draft-ietf-jose-json-web-algorithms-21.txt   draft-ietf-jose-json-web-algorithms-22.txt 
JOSE Working Group M. Jones JOSE Working Group M. Jones
Internet-Draft Microsoft Internet-Draft Microsoft
Intended status: Standards Track February 14, 2014 Intended status: Standards Track March 2, 2014
Expires: August 18, 2014 Expires: September 3, 2014
JSON Web Algorithms (JWA) JSON Web Algorithms (JWA)
draft-ietf-jose-json-web-algorithms-21 draft-ietf-jose-json-web-algorithms-22
Abstract Abstract
The JSON Web Algorithms (JWA) specification registers cryptographic The JSON Web Algorithms (JWA) specification registers cryptographic
algorithms and identifiers to be used with the JSON Web Signature algorithms and identifiers to be used with the JSON Web Signature
(JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK) (JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK)
specifications. It defines several IANA registries for these specifications. It defines several IANA registries for these
identifiers. identifiers.
Status of this Memo Status of this Memo
skipping to change at page 1, line 34 skipping to change at page 1, line 34
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 18, 2014. This Internet-Draft will expire on September 3, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 44 skipping to change at page 2, line 44
4.8. Key Encryption with PBES2 . . . . . . . . . . . . . . . . 19 4.8. Key Encryption with PBES2 . . . . . . . . . . . . . . . . 19
4.8.1. Header Parameters Used for PBES2 Key Encryption . . . 20 4.8.1. Header Parameters Used for PBES2 Key Encryption . . . 20
4.8.1.1. "p2s" (PBES2 salt input) Parameter . . . . . . . . 20 4.8.1.1. "p2s" (PBES2 salt input) Parameter . . . . . . . . 20
4.8.1.2. "p2c" (PBES2 count) Parameter . . . . . . . . . . 20 4.8.1.2. "p2c" (PBES2 count) Parameter . . . . . . . . . . 20
5. Cryptographic Algorithms for Content Encryption . . . . . . . 21 5. Cryptographic Algorithms for Content Encryption . . . . . . . 21
5.1. "enc" (Encryption Algorithm) Header Parameter Values 5.1. "enc" (Encryption Algorithm) Header Parameter Values
for JWE . . . . . . . . . . . . . . . . . . . . . . . . . 21 for JWE . . . . . . . . . . . . . . . . . . . . . . . . . 21
5.2. AES_CBC_HMAC_SHA2 Algorithms . . . . . . . . . . . . . . . 22 5.2. AES_CBC_HMAC_SHA2 Algorithms . . . . . . . . . . . . . . . 22
5.2.1. Conventions Used in Defining AES_CBC_HMAC_SHA2 . . . . 22 5.2.1. Conventions Used in Defining AES_CBC_HMAC_SHA2 . . . . 22
5.2.2. Generic AES_CBC_HMAC_SHA2 Algorithm . . . . . . . . . 22 5.2.2. Generic AES_CBC_HMAC_SHA2 Algorithm . . . . . . . . . 22
5.2.2.1. AES_CBC_HMAC_SHA2 Encryption . . . . . . . . . . . 22 5.2.2.1. AES_CBC_HMAC_SHA2 Encryption . . . . . . . . . . . 23
5.2.2.2. AES_CBC_HMAC_SHA2 Decryption . . . . . . . . . . . 24 5.2.2.2. AES_CBC_HMAC_SHA2 Decryption . . . . . . . . . . . 24
5.2.3. AES_128_CBC_HMAC_SHA_256 . . . . . . . . . . . . . . . 25 5.2.3. AES_128_CBC_HMAC_SHA_256 . . . . . . . . . . . . . . . 25
5.2.4. AES_192_CBC_HMAC_SHA_384 . . . . . . . . . . . . . . . 25 5.2.4. AES_192_CBC_HMAC_SHA_384 . . . . . . . . . . . . . . . 25
5.2.5. AES_256_CBC_HMAC_SHA_512 . . . . . . . . . . . . . . . 25 5.2.5. AES_256_CBC_HMAC_SHA_512 . . . . . . . . . . . . . . . 26
5.2.6. Content Encryption with AES_CBC_HMAC_SHA2 . . . . . . 26 5.2.6. Content Encryption with AES_CBC_HMAC_SHA2 . . . . . . 26
5.3. Content Encryption with AES GCM . . . . . . . . . . . . . 26 5.3. Content Encryption with AES GCM . . . . . . . . . . . . . 26
6. Cryptographic Algorithms for Keys . . . . . . . . . . . . . . 27 6. Cryptographic Algorithms for Keys . . . . . . . . . . . . . . 27
6.1. "kty" (Key Type) Parameter Values . . . . . . . . . . . . 27 6.1. "kty" (Key Type) Parameter Values . . . . . . . . . . . . 27
6.2. Parameters for Elliptic Curve Keys . . . . . . . . . . . . 27 6.2. Parameters for Elliptic Curve Keys . . . . . . . . . . . . 28
6.2.1. Parameters for Elliptic Curve Public Keys . . . . . . 28 6.2.1. Parameters for Elliptic Curve Public Keys . . . . . . 28
6.2.1.1. "crv" (Curve) Parameter . . . . . . . . . . . . . 28 6.2.1.1. "crv" (Curve) Parameter . . . . . . . . . . . . . 28
6.2.1.2. "x" (X Coordinate) Parameter . . . . . . . . . . . 28 6.2.1.2. "x" (X Coordinate) Parameter . . . . . . . . . . . 28
6.2.1.3. "y" (Y Coordinate) Parameter . . . . . . . . . . . 28 6.2.1.3. "y" (Y Coordinate) Parameter . . . . . . . . . . . 29
6.2.2. Parameters for Elliptic Curve Private Keys . . . . . . 29 6.2.2. Parameters for Elliptic Curve Private Keys . . . . . . 29
6.2.2.1. "d" (ECC Private Key) Parameter . . . . . . . . . 29 6.2.2.1. "d" (ECC Private Key) Parameter . . . . . . . . . 29
6.3. Parameters for RSA Keys . . . . . . . . . . . . . . . . . 29 6.3. Parameters for RSA Keys . . . . . . . . . . . . . . . . . 29
6.3.1. Parameters for RSA Public Keys . . . . . . . . . . . . 29 6.3.1. Parameters for RSA Public Keys . . . . . . . . . . . . 29
6.3.1.1. "n" (Modulus) Parameter . . . . . . . . . . . . . 29 6.3.1.1. "n" (Modulus) Parameter . . . . . . . . . . . . . 29
6.3.1.2. "e" (Exponent) Parameter . . . . . . . . . . . . . 29 6.3.1.2. "e" (Exponent) Parameter . . . . . . . . . . . . . 29
6.3.2. Parameters for RSA Private Keys . . . . . . . . . . . 30 6.3.2. Parameters for RSA Private Keys . . . . . . . . . . . 30
6.3.2.1. "d" (Private Exponent) Parameter . . . . . . . . . 30 6.3.2.1. "d" (Private Exponent) Parameter . . . . . . . . . 30
6.3.2.2. "p" (First Prime Factor) Parameter . . . . . . . . 30 6.3.2.2. "p" (First Prime Factor) Parameter . . . . . . . . 30
6.3.2.3. "q" (Second Prime Factor) Parameter . . . . . . . 30 6.3.2.3. "q" (Second Prime Factor) Parameter . . . . . . . 30
skipping to change at page 4, line 9 skipping to change at page 4, line 9
8.5. Plaintext JWS Security Considerations . . . . . . . . . . 49 8.5. Plaintext JWS Security Considerations . . . . . . . . . . 49
8.6. Differences between Digital Signatures and MACs . . . . . 49 8.6. Differences between Digital Signatures and MACs . . . . . 49
8.7. Denial of Service Attacks . . . . . . . . . . . . . . . . 50 8.7. Denial of Service Attacks . . . . . . . . . . . . . . . . 50
8.8. Reusing Key Material when Encrypting Keys . . . . . . . . 50 8.8. Reusing Key Material when Encrypting Keys . . . . . . . . 50
8.9. Password Considerations . . . . . . . . . . . . . . . . . 50 8.9. Password Considerations . . . . . . . . . . . . . . . . . 50
9. Internationalization Considerations . . . . . . . . . . . . . 51 9. Internationalization Considerations . . . . . . . . . . . . . 51
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 51 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 51
10.1. Normative References . . . . . . . . . . . . . . . . . . . 51 10.1. Normative References . . . . . . . . . . . . . . . . . . . 51
10.2. Informative References . . . . . . . . . . . . . . . . . . 53 10.2. Informative References . . . . . . . . . . . . . . . . . . 53
Appendix A. Algorithm Identifier Cross-Reference . . . . . . . . 55 Appendix A. Algorithm Identifier Cross-Reference . . . . . . . . 54
A.1. Digital Signature/MAC Algorithm Identifier A.1. Digital Signature/MAC Algorithm Identifier
Cross-Reference . . . . . . . . . . . . . . . . . . . . . 55 Cross-Reference . . . . . . . . . . . . . . . . . . . . . 55
A.2. Key Management Algorithm Identifier Cross-Reference . . . 56 A.2. Key Management Algorithm Identifier Cross-Reference . . . 55
A.3. Content Encryption Algorithm Identifier Cross-Reference . 56 A.3. Content Encryption Algorithm Identifier Cross-Reference . 56
Appendix B. Test Cases for AES_CBC_HMAC_SHA2 Algorithms . . . . . 57 Appendix B. Test Cases for AES_CBC_HMAC_SHA2 Algorithms . . . . . 57
B.1. Test Cases for AES_128_CBC_HMAC_SHA_256 . . . . . . . . . 58 B.1. Test Cases for AES_128_CBC_HMAC_SHA_256 . . . . . . . . . 58
B.2. Test Cases for AES_192_CBC_HMAC_SHA_384 . . . . . . . . . 59 B.2. Test Cases for AES_192_CBC_HMAC_SHA_384 . . . . . . . . . 59
B.3. Test Cases for AES_256_CBC_HMAC_SHA_512 . . . . . . . . . 60 B.3. Test Cases for AES_256_CBC_HMAC_SHA_512 . . . . . . . . . 60
Appendix C. Example ECDH-ES Key Agreement Computation . . . . . . 61 Appendix C. Example ECDH-ES Key Agreement Computation . . . . . . 61
Appendix D. Acknowledgements . . . . . . . . . . . . . . . . . . 63 Appendix D. Acknowledgements . . . . . . . . . . . . . . . . . . 63
Appendix E. Document History . . . . . . . . . . . . . . . . . . 64 Appendix E. Document History . . . . . . . . . . . . . . . . . . 64
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 72 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 72
1. Introduction 1. Introduction
The JSON Web Algorithms (JWA) specification registers cryptographic The JSON Web Algorithms (JWA) specification registers cryptographic
algorithms and identifiers to be used with the JSON Web Signature algorithms and identifiers to be used with the JSON Web Signature
(JWS) [JWS], JSON Web Encryption (JWE) [JWE], and JSON Web Key (JWK) (JWS) [JWS], JSON Web Encryption (JWE) [JWE], and JSON Web Key (JWK)
[JWK] specifications. It defines several IANA registries for these [JWK] specifications. It defines several IANA registries for these
identifiers. All these specifications utilize JavaScript Object identifiers. All these specifications utilize JavaScript Object
Notation (JSON) [I-D.ietf-json-rfc4627bis] based data structures. Notation (JSON) [RFC7158] based data structures. This specification
This specification also describes the semantics and operations that also describes the semantics and operations that are specific to
are specific to these algorithms and key types. these algorithms and key types.
Registering the algorithms and identifiers here, rather than in the Registering the algorithms and identifiers here, rather than in the
JWS, JWE, and JWK specifications, is intended to allow them to remain JWS, JWE, and JWK specifications, is intended to allow them to remain
unchanged in the face of changes in the set of Required, Recommended, unchanged in the face of changes in the set of Required, Recommended,
Optional, and Deprecated algorithms over time. This also allows Optional, and Deprecated algorithms over time. This also allows
changes to the JWS, JWE, and JWK specifications without changing this changes to the JWS, JWE, and JWK specifications without changing this
document. document.
Names defined by this specification are short because a core goal is Names defined by this specification are short because a core goal is
for the resulting representations to be compact. for the resulting representations to be compact.
1.1. Notational Conventions 1.1. Notational Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
document are to be interpreted as described in Key words for use in "OPTIONAL" in this document are to be interpreted as described in Key
RFCs to Indicate Requirement Levels [RFC2119]. If these words are words for use in RFCs to Indicate Requirement Levels [RFC2119]. If
used without being spelled in uppercase then they are to be these words are used without being spelled in uppercase then they are
interpreted with their normal natural language meanings. to be interpreted with their normal natural language meanings.
BASE64URL(OCTETS) denotes the base64url encoding of OCTETS, per BASE64URL(OCTETS) denotes the base64url encoding of OCTETS, per
Section 2. Section 2.
UTF8(STRING) denotes the octets of the UTF-8 [RFC3629] representation UTF8(STRING) denotes the octets of the UTF-8 [RFC3629] representation
of STRING. of STRING.
ASCII(STRING) denotes the octets of the ASCII [USASCII] ASCII(STRING) denotes the octets of the ASCII [USASCII]
representation of STRING. representation of STRING.
skipping to change at page 6, line 21 skipping to change at page 6, line 21
Authentication Tag", "JWE Protected Header", "Key Management Mode", Authentication Tag", "JWE Protected Header", "Key Management Mode",
"Key Encryption", "Key Wrapping", "Direct Key Agreement", "Key "Key Encryption", "Key Wrapping", "Direct Key Agreement", "Key
Agreement with Key Wrapping", and "Direct Encryption". Agreement with Key Wrapping", and "Direct Encryption".
These terms defined by the JSON Web Key (JWK) [JWK] specification are These terms defined by the JSON Web Key (JWK) [JWK] specification are
incorporated into this specification: "JSON Web Key (JWK)" and "JSON incorporated into this specification: "JSON Web Key (JWK)" and "JSON
Web Key Set (JWK Set)". Web Key Set (JWK Set)".
These terms are defined for use by this specification: These terms are defined for use by this specification:
Header Parameter
A name/value pair that is a member of a JWS Header or JWE Header.
3. Cryptographic Algorithms for Digital Signatures and MACs 3. Cryptographic Algorithms for Digital Signatures and MACs
JWS uses cryptographic algorithms to digitally sign or create a JWS uses cryptographic algorithms to digitally sign or create a
Message Authentication Code (MAC) of the contents of the JWS Header Message Authentication Code (MAC) of the contents of the JWS Header
and the JWS Payload. and the JWS Payload.
3.1. "alg" (Algorithm) Header Parameter Values for JWS 3.1. "alg" (Algorithm) Header Parameter Values for JWS
The table below is the set of "alg" (algorithm) header parameter The table below is the set of "alg" (algorithm) header parameter
skipping to change at page 17, line 15 skipping to change at page 17, line 15
4.6.2. Key Derivation for ECDH Key Agreement 4.6.2. Key Derivation for ECDH Key Agreement
The key derivation process derives the agreed upon key from the The key derivation process derives the agreed upon key from the
shared secret Z established through the ECDH algorithm, per Section shared secret Z established through the ECDH algorithm, per Section
6.2.2.2 of [NIST.800-56A]. 6.2.2.2 of [NIST.800-56A].
Key derivation is performed using the Concat KDF, as defined in Key derivation is performed using the Concat KDF, as defined in
Section 5.8.1 of [NIST.800-56A], where the Digest Method is SHA-256. Section 5.8.1 of [NIST.800-56A], where the Digest Method is SHA-256.
The Concat KDF parameters are set as follows: The Concat KDF parameters are set as follows:
Z
This is set to the representation of the shared secret Z as an
octet sequence.
keydatalen
This is set to the number of bits in the desired output key. For
"ECDH-ES", this is the length of the key used by the "enc" algorithm.
For "ECDH-ES+A128KW", "ECDH-ES+A192KW", and "ECDH-ES+A256KW", this
is 128, 192, and 256, respectively.
AlgorithmID
The AlgorithmID value is of the form Datalen || Data, where Data
is a variable-length string of zero or more octets, and Datalen is
a fixed-length, big endian 32 bit counter that indicates the
length (in octets) of Data. In the Direct Key Agreement case,
Data is set to the octets of the UTF-8 representation of the "enc"
Header Parameter value. In the Key Agreement with Key Wrapping
case, Data is set to the octets of the UTF-8 representation of the
"alg" Header Parameter value.
PartyUInfo
The PartyUInfo value is of the form Datalen || Data, where Data is
a variable-length string of zero or more octets, and Datalen is a
fixed-length, big endian 32 bit counter that indicates the length
(in octets) of Data. If an "apu" (agreement PartyUInfo) Header
Parameter is present, Data is set to the result of base64url
decoding the "apu" value and Datalen is set to the number of
octets in Data. Otherwise, Datalen is set to 0 and Data is set to
the empty octet sequence.
PartyVInfo
The PartyVInfo value is of the form Datalen || Data, where Data is
a variable-length string of zero or more octets, and Datalen is a
fixed-length, big endian 32 bit counter that indicates the length
(in octets) of Data. If an "apv" (agreement PartyVInfo) Header
Parameter is present, Data is set to the result of base64url
decoding the "apv" value and Datalen is set to the number of
octets in Data. Otherwise, Datalen is set to 0 and Data is set to
the empty octet sequence.
SuppPubInfo
This is set to the keydatalen represented as a 32 bit big endian
integer.
SuppPrivInfo
This is set to the empty octet sequence.
Applications need to specify how the "apu" and "apv" parameters are Applications need to specify how the "apu" and "apv" parameters are
used for that application. The "apu" and "apv" values MUST be used for that application. The "apu" and "apv" values MUST be
distinct, when used. Applications wishing to conform to distinct, when used. Applications wishing to conform to
[NIST.800-56A] need to provide values that meet the requirements of [NIST.800-56A] need to provide values that meet the requirements of
that document, e.g., by using values that identify the sender and that document, e.g., by using values that identify the sender and
recipient. Alternatively, applications MAY conduct key derivation in recipient. Alternatively, applications MAY conduct key derivation in
a manner similar to The Diffie-Hellman Key Agreement Method a manner similar to The Diffie-Hellman Key Agreement Method
[RFC2631]: In that case, the "apu" field MAY either be omitted or [RFC2631]: In that case, the "apu" field MAY either be omitted or
represent a random 512-bit value (analogous to PartyAInfo in represent a random 512-bit value (analogous to PartyAInfo in
Ephemeral-Static mode in [RFC2631]) and the "apv" field should not be Ephemeral-Static mode in [RFC2631]) and the "apv" field SHOULD NOT be
present. present.
See Appendix C for an example key agreement computation using this See Appendix C for an example key agreement computation using this
method. method.
4.7. Key Encryption with AES GCM 4.7. Key Encryption with AES GCM
This section defines the specifics of encrypting a JWE Content This section defines the specifics of encrypting a JWE Content
Encryption Key (CEK) with Advanced Encryption Standard (AES) in Encryption Key (CEK) with Advanced Encryption Standard (AES) in
Galois/Counter Mode (GCM) [AES] [NIST.800-38D]. Galois/Counter Mode (GCM) [AES] [NIST.800-38D].
skipping to change at page 51, line 39 skipping to change at page 51, line 39
10.1. Normative References 10.1. Normative References
[AES] National Institute of Standards and Technology (NIST), [AES] National Institute of Standards and Technology (NIST),
"Advanced Encryption Standard (AES)", FIPS PUB 197, "Advanced Encryption Standard (AES)", FIPS PUB 197,
November 2001. November 2001.
[DSS] National Institute of Standards and Technology, "Digital [DSS] National Institute of Standards and Technology, "Digital
Signature Standard (DSS)", FIPS PUB 186-4, July 2013. Signature Standard (DSS)", FIPS PUB 186-4, July 2013.
[I-D.ietf-json-rfc4627bis]
Bray, T., "The JSON Data Interchange Format",
draft-ietf-json-rfc4627bis-10 (work in progress),
December 2013.
[JWE] Jones, M., Rescorla, E., and J. Hildebrand, "JSON Web [JWE] Jones, M., Rescorla, E., and J. Hildebrand, "JSON Web
Encryption (JWE)", draft-ietf-jose-json-web-encryption Encryption (JWE)", draft-ietf-jose-json-web-encryption
(work in progress), February 2014. (work in progress), March 2014.
[JWK] Jones, M., "JSON Web Key (JWK)", [JWK] Jones, M., "JSON Web Key (JWK)",
draft-ietf-jose-json-web-key (work in progress), draft-ietf-jose-json-web-key (work in progress),
February 2014. March 2014.
[JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web
Signature (JWS)", draft-ietf-jose-json-web-signature (work Signature (JWS)", draft-ietf-jose-json-web-signature (work
in progress), February 2014. in progress), March 2014.
[NIST.800-38A] [NIST.800-38A]
National Institute of Standards and Technology (NIST), National Institute of Standards and Technology (NIST),
"Recommendation for Block Cipher Modes of Operation", "Recommendation for Block Cipher Modes of Operation",
NIST PUB 800-38A, December 2001. NIST PUB 800-38A, December 2001.
[NIST.800-38D] [NIST.800-38D]
National Institute of Standards and Technology (NIST), National Institute of Standards and Technology (NIST),
"Recommendation for Block Cipher Modes of Operation: "Recommendation for Block Cipher Modes of Operation:
Galois/Counter Mode (GCM) and GMAC", NIST PUB 800-38D, Galois/Counter Mode (GCM) and GMAC", NIST PUB 800-38D,
skipping to change at page 52, line 49 skipping to change at page 52, line 44
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, November 2003. 10646", STD 63, RFC 3629, November 2003.
[RFC4868] Kelly, S. and S. Frankel, "Using HMAC-SHA-256, HMAC-SHA- [RFC4868] Kelly, S. and S. Frankel, "Using HMAC-SHA-256, HMAC-SHA-
384, and HMAC-SHA-512 with IPsec", RFC 4868, May 2007. 384, and HMAC-SHA-512 with IPsec", RFC 4868, May 2007.
[RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic [RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic
Curve Cryptography Algorithms", RFC 6090, February 2011. Curve Cryptography Algorithms", RFC 6090, February 2011.
[RFC7158] Bray, T., "The JavaScript Object Notation (JSON) Data
Interchange Format", RFC 7158, March 2014.
[SEC1] Standards for Efficient Cryptography Group, "SEC 1: [SEC1] Standards for Efficient Cryptography Group, "SEC 1:
Elliptic Curve Cryptography", May 2009. Elliptic Curve Cryptography", May 2009.
[SHS] National Institute of Standards and Technology, "Secure [SHS] National Institute of Standards and Technology, "Secure
Hash Standard (SHS)", FIPS PUB 180-3, October 2008. Hash Standard (SHS)", FIPS PUB 180-3, October 2008.
[USASCII] American National Standards Institute, "Coded Character [USASCII] American National Standards Institute, "Coded Character
Set -- 7-bit American Standard Code for Information Set -- 7-bit American Standard Code for Information
Interchange", ANSI X3.4, 1986. Interchange", ANSI X3.4, 1986.
skipping to change at page 62, line 19 skipping to change at page 62, line 19
"epk": "epk":
{"kty":"EC", {"kty":"EC",
"crv":"P-256", "crv":"P-256",
"x":"gI0GAILBdu7T53akrFmMyGcsF3n5dO7MmwNBHKW5SV0", "x":"gI0GAILBdu7T53akrFmMyGcsF3n5dO7MmwNBHKW5SV0",
"y":"SLW_xSffzlPWrHEVI30DHM_4egVwt3NQqeUD7nMFpps" "y":"SLW_xSffzlPWrHEVI30DHM_4egVwt3NQqeUD7nMFpps"
} }
} }
The resulting Concat KDF [NIST.800-56A] parameter values are: The resulting Concat KDF [NIST.800-56A] parameter values are:
Z
This is set to the ECDH-ES key agreement output. (This value is
often not directly exposed by libraries, due to NIST security
requirements, and only serves as an input to a KDF.) In this
example, Z is the octet sequence:
[158, 86, 217, 29, 129, 113, 53, 211, 114, 131, 66, 131, 191, 132,
38, 156, 251, 49, 110, 163, 218, 128, 106, 72, 246, 218, 167, 121,
140, 254, 144, 196].
keydatalen
This value is 128 - the number of bits in the desired output key
(because "A128GCM" uses a 128 bit key).
AlgorithmID
This is set to the octets representing the 32 bit big endian value
7 - [0, 0, 0, 7] - the number of octets in the AlgorithmID content
"A128GCM", followed by the octets representing the UTF-8 string
"A128GCM" - [65, 49, 50, 56, 71, 67, 77].
PartyUInfo
This is set to the octets representing the 32 bit big endian value
5 - [0, 0, 0, 5] - the number of octets in the PartyUInfo content
"Alice", followed by the octets representing the UTF-8 string
"Alice" - [65, 108, 105, 99, 101].
PartyVInfo
This is set to the octets representing the 32 bit big endian value
3 - [0, 0, 0, 3] - the number of octets in the PartyVInfo content
"Bob", followed by the octets representing the UTF-8 string "Bob"
- [66, 111, 98].
SuppPubInfo
This is set to the octets representing the 32 bit big endian value
128 - [0, 0, 0, 128] - the keydatalen value.
SuppPrivInfo
This is set to the empty octet sequence.
Concatenating the parameters AlgorithmID through SuppPubInfo results Concatenating the parameters AlgorithmID through SuppPubInfo results
in an OtherInfo value of: in an OtherInfo value of:
[0, 0, 0, 7, 65, 49, 50, 56, 71, 67, 77, 0, 0, 0, 5, 65, 108, 105, [0, 0, 0, 7, 65, 49, 50, 56, 71, 67, 77, 0, 0, 0, 5, 65, 108, 105,
99, 101, 0, 0, 0, 3, 66, 111, 98, 0, 0, 0, 128] 99, 101, 0, 0, 0, 3, 66, 111, 98, 0, 0, 0, 128]
Concatenating the round number 1 ([0, 0, 0, 1]), Z, and the OtherInfo Concatenating the round number 1 ([0, 0, 0, 1]), Z, and the OtherInfo
value results in the Concat KDF round 1 hash input of: value results in the Concat KDF round 1 hash input of:
[0, 0, 0, 1, [0, 0, 0, 1,
158, 86, 217, 29, 129, 113, 53, 211, 114, 131, 66, 131, 191, 132, 38, 158, 86, 217, 29, 129, 113, 53, 211, 114, 131, 66, 131, 191, 132, 38,
156, 251, 49, 110, 163, 218, 128, 106, 72, 246, 218, 167, 121, 140, 156, 251, 49, 110, 163, 218, 128, 106, 72, 246, 218, 167, 121, 140,
254, 144, 196, 254, 144, 196,
0, 0, 0, 7, 65, 49, 50, 56, 71, 67, 77, 0, 0, 0, 5, 65, 108, 105, 99, 0, 0, 0, 7, 65, 49, 50, 56, 71, 67, 77, 0, 0, 0, 5, 65, 108, 105, 99,
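The Concat KDF procedure of Section 4.6.2 and the Appendix C computation above, carried through in Python. This is an added example, not code from the draft or from any JOSE library: the function names are this example's own, the Appendix C JWE header is reconstructed from the values the appendix states ("alg":"ECDH-ES", "enc":"A128GCM", an "apu" that decodes to "Alice" and an "apv" that decodes to "Bob") rather than copied from the page, and the "enc" key-size table is taken from the JWA content encryption sections. It builds OtherInfo exactly as Section 4.6.2 specifies (Datalen || Data for each field, absent "apu"/"apv" giving a zero-length field), runs the SHA-256 rounds, and checks the OtherInfo octets against the values listed above; the derived key it produces, base64url "VqqN6vgjbSBcIijNcacQGg", is the value the published RFC 7518 version of this appendix prints for these inputs.

```python
"""Concat KDF (NIST SP 800-56A Section 5.8.1, SHA-256) as JWA Section 4.6.2
applies it to ECDH-ES.  Added worked example; function names are this
example's own, not the specification's or any JOSE library's."""
import base64
import hashlib
import struct


def b64url_decode(s: str) -> bytes:
    """base64url decoding with the padding omitted, as JWA Section 2 requires."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def length_prefixed(data: bytes) -> bytes:
    """Datalen || Data: a 32-bit big-endian octet count followed by the octets."""
    return struct.pack(">I", len(data)) + data


def keydatalen_for(header: dict) -> int:
    """Bits of derived key: the "enc" key size for ECDH-ES (Direct Key
    Agreement), otherwise the AES Key Wrap key size named in "alg".
    Key sizes for the "enc" values are taken from the JWA content
    encryption sections (assumption stated in the lead-in)."""
    alg = header["alg"]
    if alg == "ECDH-ES":
        enc_key_bits = {"A128GCM": 128, "A192GCM": 192, "A256GCM": 256,
                        "A128CBC-HS256": 256, "A192CBC-HS384": 384,
                        "A256CBC-HS512": 512}
        return enc_key_bits[header["enc"]]
    return {"ECDH-ES+A128KW": 128, "ECDH-ES+A192KW": 192,
            "ECDH-ES+A256KW": 256}[alg]


def concat_kdf_other_info(header: dict, keydatalen: int) -> bytes:
    """AlgorithmID || PartyUInfo || PartyVInfo || SuppPubInfo per JWA 4.6.2.
    SuppPrivInfo is the empty octet sequence, so nothing is appended for it."""
    alg = header["alg"]
    if alg == "ECDH-ES":                       # Direct Key Agreement: Data = "enc"
        algorithm_id_data = header["enc"].encode("utf-8")
    elif alg in ("ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"):
        algorithm_id_data = alg.encode("utf-8")  # Key Agreement with Key Wrapping
    else:
        raise ValueError("not an ECDH-ES algorithm: " + alg)
    # "apu"/"apv" are base64url strings; when absent, Datalen is 0 and Data empty.
    apu = b64url_decode(header["apu"]) if "apu" in header else b""
    apv = b64url_decode(header["apv"]) if "apv" in header else b""
    return (length_prefixed(algorithm_id_data)
            + length_prefixed(apu)
            + length_prefixed(apv)
            + struct.pack(">I", keydatalen))    # SuppPubInfo = keydatalen, 32-bit BE


def concat_kdf(z: bytes, keydatalen: int, other_info: bytes) -> bytes:
    """SHA-256(counter || Z || OtherInfo) for counter = 1, 2, ... until at
    least keydatalen bits exist; the output is truncated to keydatalen bits."""
    out = b""
    counter = 1
    while len(out) * 8 < keydatalen:
        out += hashlib.sha256(struct.pack(">I", counter) + z + other_info).digest()
        counter += 1
    return out[: keydatalen // 8]


def derive_key(z: bytes, header: dict) -> bytes:
    """Derive the CEK (ECDH-ES) or the key-wrapping key (ECDH-ES+AxxxKW)."""
    bits = keydatalen_for(header)
    return concat_kdf(z, bits, concat_kdf_other_info(header, bits))


# Shared secret Z as listed in Appendix C of the draft.
APPENDIX_C_Z = bytes([158, 86, 217, 29, 129, 113, 53, 211, 114, 131, 66, 131,
                      191, 132, 38, 156, 251, 49, 110, 163, 218, 128, 106, 72,
                      246, 218, 167, 121, 140, 254, 144, 196])
# Header reconstructed from the appendix text ("A128GCM", "Alice", "Bob"); the
# "epk" member is not needed once Z is known, so it is omitted here.
APPENDIX_C_HEADER = {"alg": "ECDH-ES", "enc": "A128GCM",
                     "apu": b64url_encode(b"Alice"),   # "QWxpY2U"
                     "apv": b64url_encode(b"Bob")}     # "Qm9i"

if __name__ == "__main__":
    print("OtherInfo:", list(concat_kdf_other_info(APPENDIX_C_HEADER, 128)))
    print("derived key:", b64url_encode(derive_key(APPENDIX_C_Z, APPENDIX_C_HEADER)))
```

Two details matter when implementing this against real inputs: the "apu" and "apv" fields are length-prefixed, so an absent field still contributes four zero octets, and the round counter starts at 1, which is why a 512-bit key for "A256CBC-HS512" requires two SHA-256 rounds while every other listed size fits in one.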
skipping to change at page 64, line 17 skipping to change at page 64, line 27
Hannes Tschofenig, and Sean Turner. Hannes Tschofenig, and Sean Turner.
Jim Schaad and Karen O'Donoghue chaired the JOSE working group and Jim Schaad and Karen O'Donoghue chaired the JOSE working group and
Sean Turner and Stephen Farrell served as Security area directors Sean Turner and Stephen Farrell served as Security area directors
during the creation of this specification. during the creation of this specification.
Appendix E. Document History Appendix E. Document History
[[ to be removed by the RFC Editor before publication as an RFC ]] [[ to be removed by the RFC Editor before publication as an RFC ]]
-22
o Corrected RFC 2119 terminology usage.
o Replaced references to draft-ietf-json-rfc4627bis with RFC 7158.
-21 -21
o Compute the PBES2 salt parameter as (UTF8(Alg) || 0x00 || Salt o Compute the PBES2 salt parameter as (UTF8(Alg) || 0x00 || Salt
Input), where the "p2s" Header Parameter encodes the Salt Input Input), where the "p2s" Header Parameter encodes the Salt Input
value and Alg is the "alg" Header Parameter value. value and Alg is the "alg" Header Parameter value.
o Changed some references from being normative to informative, o Changed some references from being normative to informative,
addressing issue #90. addressing issue #90.
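The -21 change to the PBES2 salt, carried through in Python as an added example (not code from the draft or any JOSE library). The salt fed to PBKDF2 is UTF8(Alg) || 0x00 || Salt Input, with the Salt Input taken from the base64url-encoded "p2s" Header Parameter and the iteration count from "p2c"; the algorithm-to-PRF and key-length table is assumed here from the JWA PBES2 section, which this page shows only in the table of contents, and the function names are this example's own. Because the algorithm name is part of the salt, the same password and the same "p2s" value produce different PBKDF2 output under different "alg" values.

```python
"""PBES2 key derivation with the salt computed as UTF8(Alg) || 0x00 || Salt Input.
Added example; PBES2_ALGS is assumed from the JWA PBES2 section."""
import base64
import hashlib
import os

# "alg" value -> (PBKDF2 PRF hash, length in octets of the derived AES Key Wrap key).
# Assumed from the JWA PBES2 section; not shown on this page.
PBES2_ALGS = {
    "PBES2-HS256+A128KW": ("sha256", 16),
    "PBES2-HS384+A192KW": ("sha384", 24),
    "PBES2-HS512+A256KW": ("sha512", 32),
}


def b64url_decode(s: str) -> bytes:
    """base64url decoding with the padding omitted, as JWA Section 2 requires."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def pbes2_salt(alg: str, p2s: str) -> bytes:
    """UTF8(Alg) || 0x00 || Salt Input, where "p2s" carries the Salt Input.
    The 0x00 separator keeps the algorithm name and the salt input from
    running together, and the prefix ties the PBKDF2 salt to "alg"."""
    if alg not in PBES2_ALGS:
        raise ValueError("not a PBES2 algorithm: " + alg)
    return alg.encode("utf-8") + b"\x00" + b64url_decode(p2s)


def pbes2_derive_key(password: bytes, header: dict) -> bytes:
    """Run PBKDF2 with the PRF and output length that the "alg" value names."""
    alg = header["alg"]
    prf, key_len = PBES2_ALGS[alg]
    iterations = int(header["p2c"])
    if iterations < 1:
        raise ValueError("p2c must be a positive iteration count")
    return hashlib.pbkdf2_hmac(prf, password, pbes2_salt(alg, header["p2s"]),
                               iterations, dklen=key_len)


def new_pbes2_header(alg: str, iterations: int, salt_input_len: int = 16) -> dict:
    """Producer side: a fresh random Salt Input, carried base64url in "p2s"."""
    return {"alg": alg, "p2s": b64url_encode(os.urandom(salt_input_len)),
            "p2c": iterations}


# Constructed sample values: a "p2s" that decodes to the octets of "Bob".
SAMPLE_HEADER = {"alg": "PBES2-HS256+A128KW", "p2s": "Qm9i", "p2c": 4096}

if __name__ == "__main__":
    print("salt:", pbes2_salt(SAMPLE_HEADER["alg"], SAMPLE_HEADER["p2s"]))
    print("key:", pbes2_derive_key(b"correct horse", SAMPLE_HEADER).hex())
```

The recipient recomputes the salt from the received "alg" and "p2s" values, so a header whose "alg" has been changed yields a different wrapping key and the AES Key Wrap unwrap fails rather than silently succeeding with a key derived for another algorithm.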
-20 -20
 End of changes. 34 change blocks. 
81 lines changed or deleted 97 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/