draft-ietf-jose-json-web-algorithms-18.txt vs. draft-ietf-jose-json-web-algorithms-19.txt

JOSE Working Group                                              M. Jones
Internet-Draft                                                 Microsoft
Intended status: Standards Track
  [-18] November 12, 2013   Expires: May 16, 2014
  [-19] December 29, 2013   Expires: July 2, 2014

JSON Web Algorithms (JWA)
draft-ietf-jose-json-web-algorithms-18 / draft-ietf-jose-json-web-algorithms-19

Abstract

The JSON Web Algorithms (JWA) specification registers cryptographic algorithms and identifiers to be used with the JSON Web Signature (JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK) specifications. It defines several IANA registries for these identifiers.

Status of this Memo

[unchanged text omitted]

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on May 16, 2014 [-18] / July 2, 2014 [-19].

Copyright Notice

Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents
[unchanged text omitted]

1. Introduction
   1.1. Notational Conventions
2. Terminology
3. Cryptographic Algorithms for Digital Signatures and MACs
   3.1. "alg" (Algorithm) Header Parameter Values for JWS
   3.2. HMAC with SHA-2 Functions
   3.3. Digital Signature with RSASSA-PKCS1-V1_5
   3.4. Digital Signature with ECDSA
   3.5. Digital Signature with RSASSA-PSS
   3.6. Using the Algorithm "none"
4. Cryptographic Algorithms for Key Management
   4.1. "alg" (Algorithm) Header Parameter Values for JWE
   4.2. Key Encryption with RSAES-PKCS1-V1_5
   4.3. Key Encryption with RSAES OAEP
   4.4. Key Wrapping with AES Key Wrap
   4.5. Direct Encryption with a Shared Symmetric Key
   4.6. Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES)
      4.6.1. Header Parameters Used for ECDH Key Agreement
         4.6.1.1. "epk" (Ephemeral Public Key) Header Parameter
         4.6.1.2. "apu" (Agreement PartyUInfo) Header Parameter
         4.6.1.3. "apv" (Agreement PartyVInfo) Header Parameter
      4.6.2. Key Derivation for ECDH Key Agreement
   4.7. Key Encryption with AES GCM
      4.7.1. Header Parameters Used for AES GCM Key Encryption
         4.7.1.1. "iv" (Initialization Vector) Header Parameter
         4.7.1.2. "tag" (Authentication Tag) Header Parameter
   4.8. Key Encryption with PBES2
      4.8.1. Header Parameters Used for PBES2 Key Encryption
         4.8.1.1. "p2s" (PBES2 salt) Parameter
         4.8.1.2. "p2c" (PBES2 count) Parameter
5. Cryptographic Algorithms for Content Encryption
   5.1. "enc" (Encryption Algorithm) Header Parameter Values for JWE   [-18: "enc" (Encryption Method) Header Parameter Values for JWE]
   5.2. AES_CBC_HMAC_SHA2 Algorithms
      5.2.1. Conventions Used in Defining AES_CBC_HMAC_SHA2
      5.2.2. Generic AES_CBC_HMAC_SHA2 Algorithm
         5.2.2.1. AES_CBC_HMAC_SHA2 Encryption
         5.2.2.2. AES_CBC_HMAC_SHA2 Decryption
      5.2.3. AES_128_CBC_HMAC_SHA_256
      5.2.4. AES_192_CBC_HMAC_SHA_384
      5.2.5. AES_256_CBC_HMAC_SHA_512
      5.2.6. Content Encryption with AES_CBC_HMAC_SHA2   [-18: Plaintext Encryption with AES_CBC_HMAC_SHA2]
   5.3. Content Encryption with AES GCM   [-18: Plaintext Encryption with AES GCM]
6. Cryptographic Algorithms for Keys
   6.1. "kty" (Key Type) Parameter Values
   6.2. Parameters for Elliptic Curve Keys
      6.2.1. Parameters for Elliptic Curve Public Keys
         6.2.1.1. "crv" (Curve) Parameter
         6.2.1.2. "x" (X Coordinate) Parameter
         6.2.1.3. "y" (Y Coordinate) Parameter
      6.2.2. Parameters for Elliptic Curve Private Keys
         6.2.2.1. "d" (ECC Private Key) Parameter
   6.3. Parameters for RSA Keys
      6.3.1. Parameters for RSA Public Keys
         6.3.1.1. "n" (Modulus) Parameter
         6.3.1.2. "e" (Exponent) Parameter
      6.3.2. Parameters for RSA Private Keys
         6.3.2.1. "d" (Private Exponent) Parameter
         6.3.2.2. "p" (First Prime Factor) Parameter
         6.3.2.3. "q" (Second Prime Factor) Parameter
         6.3.2.4. "dp" (First Factor CRT Exponent) Parameter
         6.3.2.5. "dq" (Second Factor CRT Exponent) Parameter
         6.3.2.6. "qi" (First CRT Coefficient) Parameter
         6.3.2.7. "oth" (Other Primes Info) Parameter
   6.4. Parameters for Symmetric Keys
      6.4.1. "k" (Key Value) Parameter
7. IANA Considerations
   7.1. JSON Web Signature and Encryption Algorithms Registry
      7.1.1. Registration Template
      7.1.2. Initial Registry Contents
   7.2. JWE Header Parameter Names Registration
      7.2.1. Registry Contents
   7.3. JSON Web Encryption Compression Algorithms Registry
      7.3.1. Registration Template
      7.3.2. Initial Registry Contents
   7.4. JSON Web Key Types Registry
      7.4.1. Registration Template
      7.4.2. Initial Registry Contents
   7.5. JSON Web Key Parameters Registration
      7.5.1. Registry Contents
   7.6. JSON Web Key Elliptic Curve Registry
      7.6.1. Registration Template
      7.6.2. Initial Registry Contents
8. Security Considerations
   8.1. Algorithms and Key Sizes will be Deprecated
   8.2. Key Lifetimes
   8.3. RSAES-PKCS1-v1_5 Security Considerations
   8.4. AES GCM Security Considerations
   8.5. Plaintext JWS Security Considerations
   8.6. Differences between Digital Signatures and MACs
   8.7. Denial of Service Attacks
   8.8. Reusing Key Material when Encrypting Keys
   8.9. Password Considerations
9. Internationalization Considerations
10. References
   10.1. Normative References
   10.2. Informative References
Appendix A. Algorithm Identifier Cross-Reference
   A.1. Digital Signature/MAC Algorithm Identifier Cross-Reference
   A.2. Key Management Algorithm Identifier Cross-Reference
   A.3. Content Encryption Algorithm Identifier Cross-Reference
Appendix B. Test Cases for AES_CBC_HMAC_SHA2 Algorithms
   B.1. Test Cases for AES_128_CBC_HMAC_SHA_256
   B.2. Test Cases for AES_192_CBC_HMAC_SHA_384
   B.3. Test Cases for AES_256_CBC_HMAC_SHA_512
Appendix C. Example ECDH-ES Key Agreement Computation
Appendix D. Acknowledgements
Appendix E. Document History
Author's Address
1. Introduction

The JSON Web Algorithms (JWA) specification registers cryptographic algorithms and identifiers to be used with the JSON Web Signature (JWS) [JWS], JSON Web Encryption (JWE) [JWE], and JSON Web Key (JWK) [JWK] specifications. It defines several IANA registries for these identifiers. All these specifications utilize JavaScript Object Notation (JSON) [RFC4627] based data structures. This specification also describes the semantics and operations that are specific to

[unchanged text omitted]
See Appendix A.1 for a table cross-referencing the JWS digital signature and MAC "alg" (algorithm) values defined in this specification with the equivalent identifiers used by other standards and software packages.

3.2. HMAC with SHA-2 Functions

Hash-based Message Authentication Codes (HMACs) enable one to use a secret plus a cryptographic hash function to generate a Message Authentication Code (MAC). This can be used to demonstrate that whoever generated the MAC was in possession of the MAC key. The algorithm for implementing and validating HMACs is provided in RFC 2104 [RFC2104].

[-18 only] This section defines the use of the HMAC SHA-256, HMAC SHA-384, and HMAC SHA-512 functions [SHS]. The "alg" (algorithm) Header Parameter values "HS256", "HS384", and "HS512" are used in the JWS Header to indicate that the JWS Signature contains an HMAC value using the respective hash function.

A key of the same size as the hash output (for instance, 256 bits for "HS256") or larger MUST be used with this algorithm.

The HMAC SHA-256 MAC is generated per RFC 2104, using SHA-256 as the hash algorithm "H", using the JWS Signing Input as the "text" value, and using the shared key. The HMAC output value is the JWS Signature.

[-19 only] The following "alg" (algorithm) Header Parameter values are used to indicate that the JWS Signature is an HMAC value computed using the corresponding algorithm:

   +---------------------+--------------------+
   | alg Parameter Value | MAC Algorithm      |
   +---------------------+--------------------+
   | HS256               | HMAC using SHA-256 |
   | HS384               | HMAC using SHA-384 |
   | HS512               | HMAC using SHA-512 |
   +---------------------+--------------------+

The HMAC SHA-256 MAC for a JWS is validated by computing an HMAC value per RFC 2104, using SHA-256 as the hash algorithm "H", using the received JWS Signing Input as the "text" value, and using the shared key. This computed HMAC value is then compared to the result of base64url decoding the received encoded JWS Signature value. Alternatively, the computed HMAC value can be base64url encoded and compared to the received encoded JWS Signature value, as this comparison produces the same result as comparing the unencoded values. In either case, if the values match, the HMAC has been validated.

Securing content and validation [-18: "Securing content"] with the HMAC SHA-384 and HMAC SHA-512 algorithms is performed identically to the procedure for HMAC SHA-256 -- just using the corresponding hash algorithms with correspondingly larger minimum key sizes and result values: 384 bits each for HMAC SHA-384 and 512 bits each for HMAC SHA-512.

An example using this algorithm is shown in Appendix A.1 of [JWS].
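As an added illustration (not code from either draft), the following Python walks through the Section 3.2 procedure: it enforces the minimum key size, computes the HMAC over the JWS Signing Input, and validates by recomputing and comparing the decoded octets. The key and payload are constructed demo values, and the validator is told which "alg" to expect by the caller rather than taking it from the header alone.

```python
import base64
import hashlib
import hmac
import json

# "alg" values from Section 3.2 and the SHA-2 function each selects.
# The key MUST be at least as long as the hash output (256, 384, 512 bits).
HMAC_ALGS = {
    "HS256": hashlib.sha256,
    "HS384": hashlib.sha384,
    "HS512": hashlib.sha512,
}


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as JWS uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hash_for(alg: str, key: bytes):
    """Select the hash function H for alg and enforce the minimum key size."""
    if alg not in HMAC_ALGS:
        raise ValueError(f"unsupported HMAC alg {alg!r}")
    digest = HMAC_ALGS[alg]
    min_octets = digest().digest_size
    if len(key) < min_octets:
        raise ValueError(f"{alg} requires a key of at least {min_octets * 8} bits")
    return digest


def hs_sign(alg: str, key: bytes, payload: bytes) -> str:
    """Return a compact JWS whose signature is HMAC(key, JWS Signing Input)."""
    digest = _hash_for(alg, key)
    header = json.dumps({"alg": alg}, separators=(",", ":")).encode("utf-8")
    # JWS Signing Input = BASE64URL(header) '.' BASE64URL(payload); this is
    # the "text" input of RFC 2104 and the shared key is the HMAC key.
    signing_input = f"{b64url_encode(header)}.{b64url_encode(payload)}"
    mac = hmac.new(key, signing_input.encode("ascii"), digest).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def hs_validate(expected_alg: str, key: bytes, compact_jws: str) -> bool:
    """Recompute the HMAC over the received Signing Input and compare octets.

    The caller states which alg it expects; a JWS whose header names any
    other alg is rejected instead of letting the header pick the algorithm.
    """
    parts = compact_jws.split(".")
    if len(parts) != 3:
        return False
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        received_mac = b64url_decode(sig_b64)
    except ValueError:  # bad base64url, bad UTF-8 or bad JSON
        return False
    if not isinstance(header, dict) or header.get("alg") != expected_alg:
        return False
    digest = _hash_for(expected_alg, key)
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    computed = hmac.new(key, signing_input, digest).digest()
    # Constant-time comparison of the decoded octets; comparing the
    # base64url forms instead would give the same verdict (Section 3.2).
    return hmac.compare_digest(computed, received_mac)


if __name__ == "__main__":
    demo_key = bytes(range(32))  # constructed 256-bit key for the demo only
    jws = hs_sign("HS256", demo_key, b'{"iss":"joe","exp":1300819380}')
    print(jws)
    print(hs_validate("HS256", demo_key, jws))  # True
    # Swapping in a different payload under the original MAC must fail.
    h, _, s = jws.split(".")
    other = b64url_encode(b'{"iss":"other"}')
    print(hs_validate("HS256", demo_key, f"{h}.{other}.{s}"))  # False
```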
3.3. Digital Signature with RSASSA-PKCS1-V1_5

This section defines the use of the RSASSA-PKCS1-V1_5 digital signature algorithm as defined in Section 8.2 of RFC 3447 [RFC3447] (commonly known as PKCS #1), using SHA-2 [SHS] hash functions. [-18: "using SHA-256, SHA-384, or SHA-512 [SHS] as the hash functions. The "alg" (algorithm) header parameter values "RS256", "RS384", and "RS512" are used in the JWS Header to indicate that the JWS Signature contains a RSASSA-PKCS1-V1_5 digital signature using the respective hash function."]

A key of size 2048 bits or larger MUST be used with these algorithms.

The RSASSA-PKCS1-V1_5 SHA-256 digital signature is generated as follows: Generate a digital signature of the JWS Signing Input using RSASSA-PKCS1-V1_5-SIGN and the SHA-256 hash function with the desired private key. This is the JWS Signature value.

[-19 only] The following "alg" (algorithm) Header Parameter values are used to indicate that the JWS Signature is a digital signature value computed using the corresponding algorithm:

   +---------------------+--------------------------------+
   | alg Parameter Value | Digital Signature Algorithm    |
   +---------------------+--------------------------------+
   | RS256               | RSASSA-PKCS-v1_5 using SHA-256 |
   | RS384               | RSASSA-PKCS-v1_5 using SHA-384 |
   | RS512               | RSASSA-PKCS-v1_5 using SHA-512 |
   +---------------------+--------------------------------+

The RSASSA-PKCS1-V1_5 SHA-256 digital signature for a JWS is validated as follows: Submit the JWS Signing Input, the JWS Signature, and the public key corresponding to the private key used by the signer to the RSASSA-PKCS1-V1_5-VERIFY algorithm using SHA-256 as the hash function.

Signing and validation [-18: "Signing"] with the RSASSA-PKCS1-V1_5 SHA-384 and RSASSA-PKCS1-V1_5 SHA-512 algorithms is performed identically to the procedure for RSASSA-PKCS1-V1_5 SHA-256 -- just using the corresponding hash algorithms instead of SHA-256.

An example using this algorithm is shown in Appendix A.2 of [JWS].
3.4. Digital Signature with ECDSA

The Elliptic Curve Digital Signature Algorithm (ECDSA) [DSS] provides for the use of Elliptic Curve cryptography, which is able to provide equivalent security to RSA cryptography but using shorter key sizes and with greater processing speed. This means that ECDSA digital signatures will be substantially smaller in terms of length than equivalently strong RSA digital signatures.

This specification defines the use of ECDSA with the P-256 curve and the SHA-256 cryptographic hash function, ECDSA with the P-384 curve and the SHA-384 hash function, and ECDSA with the P-521 curve and the SHA-512 hash function. The P-256, P-384, and P-521 curves are defined in [DSS]. [-18 adds: The "alg" (algorithm) Header Parameter values "ES256", "ES384", and "ES512" are used in the JWS Header to indicate that the JWS Signature contains a base64url encoded ECDSA P-256 SHA-256, ECDSA P-384 SHA-384, or ECDSA P-521 SHA-512 digital signature, respectively.]

The ECDSA P-256 SHA-256 digital signature is generated as follows:

1. Generate a digital signature of the JWS Signing Input using ECDSA P-256 SHA-256 with the desired private key. The output will be the pair (R, S), where R and S are 256 bit unsigned integers.

2. Turn R and S into octet sequences in big endian order, with each array being 32 octets long. The octet sequence representations MUST NOT be shortened to omit any leading zero octets contained in the values.

3. Concatenate the two octet sequences in the order R and then S. (Note that many ECDSA implementations will directly produce this concatenation as their output.)

4. The resulting 64 octet sequence is the JWS Signature value.

[-19 only] The following "alg" (algorithm) Header Parameter values are used to indicate that the JWS Signature is a digital signature value computed using the corresponding algorithm:

   +---------------------+-------------------------------+
   | alg Parameter Value | Digital Signature Algorithm   |
   +---------------------+-------------------------------+
   | ES256               | ECDSA using P-256 and SHA-256 |
   | ES384               | ECDSA using P-384 and SHA-384 |
   | ES512               | ECDSA using P-521 and SHA-512 |
   +---------------------+-------------------------------+

The ECDSA P-256 SHA-256 digital signature for a JWS is validated as follows:

1. The JWS Signature value MUST be a 64 octet sequence. If it is not a 64 octet sequence, the validation has failed.

2. Split the 64 octet sequence into two 32 octet sequences. The first array will be R and the second S (with both being in big endian octet order).

3. Submit the JWS Signing Input, R, S and the public key (x, y) to the ECDSA P-256 SHA-256 validator.

Signing and validation [-18: "Signing"] with the ECDSA P-384 SHA-384 and ECDSA P-521 SHA-512 algorithms is performed identically to the procedure for ECDSA P-256 SHA-256 -- just using the corresponding hash algorithms with correspondingly larger result values. For ECDSA P-384 SHA-384, R and S will be 384 bits each, resulting in a 96 octet sequence. For ECDSA P-521 SHA-512, R and S will be 521 bits each, resulting in a 132 octet sequence.

Examples using these algorithms are shown in Appendices A.3 and A.4 of [JWS].
3.5. Digital Signature with RSASSA-PSS

This section defines the use of the RSASSA-PSS digital signature algorithm as defined in Section 8.1 of RFC 3447 [RFC3447] with the MGF1 mask generation function and SHA-2 hash functions, always using the same hash function for both the RSASSA-PSS hash function and the MGF1 hash function. The size of the salt value is the same size as the hash function output. All other algorithm parameters use the defaults specified in Section A.2.3 of RFC 3447.

[-18 read:] This section defines the use of the RSASSA-PSS digital signature algorithm as defined in Section 8.1 of RFC 3447 [RFC3447] with the MGF1 mask generation function, always using the same hash function for both the RSASSA-PSS hash function and the MGF1 hash function. Use of SHA-256, SHA-384, and SHA-512 as these hash functions is defined. The size of the salt value is the same size as the hash function output. All other algorithm parameters use the defaults specified in Section A.2.3 of RFC 3447. The "alg" (algorithm) header parameter values "PS256", "PS384", and "PS512" are used in the JWS Header to indicate that the JWS Signature contains a base64url encoded RSASSA-PSS digital signature using the respective hash function in both roles.

A key of size 2048 bits or larger MUST be used with this algorithm.

The RSASSA-PSS SHA-256 digital signature is generated as follows: Generate a digital signature of the JWS Signing Input using RSASSA-PSS-SIGN, the SHA-256 hash function, and the MGF1 mask generation function with SHA-256 with the desired private key. This is the JWS signature value.

[-19 only] The following "alg" (algorithm) Header Parameter values are used to indicate that the JWS Signature is a digital signature value computed using the corresponding algorithm:

   +---------------------+---------------------------------------------+
   | alg Parameter Value | Digital Signature Algorithm                 |
   +---------------------+---------------------------------------------+
   | PS256               | RSASSA-PSS using SHA-256 and MGF1 with      |
   |                     | SHA-256                                     |
   | PS384               | RSASSA-PSS using SHA-384 and MGF1 with      |
   |                     | SHA-384                                     |
   | PS512               | RSASSA-PSS using SHA-512 and MGF1 with      |
   |                     | SHA-512                                     |
   +---------------------+---------------------------------------------+

The RSASSA-PSS SHA-256 digital signature for a JWS is validated as
follows: Submit the JWS Signing Input, the JWS Signature, and the follows: Submit the JWS Signing Input, the JWS Signature, and the
public key corresponding to the private key used by the signer to the public key corresponding to the private key used by the signer to the
RSASSA-PSS-VERIFY algorithm using SHA-256 as the hash function and RSASSA-PSS-VERIFY algorithm using SHA-256 as the hash function and
using MGF1 as the mask generation function with SHA-256. using MGF1 as the mask generation function with SHA-256.
Signing with the RSASSA-PSS SHA-384 and RSASSA-PSS SHA-512 algorithms Signing and validation with the RSASSA-PSS SHA-384 and RSASSA-PSS
is performed identically to the procedure for RSASSA-PSS SHA-256 -- SHA-512 algorithms is performed identically to the procedure for
just using the alternative hash algorithm in both roles. RSASSA-PSS SHA-256 -- just using the alternative hash algorithm in
both roles.
3.6. Using the Algorithm "none" 3.6. Using the Algorithm "none"
JWSs MAY also be created that do not provide integrity protection. JWSs MAY also be created that do not provide integrity protection.
Such a JWS is called a "Plaintext JWS". A Plaintext JWS MUST use the Such a JWS is called a "Plaintext JWS". A Plaintext JWS MUST use the
"alg" value "none", and is formatted identically to other JWSs, but "alg" value "none", and is formatted identically to other JWSs, but
MUST use the empty octet sequence as its JWS Signature value. MUST use the empty octet sequence as its JWS Signature value.
Receivers MUST verify that the JWS Signature value is the empty octet Receivers MUST verify that the JWS Signature value is the empty octet
sequence. See Section 8.5 for security considerations associated sequence. See Section 8.5 for security considerations associated
with using this algorithm. with using this algorithm.
skipping to change at page 13, line 21 skipping to change at page 14, line 11
the specification. the specification.
See Appendix A.2 for a table cross-referencing the JWE "alg" See Appendix A.2 for a table cross-referencing the JWE "alg"
(algorithm) values defined in this specification with the equivalent (algorithm) values defined in this specification with the equivalent
identifiers used by other standards and software packages. identifiers used by other standards and software packages.
4.2. Key Encryption with RSAES-PKCS1-V1_5 4.2. Key Encryption with RSAES-PKCS1-V1_5
This section defines the specifics of encrypting a JWE CEK with This section defines the specifics of encrypting a JWE CEK with
RSAES-PKCS1-V1_5 [RFC3447]. The "alg" Header Parameter value RSAES-PKCS1-V1_5 [RFC3447]. The "alg" Header Parameter value
"RSA1_5" is used in this case. "RSA1_5" is used for this algorithm.
A key of size 2048 bits or larger MUST be used with this algorithm. A key of size 2048 bits or larger MUST be used with this algorithm.
An example using this algorithm is shown in Appendix A.2 of [JWE]. An example using this algorithm is shown in Appendix A.2 of [JWE].
4.3. Key Encryption with RSAES OAEP 4.3. Key Encryption with RSAES OAEP
This section defines the specifics of encrypting a JWE CEK with RSAES This section defines the specifics of encrypting a JWE CEK with RSAES
using Optimal Asymmetric Encryption Padding (OAEP) [RFC3447], with using Optimal Asymmetric Encryption Padding (OAEP) [RFC3447], with
the default parameters specified by RFC 3447 in Section A.2.1. the default parameters specified by RFC 3447 in Section A.2.1.
(Those default parameters are using a hash function of SHA-1 and a (Those default parameters are using a hash function of SHA-1 and a
mask generation function of MGF1 with SHA-1.) The "alg" Header mask generation function of MGF1 with SHA-1.) The "alg" Header
Parameter value "RSA-OAEP" is used in this case. Parameter value "RSA-OAEP" is used for this algorithm.
A key of size 2048 bits or larger MUST be used with this algorithm. A key of size 2048 bits or larger MUST be used with this algorithm.
An example using this algorithm is shown in Appendix A.1 of [JWE]. An example using this algorithm is shown in Appendix A.1 of [JWE].
4.4. Key Wrapping with AES Key Wrap 4.4. Key Wrapping with AES Key Wrap
This section defines the specifics of encrypting a JWE CEK with the This section defines the specifics of encrypting a JWE CEK with the
Advanced Encryption Standard (AES) Key Wrap Algorithm [RFC3394] using Advanced Encryption Standard (AES) Key Wrap Algorithm [RFC3394] using
the default initial value specified in Section 2.2.3.1 using a 128, the default initial value specified in Section 2.2.3.1.
192, or 256 bit key. The "alg" Header Parameter values "A128KW",
"A192KW", or "A256KW" are respectively used in this case.
The following "alg" (algorithm) Header Parameter values are used to
indicate that the JWE Encrypted Key is the result of encrypting the
CEK using the corresponding algorithm and key size:
+------------------+------------------------------------------------+
| alg Parameter | Key Management Algorithm |
| Value | |
+------------------+------------------------------------------------+
| A128KW | AES Key Wrap with default initial value using |
| | 128 bit key |
| A192KW | AES Key Wrap with default initial value using |
| | 192 bit key |
| A256KW | AES Key Wrap with default initial value using |
| | 256 bit key |
+------------------+------------------------------------------------+
An example using this algorithm is shown in Appendix A.3 of [JWE]. An example using this algorithm is shown in Appendix A.3 of [JWE].
4.5. Direct Encryption with a Shared Symmetric Key 4.5. Direct Encryption with a Shared Symmetric Key
This section defines the specifics of directly performing symmetric This section defines the specifics of directly performing symmetric
key encryption without performing a key wrapping step. In this case, key encryption without performing a key wrapping step. In this case,
the shared symmetric key is used directly as the Content Encryption the shared symmetric key is used directly as the Content Encryption
Key (CEK) value for the "enc" algorithm. An empty octet sequence is Key (CEK) value for the "enc" algorithm. An empty octet sequence is
used as the JWE Encrypted Key value. The "alg" Header Parameter used as the JWE Encrypted Key value. The "alg" Header Parameter
value "dir" is used in this case. value "dir" is used in this case.
skipping to change at page 14, line 33 skipping to change at page 15, line 34
the Concat KDF, as defined in Section 5.8.1 of [NIST.800-56A]. The the Concat KDF, as defined in Section 5.8.1 of [NIST.800-56A]. The
key agreement result can be used in one of two ways: key agreement result can be used in one of two ways:
1. directly as the Content Encryption Key (CEK) for the "enc" 1. directly as the Content Encryption Key (CEK) for the "enc"
algorithm, in the Direct Key Agreement mode, or algorithm, in the Direct Key Agreement mode, or
2. as a symmetric key used to wrap the CEK with the "A128KW", 2. as a symmetric key used to wrap the CEK with the "A128KW",
"A192KW", or "A256KW" algorithms, in the Key Agreement with Key "A192KW", or "A256KW" algorithms, in the Key Agreement with Key
Wrapping mode. Wrapping mode.
The "alg" Header Parameter value "ECDH-ES" is used in the Direct Key A new ephemeral public key value MUST be generated for each key
Agreement mode. In this mode, the output of the Concat KDF MUST be a agreement operation.
key of the same length as that used by the "enc" algorithm; in this
In Direct Key Agreement mode, the output of the Concat KDF MUST be a
key of the same length as that used by the "enc" algorithm. In this
case, the empty octet sequence is used as the JWE Encrypted Key case, the empty octet sequence is used as the JWE Encrypted Key
value. value. The "alg" Header Parameter value "ECDH-ES" is used in the
Direct Key Agreement mode.
The "alg" Header Parameter values "ECDH-ES+A128KW", "ECDH-ES+A192KW", In Key Agreement with Key Wrapping mode, the output of the Concat KDF
or "ECDH-ES+A256KW" are used in the Key Agreement with Key Wrapping MUST be a key of the length needed for the specified key wrapping
mode. In this mode, the output of the Concat KDF MUST be a key of algorithm. In this case, the JWE Encrypted Key is the CEK wrapped
the length needed for the specified key wrapping algorithm, one of with the agreed upon key.
128, 192, or 256 bits respectively.
A new ephemeral public key value MUST be generated for each key The following "alg" (algorithm) Header Parameter values are used to
agreement operation. indicate that the JWE Encrypted Key is the result of encrypting the
CEK using the result of the key agreement algorithm as the key
encryption key for the corresponding key wrapping algorithm:
+-------------------+-----------------------------------------------+
| alg Parameter | Key Management Algorithm |
| Value | |
+-------------------+-----------------------------------------------+
| ECDH-ES+A128KW | ECDH-ES using Concat KDF and CEK wrapped with |
| | "A128KW" |
| ECDH-ES+A192KW | ECDH-ES using Concat KDF and CEK wrapped with |
| | "A192KW" |
| ECDH-ES+A256KW | ECDH-ES using Concat KDF and CEK wrapped with |
| | "A256KW" |
+-------------------+-----------------------------------------------+
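The key-length rules for the two modes above determine both the AlgorithmID fed to the Concat KDF and how many SHA-256 blocks it must produce. The following is an added example (not code from the draft) implementing the Concat KDF of NIST SP 800-56A Section 5.8.1 with SHA-256 and the OtherInfo layout ECDH-ES uses. The choice of AlgorithmID (the "enc" value in Direct Key Agreement mode, the "alg" value in Key Agreement with Key Wrapping mode) comes from Section 4.6.2 of the full draft, which this excerpt skips; the value Z is assumed to be the shared secret already computed from the ephemeral-static ECDH step, and the sample Z below is constructed for the example.

```python
"""Added example (not from the JWA draft): the Concat KDF of NIST SP 800-56A
Section 5.8.1 with SHA-256, with the OtherInfo fields as ECDH-ES uses them.
Z is the shared secret from the ECDH computation; apu / apv are the decoded
"apu" and "apv" header values (empty when absent)."""

import hashlib
import struct

# Key length the KDF output must have, per the text above: in Direct Key
# Agreement mode the "enc" algorithm's key size, in Key Agreement with Key
# Wrapping mode the wrapping key size.
ENC_KEY_BITS = {"A128GCM": 128, "A192GCM": 192, "A256GCM": 256,
                "A128CBC-HS256": 256, "A192CBC-HS384": 384, "A256CBC-HS512": 512}
WRAP_KEY_BITS = {"ECDH-ES+A128KW": 128, "ECDH-ES+A192KW": 192, "ECDH-ES+A256KW": 256}


def _len_prefixed(data: bytes) -> bytes:
    """Datalen || Data: 32-bit big-endian length prefix, as the KDF's
    AlgorithmID, PartyUInfo and PartyVInfo fields are encoded."""
    return struct.pack(">I", len(data)) + data


def other_info(alg_id: str, apu: bytes, apv: bytes, keydatalen_bits: int) -> bytes:
    """AlgorithmID || PartyUInfo || PartyVInfo || SuppPubInfo (SuppPrivInfo is empty)."""
    return (_len_prefixed(alg_id.encode("ascii")) + _len_prefixed(apu)
            + _len_prefixed(apv) + struct.pack(">I", keydatalen_bits))


def concat_kdf(z: bytes, keydatalen_bits: int, alg_id: str,
               apu: bytes = b"", apv: bytes = b"") -> bytes:
    """K = leftmost keydatalen bits of H(1 || Z || OtherInfo) || H(2 || ...) ..."""
    if keydatalen_bits % 8:
        raise ValueError("key length must be a whole number of octets")
    info = other_info(alg_id, apu, apv, keydatalen_bits)
    out = b""
    counter = 1   # 32-bit big-endian round counter, starting at 1
    while len(out) * 8 < keydatalen_bits:
        out += hashlib.sha256(struct.pack(">I", counter) + z + info).digest()
        counter += 1
    return out[:keydatalen_bits // 8]


def ecdh_es_key(z: bytes, alg: str, enc: str,
                apu: bytes = b"", apv: bytes = b"") -> bytes:
    """Pick AlgorithmID and key length for a JWE header's "alg" / "enc" pair:
    "ECDH-ES" derives the CEK itself (AlgorithmID = enc); the +AxxxKW
    variants derive the key-wrapping key (AlgorithmID = alg)."""
    if alg == "ECDH-ES":
        return concat_kdf(z, ENC_KEY_BITS[enc], enc, apu, apv)
    if alg in WRAP_KEY_BITS:
        return concat_kdf(z, WRAP_KEY_BITS[alg], alg, apu, apv)
    raise ValueError("not an ECDH-ES algorithm: %r" % alg)
```

Because the AlgorithmID is bound into OtherInfo, the same Z yields different keys for "ECDH-ES" with A128GCM and for "ECDH-ES+A128KW", so a recipient cannot be tricked into using a direct-mode key as a wrapping key by editing the header. Appendix C of the draft gives a complete vector (Z, "apu", "apv" and the derived key) to check an implementation against.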
4.6.1. Header Parameters Used for ECDH Key Agreement 4.6.1. Header Parameters Used for ECDH Key Agreement
The following Header Parameter names are used for key agreement as The following Header Parameter names are used for key agreement as
defined below. defined below.
4.6.1.1. "epk" (Ephemeral Public Key) Header Parameter 4.6.1.1. "epk" (Ephemeral Public Key) Header Parameter
The "epk" (ephemeral public key) value created by the originator for The "epk" (ephemeral public key) value created by the originator for
the use in key agreement algorithms. This key is represented as a the use in key agreement algorithms. This key is represented as a
skipping to change at page 17, line 9 skipping to change at page 18, line 29
Ephemeral-Static mode in [RFC2631]) and the "apv" field should not be Ephemeral-Static mode in [RFC2631]) and the "apv" field should not be
present. present.
See Appendix C for an example key agreement computation using this See Appendix C for an example key agreement computation using this
method. method.
4.7. Key Encryption with AES GCM 4.7. Key Encryption with AES GCM
This section defines the specifics of encrypting a JWE Content This section defines the specifics of encrypting a JWE Content
Encryption Key (CEK) with Advanced Encryption Standard (AES) in Encryption Key (CEK) with Advanced Encryption Standard (AES) in
Galois/Counter Mode (GCM) [AES] [NIST.800-38D] using a 128, 192, or Galois/Counter Mode (GCM) [AES] [NIST.800-38D].
256 bit key. The "alg" Header Parameter values "A128GCMKW",
"A192GCMKW", or "A256GCMKW" are respectively used in this case.
Use of an Initialization Vector of size 96 bits is REQUIRED with this Use of an Initialization Vector of size 96 bits is REQUIRED with this
algorithm. The Initialization Vector is represented in base64url algorithm. The Initialization Vector is represented in base64url
encoded form as the "iv" (initialization vector) Header Parameter encoded form as the "iv" (initialization vector) Header Parameter
value. value.
The Additional Authenticated Data value used is the empty octet The Additional Authenticated Data value used is the empty octet
string. string.
The requested size of the Authentication Tag output MUST be 128 bits, The requested size of the Authentication Tag output MUST be 128 bits,
regardless of the key size. regardless of the key size.
The JWE Encrypted Key value is the Ciphertext output. The JWE Encrypted Key value is the Ciphertext output.
The Authentication Tag output is represented in base64url encoded The Authentication Tag output is represented in base64url encoded
form as the "tag" (authentication tag) Header Parameter value. form as the "tag" (authentication tag) Header Parameter value.
The following "alg" (algorithm) Header Parameter values are used to
indicate that the JWE Encrypted Key is the result of encrypting the
CEK using the corresponding algorithm and key size:
+---------------------+---------------------------------------------+
| alg Parameter Value | Key Management Algorithm |
+---------------------+---------------------------------------------+
| A128GCMKW | Key wrapping with AES GCM using 128 bit key |
| A192GCMKW | Key wrapping with AES GCM using 192 bit key |
| A256GCMKW | Key wrapping with AES GCM using 256 bit key |
+---------------------+---------------------------------------------+
4.7.1. Header Parameters Used for AES GCM Key Encryption 4.7.1. Header Parameters Used for AES GCM Key Encryption
The following Header Parameters are used for AES GCM key encryption. The following Header Parameters are used for AES GCM key encryption.
4.7.1.1. "iv" (Initialization Vector) Header Parameter 4.7.1.1. "iv" (Initialization Vector) Header Parameter
The "iv" (initialization vector) Header Parameter value is the The "iv" (initialization vector) Header Parameter value is the
base64url encoded representation of the Initialization Vector value base64url encoded representation of the Initialization Vector value
used for the key encryption operation. This Header Parameter MUST be used for the key encryption operation. This Header Parameter MUST be
present and MUST be understood and processed by implementations when present and MUST be understood and processed by implementations when
skipping to change at page 17, line 51 skipping to change at page 19, line 35
4.7.1.2. "tag" (Authentication Tag) Header Parameter 4.7.1.2. "tag" (Authentication Tag) Header Parameter
The "tag" (authentication tag) Header Parameter value is the The "tag" (authentication tag) Header Parameter value is the
base64url encoded representation of the Authentication Tag value base64url encoded representation of the Authentication Tag value
resulting from the key encryption operation. This Header Parameter resulting from the key encryption operation. This Header Parameter
MUST be present and MUST be understood and processed by MUST be present and MUST be understood and processed by
implementations when these algorithms are used. implementations when these algorithms are used.
4.8. Key Encryption with PBES2 4.8. Key Encryption with PBES2
The "PBES2-HS256+A128KW", "PBES2-HS384+A192KW", and This section defines the specifics of performing
"PBES2-HS512+A256KW" composite algorithms are used to perform encryption of a JWE CEK, by first deriving a key encryption key from
password-based encryption of a JWE CEK, by first deriving a key a user-supplied password using PBES2 schemes as specified in Section
encryption key from a user-supplied password, then encrypting the JWE 6.2 of [RFC2898], then by encrypting the JWE CEK using the derived
CEK using the derived key. These algorithms are PBES2 schemes as key.
specified in Section 6.2 of [RFC2898].
These algorithms use HMAC SHA-2 algorithms as the Pseudo-Random These algorithms use HMAC SHA-2 algorithms as the Pseudo-Random
Function (PRF) for the PBKDF2 key derivation and AES Key Wrap Function (PRF) for the PBKDF2 key derivation and AES Key Wrap
[RFC3394] for the encryption scheme. The PBES2 password input is an [RFC3394] for the encryption scheme. The PBES2 password input is an
octet sequence; if the password to be used is represented as a text octet sequence; if the password to be used is represented as a text
string rather than an octet sequence, the UTF-8 encoding of the text string rather than an octet sequence, the UTF-8 encoding of the text
string MUST be used as the octet sequence. The salt MUST be provided string MUST be used as the octet sequence. The salt MUST be provided
as the "p2s" Header Parameter value, and MUST be base64url decoded to as the "p2s" Header Parameter value, and MUST be base64url decoded to
obtain the value. The iteration count parameter MUST be provided as obtain the value. The iteration count parameter MUST be provided as
the "p2c" Header Parameter value. The algorithms respectively use the "p2c" Header Parameter value. The algorithms respectively use
HMAC SHA-256, HMAC SHA-384, and HMAC SHA-512 as the PRF and use 128, HMAC SHA-256, HMAC SHA-384, and HMAC SHA-512 as the PRF and use 128,
192, and 256 bit AES Key Wrap keys. Their derived-key lengths 192, and 256 bit AES Key Wrap keys. Their derived-key lengths
respectively are 16, 24, and 32 octets. respectively are 16, 24, and 32 octets.
The following "alg" (algorithm) Header Parameter values are used to
indicate that the JWE Encrypted Key is the result of encrypting the
CEK using the result of the corresponding password-based encryption
algorithm as the key encryption key for the corresponding key
wrapping algorithm:
+---------------------+---------------------------------------------+
| alg Parameter Value | Key Management Algorithm |
+---------------------+---------------------------------------------+
| PBES2-HS256+A128KW | PBES2 with HMAC SHA-256 and "A128KW" |
| | wrapping |
| PBES2-HS384+A192KW | PBES2 with HMAC SHA-384 and "A192KW" |
| | wrapping |
| PBES2-HS512+A256KW | PBES2 with HMAC SHA-512 and "A256KW" |
| | wrapping |
+---------------------+---------------------------------------------+
See Appendix C of JSON Web Key (JWK) [JWK] for an example key See Appendix C of JSON Web Key (JWK) [JWK] for an example key
encryption computation using "PBES2-HS256+A128KW". encryption computation using "PBES2-HS256+A128KW".
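The derivation step described above maps directly onto PBKDF2 from the standard library. The following is an added example (not code from the draft or from any JOSE library) that derives the AES Key Wrap key for the three PBES2 algorithms from the "p2s" and "p2c" header values. The Salt Input construction UTF8(alg) || 0x00 || p2s and the 8 octet minimum salt length come from Section 4.8.1.1 of the full draft, which this excerpt skips; the upper bound on "p2c" is a local policy assumption, not something the draft specifies, added because the iteration count is attacker-controlled header data.

```python
"""Added example (not from the JWA draft): derive the key-encryption key for
the PBES2-HS256+A128KW / -HS384+A192KW / -HS512+A256KW algorithms with
PBKDF2 (RFC 2898 Section 5.2) from the "p2s" and "p2c" header values."""

import base64
import hashlib

PBES2_PARAMS = {
    # alg: (PBKDF2 PRF hash, derived key length in octets)
    "PBES2-HS256+A128KW": ("sha256", 16),
    "PBES2-HS384+A192KW": ("sha384", 24),
    "PBES2-HS512+A256KW": ("sha512", 32),
}

MIN_P2C = 1000       # RECOMMENDED minimum iteration count in the draft
MAX_P2C = 1_000_000  # assumption: local policy cap so a hostile header cannot
                     # make the recipient burn unbounded CPU per message
MIN_SALT_OCTETS = 8  # Section 4.8.1.1 of the full draft requires 8 or more


def b64url_decode(text: str) -> bytes:
    """base64url without padding, as JOSE encodes it; re-add '=' for stdlib."""
    raw = text.encode("ascii")
    return base64.urlsafe_b64decode(raw + b"=" * (-len(raw) % 4))


def pbes2_salt_input(alg: str, p2s_b64: str) -> bytes:
    """Salt Input for PBKDF2 is UTF8(alg) || 0x00 || p2s, which binds the
    derived key to the algorithm named in the header."""
    p2s = b64url_decode(p2s_b64)
    if len(p2s) < MIN_SALT_OCTETS:
        raise ValueError("p2s must be at least %d octets" % MIN_SALT_OCTETS)
    return alg.encode("utf-8") + b"\x00" + p2s


def pbes2_derive_kek(alg: str, password, p2s_b64: str, p2c) -> bytes:
    """Return the AES Key Wrap key for `alg`; rejects an out-of-policy p2c."""
    if alg not in PBES2_PARAMS:
        raise ValueError("unsupported alg %r" % alg)
    prf, dklen = PBES2_PARAMS[alg]
    if (not isinstance(p2c, int) or isinstance(p2c, bool)
            or not MIN_P2C <= p2c <= MAX_P2C):
        raise ValueError("p2c out of range")
    if isinstance(password, str):
        password = password.encode("utf-8")  # the draft mandates UTF-8 for text
    salt = pbes2_salt_input(alg, p2s_b64)
    return hashlib.pbkdf2_hmac(prf, password, salt, p2c, dklen)
```

The derived key is then used as the KEK for the "A128KW", "A192KW" or "A256KW" wrapping of the CEK; that step needs an AES implementation and is not shown here.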
4.8.1. Header Parameters Used for PBES2 Key Encryption 4.8.1. Header Parameters Used for PBES2 Key Encryption
The following Header Parameters are used for Key Encryption with The following Header Parameters are used for Key Encryption with
PBES2. PBES2.
4.8.1.1. "p2s" (PBES2 salt) Parameter 4.8.1.1. "p2s" (PBES2 salt) Parameter
skipping to change at page 19, line 10 skipping to change at page 21, line 9
implementations when these algorithms are used. implementations when these algorithms are used.
The iteration count adds computational expense, ideally compounded by The iteration count adds computational expense, ideally compounded by
the possible range of keys introduced by the salt. A minimum the possible range of keys introduced by the salt. A minimum
iteration count of 1000 is RECOMMENDED. iteration count of 1000 is RECOMMENDED.
5. Cryptographic Algorithms for Content Encryption 5. Cryptographic Algorithms for Content Encryption
JWE uses cryptographic algorithms to encrypt the Plaintext. JWE uses cryptographic algorithms to encrypt the Plaintext.
5.1. "enc" (Encryption Method) Header Parameter Values for JWE 5.1. "enc" (Encryption Algorithm) Header Parameter Values for JWE
The table below is the set of "enc" (encryption method) Header The table below is the set of "enc" (encryption algorithm) Header
Parameter values that are defined by this specification for use with Parameter values that are defined by this specification for use with
JWE. These algorithms are used to encrypt the Plaintext, which JWE. These algorithms are used to encrypt the Plaintext, which
produces the Ciphertext. produces the Ciphertext.
+-------------+------------------------+------------+---------------+ +-------------+------------------------+------------+---------------+
| enc | Content Encryption | Additional | Implementation | | enc | Content Encryption | Additional | Implementation |
| Parameter | Algorithm | Header | Requirements | | Parameter | Algorithm | Header | Requirements |
| Value | | Parameters | | | Value | | Parameters | |
+-------------+------------------------+------------+---------------+ +-------------+------------------------+------------+---------------+
| A128CBC-HS2 | AES_128_CBC_HMAC_SHA_2 | (none) | Required | | A128CBC-HS2 | AES_128_CBC_HMAC_SHA_2 | (none) | Required |
skipping to change at page 20, line 4 skipping to change at page 21, line 50
| A256GCM | AES GCM using 256 bit | (none) | Recommended | | A256GCM | AES GCM using 256 bit | (none) | Recommended |
| | key | | | | | key | | |
+-------------+------------------------+------------+---------------+ +-------------+------------------------+------------+---------------+
The Additional Header Parameters column indicates what additional The Additional Header Parameters column indicates what additional
Header Parameters are used by the algorithm, beyond "enc", which all Header Parameters are used by the algorithm, beyond "enc", which all
use. All also use a JWE Initialization Vector value and produce JWE use. All also use a JWE Initialization Vector value and produce JWE
Ciphertext and JWE Authentication Tag values. Ciphertext and JWE Authentication Tag values.
See Appendix A.3 for a table cross-referencing the JWE "enc" See Appendix A.3 for a table cross-referencing the JWE "enc"
(encryption method) values defined in this specification with the (encryption algorithm) values defined in this specification with the
equivalent identifiers used by other standards and software packages. equivalent identifiers used by other standards and software packages.
5.2. AES_CBC_HMAC_SHA2 Algorithms 5.2. AES_CBC_HMAC_SHA2 Algorithms
This section defines a family of authenticated encryption algorithms This section defines a family of authenticated encryption algorithms
built using a composition of Advanced Encryption Standard (AES) in built using a composition of Advanced Encryption Standard (AES) in
Cipher Block Chaining (CBC) mode with PKCS #5 padding [AES] Cipher Block Chaining (CBC) mode with PKCS #5 padding [AES]
[NIST.800-38A] operations and HMAC [RFC2104] [SHS] operations. This [NIST.800-38A] operations and HMAC [RFC2104] [SHS] operations. This
algorithm family is called AES_CBC_HMAC_SHA2. It also defines three algorithm family is called AES_CBC_HMAC_SHA2. It also defines three
instances of this family, the first using 128 bit CBC keys and HMAC instances of this family, the first using 128 bit CBC keys and HMAC
skipping to change at page 23, line 16 skipping to change at page 25, line 14
5.2.3. AES_128_CBC_HMAC_SHA_256 5.2.3. AES_128_CBC_HMAC_SHA_256
This algorithm is a concrete instantiation of the generic This algorithm is a concrete instantiation of the generic
AES_CBC_HMAC_SHA2 algorithm above. It uses the HMAC message AES_CBC_HMAC_SHA2 algorithm above. It uses the HMAC message
authentication code [RFC2104] with the SHA-256 hash function [SHS] to authentication code [RFC2104] with the SHA-256 hash function [SHS] to
provide message authentication, with the HMAC output truncated to 128 provide message authentication, with the HMAC output truncated to 128
bits, corresponding to the HMAC-SHA-256-128 algorithm defined in bits, corresponding to the HMAC-SHA-256-128 algorithm defined in
[RFC4868]. For encryption, it uses AES in the Cipher Block Chaining [RFC4868]. For encryption, it uses AES in the Cipher Block Chaining
(CBC) mode of operation as defined in Section 6.2 of [NIST.800-38A], (CBC) mode of operation as defined in Section 6.2 of [NIST.800-38A],
with PKCS #5 padding. with PKCS #5 padding and a 128 bit initialization vector (IV) value.
The input key K is 32 octets long. The AES_CBC_HMAC_SHA2 parameters specific to AES_128_CBC_HMAC_SHA_256
are:
The AES CBC IV is 16 octets long. ENC_KEY_LEN is 16 octets. The input key K is 32 octets long.
The SHA-256 hash algorithm is used in HMAC. MAC_KEY_LEN is 16 ENC_KEY_LEN is 16 octets.
octets. The HMAC-SHA-256 output is truncated to T_LEN=16 octets, by
stripping off the final 16 octets. MAC_KEY_LEN is 16 octets.
The SHA-256 hash algorithm is used for the HMAC.
The HMAC-SHA-256 output is truncated to T_LEN=16 octets, by
stripping off the final 16 octets.
5.2.4. AES_192_CBC_HMAC_SHA_384 5.2.4. AES_192_CBC_HMAC_SHA_384
AES_192_CBC_HMAC_SHA_384 is based on AES_128_CBC_HMAC_SHA_256, but AES_192_CBC_HMAC_SHA_384 is based on AES_128_CBC_HMAC_SHA_256, but
with the following differences: with the following differences:
A 192 bit AES CBC key is used instead of 128. The input key K is 48 octets long instead of 32.
SHA-384 is used in HMAC instead of SHA-256.
ENC_KEY_LEN is 24 octets instead of 16. ENC_KEY_LEN is 24 octets instead of 16.
MAC_KEY_LEN is 24 octets instead of 16. MAC_KEY_LEN is 24 octets instead of 16.
The length of the input key K is 48 octets instead of 32. SHA-384 is used for the HMAC instead of SHA-256.
The HMAC SHA-384 value is truncated to T_LEN=24 octets instead of The HMAC SHA-384 value is truncated to T_LEN=24 octets instead of
16. 16.
5.2.5. AES_256_CBC_HMAC_SHA_512 5.2.5. AES_256_CBC_HMAC_SHA_512
AES_256_CBC_HMAC_SHA_512 is based on AES_128_CBC_HMAC_SHA_256, but AES_256_CBC_HMAC_SHA_512 is based on AES_128_CBC_HMAC_SHA_256, but
with the following differences: with the following differences:
A 256 bit AES CBC key is used instead of 128. The input key K is 64 octets long instead of 32.
SHA-512 is used in HMAC instead of SHA-256.
ENC_KEY_LEN is 32 octets instead of 16. ENC_KEY_LEN is 32 octets instead of 16.
MAC_KEY_LEN is 32 octets instead of 16. MAC_KEY_LEN is 32 octets instead of 16.
The length of the input key K is 64 octets instead of 32. SHA-512 is used for the HMAC instead of SHA-256.
The HMAC SHA-512 value is truncated to T_LEN=32 octets instead of The HMAC SHA-512 value is truncated to T_LEN=32 octets instead of
16. 16.
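The three instances above differ only in ENC_KEY_LEN, MAC_KEY_LEN, the hash and T_LEN, so one routine can serve all of them. The following is an added example (not code from the draft or from any JOSE library) of the HMAC half of the composition, following the generic construction in Section 5.2.2 of the full draft (skipped in this excerpt): K is split into MAC_KEY (the initial MAC_KEY_LEN octets) and ENC_KEY (the final ENC_KEY_LEN octets), the MAC covers A || IV || E || AL where AL is the AAD length in bits as a 64-bit big-endian integer, the tag is the leading T_LEN octets of the HMAC output, and the tag is compared in constant time before any CBC decryption is attempted. The AES-CBC routine is a caller-supplied function (an assumed interface, since the standard library has no AES), and the key, AAD and ciphertext in the test are constructed values.

```python
"""Added example (not from the JWA draft): the HMAC side of the
AES_CBC_HMAC_SHA2 family, parameterised by the three "enc" values, with
verify-then-decrypt ordering enforced around a caller-supplied CBC routine."""

import hmac
import struct

# enc: (ENC_KEY_LEN, MAC_KEY_LEN, HMAC hash, T_LEN) per Sections 5.2.3 to 5.2.5
PARAMS = {
    "A128CBC-HS256": (16, 16, "sha256", 16),
    "A192CBC-HS384": (24, 24, "sha384", 24),
    "A256CBC-HS512": (32, 32, "sha512", 32),
}
IV_LEN = 16  # AES block size; the draft fixes a 128 bit IV


def split_key(enc: str, k: bytes):
    """K -> (MAC_KEY, ENC_KEY): MAC_KEY is the initial MAC_KEY_LEN octets,
    ENC_KEY the final ENC_KEY_LEN octets."""
    enc_len, mac_len, _, _ = PARAMS[enc]
    if len(k) != enc_len + mac_len:
        raise ValueError("%s needs a %d octet key" % (enc, enc_len + mac_len))
    return k[:mac_len], k[mac_len:]


def aad_length_block(aad: bytes) -> bytes:
    """AL: the AAD length in bits as a 64-bit big-endian integer."""
    return struct.pack(">Q", len(aad) * 8)


def compute_tag(enc: str, mac_key: bytes, aad: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """T = leading T_LEN octets of HMAC(MAC_KEY, A || IV || E || AL)."""
    _, _, hash_name, t_len = PARAMS[enc]
    if len(iv) != IV_LEN:
        raise ValueError("IV must be %d octets" % IV_LEN)
    msg = aad + iv + ciphertext + aad_length_block(aad)
    full = hmac.new(mac_key, msg, hash_name).digest()
    return full[:t_len]   # keep the leading T_LEN octets, drop the rest


def verify_tag(enc: str, mac_key: bytes, aad: bytes, iv: bytes,
               ciphertext: bytes, tag: bytes) -> bool:
    """Constant-time comparison; a wrong-length tag also fails."""
    expected = compute_tag(enc, mac_key, aad, iv, ciphertext)
    return hmac.compare_digest(expected, tag)


def open_message(enc: str, k: bytes, aad: bytes, iv: bytes, ciphertext: bytes,
                 tag: bytes, cbc_decrypt):
    """Verify-then-decrypt. `cbc_decrypt(enc_key, iv, ciphertext)` is a
    caller-supplied AES-CBC + PKCS #5 unpadding routine (assumed interface).
    The tag check happens first so a bad message never reaches the padding
    check, which is what keeps CBC padding errors unobservable."""
    mac_key, enc_key = split_key(enc, k)
    if not verify_tag(enc, mac_key, aad, iv, ciphertext, tag):
        raise ValueError("authentication tag mismatch")
    return cbc_decrypt(enc_key, iv, ciphertext)
```

The same ordering applies on the encryption side in reverse: encrypt first, then MAC the ciphertext, so the tag always covers exactly the octets the recipient will check.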
5.2.6. Plaintext Encryption with AES_CBC_HMAC_SHA2 5.2.6. Content Encryption with AES_CBC_HMAC_SHA2
The algorithm value "A128CBC-HS256" is used as the "alg" value when The following "enc" (encryption algorithm) Header Parameter values
using AES_128_CBC_HMAC_SHA_256 with JWE. The algorithm value are used to indicate that the JWE Ciphertext and JWE Authentication
"A192CBC-HS384" is used as the "alg" value when using Tag values have been computed using the corresponding algorithm:
AES_192_CBC_HMAC_SHA_384 with JWE. The algorithm value
"A256CBC-HS512" is used as the "alg" value when using
AES_256_CBC_HMAC_SHA_512 with JWE.
5.3. Plaintext Encryption with AES GCM +---------------+---------------------------------------------------+
| enc Parameter | Content Encryption Algorithm |
| Value | |
+---------------+---------------------------------------------------+
| A128CBC-HS256 | AES_128_CBC_HMAC_SHA_256 authenticated encryption |
| | algorithm, as defined in Section 5.2.3 |
| A192CBC-HS384 | AES_192_CBC_HMAC_SHA_384 authenticated encryption |
| | algorithm, as defined in Section 5.2.4 |
| A256CBC-HS512 | AES_256_CBC_HMAC_SHA_512 authenticated encryption |
| | algorithm, as defined in Section 5.2.5 |
+---------------+---------------------------------------------------+
5.3. Content Encryption with AES GCM
This section defines the specifics of encrypting the JWE Plaintext This section defines the specifics of encrypting the JWE Plaintext
with Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) with Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM)
[AES] [NIST.800-38D] using a 128, 192, or 256 bit key. The "enc" [AES] [NIST.800-38D]. The "enc" Header Parameter values "A128GCM",
Header Parameter values "A128GCM", "A192GCM", or "A256GCM" are "A192GCM", or "A256GCM" are respectively used in this case.
respectively used in this case.
The CEK is used as the encryption key. The CEK is used as the encryption key.
Use of an initialization vector of size 96 bits is REQUIRED with this Use of an initialization vector of size 96 bits is REQUIRED with this
algorithm. algorithm.
The requested size of the Authentication Tag output MUST be 128 bits, The requested size of the Authentication Tag output MUST be 128 bits,
regardless of the key size. regardless of the key size.
The JWE Authentication Tag is set to be the Authentication Tag value The JWE Authentication Tag is set to be the Authentication Tag value
produced by the encryption. During decryption, the received JWE produced by the encryption. During decryption, the received JWE
Authentication Tag is used as the Authentication Tag value. Authentication Tag is used as the Authentication Tag value.
The following "enc" (encryption algorithm) Header Parameter values
are used to indicate that the JWE Ciphertext and JWE Authentication
Tag values have been computed using the corresponding algorithm and
key size:
+---------------------+------------------------------+
| enc Parameter Value | Content Encryption Algorithm |
+---------------------+------------------------------+
| A128GCM | AES GCM using 128 bit key |
| A192GCM | AES GCM using 192 bit key |
| A256GCM | AES GCM using 256 bit key |
+---------------------+------------------------------+
An example using this algorithm is shown in Appendix A.1 of [JWE]. An example using this algorithm is shown in Appendix A.1 of [JWE].
6. Cryptographic Algorithms for Keys 6. Cryptographic Algorithms for Keys
A JSON Web Key (JWK) [JWK] is a JSON data structure that represents a A JSON Web Key (JWK) [JWK] is a JSON data structure that represents a
cryptographic key. These keys can be either asymmetric or symmetric. cryptographic key. These keys can be either asymmetric or symmetric.
They can hold both public and private information about the key. They can hold both public and private information about the key.
This section defines the parameters for keys using the algorithms This section defines the parameters for keys using the algorithms
specified by this document. specified by this document.
skipping to change at page 30, line 48 skipping to change at page 33, line 29
this specification, in order to enable broadly-informed review of this specification, in order to enable broadly-informed review of
registration decisions. In cases where a registration decision could registration decisions. In cases where a registration decision could
be perceived as creating a conflict of interest for a particular be perceived as creating a conflict of interest for a particular
Expert, that Expert should defer to the judgment of the other Expert, that Expert should defer to the judgment of the other
Expert(s). Expert(s).
7.1. JSON Web Signature and Encryption Algorithms Registry 7.1. JSON Web Signature and Encryption Algorithms Registry
This specification establishes the IANA JSON Web Signature and This specification establishes the IANA JSON Web Signature and
Encryption Algorithms registry for values of the JWS and JWE "alg" Encryption Algorithms registry for values of the JWS and JWE "alg"
(algorithm) and "enc" (encryption method) Header Parameters. The (algorithm) and "enc" (encryption algorithm) Header Parameters. The
registry records the algorithm name, the algorithm usage locations, registry records the algorithm name, the algorithm usage locations,
implementation requirements, and a reference to the specification implementation requirements, and a reference to the specification
that defines it. The same algorithm name can be registered multiple that defines it. The same algorithm name can be registered multiple
times, provided that the sets of usage locations are disjoint. times, provided that the sets of usage locations are disjoint.
It is suggested that when algorithms can use keys of different It is suggested that when algorithms can use keys of different
lengths, that the length of the key be included in the algorithm lengths, that the length of the key be included in the algorithm
name. This allows readers of the JSON text to easily make security name. This allows readers of the JSON text to easily make security
consideration decisions. consideration decisions.
skipping to change at page 31, line 39 skipping to change at page 34, line 23
Algorithm Usage Location(s): Algorithm Usage Location(s):
The algorithm usage location. This must be one or more of the The algorithm usage location. This must be one or more of the
values "alg" or "enc" if the algorithm is to be used with JWS or values "alg" or "enc" if the algorithm is to be used with JWS or
JWE. The value "JWK" is used if the algorithm identifier will be JWE. The value "JWK" is used if the algorithm identifier will be
used as a JWK "alg" member value, but will not be used with JWS or used as a JWK "alg" member value, but will not be used with JWS or
JWE; this could be the case, for instance, for non-authenticated JWE; this could be the case, for instance, for non-authenticated
encryption algorithms. Other values may be used with the approval encryption algorithms. Other values may be used with the approval
of a Designated Expert. of a Designated Expert.
Implementation Requirements: JOSE Implementation Requirements:
The algorithm implementation requirements, which must be one the The algorithm implementation requirements for JWS and JWE, which
words Required, Recommended, Optional, Deprecated, or Prohibited. must be one the words Required, Recommended, Optional, Deprecated,
Optionally, the word can be followed by a "+" or "-". The use of or Prohibited. Optionally, the word can be followed by a "+" or
"+" indicates that the requirement strength is likely to be "-". The use of "+" indicates that the requirement strength is
increased in a future version of the specification. The use of likely to be increased in a future version of the specification.
"-" indicates that the requirement strength is likely to be The use of "-" indicates that the requirement strength is likely
decreased in a future version of the specification. Any to be decreased in a future version of the specification. Any
identifiers registered for non-authenticated encryption algorithms identifiers registered for non-authenticated encryption algorithms
or other algorithms that are otherwise unsuitable for direct use or other algorithms that are otherwise unsuitable for direct use
as JWS or JWE algorithms must be registered as "Prohibited". as JWS or JWE algorithms must be registered as "Prohibited".
Change Controller: Change Controller:
For Standards Track RFCs, state "IESG". For others, give the name For Standards Track RFCs, state "IESG". For others, give the name
of the responsible party. Other details (e.g., postal address, of the responsible party. Other details (e.g., postal address,
email address, home page URI) may also be included. email address, home page URI) may also be included.
Specification Document(s): Specification Document(s):
Reference to the document(s) that specify the parameter, Reference to the document(s) that specify the parameter,
preferably including URI(s) that can be used to retrieve copies of preferably including URI(s) that can be used to retrieve copies of
the document(s). An indication of the relevant sections may also the document(s). An indication of the relevant sections may also
be included but is not required. be included but is not required.
7.1.2. Initial Registry Contents 7.1.2. Initial Registry Contents
o Algorithm Name: "HS256" o Algorithm Name: "HS256"
o Algorithm Description: HMAC using SHA-256 o Algorithm Description: HMAC using SHA-256
o Algorithm Usage Location(s): "alg" o Algorithm Usage Location(s): "alg"
o Implementation Requirements: Required o JOSE Implementation Requirements: Required
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 3.1 of [[ this document ]] o Specification Document(s): Section 3.1 of [[ this document ]]
o Algorithm Name: "HS384" o Algorithm Name: "HS384"
o Algorithm Description: HMAC using SHA-384 o Algorithm Description: HMAC using SHA-384
o Algorithm Usage Location(s): "alg" o Algorithm Usage Location(s): "alg"
o Implementation Requirements: Optional o JOSE Implementation Requirements: Optional
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 3.1 of [[ this document ]] o Specification Document(s): Section 3.1 of [[ this document ]]
o Algorithm Name: "HS512" o Algorithm Name: "HS512"
o Algorithm Description: HMAC using SHA-512 o Algorithm Description: HMAC using SHA-512
o Algorithm Usage Location(s): "alg" o Algorithm Usage Location(s): "alg"
o Implementation Requirements: Optional o JOSE Implementation Requirements: Optional
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 3.1 of [[ this document ]] o Specification Document(s): Section 3.1 of [[ this document ]]
o Algorithm Name: "RS256" o Algorithm Name: "RS256"
o Algorithm Description: RSASSA-PKCS-v1_5 using SHA-256 o Algorithm Description: RSASSA-PKCS-v1_5 using SHA-256
o Algorithm Usage Location(s): "alg" o Algorithm Usage Location(s): "alg"
o Implementation Requirements: Recommended o JOSE Implementation Requirements: Recommended
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 3.1 of [[ this document ]] o Specification Document(s): Section 3.1 of [[ this document ]]
o Algorithm Name: "RS384" o Algorithm Name: "RS384"
o Algorithm Description: RSASSA-PKCS-v1_5 using SHA-384 o Algorithm Description: RSASSA-PKCS-v1_5 using SHA-384
o Algorithm Usage Location(s): "alg" o Algorithm Usage Location(s): "alg"
o Implementation Requirements: Optional o JOSE Implementation Requirements: Optional
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 3.1 of [[ this document ]] o Specification Document(s): Section 3.1 of [[ this document ]]
o Algorithm Name: "RS512" o Algorithm Name: "RS512"
o Algorithm Description: RSASSA-PKCS-v1_5 using SHA-512 o Algorithm Description: RSASSA-PKCS-v1_5 using SHA-512
o Algorithm Usage Location(s): "alg" o Algorithm Usage Location(s): "alg"
o Implementation Requirements: Optional o JOSE Implementation Requirements: Optional
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 3.1 of [[ this document ]] o Specification Document(s): Section 3.1 of [[ this document ]]
o Algorithm Name: "ES256" o Algorithm Name: "ES256"
o Algorithm Description: ECDSA using P-256 and SHA-256 o Algorithm Description: ECDSA using P-256 and SHA-256
o Algorithm Usage Location(s): "alg" o Algorithm Usage Location(s): "alg"
o Implementation Requirements: Recommended+ o JOSE Implementation Requirements: Recommended+
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 3.1 of [[ this document ]] o Specification Document(s): Section 3.1 of [[ this document ]]
o Algorithm Name: "ES384" o Algorithm Name: "ES384"
o Algorithm Description: ECDSA using P-384 and SHA-384 o Algorithm Description: ECDSA using P-384 and SHA-384
o Algorithm Usage Location(s): "alg" o Algorithm Usage Location(s): "alg"
o Implementation Requirements: Optional o JOSE Implementation Requirements: Optional
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 3.1 of [[ this document ]] o Specification Document(s): Section 3.1 of [[ this document ]]
o Algorithm Name: "ES512" o Algorithm Name: "ES512"
o Algorithm Description: ECDSA using P-521 and SHA-512 o Algorithm Description: ECDSA using P-521 and SHA-512
o Algorithm Usage Location(s): "alg" o Algorithm Usage Location(s): "alg"
o Implementation Requirements: Optional o JOSE Implementation Requirements: Optional
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 3.1 of [[ this document ]] o Specification Document(s): Section 3.1 of [[ this document ]]
o Algorithm Name: "PS256" o Algorithm Name: "PS256"
o Algorithm Description: RSASSA-PSS using SHA-256 and MGF1 with SHA- o Algorithm Description: RSASSA-PSS using SHA-256 and MGF1 with SHA-
256 256
o Algorithm Usage Location(s): "alg" o Algorithm Usage Location(s): "alg"
o Implementation Requirements: Optional o JOSE Implementation Requirements: Optional
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 3.1 of [[ this document ]] o Specification Document(s): Section 3.1 of [[ this document ]]
o Algorithm Name: "PS384" o Algorithm Name: "PS384"
o Algorithm Description: RSASSA-PSS using SHA-384 and MGF1 with SHA- o Algorithm Description: RSASSA-PSS using SHA-384 and MGF1 with SHA-
384 384
o Algorithm Usage Location(s): "alg" o Algorithm Usage Location(s): "alg"
o Implementation Requirements: Optional o JOSE Implementation Requirements: Optional
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 3.1 of [[ this document ]] o Specification Document(s): Section 3.1 of [[ this document ]]
o Algorithm Name: "PS512" o Algorithm Name: "PS512"
o Algorithm Description: RSASSA-PSS using SHA-512 and MGF1 with SHA- o Algorithm Description: RSASSA-PSS using SHA-512 and MGF1 with SHA-
512 512
o Algorithm Usage Location(s): "alg" o Algorithm Usage Location(s): "alg"
o Implementation Requirements: Optional o JOSE Implementation Requirements: Optional
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 3.1 of [[ this document ]] o Specification Document(s): Section 3.1 of [[ this document ]]
o Algorithm Name: "none" o Algorithm Name: "none"
o Algorithm Description: No digital signature or MAC performed o Algorithm Description: No digital signature or MAC performed
o Algorithm Usage Location(s): "alg" o Algorithm Usage Location(s): "alg"
o Implementation Requirements: Optional o JOSE Implementation Requirements: Optional
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 3.1 of [[ this document ]] o Specification Document(s): Section 3.1 of [[ this document ]]
o Algorithm Name: "RSA1_5" o Algorithm Name: "RSA1_5"
o Algorithm Description: RSAES-PKCS1-V1_5 o Algorithm Description: RSAES-PKCS1-V1_5
o Algorithm Usage Location(s): "alg" o Algorithm Usage Location(s): "alg"
o Implementation Requirements: Required o JOSE Implementation Requirements: Required
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 4.1 of [[ this document ]] o Specification Document(s): Section 4.1 of [[ this document ]]
o Algorithm Name: "RSA-OAEP" o Algorithm Name: "RSA-OAEP"
o Algorithm Description: RSAES using OAEP with default parameters o Algorithm Description: RSAES using OAEP with default parameters
o Algorithm Usage Location(s): "alg" o Algorithm Usage Location(s): "alg"
o Implementation Requirements: Optional o JOSE Implementation Requirements: Optional
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 4.1 of [[ this document ]] o Specification Document(s): Section 4.1 of [[ this document ]]
o Algorithm Name: "A128KW" o Algorithm Name: "A128KW"
o Algorithm Description: AES Key Wrap using 128 bit key o Algorithm Description: AES Key Wrap using 128 bit key
o Algorithm Usage Location(s): "alg" o Algorithm Usage Location(s): "alg"
o Implementation Requirements: Recommended o JOSE Implementation Requirements: Recommended
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 4.1 of [[ this document ]] o Specification Document(s): Section 4.1 of [[ this document ]]
o Algorithm Name: "A192KW" o Algorithm Name: "A192KW"
o Algorithm Description: AES Key Wrap using 192 bit key o Algorithm Description: AES Key Wrap using 192 bit key
o Algorithm Usage Location(s): "alg" o Algorithm Usage Location(s): "alg"
o Implementation Requirements: Optional o JOSE Implementation Requirements: Optional
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 4.1 of [[ this document ]] o Specification Document(s): Section 4.1 of [[ this document ]]
o Algorithm Name: "A256KW" o Algorithm Name: "A256KW"
o Algorithm Description: AES Key Wrap using 256 bit key o Algorithm Description: AES Key Wrap using 256 bit key
o Algorithm Usage Location(s): "alg" o Algorithm Usage Location(s): "alg"
o Implementation Requirements: Recommended o JOSE Implementation Requirements: Recommended
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 4.1 of [[ this document ]] o Specification Document(s): Section 4.1 of [[ this document ]]
o Algorithm Name: "dir" o Algorithm Name: "dir"
o Algorithm Description: Direct use of a shared symmetric key o Algorithm Description: Direct use of a shared symmetric key
o Algorithm Usage Location(s): "alg" o Algorithm Usage Location(s): "alg"
o Implementation Requirements: Recommended o JOSE Implementation Requirements: Recommended
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 4.1 of [[ this document ]] o Specification Document(s): Section 4.1 of [[ this document ]]
o Algorithm Name: "ECDH-ES" o Algorithm Name: "ECDH-ES"
o Algorithm Description: ECDH-ES using Concat KDF o Algorithm Description: ECDH-ES using Concat KDF
o Algorithm Usage Location(s): "alg" o Algorithm Usage Location(s): "alg"
o Implementation Requirements: Recommended+ o JOSE Implementation Requirements: Recommended+
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 4.1 of [[ this document ]] o Specification Document(s): Section 4.1 of [[ this document ]]
o Algorithm Name: "ECDH-ES+A128KW" o Algorithm Name: "ECDH-ES+A128KW"
o Algorithm Description: ECDH-ES using Concat KDF and "A128KW" o Algorithm Description: ECDH-ES using Concat KDF and "A128KW"
wrapping wrapping
o Algorithm Usage Location(s): "alg" o Algorithm Usage Location(s): "alg"
o Implementation Requirements: Recommended o JOSE Implementation Requirements: Recommended
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 4.1 of [[ this document ]] o Specification Document(s): Section 4.1 of [[ this document ]]
o Algorithm Name: "ECDH-ES+A192KW" o Algorithm Name: "ECDH-ES+A192KW"
o Algorithm Description: ECDH-ES using Concat KDF and "A192KW" o Algorithm Description: ECDH-ES using Concat KDF and "A192KW"
wrapping wrapping
o Algorithm Usage Location(s): "alg" o Algorithm Usage Location(s): "alg"
o Implementation Requirements: Optional o JOSE Implementation Requirements: Optional
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 4.1 of [[ this document ]] o Specification Document(s): Section 4.1 of [[ this document ]]
o Algorithm Name: "ECDH-ES+A256KW" o Algorithm Name: "ECDH-ES+A256KW"
o Algorithm Description: ECDH-ES using Concat KDF and "A256KW" o Algorithm Description: ECDH-ES using Concat KDF and "A256KW"
wrapping wrapping
o Algorithm Usage Location(s): "alg" o Algorithm Usage Location(s): "alg"
o Implementation Requirements: Recommended o JOSE Implementation Requirements: Recommended
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 4.1 of [[ this document ]] o Specification Document(s): Section 4.1 of [[ this document ]]
o Algorithm Name: "A128GCMKW" o Algorithm Name: "A128GCMKW"
o Algorithm Description: Key wrapping with AES GCM using 128 bit key o Algorithm Description: Key wrapping with AES GCM using 128 bit key
o Algorithm Usage Location(s): "alg" o Algorithm Usage Location(s): "alg"
o Implementation Requirements: Optional o JOSE Implementation Requirements: Optional
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 4.7 of [[ this document ]] o Specification Document(s): Section 4.7 of [[ this document ]]
o Algorithm Name: "A192GCMKW" o Algorithm Name: "A192GCMKW"
o Algorithm Description: Key wrapping with AES GCM using 192 bit key o Algorithm Description: Key wrapping with AES GCM using 192 bit key
o Algorithm Usage Location(s): "alg" o Algorithm Usage Location(s): "alg"
o Implementation Requirements: Optional o JOSE Implementation Requirements: Optional
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 4.7 of [[ this document ]] o Specification Document(s): Section 4.7 of [[ this document ]]
o Algorithm Name: "A256GCMKW" o Algorithm Name: "A256GCMKW"
o Algorithm Description: Key wrapping with AES GCM using 256 bit key o Algorithm Description: Key wrapping with AES GCM using 256 bit key
o Algorithm Usage Location(s): "alg" o Algorithm Usage Location(s): "alg"
o Implementation Requirements: Optional o JOSE Implementation Requirements: Optional
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 4.7 of [[ this document ]] o Specification Document(s): Section 4.7 of [[ this document ]]
o Algorithm Name: "PBES2-HS256+A128KW" o Algorithm Name: "PBES2-HS256+A128KW"
o Algorithm Description: PBES2 with HMAC SHA-256 and "A128KW" o Algorithm Description: PBES2 with HMAC SHA-256 and "A128KW"
wrapping wrapping
o Algorithm Usage Location(s): "alg" o Algorithm Usage Location(s): "alg"
o Implementation Requirements: Optional o JOSE Implementation Requirements: Optional
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 4.8 of [[ this document ]] o Specification Document(s): Section 4.8 of [[ this document ]]
o Algorithm Name: "PBES2-HS384+A192KW" o Algorithm Name: "PBES2-HS384+A192KW"
o Algorithm Description: PBES2 with HMAC SHA-384 and "A192KW" o Algorithm Description: PBES2 with HMAC SHA-384 and "A192KW"
wrapping wrapping
o Algorithm Usage Location(s): "alg" o Algorithm Usage Location(s): "alg"
o Implementation Requirements: Optional o JOSE Implementation Requirements: Optional
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 4.8 of [[ this document ]] o Specification Document(s): Section 4.8 of [[ this document ]]
o Algorithm Name: "PBES2-HS512+A256KW" o Algorithm Name: "PBES2-HS512+A256KW"
o Algorithm Description: PBES2 with HMAC SHA-512 and "A256KW" o Algorithm Description: PBES2 with HMAC SHA-512 and "A256KW"
wrapping wrapping
o Algorithm Usage Location(s): "alg" o Algorithm Usage Location(s): "alg"
o Implementation Requirements: Optional o JOSE Implementation Requirements: Optional
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 4.8 of [[ this document ]] o Specification Document(s): Section 4.8 of [[ this document ]]
o Algorithm Name: "A128CBC-HS256" o Algorithm Name: "A128CBC-HS256"
o Algorithm Description: AES_128_CBC_HMAC_SHA_256 authenticated o Algorithm Description: AES_128_CBC_HMAC_SHA_256 authenticated
encryption algorithm encryption algorithm
o Algorithm Usage Location(s): "enc" o Algorithm Usage Location(s): "enc"
o Implementation Requirements: Required o JOSE Implementation Requirements: Required
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 5.1 of [[ this document ]] o Specification Document(s): Section 5.1 of [[ this document ]]
o Algorithm Name: "A192CBC-HS384" o Algorithm Name: "A192CBC-HS384"
o Algorithm Description: AES_192_CBC_HMAC_SHA_384 authenticated o Algorithm Description: AES_192_CBC_HMAC_SHA_384 authenticated
encryption algorithm encryption algorithm
o Algorithm Usage Location(s): "enc" o Algorithm Usage Location(s): "enc"
o Implementation Requirements: Optional o JOSE Implementation Requirements: Optional
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 5.1 of [[ this document ]] o Specification Document(s): Section 5.1 of [[ this document ]]
o Algorithm Name: "A256CBC-HS512" o Algorithm Name: "A256CBC-HS512"
o Algorithm Description: AES_256_CBC_HMAC_SHA_512 authenticated o Algorithm Description: AES_256_CBC_HMAC_SHA_512 authenticated
encryption algorithm encryption algorithm
o Algorithm Usage Location(s): "enc" o Algorithm Usage Location(s): "enc"
o Implementation Requirements: Required o JOSE Implementation Requirements: Required
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 5.1 of [[ this document ]] o Specification Document(s): Section 5.1 of [[ this document ]]
o Algorithm Name: "A128GCM" o Algorithm Name: "A128GCM"
o Algorithm Description: AES GCM using 128 bit key o Algorithm Description: AES GCM using 128 bit key
o Algorithm Usage Location(s): "enc" o Algorithm Usage Location(s): "enc"
o Implementation Requirements: Recommended o JOSE Implementation Requirements: Recommended
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 5.1 of [[ this document ]] o Specification Document(s): Section 5.1 of [[ this document ]]
o Algorithm Name: "A192GCM" o Algorithm Name: "A192GCM"
o Algorithm Description: AES GCM using 192 bit key o Algorithm Description: AES GCM using 192 bit key
o Algorithm Usage Location(s): "enc" o Algorithm Usage Location(s): "enc"
o Implementation Requirements: Optional o JOSE Implementation Requirements: Optional
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 5.1 of [[ this document ]] o Specification Document(s): Section 5.1 of [[ this document ]]
o Algorithm Name: "A256GCM" o Algorithm Name: "A256GCM"
o Algorithm Description: AES GCM using 256 bit key o Algorithm Description: AES GCM using 256 bit key
o Algorithm Usage Location(s): "enc" o Algorithm Usage Location(s): "enc"
o Implementation Requirements: Recommended o JOSE Implementation Requirements: Recommended
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 5.1 of [[ this document ]] o Specification Document(s): Section 5.1 of [[ this document ]]
7.2. JWE Header Parameter Names Registration 7.2. JWE Header Parameter Names Registration
This specification registers the Header Parameter names defined in This specification registers the Header Parameter names defined in
Section 4.6.1, Section 4.7.1, and Section 4.8.1 in the IANA JSON Web Section 4.6.1, Section 4.7.1, and Section 4.8.1 in the IANA JSON Web
Signature and Encryption Header Parameters registry defined in [JWS]. Signature and Encryption Header Parameters registry defined in [JWS].
7.2.1. Registry Contents 7.2.1. Registry Contents
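Review bot: "which must be one the words Required, Recommended, Optional, Deprecated, or Prohibited" in the JOSE Implementation Requirements definition under 7.1.1 (right column) is missing "of"; the left column carries the same typo, so the rename from "Implementation Requirements" and the added "for JWS and JWE" qualifier brought it over unchanged. Suggest "which must be one of the words Required, Recommended, Optional, Deprecated, or Prohibited". The added qualifier itself reads well with the last sentence of that definition, since a "JWK"-located algorithm that must be registered as "Prohibited" is now unambiguously prohibited for JWS and JWE use only.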
skipping to change at page 40, line 28 skipping to change at page 43, line 13
particular case. particular case.
Key Type Description: Key Type Description:
Brief description of the Key Type (e.g., "Example description"). Brief description of the Key Type (e.g., "Example description").
Change Controller: Change Controller:
For Standards Track RFCs, state "IESG". For others, give the name For Standards Track RFCs, state "IESG". For others, give the name
of the responsible party. Other details (e.g., postal address, of the responsible party. Other details (e.g., postal address,
email address, home page URI) may also be included. email address, home page URI) may also be included.
Implementation Requirements: JOSE Implementation Requirements:
The key type implementation requirements, which must be one the The key type implementation requirements for JWS and JWE, which
words Required, Recommended, Optional, or Deprecated. Optionally, must be one the words Required, Recommended, Optional, Deprecated,
the word can be followed by a "+" or "-". The use of "+" or Prohibited. Optionally, the word can be followed by a "+" or
indicates that the requirement strength is likely to be increased "-". The use of "+" indicates that the requirement strength is
in a future version of the specification. The use of "-" likely to be increased in a future version of the specification.
indicates that the requirement strength is likely to be decreased The use of "-" indicates that the requirement strength is likely
in a future version of the specification. to be decreased in a future version of the specification.
Specification Document(s): Specification Document(s):
Reference to the document(s) that specify the parameter, Reference to the document(s) that specify the parameter,
preferably including URI(s) that can be used to retrieve copies of preferably including URI(s) that can be used to retrieve copies of
the document(s). An indication of the relevant sections may also the document(s). An indication of the relevant sections may also
be included but is not required. be included but is not required.
7.4.2. Initial Registry Contents 7.4.2. Initial Registry Contents
This specification registers the values defined in Section 6.1. This specification registers the values defined in Section 6.1.
o "kty" Parameter Value: "EC" o "kty" Parameter Value: "EC"
o Key Type Description: Elliptic Curve o Key Type Description: Elliptic Curve
o Implementation Requirements: Recommended+ o JOSE Implementation Requirements: Recommended+
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 6.2 of [[ this document ]] o Specification Document(s): Section 6.2 of [[ this document ]]
o "kty" Parameter Value: "RSA" o "kty" Parameter Value: "RSA"
o Key Type Description: RSA o Key Type Description: RSA
o Implementation Requirements: Required o JOSE Implementation Requirements: Required
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 6.3 of [[ this document ]] o Specification Document(s): Section 6.3 of [[ this document ]]
o "kty" Parameter Value: "oct" o "kty" Parameter Value: "oct"
o Key Type Description: Octet sequence o Key Type Description: Octet sequence
o Implementation Requirements: Required o JOSE Implementation Requirements: Required
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 6.4 of [[ this document ]] o Specification Document(s): Section 6.4 of [[ this document ]]
7.5. JSON Web Key Parameters Registration 7.5. JSON Web Key Parameters Registration
This specification registers the parameter names defined in Sections This specification registers the parameter names defined in Sections
6.2, 6.3, and 6.4 in the IANA JSON Web Key Parameters registry 6.2, 6.3, and 6.4 in the IANA JSON Web Key Parameters registry
defined in [JWK]. defined in [JWK].
7.5.1. Registry Contents 7.5.1. Registry Contents
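Review bot: the Key Type template's JOSE Implementation Requirements definition under 7.4.1 (right column) adds "Prohibited" to the permitted words, which the left column did not have, but unlike the 7.1.1 definition it gives no criterion for when a key type must be registered as "Prohibited"; either state the criterion here or reference the 7.1.1 rule so registrants know what the value means for a "kty". The "must be one the words" typo is repeated in this definition as well.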
skipping to change at page 44, line 17 skipping to change at page 47, line 5
it is RECOMMENDED that the name be short -- not to exceed 8 it is RECOMMENDED that the name be short -- not to exceed 8
characters without a compelling reason to do so. This name is characters without a compelling reason to do so. This name is
case-sensitive. Names may not match other registered names in a case-sensitive. Names may not match other registered names in a
case-insensitive manner unless the Designated Expert(s) state that case-insensitive manner unless the Designated Expert(s) state that
there is a compelling reason to allow an exception in this there is a compelling reason to allow an exception in this
particular case. particular case.
Curve Description: Curve Description:
Brief description of the curve (e.g., "Example description"). Brief description of the curve (e.g., "Example description").
Implementation Requirements: JOSE Implementation Requirements:
The curve implementation requirements, which must be one the words The curve implementation requirements for JWS and JWE, which must
Required, Recommended, Optional, or Deprecated. Optionally, the be one the words Required, Recommended, Optional, Deprecated, or
word can be followed by a "+" or "-". The use of "+" indicates Prohibited. Optionally, the word can be followed by a "+" or "-".
that the requirement strength is likely to be increased in a The use of "+" indicates that the requirement strength is likely
future version of the specification. The use of "-" indicates to be increased in a future version of the specification. The use
that the requirement strength is likely to be decreased in a of "-" indicates that the requirement strength is likely to be
future version of the specification. decreased in a future version of the specification.
Change Controller: Change Controller:
For Standards Track RFCs, state "IESG". For others, give the name For Standards Track RFCs, state "IESG". For others, give the name
of the responsible party. Other details (e.g., postal address, of the responsible party. Other details (e.g., postal address,
email address, home page URI) may also be included. email address, home page URI) may also be included.
Specification Document(s): Specification Document(s):
Reference to the document(s) that specify the parameter, Reference to the document(s) that specify the parameter,
preferably including URI(s) that can be used to retrieve copies of preferably including URI(s) that can be used to retrieve copies of
the document(s). An indication of the relevant sections may also the document(s). An indication of the relevant sections may also
be included but is not required. be included but is not required.
7.6.2. Initial Registry Contents 7.6.2. Initial Registry Contents
o Curve Name: "P-256" o Curve Name: "P-256"
o Curve Description: P-256 curve o Curve Description: P-256 curve
o Implementation Requirements: Recommended+ o JOSE Implementation Requirements: Recommended+
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 6.2.1.1 of [[ this document ]] o Specification Document(s): Section 6.2.1.1 of [[ this document ]]
o Curve Name: "P-384" o Curve Name: "P-384"
o Curve Description: P-384 curve o Curve Description: P-384 curve
o Implementation Requirements: Optional o JOSE Implementation Requirements: Optional
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 6.2.1.1 of [[ this document ]] o Specification Document(s): Section 6.2.1.1 of [[ this document ]]
o Curve Name: "P-521" o Curve Name: "P-521"
o Curve Description: P-521 curve o Curve Description: P-521 curve
o Implementation Requirements: Optional o JOSE Implementation Requirements: Optional
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 6.2.1.1 of [[ this document ]] o Specification Document(s): Section 6.2.1.1 of [[ this document ]]
8. Security Considerations

All of the security issues faced by any cryptographic application
must be faced by a JWS/JWE/JWK agent. Among these issues are
protecting the user's private and symmetric keys, preventing various
attacks, and helping the user avoid mistakes such as inadvertently
encrypting a message for the wrong recipient. The entire list of
skipping to change at page 47, line 23 (-18) / page 50, line 11 (-19)
the security properties that each of them provides. These need to be
taken into consideration when designing protocols and selecting the
algorithms to be used in protocols.

Both signatures and MACs provide for integrity checking -- verifying
that the message has not been modified since the integrity value was
computed. However, MACs provide for origination identification only
under specific circumstances. It can normally be assumed that a
private key used for a signature is only in the hands of a single
entity (although perhaps a distributed entity, in the case of
replicated servers); however, a MAC key needs to be in the hands of
all the entities that use it for integrity computation and checking.
[-18: "replicated servers), however a MAC key needs to be in the hands of"]
This means that origination can only be determined if a MAC key is
known only to two entities and the receiver knows that it did not
create the message. MAC validation cannot be used to prove
origination to a third party.
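As an added example, not part of the draft: a stdlib-only Python sketch that builds an "alg":"HS256" JWS over a constructed payload and shows what a valid MAC does and does not prove about origination. The shared key, the party names and the helper functions are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed example key, held by every party that uses it (not from the draft).
SHARED_KEY = b"constructed-shared-secret-for-the-example"


def b64url(data: bytes) -> str:
    """BASE64URL encoding without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: restore the padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_jws(key: bytes, payload: dict) -> str:
    """Compact JWS with HS256: HMAC-SHA256 over BASE64URL(header).BASE64URL(payload)."""
    header = b64url(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    tag = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(tag)}"


def hs256_verify(key: bytes, jws: str) -> bool:
    """Recompute the MAC over the signing input and compare in constant time."""
    header, body, tag = jws.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(tag))


def possible_originators(key_holders: set, verifier: str) -> set:
    """What a valid MAC proves to a verifier that holds the key: only that
    some key holder other than the verifier produced it. The originator is
    pinned down only when exactly two parties hold the key (the draft's
    'specific circumstances'); a third party learns nothing about origin."""
    return key_holders - {verifier}


if __name__ == "__main__":
    claim = {"iss": "alice", "msg": "pay bob 10"}
    from_alice = hs256_jws(SHARED_KEY, claim)
    from_bob = hs256_jws(SHARED_KEY, claim)  # bob holds the same key
    print("byte-identical JWS from either holder:", from_alice == from_bob)
    print("who could have made it, as seen by bob:",
          possible_originators({"alice", "bob", "carol"}, "bob"))
```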
8.7. Denial of Service Attacks

Receiving agents that validate signatures and sending agents that
encrypt messages need to be cautious of cryptographic processing
skipping to change at page 49, line 14 (-18) / page 51, line 48 (-19)
[I-D.melnikov-precis-saslprepbis]
           Saint-Andre, P. and A. Melnikov, "Preparation and
           Comparison of Internationalized Strings Representing
           Simple User Names and Passwords",
           draft-melnikov-precis-saslprepbis-04 (work in progress),
           September 2012.

[JWE]      Jones, M., Rescorla, E., and J. Hildebrand, "JSON Web
           Encryption (JWE)", draft-ietf-jose-json-web-encryption
           (work in progress), December 2013. [-18: November 2013]

[JWK]      Jones, M., "JSON Web Key (JWK)",
           draft-ietf-jose-json-web-key (work in progress),
           December 2013. [-18: November 2013]

[JWS]      Jones, M., Bradley, J., and N. Sakimura, "JSON Web
           Signature (JWS)", draft-ietf-jose-json-web-signature (work
           in progress), December 2013. [-18: November 2013]

[NIST.800-38A]
           National Institute of Standards and Technology (NIST),
           "Recommendation for Block Cipher Modes of Operation",
           NIST PUB 800-38A, December 2001.

[NIST.800-38D]
           National Institute of Standards and Technology (NIST),
           "Recommendation for Block Cipher Modes of Operation:
           Galois/Counter Mode (GCM) and GMAC", NIST PUB 800-38D,
skipping to change at page 51, line 39 (-18) / page 54, line 29 (-19)
[RFC3275]  Eastlake, D., Reagle, J., and D. Solo, "(Extensible Markup
           Language) XML-Signature Syntax and Processing", RFC 3275,
           March 2002.

[RFC3447]  Jonsson, J. and B. Kaliski, "Public-Key Cryptography
           Standards (PKCS) #1: RSA Cryptography Specifications
           Version 2.1", RFC 3447, February 2003.

[W3C.CR-xmldsig-core2-20120124]
           Cantor, S., Roessler, T., Eastlake, D., Yiu, K., Reagle,
           J., Solo, D., Datta, P., and F. Hirsch, "XML Signature
           Syntax and Processing Version 2.0", World Wide Web
           Consortium CR CR-xmldsig-core2-20120124, January 2012,
           <http://www.w3.org/TR/2012/CR-xmldsig-core2-20120124>.
           [-18 author order: Eastlake, D., Reagle, J., Yiu, K.,
           Solo, D., Datta, P., Hirsch, F., Cantor, S., and
           T. Roessler]

[W3C.CR-xmlenc-core1-20120313]
           Eastlake, D., Reagle, J., Roessler, T., and F. Hirsch,
           "XML Encryption Syntax and Processing Version 1.1", World
           Wide Web Consortium CR CR-xmlenc-core1-20120313,
           March 2012,
           <http://www.w3.org/TR/2012/CR-xmlenc-core1-20120313>.
skipping to change at page 53, line 37 (-18) / page 56, line 26 (-19)
| KW   | /04/xmlenc#kw-aes128   |                    | 01.3.4.1.5   |
| A192 | http://www.w3.org/2001 |                    | 2.16.840.1.1 |
| KW   | /04/xmlenc#kw-aes192   |                    | 01.3.4.1.25  |
| A256 | http://www.w3.org/2001 |                    | 2.16.840.1.1 |
| KW   | /04/xmlenc#kw-aes256   |                    | 01.3.4.1.45  |
+------+------------------------+--------------------+--------------+

A.3. Content Encryption Algorithm Identifier Cross-Reference

This section contains a table cross-referencing the JWE "enc"
(encryption algorithm) values defined in this specification with the
[-18: (encryption method)]
equivalent identifiers used by other standards and software packages.
For the composite algorithms "A128CBC-HS256", "A192CBC-HS384", and
"A256CBC-HS512", the corresponding AES CBC algorithm identifiers are
listed.

+---------+-------------------------+--------------+----------------+
| JWE     | XML ENC                 | JCA          | OID            |
+---------+-------------------------+--------------+----------------+
| A128CBC | http://www.w3.org/2001/ | AES/CBC/PKCS | 2.16.840.1.101 |
skipping to change at page 61, line 17 (-18) / page 64, line 17 (-19)
Hannes Tschofenig, and Sean Turner.

Jim Schaad and Karen O'Donoghue chaired the JOSE working group and
Sean Turner and Stephen Farrell served as Security area directors
during the creation of this specification.

Appendix E. Document History

[[ to be removed by the RFC Editor before publication as an RFC ]]
-19
o Used tables to show the correspondence between algorithm
identifiers and algorithm descriptions and parameters in the
algorithm definition sections, addressing issue #183.
o Changed the "Implementation Requirements" registry field names to
"JOSE Implementation Requirements" to make it clear that these
implementation requirements apply only to JWS and JWE
implementations.
-18

o Changes to address editorial and minor issues #129, #134, #135,
  #158, #161, #185, #186, and #187.

o Added and used Description registry fields.

-17

o Explicitly named all the logical components of a JWS and JWE and
End of changes. 103 change blocks.
279 lines changed or deleted, 402 lines changed or added.

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/