tech-invite   World Map     

IETF     RFCs     Groups     SIP     ABNFs    |    3GPP     Specs     Gloss.     Arch.     IMS     UICC    |    Misc.    |    search     info

RFC 7516

 
 
 

JSON Web Encryption (JWE)

Part 3 of 3, p. 29 to 51
Prev RFC Part

 


prevText      Top      Up      ToC       Page 29 
12.  References

12.1.  Normative References

   [JWA]      Jones, M., "JSON Web Algorithms (JWA)", RFC 7518,
              DOI 10.17487/RFC7518, May 2015,
              <http://www.rfc-editor.org/info/rfc7518>.

   [JWK]      Jones, M., "JSON Web Key (JWK)", RFC 7517,
              DOI 10.17487/RFC7517, May 2015,
              <http://www.rfc-editor.org/info/rfc7517>.

   [JWS]      Jones, M., Bradley, J., and N. Sakimura, "JSON Web
              Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May
              2015, <http://www.rfc-editor.org/info/rfc7515>.

   [RFC1951]  Deutsch, P., "DEFLATE Compressed Data Format Specification
              version 1.3", RFC 1951, DOI 10.17487/RFC1951, May 1996,
              <http://www.rfc-editor.org/info/rfc1951>.

   [RFC20]    Cerf, V., "ASCII format for Network Interchange", STD 80,
              RFC 20, DOI 10.17487/RFC0020, October 1969,
              <http://www.rfc-editor.org/info/rfc20>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
              2003, <http://www.rfc-editor.org/info/rfc3629>.

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
              FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
              <http://www.rfc-editor.org/info/rfc4949>.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
              <http://www.rfc-editor.org/info/rfc5280>.

   [RFC7159]  Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
              Interchange Format", RFC 7159, DOI 10.17487/RFC7159, March
              2014, <http://www.rfc-editor.org/info/rfc7159>.

Top      Up      ToC       Page 30 
   [UNICODE]  The Unicode Consortium, "The Unicode Standard",
              <http://www.unicode.org/versions/latest/>.

12.2.  Informative References

   [AES]      National Institute of Standards and Technology (NIST),
              "Advanced Encryption Standard (AES)", FIPS PUB 197,
              November 2001, <http://csrc.nist.gov/publications/
              fips/fips197/fips-197.pdf>.

   [JSE]      Bradley, J. and N. Sakimura (editor), "JSON Simple
              Encryption", September 2010,
              <http://jsonenc.info/enc/1.0/>.

   [JSMS]     Rescorla, E. and J. Hildebrand, "JavaScript Message
              Security Format", Work in Progress,
              draft-rescorla-jsms-00, March 2011.

   [NIST.800-38D]
              National Institute of Standards and Technology (NIST),
              "Recommendation for Block Cipher Modes of Operation:
              Galois/Counter Mode (GCM) and GMAC", NIST PUB 800-38D,
              November 2007, <http://csrc.nist.gov/publications/
              nistpubs/800-38D/SP-800-38D.pdf>.

   [RFC3218]  Rescorla, E., "Preventing the Million Message Attack on
              Cryptographic Message Syntax", RFC 3218,
              DOI 10.17487/RFC3218, January 2002,
              <http://www.rfc-editor.org/info/rfc3218>.

   [RFC3447]  Jonsson, J. and B. Kaliski, "Public-Key Cryptography
              Standards (PKCS) #1: RSA Cryptography Specifications
              Version 2.1", RFC 3447, DOI 10.17487/RFC3447, February
              2003, <http://www.rfc-editor.org/info/rfc3447>.

   [RFC3766]  Orman, H. and P. Hoffman, "Determining Strengths For
              Public Keys Used For Exchanging Symmetric Keys", BCP 86,
              RFC 3766, DOI 10.17487/RFC3766, April 2004,
              <http://www.rfc-editor.org/info/rfc3766>.

   [RFC4086]  Eastlake 3rd, D., Schiller, J., and S. Crocker,
              "Randomness Requirements for Security", BCP 106, RFC 4086,
              DOI 10.17487/RFC4086, June 2005,
              <http://www.rfc-editor.org/info/rfc4086>.

Top      Up      ToC       Page 31 
   [RFC5652]  Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
              RFC 5652, DOI 10.17487/RFC5652, September 2009,
              <http://www.rfc-editor.org/info/rfc5652>.

   [W3C.REC-xmlenc-core1-20130411]
              Eastlake, D., Reagle, J., Hirsch, F., and T. Roessler,
              "XML Encryption Syntax and Processing Version 1.1", World
              Wide Web Consortium Recommendation
              REC-xmlenc-core1-20130411, April 2013,
              <http://www.w3.org/TR/2013/REC-xmlenc-core1-20130411/>.

Top      Up      ToC       Page 32 
Appendix A.  JWE Examples

   This section provides examples of JWE computations.

A.1.  Example JWE using RSAES-OAEP and AES GCM

   This example encrypts the plaintext "The true sign of intelligence is
   not knowledge but imagination." to the recipient using RSAES-OAEP for
   key encryption and AES GCM for content encryption.  The
   representation of this plaintext (using JSON array notation) is:

   [84, 104, 101, 32, 116, 114, 117, 101, 32, 115, 105, 103, 110, 32,
   111, 102, 32, 105, 110, 116, 101, 108, 108, 105, 103, 101, 110, 99,
   101, 32, 105, 115, 32, 110, 111, 116, 32, 107, 110, 111, 119, 108,
   101, 100, 103, 101, 32, 98, 117, 116, 32, 105, 109, 97, 103, 105,
   110, 97, 116, 105, 111, 110, 46]

A.1.1.  JOSE Header

   The following example JWE Protected Header declares that:

   o  The Content Encryption Key is encrypted to the recipient using the
      RSAES-OAEP algorithm to produce the JWE Encrypted Key.
   o  Authenticated encryption is performed on the plaintext using the
      AES GCM algorithm with a 256-bit key to produce the ciphertext and
      the Authentication Tag.

     {"alg":"RSA-OAEP","enc":"A256GCM"}

   Encoding this JWE Protected Header as BASE64URL(UTF8(JWE Protected
   Header)) gives this value:

     eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ

A.1.2.  Content Encryption Key (CEK)

   Generate a 256-bit random CEK.  In this example, the value (using
   JSON array notation) is:

   [177, 161, 244, 128, 84, 143, 225, 115, 63, 180, 3, 255, 107, 154,
   212, 246, 138, 7, 110, 91, 112, 46, 34, 105, 47, 130, 203, 46, 122,
   234, 64, 252]

Top      Up      ToC       Page 33 
A.1.3.  Key Encryption

   Encrypt the CEK with the recipient's public key using the RSAES-OAEP
   algorithm to produce the JWE Encrypted Key.  This example uses the
   RSA key represented in JSON Web Key [JWK] format below (with line
   breaks within values for display purposes only):

     {"kty":"RSA",
      "n":"oahUIoWw0K0usKNuOR6H4wkf4oBUXHTxRvgb48E-BVvxkeDNjbC4he8rUW
           cJoZmds2h7M70imEVhRU5djINXtqllXI4DFqcI1DgjT9LewND8MW2Krf3S
           psk_ZkoFnilakGygTwpZ3uesH-PFABNIUYpOiN15dsQRkgr0vEhxN92i2a
           sbOenSZeyaxziK72UwxrrKoExv6kc5twXTq4h-QChLOln0_mtUZwfsRaMS
           tPs6mS6XrgxnxbWhojf663tuEQueGC-FCMfra36C9knDFGzKsNa7LZK2dj
           YgyD3JR_MB_4NUJW_TqOQtwHYbxevoJArm-L5StowjzGy-_bq6Gw",
      "e":"AQAB",
      "d":"kLdtIj6GbDks_ApCSTYQtelcNttlKiOyPzMrXHeI-yk1F7-kpDxY4-WY5N
           WV5KntaEeXS1j82E375xxhWMHXyvjYecPT9fpwR_M9gV8n9Hrh2anTpTD9
           3Dt62ypW3yDsJzBnTnrYu1iwWRgBKrEYY46qAZIrA2xAwnm2X7uGR1hghk
           qDp0Vqj3kbSCz1XyfCs6_LehBwtxHIyh8Ripy40p24moOAbgxVw3rxT_vl
           t3UVe4WO3JkJOzlpUf-KTVI2Ptgm-dARxTEtE-id-4OJr0h-K-VFs3VSnd
           VTIznSxfyrj8ILL6MG_Uv8YAu7VILSB3lOW085-4qE3DzgrTjgyQ",
      "p":"1r52Xk46c-LsfB5P442p7atdPUrxQSy4mti_tZI3Mgf2EuFVbUoDBvaRQ-
           SWxkbkmoEzL7JXroSBjSrK3YIQgYdMgyAEPTPjXv_hI2_1eTSPVZfzL0lf
           fNn03IXqWF5MDFuoUYE0hzb2vhrlN_rKrbfDIwUbTrjjgieRbwC6Cl0",
      "q":"wLb35x7hmQWZsWJmB_vle87ihgZ19S8lBEROLIsZG4ayZVe9Hi9gDVCOBm
           UDdaDYVTSNx_8Fyw1YYa9XGrGnDew00J28cRUoeBB_jKI1oma0Orv1T9aX
           IWxKwd4gvxFImOWr3QRL9KEBRzk2RatUBnmDZJTIAfwTs0g68UZHvtc",
      "dp":"ZK-YwE7diUh0qR1tR7w8WHtolDx3MZ_OTowiFvgfeQ3SiresXjm9gZ5KL
           hMXvo-uz-KUJWDxS5pFQ_M0evdo1dKiRTjVw_x4NyqyXPM5nULPkcpU827
           rnpZzAJKpdhWAgqrXGKAECQH0Xt4taznjnd_zVpAmZZq60WPMBMfKcuE",
      "dq":"Dq0gfgJ1DdFGXiLvQEZnuKEN0UUmsJBxkjydc3j4ZYdBiMRAy86x0vHCj
           ywcMlYYg4yoC4YZa9hNVcsjqA3FeiL19rk8g6Qn29Tt0cj8qqyFpz9vNDB
           UfCAiJVeESOjJDZPYHdHY8v1b-o-Z2X5tvLx-TCekf7oxyeKDUqKWjis",
      "qi":"VIMpMYbPf47dT1w_zDUXfPimsSegnMOA1zTaX7aGk_8urY6R8-ZW1FxU7
           AlWAyLWybqq6t16VFd7hQd0y6flUK4SlOydB61gwanOsXGOAOv82cHq0E3
           eL4HrtZkUuKvnPrMnsUUFlfUdybVzxyjz9JF_XyaY14ardLSjf4L_FNY"
     }

Top      Up      ToC       Page 34 
   The resulting JWE Encrypted Key value is:

   [56, 163, 154, 192, 58, 53, 222, 4, 105, 218, 136, 218, 29, 94, 203,
   22, 150, 92, 129, 94, 211, 232, 53, 89, 41, 60, 138, 56, 196, 216,
   82, 98, 168, 76, 37, 73, 70, 7, 36, 8, 191, 100, 136, 196, 244, 220,
   145, 158, 138, 155, 4, 117, 141, 230, 199, 247, 173, 45, 182, 214,
   74, 177, 107, 211, 153, 11, 205, 196, 171, 226, 162, 128, 171, 182,
   13, 237, 239, 99, 193, 4, 91, 219, 121, 223, 107, 167, 61, 119, 228,
   173, 156, 137, 134, 200, 80, 219, 74, 253, 56, 185, 91, 177, 34, 158,
   89, 154, 205, 96, 55, 18, 138, 43, 96, 218, 215, 128, 124, 75, 138,
   243, 85, 25, 109, 117, 140, 26, 155, 249, 67, 167, 149, 231, 100, 6,
   41, 65, 214, 251, 232, 87, 72, 40, 182, 149, 154, 168, 31, 193, 126,
   215, 89, 28, 111, 219, 125, 182, 139, 235, 195, 197, 23, 234, 55, 58,
   63, 180, 68, 202, 206, 149, 75, 205, 248, 176, 67, 39, 178, 60, 98,
   193, 32, 238, 122, 96, 158, 222, 57, 183, 111, 210, 55, 188, 215,
   206, 180, 166, 150, 166, 106, 250, 55, 229, 72, 40, 69, 214, 216,
   104, 23, 40, 135, 212, 28, 127, 41, 80, 175, 174, 168, 115, 171, 197,
   89, 116, 92, 103, 246, 83, 216, 182, 176, 84, 37, 147, 35, 45, 219,
   172, 99, 226, 233, 73, 37, 124, 42, 72, 49, 242, 35, 127, 184, 134,
   117, 114, 135, 206]

   Encoding this JWE Encrypted Key as BASE64URL(JWE Encrypted Key) gives
   this value (with line breaks for display purposes only):

     OKOawDo13gRp2ojaHV7LFpZcgV7T6DVZKTyKOMTYUmKoTCVJRgckCL9kiMT03JGe
     ipsEdY3mx_etLbbWSrFr05kLzcSr4qKAq7YN7e9jwQRb23nfa6c9d-StnImGyFDb
     Sv04uVuxIp5Zms1gNxKKK2Da14B8S4rzVRltdYwam_lDp5XnZAYpQdb76FdIKLaV
     mqgfwX7XWRxv2322i-vDxRfqNzo_tETKzpVLzfiwQyeyPGLBIO56YJ7eObdv0je8
     1860ppamavo35UgoRdbYaBcoh9QcfylQr66oc6vFWXRcZ_ZT2LawVCWTIy3brGPi
     6UklfCpIMfIjf7iGdXKHzg

A.1.4.  Initialization Vector

   Generate a random 96-bit JWE Initialization Vector.  In this example,
   the value is:

   [227, 197, 117, 252, 2, 219, 233, 68, 180, 225, 77, 219]

   Encoding this JWE Initialization Vector as BASE64URL(JWE
   Initialization Vector) gives this value:

     48V1_ALb6US04U3b

Top      Up      ToC       Page 35 
A.1.5.  Additional Authenticated Data

   Let the Additional Authenticated Data encryption parameter be
   ASCII(BASE64URL(UTF8(JWE Protected Header))).  This value is:

   [101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 83, 85, 48, 69,
   116, 84, 48, 70, 70, 85, 67, 73, 115, 73, 109, 86, 117, 89, 121, 73,
   54, 73, 107, 69, 121, 78, 84, 90, 72, 81, 48, 48, 105, 102, 81]

A.1.6.  Content Encryption

   Perform authenticated encryption on the plaintext with the AES GCM
   algorithm using the CEK as the encryption key, the JWE Initialization
   Vector, and the Additional Authenticated Data value above, requesting
   a 128-bit Authentication Tag output.  The resulting ciphertext is:

   [229, 236, 166, 241, 53, 191, 115, 196, 174, 43, 73, 109, 39, 122,
   233, 96, 140, 206, 120, 52, 51, 237, 48, 11, 190, 219, 186, 80, 111,
   104, 50, 142, 47, 167, 59, 61, 181, 127, 196, 21, 40, 82, 242, 32,
   123, 143, 168, 226, 73, 216, 176, 144, 138, 247, 106, 60, 16, 205,
   160, 109, 64, 63, 192]

   The resulting Authentication Tag value is:

   [92, 80, 104, 49, 133, 25, 161, 215, 173, 101, 219, 211, 136, 91,
   210, 145]

   Encoding this JWE Ciphertext as BASE64URL(JWE Ciphertext) gives this
   value (with line breaks for display purposes only):

     5eym8TW_c8SuK0ltJ3rpYIzOeDQz7TALvtu6UG9oMo4vpzs9tX_EFShS8iB7j6ji
     SdiwkIr3ajwQzaBtQD_A

   Encoding this JWE Authentication Tag as BASE64URL(JWE Authentication
   Tag) gives this value:

     XFBoMYUZodetZdvTiFvSkQ

Top      Up      ToC       Page 36 
A.1.7.  Complete Representation

   Assemble the final representation: The Compact Serialization of this
   result is the string BASE64URL(UTF8(JWE Protected Header)) || '.' ||
   BASE64URL(JWE Encrypted Key) || '.' || BASE64URL(JWE Initialization
   Vector) || '.' || BASE64URL(JWE Ciphertext) || '.' || BASE64URL(JWE
   Authentication Tag).

   The final result in this example (with line breaks for display
   purposes only) is:

     eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ.
     OKOawDo13gRp2ojaHV7LFpZcgV7T6DVZKTyKOMTYUmKoTCVJRgckCL9kiMT03JGe
     ipsEdY3mx_etLbbWSrFr05kLzcSr4qKAq7YN7e9jwQRb23nfa6c9d-StnImGyFDb
     Sv04uVuxIp5Zms1gNxKKK2Da14B8S4rzVRltdYwam_lDp5XnZAYpQdb76FdIKLaV
     mqgfwX7XWRxv2322i-vDxRfqNzo_tETKzpVLzfiwQyeyPGLBIO56YJ7eObdv0je8
     1860ppamavo35UgoRdbYaBcoh9QcfylQr66oc6vFWXRcZ_ZT2LawVCWTIy3brGPi
     6UklfCpIMfIjf7iGdXKHzg.
     48V1_ALb6US04U3b.
     5eym8TW_c8SuK0ltJ3rpYIzOeDQz7TALvtu6UG9oMo4vpzs9tX_EFShS8iB7j6ji
     SdiwkIr3ajwQzaBtQD_A.
     XFBoMYUZodetZdvTiFvSkQ

A.1.8.  Validation

   This example illustrates the process of creating a JWE with
   RSAES-OAEP for key encryption and AES GCM for content encryption.
   These results can be used to validate JWE decryption implementations
   for these algorithms.  Note that since the RSAES-OAEP computation
   includes random values, the encryption results above will not be
   completely reproducible.  However, since the AES GCM computation is
   deterministic, the JWE Encrypted Ciphertext values will be the same
   for all encryptions performed using these inputs.

A.2.  Example JWE using RSAES-PKCS1-v1_5 and AES_128_CBC_HMAC_SHA_256

   This example encrypts the plaintext "Live long and prosper." to the
   recipient using RSAES-PKCS1-v1_5 for key encryption and
   AES_128_CBC_HMAC_SHA_256 for content encryption.  The representation
   of this plaintext (using JSON array notation) is:

   [76, 105, 118, 101, 32, 108, 111, 110, 103, 32, 97, 110, 100, 32,
   112, 114, 111, 115, 112, 101, 114, 46]

Top      Up      ToC       Page 37 
A.2.1.  JOSE Header

   The following example JWE Protected Header declares that:

   o  The Content Encryption Key is encrypted to the recipient using the
      RSAES-PKCS1-v1_5 algorithm to produce the JWE Encrypted Key.
   o  Authenticated encryption is performed on the plaintext using the
      AES_128_CBC_HMAC_SHA_256 algorithm to produce the ciphertext and
      the Authentication Tag.

     {"alg":"RSA1_5","enc":"A128CBC-HS256"}

   Encoding this JWE Protected Header as BASE64URL(UTF8(JWE Protected
   Header)) gives this value:

     eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0

A.2.2.  Content Encryption Key (CEK)

   Generate a 256-bit random CEK.  In this example, the key value is:

   [4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, 63, 170, 106,
   206, 107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, 240, 143, 156,
   44, 207]

Top      Up      ToC       Page 38 
A.2.3.  Key Encryption

   Encrypt the CEK with the recipient's public key using the
   RSAES-PKCS1-v1_5 algorithm to produce the JWE Encrypted Key.  This
   example uses the RSA key represented in JSON Web Key [JWK] format
   below (with line breaks within values for display purposes only):

     {"kty":"RSA",
      "n":"sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy1Wl
           UzewbgBHod5pcM9H95GQRV3JDXboIRROSBigeC5yjU1hGzHHyXss8UDpre
           cbAYxknTcQkhslANGRUZmdTOQ5qTRsLAt6BTYuyvVRdhS8exSZEy_c4gs_
           7svlJJQ4H9_NxsiIoLwAEk7-Q3UXERGYw_75IDrGA84-lA_-Ct4eTlXHBI
           Y2EaV7t7LjJaynVJCpkv4LKjTTAumiGUIuQhrNhZLuF_RJLqHpM2kgWFLU
           7-VTdL1VbC2tejvcI2BlMkEpk1BzBZI0KQB0GaDWFLN-aEAw3vRw",
      "e":"AQAB",
      "d":"VFCWOqXr8nvZNyaaJLXdnNPXZKRaWCjkU5Q2egQQpTBMwhprMzWzpR8Sxq
           1OPThh_J6MUD8Z35wky9b8eEO0pwNS8xlh1lOFRRBoNqDIKVOku0aZb-ry
           nq8cxjDTLZQ6Fz7jSjR1Klop-YKaUHc9GsEofQqYruPhzSA-QgajZGPbE_
           0ZaVDJHfyd7UUBUKunFMScbflYAAOYJqVIVwaYR5zWEEceUjNnTNo_CVSj
           -VvXLO5VZfCUAVLgW4dpf1SrtZjSt34YLsRarSb127reG_DUwg9Ch-Kyvj
           T1SkHgUWRVGcyly7uvVGRSDwsXypdrNinPA4jlhoNdizK2zF2CWQ",
      "p":"9gY2w6I6S6L0juEKsbeDAwpd9WMfgqFoeA9vEyEUuk4kLwBKcoe1x4HG68
           ik918hdDSE9vDQSccA3xXHOAFOPJ8R9EeIAbTi1VwBYnbTp87X-xcPWlEP
           krdoUKW60tgs1aNd_Nnc9LEVVPMS390zbFxt8TN_biaBgelNgbC95sM",
      "q":"uKlCKvKv_ZJMVcdIs5vVSU_6cPtYI1ljWytExV_skstvRSNi9r66jdd9-y
           BhVfuG4shsp2j7rGnIio901RBeHo6TPKWVVykPu1iYhQXw1jIABfw-MVsN
           -3bQ76WLdt2SDxsHs7q7zPyUyHXmps7ycZ5c72wGkUwNOjYelmkiNS0",
      "dp":"w0kZbV63cVRvVX6yk3C8cMxo2qCM4Y8nsq1lmMSYhG4EcL6FWbX5h9yuv
           ngs4iLEFk6eALoUS4vIWEwcL4txw9LsWH_zKI-hwoReoP77cOdSL4AVcra
           Hawlkpyd2TWjE5evgbhWtOxnZee3cXJBkAi64Ik6jZxbvk-RR3pEhnCs",
      "dq":"o_8V14SezckO6CNLKs_btPdFiO9_kC1DsuUTd2LAfIIVeMZ7jn1Gus_Ff
           7B7IVx3p5KuBGOVF8L-qifLb6nQnLysgHDh132NDioZkhH7mI7hPG-PYE_
           odApKdnqECHWw0J-F0JWnUd6D2B_1TvF9mXA2Qx-iGYn8OVV1Bsmp6qU",
      "qi":"eNho5yRBEBxhGBtQRww9QirZsB66TrfFReG_CcteI1aCneT0ELGhYlRlC
           tUkTRclIfuEPmNsNDPbLoLqqCVznFbvdB7x-Tl-m0l_eFTj2KiqwGqE9PZ
           B9nNTwMVvH3VRRSLWACvPnSiwP8N5Usy-WRXS-V7TbpxIhvepTfE0NNo"
     }

Top      Up      ToC       Page 39 
   The resulting JWE Encrypted Key value is:

   [80, 104, 72, 58, 11, 130, 236, 139, 132, 189, 255, 205, 61, 86, 151,
   176, 99, 40, 44, 233, 176, 189, 205, 70, 202, 169, 72, 40, 226, 181,
   156, 223, 120, 156, 115, 232, 150, 209, 145, 133, 104, 112, 237, 156,
   116, 250, 65, 102, 212, 210, 103, 240, 177, 61, 93, 40, 71, 231, 223,
   226, 240, 157, 15, 31, 150, 89, 200, 215, 198, 203, 108, 70, 117, 66,
   212, 238, 193, 205, 23, 161, 169, 218, 243, 203, 128, 214, 127, 253,
   215, 139, 43, 17, 135, 103, 179, 220, 28, 2, 212, 206, 131, 158, 128,
   66, 62, 240, 78, 186, 141, 125, 132, 227, 60, 137, 43, 31, 152, 199,
   54, 72, 34, 212, 115, 11, 152, 101, 70, 42, 219, 233, 142, 66, 151,
   250, 126, 146, 141, 216, 190, 73, 50, 177, 146, 5, 52, 247, 28, 197,
   21, 59, 170, 247, 181, 89, 131, 241, 169, 182, 246, 99, 15, 36, 102,
   166, 182, 172, 197, 136, 230, 120, 60, 58, 219, 243, 149, 94, 222,
   150, 154, 194, 110, 227, 225, 112, 39, 89, 233, 112, 207, 211, 241,
   124, 174, 69, 221, 179, 107, 196, 225, 127, 167, 112, 226, 12, 242,
   16, 24, 28, 120, 182, 244, 213, 244, 153, 194, 162, 69, 160, 244,
   248, 63, 165, 141, 4, 207, 249, 193, 79, 131, 0, 169, 233, 127, 167,
   101, 151, 125, 56, 112, 111, 248, 29, 232, 90, 29, 147, 110, 169,
   146, 114, 165, 204, 71, 136, 41, 252]

   Encoding this JWE Encrypted Key as BASE64URL(JWE Encrypted Key) gives
   this value (with line breaks for display purposes only):

     UGhIOguC7IuEvf_NPVaXsGMoLOmwvc1GyqlIKOK1nN94nHPoltGRhWhw7Zx0-kFm
     1NJn8LE9XShH59_i8J0PH5ZZyNfGy2xGdULU7sHNF6Gp2vPLgNZ__deLKxGHZ7Pc
     HALUzoOegEI-8E66jX2E4zyJKx-YxzZIItRzC5hlRirb6Y5Cl_p-ko3YvkkysZIF
     NPccxRU7qve1WYPxqbb2Yw8kZqa2rMWI5ng8OtvzlV7elprCbuPhcCdZ6XDP0_F8
     rkXds2vE4X-ncOIM8hAYHHi29NX0mcKiRaD0-D-ljQTP-cFPgwCp6X-nZZd9OHBv
     -B3oWh2TbqmScqXMR4gp_A

A.2.4.  Initialization Vector

   Generate a random 128-bit JWE Initialization Vector.  In this
   example, the value is:

   [3, 22, 60, 12, 43, 67, 104, 105, 108, 108, 105, 99, 111, 116, 104,
   101]

   Encoding this JWE Initialization Vector as BASE64URL(JWE
   Initialization Vector) gives this value:

     AxY8DCtDaGlsbGljb3RoZQ

Top      Up      ToC       Page 40 
A.2.5.  Additional Authenticated Data

   Let the Additional Authenticated Data encryption parameter be
   ASCII(BASE64URL(UTF8(JWE Protected Header))).  This value is:

   [101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 83, 85, 48, 69,
   120, 88, 122, 85, 105, 76, 67, 74, 108, 98, 109, 77, 105, 79, 105,
   74, 66, 77, 84, 73, 52, 81, 48, 74, 68, 76, 85, 104, 84, 77, 106, 85,
   50, 73, 110, 48]

A.2.6.  Content Encryption

   Perform authenticated encryption on the plaintext with the
   AES_128_CBC_HMAC_SHA_256 algorithm using the CEK as the encryption
   key, the JWE Initialization Vector, and the Additional Authenticated
   Data value above.  The steps for doing this using the values from
   Appendix A.3 are detailed in Appendix B.  The resulting ciphertext
   is:

   [40, 57, 83, 181, 119, 33, 133, 148, 198, 185, 243, 24, 152, 230, 6,
   75, 129, 223, 127, 19, 210, 82, 183, 230, 168, 33, 215, 104, 143,
   112, 56, 102]

   The resulting Authentication Tag value is:

   [246, 17, 244, 190, 4, 95, 98, 3, 231, 0, 115, 157, 242, 203, 100,
   191]

   Encoding this JWE Ciphertext as BASE64URL(JWE Ciphertext) gives this
   value:

     KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY

   Encoding this JWE Authentication Tag as BASE64URL(JWE Authentication
   Tag) gives this value:

     9hH0vgRfYgPnAHOd8stkvw

A.2.7.  Complete Representation

   Assemble the final representation: The Compact Serialization of this
   result is the string BASE64URL(UTF8(JWE Protected Header)) || '.' ||
   BASE64URL(JWE Encrypted Key) || '.' || BASE64URL(JWE Initialization
   Vector) || '.' || BASE64URL(JWE Ciphertext) || '.' || BASE64URL(JWE
   Authentication Tag).

Top      Up      ToC       Page 41 
   The final result in this example (with line breaks for display
   purposes only) is:

     eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0.
     UGhIOguC7IuEvf_NPVaXsGMoLOmwvc1GyqlIKOK1nN94nHPoltGRhWhw7Zx0-kFm
     1NJn8LE9XShH59_i8J0PH5ZZyNfGy2xGdULU7sHNF6Gp2vPLgNZ__deLKxGHZ7Pc
     HALUzoOegEI-8E66jX2E4zyJKx-YxzZIItRzC5hlRirb6Y5Cl_p-ko3YvkkysZIF
     NPccxRU7qve1WYPxqbb2Yw8kZqa2rMWI5ng8OtvzlV7elprCbuPhcCdZ6XDP0_F8
     rkXds2vE4X-ncOIM8hAYHHi29NX0mcKiRaD0-D-ljQTP-cFPgwCp6X-nZZd9OHBv
     -B3oWh2TbqmScqXMR4gp_A.
     AxY8DCtDaGlsbGljb3RoZQ.
     KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY.
     9hH0vgRfYgPnAHOd8stkvw

A.2.8.  Validation

   This example illustrates the process of creating a JWE with
   RSAES-PKCS1-v1_5 for key encryption and AES_CBC_HMAC_SHA2 for content
   encryption.  These results can be used to validate JWE decryption
   implementations for these algorithms.  Note that since the
   RSAES-PKCS1-v1_5 computation includes random values, the encryption
   results above will not be completely reproducible.  However, since
   the AES-CBC computation is deterministic, the JWE Encrypted
   Ciphertext values will be the same for all encryptions performed
   using these inputs.

A.3.  Example JWE Using AES Key Wrap and AES_128_CBC_HMAC_SHA_256

   This example encrypts the plaintext "Live long and prosper." to the
   recipient using AES Key Wrap for key encryption and
   AES_128_CBC_HMAC_SHA_256 for content encryption.  The representation
   of this plaintext (using JSON array notation) is:

   [76, 105, 118, 101, 32, 108, 111, 110, 103, 32, 97, 110, 100, 32,
   112, 114, 111, 115, 112, 101, 114, 46]

A.3.1.  JOSE Header

   The following example JWE Protected Header declares that:

   o  The Content Encryption Key is encrypted to the recipient using the
      AES Key Wrap algorithm with a 128-bit key to produce the JWE
      Encrypted Key.
   o  Authenticated encryption is performed on the plaintext using the
      AES_128_CBC_HMAC_SHA_256 algorithm to produce the ciphertext and
      the Authentication Tag.

     {"alg":"A128KW","enc":"A128CBC-HS256"}

Top      Up      ToC       Page 42 
   Encoding this JWE Protected Header as BASE64URL(UTF8(JWE Protected
   Header)) gives this value:

     eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0

A.3.2.  Content Encryption Key (CEK)

   Generate a 256-bit random CEK.  In this example, the value is:

   [4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, 63, 170, 106,
   206, 107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, 240, 143, 156,
   44, 207]

A.3.3.  Key Encryption

   Encrypt the CEK with the shared symmetric key using the AES Key Wrap
   algorithm to produce the JWE Encrypted Key.  This example uses the
   symmetric key represented in JSON Web Key [JWK] format below:

     {"kty":"oct",
      "k":"GawgguFyGrWKav7AX4VKUg"
     }

   The resulting JWE Encrypted Key value is:

   [232, 160, 123, 211, 183, 76, 245, 132, 200, 128, 123, 75, 190, 216,
   22, 67, 201, 138, 193, 186, 9, 91, 122, 31, 246, 90, 28, 139, 57, 3,
   76, 124, 193, 11, 98, 37, 173, 61, 104, 57]

   Encoding this JWE Encrypted Key as BASE64URL(JWE Encrypted Key) gives
   this value:

     6KB707dM9YTIgHtLvtgWQ8mKwboJW3of9locizkDTHzBC2IlrT1oOQ

A.3.4.  Initialization Vector

   Generate a random 128-bit JWE Initialization Vector.  In this
   example, the value is:

   [3, 22, 60, 12, 43, 67, 104, 105, 108, 108, 105, 99, 111, 116, 104,
   101]

   Encoding this JWE Initialization Vector as BASE64URL(JWE
   Initialization Vector) gives this value:

     AxY8DCtDaGlsbGljb3RoZQ

Top      Up      ToC       Page 43 
A.3.5.  Additional Authenticated Data

   Let the Additional Authenticated Data encryption parameter be
   ASCII(BASE64URL(UTF8(JWE Protected Header))).  This value is:

   [101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 66, 77, 84, 73, 52,
   83, 49, 99, 105, 76, 67, 74, 108, 98, 109, 77, 105, 79, 105, 74, 66,
   77, 84, 73, 52, 81, 48, 74, 68, 76, 85, 104, 84, 77, 106, 85, 50, 73,
   110, 48]

A.3.6.  Content Encryption

   Perform authenticated encryption on the plaintext with the
   AES_128_CBC_HMAC_SHA_256 algorithm using the CEK as the encryption
   key, the JWE Initialization Vector, and the Additional Authenticated
   Data value above.  The steps for doing this using the values from
   this example are detailed in Appendix B.  The resulting ciphertext
   is:

   [40, 57, 83, 181, 119, 33, 133, 148, 198, 185, 243, 24, 152, 230, 6,
   75, 129, 223, 127, 19, 210, 82, 183, 230, 168, 33, 215, 104, 143,
   112, 56, 102]

   The resulting Authentication Tag value is:

   [83, 73, 191, 98, 104, 205, 211, 128, 201, 189, 199, 133, 32, 38,
   194, 85]

   Encoding this JWE Ciphertext as BASE64URL(JWE Ciphertext) gives this
   value:

     KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY

   Encoding this JWE Authentication Tag as BASE64URL(JWE Authentication
   Tag) gives this value:

     U0m_YmjN04DJvceFICbCVQ

A.3.7.  Complete Representation

   Assemble the final representation: The Compact Serialization of this
   result is the string BASE64URL(UTF8(JWE Protected Header)) || '.' ||
   BASE64URL(JWE Encrypted Key) || '.' || BASE64URL(JWE Initialization
   Vector) || '.' || BASE64URL(JWE Ciphertext) || '.' || BASE64URL(JWE
   Authentication Tag).

Top      Up      ToC       Page 44 
   The final result in this example (with line breaks for display
   purposes only) is:

     eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0.
     6KB707dM9YTIgHtLvtgWQ8mKwboJW3of9locizkDTHzBC2IlrT1oOQ.
     AxY8DCtDaGlsbGljb3RoZQ.
     KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY.
     U0m_YmjN04DJvceFICbCVQ

A.3.8.  Validation

   This example illustrates the process of creating a JWE with AES Key
   Wrap for key encryption and AES GCM for content encryption.  These
   results can be used to validate JWE decryption implementations for
   these algorithms.  Also, since both the AES Key Wrap and AES GCM
   computations are deterministic, the resulting JWE value will be the
   same for all encryptions performed using these inputs.  Since the
   computation is reproducible, these results can also be used to
   validate JWE encryption implementations for these algorithms.

A.4.  Example JWE Using General JWE JSON Serialization

   This section contains an example using the general JWE JSON
   Serialization syntax.  This example demonstrates the capability for
   encrypting the same plaintext to multiple recipients.

   Two recipients are present in this example.  The algorithm and key
   used for the first recipient are the same as that used in
   Appendix A.2.  The algorithm and key used for the second recipient
   are the same as that used in Appendix A.3.  The resulting JWE
   Encrypted Key values are therefore the same; those computations are
   not repeated here.

   The plaintext, the CEK, JWE Initialization Vector, and JWE Protected
   Header are shared by all recipients (which must be the case, since
   the ciphertext and Authentication Tag are also shared).

Top      Up      ToC       Page 45 
A.4.1.  JWE Per-Recipient Unprotected Headers

   The first recipient uses the RSAES-PKCS1-v1_5 algorithm to encrypt
   the CEK.  The second uses AES Key Wrap to encrypt the CEK.  Key ID
   values are supplied for both keys.  The two JWE Per-Recipient
   Unprotected Header values used to represent these algorithms and key
   IDs are:

     {"alg":"RSA1_5","kid":"2011-04-29"}

   and

     {"alg":"A128KW","kid":"7"}

A.4.2.  JWE Protected Header

   Authenticated encryption is performed on the plaintext using the
   AES_128_CBC_HMAC_SHA_256 algorithm to produce the common JWE
   Ciphertext and JWE Authentication Tag values.  The JWE Protected
   Header value representing this is:

     {"enc":"A128CBC-HS256"}

   Encoding this JWE Protected Header as BASE64URL(UTF8(JWE Protected
   Header)) gives this value:

     eyJlbmMiOiJBMTI4Q0JDLUhTMjU2In0

A.4.3.  JWE Shared Unprotected Header

   This JWE uses the "jku" Header Parameter to reference a JWK Set.
   This is represented in the following JWE Shared Unprotected Header
   value as:

     {"jku":"https://server.example.com/keys.jwks"}

A.4.4.  Complete JOSE Header Values

   Combining the JWE Per-Recipient Unprotected Header, JWE Protected
   Header, and JWE Shared Unprotected Header values supplied, the JOSE
   Header values used for the first and second recipient, respectively,
   are:

     {"alg":"RSA1_5",
      "kid":"2011-04-29",
      "enc":"A128CBC-HS256",
      "jku":"https://server.example.com/keys.jwks"}

Top      Up      ToC       Page 46 
   and

     {"alg":"A128KW",
      "kid":"7",
      "enc":"A128CBC-HS256",
      "jku":"https://server.example.com/keys.jwks"}

A.4.5.  Additional Authenticated Data

   Let the Additional Authenticated Data encryption parameter be
   ASCII(BASE64URL(UTF8(JWE Protected Header))).  This value is:

   [101, 121, 74, 108, 98, 109, 77, 105, 79, 105, 74, 66, 77, 84, 73,
   52, 81, 48, 74, 68, 76, 85, 104, 84, 77, 106, 85, 50, 73, 110, 48]

A.4.6.  Content Encryption

   Perform authenticated encryption on the plaintext with the
   AES_128_CBC_HMAC_SHA_256 algorithm using the CEK as the encryption
   key, the JWE Initialization Vector, and the Additional Authenticated
   Data value above.  The steps for doing this using the values from
   Appendix A.3 are detailed in Appendix B.  The resulting ciphertext
   is:

   [40, 57, 83, 181, 119, 33, 133, 148, 198, 185, 243, 24, 152, 230, 6,
   75, 129, 223, 127, 19, 210, 82, 183, 230, 168, 33, 215, 104, 143,
   112, 56, 102]

   The resulting Authentication Tag value is:

   [51, 63, 149, 60, 252, 148, 225, 25, 92, 185, 139, 245, 35, 2, 47,
   207]

   Encoding this JWE Ciphertext as BASE64URL(JWE Ciphertext) gives this
   value:

     KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY

   Encoding this JWE Authentication Tag as BASE64URL(JWE Authentication
   Tag) gives this value:

     Mz-VPPyU4RlcuYv1IwIvzw

Top      Up      ToC       Page 47 
A.4.7.  Complete JWE JSON Serialization Representation

   The complete JWE JSON Serialization for these values is as follows
   (with line breaks within values for display purposes only):

     {
      "protected":
       "eyJlbmMiOiJBMTI4Q0JDLUhTMjU2In0",
      "unprotected":
       {"jku":"https://server.example.com/keys.jwks"},
      "recipients":[
       {"header":
         {"alg":"RSA1_5","kid":"2011-04-29"},
        "encrypted_key":
         "UGhIOguC7IuEvf_NPVaXsGMoLOmwvc1GyqlIKOK1nN94nHPoltGRhWhw7Zx0-
          kFm1NJn8LE9XShH59_i8J0PH5ZZyNfGy2xGdULU7sHNF6Gp2vPLgNZ__deLKx
          GHZ7PcHALUzoOegEI-8E66jX2E4zyJKx-YxzZIItRzC5hlRirb6Y5Cl_p-ko3
          YvkkysZIFNPccxRU7qve1WYPxqbb2Yw8kZqa2rMWI5ng8OtvzlV7elprCbuPh
          cCdZ6XDP0_F8rkXds2vE4X-ncOIM8hAYHHi29NX0mcKiRaD0-D-ljQTP-cFPg
          wCp6X-nZZd9OHBv-B3oWh2TbqmScqXMR4gp_A"},
       {"header":
         {"alg":"A128KW","kid":"7"},
        "encrypted_key":
         "6KB707dM9YTIgHtLvtgWQ8mKwboJW3of9locizkDTHzBC2IlrT1oOQ"}],
      "iv":
       "AxY8DCtDaGlsbGljb3RoZQ",
      "ciphertext":
       "KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY",
      "tag":
       "Mz-VPPyU4RlcuYv1IwIvzw"
     }

A.5.  Example JWE Using Flattened JWE JSON Serialization

   This section contains an example using the flattened JWE JSON
   Serialization syntax.  This example demonstrates the capability for
   encrypting the plaintext to a single recipient in a flattened JSON
   structure.

   The values in this example are the same as those for the second
   recipient of the previous example in Appendix A.4.

Top      Up      ToC       Page 48 
   The complete JWE JSON Serialization for these values is as follows
   (with line breaks within values for display purposes only):

     {
      "protected":
       "eyJlbmMiOiJBMTI4Q0JDLUhTMjU2In0",
      "unprotected":
       {"jku":"https://server.example.com/keys.jwks"},
      "header":
       {"alg":"A128KW","kid":"7"},
      "encrypted_key":
       "6KB707dM9YTIgHtLvtgWQ8mKwboJW3of9locizkDTHzBC2IlrT1oOQ",
      "iv":
       "AxY8DCtDaGlsbGljb3RoZQ",
      "ciphertext":
       "KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY",
      "tag":
       "Mz-VPPyU4RlcuYv1IwIvzw"
     }

Appendix B.  Example AES_128_CBC_HMAC_SHA_256 Computation

   This example shows the steps in the AES_128_CBC_HMAC_SHA_256
   authenticated encryption computation using the values from the
   example in Appendix A.3.  As described where this algorithm is
   defined in Sections 5.2 and 5.2.3 of JWA, the AES_CBC_HMAC_SHA2
   family of algorithms are implemented using Advanced Encryption
   Standard (AES) in Cipher Block Chaining (CBC) mode with Public-Key
   Cryptography Standards (PKCS) #7 padding to perform the encryption
   and an HMAC SHA-2 function to perform the integrity calculation -- in
   this case, HMAC SHA-256.

B.1.  Extract MAC_KEY and ENC_KEY from Key

   The 256 bit AES_128_CBC_HMAC_SHA_256 key K used in this example
   (using JSON array notation) is:

   [4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, 63, 170, 106,
   206, 107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, 240, 143, 156,
   44, 207]

   Use the first 128 bits of this key as the HMAC SHA-256 key MAC_KEY,
   which is:

   [4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, 63, 170, 106,
   206]

Top      Up      ToC       Page 49 
   Use the last 128 bits of this key as the AES-CBC key ENC_KEY, which
   is:

   [107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, 240, 143, 156, 44,
   207]

   Note that the MAC key comes before the encryption key in the input
   key K; this is in the opposite order of the algorithm names in the
   identifiers "AES_128_CBC_HMAC_SHA_256" and "A128CBC-HS256".

B.2.  Encrypt Plaintext to Create Ciphertext

   Encrypt the plaintext with AES in CBC mode using PKCS #7 padding
   using the ENC_KEY above.  The plaintext in this example is:

   [76, 105, 118, 101, 32, 108, 111, 110, 103, 32, 97, 110, 100, 32,
   112, 114, 111, 115, 112, 101, 114, 46]

   The encryption result is as follows, which is the ciphertext output:

   [40, 57, 83, 181, 119, 33, 133, 148, 198, 185, 243, 24, 152, 230, 6,
   75, 129, 223, 127, 19, 210, 82, 183, 230, 168, 33, 215, 104, 143,
   112, 56, 102]

B.3.  64-Bit Big-Endian Representation of AAD Length

   The Additional Authenticated Data (AAD) in this example is:

   [101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 66, 77, 84, 73, 52,
   83, 49, 99, 105, 76, 67, 74, 108, 98, 109, 77, 105, 79, 105, 74, 66,
   77, 84, 73, 52, 81, 48, 74, 68, 76, 85, 104, 84, 77, 106, 85, 50, 73,
   110, 48]

   This AAD is 51-bytes long, which is 408-bits long.  The octet string
   AL, which is the number of bits in AAD expressed as a big-endian
   64-bit unsigned integer is:

   [0, 0, 0, 0, 0, 0, 1, 152]

B.4.  Initialization Vector Value

   The Initialization Vector value used in this example is:

   [3, 22, 60, 12, 43, 67, 104, 105, 108, 108, 105, 99, 111, 116, 104,
   101]

Top      Up      ToC       Page 50 
B.5.  Create Input to HMAC Computation

   Concatenate the AAD, the Initialization Vector, the ciphertext, and
   the AL value.  The result of this concatenation is:

   [101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 66, 77, 84, 73, 52,
   83, 49, 99, 105, 76, 67, 74, 108, 98, 109, 77, 105, 79, 105, 74, 66,
   77, 84, 73, 52, 81, 48, 74, 68, 76, 85, 104, 84, 77, 106, 85, 50, 73,
   110, 48, 3, 22, 60, 12, 43, 67, 104, 105, 108, 108, 105, 99, 111,
   116, 104, 101, 40, 57, 83, 181, 119, 33, 133, 148, 198, 185, 243, 24,
   152, 230, 6, 75, 129, 223, 127, 19, 210, 82, 183, 230, 168, 33, 215,
   104, 143, 112, 56, 102, 0, 0, 0, 0, 0, 0, 1, 152]

B.6.  Compute HMAC Value

   Compute the HMAC SHA-256 of the concatenated value above.  This
   result M is:

   [83, 73, 191, 98, 104, 205, 211, 128, 201, 189, 199, 133, 32, 38,
   194, 85, 9, 84, 229, 201, 219, 135, 44, 252, 145, 102, 179, 140, 105,
   86, 229, 116]

B.7.  Truncate HMAC Value to Create Authentication Tag

   Use the first half (128 bits) of the HMAC output M as the
   Authentication Tag output T.  This truncated value is:

   [83, 73, 191, 98, 104, 205, 211, 128, 201, 189, 199, 133, 32, 38,
   194, 85]

Acknowledgements

   Solutions for encrypting JSON content were also explored by "JSON
   Simple Encryption" [JSE] and "JavaScript Message Security Format"
   [JSMS], both of which significantly influenced this document.  This
   document attempts to explicitly reuse as many of the relevant
   concepts from XML Encryption 1.1 [W3C.REC-xmlenc-core1-20130411] and
   RFC 5652 [RFC5652] as possible, while utilizing simple, compact JSON-
   based data structures.

   Special thanks are due to John Bradley, Eric Rescorla, and Nat
   Sakimura for the discussions that helped inform the content of this
   specification; to Eric Rescorla and Joe Hildebrand for allowing the
   reuse of text from [JSMS] in this document; and to Eric Rescorla for
   co-authoring many drafts of this specification.

   Thanks to Axel Nennker, Emmanuel Raviart, Brian Campbell, and Edmund
   Jay for validating the examples in this specification.

Top      Up      ToC       Page 51 
   This specification is the work of the JOSE working group, which
   includes dozens of active and dedicated participants.  In particular,
   the following individuals contributed ideas, feedback, and wording
   that influenced this specification:

   Richard Barnes, John Bradley, Brian Campbell, Alissa Cooper, Breno de
   Medeiros, Stephen Farrell, Dick Hardt, Jeff Hodges, Russ Housley,
   Edmund Jay, Scott Kelly, Stephen Kent, Barry Leiba, James Manger,
   Matt Miller, Kathleen Moriarty, Tony Nadalin, Hideki Nara, Axel
   Nennker, Ray Polk, Emmanuel Raviart, Eric Rescorla, Pete Resnick, Nat
   Sakimura, Jim Schaad, Hannes Tschofenig, and Sean Turner.

   Jim Schaad and Karen O'Donoghue chaired the JOSE working group and
   Sean Turner, Stephen Farrell, and Kathleen Moriarty served as
   Security Area Directors during the creation of this specification.

Authors' Addresses

   Michael B. Jones
   Microsoft

   EMail: mbj@microsoft.com
   URI:   http://self-issued.info/


   Joe Hildebrand
   Cisco Systems, Inc.

   EMail: jhildebr@cisco.com