Tech-invite3GPPspaceIETF RFCsSIP
9190898887868584838281807978777675747372717069686766656463626160595857565554535251504948474645444342414039383736353433323130292827262524232221201918171615141312111009080706050403020100
in Index   Prev   Next

RFC 7518

JSON Web Algorithms (JWA)

Pages: 69
Proposed Standard
Errata
Part 4 of 4 – Pages 53 to 69
First   Prev   None

Top   ToC   RFC7518 - Page 53   prevText

9. Internationalization Considerations

Passwords obtained from users are likely to require preparation and normalization to account for differences of octet sequences generated by different input devices, locales, etc. It is RECOMMENDED that applications perform the steps outlined in [PRECIS] to prepare a password supplied directly by a user before performing key derivation and encryption.

10. References

10.1. Normative References

[AES] National Institute of Standards and Technology (NIST), "Advanced Encryption Standard (AES)", FIPS PUB 197, November 2001, <http://csrc.nist.gov/publications/ fips/fips197/fips-197.pdf>. [Boneh99] "Twenty Years of Attacks on the RSA Cryptosystem", Notices of the American Mathematical Society (AMS), Vol. 46, No. 2, pp. 203-213, 1999, <http://crypto.stanford.edu/ ~dabo/pubs/papers/RSA-survey.pdf>.
Top   ToC   RFC7518 - Page 54
   [DSS]      National Institute of Standards and Technology (NIST),
              "Digital Signature Standard (DSS)", FIPS PUB 186-4, July
              2013, <http://nvlpubs.nist.gov/nistpubs/FIPS/
              NIST.FIPS.186-4.pdf>.

   [JWE]      Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)",
              RFC 7516, DOI 10.17487/RFC7516, May 2015,
              <http://www.rfc-editor.org/info/rfc7516>.

   [JWK]      Jones, M., "JSON Web Key (JWK)", RFC 7517,
              DOI 10.17487/RFC7517, May 2015,
              <http://www.rfc-editor.org/info/rfc7517>.

   [JWS]      Jones, M., Bradley, J., and N. Sakimura, "JSON Web
              Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May
              2015, <http://www.rfc-editor.org/info/rfc7515>.

   [NIST.800-38A]
              National Institute of Standards and Technology (NIST),
              "Recommendation for Block Cipher Modes of Operation", NIST
              Special Publication 800-38A, December 2001,
              <http://csrc.nist.gov/publications/nistpubs/800-38a/
              sp800-38a.pdf>.

   [NIST.800-38D]
              National Institute of Standards and Technology (NIST),
              "Recommendation for Block Cipher Modes of Operation:
              Galois/Counter Mode (GCM) and GMAC", NIST Special
              Publication 800-38D, December 2001,
              <http://csrc.nist.gov/publications/nistpubs/800-38D/
              SP-800-38D.pdf>.

   [NIST.800-56A]
              National Institute of Standards and Technology (NIST),
              "Recommendation for Pair-Wise Key Establishment Schemes
              Using Discrete Logarithm Cryptography", NIST Special
              Publication 800-56A, Revision 2, May 2013,
              <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/
              NIST.SP.800-56Ar2.pdf>.

   [NIST.800-57]
              National Institute of Standards and Technology (NIST),
              "Recommendation for Key Management - Part 1: General
              (Revision 3)", NIST Special Publication 800-57, Part 1,
              Revision 3, July 2012, <http://csrc.nist.gov/publications/
              nistpubs/800-57/sp800-57_part1_rev3_general.pdf>.
Top   ToC   RFC7518 - Page 55
   [RFC20]    Cerf, V., "ASCII format for Network Interchange", STD 80,
              RFC 20, DOI 10.17487/RFC0020, October 1969,
              <http://www.rfc-editor.org/info/rfc20>.

   [RFC2104]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC:
              Keyed-Hashing for Message Authentication", RFC 2104,
              DOI 10.17487/RFC2104, February 1997,
              <http://www.rfc-editor.org/info/rfc2104>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [RFC2898]  Kaliski, B., "PKCS #5: Password-Based Cryptography
              Specification Version 2.0", RFC 2898,
              DOI 10.17487/RFC2898, September 2000,
              <http://www.rfc-editor.org/info/rfc2898>.

   [RFC3394]  Schaad, J. and R. Housley, "Advanced Encryption Standard
              (AES) Key Wrap Algorithm", RFC 3394, DOI 10.17487/RFC3394,
              September 2002, <http://www.rfc-editor.org/info/rfc3394>.

   [RFC3447]  Jonsson, J. and B. Kaliski, "Public-Key Cryptography
              Standards (PKCS) #1: RSA Cryptography Specifications
              Version 2.1", RFC 3447, DOI 10.17487/RFC3447, February
              2003, <http://www.rfc-editor.org/info/rfc3447>.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
              2003, <http://www.rfc-editor.org/info/rfc3629>.

   [RFC4868]  Kelly, S. and S. Frankel, "Using HMAC-SHA-256,
              HMAC-SHA-384, and HMAC-SHA-512 with IPsec", RFC 4868,
              DOI 10.17487/RFC4868, May 2007,
              <http://www.rfc-editor.org/info/rfc4868>.

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
              FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
              <http://www.rfc-editor.org/info/rfc4949>.

   [RFC5652]  Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
              RFC 5652, DOI 10.17487/RFC5652, September 2009,
              <http://www.rfc-editor.org/info/rfc5652>.
Top   ToC   RFC7518 - Page 56
   [RFC6090]  McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic
              Curve Cryptography Algorithms", RFC 6090,
              DOI 10.17487/RFC6090, February 2011,
              <http://www.rfc-editor.org/info/rfc6090>.

   [RFC7159]  Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
              Interchange Format", RFC 7159, DOI 10.17487/RFC7159, March
              2014, <http://www.rfc-editor.org/info/rfc7159>.

   [SEC1]     Standards for Efficient Cryptography Group, "SEC 1:
              Elliptic Curve Cryptography", Version 2.0, May 2009,
              <http://www.secg.org/sec1-v2.pdf>.

   [SHS]      National Institute of Standards and Technology (NIST),
              "Secure Hash Standard (SHS)", FIPS PUB 180-4, March 2012,
              <http://csrc.nist.gov/publications/fips/fips180-4/
              fips-180-4.pdf>.

   [UNICODE]  The Unicode Consortium, "The Unicode Standard",
              <http://www.unicode.org/versions/latest/>.

10.2. Informative References

[AEAD-CBC-SHA] McGrew, D., Foley, J., and K. Paterson, "Authenticated Encryption with AES-CBC and HMAC-SHA", Work in Progress, draft-mcgrew-aead-aes-cbc-hmac-sha2-05, July 2014. [CanvasApp] Facebook, "Canvas Applications", 2010, <http://developers.facebook.com/docs/authentication/ canvas>. [JCA] Oracle, "Java Cryptography Architecture (JCA) Reference Guide", 2014, <http://docs.oracle.com/javase/8/docs/techno tes/guides/security/crypto/CryptoSpec.html>. [JSE] Bradley, J. and N. Sakimura (editor), "JSON Simple Encryption", September 2010, <http://jsonenc.info/enc/1.0/>. [JSMS] Rescorla, E. and J. Hildebrand, "JavaScript Message Security Format", Work in Progress, draft-rescorla-jsms-00, March 2011. [JSS] Bradley, J. and N. Sakimura, Ed., "JSON Simple Sign 1.0", Draft 01, September 2010, <http://jsonenc.info/jss/1.0/>.
Top   ToC   RFC7518 - Page 57
   [JWE-JWK]  Miller, M., "Using JavaScript Object Notation (JSON) Web
              Encryption (JWE) for Protecting JSON Web Key (JWK)
              Objects", Work in Progress,
              draft-miller-jose-jwe-protected-jwk-02, June 2013.

   [MagicSignatures]
              Panzer, J., Ed., Laurie, B., and D. Balfanz, "Magic
              Signatures", January 2011,
              <http://salmon-protocol.googlecode.com/svn/trunk/
              draft-panzer-magicsig-01.html>.

   [NIST.800-107]
              National Institute of Standards and Technology (NIST),
              "Recommendation for Applications Using Approved Hash
              Algorithms", NIST Special Publication 800-107, Revision 1,
              August 2012, <http://csrc.nist.gov/publications/
              nistpubs/800-107-rev1/sp800-107-rev1.pdf>.

   [NIST.800-63-2]
              National Institute of Standards and Technology (NIST),
              "Electronic Authentication Guideline", NIST Special
              Publication 800-63-2, August 2013,
              <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/
              NIST.SP.800-63-2.pdf>.

   [PRECIS]   Saint-Andre, P. and A. Melnikov, "Preparation,
              Enforcement, and Comparison of Internationalized Strings
              Representing Usernames and Passwords", Work in Progress,
              draft-ietf-precis-saslprepbis-16, April 2015.

   [RFC2631]  Rescorla, E., "Diffie-Hellman Key Agreement Method",
              RFC 2631, DOI 10.17487/RFC2631, June 1999,
              <http://www.rfc-editor.org/info/rfc2631>.

   [RFC3275]  Eastlake 3rd, D., Reagle, J., and D. Solo, "(Extensible
              Markup Language) XML-Signature Syntax and Processing",
              RFC 3275, DOI 10.17487/RFC3275, March 2002,
              <http://www.rfc-editor.org/info/rfc3275>.

   [RFC4086]  Eastlake 3rd, D., Schiller, J., and S. Crocker,
              "Randomness Requirements for Security", BCP 106, RFC 4086,
              DOI 10.17487/RFC4086, June 2005,
              <http://www.rfc-editor.org/info/rfc4086>.

   [RFC5116]  McGrew, D., "An Interface and Algorithms for Authenticated
              Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008,
              <http://www.rfc-editor.org/info/rfc5116>.
Top   ToC   RFC7518 - Page 58
   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              DOI 10.17487/RFC5226, May 2008,
              <http://www.rfc-editor.org/info/rfc5226>.

   [W3C.NOTE-xmldsig-core2-20130411]
              Eastlake, D., Reagle, J., Solo, D., Hirsch, F., Roessler,
              T., Yiu, K., Datta, P., and S. Cantor, "XML Signature
              Syntax and Processing Version 2.0", World Wide Web
              Consortium Note NOTE-xmldsig-core2-20130411, April 2013,
              <http://www.w3.org/TR/2013/NOTE-xmldsig-core2-20130411/>.

   [W3C.REC-xmlenc-core-20021210]
              Eastlake, D. and J. Reagle, "XML Encryption Syntax and
              Processing", World Wide Web Consortium Recommendation REC-
              xmlenc-core-20021210, December 2002,
              <http://www.w3.org/TR/2002/REC-xmlenc-core-20021210>.

   [W3C.REC-xmlenc-core1-20130411]
              Eastlake, D., Reagle, J., Hirsch, F., and T. Roessler,
              "XML Encryption Syntax and Processing Version 1.1", World
              Wide Web Consortium Recommendation REC-xmlenc-
              core1-20130411, April 2013,
              <http://www.w3.org/TR/2013/REC-xmlenc-core1-20130411/>.
Top   ToC   RFC7518 - Page 59

Appendix A. Algorithm Identifier Cross-Reference

This appendix contains tables cross-referencing the cryptographic algorithm identifier values defined in this specification with the equivalent identifiers used by other standards and software packages. See XML DSIG [RFC3275], XML DSIG 2.0 [W3C.NOTE-xmldsig-core2-20130411], XML Encryption [W3C.REC-xmlenc-core-20021210], XML Encryption 1.1 [W3C.REC-xmlenc-core1-20130411], and Java Cryptography Architecture [JCA] for more information about the names defined by those documents.
Top   ToC   RFC7518 - Page 60

A.1. Digital Signature/MAC Algorithm Identifier Cross-Reference

This section contains a table cross-referencing the JWS digital signature and MAC "alg" (algorithm) values defined in this specification with the equivalent identifiers used by other standards and software packages. +-------------------------------------------------------------------+ | JWS | XML DSIG | | | JCA | OID | +-------------------------------------------------------------------+ | HS256 | http://www.w3.org/2001/04/xmldsig-more#hmac-sha256 | | | HmacSHA256 | 1.2.840.113549.2.9 | +-------------------------------------------------------------------+ | HS384 | http://www.w3.org/2001/04/xmldsig-more#hmac-sha384 | | | HmacSHA384 | 1.2.840.113549.2.10 | +-------------------------------------------------------------------+ | HS512 | http://www.w3.org/2001/04/xmldsig-more#hmac-sha512 | | | HmacSHA512 | 1.2.840.113549.2.11 | +-------------------------------------------------------------------+ | RS256 | http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 | | | SHA256withRSA | 1.2.840.113549.1.1.11 | +-------------------------------------------------------------------+ | RS384 | http://www.w3.org/2001/04/xmldsig-more#rsa-sha384 | | | SHA384withRSA | 1.2.840.113549.1.1.12 | +-------------------------------------------------------------------+ | RS512 | http://www.w3.org/2001/04/xmldsig-more#rsa-sha512 | | | SHA512withRSA | 1.2.840.113549.1.1.13 | +-------------------------------------------------------------------+ | ES256 | http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256 | | | SHA256withECDSA | 1.2.840.10045.4.3.2 | +-------------------------------------------------------------------+ | ES384 | http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384 | | | SHA384withECDSA | 1.2.840.10045.4.3.3 | +-------------------------------------------------------------------+ | ES512 | http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512 | | | SHA512withECDSA | 1.2.840.10045.4.3.4 | +-------------------------------------------------------------------+ | PS256 | http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1 | | | SHA256withRSAandMGF1 | 1.2.840.113549.1.1.10 | +-------------------------------------------------------------------+ | PS384 | http://www.w3.org/2007/05/xmldsig-more#sha384-rsa-MGF1 | | | SHA384withRSAandMGF1 | 1.2.840.113549.1.1.10 | +-------------------------------------------------------------------+ | PS512 | http://www.w3.org/2007/05/xmldsig-more#sha512-rsa-MGF1 | | | SHA512withRSAandMGF1 | 1.2.840.113549.1.1.10 | +-------------------------------------------------------------------+
Top   ToC   RFC7518 - Page 61

A.2. Key Management Algorithm Identifier Cross-Reference

This section contains a table cross-referencing the JWE "alg" (algorithm) values defined in this specification with the equivalent identifiers used by other standards and software packages. +-------------------------------------------------------------------+ | JWE | XML ENC | | | JCA | OID | +-------------------------------------------------------------------+ | RSA1_5 | http://www.w3.org/2001/04/xmlenc#rsa-1_5 | | | RSA/ECB/PKCS1Padding | 1.2.840.113549.1.1.1 | +-------------------------------------------------------------------+ | RSA-OAEP | http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p | | | RSA/ECB/OAEPWithSHA-1AndMGF1Padding | 1.2.840.113549.1.1.7 | +-------------------------------------------------------------------+ | RSA-OAEP-256 | http://www.w3.org/2009/xmlenc11#rsa-oaep | | | & http://www.w3.org/2009/xmlenc11#mgf1sha256 | | | RSA/ECB/OAEPWithSHA-256AndMGF1Padding | | | | & MGF1ParameterSpec.SHA256 | 1.2.840.113549.1.1.7 | +-------------------------------------------------------------------+ | ECDH-ES | http://www.w3.org/2009/xmlenc11#ECDH-ES | | | ECDH | 1.3.132.1.12 | +-------------------------------------------------------------------+ | A128KW | http://www.w3.org/2001/04/xmlenc#kw-aes128 | | | AESWrap | 2.16.840.1.101.3.4.1.5 | +-------------------------------------------------------------------+ | A192KW | http://www.w3.org/2001/04/xmlenc#kw-aes192 | | | AESWrap | 2.16.840.1.101.3.4.1.25 | +-------------------------------------------------------------------+ | A256KW | http://www.w3.org/2001/04/xmlenc#kw-aes256 | | | AESWrap | 2.16.840.1.101.3.4.1.45 | +-------------------------------------------------------------------+
Top   ToC   RFC7518 - Page 62

A.3. Content Encryption Algorithm Identifier Cross-Reference

This section contains a table cross-referencing the JWE "enc" (encryption algorithm) values defined in this specification with the equivalent identifiers used by other standards and software packages. For the composite algorithms "A128CBC-HS256", "A192CBC-HS384", and "A256CBC-HS512", the corresponding AES-CBC algorithm identifiers are listed. +-------------------------------------------------------------------+ | JWE | XML ENC | | | JCA | OID | +-------------------------------------------------------------------+ | A128CBC-HS256 | http://www.w3.org/2001/04/xmlenc#aes128-cbc | | | AES/CBC/PKCS5Padding | 2.16.840.1.101.3.4.1.2 | +-------------------------------------------------------------------+ | A192CBC-HS384 | http://www.w3.org/2001/04/xmlenc#aes192-cbc | | | AES/CBC/PKCS5Padding | 2.16.840.1.101.3.4.1.22 | +-------------------------------------------------------------------+ | A256CBC-HS512 | http://www.w3.org/2001/04/xmlenc#aes256-cbc | | | AES/CBC/PKCS5Padding | 2.16.840.1.101.3.4.1.42 | +-------------------------------------------------------------------+ | A128GCM | http://www.w3.org/2009/xmlenc11#aes128-gcm | | | AES/GCM/NoPadding | 2.16.840.1.101.3.4.1.6 | +-------------------------------------------------------------------+ | A192GCM | http://www.w3.org/2009/xmlenc11#aes192-gcm | | | AES/GCM/NoPadding | 2.16.840.1.101.3.4.1.26 | +-------------------------------------------------------------------+ | A256GCM | http://www.w3.org/2009/xmlenc11#aes256-gcm | | | AES/GCM/NoPadding | 2.16.840.1.101.3.4.1.46 | +-------------------------------------------------------------------+

Appendix B. Test Cases for AES_CBC_HMAC_SHA2 Algorithms

The following test cases can be used to validate implementations of the AES_CBC_HMAC_SHA2 algorithms defined in Section 5.2. They are also intended to correspond to test cases that may appear in a future version of [AEAD-CBC-SHA], demonstrating that the cryptographic computations performed are the same. The variable names are those defined in Section 5.2. All values are hexadecimal.
Top   ToC   RFC7518 - Page 63

B.1. Test Cases for AES_128_CBC_HMAC_SHA_256

AES_128_CBC_HMAC_SHA_256 K = 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f MAC_KEY = 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f ENC_KEY = 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f P = 41 20 63 69 70 68 65 72 20 73 79 73 74 65 6d 20 6d 75 73 74 20 6e 6f 74 20 62 65 20 72 65 71 75 69 72 65 64 20 74 6f 20 62 65 20 73 65 63 72 65 74 2c 20 61 6e 64 20 69 74 20 6d 75 73 74 20 62 65 20 61 62 6c 65 20 74 6f 20 66 61 6c 6c 20 69 6e 74 6f 20 74 68 65 20 68 61 6e 64 73 20 6f 66 20 74 68 65 20 65 6e 65 6d 79 20 77 69 74 68 6f 75 74 20 69 6e 63 6f 6e 76 65 6e 69 65 6e 63 65 IV = 1a f3 8c 2d c2 b9 6f fd d8 66 94 09 23 41 bc 04 A = 54 68 65 20 73 65 63 6f 6e 64 20 70 72 69 6e 63 69 70 6c 65 20 6f 66 20 41 75 67 75 73 74 65 20 4b 65 72 63 6b 68 6f 66 66 73 AL = 00 00 00 00 00 00 01 50 E = c8 0e df a3 2d df 39 d5 ef 00 c0 b4 68 83 42 79 a2 e4 6a 1b 80 49 f7 92 f7 6b fe 54 b9 03 a9 c9 a9 4a c9 b4 7a d2 65 5c 5f 10 f9 ae f7 14 27 e2 fc 6f 9b 3f 39 9a 22 14 89 f1 63 62 c7 03 23 36 09 d4 5a c6 98 64 e3 32 1c f8 29 35 ac 40 96 c8 6e 13 33 14 c5 40 19 e8 ca 79 80 df a4 b9 cf 1b 38 4c 48 6f 3a 54 c5 10 78 15 8e e5 d7 9d e5 9f bd 34 d8 48 b3 d6 95 50 a6 76 46 34 44 27 ad e5 4b 88 51 ff b5 98 f7 f8 00 74 b9 47 3c 82 e2 db M = 65 2c 3f a3 6b 0a 7c 5b 32 19 fa b3 a3 0b c1 c4 e6 e5 45 82 47 65 15 f0 ad 9f 75 a2 b7 1c 73 ef T = 65 2c 3f a3 6b 0a 7c 5b 32 19 fa b3 a3 0b c1 c4
Top   ToC   RFC7518 - Page 64

B.2. Test Cases for AES_192_CBC_HMAC_SHA_384

K = 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f MAC_KEY = 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 ENC_KEY = 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f P = 41 20 63 69 70 68 65 72 20 73 79 73 74 65 6d 20 6d 75 73 74 20 6e 6f 74 20 62 65 20 72 65 71 75 69 72 65 64 20 74 6f 20 62 65 20 73 65 63 72 65 74 2c 20 61 6e 64 20 69 74 20 6d 75 73 74 20 62 65 20 61 62 6c 65 20 74 6f 20 66 61 6c 6c 20 69 6e 74 6f 20 74 68 65 20 68 61 6e 64 73 20 6f 66 20 74 68 65 20 65 6e 65 6d 79 20 77 69 74 68 6f 75 74 20 69 6e 63 6f 6e 76 65 6e 69 65 6e 63 65 IV = 1a f3 8c 2d c2 b9 6f fd d8 66 94 09 23 41 bc 04 A = 54 68 65 20 73 65 63 6f 6e 64 20 70 72 69 6e 63 69 70 6c 65 20 6f 66 20 41 75 67 75 73 74 65 20 4b 65 72 63 6b 68 6f 66 66 73 AL = 00 00 00 00 00 00 01 50 E = ea 65 da 6b 59 e6 1e db 41 9b e6 2d 19 71 2a e5 d3 03 ee b5 00 52 d0 df d6 69 7f 77 22 4c 8e db 00 0d 27 9b dc 14 c1 07 26 54 bd 30 94 42 30 c6 57 be d4 ca 0c 9f 4a 84 66 f2 2b 22 6d 17 46 21 4b f8 cf c2 40 0a dd 9f 51 26 e4 79 66 3f c9 0b 3b ed 78 7a 2f 0f fc bf 39 04 be 2a 64 1d 5c 21 05 bf e5 91 ba e2 3b 1d 74 49 e5 32 ee f6 0a 9a c8 bb 6c 6b 01 d3 5d 49 78 7b cd 57 ef 48 49 27 f2 80 ad c9 1a c0 c4 e7 9c 7b 11 ef c6 00 54 e3 M = 84 90 ac 0e 58 94 9b fe 51 87 5d 73 3f 93 ac 20 75 16 80 39 cc c7 33 d7 45 94 f8 86 b3 fa af d4 86 f2 5c 71 31 e3 28 1e 36 c7 a2 d1 30 af de 57 T = 84 90 ac 0e 58 94 9b fe 51 87 5d 73 3f 93 ac 20 75 16 80 39 cc c7 33 d7
Top   ToC   RFC7518 - Page 65

B.3. Test Cases for AES_256_CBC_HMAC_SHA_512

K = 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f MAC_KEY = 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f ENC_KEY = 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f P = 41 20 63 69 70 68 65 72 20 73 79 73 74 65 6d 20 6d 75 73 74 20 6e 6f 74 20 62 65 20 72 65 71 75 69 72 65 64 20 74 6f 20 62 65 20 73 65 63 72 65 74 2c 20 61 6e 64 20 69 74 20 6d 75 73 74 20 62 65 20 61 62 6c 65 20 74 6f 20 66 61 6c 6c 20 69 6e 74 6f 20 74 68 65 20 68 61 6e 64 73 20 6f 66 20 74 68 65 20 65 6e 65 6d 79 20 77 69 74 68 6f 75 74 20 69 6e 63 6f 6e 76 65 6e 69 65 6e 63 65 IV = 1a f3 8c 2d c2 b9 6f fd d8 66 94 09 23 41 bc 04 A = 54 68 65 20 73 65 63 6f 6e 64 20 70 72 69 6e 63 69 70 6c 65 20 6f 66 20 41 75 67 75 73 74 65 20 4b 65 72 63 6b 68 6f 66 66 73 AL = 00 00 00 00 00 00 01 50 E = 4a ff aa ad b7 8c 31 c5 da 4b 1b 59 0d 10 ff bd 3d d8 d5 d3 02 42 35 26 91 2d a0 37 ec bc c7 bd 82 2c 30 1d d6 7c 37 3b cc b5 84 ad 3e 92 79 c2 e6 d1 2a 13 74 b7 7f 07 75 53 df 82 94 10 44 6b 36 eb d9 70 66 29 6a e6 42 7e a7 5c 2e 08 46 a1 1a 09 cc f5 37 0d c8 0b fe cb ad 28 c7 3f 09 b3 a3 b7 5e 66 2a 25 94 41 0a e4 96 b2 e2 e6 60 9e 31 e6 e0 2c c8 37 f0 53 d2 1f 37 ff 4f 51 95 0b be 26 38 d0 9d d7 a4 93 09 30 80 6d 07 03 b1 f6 M = 4d d3 b4 c0 88 a7 f4 5c 21 68 39 64 5b 20 12 bf 2e 62 69 a8 c5 6a 81 6d bc 1b 26 77 61 95 5b c5 fd 30 a5 65 c6 16 ff b2 f3 64 ba ec e6 8f c4 07 53 bc fc 02 5d de 36 93 75 4a a1 f5 c3 37 3b 9c T = 4d d3 b4 c0 88 a7 f4 5c 21 68 39 64 5b 20 12 bf 2e 62 69 a8 c5 6a 81 6d bc 1b 26 77 61 95 5b c5
Top   ToC   RFC7518 - Page 66

Appendix C. Example ECDH-ES Key Agreement Computation

This example uses ECDH-ES Key Agreement and the Concat KDF to derive the CEK in the manner described in Section 4.6. In this example, the ECDH-ES Direct Key Agreement mode ("alg" value "ECDH-ES") is used to produce an agreed-upon key for AES GCM with a 128-bit key ("enc" value "A128GCM"). In this example, a producer Alice is encrypting content to a consumer Bob. The producer (Alice) generates an ephemeral key for the key agreement computation. Alice's ephemeral key (in JWK format) used for the key agreement computation in this example (including the private part) is: {"kty":"EC", "crv":"P-256", "x":"gI0GAILBdu7T53akrFmMyGcsF3n5dO7MmwNBHKW5SV0", "y":"SLW_xSffzlPWrHEVI30DHM_4egVwt3NQqeUD7nMFpps", "d":"0_NxaRPUMQoAJt50Gz8YiTr8gRTwyEaCumd-MToTmIo" } The consumer's (Bob's) key (in JWK format) used for the key agreement computation in this example (including the private part) is: {"kty":"EC", "crv":"P-256", "x":"weNJy2HscCSM6AEDTDg04biOvhFhyyWvOHQfeF_PxMQ", "y":"e8lnCO-AlStT-NJVX-crhB7QRYhiix03illJOVAOyck", "d":"VEmDZpDXXK8p8N0Cndsxs924q6nS1RXFASRl6BfUqdw" } Header Parameter values used in this example are as follows. The "apu" (agreement PartyUInfo) Header Parameter value is the base64url encoding of the UTF-8 string "Alice" and the "apv" (agreement PartyVInfo) Header Parameter value is the base64url encoding of the UTF-8 string "Bob". The "epk" (ephemeral public key) Header Parameter is used to communicate the producer's (Alice's) ephemeral public key value to the consumer (Bob).
Top   ToC   RFC7518 - Page 67
     {"alg":"ECDH-ES",
      "enc":"A128GCM",
      "apu":"QWxpY2U",
      "apv":"Qm9i",
      "epk":
       {"kty":"EC",
        "crv":"P-256",
        "x":"gI0GAILBdu7T53akrFmMyGcsF3n5dO7MmwNBHKW5SV0",
        "y":"SLW_xSffzlPWrHEVI30DHM_4egVwt3NQqeUD7nMFpps"
       }
     }

   The resulting Concat KDF [NIST.800-56A] parameter values are:

   Z
      This is set to the ECDH-ES key agreement output.  (This value is
      often not directly exposed by libraries, due to NIST security
      requirements, and only serves as an input to a KDF.)  In this
      example, Z is following the octet sequence (using JSON array
      notation):
      [158, 86, 217, 29, 129, 113, 53, 211, 114, 131, 66, 131, 191, 132,
      38, 156, 251, 49, 110, 163, 218, 128, 106, 72, 246, 218, 167, 121,
      140, 254, 144, 196].

   keydatalen
      This value is 128 - the number of bits in the desired output key
      (because "A128GCM" uses a 128-bit key).

   AlgorithmID
      This is set to the octets representing the 32-bit big-endian value
      7 - [0, 0, 0, 7] - the number of octets in the AlgorithmID content
      "A128GCM", followed, by the octets representing the ASCII string
      "A128GCM" - [65, 49, 50, 56, 71, 67, 77].

   PartyUInfo
      This is set to the octets representing the 32-bit big-endian value
      5 - [0, 0, 0, 5] - the number of octets in the PartyUInfo content
      "Alice", followed, by the octets representing the UTF-8 string
      "Alice" - [65, 108, 105, 99, 101].

   PartyVInfo
      This is set to the octets representing the 32-bit big-endian value
      3 - [0, 0, 0, 3] - the number of octets in the PartyUInfo content
      "Bob", followed, by the octets representing the UTF-8 string "Bob"
      - [66, 111, 98].
Top   ToC   RFC7518 - Page 68
   SuppPubInfo
      This is set to the octets representing the 32-bit big-endian value
      128 - [0, 0, 0, 128] - the keydatalen value.

   SuppPrivInfo
      This is set to the empty octet sequence.

   Concatenating the parameters AlgorithmID through SuppPubInfo results
   in an OtherInfo value of:
   [0, 0, 0, 7, 65, 49, 50, 56, 71, 67, 77, 0, 0, 0, 5, 65, 108, 105,
   99, 101, 0, 0, 0, 3, 66, 111, 98, 0, 0, 0, 128]

   Concatenating the round number 1 ([0, 0, 0, 1]), Z, and the OtherInfo
   value results in the Concat KDF round 1 hash input of:
   [0, 0, 0, 1,
   158, 86, 217, 29, 129, 113, 53, 211, 114, 131, 66, 131, 191, 132, 38,
   156, 251, 49, 110, 163, 218, 128, 106, 72, 246, 218, 167, 121, 140,
   254, 144, 196,
   0, 0, 0, 7, 65, 49, 50, 56, 71, 67, 77, 0, 0, 0, 5, 65, 108, 105, 99,
   101, 0, 0, 0, 3, 66, 111, 98, 0, 0, 0, 128]

   The resulting derived key, which is the first 128 bits of the round 1
   hash output is:
   [86, 170, 141, 234, 248, 35, 109, 32, 92, 34, 40, 205, 113, 167, 16,
   26]

   The base64url-encoded representation of this derived key is:

     VqqN6vgjbSBcIijNcacQGg
Top   ToC   RFC7518 - Page 69

Acknowledgements

Solutions for signing and encrypting JSON content were previously explored by "Magic Signatures" [MagicSignatures], "JSON Simple Sign 1.0" [JSS], "Canvas Applications" [CanvasApp], "JSON Simple Encryption" [JSE], and "JavaScript Message Security Format" [JSMS], all of which influenced this document. The "Authenticated Encryption with AES-CBC and HMAC-SHA" [AEAD-CBC-SHA] specification, upon which the AES_CBC_HMAC_SHA2 algorithms are based, was written by David A. McGrew and Kenny Paterson. The test cases for AES_CBC_HMAC_SHA2 are based upon those for [AEAD-CBC-SHA] by John Foley. Matt Miller wrote "Using JavaScript Object Notation (JSON) Web Encryption (JWE) for Protecting JSON Web Key (JWK) Objects" [JWE-JWK], upon which the password-based encryption content of this document is based. This specification is the work of the JOSE working group, which includes dozens of active and dedicated participants. In particular, the following individuals contributed ideas, feedback, and wording that influenced this specification: Dirk Balfanz, Richard Barnes, Carsten Bormann, John Bradley, Brian Campbell, Alissa Cooper, Breno de Medeiros, Vladimir Dzhuvinov, Roni Even, Stephen Farrell, Yaron Y. Goland, Dick Hardt, Joe Hildebrand, Jeff Hodges, Edmund Jay, Charlie Kaufman, Barry Leiba, James Manger, Matt Miller, Kathleen Moriarty, Tony Nadalin, Axel Nennker, John Panzer, Emmanuel Raviart, Eric Rescorla, Pete Resnick, Nat Sakimura, Jim Schaad, Hannes Tschofenig, and Sean Turner. Jim Schaad and Karen O'Donoghue chaired the JOSE working group and Sean Turner, Stephen Farrell, and Kathleen Moriarty served as Security Area Directors during the creation of this specification.

Author's Address

Michael B. Jones Microsoft EMail: mbj@microsoft.com URI: http://self-issued.info/