RFC 7518

JSON Web Algorithms (JWA)

Part 4 of 4, p. 53 to 69

9.  Internationalization Considerations

   Passwords obtained from users are likely to require preparation and
   normalization to account for differences of octet sequences generated
   by different input devices, locales, etc.  It is RECOMMENDED that
   applications perform the steps outlined in [PRECIS] to prepare a
   password supplied directly by a user before performing key derivation
   and encryption.
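
   The preparation step this section recommends, as an added Go example
   written for this page (it is not code from RFC 7518 or from any JOSE
   library): a simplified PRECIS OpaqueString preparation (non-ASCII
   spaces mapped to U+0020, control characters rejected, canonical
   composition, empty result refused) placed in front of the
   "PBES2-HS256+A128KW" key derivation, run over three octet sequences a
   user might produce for the same visible password.  The compose table,
   the password variants and the p2s/p2c values are constructed for the
   example; the Go standard library has no Unicode normalizer, so the
   composition step covers only the accent pairs in that table and
   stands in for a full NFC pass (golang.org/x/text/unicode/norm or a
   PRECIS library in production).  The PBES2 salt layout
   UTF8(alg) || 0x00 || p2s and the iteration-count floor follow
   Section 4.8 of RFC 7518, which is not reproduced on this page.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"unicode"
)

// compose is a deliberately tiny canonical-composition table (base letter + combining acute
// accent -> precomposed letter) standing in for a full NFC pass, which the Go standard library
// cannot do; production code uses golang.org/x/text/unicode/norm or a PRECIS library.
var compose = map[[2]rune]rune{
	{'a', 0x301}: 0xe1, {'e', 0x301}: 0xe9, {'i', 0x301}: 0xed, {'o', 0x301}: 0xf3, {'u', 0x301}: 0xfa,
}

// preparePassword applies the OpaqueString profile of [PRECIS] in simplified form: non-ASCII
// spaces map to U+0020, control characters are rejected, the string is composed and non-empty.
func preparePassword(pw string) (string, error) {
	var out []rune
	for _, r := range pw {
		switch {
		case unicode.Is(unicode.Zs, r):
			r = ' '
		case unicode.IsControl(r):
			return "", fmt.Errorf("control character U+%04X not allowed in a password", r)
		}
		if n := len(out); n > 0 {
			if c, ok := compose[[2]rune{out[n-1], r}]; ok {
				out[n-1] = c
				continue
			}
		}
		out = append(out, r)
	}
	if len(out) == 0 {
		return "", errors.New("empty password")
	}
	return string(out), nil
}

// pbkdf2HMACSHA256 is PBKDF2 from [RFC2898] with HMAC-SHA-256 as the PRF.
func pbkdf2HMACSHA256(password, salt []byte, iterations, dkLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < dkLen; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		mac.Write(binary.BigEndian.AppendUint32(nil, block))
		u := mac.Sum(nil) // U_1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil) // U_j = PRF(P, U_{j-1}); T_i is the XOR of all U_j
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// pbes2Key derives the 128-bit key-wrapping key of "PBES2-HS256+A128KW": salt = UTF8(alg) ||
// 0x00 || p2s and p2c iterations, per Section 4.8 of RFC 7518 (not reproduced on this page).
func pbes2Key(password string, p2s []byte, p2c int) ([]byte, error) {
	prepared, err := preparePassword(password)
	if err != nil {
		return nil, err
	}
	if p2c < 1000 {
		return nil, errors.New("p2c below the RECOMMENDED minimum of 1000")
	}
	salt := append(append([]byte("PBES2-HS256+A128KW"), 0), p2s...)
	return pbkdf2HMACSHA256([]byte(prepared), salt, p2c, 16), nil
}

// passwordVariants are three constructed ways of typing the visible password "café au lait":
// precomposed é, decomposed e + U+0301, and a no-break space (U+00A0) instead of a space.
var passwordVariants = []string{"caf\u00e9 au lait", "cafe\u0301 au lait", "caf\u00e9\u00a0au lait"}

// DerivedKeys returns, per variant, the key derived after preparation and the key derived from
// the raw UTF-8 octets (p2s and p2c are constructed inputs; a real JWE carries them in its header).
func DerivedKeys(p2s []byte, p2c int) (prepared, raw [][]byte, err error) {
	salt := append(append([]byte("PBES2-HS256+A128KW"), 0), p2s...)
	for _, pw := range passwordVariants {
		k, e := pbes2Key(pw, p2s, p2c)
		if e != nil {
			return nil, nil, e
		}
		prepared = append(prepared, k)
		raw = append(raw, pbkdf2HMACSHA256([]byte(pw), salt, p2c, 16))
	}
	return prepared, raw, nil
}

func main() { fmt.Println(DerivedKeys([]byte("0123456789ab"), 4096)) }
```

   Without the preparation the three variants yield three different
   wrapping keys, so content encrypted under one device's rendering of
   the password cannot be decrypted with another's; after preparation
   the three keys agree.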

10.  References

10.1.  Normative References

   [AES]      National Institute of Standards and Technology (NIST),
              "Advanced Encryption Standard (AES)", FIPS PUB 197,
              November 2001, <http://csrc.nist.gov/publications/
              fips/fips197/fips-197.pdf>.

   [Boneh99]  "Twenty Years of Attacks on the RSA Cryptosystem", Notices
              of the American Mathematical Society (AMS), Vol. 46,
              No. 2, pp. 203-213, 1999, <http://crypto.stanford.edu/
              ~dabo/pubs/papers/RSA-survey.pdf>.

   [DSS]      National Institute of Standards and Technology (NIST),
              "Digital Signature Standard (DSS)", FIPS PUB 186-4, July
              2013, <http://nvlpubs.nist.gov/nistpubs/FIPS/
              NIST.FIPS.186-4.pdf>.

   [JWE]      Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)",
              RFC 7516, DOI 10.17487/RFC7516, May 2015,
              <http://www.rfc-editor.org/info/rfc7516>.

   [JWK]      Jones, M., "JSON Web Key (JWK)", RFC 7517,
              DOI 10.17487/RFC7517, May 2015,
              <http://www.rfc-editor.org/info/rfc7517>.

   [JWS]      Jones, M., Bradley, J., and N. Sakimura, "JSON Web
              Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May
              2015, <http://www.rfc-editor.org/info/rfc7515>.

   [NIST.800-38A]
              National Institute of Standards and Technology (NIST),
              "Recommendation for Block Cipher Modes of Operation", NIST
              Special Publication 800-38A, December 2001,
              <http://csrc.nist.gov/publications/nistpubs/800-38a/
              sp800-38a.pdf>.

   [NIST.800-38D]
              National Institute of Standards and Technology (NIST),
              "Recommendation for Block Cipher Modes of Operation:
              Galois/Counter Mode (GCM) and GMAC", NIST Special
              Publication 800-38D, November 2007,
              <http://csrc.nist.gov/publications/nistpubs/800-38D/
              SP-800-38D.pdf>.

   [NIST.800-56A]
              National Institute of Standards and Technology (NIST),
              "Recommendation for Pair-Wise Key Establishment Schemes
              Using Discrete Logarithm Cryptography", NIST Special
              Publication 800-56A, Revision 2, May 2013,
              <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/
              NIST.SP.800-56Ar2.pdf>.

   [NIST.800-57]
              National Institute of Standards and Technology (NIST),
              "Recommendation for Key Management - Part 1: General
              (Revision 3)", NIST Special Publication 800-57, Part 1,
              Revision 3, July 2012, <http://csrc.nist.gov/publications/
              nistpubs/800-57/sp800-57_part1_rev3_general.pdf>.

   [RFC20]    Cerf, V., "ASCII format for Network Interchange", STD 80,
              RFC 20, DOI 10.17487/RFC0020, October 1969,
              <http://www.rfc-editor.org/info/rfc20>.

   [RFC2104]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC:
              Keyed-Hashing for Message Authentication", RFC 2104,
              DOI 10.17487/RFC2104, February 1997,
              <http://www.rfc-editor.org/info/rfc2104>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [RFC2898]  Kaliski, B., "PKCS #5: Password-Based Cryptography
              Specification Version 2.0", RFC 2898,
              DOI 10.17487/RFC2898, September 2000,
              <http://www.rfc-editor.org/info/rfc2898>.

   [RFC3394]  Schaad, J. and R. Housley, "Advanced Encryption Standard
              (AES) Key Wrap Algorithm", RFC 3394, DOI 10.17487/RFC3394,
              September 2002, <http://www.rfc-editor.org/info/rfc3394>.

   [RFC3447]  Jonsson, J. and B. Kaliski, "Public-Key Cryptography
              Standards (PKCS) #1: RSA Cryptography Specifications
              Version 2.1", RFC 3447, DOI 10.17487/RFC3447, February
              2003, <http://www.rfc-editor.org/info/rfc3447>.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
              2003, <http://www.rfc-editor.org/info/rfc3629>.

   [RFC4868]  Kelly, S. and S. Frankel, "Using HMAC-SHA-256,
              HMAC-SHA-384, and HMAC-SHA-512 with IPsec", RFC 4868,
              DOI 10.17487/RFC4868, May 2007,
              <http://www.rfc-editor.org/info/rfc4868>.

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
              FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
              <http://www.rfc-editor.org/info/rfc4949>.

   [RFC5652]  Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
              RFC 5652, DOI 10.17487/RFC5652, September 2009,
              <http://www.rfc-editor.org/info/rfc5652>.

   [RFC6090]  McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic
              Curve Cryptography Algorithms", RFC 6090,
              DOI 10.17487/RFC6090, February 2011,
              <http://www.rfc-editor.org/info/rfc6090>.

   [RFC7159]  Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
              Interchange Format", RFC 7159, DOI 10.17487/RFC7159, March
              2014, <http://www.rfc-editor.org/info/rfc7159>.

   [SEC1]     Standards for Efficient Cryptography Group, "SEC 1:
              Elliptic Curve Cryptography", Version 2.0, May 2009,
              <http://www.secg.org/sec1-v2.pdf>.

   [SHS]      National Institute of Standards and Technology (NIST),
              "Secure Hash Standard (SHS)", FIPS PUB 180-4, March 2012,
              <http://csrc.nist.gov/publications/fips/fips180-4/
              fips-180-4.pdf>.

   [UNICODE]  The Unicode Consortium, "The Unicode Standard",
              <http://www.unicode.org/versions/latest/>.

10.2.  Informative References

   [AEAD-CBC-SHA]
              McGrew, D., Foley, J., and K. Paterson, "Authenticated
              Encryption with AES-CBC and HMAC-SHA", Work in Progress,
              draft-mcgrew-aead-aes-cbc-hmac-sha2-05, July 2014.

   [CanvasApp]
              Facebook, "Canvas Applications", 2010,
              <http://developers.facebook.com/docs/authentication/
              canvas>.

   [JCA]      Oracle, "Java Cryptography Architecture (JCA) Reference
              Guide", 2014, <http://docs.oracle.com/javase/8/docs/techno
              tes/guides/security/crypto/CryptoSpec.html>.

   [JSE]      Bradley, J. and N. Sakimura (editor), "JSON Simple
              Encryption", September 2010,
              <http://jsonenc.info/enc/1.0/>.

   [JSMS]     Rescorla, E. and J. Hildebrand, "JavaScript Message
              Security Format", Work in Progress,
              draft-rescorla-jsms-00, March 2011.

   [JSS]      Bradley, J. and N. Sakimura, Ed., "JSON Simple Sign 1.0",
              Draft 01, September 2010, <http://jsonenc.info/jss/1.0/>.

   [JWE-JWK]  Miller, M., "Using JavaScript Object Notation (JSON) Web
              Encryption (JWE) for Protecting JSON Web Key (JWK)
              Objects", Work in Progress,
              draft-miller-jose-jwe-protected-jwk-02, June 2013.

   [MagicSignatures]
              Panzer, J., Ed., Laurie, B., and D. Balfanz, "Magic
              Signatures", January 2011,
              <http://salmon-protocol.googlecode.com/svn/trunk/
              draft-panzer-magicsig-01.html>.

   [NIST.800-107]
              National Institute of Standards and Technology (NIST),
              "Recommendation for Applications Using Approved Hash
              Algorithms", NIST Special Publication 800-107, Revision 1,
              August 2012, <http://csrc.nist.gov/publications/
              nistpubs/800-107-rev1/sp800-107-rev1.pdf>.

   [NIST.800-63-2]
              National Institute of Standards and Technology (NIST),
              "Electronic Authentication Guideline", NIST Special
              Publication 800-63-2, August 2013,
              <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/
              NIST.SP.800-63-2.pdf>.

   [PRECIS]   Saint-Andre, P. and A. Melnikov, "Preparation,
              Enforcement, and Comparison of Internationalized Strings
              Representing Usernames and Passwords", Work in Progress,
              draft-ietf-precis-saslprepbis-16, April 2015.

   [RFC2631]  Rescorla, E., "Diffie-Hellman Key Agreement Method",
              RFC 2631, DOI 10.17487/RFC2631, June 1999,
              <http://www.rfc-editor.org/info/rfc2631>.

   [RFC3275]  Eastlake 3rd, D., Reagle, J., and D. Solo, "(Extensible
              Markup Language) XML-Signature Syntax and Processing",
              RFC 3275, DOI 10.17487/RFC3275, March 2002,
              <http://www.rfc-editor.org/info/rfc3275>.

   [RFC4086]  Eastlake 3rd, D., Schiller, J., and S. Crocker,
              "Randomness Requirements for Security", BCP 106, RFC 4086,
              DOI 10.17487/RFC4086, June 2005,
              <http://www.rfc-editor.org/info/rfc4086>.

   [RFC5116]  McGrew, D., "An Interface and Algorithms for Authenticated
              Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008,
              <http://www.rfc-editor.org/info/rfc5116>.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              DOI 10.17487/RFC5226, May 2008,
              <http://www.rfc-editor.org/info/rfc5226>.

   [W3C.NOTE-xmldsig-core2-20130411]
              Eastlake, D., Reagle, J., Solo, D., Hirsch, F., Roessler,
              T., Yiu, K., Datta, P., and S. Cantor, "XML Signature
              Syntax and Processing Version 2.0", World Wide Web
              Consortium Note NOTE-xmldsig-core2-20130411, April 2013,
              <http://www.w3.org/TR/2013/NOTE-xmldsig-core2-20130411/>.

   [W3C.REC-xmlenc-core-20021210]
              Eastlake, D. and J. Reagle, "XML Encryption Syntax and
              Processing", World Wide Web Consortium Recommendation REC-
              xmlenc-core-20021210, December 2002,
              <http://www.w3.org/TR/2002/REC-xmlenc-core-20021210>.

   [W3C.REC-xmlenc-core1-20130411]
              Eastlake, D., Reagle, J., Hirsch, F., and T. Roessler,
              "XML Encryption Syntax and Processing Version 1.1", World
              Wide Web Consortium Recommendation REC-xmlenc-
              core1-20130411, April 2013,
              <http://www.w3.org/TR/2013/REC-xmlenc-core1-20130411/>.

Appendix A.  Algorithm Identifier Cross-Reference

   This appendix contains tables cross-referencing the cryptographic
   algorithm identifier values defined in this specification with the
   equivalent identifiers used by other standards and software packages.
   See XML DSIG [RFC3275], XML DSIG 2.0
   [W3C.NOTE-xmldsig-core2-20130411], XML Encryption
   [W3C.REC-xmlenc-core-20021210], XML Encryption 1.1
   [W3C.REC-xmlenc-core1-20130411], and Java Cryptography Architecture
   [JCA] for more information about the names defined by those
   documents.

A.1.  Digital Signature/MAC Algorithm Identifier Cross-Reference

   This section contains a table cross-referencing the JWS digital
   signature and MAC "alg" (algorithm) values defined in this
   specification with the equivalent identifiers used by other standards
   and software packages.

   JWS      XML DSIG
            JCA                                     OID
   ---------------------------------------------------------------------

   HS256    http://www.w3.org/2001/04/xmldsig-more#hmac-sha256
            HmacSHA256                              1.2.840.113549.2.9

   HS384    http://www.w3.org/2001/04/xmldsig-more#hmac-sha384
            HmacSHA384                              1.2.840.113549.2.10

   HS512    http://www.w3.org/2001/04/xmldsig-more#hmac-sha512
            HmacSHA512                              1.2.840.113549.2.11

   RS256    http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
            SHA256withRSA                           1.2.840.113549.1.1.11

   RS384    http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
            SHA384withRSA                           1.2.840.113549.1.1.12

   RS512    http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
            SHA512withRSA                           1.2.840.113549.1.1.13

   ES256    http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256
            SHA256withECDSA                         1.2.840.10045.4.3.2

   ES384    http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384
            SHA384withECDSA                         1.2.840.10045.4.3.3

   ES512    http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512
            SHA512withECDSA                         1.2.840.10045.4.3.4

   PS256    http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1
            SHA256withRSAandMGF1                    1.2.840.113549.1.1.10

   PS384    http://www.w3.org/2007/05/xmldsig-more#sha384-rsa-MGF1
            SHA384withRSAandMGF1                    1.2.840.113549.1.1.10

   PS512    http://www.w3.org/2007/05/xmldsig-more#sha512-rsa-MGF1
            SHA512withRSAandMGF1                    1.2.840.113549.1.1.10

A.2.  Key Management Algorithm Identifier Cross-Reference

   This section contains a table cross-referencing the JWE "alg"
   (algorithm) values defined in this specification with the equivalent
   identifiers used by other standards and software packages.

   JWE            XML ENC
                  JCA                                     OID
   ---------------------------------------------------------------------

   RSA1_5         http://www.w3.org/2001/04/xmlenc#rsa-1_5
                  RSA/ECB/PKCS1Padding                    1.2.840.113549.1.1.1

   RSA-OAEP       http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
                  RSA/ECB/OAEPWithSHA-1AndMGF1Padding     1.2.840.113549.1.1.7

   RSA-OAEP-256   http://www.w3.org/2009/xmlenc11#rsa-oaep
                  & http://www.w3.org/2009/xmlenc11#mgf1sha256
                  RSA/ECB/OAEPWithSHA-256AndMGF1Padding   1.2.840.113549.1.1.7
                  & MGF1ParameterSpec.SHA256

   ECDH-ES        http://www.w3.org/2009/xmlenc11#ECDH-ES
                  ECDH                                    1.3.132.1.12

   A128KW         http://www.w3.org/2001/04/xmlenc#kw-aes128
                  AESWrap                                 2.16.840.1.101.3.4.1.5

   A192KW         http://www.w3.org/2001/04/xmlenc#kw-aes192
                  AESWrap                                 2.16.840.1.101.3.4.1.25

   A256KW         http://www.w3.org/2001/04/xmlenc#kw-aes256
                  AESWrap                                 2.16.840.1.101.3.4.1.45

A.3.  Content Encryption Algorithm Identifier Cross-Reference

   This section contains a table cross-referencing the JWE "enc"
   (encryption algorithm) values defined in this specification with the
   equivalent identifiers used by other standards and software packages.

   For the composite algorithms "A128CBC-HS256", "A192CBC-HS384", and
   "A256CBC-HS512", the corresponding AES-CBC algorithm identifiers are
   listed.

   JWE            XML ENC
                  JCA                      OID
   ---------------------------------------------------------------------

   A128CBC-HS256  http://www.w3.org/2001/04/xmlenc#aes128-cbc
                  AES/CBC/PKCS5Padding     2.16.840.1.101.3.4.1.2

   A192CBC-HS384  http://www.w3.org/2001/04/xmlenc#aes192-cbc
                  AES/CBC/PKCS5Padding     2.16.840.1.101.3.4.1.22

   A256CBC-HS512  http://www.w3.org/2001/04/xmlenc#aes256-cbc
                  AES/CBC/PKCS5Padding     2.16.840.1.101.3.4.1.42

   A128GCM        http://www.w3.org/2009/xmlenc11#aes128-gcm
                  AES/GCM/NoPadding        2.16.840.1.101.3.4.1.6

   A192GCM        http://www.w3.org/2009/xmlenc11#aes192-gcm
                  AES/GCM/NoPadding        2.16.840.1.101.3.4.1.26

   A256GCM        http://www.w3.org/2009/xmlenc11#aes256-gcm
                  AES/GCM/NoPadding        2.16.840.1.101.3.4.1.46

Appendix B.  Test Cases for AES_CBC_HMAC_SHA2 Algorithms

   The following test cases can be used to validate implementations of
   the AES_CBC_HMAC_SHA2 algorithms defined in Section 5.2.  They are
   also intended to correspond to test cases that may appear in a future
   version of [AEAD-CBC-SHA], demonstrating that the cryptographic
   computations performed are the same.

   The variable names are those defined in Section 5.2.  All values are
   hexadecimal.

B.1.  Test Cases for AES_128_CBC_HMAC_SHA_256

   AES_128_CBC_HMAC_SHA_256

     K =       00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
               10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f

     MAC_KEY = 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f

     ENC_KEY = 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f

     P =       41 20 63 69 70 68 65 72 20 73 79 73 74 65 6d 20
               6d 75 73 74 20 6e 6f 74 20 62 65 20 72 65 71 75
               69 72 65 64 20 74 6f 20 62 65 20 73 65 63 72 65
               74 2c 20 61 6e 64 20 69 74 20 6d 75 73 74 20 62
               65 20 61 62 6c 65 20 74 6f 20 66 61 6c 6c 20 69
               6e 74 6f 20 74 68 65 20 68 61 6e 64 73 20 6f 66
               20 74 68 65 20 65 6e 65 6d 79 20 77 69 74 68 6f
               75 74 20 69 6e 63 6f 6e 76 65 6e 69 65 6e 63 65

     IV =      1a f3 8c 2d c2 b9 6f fd d8 66 94 09 23 41 bc 04

     A =       54 68 65 20 73 65 63 6f 6e 64 20 70 72 69 6e 63
               69 70 6c 65 20 6f 66 20 41 75 67 75 73 74 65 20
               4b 65 72 63 6b 68 6f 66 66 73

     AL =      00 00 00 00 00 00 01 50

     E =       c8 0e df a3 2d df 39 d5 ef 00 c0 b4 68 83 42 79
               a2 e4 6a 1b 80 49 f7 92 f7 6b fe 54 b9 03 a9 c9
               a9 4a c9 b4 7a d2 65 5c 5f 10 f9 ae f7 14 27 e2
               fc 6f 9b 3f 39 9a 22 14 89 f1 63 62 c7 03 23 36
               09 d4 5a c6 98 64 e3 32 1c f8 29 35 ac 40 96 c8
               6e 13 33 14 c5 40 19 e8 ca 79 80 df a4 b9 cf 1b
               38 4c 48 6f 3a 54 c5 10 78 15 8e e5 d7 9d e5 9f
               bd 34 d8 48 b3 d6 95 50 a6 76 46 34 44 27 ad e5
               4b 88 51 ff b5 98 f7 f8 00 74 b9 47 3c 82 e2 db

     M =       65 2c 3f a3 6b 0a 7c 5b 32 19 fa b3 a3 0b c1 c4
               e6 e5 45 82 47 65 15 f0 ad 9f 75 a2 b7 1c 73 ef

     T =       65 2c 3f a3 6b 0a 7c 5b 32 19 fa b3 a3 0b c1 c4

B.2.  Test Cases for AES_192_CBC_HMAC_SHA_384

     K =       00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
               10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
               20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f

     MAC_KEY = 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
               10 11 12 13 14 15 16 17

     ENC_KEY = 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27
               28 29 2a 2b 2c 2d 2e 2f

     P =       41 20 63 69 70 68 65 72 20 73 79 73 74 65 6d 20
               6d 75 73 74 20 6e 6f 74 20 62 65 20 72 65 71 75
               69 72 65 64 20 74 6f 20 62 65 20 73 65 63 72 65
               74 2c 20 61 6e 64 20 69 74 20 6d 75 73 74 20 62
               65 20 61 62 6c 65 20 74 6f 20 66 61 6c 6c 20 69
               6e 74 6f 20 74 68 65 20 68 61 6e 64 73 20 6f 66
               20 74 68 65 20 65 6e 65 6d 79 20 77 69 74 68 6f
               75 74 20 69 6e 63 6f 6e 76 65 6e 69 65 6e 63 65

     IV =      1a f3 8c 2d c2 b9 6f fd d8 66 94 09 23 41 bc 04

     A =       54 68 65 20 73 65 63 6f 6e 64 20 70 72 69 6e 63
               69 70 6c 65 20 6f 66 20 41 75 67 75 73 74 65 20
               4b 65 72 63 6b 68 6f 66 66 73

     AL =      00 00 00 00 00 00 01 50

     E =       ea 65 da 6b 59 e6 1e db 41 9b e6 2d 19 71 2a e5
               d3 03 ee b5 00 52 d0 df d6 69 7f 77 22 4c 8e db
               00 0d 27 9b dc 14 c1 07 26 54 bd 30 94 42 30 c6
               57 be d4 ca 0c 9f 4a 84 66 f2 2b 22 6d 17 46 21
               4b f8 cf c2 40 0a dd 9f 51 26 e4 79 66 3f c9 0b
               3b ed 78 7a 2f 0f fc bf 39 04 be 2a 64 1d 5c 21
               05 bf e5 91 ba e2 3b 1d 74 49 e5 32 ee f6 0a 9a
               c8 bb 6c 6b 01 d3 5d 49 78 7b cd 57 ef 48 49 27
               f2 80 ad c9 1a c0 c4 e7 9c 7b 11 ef c6 00 54 e3

     M =       84 90 ac 0e 58 94 9b fe 51 87 5d 73 3f 93 ac 20
               75 16 80 39 cc c7 33 d7 45 94 f8 86 b3 fa af d4
               86 f2 5c 71 31 e3 28 1e 36 c7 a2 d1 30 af de 57

     T =       84 90 ac 0e 58 94 9b fe 51 87 5d 73 3f 93 ac 20
               75 16 80 39 cc c7 33 d7

B.3.  Test Cases for AES_256_CBC_HMAC_SHA_512

     K =       00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
               10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
               20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f
               30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f

     MAC_KEY = 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
               10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f

     ENC_KEY = 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f
               30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f

     P =       41 20 63 69 70 68 65 72 20 73 79 73 74 65 6d 20
               6d 75 73 74 20 6e 6f 74 20 62 65 20 72 65 71 75
               69 72 65 64 20 74 6f 20 62 65 20 73 65 63 72 65
               74 2c 20 61 6e 64 20 69 74 20 6d 75 73 74 20 62
               65 20 61 62 6c 65 20 74 6f 20 66 61 6c 6c 20 69
               6e 74 6f 20 74 68 65 20 68 61 6e 64 73 20 6f 66
               20 74 68 65 20 65 6e 65 6d 79 20 77 69 74 68 6f
               75 74 20 69 6e 63 6f 6e 76 65 6e 69 65 6e 63 65

     IV =      1a f3 8c 2d c2 b9 6f fd d8 66 94 09 23 41 bc 04

     A =       54 68 65 20 73 65 63 6f 6e 64 20 70 72 69 6e 63
               69 70 6c 65 20 6f 66 20 41 75 67 75 73 74 65 20
               4b 65 72 63 6b 68 6f 66 66 73

     AL =      00 00 00 00 00 00 01 50

     E =       4a ff aa ad b7 8c 31 c5 da 4b 1b 59 0d 10 ff bd
               3d d8 d5 d3 02 42 35 26 91 2d a0 37 ec bc c7 bd
               82 2c 30 1d d6 7c 37 3b cc b5 84 ad 3e 92 79 c2
               e6 d1 2a 13 74 b7 7f 07 75 53 df 82 94 10 44 6b
               36 eb d9 70 66 29 6a e6 42 7e a7 5c 2e 08 46 a1
               1a 09 cc f5 37 0d c8 0b fe cb ad 28 c7 3f 09 b3
               a3 b7 5e 66 2a 25 94 41 0a e4 96 b2 e2 e6 60 9e
               31 e6 e0 2c c8 37 f0 53 d2 1f 37 ff 4f 51 95 0b
               be 26 38 d0 9d d7 a4 93 09 30 80 6d 07 03 b1 f6

     M =       4d d3 b4 c0 88 a7 f4 5c 21 68 39 64 5b 20 12 bf
               2e 62 69 a8 c5 6a 81 6d bc 1b 26 77 61 95 5b c5
               fd 30 a5 65 c6 16 ff b2 f3 64 ba ec e6 8f c4 07
               53 bc fc 02 5d de 36 93 75 4a a1 f5 c3 37 3b 9c

     T =       4d d3 b4 c0 88 a7 f4 5c 21 68 39 64 5b 20 12 bf
               2e 62 69 a8 c5 6a 81 6d bc 1b 26 77 61 95 5b c5

Appendix C.  Example ECDH-ES Key Agreement Computation

   This example uses ECDH-ES Key Agreement and the Concat KDF to derive
   the CEK in the manner described in Section 4.6.  In this example, the
   ECDH-ES Direct Key Agreement mode ("alg" value "ECDH-ES") is used to
   produce an agreed-upon key for AES GCM with a 128-bit key ("enc"
   value "A128GCM").

   In this example, a producer Alice is encrypting content to a consumer
   Bob.  The producer (Alice) generates an ephemeral key for the key
   agreement computation.  Alice's ephemeral key (in JWK format) used
   for the key agreement computation in this example (including the
   private part) is:

     {"kty":"EC",
      "crv":"P-256",
      "x":"gI0GAILBdu7T53akrFmMyGcsF3n5dO7MmwNBHKW5SV0",
      "y":"SLW_xSffzlPWrHEVI30DHM_4egVwt3NQqeUD7nMFpps",
      "d":"0_NxaRPUMQoAJt50Gz8YiTr8gRTwyEaCumd-MToTmIo"
     }

   The consumer's (Bob's) key (in JWK format) used for the key agreement
   computation in this example (including the private part) is:

     {"kty":"EC",
      "crv":"P-256",
      "x":"weNJy2HscCSM6AEDTDg04biOvhFhyyWvOHQfeF_PxMQ",
      "y":"e8lnCO-AlStT-NJVX-crhB7QRYhiix03illJOVAOyck",
      "d":"VEmDZpDXXK8p8N0Cndsxs924q6nS1RXFASRl6BfUqdw"
     }

   Header Parameter values used in this example are as follows.  The
   "apu" (agreement PartyUInfo) Header Parameter value is the base64url
   encoding of the UTF-8 string "Alice" and the "apv" (agreement
   PartyVInfo) Header Parameter value is the base64url encoding of the
   UTF-8 string "Bob".  The "epk" (ephemeral public key) Header
   Parameter is used to communicate the producer's (Alice's) ephemeral
   public key value to the consumer (Bob).

     {"alg":"ECDH-ES",
      "enc":"A128GCM",
      "apu":"QWxpY2U",
      "apv":"Qm9i",
      "epk":
       {"kty":"EC",
        "crv":"P-256",
        "x":"gI0GAILBdu7T53akrFmMyGcsF3n5dO7MmwNBHKW5SV0",
        "y":"SLW_xSffzlPWrHEVI30DHM_4egVwt3NQqeUD7nMFpps"
       }
     }

   The resulting Concat KDF [NIST.800-56A] parameter values are:

   Z
      This is set to the ECDH-ES key agreement output.  (This value is
      often not directly exposed by libraries, due to NIST security
      requirements, and only serves as an input to a KDF.)  In this
      example, Z is the following octet sequence (using JSON array
      notation):
      [158, 86, 217, 29, 129, 113, 53, 211, 114, 131, 66, 131, 191, 132,
      38, 156, 251, 49, 110, 163, 218, 128, 106, 72, 246, 218, 167, 121,
      140, 254, 144, 196].

   keydatalen
      This value is 128 - the number of bits in the desired output key
      (because "A128GCM" uses a 128-bit key).

   AlgorithmID
      This is set to the octets representing the 32-bit big-endian value
      7 - [0, 0, 0, 7] - the number of octets in the AlgorithmID content
      "A128GCM", followed by the octets representing the ASCII string
      "A128GCM" - [65, 49, 50, 56, 71, 67, 77].

   PartyUInfo
      This is set to the octets representing the 32-bit big-endian value
      5 - [0, 0, 0, 5] - the number of octets in the PartyUInfo content
      "Alice", followed by the octets representing the UTF-8 string
      "Alice" - [65, 108, 105, 99, 101].

   PartyVInfo
      This is set to the octets representing the 32-bit big-endian value
      3 - [0, 0, 0, 3] - the number of octets in the PartyVInfo content
      "Bob", followed by the octets representing the UTF-8 string "Bob"
      - [66, 111, 98].

   SuppPubInfo
      This is set to the octets representing the 32-bit big-endian value
      128 - [0, 0, 0, 128] - the keydatalen value.

   SuppPrivInfo
      This is set to the empty octet sequence.

   Concatenating the parameters AlgorithmID through SuppPubInfo results
   in an OtherInfo value of:
   [0, 0, 0, 7, 65, 49, 50, 56, 71, 67, 77, 0, 0, 0, 5, 65, 108, 105,
   99, 101, 0, 0, 0, 3, 66, 111, 98, 0, 0, 0, 128]

   Concatenating the round number 1 ([0, 0, 0, 1]), Z, and the OtherInfo
   value results in the Concat KDF round 1 hash input of:
   [0, 0, 0, 1,
   158, 86, 217, 29, 129, 113, 53, 211, 114, 131, 66, 131, 191, 132, 38,
   156, 251, 49, 110, 163, 218, 128, 106, 72, 246, 218, 167, 121, 140,
   254, 144, 196,
   0, 0, 0, 7, 65, 49, 50, 56, 71, 67, 77, 0, 0, 0, 5, 65, 108, 105, 99,
   101, 0, 0, 0, 3, 66, 111, 98, 0, 0, 0, 128]

   The resulting derived key, which is the first 128 bits of the round 1
   hash output, is:
   [86, 170, 141, 234, 248, 35, 109, 32, 92, 34, 40, 205, 113, 167, 16,
   26]

   The base64url-encoded representation of this derived key is:

     VqqN6vgjbSBcIijNcacQGg
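
   The computation above, as an added Go example written for this page
   (not code from RFC 7518 or from any JOSE library): it parses the two
   JWKs and the Protected Header shown, runs the P-256 ECDH on both
   sides with crypto/ecdh, feeds Z through the Concat KDF with the
   AlgorithmID, PartyUInfo, PartyVInfo and SuppPubInfo layout listed
   above, and reproduces the derived key VqqN6vgjbSBcIijNcacQGg.  The
   type and function names are the example's own; the alg/enc/crv
   checks and the rejection of an "epk" point that is not on P-256 are
   the consumer-side checks a practitioner adds and are not spelled out
   in the appendix.

```go
package main

import (
	"crypto/ecdh"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

type ecJWK struct { // subset of a P-256 JWK; "d" is present only on private keys
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
	D   string `json:"d,omitempty"`
}

// header holds the JWE Protected Header members consumed by ECDH-ES direct key agreement.
type header struct {
	Alg string `json:"alg"`
	Enc string `json:"enc"`
	Apu string `json:"apu"`
	Apv string `json:"apv"`
	Epk ecJWK  `json:"epk"`
}

// In Direct Key Agreement mode AlgorithmID is the "enc" value and keydatalen its key size in bits.
var encKeyBits = map[string]int{"A128GCM": 128, "A192GCM": 192, "A256GCM": 256}

// b64u decodes a base64url field; failures accumulate in *err so callers check once.
func b64u(s string, err *error) []byte {
	b, e := base64.RawURLEncoding.DecodeString(s)
	*err = errors.Join(*err, e)
	return b
}

// concatKDF is the SHA-256 Concat KDF of [NIST.800-56A] as used in Section 4.6.2: round i hashes
// INT32(i) || Z || AlgorithmID || PartyUInfo || PartyVInfo || SuppPubInfo, the middle three as
// Datalen || Data, SuppPrivInfo empty; the output is truncated to keydatalen bits.
func concatKDF(z, algID, apu, apv []byte, keydatalen int) []byte {
	var otherInfo []byte
	for _, f := range [][]byte{algID, apu, apv} {
		otherInfo = append(binary.BigEndian.AppendUint32(otherInfo, uint32(len(f))), f...)
	}
	otherInfo = binary.BigEndian.AppendUint32(otherInfo, uint32(keydatalen)) // SuppPubInfo
	var out []byte
	for round := uint32(1); len(out) < keydatalen/8; round++ {
		h := sha256.New()
		h.Write(binary.BigEndian.AppendUint32(nil, round))
		h.Write(z)
		h.Write(otherInfo)
		out = h.Sum(out)
	}
	return out[:keydatalen/8]
}

// deriveCEK is one party's view of ECDH-ES Direct Key Agreement: Z = ECDH(own "d", peer point),
// then CEK = Concat KDF(Z) with AlgorithmID = "enc", PartyUInfo = "apu", PartyVInfo = "apv".
func deriveCEK(own, peer ecJWK, h header) (z, cek []byte, err error) {
	bits, ok := encKeyBits[h.Enc]
	if h.Alg != "ECDH-ES" || !ok || peer.Crv != "P-256" {
		return nil, nil, fmt.Errorf("unsupported alg/enc/crv %q/%q/%q", h.Alg, h.Enc, peer.Crv)
	}
	d, x, y := b64u(own.D, &err), b64u(peer.X, &err), b64u(peer.Y, &err)
	apu, apv := b64u(h.Apu, &err), b64u(h.Apv, &err)
	priv, errD := ecdh.P256().NewPrivateKey(d)
	// NewPublicKey takes the uncompressed SEC1 point 04 || X || Y and rejects points that are
	// not on P-256: the invalid-curve check a consumer must apply to a received "epk".
	pub, errQ := ecdh.P256().NewPublicKey(append(append([]byte{0x04}, x...), y...))
	if err = errors.Join(err, errD, errQ); err != nil {
		return nil, nil, err
	}
	if z, err = priv.ECDH(pub); err != nil { // Z is the x-coordinate of the shared point
		return nil, nil, err
	}
	return z, concatKDF(z, []byte(h.Enc), apu, apv, bits), nil
}

// Alice's ephemeral key, Bob's static key and the Protected Header, copied from Appendix C.
const (
	aliceJWK  = `{"kty":"EC","crv":"P-256","x":"gI0GAILBdu7T53akrFmMyGcsF3n5dO7MmwNBHKW5SV0","y":"SLW_xSffzlPWrHEVI30DHM_4egVwt3NQqeUD7nMFpps","d":"0_NxaRPUMQoAJt50Gz8YiTr8gRTwyEaCumd-MToTmIo"}`
	bobJWK    = `{"kty":"EC","crv":"P-256","x":"weNJy2HscCSM6AEDTDg04biOvhFhyyWvOHQfeF_PxMQ","y":"e8lnCO-AlStT-NJVX-crhB7QRYhiix03illJOVAOyck","d":"VEmDZpDXXK8p8N0Cndsxs924q6nS1RXFASRl6BfUqdw"}`
	jweHeader = `{"alg":"ECDH-ES","enc":"A128GCM","apu":"QWxpY2U","apv":"Qm9i","epk":{"kty":"EC","crv":"P-256","x":"gI0GAILBdu7T53akrFmMyGcsF3n5dO7MmwNBHKW5SV0","y":"SLW_xSffzlPWrHEVI30DHM_4egVwt3NQqeUD7nMFpps"}}`
)

// RunAppendixC derives the CEK on both sides: Alice from her ephemeral "d" and Bob's public key,
// Bob from his static "d" and the "epk" carried in the header.
func RunAppendixC() (zAlice, cekAlice, zBob, cekBob []byte, err error) {
	var alice, bob ecJWK
	var h header
	err = errors.Join(json.Unmarshal([]byte(aliceJWK), &alice), json.Unmarshal([]byte(bobJWK), &bob), json.Unmarshal([]byte(jweHeader), &h))
	if err != nil {
		return
	}
	if zAlice, cekAlice, err = deriveCEK(alice, bob, h); err != nil {
		return
	}
	zBob, cekBob, err = deriveCEK(bob, h.Epk, h)
	return
}

func main() { fmt.Println(RunAppendixC()) }
```

   Run as is, it prints Z and the CEK from both sides in the same
   decimal array notation the appendix uses.  Bob never sees Alice's
   "d": he derives the same Z from his own "d" and the "epk" in the
   header, which is why the consumer must validate that point before the
   scalar multiplication.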

Acknowledgements

   Solutions for signing and encrypting JSON content were previously
   explored by "Magic Signatures" [MagicSignatures], "JSON Simple Sign
   1.0" [JSS], "Canvas Applications" [CanvasApp], "JSON Simple
   Encryption" [JSE], and "JavaScript Message Security Format" [JSMS],
   all of which influenced this document.

   The "Authenticated Encryption with AES-CBC and HMAC-SHA"
   [AEAD-CBC-SHA] specification, upon which the AES_CBC_HMAC_SHA2
   algorithms are based, was written by David A. McGrew and Kenny
   Paterson.  The test cases for AES_CBC_HMAC_SHA2 are based upon those
   for [AEAD-CBC-SHA] by John Foley.

   Matt Miller wrote "Using JavaScript Object Notation (JSON) Web
   Encryption (JWE) for Protecting JSON Web Key (JWK) Objects"
   [JWE-JWK], upon which the password-based encryption content of this
   document is based.

   This specification is the work of the JOSE working group, which
   includes dozens of active and dedicated participants.  In particular,
   the following individuals contributed ideas, feedback, and wording
   that influenced this specification:

   Dirk Balfanz, Richard Barnes, Carsten Bormann, John Bradley, Brian
   Campbell, Alissa Cooper, Breno de Medeiros, Vladimir Dzhuvinov, Roni
   Even, Stephen Farrell, Yaron Y. Goland, Dick Hardt, Joe Hildebrand,
   Jeff Hodges, Edmund Jay, Charlie Kaufman, Barry Leiba, James Manger,
   Matt Miller, Kathleen Moriarty, Tony Nadalin, Axel Nennker, John
   Panzer, Emmanuel Raviart, Eric Rescorla, Pete Resnick, Nat Sakimura,
   Jim Schaad, Hannes Tschofenig, and Sean Turner.

   Jim Schaad and Karen O'Donoghue chaired the JOSE working group and
   Sean Turner, Stephen Farrell, and Kathleen Moriarty served as
   Security Area Directors during the creation of this specification.

Author's Address

   Michael B. Jones
   Microsoft

   EMail: mbj@microsoft.com
   URI:   http://self-issued.info/