Internet Engineering Task Force (IETF) M. Miller
Request for Comments: 7520 Cisco Systems, Inc.
Category: Informational May 2015
ISSN: 2070-1721
Examples of Protecting Content Using
JSON Object Signing and Encryption (JOSE)
Abstract
This document contains a set of examples using JSON Object Signing
and Encryption (JOSE) technology to protect data. These examples
present a representative sampling of JSON Web Key (JWK) objects as
well as various JSON Web Signature (JWS) and JSON Web Encryption
(JWE) results given similar inputs.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7520.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
5.1. Key Encryption Using RSA v1.5 and AES-HMAC-SHA2 ...........39
5.1.1. Input Factors ......................................39
5.1.2. Generated Factors ..................................41
5.1.3. Encrypting the Key .................................41
5.1.4. Encrypting the Content .............................42
5.1.5. Output Results .....................................43
5.2. Key Encryption Using RSA-OAEP with AES-GCM ................45
5.2.1. Input Factors ......................................46
5.2.2. Generated Factors ..................................47
5.2.3. Encrypting the Key .................................48
5.2.4. Encrypting the Content .............................48
5.2.5. Output Results .....................................49
5.3. Key Wrap Using PBES2-AES-KeyWrap with AES-CBC-HMAC-SHA2 ...52
5.3.1. Input Factors ......................................53
5.3.2. Generated Factors ..................................54
5.3.3. Encrypting the Key .................................54
5.3.4. Encrypting the Content .............................55
5.3.5. Output Results .....................................56
5.4. Key Agreement with Key Wrapping Using ECDH-ES and
AES-KeyWrap with AES-GCM ..................................59
5.4.1. Input Factors ......................................59
5.4.2. Generated Factors ..................................60
5.4.3. Encrypting the Key .................................60
5.4.4. Encrypting the Content .............................61
5.4.5. Output Results .....................................63
5.5. Key Agreement Using ECDH-ES with AES-CBC-HMAC-SHA2 ........65
5.5.1. Input Factors ......................................66
5.5.2. Generated Factors ..................................66
5.5.3. Key Agreement ......................................67
5.5.4. Encrypting the Content .............................67
5.5.5. Output Results .....................................68
5.6. Direct Encryption Using AES-GCM ...........................70
5.6.1. Input Factors ......................................70
5.6.2. Generated Factors ..................................70
5.6.3. Encrypting the Content .............................71
5.6.4. Output Results .....................................72
5.7. Key Wrap Using AES-GCM KeyWrap with AES-CBC-HMAC-SHA2 .....73
5.7.1. Input Factors ......................................73
5.7.2. Generated Factors ..................................74
5.7.3. Encrypting the Key .................................74
5.7.4. Encrypting the Content .............................75
5.7.5. Output Results .....................................77
5.8. Key Wrap Using AES-KeyWrap with AES-GCM ...................79
5.8.1. Input Factors ......................................79
5.8.2. Generated Factors ..................................80
5.8.3. Encrypting the Key .................................80
5.8.4. Encrypting the Content .............................80
5.8.5. Output Results .....................................82
Miller Informational [Page 3]
RFC 7520 JOSE Cookbook May 2015
5.9. Compressed Content ........................................84
5.9.1. Input Factors ......................................84
5.9.2. Generated Factors ..................................84
5.9.3. Encrypting the Key .................................85
5.9.4. Encrypting the Content .............................85
5.9.5. Output Results .....................................86
5.10. Including Additional Authenticated Data ..................88
5.10.1. Input Factors .....................................88
5.10.2. Generated Factors .................................89
5.10.3. Encrypting the Key ................................90
5.10.4. Encrypting the Content ............................90
5.10.5. Output Results ....................................91
5.11. Protecting Specific Header Fields ........................93
5.11.1. Input Factors .....................................93
5.11.2. Generated Factors .................................94
5.11.3. Encrypting the Key ................................94
5.11.4. Encrypting the Content ............................94
5.11.5. Output Results ....................................95
5.12. Protecting Content Only ..................................97
5.12.1. Input Factors .....................................97
5.12.2. Generated Factors .................................98
5.12.3. Encrypting the Key ................................98
5.12.4. Encrypting the Content ............................98
5.12.5. Output Results ....................................99
5.13. Encrypting to Multiple Recipients .......................101
5.13.1. Input Factors ....................................101
5.13.2. Generated Factors ................................101
5.13.3. Encrypting the Key to the First Recipient ........102
5.13.4. Encrypting the Key to the Second Recipient .......103
5.13.5. Encrypting the Key to the Third Recipient ........105
5.13.6. Encrypting the Content ...........................106
5.13.7. Output Results ...................................108
6. Nesting Signatures and Encryption .............................110
6.1. Signing Input Factors ....................................110
6.2. Signing Operation ........................................112
6.3. Signing Output ...........................................112
6.4. Encryption Input Factors .................................113
6.5. Encryption Generated Factors .............................113
6.6. Encrypting the Key .......................................114
6.7. Encrypting the Content ...................................114
6.8. Encryption Output ........................................115
7. Security Considerations .......................................119
8. References ....................................................119
8.1. Normative References .....................................119
8.2. Informative References ...................................120
Acknowledgements .................................................120
Author's Address .................................................120
Miller Informational [Page 4]
RFC 7520 JOSE Cookbook May 2015
1. Introduction
The JSON Object Signing and Encryption (JOSE) technologies -- JSON
Web Signature [JWS], JSON Web Encryption [JWE], JSON Web Key [JWK],
and JSON Web Algorithms [JWA] -- can be used collectively to encrypt
and/or sign content using a variety of algorithms. While the full
set of permutations is extremely large, and might be daunting to
some, it is expected that most applications will only use a small set
of algorithms to meet their needs.
This document provides a number of examples of signing or encrypting
content using JOSE. While not exhaustive, it does compile a
representative sampling of JOSE features. As much as possible, the
same signature payload or encryption plaintext content is used to
illustrate differences in various signing and encryption results.
This document also provides a number of example JWK objects. These
examples illustrate the distinguishing properties of various key
types and emphasize important characteristics. Most of the JWK
examples are then used in the signature or encryption examples that
follow.
This document separates data that are expected to be input to an
implementation of JOSE from data that are expected to be generated by
an implementation of JOSE. Each example, wherever possible, provides
enough information both to replicate the results of this document and
to validate the results by running its inverse operation (e.g.,
signature results can be validated by performing the JWS verify).
However, some algorithms inherently use random data; therefore,
computations employing them cannot be exactly replicated. Such cases
are explicitly stated in the relevant sections.
All instances of binary octet strings are represented using base64url
[RFC4648] encoding.
Wherever possible and unless otherwise noted, the examples include
the JWS or JWE Compact Serialization, general JWS or JWE JSON
Serialization, and flattened JWS or JWE JSON Serialization.
All of the examples in this document have whitespace added to improve
formatting and readability. Except for JWE Plaintext or JWS Payload
content, whitespace is not part of the cryptographic operations nor
the exchange results.
Miller Informational [Page 5]
RFC 7520 JOSE Cookbook May 2015
Unless otherwise noted, the JWE Plaintext or JWS Payload content does
include " " (U+0020 SPACE) characters. Line breaks (U+000A LINE
FEED) replace some " " (U+0020 SPACE) characters to improve
readability but are not present in the JWE Plaintext or JWS Payload.
2. Terminology
This document inherits terminology regarding JSON Web Signature (JWS)
technology from [JWS], terminology regarding JSON Web Encryption
(JWE) technology from [JWE], terminology regarding JSON Web Key (JWK)
technology from [JWK], and terminology regarding algorithms from
[JWA].
3. JSON Web Key Examples
The following sections demonstrate how to represent various JWK and
JWK Set objects.
3.1. EC Public Key
This example illustrates an Elliptic Curve (EC) public key. This
example is the public key corresponding to the private key in
Figure 2.
Note that whitespace is added for readability as described in
Section 1.1.
The field "kty" value of "EC" identifies this as an Elliptic Curve
key. The field "crv" identifies the curve, which is curve P-521 for
this example. The values of the fields "x" and "y" are the
base64url-encoded X and Y coordinates (respectively).
Miller Informational [Page 6]
RFC 7520 JOSE Cookbook May 2015
The values of the fields "x" and "y" decoded are the octets necessary
to represent each full coordinate to the order of the curve. For a
key over curve P-521, the values of the fields "x" and "y" are
exactly 66 octets in length when decoded, padded with leading zero
(0x00) octets to reach the expected length.
3.2. EC Private Key
This example illustrates an Elliptic Curve private key. This example
is the private key corresponding to the public key in Figure 1.
Note that whitespace is added for readability as described in
Section 1.1.
The field "kty" value of "EC" identifies this as an Elliptic Curve
key. The field "crv" identifies the curve, which is curve P-521
(also known as SECG curve secp521r1) for this example. The values of
the fields "x" and "y" are the base64url-encoded X and Y coordinates
(respectively). The field "d" value is the base64url-encoded private
key.
The values of the fields "d", "x", and "y" decoded are the octets
necessary to represent the private key or each full coordinate
(respectively) to the order of the curve. For a key over curve
P-521, the values of the "d", "x", and "y" fields are each exactly 66
octets in length when decoded, padded with leading zero (0x00) octets
to reach the expected length.
Miller Informational [Page 7]
RFC 7520 JOSE Cookbook May 2015
3.3. RSA Public Key
This example illustrates an RSA public key. This example is the
public key corresponding to the private key in Figure 4.
Note that whitespace is added for readability as described in
Section 1.1.
The field "kty" value of "RSA" identifies this as an RSA key. The
fields "n" and "e" values are the modulus and (public) exponent
(respectively) using the minimum octets necessary.
For a 2048-bit key, the field "n" value is 256 octets in length when
decoded.
3.4. RSA Private Key
This example illustrates an RSA private key. This example is the
private key corresponding to the public key in Figure 3.
Note that whitespace is added for readability as described in
Section 1.1.
The field "kty" value of "RSA" identifies this as an RSA key. The
fields "n" and "e" values are the base64url-encoded modulus and
(public) exponent (respectively) using the minimum number of octets
necessary. The field "d" value is the base64url-encoded private
exponent using the minimum number of octets necessary. The fields
"p", "q", "dp", "dq", and "qi" are the base64url-encoded additional
private information using the minimum number of octets necessary.
For a 2048-bit key, the field "n" is 256 octets in length when
decoded, and the field "d" is not longer than 256 octets in length
when decoded.
3.5. Symmetric Key (MAC Computation)
This example illustrates a symmetric key used for computing Message
Authentication Codes (MACs).
Note that whitespace is added for readability as described in
Section 1.1.
The field "kty" value of "oct" identifies this as a symmetric key.
The field "k" value is the symmetric key.
When used for the signing algorithm "HS256" (HMAC-SHA256), the field
"k" value is 32 octets (or more) in length when decoded, padded with
leading zero (0x00) octets to reach the minimum expected length.
Miller Informational [Page 10]
RFC 7520 JOSE Cookbook May 2015
3.6. Symmetric Key (Encryption)
This example illustrates a symmetric key used for encryption.
Note that whitespace is added for readability as described in
Section 1.1.
The field "kty" value of "oct" identifies this as a symmetric key.
The field "k" value is the symmetric key.
For the content encryption algorithm "A256GCM", the field "k" value
is exactly 32 octets in length when decoded, padded with leading zero
(0x00) octets to reach the expected length.
4. JSON Web Signature Examples
The following sections demonstrate how to generate various JWS
objects.
All of the signature examples use the following payload content (an
abridged quote from "The Fellowship of the Ring" [LOTR-FELLOWSHIP]),
serialized as UTF-8. The payload is presented here as a series of
quoted strings that are concatenated to produce the JWS Payload. The
sequence "\xe2\x80\x99" is substituted for (U+2019 RIGHT SINGLE
QUOTATION MARK), and quotation marks (U+0022 QUOTATION MARK) are
added for readability but are not present in the JWS Payload.
"It\xe2\x80\x99s a dangerous business, Frodo, going out your "
"door. You step onto the road, and if you don't keep your feet, "
"there\xe2\x80\x99s no knowing where you might be swept off "
"to."
Figure 7: Payload Content Plaintext
Miller Informational [Page 11]
RFC 7520 JOSE Cookbook May 2015
The payload -- with the sequence "\xe2\x80\x99" replaced with (U+2019
RIGHT SINGLE QUOTATION MARK) and quotations marks (U+0022 QUOTATION
MARK) are removed -- is encoded as UTF-8 and then as base64url
[RFC4648]:
The JWS Protected Header (Figure 10) and JWS Payload (Figure 8) are
combined as described in Section 5.1 of [JWS] to produce the JWS
Signing Input (Figure 11).
This example illustrates signing content using the "ES512" (Elliptic
Curve Digital Signature Algorithm (ECDSA) with curve P-521 and SHA-
512) algorithm.
Note that ECDSA uses random data to generate the signature; it might
not be possible to exactly replicate the results in this section.
Note that whitespace is added for readability as described in
Section 1.1.
4.3.1. Input Factors
The following are supplied before beginning the signing operation:
o Payload content; this example uses the content from Figure 7,
encoded using base64url [RFC4648] to produce Figure 8.
o EC private key on the curve P-521; this example uses the key from
Figure 2.
o "alg" parameter of "ES512".
4.3.2. Signing Operation
The following is generated before beginning the signature process:
o JWS Protected Header; this example uses the header from Figure 23,
encoded using base64url [RFC4648] to produce Figure 24.
This example illustrates a signature with detached content. This
example is identical to other examples in Section 4, except the
resulting JWS objects do not include the JWS Payload field. Instead,
the application is expected to locate it elsewhere. For example, the
signature might be in a metadata section, with the payload being the
content.
Note that whitespace is added for readability as described in
Section 1.1.
Miller Informational [Page 24]
RFC 7520 JOSE Cookbook May 2015
4.5.1. Input Factors
The following are supplied before beginning the signing operation:
o Payload content; this example uses the content from Figure 7,
encoded using base64url [RFC4648] to produce Figure 8.
o Signing key; this example uses the AES symmetric key from
Figure 5.
o Signing algorithm; this example uses "HS256".
4.5.2. Signing Operation
The following is generated before completing the signing operation:
o JWS Protected Header; this example uses the header from Figure 37,
encoded using base64url [RFC4648] to produce Figure 38.
This example illustrates a signature where only certain Header
Parameters are protected. Since this example contains both
unprotected and protected Header Parameters, only the general JWS
JSON Serialization and flattened JWS JSON Serialization are possible.
Note that whitespace is added for readability as described in
Section 1.1.
4.6.1. Input Factors
The following are supplied before beginning the signing operation:
o Payload content; this example uses the content from Figure 7,
encoded using base64url [RFC4648] to produce Figure 8.
o Signing key; this example uses the AES symmetric key from
Figure 5.
o Signing algorithm; this example uses "HS256".
4.6.2. Signing Operation
The following are generated before completing the signing operation:
o JWS Protected Header; this example uses the header from Figure 44,
encoded using base64url [RFC4648] to produce Figure 45.
o JWS Unprotected Header; this example uses the header from
Figure 46.
This example illustrates a signature where none of the Header
Parameters are protected. Since this example contains only
unprotected Header Parameters, only the general JWS JSON
Serialization and flattened JWS JSON Serialization are possible.
Note that whitespace is added for readability as described in
Section 1.1.
Miller Informational [Page 29]
RFC 7520 JOSE Cookbook May 2015
4.7.1. Input Factors
The following are supplied before beginning the signing operation:
o Payload content; this example uses the content from Figure 7,
encoded using base64url [RFC4648] to produce Figure 8.
o Signing key; this example uses the AES symmetric key from
Figure 5.
o Signing algorithm; this example uses "HS256".
4.7.2. Signing Operation
The following is generated before completing the signing operation:
o JWS Unprotected Header; this example uses the header from
Figure 51.
The empty string (as there is no JWS Protected Header) and JWS
Payload (Figure 8) are combined as described in [JWS] to produce the
JWS Signing Input (Figure 52).
This example illustrates multiple signatures applied to the same
payload. Since this example contains more than one signature, only
the JSON General Serialization is possible.
Note that whitespace is added for readability as described in
Section 1.1.
4.8.1. Input Factors
The following are supplied before beginning the signing operation:
o Payload content; this example uses the content from Figure 7,
encoded using base64url [RFC4648] to produce Figure 8.
o Signing keys; this example uses the following:
* RSA private key from Figure 4 for the first signature
* EC private key from Figure 2 for the second signature
* AES symmetric key from Figure 5 for the third signature
o Signing algorithms; this example uses the following:
* "RS256" for the first signature
* "ES512" for the second signature
* "HS256" for the third signature
Miller Informational [Page 32]
RFC 7520 JOSE Cookbook May 2015
4.8.2. First Signing Operation
The following are generated before completing the first signing
operation:
o JWS Protected Header; this example uses the header from Figure 56,
encoded using base64url [RFC4648] to produce Figure 57.
o JWS Unprotected Header; this example uses the header from
Figure 58.
The empty string (as there is no JWS Protected Header) and JWS
Payload (Figure 8) are combined as described in [JWS] to produce the
JWS Signing Input (Figure 63).
The JWS Compact Serialization is not presented because it does not
support this use case; the flattened JWS JSON Serialization is not
presented because there is more than one signature.
Miller Informational [Page 37]
RFC 7520 JOSE Cookbook May 2015
The resulting JWS object using the general JWS JSON Serialization:
The following sections demonstrate how to generate various JWE
objects.
All of the encryption examples (unless otherwise noted) use the
following Plaintext content (an abridged quote from "The Fellowship
of the Ring" [LOTR-FELLOWSHIP]), serialized as UTF-8. The Plaintext
is presented here as a series of quoted strings that are concatenated
to produce the JWE Plaintext. The sequence "\xe2\x80\x93" is
substituted for (U+2013 EN DASH), and quotation marks (U+0022
QUOTATION MARK) are added for readability but are not present in the
JWE Plaintext.
"You can trust us to stick with you through thick and "
"thin\xe2\x80\x93to the bitter end. And you can trust us to "
"keep any secret of yours\xe2\x80\x93closer than you keep it "
"yourself. But you cannot trust us to let you face trouble "
"alone, and go off without a word. We are your friends, Frodo."
Figure 72: Plaintext Content
5.1. Key Encryption Using RSA v1.5 and AES-HMAC-SHA2
This example illustrates encrypting content using the "RSA1_5"
(RSAES-PKCS1-v1_5) key encryption algorithm and the "A128CBC-HS256"
(AES-128-CBC-HMAC-SHA-256) content encryption algorithm.
Note that RSAES-PKCS1-v1_5 uses random data to generate the
ciphertext; it might not be possible to exactly replicate the results
in this section.
Note that only the RSA public key is necessary to perform the
encryption. However, the example includes the RSA private key to
allow readers to validate the output.
Note that whitespace is added for readability as described in
Section 1.1.
5.1.1. Input Factors
The following are supplied before beginning the encryption process:
o Plaintext content; this example uses the content from Figure 72.
o RSA public key; this example uses the key from Figure 73.
This example illustrates encrypting content using the "RSA-OAEP"
(RSAES-OAEP) key encryption algorithm and the "A256GCM" (AES-GCM)
content encryption algorithm.
Note that RSAES-OAEP uses random data to generate the ciphertext; it
might not be possible to exactly replicate the results in this
section.
Note that only the RSA public key is necessary to perform the
encryption. However, the example includes the RSA private key to
allow readers to validate the output.
Note that whitespace is added for readability as described in
Section 1.1.
Miller Informational [Page 45]
RFC 7520 JOSE Cookbook May 2015
5.2.1. Input Factors
The following are supplied before beginning the encryption process:
o Plaintext content; this example uses the Plaintext from Figure 72.
o RSA public key; this example uses the key from Figure 84.
5.3. Key Wrap Using PBES2-AES-KeyWrap with AES-CBC-HMAC-SHA2
The example illustrates encrypting content using the
"PBES2-HS512+A256KW" (PBES2 Password-based Encryption using HMAC-
SHA-512 and AES-256-KeyWrap) key encryption algorithm with the
"A128CBC-HS256" (AES-128-CBC-HMAC-SHA-256) content encryption
algorithm.
A common use of password-based encryption is the import/export of
keys. Therefore, this example uses a JWK Set for the Plaintext
content instead of the Plaintext from Figure 72.
Miller Informational [Page 52]
RFC 7520 JOSE Cookbook May 2015
Note that if password-based encryption is used for multiple
recipients, it is expected that each recipient use different values
for the PBES2 parameters "p2s" and "p2c".
Note that whitespace is added for readability as described in
Section 1.1.
5.3.1. Input Factors
The following are supplied before beginning the encryption process:
o Plaintext content; this example uses the Plaintext from Figure 95
(NOTE: All whitespace was added for readability).
o Password; this example uses the password from Figure 96 -- with
the sequence "\xe2\x80\x93" replaced with (U+2013 EN DASH).
5.4. Key Agreement with Key Wrapping Using ECDH-ES and AES-KeyWrap with
AES-GCM
This example illustrates encrypting content using the "ECDH-
ES+A128KW" (Elliptic Curve Diffie-Hellman Ephemeral-Static with AES-
128-KeyWrap) key encryption algorithm and the "A128GCM" (AES-GCM)
content encryption algorithm.
Note that only the EC public key is necessary to perform the key
agreement. However, the example includes the EC private key to allow
readers to validate the output.
Note that whitespace is added for readability as described in
Section 1.1.
5.4.1. Input Factors
The following are supplied before beginning the encryption process:
o Plaintext content; this example uses the content from Figure 72.
o EC public key; this example uses the public key from Figure 108.
5.5. Key Agreement Using ECDH-ES with AES-CBC-HMAC-SHA2
This example illustrates encrypting content using the "ECDH-ES"
(Elliptic Curve Diffie-Hellman Ephemeral-Static) key agreement
algorithm and the "A128CBC-HS256" (AES-128-CBC-HMAC-SHA-256) content
encryption algorithm.
Note that only the EC public key is necessary to perform the key
agreement. However, the example includes the EC private key to allow
readers to validate the output.
Note that whitespace is added for readability as described in
Section 1.1.
Miller Informational [Page 65]
RFC 7520 JOSE Cookbook May 2015
5.5.1. Input Factors
The following are supplied before beginning the encryption process:
o Plaintext content; this example uses the content from Figure 72.
o EC public key; this example uses the public key from Figure 120.
5.7. Key Wrap Using AES-GCM KeyWrap with AES-CBC-HMAC-SHA2
This example illustrates encrypting content using the "A256GCMKW"
(AES-256-GCM-KeyWrap) key encryption algorithm with the "A128CBC-
HS256" (AES-128-CBC-HMAC-SHA-256) content encryption algorithm.
Note that whitespace is added for readability as described in
Section 1.1.
5.7.1. Input Factors
The following are supplied before beginning the encryption process:
o Plaintext content; this example uses the content from Figure 72.
o AES symmetric key; this example uses the key from Figure 138.
The following example illustrates content encryption using the
"A128KW" (AES-128-KeyWrap) key encryption algorithm and the "A128GCM"
(AES-128-GCM) content encryption algorithm.
Note that whitespace is added for readability as described in
Section 1.1.
5.8.1. Input Factors
The following are supplied before beginning the encryption process:
o Plaintext content; this example uses the content from Figure 72.
o AES symmetric key; this example uses the key from Figure 151.
This example illustrates encrypting content that is first compressed.
It reuses the AES symmetric key, key encryption algorithm, and
content encryption algorithm from Section 5.8.
Note that whitespace is added for readability as described in
Section 1.1.
5.9.1. Input Factors
The following are supplied before beginning the encryption process:
o Plaintext content; this example uses the content from Figure 72.
o Recipient encryption key; this example uses the key from
Figure 151.
o Key encryption algorithm; this example uses "A128KW".
o Content encryption algorithm; this example uses "A128GCM".
o "zip" parameter of "DEF".
5.9.2. Generated Factors
The following are generated before encrypting:
o Compressed Plaintext from the original Plaintext content;
compressing Figure 72 using the DEFLATE [RFC1951] algorithm
produces the compressed Plaintext from Figure 162.
o AES symmetric key as the Content Encryption Key (CEK); this
example uses the key from Figure 163.
o Initialization Vector; this example uses the Initialization Vector
from Figure 164.
This example illustrates encrypting content that includes additional
authenticated data. As this example includes an additional top-level
property not present in the JWE Compact Serialization, only the
flattened JWE JSON Serialization and general JWE JSON Serialization
are possible.
Note that whitespace is added for readability as described in
Section 1.1.
5.10.1. Input Factors
The following are supplied before beginning the encryption process:
o Plaintext content; this example uses the content from Figure 72.
o Recipient encryption key; this example uses the key from
Figure 151.
o Key encryption algorithm; this example uses "A128KW".
o Content encryption algorithm; this example uses "A128GCM".
o Additional Authenticated Data; this example uses a vCard [RFC7095]
from Figure 173, serialized to UTF-8.
Figure 173: Additional Authenticated Data, in JSON Format
NOTE: Whitespace between JSON values was added for readability.
5.10.2. Generated Factors
The following are generated before encrypting:
o AES symmetric key as the Content Encryption Key (CEK); this
example uses the key from Figure 174.
o Initialization Vector; this example uses the Initialization Vector
from Figure 175.
o Encoded Additional Authenticated Data (AAD); this example uses the
Additional Authenticated Data from Figure 173, encoded to
base64url [RFC4648] as Figure 176.
This example illustrates encrypting content where only certain JOSE
Header Parameters are protected. As this example includes parameters
in the JWE Shared Unprotected Header, only the general JWE JSON
Serialization and flattened JWE JSON Serialization are possible.
Note that whitespace is added for readability as described in
Section 1.1.
5.11.1. Input Factors
The following are supplied before beginning the encryption process:
o Plaintext content; this example uses the content from Figure 72.
o Recipient encryption key; this example uses the key from
Figure 151.
o Key encryption algorithm; this example uses "A128KW".
o Content encryption algorithm; this example uses "A128GCM".
Miller Informational [Page 93]
RFC 7520 JOSE Cookbook May 2015
5.11.2. Generated Factors
The following are generated before encrypting:
o AES symmetric key as the Content Encryption Key (CEK); this
example uses the key from Figure 184.
o Initialization Vector; this example uses the Initialization Vector
from Figure 185.
This example illustrates encrypting content where none of the JOSE
header parameters are protected. As this example includes parameters
only in the JWE Shared Unprotected Header, only the flattened JWE
JSON Serialization and general JWE JSON Serialization are possible.
Note that whitespace is added for readability as described in
Section 1.1.
5.12.1. Input Factors
The following are supplied before beginning the encryption process:
o Plaintext content; this example uses the content from Figure 72.
o Recipient encryption key; this example uses the key from
Figure 151.
o Key encryption algorithm; this example uses "A128KW".
o Content encryption algorithm; this example uses "A128GCM".
Miller Informational [Page 97]
RFC 7520 JOSE Cookbook May 2015
5.12.2. Generated Factors
The following are generated before encrypting:
o AES symmetric key as the Content Encryption Key; this example the
key from Figure 194.
o Initialization Vector; this example uses the Initialization Vector
from Figure 195.
This example illustrates encryption content for multiple recipients.
As this example has multiple recipients, only the general JWE JSON
Serialization is possible.
Note that RSAES-PKCS1-v1_5 uses random data to generate the
ciphertext; it might not be possible to exactly replicate the results
in this section.
Note that whitespace is added for readability as described in
Section 1.1.
5.13.1. Input Factors
The following are supplied before beginning the encryption process:
o Plaintext content; this example uses the Plaintext from Figure 72.
o Recipient keys; this example uses the following:
* The RSA public key from Figure 73 for the first recipient.
* The EC public key from Figure 108 for the second recipient.
* The AES symmetric key from Figure 138 for the third recipient.
o Key encryption algorithms; this example uses the following:
* "RSA1_5" for the first recipient.
* "ECDH-ES+A256KW" for the second recipient.
* "A256GCMKW" for the third recipient.
o Content encryption algorithm; this example uses "A128CBC-HS256".
5.13.2. Generated Factors
The following are generated before encrypting:
o AES symmetric key as the Content Encryption Key (CEK); this
example uses the key from Figure 202.
o Initialization Vector; this example uses the Initialization Vector
from Figure 203.
Performing the "RSA1_5" key encryption operation over the CEK
(Figure 202) with the first recipient's RSA key (Figure 73) produces
the following Encrypted Key:
The following is generated after encrypting the Plaintext:
o JWE Shared Unprotected Header parameters; this example uses the
header from Figure 220.
{
"cty": "text/plain"
}
Figure 220: JWE Shared Unprotected Header JSON
5.13.7. Output Results
The following compose the resulting JWE object:
o Recipient #1 JSON (Figure 206)
o Recipient #2 JSON (Figure 210)
o Recipient #3 JSON (Figure 215)
o Initialization Vector (Figure 203)
o Ciphertext (Figure 218)
o Authentication Tag (Figure 219)
The JWE Compact Serialization is not presented because it does not
support this use case; the flattened JWE JSON Serialization is not
presented because there is more than one recipient.
Miller Informational [Page 108]
RFC 7520 JOSE Cookbook May 2015
The resulting JWE object using the general JWE JSON Serialization:
This example illustrates nesting a JSON Web Signature (JWS) structure
within a JSON Web Encryption (JWE) structure. The signature uses the
"PS256" (RSASSA-PSS) algorithm; the encryption uses the "RSA-OAEP"
(RSAES-OAEP) key encryption algorithm and the "A128GCM" (AES-GCM)
content encryption algorithm.
Note that RSASSA-PSS uses random data to generate the signature, and
RSAES-OAEP uses random data to generate the ciphertext; it might not
be possible to exactly replicate the results in this section.
Note that whitespace is added for readability as described in
Section 1.1.
6.1. Signing Input Factors
The following are supplied before beginning the signing operation:
o Payload content; this example uses the JSON Web Token [JWT]
content from Figure 222, encoded as base64url [RFC4648] to produce
Figure 223.
o RSA private key; this example uses the key from Figure 224.
Performing the signature operation over the combined JWS Protected
Header (Figure 226) and payload content (Figure 222) produces the
following signature:
This document is designed to provide examples for developers to use
in checking their implementations. As such, it does not follow some
of the security considerations and recommendations in the core
documents (i.e., [JWS], [JWE], [JWK], and [JWA]). For instance:
o it does not always generate a new CEK value for every encrypted
example;
o it does not always generate a new Initialization Vector (IV) value
for every encrypted example; and
o it does not always generate a new ephemeral key for every
ephemeral key example.
For each example, data that is expected to be generated for each
signing or encryption operation is isolated to sections titled
"Generated Factors".
[JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web
Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May
2015, <http://www.rfc-editor.org/info/rfc7515>.
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
<http://www.rfc-editor.org/info/rfc4648>.
Miller Informational [Page 119]
RFC 7520 JOSE Cookbook May 2015
8.2. Informative References
[JWT] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
(JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015,
<http://www.rfc-editor.org/info/rfc7519>.
[LOTR-FELLOWSHIP]
Tolkien, J., "The Fellowship of the Ring", HarperCollins
Publishers, ePub Edition, ISBN 9780061952838, March 2009.
[RFC1951] Deutsch, P., "DEFLATE Compressed Data Format Specification
version 1.3", RFC 1951, DOI 10.17487/RFC1951, May 1996,
<http://www.rfc-editor.org/info/rfc1951>.
Most of the examples herein use quotes and character names found in
the novel "The Fellowship of the Ring" [LOTR-FELLOWSHIP], written by
J. R. R. Tolkien.
Thanks to Richard Barnes, Brian Campbell, Mike Jones, and Jim Schaad
for their input and review of the text. Thanks to Brian Campbell for
verifying the Compact Serialization examples.
