draft-ietf-jose-json-web-algorithms-34.txt | draft-ietf-jose-json-web-algorithms-35.txt

(Side-by-side diff rendered as one text: a line prefixed [34] or [35] appears only in that draft; an unprefixed line is identical in both. In the table of contents, "a | b" gives the draft-34 and draft-35 page numbers where they differ.)

JOSE Working Group                                                 M. Jones
Internet-Draft                                                    Microsoft
[34] Intended status: Standards Track                      October 14, 2014
[35] Intended status: Standards Track                      October 17, 2014
[34] Expires: April 17, 2015
[35] Expires: April 20, 2015

                          JSON Web Algorithms (JWA)
[34]               draft-ietf-jose-json-web-algorithms-34
[35]               draft-ietf-jose-json-web-algorithms-35

Abstract

The JSON Web Algorithms (JWA) specification registers cryptographic
algorithms and identifiers to be used with the JSON Web Signature
(JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK)
specifications.  It defines several IANA registries for these
identifiers.

Status of this Memo

[skipping to change at page 1, line 34]

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF).  Note that other groups may also distribute
working documents as Internet-Drafts.  The list of current
Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time.  It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

[34] This Internet-Draft will expire on April 17, 2015.
[35] This Internet-Draft will expire on April 20, 2015.

Copyright Notice

Copyright (c) 2014 IETF Trust and the persons identified as the
document authors.  All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document.  Please review these documents

[skipping to change at page 2, line 16]

1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  5
1.1.  Notational Conventions . . . . . . . . . . . . . . . . . .  5
2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .  5
3.  Cryptographic Algorithms for Digital Signatures and MACs . . .  6
3.1.  "alg" (Algorithm) Header Parameter Values for JWS . . . .  6
3.2.  HMAC with SHA-2 Functions . . . . . . . . . . . . . . . .  7
3.3.  Digital Signature with RSASSA-PKCS1-V1_5 . . . . . . . . .  8
3.4.  Digital Signature with ECDSA . . . . . . . . . . . . . . .  9
3.5.  Digital Signature with RSASSA-PSS . . . . . . . . . . . . 11
3.6.  Using the Algorithm "none" . . . . . . . . . . . . . . . . 11 | 12
4.  Cryptographic Algorithms for Key Management . . . . . . . . . 12
4.1.  "alg" (Algorithm) Header Parameter Values for JWE . . . . 12
4.2.  Key Encryption with RSAES-PKCS1-V1_5 . . . . . . . . . . . 14
4.3.  Key Encryption with RSAES OAEP . . . . . . . . . . . . . . 14
4.4.  Key Wrapping with AES Key Wrap . . . . . . . . . . . . . . 15
4.5.  Direct Encryption with a Shared Symmetric Key . . . . . . 15
4.6.  Key Agreement with Elliptic Curve Diffie-Hellman
      Ephemeral Static (ECDH-ES) . . . . . . . . . . . . . . . . 15
4.6.1.  Header Parameters Used for ECDH Key Agreement . . . . 16
4.6.1.1.  "epk" (Ephemeral Public Key) Header Parameter . . 17 | 16
4.6.1.2.  "apu" (Agreement PartyUInfo) Header Parameter . . 17
4.6.1.3.  "apv" (Agreement PartyVInfo) Header Parameter . . 17
4.6.2.  Key Derivation for ECDH Key Agreement . . . . . . . . 17
4.7.  Key Encryption with AES GCM . . . . . . . . . . . . . . . 19
4.7.1.  Header Parameters Used for AES GCM Key Encryption . . 19
4.7.1.1.  "iv" (Initialization Vector) Header Parameter . . 19
4.7.1.2.  "tag" (Authentication Tag) Header Parameter . . . 20
4.8.  Key Encryption with PBES2 . . . . . . . . . . . . . . . . 20
4.8.1.  Header Parameters Used for PBES2 Key Encryption . . . 21
4.8.1.1.  "p2s" (PBES2 salt input) Parameter . . . . . . . . 21
4.8.1.2.  "p2c" (PBES2 count) Parameter . . . . . . . . . . 21
5.  Cryptographic Algorithms for Content Encryption . . . . . . . 21
5.1.  "enc" (Encryption Algorithm) Header Parameter Values
      for JWE . . . . . . . . . . . . . . . . . . . . . . . . . 21
5.2.  AES_CBC_HMAC_SHA2 Algorithms . . . . . . . . . . . . . . . 22
5.2.1.  Conventions Used in Defining AES_CBC_HMAC_SHA2 . . . . 23
5.2.2.  Generic AES_CBC_HMAC_SHA2 Algorithm . . . . . . . . . 23
5.2.2.1.  AES_CBC_HMAC_SHA2 Encryption . . . . . . . . . . . 23
5.2.2.2.  AES_CBC_HMAC_SHA2 Decryption . . . . . . . . . . . 25 | 24
5.2.3.  AES_128_CBC_HMAC_SHA_256 . . . . . . . . . . . . . . . 25
5.2.4.  AES_192_CBC_HMAC_SHA_384 . . . . . . . . . . . . . . . 26
5.2.5.  AES_256_CBC_HMAC_SHA_512 . . . . . . . . . . . . . . . 26
5.2.6.  Content Encryption with AES_CBC_HMAC_SHA2 . . . . . . 26
5.3.  Content Encryption with AES GCM . . . . . . . . . . . . . 27
6.  Cryptographic Algorithms for Keys . . . . . . . . . . . . . . 28 | 27
6.1.  "kty" (Key Type) Parameter Values . . . . . . . . . . . . 28
6.2.  Parameters for Elliptic Curve Keys . . . . . . . . . . . . 28
6.2.1.  Parameters for Elliptic Curve Public Keys . . . . . . 28
6.2.1.1.  "crv" (Curve) Parameter . . . . . . . . . . . . . 29 | 28
6.2.1.2.  "x" (X Coordinate) Parameter . . . . . . . . . . . 29
6.2.1.3.  "y" (Y Coordinate) Parameter . . . . . . . . . . . 29
6.2.2.  Parameters for Elliptic Curve Private Keys . . . . . . 29
6.2.2.1.  "d" (ECC Private Key) Parameter . . . . . . . . . 29
6.3.  Parameters for RSA Keys . . . . . . . . . . . . . . . . . 30
6.3.1.  Parameters for RSA Public Keys . . . . . . . . . . . . 30
6.3.1.1.  "n" (Modulus) Parameter . . . . . . . . . . . . . 30
6.3.1.2.  "e" (Exponent) Parameter . . . . . . . . . . . . . 30
6.3.2.  Parameters for RSA Private Keys . . . . . . . . . . . 30
6.3.2.1.  "d" (Private Exponent) Parameter . . . . . . . . . 31 | 30
6.3.2.2.  "p" (First Prime Factor) Parameter . . . . . . . . 31
6.3.2.3.  "q" (Second Prime Factor) Parameter . . . . . . . 31
6.3.2.4.  "dp" (First Factor CRT Exponent) Parameter . . . . 31
6.3.2.5.  "dq" (Second Factor CRT Exponent) Parameter . . . 31
6.3.2.6.  "qi" (First CRT Coefficient) Parameter . . . . . . 31
6.3.2.7.  "oth" (Other Primes Info) Parameter . . . . . . . 32 | 31
6.4.  Parameters for Symmetric Keys . . . . . . . . . . . . . . 32
6.4.1.  "k" (Key Value) Parameter . . . . . . . . . . . . . . 33 | 32
7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . 33 | 32
7.1.  JSON Web Signature and Encryption Algorithms Registry . . 34 | 33
7.1.1.  Registration Template . . . . . . . . . . . . . . . . 35 | 34
7.1.2.  Initial Registry Contents . . . . . . . . . . . . . . 36 | 35
7.2.  Header Parameter Names Registration . . . . . . . . . . . 41
7.2.1.  Registry Contents . . . . . . . . . . . . . . . . . . 42 | 41
7.3.  JSON Web Encryption Compression Algorithms Registry . . . 42
7.3.1.  Registration Template . . . . . . . . . . . . . . . . 43 | 42
7.3.2.  Initial Registry Contents . . . . . . . . . . . . . . 43
7.4.  JSON Web Key Types Registry . . . . . . . . . . . . . . . 43
7.4.1.  Registration Template . . . . . . . . . . . . . . . . 44 | 43
7.4.2.  Initial Registry Contents . . . . . . . . . . . . . . 44
7.5.  JSON Web Key Parameters Registration . . . . . . . . . . . 45 | 44
7.5.1.  Registry Contents . . . . . . . . . . . . . . . . . . 45 | 44
7.6.  JSON Web Key Elliptic Curve Registry . . . . . . . . . . . 47
7.6.1.  Registration Template . . . . . . . . . . . . . . . . 48 | 47
7.6.2.  Initial Registry Contents . . . . . . . . . . . . . . 48
8.  Security Considerations . . . . . . . . . . . . . . . . . . . 49 | 48
8.1.  Cryptographic Agility . . . . . . . . . . . . . . . . . . 49 | 48
8.2.  Key Lifetimes . . . . . . . . . . . . . . . . . . . . . . 49
8.3.  RSAES-PKCS1-v1_5 Security Considerations . . . . . . . . . 49
8.4.  AES GCM Security Considerations . . . . . . . . . . . . . 50 | 49
8.5.  Unsecured JWS Security Considerations . . . . . . . . . . 50 | 49
8.6.  Denial of Service Attacks . . . . . . . . . . . . . . . . 51 | 50
8.7.  Reusing Key Material when Encrypting Keys . . . . . . . . 51 | 50
8.8.  Password Considerations . . . . . . . . . . . . . . . . . 51
8.9.  Key Entropy and Random Values . . . . . . . . . . . . . . 52 | 51
8.10.  Differences between Digital Signatures and MACs . . . . . 52 | 51
8.11.  Using Matching Algorithm Strengths . . . . . . . . . . . . 52 | 51
8.12.  Adaptive Chosen-Ciphertext Attacks . . . . . . . . . . . . 52
8.13.  Timing Attacks . . . . . . . . . . . . . . . . . . . . . . 52
8.14.  RSA Private Key Representations and Blinding . . . . . . . 52
9.  Internationalization Considerations . . . . . . . . . . . . . 52
10.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 53 | 52
10.1.  Normative References . . . . . . . . . . . . . . . . . . . 53 | 52
10.2.  Informative References . . . . . . . . . . . . . . . . . . 55 | 54
Appendix A.  Algorithm Identifier Cross-Reference . . . . . . . . 56
A.1.  Digital Signature/MAC Algorithm Identifier
      Cross-Reference . . . . . . . . . . . . . . . . . . . . . 57 | 56
A.2.  Key Management Algorithm Identifier Cross-Reference . . . 57
A.3.  Content Encryption Algorithm Identifier Cross-Reference . 58
Appendix B.  Test Cases for AES_CBC_HMAC_SHA2 Algorithms . . . . . 59
B.1.  Test Cases for AES_128_CBC_HMAC_SHA_256 . . . . . . . . . 60
B.2.  Test Cases for AES_192_CBC_HMAC_SHA_384 . . . . . . . . . 61
B.3.  Test Cases for AES_256_CBC_HMAC_SHA_512 . . . . . . . . . 62
Appendix C.  Example ECDH-ES Key Agreement Computation . . . . . . 63
Appendix D.  Acknowledgements . . . . . . . . . . . . . . . . . . 65
Appendix E.  Document History . . . . . . . . . . . . . . . . . . 66
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 76

[skipping to change at page 5, line 41]

words for use in RFCs to Indicate Requirement Levels [RFC2119].  If
these words are used without being spelled in uppercase then they are
to be interpreted with their normal natural language meanings.

BASE64URL(OCTETS) denotes the base64url encoding of OCTETS, per
Section 2 of [JWS].

UTF8(STRING) denotes the octets of the UTF-8 [RFC3629] representation
of STRING.

[34] ASCII(STRING) denotes the octets of the ASCII [USASCII]
[34] representation of STRING.
[35] ASCII(STRING) denotes the octets of the ASCII [RFC20] representation
[35] of STRING.

The concatenation of two values A and B is denoted as A || B.

2.  Terminology

These terms defined by the JSON Web Signature (JWS) [JWS]
specification are incorporated into this specification: "JSON Web
Signature (JWS)", "Base64url Encoding", "Header Parameter", "JOSE
Header", "JWS Payload", "JWS Protected Header", "JWS Signature", "JWS
Signing Input", and "Unsecured JWS".

[skipping to change at page 6, line 20]

Encryption", "Direct Key Agreement", "JWE Authentication Tag", "JWE
Ciphertext", "JWE Encrypted Key", "JWE Initialization Vector", "JWE
Protected Header", "Key Agreement with Key Wrapping", "Key
Encryption", "Key Management Mode", and "Key Wrapping".

These terms defined by the JSON Web Key (JWK) [JWK] specification are
incorporated into this specification: "JSON Web Key (JWK)" and "JSON
Web Key Set (JWK Set)".

These terms defined by the Internet Security Glossary, Version 2
[34] [RFC4949] are incorporated into this specification: "Ciphertext" and
[34] "Plaintext".
[35] [RFC4949] are incorporated into this specification: "Ciphertext",
[35] "Digital Signature", "Message Authentication Code (MAC)", and
[35] "Plaintext".

[35] This term is defined by this specification:

[35] Base64urlUInt
[35]    The representation of a positive or zero integer value as the
[35]    base64url encoding of the value's unsigned big endian
[35]    representation as an octet sequence.  The octet sequence MUST
[35]    utilize the minimum number of octets needed to represent the
[35]    value.  Zero is represented as BASE64URL(single zero-valued
[35]    octet), which is "AA".
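The Base64urlUInt definition added in draft-35 is easy to get subtly wrong on the decoding side: a decoder that silently accepts a leading zero octet gives one integer several encodings, which matters for any value (a key parameter, say) that is compared or hashed by its encoded form. The following is an added example, written for this page and not code from the draft or the JOSE working group, that implements both directions in Python standard-library calls and enforces the minimum-octet rule on input as well as output. The function names are my own; the "AA" and "AQAB" values come from the text and from the usual RSA public exponent 65537.

```python
import base64


def base64url_encode(octets: bytes) -> str:
    """BASE64URL(OCTETS): base64 with the URL-safe alphabet and no '=' padding."""
    return base64.urlsafe_b64encode(octets).rstrip(b"=").decode("ascii")


def base64url_decode(text: str) -> bytes:
    """Inverse of base64url_encode; the '=' padding that JWS omits is rejected."""
    if "=" in text:
        raise ValueError("base64url value must not carry padding")
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def base64urluint_encode(value: int) -> str:
    """Base64urlUInt: unsigned big-endian octets, as few as possible (zero -> "AA")."""
    if value < 0:
        raise ValueError("Base64urlUInt represents zero or positive integers only")
    length = max(1, (value.bit_length() + 7) // 8)  # zero still needs one octet
    return base64url_encode(value.to_bytes(length, "big"))


def base64urluint_decode(text: str) -> int:
    """Parse a Base64urlUInt value, rejecting encodings that violate the MUST."""
    octets = base64url_decode(text)
    if not octets:
        raise ValueError("Base64urlUInt needs at least one octet")
    if len(octets) > 1 and octets[0] == 0:
        # A leading zero octet means the sender did not use the minimum number
        # of octets; accepting it would give one integer several encodings.
        raise ValueError("non-minimal Base64urlUInt encoding")
    return int.from_bytes(octets, "big")
```

Round-tripping an arbitrary integer through encode and decode returns the original, and a value such as "AAEAAQ" (65537 with a spurious leading zero octet) is refused rather than quietly normalised.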

3.  Cryptographic Algorithms for Digital Signatures and MACs

JWS uses cryptographic algorithms to digitally sign or create a
Message Authentication Code (MAC) of the contents of the JWS
Protected Header and the JWS Payload.

3.1.  "alg" (Algorithm) Header Parameter Values for JWS

The table below is the set of "alg" (algorithm) header parameter
values defined by this specification for use with JWS, each of which
is explained in more detail in the following sections:

[34] (Same rows; draft-34 heads the first column "alg Parameter Value" and wraps the longer algorithm names over two rows.)
[35] (Layout as shown:)

+--------------+------------------------------------+----------------+
| alg Param    | Digital Signature or MAC           | Implementation |
| Value        | Algorithm                          | Requirements   |
+--------------+------------------------------------+----------------+
| HS256        | HMAC using SHA-256                 | Required       |
| HS384        | HMAC using SHA-384                 | Optional       |
| HS512        | HMAC using SHA-512                 | Optional       |
| RS256        | RSASSA-PKCS-v1_5 using SHA-256     | Recommended    |
| RS384        | RSASSA-PKCS-v1_5 using SHA-384     | Optional       |
| RS512        | RSASSA-PKCS-v1_5 using SHA-512     | Optional       |
| ES256        | ECDSA using P-256 and SHA-256      | Recommended+   |
| ES384        | ECDSA using P-384 and SHA-384      | Optional       |
| ES512        | ECDSA using P-521 and SHA-512      | Optional       |
| PS256        | RSASSA-PSS using SHA-256 and MGF1  | Optional       |
|              | with SHA-256                       |                |
| PS384        | RSASSA-PSS using SHA-384 and MGF1  | Optional       |
|              | with SHA-384                       |                |
| PS512        | RSASSA-PSS using SHA-512 and MGF1  | Optional       |
|              | with SHA-512                       |                |
| none         | No digital signature or MAC        | Optional       |
|              | performed                          |                |
+--------------+------------------------------------+----------------+

The use of "+" in the Implementation Requirements indicates that the
requirement strength is likely to be increased in a future version of
the specification.

See Appendix A.1 for a table cross-referencing the JWS digital
signature and MAC "alg" (algorithm) values defined in this
specification with the equivalent identifiers used by other standards
and software packages.

[34] skipping to change at page 7, line 42
[35] skipping to change at page 8, line 4

whoever generated the MAC was in possession of the MAC key.  The
algorithm for implementing and validating HMACs is provided in RFC
2104 [RFC2104].

A key of the same size as the hash output (for instance, 256 bits for
"HS256") or larger MUST be used with this algorithm.  (This
requirement is based on Section 5.3.4 (Security Effect of the HMAC
Key) of NIST SP 800-117 [NIST.800-107], which states that the
effective security strength is the minimum of the security strength
of the key and two times the size of the internal hash value.)

The HMAC SHA-256 MAC is generated per RFC 2104, using SHA-256 as the
hash algorithm "H", using the JWS Signing Input as the "text" value,
and using the shared key.  The HMAC output value is the JWS
Signature.

The following "alg" (algorithm) Header Parameter values are used to
indicate that the JWS Signature is an HMAC value computed using the
corresponding algorithm:

[34] (Same rows; draft-34 heads the first column "alg Parameter Value".)

+-----------------+--------------------+
| alg Param Value | MAC Algorithm      |
+-----------------+--------------------+
| HS256           | HMAC using SHA-256 |
| HS384           | HMAC using SHA-384 |
| HS512           | HMAC using SHA-512 |
+-----------------+--------------------+

The HMAC SHA-256 MAC for a JWS is validated by computing an HMAC
value per RFC 2104, using SHA-256 as the hash algorithm "H", using
the received JWS Signing Input as the "text" value, and using the
shared key.  This computed HMAC value is then compared to the result
of base64url decoding the received encoded JWS Signature value.  The
comparison of the computed HMAC value to the JWS Signature value MUST
be done in a constant-time manner to thwart timing attacks.

Alternatively, the computed HMAC value can be base64url encoded and
compared to the received encoded JWS Signature value (also in a
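The generation and validation procedures above, as an added example written for this page rather than code from the draft: a Python implementation of HS256/HS384/HS512 over the standard library's hmac module that builds the JWS Signing Input from a protected header and payload, enforces the key-size MUST (key at least as long as the hash output), and validates with hmac.compare_digest, which is the constant-time comparison the text requires. The verifier here takes the algorithm it is willing to accept as a parameter and checks the received header against it, instead of letting the header pick the hash; that is a design choice of this example, not something the draft text spells out. Function names and the test key are my own.

```python
import base64
import hashlib
import hmac
import json

# Hash function per "alg" value, from the HMAC table in Section 3.2.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url(octets: bytes) -> str:
    return base64.urlsafe_b64encode(octets).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def signing_input(protected_header: dict, payload: bytes) -> bytes:
    """JWS Signing Input = ASCII(BASE64URL(UTF8(header)) || '.' || BASE64URL(payload))."""
    header_octets = json.dumps(protected_header, separators=(",", ":")).encode("utf-8")
    return (b64url(header_octets) + "." + b64url(payload)).encode("ascii")


def check_key_size(alg: str, key: bytes) -> None:
    """Section 3.2: the key MUST be at least as long as the hash output."""
    digest_size = HMAC_ALGS[alg]().digest_size
    if len(key) < digest_size:
        raise ValueError(f"{alg} needs a key of at least {digest_size} octets, got {len(key)}")


def hs_sign(alg: str, key: bytes, protected_header: dict, payload: bytes) -> str:
    """Compact-serialization JWS whose third segment is the HMAC of the Signing Input."""
    if protected_header.get("alg") != alg:
        raise ValueError("protected header must name the algorithm actually used")
    check_key_size(alg, key)
    text = signing_input(protected_header, payload)
    mac = hmac.new(key, text, HMAC_ALGS[alg]).digest()  # the HMAC output is the JWS Signature
    return text.decode("ascii") + "." + b64url(mac)


def hs_verify(compact_jws: str, key: bytes, expected_alg: str):
    """Return the payload if the MAC validates under expected_alg, else None."""
    parts = compact_jws.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        received_mac = b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    # The verifier, not the received header, decides which algorithm is acceptable.
    if not isinstance(header, dict) or header.get("alg") != expected_alg:
        return None
    check_key_size(expected_alg, key)
    received_text = (header_b64 + "." + payload_b64).encode("ascii")
    expected_mac = hmac.new(key, received_text, HMAC_ALGS[expected_alg]).digest()
    # Constant-time comparison of the computed MAC with the decoded JWS Signature.
    if not hmac.compare_digest(expected_mac, received_mac):
        return None
    return b64url_decode(payload_b64)
```

hmac.compare_digest returns False, without raising, when the two byte strings differ in length, so a truncated signature segment fails the same way a wrong one does.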

[34] skipping to change at page 9, line 5
[35] skipping to change at page 9, line 11

The RSASSA-PKCS1-V1_5 SHA-256 digital signature is generated as
follows: Generate a digital signature of the JWS Signing Input using
RSASSA-PKCS1-V1_5-SIGN and the SHA-256 hash function with the desired
private key.  This is the JWS Signature value.

The following "alg" (algorithm) Header Parameter values are used to
indicate that the JWS Signature is a digital signature value computed
using the corresponding algorithm:

[34] (Same rows; draft-34 heads the first column "alg Parameter Value".)

+-----------------+--------------------------------+
| alg Param Value | Digital Signature Algorithm    |
+-----------------+--------------------------------+
| RS256           | RSASSA-PKCS-v1_5 using SHA-256 |
| RS384           | RSASSA-PKCS-v1_5 using SHA-384 |
| RS512           | RSASSA-PKCS-v1_5 using SHA-512 |
+-----------------+--------------------------------+

The RSASSA-PKCS1-V1_5 SHA-256 digital signature for a JWS is
validated as follows: Submit the JWS Signing Input, the JWS
Signature, and the public key corresponding to the private key used
by the signer to the RSASSA-PKCS1-V1_5-VERIFY algorithm using SHA-256
as the hash function.

Signing and validation with the RSASSA-PKCS1-V1_5 SHA-384 and
RSASSA-PKCS1-V1_5 SHA-512 algorithms is performed identically to the
procedure for RSASSA-PKCS1-V1_5 SHA-256 -- just using the

skipping to change at page 10, line 15 | skipping to change at page 10, line 20 | |||

3. Concatenate the two octet sequences in the order R and then S. | 3. Concatenate the two octet sequences in the order R and then S. | |||

(Note that many ECDSA implementations will directly produce this | (Note that many ECDSA implementations will directly produce this | |||

concatenation as their output.) | concatenation as their output.) | |||

4. The resulting 64 octet sequence is the JWS Signature value. | 4. The resulting 64 octet sequence is the JWS Signature value. | |||

The following "alg" (algorithm) Header Parameter values are used to | The following "alg" (algorithm) Header Parameter values are used to | |||

indicate that the JWS Signature is a digital signature value computed | indicate that the JWS Signature is a digital signature value computed | |||

using the corresponding algorithm: | using the corresponding algorithm: | |||

+---------------------+-------------------------------+ | +-----------------+-------------------------------+ | |||

| alg Parameter Value | Digital Signature Algorithm | | | alg Param Value | Digital Signature Algorithm | | |||

+---------------------+-------------------------------+ | +-----------------+-------------------------------+ | |||

| ES256 | ECDSA using P-256 and SHA-256 | | | ES256 | ECDSA using P-256 and SHA-256 | | |||

| ES384 | ECDSA using P-384 and SHA-384 | | | ES384 | ECDSA using P-384 and SHA-384 | | |||

| ES512 | ECDSA using P-521 and SHA-512 | | | ES512 | ECDSA using P-521 and SHA-512 | | |||

+---------------------+-------------------------------+ | +-----------------+-------------------------------+ | |||

The ECDSA P-256 SHA-256 digital signature for a JWS is validated as | The ECDSA P-256 SHA-256 digital signature for a JWS is validated as | |||

follows: | follows: | |||

1. The JWS Signature value MUST be a 64 octet sequence. If it is | 1. The JWS Signature value MUST be a 64 octet sequence. If it is | |||

not a 64 octet sequence, the validation has failed. | not a 64 octet sequence, the validation has failed. | |||

2. Split the 64 octet sequence into two 32 octet sequences. The | 2. Split the 64 octet sequence into two 32 octet sequences. The | |||

first octet sequence represents R and the second S. The values R | first octet sequence represents R and the second S. The values R | |||

and S are represented as octet sequences using the Integer-to- | and S are represented as octet sequences using the Integer-to- | |||

skipping to change at page 11, line 27 | skipping to change at page 11, line 31 | |||
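The ES256 signature format described above (I2OSP of R and S into 32 octets each, concatenated to exactly 64 octets; validation rejects any other length and splits the halves back into R and S), as an added Python example that is not part of the draft. It goes one step beyond the text by also converting to and from the DER ECDSA-Sig-Value encoding that implementations which do not "directly produce this concatenation" typically emit; the P-256 group order is the FIPS 186-4 value, the range check on R and S is the one ECDSA verification itself requires, and the function names are this example's own:

```python
# P-256 group order n (FIPS 186-4); R and S of a valid ECDSA signature lie in [1, n-1].
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
HALF_LEN = 32  # octets per integer for ES256 (ES384 and ES512 use 48 and 66)


def es256_encode_signature(r: int, s: int) -> bytes:
    """Generation steps: I2OSP(R, 32) || I2OSP(S, 32) gives the 64-octet JWS Signature."""
    for name, value in (("R", r), ("S", s)):
        if not 1 <= value < P256_N:
            raise ValueError(f"{name} out of range for P-256")
    return r.to_bytes(HALF_LEN, "big") + s.to_bytes(HALF_LEN, "big")


def es256_decode_signature(sig: bytes):
    """Validation steps 1-2: enforce 64 octets, split, OS2IP each half.

    Returns (R, S); raises ValueError when the validation has failed."""
    if len(sig) != 2 * HALF_LEN:
        raise ValueError("ES256 JWS Signature MUST be a 64 octet sequence")
    r = int.from_bytes(sig[:HALF_LEN], "big")
    s = int.from_bytes(sig[HALF_LEN:], "big")
    if not (1 <= r < P256_N and 1 <= s < P256_N):
        raise ValueError("R or S out of range for P-256")
    return r, s


def _der_int(value: int) -> bytes:
    # Positive DER INTEGER: the extra 8 bits force a leading 0x00 when the top bit is set.
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + bytes([len(body)]) + body


def jws_to_der(sig: bytes) -> bytes:
    """JWS R||S -> DER ECDSA-Sig-Value (SEQUENCE { INTEGER r, INTEGER s })."""
    r, s = es256_decode_signature(sig)
    body = _der_int(r) + _der_int(s)  # at most 70 octets, so short-form lengths suffice
    return b"\x30" + bytes([len(body)]) + body


def der_to_jws(der: bytes) -> bytes:
    """DER ECDSA-Sig-Value -> JWS R||S, rejecting malformed or negative integers."""
    if len(der) < 8 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("malformed ECDSA-Sig-Value")
    ints, pos = [], 2
    for _ in range(2):
        if pos + 2 > len(der) or der[pos] != 0x02:
            raise ValueError("expected DER INTEGER")
        n = der[pos + 1]
        chunk = der[pos + 2 : pos + 2 + n]
        if len(chunk) != n or n == 0 or chunk[0] & 0x80:
            raise ValueError("bad INTEGER encoding")
        ints.append(int.from_bytes(chunk, "big"))
        pos += 2 + n
    if pos != len(der):
        raise ValueError("trailing data after ECDSA-Sig-Value")
    return es256_encode_signature(*ints)


if __name__ == "__main__":
    # Constructed R and S values, not a real signature.
    sig = es256_encode_signature(7, P256_N - 1)
    print(len(sig), jws_to_der(sig).hex(), der_to_jws(jws_to_der(sig)) == sig)
```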

The RSASSA-PSS SHA-256 digital signature is generated as follows: | The RSASSA-PSS SHA-256 digital signature is generated as follows: | |||

Generate a digital signature of the JWS Signing Input using RSASSA- | Generate a digital signature of the JWS Signing Input using RSASSA- | |||

PSS-SIGN, the SHA-256 hash function, and the MGF1 mask generation | PSS-SIGN, the SHA-256 hash function, and the MGF1 mask generation | |||

function with SHA-256 with the desired private key. This is the JWS | function with SHA-256 with the desired private key. This is the JWS | |||

signature value. | signature value. | |||

The following "alg" (algorithm) Header Parameter values are used to | The following "alg" (algorithm) Header Parameter values are used to | |||

indicate that the JWS Signature is a digital signature value computed | indicate that the JWS Signature is a digital signature value computed | |||

using the corresponding algorithm: | using the corresponding algorithm: | |||

+---------------------+---------------------------------------------+ | +-----------------+------------------------------------------------+ | |||

| alg Parameter Value | Digital Signature Algorithm | | | alg Param Value | Digital Signature Algorithm | | |||

+---------------------+---------------------------------------------+ | +-----------------+------------------------------------------------+ | |||

| PS256 | RSASSA-PSS using SHA-256 and MGF1 with | | | PS256 | RSASSA-PSS using SHA-256 and MGF1 with SHA-256 | | |||

| | SHA-256 | | | PS384 | RSASSA-PSS using SHA-384 and MGF1 with SHA-384 | | |||

| PS384 | RSASSA-PSS using SHA-384 and MGF1 with | | | PS512 | RSASSA-PSS using SHA-512 and MGF1 with SHA-512 | | |||

| | SHA-384 | | +-----------------+------------------------------------------------+ | |||

| PS512 | RSASSA-PSS using SHA-512 and MGF1 with | | ||||

| | SHA-512 | | ||||

+---------------------+---------------------------------------------+ | ||||

The RSASSA-PSS SHA-256 digital signature for a JWS is validated as | The RSASSA-PSS SHA-256 digital signature for a JWS is validated as | |||

follows: Submit the JWS Signing Input, the JWS Signature, and the | follows: Submit the JWS Signing Input, the JWS Signature, and the | |||

public key corresponding to the private key used by the signer to the | public key corresponding to the private key used by the signer to the | |||

RSASSA-PSS-VERIFY algorithm using SHA-256 as the hash function and | RSASSA-PSS-VERIFY algorithm using SHA-256 as the hash function and | |||

using MGF1 as the mask generation function with SHA-256. | using MGF1 as the mask generation function with SHA-256. | |||

Signing and validation with the RSASSA-PSS SHA-384 and RSASSA-PSS | Signing and validation with the RSASSA-PSS SHA-384 and RSASSA-PSS | |||

SHA-512 algorithms is performed identically to the procedure for | SHA-512 algorithms is performed identically to the procedure for | |||

RSASSA-PSS SHA-256 -- just using the alternative hash algorithm in | RSASSA-PSS SHA-256 -- just using the alternative hash algorithm in | |||

skipping to change at page 12, line 22 | skipping to change at page 12, line 27 | |||

JWE uses cryptographic algorithms to encrypt or determine the Content | JWE uses cryptographic algorithms to encrypt or determine the Content | |||

Encryption Key (CEK). | Encryption Key (CEK). | |||

4.1. "alg" (Algorithm) Header Parameter Values for JWE | 4.1. "alg" (Algorithm) Header Parameter Values for JWE | |||

The table below is the set of "alg" (algorithm) Header Parameter | The table below is the set of "alg" (algorithm) Header Parameter | |||

values that are defined by this specification for use with JWE. | values that are defined by this specification for use with JWE. | |||

These algorithms are used to encrypt the CEK, producing the JWE | These algorithms are used to encrypt the CEK, producing the JWE | |||

Encrypted Key, or to use key agreement to agree upon the CEK. | Encrypted Key, or to use key agreement to agree upon the CEK. | |||

+-------------------+-----------------+------------+----------------+ | +--------------------+--------------------+--------+----------------+ | |||

| alg Parameter | Key Management | Additional | Implementation | | | alg Param Value | Key Management | More | Implementation | | |||

| Value | Algorithm | Header | Requirements | | | | Algorithm | Header | Requirements | | |||

| | | Parameters | | | | | | Params | | | |||

+-------------------+-----------------+------------+----------------+ | +--------------------+--------------------+--------+----------------+ | |||

| RSA1_5 | RSAES-PKCS1-V1_ | (none) | Recommended- | | | RSA1_5 | RSAES-PKCS1-V1_5 | (none) | Recommended- | | |||

| | 5 | | | | | RSA-OAEP | RSAES OAEP using | (none) | Recommended+ | | |||

| RSA-OAEP | RSAES OAEP | (none) | Recommended+ | | | | default parameters | | | | |||

| | using default | | | | | RSA-OAEP-256 | RSAES OAEP using | (none) | Optional | | |||

| | parameters | | | | | | SHA-256 and MGF1 | | | | |||

| RSA-OAEP-256 | RSAES OAEP | (none) | Optional | | | | with SHA-256 | | | | |||

| | using SHA-256 | | | | | A128KW | AES Key Wrap with | (none) | Recommended | | |||

| | and MGF1 with | | | | | | default initial | | | | |||

| | SHA-256 | | | | | | value using 128 | | | | |||

| A128KW | AES Key Wrap | (none) | Recommended | | | | bit key | | | | |||

| | with default | | | | | A192KW | AES Key Wrap with | (none) | Optional | | |||

| | initial value | | | | | | default initial | | | | |||

| | using 128 bit | | | | | | value using 192 | | | | |||

| | key | | | | | | bit key | | | | |||

| A192KW | AES Key Wrap | (none) | Optional | | | A256KW | AES Key Wrap with | (none) | Recommended | | |||

| | with default | | | | | | default initial | | | | |||

| | initial value | | | | | | value using 256 | | | | |||

| | using 192 bit | | | | | | bit key | | | | |||

| | key | | | | | dir | Direct use of a | (none) | Recommended | | |||

| A256KW | AES Key Wrap | (none) | Recommended | | | | shared symmetric | | | | |||

| | with default | | | | | | key as the CEK | | | | |||

| | initial value | | | | | ECDH-ES | Elliptic Curve | "epk", | Recommended+ | | |||

| | using 256 bit | | | | | | Diffie-Hellman | "apu", | | | |||

| | key | | | | | | Ephemeral Static | "apv" | | | |||

| dir | Direct use of a | (none) | Recommended | | | | key agreement | | | | |||

| | shared | | | | | | using Concat KDF | | | | |||

| | symmetric key | | | | | ECDH-ES+A128KW | ECDH-ES using | "epk", | Recommended | | |||

| | as the CEK | | | | | | Concat KDF and CEK | "apu", | | | |||

| ECDH-ES | Elliptic Curve | "epk", | Recommended+ | | | | wrapped with | "apv" | | | |||

| | Diffie-Hellman | "apu", | | | | | "A128KW" | | | | |||

| | Ephemeral | "apv" | | | | ECDH-ES+A192KW | ECDH-ES using | "epk", | Optional | | |||

| | Static key | | | | | | Concat KDF and CEK | "apu", | | | |||

| | agreement using | | | | | | wrapped with | "apv" | | | |||

| | Concat KDF | | | | | | "A192KW" | | | | |||

| ECDH-ES+A128KW | ECDH-ES using | "epk", | Recommended | | | ECDH-ES+A256KW | ECDH-ES using | "epk", | Recommended | | |||

| | Concat KDF and | "apu", | | | | | Concat KDF and CEK | "apu", | | | |||

| | CEK wrapped | "apv" | | | | | wrapped with | "apv" | | | |||

| | with "A128KW" | | | | | | "A256KW" | | | | |||

| ECDH-ES+A192KW | ECDH-ES using | "epk", | Optional | | | A128GCMKW | Key wrapping with | "iv", | Optional | | |||

| | Concat KDF and | "apu", | | | | | AES GCM using 128 | "tag" | | | |||

| | CEK wrapped | "apv" | | | | | bit key | | | | |||

| | with "A192KW" | | | | | A192GCMKW | Key wrapping with | "iv", | Optional | | |||

| ECDH-ES+A256KW | ECDH-ES using | "epk", | Recommended | | | | AES GCM using 192 | "tag" | | | |||

| | Concat KDF and | "apu", | | | | | bit key | | | | |||

| | CEK wrapped | "apv" | | | | A256GCMKW | Key wrapping with | "iv", | Optional | | |||

| | with "A256KW" | | | | | | AES GCM using 256 | "tag" | | | |||

| A128GCMKW | Key wrapping | "iv", | Optional | | | | bit key | | | | |||

| | with AES GCM | "tag" | | | | PBES2-HS256+A128KW | PBES2 with HMAC | "p2s", | Optional | | |||

| | using 128 bit | | | | | | SHA-256 and | "p2c" | | | |||

| | key | | | | | | "A128KW" wrapping | | | | |||

| A192GCMKW | Key wrapping | "iv", | Optional | | | PBES2-HS384+A192KW | PBES2 with HMAC | "p2s", | Optional | | |||

| | with AES GCM | "tag" | | | | | SHA-384 and | "p2c" | | | |||

| | using 192 bit | | | | | | "A192KW" wrapping | | | | |||

| | key | | | | | PBES2-HS512+A256KW | PBES2 with HMAC | "p2s", | Optional | | |||

| A256GCMKW | Key wrapping | "iv", | Optional | | | | SHA-512 and | "p2c" | | | |||

| | with AES GCM | "tag" | | | | | "A256KW" wrapping | | | | |||

| | using 256 bit | | | | +--------------------+--------------------+--------+----------------+ | |||

| | key | | | | ||||

| PBES2-HS256+A128K | PBES2 with HMAC | "p2s", | Optional | | The More Header Params column indicates what additional Header | |||

| W | SHA-256 and | "p2c" | | | Parameters are used by the algorithm, beyond "alg", which all use. | |||

| | "A128KW" | | | | All but "dir" and "ECDH-ES" also produce a JWE Encrypted Key value. | |||

| | wrapping | | | | ||||

| PBES2-HS384+A192K | PBES2 with HMAC | "p2s", | Optional | | ||||

| W | SHA-384 and | "p2c" | | | ||||

| | "A192KW" | | | | ||||

| | wrapping | | | | ||||

| PBES2-HS512+A256K | PBES2 with HMAC | "p2s", | Optional | | ||||

| W | SHA-512 and | "p2c" | | | ||||

| | "A256KW" | | | | ||||

| | wrapping | | | | ||||

+-------------------+-----------------+------------+----------------+ | ||||

The Additional Header Parameters column indicates what additional | ||||

Header Parameters are used by the algorithm, beyond "alg", which all | ||||

use. All but "dir" and "ECDH-ES" also produce a JWE Encrypted Key | ||||

value. | ||||

The use of "+" in the Implementation Requirements indicates that the | The use of "+" in the Implementation Requirements indicates that the | |||

requirement strength is likely to be increased in a future version of | requirement strength is likely to be increased in a future version of | |||

the specification. | the specification. | |||

See Appendix A.2 for a table cross-referencing the JWE "alg" | See Appendix A.2 for a table cross-referencing the JWE "alg" | |||

(algorithm) values defined in this specification with the equivalent | (algorithm) values defined in this specification with the equivalent | |||

identifiers used by other standards and software packages. | identifiers used by other standards and software packages. | |||

4.2. Key Encryption with RSAES-PKCS1-V1_5 | 4.2. Key Encryption with RSAES-PKCS1-V1_5 | |||

skipping to change at page 14, line 42 | skipping to change at page 14, line 34 | |||

hash functions. In the first case, the default parameters specified | hash functions. In the first case, the default parameters specified | |||

by RFC 3447 in Section A.2.1 are used. (Those default parameters are | by RFC 3447 in Section A.2.1 are used. (Those default parameters are | |||

the SHA-1 hash function and the MGF1 with SHA-1 mask generation | the SHA-1 hash function and the MGF1 with SHA-1 mask generation | |||

function.) In the second case, the SHA-256 hash function and the | function.) In the second case, the SHA-256 hash function and the | |||

MGF1 with SHA-256 mask generation function are used. | MGF1 with SHA-256 mask generation function are used. | |||

The following "alg" (algorithm) Header Parameter values are used to | The following "alg" (algorithm) Header Parameter values are used to | |||

indicate that the JWE Encrypted Key is the result of encrypting the | indicate that the JWE Encrypted Key is the result of encrypting the | |||

CEK using the corresponding algorithm: | CEK using the corresponding algorithm: | |||

+---------------------+---------------------------------------------+ | +-----------------+------------------------------------------------+ | |||

| alg Parameter Value | Key Management Algorithm | | | alg Param Value | Key Management Algorithm | | |||

+---------------------+---------------------------------------------+ | +-----------------+------------------------------------------------+ | |||

| RSA-OAEP | RSAES OAEP using default parameters | | | RSA-OAEP | RSAES OAEP using default parameters | | |||

| RSA-OAEP-256 | RSAES OAEP using SHA-256 and MGF1 with | | | RSA-OAEP-256 | RSAES OAEP using SHA-256 and MGF1 with SHA-256 | | |||

| | SHA-256 | | +-----------------+------------------------------------------------+ | |||

+---------------------+---------------------------------------------+ | ||||

A key of size 2048 bits or larger MUST be used with these algorithms. | A key of size 2048 bits or larger MUST be used with these algorithms. | |||

(This requirement is based on Table 4 (Security-strength time frames) | (This requirement is based on Table 4 (Security-strength time frames) | |||

of NIST SP 800-57 [NIST.800-57], which requires 112 bits of security | of NIST SP 800-57 [NIST.800-57], which requires 112 bits of security | |||

for new uses, and Table 2 (Comparable strengths) of the same, which | for new uses, and Table 2 (Comparable strengths) of the same, which | |||

states that 2048 bit RSA keys provide 112 bits of security.) | states that 2048 bit RSA keys provide 112 bits of security.) | |||

An example using RSAES OAEP with the default parameters is shown in | An example using RSAES OAEP with the default parameters is shown in | |||

Appendix A.1 of [JWE]. | Appendix A.1 of [JWE]. | |||

4.4. Key Wrapping with AES Key Wrap | 4.4. Key Wrapping with AES Key Wrap | |||

This section defines the specifics of encrypting a JWE CEK with the | This section defines the specifics of encrypting a JWE CEK with the | |||

Advanced Encryption Standard (AES) Key Wrap Algorithm [RFC3394] using | Advanced Encryption Standard (AES) Key Wrap Algorithm [RFC3394] using | |||

the default initial value specified in Section 2.2.3.1. | the default initial value specified in Section 2.2.3.1. | |||

The following "alg" (algorithm) Header Parameter values are used to | The following "alg" (algorithm) Header Parameter values are used to | |||

indicate that the JWE Encrypted Key is the result of encrypting the | indicate that the JWE Encrypted Key is the result of encrypting the | |||

CEK using the corresponding algorithm and key size: | CEK using the corresponding algorithm and key size: | |||

+------------------+------------------------------------------------+ | +---------------+---------------------------------------------------+ | |||

| alg Parameter | Key Management Algorithm | | | alg Param | Key Management Algorithm | | |||

| Value | | | | Value | | | |||

+------------------+------------------------------------------------+ | +---------------+---------------------------------------------------+ | |||

| A128KW | AES Key Wrap with default initial value using | | | A128KW | AES Key Wrap with default initial value using 128 | | |||

| | 128 bit key | | | | bit key | | |||

| A192KW | AES Key Wrap with default initial value using | | | A192KW | AES Key Wrap with default initial value using 192 | | |||

| | 192 bit key | | | | bit key | | |||

| A256KW | AES Key Wrap with default initial value using | | | A256KW | AES Key Wrap with default initial value using 256 | | |||

| | 256 bit key | | | | bit key | | |||

+------------------+------------------------------------------------+ | +---------------+---------------------------------------------------+ | |||

An example using this algorithm is shown in Appendix A.3 of [JWE]. | An example using this algorithm is shown in Appendix A.3 of [JWE]. | |||

4.5. Direct Encryption with a Shared Symmetric Key | 4.5. Direct Encryption with a Shared Symmetric Key | |||

This section defines the specifics of directly performing symmetric | This section defines the specifics of directly performing symmetric | |||

key encryption without performing a key wrapping step. In this case, | key encryption without performing a key wrapping step. In this case, | |||

the shared symmetric key is used directly as the Content Encryption | the shared symmetric key is used directly as the Content Encryption | |||

Key (CEK) value for the "enc" algorithm. An empty octet sequence is | Key (CEK) value for the "enc" algorithm. An empty octet sequence is | |||

used as the JWE Encrypted Key value. The "alg" Header Parameter | used as the JWE Encrypted Key value. The "alg" Header Parameter | |||

skipping to change at page 16, line 34 | skipping to change at page 16, line 28 | |||

In Key Agreement with Key Wrapping mode, the output of the Concat KDF | In Key Agreement with Key Wrapping mode, the output of the Concat KDF | |||

MUST be a key of the length needed for the specified key wrapping | MUST be a key of the length needed for the specified key wrapping | |||

algorithm. In this case, the JWE Encrypted Key is the CEK wrapped | algorithm. In this case, the JWE Encrypted Key is the CEK wrapped | |||

with the agreed upon key. | with the agreed upon key. | |||

The following "alg" (algorithm) Header Parameter values are used to | The following "alg" (algorithm) Header Parameter values are used to | |||

indicate that the JWE Encrypted Key is the result of encrypting the | indicate that the JWE Encrypted Key is the result of encrypting the | |||

CEK using the result of the key agreement algorithm as the key | CEK using the result of the key agreement algorithm as the key | |||

encryption key for the corresponding key wrapping algorithm: | encryption key for the corresponding key wrapping algorithm: | |||

+-------------------+-----------------------------------------------+ | +----------------+--------------------------------------------------+ | |||

| alg Parameter | Key Management Algorithm | | | alg Param | Key Management Algorithm | | |||

| Value | | | | Value | | | |||

+-------------------+-----------------------------------------------+ | +----------------+--------------------------------------------------+ | |||

| ECDH-ES+A128KW | ECDH-ES using Concat KDF and CEK wrapped with | | | ECDH-ES+A128KW | ECDH-ES using Concat KDF and CEK wrapped with | | |||

| | "A128KW" | | | | "A128KW" | | |||

| ECDH-ES+A192KW | ECDH-ES using Concat KDF and CEK wrapped with | | | ECDH-ES+A192KW | ECDH-ES using Concat KDF and CEK wrapped with | | |||

| | "A192KW" | | | | "A192KW" | | |||

| ECDH-ES+A256KW | ECDH-ES using Concat KDF and CEK wrapped with | | | ECDH-ES+A256KW | ECDH-ES using Concat KDF and CEK wrapped with | | |||

| | "A256KW" | | | | "A256KW" | | |||

+-------------------+-----------------------------------------------+ | +----------------+--------------------------------------------------+ | |||

4.6.1. Header Parameters Used for ECDH Key Agreement | 4.6.1. Header Parameters Used for ECDH Key Agreement | |||

The following Header Parameter names are used for key agreement as | The following Header Parameter names are used for key agreement as | |||

defined below. | defined below. | |||

4.6.1.1. "epk" (Ephemeral Public Key) Header Parameter | 4.6.1.1. "epk" (Ephemeral Public Key) Header Parameter | |||

The "epk" (ephemeral public key) value created by the originator for | The "epk" (ephemeral public key) value created by the originator for | |||

the use in key agreement algorithms. This key is represented as a | the use in key agreement algorithms. This key is represented as a | |||

skipping to change at page 19, line 34 | skipping to change at page 19, line 31 | |||

The JWE Encrypted Key value is the Ciphertext output. | The JWE Encrypted Key value is the Ciphertext output. | |||

The Authentication Tag output is represented in base64url encoded | The Authentication Tag output is represented in base64url encoded | |||

form as the "tag" (authentication tag) Header Parameter value. | form as the "tag" (authentication tag) Header Parameter value. | |||

The following "alg" (algorithm) Header Parameter values are used to | The following "alg" (algorithm) Header Parameter values are used to | |||

indicate that the JWE Encrypted Key is the result of encrypting the | indicate that the JWE Encrypted Key is the result of encrypting the | |||

CEK using the corresponding algorithm and key size: | CEK using the corresponding algorithm and key size: | |||

+---------------------+---------------------------------------------+ | +-----------------+---------------------------------------------+ | |||

| alg Parameter Value | Key Management Algorithm | | | alg Param Value | Key Management Algorithm | | |||

+---------------------+---------------------------------------------+ | +-----------------+---------------------------------------------+ | |||

| A128GCMKW | Key wrapping with AES GCM using 128 bit key | | | A128GCMKW | Key wrapping with AES GCM using 128 bit key | | |||

| A192GCMKW | Key wrapping with AES GCM using 192 bit key | | | A192GCMKW | Key wrapping with AES GCM using 192 bit key | | |||

| A256GCMKW | Key wrapping with AES GCM using 256 bit key | | | A256GCMKW | Key wrapping with AES GCM using 256 bit key | | |||

+---------------------+---------------------------------------------+ | +-----------------+---------------------------------------------+ | |||

4.7.1. Header Parameters Used for AES GCM Key Encryption | 4.7.1. Header Parameters Used for AES GCM Key Encryption | |||

The following Header Parameters are used for AES GCM key encryption. | The following Header Parameters are used for AES GCM key encryption. | |||

4.7.1.1. "iv" (Initialization Vector) Header Parameter | 4.7.1.1. "iv" (Initialization Vector) Header Parameter | |||

The "iv" (initialization vector) Header Parameter value is the | The "iv" (initialization vector) Header Parameter value is the | |||

base64url encoded representation of the 96 bit Initialization Vector | base64url encoded representation of the 96 bit Initialization Vector | |||

value used for the key encryption operation. This Header Parameter | value used for the key encryption operation. This Header Parameter | |||

skipping to change at page 20, line 41 | skipping to change at page 20, line 41 | |||

respectively use HMAC SHA-256, HMAC SHA-384, and HMAC SHA-512 as the | respectively use HMAC SHA-256, HMAC SHA-384, and HMAC SHA-512 as the | |||

PRF and use 128, 192, and 256 bit AES Key Wrap keys. Their derived- | PRF and use 128, 192, and 256 bit AES Key Wrap keys. Their derived- | |||

key lengths respectively are 16, 24, and 32 octets. | key lengths respectively are 16, 24, and 32 octets. | |||

The following "alg" (algorithm) Header Parameter values are used to | The following "alg" (algorithm) Header Parameter values are used to | |||

indicate that the JWE Encrypted Key is the result of encrypting the | indicate that the JWE Encrypted Key is the result of encrypting the | |||

CEK using the result of the corresponding password-based encryption | CEK using the result of the corresponding password-based encryption | |||

algorithm as the key encryption key for the corresponding key | algorithm as the key encryption key for the corresponding key | |||

wrapping algorithm: | wrapping algorithm: | |||

+---------------------+---------------------------------------------+ | +--------------------+----------------------------------------------+ | |||

| alg Parameter Value | Key Management Algorithm | | | alg Param Value | Key Management Algorithm | | |||

+---------------------+---------------------------------------------+ | +--------------------+----------------------------------------------+ | |||

| PBES2-HS256+A128KW | PBES2 with HMAC SHA-256 and "A128KW" | | | PBES2-HS256+A128KW | PBES2 with HMAC SHA-256 and "A128KW" | | |||

| | wrapping | | | | wrapping | | |||

| PBES2-HS384+A192KW | PBES2 with HMAC SHA-384 and "A192KW" | | | PBES2-HS384+A192KW | PBES2 with HMAC SHA-384 and "A192KW" | | |||

| | wrapping | | | | wrapping | | |||

| PBES2-HS512+A256KW | PBES2 with HMAC SHA-512 and "A256KW" | | | PBES2-HS512+A256KW | PBES2 with HMAC SHA-512 and "A256KW" | | |||

| | wrapping | | | | wrapping | | |||

+---------------------+---------------------------------------------+ | +--------------------+----------------------------------------------+ | |||

See Appendix C of JSON Web Key (JWK) [JWK] for an example key | See Appendix C of JSON Web Key (JWK) [JWK] for an example key | |||

encryption computation using "PBES2-HS256+A128KW". | encryption computation using "PBES2-HS256+A128KW". | |||

4.8.1. Header Parameters Used for PBES2 Key Encryption | 4.8.1. Header Parameters Used for PBES2 Key Encryption | |||

The following Header Parameters are used for Key Encryption with | The following Header Parameters are used for Key Encryption with | |||

PBES2. | PBES2. | |||

4.8.1.1. "p2s" (PBES2 salt input) Parameter | 4.8.1.1. "p2s" (PBES2 salt input) Parameter | |||

skipping to change at page 21, line 29 | skipping to change at page 21, line 29 | |||

The salt expands the possible keys that can be derived from a given | The salt expands the possible keys that can be derived from a given | |||

password. A Salt Input value containing 8 or more octets MUST be | password. A Salt Input value containing 8 or more octets MUST be | |||

used. A new Salt Input value MUST be generated randomly for every | used. A new Salt Input value MUST be generated randomly for every | |||

encryption operation; see RFC 4086 [RFC4086] for considerations on | encryption operation; see RFC 4086 [RFC4086] for considerations on | |||

generating random values. The salt value used is (UTF8(Alg) || 0x00 | generating random values. The salt value used is (UTF8(Alg) || 0x00 | |||

|| Salt Input), where Alg is the "alg" Header Parameter value. | || Salt Input), where Alg is the "alg" Header Parameter value. | |||

4.8.1.2. "p2c" (PBES2 count) Parameter | 4.8.1.2. "p2c" (PBES2 count) Parameter | |||

The "p2c" (PBES2 count) Header Parameter contains the PBKDF2 | The "p2c" (PBES2 count) Header Parameter contains the PBKDF2 | |||

iteration count, represented as a positive integer. This Header | iteration count, represented as a positive JSON integer. This Header | |||

Parameter MUST be present and MUST be understood and processed by | Parameter MUST be present and MUST be understood and processed by | |||

implementations when these algorithms are used. | implementations when these algorithms are used. | |||

The iteration count adds computational expense, ideally compounded by | The iteration count adds computational expense, ideally compounded by | |||

the possible range of keys introduced by the salt. A minimum | the possible range of keys introduced by the salt. A minimum | |||

iteration count of 1000 is RECOMMENDED. | iteration count of 1000 is RECOMMENDED. | |||
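The PBES2 key derivation described in this section (PRF and derived-key length per "alg", salt value (UTF8(Alg) || 0x00 || Salt Input) with a fresh random Salt Input of at least 8 octets, and the "p2c" iteration count), as an added Python example that is not part of the draft. The AES Key Wrap of the CEK that follows the derivation is not shown; the password and salt are constructed, the upper bound on "p2c" is a local policy assumption rather than a rule of the draft, and the function names are this example's own:

```python
import base64
import hashlib
import os

# PRF and derived AES Key Wrap key length (octets) for each PBES2 "alg" value.
PBES2_PARAMS = {
    "PBES2-HS256+A128KW": ("sha256", 16),
    "PBES2-HS384+A192KW": ("sha384", 24),
    "PBES2-HS512+A256KW": ("sha512", 32),
}
MIN_SALT_INPUT_OCTETS = 8   # a Salt Input of 8 or more octets MUST be used
MIN_ITERATIONS = 1000       # RECOMMENDED minimum for "p2c"
# Local policy cap (assumption, not from the draft): "p2c" arrives in the header,
# so an unbounded count would let the sender dictate how much CPU the recipient burns.
MAX_ITERATIONS = 1_000_000


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    raw = text.encode("ascii")
    return base64.urlsafe_b64decode(raw + b"=" * (-len(raw) % 4))


def pbes2_salt(alg: str, salt_input: bytes) -> bytes:
    """PBKDF2 salt value = (UTF8(Alg) || 0x00 || Salt Input)."""
    if alg not in PBES2_PARAMS:
        raise ValueError(f"unsupported alg {alg!r}")
    if len(salt_input) < MIN_SALT_INPUT_OCTETS:
        raise ValueError("Salt Input MUST contain 8 or more octets")
    return alg.encode("utf-8") + b"\x00" + salt_input


def check_iteration_count(p2c) -> int:
    """"p2c" MUST be a positive integer; enforce the recommended floor and the local cap."""
    if isinstance(p2c, bool) or not isinstance(p2c, int) or p2c < 1:
        raise ValueError('"p2c" must be a positive integer')
    if p2c < MIN_ITERATIONS:
        raise ValueError(f'"p2c" below the recommended minimum of {MIN_ITERATIONS}')
    if p2c > MAX_ITERATIONS:
        raise ValueError('"p2c" exceeds the local maximum')
    return p2c


def pbes2_derive_key(alg: str, password: bytes, salt_input: bytes, p2c) -> bytes:
    """Derive the AES Key Wrap key (16/24/32 octets) that will wrap the CEK."""
    salt = pbes2_salt(alg, salt_input)
    prf, dk_len = PBES2_PARAMS[alg]
    return hashlib.pbkdf2_hmac(prf, password, salt, check_iteration_count(p2c), dk_len)


def pbes2_header_params(alg: str, p2c: int = 4096, salt_octets: int = 16) -> dict:
    """Sender side: a fresh random Salt Input per encryption, carried base64url-encoded in "p2s"."""
    salt_input = os.urandom(max(salt_octets, MIN_SALT_INPUT_OCTETS))
    return {"alg": alg, "p2s": b64url_encode(salt_input), "p2c": check_iteration_count(p2c)}


def pbes2_key_from_header(header: dict, password: bytes) -> bytes:
    """Recipient side: recover Salt Input from "p2s" and derive the same wrapping key."""
    return pbes2_derive_key(header["alg"], password, b64url_decode(header["p2s"]), header["p2c"])


if __name__ == "__main__":
    pw = b"constructed test password"
    hdr = pbes2_header_params("PBES2-HS256+A128KW")
    print(hdr, pbes2_key_from_header(hdr, pw).hex())
```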

5. Cryptographic Algorithms for Content Encryption | 5. Cryptographic Algorithms for Content Encryption | |||

JWE uses cryptographic algorithms to encrypt and integrity protect | JWE uses cryptographic algorithms to encrypt and integrity protect | |||

the Plaintext and to also integrity protect additional authenticated | the Plaintext and to also integrity protect additional authenticated | |||

data. | data. | |||

5.1. "enc" (Encryption Algorithm) Header Parameter Values for JWE | 5.1. "enc" (Encryption Algorithm) Header Parameter Values for JWE | |||

The table below is the set of "enc" (encryption algorithm) Header | The table below is the set of "enc" (encryption algorithm) Header | |||

Parameter values that are defined by this specification for use with | Parameter values that are defined by this specification for use with | |||

JWE. | JWE. | |||

+-------------+------------------------+------------+---------------+ | +---------------+----------------------------------+----------------+ | |||

| enc | Content Encryption | Additional | Implementatio | | | enc Param | Content Encryption Algorithm | Implementation | | |||

| Parameter | Algorithm | Header | nRequirements | | | Value | | Requirements | | |||

| Value | | Parameters | | | +---------------+----------------------------------+----------------+ | |||

+-------------+------------------------+------------+---------------+ | | A128CBC-HS256 | AES_128_CBC_HMAC_SHA_256 | Required | | |||

| A128CBC-HS2 | AES_128_CBC_HMAC_SHA_2 | (none) | Required | | | | authenticated encryption | | | |||

| 56 | 56 authenticated | | | | | | algorithm, as defined in | | | |||

| | encryption algorithm, | | | | | | Section 5.2.3 | | | |||

| | as defined in | | | | | A192CBC-HS384 | AES_192_CBC_HMAC_SHA_384 | Optional | | |||

| | Section 5.2.3 | | | | | | authenticated encryption | | | |||

| A192CBC-HS3 | AES_192_CBC_HMAC_SHA_3 | (none) | Optional | | | | algorithm, as defined in | | | |||

| 84 | 84 authenticated | | | | | | Section 5.2.4 | | | |||

| | encryption algorithm, | | | | | A256CBC-HS512 | AES_256_CBC_HMAC_SHA_512 | Required | | |||

| | as defined in | | | | | | authenticated encryption | | | |||

| | Section 5.2.4 | | | | | | algorithm, as defined in | | | |||

| A256CBC-HS5 | AES_256_CBC_HMAC_SHA_5 | (none) | Required | | | | Section 5.2.5 | | | |||

| 12 | 12 authenticated | | | | | A128GCM | AES GCM using 128 bit key | Recommended | | |||

| | encryption algorithm, | | | | | A192GCM | AES GCM using 192 bit key | Optional | | |||

| | as defined in | | | | | A256GCM | AES GCM using 256 bit key | Recommended | | |||

| | Section 5.2.5 | | | | +---------------+----------------------------------+----------------+ | |||

| A128GCM | AES GCM using 128 bit | (none) | Recommended | | ||||

| | key | | | | ||||

| A192GCM | AES GCM using 192 bit | (none) | Optional | | ||||

| | key | | | | ||||

| A256GCM | AES GCM using 256 bit | (none) | Recommended | | ||||

| | key | | | | ||||

+-------------+------------------------+------------+---------------+ | ||||

The Additional Header Parameters column indicates what additional | All also use a JWE Initialization Vector value and produce JWE | |||

Header Parameters are used by the algorithm, beyond "enc", which all | ||||

use. All also use a JWE Initialization Vector value and produce JWE | ||||

Ciphertext and JWE Authentication Tag values. | Ciphertext and JWE Authentication Tag values. | |||

See Appendix A.3 for a table cross-referencing the JWE "enc" | See Appendix A.3 for a table cross-referencing the JWE "enc" | |||

(encryption algorithm) values defined in this specification with the | (encryption algorithm) values defined in this specification with the | |||

equivalent identifiers used by other standards and software packages. | equivalent identifiers used by other standards and software packages. | |||

5.2. AES_CBC_HMAC_SHA2 Algorithms | 5.2. AES_CBC_HMAC_SHA2 Algorithms | |||

This section defines a family of authenticated encryption algorithms | This section defines a family of authenticated encryption algorithms | |||

built using a composition of Advanced Encryption Standard (AES) in | built using a composition of Advanced Encryption Standard (AES) [AES] | |||

Cipher Block Chaining (CBC) mode with PKCS #7 padding [AES, | in Cipher Block Chaining (CBC) mode [NIST.800-38A] with PKCS #7 | |||

NIST.800-38A] operations and HMAC [RFC2104, SHS] operations. This | padding [RFC5652], Section 6.3 operations and HMAC [RFC2104, SHS] | |||

algorithm family is called AES_CBC_HMAC_SHA2. It also defines three | operations. This algorithm family is called AES_CBC_HMAC_SHA2. It | |||

instances of this family, the first using 128 bit CBC keys and HMAC | also defines three instances of this family, the first using 128 bit | |||

SHA-256, the second using 192 bit CBC keys and HMAC SHA-384, and the | CBC keys and HMAC SHA-256, the second using 192 bit CBC keys and HMAC | |||

third using 256 bit CBC keys and HMAC SHA-512. Test cases for these | SHA-384, and the third using 256 bit CBC keys and HMAC SHA-512. Test | |||

algorithms can be found in Appendix B. | cases for these algorithms can be found in Appendix B. | |||

These algorithms are based upon Authenticated Encryption with AES-CBC | These algorithms are based upon Authenticated Encryption with AES-CBC | |||

and HMAC-SHA [I-D.mcgrew-aead-aes-cbc-hmac-sha2], performing the same | and HMAC-SHA [I-D.mcgrew-aead-aes-cbc-hmac-sha2], performing the same | |||

cryptographic computations, but with the Initialization Vector and | cryptographic computations, but with the Initialization Vector and | |||

Authentication Tag values remaining separate, rather than being | Authentication Tag values remaining separate, rather than being | |||

concatenated with the Ciphertext value in the output representation. | concatenated with the Ciphertext value in the output representation. | |||

This option is discussed in Appendix B of that specification. This | This option is discussed in Appendix B of that specification. This | |||

algorithm family is a generalization of the algorithm family in | algorithm family is a generalization of the algorithm family in | |||

[I-D.mcgrew-aead-aes-cbc-hmac-sha2], and can be used to implement | [I-D.mcgrew-aead-aes-cbc-hmac-sha2], and can be used to implement | |||

those algorithms. | those algorithms. | |||

skipping to change at page 25, line 32 | skipping to change at page 25, line 21 | |||

computing an HMAC with the inputs as in Step 5 of | computing an HMAC with the inputs as in Step 5 of | |||

Section 5.2.2.1. The value T, from the previous step, is | Section 5.2.2.1. The value T, from the previous step, is | |||

compared to the first MAC_KEY length bits of the HMAC output. If | compared to the first MAC_KEY length bits of the HMAC output. If | |||

those values are identical, then A and E are considered valid, | those values are identical, then A and E are considered valid, | |||

and processing is continued. Otherwise, all of the data used in | and processing is continued. Otherwise, all of the data used in | |||

the MAC validation are discarded, and the Authenticated | the MAC validation are discarded, and the Authenticated | |||

Encryption decryption operation returns an indication that it | Encryption decryption operation returns an indication that it | |||

failed, and the operation halts. (But see Section 11.5 of [JWE] | failed, and the operation halts. (But see Section 11.5 of [JWE] | |||

for security considerations on thwarting timing attacks.) | for security considerations on thwarting timing attacks.) | |||

3. The value E is decrypted and the PKCS #7 padding is removed. The | 3. The value E is decrypted and the PKCS #7 padding is checked and | |||

value IV is used as the initialization vector. The value ENC_KEY | removed. The value IV is used as the initialization vector. The | |||

is used as the decryption key. | value ENC_KEY is used as the decryption key. | |||

4. The plaintext value is returned. | 4. The plaintext value is returned. | |||
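Steps 2 to 4 of the decryption procedure above, as an added example in Python (my code, not the draft's or any library's). It assumes the MAC inputs of Step 5 of Section 5.2.2.1, which this excerpt only references: MAC_KEY is the first half of K and ENC_KEY the second half, the HMAC is computed over A || IV || E || AL where AL is the 64-bit big-endian bit length of A, and T is the HMAC output truncated to MAC_KEY's length. AES-CBC itself is not in the standard library, so the block takes a `cbc_decrypt(key, iv, data)` primitive as a parameter; the key, IV, ciphertext and AAD are constructed sample values rather than the Appendix B vectors.

```python
import hashlib
import hmac
from typing import Callable

# The three instances: (hash function, length of K in octets).
CBC_HMAC = {
    "A128CBC-HS256": (hashlib.sha256, 32),
    "A192CBC-HS384": (hashlib.sha384, 48),
    "A256CBC-HS512": (hashlib.sha512, 64),
}
AES_BLOCK = 16


def split_key(enc: str, k: bytes):
    """Return (hash, MAC_KEY, ENC_KEY); MAC_KEY is the first half of K."""
    h, k_len = CBC_HMAC[enc]
    if len(k) != k_len:
        raise ValueError(f"{enc} needs a {k_len}-octet key")
    half = k_len // 2
    return h, k[:half], k[half:]


def compute_tag(enc: str, k: bytes, iv: bytes, e: bytes, a: bytes) -> bytes:
    """HMAC over A || IV || E || AL, truncated to MAC_KEY's length."""
    h, mac_key, _ = split_key(enc, k)
    al = (len(a) * 8).to_bytes(8, "big")     # bit length of A, 64-bit BE
    return hmac.new(mac_key, a + iv + e + al, h).digest()[:len(mac_key)]


def verify_tag(enc: str, k: bytes, iv: bytes, e: bytes, a: bytes, t: bytes) -> bool:
    """Step 2: constant-time comparison with the received tag T."""
    return hmac.compare_digest(compute_tag(enc, k, iv, e, a), t)


def unpad_pkcs7(padded: bytes) -> bytes:
    """Step 3: check the PKCS #7 padding before removing it."""
    if not padded or len(padded) % AES_BLOCK:
        raise ValueError("not a whole number of blocks")
    n = padded[-1]
    if not 1 <= n <= AES_BLOCK or padded[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS #7 padding")
    return padded[:-n]


def decrypt(enc: str, k: bytes, iv: bytes, e: bytes, a: bytes, t: bytes,
            cbc_decrypt: Callable[[bytes, bytes, bytes], bytes]) -> bytes:
    """Steps 2-4 in the draft's order: authenticate first, only then decrypt
    and unpad.  cbc_decrypt(key, iv, data) is an AES-CBC primitive from a
    crypto library (assumed, not shown here)."""
    if not verify_tag(enc, k, iv, e, a, t):
        raise ValueError("authentication failed")   # E is never decrypted
    _, _, enc_key = split_key(enc, k)
    return unpad_pkcs7(cbc_decrypt(enc_key, iv, e))


# Constructed sample values (not the draft's Appendix B vectors).  E stands
# in for real CBC output; the MAC does not care how E was produced.
K = bytes(range(32))                      # 256-bit K for A128CBC-HS256
IV = bytes(range(16, 32))
E = bytes(range(48))
A = b'{"alg":"dir","enc":"A128CBC-HS256"}'
T = compute_tag("A128CBC-HS256", K, IV, E, A)
```

Checking T before touching the ciphertext is what makes the padding check in Step 3 safe: a tampered E never reaches the CBC decryption or the unpadding code, so neither can leak anything about it. The error raised on failure is deliberately the same regardless of which check failed, which is the concern the text points at in Section 11.5 of [JWE].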

5.2.3. AES_128_CBC_HMAC_SHA_256 | 5.2.3. AES_128_CBC_HMAC_SHA_256 | |||

This algorithm is a concrete instantiation of the generic | This algorithm is a concrete instantiation of the generic | |||

AES_CBC_HMAC_SHA2 algorithm above. It uses the HMAC message | AES_CBC_HMAC_SHA2 algorithm above. It uses the HMAC message | |||

authentication code [RFC2104] with the SHA-256 hash function [SHS] to | authentication code [RFC2104] with the SHA-256 hash function [SHS] to | |||

provide message authentication, with the HMAC output truncated to 128 | provide message authentication, with the HMAC output truncated to 128 | |||

bits, corresponding to the HMAC-SHA-256-128 algorithm defined in | bits, corresponding to the HMAC-SHA-256-128 algorithm defined in | |||

skipping to change at page 27, line 12 | skipping to change at page 27, line 6 | |||

This section defines the specifics of performing authenticated | This section defines the specifics of performing authenticated | |||

encryption with the AES_CBC_HMAC_SHA2 algorithms. | encryption with the AES_CBC_HMAC_SHA2 algorithms. | |||

The CEK is used as the secret key K. | The CEK is used as the secret key K. | |||

The following "enc" (encryption algorithm) Header Parameter values | The following "enc" (encryption algorithm) Header Parameter values | |||

are used to indicate that the JWE Ciphertext and JWE Authentication | are used to indicate that the JWE Ciphertext and JWE Authentication | |||

Tag values have been computed using the corresponding algorithm: | Tag values have been computed using the corresponding algorithm: | |||

+---------------+---------------------------------------------------+ | +---------------+---------------------------------------------------+ | |||

| enc Parameter | Content Encryption Algorithm | | | enc Param | Content Encryption Algorithm | | |||

| Value | | | | Value | | | |||

+---------------+---------------------------------------------------+ | +---------------+---------------------------------------------------+ | |||

| A128CBC-HS256 | AES_128_CBC_HMAC_SHA_256 authenticated encryption | | | A128CBC-HS256 | AES_128_CBC_HMAC_SHA_256 authenticated encryption | | |||

| | algorithm, as defined in Section 5.2.3 | | | | algorithm, as defined in Section 5.2.3 | | |||

| A192CBC-HS384 | AES_192_CBC_HMAC_SHA_384 authenticated encryption | | | A192CBC-HS384 | AES_192_CBC_HMAC_SHA_384 authenticated encryption | | |||

| | algorithm, as defined in Section 5.2.4 | | | | algorithm, as defined in Section 5.2.4 | | |||

| A256CBC-HS512 | AES_256_CBC_HMAC_SHA_512 authenticated encryption | | | A256CBC-HS512 | AES_256_CBC_HMAC_SHA_512 authenticated encryption | | |||

| | algorithm, as defined in Section 5.2.5 | | | | algorithm, as defined in Section 5.2.5 | | |||

+---------------+---------------------------------------------------+ | +---------------+---------------------------------------------------+ | |||

skipping to change at page 27, line 42 | skipping to change at page 27, line 36 | |||

algorithm. | algorithm. | |||

The requested size of the Authentication Tag output MUST be 128 bits, | The requested size of the Authentication Tag output MUST be 128 bits, | |||

regardless of the key size. | regardless of the key size. | |||

The following "enc" (encryption algorithm) Header Parameter values | The following "enc" (encryption algorithm) Header Parameter values | |||

are used to indicate that the JWE Ciphertext and JWE Authentication | are used to indicate that the JWE Ciphertext and JWE Authentication | |||

Tag values have been computed using the corresponding algorithm and | Tag values have been computed using the corresponding algorithm and | |||

key size: | key size: | |||

+---------------------+------------------------------+ | +-----------------+------------------------------+ | |||

| enc Parameter Value | Content Encryption Algorithm | | | enc Param Value | Content Encryption Algorithm | | |||

+---------------------+------------------------------+ | +-----------------+------------------------------+ | |||

| A128GCM | AES GCM using 128 bit key | | | A128GCM | AES GCM using 128 bit key | | |||

| A192GCM | AES GCM using 192 bit key | | | A192GCM | AES GCM using 192 bit key | | |||

| A256GCM | AES GCM using 256 bit key | | | A256GCM | AES GCM using 256 bit key | | |||

+---------------------+------------------------------+ | +-----------------+------------------------------+ | |||

An example using this algorithm is shown in Appendix A.1 of [JWE]. | An example using this algorithm is shown in Appendix A.1 of [JWE]. | |||

6. Cryptographic Algorithms for Keys | 6. Cryptographic Algorithms for Keys | |||

A JSON Web Key (JWK) [JWK] is a JSON data structure that represents a | A JSON Web Key (JWK) [JWK] is a JSON data structure that represents a | |||

cryptographic key. These keys can be either asymmetric or symmetric. | cryptographic key. These keys can be either asymmetric or symmetric. | |||

They can hold both public and private information about the key. | They can hold both public and private information about the key. | |||

This section defines the parameters for keys using the algorithms | This section defines the parameters for keys using the algorithms | |||

specified by this document. | specified by this document. | |||

6.1. "kty" (Key Type) Parameter Values | 6.1. "kty" (Key Type) Parameter Values | |||

The table below is the set of "kty" (key type) parameter values that | The table below is the set of "kty" (key type) parameter values that | |||

are defined by this specification for use in JWKs. | are defined by this specification for use in JWKs. | |||

+--------------+--------------------------------+-------------------+ | +-------------+------------------------------------+----------------+ | |||

| kty | Key Type | Implementation | | | kty Param | Key Type | Implementation | | |||

| Parameter | | Requirements | | | Value | | Requirements | | |||

| Value | | | | +-------------+------------------------------------+----------------+ | |||

+--------------+--------------------------------+-------------------+ | | EC | Elliptic Curve [DSS] | Recommended+ | | |||

| EC | Elliptic Curve [DSS] | Recommended+ | | | RSA | RSA [RFC3447] | Required | | |||

| RSA | RSA [RFC3447] | Required | | | oct | Octet sequence (used to represent | Required | | |||

| oct | Octet sequence (used to | Required | | | | symmetric keys) | | | |||

| | represent symmetric keys) | | | +-------------+------------------------------------+----------------+ | |||

+--------------+--------------------------------+-------------------+ | ||||

The use of "+" in the Implementation Requirements indicates that the | The use of "+" in the Implementation Requirements indicates that the | |||

requirement strength is likely to be increased in a future version of | requirement strength is likely to be increased in a future version of | |||

the specification. | the specification. | |||

6.2. Parameters for Elliptic Curve Keys | 6.2. Parameters for Elliptic Curve Keys | |||

JWKs can represent Elliptic Curve [DSS] keys. In this case, the | JWKs can represent Elliptic Curve [DSS] keys. In this case, the | |||

"kty" member value is "EC". | "kty" member value is "EC". | |||

6.2.1. Parameters for Elliptic Curve Public Keys | 6.2.1. Parameters for Elliptic Curve Public Keys | |||

An elliptic curve public key is represented by a pair of coordinates | An elliptic curve public key is represented by a pair of coordinates | |||

drawn from a finite field, which together define a point on an | drawn from a finite field, which together define a point on an | |||

elliptic curve. The following members MUST be present for elliptic | elliptic curve. The following members MUST be present for all | |||

curve public keys: | elliptic curve public keys: | |||

o "crv" | o "crv" | |||

o "x" | o "x" | |||

o "y" | ||||

SEC1 [SEC1] point compression is not supported for any values. | The following member MUST also be present for elliptic curve public | |||

keys for the three curves defined in the following section: | ||||

o "y" | ||||

6.2.1.1. "crv" (Curve) Parameter | 6.2.1.1. "crv" (Curve) Parameter | |||

The "crv" (curve) member identifies the cryptographic curve used with | The "crv" (curve) member identifies the cryptographic curve used with | |||

the key. Curve values from [DSS] used by this specification are: | the key. Curve values from [DSS] used by this specification are: | |||

o "P-256" | o "P-256" | |||

o "P-384" | o "P-384" | |||

o "P-521" | o "P-521" | |||

These values are registered in the IANA JSON Web Key Elliptic Curve | These values are registered in the IANA JSON Web Key Elliptic Curve | |||

registry defined in Section 7.6. Additional "crv" values can be | registry defined in Section 7.6. Additional "crv" values can be | |||

registered by other specifications. Additional "crv" values MAY be | registered by other specifications. Specifications registering | |||

used, provided they are understood by implementations using that | additional curves must define what parameters are used to represent | |||

Elliptic Curve key. The "crv" value is a case-sensitive string. | keys for the curves registered. The "crv" value is a case-sensitive | |||

string. | ||||

SEC1 [SEC1] point compression is not supported for any of these three | ||||

curves. | ||||

6.2.1.2. "x" (X Coordinate) Parameter | 6.2.1.2. "x" (X Coordinate) Parameter | |||

The "x" (x coordinate) member contains the x coordinate for the | The "x" (x coordinate) member contains the x coordinate for the | |||

elliptic curve point. It is represented as the base64url encoding of | elliptic curve point. It is represented as the base64url encoding of | |||

the octet string representation of the coordinate, as defined in | the octet string representation of the coordinate, as defined in | |||

Section 2.3.5 of SEC1 [SEC1]. The length of this octet string MUST | Section 2.3.5 of SEC1 [SEC1]. The length of this octet string MUST | |||

be the full size of a coordinate for the curve specified in the "crv" | be the full size of a coordinate for the curve specified in the "crv" | |||

parameter. For example, if the value of "crv" is "P-521", the octet | parameter. For example, if the value of "crv" is "P-521", the octet | |||

string must be 66 octets long. | string must be 66 octets long. | |||

skipping to change at page 29, line 50 | skipping to change at page 29, line 49 | |||

6.2.2. Parameters for Elliptic Curve Private Keys | 6.2.2. Parameters for Elliptic Curve Private Keys | |||

In addition to the members used to represent Elliptic Curve public | In addition to the members used to represent Elliptic Curve public | |||

keys, the following member MUST be present to represent Elliptic | keys, the following member MUST be present to represent Elliptic | |||

Curve private keys. | Curve private keys. | |||

6.2.2.1. "d" (ECC Private Key) Parameter | 6.2.2.1. "d" (ECC Private Key) Parameter | |||

The "d" (ECC private key) member contains the Elliptic Curve private | The "d" (ECC private key) member contains the Elliptic Curve private | |||

key value. It is represented as the base64url encoding of the octet | key value. It is represented as the base64url encoding of the octet | |||

string representation of the private key value, as defined in | string representation of the private key value, as defined in Section | |||

Sections C.4 and 2.3.7 of SEC1 [SEC1]. The length of this octet | 2.3.7 of SEC1 [SEC1]. The length of this octet string MUST be | |||

string MUST be ceiling(log-base-2(n)/8) octets (where n is the order | ceiling(log-base-2(n)/8) octets (where n is the order of the curve). | |||

of the curve). | ||||
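A consumer-side length check for the "x", "y" and "d" members of Sections 6.2.1.2 and 6.2.2.1, as an added example (my code, not the draft's). It relies on the three registered curves having a group order n of the same bit length as the field prime, so ceiling(log-base-2(n)/8) for "d" equals the full coordinate size used for "x" and "y" (32, 48 and 66 octets). The sample key below is constructed: its coordinates are arbitrary integers of the right width, not a real point on the curve, and the check is structural only; a complete implementation also verifies that (x, y) lies on the named curve.

```python
import base64
import math
import re

# Field size in bits for each registered "crv" value; for these curves the
# order n has the same bit length, so one octet length serves x, y and d.
CURVE_BITS = {"P-256": 256, "P-384": 384, "P-521": 521}
_B64URL = re.compile(r"^[A-Za-z0-9_-]*$")


def octet_length(crv: str) -> int:
    """Full coordinate size in octets: 32, 48 or 66."""
    return math.ceil(CURVE_BITS[crv] / 8)


def b64url_decode(text: str) -> bytes:
    if not isinstance(text, str) or not _B64URL.match(text):
        raise ValueError("member is not base64url")
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def validate_ec_jwk(jwk: dict, private: bool = False) -> dict:
    """Require "crv", "x", "y" (and "d" for private keys), check that each
    octet string has exactly the curve's full size, and return the integers."""
    if jwk.get("kty") != "EC":
        raise ValueError('"kty" must be "EC"')
    crv = jwk.get("crv")
    if crv not in CURVE_BITS:              # exact, case-sensitive match
        raise ValueError(f'unsupported "crv": {crv!r}')
    need = octet_length(crv)
    members = ["x", "y"] + (["d"] if private else [])
    values = {}
    for name in members:
        if name not in jwk:
            raise ValueError(f'"{name}" MUST be present')
        octets = b64url_decode(jwk[name])
        if len(octets) != need:
            raise ValueError(f'"{name}" must be {need} octets for {crv}, '
                             f"got {len(octets)}")
        values[name] = int.from_bytes(octets, "big")
    return values


def ec_member(value: int, crv: str) -> str:
    """Producer side: fixed-width encoding, so leading zero octets are kept."""
    return b64url_encode(value.to_bytes(octet_length(crv), "big"))


# Constructed sample key (arbitrary integers, not a point on P-256).
SAMPLE = {"kty": "EC", "crv": "P-256",
          "x": ec_member(1 << 200, "P-256"),
          "y": ec_member(12345, "P-256"),
          "d": ec_member(7, "P-256")}
```

The fixed-width rule matters most for small values: a producer that encodes a "d" or coordinate with its leading zero octets stripped emits a string of the wrong length, and the validator above rejects it instead of silently reading a shorter integer.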

6.3. Parameters for RSA Keys | 6.3. Parameters for RSA Keys | |||

JWKs can represent RSA [RFC3447] keys. In this case, the "kty" | JWKs can represent RSA [RFC3447] keys. In this case, the "kty" | |||

member value is "RSA". | member value is "RSA". | |||

6.3.1. Parameters for RSA Public Keys | 6.3.1. Parameters for RSA Public Keys | |||

The following members MUST be present for RSA public keys. | The following members MUST be present for RSA public keys. | |||

6.3.1.1. "n" (Modulus) Parameter | 6.3.1.1. "n" (Modulus) Parameter | |||

The "n" (modulus) member contains the modulus value for the RSA | The "n" (modulus) member contains the modulus value for the RSA | |||

public key. It is represented as the base64url encoding of the | public key. It is represented as a Base64urlUInt encoded value. | |||

value's unsigned big endian representation as an octet sequence. The | ||||

octet sequence MUST utilize the minimum number of octets to represent | ||||

the value. | ||||

Note that implementers have found that some cryptographic libraries | Note that implementers have found that some cryptographic libraries | |||

prefix an extra zero-valued octet to the modulus representations they | prefix an extra zero-valued octet to the modulus representations they | |||

return, for instance, returning 257 octets for a 2048 bit key, rather | return, for instance, returning 257 octets for a 2048 bit key, rather | |||

than 256. Implementations using such libraries will need to take | than 256. Implementations using such libraries will need to take | |||

care to omit the extra octet from the base64url encoded | care to omit the extra octet from the base64url encoded | |||

representation. | representation. | |||

6.3.1.2. "e" (Exponent) Parameter | 6.3.1.2. "e" (Exponent) Parameter | |||

The "e" (exponent) member contains the exponent value for the RSA | The "e" (exponent) member contains the exponent value for the RSA | |||

public key. It is represented as the base64url encoding of the | public key. It is represented as a Base64urlUInt encoded value. | |||

value's unsigned big endian representation as an octet sequence. The | ||||

octet sequence MUST utilize the minimum number of octets to represent | For instance, when representing the value 65537, the octet sequence | |||

the value. For instance, when representing the value 65537, the | to be base64url encoded MUST consist of the three octets [1, 0, 1]; | |||

octet sequence to be base64url encoded MUST consist of the three | the resulting representation for this value is "AQAB". | |||

octets [1, 0, 1]. | ||||
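The Base64urlUInt encoding used for "n", "e" and the private-key members, as an added example covering both the 65537 case and the extra-leading-octet note under "n" (my code, not the draft's or any library's). It assumes the rule stated in the left column: unsigned big-endian octets, the minimum number of them, base64url without padding; the decoder's rejection of a non-minimal encoding is a local policy choice, and the 2048-bit value used as a modulus is constructed, not a real key.

```python
import base64


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def minimal_octets(octets: bytes) -> bytes:
    """Drop leading zero octets (such as the 257th octet some libraries
    prepend to a 2048-bit modulus), keeping one octet for the value zero."""
    return octets.lstrip(b"\x00") or b"\x00"


def base64urluint_encode(value: int) -> str:
    """Unsigned big-endian, minimum number of octets, base64url, no padding."""
    if value < 0:
        raise ValueError("Base64urlUInt values are non-negative")
    n = max(1, (value.bit_length() + 7) // 8)   # zero -> one octet -> "AA"
    return b64url_encode(value.to_bytes(n, "big"))


def base64urluint_decode(text: str, strict: bool = True) -> int:
    """Consumer side.  With strict=True a non-minimal encoding is rejected
    rather than silently accepted (local policy, not a draft requirement)."""
    octets = b64url_decode(text)
    if not octets:
        raise ValueError("empty Base64urlUInt")
    if strict and len(octets) > 1 and octets[0] == 0:
        raise ValueError("non-minimal encoding: leading zero octet")
    return int.from_bytes(octets, "big")


def rsa_public_jwk(n_octets: bytes, e: int) -> dict:
    """Build the public-key members from a library-returned modulus octet
    string (which may carry the spurious leading zero) and an exponent."""
    return {"kty": "RSA",
            "n": b64url_encode(minimal_octets(n_octets)),
            "e": base64urluint_encode(e)}


# Constructed sample: a 2048-bit number standing in for a modulus, given as
# the 257-octet string with the extra zero described in Section 6.3.1.1.
SAMPLE_N = (1 << 2047) | 0x10001
SAMPLE_N_OCTETS_257 = b"\x00" + SAMPLE_N.to_bytes(256, "big")

if __name__ == "__main__":
    print(base64urluint_encode(65537))    # the draft's example value, "AQAB"
    print(len(b64url_decode(rsa_public_jwk(SAMPLE_N_OCTETS_257, 65537)["n"])))
```

Stripping the zero in `minimal_octets` rather than in the caller keeps the 256-versus-257 fix in one place; the strict decoder is the matching consumer-side check, so a JWK produced by a library that forgot to strip the octet is caught at parse time instead of yielding a key that compares unequal to the same modulus encoded correctly.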

6.3.2. Parameters for RSA Private Keys | 6.3.2. Parameters for RSA Private Keys | |||

In addition to the members used to represent RSA public keys, the | In addition to the members used to represent RSA public keys, the | |||

following members are used to represent RSA private keys. The | following members are used to represent RSA private keys. The | |||

parameter "d" is REQUIRED for RSA private keys. The others enable | parameter "d" is REQUIRED for RSA private keys. The others enable | |||

optimizations and SHOULD be included by producers of JWKs | optimizations and SHOULD be included by producers of JWKs | |||

representing RSA private keys. If the producer includes any of the | representing RSA private keys. If the producer includes any of the | |||

other private key parameters, then all of the others MUST be present, | other private key parameters, then all of the others MUST be present, | |||

with the exception of "oth", which MUST only be present when more | with the exception of "oth", which MUST only be present when more | |||

than two prime factors were used. The consumer of a JWK MAY choose | than two prime factors were used. | |||

to accept an RSA private key that does not contain a complete set of | ||||

the private key parameters other than "d", including JWKs in which | ||||

"d" is the only RSA private key parameter included. | ||||

6.3.2.1. "d" (Private Exponent) Parameter | 6.3.2.1. "d" (Private Exponent) Parameter | |||

The "d" (private exponent) member contains the private exponent value | The "d" (private exponent) member contains the private exponent value | |||

for the RSA private key. It is represented as the base64url encoding | for the RSA private key. It is represented as a Base64urlUInt | |||

of the value's unsigned big endian representation as an octet | encoded value. | |||

sequence. The octet sequence MUST utilize the minimum number of | ||||

octets to represent the value. | ||||

6.3.2.2. "p" (First Prime Factor) Parameter | 6.3.2.2. "p" (First Prime Factor) Parameter | |||

The "p" (first prime factor) member contains the first prime factor, | The "p" (first prime factor) member contains the first prime factor. | |||

a positive integer. It is represented as the base64url encoding of | It is represented as a Base64urlUInt encoded value. | |||

the value's unsigned big endian representation as an octet sequence. | ||||

The octet sequence MUST utilize the minimum number of octets to | ||||

represent the value. | ||||

6.3.2.3. "q" (Second Prime Factor) Parameter | 6.3.2.3. "q" (Second Prime Factor) Parameter | |||

The "q" (second prime factor) member contains the second prime | The "q" (second prime factor) member contains the second prime | |||

factor, a positive integer. It is represented as the base64url | factor. It is represented as a Base64urlUInt encoded value. | |||

encoding of the value's unsigned big endian representation as an | ||||

octet sequence. The octet sequence MUST utilize the minimum number | ||||

of octets to represent the value. | ||||

6.3.2.4. "dp" (First Factor CRT Exponent) Parameter | 6.3.2.4. "dp" (First Factor CRT Exponent) Parameter | |||

The "dp" (first factor CRT exponent) member contains the Chinese | The "dp" (first factor CRT exponent) member contains the Chinese | |||

Remainder Theorem (CRT) exponent of the first factor, a positive | Remainder Theorem (CRT) exponent of the first factor. It is | |||

integer. It is represented as the base64url encoding of the value's | represented as a Base64urlUInt encoded value. | |||

unsigned big endian representation as an octet sequence. The octet | ||||

sequence MUST utilize the minimum number of octets to represent the | ||||

value. | ||||

6.3.2.5. "dq" (Second Factor CRT Exponent) Parameter | 6.3.2.5. "dq" (Second Factor CRT Exponent) Parameter | |||

The "dq" (second factor CRT exponent) member contains the Chinese | The "dq" (second factor CRT exponent) member contains the Chinese | |||

Remainder Theorem (CRT) exponent of the second factor, a positive | Remainder Theorem (CRT) exponent of the second factor. It is | |||

integer. It is represented as the base64url encoding of the value's | represented as a Base64urlUInt encoded value. | |||

unsigned big endian representation as an octet sequence. The octet | ||||

sequence MUST utilize the minimum number of octets to represent the | ||||

value. | ||||

6.3.2.6. "qi" (First CRT Coefficient) Parameter | 6.3.2.6. "qi" (First CRT Coefficient) Parameter | |||

The "qi" (first CRT coefficient) member contains the Chinese | The "qi" (first CRT coefficient) member contains the Chinese | |||

Remainder Theorem (CRT) coefficient of the second factor, a positive | Remainder Theorem (CRT) coefficient of the second factor. It is | |||

integer. It is represented as the base64url encoding of the value's | represented as a Base64urlUInt encoded value. | |||

unsigned big endian representation as an octet sequence. The octet | ||||

sequence MUST utilize the minimum number of octets to represent the | ||||

value. | ||||

6.3.2.7. "oth" (Other Primes Info) Parameter | 6.3.2.7. "oth" (Other Primes Info) Parameter | |||

The "oth" (other primes info) member contains an array of information | The "oth" (other primes info) member contains an array of information | |||

about any third and subsequent primes, should they exist. When only | about any third and subsequent primes, should they exist. When only | |||

two primes have been used (the normal case), this parameter MUST be | two primes have been used (the normal case), this parameter MUST be | |||

omitted. When three or more primes have been used, the number of | omitted. When three or more primes have been used, the number of | |||

array elements MUST be the number of primes used minus two. For more | array elements MUST be the number of primes used minus two. For more | |||

information on this case, see the description of the OtherPrimeInfo | information on this case, see the description of the OtherPrimeInfo | |||

parameters in Section A.1.2 of RFC 3447 [RFC3447], upon which the | parameters in Section A.1.2 of RFC 3447 [RFC3447], upon which the | |||

following parameters are modelled. Each array element MUST be an | following parameters are modelled. Each array element MUST be an | |||

object with the following members: | object with the following members: | |||

6.3.2.7.1. "r" (Prime Factor) | 6.3.2.7.1. "r" (Prime Factor) | |||

The "r" (prime factor) parameter within an "oth" array member | The "r" (prime factor) parameter within an "oth" array member | |||

represents the value of a subsequent prime factor, a positive | represents the value of a subsequent prime factor. It is represented | |||

integer. It is represented as the base64url encoding of the value's | as a Base64urlUInt encoded value. | |||

unsigned big endian representation as an octet sequence. The octet | ||||

sequence MUST utilize the minimum number of octets to represent the | ||||

value. | ||||

6.3.2.7.2. "d" (Factor CRT Exponent) | 6.3.2.7.2. "d" (Factor CRT Exponent) | |||

The "d" (Factor CRT Exponent) parameter within an "oth" array member | The "d" (Factor CRT Exponent) parameter within an "oth" array member | |||

represents the CRT exponent of the corresponding prime factor, a | represents the CRT exponent of the corresponding prime factor. It is | |||

positive integer. It is represented as the base64url encoding of the | represented as a Base64urlUInt encoded value. | |||

value's unsigned big endian representation as an octet sequence. The | ||||

octet sequence MUST utilize the minimum number of octets to represent | ||||

the value. | ||||

6.3.2.7.3. "t" (Factor CRT Coefficient) | 6.3.2.7.3. "t" (Factor CRT Coefficient) | |||

The "t" (factor CRT coefficient) parameter within an "oth" array | The "t" (factor CRT coefficient) parameter within an "oth" array | |||

member represents the CRT coefficient of the corresponding prime | member represents the CRT coefficient of the corresponding prime | |||

factor, a positive integer. It is represented as the base64url | factor. It is represented as a Base64urlUInt encoded value. | |||

encoding of the value's unsigned big endian representation as an | ||||

octet sequence. The octet sequence MUST utilize the minimum number | ||||

of octets to represent the value. | ||||

6.4. Parameters for Symmetric Keys | 6.4. Parameters for Symmetric Keys | |||

When the JWK "kty" member value is "oct" (octet sequence), the member | When the JWK "kty" member value is "oct" (octet sequence), the member | |||

"k" is used to represent a symmetric key (or another key whose value | "k" is used to represent a symmetric key (or another key whose value | |||

is a single octet sequence). An "alg" member SHOULD also be present | is a single octet sequence). An "alg" member SHOULD also be present | |||

to identify the algorithm intended to be used with the key, unless | to identify the algorithm intended to be used with the key, unless | |||

the application uses another means or convention to determine the | the application uses another means or convention to determine the | |||

algorithm used. | algorithm used. | |||

skipping to change at page 35, line 15 | skipping to change at page 34, line 31 | |||

the status of an algorithm to Deprecated, or to change the status of | the status of an algorithm to Deprecated, or to change the status of | |||

an algorithm from Optional to Recommended+ or Required. Changes of | an algorithm from Optional to Recommended+ or Required. Changes of | |||

implementation requirements are only permitted on a Specification | implementation requirements are only permitted on a Specification | |||

Required basis after review by the Designated Expert(s), with the | Required basis after review by the Designated Expert(s), with the | |||

new specification defining the revised implementation requirements | new specification defining the revised implementation requirements | |||

level. | level. | |||

7.1.1. Registration Template | 7.1.1. Registration Template | |||

Algorithm Name: | Algorithm Name: | |||

The name requested (e.g., "example"). This name is case- | The name requested (e.g., "HS256"). This name is case-sensitive. | |||

sensitive. Names may not match other registered names in a case- | Names may not match other registered names in a case-insensitive | |||

insensitive manner unless the Designated Expert(s) state that | manner unless the Designated Expert(s) state that there is a | |||

there is a compelling reason to allow an exception in this | compelling reason to allow an exception in this particular case. | |||

particular case. | ||||

Algorithm Description: | Algorithm Description: | |||

Brief description of the Algorithm (e.g., "Example description"). | Brief description of the Algorithm (e.g., "HMAC using SHA-256"). | |||

Algorithm Usage Location(s): | Algorithm Usage Location(s): | |||

The algorithm usage location. This must be one or more of the | The algorithm usage location. This must be one or more of the | |||

values "alg" or "enc" if the algorithm is to be used with JWS or | values "alg" or "enc" if the algorithm is to be used with JWS or | |||

JWE. The value "JWK" is used if the algorithm identifier will be | JWE. The value "JWK" is used if the algorithm identifier will be | |||

used as a JWK "alg" member value, but will not be used with JWS or | used as a JWK "alg" member value, but will not be used with JWS or | |||

JWE; this could be the case, for instance, for non-authenticated | JWE; this could be the case, for instance, for non-authenticated | |||

encryption algorithms. Other values may be used with the approval | encryption algorithms. Other values may be used with the approval | |||

of a Designated Expert. | of a Designated Expert. | |||

skipping to change at page 43, line 10 | skipping to change at page 42, line 28 | |||

7.3. JSON Web Encryption Compression Algorithms Registry | 7.3. JSON Web Encryption Compression Algorithms Registry | |||

This specification establishes the IANA JSON Web Encryption | This specification establishes the IANA JSON Web Encryption | |||

Compression Algorithms registry for JWE "zip" member values. The | Compression Algorithms registry for JWE "zip" member values. The | |||

registry records the compression algorithm value and a reference to | registry records the compression algorithm value and a reference to | |||

the specification that defines it. | the specification that defines it. | |||

7.3.1. Registration Template | 7.3.1. Registration Template | |||

Compression Algorithm Value: | Compression Algorithm Value: | |||

The name requested (e.g., "example"). Because a core goal of this | The name requested (e.g., "DEF"). Because a core goal of this | |||

specification is for the resulting representations to be compact, | specification is for the resulting representations to be compact, | |||

it is RECOMMENDED that the name be short -- not to exceed 8 | it is RECOMMENDED that the name be short -- not to exceed 8 | |||

characters without a compelling reason to do so. This name is | characters without a compelling reason to do so. This name is | |||

case-sensitive. Names may not match other registered names in a | case-sensitive. Names may not match other registered names in a | |||

case-insensitive manner unless the Designated Expert(s) state that | case-insensitive manner unless the Designated Expert(s) state that | |||

there is a compelling reason to allow an exception in this | there is a compelling reason to allow an exception in this | |||

particular case. | particular case. | |||

Compression Algorithm Description: | Compression Algorithm Description: | |||

Brief description of the compression algorithm (e.g., "Example | Brief description of the compression algorithm (e.g., "DEFLATE"). | |||

description"). | ||||

Change Controller: | Change Controller: | |||

For Standards Track RFCs, state "IESG". For others, give the name | For Standards Track RFCs, state "IESG". For others, give the name | |||

of the responsible party. Other details (e.g., postal address, | of the responsible party. Other details (e.g., postal address, | |||

email address, home page URI) may also be included. | email address, home page URI) may also be included. | |||

Specification Document(s): | Specification Document(s): | |||

Reference to the document(s) that specify the parameter, | Reference to the document(s) that specify the parameter, | |||

preferably including URI(s) that can be used to retrieve copies of | preferably including URI(s) that can be used to retrieve copies of | |||

the document(s). An indication of the relevant sections may also | the document(s). An indication of the relevant sections may also | |||

skipping to change at page 44, line 12 | skipping to change at page 43, line 31 | |||

the status of a key type to Deprecated, or to change the status of a | the status of a key type to Deprecated, or to change the status of a | |||

key type from Optional to Recommended+ or Required. Changes of | key type from Optional to Recommended+ or Required. Changes of | |||

implementation requirements are only permitted on a Specification | implementation requirements are only permitted on a Specification | |||

Required basis after review by the Designated Expert(s), with the | Required basis after review by the Designated Expert(s), with the | |||

new specification defining the revised implementation requirements | new specification defining the revised implementation requirements | |||

level. | level. | |||

7.4.1. Registration Template | 7.4.1. Registration Template | |||

"kty" Parameter Value: | "kty" Parameter Value: | |||

The name requested (e.g., "example"). Because a core goal of this | The name requested (e.g., "EC"). Because a core goal of this | |||

specification is for the resulting representations to be compact, | specification is for the resulting representations to be compact, | |||

it is RECOMMENDED that the name be short -- not to exceed 8 | it is RECOMMENDED that the name be short -- not to exceed 8 | |||

characters without a compelling reason to do so. This name is | characters without a compelling reason to do so. This name is | |||

case-sensitive. Names may not match other registered names in a | case-sensitive. Names may not match other registered names in a | |||

case-insensitive manner unless the Designated Expert(s) state that | case-insensitive manner unless the Designated Expert(s) state that | |||

there is a compelling reason to allow an exception in this | there is a compelling reason to allow an exception in this | |||

particular case. | particular case. | |||

Key Type Description: | Key Type Description: | |||

Brief description of the Key Type (e.g., "Example description"). | Brief description of the Key Type (e.g., "Elliptic Curve"). | |||

Change Controller: | Change Controller: | |||

For Standards Track RFCs, state "IESG". For others, give the name | For Standards Track RFCs, state "IESG". For others, give the name | |||

of the responsible party. Other details (e.g., postal address, | of the responsible party. Other details (e.g., postal address, | |||

email address, home page URI) may also be included. | email address, home page URI) may also be included. | |||

JOSE Implementation Requirements: | JOSE Implementation Requirements: | |||

The key type implementation requirements for JWS and JWE, which | The key type implementation requirements for JWS and JWE, which | |||

must be one of the words Required, Recommended, Optional, Deprecated, | must be one of the words Required, Recommended, Optional, Deprecated, | |||

or Prohibited. Optionally, the word can be followed by a "+" or | or Prohibited. Optionally, the word can be followed by a "+" or | |||

skipping to change at page 48, line 8 | skipping to change at page 47, line 24 | |||

as the cryptographic landscape evolves, for instance, to change the | as the cryptographic landscape evolves, for instance, to change the | |||

status of a curve to Deprecated, or to change the status of a curve | status of a curve to Deprecated, or to change the status of a curve | |||

from Optional to Recommended+ or Required. Changes of implementation | from Optional to Recommended+ or Required. Changes of implementation | |||

requirements are only permitted on a Specification Required basis | requirements are only permitted on a Specification Required basis | |||

after review by the Designated Expert(s), with the new specification | after review by the Designated Expert(s), with the new specification | |||

defining the revised implementation requirements level. | defining the revised implementation requirements level. | |||

7.6.1. Registration Template | 7.6.1. Registration Template | |||

Curve Name: | Curve Name: | |||

The name requested (e.g., "example"). Because a core goal of this | The name requested (e.g., "P-256"). Because a core goal of this | |||

specification is for the resulting representations to be compact, | specification is for the resulting representations to be compact, | |||

it is RECOMMENDED that the name be short -- not to exceed 8 | it is RECOMMENDED that the name be short -- not to exceed 8 | |||

characters without a compelling reason to do so. This name is | characters without a compelling reason to do so. This name is | |||

case-sensitive. Names may not match other registered names in a | case-sensitive. Names may not match other registered names in a | |||

case-insensitive manner unless the Designated Expert(s) state that | case-insensitive manner unless the Designated Expert(s) state that | |||

there is a compelling reason to allow an exception in this | there is a compelling reason to allow an exception in this | |||

particular case. | particular case. | |||

Curve Description: | Curve Description: | |||

Brief description of the curve (e.g., "Example description"). | Brief description of the curve (e.g., "P-256 curve"). | |||

JOSE Implementation Requirements: | JOSE Implementation Requirements: | |||

The curve implementation requirements for JWS and JWE, which must | The curve implementation requirements for JWS and JWE, which must | |||

be one of the words Required, Recommended, Optional, Deprecated, or | be one of the words Required, Recommended, Optional, Deprecated, or | |||

Prohibited. Optionally, the word can be followed by a "+" or "-". | Prohibited. Optionally, the word can be followed by a "+" or "-". | |||

The use of "+" indicates that the requirement strength is likely | The use of "+" indicates that the requirement strength is likely | |||

to be increased in a future version of the specification. The use | to be increased in a future version of the specification. The use | |||

of "-" indicates that the requirement strength is likely to be | of "-" indicates that the requirement strength is likely to be | |||

decreased in a future version of the specification. | decreased in a future version of the specification. | |||

skipping to change at page 49, line 21 | skipping to change at page 48, line 39 | |||

o Specification Document(s): Section 6.2.1.1 of [[ this document ]] | o Specification Document(s): Section 6.2.1.1 of [[ this document ]] | |||

8. Security Considerations | 8. Security Considerations | |||

All of the security issues that are pertinent to any cryptographic | All of the security issues that are pertinent to any cryptographic | |||

application must be addressed by JWS/JWE/JWK agents. Among these | application must be addressed by JWS/JWE/JWK agents. Among these | |||

issues are protecting the user's asymmetric private and symmetric | issues are protecting the user's asymmetric private and symmetric | |||

secret keys and employing countermeasures to various attacks. | secret keys and employing countermeasures to various attacks. | |||

The security considerations in [AES], [DSS], [JWE], [JWK], [JWS], | The security considerations in [AES], [DSS], [JWE], [JWK], [JWS], | |||

[NIST.800-38A], [NIST.800-38D], [NIST.800-56A], [NIST.800-107], | [NIST.800-38D], [NIST.800-56A], [NIST.800-107], [RFC2104], [RFC3394], | |||

[RFC2104], [RFC3394], [RFC3447], [RFC5116], [RFC6090], and [SHS] | [RFC3447], [RFC5116], [RFC6090], and [SHS] apply to this | |||

apply to this specification. | specification. | |||

8.1. Cryptographic Agility | 8.1. Cryptographic Agility | |||

Implementers should be aware that cryptographic algorithms become | Implementers should be aware that cryptographic algorithms become | |||

weaker with time. As new cryptanalysis techniques are developed and | weaker with time. As new cryptanalysis techniques are developed and | |||

computing performance improves, the work factor to break a particular | computing performance improves, the work factor to break a particular | |||

cryptographic algorithm will be reduced. Therefore, implementers and | cryptographic algorithm will be reduced. Therefore, implementers and | |||

deployments must be prepared for the set of algorithms that are | deployments must be prepared for the set of algorithms that are | |||

supported and used to change over time. Thus, cryptographic | supported and used to change over time. Thus, cryptographic | |||

algorithm implementations should be modular, allowing new algorithms | algorithm implementations should be modular, allowing new algorithms | |||

skipping to change at page 49, line 49 | skipping to change at page 49, line 19 | |||

key lifetimes and/or the number of times that a key may be used. | key lifetimes and/or the number of times that a key may be used. | |||

Those security considerations continue to apply when using those | Those security considerations continue to apply when using those | |||

algorithms with JOSE data structures. See NIST SP 800-57 | algorithms with JOSE data structures. See NIST SP 800-57 | |||

[NIST.800-57] for specific guidance on key lifetimes. | [NIST.800-57] for specific guidance on key lifetimes. | |||

8.3. RSAES-PKCS1-v1_5 Security Considerations | 8.3. RSAES-PKCS1-v1_5 Security Considerations | |||

While Section 8 of RFC 3447 [RFC3447] explicitly calls for people not | While Section 8 of RFC 3447 [RFC3447] explicitly calls for people not | |||

to adopt RSASSA-PKCS1-v1_5 for new applications and instead requests | to adopt RSASSA-PKCS1-v1_5 for new applications and instead requests | |||

that people transition to RSASSA-PSS, this specification does include | that people transition to RSASSA-PSS, this specification does include | |||

RSASSA-PKCS1-v1_5, for interoperability reasons, because it commonly | RSASSA-PKCS1-v1_5, for interoperability reasons, because it is | |||

implemented. | commonly implemented. | |||

Keys used with RSAES-PKCS1-v1_5 must follow the constraints in | Keys used with RSAES-PKCS1-v1_5 must follow the constraints in | |||

Section 7.2 of RFC 3447. Also, keys with a low public key exponent | Section 7.2 of RFC 3447. Also, keys with a low public key exponent | |||

value, as described in Section 3 of Twenty years of attacks on the | value, as described in Section 3 of Twenty years of attacks on the | |||

RSA cryptosystem [Boneh99], must not be used. | RSA cryptosystem [Boneh99], must not be used. | |||

8.4. AES GCM Security Considerations | 8.4. AES GCM Security Considerations | |||

Keys used with AES GCM must follow the constraints in Section 8.3 of | Keys used with AES GCM must follow the constraints in Section 8.3 of | |||

[NIST.800-38D], which states: "The total number of invocations of the | [NIST.800-38D], which states: "The total number of invocations of the | |||

skipping to change at page 51, line 26 | skipping to change at page 50, line 44 | |||

supply content using keys that would result in excessive | supply content using keys that would result in excessive | |||

cryptographic processing, for example, keys larger than those | cryptographic processing, for example, keys larger than those | |||

mandated in this specification. Implementations should set and | mandated in this specification. Implementations should set and | |||

enforce upper limits on the key sizes they accept. Section 5.6.1 | enforce upper limits on the key sizes they accept. Section 5.6.1 | |||

(Comparable Algorithm Strengths) of NIST SP 800-57 [NIST.800-57] | (Comparable Algorithm Strengths) of NIST SP 800-57 [NIST.800-57] | |||

contains statements on largest approved key sizes that may be | contains statements on largest approved key sizes that may be | |||

applicable. | applicable. | |||
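As an added example (not code from the specification), the following Python checks a JWK against the rules discussed on this page: Base64urlUInt values must use the minimum number of octets (Section 6.3), an "oct" key SHOULD carry "alg" (Section 6.4), low RSA public exponents must be rejected (Section 8.3), and accepted key sizes need an enforced upper limit (Section 8.6). The 2048-bit RSA minimum is JWA Section 3.3's rule and the HMAC key minimums are JWA Section 3.2's; the 8192-bit cap and the 65537 exponent threshold are policy values chosen for this example, and the sample moduli are placeholder integers, not real keys.

```python
"""JWK checks for the rules above: minimal Base64urlUInt encoding, "oct" keys
with an "alg" member, low RSA public exponents and an upper limit on key size."""
import base64

# Policy values for this example (assumptions, not numbers from the text above):
# JWA Section 3.3 requires RSA keys of 2048 bits or more, JWA Section 3.2 requires
# HMAC keys at least as long as the hash output; the 8192-bit cap is the local
# upper limit Section 8.6 asks implementations to enforce, and 65537 (F4) is the
# conventional public exponent below which a value is treated as "low".
MIN_RSA_BITS = 2048
MAX_RSA_BITS = 8192
MIN_PUBLIC_EXPONENT = 65537
HMAC_MIN_KEY_OCTETS = {"HS256": 32, "HS384": 48, "HS512": 64}


def base64url_decode(s: str) -> bytes:
    """Strict base64url decoding of an unpadded JOSE value."""
    return base64.b64decode(s + "=" * (-len(s) % 4), altchars=b"-_", validate=True)


def base64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_base64url_uint(s: str) -> int:
    """Base64urlUInt -> int, rejecting values not encoded in the minimum number of octets."""
    raw = base64url_decode(s)
    if not raw:
        raise ValueError("Base64urlUInt value is empty")
    if len(raw) > 1 and raw[0] == 0:
        raise ValueError("Base64urlUInt value has a leading zero octet (not minimal)")
    return int.from_bytes(raw, "big")


def encode_base64url_uint(n: int) -> str:
    """int -> Base64urlUInt using the minimum number of octets (zero is one octet)."""
    if n < 0:
        raise ValueError("Base64urlUInt cannot represent negative values")
    return base64url_encode(n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big"))


def is_minimal_base64url_uint(s: str) -> bool:
    try:
        decode_base64url_uint(s)
        return True
    except ValueError:
        return False


def check_rsa_jwk(jwk: dict) -> list:
    """Policy violations for a JWK with "kty": "RSA" (public parameters only)."""
    problems = []
    n = decode_base64url_uint(jwk["n"])
    e = decode_base64url_uint(jwk["e"])
    bits = n.bit_length()
    if bits < MIN_RSA_BITS:
        problems.append(f"modulus is {bits} bits, below the {MIN_RSA_BITS}-bit minimum")
    if bits > MAX_RSA_BITS:
        problems.append(f"modulus is {bits} bits, above the {MAX_RSA_BITS}-bit limit")
    if e % 2 == 0 or e < MIN_PUBLIC_EXPONENT:
        problems.append(f"public exponent {e} is even or low; "
                        f"it must be odd and at least {MIN_PUBLIC_EXPONENT}")
    return problems


def check_oct_jwk(jwk: dict) -> list:
    """Policy violations for a JWK with "kty": "oct"."""
    problems = []
    k = base64url_decode(jwk["k"])
    alg = jwk.get("alg")
    if alg is None:
        problems.append('"alg" member absent; it SHOULD identify the intended algorithm')
    elif alg in HMAC_MIN_KEY_OCTETS and len(k) < HMAC_MIN_KEY_OCTETS[alg]:
        problems.append(f"{alg} key is {len(k)} octets, shorter than the hash output")
    return problems


def check_jwk(jwk: dict) -> list:
    kty = jwk.get("kty")
    if kty == "RSA":
        return check_rsa_jwk(jwk)
    if kty == "oct":
        return check_oct_jwk(jwk)
    return [f"unsupported kty {kty!r}"]


# Constructed sample keys: the moduli are placeholder integers of the wanted
# size, not real RSA moduli; they only exercise the size and exponent checks.
SAMPLE_RSA_OK = {"kty": "RSA", "n": encode_base64url_uint((1 << 2047) | 1), "e": "AQAB"}
SAMPLE_RSA_LOW_E = {"kty": "RSA", "n": encode_base64url_uint((1 << 2047) | 1),
                    "e": encode_base64url_uint(3)}
SAMPLE_RSA_HUGE = {"kty": "RSA", "n": encode_base64url_uint((1 << 16383) | 1), "e": "AQAB"}
SAMPLE_OCT_NO_ALG = {"kty": "oct", "k": base64url_encode(b"\x11" * 32)}

if __name__ == "__main__":
    for name, key in [("rsa-ok", SAMPLE_RSA_OK), ("rsa-low-e", SAMPLE_RSA_LOW_E),
                      ("rsa-huge", SAMPLE_RSA_HUGE), ("oct-no-alg", SAMPLE_OCT_NO_ALG)]:
        print(name, check_jwk(key) or "accepted")
```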

8.7. Reusing Key Material when Encrypting Keys | 8.7. Reusing Key Material when Encrypting Keys | |||

It is NOT RECOMMENDED to reuse the same key material (Key Encryption | It is NOT RECOMMENDED to reuse the same entire set of key material | |||

Key, Content Encryption Key, Initialization Vector, etc.) to encrypt | (Key Encryption Key, Content Encryption Key, Initialization Vector, | |||

multiple JWK or JWK Set objects, or to encrypt the same JWK or JWK | etc.) to encrypt multiple JWK or JWK Set objects, or to encrypt the | |||

Set object multiple times. One suggestion for preventing re-use is | same JWK or JWK Set object multiple times. One suggestion for | |||

to always generate a new set of key material for each encryption | preventing re-use is to always generate at least one new piece of key | |||

operation, based on the considerations noted in this document as well | material for each encryption operation (e.g., a new Content | |||

as from RFC 4086 [RFC4086]. | Encryption Key, a new Initialization Vector, and/or a new PBES2 | |||

Salt), based on the considerations noted in this document as well as | ||||

from RFC 4086 [RFC4086]. | ||||
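An added example (not the specification's own code) of the kind of review check Section 8.7 calls for: it parses a batch of compact JWEs and reports an IV reused under the same "dir" key, and the same wrapped CEK reused under one AES Key Wrap KEK, which is detectable because AES Key Wrap (RFC 3394) is deterministic. The tokens, "kid" values and byte strings are constructed for the example, and ciphertext and tag are filler, since only the header, encrypted key and IV segments are inspected.

```python
"""Flag reused key material across a batch of compact JWE serializations."""
import base64
import json
from collections import defaultdict

# Key-wrapping algorithms whose output is deterministic: two JWEs under the
# same KEK with identical "encrypted key" segments carry the same CEK.
DETERMINISTIC_WRAP = {"A128KW", "A192KW", "A256KW"}


def b64url_decode(s: str) -> bytes:
    return base64.b64decode(s + "=" * (-len(s) % 4), altchars=b"-_", validate=True)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_compact_jwe(token: str) -> dict:
    """Split the five-part compact serialization and decode the protected header."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError("a compact JWE has exactly five dot-separated parts")
    header = json.loads(b64url_decode(parts[0]))
    return {"header": header,
            "encrypted_key": b64url_decode(parts[1]),
            "iv": b64url_decode(parts[2])}


def find_key_material_reuse(tokens) -> list:
    """Return findings for CEK/IV pairs and wrapped CEKs that occur more than once."""
    by_cek_iv = defaultdict(list)
    by_wrapped_cek = defaultdict(list)
    for i, token in enumerate(tokens):
        jwe = parse_compact_jwe(token)
        h = jwe["header"]
        alg, kid = h.get("alg"), h.get("kid")
        if alg == "dir":
            cek_ref = ("dir", kid)                        # the CEK is the kid key itself
        elif alg in DETERMINISTIC_WRAP:
            cek_ref = ("wrapped", kid, jwe["encrypted_key"])
            by_wrapped_cek[cek_ref].append(i)
        else:
            cek_ref = ("opaque", i)                       # randomized wrap: not comparable
        by_cek_iv[(cek_ref, jwe["iv"])].append(i)
    findings = []
    for (cek_ref, iv), idx in by_cek_iv.items():
        if len(idx) > 1:
            findings.append({"kind": "cek-and-iv-reuse", "kid": cek_ref[1], "jwes": idx})
    for cek_ref, idx in by_wrapped_cek.items():
        if len(idx) > 1:
            findings.append({"kind": "cek-reuse", "kid": cek_ref[1], "jwes": idx})
    return findings


def make_jwe(header: dict, encrypted_key: bytes, iv: bytes) -> str:
    """Assemble a compact JWE with filler ciphertext and tag (constructed test data)."""
    segs = [json.dumps(header, separators=(",", ":")).encode(), encrypted_key, iv, b"ct", b"tag"]
    return ".".join(b64url_encode(s) for s in segs)


# Constructed sample batch: #0 and #1 reuse an IV under the "dir" key k1,
# #3 and #4 carry the same wrapped CEK under KEK kek1, #5 shares #3's IV but not its CEK.
IV1, IV2, IV3, IV4 = (bytes([n]) * 12 for n in (1, 2, 3, 4))
EK1, EK2 = bytes([0xA1]) * 40, bytes([0xB2]) * 40
SAMPLE_JWES = [
    make_jwe({"alg": "dir", "enc": "A256GCM", "kid": "k1"}, b"", IV1),
    make_jwe({"alg": "dir", "enc": "A256GCM", "kid": "k1"}, b"", IV1),
    make_jwe({"alg": "dir", "enc": "A256GCM", "kid": "k1"}, b"", IV2),
    make_jwe({"alg": "A128KW", "enc": "A128GCM", "kid": "kek1"}, EK1, IV3),
    make_jwe({"alg": "A128KW", "enc": "A128GCM", "kid": "kek1"}, EK1, IV4),
    make_jwe({"alg": "A128KW", "enc": "A128GCM", "kid": "kek1"}, EK2, IV3),
]

if __name__ == "__main__":
    for finding in find_key_material_reuse(SAMPLE_JWES):
        print(finding)
```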

8.8. Password Considerations | 8.8. Password Considerations | |||

Passwords are vulnerable to a number of attacks. To help mitigate | Passwords are vulnerable to a number of attacks. To help mitigate | |||

some of these limitations, this document applies principles from RFC | some of these limitations, this document applies principles from RFC | |||

2898 [RFC2898] to derive cryptographic keys from user-supplied | 2898 [RFC2898] to derive cryptographic keys from user-supplied | |||

passwords. | passwords. | |||

However, the strength of the password still has a significant impact. | However, the strength of the password still has a significant impact. | |||

A high-entropy password has greater resistance to dictionary attacks. | A high-entropy password has greater resistance to dictionary attacks. | |||

skipping to change at page 54, line 11 | skipping to change at page 53, line 33 | |||

"Recommendation for Pair-Wise Key Establishment Schemes | "Recommendation for Pair-Wise Key Establishment Schemes | |||

Using Discrete Logarithm Cryptography", NIST Special | Using Discrete Logarithm Cryptography", NIST Special | |||

Publication 800-56A, Revision 2, May 2013. | Publication 800-56A, Revision 2, May 2013. | |||

[NIST.800-57] | [NIST.800-57] | |||

National Institute of Standards and Technology (NIST), | National Institute of Standards and Technology (NIST), | |||

"Recommendation for Key Management - Part 1: General | "Recommendation for Key Management - Part 1: General | |||

(Revision 3)", NIST Special Publication 800-57, Part 1, | (Revision 3)", NIST Special Publication 800-57, Part 1, | |||

Revision 3, July 2012. | Revision 3, July 2012. | |||

[RFC20] Cerf, V., "ASCII format for Network Interchange", RFC 20, | ||||

October 1969. | ||||

[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- | [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- | |||

Hashing for Message Authentication", RFC 2104, | Hashing for Message Authentication", RFC 2104, | |||

February 1997. | February 1997. | |||

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||

Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||

[RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography | [RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography | |||

Specification Version 2.0", RFC 2898, September 2000. | Specification Version 2.0", RFC 2898, September 2000. | |||

skipping to change at page 54, line 37 | skipping to change at page 54, line 14 | |||

[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO | [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO | |||

10646", STD 63, RFC 3629, November 2003. | 10646", STD 63, RFC 3629, November 2003. | |||

[RFC4868] Kelly, S. and S. Frankel, "Using HMAC-SHA-256, HMAC-SHA- | [RFC4868] Kelly, S. and S. Frankel, "Using HMAC-SHA-256, HMAC-SHA- | |||

384, and HMAC-SHA-512 with IPsec", RFC 4868, May 2007. | 384, and HMAC-SHA-512 with IPsec", RFC 4868, May 2007. | |||

[RFC4949] Shirey, R., "Internet Security Glossary, Version 2", | [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", | |||

RFC 4949, August 2007. | RFC 4949, August 2007. | |||

[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, | ||||

RFC 5652, September 2009. | ||||

[RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic | [RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic | |||

Curve Cryptography Algorithms", RFC 6090, February 2011. | Curve Cryptography Algorithms", RFC 6090, February 2011. | |||

[RFC7159] Bray, T., "The JavaScript Object Notation (JSON) Data | [RFC7159] Bray, T., "The JavaScript Object Notation (JSON) Data | |||

Interchange Format", RFC 7159, March 2014. | Interchange Format", RFC 7159, March 2014. | |||

[SEC1] Standards for Efficient Cryptography Group, "SEC 1: | [SEC1] Standards for Efficient Cryptography Group, "SEC 1: | |||

Elliptic Curve Cryptography", May 2009. | Elliptic Curve Cryptography", Version 2.0, May 2009. | |||

[SHS] National Institute of Standards and Technology, "Secure | [SHS] National Institute of Standards and Technology, "Secure | |||

Hash Standard (SHS)", FIPS PUB 180-4, March 2012. | Hash Standard (SHS)", FIPS PUB 180-4, March 2012. | |||

[USASCII] American National Standards Institute, "Coded Character | [USASCII] American National Standards Institute, "Coded Character | |||

Set -- 7-bit American Standard Code for Information | Set -- 7-bit American Standard Code for Information | |||

Interchange", ANSI X3.4, 1986. | Interchange", ANSI X3.4, 1986. | |||

10.2. Informative References | 10.2. Informative References | |||

[CanvasApp] | [CanvasApp] | |||

Facebook, "Canvas Applications", 2010. | Facebook, "Canvas Applications", 2010. | |||

[I-D.ietf-precis-saslprepbis] | [I-D.ietf-precis-saslprepbis] | |||

Saint-Andre, P. and A. Melnikov, "Preparation and | Saint-Andre, P. and A. Melnikov, "Preparation and | |||

Comparison of Internationalized Strings Representing | Comparison of Internationalized Strings Representing | |||

Usernames and Passwords", draft-ietf-precis-saslprepbis-07 | Usernames and Passwords", draft-ietf-precis-saslprepbis-08 | |||

(work in progress), March 2014. | (work in progress), October 2014. | |||

[I-D.mcgrew-aead-aes-cbc-hmac-sha2] | [I-D.mcgrew-aead-aes-cbc-hmac-sha2] | |||

McGrew, D., Foley, J., and K. Paterson, "Authenticated | McGrew, D., Foley, J., and K. Paterson, "Authenticated | |||

Encryption with AES-CBC and HMAC-SHA", | Encryption with AES-CBC and HMAC-SHA", | |||

draft-mcgrew-aead-aes-cbc-hmac-sha2-05 (work in progress), | draft-mcgrew-aead-aes-cbc-hmac-sha2-05 (work in progress), | |||

July 2014. | July 2014. | |||

[I-D.miller-jose-jwe-protected-jwk] | [I-D.miller-jose-jwe-protected-jwk] | |||

Miller, M., "Using JavaScript Object Notation (JSON) Web | Miller, M., "Using JavaScript Object Notation (JSON) Web | |||

Encryption (JWE) for Protecting JSON Web Key (JWK) | Encryption (JWE) for Protecting JSON Web Key (JWK) | |||

skipping to change at page 57, line 18 | skipping to change at page 57, line 5 | |||

[JCA] for more information about the names defined by those | [JCA] for more information about the names defined by those | |||

documents. | documents. | |||

A.1. Digital Signature/MAC Algorithm Identifier Cross-Reference | A.1. Digital Signature/MAC Algorithm Identifier Cross-Reference | |||

This section contains a table cross-referencing the JWS digital | This section contains a table cross-referencing the JWS digital | |||

signature and MAC "alg" (algorithm) values defined in this | signature and MAC "alg" (algorithm) values defined in this | |||

specification with the equivalent identifiers used by other standards | specification with the equivalent identifiers used by other standards | |||

and software packages. | and software packages. | |||

+-------+--------------------------------------------------------+----------------------+-----------------------+
| JWS   | XML DSIG                                               | JCA                  | OID                   |
+-------+--------------------------------------------------------+----------------------+-----------------------+
| HS256 | http://www.w3.org/2001/04/xmldsig-more#hmac-sha256     | HmacSHA256           | 1.2.840.113549.2.9    |
| HS384 | http://www.w3.org/2001/04/xmldsig-more#hmac-sha384     | HmacSHA384           | 1.2.840.113549.2.10   |
| HS512 | http://www.w3.org/2001/04/xmldsig-more#hmac-sha512     | HmacSHA512           | 1.2.840.113549.2.11   |
| RS256 | http://www.w3.org/2001/04/xmldsig-more#rsa-sha256      | SHA256withRSA        | 1.2.840.113549.1.1.11 |
| RS384 | http://www.w3.org/2001/04/xmldsig-more#rsa-sha384      | SHA384withRSA        | 1.2.840.113549.1.1.12 |
| RS512 | http://www.w3.org/2001/04/xmldsig-more#rsa-sha512      | SHA512withRSA        | 1.2.840.113549.1.1.13 |
| ES256 | http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256    | SHA256withECDSA      | 1.2.840.10045.4.3.2   |
| ES384 | http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384    | SHA384withECDSA      | 1.2.840.10045.4.3.3   |
| ES512 | http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512    | SHA512withECDSA      | 1.2.840.10045.4.3.4   |
| PS256 | http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1 | SHA256withRSAandMGF1 | 1.2.840.113549.1.1.10 |
| PS384 | http://www.w3.org/2007/05/xmldsig-more#sha384-rsa-MGF1 | SHA384withRSAandMGF1 | 1.2.840.113549.1.1.10 |
| PS512 | http://www.w3.org/2007/05/xmldsig-more#sha512-rsa-MGF1 | SHA512withRSAandMGF1 | 1.2.840.113549.1.1.10 |
+-------+--------------------------------------------------------+----------------------+-----------------------+

A.2. Key Management Algorithm Identifier Cross-Reference | A.2. Key Management Algorithm Identifier Cross-Reference | |||

This section contains a table cross-referencing the JWE "alg" | This section contains a table cross-referencing the JWE "alg" | |||

(algorithm) values defined in this specification with the equivalent | (algorithm) values defined in this specification with the equivalent | |||

identifiers used by other standards and software packages. | identifiers used by other standards and software packages. | |||

+--------------+-------------------------------------------------+-----------------------------------------+-------------------------+
| JWE          | XML ENC                                         | JCA                                     | OID                     |
+--------------+-------------------------------------------------+-----------------------------------------+-------------------------+
| RSA1_5       | http://www.w3.org/2001/04/xmlenc#rsa-1_5        | RSA/ECB/PKCS1Padding                    | 1.2.840.113549.1.1.1    |
| RSA-OAEP     | http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p | RSA/ECB/OAEPWithSHA-1AndMGF1Padding     | 1.2.840.113549.1.1.7    |
| RSA-OAEP-256 | http://www.w3.org/2009/xmlenc11#rsa-oaep &      | RSA/ECB/OAEPWithSHA-256AndMGF1Padding & | 1.2.840.113549.1.1.7    |
|              | http://www.w3.org/2009/xmlenc11#mgf1sha256      | MGF1ParameterSpec.SHA256                |                         |
| ECDH-ES      | http://www.w3.org/2009/xmlenc11#ECDH-ES         | ECDH                                    | 1.3.132.1.12            |
| A128KW       | http://www.w3.org/2001/04/xmlenc#kw-aes128      | AESWrap                                 | 2.16.840.1.101.3.4.1.5  |
| A192KW       | http://www.w3.org/2001/04/xmlenc#kw-aes192      | AESWrap                                 | 2.16.840.1.101.3.4.1.25 |
| A256KW       | http://www.w3.org/2001/04/xmlenc#kw-aes256      | AESWrap                                 | 2.16.840.1.101.3.4.1.45 |
+--------------+-------------------------------------------------+-----------------------------------------+-------------------------+

A.3. Content Encryption Algorithm Identifier Cross-Reference | A.3. Content Encryption Algorithm Identifier Cross-Reference | |||

This section contains a table cross-referencing the JWE "enc" | This section contains a table cross-referencing the JWE "enc" | |||

(encryption algorithm) values defined in this specification with the | (encryption algorithm) values defined in this specification with the | |||

equivalent identifiers used by other standards and software packages. | equivalent identifiers used by other standards and software packages. | |||

For the composite algorithms "A128CBC-HS256", "A192CBC-HS384", and | For the composite algorithms "A128CBC-HS256", "A192CBC-HS384", and | |||

"A256CBC-HS512", the corresponding AES CBC algorithm identifiers are | "A256CBC-HS512", the corresponding AES CBC algorithm identifiers are | |||

listed. | listed. | |||

+---------------+---------------------------------------------+----------------------+-------------------------+
| JWE           | XML ENC                                     | JCA                  | OID                     |
+---------------+---------------------------------------------+----------------------+-------------------------+
| A128CBC-HS256 | http://www.w3.org/2001/04/xmlenc#aes128-cbc | AES/CBC/PKCS5Padding | 2.16.840.1.101.3.4.1.2  |
| A192CBC-HS384 | http://www.w3.org/2001/04/xmlenc#aes192-cbc | AES/CBC/PKCS5Padding | 2.16.840.1.101.3.4.1.22 |
| A256CBC-HS512 | http://www.w3.org/2001/04/xmlenc#aes256-cbc | AES/CBC/PKCS5Padding | 2.16.840.1.101.3.4.1.42 |
| A128GCM       | http://www.w3.org/2009/xmlenc11#aes128-gcm  | AES/GCM/NoPadding    | 2.16.840.1.101.3.4.1.6  |
| A192GCM       | http://www.w3.org/2009/xmlenc11#aes192-gcm  | AES/GCM/NoPadding    | 2.16.840.1.101.3.4.1.26 |
| A256GCM       | http://www.w3.org/2009/xmlenc11#aes256-gcm  | AES/GCM/NoPadding    | 2.16.840.1.101.3.4.1.46 |
+---------------+---------------------------------------------+----------------------+-------------------------+

Appendix B. Test Cases for AES_CBC_HMAC_SHA2 Algorithms | Appendix B. Test Cases for AES_CBC_HMAC_SHA2 Algorithms | |||

The following test cases can be used to validate implementations of | The following test cases can be used to validate implementations of | |||

the AES_CBC_HMAC_SHA2 algorithms defined in Section 5.2. They are | the AES_CBC_HMAC_SHA2 algorithms defined in Section 5.2. They are | |||

also intended to correspond to test cases that may appear in a future | also intended to correspond to test cases that may appear in a future | |||

version of [I-D.mcgrew-aead-aes-cbc-hmac-sha2], demonstrating that | version of [I-D.mcgrew-aead-aes-cbc-hmac-sha2], demonstrating that | |||

the cryptographic computations performed are the same. | the cryptographic computations performed are the same. | |||
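The composite mapping in A.3 (the JCA "AES/CBC/PKCS5Padding" transform plus an HMAC) and the AES_CBC_HMAC_SHA2 construction of Section 5.2 that the Appendix B test cases exercise, worked through for A128CBC-HS256. This is an added example, not code from the draft or the JOSE working group; it uses only the Go standard library, and any key, IV, plaintext and AAD fed to it are constructed samples rather than the Appendix B vectors.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// tag is HMAC-SHA-256(MAC_KEY, A || IV || E || AL)[:16]; AL is the bit length of A, 64-bit big-endian.
func tag(macKey, a, iv, e []byte) []byte {
	al := make([]byte, 8)
	binary.BigEndian.PutUint64(al, uint64(len(a))*8)
	h := hmac.New(sha256.New, macKey)
	h.Write(bytes.Join([][]byte{a, iv, e, al}, nil))
	return h.Sum(nil)[:16]
}

// Encrypt implements A128CBC-HS256: K = MAC_KEY (first 16 bytes) || ENC_KEY (last 16),
// AES-128-CBC with PKCS#7 padding (the JCA "AES/CBC/PKCS5Padding" transform), then the tag.
func Encrypt(k, iv, p, a []byte) (e, t []byte, err error) {
	if len(k) != 32 || len(iv) != aes.BlockSize {
		return nil, nil, errors.New("A128CBC-HS256 needs a 32-byte key and a 16-byte IV")
	}
	block, _ := aes.NewCipher(k[16:])           // a 16-byte key cannot fail
	pad := aes.BlockSize - len(p)%aes.BlockSize // 1..16: padding is always appended
	padded := append(append([]byte{}, p...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	e = make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(e, padded)
	return e, tag(k[:16], a, iv, e), nil
}

// Decrypt verifies the tag (constant time) before decrypting, so forgeries never reach the padding check.
func Decrypt(k, iv, e, a, t []byte) ([]byte, error) {
	if len(k) != 32 || len(iv) != aes.BlockSize || len(e) == 0 || len(e)%aes.BlockSize != 0 ||
		!hmac.Equal(t, tag(k[:16], a, iv, e)) {
		return nil, errors.New("malformed input or authentication tag mismatch")
	}
	block, _ := aes.NewCipher(k[16:])
	p := make([]byte, len(e))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(p, e)
	pad := int(p[len(p)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.Equal(p[len(p)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return p[:len(p)-pad], nil
}
```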

The variable names are those defined in Section 5.2. All values are | The variable names are those defined in Section 5.2. All values are | |||

skipping to change at page 66, line 13 | skipping to change at page 66, line 13 | |||

Encryption (JWE) for Protecting JSON Web Key (JWK) Objects | Encryption (JWE) for Protecting JSON Web Key (JWK) Objects | |||

[I-D.miller-jose-jwe-protected-jwk], which the password-based | [I-D.miller-jose-jwe-protected-jwk], which the password-based | |||

encryption content of this draft is based upon. | encryption content of this draft is based upon. | |||

This specification is the work of the JOSE Working Group, which | This specification is the work of the JOSE Working Group, which | |||

includes dozens of active and dedicated participants. In particular, | includes dozens of active and dedicated participants. In particular, | |||

the following individuals contributed ideas, feedback, and wording | the following individuals contributed ideas, feedback, and wording | |||

that influenced this specification: | that influenced this specification: | |||

Dirk Balfanz, Richard Barnes, John Bradley, Brian Campbell, Alissa | Dirk Balfanz, Richard Barnes, Carsten Bormann, John Bradley, Brian | |||

Cooper, Breno de Medeiros, Vladimir Dzhuvinov, Roni Even, Stephen | Campbell, Alissa Cooper, Breno de Medeiros, Vladimir Dzhuvinov, Roni | |||

Farrell, Yaron Y. Goland, Dick Hardt, Joe Hildebrand, Jeff Hodges, | Even, Stephen Farrell, Yaron Y. Goland, Dick Hardt, Joe Hildebrand, | |||

Edmund Jay, Charlie Kaufman, Barry Leiba, James Manger, Matt Miller, | Jeff Hodges, Edmund Jay, Charlie Kaufman, Barry Leiba, James Manger, | |||

Kathleen Moriarty, Tony Nadalin, Axel Nennker, John Panzer, Emmanuel | Matt Miller, Kathleen Moriarty, Tony Nadalin, Axel Nennker, John | |||

Raviart, Eric Rescorla, Pete Resnick, Nat Sakimura, Jim Schaad, | Panzer, Emmanuel Raviart, Eric Rescorla, Pete Resnick, Nat Sakimura, | |||

Hannes Tschofenig, and Sean Turner. | Jim Schaad, Hannes Tschofenig, and Sean Turner. | |||

Jim Schaad and Karen O'Donoghue chaired the JOSE working group and | Jim Schaad and Karen O'Donoghue chaired the JOSE working group and | |||

Sean Turner, Stephen Farrell, and Kathleen Moriarty served as | Sean Turner, Stephen Farrell, and Kathleen Moriarty served as | |||

Security area directors during the creation of this specification. | Security area directors during the creation of this specification. | |||

Appendix E. Document History | Appendix E. Document History | |||

[[ to be removed by the RFC Editor before publication as an RFC ]] | [[ to be removed by the RFC Editor before publication as an RFC ]] | |||

-35 | ||||

o Addressed AppsDir reviews by Carsten Bormann. | ||||

o Adjusted some table column widths. | ||||

-34 | -34 | |||

o Addressed IESG review comments by Barry Leiba, Alissa Cooper, Pete | o Addressed IESG review comments by Barry Leiba, Alissa Cooper, Pete | |||

Resnick, Stephen Farrell, and Richard Barnes. | Resnick, Stephen Farrell, and Richard Barnes. | |||

-33 | -33 | |||

o Changed the registration review period to three weeks. | o Changed the registration review period to three weeks. | |||

o Acknowledged additional contributors. | o Acknowledged additional contributors. | |||

End of changes. 81 change blocks.

454 lines changed or deleted | 416 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/