One document matched: draft-miller-jose-jwe-protected-jwk-02.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc compact="yes"?>
<?rfc strict="yes"?>
<?rfc symrefs="yes"?>
<?rfc toc="yes"?>
<?rfc tocdepth="4"?>
<rfc category="std" docName="draft-miller-jose-jwe-protected-jwk-02" ipr="trust200902">
<front>
<title abbrev="JWE Protected JWK">Using JavaScript Object Notation (JSON) Web Encryption (JWE) for Protecting JSON Web Key (JWK) Objects</title>
<author initials="M." surname="Miller" fullname="Matthew Miller">
<organization>Cisco Systems, Inc.</organization>
<address>
<postal>
<street>1899 Wynkoop Street, Suite 600</street>
<city>Denver</city>
<region>CO</region>
<code>80202</code>
<country>USA</country>
</postal>
<phone>+1-303-308-3204</phone>
<email>mamille2@cisco.com</email>
</address>
</author>
<date/>
<area>Security</area>
<workgroup>JOSE Working Group</workgroup>
<keyword>Internet-Draft</keyword>
<abstract>
<t>This document specifies an approach to protecting a private key formatted as a JavaScript Syntax Object Notation (JSON) Web Key (JWK) object using JSON Web Encryption (JWE). This document also specifies a set of algorithms for protecting such content using password-based cryptography.</t>
</abstract>
</front>
<middle>
<section title="Introduction" anchor="intro">
<t>There are times when it is necessary to transport a private key, whether the private component to an asymmetric cipher key-pair or a symmetric cipher key used for encryption or generating a message authentication code (MAC), where the transport mechanism might not provide adequate content protection for the key. For instance, end-to-end scenarios where the key holder and key recipient are linked through multiple network hops that might or might not employ transport layer security (TLS, <xref target="RFC5246"/>), or the key holder an key recipient (often the same human being) might exchange a private key using physical media such as a USB drive that itself is not encrypted.</t>
<t>This document specifies an approach that uses JavaScript Object Notation (JSON) Web Encryption <xref target="JWE"/> to encrypt a private key that is formatted as a JSON Web Key <xref target="JWK"/>. While <xref target="JWE"/> provides protection of symmetric keys, this key is itself intended for the protection of content, not as the content itself. Further, <xref target="JWE"/> does not itself provide protection of an asymmetric private key.</t>
<t>Ofttimes the transport of private keys involves direct interaction with human beings. In these scenarios the use of a human-understandable password or passphrase to protect the private key is desirable. Therefore, this document also specifies and registers JWK formats and JWE algorithms based on <xref target="RFC2898"/> to allow for protecting content using a password.</t>
</section>
<section title="Terminology" anchor="terms">
<t>This document inherits JSON Web Algorithms (JWA)-related terminology from <xref target="JWA"/>, JSON Web Encryption (JWE)-related terminology from <xref target="JWE"/>, JSON Web Key (JWK)-related terminology from <xref target="JWK"/>, and password-based cryptography-related terminology from <xref target="RFC2898"/>. Security-related terms are to be understood in the sense defined in <xref target="RFC4949"/>.</t>
<t>The capitalized key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in <xref target="RFC2119"/>.</t>
</section>
<section title="Protecting Keys" anchor="protect">
<t>The process for protecting private keys and symmetric keys are identical. The only differences are typically the algorithms used to protect the key.</t>
<t>To protect a private key, the key holder performs the following steps:<vspace blankLines="1"/>
<list style="numbers">
<t>Converts the JWK object to a UTF-8 encoded string (K').<vspace blankLines="1"/></t>
<t>Performs the message encryption steps from <xref target="JWE"/> to generate the JWE header H, JWE Encrypted Key E, JWE Initialization Vector IV, JWE Ciphertext C, and JWE Integrity Value I, using the following inputs:<vspace blankLines="1"/>
<list style="symbols">
<t>The 'alg' property set to the intended key encryption algorithm (e.g., "RSA-OAEP", or "PBES2-HS256+A256KW" from below).<vspace blankLines="1"/></t>
<t>Keying material appropriate for the selected key encryption algorithm (e.g., private key for "RSA-OAEP", or shared password, salt, and iteration count for "PBES2-HS256+A256KW").<vspace blankLines="1"/></t>
<t>The 'enc' property set to the intended content encryption algorithm (e.g., "A256GCM" or "A256CBC+HS512").<vspace blankLines="1"/></t>
<t>The 'cty' property set to "application/jwk+json", indicating the content is a JWK object.<vspace blankLines="1"/></t>
<t>Keying material appropriate for the selected content encryption algorithm (e.g., Content Encryption Key and Initialization Vector).<vspace blankLines="1"/></t>
<t>K' as the plaintext content to encrypt.</t>
</list>
</t>
<t>Serializes to the appropriate format for exchange, such as the Compact Serialization documented in <xref target="JWE"/>.<vspace blankLines="1"/></t>
</list>
</t>
<section title="Details for Private Keys" anchor="protect-private">
<t>Private keys are typically protected using a symmetric key. This symmetric key can be exchanged or determined in various ways, such as deriving one from a user-supplied password; the algorithms "PBES2-HS256+A128KW" and "PBES2-HS256+A256KW" (defined in <xref target="pbcrypto-pbes2-jwe"/>) enable this.</t>
</section>
<section title="Details for Symmetric Keys" anchor="protect-symmetric">
<t>Symmetric keys are typically protected using public-private key pairs. It is assumed the key holder has the appropriate public key(s) for the key recipient(s).</t>
<t>The process defined herein expects JWK objects. While more compact to simply encrypt the symmetric key directly with a public key, using the complete JWE process on complete JWK objects allows additional properties to be protected (e.g., expected lifetime, acceptable uses) without exceeding the very restrictive plaintext length limits in most public-private key operations (e.g., 234 octects when using the "RSA-OAEP" algorithm with a 2048-bit key).</t>
</section>
</section>
<section title="Private Key Example" anchor="example-privkey">
<t>NOTE: unless otherwise indicated, all line breaks are included for readability.</t>
<t>The key holder begins with the <xref target="JWK"/> representation of the private key (here using a <xref target="RFC3447"/> RSA private key, formatted per <xref target="JPSK"/>):</t>
<t>
<figure>
<artwork><![CDATA[
{
"kty":"RSA",
"kid":"juliet@capulet.lit",
"n":"ALekPD1kotXZCY_YUz_ITWBZb2nTOw35VvZlnqTiYSeusO58qCtYDz
ahTEkEcjtduRqfkxJKHYVq9Iro4x1cewXFdJZUuMOQAhoD63AHemXE
kdPiKqJvkBXDT_Eo4NPOjMKKkFPy2MsJQBmdtVknUvzxEchhYjZ490
EJTvGJ7OYwrSwkcCxy9D29XxL-OQLkSLlH1XD8kgVmJw8hsb42Bg0j
PgKlkvcyENmYpYE_hqlJoqYNFzgtAnNtK4C3tspix46R3IgilQG2Of
i99vpUnmTvjrOlNef2l65PRsPHD1Gl9fyPLCxrkolXbdwvxZ9j2d2f
Iu-OBTxRhnBtarNls_k",
"e":"AQAB",
"d":"GRtbIQmhOZtyszfgKdg4u_N-R_mZGU_9k7JQ_jn1DnfTuMdSNprTea
STyWfSNkuaAwnOEbIQVy1IQbWVV25NY3ybc_IhUJtfri7bAXYEReWa
Cl3hdlPKXy9UvqPYGR0kIXTQRqns-dVJ7jahlI7LyckrpTmrM8dWBo
4_PMaenNnPiQgO0xnuToxutRZJfJvG4Ox4ka3GORQd9CsCZ2vsUDms
XOfUENOyMqADC6p1M3h33tsurY15k9qMSpG9OX_IJAXmxzAh_tWiZO
wk2K4yxH9tS3Lq1yX8C1EWmeRDkK2ahecG85-oLKQt5VEpWHKmjOi_
gJSdSgqcN96X52esAQ",
"p":"ANq50jleISkjfLEuAoHEBxW7NPF26BQ6irpt7HOIdxkca05kHZdWSv
bsPjyB30D9BZMV1a8flhPmRG66orx_9ogi1Eu8AJel7wEbdSpCGlMT
z0mAfcpN9bNEPFCvehN_zqwAwGLQCbPjNycQi3zYKoeehw5xE00IR9
6wk-U98icL",
"q":"ANbv0YhQz-ywWIdzeBly0_TqUimD9LkGcommcAbTggTSYEMWo9dEVo
7GbtHOiHnYrOEuwf3KEigdCo_T2j2gc4PiMkkb73ELj2pkLuuq4jIY
1bRuk5VfAiwmCq2Jeds4qitBP8ptkJ5MLFF-3mEwey2wB0SvRqqHAx
OQdH_NPCOL",
"dp":"KkMTWqBUefVwZ2_Dbj1pPQqyHSHjj90L5x_MOzqYAJMcLMZtbUtwK
qvVDq3tbEo3ZIcohbDtt6SbfmWzggabpQxNxuBpoOOf_a_HgMXK_l
hqigI4y_kqS1wY52IwjUn5rgRrJ-yYo1h41KR-vz2pYhEAeYrhttW
txVqLCRViD6c",
"dq":"AvfS0-gRxvn0bwJoMSnFxYcK1WnuEjQFluMGfwGitQBWtfZ1Er7t1
xDkbN9GQTB9yqpDoYaN06H7CFtrkxhJIBQaj6nkF5KKS3TQtQ5qCz
kOkmxIe3KRbBymXxkb5qwUpX5ELD5xFc6FeiafWYY63TmmEAu_lRF
COJ3xDea-ots",
"qi":"AJUkIvsPQqclEXjBKz9UbAS5O8DbTr7OREKT6prjL6luezQVHM0nB
KD8JlKqmm7vVdPj8uHUOe_22qaCkbtUfdG77hZ1Ot0h1hBYJWULyQ
zHgL5o-LJvhadKGLv53qLYENIc2yOYK8u2o3WMvftpTcf--mgWaDl
LvRwiflLH0jiP"
}
]]></artwork>
</figure>
</t>
<t>The key holder uses the following <xref target="JWE"/> inputs:<vspace blankLines="1"/></t>
<t>
<figure>
<preamble>JWE Header:</preamble>
<artwork><![CDATA[
{
"alg":"PBES2-HS256+A128KW",
"jwk":{
kty:"PBKDF2",
kid:"27a4c46f-6d36-4a8c-814c-c954165f6dc9",
s:"2WCTcJZ1Rvd_CJuJripQ1w",
c:4096
},
"enc":"A128CBC+HS256",
"cty":"application/jwk+json"
}
]]></artwork>
</figure>
<vspace blankLines="1"/>
</t>
<t>
<figure>
<preamble>Password:</preamble>
<artwork><![CDATA[
Thus from my lips, by yours, my sin is purged.
]]></artwork>
</figure>
<vspace blankLines="1"/>
</t>
<t>
<figure>
<preamble>Content Master Key (encoded as base64url per <xref target="RFC4648"/>):</preamble>
<artwork><![CDATA[
D0GoLoMS35BtD4_rSF56VGg_Syj0VG6-lb4xrpQIQmU
]]></artwork>
</figure>
<vspace blankLines="1"/>
</t>
<t>
<figure>
<preamble>Initialization Vector (encoded as base64url per <xref target="RFC4648"/>):</preamble>
<artwork><![CDATA[
XYqmb7uopcN1pCNRGJ5hKw
]]></artwork>
</figure>
<vspace blankLines="1"/>
</t>
<t>The key holder performs steps 1 and 2 to generate the <xref target="JWE"/> outputs (represented using the Compact Serialization):<vspace blankLines="1"/></t>
<t>
<figure>
<artwork><![CDATA[
eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJqd2siOnsia3R5IjoiUEJLREY
yIiwia2lkIjoiMjdhNGM0NmYtNmQzNi00YThjLTgxNGMtYzk1NDE2NWY2ZGM5Ii
wicyI6IjJXQ1RjSloxUnZkX0NKdUpyaXBRMXciLCJjIjo0MDk2fSwiZW5jIjoiQ
TEyOENCQytIUzI1NiIsImN0eSI6ImFwcGxpY2F0aW9uL2p3aytqc29uIn0.
b735tKJtEzS9VNxgEO6hT6WYZ9-zOpEIAFk3k0jIiCju7bPLb7FQKw.
XYqmb7uopcN1pCNRGJ5hKw.
dmqTOCIGwHdNOixUkmQ9H0g-JWU74ayVUeuSnsRnRdBPy0wRdBkZBsiQC6-Cl8q
QSjmC376EJvffG2xUBqjt4omuzMX9KY3Kn64GAHr528N5Bv5487fu-iHBy7uVvT
F0zgBaSV4Rt-44FWoMoE7H4vcQn_Lf7mv0dviciDM3Spp_IZrb5ufzDhrQlzArM
xOh7rBTgwoeOaFywXuFrxqr9GbV4Qzn7Vy78T8UUd5alr6GlfF-_O0hW37Gwju_
AT4bN6fs42NKYvqsAq90ZDujQjRlj3BJc1wAJbw9Ev7oxEvPvUSXgfDk6rvnB-n
uKD-0KU-M9td2QM8De0AXYRf2rTMiIIuNsRWeJxgeL97Unz9yNywAfcf4SX1P38
pgCZAbVwLRdbZwcOjK0_R3BQAtyysX-f4rtDCH9BKKFLB_YLcDkQn547QS2RMWf
GrVPT5CKp5Z5H8RSC47HEnmwppAKtGfUPb4wSs6zT8yV60RxOYD8Ze5DK9UJrPN
MFfN33_JlpeNKF7w9ulN57-ooYbXkX0WI4JjdF9G9NdJbh8F1NRqLc4KyQBW2bJ
S_SCZdeVZ4O_spCKfwKpIDFoXE9Nm-3o8mxhfdUbq_Ck8WqiJ6CKm-XjN1b7Z0f
lkGz6YkXdbd3-F62bB09VzsYERnSBIdsWtwaKMvSyqi8MkhMyhZe2-Iz481r4gi
v8ESWXAMeVihmOU9HLtgO4MMY3kSbB1qLzhbH7-CRh4h7k83tCmHPvNIQc-JYLm
80aHs_W_91SPRwnUZJHKasybepqika_CNwkmYsRkiV0GOpzrl2T28Nor74xPrBb
tk5LJMT_ZKErrCQoIvcgXrWcaTknCpe2sDYkOMuvNlsT8g6r45HuPJ6u561-sw7
wvam2P1AEg4wuQBAt7Y1_VDy6N-q71ZejayANTCtMGeJiWea79X6xdUJQ_py5xR
SuSjSwjsXCvisWyiKLAKXoVO9gQGEZLZMhYqRSGwip-KSkYpFYPd5ofn21MHXKG
D6r0gapo7lMysKlCpfd5v0_sB0JJYKsm12F49cvtK_CEtMYQw9n5R2wo8_2m5og
HGG3hMajGmem3anRAoSfifBBzx4kP_OOSqo_FoDbRzGluImVwcGL_pzCRRVNwAx
e5Bx8Al2xGLYncgs-QG7MRKu6LRB5pUq_ZbarL8JJengaa6AbxWsIMkTPEqilyi
SPpl7zmOFrUtuu-UUnNwhr6WEdLJm7o0iUoXr-Eyi8rfnZgdSvJOdMj-pGKQrWl
xyAo-Td8IqU-3DHk-otvjCd_i9SW0zRoL4GmqMkiJkIzZ7mjLdFLIFnX85sx4Qt
yYhMzEIfpgqnv66RnKVLyQ-sIap-9XO_mvSxsLL0yr8a4c_jufv0aFAbbLa_bo0
Mz_U309z0PmMp7BMh7CuwbiLhaoM6ZoafsxxVcOTHMbmEpybvsDOf8HPQ_k2kN2
qrVUfvYW5Be9ViOBNxKZWSiDDY0YWs5MhMZUvqnfq8amtAQNYTrpu5w2LfJIWhA
KkqzYAkzH7Jm7NFnOlcSrLPzFndjVZgIysYnBqkziTqtDoSNHCFY2TaJyZ3cT-o
WZQkVn07E8zuzMd6SGqPRAzY51CKbXdEfRaNgvaSb-V9TZYyhCmSHCGbwo0iErG
TfGiHtrfo4Jf6GD8-CcdmggWN-824rGOtp3Bgl8VAi_jmKkzF5s_sIEwhe7oa1H
S6PMYPkp9llZAiwmFCKHdQbfOdKXbD8FI7p7kUX8llOFLk3w12R2ffVR-gOm7qs
9MJjmi14nXmp13mV9YP_CgkNNss45B1DdcNMhtippHJ07CWIvKm1pkQOrsXG45C
4bNJ6YCn63X9ctdzhnFGmCJxCji3TasWWbnI4eA6XthWkJC5e5Nbz_2K-99PC9K
zwmauA98sqU1yKZFugSYOB6NRwN_y_GB1LEXDSE_FPRSEPNZNJyEMvKo5CeAtEj
7YPvFR6-yzWDTG0Uq1PafxITByg6UXHl9xBRborklCdfL3gUj3EoXHkvEsXdg22
jkpGZUmhWWlNvHeM5y0FUHZTIgyyJqHx_Y8v7yaZ881xwFaYAW52aSnL_8h68U1
8Sv7Q66FKi1gtOYU41FRW6i7oAC9xPYr1Jt5A-am4IwPPR-CPL071mGqOPrDd7l
gSCumoFESqi24d0IQuzPdEh643DHbWbeAQ7YB-LpZR_hTEC4IndRugQA.
3c4RF_muOYT02o5Klxv-IQ
]]></artwork>
</figure>
</t>
</section>
<section title="Symmetric Key Example" anchor="protect-example-symm">
<t>NOTE: unless otherwise indicated, all line breaks are included for readability.</t>
<t>The key holder begins with the <xref target="JWK"/> representation of the symmetric key (here using a <xref target="AES"/> 128-bit key, formatted as per <xref target="JPSK"/>):</t>
<t>
<figure>
<artwork><![CDATA[
{
"kty":"oct",
"kid": "b8acba65-8af2-4e93-a8e0-d4abd7f25e52",
"k": "fKrBr19_ne9Cp3akXGpqgA"
}
]]></artwork>
</figure>
</t>
<t>The key holder uses the following <xref target="JWE"/> inputs:</t>
<t>
<figure>
<preamble>JWE Header:</preamble>
<artwork><![CDATA[
{
"alg":"RSA-OAEP",
"jwk":{
"kty":"RSA",
"kid":"juliet@capulet.lit",
"n":"ALekPD1kotXZCY_YUz_ITWBZb2nTOw35VvZlnqTiYSeusO58qCtYDz
ahTEkEcjtduRqfkxJKHYVq9Iro4x1cewXFdJZUuMOQAhoD63AHemXE
kdPiKqJvkBXDT_Eo4NPOjMKKkFPy2MsJQBmdtVknUvzxEchhYjZ490
EJTvGJ7OYwrSwkcCxy9D29XxL-OQLkSLlH1XD8kgVmJw8hsb42Bg0j
PgKlkvcyENmYpYE_hqlJoqYNFzgtAnNtK4C3tspix46R3IgilQG2Of
i99vpUnmTvjrOlNef2l65PRsPHD1Gl9fyPLCxrkolXbdwvxZ9j2d2f
Iu-OBTxRhnBtarNls_k",
"e":"AQAB"
},
"enc":"A128CBC+HS256",
"cty":"application/jwk+json"
}
]]></artwork>
</figure>
<vspace blankLines="1"/>
</t>
<t>
<figure>
<preamble>Content Master Key (encoded as base64url per <xref target="RFC4648"/>):</preamble>
<artwork><![CDATA[
QkWU4j0bOc_meVgxNYoad74fQAosvz-4rnKqAhHEV-c
]]></artwork>
</figure>
<vspace blankLines="1"/>
</t>
<t>
<figure>
<preamble>Initialization Vector (encoded as base64url per <xref target="RFC4648"/>):</preamble>
<artwork><![CDATA[
VMmZ6nLXHkcOUmBTlZaSsQ
]]></artwork>
</figure>
<vspace blankLines="1"/>
</t>
<t>The key holder performs steps 1 and 2 to generate the <xref target="JWE"/> outputs (represented using the Compact Serialization):<vspace blankLines="1"/></t>
<t>
<figure>
<artwork><![CDATA[
eyJhbGciOiJSU0EtT0FFUCIsImp3ayI6eyJrdHkiOiJSU0EiLCJraWQiOiJqdWx
pZXRAY2FwdWxldC5saXQiLCJuIjoiQUxla1BEMWtvdFhaQ1lfWVV6X0lUV0JaYj
JuVE93MzVWdlpsbnFUaVlTZXVzTzU4cUN0WUR6YWhURWtFY2p0ZHVScWZreEpLS
FlWcTlJcm80eDFjZXdYRmRKWlV1TU9RQWhvRDYzQUhlbVhFa2RQaUtxSnZrQlhE
VF9FbzROUE9qTUtLa0ZQeTJNc0pRQm1kdFZrblV2enhFY2hoWWpaNDkwRUpUdkd
KN09Zd3JTd2tjQ3h5OUQyOVh4TC1PUUxrU0xsSDFYRDhrZ1ZtSnc4aHNiNDJCZz
BqUGdLbGt2Y3lFTm1ZcFlFX2hxbEpvcVlORnpndEFuTnRLNEMzdHNwaXg0NlIzS
WdpbFFHMk9maTk5dnBVbm1UdmpyT2xOZWYybDY1UFJzUEhEMUdsOWZ5UExDeHJr
b2xYYmR3dnhaOWoyZDJmSXUtT0JUeFJobkJ0YXJObHNfayIsImUiOiJBUUFCIn0
sImVuYyI6IkExMjhDQkMrSFMyNTYiLCJjdHkiOiJhcHBsaWNhdGlvbi9qd2sran
NvbiJ9.
ReivAR0RfDi-03K9Db3gC3MSJQJvCe378Anzg0vKj45DJGwfEaPFym_tt6HkbgB
vgIBaFX_WZE1E3xXMngH_oBz-zUJzB9Gc_hAeov6uLz0pp4knb20pOZCls0Lcjs
xqgAF_RwB7l_mcPP3HVAwfoEz-_Um7FOztq5Wjse1fBmEX0fwqJT3VC7HVKzJpo
pJgrrsYFyGPlraNBJJ3yvmRMYLOzTLNoNDYqQz89yZ_dYDcN7zjrke8T3NnSwx2
9xF3kwiD_AO2SUsA23Zw3xEFQoiskK0w54KKa75yFlSbnObFLOOvqncxJy0bbha
GqW6I-jeoXVaG7aia6hGU9aMX2g.
VMmZ6nLXHkcOUmBTlZaSsQ.
N3j7CW5JfJj7C6uL9PCVIm4U_NWRtAVjrnqnPRXIwhepaGoL-TQHeMyHveg5Uyg
rPP_PBwk-VkwAyFBJClPNJ6cGSS_VN5a9Z60rxlXEQi8nBhCgQzA3wU1XMTHCs-
QF.
trBdLTmkE2mIPdA7eefNyQ
]]></artwork>
</figure>
</t>
</section>
<section title="Using Password-Based Cryptography" anchor="pbcrypto">
<t>There are often times when a key is exchanged through immediate human interaction. To help facilitate such exchanges, a number of password-based cryptography schemes utilizing <xref target="RFC2898"/> are defined to supplement the key format and encryption algorithms from <xref target="JWA"/>.</t>
<section title="PBKDF2 Key Type" anchor="pbcrypto-pbkdf2-jwk">
<t>The "PBKDF2" key type is used to contain the parameters necessary to derive a cipher key from a password using the PBKDF2 algorithm from <xref target="RFC2898"/>. The following parameters are defined:</t>
<section title="'s' Parameter" anchor="pbcrypto-pbkdf2-jwk-S">
<t>The REQUIRED "s" parameter contains the PBKDF2 salt value (S), as a base64url encoded string (per <xref target="RFC4648"/>). This value MUST NOT be the empty string "".</t>
<t>The salt expands the possible keys that can be derived from a given password. <xref target="RFC2898"/> originally recommended a minimum salt length of 8 octets (since there is no concern here of a derived key being re-used for different purposes). The salt MUST be generated randomly; see <xref target="RFC4086"/> for considerations on generating random values.</t>
</section>
<section title="'c' Parameter" anchor="pbcrypto-pbkdf2-jwk-c">
<t>The REQUIRED "c" parameter contains the PBKDF2 iteration count (c), as an integer. This value MUST NOT be less than 1, as per <xref target="RFC2898"/>.</t>
<t>The iteration count adds computational expense, ideally compounded by the possible range of keys introduced by the salt. <xref target="RFC2898"/> originally recommended a minimum iteration count of 1000.</t>
</section>
<section title="'hint' Parameter" anchor="pbcrypto-pbkdf2-jwk-hint">
<t>The OPTIONAL "hint" parameter contains a description clue to the password, as a string. If present, this value SHOULD NOT be the empty string "".</t>
<t>The hint is typically displayed to the user as a reminder or mnemonic for the actual password used. This parameter MUST NOT contain the actual password, and implementations MAY use various heuristic algorithms to prohibit hints that are alternate forms of the actual password.</t>
</section>
</section>
<section title="PBES2 Key Encryption Algorithms" anchor="pbcrypto-pbes2-jwe">
<t>The "PBES2-HS256+A128KW" and "PBES2-HS256+A256KW" algorithms defined below are used to encrypt a JWE Content Master Key using a user-supplied password to derive the key encryption key. With these algorithms, the derived key is used to encrypt the JWE Content Master Key. These algorithms combine a key derivation function with an encryption scheme to encrypt the JWE Content Master Key according to PBES2 from section 6.2 of <xref target="RFC2898"/>.</t>
<section title="PBES2-HS256+A128KW" anchor="pbcrypto-pbes2-jwe-hs256-a128kw">
<t>The "PBES2-HS256+A128KW" algorithm uses "HMAC-SHA256" as the PRF and "AES128-WRAP" as defined in <xref target="RFC3394"/> for the encryption scheme. The salt (S) and iteration count (c) MUST be specified by the "s" and "c" parameters (respectively) in the applicable "PBKDF2" JWK object. The derived-key length (dkLen) is 16 octets.</t>
</section>
<section title="PBES2-HS256+A256KW" anchor="pbcrypto-pbes2-jwe-hs512-a256kw">
<t>The "PBES2-HS256+A256KW" algorithm uses "HMAC-SHA256" as the PRF "and "AES256-WRAP" as defined in <xref target="RFC3394"/> for the encryption scheme. The salt (S) and iteration count (c) MUST be specified by the "s" and "c" parameters (respectively) in the applicable "PBKDF2" JWK object. The derived-key length (dkLen) is 32 octets.</t>
</section>
</section>
</section>
<section title="IANA Considerations" anchor="iana">
<section title="JSON Web Key Types Registration" anchor="iana-jwk-types">
<t>This document registers the following to the JSON Web Key Types registry:</t>
<t>
<list style="symbols">
<t>"kty" Paramater value: "PBKDF2"<vspace blankLines="1"/></t>
<t>Implementation Requirements: OPTIONAL<vspace blankLines="1"/></t>
<t>Change Controller: IETF<vspace blankLines="1"/></t>
<t>Specification Document(s): <xref target="pbcrypto-pbkdf2-jwk"/> of [[ this document ]]<vspace blankLines="1"/></t>
</list>
</t>
</section>
<section title="JSON Web Key Parameters Registration" anchor="iana-jwk-params">
<t>This document registers the following to the JSON Web Key Parameters registry:</t>
<t>
<list style="symbols">
<t>Parameter Name: "s"<vspace blankLines="1"/></t>
<t>Change Controller: IETF<vspace blankLines="1"/></t>
<t>Specification Document(s): <xref target="pbcrypto-pbkdf2-jwk-S"/> of [[ this document ]]<vspace blankLines="1"/></t>
</list>
</t>
<t>
<list style="symbols">
<t>Parameter Name: "c"<vspace blankLines="1"/></t>
<t>Change Controller: IETF<vspace blankLines="1"/></t>
<t>Specification Document(s): <xref target="pbcrypto-pbkdf2-jwk-c"/> of [[ this document ]]<vspace blankLines="1"/></t>
</list>
</t>
<t>
<list style="symbols">
<t>Parameter Name: "hint"<vspace blankLines="1"/></t>
<t>Change Controller: IETF<vspace blankLines="1"/></t>
<t>Specification Document(s): <xref target="pbcrypto-pbkdf2-jwk-hint"/> of [[ this document ]]<vspace blankLines="1"/></t>
</list>
</t>
</section>
<section title="JSON Web Encryption Algorithms" anchor="iana-jwe-algs">
<t>This document registers the following to the JSON Web Encryption Algorithms registry:</t>
<t>
<list style="symbols">
<t>Algorithm Name: "PBES2-HS256+A128KW"<vspace blankLines="1"/></t>
<t>Algorithm Usage Location(s): "alg"</t>
<t>Implementation Requirements: OPTIONAL<vspace blankLines="1"/></t>
<t>Change Controller: IETF<vspace blankLines="1"/></t>
<t>Specification Document(s): <xref target="pbcrypto-pbes2-jwe-hs256-a128kw"/> of [[ this document ]]<vspace blankLines="1"/></t>
</list>
</t>
<t>
<list style="symbols">
<t>Algorithm Name: "PBES2-HS256+A256KW"<vspace blankLines="1"/></t>
<t>Algorithm Usage Location(s): "alg"</t>
<t>Implementation Requirements: OPTIONAL<vspace blankLines="1"/></t>
<t>Change Controller: IETF<vspace blankLines="1"/></t>
<t>Specification Document(s): <xref target="pbcrypto-pbes2-jwe-hs512-a256kw"/> of [[ this document ]]<vspace blankLines="1"/></t>
</list>
</t>
</section>
</section>
<section title="Security Considerations" anchor="security">
<section title="Re-using Keying Material" anchor="security-reuse">
<t>It is NOT RECOMMENDED to re-use the same keying material (Key Encryption Key, Content Master Key, Initialization Vector, etc) to protect multiple JWK objects, or to protect the same JWK object multiple times. One suggestion for preventing re-use is to always generate a new set keying material for each protection operation, based on the considerations noted in this document as well as from <xref target="RFC4086"/>.</t>
</section>
<!--
<section title="Lifetime of Protected Keys" anchor="security-store">
<t>Depending on the application, a protected JWK could potentially be stored for an indefinite time, anywhere from milliseconds (e.g., broadcasted over a computer network) to years (e.g., stored as a file). This lifetime can influence the factors used to protect the key; for a protected JWK that exists for as long as it takes to transit a network might use minimal-strength keys and algorithms, while longer term storage might necessitate stronger factors.</t>
</section>
-->
<section title="Password Considerations" anchor="security-pwd">
<t>While convenient for end users, passwords are vulnerable to a number of attacks. To help mitigate some of these limitations, this document applies principles from <xref target="RFC2898"/> to derive cryptographic keys from user-supplied passwords.</t>
<t>However, the strength of the password still has a significant impact. A high-entry password has greater resistance to dictionary attacks. <xref target="NIST-800-63-1"/> contains guidelines for estimating password entropy, which can help applications and users generate stronger passwords.</t>
<t>An ideal password is one that is as large (or larger) than the derived key length but less than the PRF's block size. Passwords larger than the PRF's block size are first hashed, which reduces an attacker's effective search space to the length of the hash algorithm (32 octects for HMAC-SHA-256). It is RECOMMENDED that the password be no longer than 64 octets long; for "PBES2-HS256+A256KW".</t>
<t>Still, care needs to be taken in where and how password-based encryption is used. Such algorithms MUST NOT be used where the attacker can make an indefinite number of attempts to circumvent the protection.</t>
</section>
</section>
<section title="Internationalization Considerations" anchor="i18n">
<t>Passwords obtained from users are likely to require preparation and normalization to account for differences of octet sequences generated by different input devices, locales, etc. It is RECOMMENDED for applications to perform the steps outlined in <xref target="SASLPREP"/> to prepare a password supplied directly by a user before performing key derivation and encryption.</t>
</section>
</middle>
<back>
<references title="Normative References">
<reference anchor="JWA">
<front>
<title>JSON Web Algorithms (JWA)</title>
<author initials="M." surname="Jones" fullname="Michael B. Jones">
<organization>Microsoft</organization>
<address>
<email>mjb@microsoft.com</email>
</address>
</author>
<date year="2012" month="December"/>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-jose-json-web-algorithms-08"/>
<format type="TXT" target="http://www.ietf.org/internet-drafts/draft-ietf-jose-json-web-algorithms-08.txt"/>
</reference>
<reference anchor="JWE">
<front>
<title>JSON Web Encryption (JWE)</title>
<author initials="M." surname="Jones" fullname="Michael B. Jones">
<organization>Microsoft</organization>
<address>
<email>mjb@microsoft.com</email>
</address>
</author>
<author initials="E." surname="Rescola" fullname="Eric Rescola">
<organization>RTFM, Inc.</organization>
<address>
<email>ekr@rtfm.com</email>
</address>
</author>
<author initials="J." surname="Hildebrand" fullname="Joe Hildebrand">
<organization>Cisco Systems, Inc.</organization>
<address>
<email>jhildebr@cisco.com</email>
</address>
</author>
<date year="2012" month="December"/>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-jose-json-web-encryption-08"/>
<format type="TXT" target="http://www.ietf.org/internet-drafts/draft-ietf-jose-json-web-encryption-08.txt"/>
</reference>
<reference anchor="JWK">
<front>
<title>JSON Web Key (JWK)</title>
<author initials="M." surname="Jones" fullname="Michael B. Jones">
<organization>Microsoft</organization>
<address>
<email>mjb@microsoft.com</email>
</address>
</author>
<date year="2012" month="December"/>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-jose-json-web-key-08"/>
<format type="TXT" target="http://www.ietf.org/internet-drafts/draft-ietf-jose-json-web-key-08.txt"/>
</reference>
<reference anchor="JPSK">
<front>
<title>JSON Private and Symmetric Key</title>
<author initials="M." surname="Jones" fullname="Michael B. Jones">
<organization>Microsoft</organization>
<address>
<email>mjb@microsoft.com</email>
</address>
</author>
<date year="2012" month="December"/>
</front>
<seriesInfo name="Internet-Draft" value="draft-jones-jose-json-private-and-symmetric-key-00"/>
<format type="TXT" target="http://www.ietf.org/internet-drafts/draft-jones-jose-json-private-and-symmetric-key-00.txt"/>
</reference>
<reference anchor="SASLPREP">
<front>
<title>Preparation and Comparison of Internationalized Strings Representing Simple User Names and Passwords</title>
<author initials="P." surname="Saint-Andre" fullname="Peter Saint-Andre">
<organization>Cisco Systems, Inc.</organization>
</author>
<date month="September" year="2012"/>
<abstract>
<t>This document describes how to handle Unicode strings representing simple user names and passwords, primarily for purposes of comparison. This profile is intended to be used by Simple Authentication and Security Layer (SASL) mechanisms (such as PLAIN and SCRAM-SHA-1), as well as other protocols that exchange simple user names or passwords. This document obsoletes RFC 4013.</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-melnikov-precis-saslprepbis-04"/>
<format type="TXT" target="http://www.ietf.org/internet-drafts/draft-melnikov-precis-saslprepbis-04.txt"/>
</reference>
<reference anchor="RFC2119">
<front>
<title abbrev="RFC Key Words">Key words for use in RFCs to Indicate Requirement Levels</title>
<author initials="S." surname="Bradner" fullname="Scott Bradner">
<organization>Harvard University</organization>
<address>
<postal>
<street>1350 Mass. Ave.</street>
<street>Cambridge</street>
<street>MA 02138</street>
</postal>
<phone>+1 617 495 3864</phone>
</address>
</author>
<date month="March" year="1997"/>
<area>General</area>
<keyword>keyword</keyword>
<abstract>
<t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. Authors who follow these guidelines should incorporate this phrase near the beginning of their document:
<list><t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.</t></list>
</t>
<t>Note that the force of these words is modified by the requirement level of the document in which they are used.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="14"/>
<seriesInfo name="RFC" value="2119"/>
</reference>
<reference anchor="RFC2898">
<front>
<title>Password-Based Cryptography Specification</title>
<author initials="B." surname="Kaliski" fullname="Burt Kaliski">
<organization>RSA Labratories</organization>
</author>
<date year="2000" month="September"/>
<abstract>
<t>This memo represents a republication of PKCS #5 v2.0 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, and change control is retained within the PKCS process. The body of this document, except for the security considerations section, is taken directly from that specification.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="2898"/>
<format type="TXT" target="http://www.ietf.org/rfc/rfc2898.txt"/>
</reference>
<reference anchor="RFC3394">
<front>
<title>Advanced Encryption Standard (AES) Key Wrap Algorithm</title>
<author initials="J." surname="Schaad" fullname="Jim Schaad">
<organization>Soaring Hawk Consulting</organization>
</author>
<author initials="R." surname="Housley" fullname="Russell Housley">
<organization>RSA Laboratories</organization>
</author>
<date year="2002" month="September"/>
<abstract>
<t>The purpose of this document is to make the Advanced Encryption Standard (AES) Key Wrap algorithm conveniently available to the Internet community. The United States of America has adopted AES as the new encryption standard. The AES Key Wrap algorithm will probably be adopted by the USA for encryption of AES keys. The authors took most of the text in this document from the draft AES Key Wrap posted by NIST.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="3394"/>
<format type="TXT" target="http://www.ietf.org/rfc/rfc3394.txt"/>
</reference>
<reference anchor="RFC4086">
<front>
<title>Randomness Requirements for Security</title>
<author initials="D." surname="Eastlake" fullname="Donald E. Eastlake 3rd">
<organization>Motorola Laboratories</organization>
<address>
<email>donald.eastlake@motorola.com</email>
</address>
</author>
<author initials="J." surname="Schiller" fullname="Jeffrey I. Schiller">
<organization>MIT, Room E30-311</organization>
<address>
<email>jis@mit.edu</email>
</address>
</author>
<author initials="S." surname="Crocker" fullname="Steve Crocker">
<organization/>
<address>
<email>steve@stevecrocker.com</email>
</address>
</author>
<date month="June" year="2005"/>
</front>
<seriesInfo name="RFC" value="4086"/>
<format type="TXT" target="http://tools.ietf.org/rfc/rfc4086.txt"/>
</reference>
<reference anchor="RFC4648">
<front>
<title>The Base16, Base32, and Base64 Data Encodings</title>
<author initials="S." surname="Josefsson" fullname="S. Josefsson">
<organization/>
</author>
<date year="2006" month="October"/>
<abstract>
<t>This document describes the commonly used base 64, base 32, and base 16 encoding schemes. It also discusses the use of line-feeds in encoded data, use of padding in encoded data, use of non-alphabet characters in encoded data, use of different encoding alphabets, and canonical encodings. [STANDARDS TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="4648"/>
<format type="TXT" octets="35491" target="http://www.ietf.org/rfc/rfc4648.txt"/>
</reference>
<reference anchor="RFC4949">
<front>
<title>Internet Security Glossary, Version 2</title>
<author initials="R." surname="Shirey" fullname="R. Shirey">
<organization/>
</author>
<date year="2007" month="August"/>
<abstract>
<t>This Glossary provides definitions, abbreviations, and explanations of terminology for information system security. The 334 pages of entries offer recommendations to improve the comprehensibility of written material that is generated in the Internet Standards Process (RFC 2026). The recommendations follow the principles that such writing should (a) use the same term or definition whenever the same concept is mentioned; (b) use terms in their plainest, dictionary sense; (c) use terms that are already well-established in open publications; and (d) avoid terms that either favor a particular vendor or favor a particular technology or mechanism over other, competing techniques that already exist or could be developed. This memo provides information for the Internet community.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="4949"/>
<format type="TXT" octets="867626" target="http://www.ietf.org/rfc/rfc4949.txt"/>
</reference>
</references>
<references title="Informative References">
<reference anchor="AES">
<front>
<title>Advanced Encryption Standard (AES)</title>
<author>
<organization>National Institute of Standards and Technology (NIST)</organization>
</author>
<date month="November" year="2001"/>
</front>
<seriesInfo name="FIPS" value="PUB 197"/>
<format target="http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf" type="PDF"/>
</reference>
<reference anchor="NIST-800-63-1">
<front>
<title>Electronic Authentication Guideline</title>
<author>
<organization>National Institute of Standards and Technology (NIST)</organization>
</author>
<date month="December" year="2011"/>
</front>
<seriesInfo name="NIST" value="800-63-1"/>
<format target="http://csrc.nist.gov/publications/nistpubs/800-63-1/SP-800-63-1.pdf" type="PDF"/>
</reference>
<reference anchor="RFC3447">
<front>
<title>Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1</title>
<author initials="J." surname="Jonsson" fullname="Jakob Jonsson">
<organization>Philipps-Universitaet Marburg</organization>
</author>
<author initials="B." surname="Kaliski" fullname="Burt Kaliski">
<organization>RSA Labratories</organization>
</author>
<date year="2003" month="February"/>
<abstract>
<t>This memo represents a republication of PKCS #1 v2.1 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, and change control is retained within the PKCS process. The body of this document is taken directly from the PKCS #1 v2.1 document, with certain corrections made during the publication process.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="2898"/>
<format type="TXT" target="http://www.ietf.org/rfc/rfc2898.txt"/>
</reference>
<reference anchor="RFC5246">
<front>
<title>The Transport Layer Security (TLS) Protocol Version 1.2</title>
<author initials="T." surname="Dierks" fullname="Tim Dierks"/>
<author initials="E." surname="Rescorla" fullname="Eric REscorla"/>
<date month="August" year="2008"/>
<abstract>
<t>This document specifies Version 1.2 of the Transport Layer Security (TLS) protocol. The TLS protocol provides communications security over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5246"/>
<format type="TXT" target="http://www.ietf.org/rfc/rfc5246"/>
</reference>
</references>
<section title="Acknowledgements" anchor="acknowledgements">
</section>
<section title="Document History" anchor="history">
<t>
<list style="hanging">
<t hangText="-02">
<list style="symbols">
<t>Incorporated changes suggested at the JOSE interim meeting on 2012-04-28:<vspace blankLines="1"/>
<list style="symbols">
<t>Replaced JWE key encryption algorithm "PBES2-HS512+A256KW" with "PBES2-HS256+A256KW".<vspace blankLines="1"/></t>
<t>Added considerations for password-based encryption algorithms around dictionary and brute force attacks.<vspace blankLines="1"/></t>
</list>
</t>
<t>Updated to latest versions of JOSE dependencies.<vspace blankLines="1"/></t>
</list>
</t>
<t hangText="-01">
Incorporated changes suggested by Jim Schaad:<vspace blankLines="1"/>
<list style="symbols">
<t>Expanded the acronym "JSON" on first use.<vspace blankLines="1"/></t>
<t>Expanded the introduction to explain how this document's protection of symmetric keys differs from <xref target="JWE"/>.<vspace blankLines="1"/></t>
<t>Expanded the introduction to better explain why password-based encryption algorithms are needed.<vspace blankLines="1"/></t>
<t>Moved information on PBKDF2 salt from the security considerations to the "s" JWK parameter definition.<vspace blankLines="1"/></t>
<t>Moved information on PBKDF2 iteration count from security considerations to the "c" JWK parameter definition.<vspace blankLines="1"/></t>
<t>Added the "hint" JWK parameter.<vspace blankLines="1"/></t>
<t>Explicitly noted what registries are updated by the IANA considerations.<vspace blankLines="1"/></t>
<t>Relaxed language around re-use of keying material.<vspace blankLines="1"/></t>
<t>Removed section discussing protected key lifetimes.<vspace blankLines="1"/></t>
<t>Improved recommendations around password lengths.<vspace blankLines="1"/></t>
</list>
</t>
<t hangText="-00">Initial revision</t>
</list>
</t>
</section>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-23 14:59:20 |