9. Internationalization Considerations
Passwords obtained from users are likely to require preparation and normalization to account for differences of octet sequences generated by different input devices, locales, etc. It is RECOMMENDED that applications perform the steps outlined in [PRECIS] to prepare a password supplied directly by a user before performing key derivation and encryption.

10. References
10.1. Normative References
[AES] National Institute of Standards and Technology (NIST), "Advanced Encryption Standard (AES)", FIPS PUB 197, November 2001, <http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf>.

[Boneh99] "Twenty Years of Attacks on the RSA Cryptosystem", Notices of the American Mathematical Society (AMS), Vol. 46, No. 2, pp. 203-213, 1999, <http://crypto.stanford.edu/~dabo/pubs/papers/RSA-survey.pdf>.

[DSS] National Institute of Standards and Technology (NIST), "Digital Signature Standard (DSS)", FIPS PUB 186-4, July 2013, <http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf>.

[JWE] Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)", RFC 7516, DOI 10.17487/RFC7516, May 2015, <http://www.rfc-editor.org/info/rfc7516>.

[JWK] Jones, M., "JSON Web Key (JWK)", RFC 7517, DOI 10.17487/RFC7517, May 2015, <http://www.rfc-editor.org/info/rfc7517>.

[JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May 2015, <http://www.rfc-editor.org/info/rfc7515>.

[NIST.800-38A] National Institute of Standards and Technology (NIST), "Recommendation for Block Cipher Modes of Operation", NIST Special Publication 800-38A, December 2001, <http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf>.

[NIST.800-38D] National Institute of Standards and Technology (NIST), "Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC", NIST Special Publication 800-38D, December 2001, <http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf>.

[NIST.800-56A] National Institute of Standards and Technology (NIST), "Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography", NIST Special Publication 800-56A, Revision 2, May 2013, <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar2.pdf>.

[NIST.800-57] National Institute of Standards and Technology (NIST), "Recommendation for Key Management - Part 1: General (Revision 3)", NIST Special Publication 800-57, Part 1, Revision 3, July 2012, <http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf>.

[RFC20] Cerf, V., "ASCII format for Network Interchange", STD 80, RFC 20, DOI 10.17487/RFC0020, October 1969, <http://www.rfc-editor.org/info/rfc20>.

[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, DOI 10.17487/RFC2104, February 1997, <http://www.rfc-editor.org/info/rfc2104>.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>.

[RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography Specification Version 2.0", RFC 2898, DOI 10.17487/RFC2898, September 2000, <http://www.rfc-editor.org/info/rfc2898>.

[RFC3394] Schaad, J. and R. Housley, "Advanced Encryption Standard (AES) Key Wrap Algorithm", RFC 3394, DOI 10.17487/RFC3394, September 2002, <http://www.rfc-editor.org/info/rfc3394>.

[RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1", RFC 3447, DOI 10.17487/RFC3447, February 2003, <http://www.rfc-editor.org/info/rfc3447>.

[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November 2003, <http://www.rfc-editor.org/info/rfc3629>.

[RFC4868] Kelly, S. and S. Frankel, "Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec", RFC 4868, DOI 10.17487/RFC4868, May 2007, <http://www.rfc-editor.org/info/rfc4868>.

[RFC4949] Shirey, R., "Internet Security Glossary, Version 2", FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, <http://www.rfc-editor.org/info/rfc4949>.

[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, RFC 5652, DOI 10.17487/RFC5652, September 2009, <http://www.rfc-editor.org/info/rfc5652>.

[RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic Curve Cryptography Algorithms", RFC 6090, DOI 10.17487/RFC6090, February 2011, <http://www.rfc-editor.org/info/rfc6090>.

[RFC7159] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data Interchange Format", RFC 7159, DOI 10.17487/RFC7159, March 2014, <http://www.rfc-editor.org/info/rfc7159>.

[SEC1] Standards for Efficient Cryptography Group, "SEC 1: Elliptic Curve Cryptography", Version 2.0, May 2009, <http://www.secg.org/sec1-v2.pdf>.

[SHS] National Institute of Standards and Technology (NIST), "Secure Hash Standard (SHS)", FIPS PUB 180-4, March 2012, <http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf>.

[UNICODE] The Unicode Consortium, "The Unicode Standard", <http://www.unicode.org/versions/latest/>.

10.2. Informative References

[AEAD-CBC-SHA] McGrew, D., Foley, J., and K. Paterson, "Authenticated Encryption with AES-CBC and HMAC-SHA", Work in Progress, draft-mcgrew-aead-aes-cbc-hmac-sha2-05, July 2014.

[CanvasApp] Facebook, "Canvas Applications", 2010, <http://developers.facebook.com/docs/authentication/canvas>.

[JCA] Oracle, "Java Cryptography Architecture (JCA) Reference Guide", 2014, <http://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html>.

[JSE] Bradley, J. and N. Sakimura (editor), "JSON Simple Encryption", September 2010, <http://jsonenc.info/enc/1.0/>.

[JSMS] Rescorla, E. and J. Hildebrand, "JavaScript Message Security Format", Work in Progress, draft-rescorla-jsms-00, March 2011.

[JSS] Bradley, J. and N. Sakimura, Ed., "JSON Simple Sign 1.0", Draft 01, September 2010, <http://jsonenc.info/jss/1.0/>.

[JWE-JWK] Miller, M., "Using JavaScript Object Notation (JSON) Web Encryption (JWE) for Protecting JSON Web Key (JWK) Objects", Work in Progress, draft-miller-jose-jwe-protected-jwk-02, June 2013.

[MagicSignatures] Panzer, J., Ed., Laurie, B., and D. Balfanz, "Magic Signatures", January 2011, <http://salmon-protocol.googlecode.com/svn/trunk/draft-panzer-magicsig-01.html>.

[NIST.800-107] National Institute of Standards and Technology (NIST), "Recommendation for Applications Using Approved Hash Algorithms", NIST Special Publication 800-107, Revision 1, August 2012, <http://csrc.nist.gov/publications/nistpubs/800-107-rev1/sp800-107-rev1.pdf>.

[NIST.800-63-2] National Institute of Standards and Technology (NIST), "Electronic Authentication Guideline", NIST Special Publication 800-63-2, August 2013, <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf>.

[PRECIS] Saint-Andre, P. and A. Melnikov, "Preparation, Enforcement, and Comparison of Internationalized Strings Representing Usernames and Passwords", Work in Progress, draft-ietf-precis-saslprepbis-16, April 2015.

[RFC2631] Rescorla, E., "Diffie-Hellman Key Agreement Method", RFC 2631, DOI 10.17487/RFC2631, June 1999, <http://www.rfc-editor.org/info/rfc2631>.

[RFC3275] Eastlake 3rd, D., Reagle, J., and D. Solo, "(Extensible Markup Language) XML-Signature Syntax and Processing", RFC 3275, DOI 10.17487/RFC3275, March 2002, <http://www.rfc-editor.org/info/rfc3275>.

[RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, "Randomness Requirements for Security", BCP 106, RFC 4086, DOI 10.17487/RFC4086, June 2005, <http://www.rfc-editor.org/info/rfc4086>.

[RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008, <http://www.rfc-editor.org/info/rfc5116>.

[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, DOI 10.17487/RFC5226, May 2008, <http://www.rfc-editor.org/info/rfc5226>.

[W3C.NOTE-xmldsig-core2-20130411] Eastlake, D., Reagle, J., Solo, D., Hirsch, F., Roessler, T., Yiu, K., Datta, P., and S. Cantor, "XML Signature Syntax and Processing Version 2.0", World Wide Web Consortium Note NOTE-xmldsig-core2-20130411, April 2013, <http://www.w3.org/TR/2013/NOTE-xmldsig-core2-20130411/>.

[W3C.REC-xmlenc-core-20021210] Eastlake, D. and J. Reagle, "XML Encryption Syntax and Processing", World Wide Web Consortium Recommendation REC-xmlenc-core-20021210, December 2002, <http://www.w3.org/TR/2002/REC-xmlenc-core-20021210>.

[W3C.REC-xmlenc-core1-20130411] Eastlake, D., Reagle, J., Hirsch, F., and T. Roessler, "XML Encryption Syntax and Processing Version 1.1", World Wide Web Consortium Recommendation REC-xmlenc-core1-20130411, April 2013, <http://www.w3.org/TR/2013/REC-xmlenc-core1-20130411/>.
Appendix A. Algorithm Identifier Cross-Reference
This appendix contains tables cross-referencing the cryptographic algorithm identifier values defined in this specification with the equivalent identifiers used by other standards and software packages. See XML DSIG [RFC3275], XML DSIG 2.0 [W3C.NOTE-xmldsig-core2-20130411], XML Encryption [W3C.REC-xmlenc-core-20021210], XML Encryption 1.1 [W3C.REC-xmlenc-core1-20130411], and Java Cryptography Architecture [JCA] for more information about the names defined by those documents.
A.1. Digital Signature/MAC Algorithm Identifier Cross-Reference
This section contains a table cross-referencing the JWS digital signature and MAC "alg" (algorithm) values defined in this specification with the equivalent identifiers used by other standards and software packages.

+-----------------------------------------------------------------+
| JWS   | XML DSIG                                                |
|       | JCA                              | OID                   |
+-----------------------------------------------------------------+
| HS256 | http://www.w3.org/2001/04/xmldsig-more#hmac-sha256      |
|       | HmacSHA256                       | 1.2.840.113549.2.9    |
+-----------------------------------------------------------------+
| HS384 | http://www.w3.org/2001/04/xmldsig-more#hmac-sha384      |
|       | HmacSHA384                       | 1.2.840.113549.2.10   |
+-----------------------------------------------------------------+
| HS512 | http://www.w3.org/2001/04/xmldsig-more#hmac-sha512      |
|       | HmacSHA512                       | 1.2.840.113549.2.11   |
+-----------------------------------------------------------------+
| RS256 | http://www.w3.org/2001/04/xmldsig-more#rsa-sha256       |
|       | SHA256withRSA                    | 1.2.840.113549.1.1.11 |
+-----------------------------------------------------------------+
| RS384 | http://www.w3.org/2001/04/xmldsig-more#rsa-sha384       |
|       | SHA384withRSA                    | 1.2.840.113549.1.1.12 |
+-----------------------------------------------------------------+
| RS512 | http://www.w3.org/2001/04/xmldsig-more#rsa-sha512       |
|       | SHA512withRSA                    | 1.2.840.113549.1.1.13 |
+-----------------------------------------------------------------+
| ES256 | http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256     |
|       | SHA256withECDSA                  | 1.2.840.10045.4.3.2   |
+-----------------------------------------------------------------+
| ES384 | http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384     |
|       | SHA384withECDSA                  | 1.2.840.10045.4.3.3   |
+-----------------------------------------------------------------+
| ES512 | http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512     |
|       | SHA512withECDSA                  | 1.2.840.10045.4.3.4   |
+-----------------------------------------------------------------+
| PS256 | http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1  |
|       | SHA256withRSAandMGF1             | 1.2.840.113549.1.1.10 |
+-----------------------------------------------------------------+
| PS384 | http://www.w3.org/2007/05/xmldsig-more#sha384-rsa-MGF1  |
|       | SHA384withRSAandMGF1             | 1.2.840.113549.1.1.10 |
+-----------------------------------------------------------------+
| PS512 | http://www.w3.org/2007/05/xmldsig-more#sha512-rsa-MGF1  |
|       | SHA512withRSAandMGF1             | 1.2.840.113549.1.1.10 |
+-----------------------------------------------------------------+
A.2. Key Management Algorithm Identifier Cross-Reference
This section contains a table cross-referencing the JWE "alg" (algorithm) values defined in this specification with the equivalent identifiers used by other standards and software packages.

+--------------------------------------------------------------------------------+
| JWE          | XML ENC                                                         |
|              | JCA                                   | OID                     |
+--------------------------------------------------------------------------------+
| RSA1_5       | http://www.w3.org/2001/04/xmlenc#rsa-1_5                        |
|              | RSA/ECB/PKCS1Padding                  | 1.2.840.113549.1.1.1    |
+--------------------------------------------------------------------------------+
| RSA-OAEP     | http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p                 |
|              | RSA/ECB/OAEPWithSHA-1AndMGF1Padding   | 1.2.840.113549.1.1.7    |
+--------------------------------------------------------------------------------+
| RSA-OAEP-256 | http://www.w3.org/2009/xmlenc11#rsa-oaep                        |
|              | & http://www.w3.org/2009/xmlenc11#mgf1sha256                    |
|              | RSA/ECB/OAEPWithSHA-256AndMGF1Padding                           |
|              | & MGF1ParameterSpec.SHA256            | 1.2.840.113549.1.1.7    |
+--------------------------------------------------------------------------------+
| ECDH-ES      | http://www.w3.org/2009/xmlenc11#ECDH-ES                         |
|              | ECDH                                  | 1.3.132.1.12            |
+--------------------------------------------------------------------------------+
| A128KW       | http://www.w3.org/2001/04/xmlenc#kw-aes128                      |
|              | AESWrap                               | 2.16.840.1.101.3.4.1.5  |
+--------------------------------------------------------------------------------+
| A192KW       | http://www.w3.org/2001/04/xmlenc#kw-aes192                      |
|              | AESWrap                               | 2.16.840.1.101.3.4.1.25 |
+--------------------------------------------------------------------------------+
| A256KW       | http://www.w3.org/2001/04/xmlenc#kw-aes256                      |
|              | AESWrap                               | 2.16.840.1.101.3.4.1.45 |
+--------------------------------------------------------------------------------+
A.3. Content Encryption Algorithm Identifier Cross-Reference
This section contains a table cross-referencing the JWE "enc" (encryption algorithm) values defined in this specification with the equivalent identifiers used by other standards and software packages. For the composite algorithms "A128CBC-HS256", "A192CBC-HS384", and "A256CBC-HS512", the corresponding AES-CBC algorithm identifiers are listed.

+--------------------------------------------------------------------+
| JWE           | XML ENC                                            |
|               | JCA                      | OID                     |
+--------------------------------------------------------------------+
| A128CBC-HS256 | http://www.w3.org/2001/04/xmlenc#aes128-cbc        |
|               | AES/CBC/PKCS5Padding     | 2.16.840.1.101.3.4.1.2  |
+--------------------------------------------------------------------+
| A192CBC-HS384 | http://www.w3.org/2001/04/xmlenc#aes192-cbc        |
|               | AES/CBC/PKCS5Padding     | 2.16.840.1.101.3.4.1.22 |
+--------------------------------------------------------------------+
| A256CBC-HS512 | http://www.w3.org/2001/04/xmlenc#aes256-cbc        |
|               | AES/CBC/PKCS5Padding     | 2.16.840.1.101.3.4.1.42 |
+--------------------------------------------------------------------+
| A128GCM       | http://www.w3.org/2009/xmlenc11#aes128-gcm         |
|               | AES/GCM/NoPadding        | 2.16.840.1.101.3.4.1.6  |
+--------------------------------------------------------------------+
| A192GCM       | http://www.w3.org/2009/xmlenc11#aes192-gcm         |
|               | AES/GCM/NoPadding        | 2.16.840.1.101.3.4.1.26 |
+--------------------------------------------------------------------+
| A256GCM       | http://www.w3.org/2009/xmlenc11#aes256-gcm         |
|               | AES/GCM/NoPadding        | 2.16.840.1.101.3.4.1.46 |
+--------------------------------------------------------------------+

Appendix B. Test Cases for AES_CBC_HMAC_SHA2 Algorithms
The following test cases can be used to validate implementations of the AES_CBC_HMAC_SHA2 algorithms defined in Section 5.2. They are also intended to correspond to test cases that may appear in a future version of [AEAD-CBC-SHA], demonstrating that the cryptographic computations performed are the same. The variable names are those defined in Section 5.2. All values are hexadecimal.
B.1. Test Cases for AES_128_CBC_HMAC_SHA_256
AES_128_CBC_HMAC_SHA_256

K       = 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
          10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f

MAC_KEY = 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f

ENC_KEY = 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f

P       = 41 20 63 69 70 68 65 72 20 73 79 73 74 65 6d 20
          6d 75 73 74 20 6e 6f 74 20 62 65 20 72 65 71 75
          69 72 65 64 20 74 6f 20 62 65 20 73 65 63 72 65
          74 2c 20 61 6e 64 20 69 74 20 6d 75 73 74 20 62
          65 20 61 62 6c 65 20 74 6f 20 66 61 6c 6c 20 69
          6e 74 6f 20 74 68 65 20 68 61 6e 64 73 20 6f 66
          20 74 68 65 20 65 6e 65 6d 79 20 77 69 74 68 6f
          75 74 20 69 6e 63 6f 6e 76 65 6e 69 65 6e 63 65

IV      = 1a f3 8c 2d c2 b9 6f fd d8 66 94 09 23 41 bc 04

A       = 54 68 65 20 73 65 63 6f 6e 64 20 70 72 69 6e 63
          69 70 6c 65 20 6f 66 20 41 75 67 75 73 74 65 20
          4b 65 72 63 6b 68 6f 66 66 73

AL      = 00 00 00 00 00 00 01 50

E       = c8 0e df a3 2d df 39 d5 ef 00 c0 b4 68 83 42 79
          a2 e4 6a 1b 80 49 f7 92 f7 6b fe 54 b9 03 a9 c9
          a9 4a c9 b4 7a d2 65 5c 5f 10 f9 ae f7 14 27 e2
          fc 6f 9b 3f 39 9a 22 14 89 f1 63 62 c7 03 23 36
          09 d4 5a c6 98 64 e3 32 1c f8 29 35 ac 40 96 c8
          6e 13 33 14 c5 40 19 e8 ca 79 80 df a4 b9 cf 1b
          38 4c 48 6f 3a 54 c5 10 78 15 8e e5 d7 9d e5 9f
          bd 34 d8 48 b3 d6 95 50 a6 76 46 34 44 27 ad e5
          4b 88 51 ff b5 98 f7 f8 00 74 b9 47 3c 82 e2 db

M       = 65 2c 3f a3 6b 0a 7c 5b 32 19 fa b3 a3 0b c1 c4
          e6 e5 45 82 47 65 15 f0 ad 9f 75 a2 b7 1c 73 ef

T       = 65 2c 3f a3 6b 0a 7c 5b 32 19 fa b3 a3 0b c1 c4
B.2. Test Cases for AES_192_CBC_HMAC_SHA_384
K       = 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
          10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
          20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f

MAC_KEY = 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
          10 11 12 13 14 15 16 17

ENC_KEY = 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27
          28 29 2a 2b 2c 2d 2e 2f

P       = 41 20 63 69 70 68 65 72 20 73 79 73 74 65 6d 20
          6d 75 73 74 20 6e 6f 74 20 62 65 20 72 65 71 75
          69 72 65 64 20 74 6f 20 62 65 20 73 65 63 72 65
          74 2c 20 61 6e 64 20 69 74 20 6d 75 73 74 20 62
          65 20 61 62 6c 65 20 74 6f 20 66 61 6c 6c 20 69
          6e 74 6f 20 74 68 65 20 68 61 6e 64 73 20 6f 66
          20 74 68 65 20 65 6e 65 6d 79 20 77 69 74 68 6f
          75 74 20 69 6e 63 6f 6e 76 65 6e 69 65 6e 63 65

IV      = 1a f3 8c 2d c2 b9 6f fd d8 66 94 09 23 41 bc 04

A       = 54 68 65 20 73 65 63 6f 6e 64 20 70 72 69 6e 63
          69 70 6c 65 20 6f 66 20 41 75 67 75 73 74 65 20
          4b 65 72 63 6b 68 6f 66 66 73

AL      = 00 00 00 00 00 00 01 50

E       = ea 65 da 6b 59 e6 1e db 41 9b e6 2d 19 71 2a e5
          d3 03 ee b5 00 52 d0 df d6 69 7f 77 22 4c 8e db
          00 0d 27 9b dc 14 c1 07 26 54 bd 30 94 42 30 c6
          57 be d4 ca 0c 9f 4a 84 66 f2 2b 22 6d 17 46 21
          4b f8 cf c2 40 0a dd 9f 51 26 e4 79 66 3f c9 0b
          3b ed 78 7a 2f 0f fc bf 39 04 be 2a 64 1d 5c 21
          05 bf e5 91 ba e2 3b 1d 74 49 e5 32 ee f6 0a 9a
          c8 bb 6c 6b 01 d3 5d 49 78 7b cd 57 ef 48 49 27
          f2 80 ad c9 1a c0 c4 e7 9c 7b 11 ef c6 00 54 e3

M       = 84 90 ac 0e 58 94 9b fe 51 87 5d 73 3f 93 ac 20
          75 16 80 39 cc c7 33 d7 45 94 f8 86 b3 fa af d4
          86 f2 5c 71 31 e3 28 1e 36 c7 a2 d1 30 af de 57

T       = 84 90 ac 0e 58 94 9b fe 51 87 5d 73 3f 93 ac 20
          75 16 80 39 cc c7 33 d7
B.3. Test Cases for AES_256_CBC_HMAC_SHA_512
K       = 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
          10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
          20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f
          30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f

MAC_KEY = 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
          10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f

ENC_KEY = 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f
          30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f

P       = 41 20 63 69 70 68 65 72 20 73 79 73 74 65 6d 20
          6d 75 73 74 20 6e 6f 74 20 62 65 20 72 65 71 75
          69 72 65 64 20 74 6f 20 62 65 20 73 65 63 72 65
          74 2c 20 61 6e 64 20 69 74 20 6d 75 73 74 20 62
          65 20 61 62 6c 65 20 74 6f 20 66 61 6c 6c 20 69
          6e 74 6f 20 74 68 65 20 68 61 6e 64 73 20 6f 66
          20 74 68 65 20 65 6e 65 6d 79 20 77 69 74 68 6f
          75 74 20 69 6e 63 6f 6e 76 65 6e 69 65 6e 63 65

IV      = 1a f3 8c 2d c2 b9 6f fd d8 66 94 09 23 41 bc 04

A       = 54 68 65 20 73 65 63 6f 6e 64 20 70 72 69 6e 63
          69 70 6c 65 20 6f 66 20 41 75 67 75 73 74 65 20
          4b 65 72 63 6b 68 6f 66 66 73

AL      = 00 00 00 00 00 00 01 50

E       = 4a ff aa ad b7 8c 31 c5 da 4b 1b 59 0d 10 ff bd
          3d d8 d5 d3 02 42 35 26 91 2d a0 37 ec bc c7 bd
          82 2c 30 1d d6 7c 37 3b cc b5 84 ad 3e 92 79 c2
          e6 d1 2a 13 74 b7 7f 07 75 53 df 82 94 10 44 6b
          36 eb d9 70 66 29 6a e6 42 7e a7 5c 2e 08 46 a1
          1a 09 cc f5 37 0d c8 0b fe cb ad 28 c7 3f 09 b3
          a3 b7 5e 66 2a 25 94 41 0a e4 96 b2 e2 e6 60 9e
          31 e6 e0 2c c8 37 f0 53 d2 1f 37 ff 4f 51 95 0b
          be 26 38 d0 9d d7 a4 93 09 30 80 6d 07 03 b1 f6

M       = 4d d3 b4 c0 88 a7 f4 5c 21 68 39 64 5b 20 12 bf
          2e 62 69 a8 c5 6a 81 6d bc 1b 26 77 61 95 5b c5
          fd 30 a5 65 c6 16 ff b2 f3 64 ba ec e6 8f c4 07
          53 bc fc 02 5d de 36 93 75 4a a1 f5 c3 37 3b 9c

T       = 4d d3 b4 c0 88 a7 f4 5c 21 68 39 64 5b 20 12 bf
          2e 62 69 a8 c5 6a 81 6d bc 1b 26 77 61 95 5b c5
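As an added example (not part of this specification), the following Go program implements the AES_CBC_HMAC_SHA2 construction of Section 5.2 with the standard library only and reproduces the B.1 through B.3 values from K, IV, P and A; its Decrypt checks T before decrypting anything. The type and helper names (cbcHmacParams, plainB, aadB) are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"hash"
)

// One AES_CBC_HMAC_SHA2 variant: bytes in K (MAC_KEY || ENC_KEY), bytes of M kept as T, HMAC hash.
type cbcHmacParams struct {
	keyLen, tagLen int
	newHash        func() hash.Hash
}

var A128CBC_HS256 = cbcHmacParams{32, 16, sha256.New}
var A192CBC_HS384 = cbcHmacParams{48, 24, sha512.New384}
var A256CBC_HS512 = cbcHmacParams{64, 32, sha512.New}

// P and A of test cases B.1-B.3 as text (the hex above is their ASCII encoding).
const (
	plainB = "A cipher system must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience"
	aadB   = "The second principle of Auguste Kerckhoffs"
)

// tag computes T = HMAC(MAC_KEY, A || IV || E || AL)[:tagLen], with AL the bit
// length of A as a 64-bit big-endian integer (0x150 = 336 bits for the 42-byte A).
func (c cbcHmacParams) tag(macKey, aad, iv, e []byte) []byte {
	al := make([]byte, 8)
	binary.BigEndian.PutUint64(al, uint64(len(aad))*8)
	m := hmac.New(c.newHash, macKey)
	m.Write(append(append(append(append([]byte{}, aad...), iv...), e...), al...))
	return m.Sum(nil)[:c.tagLen]
}

// Encrypt returns (E, T) for composite key K, IV, plaintext P and additional data A.
func (c cbcHmacParams) Encrypt(k, iv, p, aad []byte) (e, t []byte, err error) {
	if len(k) != c.keyLen || len(iv) != aes.BlockSize {
		return nil, nil, errors.New("bad key or IV length")
	}
	block, _ := aes.NewCipher(k[c.keyLen/2:]) // ENC_KEY; length validated above
	n := aes.BlockSize - len(p)%aes.BlockSize  // PKCS #7: always 1..16 bytes of padding
	padded := append(append([]byte{}, p...), bytes.Repeat([]byte{byte(n)}, n)...)
	e = make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(e, padded)
	return e, c.tag(k[:c.keyLen/2], aad, iv, e), nil
}

// Decrypt verifies T in constant time before any decryption, so an altered E or A
// is rejected without exposing padding or plaintext.
func (c cbcHmacParams) Decrypt(k, iv, e, aad, t []byte) ([]byte, error) {
	if len(k) != c.keyLen || len(iv) != aes.BlockSize || len(e) == 0 || len(e)%aes.BlockSize != 0 {
		return nil, errors.New("bad key, IV or ciphertext length")
	}
	if !hmac.Equal(t, c.tag(k[:c.keyLen/2], aad, iv, e)) {
		return nil, errors.New("authentication failed")
	}
	block, _ := aes.NewCipher(k[c.keyLen/2:])
	p := make([]byte, len(e))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(p, e)
	n := int(p[len(p)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	return p[:len(p)-n], nil
}

func main() {
	k := make([]byte, 32) // B.1 key: 00 01 ... 1f
	for i := range k {
		k[i] = byte(i)
	}
	iv, _ := hex.DecodeString("1af38c2dc2b96ffdd86694092341bc04")
	e, t, _ := A128CBC_HS256.Encrypt(k, iv, []byte(plainB), []byte(aadB))
	fmt.Printf("E = %x\nT = %x\n", e, t)
}
```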
Appendix C. Example ECDH-ES Key Agreement Computation
This example uses ECDH-ES Key Agreement and the Concat KDF to derive the CEK in the manner described in Section 4.6. In this example, the ECDH-ES Direct Key Agreement mode ("alg" value "ECDH-ES") is used to produce an agreed-upon key for AES GCM with a 128-bit key ("enc" value "A128GCM").

In this example, a producer Alice is encrypting content to a consumer Bob. The producer (Alice) generates an ephemeral key for the key agreement computation. Alice's ephemeral key (in JWK format) used for the key agreement computation in this example (including the private part) is:

{"kty":"EC",
 "crv":"P-256",
 "x":"gI0GAILBdu7T53akrFmMyGcsF3n5dO7MmwNBHKW5SV0",
 "y":"SLW_xSffzlPWrHEVI30DHM_4egVwt3NQqeUD7nMFpps",
 "d":"0_NxaRPUMQoAJt50Gz8YiTr8gRTwyEaCumd-MToTmIo"
}

The consumer's (Bob's) key (in JWK format) used for the key agreement computation in this example (including the private part) is:

{"kty":"EC",
 "crv":"P-256",
 "x":"weNJy2HscCSM6AEDTDg04biOvhFhyyWvOHQfeF_PxMQ",
 "y":"e8lnCO-AlStT-NJVX-crhB7QRYhiix03illJOVAOyck",
 "d":"VEmDZpDXXK8p8N0Cndsxs924q6nS1RXFASRl6BfUqdw"
}

Header Parameter values used in this example are as follows. The "apu" (agreement PartyUInfo) Header Parameter value is the base64url encoding of the UTF-8 string "Alice" and the "apv" (agreement PartyVInfo) Header Parameter value is the base64url encoding of the UTF-8 string "Bob". The "epk" (ephemeral public key) Header Parameter is used to communicate the producer's (Alice's) ephemeral public key value to the consumer (Bob).
{"alg":"ECDH-ES",
 "enc":"A128GCM",
 "apu":"QWxpY2U",
 "apv":"Qm9i",
 "epk":
  {"kty":"EC",
   "crv":"P-256",
   "x":"gI0GAILBdu7T53akrFmMyGcsF3n5dO7MmwNBHKW5SV0",
   "y":"SLW_xSffzlPWrHEVI30DHM_4egVwt3NQqeUD7nMFpps"
  }
}

The resulting Concat KDF [NIST.800-56A] parameter values are:

Z
   This is set to the ECDH-ES key agreement output. (This value is often not directly exposed by libraries, due to NIST security requirements, and only serves as an input to a KDF.) In this example, Z is the following octet sequence (using JSON array notation):
   [158, 86, 217, 29, 129, 113, 53, 211, 114, 131, 66, 131, 191, 132, 38, 156, 251, 49, 110, 163, 218, 128, 106, 72, 246, 218, 167, 121, 140, 254, 144, 196].

keydatalen
   This value is 128 - the number of bits in the desired output key (because "A128GCM" uses a 128-bit key).

AlgorithmID
   This is set to the octets representing the 32-bit big-endian value 7 - [0, 0, 0, 7] - the number of octets in the AlgorithmID content "A128GCM", followed by the octets representing the ASCII string "A128GCM" - [65, 49, 50, 56, 71, 67, 77].

PartyUInfo
   This is set to the octets representing the 32-bit big-endian value 5 - [0, 0, 0, 5] - the number of octets in the PartyUInfo content "Alice", followed by the octets representing the UTF-8 string "Alice" - [65, 108, 105, 99, 101].

PartyVInfo
   This is set to the octets representing the 32-bit big-endian value 3 - [0, 0, 0, 3] - the number of octets in the PartyVInfo content "Bob", followed by the octets representing the UTF-8 string "Bob" - [66, 111, 98].
SuppPubInfo
   This is set to the octets representing the 32-bit big-endian value 128 - [0, 0, 0, 128] - the keydatalen value.

SuppPrivInfo
   This is set to the empty octet sequence.

Concatenating the parameters AlgorithmID through SuppPubInfo results in an OtherInfo value of:

[0, 0, 0, 7, 65, 49, 50, 56, 71, 67, 77, 0, 0, 0, 5, 65, 108, 105, 99, 101, 0, 0, 0, 3, 66, 111, 98, 0, 0, 0, 128]

Concatenating the round number 1 ([0, 0, 0, 1]), Z, and the OtherInfo value results in the Concat KDF round 1 hash input of:

[0, 0, 0, 1, 158, 86, 217, 29, 129, 113, 53, 211, 114, 131, 66, 131, 191, 132, 38, 156, 251, 49, 110, 163, 218, 128, 106, 72, 246, 218, 167, 121, 140, 254, 144, 196, 0, 0, 0, 7, 65, 49, 50, 56, 71, 67, 77, 0, 0, 0, 5, 65, 108, 105, 99, 101, 0, 0, 0, 3, 66, 111, 98, 0, 0, 0, 128]

The resulting derived key, which is the first 128 bits of the round 1 hash output, is:

[86, 170, 141, 234, 248, 35, 109, 32, 92, 34, 40, 205, 113, 167, 16, 26]

The base64url-encoded representation of this derived key is:

VqqN6vgjbSBcIijNcacQGg
Acknowledgements
Solutions for signing and encrypting JSON content were previously explored by "Magic Signatures" [MagicSignatures], "JSON Simple Sign 1.0" [JSS], "Canvas Applications" [CanvasApp], "JSON Simple Encryption" [JSE], and "JavaScript Message Security Format" [JSMS], all of which influenced this document.

The "Authenticated Encryption with AES-CBC and HMAC-SHA" [AEAD-CBC-SHA] specification, upon which the AES_CBC_HMAC_SHA2 algorithms are based, was written by David A. McGrew and Kenny Paterson. The test cases for AES_CBC_HMAC_SHA2 are based upon those for [AEAD-CBC-SHA] by John Foley.

Matt Miller wrote "Using JavaScript Object Notation (JSON) Web Encryption (JWE) for Protecting JSON Web Key (JWK) Objects" [JWE-JWK], upon which the password-based encryption content of this document is based.

This specification is the work of the JOSE working group, which includes dozens of active and dedicated participants. In particular, the following individuals contributed ideas, feedback, and wording that influenced this specification: Dirk Balfanz, Richard Barnes, Carsten Bormann, John Bradley, Brian Campbell, Alissa Cooper, Breno de Medeiros, Vladimir Dzhuvinov, Roni Even, Stephen Farrell, Yaron Y. Goland, Dick Hardt, Joe Hildebrand, Jeff Hodges, Edmund Jay, Charlie Kaufman, Barry Leiba, James Manger, Matt Miller, Kathleen Moriarty, Tony Nadalin, Axel Nennker, John Panzer, Emmanuel Raviart, Eric Rescorla, Pete Resnick, Nat Sakimura, Jim Schaad, Hannes Tschofenig, and Sean Turner.

Jim Schaad and Karen O'Donoghue chaired the JOSE working group and Sean Turner, Stephen Farrell, and Kathleen Moriarty served as Security Area Directors during the creation of this specification.

Author's Address

Michael B. Jones
Microsoft

EMail: mbj@microsoft.com
URI:   http://self-issued.info/