JEF
 
JSON Encryption Format
Table of Contents
1. Introduction
2. Sample Object
3. Notation
4. Data Types
5. JEF Objects
Encryption Object
Key Encryption
publicKey
6. Decryption Operation
7. Encryption Operation
8. Security Considerations
Appendix A: Test Vectors
Appendix B: References
Appendix C: Document History
Appendix D: Author
1. Introduction
This document specifies a container formatted in JSON [RFC8259] for holding encrypted binary data, coined JEF (JSON Encryption Format).
JEF is loosely derived from IETF's JWE [RFC7516] specification and supports the same JWA [RFC7518] and RFC8037 [RFC8037] encryption algorithms. Public keys are represented as JWK [RFC7517] objects while the encryption container itself utilizes a notation similar to the JSON Signature Format [JSF] in order to maintain a consistent "style" in applications using encryption and signatures, including providing header information in plain text. The latter was the primary motivation for creating an alternative to JWE.
2. Sample Object
The following sample object is used to visualize the JEF specification:
{
  "algorithm": "A128GCM",
  "keyEncryption": {
    "algorithm": "ECDH-ES+A128KW",
    "keyId": "example.com:p256",
    "ephemeralKey": {
      "kty": "EC",
      "crv": "P-256",
      "x": "-ll147wh95-3_aY-0ld8LG7dxmRjPW4rkkzzPVed_cI",
      "y": "CNWi2J49GmAjlP1ywnyiGFRpryHARSxT7Rias0l_MaA"
    },
    "encryptedKey": "JD1dlMyCUFQuvRRdVAE8WCSNWcNnkbKb"
  },
  "iv": "-ZdCpyIiyJaUAPZu",
  "tag": "efRJKsqLIXnFZyS-pYEqrQ",
  "cipherText": "A2AaQadn8MGk_3JanGvt5H6Kce70_w"
}
The sample object can be decrypted by using the EC private key defined in Test Vectors.
3. Notation
JEF containers always start with a top-level JSON object.
JSON objects are described as tables with associated properties. When a property holds a JSON object this is denoted by a link to the actual definition.
Properties may either be mandatory (M) or optional (O) as defined in the "Req" column.
Array properties are identified by [ ] x-y where the range expression represents the valid number of array elements.
In some JSON objects there is a choice from a set of mutually exclusive alternatives.
This is manifested in object tables like the following:
Property selection 1Type selection 1ReqComment selection 1
Property selection 2Type selection 2Comment selection 2
4. Data Types
The table below shows how the data types used by this specification are mapped into native JSON types:
TypeMappingDescription
stringstringArbitrary string
byte[]stringBase64URL-encoded [RFC4648] binary data
cryptostringBase64URL-encoded positive integer with arbitrary precision. Note that the value must not contain leading zero-valued bytes
object{}JSON object
Note that "Type" refers to the element type for arrays.
5. JEF Objects
The following tables describe the JEF JSON structures in detail.
Encryption Object
PropertyTypeReqComment
"algorithm": "Algorithm"stringMContent/data encryption algorithm. Currently the following JWE [RFC7516] algorithms are recognized:
  • A128CBC-HS256
  • A192CBC-HS384
  • A256CBC-HS512
  • A128GCM
  • A192GCM
  • A256GCM
JWE counterpart: "enc".
"keyId": "Key Identifier"stringOOptional. Identifies a symmetric content encryption key.
JWE counterpart: "kid".
"keyEncryption": Key EncryptionobjectOptional. Single recipient using a key encryption scheme.
See also the p256#ecdh-es+a256kw@a128cbc-hs256@jwk.json test vector.
"recipients": [Key Encryption] 1-nobjectOptional. One or more recipients, each using a key encryption scheme featuring an "encryptedKey" element.
See also the p256#ecdh-es+a256kw,r2048#rsa-oaep-256@a128cbc-hs256@mult-kid.json test vector.
JWE counterpart: "recipients".
"extensions": ["Property List"] 1-nstringOOptional. Array holding the names of one or more application specific extension properties featured in the Key Encryption objects (or in the top level object if there are no "recipients" or "keyEncryption" elements).
Extension names must not be duplicated or use any of the JEF reserved words "algorithm", "certificatePath", "cipherText", "encryptedKey", "ephemeralKey", "extensions", "iv", "keyEncryption", "keyId", "publicKey", "recipients" or "tag".
Extensions intended for public consumption are preferably expressed as URIs (unless registered with IANA), while private schemes are free using any valid property name.
A conforming JEF implementation must reject encryption objects listing properties that are not found as well as empty "extensions" objects. Receivers are recommended introducing additional constraints like only accepting predefined extensions.
See also the p256#ecdh-es+a256kw@a256gcm@exts-jwk.json test vector.
JWE counterpart: "crit".
"iv": "iv"byte[]MInitialization vector.
JWE counterpart: "iv".
"tag": "tag"byte[]MAuthentication tag.
JWE counterpart: "tag".
"cipherText": "cipherText"byte[]MEncrypted data.
JWE counterpart: "chiphertext".
Note that if neither keyId nor keyEncryption nor recipients are defined, the (symmetric) content encryption key is assumed to known by the recipient.
Key Encryption
PropertyTypeReqComment
"algorithm": "Algorithm"stringOKey encryption algorithm. Currently the following JWE [RFC7516] algorithms are recognized:Note that the "PartyUInfo" and "PartyVInfo" arguments to the NIST Concat KDF function are always set to 0 using JEF.
JWE counterpart: "alg".
"keyId": "Key Identifier"stringOIf the keyId property is defined, it is supposed to identify the public key associated with the encrypted (or derived) key.
JWE counterpart: "kid".
"publicKey": publicKeyobjectOOptional. Public key associated with the encrypted (or derived) key.
See also the p256#ecdh-es+a256kw@a128cbc-hs256@jwk.json test vector.
JWE counterpart: "jwk".
"certificatePath": ["Certificate Path"] 1-nbyte[]Optional. Sorted array of X.509 [RFC5280] certificates, where the first element must contain the encryption certificate. The certificate path must be contiguous but is not required to be complete.
See also the p256#ecdh-es+a256kw@a128cbc-hs256@cer.json test vector.
JWE counterpart: "x5c".
Additional ECDH Properties
"ephemeralKey": publicKeyobjectMEphemeral EC public key.
JWE counterpart: "epk".
Additional ECDH+KW Properties
"ephemeralKey": publicKeyobjectMEphemeral EC public key.
JWE counterpart: "epk".
"encryptedKey": "encryptedKey"byte[]MEncrypted key.
JWE counterpart: "encrypted_key".
Additional RSA Encryption Properties
"encryptedKey": "encryptedKey"byte[]MEncrypted key.
JWE counterpart: "encrypted_key".
Note that if neither keyId nor publicKey nor certificatePath are defined, the associated public key is assumed to be known by the recipient.
publicKey
PropertyTypeReqComment
"kty": "Key Type"stringMKey type indicator. Currently the following types are recognized:
Additional EC Properties
"crv": "Curve Name"stringMEC curve name. The currently recognized EC curves include:
  • P-256
  • P-384
  • P-521
Note: If proprietary curve names are added, they must be expressed as URIs.
"x": "Coordinate"byte[]MEC curve point X. The length of this field must be the full size of a coordinate for the curve specified in the "crv" parameter. For example, if the value of "crv" is "P-521", the decoded argument must be 66 bytes.
"y": "Coordinate"byte[]MEC curve point Y. The length of this field must be the full size of a coordinate for the curve specified in the "crv" parameter. For example, if the value of "crv" is "P-256", the decoded argument must be 32 bytes.
Additional OKP Properties
"crv": "Curve Name"stringMECDH curve name. The currently recognized ECDH curves include:
  • X25519
  • X448
Note: If proprietary curve names are added, they must be expressed as URIs.
"x": "Coordinate"byte[]MECDH curve point X. The length of this field must be the full size of a coordinate for the curve specified in the "crv" parameter. For example, if the value of "crv" is "X25519", the decoded argument must be 32 bytes.
Additional RSA Properties
"n": "Modulus"cryptoMRSA modulus. See also the crypto data type.
"e": "Exponent"cryptoMRSA exponent. See also the crypto data type.
This object represents a true subset of JWK [RFC7517].
6. Decryption Operation
JEF implementors are presumed to be familiar with JWE [RFC7516].
Prerequisite: A JSON object in accordance with [RFC8259] containing properly formatted JEF data.
Note that there must not be any not here defined properties inside of a JEF object and that the use of JCS [RFC8785] implies certain constraints on the JSON data.
Since JEF uses the same algorithms as JWE, the JWA [RFC7518] reference apply with one important exception: the Additional Authenticated Data used by the symmetric ciphers. This difference is due to the way encryption meta data is formatted. For recreating the Additional Authenticated Data the following steps must be performed:
  1. Delete the top level properties "iv", "tag" and "cipherText" from the JEF object.
  2. Retrieve the Additional Authenticated Data by running the JCS [RFC8785] canonicalization method over the remaining JEF object.
Applied on the Sample Object, a conforming JEF Additional Authenticated Data process should return the following JSON string:
{"algorithm":"A128GCM","keyEncryption":{"algorithm":"ECDH-ES+A128KW","encryptedKey":"JD1dlMyCUFQuvRR
dVAE8WCSNWcNnkbKb","ephemeralKey":{"crv":"P-256","kty":"EC","x":"-ll147wh95-3_aY-0ld8LG7dxmRjPW4rkkz
zPVed_cI","y":"CNWi2J49GmAjlP1ywnyiGFRpryHARSxT7Rias0l_MaA"},"keyId":"example.com:p256"}}
Note that the output string was folded for improving readability.
The Additional Authenticated Data string is subsequently UTF-8 encoded before being applied to the decryption algorithm.
7. Encryption Operation
Encryption is analogous to decryption but requires adding the "iv", "tag" and "cipherText" properties after the creation of the Additional Authenticated Data.
8. Security Considerations
This specification does (to the author's knowledge), not introduce additional vulnerabilities over what is specified for JWE [RFC7516].
Appendix A: Test Vectors
This section holds test data which can be used to verify the correctness of a JEF implementation.
All encryption tests encrypt the string below (after first having converted it to UTF-8):
"Hello encrypted world!"
p256privatekey.jwk
The Sample Object (available in file p256#ecdh-es+a128kw@a128gcm@kid.json), can be decrypted by the following EC private key, here expressed in the JWK [RFC7517] format:
{
  "kid": "example.com:p256",
  "kty": "EC",
  "crv": "P-256",
  "x": "6BKxpty8cI-exDzCkh-goU6dXq3MbcY0cd1LaAxiNrU",
  "y": "mCbcvUzm44j3Lt2b5BPyQloQ91tf2D2V-gzeUxWaUdg",
  "d": "6XxMFXhcYT5QN9w5TIg2aSKsbcj-pj4BnZkK7ZOt4B8"
}
p256#ecdh-es+a256kw@a128cbc-hs256@kid.json
ECDH encryption object requiring the same private key as in the sample object while using a different set of algorithms both for key encryption and content encryption. The public key is specified through a keyId:
{
  "algorithm": "A128CBC-HS256",
  "keyEncryption": {
    "algorithm": "ECDH-ES+A256KW",
    "keyId": "example.com:p256",
    "ephemeralKey": {
      "kty": "EC",
      "crv": "P-256",
      "x": "EifyhsxhWZ_RxGMAns503B2lGVeJGid0HSTumFcpx-0",
      "y": "wDN7ec_8OTItqYUiPKLe4jkBKYxKqfpcKVeKd_FuQ_0"
    },
    "encryptedKey": "24vHVn4TKr47FNs-5dZ8_DsGDx_jVm2HFFByrpkQiguBQ-5TurKLIA"
  },
  "iv": "otshLHOW7fuCRA0bACxfHw",
  "tag": "j-WoMcRiEFpDXWH-No1wdg",
  "cipherText": "opggbJ1GLvk8wjsVyF9BqAHWhqRUGc9zcBs9JkiSy3o"
}
p256#ecdh-es+a256kw@a128cbc-hs256@jwk.json
ECDH encryption object requiring the same private key as in the sample object while providing the public key information in line:
{
  "algorithm": "A128CBC-HS256",
  "keyEncryption": {
    "algorithm": "ECDH-ES+A256KW",
    "publicKey": {
      "kty": "EC",
      "crv": "P-256",
      "x": "6BKxpty8cI-exDzCkh-goU6dXq3MbcY0cd1LaAxiNrU",
      "y": "mCbcvUzm44j3Lt2b5BPyQloQ91tf2D2V-gzeUxWaUdg"
    },
    "ephemeralKey": {
      "kty": "EC",
      "crv": "P-256",
      "x": "DKudBnim9LfvH4uSv5yBcdLnSm8j1j_scNz7l1PkPFc",
      "y": "XpMosiRHcNOOzvqaucDs0k5mv8wY4uH02PnoihAsTu0"
    },
    "encryptedKey": "ZwwIdd4GaxotdFHPAwuUpAvXpOvK1l1mXoABQgU-gVTmMPGK5sIh-g"
  },
  "iv": "P78vpDuUSfwzWgvLJcrKPA",
  "tag": "nyYQ9s2lYih0jxpVGA9aww",
  "cipherText": "JpSdOgnuHzFdfMIQLkmjGB4Ua6G7sTnW1jbkxyUHTyQ"
}
p256#ecdh-es+a128kw@a128gcm@imp.json
ECDH encryption object requiring the same private key as in the sample object but assuming it is known through the context:
{
  "algorithm": "A128GCM",
  "keyEncryption": {
    "algorithm": "ECDH-ES+A128KW",
    "ephemeralKey": {
      "kty": "EC",
      "crv": "P-256",
      "x": "LIT0jcMKnY5TnohuZ73vatqhYvawofskk9HuwyPVYLg",
      "y": "-WrYl0zeAgVvH-6PMjbUnojZE7JncXAjSr70WAUkqHQ"
    },
    "encryptedKey": "JntNXd3hIMV7ECo07Ur9Mi7XRbwR7s81"
  },
  "iv": "65dOH0eyoU3ZU07k",
  "tag": "No_8Yv6OhsQaNUw8IwX0zw",
  "cipherText": "Wo7s7xOfU8jycnv8GijiKk6JTiss1w"
}
p256#ecdh-es+a256kw@a128cbc-hs256@cer.json
ECDH encryption object requiring the same private key as in the sample object while providing the key information through an in-line certificate path:
{
  "algorithm": "A128CBC-HS256",
  "keyEncryption": {
    "algorithm": "ECDH-ES+A256KW",
    "certificatePath": [
      "MIIB4zCCAUSgAwIBAgIGAXQvSpluMAoGCCqGSM49BAMEMBYxFDASBgNVBAMTC1Rlc3QgU3ViIENBMB4XDTE4MDEwMTAwMDAwMFoXDT
MwMTIzMTIzNTk1OVowNzE1MDMGA1UEAxMsVGVzdCBjZXJ0aWZpY2F0ZSBtYXRjaGluZyBwMjU2cHJpdmF0ZWtleS5wZW0wWTATBgcqhkjOPQI
BBggqhkjOPQMBBwNCAAToErGm3Lxwj57EPMKSH6ChTp1ercxtxjRx3UtoDGI2tZgm3L1M5uOI9y7dm-QT8kJaEPdbX9g9lfoM3lMVmlHYo10w
WzAJBgNVHRMEAjAAMA4GA1UdDwEB_wQEAwID-DAdBgNVHQ4EFgQUA7M3k-KvWbX6doCGtEiuymmJmsAwHwYDVR0jBBgwFoAUoxFlz13AUKdL5
RnhdntUmrdPl4owCgYIKoZIzj0EAwQDgYwAMIGIAkIBkOc9pom0iG4DK4bxq6YDHIOOzXfzrgXAQlC13d1y_rgdr8u5dzWPwzGO4YlSUZxh7G
4OWdn5tdLltud69ZjXW_oCQgF5V3fe1smjY8uj3Xesz3DObu2RE_f_Bqaotf_7H0sA-z7t0nJTo6MeiDVsLmx4Re9q_PxpH2oIN-01l_SDbGA
DfQ",
      "MIIDgzCCAWugAwIBAgIBAzANBgkqhkiG9w0BAQ0FADAXMRUwEwYDVQQDEwxUZXN0IFJvb3QgQ0EwHhcNMTYwNzEwMTAwMDAwWhcNMz
kwNzEwMDk1OTU5WjAWMRQwEgYDVQQDEwtUZXN0IFN1YiBDQTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAPc4WO7RVjN58NCzHfz5yDrrl_u
lWhyYdYgPz-13bR3qiC0TguuXRN7Ye9cXxDPwfZNiPui5jEzvjkkEFeFRYc_2AMgl7WOo9JWQjf0RQXMxqlnwjUa5UoKst9NZOPn-tTcq6k1n
kd3LZKRLfLZq5qGWm5mQWLf73WHFe1ELES5oO1Zco2MwYTAPBgNVHRMBAf8EBTADAQH_MA4GA1UdDwEB_wQEAwIBBjAdBgNVHQ4EFgQUoxFlz
13AUKdL5RnhdntUmrdPl4owHwYDVR0jBBgwFoAUQI50o7LJMzle8DBu7lOobUF1IcowDQYJKoZIhvcNAQENBQADggIBAB2a9M8LkaTQh5iZW8
-vpkFdiu5sFcOUWKxtFZ7FImuFMPkJbUhHBAYjnSXiLb0SyqWwh4QlO2qSpGqxEjpuGtam-maKsvKxMLwybPgv18-bsbmM7ZjBG7MQYox5P7j
FYZB4U4I3Pn0kQK6Bdr18Ua8EP8YkTKyJS6Gmohl6iTtdsgOdJ5EHjzC0GhzwiR3pXKDX44LO0aK6lERWX3uOAqZazB-K8qhFnh1MA6_p-q1z
VcEIuPcfKmi-8wBOjqHhao8ThmB8afpolWfFrEx23e5ybUe4FPAGMh_5lRP0pA7yHdethk3J5KKScmBioFDm0d8NxlojjMXKHIe0hwJQB6YJj
EPlFw1-U0a4l4IbHEFIywuTmRP0-gCeiznnHkg96JvJRDiQt8sj2DOaCi784HlbVQQQzTBd8VJoCJRgG9CChXqcZn5T-wThGviuMzREHpteSC
E2AyZ-7_loaKsWV_riTqv7GgGVUnke8p0XNjtzMzD-iJVNvLKNhpt4w84jB11TGqnvuJ3i73e-hg96yZITAhMgUSXpn_cZtCPl3oHu7Cjpu78
vyuA0QatYCEBPMAlUfQs-exA8nkV40giCBc3muOpsTjJW1-vQrxpFGkXvK4s9wuzqVrrbXRGNYNCiO6ZrEDJJ3_Ms24bE4JJ_uPnhy7LqtmuU
Ehe3z3Z1Sx7I"
    ],
    "ephemeralKey": {
      "kty": "EC",
      "crv": "P-256",
      "x": "kf2DKnszR417O8rLhizxD19aMVzKPk7Dd6toCRqj-4g",
      "y": "i-eFySiwzqXZUgWz-MEQlDQoz1Mg5LZ4-czfnj_NFqU"
    },
    "encryptedKey": "jbpMEmLYLamuL_gEkDQL-fZ0JFJCEoMun-QhpgtvGeBg-WHv4bRhIw"
  },
  "iv": "XKBzJpYbxQp4O9k791S4BA",
  "tag": "35MTw9KN0jaJu4sqwOQidQ",
  "cipherText": "L1zXA-wRLNX7ERVwEUJB4drOVXnCkAYHrwIfyXdCvM8"
}
p256#ecdh-es+a256kw@a256gcm@exts-jwk.json
ECDH encryption object requiring the same private key as in the sample object while providing the key information in line. In addition, this object declares extensions:
{
  "algorithm": "A256GCM",
  "keyEncryption": {
    "algorithm": "ECDH-ES+A256KW",
    "publicKey": {
      "kty": "EC",
      "crv": "P-256",
      "x": "6BKxpty8cI-exDzCkh-goU6dXq3MbcY0cd1LaAxiNrU",
      "y": "mCbcvUzm44j3Lt2b5BPyQloQ91tf2D2V-gzeUxWaUdg"
    },
    "ephemeralKey": {
      "kty": "EC",
      "crv": "P-256",
      "x": "0waEHuPXfwLOUqBRqo2dmc8DK5aiwwDXfQfCCSQgXeY",
      "y": "MjhWHJHalsrBp0jNnc9X8TybZJY2ZHHmscw2dn-xtd8"
    },
    "encryptedKey": "T5aTMhTEiC9yZX268vObcIUE3h0yTTUEdu0GICSDoE5Pi7j36Yq5_w",
    "otherExt": "something",
    "https://example.com/extension": {
      "life-is-great": true
    }
  },
  "extensions": ["otherExt", "https://example.com/extension"],
  "iv": "cXkpHuWu080pSkSw",
  "tag": "w_CxBpcERg877TEH9j0BWA",
  "cipherText": "n9LBA3JAaKfnnsUAyfLNRFCe7OQX0w"
}
p384privatekey.jwk
EC private key for decrypting the subsequent object:
{
  "kid": "example.com:p384",
  "kty": "EC",
  "crv": "P-384",
  "x": "o4lIdIXzdJro4jU9g-2q-__i5WcutpJaWwOeSgKL8x6nxKWOPD5rH-POQhJ79l6t",
  "y": "MLnyLIGdTO2feJkCW3rWWKG3elhi1Zmbp068Ejb_1LuI-2cNQsRUqb16TfK588_N",
  "d": "woqAfcmqQ5T0rD-FlnTqjXw8wLOIXACCIy4SoWwy8jiSc_BRVH5jGPwZZUyvP1vd"
}
p384#ecdh-es@a256cbc-hs512@jwk.json
ECDH encryption object requiring the private key above:
{
  "algorithm": "A256CBC-HS512",
  "keyEncryption": {
    "algorithm": "ECDH-ES",
    "publicKey": {
      "kty": "EC",
      "crv": "P-384",
      "x": "o4lIdIXzdJro4jU9g-2q-__i5WcutpJaWwOeSgKL8x6nxKWOPD5rH-POQhJ79l6t",
      "y": "MLnyLIGdTO2feJkCW3rWWKG3elhi1Zmbp068Ejb_1LuI-2cNQsRUqb16TfK588_N"
    },
    "ephemeralKey": {
      "kty": "EC",
      "crv": "P-384",
      "x": "HRkfdPK0ylVtdpXguqMptMvtyMPohxCtjeN-6gKIsdncqHUtncc30-yOkuDrB_Rq",
      "y": "o2lrgU2at01OpMbBeZlllvdOeJEbsgeDqih4R9iYuoawD84EcvIxp-ELpijoBMTj"
    }
  },
  "iv": "4CthkSjwPMAB3V1KyD416Q",
  "tag": "4QgIVoyzGmsejhGImlGfQkipKFFRZWJJW4Pgzvqs4jQ",
  "cipherText": "lUv_9Brk1S_Sf816goXlFqhKUEt2o59VXgdwxZuNRtY"
}
p521privatekey.jwk
EC private key for decrypting the subsequent object:
{
  "kid": "example.com:p521",
  "kty": "EC",
  "crv": "P-521",
  "x": "AVb-eD8V1UAzN8GWoUypQ_8xSABA4PwUZ1O_fanjLvbwpuyoniN98ljWt3y93TCrDAqe1089tLCfpJhre8M5frBs",
  "y": "ABORvO-p61zLrGCtgqqqFcQJX_ljnoJ7iDd1IIKZSyksI8aElmtJFCRVSgCyU_P7mSmilqVVaBWhE9fqRHcQ2u_c",
  "d": "AUxbUwj3PKhK08nxKFFRToiriDJyp_bUv0puyt0qch9UwQ5qCjqBqSPAOB5RyvPKy0XwKDhXJGeAGsVqKzsUMRxA"
}
p521#ecdh-es+a256kw@a128cbc-hs256@jwk.json
ECDH encryption object requiring the private key above:
{
  "algorithm": "A128CBC-HS256",
  "keyEncryption": {
    "algorithm": "ECDH-ES+A256KW",
    "publicKey": {
      "kty": "EC",
      "crv": "P-521",
      "x": "AVb-eD8V1UAzN8GWoUypQ_8xSABA4PwUZ1O_fanjLvbwpuyoniN98ljWt3y93TCrDAqe1089tLCfpJhre8M5frBs",
      "y": "ABORvO-p61zLrGCtgqqqFcQJX_ljnoJ7iDd1IIKZSyksI8aElmtJFCRVSgCyU_P7mSmilqVVaBWhE9fqRHcQ2u_c"
    },
    "ephemeralKey": {
      "kty": "EC",
      "crv": "P-521",
      "x": "ASVjdXRy8FghL2Zar9GjRU7ZFjX2p51oDtyj68AIF91gGTZt8-6nyVyNHgTuCPI-iuOq0-AAi_okV9c9o2C1Vqzk",
      "y": "AJoCi0gxP5Kl-lnv0x68vkCUzGiw9Gxs9-tDe1KWHaN6BIPo3m4o27OH1ct3KY8RUoHBkeVU2NT_-LboK8ZWxWCf"
    },
    "encryptedKey": "bSY2E2xLiec5M_8ylKSJ8Xb-1UWNNJXWdpU03xCdx0yKbk1XblS1Yw"
  },
  "iv": "h-ojY78jHI6dpxc70LSBqw",
  "tag": "XVjOQfZ25jpfjrQtD96ezQ",
  "cipherText": "gYn4rr-tkUev_J3-556pBSoebe3lfkbhN8Hi_aDCM-I"
}
x25519privatekey.jwk
ECDH private key for decrypting the subsequent object:
{
  "kid": "example.com:x25519",
  "kty": "OKP",
  "crv": "X25519",
  "x": "o16U773QQYaQB4eegNCldg6huoIZLsOQIYkFWvbZ5lA",
  "d": "8AMLEwmHm83XsNZ-ZfMxqa4mrPzIuIXOZfQshTJrX2g"
}
x25519#ecdh-es+a256kw@a256gcm@jwk.json
ECDH encryption object requiring the private key above:
{
  "algorithm": "A256GCM",
  "keyEncryption": {
    "algorithm": "ECDH-ES+A256KW",
    "publicKey": {
      "kty": "OKP",
      "crv": "X25519",
      "x": "o16U773QQYaQB4eegNCldg6huoIZLsOQIYkFWvbZ5lA"
    },
    "ephemeralKey": {
      "kty": "OKP",
      "crv": "X25519",
      "x": "cngrOo_p079Mct9vow8RLPby5GczqcmFgfGQO8BjuUo"
    },
    "encryptedKey": "ClkyQ6DZ_dtYOZ0wDtFIb0kKKHORTaY0Soq56vIjnFnLRMf99gSGtA"
  },
  "iv": "ie5qgjoNjPGEdsY5",
  "tag": "Tt4jenE8pYlTkpORHKS4eg",
  "cipherText": "gQsovzlCPzrzTu8yWJEfAy2Y0rCYrw"
}
x448privatekey.jwk
ECDH private key for decrypting the subsequent object:
{
  "kid": "example.com:x448",
  "kty": "OKP",
  "crv": "X448",
  "x": "Nm2U_QCgZFMPGI-NjqjTtA8tk1hw8PvYUXChKyM-cJ0tSlivU9uoxkUYrt87KzMukVkfSlrimW0",
  "d": "8AKsGXExIQSgaPxmm3ATFJgtpRlvDBwQs3gM9ew2xPWIAfTCZoiuMo6or6W4N-ziLU1KZSytdvs"
}
x448#ecdh-es@a256cbc-hs512@jwk.json
ECDH encryption object requiring the private key above:
{
  "algorithm": "A256CBC-HS512",
  "keyEncryption": {
    "algorithm": "ECDH-ES",
    "publicKey": {
      "kty": "OKP",
      "crv": "X448",
      "x": "Nm2U_QCgZFMPGI-NjqjTtA8tk1hw8PvYUXChKyM-cJ0tSlivU9uoxkUYrt87KzMukVkfSlrimW0"
    },
    "ephemeralKey": {
      "kty": "OKP",
      "crv": "X448",
      "x": "LhO8D83feuZHdDmw8rHZAiArOwB0K7Z48WkuD7nolGTSPP119b205S8ssyL38z3NiD0QA4ia3iA"
    }
  },
  "iv": "pVsOmLk904-b_nBl1YIzrQ",
  "tag": "iQOzCjmZrYBTQf0I0cxQ19PUDPWBXfAFM_0JaasP-iw",
  "cipherText": "awZjj5vKy8RV83rMLBAHWZo0_nB66Bo15zyw8WR6GLE"
}
r2048privatekey.jwk
RSA private key for decrypting the subsequent object:
{
  "kid": "example.com:r2048",
  "kty": "RSA",
  "n": "ptKZyFPStvmOlb0WihOBhlHUr6wFDHC-tW7hJAudfTQ5mHZQpB8PoMz07udZA-dG8dhUIPkmXlp1TgREeYTHdhxhuf0y_GhbpZv5J
PYHx3watO-HWO2qYkjRMEcrWhPMdaVkS_Xe_liaMcow4jYoWaFm8VobeYsyVD2bWWdyl4joTEETm1Z47RnnfR15kVhVudVrDzEFmM4nXV_6dm
Ig184RJE4httwBFxR8qZCQCwTiJmsoyJxfUR0Gs4ePKc5sB0NTkmFZc5klQSitd67RJn2ldhbqE7EpDl4XlIt-UyLJm1guCBltia8Agke7dXu
hpB7hQ6LJwY4EjzthkJ8IPw",
  "e": "AQAB",
  "d": "KT6KTNAEmb5rdTPxvaOC832J0wD5opDBZcQLH8lLX6go0Tv3Rgxz5bKmn-ZMyL1GegadDiXrSYqd0_MUJuMgGWB8_OnP0D3Q4soEO
BIn7DcPt0o9MUxZQsF0DraZzkR02WVRvcIFJucrAEJYAaWYJkjUVbmMb2ltwQwWO21rFHGbpE73nsfr_oAWsZEvKsQZoYm4fh5jVI5-wKyRnK
aN1uqAcNgj75cdywCHBVwgEefEgOPM77CDMH0-JumSirQiBfR35-HWRwHwpm09wI6Aqtvgy5bzxvLDDRgrhX4LCPtUHGrUXNJHRKYiHQX6P6b
IVuBrHV6VFpyS-5weu0w6kQ",
  "p": "0KOEHi7Tu0tyh_FC95V-JYR9Su_0PfbgR5ry13Yg5B4y2wW4dCX6x4B7ZyvW7ydhr1XMISPX04jtadaOUTOY24lVEgkvdbC3Ezxb_
F_N7BMQWZ675UpW_72vuMlvi876-mYg5WWLFUTbzQB1E6Ix0Qjh9j-Hl9fqpeT-BTHX70k",
  "q": "zLEOCwacYw_SnQ8yc8PWtMWy-O0HQnmQajVMujL8CxNPirBfqa76IoDWQmk3CdhX6D8aRN_6NAP28gk7g5H3Xa3f4XADtIHdUfQmC
Q1yX5yG2X4XlJh1u0oW18qoaakClY8x_o5y6lY2xg-rc93TfgMDYFCw_778FzNk1qbvU0c",
  "dp": "aQ890xkPY0vNo2i4qQVtHSVHFjoYSi-LpmL_D8IbM-OFBkcuJ8aMLnOjMEOiGpFBHlJc1P9AifN0YYw54-fQfBP-c3OOo3vV5GjL
hR0VC2BaJlbJFN_HSUZSOwGsGsGiHf7ZZ8onLBGdgPBPBBDzdug7KI27EJoYPWs_AoyjyIk",
  "dq": "PIePE4uc615edbtsu_cJouNjjWDqaKnyHrYsPlOdXNkVCHonj9ICffmDYpgignLLbA5dAkkJgCA8Ak7gnoOnlrg4ID4zmklc3UNJ
jBvB2qw65E35QyPijMPYBXAUZUppTTjPG-ub59ge0msH1Hegdv8FHJJABSDBA0tbYm5zDzk",
  "qi": "Pf9CrVihTIRd79NS-eAFxeW9eUa6AYWQH8yNVNMDzuCek8_tSqpra8B0wTyN-p8yEyIZTIXKE7DETIJ79DR88ZXEEJgMt36BQRTs
h16pd4T7VmxFYgeY0LOHD-bbNaIr1YaxLa6xOdUxuFfxH3w9SSoh5ezBAmBDMgc99T7EQrs"
}
r2048#rsa-oaep-256@a256gcm@jwk.json
RSA encryption object requiring the private key above:
{
  "algorithm": "A256GCM",
  "keyEncryption": {
    "algorithm": "RSA-OAEP-256",
    "publicKey": {
      "kty": "RSA",
      "n": "ptKZyFPStvmOlb0WihOBhlHUr6wFDHC-tW7hJAudfTQ5mHZQpB8PoMz07udZA-dG8dhUIPkmXlp1TgREeYTHdhxhuf0y_Ghbp
Zv5JPYHx3watO-HWO2qYkjRMEcrWhPMdaVkS_Xe_liaMcow4jYoWaFm8VobeYsyVD2bWWdyl4joTEETm1Z47RnnfR15kVhVudVrDzEFmM4nXV
_6dmIg184RJE4httwBFxR8qZCQCwTiJmsoyJxfUR0Gs4ePKc5sB0NTkmFZc5klQSitd67RJn2ldhbqE7EpDl4XlIt-UyLJm1guCBltia8Agke
7dXuhpB7hQ6LJwY4EjzthkJ8IPw",
      "e": "AQAB"
    },
    "encryptedKey": "WZ9L_td3QGpTaJru4gU4WhM73KPTvuE45TW0xG6l3FoUMn8Kysnhcdk69DIe-lDFYwWjNOnxrRCKsZB8DJGIVd30
UFBM3LWRs-6-xAZcEgTvQvQAvBWuNRgaxoCZwgxOsj4vm4YbK-uAH6LpRJ9dcECWOBqLdU3aowmF-MvqYDNEUKCVz6HuTnjFtlpjQ9RUrl21b
v5jp9Rrs5LodoSFbEP6n4P1xv393JAOCutqAnPNcZEHHiXQNWLHpTPQwjCQbomy-qhe9kPBrxiyy_5-_m9ZwUl45XQse20vbswfg-1PTEC0O4
MIfTUVfaYZpIjJu9O0ogADQUiBcYcEIbu7Wg"
  },
  "iv": "0KlTwJYPNkJriOxC",
  "tag": "wchYIlIq8oMR7Qjn7mjCQQ",
  "cipherText": "zh4p9D0y1Tz192ceDeMXW0HjWj4OBQ"
}
r2048#rsa-oaep-256@a256gcm@imp.json
RSA encryption object requiring the same private key as in the previous example but relying on that this being implicitly known since the encryption object neither contains a keyId, nor a publicKey property:
{
  "algorithm": "A256GCM",
  "keyEncryption": {
    "algorithm": "RSA-OAEP-256",
    "encryptedKey": "YMcg5m1cEGbjig_QjdqoZo3GispLrPJ0rkf30fH12HDPHdKZwsS8ZV3nbUKK0iKG5ddLzpGBkgS_MiHZL9h5FbyH
qWnImbFbxSzj2uILXbdyyor6ml0N694ABEWEh1A9WMyUInAOBbESCOFHJNaLoAcq85wt5WyOFIDrnniljcy1GkGHhdESBCfwVpGTsuc5quYa_
GhcyTF4lziYT0p40hXKJWAZPXsLmQG17-TbmFfILprs9kIdQqUOgbqeDC_beUxdd6si00om-7OstdBXPSrHu0Jw0CqYISDq5aZY3CDmshrfOh
yvNdIK5S5d90Yh9pDi814A7KwxUfurHrPiIw"
  },
  "iv": "9ydGtwR1aA69-Myz",
  "tag": "cB-8uVLqU1yGupv6CD-XQQ",
  "cipherText": "3-PcIL5MKqtmuKoFMwUTYaQXXEFAaw"
}
r2048#rsa-oaep@a128gcm@kid.json
RSA encryption object requiring the same private key as in the previous example while using a different set of algorithms both for key encryption and content encryption:
{
  "algorithm": "A128GCM",
  "keyEncryption": {
    "algorithm": "RSA-OAEP",
    "keyId": "example.com:r2048",
    "encryptedKey": "omhHAMEOtunreSExXgEH2LyfgWBlpexBtkZJTXKFplGRysXFDExKrLznLLNDzR6FM-fVD_NUDIhW7G1HNhfUkERo
4PuN-q1hq4EurOs-3cZ2B3S4sAYekqioeqd3YWk0LiFgYDJKmIG-Ux5_d8vF9YjKU3DiKbRL55WS3Ll-Uv8iYFi2lAuxspDOhJKJAbBHMAs2E
ovVB_y1SElU8ZFLDxAvBKAbcpbw5Ux6fbRpJ_pdblBrOGmjuvjQwv5WVp0EpcDKJMO6v0pxKn-e5LOoGw70u23LtK_rCFwGsnE3MG4bKrzpjC
ACM4Vz0XDk0tKBgIv3TpNVAEHNjndTWjg3rA"
  },
  "iv": "KwsWBm2ttLPK3BPM",
  "tag": "gnZjFDksHYqMLeYW5vSSXQ",
  "cipherText": "8QTwAiRNWDoZjXAc2LqL-ELa3ygWrw"
}
p256#ecdh-es+a256kw,r2048#rsa-oaep-256@a128cbc-hs256@mult-kid.json
Multiple recipient encryption object requiring the same private keys as in the previous examples:
{
  "algorithm": "A128CBC-HS256",
  "recipients": [{
    "algorithm": "ECDH-ES+A256KW",
    "keyId": "example.com:p256",
    "ephemeralKey": {
      "kty": "EC",
      "crv": "P-256",
      "x": "eu2XtegyQIEaTsexjI6samB_o4iLk1u7CiW9r6caCJU",
      "y": "g4R56A3zU-xSjeNr699rG5g4lIqboxO3WHbr7Xr37Nw"
    },
    "encryptedKey": "tTcFvNB0i0LjOexAh-bUihzhLmLzzCWoDOR3oRiOxi1CekmViDJjQg"
  },{
    "algorithm": "RSA-OAEP-256",
    "keyId": "example.com:r2048",
    "encryptedKey": "Pskgr7PNGvjeID2cp4IIo78uUssRRwo1sfBu886PECuEkIrJq1-ozc5eeqk7Gw8J4LAXA-gQ2-J4DM3TFC9HxYLe
UcexAzLxxc_sIx0WaOuw3ADQkh9yeSC5h_6yix9iAculopFto5cLcZpSAWBJ-10YdTBTYxVoDKtyUIqVxiPDi_AorznyFIhYLgMvTaeOc27Oc
lhYYoBMiyt2sk3rGuYxRq3g89JDi3vvPvX_CGZFs1acikauoA_xiSx_pE0oRgqF1naP26vM4gSRjZUckRxf-H2lY_EhpwTi6ABOKt6duroWwN
_s9wYIaY1hqLUk-WDsCes6iYmBXYX3fc2KnQ"
  }],
  "iv": "buiFR9fvcZUZfwHMbO35CQ",
  "tag": "TwEWy99fEqAHphTHFdHPlw",
  "cipherText": "SaUieQjCeDqvKXJojPLkhc1rn1qDz8JQkPlGG03RGAE"
}
AES key named "a128bitkey" here provided in hexadecimal notation:
42123a659360163ad88471f8c089913b
a128@a128gcm@kid.json
Encryption object requiring the key above for decryption:
{
  "algorithm": "A128GCM",
  "keyId": "a128bitkey",
  "iv": "KDEeX-4BGokcuL55",
  "tag": "XgM4Xdk0uvScVoKGk1Ok2Q",
  "cipherText": "YUy7d7IV6BJc9QV762rmy0bKtQEJtA"
}
AES key named "a256bitkey" here provided in hexadecimal notation:
7fdd851a3b9d2dafc5f0d00030e22b9343900cd42ede4948568a4a2ee655291a
a256@a128cbc-hs256@kid.json
Encryption object requiring the key above for decryption:
{
  "algorithm": "A128CBC-HS256",
  "keyId": "a256bitkey",
  "iv": "ggcbWwo1vAuIblGfcvF5Gw",
  "tag": "nl3RRpUVDrVva0IrBSvPgQ",
  "cipherText": "GI1ctn2kh25OHGM95C2JYN7YuVh1w1jn3B0KDmoQlEk"
}
AES key here provided in hexadecimal notation:
7fdd851a3b9d2dafc5f0d00030e22b9343900cd42ede4948568a4a2ee655291a
a256@a256gcm@imp.json
Encryption object requiring the implicit key above for decryption:
{
  "algorithm": "A256GCM",
  "iv": "frl1L2w8T6ZOQFMR",
  "tag": "fXRaFyaKDHMMJEmV56hk-g",
  "cipherText": "PV9YYLv6NLStHeJzYH-JuS0KNQP3iw"
}
AES key named "a256bitkey" here provided in hexadecimal notation:
7fdd851a3b9d2dafc5f0d00030e22b9343900cd42ede4948568a4a2ee655291a
a256@a256gcm@kid.json
Encryption object requiring the key above for decryption:
{
  "algorithm": "A256GCM",
  "keyId": "a256bitkey",
  "iv": "MWHC-px5pgzCDksQ",
  "tag": "3KjlaqcQp_9HaFsyuKH4Vg",
  "cipherText": "5eiYIl5xWxyCms4vkvcEJwSuVuLZAA"
}
AES key named "a512bitkey" here provided in hexadecimal notation:
83d26e96b71a5dd767c215f201ef5884fb03dfe5a8ee9612d4e3c942e84d45dfdc5801cb8379958f3af600d68eba1a14e945c90f16556
71f042cea7b34d53236
a512@a256cbc-hs512@kid.json
Encryption object requiring the key above for decryption:
{
  "algorithm": "A256CBC-HS512",
  "keyId": "a512bitkey",
  "iv": "dw0EQT9v8IiVQNzoZFS1NQ",
  "tag": "elNz37drd7xKuO5Qljm3G8xLgcWBoDJqV2kRrV_Lc3g",
  "cipherText": "UG5VKDLyF2nQdmCz3OZVbi_PttCN_qkLfUVQUzEd68c"
}
Appendix B: References
ReferenceDescription
[JSF]A. Rundgren, "JSF - JSON Signature Format", Work in progress, V0.82, October 2020. https://cyberphone.github.io/doc/security/jsf.html
[OPENKEY]"OpenKeyStore Project", https://github.com/cyberphone/openkeystore
[RFC4648]S. Josefsson, "The Base16, Base32, and Base64 Data Encodings", RFC 4648, October 2006. https://tools.ietf.org/html/rfc4648
[RFC5280]D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008. https://tools.ietf.org/html/rfc5280
[RFC7516]M. Jones, J. Hildebrand, "JSON Web Encryption (JWE)", RFC 7516, May 2015. https://tools.ietf.org/html/rfc7516
[RFC7517]M. Jones, "JSON Web Key (JWK)", RFC 7517, May 2015. https://tools.ietf.org/html/rfc7517
[RFC7518]M. Jones, "JSON Web Algorithms (JWA)", RFC 7518, May 2015. https://tools.ietf.org/html/rfc7518
[RFC8037]I. Liusvaara, "CFRG Elliptic Curve Diffie-Hellman (ECDH) and Signatures in JSON Object Signing and Encryption", RFC 8037, January 2017. https://tools.ietf.org/html/rfc8037
[RFC8259]T. Bray, "The JavaScript Object Notation (JSON) Data Interchange Format", RFC 8259, December 2017. https://tools.ietf.org/html/rfc8259
[RFC8785]A. Rundgren, B. Jordan, S. Erdtman, "JCS - JSON Canonicalization Scheme", RFC 8785, June 2020. https://tools.ietf.org/html/rfc8785
Appendix C: Document History
DateVerComment
2016-08-030.3Initial publication in HTML5
2017-04-190.4Changed public keys to use JWK [RFC7517] format
2017-04-250.5Added KW and GCM algorithms
2017-05-150.51Added test vectors and missing RSA-OAEP algorithm
2019-03-150.60Rewritten to use the JSON Canonicalization Scheme [RFC8785]
2020-01-200.61Refactored names
2020-10-100.62Added support for RFC8037 [RFC8037] algorithms
Appendix D: Author
JEF was developed by Anders Rundgren (anders.rundgren.net@gmail.com) as a part of the OpenKeyStore [OPENKEY] project .