Internet DRAFT - draft-barnes-jose-key-wrapping
draft-barnes-jose-key-wrapping
JOSE Working Group R. Barnes
Internet-Draft BBN
Intended status: Informational May 06, 2013
Expires: November 7, 2013
Proposed Refactoring of JOSE to Align Encryption and Key Wrapping
draft-barnes-jose-key-wrapping-01
Abstract
The discussions around key wrapping in the JOSE working group have
raised new requirements for wrapped keys, namely: (1) Wrapping keys
other than symmetric keys, (2) cryptographically binding attributes
to keys, and (3) allowing the use of AEAD cryptographic algorithms
for key wrapping (other than AES-KW). This document proposes a
refactoring of the JOSE document set that provides a cleaner
conceptual structure for JWS / JWE and transparent support for
wrapped keys, all with a relatively minor impact on the compact form
of JWS and JWE objects.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 7, 2013.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
Barnes Expires November 7, 2013 [Page 1]
Internet-Draft JOSE Refactor May 2013
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Wrapped Key Format [1] . . . . . . . . . . . . . . . . . . . . 6
3. "kdf" (Key Derivation Function) Parameter [3] . . . . . . . . 7
4. Compact form [4] . . . . . . . . . . . . . . . . . . . . . . . 8
4.1. Sample JavaScript Conversion Routines . . . . . . . . . . 9
5. Detailed Examples . . . . . . . . . . . . . . . . . . . . . . 12
5.1. RSA Direct . . . . . . . . . . . . . . . . . . . . . . . . 12
5.2. Direct Encryption with a Symmetric Algorithm . . . . . . . 13
5.3. Direct Symmetric Encryption with an ECDH-derived key . . . 14
5.4. Indirect Encryption with an AES-wrapped Key . . . . . . . 15
5.5. Indirect Encryption with RSA- and ECDH-Wrapped Keys . . . 16
6. Security Considerations . . . . . . . . . . . . . . . . . . . 18
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19
8. Normative References . . . . . . . . . . . . . . . . . . . . . 20
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 21
Barnes Expires November 7, 2013 [Page 2]
Internet-Draft JOSE Refactor May 2013
1. Introduction
The goal of a JOSE object is to provide the recipient with the result
of a cryptographic operation (encryption, MAC, or signature) and
instructions for how to process that result. These instructutions
are in two main parts: (1) A cryptographic algorithm to be applied,
and (2) the key to be used with that algorithm (in wrapped form).
The current structure of the JWE and JWS headers scatters these two
information elements across several different header parameters. JWE
contains parameters for two different encryptions, the content
encryption and the key encryption. It would be simpler if these two
encryptions could be handled in the same way. Namely, the encrypted
key within a JWE should become a JWE itself. Thus, we make the
following proposal:
1. Define a simple, JWE-based format for wrapped keys. This
provides a consolidated format for wrapped keys, within JWE and
without.
2. Define the "recipients" parameter in JWE to be an array of JWE
objects representeing wrapped keys.
3. Add a "kdf" parameter which is used to signal the use of a key
derivation function such as ECDH or PBKDF2. This takes the place
of the "alg" parameter for ECDH, and is the natural way to
include PBKDF2.
4. Adjust the mapping between the compact and JSON serializations to
account for the above changes.
These major changes will then drive several smaller, more editorial
changes, including:
o Remove the "dir" value of the "alg" parameter. The use of direct
encryption is signalled by the lack of a "recipients" parameter
with wrapped keys.
o Removing the "ECDH-ES+A128KW" value of the "alg" parameter, since
this is specified jointly, e.g., by setting "enc" to "A128KW" and
"kdf" to "ECDH-ES".
o Combine "alg" and "enc" registries for JWE into a single registry,
since the same set of algorithms can now be used for content
encryption and key encryption.
o Remove the "alg" parameter from JWE. It is no longer necessary,
since the algorithm used for key wrapping is signalled in the
Barnes Expires November 7, 2013 [Page 3]
Internet-Draft JOSE Refactor May 2013
"enc" parameter of the inner JWE.
This restructuring simplifies key wrapping, by using JWE for key
wrapping. Since the encrypted CMK is just another encrypted object,
and because the wrapped key is encapsulated in the "key" object, JOSE
implementations need only a single "unwrap" operation, instead of
separate "JWE unwrap" and "key unwrap" operations.
It also resolves the ambiguity that arises in the current JWE design
as to what parameters should go in the overall header vs. per-
recipient headers. Namely, the parameters in the overall header
relate to encryption of content, and parameters in per-recipient
content relate to encryption of keys.
CURRENT:
{
"header": { "enc": "A128GCM" },
"recipients:" [{
"header": { "alg": "A128KW", "kid": "1" },
"encrypted_key": "..."
}],
"initialization_vector": "...",
"ciphertext": "...",
"authentication_tag": "..."
}
PROPOSED:
{
"header": { "enc": "A128GCM" },
"recipients:" [{
"header": { "enc": "A128KW", "kid": "1" },
"ciphertext": "..."
}],
"initialization_vector": "...",
"ciphertext": "...",
"authentication_tag": "..."
}
Figure 1
This example shows how the change from the current syntax can be very
minor. The only change here is that the "enc" parameter is used for
both the outer JWE and the inner JWE; the fact that direct encryption
is being done in the inner JWE is apparent from the lack of a
"recipients" parameter in the inner JWE. The "encrypted_key"
parameter is renamed "ciphertext" for compatibility with JWE.
This structure also provides a neat division of JWEs into "direct"
Barnes Expires November 7, 2013 [Page 4]
Internet-Draft JOSE Refactor May 2013
and "indirect" modes. If there is no "recipients" parameter, then
the JWE is "direct"; no wrapped keys are provided. If there is a
"recipients" parameter, then the JWE is "indirect"; the recipient
knows that it needs to unwrap the CEK before decrypting content.
This proposal also allows the use of AEAD algorithms for key wrapping
[[NIST-SP800-38F]], without the need for special code for key
encryption vs. content encryption. For example, the following JWE
object uses AES-GCM for key encryption:
{
"header": { "enc": "A128CBC-HS256" },
"recipients": [{
"header": { "alg":"A128GCM", "kid":"1" }
"initialization_vector": "..."
"ciphertext": "...",
"authentication_tag": "..."
}],
"initialization_vector": "...",
"ciphertext": "...",
"authentication_tag": "..."
}
Figure 2
In the remainder of this document, we provide text for the proposed
changes, in cases where text is not immediately clear:
o Part 1: Wrapped Key format
o Part 3: "kdf" (Key Derivation Function) Header Parameter
o Part 4: Changes to the compact serialization
We also provide a set of detailed examples that show the proposed
changes affect the representation of JWE objects in several important
cases.
Barnes Expires November 7, 2013 [Page 5]
Internet-Draft JOSE Refactor May 2013
2. Wrapped Key Format [1]
[[To be included in JWK]]
A wrapped key is a JWE object with a key as its payload. If the key
is a symmetric key with no attributes, it is express directly as an
octet string; otherwise it is encoded in JSON as a JWK. The
processing of wrapped keys is identical to normal JWE processing,
with two additional rules:
1. If a wrapped key has no "cty" parameter, then its MUST be
interpreted as the octets of a symmetric key. That is, the
payload is equivalent to a JWK with "kty" equal to "oct", and "k"
equal to the payload octets (base64url encoded).
2. If a wrapped key contains something other than a bare symmetric
key, then a "cty" attribute MUST be present to specify the type
of the wrapped key. For a JWK, the relevant "cty" value is
"application/jwk+json".
Barnes Expires November 7, 2013 [Page 6]
Internet-Draft JOSE Refactor May 2013
3. "kdf" (Key Derivation Function) Parameter [3]
[[To be included in JWE]]
The "kdf" parameter indicates an algorithm that the recipient must
apply to the the private key indicated in a JWE before it is used as
an encryption key. For example, the value "ECDH-ES" for the "kdf"
parameter indicates that the recipient must use ECDH key agreement
and the Concat KDF to derive the encryption key. Likewise, a
"PBKDF2" value for this parameter would indicate that the encryption
key must be derived from the identified key by way of PBKDF2.
The "kdf" parameter MUST NOT be used in indirect mode. Use of this
header parameter is OPTIONAL. This parameter MUST be understood by
implementations.
Barnes Expires November 7, 2013 [Page 7]
Internet-Draft JOSE Refactor May 2013
4. Compact form [4]
[[To be included in JWE]]
The JWE compact form is a compact, URL-safe representation of a JWE
JSON object. In order to be compatible with the compact form, all
top level header parametrs in the JSON-formatted JWE object MUST be
protected. Only the "protect" field is encoded; the "header" field
is ignored. All parameters in the JWE objects in the "recipients"
object MUST be unprotected. This section describes the
transformation between the JSON and compact forms of a JWE object.
The translation from JSON form to compact form is as follows:
1. Set the Encoded JWE Header to the value of the "protect" field
2. If the "recipients" field is present, compute a Encoded JWE Key
Header and Encoded JWE Encrypted Key for each recipient in the
"recipients" field
* If the "initialization_vector" or "authentication_tag" fields
are present in the JWE, add them to the "header" field
* Base64url encode the octets of the UTF-8 representation of the
value of the "protect" field to create the Encoded JWE Key
Header
* Set the Encoded JWE Encrypted Key to the value of the
"ciphertext" field
3. Set the Encoded JWE Key Headers value to the concatenation of the
Encoded JWE Key Header values, separated by the tilde ('~')
character, in the same order as the "recipients" array
4. Set the Encoded JWE Encrypted Keys value to the concatenation of
the Encoded JWE Encrypted Key values, separated by the tilde
('~') character, in the same order as the "recipients" array
5. Set the Encoded JWE Initialization Vector to be the value of the
"initialization_vector" field
6. Set the Encoded JWE Ciphertext to be the value of the
"ciphertext" field
7. Set the Encoded JWE AUthentication Tag to be the value of the
"authentication_tag" field
Barnes Expires November 7, 2013 [Page 8]
Internet-Draft JOSE Refactor May 2013
8. The compact form of the JWE is the concatenation of the following
values, separated by five period ('.') characters.
* Encoded JWE Header
* Encoded JWE Key Headers
* Encoded JWE Encrypted Keys
* Encoded JWE Initialization Vector
* Encoded JWE Ciphertext
* Encoded JWE Authentication Tag
The translation from compact to JSON form is the reverse of this
process. First the compact object is split on the period ('.')
character to obtain the six parts listed above. If the Encoded JWE
Key Headers and Encoded JWE Encrypted Keys segments are present, then
they are split on the tilde ('~') character and used to reconstruct
the "recipients" array. (If these two segments have different
numbers of entries, then the implementation MUST reject the object as
having invalid syntax.)
4.1. Sample JavaScript Conversion Routines
The following JavaScript function code samples illustrate the process
of converting between the compact and JSON encodings (actually,
between compact form and a JavaScript object equivalent to the JSON
form). We make the following assumptions:
o PERIOD = '.'
o TILDE = '~'
o base64url_decode() and base64url_encode() perform their eponymous
functions
Barnes Expires November 7, 2013 [Page 9]
Internet-Draft JOSE Refactor May 2013
function JWE_js2compact(jwe) {
// Encode per-recipient information, if present
var keyHeaders = [];
var encryptedKeys = [];
if (jwe.recipients) {
for (var i=0; i < jwe.recipients.length; ++i) {
if (jwe.recipients[i].initialization_vector) {
jwe.recipients[i].header.initialization_vector
= jwe.recipients[i].initialization_vector;
}
if (jwe.recipients[i].authentication_tag) {
jwe.recipients[i].header.authentication_tag
= jwe.recipients[i].authentication_tag;
}
keyHeaders.push( base64url_encode(
JSON.stringify( jwe.recipients[i].header ) ) );
encryptedKeys.push( jwe.recipients[i].ciphertext );
}
}
return jwe.protect
+ "." + keyHeaders.join(TILDE)
+ "." + encryptedKeys.join(TILDE)
+ "." + (jwe.initialization_vector || "")
+ "." + (jwe.ciphertext || "")
+ "." + (jwe.authentication_tag || "");
}
Figure 3
Barnes Expires November 7, 2013 [Page 10]
Internet-Draft JOSE Refactor May 2013
function JWE_compact2js(compact) {
var parts = compact.split(PERIOD);
if (parts.length != 6) {
throw "Syntax error: compact form must have 6 components";
}
var jwe = {
"protect": parts[0],
"initialization_vector": parts[3],
"ciphertext": parts[4],
"authentication_tag": parts[5]
};
// Reconstruct per-recipient information, if present
if (parts[1].length > 0 && parts[2].length > 0) {
keyHeaders = parts[1].split(TILDE);
encryptedKeys = parts[2].split(TILDE);
if (keyHeaders.length != encryptedKeys.length) {
throw "Syntax error: recipient arrays different lengths";
}
jwe.recipients = [];
for (var i=0; i < keyHeaders.length; ++i) {
var recipientJWE = {};
var header = JSON.parse( base64url_decode(keyHeaders[i]) );
if ("initialization_vector" in header) {
recipientJWE.initialization_vector =
header.initialization_vector;
delete header["initialization_vector"];
}
if ("authentication_tag" in header) {
recipientJWE.authentication_tag =
header.authentication_tag;
delete header["authentication_tag"];
}
recipientJWE.header = header;
recipientJWE.ciphertext = encryptedKeys[i];
jwe.recipients.push(recipientJWE);
}
}
return jwe;
}
Figure 4
Barnes Expires November 7, 2013 [Page 11]
Internet-Draft JOSE Refactor May 2013
5. Detailed Examples
In this section, we present detailed examples for several important
use cases. Note that binary values in this section are not generated
using the indicated cryptographic algorithms; rather, they are
randomly generated strings of appropriate length. Line breaks and
white space are for readability only.
In the provided compact forms, we have assumed that all top-level
header parameters are moved to the "protect" field from the "header"
field.
5.1. RSA Direct
{
"header": {
"enc": "RSA-OAEP",
"kid": "1"
},
"ciphertext": "badbLWEFcivAgcGXeKpm3YuCmldtqy
t8Z6BkdaSR6PufFlzhTXINRthq9jwSVLWY1iGnMj8
afGZ3AkF-mhl1f90Gt2ER-PON3eKL8pt19HkZnGUr
koWeZ5b6mXSvOIg95zfnj4wgkY6CD-GahCMIjSBm8
BE6HgL0liLrAy1A0uw"
}
Figure 5
The recipient can recognize that direct encryption is being done by
the lack of a "recipient" parameter. The recipient then uses the
private key corresponding to the "kid" parameter to decrypt the
ciphertext using RSA-OAEP.
The compact form of this JWE is 214 octets long
eyJlbmMiOiJSU0EtT0FFUCIsImtpZCI6IjEifQ
.
.
.
.badbLWEFcivAgcGXeKpm3YuCmldtqyt8Z6BkdaSR6PufFlzh
TXINRthq9jwSVLWY1iGnMj8afGZ3AkF-mhl1f90Gt2ER-PON
3eKL8pt19HkZnGUrkoWeZ5b6mXSvOIg95zfnj4wgkY6CD-Ga
hCMIjSBm8BE6HgL0liLrAy1A0uw
.
Figure 6
Barnes Expires November 7, 2013 [Page 12]
Internet-Draft JOSE Refactor May 2013
5.2. Direct Encryption with a Symmetric Algorithm
{
"header": {
"enc": "A128GCM",
"kid": "1"
},
"initialization_vector": "dRdeCTjt3255QKjrpvZVsA",
"ciphertext": "uRgFnOogcs7MnOnzPpzsojlrMXuZb96D",
"authentication_tag": "66Z3o-ArcjmCMtbGhDVEaA"
}
Figure 7
The recipient can recognize that direct encryption is being done by
the lack of a "recipient" parameter. The recipient then uses the
symmetric key identified by the "kid" parameter to decrypt the
ciphertext using AES-GCM.
The compact form of this JWE is 117 octets long
eyJlbmMiOiJBMTI4R0NNIiwia2lkIjoiMSJ9
.
.
.dRdeCTjt3255QKjrpvZVsA
.uRgFnOogcs7MnOnzPpzsojlrMXuZb96D
.66Z3o-ArcjmCMtbGhDVEaA
Figure 8
Barnes Expires November 7, 2013 [Page 13]
Internet-Draft JOSE Refactor May 2013
5.3. Direct Symmetric Encryption with an ECDH-derived key
{
"header": {
"enc": "A128GCM",
"kdf": "ECDH",
"kid": "1",
"epk": {
"kty":"EC",
"crv":"P-256",
"x":"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
"y":"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM"
},
"apu": "VaBLqlyRDFQdstcg8ZcJ0ea9hUC_LH2K4YCezuVj3qx_rM_
DurEUHC_PqFUA7HcXmaxtOax4uO6-p6rmNFIvSA"
},
"initialization_vector": "dRdeCTjt3255QKjrpvZVsA",
"ciphertext": "uRgFnOogcs7MnOnzPpzsojlrMXuZb96D",
"authentication_tag": "66Z3o-ArcjmCMtbGhDVEaA"
}
Figure 9
The recipient can recognize that direct encryption is being done by
the lack of a "recipient" parameter. The presence of the "kdf"
parameter indicates the need to derive a CEK from the shared secret
identified by the "kid" value (in this case, an ECDH private key).
The recipient combines the identified private key with the ephemeral
ECDH public key in the "epk" parameter to obtain a shared secret ZZ.
The shared secret ZZ is then combined with the information in the
"apu" field and used with the Concat KDF to derive the encryption
key. Finally, the recipient uses the derived encryption key to
decrypt the content using AES-GCM.
The compact form of this JWE is 439 octets long
Barnes Expires November 7, 2013 [Page 14]
Internet-Draft JOSE Refactor May 2013
eyJlbmMiOiJBMTI4R0NNIiwia2RmIjoiRUNESCIsImtpZCI6
IjEiLCJlcGsiOnsia3R5IjoiRUMiLCJjcnYiOiJQLTI1NiIs
IngiOiJNS0JDVE5JY0tVU0RpaTExeVNzMzUyNmlEWjhBaVRv
N1R1NktQQXF2N0Q0IiwieSI6IjRFdGw2U1JXMllpTFVyTjV2
ZnZWSHVocDd4OFB4bHRtV1dsYmJNNElGeU0ifSwiYXB1Ijoi
VmFCTHFseVJERlFkc3RjZzhaY0owZWE5aFVDX0xIMks0WUNl
enVWajNxeF9yTV9EdXJFVUhDX1BxRlVBN0hjWG1heHRPYXg0
dU82LXA2cm1ORkl2U0EifQ
.
.
.dRdeCTjt3255QKjrpvZVsA
.uRgFnOogcs7MnOnzPpzsojlrMXuZb96D
.66Z3o-ArcjmCMtbGhDVEaA
Figure 10
5.4. Indirect Encryption with an AES-wrapped Key
{
"header": {
"enc": "A128GCM",
},
"recipients": [{
"header": {
"enc": "A128KW",
"kid": "1"
},
"ciphertext": "A8nMMWXKxQCw8UYQsNCH6_mdAKOUDqJI"
}],
"initialization_vector": "dRdeCTjt3255QKjrpvZVsA",
"ciphertext": "uRgFnOogcs7MnOnzPpzsojlrMXuZb96D",
"authentication_tag": "66Z3o-ArcjmCMtbGhDVEaA"
}
Figure 11
The recipient can recognize by the presence of the "recipients"
header that indirect encryption is being used, and thus that it needs
to decrypt the CEK from one of the wrapped keys in the "recipients"
array. Assuming the recipient has access to the identified symmetric
key, it decrypts the encrypted key and uses it to decrypt the content
using AES-GCM.
The compact form of this JWE is 171 octets long
Barnes Expires November 7, 2013 [Page 15]
Internet-Draft JOSE Refactor May 2013
eyJlbmMiOiJBMTI4R0NNIn0
.eyJlbmMiOiJBMTI4S1ciLCJraWQiOiIxIn0
.A8nMMWXKxQCw8UYQsNCH6_mdAKOUDqJI
.dRdeCTjt3255QKjrpvZVsA
.uRgFnOogcs7MnOnzPpzsojlrMXuZb96D
.66Z3o-ArcjmCMtbGhDVEaA
Figure 12
5.5. Indirect Encryption with RSA- and ECDH-Wrapped Keys
{
"header": {
"enc": "A128GCM"
},
"recipients": [{
"header": {
"enc": "RSA-OAEP",
"kid": "1"
},
"ciphertext": "badbLWEFcivAgcGXeKpm3YuCmldtqy
t8Z6BkdaSR6PufFlzhTXINRthq9jwSVLWY1iGnMj8
afGZ3AkF-mhl1f90Gt2ER-PON3eKL8pt19HkZnGUr
koWeZ5b6mXSvOIg95zfnj4wgkY6CD-GahCMIjSBm8
BE6HgL0liLrAy1A0uw"
},{
"header": {
"enc": "A128KW",
"kdf": "ECDH",
"kid": "1",
"epk": {
"kty":"EC",
"crv":"P-256",
"x":"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
"y":"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM"
},
"apu": "VaBLqlyRDFQdstcg8ZcJ0ea9hUC_LH2K4YCezuVj3qx_rM_
DurEUHC_PqFUA7HcXmaxtOax4uO6-p6rmNFIvSA"
},
"ciphertext": "A8nMMWXKxQCw8UYQsNCH6_mdAKOUDqJI"
}],
"initialization_vector": "dRdeCTjt3255QKjrpvZVsA",
"ciphertext": "uRgFnOogcs7MnOnzPpzsojlrMXuZb96D",
"authentication_tag": "66Z3o-ArcjmCMtbGhDVEaA"
}
Figure 13
Barnes Expires November 7, 2013 [Page 16]
Internet-Draft JOSE Refactor May 2013
The recipient can recognize by the presence of the "recipients"
header that indirect encryption is being used, and thus that it needs
to decrypt the CEK from one of the wrapped keys in the "recipients"
array. Assuming the recipient has the private key corresponding to
the identified RSA or ECDH keys, it processes the corresponding
wrapped key object as a direct JWE to decrypt the CEK. The recipient
then uses the CEK to decrypt the content using AES-GCM.
The compact form of this JWE is 703 octets long
eyJlbmMiOiJBMTI4R0NNIn0
.eyJlbmMiOiJSU0EtT0FFUCIsImtpZCI6IjEifQ
~eyJlbmMiOiJBMTI4S1ciLCJrZGYiOiJFQ0RIIiwia2lkIjoi
MSIsImVwayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2Iiwi
eCI6Ik1LQkNUTkljS1VTRGlpMTF5U3MzNTI2aURaOEFpVG83
VHU2S1BBcXY3RDQiLCJ5IjoiNEV0bDZTUlcyWWlMVXJONXZm
dlZIdWhwN3g4UHhsdG1XV2xiYk00SUZ5TSJ9LCJhcHUiOiJW
YUJMcWx5UkRGUWRzdGNnOFpjSjBlYTloVUNfTEgySzRZQ2V6
dVZqM3F4X3JNX0R1ckVVSENfUHFGVUE3SGNYbWF4dE9heDR1
TzYtcDZybU5GSXZTQSJ9
.badbLWEFcivAgcGXeKpm3YuCmldtqyt8Z6BkdaSR6PufFlzh
TXINRthq9jwSVLWY1iGnMj8afGZ3AkF-mhl1f90Gt2ER-PON
3eKL8pt19HkZnGUrkoWeZ5b6mXSvOIg95zfnj4wgkY6CD-Ga
hCMIjSBm8BE6HgL0liLrAy1A0uw
~A8nMMWXKxQCw8UYQsNCH6_mdAKOUDqJI
.dRdeCTjt3255QKjrpvZVsA
.uRgFnOogcs7MnOnzPpzsojlrMXuZb96D
.66Z3o-ArcjmCMtbGhDVEaA
Figure 14
Barnes Expires November 7, 2013 [Page 17]
Internet-Draft JOSE Refactor May 2013
6. Security Considerations
The refactoring proposed in this document has several security
benefits.
First, by using the JWE format for wrapped keys in JWE, JWE can
benefit from general AEAD algorithms for key wrapping, for example,
AES-GCM as opposed to AES key wrap. These other AEAD algorithms are
more widely available than AES key wrap, and offer better security
properties in some situations. This benefit is available to the
compact serialization as well as the revised JSON format.
Second, by using the same format for key encryption and content
encryption, code for processing objects in the proposed format will
only have to have support one way of decrypting objects. This
simplification will reduce the chance for bugs in implementations.
Third, the use of consolidated algorithm and key objects allows for
simpler validation rules on JOSE objects, again reducing the chance
that an improperly-constructed JOSE object will be able to trigger
implementation bugs.
There are two areas where this proposal might require increased
caution by applications. The first is in the choice of JWE mode,
direct vs. indirect. The revised JWE specification should emphasize
that indirect-mode JWE is much more secure, because attackers have to
break two levels of encryption to access long-lived keys, instead of
just one.
The second area of concern is the selection of algorithms. The
security considerations in the revised JWE specification should note
that applications that use indirect JWEs should choose different
algorithms for key encryption and content encryption. That way, an
attacker must compromise two different algorithms in order to mis-use
a JWE object.
Barnes Expires November 7, 2013 [Page 18]
Internet-Draft JOSE Refactor May 2013
7. IANA Considerations
This memo makes no request of IANA. However, changes to the JOSE
specs resulting from this proposal might require adjustments to some
IANA registrations.
Barnes Expires November 7, 2013 [Page 19]
Internet-Draft JOSE Refactor May 2013
8. Normative References
[I-D.ietf-jose-json-web-algorithms]
Jones, M., "JSON Web Algorithms (JWA)",
draft-ietf-jose-json-web-algorithms-08 (work in progress),
December 2012.
[I-D.ietf-jose-json-web-encryption]
Jones, M., Rescorla, E., and J. Hildebrand, "JSON Web
Encryption (JWE)", draft-ietf-jose-json-web-encryption-08
(work in progress), December 2012.
[I-D.ietf-jose-json-web-key]
Jones, M., "JSON Web Key (JWK)",
draft-ietf-jose-json-web-key-08 (work in progress),
December 2012.
[I-D.ietf-jose-json-web-signature]
Jones, M., Bradley, J., and N. Sakimura, "JSON Web
Signature (JWS)", draft-ietf-jose-json-web-signature-08
(work in progress), December 2012.
Barnes Expires November 7, 2013 [Page 20]
Internet-Draft JOSE Refactor May 2013
Author's Address
Richard Barnes
BBN
Email: rlb@ipv.sx
Barnes Expires November 7, 2013 [Page 21]