draft-ietf-jose-json-web-algorithms-28.txt   draft-ietf-jose-json-web-algorithms-29.txt 
JOSE Working Group M. Jones JOSE Working Group M. Jones
Internet-Draft Microsoft Internet-Draft Microsoft
Intended status: Standards Track June 20, 2014 Intended status: Standards Track June 20, 2014
Expires: December 22, 2014 Expires: December 22, 2014
JSON Web Algorithms (JWA) JSON Web Algorithms (JWA)
draft-ietf-jose-json-web-algorithms-28 draft-ietf-jose-json-web-algorithms-29
Abstract Abstract
The JSON Web Algorithms (JWA) specification registers cryptographic The JSON Web Algorithms (JWA) specification registers cryptographic
algorithms and identifiers to be used with the JSON Web Signature algorithms and identifiers to be used with the JSON Web Signature
(JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK) (JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK)
specifications. It defines several IANA registries for these specifications. It defines several IANA registries for these
identifiers. identifiers.
Status of this Memo Status of this Memo
skipping to change at page 2, line 17 skipping to change at page 2, line 17
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 5 1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 5
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Cryptographic Algorithms for Digital Signatures and MACs . . . 6 3. Cryptographic Algorithms for Digital Signatures and MACs . . . 6
3.1. "alg" (Algorithm) Header Parameter Values for JWS . . . . 6 3.1. "alg" (Algorithm) Header Parameter Values for JWS . . . . 6
3.2. HMAC with SHA-2 Functions . . . . . . . . . . . . . . . . 7 3.2. HMAC with SHA-2 Functions . . . . . . . . . . . . . . . . 7
3.3. Digital Signature with RSASSA-PKCS1-V1_5 . . . . . . . . . 8 3.3. Digital Signature with RSASSA-PKCS1-V1_5 . . . . . . . . . 8
3.4. Digital Signature with ECDSA . . . . . . . . . . . . . . . 9 3.4. Digital Signature with ECDSA . . . . . . . . . . . . . . . 9
3.5. Digital Signature with RSASSA-PSS . . . . . . . . . . . . 10 3.5. Digital Signature with RSASSA-PSS . . . . . . . . . . . . 10
3.6. Using the Algorithm "none" . . . . . . . . . . . . . . . . 11 3.6. Using the Algorithm "none" . . . . . . . . . . . . . . . . 11
4. Cryptographic Algorithms for Key Management . . . . . . . . . 12 4. Cryptographic Algorithms for Key Management . . . . . . . . . 11
4.1. "alg" (Algorithm) Header Parameter Values for JWE . . . . 12 4.1. "alg" (Algorithm) Header Parameter Values for JWE . . . . 12
4.2. Key Encryption with RSAES-PKCS1-V1_5 . . . . . . . . . . . 14 4.2. Key Encryption with RSAES-PKCS1-V1_5 . . . . . . . . . . . 14
4.3. Key Encryption with RSAES OAEP . . . . . . . . . . . . . . 14 4.3. Key Encryption with RSAES OAEP . . . . . . . . . . . . . . 14
4.4. Key Wrapping with AES Key Wrap . . . . . . . . . . . . . . 15 4.4. Key Wrapping with AES Key Wrap . . . . . . . . . . . . . . 14
4.5. Direct Encryption with a Shared Symmetric Key . . . . . . 15 4.5. Direct Encryption with a Shared Symmetric Key . . . . . . 15
4.6. Key Agreement with Elliptic Curve Diffie-Hellman 4.6. Key Agreement with Elliptic Curve Diffie-Hellman
Ephemeral Static (ECDH-ES) . . . . . . . . . . . . . . . . 15 Ephemeral Static (ECDH-ES) . . . . . . . . . . . . . . . . 15
4.6.1. Header Parameters Used for ECDH Key Agreement . . . . 16 4.6.1. Header Parameters Used for ECDH Key Agreement . . . . 16
4.6.1.1. "epk" (Ephemeral Public Key) Header Parameter . . 16 4.6.1.1. "epk" (Ephemeral Public Key) Header Parameter . . 16
4.6.1.2. "apu" (Agreement PartyUInfo) Header Parameter . . 17 4.6.1.2. "apu" (Agreement PartyUInfo) Header Parameter . . 16
4.6.1.3. "apv" (Agreement PartyVInfo) Header Parameter . . 17 4.6.1.3. "apv" (Agreement PartyVInfo) Header Parameter . . 17
4.6.2. Key Derivation for ECDH Key Agreement . . . . . . . . 17 4.6.2. Key Derivation for ECDH Key Agreement . . . . . . . . 17
4.7. Key Encryption with AES GCM . . . . . . . . . . . . . . . 19 4.7. Key Encryption with AES GCM . . . . . . . . . . . . . . . 18
4.7.1. Header Parameters Used for AES GCM Key Encryption . . 19 4.7.1. Header Parameters Used for AES GCM Key Encryption . . 19
4.7.1.1. "iv" (Initialization Vector) Header Parameter . . 19 4.7.1.1. "iv" (Initialization Vector) Header Parameter . . 19
4.7.1.2. "tag" (Authentication Tag) Header Parameter . . . 20 4.7.1.2. "tag" (Authentication Tag) Header Parameter . . . 19
4.8. Key Encryption with PBES2 . . . . . . . . . . . . . . . . 20 4.8. Key Encryption with PBES2 . . . . . . . . . . . . . . . . 19
4.8.1. Header Parameters Used for PBES2 Key Encryption . . . 21 4.8.1. Header Parameters Used for PBES2 Key Encryption . . . 20
4.8.1.1. "p2s" (PBES2 salt input) Parameter . . . . . . . . 21 4.8.1.1. "p2s" (PBES2 salt input) Parameter . . . . . . . . 20
4.8.1.2. "p2c" (PBES2 count) Parameter . . . . . . . . . . 21 4.8.1.2. "p2c" (PBES2 count) Parameter . . . . . . . . . . 21
5. Cryptographic Algorithms for Content Encryption . . . . . . . 21 5. Cryptographic Algorithms for Content Encryption . . . . . . . 21
5.1. "enc" (Encryption Algorithm) Header Parameter Values 5.1. "enc" (Encryption Algorithm) Header Parameter Values
for JWE . . . . . . . . . . . . . . . . . . . . . . . . . 21 for JWE . . . . . . . . . . . . . . . . . . . . . . . . . 21
5.2. AES_CBC_HMAC_SHA2 Algorithms . . . . . . . . . . . . . . . 22 5.2. AES_CBC_HMAC_SHA2 Algorithms . . . . . . . . . . . . . . . 22
5.2.1. Conventions Used in Defining AES_CBC_HMAC_SHA2 . . . . 23 5.2.1. Conventions Used in Defining AES_CBC_HMAC_SHA2 . . . . 22
5.2.2. Generic AES_CBC_HMAC_SHA2 Algorithm . . . . . . . . . 23 5.2.2. Generic AES_CBC_HMAC_SHA2 Algorithm . . . . . . . . . 23
5.2.2.1. AES_CBC_HMAC_SHA2 Encryption . . . . . . . . . . . 23 5.2.2.1. AES_CBC_HMAC_SHA2 Encryption . . . . . . . . . . . 23
5.2.2.2. AES_CBC_HMAC_SHA2 Decryption . . . . . . . . . . . 25 5.2.2.2. AES_CBC_HMAC_SHA2 Decryption . . . . . . . . . . . 24
5.2.3. AES_128_CBC_HMAC_SHA_256 . . . . . . . . . . . . . . . 25 5.2.3. AES_128_CBC_HMAC_SHA_256 . . . . . . . . . . . . . . . 25
5.2.4. AES_192_CBC_HMAC_SHA_384 . . . . . . . . . . . . . . . 26 5.2.4. AES_192_CBC_HMAC_SHA_384 . . . . . . . . . . . . . . . 26
5.2.5. AES_256_CBC_HMAC_SHA_512 . . . . . . . . . . . . . . . 26 5.2.5. AES_256_CBC_HMAC_SHA_512 . . . . . . . . . . . . . . . 26
5.2.6. Content Encryption with AES_CBC_HMAC_SHA2 . . . . . . 27 5.2.6. Content Encryption with AES_CBC_HMAC_SHA2 . . . . . . 26
5.3. Content Encryption with AES GCM . . . . . . . . . . . . . 27 5.3. Content Encryption with AES GCM . . . . . . . . . . . . . 27
6. Cryptographic Algorithms for Keys . . . . . . . . . . . . . . 28 6. Cryptographic Algorithms for Keys . . . . . . . . . . . . . . 27
6.1. "kty" (Key Type) Parameter Values . . . . . . . . . . . . 28 6.1. "kty" (Key Type) Parameter Values . . . . . . . . . . . . 28
6.2. Parameters for Elliptic Curve Keys . . . . . . . . . . . . 28 6.2. Parameters for Elliptic Curve Keys . . . . . . . . . . . . 28
6.2.1. Parameters for Elliptic Curve Public Keys . . . . . . 28 6.2.1. Parameters for Elliptic Curve Public Keys . . . . . . 28
6.2.1.1. "crv" (Curve) Parameter . . . . . . . . . . . . . 29 6.2.1.1. "crv" (Curve) Parameter . . . . . . . . . . . . . 28
6.2.1.2. "x" (X Coordinate) Parameter . . . . . . . . . . . 29 6.2.1.2. "x" (X Coordinate) Parameter . . . . . . . . . . . 29
6.2.1.3. "y" (Y Coordinate) Parameter . . . . . . . . . . . 29 6.2.1.3. "y" (Y Coordinate) Parameter . . . . . . . . . . . 29
6.2.2. Parameters for Elliptic Curve Private Keys . . . . . . 29 6.2.2. Parameters for Elliptic Curve Private Keys . . . . . . 29
6.2.2.1. "d" (ECC Private Key) Parameter . . . . . . . . . 30 6.2.2.1. "d" (ECC Private Key) Parameter . . . . . . . . . 29
6.3. Parameters for RSA Keys . . . . . . . . . . . . . . . . . 30 6.3. Parameters for RSA Keys . . . . . . . . . . . . . . . . . 29
6.3.1. Parameters for RSA Public Keys . . . . . . . . . . . . 30 6.3.1. Parameters for RSA Public Keys . . . . . . . . . . . . 30
6.3.1.1. "n" (Modulus) Parameter . . . . . . . . . . . . . 30 6.3.1.1. "n" (Modulus) Parameter . . . . . . . . . . . . . 30
6.3.1.2. "e" (Exponent) Parameter . . . . . . . . . . . . . 30 6.3.1.2. "e" (Exponent) Parameter . . . . . . . . . . . . . 30
6.3.2. Parameters for RSA Private Keys . . . . . . . . . . . 30 6.3.2. Parameters for RSA Private Keys . . . . . . . . . . . 30
6.3.2.1. "d" (Private Exponent) Parameter . . . . . . . . . 31 6.3.2.1. "d" (Private Exponent) Parameter . . . . . . . . . 30
6.3.2.2. "p" (First Prime Factor) Parameter . . . . . . . . 31 6.3.2.2. "p" (First Prime Factor) Parameter . . . . . . . . 30
6.3.2.3. "q" (Second Prime Factor) Parameter . . . . . . . 31 6.3.2.3. "q" (Second Prime Factor) Parameter . . . . . . . 31
6.3.2.4. "dp" (First Factor CRT Exponent) Parameter . . . . 31 6.3.2.4. "dp" (First Factor CRT Exponent) Parameter . . . . 31
6.3.2.5. "dq" (Second Factor CRT Exponent) Parameter . . . 31 6.3.2.5. "dq" (Second Factor CRT Exponent) Parameter . . . 31
6.3.2.6. "qi" (First CRT Coefficient) Parameter . . . . . . 31 6.3.2.6. "qi" (First CRT Coefficient) Parameter . . . . . . 31
6.3.2.7. "oth" (Other Primes Info) Parameter . . . . . . . 32 6.3.2.7. "oth" (Other Primes Info) Parameter . . . . . . . 31
6.4. Parameters for Symmetric Keys . . . . . . . . . . . . . . 32 6.4. Parameters for Symmetric Keys . . . . . . . . . . . . . . 32
6.4.1. "k" (Key Value) Parameter . . . . . . . . . . . . . . 33 6.4.1. "k" (Key Value) Parameter . . . . . . . . . . . . . . 32
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 33 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 32
7.1. JSON Web Signature and Encryption Algorithms Registry . . 34 7.1. JSON Web Signature and Encryption Algorithms Registry . . 33
7.1.1. Registration Template . . . . . . . . . . . . . . . . 34 7.1.1. Registration Template . . . . . . . . . . . . . . . . 34
7.1.2. Initial Registry Contents . . . . . . . . . . . . . . 35 7.1.2. Initial Registry Contents . . . . . . . . . . . . . . 35
7.2. JWE Header Parameter Names Registration . . . . . . . . . 41 7.2. Header Parameter Names Registration . . . . . . . . . . . 41
7.2.1. Registry Contents . . . . . . . . . . . . . . . . . . 41 7.2.1. Registry Contents . . . . . . . . . . . . . . . . . . 41
7.3. JSON Web Encryption Compression Algorithms Registry . . . 42 7.3. JSON Web Encryption Compression Algorithms Registry . . . 42
7.3.1. Registration Template . . . . . . . . . . . . . . . . 42 7.3.1. Registration Template . . . . . . . . . . . . . . . . 42
7.3.2. Initial Registry Contents . . . . . . . . . . . . . . 43 7.3.2. Initial Registry Contents . . . . . . . . . . . . . . 42
7.4. JSON Web Key Types Registry . . . . . . . . . . . . . . . 43 7.4. JSON Web Key Types Registry . . . . . . . . . . . . . . . 43
7.4.1. Registration Template . . . . . . . . . . . . . . . . 43 7.4.1. Registration Template . . . . . . . . . . . . . . . . 43
7.4.2. Initial Registry Contents . . . . . . . . . . . . . . 44 7.4.2. Initial Registry Contents . . . . . . . . . . . . . . 44
7.5. JSON Web Key Parameters Registration . . . . . . . . . . . 44 7.5. JSON Web Key Parameters Registration . . . . . . . . . . . 44
7.5.1. Registry Contents . . . . . . . . . . . . . . . . . . 44 7.5.1. Registry Contents . . . . . . . . . . . . . . . . . . 44
7.6. JSON Web Key Elliptic Curve Registry . . . . . . . . . . . 47 7.6. JSON Web Key Elliptic Curve Registry . . . . . . . . . . . 46
7.6.1. Registration Template . . . . . . . . . . . . . . . . 47 7.6.1. Registration Template . . . . . . . . . . . . . . . . 47
7.6.2. Initial Registry Contents . . . . . . . . . . . . . . 48 7.6.2. Initial Registry Contents . . . . . . . . . . . . . . 47
8. Security Considerations . . . . . . . . . . . . . . . . . . . 48 8. Security Considerations . . . . . . . . . . . . . . . . . . . 48
8.1. Algorithms and Key Sizes will be Deprecated . . . . . . . 49 8.1. Algorithms and Key Sizes will be Deprecated . . . . . . . 48
8.2. Key Lifetimes . . . . . . . . . . . . . . . . . . . . . . 49 8.2. Key Lifetimes . . . . . . . . . . . . . . . . . . . . . . 48
8.3. RSAES-PKCS1-v1_5 Security Considerations . . . . . . . . . 49 8.3. RSAES-PKCS1-v1_5 Security Considerations . . . . . . . . . 49
8.4. AES GCM Security Considerations . . . . . . . . . . . . . 49 8.4. AES GCM Security Considerations . . . . . . . . . . . . . 49
8.5. Plaintext JWS Security Considerations . . . . . . . . . . 49 8.5. Plaintext JWS Security Considerations . . . . . . . . . . 49
8.6. Denial of Service Attacks . . . . . . . . . . . . . . . . 50 8.6. Denial of Service Attacks . . . . . . . . . . . . . . . . 50
8.7. Reusing Key Material when Encrypting Keys . . . . . . . . 50 8.7. Reusing Key Material when Encrypting Keys . . . . . . . . 50
8.8. Password Considerations . . . . . . . . . . . . . . . . . 51 8.8. Password Considerations . . . . . . . . . . . . . . . . . 50
8.9. Key Entropy . . . . . . . . . . . . . . . . . . . . . . . 51 8.9. Key Entropy . . . . . . . . . . . . . . . . . . . . . . . 51
8.10. Differences between Digital Signatures and MACs . . . . . 51 8.10. Differences between Digital Signatures and MACs . . . . . 51
8.11. Using Matching Algorithm Strengths . . . . . . . . . . . . 51 8.11. Using Matching Algorithm Strengths . . . . . . . . . . . . 51
8.12. Adaptive Chosen-Ciphertext Attacks . . . . . . . . . . . . 51 8.12. Adaptive Chosen-Ciphertext Attacks . . . . . . . . . . . . 51
8.13. Timing Attacks . . . . . . . . . . . . . . . . . . . . . . 52 8.13. Timing Attacks . . . . . . . . . . . . . . . . . . . . . . 51
8.14. RSA Private Key Representations and Blinding . . . . . . . 52 8.14. RSA Private Key Representations and Blinding . . . . . . . 51
9. Internationalization Considerations . . . . . . . . . . . . . 52 9. Internationalization Considerations . . . . . . . . . . . . . 51
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 52 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 52
10.1. Normative References . . . . . . . . . . . . . . . . . . . 52 10.1. Normative References . . . . . . . . . . . . . . . . . . . 52
10.2. Informative References . . . . . . . . . . . . . . . . . . 54 10.2. Informative References . . . . . . . . . . . . . . . . . . 53
Appendix A. Algorithm Identifier Cross-Reference . . . . . . . . 55 Appendix A. Algorithm Identifier Cross-Reference . . . . . . . . 55
A.1. Digital Signature/MAC Algorithm Identifier A.1. Digital Signature/MAC Algorithm Identifier
Cross-Reference . . . . . . . . . . . . . . . . . . . . . 56 Cross-Reference . . . . . . . . . . . . . . . . . . . . . 55
A.2. Key Management Algorithm Identifier Cross-Reference . . . 56 A.2. Key Management Algorithm Identifier Cross-Reference . . . 56
A.3. Content Encryption Algorithm Identifier Cross-Reference . 57 A.3. Content Encryption Algorithm Identifier Cross-Reference . 57
Appendix B. Test Cases for AES_CBC_HMAC_SHA2 Algorithms . . . . . 58 Appendix B. Test Cases for AES_CBC_HMAC_SHA2 Algorithms . . . . . 57
B.1. Test Cases for AES_128_CBC_HMAC_SHA_256 . . . . . . . . . 59 B.1. Test Cases for AES_128_CBC_HMAC_SHA_256 . . . . . . . . . 58
B.2. Test Cases for AES_192_CBC_HMAC_SHA_384 . . . . . . . . . 60 B.2. Test Cases for AES_192_CBC_HMAC_SHA_384 . . . . . . . . . 59
B.3. Test Cases for AES_256_CBC_HMAC_SHA_512 . . . . . . . . . 61 B.3. Test Cases for AES_256_CBC_HMAC_SHA_512 . . . . . . . . . 60
Appendix C. Example ECDH-ES Key Agreement Computation . . . . . . 62 Appendix C. Example ECDH-ES Key Agreement Computation . . . . . . 61
Appendix D. Acknowledgements . . . . . . . . . . . . . . . . . . 64 Appendix D. Acknowledgements . . . . . . . . . . . . . . . . . . 63
Appendix E. Document History . . . . . . . . . . . . . . . . . . 65 Appendix E. Document History . . . . . . . . . . . . . . . . . . 64
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 74 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 73
1. Introduction 1. Introduction
The JSON Web Algorithms (JWA) specification registers cryptographic The JSON Web Algorithms (JWA) specification registers cryptographic
algorithms and identifiers to be used with the JSON Web Signature algorithms and identifiers to be used with the JSON Web Signature
(JWS) [JWS], JSON Web Encryption (JWE) [JWE], and JSON Web Key (JWK) (JWS) [JWS], JSON Web Encryption (JWE) [JWE], and JSON Web Key (JWK)
[JWK] specifications. It defines several IANA registries for these [JWK] specifications. It defines several IANA registries for these
identifiers. All these specifications utilize JavaScript Object identifiers. All these specifications utilize JavaScript Object
Notation (JSON) [RFC7159] based data structures. This specification Notation (JSON) [RFC7159] based data structures. This specification
also describes the semantics and operations that are specific to also describes the semantics and operations that are specific to
skipping to change at page 5, line 50 skipping to change at page 5, line 50
ASCII(STRING) denotes the octets of the ASCII [USASCII] ASCII(STRING) denotes the octets of the ASCII [USASCII]
representation of STRING. representation of STRING.
The concatenation of two values A and B is denoted as A || B. The concatenation of two values A and B is denoted as A || B.
2. Terminology 2. Terminology
These terms defined by the JSON Web Signature (JWS) [JWS] These terms defined by the JSON Web Signature (JWS) [JWS]
specification are incorporated into this specification: "JSON Web specification are incorporated into this specification: "JSON Web
Signature (JWS)", "JWS Header", "JWS Payload", "JWS Signature", "JWS Signature (JWS)", "Base64url Encoding", "Header Parameter", "JOSE
Protected Header", "Base64url Encoding", and "JWS Signing Input". Header", "JWS Payload", "JWS Protected Header", "JWS Signature", "JWS
Signing Input", and "Plaintext JWS".
These terms defined by the JSON Web Encryption (JWE) [JWE] These terms defined by the JSON Web Encryption (JWE) [JWE]
specification are incorporated into this specification: "JSON Web specification are incorporated into this specification: "JSON Web
Encryption (JWE)", "Authenticated Encryption", "Plaintext", Encryption (JWE)", "Additional Authenticated Data (AAD)",
"Ciphertext", "Additional Authenticated Data (AAD)", "Authentication "Authentication Tag", "Ciphertext", "Content Encryption Key (CEK)",
Tag", "Content Encryption Key (CEK)", "JWE Header", "JWE Encrypted "Direct Encryption", "Direct Key Agreement", "JWE Authentication
Key", "JWE Initialization Vector", "JWE Ciphertext", "JWE Tag", "JWE Ciphertext", "JWE Encrypted Key", "JWE Initialization
Authentication Tag", "JWE Protected Header", "Key Management Mode", Vector", "JWE Protected Header", "Key Agreement with Key Wrapping",
"Key Encryption", "Key Wrapping", "Direct Key Agreement", "Key "Key Encryption", "Key Management Mode", "Key Wrapping", and
Agreement with Key Wrapping", and "Direct Encryption". "Plaintext".
These terms defined by the JSON Web Key (JWK) [JWK] specification are These terms defined by the JSON Web Key (JWK) [JWK] specification are
incorporated into this specification: "JSON Web Key (JWK)" and "JSON incorporated into this specification: "JSON Web Key (JWK)" and "JSON
Web Key Set (JWK Set)". Web Key Set (JWK Set)".
These terms are defined for use by this specification:
Header Parameter
A name/value pair that is member of a JWS Header or JWE Header.
3. Cryptographic Algorithms for Digital Signatures and MACs 3. Cryptographic Algorithms for Digital Signatures and MACs
JWS uses cryptographic algorithms to digitally sign or create a JWS uses cryptographic algorithms to digitally sign or create a
Message Authentication Codes (MAC) of the contents of the JWS Header Message Authentication Codes (MAC) of the contents of the JWS
and the JWS Payload. Protected Header and the JWS Payload.
3.1. "alg" (Algorithm) Header Parameter Values for JWS 3.1. "alg" (Algorithm) Header Parameter Values for JWS
The table below is the set of "alg" (algorithm) header parameter The table below is the set of "alg" (algorithm) header parameter
values defined by this specification for use with JWS, each of which values defined by this specification for use with JWS, each of which
is explained in more detail in the following sections: is explained in more detail in the following sections:
+---------------+------------------------------+--------------------+ +---------------+------------------------------+--------------------+
| alg Parameter | Digital Signature or MAC | Implementation | | alg Parameter | Digital Signature or MAC | Implementation |
| Value | Algorithm | Requirements | | Value | Algorithm | Requirements |
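Review bot: the substantive change in this hunk is the last sentence of Section 3, where "JWS Header" becomes "JWS Protected Header" in the description of what is signed or MACed; that narrows the stated scope of integrity protection to the protected header, which is what the JWS Signing Input term imported in Section 2 covers. Since Header Parameters outside the JWS Protected Header are therefore not covered by the signature or MAC, consider saying so in one sentence here so implementers do not take security-relevant parameters (including "alg") from an unprotected header. The rest of the hunk is consistent: the local "Header Parameter" definition is dropped in favour of the term now imported from [JWS], the imported term lists are alphabetised, and "Plaintext JWS" is added to the JWS terms, which matches the capitalisation change in Section 8.5 later in this diff.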
skipping to change at page 21, line 39 skipping to change at page 21, line 26
iteration count, represented as a positive integer. This Header iteration count, represented as a positive integer. This Header
Parameter MUST be present and MUST be understood and processed by Parameter MUST be present and MUST be understood and processed by
implementations when these algorithms are used. implementations when these algorithms are used.
The iteration count adds computational expense, ideally compounded by The iteration count adds computational expense, ideally compounded by
the possible range of keys introduced by the salt. A minimum the possible range of keys introduced by the salt. A minimum
iteration count of 1000 is RECOMMENDED. iteration count of 1000 is RECOMMENDED.
5. Cryptographic Algorithms for Content Encryption 5. Cryptographic Algorithms for Content Encryption
JWE uses cryptographic algorithms to encrypt the Plaintext. JWE uses cryptographic algorithms to encrypt and integrity protect
the Plaintext and to also integrity protect additional authenticated
data.
5.1. "enc" (Encryption Algorithm) Header Parameter Values for JWE 5.1. "enc" (Encryption Algorithm) Header Parameter Values for JWE
The table below is the set of "enc" (encryption algorithm) Header The table below is the set of "enc" (encryption algorithm) Header
Parameter values that are defined by this specification for use with Parameter values that are defined by this specification for use with
JWE. These algorithms are used to encrypt the Plaintext, which JWE.
produces the Ciphertext.
+-------------+------------------------+------------+---------------+ +-------------+------------------------+------------+---------------+
| enc | Content Encryption | Additional | Implementatio | | enc | Content Encryption | Additional | Implementatio |
| Parameter | Algorithm | Header | nRequirements | | Parameter | Algorithm | Header | nRequirements |
| Value | | Parameters | | | Value | | Parameters | |
+-------------+------------------------+------------+---------------+ +-------------+------------------------+------------+---------------+
| A128CBC-HS2 | AES_128_CBC_HMAC_SHA_2 | (none) | Required | | A128CBC-HS2 | AES_128_CBC_HMAC_SHA_2 | (none) | Required |
| 56 | 56 authenticated | | | | 56 | 56 authenticated | | |
| | encryption algorithm, | | | | | encryption algorithm, | | |
| | as defined in | | | | | as defined in | | |
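Review bot: the new Section 5 sentence is awkward ("to also integrity protect additional authenticated data") and uses a lowercase phrase where Section 2 imports the defined term; suggest "JWE uses cryptographic algorithms to encrypt and integrity-protect the Plaintext and to integrity-protect the Additional Authenticated Data." Removing the 5.1 sentence "These algorithms are used to encrypt the Plaintext, which produces the Ciphertext" is fine now that Section 5 carries the description, but nothing in 5.1 then names the Ciphertext as the output; a short clause would keep that link. Separately, the "enc" table header wraps "Implementation Requirements" as "Implementatio" / "nRequirements" in both versions; widening that column by one character would fix the split word.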
skipping to change at page 41, line 18 skipping to change at page 41, line 6
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 5.1 of [[ this document ]] o Specification Document(s): Section 5.1 of [[ this document ]]
o Algorithm Name: "A256GCM" o Algorithm Name: "A256GCM"
o Algorithm Description: AES GCM using 256 bit key o Algorithm Description: AES GCM using 256 bit key
o Algorithm Usage Location(s): "enc" o Algorithm Usage Location(s): "enc"
o JOSE Implementation Requirements: Recommended o JOSE Implementation Requirements: Recommended
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 5.1 of [[ this document ]] o Specification Document(s): Section 5.1 of [[ this document ]]
7.2. JWE Header Parameter Names Registration 7.2. Header Parameter Names Registration
This specification registers the Header Parameter names defined in This specification registers the Header Parameter names defined in
Section 4.6.1, Section 4.7.1, and Section 4.8.1 in the IANA JSON Web Section 4.6.1, Section 4.7.1, and Section 4.8.1 in the IANA JSON Web
Signature and Encryption Header Parameters registry defined in [JWS]. Signature and Encryption Header Parameters registry defined in [JWS].
7.2.1. Registry Contents 7.2.1. Registry Contents
o Header Parameter Name: "epk" o Header Parameter Name: "epk"
o Header Parameter Description: Ephemeral Public Key o Header Parameter Description: Ephemeral Public Key
o Header Parameter Usage Location(s): JWE o Header Parameter Usage Location(s): JWE
skipping to change at page 50, line 6 skipping to change at page 49, line 41
This security consideration does not apply to the composite AES-CBC This security consideration does not apply to the composite AES-CBC
HMAC SHA-2 or AES Key Wrap algorithms. HMAC SHA-2 or AES Key Wrap algorithms.
8.5. Plaintext JWS Security Considerations 8.5. Plaintext JWS Security Considerations
Plaintext JWSs (JWSs that use the "alg" value "none") provide no Plaintext JWSs (JWSs that use the "alg" value "none") provide no
integrity protection. Thus, they must only be used in contexts where integrity protection. Thus, they must only be used in contexts where
the payload is secured by means other than a digital signature or MAC the payload is secured by means other than a digital signature or MAC
value, or need not be secured. value, or need not be secured.
Implementations that support plaintext JWS objects MUST NOT accept Implementations that support Plaintext JWS objects MUST NOT accept
such objects as valid unless the application specifies that it is such objects as valid unless the application specifies that it is
acceptable for a specific object to not be integrity-protected. acceptable for a specific object to not be integrity-protected.
Implementations MUST NOT accept plaintext JWS objects by default. Implementations MUST NOT accept Plaintext JWS objects by default.
For example, the "verify" method of a hypothetical JWS software For example, the "verify" method of a hypothetical JWS software
library might have a Boolean "acceptUnsigned" parameter that library might have a Boolean "acceptUnsigned" parameter that
indicates "none" is an acceptable "alg" value. As another example, indicates "none" is an acceptable "alg" value. As another example,
the "verify" method might take a list of algorithms that are the "verify" method might take a list of algorithms that are
acceptable to the application as a parameter and would reject acceptable to the application as a parameter and would reject
plaintext JWS values if "none" is not in that list. Plaintext JWS values if "none" is not in that list.
In order to mitigate downgrade attacks, applications MUST NOT signal In order to mitigate downgrade attacks, applications MUST NOT signal
acceptance of plaintext JWS objects at a global level, and SHOULD acceptance of Plaintext JWS objects at a global level, and SHOULD
signal acceptance on a per-object basis. For example, suppose an signal acceptance on a per-object basis. For example, suppose an
application accepts JWS objects over two channels, (1) HTTP and (2) application accepts JWS objects over two channels, (1) HTTP and (2)
HTTPS with client authentication. It requires a JWS signature on HTTPS with client authentication. It requires a JWS signature on
objects received over HTTP, but accepts plaintext JWS objects over objects received over HTTP, but accepts Plaintext JWS objects over
HTTPS. If the application were to globally indicate that "none" is HTTPS. If the application were to globally indicate that "none" is
acceptable, then an attacker could provide it with an unsigned object acceptable, then an attacker could provide it with an unsigned object
over HTTP and still have that object successfully validate. Instead, over HTTP and still have that object successfully validate. Instead,
the application needs to indicate acceptance of "none" for each the application needs to indicate acceptance of "none" for each
object received over HTTPS (e.g., by setting "acceptUnsigned" to object received over HTTPS (e.g., by setting "acceptUnsigned" to
"true" for the first hypothetical JWS software library above), but "true" for the first hypothetical JWS software library above), but
not for each object received over HTTP. not for each object received over HTTP.
8.6. Denial of Service Attacks 8.6. Denial of Service Attacks
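Review bot: the capitalisation change to "Plaintext JWS" matches the term now imported from [JWS] in Section 2, but the opening sentence of 8.5 still restates the definition inline ("JWSs that use the "alg" value "none""); cite the JWS definition rather than restating it so the two cannot drift apart. Of the two hypothetical library designs, the per-call list of acceptable algorithms is the one that satisfies the MUST NOT in this section most directly, because the caller supplies the acceptable set for each object and there is no global "none" switch to misconfigure; the text could say that the list form meets the per-object requirement by construction, while the Boolean "acceptUnsigned" form only does so if the application sets it per object as the HTTP/HTTPS example describes.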
skipping to change at page 65, line 27 skipping to change at page 64, line 27
Nat Sakimura, Jim Schaad, Hannes Tschofenig, and Sean Turner. Nat Sakimura, Jim Schaad, Hannes Tschofenig, and Sean Turner.
Jim Schaad and Karen O'Donoghue chaired the JOSE working group and Jim Schaad and Karen O'Donoghue chaired the JOSE working group and
Sean Turner, Stephen Farrell, and Kathleen Moriarty served as Sean Turner, Stephen Farrell, and Kathleen Moriarty served as
Security area directors during the creation of this specification. Security area directors during the creation of this specification.
Appendix E. Document History Appendix E. Document History
[[ to be removed by the RFC Editor before publication as an RFC ]] [[ to be removed by the RFC Editor before publication as an RFC ]]
-29
o Replaced the terms JWS Header, JWE Header, and JWT Header with a
single JOSE Header term defined in the JWS specification. This
also enabled a single Header Parameter definition to be used and
reduced other areas of duplication between specifications.
-28 -28
o Specified the use of PKCS #7 padding with AES CBC, rather than o Specified the use of PKCS #7 padding with AES CBC, rather than
PKCS #5. (PKCS #7 is a superset of PKCS #5, and is appropriate PKCS #5. (PKCS #7 is a superset of PKCS #5, and is appropriate
for the 16 octet blocks used by AES CBC.) for the 16 octet blocks used by AES CBC.)
o Revised the introduction to the Security Considerations section. o Revised the introduction to the Security Considerations section.
Also introduced additional subsection headings for security Also introduced additional subsection headings for security
considerations items and moved a few security consideration items considerations items and moved a few security consideration items
from here to the JWS and JWE drafts. from here to the JWS and JWE drafts.
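Review bot: the -29 history entry covers only the JOSE Header / Header Parameter consolidation, but this diff also changes the Section 3 description of what is signed or MACed (from "JWS Header" to "JWS Protected Header") and rewrites the Section 5 introduction to state that the Plaintext and the additional authenticated data are integrity protected. Both are substantive clarifications of the security scope rather than terminology clean-up, so each should get its own bullet under -29 so that implementers reading the history notice them.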
End of changes. 38 change blocks. 67 lines changed or deleted, 71 lines changed or added.
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/