
JSON Web Encryption (JWE)
draft-ietf-jose-json-web-encryption-18

The information below is for an old version of the document.
This is an older version of an Internet-Draft that was ultimately published as RFC 7516.
Authors Michael B. Jones, Eric Rescorla, Joe Hildebrand
Last updated 2013-11-12
Replaces draft-jones-json-web-encryption
RFC stream Internet Engineering Task Force (IETF)
IESG state Became RFC 7516 (Proposed Standard)
      " member
      that is integrity protected and shared among all recipients, the
      "unprotected" member that is not integrity protected and shared
      among all recipients, and the "header" member that is not
      integrity protected and specific to a particular recipient.  (This
      does not affect the JWE Compact Serialization, in which all Header
      Parameter values are in a single integrity protected JWE Header
      value.)

   o  Shortened the names "authentication_tag" to "tag" and
      "initialization_vector" to "iv" in the JWE JSON Serialization,
      addressing issue #20.

   o  Removed "apv" (agreement PartyVInfo) since it is no longer used.

   o  Removed suggested compact serialization for multiple recipients.

Jones, et al.             Expires May 16, 2014                 [Page 47]
Internet-Draft                     JWE                     November 2013

   o  Changed the MIME type name "application/jwe-js" to
      "application/jwe+json", addressing issue #22.

   o  Tightened the description of the "crit" (critical) header
      parameter.

   -10

   o  Changed the JWE processing rules for multiple recipients so that a
      single AAD value contains the header parameters and encrypted key
      values for all the recipients, enabling AES GCM to be safely used
      for multiple recipients.

   o  Added an appendix suggesting a possible compact serialization for
      JWEs with multiple recipients.

   -09

   o  Added JWE JSON Serialization, as specified by
      draft-jones-jose-jwe-json-serialization-04.

   o  Registered "application/jwe-js" MIME type and "JWE-JS" typ header
      parameter value.

   o  Defined that the default action for header parameters that are not
      understood is to ignore them unless specifically designated as
      "MUST be understood" or included in the new "crit" (critical)
      header parameter list.  This addressed issue #6.

   o  Corrected "x5c" description.  This addressed issue #12.

   o  Changed from using the term "byte" to "octet" when referring to 8
      bit values.

   o  Added Key Management Mode definitions to terminology section and
      used the defined terms to provide clearer key management
      instructions.  This addressed issue #5.

   o  Added text about preventing the recipient from behaving as an
      oracle during decryption, especially when using RSAES-PKCS1-V1_5.

   o  Changed from using the term "Integrity Value" to "Authentication
      Tag".

   o  Changed member name from "integrity_value" to "authentication_tag"
      in the JWE JSON Serialization.

   o  Removed Initialization Vector from the AAD value since it is
      already integrity protected by all of the authenticated encryption
      algorithms specified in the JWA specification.

   o  Replaced "A128CBC+HS256" and "A256CBC+HS512" with "A128CBC-HS256"
      and "A256CBC-HS512".  The new algorithms perform the same
      cryptographic computations as [I-D.mcgrew-aead-aes-cbc-hmac-sha2],
      but with the Initialization Vector and Authentication Tag values
      remaining separate from the Ciphertext value in the output
      representation.  Also deleted the header parameters "epu"
      (encryption PartyUInfo) and "epv" (encryption PartyVInfo), since
      they are no longer used.

   -08

   o  Replaced uses of the term "AEAD" with "Authenticated Encryption",
      since the term AEAD in the RFC 5116 sense implied the use of a
      particular data representation, rather than just referring to the
      class of algorithms that perform authenticated encryption with
      associated data.

   o  Applied editorial improvements suggested by Jeff Hodges and Hannes
      Tschofenig.  Many of these simplified the terminology used.

   o  Clarified statements of the form "This header parameter is
      OPTIONAL" to "Use of this header parameter is OPTIONAL".

   o  Added a Header Parameter Usage Location(s) field to the IANA JSON
      Web Signature and Encryption Header Parameters registry.

   o  Added seriesInfo information to Internet Draft references.

   -07

   o  Added a data length prefix to PartyUInfo and PartyVInfo values.

   o  Updated values for example AES CBC calculations.

   o  Made several local editorial changes to clean up loose ends left
      over from the decision to only support block encryption methods
      providing integrity.  One of these changes was to explicitly state
      that the "enc" (encryption method) algorithm must be an
      Authenticated Encryption algorithm with a specified key length.

   -06

   o  Removed the "int" and "kdf" parameters and defined the new
      composite Authenticated Encryption algorithms "A128CBC+HS256" and
      "A256CBC+HS512" to replace the former uses of AES CBC, which
      required the use of separate integrity and key derivation
      functions.

   o  Included additional values in the Concat KDF calculation -- the
      desired output size and the algorithm value, and optionally
      PartyUInfo and PartyVInfo values.  Added the optional header
      parameters "apu" (agreement PartyUInfo), "apv" (agreement
      PartyVInfo), "epu" (encryption PartyUInfo), and "epv" (encryption
      PartyVInfo).  Updated the KDF examples accordingly.

   o  Promoted Initialization Vector from being a header parameter to
      being a top-level JWE element.  This saves approximately 16 bytes
      in the compact serialization, which is a significant savings for
      some use cases.  Promoting the Initialization Vector out of the
      header also avoids repeating this shared value in the JSON
      serialization.

   o  Changed "x5c" (X.509 Certificate Chain) representation from being
      a single string to being an array of strings, each containing a
      single base64 encoded DER certificate value, representing elements
      of the certificate chain.

   o  Added an AES Key Wrap example.

   o  Reordered the encryption steps so CMK creation is first, when
      required.

   o  Correct statements in examples about which algorithms produce
      reproducible results.

   -05

   o  Support both direct encryption using a shared or agreed upon
      symmetric key, and the use of a shared or agreed upon symmetric
      key to key wrap the CMK.

   o  Added statement that "StringOrURI values are compared as case-
      sensitive strings with no transformations or canonicalizations
      applied".

   o  Updated open issues.

   o  Indented artwork elements to better distinguish them from the body
      text.

   -04

   o  Refer to the registries as the primary sources of defined values
      and then secondarily reference the sections defining the initial
      contents of the registries.

   o  Normatively reference XML Encryption 1.1
      [W3C.CR-xmlenc-core1-20120313] for its security considerations.

   o  Reference draft-jones-jose-jwe-json-serialization instead of
      draft-jones-json-web-encryption-json-serialization.

   o  Described additional open issues.

   o  Applied editorial suggestions.

   -03

   o  Added the "kdf" (key derivation function) header parameter to
      provide crypto agility for key derivation.  The default KDF
      remains the Concat KDF with the SHA-256 digest function.

   o  Reordered encryption steps so that the Encoded JWE Header is
      always created before it is needed as an input to the
      Authenticated Encryption "additional authenticated data"
      parameter.

   o  Added the "cty" (content type) header parameter for declaring type
      information about the secured content, as opposed to the "typ"
      (type) header parameter, which declares type information about
      this object.

   o  Moved description of how to determine whether a header is for a
      JWS or a JWE from the JWT spec to the JWE spec.

   o  Added complete encryption examples for both Authenticated
      Encryption and non-Authenticated Encryption algorithms.

   o  Added complete key derivation examples.

   o  Added "Collision Resistant Namespace" to the terminology section.

   o  Reference ITU.X690.1994 for DER encoding.

   o  Added Registry Contents sections to populate registry values.

   o  Numerous editorial improvements.

   -02

   o  When using Authenticated Encryption algorithms (such as AES GCM),
      use the "additional authenticated data" parameter to provide
      integrity for the header, encrypted key, and ciphertext and use
      the resulting "authentication tag" value as the JWE Authentication
      Tag.

   o  Defined KDF output key sizes.

   o  Generalized text to allow key agreement to be employed as an
      alternative to key wrapping or key encryption.

   o  Changed compression algorithm from gzip to DEFLATE.

   o  Clarified that it is an error when a "kid" value is included and
      no matching key is found.

   o  Clarified that JWEs with duplicate Header Parameter Names MUST be
      rejected.

   o  Clarified the relationship between "typ" header parameter values
      and MIME types.

   o  Registered application/jwe MIME type and "JWE" typ header
      parameter value.

   o  Simplified JWK terminology to replace the "JWK Key Object" and
      "JWK Container Object" terms with simply "JSON Web Key (JWK)" and
      "JSON Web Key Set (JWK Set)" and to eliminate potential confusion
      between single keys and sets of keys.  As part of this change, the
      Header Parameter Name for a public key value was changed from
      "jpk" (JSON Public Key) to "jwk" (JSON Web Key).

   o  Added suggestion on defining additional header parameters such as
      "x5t#S256" in the future for certificate thumbprints using hash
      algorithms other than SHA-1.

   o  Specify RFC 2818 server identity validation, rather than RFC 6125
      (paralleling the same decision in the OAuth specs).

   o  Generalized language to refer to Message Authentication Codes
      (MACs) rather than Hash-based Message Authentication Codes (HMACs)
      unless in a context specific to HMAC algorithms.

   o  Reformatted to give each header parameter its own section heading.
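
   One way a recipient can apply three of the rules recorded above: the
   -11 split of the JWE JSON Serialization header into the integrity
   protected "protected" member, the shared "unprotected" member and the
   per-recipient "header" member; the -09 rule that header parameters
   that are not understood are ignored unless named in "crit"; and the
   -02 rule that duplicate Header Parameter Names MUST be rejected.  This
   is added example code in Python, not text or code from the draft or
   from any JOSE library; it assumes the "recipients" array layout of the
   final RFC 7516 JSON Serialization, a hypothetical set of understood
   parameter names, and constructed sample values.

```python
import base64
import json

# Header parameters this hypothetical implementation understands.
UNDERSTOOD = {"alg", "enc", "kid", "typ", "cty", "zip", "crit"}

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _reject_duplicate_keys(pairs):
    # json.loads hook: a name repeated inside one JSON object is an error
    obj = {}
    for name, value in pairs:
        if name in obj:
            raise ValueError("duplicate header parameter %r" % name)
        obj[name] = value
    return obj

def effective_header(jwe, recipient):
    """Merge the shared "protected" (base64url JSON, integrity protected) and
    "unprotected" members with the recipient's own "header" member; return
    (merged header, integrity-protected names) or raise ValueError."""
    protected = {}
    if "protected" in jwe:
        protected = json.loads(b64url_decode(jwe["protected"]),
                               object_pairs_hook=_reject_duplicate_keys)
    merged = {}
    for part in (protected, jwe.get("unprotected", {}),
                 jwe["recipients"][recipient].get("header", {})):
        dup = merged.keys() & part.keys()
        if dup:  # the same name in two header kinds is also a duplicate
            raise ValueError("duplicate header parameter(s) %s" % sorted(dup))
        merged.update(part)
    # Parameters not understood are ignored unless "crit" lists them.
    for name in merged.get("crit", []):
        if name not in merged or name not in UNDERSTOOD:
            raise ValueError("critical parameter %r not understood" % name)
    return merged, set(protected)

def sample_jwe(protected, unprotected):
    # Constructed two-recipient JWE; iv, ciphertext and tag are placeholders
    # because only header handling is demonstrated here.
    return {"protected": b64url_encode(json.dumps(protected).encode()),
            "unprotected": unprotected,
            "recipients": [{"header": {"alg": "A128KW", "kid": "kek-1"}},
                           {"header": {"alg": "RSA1_5", "kid": "rsa-1"}}],
            "iv": "...", "ciphertext": "...", "tag": "..."}
```

   The returned set of integrity-protected names lets a caller refuse to
   act on values such as "alg" or "enc" that arrived only in an
   unprotected member.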

   -01

   o  Added an integrity check for non-Authenticated Encryption
      algorithms.

   o  Added "jpk" and "x5c" header parameters for including JWK public
      keys and X.509 certificate chains directly in the header.

   o  Clarified that this specification is defining the JWE Compact
      Serialization.  Referenced the new JWE-JS spec, which defines the
      JWE JSON Serialization.

   o  Added text "New header parameters should be introduced sparingly
      since an implementation that does not understand a parameter MUST
      reject the JWE".

   o  Clarified that the order of the encryption and decryption steps is
      not significant in cases where there are no dependencies between
      the inputs and outputs of the steps.

   o  Made other editorial improvements suggested by JOSE working group
      participants.

   -00

   o  Created the initial IETF draft based upon
      draft-jones-json-web-encryption-02 with no normative changes.

   o  Changed terminology to no longer call both digital signatures and
      HMACs "signatures".

Authors' Addresses

   Michael B. Jones
   Microsoft

   Email: mbj@microsoft.com
   URI:   http://self-issued.info/

   Eric Rescorla
   RTFM, Inc.

   Email: ekr@rtfm.com

   Joe Hildebrand
   Cisco Systems, Inc.

   Email: jhildebr@cisco.com
