JEF
 
JSON Encryption Format
Table of Contents
1. Introduction
2. Sample Object
3. Notation
4. Data Types
5. JEF Objects
Encryption Object
Key Encryption
publicKey
6. Decryption Operation
7. Encryption Operation
8. Security Considerations
Appendix A: Test Vectors
Appendix B: References
Appendix C: Document History
Appendix D: Author
1. Introduction
This document specifies a container formatted in JSON [RFC7159] for holding encrypted binary data, coined JEF (JSON Encryption Format).
JEF is loosely derived from IETF's JWE [RFC7516] specification and supports the same JWA [RFC7518] cryptographic algorithms. Public keys are represented as JWK [RFC7517] objects while the encryption container itself utilizes a notation similar to the JSON Signature Format [JSF] in order to maintain a consistent "style" in applications using encryption and signatures, including providing header information in plain text. The latter was the primary motivation for creating an alternative to JWE.
2. Sample Object
The following sample object is used to visualize the JEF specification:
{
  "algorithm": "A128GCM",
  "encryptedKey": {
    "algorithm": "ECDH-ES+A128KW",
    "keyId": "example.com:p256",
    "ephemeralKey": {
      "kty": "EC",
      "crv": "P-256",
      "x": "B0hv9voXJRhFkcL4J8M6g0evdrKjHjj5FSTXfQDbIb4",
      "y": "XYqQOvUxGSbjuJaxUvow_qDS2iOdKMTPuJ54OCFDo0E"
    },
    "cipherText": "o-zAhqPcqufP19z6G4m41qI_1kVRPZW5"
  },
  "iv": "S3Bt_FPWpNaIH5bc",
  "tag": "QXLRfPjwWFdCoTy-lwAgnw",
  "cipherText": "KsANZ7f9q_HUWXhyrJyNEkZuaBrRYA"
}
The sample object can be decrypted by using the EC private key defined in Test Vectors.
3. Notation
JEF containers always start with a top-level JSON object.
JSON objects are described as tables with associated properties. When a property holds a JSON object this is denoted by a link to the actual definition.
Properties may either be mandatory (M) or optional (O) as defined in the "Req" column.
Array properties are identified by [ ] x-y where the range expression represents the valid number of array elements.
In some JSON objects there is a choice from a set of mutually exclusive alternatives.
This is manifested in object tables like the following:
Property selection 1Type selection 1ReqComment selection 1
Property selection 2Type selection 2Comment selection 2
4. Data Types
The table below shows how the data types used by this specification are mapped into native JSON types:
TypeMappingDescription
stringstringArbitrary string
byte[]stringBase64URL-encoded [RFC4648] binary data
cryptostringBase64URL-encoded positive integer with arbitrary precision. Note that the value must not contain leading zero-valued bytes
object{}JSON object
Note that "Type" refers to the element type for arrays.
5. JEF Objects
The following tables describe the JEF JSON structures in detail.
Encryption Object
PropertyTypeReqComment
"algorithm": "Algorithm"stringMContent encryption algorithm. Currently the following JWE [RFC7516] algorithms are recognized:
  • A128CBC-HS256
  • A192CBC-HS384
  • A256CBC-HS512
  • A128GCM
  • A192GCM
  • A256GCM
JWE counterpart: "enc".
"keyId": "Key Identifier"stringOOptional. Identifies a symmetric content encryption key.
JWE counterpart: "kid".
"encryptedKey": Key EncryptionobjectOptional. Single recipient using an encrypted key.
See also the p256#ecdh-es+a256kw@a128cbc-hs256@jwk.json test vector.
"recipients": [Key Encryption] 1-nobjectOptional. One or more recipients, each having a unique encrypted key.
See also the p256#ecdh-es+a256kw,r2048#rsa-oaep-256@a128cbc-hs256@mult-kid.json test vector.
JWE counterpart: "recipients".
"extensions": ["Property List"] 1-nstringOOptional. Array holding the names of one or more application specific extension properties featured in the Key Encryption objects (or in the top level object if there are no "recipients" or "encryptedKey" elements).
Extension names must not be duplicated or use any of the JEF reserved words "algorithm", "certificatePath", "cipherText", "encryptedKey", "ephemeralKey", "extensions", "iv", "keyId", "publicKey", "recipients" or "tag".
Extensions intended for public consumption are preferably expressed as URIs (unless registered with IANA), while private schemes are free using any valid property name.
A conforming JEF implementation must reject encryption objects listing properties that are not found as well as empty "extensions" objects. Receivers are recommended introducing additional constraints like only accepting predefined extensions.
See also the p256#ecdh-es+a256kw@a256gcm@exts-jwk.json test vector.
JWE counterpart: "crit".
"iv": "iv"byte[]MInitialization vector.
JWE counterpart: "iv".
"tag": "tag"byte[]MAuthentication tag.
JWE counterpart: "tag".
"cipherText": "cipherText"byte[]MEncrypted data.
JWE counterpart: "chiphertext".
Note that if neither keyId nor encryptedKey nor recipients are defined, the (symmetric) content encryption key is assumed to known by the recipient.
Key Encryption
PropertyTypeReqComment
"algorithm": "Algorithm"stringOKey encryption algorithm. Currently the following JWE [RFC7516] algorithms are recognized:JWE counterpart: "alg".
"keyId": "Key Identifier"stringOIf the keyId property is defined, it is supposed to identify the public key associated with the encrypted (or derived) key.
JWE counterpart: "kid".
"publicKey": publicKeyobjectOOptional. Public key associated with the encrypted (or derived) key.
See also the p256#ecdh-es+a256kw@a128cbc-hs256@jwk.json test vector.
JWE counterpart: "jwk".
"certificatePath": ["Certificate Path"] 1-nbyte[]Optional. Sorted array of X.509 [RFC5280] certificates, where the first element must contain the encryption certificate. The certificate path must be contiguous but is not required to be complete.
See also the p256#ecdh-es+a256kw@a128cbc-hs256@cer.json test vector.
JWE counterpart: "x5c".
Additional ECDH Properties
"ephemeralKey": publicKeyobjectMEphemeral EC public key.
JWE counterpart: "epk".
Additional ECDH+KW Properties
"ephemeralKey": publicKeyobjectMEphemeral EC public key.
JWE counterpart: "epk".
"cipherText": "cipherText"byte[]MEncrypted content encryption key.
JWE counterpart: "encrypted_key".
Additional RSA Encryption Properties
"cipherText": "cipherText"byte[]MEncrypted content encryption key.
JWE counterpart: "encrypted_key".
Note that if neither keyId nor publicKey nor certificatePath are defined, the associated public key is assumed to be known by the recipient.
publicKey
PropertyTypeReqComment
"kty": "Key Type"stringMKey type indicator. Currently the following types are recognized:
Additional EC Properties
"crv": "Curve Name"stringMEC curve name. The currently recognized EC curves include:
  • P-256
  • P-384
  • P-521
Note: If proprietary curve names are added, they must be expressed as URIs.
"x": "Coordinate"byte[]MEC curve point X. The length of this field must be the full size of a coordinate for the curve specified in the "crv" parameter. For example, if the value of "crv" is "P-521", the decoded argument must be 66 bytes.
"y": "Coordinate"byte[]MEC curve point Y. The length of this field must be the full size of a coordinate for the curve specified in the "crv" parameter. For example, if the value of "crv" is "P-256", the decoded argument must be 32 bytes.
Additional RSA Properties
"n": "Modulus"cryptoMRSA modulus. See also the crypto data type.
"e": "Exponent"cryptoMRSA exponent. See also the crypto data type.
This object represents a true subset of JWK [RFC7517].
6. Decryption Operation
JEF implementors are presumed to be familiar with JWE [RFC7516].
Prerequisite: A JSON object in accordance with [RFC7159] containing properly formatted JEF data.
Note that there must not be any not here defined properties inside of a JEF object and that the use of JCS [JCS] implies certain constraints on the JSON data.
Since JEF uses the same algorithms as JWE, the JWA [RFC7518] reference apply with one important exception: the Additional Authenticated Data used by the symmetric ciphers. This difference is due to the way encryption meta data is formatted. For recreating the Additional Authenticated Data the following steps must be performed:
  1. Delete the top level properties "iv", "tag" and "cipherText" from the JEF object.
  2. Retrieve the Additional Authenticated Data by running the JCS [JCS] canonicalization method over the remaining JEF object.
Applied on the Sample Object, a conforming JEF Additional Authenticated Data process should return the following JSON string:
{"algorithm":"A128GCM","encryptedKey":{"algorithm":"ECDH-ES+A128KW","cipherText":"o-zAhqPcqufP19z6G4
m41qI_1kVRPZW5","ephemeralKey":{"crv":"P-256","kty":"EC","x":"B0hv9voXJRhFkcL4J8M6g0evdrKjHjj5FSTXfQ
DbIb4","y":"XYqQOvUxGSbjuJaxUvow_qDS2iOdKMTPuJ54OCFDo0E"},"keyId":"example.com:p256"}}
Note that the output string was folded for improving readability.
The Additional Authenticated Data string is subsequently UTF-8 encoded before being applied to the decryption algorithm.
7. Encryption Operation
Encryption is analogous to decryption but requires adding the "iv", "tag" and "cipherText" properties after the creation of the Additional Authenticated Data.
8. Security Considerations
This specification does (to the author's knowledge), not introduce additional vulnerabilities over what is specified for JWE [RFC7516].
Appendix A: Test Vectors
This section holds test data which can be used to verify the correctness of a JEF implementation.
All encryption tests encrypt the string below (after first having converted it to UTF-8):
"Hello encrypted world!"
p256privatekey.jwk
The Sample Object (available in file p256#ecdh-es+a128kw@a128gcm@kid.json), can be decrypted by the following EC private key, here expressed in the JWK [RFC7517] format:
{
  "kid": "example.com:p256",
  "kty": "EC",
  "crv": "P-256",
  "x": "censDzcMEkgiePz6DXB7cDuwFemshAFR90UNVQFCg8Q",
  "y": "xq8rze6ewG0-eVcSF72J77gKiD0IHnzpwHaU7t6nVeY",
  "d": "nEsftLbi5u9pI8B0-drEjIuJzQgZie3yeqUR3BwWDl4"
}
p256#ecdh-es+a256kw@a128cbc-hs256@kid.json
ECDH encryption object requiring the same private key as in the sample object while using a different set of algorithms both for key encryption and content encryption. The public key is specified through a keyId:
{
  "algorithm": "A128CBC-HS256",
  "encryptedKey": {
    "algorithm": "ECDH-ES+A256KW",
    "keyId": "example.com:p256",
    "ephemeralKey": {
      "kty": "EC",
      "crv": "P-256",
      "x": "SrOwqwDx4ExjaOhSUe7D0I-rj17ea8ywS_ZcZcjRtj4",
      "y": "oRlmznfT3p4sKcEOgVF58p8lAwfihq7VmX3Z4NQgmes"
    },
    "cipherText": "uh6vErPPJIVzmYjnSQsI7ZfFE13nrNdhNBACLYyBDvZCN6VYBB7ufA"
  },
  "iv": "8w9GZ7ffawvUWTmN9vY7Uw",
  "tag": "P9Hvz7WPXYu8H9NLDrP09w",
  "cipherText": "C2olP8d8pjKTnPdqPQ9e6-pScXxrJ_cYjE7eWV80_JI"
}
p256#ecdh-es+a256kw@a128cbc-hs256@jwk.json
ECDH encryption object requiring the same private key as in the sample object while providing the public key information in line:
{
  "algorithm": "A128CBC-HS256",
  "encryptedKey": {
    "algorithm": "ECDH-ES+A256KW",
    "publicKey": {
      "kty": "EC",
      "crv": "P-256",
      "x": "censDzcMEkgiePz6DXB7cDuwFemshAFR90UNVQFCg8Q",
      "y": "xq8rze6ewG0-eVcSF72J77gKiD0IHnzpwHaU7t6nVeY"
    },
    "ephemeralKey": {
      "kty": "EC",
      "crv": "P-256",
      "x": "uaskeuHyvExAAianGSVjAAhC8ss7_-kBRptWh5NFKvE",
      "y": "elAbcn77sxMolkiB41uXEapf0qmjcuCIIApEe0M_8wA"
    },
    "cipherText": "2FxqB86T83jwN5PwMvDHJ2sBkKIOam7sbSbEFoJTXYpwFzRQL-ggSg"
  },
  "iv": "0G7npSYoDI8Q7Z9W1uMSqw",
  "tag": "vYoEVfYfpI3jET6HG-o8fQ",
  "cipherText": "KJ-mz3DegGO18kkneiYkUWXFAlVGCNhBoOe0kUf3vfQ"
}
p256#ecdh-es+a128kw@a128gcm@imp.json
ECDH encryption object requiring the same private key as in the sample object but assuming it is known through the context:
{
  "algorithm": "A128GCM",
  "encryptedKey": {
    "algorithm": "ECDH-ES+A128KW",
    "ephemeralKey": {
      "kty": "EC",
      "crv": "P-256",
      "x": "OsHoqrizMkFTFnd_UbNPmfYfKUjOuCnvqxEl2fT2-QE",
      "y": "dlTbQed_K09U6gTZjK4weR3dA-GrjRkip3FkEseTCxI"
    },
    "cipherText": "7xzTIQyuk5sSToZd7y38Jic5UN1i_B5Q"
  },
  "iv": "UH4lZNacrCVLXWvv",
  "tag": "p_X4ABkJIa74qodimlmvfg",
  "cipherText": "aGUsIJnyF6G7HFK4AW8mC8SnluarNw"
}
p256#ecdh-es+a256kw@a128cbc-hs256@cer.json
ECDH encryption object requiring the same private key as in the sample object while providing the key information through an in-line certificate path:
{
  "algorithm": "A128CBC-HS256",
  "encryptedKey": {
    "algorithm": "ECDH-ES+A256KW",
    "certificatePath": [
      "MIIB-TCCAVigAwIBAgIGAWFcc4YkMAwGCCqGSM49BAMEBQAwLTELMAkGA1UEBhMCRVUxHjAcBgNVBAMTFVRydXN0IE5ldHdvcmsgU3
ViIENBMzAeFw0xODAxMDEwMDAwMDBaFw0yMjEyMzEyMzU5NTlaMDIxCzAJBgNVBAYTAkZSMQ0wCwYDVQQFEwQ0NTAxMRQwEgYDVQQDEwtleGF
tcGxlLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHHp7A83DBJIInj8-g1we3A7sBXprIQBUfdFDVUBQoPExq8rze6ewG0-eVcSF72J
77gKiD0IHnzpwHaU7t6nVeajXTBbMAkGA1UdEwQCMAAwDgYDVR0PAQH_BAQDAgP4MB0GA1UdDgQWBBQQyJ9rXSIskoUuA946von62LoxqzAfB
gNVHSMEGDAWgBTUWrS54qC2NgG3UK6rVAr0gbQ0MTAMBggqhkjOPQQDBAUAA4GMADCBiAJCAaWoVQ0r6jFjhO5e0WJTgyMmA8BhpO1t7gXQ6x
oKGso9jCOYf9OG9BFfZoVmdIyfYiwkhy1ld27tiOJ5X4m6WasRAkIBpEkUDf8irbSZ1V7zXALaR2mJTjKQV_5jRHsiBQWA-5DxEa-x_zJVRz8
tpp-jjT2tSCU82bwUOBLu6te1YIDpWCA",
      "MIIDsTCCAZmgAwIBAgIBAzANBgkqhkiG9w0BAQ0FADAuMQswCQYDVQQGEwJVUzEfMB0GA1UEAxMWVHJ1c3QgTmV0d29yayBSb290IE
NBMTAeFw0xNjA3MTAxMDAwMDBaFw0yNTA3MTAwOTU5NTlaMC0xCzAJBgNVBAYTAkVVMR4wHAYDVQQDExVUcnVzdCBOZXR3b3JrIFN1YiBDQTM
wgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAGJzPZsjniwyZeXrgrlQM3Y13r3znR8FSQpKbC2bplrOWySQJPGm-GFObe5Dk4t3Jrtk_Pbs8-3
VW_4q5drL0YqYwBYNJPhqjbSM6SGHrc6wNdPZRw_WnJVa0ELXKICC73lkjskWPfE-cLpZ3sTq1ovEmoNjgaySVRUH1wFDdkqyReJaKNjMGEwD
wYDVR0TAQH_BAUwAwEB_zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFNRatLnioLY2AbdQrqtUCvSBtDQxMB8GA1UdIwQYMBaAFEkmC1HDAh
0fXehpiUhUGE868Hk2MA0GCSqGSIb3DQEBDQUAA4ICAQAs2KADYyGQCVy8tJZWakNtGdww4OumZpBuR66p_2xK7veRubQEhG-nJn7oVkJ4w5p
Eec3sYQEqtPbHyZcEKEYbOJ2cVf1nMH-DvFZ6ypQocGRp3WSWsTzL3SgqiWrQdPX1Y5dO6Hvx7p9ST9H2WgkxB-Q75Jov1gVF3bScAbxb7Mw7
tf5z3Cvqmfo0Gatkgzz6-jDPrtUK7AAAOw3C0kHMbE3EnNarsfhBkUerE8QVmHIvz373mWt0SnguaHq0A9ZuSia_pF7bgfVRZi2ZzIzpu2O27
6sB2Yji9tcSn5l21jq63rXtvY_DLAi4kaLyf9sHT_tkH-gkTdkdkfQq8sA5ysRW21wPQbmjTIVwsfY4JjajVIUitjPbkUJqURpf2VD0JXdYQH
S6KVPWqHWTlKPlsKbhw4ghuLqCMYda88L9rxWnSC5L8s0DJSuBBm-nq23NtHl5FbCzeXWcKRayIgimT-An1WIOeJP4F7-BctYLIooKoQzJZR1
tOWvprUs22_xAivVBz7J_LmJyVlKesB2ic8qYdt7YVoCsWrnEUgoNoJPwLHeva8KPvd0gLXrwaMyTCCjeoemXFj6nCbbMHJeVffh6jYBAzlbc
AEvTiZcdzrVVr54kOtWskyaeDnAcMXW4Of1vWdUJ2as5nyfletfTp4E6A9P2dZ5g7nMoL90yIw"
    ],
    "ephemeralKey": {
      "kty": "EC",
      "crv": "P-256",
      "x": "FJ2oSyQP9ERJYruHZP7__nRJ9GzCsIKYifWtYSDM2Nk",
      "y": "ZAfA-gJRgirYe3T5x6T1h5T4aVIpW5j27gj3PCEY3G4"
    },
    "cipherText": "Rh0xX2sBAjctr4j0UTMkUzzO3M3Yc05h8759l-xo6EtycCsXYo573w"
  },
  "iv": "xQ18RNWYuuZuJWlzUEanwg",
  "tag": "IDoQGOBaLkCELfvf9ZyNqA",
  "cipherText": "ELSwv7VjWltuQ5dpATbEC8Ihpw671ApBRfuLc2GEsds"
}
p256#ecdh-es+a256kw@a256gcm@exts-jwk.json
ECDH encryption object requiring the same private key as in the sample object while providing the key information in line. In addition, this object declares extensions:
{
  "algorithm": "A256GCM",
  "encryptedKey": {
    "algorithm": "ECDH-ES+A256KW",
    "publicKey": {
      "kty": "EC",
      "crv": "P-256",
      "x": "censDzcMEkgiePz6DXB7cDuwFemshAFR90UNVQFCg8Q",
      "y": "xq8rze6ewG0-eVcSF72J77gKiD0IHnzpwHaU7t6nVeY"
    },
    "ephemeralKey": {
      "kty": "EC",
      "crv": "P-256",
      "x": "NO6Xg6rEfFZzadVgauvxRQXCHhyUwOinJl0gBt_aYZE",
      "y": "GTP_nNFa7H7fa3pDS0PQxUc4CgQnvOtNnGIwZ74xGk8"
    },
    "cipherText": "McqRBA_Foh1gQox6M4W1I7VULCx97rLtkJ6y2J9dTppluh_VB_MdrQ",
    "otherExt": "something",
    "https://example.com/extension": {
      "life-is-great": true
    }
  },
  "extensions": ["otherExt", "https://example.com/extension"],
  "iv": "bfuCN5E1X2I8kS9Y",
  "tag": "W5rAw4SXoRzLjbJOwrjI5w",
  "cipherText": "tsgolxhAA8llep3ZUXavlQkN7aZI7w"
}
p384privatekey.jwk
EC private key for decrypting the subsequent object:
{
  "kid": "example.com:p384",
  "kty": "EC",
  "crv": "P-384",
  "x": "GLfdsvEwphRzS_twup7UFPVOk7_CKgHZ7dt_fJ2QHPBdJa1c5pfJcRIWTfT0lpg9",
  "y": "ovA5_QXmFbj9U4pjZ1AX_ZdVyIRZUBWW9cuZda_tupKfWQfmcQHzDmHGHbxl9Xxl",
  "d": "Qsgq80kMs40sAn1gB7gLxAk1se37Kmh9AG18wWZ3SqgcPPRq1wwidNTi866Gt4_0"
}
p384#ecdh-es@a256cbc-hs512@jwk.json
ECDH encryption object requiring the private key above:
{
  "algorithm": "A256CBC-HS512",
  "encryptedKey": {
    "algorithm": "ECDH-ES",
    "publicKey": {
      "kty": "EC",
      "crv": "P-384",
      "x": "GLfdsvEwphRzS_twup7UFPVOk7_CKgHZ7dt_fJ2QHPBdJa1c5pfJcRIWTfT0lpg9",
      "y": "ovA5_QXmFbj9U4pjZ1AX_ZdVyIRZUBWW9cuZda_tupKfWQfmcQHzDmHGHbxl9Xxl"
    },
    "ephemeralKey": {
      "kty": "EC",
      "crv": "P-384",
      "x": "S8juGu9yNokkL3GIXpbYjsMDUKEc5G0lqze9VPRcxnOcgeogyq9AqlZEYrbvjPmb",
      "y": "Uw7zt0dO1uvLXgrcHotaVQplTHEc_woRVt41f52U4f7S6TgVc6bQvrXsEHWtarH4"
    }
  },
  "iv": "dLzj1Hx31rMOrzEJXhs5iQ",
  "tag": "J49c9spnGviE2qGqQwbQZWmFGTWc0IDv_YSRuBinS9U",
  "cipherText": "RYCsuTOOhUpVABf8G7gATheW9VGfHjM5DeWJiyfQhGs"
}
p521privatekey.jwk
EC private key for decrypting the subsequent object:
{
  "kid": "example.com:p521",
  "kty": "EC",
  "crv": "P-521",
  "x": "AT9Hw32aVQCGd5csltC1dqhSB4fFt-mEWO-QxZqrr9Yrwn69_q7n1YOYrHSWjk_qMkCGk6qQ4f9ZRYIJPGqjfxC9",
  "y": "AeVHV1elHFzR_P5Lzb22hMyhAzcGSTT1sdwVmFkJGBYt55RKXGNO1H9De2v_p5S-kkK8BZVh3JGzixMyT0Eo_ckS",
  "d": "AYSlWWbGUougMnE2r7pRkiHZfXBgUzaVTuWfE0X7PDYodsVXVzRiz4KMgfs5Xowwk2roUsbJV7wdyZ83qMrQM1Fv"
}
p521#ecdh-es+a256kw@a128cbc-hs256@jwk.json
ECDH encryption object requiring the private key above:
{
  "algorithm": "A128CBC-HS256",
  "encryptedKey": {
    "algorithm": "ECDH-ES+A256KW",
    "publicKey": {
      "kty": "EC",
      "crv": "P-521",
      "x": "AT9Hw32aVQCGd5csltC1dqhSB4fFt-mEWO-QxZqrr9Yrwn69_q7n1YOYrHSWjk_qMkCGk6qQ4f9ZRYIJPGqjfxC9",
      "y": "AeVHV1elHFzR_P5Lzb22hMyhAzcGSTT1sdwVmFkJGBYt55RKXGNO1H9De2v_p5S-kkK8BZVh3JGzixMyT0Eo_ckS"
    },
    "ephemeralKey": {
      "kty": "EC",
      "crv": "P-521",
      "x": "AKVrK4mMQOQjGSAWrXbs5rkufLa4fkU-lVP9OtFxZ2foRp49DiVGQOCKxY4tajRYgwY1fSDg3SOa3FuxBmEuAvpD",
      "y": "AHYEaq1uhKsxnFdS7yLiM4VsrIyiA8MJnverrZ0XdaNETnv2zzqfIbnkuJu7Z0rYDtsnDn2MtFDOYEuwgM91eMcU"
    },
    "cipherText": "IkEEEsCBM5ttuqPWzRUSYYCbZ22jxsewWZQJ6D9ZdqfDbh1SXpt2eQ"
  },
  "iv": "E03uGCuNEpI6nCqeQVxMkQ",
  "tag": "oF7fLTiPTUN3WMOa5hz_Pw",
  "cipherText": "Eb2Vk1x82X6K2GKvKJJgyYLtL8kTecsNIsPgEUnAaEg"
}
r2048privatekey.jwk
RSA private key for decrypting the subsequent object:
{
  "kid": "example.com:r2048",
  "kty": "RSA",
  "n": "hFWEXArvaZEpSP5qNX7x4C4Hl28GJQTNvnDwkfqiWs63kXbdyPeS06bz6GnY3tfQ_093nGauWsimqKBmGAGMPtsV83Qxw1OIeO4uj
bIIb9pema0qtVqs0MWlHxklZGFkYfAmbuEUFxYDeLDHe0bkkXbSlB7_t8pCSvc8HLgHjEQjYOlFRwjR0D-uLo-xgsCbpmCtYkB5lcT_zFgpRg
Y4zJNLSv7GZiz2S4Fc5ArGjd34lL47-L8bozuYjqNOv9sqX0Zgll5XaJ1ndvr7UqZu1xQFgm38reoM3IarBP_SkEFbt_v9iak602VO3k28fQh
MaocP7JWR2YLT3kZM0-WTFw",
  "e": "AQAB",
  "d": "Q6iBYpnIrB2mkQZagP1lZuvBv9_osVaSZpLRvKD7DxhvbDTs0coaTJIoVCSB1_VZip8zlUg-TnYWF1Liv9VSwfQ7ddxrcOUtej60m
Id0ntNz2HhbxJsWjiru8EZoArl0nEovLDNxlRgRMEyZwOKPC_xHT6nFrk7_s9pR5pEEcubGLAVBKnLCoPdLr-CBjCvWfJo73W5AZxoSb8MdWQ
Oi5viXHURpr1Y_uBRsMuclovM56Vt05etMsB1AbcTLUDwAuYrZWa1c08ql60ft7b3v6Q_rCL7EHtFU3PHAuP0mV7tM5BfAPf4T0g9pbr4GOw7
eqQCiYgPFE7gmCR_PDxv5YQ",
  "p": "6DIM343hAtj1hQprJaVQ3T8YeIytIQ7Ma544C0A8BX-irjJfARy4fAlTSyBFeauZ0WdbMGtKpAIgNVmfCfuP7W1bXw7UaxpqsQlbw
54K1VtBs8xG-lee_2YQ3lUlIiC1at6L0jxWYNkvp-LIfU2F5ZQir5ZWVXwgdMcgoNBABMc",
  "q": "keacq0goV7pAtG2h33OAk-XOSclIF1agvEMMOKuud5V-vGQ6OaYldlYqZmSGgF7RVlX0GZO70nPqatjd2G-tI8wEq5K_xmLQurUPF
W8g___z0CTgJ62KbjFxCtGny5rsObX9im6cCc_EOtWZRaApzO8ykxfo1QcEjT4k1na7DzE",
  "dp": "nPmJPnFal2Q5x_GdMlwq6QhI8OaZ_OlWRcM3PFP2v_jj8ERZehUCm8hqKTXuAi2C1dC8E2XVlj9hqu-l10fcq7Tsurz52laHnpwn
D35-8HK7XmRR79jgwuUrrkN90S6vt0ow2La15s-tqiBlTmDkjqqxMGfAghZiktA0PMPNI-0",
  "dq": "D3c1lkZw2FPK9hVE-m3A7GyIwHOQq8CoCyzER-GS_eQf6hJpxaCiCfg6SF5Rj5v9brxvwqJRX46gA7F3WrED1m6S9Cj7ISlqXNBC
iBAenGRiUOcHx8zyhpnBFNeChOeoMLnk5V6yNawLbf0kYSgIJkwYvVTkfmhfCCXVO9KcI5E",
  "qi": "wV0NzfCakfog1NFjtPzcga1MtkpizgPkxcP9LjNdvXW2YQZhM6GIEGjsu3ivTrHrrM-4_bTQHOoTtfIY7wdqBKlwQTJOI0dH9FbN
J4ecGojRwgv83TN8aNKh17Tt44jI5oibs2P-31B_VW9R1wwhnnOuCYpABfoSbtHIoCRme5I"
}
r2048#rsa-oaep-256@a256gcm@jwk.json
RSA encryption object requiring the private key above:
{
  "algorithm": "A256GCM",
  "encryptedKey": {
    "algorithm": "RSA-OAEP-256",
    "publicKey": {
      "kty": "RSA",
      "n": "hFWEXArvaZEpSP5qNX7x4C4Hl28GJQTNvnDwkfqiWs63kXbdyPeS06bz6GnY3tfQ_093nGauWsimqKBmGAGMPtsV83Qxw1OIe
O4ujbIIb9pema0qtVqs0MWlHxklZGFkYfAmbuEUFxYDeLDHe0bkkXbSlB7_t8pCSvc8HLgHjEQjYOlFRwjR0D-uLo-xgsCbpmCtYkB5lcT_zF
gpRgY4zJNLSv7GZiz2S4Fc5ArGjd34lL47-L8bozuYjqNOv9sqX0Zgll5XaJ1ndvr7UqZu1xQFgm38reoM3IarBP_SkEFbt_v9iak602VO3k2
8fQhMaocP7JWR2YLT3kZM0-WTFw",
      "e": "AQAB"
    },
    "cipherText": "SGxo4qySRu9TKUYedCCULQ6uKbvSzzDC0otslZl2muzrFhfeZmTNXBX1lvgnp0p_RBQ8mOnu-0DRcdyLdZpIE_Rp7g
4ciN4KFTHUwor3OfoU10D-XgXA8H8BG9GJhbZAdkY7oL_MqdtRBcQpB3btehSRWC-pVYeO2hlF52C6QKMxr4j7Yo1wamzsKmC7VjcHWSgTVAW
7YEojI0UWz-6X7yOxEvQoVORJabg7PbcNTq5Dan8AxIX-mGNaOwa2xOW8i353FSa9zsIVnZx5PdOh6FQeGbSxXFbKlGLUvg9Y0PO1cJNgT5YA
NabSNJvXfT5pRGQ-9CD0X7xw4zQSo0xaoQ"
  },
  "iv": "ztNJfef64tiZPtQr",
  "tag": "Fj2KhIxyVDPmIRmZpXTQvA",
  "cipherText": "HdbV6GmfRelLh0lWJuXIUhCm51Fm3Q"
}
r2048#rsa-oaep-256@a256gcm@imp.json
RSA encryption object requiring the same private key as in the previous example but relying on that this being implicitly known since the encryption object neither contains a keyId, nor a publicKey property:
{
  "algorithm": "A256GCM",
  "encryptedKey": {
    "algorithm": "RSA-OAEP-256",
    "cipherText": "Lpnkl27uLhIBMGnawCBiPokS6X8l-WHJ75Ew_lIdaWXcNG03kZ-VATK20BoKlp_kgWkAjFRNosC21jbveJjJnRutwM
ZV52_rhRZGnVnP4plVFoHxa94CHC_KOJTdnFzfMFhEJpFBu9ZNiShwIJR6sw29ClpdNVkT9XFF01uSEnCwRX5-ih2GsuyESlYS8yLPETn1Udy
7RsqtZMDDiMBHvHTRR4bzr9GLe_8E-bq85jVlMPghGF9CUZDXbXhdpJC0Q22isQT9LKYmNV7xa45LsVFicR2jJVlJ6czcr9j0eqUBdSAWNQ1g
w5airU_HTiHmDgddOkQZ_cR8Dbbw5Xcz-w"
  },
  "iv": "QrxSbpIg1Z6_JaTy",
  "tag": "VDilm7Nef24zKHf8iliaKw",
  "cipherText": "jgy0mGLFPhJPCy1AC3xb4Q0w8mBMfA"
}
r2048#rsa-oaep@a128gcm@kid.json
RSA encryption object requiring the same private key as in the previous example while using a different set of algorithms both for key encryption and content encryption:
{
  "algorithm": "A128GCM",
  "encryptedKey": {
    "algorithm": "RSA-OAEP",
    "keyId": "example.com:r2048",
    "cipherText": "gGdSQ29bQKmpdrIuQNkBrMyu76ByJdQ2TsamrpA_YZr22CujgP5LpMcAPk4Lj_iADKZILpwJyB8qJN3ndo2mdpFfxK
LC1iTJ4KDUT0EaTSA9NeFmfyarOHVYb0_QeTqnydKCZ8nBWtdWgbJ1q9P5Mznz1xJbgdkBz7nhpGQCNTGayg4-EZvxFvajLQmV6D4BiNt1PU2
EHaYsfdpo_pTIflK-KJ-tbVPW9xon7Cejzew4xnJOnjqJggY_R1ZImcIqt6Ndxzu1R2I9S9fC2E117suU1GFUcaU5irdj-XFR00DD6UwQs9YV
cAFrWun4RPtAkHACiRGDztoYhai8Q5vD8A"
  },
  "iv": "usuqNsx-ha5wDKkf",
  "tag": "7pewl80M88X1XbZVO8GqiQ",
  "cipherText": "vprnCldhl8-U_wKSRy5BzUu_iNKyCQ"
}
p256#ecdh-es+a256kw,r2048#rsa-oaep-256@a128cbc-hs256@mult-kid.json
Multiple recipient encryption object requiring the same private keys as in the previous examples:
{
  "algorithm": "A128CBC-HS256",
  "recipients": [{
    "algorithm": "ECDH-ES+A256KW",
    "keyId": "example.com:p256",
    "ephemeralKey": {
      "kty": "EC",
      "crv": "P-256",
      "x": "QjM14ToSlG9yRoFTmva5mlGoNqtgU_mAdT8VeCCwoEU",
      "y": "eoagbdiG51dwYQjEWZApRTMxm_BW-istJjlZwzjDgjs"
    },
    "cipherText": "n3xNxHfRuPpQT1TyIJ_b90Q_9bwWHS9XFPkA2CZLuYcaq6kruc4b4Q"
  },{
    "algorithm": "RSA-OAEP-256",
    "keyId": "example.com:r2048",
    "cipherText": "QYpxcVXqQ5CCfQFpDavba0WoxMuxij_XqJOTMWUzf_eGrAFcwCZjOwsyTmxjHjwOzkl72S0jcXif49zeQAa0pzFeMW
dlflhWdHDlPTyCgSFRzqJ-qlRGTK9TIRtqA8ZHAztvkHFefpYgJpjikezO5UyamPH-y0pFL8oL8E3vPPiTy995gmQ6LlgS1cSohl_TebUXNwb
4-NW6p0qtv0kzQRWCCuNCTdHjWzoXVKmOWQj9Ot_atweOw8-p5N7KuSaOmsJe6ozUOTLQ6edHMfA8-btbI3A0TN_exLqnHvEXMfMVgFDzASg1
X15A95LqrX6dC0GwAl_oPKPgkVb2Wmobyg"
  }],
  "iv": "2d1qvkCVma12lJ1WvHALqA",
  "tag": "vB8btn5byzUpbmRi0NlotQ",
  "cipherText": "uVBMYgay4t4Eksl6I7Pj4G2ltehkn437eNBdK10Y4mk"
}
AES key named "a128bitkey" here provided in hexadecimal notation:
42123a659360163ad88471f8c089913b
a128@a128gcm@kid.json
Encryption object requiring the key above for decryption:
{
  "algorithm": "A128GCM",
  "keyId": "a128bitkey",
  "iv": "KDEeX-4BGokcuL55",
  "tag": "XgM4Xdk0uvScVoKGk1Ok2Q",
  "cipherText": "YUy7d7IV6BJc9QV762rmy0bKtQEJtA"
}
AES key named "a256bitkey" here provided in hexadecimal notation:
7fdd851a3b9d2dafc5f0d00030e22b9343900cd42ede4948568a4a2ee655291a
a256@a128cbc-hs256@kid.json
Encryption object requiring the key above for decryption:
{
  "algorithm": "A128CBC-HS256",
  "keyId": "a256bitkey",
  "iv": "ggcbWwo1vAuIblGfcvF5Gw",
  "tag": "nl3RRpUVDrVva0IrBSvPgQ",
  "cipherText": "GI1ctn2kh25OHGM95C2JYN7YuVh1w1jn3B0KDmoQlEk"
}
AES key here provided in hexadecimal notation:
7fdd851a3b9d2dafc5f0d00030e22b9343900cd42ede4948568a4a2ee655291a
a256@a256gcm@imp.json
Encryption object requiring the implicit key above for decryption:
{
  "algorithm": "A256GCM",
  "iv": "frl1L2w8T6ZOQFMR",
  "tag": "fXRaFyaKDHMMJEmV56hk-g",
  "cipherText": "PV9YYLv6NLStHeJzYH-JuS0KNQP3iw"
}
AES key named "a256bitkey" here provided in hexadecimal notation:
7fdd851a3b9d2dafc5f0d00030e22b9343900cd42ede4948568a4a2ee655291a
a256@a256gcm@kid.json
Encryption object requiring the key above for decryption:
{
  "algorithm": "A256GCM",
  "keyId": "a256bitkey",
  "iv": "MWHC-px5pgzCDksQ",
  "tag": "3KjlaqcQp_9HaFsyuKH4Vg",
  "cipherText": "5eiYIl5xWxyCms4vkvcEJwSuVuLZAA"
}
AES key named "a512bitkey" here provided in hexadecimal notation:
83d26e96b71a5dd767c215f201ef5884fb03dfe5a8ee9612d4e3c942e84d45dfdc5801cb8379958f3af600d68eba1a14e945c90f16556
71f042cea7b34d53236
a512@a256cbc-hs512@kid.json
Encryption object requiring the key above for decryption:
{
  "algorithm": "A256CBC-HS512",
  "keyId": "a512bitkey",
  "iv": "dw0EQT9v8IiVQNzoZFS1NQ",
  "tag": "elNz37drd7xKuO5Qljm3G8xLgcWBoDJqV2kRrV_Lc3g",
  "cipherText": "UG5VKDLyF2nQdmCz3OZVbi_PttCN_qkLfUVQUzEd68c"
}
Appendix B: References
ReferenceDescription
[JCS]A. Rundgren, B. Jordan, S. Erdtman, "JCS - JSON Canonicalization Scheme", Work in progress, September 2019. https://tools.ietf.org/html/draft-rundgren-json-canonicalization-scheme-13
[JSF]A. Rundgren, "JSF - JSON Signature Format", Work in progress, V0.81, October 2019. https://cyberphone.github.io/doc/security/jsf.html
[OPENKEY]"OpenKeyStore Project", https://github.com/cyberphone/openkeystore
[RFC4648]S. Josefsson, "The Base16, Base32, and Base64 Data Encodings", RFC 4648, October 2006. https://tools.ietf.org/html/rfc4648
[RFC5280]D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008. https://tools.ietf.org/html/rfc5280
[RFC7159]T. Bray, "The JavaScript Object Notation (JSON) Data Interchange Format", RFC 7159, March 2014. https://tools.ietf.org/html/rfc7159
[RFC7516]M. Jones, J. Hildebrand, "JSON Web Encryption (JWE)", RFC 7516, May 2015. https://tools.ietf.org/html/rfc7516
[RFC7517]M. Jones, "JSON Web Key (JWK)", RFC 7517, May 2015. https://tools.ietf.org/html/rfc7517
[RFC7518]M. Jones, "JSON Web Algorithms (JWA)", RFC 7518, May 2015. https://tools.ietf.org/html/rfc7518
Appendix C: Document History
DateVerComment
2016-08-030.3Initial publication in HTML5
2017-04-190.4Changed public keys to use JWK [RFC7517] format
2017-04-250.5Added KW and GCM algorithms
2017-05-150.51Added test vectors and missing RSA-OAEP algorithm
2019-03-150.60Rewritten to use the JCS [JCS] canonicalization scheme
Appendix D: Author
JEF was developed by Anders Rundgren (anders.rundgren.net@gmail.com) as a part of the OpenKeyStore [OPENKEY] project .