH-ES"), represented as a base64url encoded
673      string. This header parameter is OPTIONAL.

675   4.1.15. "epu" (Encryption PartyUInfo) Header Parameter

677      The "epu" (encryption PartyUInfo) value for plaintext encryption
678      algorithms using it (such as "A128CBC+HS256"), represented as a
679      base64url encoded string. This header parameter is OPTIONAL.

681   4.1.16. "epv" (Encryption PartyVInfo) Header Parameter

683      The "epv" (encryption PartyVInfo) value for plaintext encryption
684      algorithms using it (such as "A128CBC+HS256"), represented as a
685      base64url encoded string. This header parameter is OPTIONAL.

687   4.2. Public Header Parameter Names

689      Additional header parameter names can be defined by those using JWEs.
690      However, in order to prevent collisions, any new header parameter
691      name SHOULD either be registered in the IANA JSON Web Signature and
692      Encryption Header Parameters registry [JWS] or be a URI that contains
693      a Collision Resistant Namespace. In each case, the definer of the
694      name or value needs to take reasonable precautions to make sure they
695      are in control of the part of the namespace they use to define the
696      header parameter name.

698      New header parameters should be introduced sparingly, as they can
699      result in non-interoperable JWEs.

701   4.3. Private Header Parameter Names

703      A producer and consumer of a JWE may agree to any header parameter
704      name that is not a Reserved Name (Section 4.1) or a Public Name
705      (Section 4.2). Unlike Public Names, these private names are subject to
706      collision and should be used with caution.

708   5. Message Encryption

710      The message encryption process is as follows. The order of the steps
711      is not significant in cases where there are no dependencies between
712      the inputs and outputs of the steps.

714      1.   When key wrapping, key encryption, or key agreement with key
715           wrapping are employed, generate a random Content Master Key
716           (CMK). See RFC 4086 [RFC4086] for considerations on generating
717           random values. The CMK MUST have a length equal to that
718           required for the block encryption algorithm.

720      2.   When key agreement is employed, use the key agreement algorithm
721           to compute the value of the agreed upon key. When key agreement
722           without key wrapping is employed, let the Content Master Key
723           (CMK) be the agreed upon key. When key agreement with key
724           wrapping is employed, the agreed upon key will be used to wrap
725           the CMK.

727      3.   When key wrapping, key encryption, or key agreement with key
728           wrapping are employed, encrypt the CMK for the recipient (see
729           Section 7) and let the result be the JWE Encrypted Key.
730           Otherwise, when direct encryption with a shared or agreed upon
731           symmetric key is employed, let the JWE Encrypted Key be the
732           empty byte array.

734      4.   When direct encryption with a shared symmetric key is employed,
735           let the Content Master Key (CMK) be the shared key.

737      5.   Base64url encode the JWE Encrypted Key to create the Encoded JWE
738           Encrypted Key.

740      6.   Generate a random JWE Initialization Vector of the correct size
741           for the block encryption algorithm (if required for the
742           algorithm); otherwise, let the JWE Initialization Vector be the
743           empty byte string.

745      7.   Base64url encode the JWE Initialization Vector to create the
746           Encoded JWE Initialization Vector.

748      8.   Compress the Plaintext if a "zip" parameter was included.

750      9.   Serialize the (compressed) Plaintext into a byte sequence M.

752      10.  Create a JWE Header containing the encryption parameters used.
753           Note that white space is explicitly allowed in the
754           representation and no canonicalization need be performed before
755           encoding.

757      11.  Base64url encode the bytes of the UTF-8 representation of the
758           JWE Header to create the Encoded JWE Header.

760      12.  Let the "additional authenticated data" value be the bytes of
761           the ASCII representation of the concatenation of the Encoded JWE
762           Header, a period ('.') character, the Encoded JWE Encrypted Key,
763           a second period character ('.'), and the Encoded JWE
764           Initialization Vector.

766      13.  Encrypt M using the CMK, the JWE Initialization Vector, and the
767           "additional authenticated data" value using the specified block
768           encryption algorithm to create the JWE Ciphertext value and the
769           JWE Integrity Value (which is the "authentication tag" output
770           from the calculation).

772      14.  Base64url encode the JWE Ciphertext to create the Encoded JWE
773           Ciphertext.

775      15.  Base64url encode the JWE Integrity Value to create the Encoded
776           JWE Integrity Value.

778      16.  The five encoded parts, taken together, are the result.

780      17.  The Compact Serialization of this result is the concatenation of
781           the Encoded JWE Header, the Encoded JWE Encrypted Key, the
782           Encoded JWE Initialization Vector, the Encoded JWE Ciphertext,
783           and the Encoded JWE Integrity Value in that order, with the five
784           strings being separated by four period ('.') characters.

786   6. Message Decryption

788      The message decryption process is the reverse of the encryption
789      process. The order of the steps is not significant in cases where
790      there are no dependencies between the inputs and outputs of the
791      steps. If any of these steps fails, the JWE MUST be rejected.

793      1.   Determine the Encoded JWE Header, the Encoded JWE Encrypted Key,
794           the Encoded JWE Initialization Vector, the Encoded JWE
795           Ciphertext, and the Encoded JWE Integrity Value values contained
796           in the JWE. When using the Compact Serialization, these five
797           values are represented in that order, separated by four period
798           ('.') characters.

800      2.   The Encoded JWE Header, the Encoded JWE Encrypted Key, the
801           Encoded JWE Initialization Vector, the Encoded JWE Ciphertext,
802           and the Encoded JWE Integrity Value MUST be successfully
803           base64url decoded following the restriction that no padding
804           characters have been used.

806      3.   The resulting JWE Header MUST be completely valid JSON syntax
807           conforming to RFC 4627 [RFC4627].

809      4.   The resulting JWE Header MUST be validated to only include
810           parameters and values whose syntax and semantics are both
811           understood and supported.

813      5.   Verify that the JWE uses a key known to the recipient.

815      6.   When key agreement is employed, use the key agreement algorithm
816           to compute the value of the agreed upon key. When key agreement
817           without key wrapping is employed, let the Content Master Key
818           (CMK) be the agreed upon key. When key agreement with key
819           wrapping is employed, the agreed upon key will be used to
820           decrypt the JWE Encrypted Key.

822      7.   When key wrapping, key encryption, or key agreement with key
823           wrapping are employed, decrypt the JWE Encrypted Key to produce
824           the Content Master Key (CMK). The CMK MUST have a length equal
825           to that required for the block encryption algorithm.

827      8.   When direct encryption with a shared symmetric key is employed,
828           let the Content Master Key (CMK) be the shared key.

830      9.   Let the "additional authenticated data" value be the bytes of
831           the ASCII representation of the concatenation of the Encoded JWE
832           Header, a period ('.') character, the Encoded JWE Encrypted Key,
833           a second period character ('.'), and the Encoded JWE
834           Initialization Vector.

836      10.  Decrypt the JWE Ciphertext using the CMK, the JWE Initialization
837           Vector, the "additional authenticated data" value, and the JWE
838           Integrity Value (which is the "authentication tag" input to the
839           calculation) using the specified block encryption algorithm,
840           returning the decrypted plaintext and verifying the JWE
841           Integrity Value in the manner specified for the algorithm,
842           rejecting the input without emitting any decrypted output if the
843           JWE Integrity Value is incorrect.

845      11.  Uncompress the decrypted plaintext if a "zip" parameter was
846           included.

848      12.  Output the resulting Plaintext.

850   7. CMK Encryption

852      JWE supports three forms of Content Master Key (CMK) encryption:

854      o  Asymmetric encryption under the recipient's public key.

856      o  Symmetric encryption under a key shared between the sender and
857         receiver.

859      o  Symmetric encryption under a key agreed upon between the sender
860         and receiver.

862      See the algorithms registered for "enc" usage in the IANA JSON Web
863      Signature and Encryption Algorithms registry [JWA] and Section 4.1 of
864      the JSON Web Algorithms (JWA) [JWA] specification for lists of
865      encryption algorithms that can be used for CMK encryption.

867   8. Encrypting JWEs with Cryptographic Algorithms

869      JWE uses cryptographic algorithms to encrypt the Plaintext and the
870      Content Encryption Key (CMK) and to provide integrity protection for
871      the JWE Header, JWE Encrypted Key, and JWE Ciphertext. The JSON Web
872      Algorithms (JWA) [JWA] specification specifies a set of cryptographic
873      algorithms and identifiers to be used with this specification and
874      defines registries for additional such algorithms. Specifically,
875      Section 4.1 specifies a set of "alg" (algorithm) header parameter
876      values and Section 4.2 specifies a set of "enc" (encryption method)
877      header parameter values intended for use with this specification.
878      It also describes the semantics and operations that are specific to these
879      algorithms and algorithm families.

881      Public keys employed for encryption can be identified using the
882      Header Parameter methods described in Section 4.1 or can be
883      distributed using methods that are outside the scope of this
884      specification.

886   9. IANA Considerations

888   9.1. Registration of JWE Header Parameter Names

890      This specification registers the Header Parameter Names defined in
891      Section 4.1 in the IANA JSON Web Signature and Encryption Header
892      Parameters registry [JWS].

894   9.1.1. Registry Contents

896      o  Header Parameter Name: "alg"
897      o  Change Controller: IETF
898      o  Specification Document(s): Section 4.1.1 of [[ this document ]]

900      o  Header Parameter Name: "enc"
901      o  Change Controller: IETF
902      o  Specification Document(s): Section 4.1.2 of [[ this document ]]

904      o  Header Parameter Name: "epk"
905      o  Change Controller: IETF
906      o  Specification Document(s): Section 4.1.3 of [[ this document ]]

907      o  Header Parameter Name: "zip"
908      o  Change Controller: IETF
909      o  Specification Document(s): Section 4.1.4 of [[ this document ]]

911      o  Header Parameter Name: "jku"
912      o  Change Controller: IETF
913      o  Specification Document(s): Section 4.1.5 of [[ this document ]]

915      o  Header Parameter Name: "jwk"
916      o  Change Controller: IETF
917      o  Specification Document(s): Section 4.1.6 of [[ this document ]]

919      o  Header Parameter Name: "x5u"
920      o  Change Controller: IETF
921      o  Specification Document(s): Section 4.1.7 of [[ this document ]]

923      o  Header Parameter Name: "x5t"
924      o  Change Controller: IETF
925      o  Specification Document(s): Section 4.1.8 of [[ this document ]]

927      o  Header Parameter Name: "x5c"
928      o  Change Controller: IETF
929      o  Specification Document(s): Section 4.1.9 of [[ this document ]]

931      o  Header Parameter Name: "kid"
932      o  Change Controller: IETF
933      o  Specification Document(s): Section 4.1.10 of [[ this document ]]

935      o  Header Parameter Name: "typ"
936      o  Change Controller: IETF
937      o  Specification Document(s): Section 4.1.11 of [[ this document ]]

939      o  Header Parameter Name: "cty"
940      o  Change Controller: IETF
941      o  Specification Document(s): Section 4.1.12 of [[ this document ]]

943      o  Header Parameter Name: "apu"
944      o  Change Controller: IETF
945      o  Specification Document(s): Section 4.1.13 of [[ this document ]]

947      o  Header Parameter Name: "apv"
948      o  Change Controller: IETF
949      o  Specification Document(s): Section 4.1.14 of [[ this document ]]

951      o  Header Parameter Name: "epu"
952      o  Change Controller: IETF
953      o  Specification Document(s): Section 4.1.15 of [[ this document ]]

955      o  Header Parameter Name: "epv"
956      o  Change Controller: IETF
957      o  Specification Document(s): Section 4.1.16 of [[ this document ]]

959   9.2. JSON Web Signature and Encryption Type Values Registration

961   9.2.1. Registry Contents

963      This specification registers the "JWE" type value in the IANA JSON
964      Web Signature and Encryption Type Values registry [JWS]:

966      o  "typ" Header Parameter Value: "JWE"
967      o  Abbreviation for MIME Type: application/jwe
968      o  Change Controller: IETF
969      o  Specification Document(s): Section 4.1.11 of [[ this document ]]

971   9.3. Media Type Registration

973   9.3.1. Registry Contents

975      This specification registers the "application/jwe" Media Type
976      [RFC2046] in the MIME Media Type registry [RFC4288] to indicate that
977      the content is a JWE using the Compact Serialization.
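
The structural checks in steps 1 to 4 and 9 of Section 6 can be exercised on a Compact Serialization such as the one this media type carries. The Python below is an added example, not code from the draft: the function and class names are assumptions, and the sample token joins the A.1 header, IV, ciphertext and integrity value with a short constructed encrypted-key segment.

```python
import base64
import binascii
import json
import re
from dataclasses import dataclass

# Header parameter names reserved in Section 4.1 of the draft. A real
# recipient would narrow this to the parameters it actually supports.
RESERVED_NAMES = frozenset({
    "alg", "enc", "epk", "zip", "jku", "jwk", "x5u", "x5t",
    "x5c", "kid", "typ", "cty", "apu", "apv", "epu", "epv",
})
_B64URL = re.compile(r"[A-Za-z0-9_-]*")

# Sample input: header, IV, ciphertext and integrity value are the A.1
# values from the draft; the encrypted-key segment is a constructed
# 8-byte placeholder, so this token parses but cannot be decrypted.
SAMPLE_TOKEN = ".".join([
    "eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ",
    "AAECAwQFBgc",
    "48V1_ALb6US04U3b",
    "_e21tGGhac_peEFkLXr2dMPUZiUkrw",
    "7V5ZDko0v_mf2PAc4JMiUg",
])


class JWEFormatError(ValueError):
    """A structural step failed, so the JWE must be rejected."""


@dataclass(frozen=True)
class CompactJWE:
    header: dict
    encrypted_key: bytes
    iv: bytes
    ciphertext: bytes
    integrity_value: bytes
    aad: bytes  # "additional authenticated data" for the AEAD call


def b64url_encode(data: bytes) -> str:
    """Base64url encode without padding, as the serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Step 2: decode one part, refusing padding and foreign characters."""
    if not _B64URL.fullmatch(segment):
        raise JWEFormatError("padding or non-base64url character in part")
    if len(segment) % 4 == 1:
        raise JWEFormatError("impossible base64url length")
    try:
        return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    except binascii.Error as exc:
        raise JWEFormatError(str(exc)) from exc


def parse_compact_jwe(token: str, understood=RESERVED_NAMES) -> CompactJWE:
    """Run decryption steps 1-4 and 9; key handling and AEAD come after."""
    # Step 1: five parts separated by exactly four periods.
    parts = token.split(".")
    if len(parts) != 5:
        raise JWEFormatError("expected five period-separated parts")
    # Step 2: every part must decode; empty key and IV parts are legal.
    raw_header, key, iv, ciphertext, tag = (b64url_decode(p) for p in parts)
    # Step 3: the header must be valid JSON (an object).
    try:
        header = json.loads(raw_header.decode("utf-8"))
    except ValueError as exc:  # covers bad UTF-8 and bad JSON
        raise JWEFormatError("JWE Header is not valid JSON") from exc
    if not isinstance(header, dict):
        raise JWEFormatError("JWE Header is not a JSON object")
    # Step 4: only parameters and values that are understood.
    unknown = set(header) - set(understood)
    if unknown:
        raise JWEFormatError(f"unsupported header parameters: {sorted(unknown)}")
    # "enc" is REQUIRED above; "alg" is REQUIRED by Section 4.1.1 of the draft.
    for name in ("alg", "enc"):
        if not isinstance(header.get(name), str):
            raise JWEFormatError(f'"{name}" is missing or not a string')
    if header.get("zip", "DEF") != "DEF":
        raise JWEFormatError('"zip" must be "DEF" when present')
    # Step 9: the AAD is built from the encoded parts exactly as received.
    # Re-serializing the header would change these bytes, because white
    # space is allowed in it and nothing is canonicalized.
    aad = ".".join(parts[:3]).encode("ascii")
    return CompactJWE(header, key, iv, ciphertext, tag, aad)


if __name__ == "__main__":
    jwe = parse_compact_jwe(SAMPLE_TOKEN)
    print(jwe.header, list(jwe.iv), len(jwe.aad))
```

Only after these checks pass would a recipient go on to key selection (step 5) and the authenticated decryption in step 10, passing `aad` unchanged to the AEAD algorithm.
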

979      o  Type Name: application
980      o  Subtype Name: jwe
981      o  Required Parameters: n/a
982      o  Optional Parameters: n/a
983      o  Encoding considerations: JWE values are encoded as a series of
984         base64url encoded values (some of which may be the empty string)
985         separated by period ('.') characters
986      o  Security Considerations: See the Security Considerations section
987         of this document
988      o  Interoperability Considerations: n/a
989      o  Published Specification: [[ this document ]]
990      o  Applications that use this media type: OpenID Connect and other
991         applications using encrypted JWTs
992      o  Additional Information: Magic number(s): n/a, File extension(s):
993         n/a, Macintosh file type code(s): n/a
994      o  Person & email address to contact for further information: Michael
995         B. Jones, mbj@microsoft.com
996      o  Intended Usage: COMMON
997      o  Restrictions on Usage: none
998      o  Author: Michael B. Jones, mbj@microsoft.com
999      o  Change Controller: IETF

1001  10. Security Considerations

1003     All of the security issues faced by any cryptographic application
1004     must be faced by a JWS/JWE/JWK agent. Among these issues are
1005     protecting the user's private key, preventing various attacks, and
1006     helping the user avoid mistakes such as inadvertently encrypting a
1007     message for the wrong recipient. The entire list of security
1008     considerations is beyond the scope of this document, but some
1009     significant concerns are listed here.

1011     All the security considerations in the JWS specification also apply
1012     to this specification. Likewise, all the security considerations in
1013     XML Encryption 1.1 [W3C.CR-xmlenc-core1-20120313] also apply to JWE,
1014     other than those that are XML specific.

1016  11. References

1018  11.1. Normative References

1020     [ITU.X690.1994]
1021                International Telecommunications Union, "Information
1022                Technology - ASN.1 encoding rules: Specification of Basic
1023                Encoding Rules (BER), Canonical Encoding Rules (CER) and
1024                Distinguished Encoding Rules (DER)", ITU-T Recommendation
1025                X.690, 1994.

1027     [JWA]      Jones, M., "JSON Web Algorithms (JWA)", November 2012.

1029     [JWK]      Jones, M., "JSON Web Key (JWK)", November 2012.

1031     [JWS]      Jones, M., Bradley, J., and N. Sakimura, "JSON Web
1032                Signature (JWS)", November 2012.

1034     [RFC1421]  Linn, J., "Privacy Enhancement for Internet Electronic
1035                Mail: Part I: Message Encryption and Authentication
1036                Procedures", RFC 1421, February 1993.

1038     [RFC1951]  Deutsch, P., "DEFLATE Compressed Data Format Specification
1039                version 1.3", RFC 1951, May 1996.

1041     [RFC2046]  Freed, N. and N. Borenstein, "Multipurpose Internet Mail
1042                Extensions (MIME) Part Two: Media Types", RFC 2046,
1043                November 1996.

1045     [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
1046                Requirement Levels", BCP 14, RFC 2119, March 1997.

1048     [RFC2818]  Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.

1050     [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
1051                10646", STD 63, RFC 3629, November 2003.

1053     [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
1054                Resource Identifier (URI): Generic Syntax", STD 66,
1055                RFC 3986, January 2005.

1057     [RFC4086]  Eastlake, D., Schiller, J., and S. Crocker, "Randomness
1058                Requirements for Security", BCP 106, RFC 4086, June 2005.

1060     [RFC4288]  Freed, N. and J. Klensin, "Media Type Specifications and
1061                Registration Procedures", BCP 13, RFC 4288, December 2005.

1063     [RFC4627]  Crockford, D., "The application/json Media Type for
1064                JavaScript Object Notation (JSON)", RFC 4627, July 2006.

1066     [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
1067                Encodings", RFC 4648, October 2006.

1069     [RFC5116]  McGrew, D., "An Interface and Algorithms for Authenticated
1070                Encryption", RFC 5116, January 2008.

1072     [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
1073                (TLS) Protocol Version 1.2", RFC 5246, August 2008.

1075     [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
1076                Housley, R., and W. Polk, "Internet X.509 Public Key
1077                Infrastructure Certificate and Certificate Revocation List
1078                (CRL) Profile", RFC 5280, May 2008.

1080     [W3C.CR-xmlenc-core1-20120313]
1081                Eastlake, D., Reagle, J., Roessler, T., and F. Hirsch,
1082                "XML Encryption Syntax and Processing Version 1.1", World
1083                Wide Web Consortium CR CR-xmlenc-core1-20120313,
1084                March 2012.

1087  11.2. Informative References

1089     [I-D.rescorla-jsms]
1090                Rescorla, E. and J. Hildebrand, "JavaScript Message
1091                Security Format", draft-rescorla-jsms-00 (work in
1092                progress), March 2011.

1094     [JSE]      Bradley, J. and N. Sakimura (editor), "JSON Simple
1095                Encryption", September 2010.

1097     [JWE-JS]   Jones, M., "JSON Web Encryption JSON Serialization
1098                (JWE-JS)", November 2012.

1100     [RFC4122]  Leach, P., Mealling, M., and R. Salz, "A Universally
1101                Unique IDentifier (UUID) URN Namespace", RFC 4122,
1102                July 2005.

1104     [RFC5652]  Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
1105                RFC 5652, September 2009.

1107  Appendix A. JWE Examples

1109     This section provides examples of JWE computations.

1111  A.1. Example JWE using RSAES OAEP and AES GCM

1113     This example encrypts the plaintext "Live long and prosper." to the
1114     recipient using RSAES OAEP and AES GCM. The AES GCM algorithm has an
1115     integrated integrity check. The representation of this plaintext is:

1117     [76, 105, 118, 101, 32, 108, 111, 110, 103, 32, 97, 110, 100, 32,
1118     112, 114, 111, 115, 112, 101, 114, 46]

1120  A.1.1. JWE Header

1122     The following example JWE Header declares that:

1124     o  the Content Master Key is encrypted to the recipient using the
1125        RSAES OAEP algorithm to produce the JWE Encrypted Key and

1127     o  the Plaintext is encrypted using the AES GCM algorithm with a 256
1128        bit key to produce the Ciphertext.

1130     {"alg":"RSA-OAEP","enc":"A256GCM"}

1132  A.1.2. Encoded JWE Header

1134     Base64url encoding the bytes of the UTF-8 representation of the JWE
1135     Header yields this Encoded JWE Header value:

1137     eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ

1139  A.1.3. Content Master Key (CMK)

1141     Generate a 256 bit random Content Master Key (CMK). In this example,
1142     the value is:

1144     [177, 161, 244, 128, 84, 143, 225, 115, 63, 180, 3, 255, 107, 154,
1145     212, 246, 138, 7, 110, 91, 112, 46, 34, 105, 47, 130, 203, 46, 122,
1146     234, 64, 252]

1148  A.1.4. Key Encryption

1150     Encrypt the CMK with the recipient's public key using the RSAES OAEP
1151     algorithm to produce the JWE Encrypted Key. In this example, the RSA
1152     key parameters are:

1207     The resulting JWE Encrypted Key value is:

1228  A.1.5. Encoded JWE Encrypted Key

1230     Base64url encode the JWE Encrypted Key to produce the Encoded JWE
1231     Encrypted Key.
1232     This result (with line breaks for display purposes only) is:

1234     M2XxpbORKezKSzzQL_95-GjiudRBTqn_omS8z9xgoRb7L0Jw5UsEbxmtyHn2T71m
1235     rZLkjg4Mp8gbhYoltPkEOHvAopz25-vZ8C2e1cOaAo5WPcbSIuFcB4DjBOM3t0UA
1236     O6JHkWLuAEYoe58lcxIQneyKdaYSLbV9cKqoUoFQpvKWYRHZbfszIyfsa18rmgTj
1237     zrtLDTPnc09DSJE24aQ8w3i8RXEDthW9T1J6LsTH_vwHdwUgkI-tC2PNeGrnM-dN
1238     SfzF3Y7-lwcGy0FsdXkPXytvDV7y4pZeeUiQ-0VdibIN2AjjfW60nfrPuOjepMFG
1239     6BBBbR37pHcyzext9epOAQ

1241  A.1.6. Initialization Vector

1243     Generate a random 96 bit JWE Initialization Vector. In this example,
1244     the value is:

1246     [227, 197, 117, 252, 2, 219, 233, 68, 180, 225, 77, 219]

1248     Base64url encoding this value yields the Encoded JWE Initialization
1249     Vector value:

1251     48V1_ALb6US04U3b

1253  A.1.7. "Additional Authenticated Data" Parameter

1255     Concatenate the Encoded JWE Header value, a period character ('.'),
1256     the Encoded JWE Encrypted Key, a second period character ('.'), and
1257     the Encoded JWE Initialization Vector to create the "additional
1258     authenticated data" parameter for the AES GCM algorithm. This result
1259     (with line breaks for display purposes only) is:

1261     eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ.
1262     M2XxpbORKezKSzzQL_95-GjiudRBTqn_omS8z9xgoRb7L0Jw5UsEbxmtyHn2T71m
1263     rZLkjg4Mp8gbhYoltPkEOHvAopz25-vZ8C2e1cOaAo5WPcbSIuFcB4DjBOM3t0UA
1264     O6JHkWLuAEYoe58lcxIQneyKdaYSLbV9cKqoUoFQpvKWYRHZbfszIyfsa18rmgTj
1265     zrtLDTPnc09DSJE24aQ8w3i8RXEDthW9T1J6LsTH_vwHdwUgkI-tC2PNeGrnM-dN
1266     SfzF3Y7-lwcGy0FsdXkPXytvDV7y4pZeeUiQ-0VdibIN2AjjfW60nfrPuOjepMFG
1267     6BBBbR37pHcyzext9epOAQ.
1268     48V1_ALb6US04U3b

1270     The representation of this value is:

1299  A.1.8. Plaintext Encryption

1301     Encrypt the Plaintext with AES GCM using the CMK as the encryption
1302     key, the JWE Initialization Vector, and the "additional authenticated
1303     data" value above, requesting a 128 bit "authentication tag" output.
1304     The resulting Ciphertext is:

1306     [253, 237, 181, 180, 97, 161, 105, 207, 233, 120, 65, 100, 45, 122,
1307     246, 116, 195, 212, 102, 37, 36, 175]

1309     The resulting "authentication tag" value is:

1311     [237, 94, 89, 14, 74, 52, 191, 249, 159, 216, 240, 28, 224, 147, 34,
1312     82]

1314  A.1.9. Encoded JWE Ciphertext

1316     Base64url encode the resulting Ciphertext to create the Encoded JWE
1317     Ciphertext. This result is:

1319     _e21tGGhac_peEFkLXr2dMPUZiUkrw

1321  A.1.10. Encoded JWE Integrity Value

1323     Base64url encode the resulting "authentication tag" to create the
1324     Encoded JWE Integrity Value. This result is:

1326     7V5ZDko0v_mf2PAc4JMiUg

1328  A.1.11. Complete Representation

1330     Assemble the final representation: The Compact Serialization of this
1331     result is the concatenation of the Encoded JWE Header, the Encoded
1332     JWE Encrypted Key, the Encoded JWE Initialization Vector, the Encoded
1333     JWE Ciphertext, and the Encoded JWE Integrity Value in that order,
1334     with the five strings being separated by four period ('.')
1335     characters.

1337     The final result in this example (with line breaks for display
1338     purposes only) is:

1340     eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ.
1341     M2XxpbORKezKSzzQL_95-GjiudRBTqn_omS8z9xgoRb7L0Jw5UsEbxmtyHn2T71m
1342     rZLkjg4Mp8gbhYoltPkEOHvAopz25-vZ8C2e1cOaAo5WPcbSIuFcB4DjBOM3t0UA
1343     O6JHkWLuAEYoe58lcxIQneyKdaYSLbV9cKqoUoFQpvKWYRHZbfszIyfsa18rmgTj
1344     zrtLDTPnc09DSJE24aQ8w3i8RXEDthW9T1J6LsTH_vwHdwUgkI-tC2PNeGrnM-dN
1345     SfzF3Y7-lwcGy0FsdXkPXytvDV7y4pZeeUiQ-0VdibIN2AjjfW60nfrPuOjepMFG
1346     6BBBbR37pHcyzext9epOAQ.
1347     48V1_ALb6US04U3b.
1348     _e21tGGhac_peEFkLXr2dMPUZiUkrw.
1349     7V5ZDko0v_mf2PAc4JMiUg

1351  A.1.12. Validation

1353     This example illustrates the process of creating a JWE with an AEAD
1354     algorithm. These results can be used to validate JWE decryption
1355     implementations for these algorithms. Note that since the RSAES OAEP
1356     computation includes random values, the encryption results above will
1357     not be completely reproducible. However, since the AES GCM
1358     computation is deterministic, the JWE Encrypted Ciphertext values
1359     will be the same for all encryptions performed using these inputs.

1361  A.2. Example JWE using RSAES-PKCS1-V1_5 and AES CBC

1363     This example encrypts the plaintext "No matter where you go, there
1364     you are." to the recipient using RSAES-PKCS1-V1_5 and AES CBC. AES
1365     CBC does not have an integrated integrity check, so a separate
1366     integrity check calculation is performed using HMAC SHA-256, with
1367     separate encryption and integrity keys being derived from a master
1368     key using the Concat KDF with the SHA-256 digest function. The
1369     representation of this plaintext is:

1371     [78, 111, 32, 109, 97, 116, 116, 101, 114, 32, 119, 104, 101, 114,
1372     101, 32, 121, 111, 117, 32, 103, 111, 44, 32, 116, 104, 101, 114,
1373     101, 32, 121, 111, 117, 32, 97, 114, 101, 46]

1375  A.2.1. JWE Header

1377     The following example JWE Header (with line breaks for display
1378     purposes only) declares that:

1380     o  the Content Master Key is encrypted to the recipient using the
1381        RSAES-PKCS1-V1_5 algorithm to produce the JWE Encrypted Key and

1383     o  the Plaintext is encrypted using the AES CBC algorithm with a 128
1384        bit key to produce the Ciphertext, with the integrity of the
1385        Ciphertext and the parameters used to create it being secured with
1386        the HMAC SHA-256 algorithm.

1388     {"alg":"RSA1_5","enc":"A128CBC+HS256"}

1390  A.2.2. Encoded JWE Header

1392     Base64url encoding the bytes of the UTF-8 representation of the JWE
1393     Header yields this Encoded JWE Header value:

1395     eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDK0hTMjU2In0

1397  A.2.3. Content Master Key (CMK)

1399     Generate a 256 bit random Content Master Key (CMK). In this example,
1400     the key value is:

1402     [4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, 63, 170, 106,
1403     206, 107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, 240, 143, 156,
1404     44, 207]

1406  A.2.4. Key Encryption

1408     Encrypt the CMK with the recipient's public key using the RSAES-
1409     PKCS1-V1_5 algorithm to produce the JWE Encrypted Key. In this
1410     example, the RSA key parameters are:
148, 34, 228, 33, 172, 216, 89, 46, 225, | 1434 | | 127, 68, 146, 234, 30, 147, 54, 146, 5, 133, 45, 78, | 1435 | | 254, 85, 55, 75, 213, 86, 194, 218, 215, 163, 189, | 1436 | | 194, 54, 6, 83, 36, 18, 153, 53, 7, 48, 89, 35, 66, | 1437 | | 144, 7, 65, 154, 13, 97, 75, 55, 230, 132, 3, 13, | 1438 | | 239, 71] | 1439 | Exponent | [1, 0, 1] | 1440 | Private | [84, 80, 150, 58, 165, 235, 242, 123, 217, 55, 38, | 1441 | Exponent | 154, 36, 181, 221, 156, 211, 215, 100, 164, 90, 88, | 1442 | | 40, 228, 83, 148, 54, 122, 4, 16, 165, 48, 76, 194, | 1443 | | 26, 107, 51, 53, 179, 165, 31, 18, 198, 173, 78, 61, | 1444 | | 56, 97, 252, 158, 140, 80, 63, 25, 223, 156, 36, 203, | 1445 | | 214, 252, 120, 67, 180, 167, 3, 82, 243, 25, 97, 214, | 1446 | | 83, 133, 69, 16, 104, 54, 160, 200, 41, 83, 164, 187, | 1447 | | 70, 153, 111, 234, 242, 158, 175, 28, 198, 48, 211, | 1448 | | 45, 148, 58, 23, 62, 227, 74, 52, 117, 42, 90, 41, | 1449 | | 249, 130, 154, 80, 119, 61, 26, 193, 40, 125, 10, | 1450 | | 152, 174, 227, 225, 205, 32, 62, 66, 6, 163, 100, 99, | 1451 | | 219, 19, 253, 25, 105, 80, 201, 29, 252, 157, 237, | 1452 | | 69, 1, 80, 171, 167, 20, 196, 156, 109, 249, 88, 0, | 1453 | | 3, 152, 38, 165, 72, 87, 6, 152, 71, 156, 214, 16, | 1454 | | 71, 30, 82, 51, 103, 76, 218, 63, 9, 84, 163, 249, | 1455 | | 91, 215, 44, 238, 85, 101, 240, 148, 1, 82, 224, 91, | 1456 | | 135, 105, 127, 84, 171, 181, 152, 210, 183, 126, 24, | 1457 | | 46, 196, 90, 173, 38, 245, 219, 186, 222, 27, 240, | 1458 | | 212, 194, 15, 66, 135, 226, 178, 190, 52, 245, 74, | 1459 | | 65, 224, 81, 100, 85, 25, 204, 165, 203, 187, 175, | 1460 | | 84, 100, 82, 15, 11, 23, 202, 151, 107, 54, 41, 207, | 1461 | | 3, 136, 229, 134, 131, 93, 139, 50, 182, 204, 93, | 1462 | | 130, 89] | 1463 +-----------+-------------------------------------------------------+ 1465 The resulting JWE Encrypted Key value is: 1467 [102, 105, 229, 169, 104, 35, 95, 42, 176, 142, 190, 220, 92, 124, 1468 172, 240, 94, 253, 106, 114, 20, 
35, 162, 118, 81, 103, 64, 201, 20, 1469 4, 112, 96, 84, 248, 163, 199, 177, 227, 204, 247, 93, 63, 70, 132, 1470 195, 26, 237, 72, 91, 141, 3, 159, 71, 111, 113, 213, 68, 142, 146, 1471 92, 60, 243, 72, 111, 53, 156, 51, 16, 226, 215, 125, 68, 141, 232, 1472 62, 111, 197, 98, 91, 150, 23, 230, 132, 93, 97, 216, 145, 226, 3, 1473 18, 12, 48, 119, 153, 185, 8, 156, 195, 84, 21, 63, 143, 43, 144, 1474 174, 101, 25, 199, 7, 106, 212, 43, 151, 225, 62, 225, 122, 92, 90, 1475 139, 45, 144, 134, 229, 15, 235, 38, 110, 132, 189, 236, 126, 92, 1476 183, 13, 64, 2, 77, 107, 95, 186, 8, 133, 53, 217, 104, 247, 152, 1477 241, 49, 199, 15, 111, 110, 123, 16, 13, 78, 193, 224, 23, 230, 133, 1478 220, 162, 126, 82, 192, 236, 7, 185, 100, 106, 21, 70, 93, 192, 255, 1479 252, 139, 61, 124, 81, 140, 113, 97, 164, 231, 131, 167, 246, 157, 1480 199, 195, 114, 122, 49, 121, 115, 63, 114, 12, 165, 11, 186, 3, 108, 1481 12, 199, 101, 29, 226, 80, 56, 193, 149, 45, 134, 146, 102, 221, 202, 1482 63, 166, 150, 53, 42, 133, 3, 83, 199, 14, 15, 181, 209, 199, 174, 1483 76, 75, 106, 254, 243, 196, 227, 225, 173, 122, 254, 13, 224, 174, 4, 1484 185, 217, 99, 225] 1486 A.2.5. Encoded JWE Encrypted Key 1488 Base64url encode the JWE Encrypted Key to produce the Encoded JWE 1489 Encrypted Key. This result (with line breaks for display purposes 1490 only) is: 1492 ZmnlqWgjXyqwjr7cXHys8F79anIUI6J2UWdAyRQEcGBU-KPHsePM910_RoTDGu1I 1493 W40Dn0dvcdVEjpJcPPNIbzWcMxDi131Ejeg-b8ViW5YX5oRdYdiR4gMSDDB3mbkI 1494 nMNUFT-PK5CuZRnHB2rUK5fhPuF6XFqLLZCG5Q_rJm6Evex-XLcNQAJNa1-6CIU1 1495 2Wj3mPExxw9vbnsQDU7B4BfmhdyiflLA7Ae5ZGoVRl3A__yLPXxRjHFhpOeDp_ad 1496 x8NyejF5cz9yDKULugNsDMdlHeJQOMGVLYaSZt3KP6aWNSqFA1PHDg-10ceuTEtq 1497 _vPE4-Gtev4N4K4Eudlj4Q 1499 A.2.6. Key Derivation 1501 Use the Concat key derivation function to derive Content Encryption 1502 Key (CEK) and Content Integrity Key (CIK) values from the CMK. The 1503 details of this derivation are shown in Appendix A.4. 
   The resulting CEK value is:

     [203, 165, 180, 113, 62, 195, 22, 98, 91, 153, 210, 38, 112, 35, 230,
     236]

   The resulting CIK value is:

     [218, 24, 160, 17, 160, 50, 235, 35, 216, 209, 100, 174, 155, 163,
     10, 117, 180, 111, 172, 200, 127, 201, 206, 173, 40, 45, 58, 170, 35,
     93, 9, 60]

A.2.7.  Initialization Vector

   Generate a random 128 bit JWE Initialization Vector.  In this
   example, the value is:

     [3, 22, 60, 12, 43, 67, 104, 105, 108, 108, 105, 99, 111, 116, 104,
     101]

   Base64url encoding this value yields the Encoded JWE Initialization
   Vector value:

     AxY8DCtDaGlsbGljb3RoZQ

A.2.8.  Plaintext Encryption

   Encrypt the Plaintext with AES CBC using the CEK and the JWE
   Initialization Vector to produce the Ciphertext.  The resulting
   Ciphertext is:

     [71, 27, 35, 131, 163, 200, 19, 23, 38, 25, 33, 123, 46, 116, 132,
     144, 58, 150, 32, 167, 192, 195, 92, 25, 207, 101, 233, 105, 181,
     121, 63, 4, 44, 162, 82, 176, 17, 171, 150, 97, 147, 68, 245, 13, 97,
     100, 145, 25]

A.2.9.  Encoded JWE Ciphertext

   Base64url encode the resulting Ciphertext to create the Encoded JWE
   Ciphertext.  This result is:

     Rxsjg6PIExcmGSF7LnSEkDqWIKfAw1wZz2XpabV5PwQsolKwEauWYZNE9Q1hZJEZ

A.2.10.  Secured Input Value

   Concatenate the Encoded JWE Header value, a period character ('.'),
   the Encoded JWE Encrypted Key, a second period character, the Encoded
   JWE Initialization Vector, a third period ('.') character, and the
   Encoded JWE Ciphertext to create the value to integrity protect.
   This result (with line breaks for display purposes only) is:

     eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDK0hTMjU2In0.
     ZmnlqWgjXyqwjr7cXHys8F79anIUI6J2UWdAyRQEcGBU-KPHsePM910_RoTDGu1I
     W40Dn0dvcdVEjpJcPPNIbzWcMxDi131Ejeg-b8ViW5YX5oRdYdiR4gMSDDB3mbkI
     nMNUFT-PK5CuZRnHB2rUK5fhPuF6XFqLLZCG5Q_rJm6Evex-XLcNQAJNa1-6CIU1
     2Wj3mPExxw9vbnsQDU7B4BfmhdyiflLA7Ae5ZGoVRl3A__yLPXxRjHFhpOeDp_ad
     x8NyejF5cz9yDKULugNsDMdlHeJQOMGVLYaSZt3KP6aWNSqFA1PHDg-10ceuTEtq
     _vPE4-Gtev4N4K4Eudlj4Q.
     AxY8DCtDaGlsbGljb3RoZQ.
     Rxsjg6PIExcmGSF7LnSEkDqWIKfAw1wZz2XpabV5PwQsolKwEauWYZNE9Q1hZJEZ

   The representation of this value is:

     [101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 83, 85, 48, 69,
     120, 88, 122, 85, 105, 76, 67, 74, 108, 98, 109, 77, 105, 79, 105,
     74, 66, 77, 84, 73, 52, 81, 48, 74, 68, 75, 48, 104, 84, 77, 106, 85,
     50, 73, 110, 48, 46, 90, 109, 110, 108, 113, 87, 103, 106, 88, 121,
     113, 119, 106, 114, 55, 99, 88, 72, 121, 115, 56, 70, 55, 57, 97,
     110, 73, 85, 73, 54, 74, 50, 85, 87, 100, 65, 121, 82, 81, 69, 99,
     71, 66, 85, 45, 75, 80, 72, 115, 101, 80, 77, 57, 49, 48, 95, 82,
     111, 84, 68, 71, 117, 49, 73, 87, 52, 48, 68, 110, 48, 100, 118, 99,
     100, 86, 69, 106, 112, 74, 99, 80, 80, 78, 73, 98, 122, 87, 99, 77,
     120, 68, 105, 49, 51, 49, 69, 106, 101, 103, 45, 98, 56, 86, 105, 87,
     53, 89, 88, 53, 111, 82, 100, 89, 100, 105, 82, 52, 103, 77, 83, 68,
     68, 66, 51, 109, 98, 107, 73, 110, 77, 78, 85, 70, 84, 45, 80, 75,
     53, 67, 117, 90, 82, 110, 72, 66, 50, 114, 85, 75, 53, 102, 104, 80,
     117, 70, 54, 88, 70, 113, 76, 76, 90, 67, 71, 53, 81, 95, 114, 74,
     109, 54, 69, 118, 101, 120, 45, 88, 76, 99, 78, 81, 65, 74, 78, 97,
     49, 45, 54, 67, 73, 85, 49, 50, 87, 106, 51, 109, 80, 69, 120, 120,
     119, 57, 118, 98, 110, 115, 81, 68, 85, 55, 66, 52, 66, 102, 109,
     104, 100, 121, 105, 102, 108, 76, 65, 55, 65, 101, 53, 90, 71, 111,
     86, 82, 108, 51, 65, 95, 95, 121, 76, 80, 88, 120, 82, 106, 72, 70,
     104, 112, 79, 101, 68, 112, 95, 97, 100, 120, 56, 78, 121, 101, 106,
     70, 53, 99, 122, 57, 121, 68, 75, 85, 76, 117, 103, 78, 115, 68, 77,
     100, 108, 72, 101, 74, 81, 79, 77, 71, 86, 76, 89, 97, 83, 90, 116,
     51, 75, 80, 54, 97, 87, 78, 83, 113, 70, 65, 49, 80, 72, 68, 103, 45,
     49, 48, 99, 101, 117, 84, 69, 116, 113, 95, 118, 80, 69, 52, 45, 71,
     116, 101, 118, 52, 78, 52, 75, 52, 69, 117, 100, 108, 106, 52, 81,
     46, 65, 120, 89, 56, 68, 67, 116, 68, 97, 71, 108, 115, 98, 71, 108,
     106, 98, 51, 82, 111, 90, 81, 46, 82, 120, 115, 106, 103, 54, 80, 73,
     69, 120, 99, 109, 71, 83, 70, 55, 76, 110, 83, 69, 107, 68, 113, 87,
     73, 75, 102, 65, 119, 49, 119, 90, 122, 50, 88, 112, 97, 98, 86, 53,
     80, 119, 81, 115, 111, 108, 75, 119, 69, 97, 117, 87, 89, 90, 78, 69,
     57, 81, 49, 104, 90, 74, 69, 90]

A.2.11.  JWE Integrity Value

   Compute the HMAC SHA-256 of this value using the CIK to create the
   JWE Integrity Value.  This result is:

     [240, 181, 234, 49, 221, 9, 44, 107, 49, 49, 160, 121, 186, 131, 90,
     50, 152, 59, 185, 69, 191, 167, 141, 17, 149, 166, 71, 11, 3, 8, 203,
     57]

A.2.12.  Encoded JWE Integrity Value

   Base64url encode the resulting JWE Integrity Value to create the
   Encoded JWE Integrity Value.  This result is:

     8LXqMd0JLGsxMaB5uoNaMpg7uUW_p40RlaZHCwMIyzk

A.2.13.  Complete Representation

   Assemble the final representation: The Compact Serialization of this
   result is the concatenation of the Encoded JWE Header, the Encoded
   JWE Encrypted Key, the Encoded JWE Initialization Vector, the Encoded
   JWE Ciphertext, and the Encoded JWE Integrity Value in that order,
   with the five strings being separated by four period ('.')
   characters.

   The final result in this example (with line breaks for display
   purposes only) is:

     eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDK0hTMjU2In0.
     ZmnlqWgjXyqwjr7cXHys8F79anIUI6J2UWdAyRQEcGBU-KPHsePM910_RoTDGu1I
     W40Dn0dvcdVEjpJcPPNIbzWcMxDi131Ejeg-b8ViW5YX5oRdYdiR4gMSDDB3mbkI
     nMNUFT-PK5CuZRnHB2rUK5fhPuF6XFqLLZCG5Q_rJm6Evex-XLcNQAJNa1-6CIU1
     2Wj3mPExxw9vbnsQDU7B4BfmhdyiflLA7Ae5ZGoVRl3A__yLPXxRjHFhpOeDp_ad
     x8NyejF5cz9yDKULugNsDMdlHeJQOMGVLYaSZt3KP6aWNSqFA1PHDg-10ceuTEtq
     _vPE4-Gtev4N4K4Eudlj4Q.
     AxY8DCtDaGlsbGljb3RoZQ.
     Rxsjg6PIExcmGSF7LnSEkDqWIKfAw1wZz2XpabV5PwQsolKwEauWYZNE9Q1hZJEZ.
     8LXqMd0JLGsxMaB5uoNaMpg7uUW_p40RlaZHCwMIyzk

A.2.14.  Validation

   This example illustrates the process of creating a JWE with a
   composite AEAD algorithm created from a non-AEAD algorithm by adding
   a separate integrity check calculation.  These results can be used to
   validate JWE decryption implementations for these algorithms.  Note
   that since the RSAES-PKCS1-V1_5 computation includes random values,
   the encryption results above will not be completely reproducible.
   However, since the AES CBC computation is deterministic, the JWE
   Encrypted Ciphertext values will be the same for all encryptions
   performed using these inputs.

A.3.  Example JWE using AES Key Wrap and AES GCM

   This example encrypts the plaintext "The true sign of intelligence is
   not knowledge but imagination." to the recipient using AES Key Wrap
   and AES GCM.  The representation of this plaintext is:

     [84, 104, 101, 32, 116, 114, 117, 101, 32, 115, 105, 103, 110, 32,
     111, 102, 32, 105, 110, 116, 101, 108, 108, 105, 103, 101, 110, 99,
     101, 32, 105, 115, 32, 110, 111, 116, 32, 107, 110, 111, 119, 108,
     101, 100, 103, 101, 32, 98, 117, 116, 32, 105, 109, 97, 103, 105,
     110, 97, 116, 105, 111, 110, 46]

A.3.1.  JWE Header

   The following example JWE Header declares that:

   o  the Content Master Key is encrypted to the recipient using the AES
      Key Wrap algorithm with a 128 bit key to produce the JWE Encrypted
      Key and

   o  the Plaintext is encrypted using the AES GCM algorithm with a 128
      bit key to produce the Ciphertext.

     {"alg":"A128KW","enc":"A128GCM"}

A.3.2.  Encoded JWE Header

   Base64url encoding the bytes of the UTF-8 representation of the JWE
   Header yields this Encoded JWE Header value:

     eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIn0

A.3.3.  Content Master Key (CMK)

   Generate a 128 bit random Content Master Key (CMK).  In this example,
   the value is:

     [64, 154, 239, 170, 64, 40, 195, 99, 19, 84, 192, 142, 192, 238, 207,
     217]

A.3.4.  Key Encryption

   Encrypt the CMK with the shared symmetric key using the AES Key Wrap
   algorithm to produce the JWE Encrypted Key.  In this example, the
   shared symmetric key value is:

     [25, 172, 32, 130, 225, 114, 26, 181, 138, 106, 254, 192, 95, 133,
     74, 82]

   The resulting JWE Encrypted Key value is:

     [164, 255, 251, 1, 64, 200, 65, 200, 34, 197, 81, 143, 43, 211, 240,
     38, 191, 161, 181, 117, 119, 68, 44, 80]

A.3.5.  Encoded JWE Encrypted Key

   Base64url encode the JWE Encrypted Key to produce the Encoded JWE
   Encrypted Key.  This result is:

     pP_7AUDIQcgixVGPK9PwJr-htXV3RCxQ

A.3.6.  Initialization Vector

   Generate a random 96 bit JWE Initialization Vector.  In this example,
   the value is:

     [253, 220, 80, 25, 166, 152, 178, 168, 97, 99, 67, 89]

   Base64url encoding this value yields the Encoded JWE Initialization
   Vector value:

     _dxQGaaYsqhhY0NZ

A.3.7.  "Additional Authenticated Data" Parameter

   Concatenate the Encoded JWE Header value, a period character ('.'),
   the Encoded JWE Encrypted Key, a second period character ('.'), and
   the Encoded JWE Initialization Vector to create the "additional
   authenticated data" parameter for the AES GCM algorithm.  This result
   (with line breaks for display purposes only) is:

     eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIn0.
     pP_7AUDIQcgixVGPK9PwJr-htXV3RCxQ.
     _dxQGaaYsqhhY0NZ

   The representation of this value is:

     [101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 66, 77, 84, 73, 52,
     83, 49, 99, 105, 76, 67, 74, 108, 98, 109, 77, 105, 79, 105, 74, 66,
     77, 84, 73, 52, 82, 48, 78, 78, 73, 110, 48, 46, 112, 80, 95, 55, 65,
     85, 68, 73, 81, 99, 103, 105, 120, 86, 71, 80, 75, 57, 80, 119, 74,
     114, 45, 104, 116, 88, 86, 51, 82, 67, 120, 81, 46, 95, 100, 120, 81,
     71, 97, 97, 89, 115, 113, 104, 104, 89, 48, 78, 90]

A.3.8.  Plaintext Encryption

   Encrypt the Plaintext with AES GCM using the CMK as the encryption
   key, the JWE Initialization Vector, and the "additional authenticated
   data" value above, requesting a 128 bit "authentication tag" output.
   The resulting Ciphertext is:

     [227, 12, 89, 132, 185, 16, 248, 93, 145, 87, 53, 130, 95, 115, 62,
     104, 138, 96, 109, 71, 124, 211, 165, 103, 202, 99, 21, 193, 4, 226,
     84, 229, 254, 106, 144, 241, 39, 86, 148, 132, 160, 104, 88, 232,
     228, 109, 85, 7, 86, 80, 134, 106, 166, 24, 92, 199, 210, 188, 153,
     187, 218, 69, 227]

   The resulting "authentication tag" value is:

     [154, 35, 80, 107, 37, 148, 81, 6, 103, 4, 60, 206, 171, 165, 113,
     67]

A.3.9.  Encoded JWE Ciphertext

   Base64url encode the resulting Ciphertext to create the Encoded JWE
   Ciphertext.  This result (with line breaks for display purposes only)
   is:

     4wxZhLkQ-F2RVzWCX3M-aIpgbUd806VnymMVwQTiVOX-apDxJ1aUhKBoWOjkbVUH
     VlCGaqYYXMfSvJm72kXj

A.3.10.  Encoded JWE Integrity Value

   Base64url encode the resulting "authentication tag" to create the
   Encoded JWE Integrity Value.  This result is:

     miNQayWUUQZnBDzOq6VxQw

A.3.11.  Complete Representation

   Assemble the final representation: The Compact Serialization of this
   result is the concatenation of the Encoded JWE Header, the Encoded
   JWE Encrypted Key, the Encoded JWE Initialization Vector, the Encoded
   JWE Ciphertext, and the Encoded JWE Integrity Value in that order,
   with the five strings being separated by four period ('.')
   characters.

   The final result in this example (with line breaks for display
   purposes only) is:

     eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIn0.
     pP_7AUDIQcgixVGPK9PwJr-htXV3RCxQ.
     _dxQGaaYsqhhY0NZ.
     4wxZhLkQ-F2RVzWCX3M-aIpgbUd806VnymMVwQTiVOX-apDxJ1aUhKBoWOjkbVUH
     VlCGaqYYXMfSvJm72kXj.
     miNQayWUUQZnBDzOq6VxQw

A.3.12.  Validation

   This example illustrates the process of creating a JWE with symmetric
   key wrap and an AEAD algorithm.  These results can be used to
   validate JWE decryption implementations for these algorithms.  Also,
   since both the AES Key Wrap and AES GCM computations are
   deterministic, the resulting JWE value will be the same for all
   encryptions performed using these inputs.  Since the computation is
   reproducible, these results can also be used to validate JWE
   encryption implementations for these algorithms.

A.4.  Example Key Derivation for "enc" value "A128CBC+HS256"

   This example uses the Concat KDF to derive the Content Encryption Key
   (CEK) and Content Integrity Key (CIK) from the Content Master Key
   (CMK) in the manner described in Section 4.8.1 of [JWA].
   In this example, a 256 bit CMK is used to derive a 128 bit CEK and a
   256 bit CIK.

   The CMK value used is:

     [4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, 63, 170, 106,
     206, 107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, 240, 143, 156,
     44, 207]

A.4.1.  CEK Generation

   These values are concatenated to produce the round 1 hash input:

   o  the round number 1 as a 32 bit big endian integer ([0, 0, 0, 1]),

   o  the CMK value (as above),

   o  the output bit size 128 as a 32 bit big endian number ([0, 0, 0,
      128]),

   o  the bytes of the UTF-8 representation of the "enc" value
      "A128CBC+HS256" -- [65, 49, 50, 56, 67, 66, 67, 43, 72, 83, 50,
      53, 54],

   o  the Datalen value of zero for the omitted "epu" (encryption
      PartyUInfo) value ([0, 0, 0, 0]),

   o  the Datalen value of zero for the omitted "epv" (encryption
      PartyVInfo) value ([0, 0, 0, 0]),

   o  the bytes of the ASCII representation of the label "Encryption" --
      [69, 110, 99, 114, 121, 112, 116, 105, 111, 110].

   Thus the round 1 hash input is:

     [0, 0, 0, 1, 4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250,
     63, 170, 106, 206, 107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0,
     240, 143, 156, 44, 207, 0, 0, 0, 128, 65, 49, 50, 56, 67, 66, 67, 43,
     72, 83, 50, 53, 54, 0, 0, 0, 0, 0, 0, 0, 0, 69, 110, 99, 114, 121,
     112, 116, 105, 111, 110]

   The SHA-256 hash of this value, which is the round 1 hash output, is:

     [203, 165, 180, 113, 62, 195, 22, 98, 91, 153, 210, 38, 112, 35, 230,
     236, 181, 193, 129, 233, 251, 107, 70, 80, 36, 150, 216, 251, 182,
     29, 104, 150]

   Given that 128 bits are needed for the CEK and the hash has produced
   256 bits, the CEK value is the first 128 bits of that value:

     [203, 165, 180, 113, 62, 195, 22, 98, 91, 153, 210, 38, 112, 35, 230,
     236]

A.4.2.  CIK Generation

   These values are concatenated to produce the round 1 hash input:

   o  the round number 1 as a 32 bit big endian integer ([0, 0, 0, 1]),

   o  the CMK value (as above),

   o  the output bit size 256 as a 32 bit big endian number ([0, 0, 1,
      0]),

   o  the bytes of the UTF-8 representation of the "enc" value
      "A128CBC+HS256" -- [65, 49, 50, 56, 67, 66, 67, 43, 72, 83, 50,
      53, 54],

   o  the Datalen value of zero for the omitted "epu" (encryption
      PartyUInfo) value ([0, 0, 0, 0]),

   o  the Datalen value of zero for the omitted "epv" (encryption
      PartyVInfo) value ([0, 0, 0, 0]),

   o  the bytes of the ASCII representation of the label "Integrity" --
      [73, 110, 116, 101, 103, 114, 105, 116, 121].

   Thus the round 1 hash input is:

     [0, 0, 0, 1, 4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250,
     63, 170, 106, 206, 107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0,
     240, 143, 156, 44, 207, 0, 0, 1, 0, 65, 49, 50, 56, 67, 66, 67, 43,
     72, 83, 50, 53, 54, 0, 0, 0, 0, 0, 0, 0, 0, 73, 110, 116, 101, 103,
     114, 105, 116, 121]

   The SHA-256 hash of this value, which is the round 1 hash output, is:

     [218, 24, 160, 17, 160, 50, 235, 35, 216, 209, 100, 174, 155, 163,
     10, 117, 180, 111, 172, 200, 127, 201, 206, 173, 40, 45, 58, 170, 35,
     93, 9, 60]

   Given that 256 bits are needed for the CIK and the hash has produced
   256 bits, the CIK value is that same value:

     [218, 24, 160, 17, 160, 50, 235, 35, 216, 209, 100, 174, 155, 163,
     10, 117, 180, 111, 172, 200, 127, 201, 206, 173, 40, 45, 58, 170, 35,
     93, 9, 60]

A.5.  Example Key Derivation for "enc" value "A256CBC+HS512"

   This example uses the Concat KDF to derive the Content Encryption Key
   (CEK) and Content Integrity Key (CIK) from the Content Master Key
   (CMK) in the manner described in Section 4.8.1 of [JWA].  In this
   example, a 512 bit CMK is used to derive a 256 bit CEK and a 512 bit
   CIK.
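The A.4.1 and A.4.2 derivations and the A.2.10/A.2.11 integrity check for "A128CBC+HS256", reproduced with the Python standard library as an added example; it is not code from the draft. The CMK and the compact JWE are the draft's A.2 vectors, while the function names, the strict base64url decoder, the multi-round loop and the constant-time comparison are choices made for this example.

```python
import base64
import hashlib
import hmac
import json
import string
import struct

# Test vectors copied from A.2.3 and A.2.13 of the draft.
CMK = bytes([4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, 63, 170,
             106, 206, 107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, 240,
             143, 156, 44, 207])
ENC = "A128CBC+HS256"
COMPACT_JWE = (
    "eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDK0hTMjU2In0."
    "ZmnlqWgjXyqwjr7cXHys8F79anIUI6J2UWdAyRQEcGBU-KPHsePM910_RoTDGu1I"
    "W40Dn0dvcdVEjpJcPPNIbzWcMxDi131Ejeg-b8ViW5YX5oRdYdiR4gMSDDB3mbkI"
    "nMNUFT-PK5CuZRnHB2rUK5fhPuF6XFqLLZCG5Q_rJm6Evex-XLcNQAJNa1-6CIU1"
    "2Wj3mPExxw9vbnsQDU7B4BfmhdyiflLA7Ae5ZGoVRl3A__yLPXxRjHFhpOeDp_ad"
    "x8NyejF5cz9yDKULugNsDMdlHeJQOMGVLYaSZt3KP6aWNSqFA1PHDg-10ceuTEtq"
    "_vPE4-Gtev4N4K4Eudlj4Q."
    "AxY8DCtDaGlsbGljb3RoZQ."
    "Rxsjg6PIExcmGSF7LnSEkDqWIKfAw1wZz2XpabV5PwQsolKwEauWYZNE9Q1hZJEZ."
    "8LXqMd0JLGsxMaB5uoNaMpg7uUW_p40RlaZHCwMIyzk"
)

_B64URL_ALPHABET = set(string.ascii_letters + string.digits + "-_")


def b64url_decode(text):
    """Decode unpadded base64url, rejecting characters outside the alphabet.

    base64.urlsafe_b64decode silently skips stray characters, which would
    let two different strings decode to the same bytes.
    """
    if not set(text) <= _B64URL_ALPHABET:
        raise ValueError("non-base64url character in segment")
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def kdf_round_input(round_no, cmk, out_bits, enc, label):
    """Build one hash input in the field order listed in A.4.1 / A.4.2."""
    return (
        struct.pack(">I", round_no)      # round number, 32 bit big endian
        + cmk                            # Content Master Key
        + struct.pack(">I", out_bits)    # requested output size in bits
        + enc.encode("utf-8")            # "enc" value
        + struct.pack(">I", 0)           # Datalen 0: "epu" omitted
        + struct.pack(">I", 0)           # Datalen 0: "epv" omitted
        + label.encode("ascii")          # "Encryption" or "Integrity"
    )


def concat_kdf(cmk, out_bits, enc, label, hash_name="sha256"):
    """Derive out_bits of key material and truncate to the requested size.

    The draft's examples need a single round; the loop with an incrementing
    round number is this example's assumption for longer outputs.
    """
    out = b""
    round_no = 1
    while len(out) * 8 < out_bits:
        block = kdf_round_input(round_no, cmk, out_bits, enc, label)
        out += hashlib.new(hash_name, block).digest()
        round_no += 1
    return out[: out_bits // 8]


def verify_integrity(compact, cmk):
    """Check the JWE Integrity Value of an A128CBC+HS256 compact JWE.

    Returns True or False; raises ValueError for anything that is not a
    five-segment JWE declaring the expected "enc" value.
    """
    parts = compact.split(".")
    if len(parts) != 5:
        raise ValueError("compact JWE must have five segments")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("enc") != ENC:
        raise ValueError("unexpected enc value")
    cik = concat_kdf(cmk, 256, ENC, "Integrity")
    # A.2.10: the secured input is the first four encoded segments.
    secured_input = ".".join(parts[:4]).encode("ascii")
    expected = hmac.new(cik, secured_input, hashlib.sha256).digest()
    received = b64url_decode(parts[4])
    # Constant-time comparison so the check does not leak a matching prefix.
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    print("CEK:", list(concat_kdf(CMK, 128, ENC, "Encryption")))
    print("CIK:", list(concat_kdf(CMK, 256, ENC, "Integrity")))
    print("integrity ok:", verify_integrity(COMPACT_JWE, CMK))
```

The integrity check runs before any AES CBC decryption would be attempted, so a modified header, encrypted key, IV or ciphertext is rejected without the ciphertext ever being processed.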
1918 The CMK value used is: 1920 [148, 116, 199, 126, 2, 117, 233, 76, 150, 149, 89, 193, 61, 34, 239, 1921 226, 109, 71, 59, 160, 192, 140, 150, 235, 106, 204, 49, 176, 68, 1922 119, 13, 34, 49, 19, 41, 69, 5, 20, 252, 145, 104, 129, 137, 138, 67, 1923 23, 153, 83, 81, 234, 82, 247, 48, 211, 41, 130, 35, 124, 45, 156, 1924 249, 7, 225, 168] 1926 A.5.1. CEK Generation 1928 These values are concatenated to produce the round 1 hash input: 1930 o the round number 1 as a 32 bit big endian integer ([0, 0, 0, 1]), 1932 o the CMK value (as above), 1934 o the output bit size 256 as a 32 bit big endian number ([0, 0, 1, 1935 0]), 1937 o the bytes of the UTF-8 representation of the "enc" value 1938 "A256CBC+HS512" -- [65, 50, 53, 54, 67, 66, 67, 43, 72, 83, 53, 1939 49, 50], 1941 o the Datalen value of zero for the omitted "epu" (encryption 1942 PartyUInfo) value ([0, 0, 0, 0]), 1944 o the Datalen value of zero for the omitted "epv" (encryption 1945 PartyVInfo) value ([0, 0, 0, 0]), 1947 o the bytes of the ASCII representation of the label "Encryption" -- 1948 [69, 110, 99, 114, 121, 112, 116, 105, 111, 110]. 
1950 Thus the round 1 hash input is: 1952 [0, 0, 0, 1, 148, 116, 199, 126, 2, 117, 233, 76, 150, 149, 89, 193, 1953 61, 34, 239, 226, 109, 71, 59, 160, 192, 140, 150, 235, 106, 204, 49, 1954 176, 68, 119, 13, 34, 49, 19, 41, 69, 5, 20, 252, 145, 104, 129, 137, 1955 138, 67, 23, 153, 83, 81, 234, 82, 247, 48, 211, 41, 130, 35, 124, 1956 45, 156, 249, 7, 225, 168, 0, 0, 1, 0, 65, 50, 53, 54, 67, 66, 67, 1957 43, 72, 83, 53, 49, 50, 0, 0, 0, 0, 0, 0, 0, 0, 69, 110, 99, 114, 1958 121, 112, 116, 105, 111, 110] 1960 The SHA-512 hash of this value, which is the round 1 hash output, is: 1962 [157, 19, 75, 205, 31, 190, 110, 46, 117, 217, 137, 19, 116, 166, 1963 126, 60, 18, 244, 226, 114, 38, 153, 78, 198, 26, 0, 181, 168, 113, 1964 45, 149, 89, 107, 213, 109, 183, 207, 164, 86, 131, 51, 105, 214, 29, 1965 229, 32, 243, 46, 40, 53, 123, 4, 13, 7, 250, 48, 227, 207, 167, 211, 1966 147, 91, 0, 171] 1968 Given that 256 bits are needed for the CEK and the hash has produced 1969 512 bits, the CEK value is the first 256 bits of that value: 1971 [157, 19, 75, 205, 31, 190, 110, 46, 117, 217, 137, 19, 116, 166, 1972 126, 60, 18, 244, 226, 114, 38, 153, 78, 198, 26, 0, 181, 168, 113, 1973 45, 149, 89] 1975 A.5.2. CIK Generation 1977 These values are concatenated to produce the round 1 hash input: 1979 o the round number 1 as a 32 bit big endian integer ([0, 0, 0, 1]), 1981 o the CMK value (as above), 1983 o the output bit size 512 as a 32 bit big endian number ([0, 0, 2, 1984 0]), 1986 o the bytes of the UTF-8 representation of the "enc" value 1987 "A256CBC+HS512" -- [65, 50, 53, 54, 67, 66, 67, 43, 72, 83, 53, 1988 49, 50], 1990 o the Datalen value of zero for the omitted "epu" (encryption 1991 PartyUInfo) value ([0, 0, 0, 0]), 1993 o the Datalen value of zero for the omitted "epv" (encryption 1994 PartyVInfo) value ([0, 0, 0, 0]), 1996 o the bytes of the ASCII representation of the label "Integrity" -- 1997 [73, 110, 116, 101, 103, 114, 105, 116, 121]. 
1999 Thus the round 1 hash input is: 2001 [0, 0, 0, 1, 148, 116, 199, 126, 2, 117, 233, 76, 150, 149, 89, 193, 2002 61, 34, 239, 226, 109, 71, 59, 160, 192, 140, 150, 235, 106, 204, 49, 2003 176, 68, 119, 13, 34, 49, 19, 41, 69, 5, 20, 252, 145, 104, 129, 137, 2004 138, 67, 23, 153, 83, 81, 234, 82, 247, 48, 211, 41, 130, 35, 124, 2005 45, 156, 249, 7, 225, 168, 0, 0, 2, 0, 65, 50, 53, 54, 67, 66, 67, 2006 43, 72, 83, 53, 49, 50, 0, 0, 0, 0, 0, 0, 0, 0, 73, 110, 116, 101, 2007 103, 114, 105, 116, 121] 2009 The SHA-512 hash of this value, which is the round 1 hash output, is: 2011 [81, 249, 131, 194, 25, 166, 147, 155, 47, 249, 146, 160, 200, 236, 2012 115, 72, 103, 248, 228, 30, 130, 225, 164, 61, 105, 172, 198, 31, 2013 137, 170, 215, 141, 27, 247, 73, 236, 125, 113, 151, 33, 0, 251, 72, 2014 53, 72, 63, 146, 117, 247, 13, 49, 20, 210, 169, 232, 156, 118, 1, 2015 16, 45, 29, 21, 15, 208] 2017 Given that 512 bits are needed for the CIK and the hash has produced 2018 512 bits, the CIK value is that same value: 2020 [81, 249, 131, 194, 25, 166, 147, 155, 47, 249, 146, 160, 200, 236, 2021 115, 72, 103, 248, 228, 30, 130, 225, 164, 61, 105, 172, 198, 31, 2022 137, 170, 215, 141, 27, 247, 73, 236, 125, 113, 151, 33, 0, 251, 72, 2023 53, 72, 63, 146, 117, 247, 13, 49, 20, 210, 169, 232, 156, 118, 1, 2024 16, 45, 29, 21, 15, 208] 2026 Appendix B. Acknowledgements 2028 Solutions for encrypting JSON content were also explored by JSON 2029 Simple Encryption [JSE] and JavaScript Message Security Format 2030 [I-D.rescorla-jsms], both of which significantly influenced this 2031 draft. This draft attempts to explicitly reuse as many of the 2032 relevant concepts from XML Encryption 1.1 2033 [W3C.CR-xmlenc-core1-20120313] and RFC 5652 [RFC5652] as possible, 2034 while utilizing simple compact JSON-based data structures. 
2036 Special thanks are due to John Bradley and Nat Sakimura for the 2037 discussions that helped inform the content of this specification and 2038 to Eric Rescorla and Joe Hildebrand for allowing the reuse of text 2039 from [I-D.rescorla-jsms] in this document. 2041 Thanks to Axel Nennker, Emmanuel Raviart, Brian Campbell, and Edmund 2042 Jay for validating the examples in this specification. 2044 Jim Schaad and Karen O'Donoghue chaired the JOSE working group and 2045 Sean Turner and Stephen Farrell served as Security area directors 2046 during the creation of this specification. 2048 Appendix C. Open Issues 2050 [[ to be removed by the RFC editor before publication as an RFC ]] 2051 The following items remain to be considered or done in this draft: 2053 o Should we define optional nonce, timestamp, and/or uninterpreted 2054 string header parameter(s)? 2056 Appendix D. Document History 2058 [[ to be removed by the RFC editor before publication as an RFC ]] 2060 -07 2062 o Added a data length prefix to PartyUInfo and PartyVInfo values. 2064 o Updated values for example AES CBC calculations. 2066 o Made several local editorial changes to clean up loose ends left 2067 over from to the decision to only support block encryption methods 2068 providing integrity. One of these changes was to explicitly state 2069 that the "enc" (encryption method) algorithm must be an AEAD 2070 algorithm with a specified key length. 2072 -06 2074 o Removed the "int" and "kdf" parameters and defined the new 2075 composite AEAD algorithms "A128CBC+HS256" and "A256CBC+HS512" to 2076 replace the former uses of AES CBC, which required the use of 2077 separate integrity and key derivation functions. 2079 o Included additional values in the Concat KDF calculation -- the 2080 desired output size and the algorithm value, and optionally 2081 PartyUInfo and PartyVInfo values. 
Added the optional header 2082 parameters "apu" (agreement PartyUInfo), "apv" (agreement 2083 PartyVInfo), "epu" (encryption PartyUInfo), and "epv" (encryption 2084 PartyVInfo). Updated the KDF examples accordingly. 2086 o Promoted Initialization Vector from being a header parameter to 2087 being a top-level JWE element. This saves approximately 16 bytes 2088 in the compact serialization, which is a significant savings for 2089 some use cases. Promoting the Initialization Vector out of the 2090 header also avoids repeating this shared value in the JSON 2091 serialization. 2093 o Changed "x5c" (X.509 Certificate Chain) representation from being 2094 a single string to being an array of strings, each containing a 2095 single base64 encoded DER certificate value, representing elements 2096 of the certificate chain. 2098 o Added an AES Key Wrap example. 2100 o Reordered the encryption steps so CMK creation is first, when 2101 required. 2103 o Correct statements in examples about which algorithms produce 2104 reproducible results. 2106 -05 2108 o Support both direct encryption using a shared or agreed upon 2109 symmetric key, and the use of a shared or agreed upon symmetric 2110 key to key wrap the CMK. 2112 o Added statement that "StringOrURI values are compared as case- 2113 sensitive strings with no transformations or canonicalizations 2114 applied". 2116 o Updated open issues. 2118 o Indented artwork elements to better distinguish them from the body 2119 text. 2121 -04 2123 o Refer to the registries as the primary sources of defined values 2124 and then secondarily reference the sections defining the initial 2125 contents of the registries. 2127 o Normatively reference XML Encryption 1.1 2128 [W3C.CR-xmlenc-core1-20120313] for its security considerations. 2130 o Reference draft-jones-jose-jwe-json-serialization instead of 2131 draft-jones-json-web-encryption-json-serialization. 2133 o Described additional open issues. 2135 o Applied editorial suggestions. 

2137     -03

2139     o  Added the "kdf" (key derivation function) header parameter to
2140        provide crypto agility for key derivation.  The default KDF
2141        remains the Concat KDF with the SHA-256 digest function.

2143     o  Reordered encryption steps so that the Encoded JWE Header is
2144        always created before it is needed as an input to the AEAD
2145        "additional authenticated data" parameter.

2147     o  Added the "cty" (content type) header parameter for declaring type
2148        information about the secured content, as opposed to the "typ"
2149        (type) header parameter, which declares type information about
2150        this object.

2152     o  Moved description of how to determine whether a header is for a
2153        JWS or a JWE from the JWT spec to the JWE spec.

2155     o  Added complete encryption examples for both AEAD and non-AEAD
2156        algorithms.

2158     o  Added complete key derivation examples.

2160     o  Added "Collision Resistant Namespace" to the terminology section.

2162     o  Reference ITU.X690.1994 for DER encoding.

2164     o  Added Registry Contents sections to populate registry values.

2166     o  Numerous editorial improvements.

2168     -02

2170     o  When using AEAD algorithms (such as AES GCM), use the "additional
2171        authenticated data" parameter to provide integrity for the header,
2172        encrypted key, and ciphertext and use the resulting
2173        "authentication tag" value as the JWE Integrity Value.

2175     o  Defined KDF output key sizes.

2177     o  Generalized text to allow key agreement to be employed as an
2178        alternative to key wrapping or key encryption.

2180     o  Changed compression algorithm from gzip to DEFLATE.

2182     o  Clarified that it is an error when a "kid" value is included and
2183        no matching key is found.

2185     o  Clarified that JWEs with duplicate Header Parameter Names MUST be
2186        rejected.

2188     o  Clarified the relationship between "typ" header parameter values
2189        and MIME types.

2191     o  Registered application/jwe MIME type and "JWE" typ header
2192        parameter value.

2194     o  Simplified JWK terminology to replace the "JWK Key Object" and
2195        "JWK Container Object" terms with simply "JSON Web Key (JWK)" and
2196        "JSON Web Key Set (JWK Set)" and to eliminate potential confusion
2197        between single keys and sets of keys.  As part of this change, the
2198        header parameter name for a public key value was changed from
2199        "jpk" (JSON Public Key) to "jwk" (JSON Web Key).

2201     o  Added suggestion on defining additional header parameters such as
2202        "x5t#S256" in the future for certificate thumbprints using hash
2203        algorithms other than SHA-1.

2205     o  Specify RFC 2818 server identity validation, rather than RFC 6125
2206        (paralleling the same decision in the OAuth specs).

2208     o  Generalized language to refer to Message Authentication Codes
2209        (MACs) rather than Hash-based Message Authentication Codes (HMACs)
2210        unless in a context specific to HMAC algorithms.

2212     o  Reformatted to give each header parameter its own section heading.

2214     -01

2216     o  Added an integrity check for non-AEAD algorithms.

2218     o  Added "jpk" and "x5c" header parameters for including JWK public
2219        keys and X.509 certificate chains directly in the header.

2221     o  Clarified that this specification is defining the JWE Compact
2222        Serialization.  Referenced the new JWE-JS spec, which defines the
2223        JWE JSON Serialization.

2225     o  Added text "New header parameters should be introduced sparingly
2226        since an implementation that does not understand a parameter MUST
2227        reject the JWE".

2229     o  Clarified that the order of the encryption and decryption steps is
2230        not significant in cases where there are no dependencies between
2231        the inputs and outputs of the steps.

2233     o  Made other editorial improvements suggested by JOSE working group
2234        participants.

2236     -00

2238     o  Created the initial IETF draft based upon
2239        draft-jones-json-web-encryption-02 with no normative changes.

2241     o  Changed terminology to no longer call both digital signatures and
2242        HMACs "signatures".

2244  Authors' Addresses

2246     Michael B. Jones
2247     Microsoft

2249     Email: mbj@microsoft.com
2250     URI:   http://self-issued.info/

2252     Eric Rescorla
2253     RTFM, Inc.

2255     Email: ekr@rtfm.com

2257     Joe Hildebrand
2258     Cisco Systems, Inc.

2260     Email: jhildebr@cisco.com