RFC 7516 - JSON Web Encryption (JWE)

Abstract

JSON Web Encryption (JWE) represents encrypted content using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries defined by that specification. Related digital signature and Message Authentication Code (MAC) capabilities are described in the separate JSON Web Signature (JWS) specification.

1. Introduction

JSON Web Encryption (JWE) represents encrypted content using JSON-based data structures [RFC7159]. The JWE cryptographic mechanisms encrypt and provide integrity protection for an arbitrary sequence of octets.

Two closely related serializations for JWEs are defined. The JWE Compact Serialization is a compact, URL-safe representation intended for space constrained environments such as HTTP Authorization headers and URI query parameters. The JWE JSON Serialization represents JWEs as JSON objects and enables the same content to be encrypted to multiple parties. Both share the same cryptographic underpinnings.

Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) [JWA] specification and IANA registries defined by that specification. Related digital signature and MAC capabilities are described in the separate JSON Web Signature (JWS) [JWS] specification. Names defined by this specification are short because a core goal is for the resulting representations to be compact.

1.1. Notational Conventions

2. Terminology

The terms “JSON Web Signature (JWS)”, “Base64url Encoding”, “Collision-Resistant Name”, “Header Parameter”, “JOSE Header”, and “StringOrURI” are defined by the JWS specification [JWS].

The terms “Ciphertext”, “Digital Signature”, “Initialization Vector (IV)”, “Message Authentication Code (MAC)”, and “Plaintext” are defined by the “Internet Security Glossary, Version 2” [RFC4949].

These terms are defined by this specification:

JSON Web Encryption (JWE)
   A data structure representing an encrypted and integrity-protected message.

Authenticated Encryption with Associated Data (AEAD)
   An AEAD algorithm is one that encrypts the plaintext, allows Additional Authenticated Data to be specified, and provides an integrated content integrity check over the ciphertext and Additional Authenticated Data. AEAD algorithms accept two inputs, the plaintext and the Additional Authenticated Data value, and produce two outputs, the ciphertext and the Authentication Tag value. AES Galois/Counter Mode (GCM) is one such algorithm.

Additional Authenticated Data (AAD)
   An input to an AEAD operation that is integrity protected but not encrypted.

3. JSON Web Encryption (JWE) Overview

4. JOSE Header

For a JWE, the members of the JSON object(s) representing the JOSE Header describe the encryption applied to the plaintext and optionally additional properties of the JWE. The Header Parameter names within the JOSE Header MUST be unique, just as described in Section 4 of [JWS]. The rules about handling Header Parameters that are not understood by the implementation are also the same. The classes of Header Parameter names are likewise the same.

4.1. Registered Header Parameter Names

The following Header Parameter names for use in JWEs are registered in the IANA “JSON Web Signature and Encryption Header Parameters” registry established by [JWS], with meanings as defined below.

As indicated by the common registry, JWSs and JWEs share a common Header Parameter space; when a parameter is used by both specifications, its usage must be compatible between the specifications.

4.1.1. “alg” (Algorithm) Header Parameter

This parameter has the same meaning, syntax, and processing rules as the “alg” Header Parameter defined in Section 4.1.1 of [JWS], except that the Header Parameter identifies the cryptographic algorithm used to encrypt or determine the value of the CEK. The encrypted content is not usable if the “alg” value does not represent a supported algorithm, or if the recipient does not have a key that can be used with that algorithm.

A list of defined “alg” values for this use can be found in the IANA “JSON Web Signature and Encryption Algorithms” registry established by [JWA]; the initial contents of this registry are the values defined in Section 4.1 of [JWA].

4.1.2. “enc” (Encryption Algorithm) Header Parameter

The “enc” (encryption algorithm) Header Parameter identifies the content encryption algorithm used to perform authenticated encryption on the plaintext to produce the ciphertext and the Authentication Tag. This algorithm MUST be an AEAD algorithm with a specified key length. The encrypted content is not usable if the “enc” value does not represent a supported algorithm. “enc” values should either be registered in the IANA “JSON Web Signature and Encryption Algorithms” registry established by [JWA] or be a value that contains a Collision-Resistant Name. The “enc” value is a case-sensitive ASCII string containing a StringOrURI value. This Header Parameter MUST be present and MUST be understood and processed by implementations.

A list of defined “enc” values for this use can be found in the IANA “JSON Web Signature and Encryption Algorithms” registry established by [JWA]; the initial contents of this registry are the values defined in Section 5.1 of [JWA].

4.1.3. “zip” (Compression Algorithm) Header Parameter

The “zip” (compression algorithm) applied to the plaintext before encryption, if any. The “zip” value defined by this specification is:

o “DEF” - Compression with the DEFLATE [RFC1951] algorithm

Other values MAY be used. Compression algorithm values can be registered in the IANA “JSON Web Encryption Compression Algorithms” registry established by [JWA]. The “zip” value is a case-sensitive string. If no “zip” parameter is present, no compression is applied to the plaintext before encryption. When used, this Header Parameter MUST be integrity protected; therefore, it MUST occur only within the JWE Protected Header. Use of this Header Parameter is OPTIONAL. This Header Parameter MUST be understood and processed by implementations.

4.1.4. “jku” (JWK Set URL) Header Parameter

This parameter has the same meaning, syntax, and processing rules as
the “jku” Header Parameter defined in Section 4.1.2 of [JWS], except
that the JWK Set resource contains the public key to which the JWE
was encrypted; this can be used to determine the private key needed
to decrypt the JWE.

4.1.5. “jwk” (JSON Web Key) Header Parameter

This parameter has the same meaning, syntax, and processing rules as
the “jwk” Header Parameter defined in Section 4.1.3 of [JWS], except
that the key is the public key to which the JWE was encrypted; this
can be used to determine the private key needed to decrypt the JWE.

4.1.6. “kid” (Key ID) Header Parameter

This parameter has the same meaning, syntax, and processing rules as the “kid” Header Parameter defined in Section 4.1.4 of [JWS], except that the key hint references the public key to which the JWE was encrypted; this can be used to determine the private key needed to decrypt the JWE. This parameter allows originators to explicitly signal a change of key to JWE recipients.

4.1.7. “x5u” (X.509 URL) Header Parameter

This parameter has the same meaning, syntax, and processing rules as
the “x5u” Header Parameter defined in Section 4.1.5 of [JWS], except
that the X.509 public key certificate or certificate chain [RFC5280]
contains the public key to which the JWE was encrypted; this can be
used to determine the private key needed to decrypt the JWE.

4.1.8. “x5c” (X.509 Certificate Chain) Header Parameter

This parameter has the same meaning, syntax, and processing rules as
the “x5c” Header Parameter defined in Section 4.1.6 of [JWS], except
that the X.509 public key certificate or certificate chain [RFC5280]
contains the public key to which the JWE was encrypted; this can be
used to determine the private key needed to decrypt the JWE.
See Appendix B of [JWS] for an example “x5c” value.

4.1.9. “x5t” (X.509 Certificate SHA-1 Thumbprint) Header Parameter

This parameter has the same meaning, syntax, and processing rules as
the “x5t” Header Parameter defined in Section 4.1.7 of [JWS], except
that the certificate referenced by the thumbprint contains the public
key to which the JWE was encrypted; this can be used to determine the
private key needed to decrypt the JWE. Note that certificate
thumbprints are also sometimes known as certificate fingerprints.

4.1.10. “x5t#S256” (X.509 Certificate SHA-256 Thumbprint) Header Parameter

This parameter has the same meaning, syntax, and processing rules as
the “x5t#S256” Header Parameter defined in Section 4.1.8 of [JWS],
except that the certificate referenced by the thumbprint contains the
public key to which the JWE was encrypted; this can be used to
determine the private key needed to decrypt the JWE. Note that
certificate thumbprints are also sometimes known as certificate
fingerprints.

4.1.11. “typ” (Type) Header Parameter

This parameter has the same meaning, syntax, and processing rules as
the “typ” Header Parameter defined in Section 4.1.9 of [JWS], except
that the type is that of this complete JWE.

4.1.12. “cty” (Content Type) Header Parameter

This parameter has the same meaning, syntax, and processing rules as
the “cty” Header Parameter defined in Section 4.1.10 of [JWS], except
that the type is that of the secured content (the plaintext).

4.1.13. “crit” (Critical) Header Parameter

This parameter has the same meaning, syntax, and processing rules as
the “crit” Header Parameter defined in Section 4.1.11 of [JWS],
except that Header Parameters for a JWE are being referred to, rather
than Header Parameters for a JWS.
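
A recipient-side check of the Section 4 rules, as an added example that is not part of RFC 7516 or of the original page: it decodes the JWE Protected Header of a compact JWE, rejects duplicate Header Parameter names, requires supported “alg” and “enc” values, accepts only “DEF” for “zip”, and validates “crit”. The allowlists in `POLICY`, the empty `SUPPORTED_EXTENSIONS` set and the sample token are assumptions made for illustration.

```python
import base64
import json

# Assumed recipient policy (not from the RFC): what this service accepts.
POLICY = {"alg": {"RSA-OAEP", "A128KW"}, "enc": {"A128GCM", "A128CBC-HS256"}}
SUPPORTED_EXTENSIONS = set()  # extension names this service allows in "crit"
REGISTERED = {"alg", "enc", "zip", "jku", "jwk", "kid", "x5u", "x5c",
              "x5t", "x5t#S256", "typ", "cty", "crit"}


def _unique_members(pairs):
    """json hook: reject duplicate names instead of silently keeping the last."""
    obj = {}
    for name, value in pairs:
        if name in obj:
            raise ValueError(f"duplicate Header Parameter name: {name}")
        obj[name] = value
    return obj


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_protected_header(compact_jwe):
    """Return the validated JWE Protected Header or raise ValueError."""
    parts = compact_jwe.split(".")
    if len(parts) != 5:
        raise ValueError("compact JWE must have five parts")
    raw = base64.urlsafe_b64decode(parts[0] + "=" * (-len(parts[0]) % 4))
    header = json.loads(raw, object_pairs_hook=_unique_members)
    if not isinstance(header, dict):
        raise ValueError("JOSE Header must be a JSON object")
    for name, allowed in POLICY.items():
        if not isinstance(header.get(name), str) or header[name] not in allowed:
            raise ValueError(f"missing or unsupported {name}")
    if "zip" in header and header["zip"] != "DEF":
        raise ValueError("unsupported zip value")
    crit = header.get("crit")
    if "crit" in header and (not isinstance(crit, list) or not crit):
        raise ValueError("crit must be a non-empty array")
    for name in crit or []:
        if (not isinstance(name, str) or name in REGISTERED
                or name not in header or name not in SUPPORTED_EXTENSIONS):
            raise ValueError(f"unacceptable crit entry: {name}")
    return header


# Constructed sample: only the first part is meaningful, the rest are dummies.
SAMPLE = b64url(b'{"alg":"A128KW","enc":"A128CBC-HS256"}') + ".AA.AA.AA.AA"
```

In the Compact Serialization the protected header is the only header, so “zip” is integrity protected by construction; a parser for the JWE JSON Serialization would also have to reject “zip” in the unprotected headers.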

4.2. Public Header Parameter Names

Additional Header Parameter names can be defined by those using JWEs.
However, in order to prevent collisions, any new Header Parameter
name should either be registered in the IANA “JSON Web Signature and
Encryption Header Parameters” registry established by [JWS] or be a
Public Name: a value that contains a Collision-Resistant Name. In
each case, the definer of the name or value needs to take reasonable
precautions to make sure they are in control of the part of the
namespace they use to define the Header Parameter name.

New Header Parameters should be introduced sparingly, as they can
result in non-interoperable JWEs.

4.3. Private Header Parameter Names

A producer and consumer of a JWE may agree to use Header Parameter
names that are Private Names: names that are not Registered Header
Parameter names (Section 4.1) or Public Header Parameter names
(Section 4.2). Unlike Public Header Parameter names, Private Header
Parameter names are subject to collision and should be used with
caution.

5. Producing and Consuming JWEs

6. Key Identification

7. Serializations

8. TLS Requirements

9. Distinguishing between JWS and JWE Objects

10. IANA Considerations

11. References

Appendix A. JWE Examples

This section provides examples of JWE computations.

A.1. Example JWE using RSAES-OAEP and AES GCM

A.2. Example JWE using RSAES-PKCS1-v1_5 and AES_128_CBC_HMAC_SHA_256

A.3. Example JWE Using AES Key Wrap and AES_128_CBC_HMAC_SHA_256

Appendix B. Example AES_128_CBC_HMAC_SHA_256 Computation

This example shows the steps in the AES_128_CBC_HMAC_SHA_256 authenticated encryption computation using the values from the example in Appendix A.3. As described where this algorithm is defined in Sections 5.2 and 5.2.3 of JWA, the AES_CBC_HMAC_SHA2 family of algorithms are implemented using Advanced Encryption Standard (AES) in Cipher Block Chaining (CBC) mode with Public-Key Cryptography Standards (PKCS) #7 padding to perform the encryption and an HMAC SHA-2 function to perform the integrity calculation (in this case, HMAC SHA-256).
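
The integrity half of AES_128_CBC_HMAC_SHA_256 as JWA Section 5.2.2.1 defines it, as an added example that is not from the RFC or the original page: the 32-octet CEK is split into a MAC key and an AES key, and the tag is the first 16 octets of HMAC SHA-256 over the AAD, IV, ciphertext and the AAD bit length. The AES-CBC step is left out because Python's standard library has no AES; the key, IV and ciphertext octets are constructed and are not the Appendix A.3 values.

```python
import hashlib
import hmac
import struct

MAC_KEY_LEN = ENC_KEY_LEN = T_LEN = 16  # sizes for AES_128_CBC_HMAC_SHA_256


def split_key(cek):
    """Split the CEK: initial octets are the MAC key, final octets the AES key."""
    if len(cek) != MAC_KEY_LEN + ENC_KEY_LEN:
        raise ValueError("CEK must be 32 octets")
    return cek[:MAC_KEY_LEN], cek[MAC_KEY_LEN:]


def auth_tag(cek, aad, iv, ciphertext):
    """Authentication Tag = first T_LEN octets of HMAC(AAD || IV || E || AL)."""
    mac_key, _enc_key = split_key(cek)
    al = struct.pack(">Q", len(aad) * 8)  # AAD length in bits, 64-bit big-endian
    mac = hmac.new(mac_key, aad + iv + ciphertext + al, hashlib.sha256).digest()
    return mac[:T_LEN]


def verify_tag(cek, aad, iv, ciphertext, tag):
    """Constant-time check; run it before any CBC decryption or unpadding."""
    return hmac.compare_digest(auth_tag(cek, aad, iv, ciphertext), tag)


# Constructed sample values. In JWE the AAD is the ASCII form of the
# base64url-encoded JWE Protected Header, so the header is bound to the tag.
CEK = bytes(range(32))
AAD = b"eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0"
IV = bytes(16)
CIPHERTEXT = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
TAG = auth_tag(CEK, AAD, IV, CIPHERTEXT)
```

Because the protected header is the AAD, changing any Header Parameter after encryption changes the expected tag and the recipient rejects the JWE.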