rfcdiff: draft-ietf-jose-json-web-algorithms-30.txt vs. draft-ietf-jose-json-web-algorithms-31.txt
(Unchanged text is shown once. Where the two drafts differ, the -30 line is marked "old (-30):" and the -31 line "new (-31):".)

JOSE Working Group                                    M. Jones
Internet-Draft                                        Microsoft
old (-30): Intended status: Standards Track           July 1, 2014
new (-31): Intended status: Standards Track           July 4, 2014
old (-30): Expires: January 2, 2015
new (-31): Expires: January 5, 2015

JSON Web Algorithms (JWA)
old (-30): draft-ietf-jose-json-web-algorithms-30
new (-31): draft-ietf-jose-json-web-algorithms-31

Abstract

The JSON Web Algorithms (JWA) specification registers cryptographic
algorithms and identifiers to be used with the JSON Web Signature
(JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK)
specifications. It defines several IANA registries for these
identifiers.

Status of this Memo
skipping to change at page 1, line 34

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

old (-30): This Internet-Draft will expire on January 2, 2015.
new (-31): This Internet-Draft will expire on January 5, 2015.

Copyright Notice

Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
skipping to change at page 4, line 12

8.8. Password Considerations . . . . . . . . . . . . . . . . . 50
8.9. Key Entropy . . . . . . . . . . . . . . . . . . . . . . . 51
8.10. Differences between Digital Signatures and MACs . . . . . 51
8.11. Using Matching Algorithm Strengths . . . . . . . . . . . . 51
8.12. Adaptive Chosen-Ciphertext Attacks . . . . . . . . . . . . 51
8.13. Timing Attacks . . . . . . . . . . . . . . . . . . . . . . 51
8.14. RSA Private Key Representations and Blinding . . . . . . . 51
9. Internationalization Considerations . . . . . . . . . . . . . 52
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 52
10.1. Normative References . . . . . . . . . . . . . . . . . . . 52
old (-30): 10.2. Informative References . . . . . . . . . . . . . . . . . . 53
new (-31): 10.2. Informative References . . . . . . . . . . . . . . . . . . 54
Appendix A. Algorithm Identifier Cross-Reference . . . . . . . . 55
old (-30): A.1. Digital Signature/MAC Algorithm Identifier Cross-Reference . . . 55
new (-31): A.1. Digital Signature/MAC Algorithm Identifier Cross-Reference . . . 56
A.2. Key Management Algorithm Identifier Cross-Reference . . . 56
A.3. Content Encryption Algorithm Identifier Cross-Reference . 57
old (-30): Appendix B. Test Cases for AES_CBC_HMAC_SHA2 Algorithms . . . . . 57
new (-31): Appendix B. Test Cases for AES_CBC_HMAC_SHA2 Algorithms . . . . . 58
old (-30): B.1. Test Cases for AES_128_CBC_HMAC_SHA_256 . . . . . . . . . 58
new (-31): B.1. Test Cases for AES_128_CBC_HMAC_SHA_256 . . . . . . . . . 59
old (-30): B.2. Test Cases for AES_192_CBC_HMAC_SHA_384 . . . . . . . . . 59
new (-31): B.2. Test Cases for AES_192_CBC_HMAC_SHA_384 . . . . . . . . . 60
old (-30): B.3. Test Cases for AES_256_CBC_HMAC_SHA_512 . . . . . . . . . 60
new (-31): B.3. Test Cases for AES_256_CBC_HMAC_SHA_512 . . . . . . . . . 61
old (-30): Appendix C. Example ECDH-ES Key Agreement Computation . . . . . . 61
new (-31): Appendix C. Example ECDH-ES Key Agreement Computation . . . . . . 62
old (-30): Appendix D. Acknowledgements . . . . . . . . . . . . . . . . . . 63
new (-31): Appendix D. Acknowledgements . . . . . . . . . . . . . . . . . . 64
old (-30): Appendix E. Document History . . . . . . . . . . . . . . . . . . 64
new (-31): Appendix E. Document History . . . . . . . . . . . . . . . . . . 65
old (-30): Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 73
new (-31): Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 74

1. Introduction

The JSON Web Algorithms (JWA) specification registers cryptographic
algorithms and identifiers to be used with the JSON Web Signature
(JWS) [JWS], JSON Web Encryption (JWE) [JWE], and JSON Web Key (JWK)
[JWK] specifications. It defines several IANA registries for these
identifiers. All these specifications utilize JavaScript Object
Notation (JSON) [RFC7159] based data structures. This specification
also describes the semantics and operations that are specific to
skipping to change at page 48, line 46

Eventually the algorithms and/or key sizes currently described in
this specification will no longer be considered sufficiently secure
and will be deprecated. Therefore, implementers and deployments must
be prepared for this eventuality.

8.2. Key Lifetimes

Many algorithms have associated security considerations related to
key lifetimes and/or the number of times that a key may be used.
Those security considerations continue to apply when using those
old (-30): algorithms with JOSE data structures.
new (-31): algorithms with JOSE data structures. See NIST SP 800-57
new (-31): [NIST.800-57] for specific guidance on key lifetimes.

8.3. RSAES-PKCS1-v1_5 Security Considerations

While Section 8 of RFC 3447 [RFC3447] explicitly calls for people not
to adopt RSASSA-PKCS-v1_5 for new applications and instead requests
that people transition to RSASSA-PSS, this specification does include
RSASSA-PKCS-v1_5, for interoperability reasons, because it commonly
implemented.

Keys used with RSAES-PKCS1-v1_5 must follow the constraints in
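Review bot: The sentence added to 8.2 cites SP 800-57 as a whole; point at Part 1, Section 5.3 (Cryptoperiods), which is where the lifetime guidance the sentence promises actually lives, and make clear that the per-algorithm usage limits (how many messages one key may protect) still come from the individual algorithm specifications, not from 800-57. In the unchanged 8.3 text below the hunk, the heading names the encryption scheme RSAES-PKCS1-v1_5 while the paragraph discusses the signature scheme (written "RSASSA-PKCS-v1_5", which should read "RSASSA-PKCS1-v1_5"); Section 8 of RFC 3447 is its signature-scheme section, so that paragraph belongs under an RSASSA-PKCS1-v1_5 heading, and this section should instead refer the reader to Section 8.12 (Adaptive Chosen-Ciphertext Attacks), the risk that applies to the encryption scheme. "because it commonly implemented" is also missing "is".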
skipping to change at page 53, line 6

"Recommendation for Block Cipher Modes of Operation:
Galois/Counter Mode (GCM) and GMAC", NIST PUB 800-38D,
December 2001.

[NIST.800-56A]
National Institute of Standards and Technology (NIST),
"Recommendation for Pair-Wise Key Establishment Schemes
Using Discrete Logarithm Cryptography", NIST Special
Publication 800-56A, Revision 2, May 2013.

new (-31): [NIST.800-57]
new (-31): National Institute of Standards and Technology (NIST),
new (-31): "Recommendation for Key Management - Part 1: General
new (-31): (Revision 3)", NIST Special Publication 800-57, Part 1,
new (-31): Revision 3, July 2012.

[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
Hashing for Message Authentication", RFC 2104,
February 1997.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography
Specification Version 2.0", RFC 2898, September 2000.
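Review bot: The added [NIST.800-57] entry is correctly identified (Part 1, Revision 3, July 2012), but it is placed among the Normative References while its only citation, in Section 8.2, is a "see ... for guidance" pointer; that is an informative use and the entry belongs in 10.2. Separately, the unchanged [NIST.800-38D] entry just above it dates SP 800-38D as December 2001; that document was published in November 2007, and the date should be corrected while the reference section is being touched.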
skipping to change at page 54, line 11 (-30) / page 54, line 19 (-31)

[I-D.ietf-precis-saslprepbis]
Saint-Andre, P. and A. Melnikov, "Preparation and
Comparison of Internationalized Strings Representing
Usernames and Passwords", draft-ietf-precis-saslprepbis-07
(work in progress), March 2014.

[I-D.mcgrew-aead-aes-cbc-hmac-sha2]
McGrew, D., Foley, J., and K. Paterson, "Authenticated
Encryption with AES-CBC and HMAC-SHA",
old (-30): draft-mcgrew-aead-aes-cbc-hmac-sha2-04 (work in progress),
old (-30): February 2014.
new (-31): draft-mcgrew-aead-aes-cbc-hmac-sha2-05 (work in progress),
new (-31): July 2014.

[I-D.miller-jose-jwe-protected-jwk]
Miller, M., "Using JavaScript Object Notation (JSON) Web
Encryption (JWE) for Protecting JSON Web Key (JWK)
Objects", draft-miller-jose-jwe-protected-jwk-02 (work in
progress), June 2013.

[I-D.rescorla-jsms]
Rescorla, E. and J. Hildebrand, "JavaScript Message
Security Format", draft-rescorla-jsms-00 (work in
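Review bot: Bumping draft-mcgrew-aead-aes-cbc-hmac-sha2 from -04 to -05 changes a dependency that the AES_CBC_HMAC_SHA2 algorithms and the Appendix B test cases (B.1 through B.3) are defined against; confirm that nothing in the construction itself changed between the two revisions, and if anything did, regenerate Appendix B rather than only updating the citation and its date.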
skipping to change at page 64, line 28 (-30) / page 65, line 28 (-31)

and Sean Turner.

Jim Schaad and Karen O'Donoghue chaired the JOSE working group and
Sean Turner, Stephen Farrell, and Kathleen Moriarty served as
Security area directors during the creation of this specification.

Appendix E. Document History

[[ to be removed by the RFC Editor before publication as an RFC ]]

new (-31): -31
new (-31): o Referenced NIST SP 800-57 for guidance on key lifetimes.
new (-31): o Updated the reference to draft-mcgrew-aead-aes-cbc-hmac-sha2.

-30

o Cleaned up the reference syntax in a few places.

o Applied minor wording changes to the Security Considerations
section.

-29

o Replaced the terms JWS Header, JWE Header, and JWT Header with a
End of changes. 10 change blocks; 17 lines changed or deleted, 30 lines changed or added.

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/