Questions tagged [jwe]

JWE specifies how to encrypt content and encode associated metadata. It is defined in RFC 7516: JSON Web Encryption (JWE).

As indicated in section 3 of the RFC, "JWE represents encrypted content using JSON data structures and base64url encoding." This standard focuses on authenticated encryption.

The structures defined are:

  • JOSE Header
  • JWE Encrypted Key
  • JWE Initialization Vector
  • JWE AAD
  • JWE Ciphertext
  • JWE Authentication Tag

which can be combined into a higher-level protocol:

  • JWE Protected Header
  • JWE Shared Unprotected Header
  • JWE Per-Recipient Unprotected Header

The algorithms to be used are defined in RFC 7518: JSON Web Algorithms (JWA), section 4.

13 questions
6 votes, 1 answer

How does the Concat KDF work?

I am writing an application using JSON Web Encryption with ECDH using the X25519 Curve. The RFC says that ECDH-ES derived secret is run through a Concat KDF. Given that many cryptographers seem to be bashing JWT and the JOSE standard for having too…
ams
4 votes, 1 answer

How does JOSE/JWE make use of ECDH when encrypting/decrypting messages?

Disclaimer: I first posted this question on security.stackexchange some minutes ago but deleted it, this is probably a better place for it. My goal is to use JWE with hybrid encryption (ECDH+AES) for exchanging sensitive data with another party.…
ceaaj
3 votes, 1 answer

AES 128 GCM - dynamic key with static IV/nonce

I'm working on a project to upgrade an existing system that currently uses RC4 to encrypt a payload with a random session key. The session key is then encrypted with asymmetric public key encryption (RSA PKCS#1 OAEP). The encrypted pair are then…
3 votes, 1 answer

AEAD: Is it secure to decrypt the content encryption key before verifying the MAC?

The JSON Web Encryption (JWE) standard defines a number of encryption modes with the same basic form: First, a unique content encryption key (CEK) is generated and used to encrypt the payload with associated data in an AEAD mode (e.g. AES-CBC…
Neil Madden
2 votes, 1 answer

JWE between Android/iPhone and backend

I'm working on a solution where JWE is needed between an Android app and a backend written in Node.JS, using node-jose. I've been struggling a lot since it seems there is no out of the box compatibility between Android - if you want to use the HW…
JHH
2 votes, 1 answer

Are there any security drawbacks for simply encrypting and MACing my JWS token (JWT)?

This question, while related, doesn't answer the security aspect I have in mind. I understand that signatures make it impossible for the tokens to be modified. But if I want the JWS token content to be non-visible, I keep hearing people mention JWE.…
2 votes, 0 answers

Secure option for (hybrid) encryption of a secret key using JWE

I want to encrypt a private key $sk$ (it's actually an RSA private key in PKCS#8 format) with another person's (and/or my) public key $pk_A$ for secure storage. With JWE, it is possible to use hybrid encryption: we generate a random symmetric key…
1 vote, 0 answers

In regard to using RSA-OAEP-256 in JWE to also authenticate token issuer

I'm not an expert on cryptography, so, the understanding below might not be entirely correct. From what I understand, in the context of JWE, the RSA-OAEP-256 key algorithm is meant to provide payload integrity and confidentiality. If the…
Wendong
1 vote, 1 answer

How can JWE support an integrity check given that it uses a public key to encrypt the message?

As far as I know JWE (JSON Web Encryption) supports both integrity and confidentiality. I agree about the confidentiality because only the recipient with a private key can decrypt a message. What about the integrity? Given that the Content…
1 vote, 1 answer

JOSE: JWE CEK Initialization Vector Position or Reuse

So I am attempting to generate a JWE using an X25519 to encrypt the Content Encryption Key (CEK) and AES-256-GCM for the content. My issue however is that NaCl needs an IV (nonce in NaCl) for both the asymmetric encryption of the key and the…
Wil W
1 vote, 0 answers

Why doesn't the JOSE suite/JWA include ECIES?

The JOSE suite specifies use of RSA-OAEP (for when one party has an RSA key) and ECDH (for when two parties have EC keys) in JWA. Why doesn't it include ECIES? It seems like a way to derive a key when only one party has an EC key would be a common…
kag0
1 vote, 0 answers

Custom key for key wrapping using JOSE/JWK

I am trying to figure out how to use a custom password with a JWK that uses the password for key wrapping. The JWA spec contains for example "PBES2-HS512+A256KW", which does "PBES2 with HMAC SHA-512 and 'A256KW' wrapping". So, if I understand…
enzian
0 votes, 0 answers

Difference between JWE encryption algorithm RSAES-PKCS1-v1_5 and RSAES OAEP

In the specifications of JWE (RFC7516) they specify the values for (asymmetrically) encrypting the symmetric key. In RFC7518 in section 4.1 they list the options, of which two are relevant for my case alg = RSA1_5 (RSAES-PKCS1-v1_5) or alg =…
Krijn