So I am attempting to generate a JWE using X25519 to encrypt the Content Encryption Key (CEK) and AES-256-GCM for the content.

My issue however is that NaCl needs an IV (nonce in NaCl) for both the asymmetric encryption of the key and the symmetric encryption of the content.

Looking at other examples such as the ietf-jose cookbook (X25519, A128GCM), they only have the one "top level" IV.

Is it ok to use the same IV for both the x25519 and the A256GCM?

If not, where does the IV for the x25519 get placed in the JWE?

Or is there something else I am missing entirely?

{
  header: {
    enc: "A256GCM",
    alg: "ECDH-ES",
    epk: {
      crv: "X25519",
      kty: "OKP",
      x: ephemPublicKey,
      iv: "Perhaps we stuff the X25519 iv here?",
    },
    iv: "Perhaps we stuff the X25519 iv here?",
    encrypted_key,
  },
  ciphertext,
  tag,
  iv: "iv for the A256GCM only or both?",
}
kelalaka
Wil W

1 Answer

So the answer thanks to @kelalaka's comments is that X25519 doesn't need an iv. I was not using just X25519, but instead x25519-xsalsa20-poly1305 via TweetNaCl.js.

There isn't really a need to use x25519-xsalsa20-poly1305 to wrap the AES-256-GCM key, as the "xsalsa20 is a stream cipher and poly1305 is for mutual authentication".

Regarding JWE, there isn't a way to use x25519-xsalsa20-poly1305 with a JWE because JWE requires Authenticated Encryption Additional Data (AEAD) and salsa only has Authenticated Encryption (AE).

So my options with a JWE are to switch to just using x25519 + AES-256-GCM OR use just x25519-xsalsa20-poly1305 without using a JWE (or at least not a standards compliant one).

Wil W
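
The "x25519 + AES-256-GCM" option from the answer, as an added example that is not part of the original post: ECDH-ES in direct key agreement mode with Node's built-in `crypto` module instead of TweetNaCl.js. The key agreement takes no IV, so the only nonce in the object is the 96-bit A256GCM `iv`. The function names are hypothetical, and `apu`/`apv` are assumed to be empty.

```javascript
const crypto = require('node:crypto');

const b64u = (buf) => Buffer.from(buf).toString('base64url');
// Concat KDF field: 32-bit big-endian length, then the data.
const lenPrefixed = (buf) => {
  const len = Buffer.alloc(4);
  len.writeUInt32BE(buf.length);
  return Buffer.concat([len, buf]);
};

// RFC 7518 section 4.6.2 Concat KDF; one SHA-256 round yields the 256-bit CEK.
function deriveCek(z, enc) {
  const otherInfo = Buffer.concat([
    lenPrefixed(Buffer.from(enc)), // AlgorithmID: the "enc" value in direct mode
    lenPrefixed(Buffer.alloc(0)),  // PartyUInfo (apu), assumed empty
    lenPrefixed(Buffer.alloc(0)),  // PartyVInfo (apv), assumed empty
    Buffer.from([0, 0, 1, 0]),     // SuppPubInfo: key length of 256 bits
  ]);
  const round = Buffer.from([0, 0, 0, 1]);
  return crypto.createHash('sha256').update(Buffer.concat([round, z, otherInfo])).digest();
}

// Flattened JWE without "encrypted_key": the derived key is used directly as the CEK.
function encryptJwe(recipientPublicKey, plaintext) {
  const eph = crypto.generateKeyPairSync('x25519'); // fresh ephemeral key per message
  const header = { alg: 'ECDH-ES', enc: 'A256GCM', epk: eph.publicKey.export({ format: 'jwk' }) };
  const protectedB64 = b64u(JSON.stringify(header));
  const z = crypto.diffieHellman({ privateKey: eph.privateKey, publicKey: recipientPublicKey });
  const iv = crypto.randomBytes(12); // the only IV in the JWE
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveCek(z, header.enc), iv);
  cipher.setAAD(Buffer.from(protectedB64, 'ascii')); // protected header is the AAD
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { protected: protectedB64, iv: b64u(iv), ciphertext: b64u(ciphertext), tag: b64u(cipher.getAuthTag()) };
}

function decryptJwe(recipientPrivateKey, jwe) {
  const header = JSON.parse(Buffer.from(jwe.protected, 'base64url').toString());
  // Accept only the expected algorithms; never let the header pick them freely.
  if (header.alg !== 'ECDH-ES' || header.enc !== 'A256GCM') throw new Error('unexpected alg/enc');
  const epk = crypto.createPublicKey({ key: header.epk, format: 'jwk' });
  const z = crypto.diffieHellman({ privateKey: recipientPrivateKey, publicKey: epk });
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveCek(z, header.enc), Buffer.from(jwe.iv, 'base64url'));
  decipher.setAAD(Buffer.from(jwe.protected, 'ascii'));
  decipher.setAuthTag(Buffer.from(jwe.tag, 'base64url'));
  const ct = Buffer.from(jwe.ciphertext, 'base64url');
  return Buffer.concat([decipher.update(ct), decipher.final()]); // final() throws on a bad tag
}
```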