Diff of draft-ietf-jose-json-web-algorithms-26.txt (-26) against draft-ietf-jose-json-web-algorithms-27.txt (-27).
Text common to both drafts appears once; where the drafts differ, the lines are prefixed "-26:" and "-27:".

JOSE Working Group                                               M. Jones
Internet-Draft                                                  Microsoft
-26: Intended status: Standards Track                      April 30, 2014
-27: Intended status: Standards Track                        June 10, 2014
-26: Expires: November 1, 2014
-27: Expires: December 12, 2014

                        JSON Web Algorithms (JWA)
-26:              draft-ietf-jose-json-web-algorithms-26
-27:              draft-ietf-jose-json-web-algorithms-27

Abstract

   The JSON Web Algorithms (JWA) specification registers cryptographic
   algorithms and identifiers to be used with the JSON Web Signature
   (JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK)
   specifications.  It defines several IANA registries for these
   identifiers.

Status of this Memo
skipping to change at page 1, line 34

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

-26:   This Internet-Draft will expire on November 1, 2014.
-27:   This Internet-Draft will expire on December 12, 2014.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

skipping to change at page 4, line 4
   8.  Security Considerations . . . . . . . . . . . . . . . . . . . 48
     8.1.  Algorithms and Key Sizes will be Deprecated . . . . . . . 49
     8.2.  Key Lifetimes . . . . . . . . . . . . . . . . . . . . . . 49
     8.3.  RSAES-PKCS1-v1_5 Security Considerations  . . . . . . . . 49
     8.4.  AES GCM Security Considerations . . . . . . . . . . . . . 49
     8.5.  Plaintext JWS Security Considerations . . . . . . . . . . 50
     8.6.  Differences between Digital Signatures and MACs . . . . . 50
     8.7.  Denial of Service Attacks . . . . . . . . . . . . . . . . 51
     8.8.  Reusing Key Material when Encrypting Keys . . . . . . . . 51
     8.9.  Password Considerations . . . . . . . . . . . . . . . . . 51
-27:   8.10. Adaptive Chosen-Ciphertext Attacks  . . . . . . . . . . 52
-27:   8.11. Timing Attacks  . . . . . . . . . . . . . . . . . . . . 52
-27:   8.12. RSA Private Key Representations and Blinding  . . . . . 52
   9.  Internationalization Considerations . . . . . . . . . . . . . 52
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . . 52
     10.1. Normative References  . . . . . . . . . . . . . . . . . . 52
     10.2. Informative References  . . . . . . . . . . . . . . . . . 54
-26: Appendix A.  Algorithm Identifier Cross-Reference . . . . . . . 55
-27: Appendix A.  Algorithm Identifier Cross-Reference . . . . . . . 56
     A.1.  Digital Signature/MAC Algorithm Identifier
           Cross-Reference . . . . . . . . . . . . . . . . . . . . . 56
-26:   A.2.  Key Management Algorithm Identifier Cross-Reference . . 56
-27:   A.2.  Key Management Algorithm Identifier Cross-Reference . . 57
     A.3.  Content Encryption Algorithm Identifier Cross-Reference . 57
   Appendix B.  Test Cases for AES_CBC_HMAC_SHA2 Algorithms  . . . . 58
     B.1.  Test Cases for AES_128_CBC_HMAC_SHA_256 . . . . . . . . . 59
     B.2.  Test Cases for AES_192_CBC_HMAC_SHA_384 . . . . . . . . . 60
     B.3.  Test Cases for AES_256_CBC_HMAC_SHA_512 . . . . . . . . . 61
   Appendix C.  Example ECDH-ES Key Agreement Computation  . . . . . 62
   Appendix D.  Acknowledgements . . . . . . . . . . . . . . . . . . 64
   Appendix E.  Document History . . . . . . . . . . . . . . . . . . 65
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 74

skipping to change at page 25, line 31
       input key K as in Step 1 of Section 5.2.2.1.

   2.  The integrity and authenticity of A and E are checked by
       computing an HMAC with the inputs as in Step 5 of
       Section 5.2.2.1.  The value T, from the previous step, is
       compared to the first MAC_KEY length bits of the HMAC output.  If
       those values are identical, then A and E are considered valid,
       and processing is continued.  Otherwise, all of the data used in
       the MAC validation are discarded, and the AEAD decryption
       operation returns an indication that it failed, and the operation
       halts.
-26:   (But see Section 11 of [JWE] for security considerations on
       thwarting timing attacks.)
-27:   (But see Section 11.2 of [JWE] for security considerations on
       thwarting timing attacks.)

   3.  The value E is decrypted and the PKCS #5 padding is removed.  The
       value IV is used as the initialization vector.  The value ENC_KEY
       is used as the decryption key.

   4.  The plaintext value is returned.
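The decryption steps above, written out for A128CBC_HS256 in Go as an added example (this is not code from the draft or from any JOSE library). K is split into MAC_KEY || ENC_KEY as Section 5.2.2.1 defines, the tag is HMAC-SHA-256 over A || IV || E || AL with AL the bit length of A as a 64-bit big-endian integer, and step 2 uses a constant-time comparison for the timing caveat. Every failure path returns the same opaque error so that a padding problem in step 3 can never be distinguished from a bad tag and become a padding oracle. The key, IV, AAD and plaintext are constructed inline; the draft's own Appendix B vectors are not on this page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// A128CBC-HS256 sizes: a 32-octet K is split into MAC_KEY (first 16
// octets) and ENC_KEY (last 16 octets); T is the first 16 octets of the
// HMAC-SHA-256 output, i.e. "MAC_KEY length bits" in step 2.
const (
	keyLen    = 32
	macKeyLen = 16
	tagLen    = 16
)

// ErrAuth is the only error Decrypt returns: the caller (and an
// attacker) cannot tell a bad tag from bad padding or a bad length.
var ErrAuth = errors.New("aead decryption failed")

// pkcs7Pad / pkcs7Unpad are the PKCS #5/#7 padding of step 3.
func pkcs7Pad(p []byte) []byte {
	n := aes.BlockSize - len(p)%aes.BlockSize
	return append(append([]byte{}, p...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(p []byte) ([]byte, error) {
	if len(p) == 0 || len(p)%aes.BlockSize != 0 {
		return nil, ErrAuth
	}
	n := int(p[len(p)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, ErrAuth
	}
	for _, b := range p[len(p)-n:] {
		if int(b) != n {
			return nil, ErrAuth
		}
	}
	return p[:len(p)-n], nil
}

// authTag computes T = HMAC-SHA-256(MAC_KEY, A || IV || E || AL)[:16],
// AL being the length of A in bits as a 64-bit big-endian integer.
func authTag(macKey, A, IV, E []byte) []byte {
	al := make([]byte, 8)
	binary.BigEndian.PutUint64(al, uint64(len(A))*8)
	m := hmac.New(sha256.New, macKey)
	m.Write(A)
	m.Write(IV)
	m.Write(E)
	m.Write(al)
	return m.Sum(nil)[:tagLen]
}

// Encrypt is the forward direction, needed to produce inputs for
// Decrypt. IV must be 16 fresh random octets for every message.
func Encrypt(K, P, A, IV []byte) (E, T []byte, err error) {
	if len(K) != keyLen || len(IV) != aes.BlockSize {
		return nil, nil, errors.New("bad key or IV length")
	}
	block, err := aes.NewCipher(K[macKeyLen:]) // ENC_KEY
	if err != nil {
		return nil, nil, err
	}
	padded := pkcs7Pad(P)
	E = make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, IV).CryptBlocks(E, padded)
	return E, authTag(K[:macKeyLen], A, IV, E), nil
}

// Decrypt follows steps 2-4: verify T before touching E, then decrypt.
func Decrypt(K, A, IV, E, T []byte) ([]byte, error) {
	if len(K) != keyLen || len(IV) != aes.BlockSize ||
		len(E) == 0 || len(E)%aes.BlockSize != 0 {
		return nil, ErrAuth
	}
	// Step 2: hmac.Equal compares in constant time; the tag length is
	// public (16 octets), so rejecting a wrong-length T leaks nothing.
	if !hmac.Equal(authTag(K[:macKeyLen], A, IV, E), T) {
		return nil, ErrAuth
	}
	// Step 3: only an authenticated E reaches CBC decryption and unpadding.
	block, err := aes.NewCipher(K[macKeyLen:])
	if err != nil {
		return nil, ErrAuth
	}
	padded := make([]byte, len(E))
	cipher.NewCBCDecrypter(block, IV).CryptBlocks(padded, E)
	return pkcs7Unpad(padded) // step 4
}

func main() {
	K, IV := make([]byte, keyLen), make([]byte, aes.BlockSize)
	rand.Read(K)
	rand.Read(IV)
	A := []byte("constructed AAD; in JWE this is the encoded protected header")
	E, T, _ := Encrypt(K, []byte("constructed plaintext"), A, IV)
	P, err := Decrypt(K, A, IV, E, T)
	fmt.Printf("valid:    %q %v\n", P, err)
	E[0] ^= 0x80 // flip one ciphertext bit: the tag check fails first
	P, err = Decrypt(K, A, IV, E, T)
	fmt.Printf("tampered: %q %v\n", P, err)
}
```

The order matters: computing the tag over the ciphertext and checking it before any decryption is what lets CBC with PKCS #5 padding be used safely here; reversing the two steps, or returning a distinct error for bad padding, reintroduces the padding-oracle attacks that AEAD construction is meant to rule out.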
5.2.3.  AES_128_CBC_HMAC_SHA_256

   This algorithm is a concrete instantiation of the generic

skipping to change at page 52, line 12
   used for "PBES2-HS512+A256KW" be no shorter than 32 octets and no
   longer than 128 octets.

   Still, care needs to be taken in where and how password-based
   encryption is used.  These algorithms can still be susceptible to
   dictionary-based attacks if the iteration count is too small; this is
   of particular concern if these algorithms are used to protect data
   against which an attacker can make an indefinite number of attempts
   to circumvent the protection, such as protected data stored on a
   file system.
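A receiver-side guard for the concerns above, as an added example in Go that is not code from the draft or from any JOSE library. It derives the PBES2 key-encryption key with PBKDF2 using the salt JWA specifies, UTF8(alg) || 0x00 || p2s, and the PRF and key length of each algorithm, but refuses to run when "p2c" is below a policy floor or above a denial-of-service ceiling, when "p2s" is shorter than the 8 octets the draft requires, or when the password falls outside the length bounds recommended here. MinIterations and MaxIterations are local policy values chosen for this example (the draft recommends at least 1000 iterations); the 16- and 24-octet lower bounds for the HS256 and HS384 variants are the ones the draft gives alongside the 32 shown above. PBKDF2 is written out rather than imported so the block runs on any Go toolchain, and main checks it against the standard PBKDF2-HMAC-SHA-256("password", "salt", c=1) vector.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/binary"
	"errors"
	"fmt"
	"hash"
)

// pbes2Params: PRF, size of the derived AES key-wrapping key, and the
// RECOMMENDED minimum password length, per PBES2 algorithm identifier.
type pbes2Params struct {
	prf      func() hash.Hash
	keyLen   int
	minPwLen int
}

var pbes2Algs = map[string]pbes2Params{
	"PBES2-HS256+A128KW": {sha256.New, 16, 16},
	"PBES2-HS384+A192KW": {sha512.New384, 24, 24},
	"PBES2-HS512+A256KW": {sha512.New, 32, 32},
}

// Receiver policy (assumed values for this example). The draft
// recommends at least 1000 iterations and a salt input of 8 or more
// octets; the ceiling bounds the work an attacker-chosen "p2c" can
// force on the recipient.
const (
	MaxPasswordLen = 128
	MinSaltLen     = 8
	MinIterations  = 1000
	MaxIterations  = 1 << 20
)

// PBKDF2 (RFC 2898, Section 5.2) with HMAC over h as the PRF.
func PBKDF2(h func() hash.Hash, password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(h, password)
	var dk []byte
	idx := make([]byte, 4)
	for block := uint32(1); len(dk) < dkLen; block++ {
		binary.BigEndian.PutUint32(idx, block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx)
		u := prf.Sum(nil)          // U_1
		t := append([]byte(nil), u...) // T_i = U_1 xor U_2 xor ... xor U_c
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

// DerivePBES2Key validates the header parameters and the password, then
// derives the key-encryption key with salt = UTF8(alg) || 0x00 || p2s.
func DerivePBES2Key(alg string, password, p2s []byte, p2c int) ([]byte, error) {
	p, ok := pbes2Algs[alg]
	if !ok {
		return nil, errors.New("unsupported PBES2 alg")
	}
	if len(password) < p.minPwLen || len(password) > MaxPasswordLen {
		return nil, fmt.Errorf("%s: password must be %d..%d octets", alg, p.minPwLen, MaxPasswordLen)
	}
	if len(p2s) < MinSaltLen {
		return nil, fmt.Errorf("p2s must be at least %d octets", MinSaltLen)
	}
	if p2c < MinIterations || p2c > MaxIterations {
		return nil, fmt.Errorf("p2c %d outside policy range %d..%d", p2c, MinIterations, MaxIterations)
	}
	salt := append(append([]byte(alg), 0x00), p2s...)
	return PBKDF2(p.prf, password, salt, p2c, p.keyLen), nil
}

func main() {
	// Constructed inputs; a real p2s is the base64url-decoded header value.
	pw := []byte("constructed password of more than thirty-two octets")
	p2s := []byte("constructed-salt")
	kek, err := DerivePBES2Key("PBES2-HS512+A256KW", pw, p2s, 4096)
	fmt.Printf("kek=%x err=%v\n", kek, err)
	_, err = DerivePBES2Key("PBES2-HS512+A256KW", pw, p2s, 10)
	fmt.Println("p2c=10:", err)
	fmt.Printf("pbkdf2 check: %x\n", PBKDF2(sha256.New, []byte("password"), []byte("salt"), 1, 32))
}
```

The derived key is what "A256KW" then uses to wrap the content encryption key; the wrap step is unchanged by any of these checks. The floor protects the password against offline guessing on stored data, the ceiling is the Section 8.7 concern in the other direction: "p2c" is attacker-controlled input, so a recipient that honours any value can be made to burn arbitrary CPU per message.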
-27: 8.10.  Adaptive Chosen-Ciphertext Attacks
-27:
-27:    See Section 11.1 of [JWE] for security considerations on adaptive
-27:    chosen-ciphertext attacks.
-27:
-27: 8.11.  Timing Attacks
-27:
-27:    See Section 11.2 of [JWE] for security considerations on timing
-27:    attacks.
-27:
-27: 8.12.  RSA Private Key Representations and Blinding
-27:
-27:    See Section 9.3 of [JWK] for security considerations on RSA private
-27:    key representations and blinding.

9.  Internationalization Considerations

   Passwords obtained from users are likely to require preparation and
   normalization to account for differences of octet sequences generated
   by different input devices, locales, etc.  It is RECOMMENDED that
   applications perform the steps outlined in
   [I-D.ietf-precis-saslprepbis] to prepare a password supplied directly
   by a user before performing key derivation and encryption.

10.  References

skipping to change at page 52, line 34 (-26) / page 52, line 49 (-27)
   [AES]      National Institute of Standards and Technology (NIST),
              "Advanced Encryption Standard (AES)", FIPS PUB 197,
              November 2001.

   [DSS]      National Institute of Standards and Technology, "Digital
              Signature Standard (DSS)", FIPS PUB 186-4, July 2013.

   [JWE]      Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)",
              draft-ietf-jose-json-web-encryption (work in progress),
-26:          April 2014.
-27:          June 2014.

   [JWK]      Jones, M., "JSON Web Key (JWK)",
              draft-ietf-jose-json-web-key (work in progress),
-26:          April 2014.
-27:          June 2014.

   [JWS]      Jones, M., Bradley, J., and N. Sakimura, "JSON Web
              Signature (JWS)", draft-ietf-jose-json-web-signature (work
-26:          in progress), April 2014.
-27:          in progress), June 2014.

   [NIST.800-38A]
              National Institute of Standards and Technology (NIST),
              "Recommendation for Block Cipher Modes of Operation",
              NIST PUB 800-38A, December 2001.

   [NIST.800-38D]
              National Institute of Standards and Technology (NIST),
              "Recommendation for Block Cipher Modes of Operation:
              Galois/Counter Mode (GCM) and GMAC", NIST PUB 800-38D,

skipping to change at page 54, line 33 (-26) / page 54, line 44 (-27)
              Miller, M., "Using JavaScript Object Notation (JSON) Web
              Encryption (JWE) for Protecting JSON Web Key (JWK)
              Objects", draft-miller-jose-jwe-protected-jwk-02 (work in
              progress), June 2013.

   [I-D.rescorla-jsms]
              Rescorla, E. and J. Hildebrand, "JavaScript Message
              Security Format", draft-rescorla-jsms-00 (work in
              progress), March 2011.

-26: [JCA]      Oracle, "Java Cryptography Architecture", 2013.
-27: [JCA]      Oracle, "Java Cryptography Architecture (JCA) Reference
-27:            Guide", 2014.

   [JSE]      Bradley, J. and N. Sakimura (editor), "JSON Simple
              Encryption", September 2010.

   [JSS]      Bradley, J. and N. Sakimura (editor), "JSON Simple Sign",
              September 2010.

   [MagicSignatures]
              Panzer (editor), J., Laurie, B., and D. Balfanz, "Magic
              Signatures", January 2011.

skipping to change at page 57, line 14 (-26) / page 57, line 23 (-27)
   Key Management Algorithm Identifier Cross-Reference table (Appendix
   A.2) as it appears in -27, with the cells that differ in -26 listed
   after it:

   +--------------+-------------------------------------------------+---------------------------------------+-------------------------+
   | JWE          | XML ENC                                         | JCA                                   | OID                     |
   +--------------+-------------------------------------------------+---------------------------------------+-------------------------+
   | RSA1_5       | http://www.w3.org/2001/04/xmlenc#rsa-1_5        | RSA/ECB/PKCS1Padding                  | 1.2.840.113549.1.1.1    |
   | RSA-OAEP     | http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p | RSA/ECB/OAEPWithSHA-1AndMGF1Padding   | 1.2.840.113549.1.1.7    |
   | RSA-OAEP-256 | http://www.w3.org/2009/xmlenc11#rsa-oaep &      | RSA/ECB/OAEPWithSHA-256AndMGF1Padding | 1.2.840.113549.1.1.7    |
   |              | http://www.w3.org/2009/xmlenc11#mgf1sha256      | & MGF1ParameterSpec.SHA256            |                         |
   | ECDH-ES      | http://www.w3.org/2009/xmlenc11#ECDH-ES         | ECDH                                  | 1.3.132.1.12            |
   | A128KW       | http://www.w3.org/2001/04/xmlenc#kw-aes128      | AESWrap                               | 2.16.840.1.101.3.4.1.5  |
   | A192KW       | http://www.w3.org/2001/04/xmlenc#kw-aes192      | AESWrap                               | 2.16.840.1.101.3.4.1.25 |
   | A256KW       | http://www.w3.org/2001/04/xmlenc#kw-aes256      | AESWrap                               | 2.16.840.1.101.3.4.1.45 |
   +--------------+-------------------------------------------------+---------------------------------------+-------------------------+

-26: In the -26 table the RSA-OAEP-256 row listed only
-26: http://www.w3.org/2009/xmlenc11#rsa-oaep under XML ENC and only
-26: RSA/ECB/OAEPWithSHA-256AndMGF1Padding under JCA, and the JCA
-26: column was empty for ECDH-ES, A128KW, A192KW and A256KW.

A.3.  Content Encryption Algorithm Identifier Cross-Reference

   This section contains a table cross-referencing the JWE "enc"
   (encryption algorithm) values defined in this specification with the
   equivalent identifiers used by other standards and software packages.

skipping to change at page 65, line 27
   Nat Sakimura, Jim Schaad, Hannes Tschofenig, and Sean Turner.

   Jim Schaad and Karen O'Donoghue chaired the JOSE working group and
   Sean Turner, Stephen Farrell, and Kathleen Moriarty served as
   Security area directors during the creation of this specification.

Appendix E.  Document History

   [[ to be removed by the RFC Editor before publication as an RFC ]]

-27:   -27
-27:
-27:   o  Described additional security considerations.
-27:
-27:   o  Updated the JCA and XMLENC parameters for "RSA-OAEP-256" and the
-27:      JCA parameters for "A128KW", "A192KW", "A256KW", and "ECDH-ES".

   -26

   o  Added algorithm identifier "RSA-OAEP-256" for RSAES OAEP using
      SHA-256 and MGF1 with SHA-256.

   o  Clarified that the ECDSA signature values R and S are represented
      as octet sequences as defined in Section 2.3.7 of SEC1 [SEC1].

   o  Noted that octet sequences are depicted using JSON array notation.
End of changes: 17 change blocks; 19 lines changed or deleted, 46 lines changed or added.

This html diff was produced by rfcdiff 1.41 (http://tools.ietf.org/tools/rfcdiff/).