JEF
 
JSON Encryption Format
Table of Contents
1. Introduction
2. Sample Object
3. Notation
4. Data Types
5. JEF Objects
Encryption Object
Key Encryption
jwk
6. Operation
7. Security Considerations
Appendix A: Test Vectors
Appendix B: References
Appendix C: Document History
Appendix D: Author
1. Introduction
This document specifies a container formatted in JSON [RFC7159] for holding encrypted binary data, coined JEF (JSON Encryption Format).
JEF was derived from IETF's JWE [RFC7516] specification and supports a subset of the same algorithms [RFC7518]. Public keys are represented as JWK [RFC7517] objects while the encryption container itself utilizes a notation similar to JCS [JCS] in order to maintain a consistent "style" in applications using encryption and signatures, including providing header information in plain text.
The JEF encryption scheme is fully compatible with the ES6 [ES6] JSON/JavaScript serialization and parsing specification.
2. Sample Object
The following sample object is used to visualize the JEF specification:
{
  "enc": "A128GCM",
  "alg": "ECDH-ES+A128KW",
  "kid": "example.com:p256",
  "epk": {
    "kty": "EC",
    "crv": "P-256",
    "x": "M6HeD_egKOCrx6EEQ9WBV57WRaOxHG3qPe46auPKjNw",
    "y": "aZYIM2pC48FbSCKWmBgaCxDii8lRTWRxDmMPz9FukeQ"
  },
  "encrypted_key": "V9Fq0Y1g7VzbAcqZqdVN3lnbx5bnspv0",
  "iv": "ydp_806BQdHd-5QT",
  "tag": "iRmtRkBZGLw_ueCoUllgqA",
  "ciphertext": "4Z5I-yz4h7WtkOB7S3cJa-L_wKcg2g"
}
The sample object can be decrypted by using the EC private key defined in Test Vectors.
3. Notation
JEF containers always start with a top-level JSON object.
JSON objects are described as tables with associated properties. When a property holds a JSON object this is denoted by a link to the actual definition.
Properties may either be mandatory (M) or optional (O) as defined in the "Req" column.
Array properties are identified by [ ] x-y where the range expression represents the valid number of array elements.
In some JSON objects there is a choice from a set of mutually exclusive alternatives.
This is manifested in object tables like the following:
Property selection 1Type selection 1ReqComment selection 1
Property selection 2Type selection 2Comment selection 2
4. Data Types
The table below shows how the data types used by this specification are mapped into native JSON types:
TypeMappingDescription
stringstringArbitrary string
uristringURI [RFC3986]
byte[]stringBase64URL-encoded [RFC4648] binary data
byte2[]stringBase64-encoded [RFC4648] binary data
cryptostringBase64URL-encoded positive integer with arbitrary precision. Note that the value must not contain leading zero-valued bytes
object{}JSON object
Note that "Type" refers to the element type for arrays.
5. JEF Objects
The following tables describe the JEF JSON structures in detail.
Encryption Object
PropertyTypeReqComment
"enc": "Algorithm"stringMContent encryption algorithm. Currently the following JWE [RFC7516] algorithms are recognized:
  • A128CBC-HS256
  • A192CBC-HS384
  • A256CBC-HS512
  • A128GCM
  • A192GCM
  • A256GCM
"alg": "Algorithm"stringOOptional. See alg.
Note: There must always be an "alg" identifier present. However, for multiple encryptions schemes "alg" can either be provided at the top level (=shared), or be suppled individually (local level) for each encryption object, not both.
Also see the p256#ecdh-es+a256kw,p384#ecdh-es+a256kw@a128cbc-hs256@mult-glob+alg-kid.json test vector.
"...": Key Encryptionn/aOIf an encryption scheme for a single recipient is targeted, the applicable properties from Key Encryption must also be featured inside of the encryption object (=at the top level) as illustrated by the Sample Object.
"recipients": [Key Encryption] 1-nobjectIf this property is defined, one or more recipients must each be provided with a suitable Key Encryption object.
Also see the p256#ecdh-es+a256kw,r2048#rsa-oaep-256@a128cbc-hs256@mult-kid.json test vector.
"crit": ["Property List"] 1-nstringOOptional. Array holding the names of one or more application specific extension properties featured in the Key Encryption object (or the top level object for the case there is no "recipients" element).
Extension names must not be duplicated or use any of the JEF reserved words "alg", "enc", "iv", "tag", "aad", "encrypted_key", "epk", "ciphertext", "recipients", "crit", "kid", "jwk", "jku", "x5c", "x5t", "x5t#s256" or "x5u".
Extensions intended for public consumption are preferably expressed as URIs (unless registered with IANA), while private schemes are free using any valid property name.
A conforming JEF implementation must reject encryption objects listing properties that are not found as well as empty "crit" objects. Receivers are recommended introducing additional constraints like only accepting predefined extensions.
Also see the p256#ecdh-es+a256kw@a256gcm@crit-jwk.json test vector.
"iv": "iv"byte[]MInitialization vector.
"tag": "tag"byte[]MAuthentication tag.
"ciphertext": "ciphertext"byte[]MEncrypted data.
Note that if neither kid nor @@@ are defined, the (symmetric) data encryption key is assumed to known by the recipient.
Key Encryption
PropertyTypeReqComment
"alg": "Algorithm"stringOKey encryption algorithm. Currently the following JWE [RFC7516] algorithms are recognized:
"kid": "Key Identifier"stringOIf the kid property is defined, it is supposed to identify the public key associated with the encrypted (or derived) key.
"jwk": jwkobjectOOptional. Public key associated with the encrypted (or derived) key.
Also see the p256#ecdh-es+a256kw@a128cbc-hs256@jwk.json test vector.
"jku": "URL"uriOptional. URI [RFC3986] which must be dereferencable by an HTTPS GET operation and pointing to a JWK [RFC7517] key set holding a single jwk object.
Also see the p256#ecdh-es+a256kw@a128cbc-hs256@jku.json test vector.
"x5c": ["Certificate Path"] 1-nbyte2[]Optional. Sorted array of X.509 [RFC5280] certificates, where the first element must contain the encryption certificate. The certificate path must be contiguous but is not required to be complete.
Also see the p256#ecdh-es+a256kw@a128cbc-hs256@x5c.json test vector.
"x5u": "URL"uriOptional. URI [RFC3986] which must be dereferencable by an HTTPS GET operation and pointing to a PEM [RFC7468] file containing a sorted array of X.509 [RFC5280] certificates, where the first element must contain the encryption certificate. The certificate path must be contiguous but is not required to be complete.
Also see the p256#ecdh-es+a256kw@a128cbc-hs256@x5u.json test vector.
Additional ECDH Properties
"epk": jwkobjectMEphemeral EC public key.
Additional ECDH+KW Properties
"epk": jwkobjectMEphemeral EC public key.
"encrypted_key": "encrypted_key"byte[]MEncrypted content encryption key.
Additional RSA Encryption Properties
"encrypted_key": "encrypted_key"byte[]MEncrypted content encryption key.
Note that if neither kid nor jwk are defined, the associated key is assumed to known by the recipient.
jwk
PropertyTypeReqComment
"kty": "Key Type"stringMKey type indicator. Currently the following types are recognized:
Additional EC Properties
"crv": "Curve Name"stringMEC curve name. The currently recognized EC curves include:
  • P-256
  • P-384
  • P-521
Note: If proprietary curve names are added, they must be expressed as URIs.
"x": "Coordinate"byte[]MEC curve point X. The length of this field must be the full size of a coordinate for the curve specified in the crv parameter. For example, if the value of crv is P-521, the decoded argument must be 66 bytes.
"y": "Coordinate"byte[]MEC curve point Y. The length of this field must be the full size of a coordinate for the curve specified in the crv parameter. For example, if the value of crv is P-256, the decoded argument must be 32 bytes.
Additional RSA Properties
"n": "Modulus"cryptoMRSA modulus. Also see the crypto data type.
"e": "Exponent"cryptoMRSA exponent. Also see the crypto data type.
This object represents a subset of JWK [RFC7517].
6. Operation
Prerequisite: A JSON object in accordance with [RFC7159] containing properly formatted JEF data.
Parsing restrictions:Since JEF uses the same algorithms as JWE [RFC7516] the JWA [RFC7518] reference apply with one important exception: Additional Authenticated Data used by the symmetric ciphers. This difference is due to the way encryption meta-data is formatted. The process for creating Additional Authenticated Data is as follows:Applied on the Sample Object, a conforming JEF Additional Authenticated Data process should return the following JSON string:
{"enc":"A128GCM","alg":"ECDH-ES+A128KW","kid":"example.com:p256","epk":{"kty":"EC","crv":"P-256","x":"M6HeD_egK
OCrx6EEQ9WBV57WRaOxHG3qPe46auPKjNw","y":"aZYIM2pC48FbSCKWmBgaCxDii8lRTWRxDmMPz9FukeQ"},"encrypted_key":"V9Fq0Y1
g7VzbAcqZqdVN3lnbx5bnspv0","iv":"ydp_806BQdHd-5QT"}
Note that the output string was folded for improving readability.
The Additional Authenticated Data string is subsequently UTF-8 encoded before being applied to the encryption algorithm.
7. Security Considerations
This specification does (to the author's knowledge), not introduce additional vulnerabilities over what is specified for JWE [RFC7516].
Appendix A: Test Vectors
This section holds test data which can be used to verify the correctness of a JEF implementation.
All encryption tests encrypt the string below (after first having converted it to UTF-8):
"Hello encrypted world!"
p256privatekey.jwk
The Sample Object (available in file p256#ecdh-es+a128kw@a128gcm@kid.json), can be decrypted by the following EC private key, here expressed in the JWK [RFC7517] format:
{
  "kid": "example.com:p256",
  "kty": "EC",
  "crv": "P-256",
  "x": "censDzcMEkgiePz6DXB7cDuwFemshAFR90UNVQFCg8Q",
  "y": "xq8rze6ewG0-eVcSF72J77gKiD0IHnzpwHaU7t6nVeY",
  "d": "nEsftLbi5u9pI8B0-drEjIuJzQgZie3yeqUR3BwWDl4"
}
p256#ecdh-es+a256kw@a128cbc-hs256@kid.json
ECDH encryption object requiring the same private key as in the sample object while using a different set of algorithms both for key encryption and content encryption:
{
  "enc": "A128CBC-HS256",
  "alg": "ECDH-ES+A256KW",
  "kid": "example.com:p256",
  "epk": {
    "kty": "EC",
    "crv": "P-256",
    "x": "RO6mCzVpp5xu5JD7dfmHps-zTX3WHBR-7TT7-qw3wHM",
    "y": "4smBJY8DN36H47ZpTjIZvMY3yBBAN9PIx7WfF1ocdzs"
  },
  "encrypted_key": "getOWMlQOtRS9LD_nUaN5nkP1t5eKsfoG61HjtuZwXyod3-urN4d2g",
  "iv": "XEb4njK3QaMn5gtAjrv2Ig",
  "tag": "QcE8X8Fw77BYpvNB2bktYg",
  "ciphertext": "TsRAtIQKNz9BpVqKbaA1NBVCoe-i8gt_mV92y56q-cw"
}
p256#ecdh-es+a256kw@a128cbc-hs256@jwk.json
ECDH encryption object requiring the same private key as in the sample object while providing the public key information in line, instead of using a kid:
{
  "enc": "A128CBC-HS256",
  "alg": "ECDH-ES+A256KW",
  "jwk": {
    "kty": "EC",
    "crv": "P-256",
    "x": "censDzcMEkgiePz6DXB7cDuwFemshAFR90UNVQFCg8Q",
    "y": "xq8rze6ewG0-eVcSF72J77gKiD0IHnzpwHaU7t6nVeY"
  },
  "epk": {
    "kty": "EC",
    "crv": "P-256",
    "x": "rtpbuVSSTAYBwVspAkUv7DVGFWMmXZEj9vHYSFm3Pp0",
    "y": "G6GJmTB4i7dE3ST6V_qYxEmAGaq8ifbOJnS0jj_ifb8"
  },
  "encrypted_key": "zP4oYy-TmGCRzVa3FoM_Xn_WaYJMptuj_N9rBEStZK6HatkjyZpZ9A",
  "iv": "1Mfcgxqkk_JnKxLKQ15TKA",
  "tag": "bIq3mQr5p5yI2lKQAIu9rg",
  "ciphertext": "6QDjZw2NjZjqdMxGi4pz5fOB2JqrriBg-6F0mblB0EU"
}
p256#ecdh-es+a128kw@a128gcm@imp.json
ECDH encryption object requiring the same private key as in the sample object but assuming it is known through the context:
{
  "enc": "A128GCM",
  "alg": "ECDH-ES+A128KW",
  "epk": {
    "kty": "EC",
    "crv": "P-256",
    "x": "dtGqqauOqXA5tJGqPlwcqQPIIfH1R1Tgj87Poi95LqU",
    "y": "kiTuCTdz7NIfPFca2zt4wYa7We2QE8O_e70OAyKfwZ4"
  },
  "encrypted_key": "U-kYwoQr1wwStOhEABkGVOnbYEY5YXRr",
  "iv": "t403qJD15gN6irSP",
  "tag": "0DAopRKDtTVspAyB5f9_rw",
  "ciphertext": "ACqNMP7uchOEg3XoSDJOAj4WnYc-oA"
}
p256#ecdh-es+a256kw@a128cbc-hs256@x5c.json
ECDH encryption object requiring the same private key as in the sample object while providing the key information through an in-line certificate path:
{
  "enc": "A128CBC-HS256",
  "alg": "ECDH-ES+A256KW",
  "x5c": [
    "MIIB+TCCAVigAwIBAgIGAWFcc4YkMAwGCCqGSM49BAMEBQAwLTELMAkGA1UEBhMCRVUxHjAcBgNVBAMTFVRydXN0IE5ldHdvcmsgU3Vi
IENBMzAeFw0xODAxMDEwMDAwMDBaFw0yMjEyMzEyMzU5NTlaMDIxCzAJBgNVBAYTAkZSMQ0wCwYDVQQFEwQ0NTAxMRQwEgYDVQQDEwtleGFtc
GxlLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHHp7A83DBJIInj8+g1we3A7sBXprIQBUfdFDVUBQoPExq8rze6ewG0+eVcSF72J77
gKiD0IHnzpwHaU7t6nVeajXTBbMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgP4MB0GA1UdDgQWBBQQyJ9rXSIskoUuA946von62LoxqzAfBgN
VHSMEGDAWgBTUWrS54qC2NgG3UK6rVAr0gbQ0MTAMBggqhkjOPQQDBAUAA4GMADCBiAJCAaWoVQ0r6jFjhO5e0WJTgyMmA8BhpO1t7gXQ6xoK
Gso9jCOYf9OG9BFfZoVmdIyfYiwkhy1ld27tiOJ5X4m6WasRAkIBpEkUDf8irbSZ1V7zXALaR2mJTjKQV/5jRHsiBQWA+5DxEa+x/zJVRz8tp
p+jjT2tSCU82bwUOBLu6te1YIDpWCA=",
    "MIIDsTCCAZmgAwIBAgIBAzANBgkqhkiG9w0BAQ0FADAuMQswCQYDVQQGEwJVUzEfMB0GA1UEAxMWVHJ1c3QgTmV0d29yayBSb290IENB
MTAeFw0xNjA3MTAxMDAwMDBaFw0yNTA3MTAwOTU5NTlaMC0xCzAJBgNVBAYTAkVVMR4wHAYDVQQDExVUcnVzdCBOZXR3b3JrIFN1YiBDQTMwg
ZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAGJzPZsjniwyZeXrgrlQM3Y13r3znR8FSQpKbC2bplrOWySQJPGm+GFObe5Dk4t3Jrtk/Pbs8+3VW
/4q5drL0YqYwBYNJPhqjbSM6SGHrc6wNdPZRw/WnJVa0ELXKICC73lkjskWPfE+cLpZ3sTq1ovEmoNjgaySVRUH1wFDdkqyReJaKNjMGEwDwY
DVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFNRatLnioLY2AbdQrqtUCvSBtDQxMB8GA1UdIwQYMBaAFEkmC1HDAh0f
XehpiUhUGE868Hk2MA0GCSqGSIb3DQEBDQUAA4ICAQAs2KADYyGQCVy8tJZWakNtGdww4OumZpBuR66p/2xK7veRubQEhG+nJn7oVkJ4w5pEe
c3sYQEqtPbHyZcEKEYbOJ2cVf1nMH+DvFZ6ypQocGRp3WSWsTzL3SgqiWrQdPX1Y5dO6Hvx7p9ST9H2WgkxB+Q75Jov1gVF3bScAbxb7Mw7tf
5z3Cvqmfo0Gatkgzz6+jDPrtUK7AAAOw3C0kHMbE3EnNarsfhBkUerE8QVmHIvz373mWt0SnguaHq0A9ZuSia/pF7bgfVRZi2ZzIzpu2O276s
B2Yji9tcSn5l21jq63rXtvY/DLAi4kaLyf9sHT/tkH+gkTdkdkfQq8sA5ysRW21wPQbmjTIVwsfY4JjajVIUitjPbkUJqURpf2VD0JXdYQHS6
KVPWqHWTlKPlsKbhw4ghuLqCMYda88L9rxWnSC5L8s0DJSuBBm+nq23NtHl5FbCzeXWcKRayIgimT+An1WIOeJP4F7+BctYLIooKoQzJZR1tO
WvprUs22/xAivVBz7J/LmJyVlKesB2ic8qYdt7YVoCsWrnEUgoNoJPwLHeva8KPvd0gLXrwaMyTCCjeoemXFj6nCbbMHJeVffh6jYBAzlbcAE
vTiZcdzrVVr54kOtWskyaeDnAcMXW4Of1vWdUJ2as5nyfletfTp4E6A9P2dZ5g7nMoL90yIw=="
  ],
  "epk": {
    "kty": "EC",
    "crv": "P-256",
    "x": "mJplla35w8LLjRbYojEdgMsRCg5UDZf2Jdz-EhwHqRw",
    "y": "-QbSyHnk-7k55JKpLrKN8BTg73T4F1mr_IUwWpHpU1s"
  },
  "encrypted_key": "yg8tnENhAe4bXL6yBtp-MptSrLHmaJ_YSaGhUdzWhMGEp38W9B4HNg",
  "iv": "v8XdNLDpEruTdiqYEhwFYg",
  "tag": "oXak3oJQS7HIFnzcQc4iGg",
  "ciphertext": "ZiqRUBTGs1eF51v1fPUM-4ADzn09NnD4BREUr64A6tw"
}
p256#ecdh-es+a256kw@a128cbc-hs256@x5u.json
ECDH encryption object requiring the same private key as in the sample object while providing the key information through an external certificate path:
{
  "enc": "A128CBC-HS256",
  "alg": "ECDH-ES+A256KW",
  "x5u": "https://cyberphone.github.io/doc/openkeystore/p256certpath.pem",
  "epk": {
    "kty": "EC",
    "crv": "P-256",
    "x": "uo-SKsSxG8vz7AjF5rbCGn0MSXnj8xY6fesv2NOcR9U",
    "y": "nPSr6cgw5-eIwT_T7jX_NLRr0WYNxmac-1chVc05knA"
  },
  "encrypted_key": "fBxGHuGlSyOkHXIAaAwn6x_y9u97PipLNWlMM4nOvJK5xYhWpoO7bg",
  "iv": "41BL8Nh67MIX2on9lf25Zg",
  "tag": "u3o63Olj4Cn6spGCYQ6_Bw",
  "ciphertext": "V2vPNUbRIRNDLXOw6Y6kVaR-WiT6JxJdE0qYClloa1c"
}
p256#ecdh-es+a256kw@a128cbc-hs256@jku.json
ECDH encryption object requiring the same private key as in the sample object while providing the key information through an external public key:
{
  "enc": "A128CBC-HS256",
  "alg": "ECDH-ES+A256KW",
  "jku": "https://cyberphone.github.io/doc/openkeystore/p256.jwks",
  "epk": {
    "kty": "EC",
    "crv": "P-256",
    "x": "7yV4wkhfMJvStzGmizzBNwpKWVAL817r5rZlvtFUlCk",
    "y": "B8mita0_8mqJ5UPbq1iWvEndP27Ya8cXKkz5y62T3xo"
  },
  "encrypted_key": "_EZJZLcLsUu0KgnSpMd7XzWiZfDjmR3wzk0a8EzKB54HdBQmLzKfaA",
  "iv": "hjU2byZo8HlH42JOg-bHMQ",
  "tag": "vdV94kF9V-Fy1a_f8sBCkA",
  "ciphertext": "4Ac_b4txl2s0Rv04EsLXISnbE9YcydAgn0ZDQ3FwcW8"
}
p256.jwks
JWK [RFC7517] key set associated with the preceeding encryption object:
{
  "keys": [{
    "kty": "EC",
    "crv": "P-256",
    "x": "censDzcMEkgiePz6DXB7cDuwFemshAFR90UNVQFCg8Q",
    "y": "xq8rze6ewG0-eVcSF72J77gKiD0IHnzpwHaU7t6nVeY"
  }]
}
p256#ecdh-es+a256kw@a256gcm@crit-jwk.json
ECDH encryption object requiring the same private key as in the sample object while providing the key information in line. In addition, this object declares crit extensions:
{
  "enc": "A256GCM",
  "alg": "ECDH-ES+A256KW",
  "jwk": {
    "kty": "EC",
    "crv": "P-256",
    "x": "censDzcMEkgiePz6DXB7cDuwFemshAFR90UNVQFCg8Q",
    "y": "xq8rze6ewG0-eVcSF72J77gKiD0IHnzpwHaU7t6nVeY"
  },
  "epk": {
    "kty": "EC",
    "crv": "P-256",
    "x": "Wcwhj89NzVFg5KFRc7ue2BwaRjNzX-fBpXFrBkoEKxM",
    "y": "jFb-fB0yMmsxqS_hvhzhKJxNoieSG4GqnzJ0Dexcfnw"
  },
  "encrypted_key": "o36Ni79Q17naDGp7s_freBX2wRA0qRLQ_phJWXYs5tZGHCh4h8tiVA",
  "otherExt": "something",
  "https://example.com/extension": {
    "life-is-great": true
  },
  "crit": ["otherExt","https://example.com/extension"],
  "iv": "F8nKpoWaoLL-EX_n",
  "tag": "10gnkZhV9StOvG3XxAIw3w",
  "ciphertext": "X6AyJSWZvZPAOS4ATWUlG4aw9aY8Sg"
}
p384privatekey.jwk
EC private key for decrypting the subsequent object:
{
  "kid": "example.com:p384",
  "kty": "EC",
  "crv": "P-384",
  "x": "GLfdsvEwphRzS_twup7UFPVOk7_CKgHZ7dt_fJ2QHPBdJa1c5pfJcRIWTfT0lpg9",
  "y": "ovA5_QXmFbj9U4pjZ1AX_ZdVyIRZUBWW9cuZda_tupKfWQfmcQHzDmHGHbxl9Xxl",
  "d": "Qsgq80kMs40sAn1gB7gLxAk1se37Kmh9AG18wWZ3SqgcPPRq1wwidNTi866Gt4_0"
}
p384#ecdh-es@a256cbc-hs512@jwk.json
ECDH encryption object requiring the private key above:
{
  "enc": "A256CBC-HS512",
  "alg": "ECDH-ES",
  "jwk": {
    "kty": "EC",
    "crv": "P-384",
    "x": "GLfdsvEwphRzS_twup7UFPVOk7_CKgHZ7dt_fJ2QHPBdJa1c5pfJcRIWTfT0lpg9",
    "y": "ovA5_QXmFbj9U4pjZ1AX_ZdVyIRZUBWW9cuZda_tupKfWQfmcQHzDmHGHbxl9Xxl"
  },
  "epk": {
    "kty": "EC",
    "crv": "P-384",
    "x": "5mC75QUZ_QmeLt7wPOpwIW_lxZawixKKEi-WVusRHMmLHuU-Zc_87KRrGzCxxb1-",
    "y": "iMrvjUucognf4_-Ep8AWpQGwhFRUvITqOVoe8FRkhcj7eMvTfkImPgpdKDoEMpe5"
  },
  "iv": "7Vb6KYpzo-v2ED_gR_1wow",
  "tag": "LDTfMoihkdI7H3v7qRKkDQ_zDoF69ecwo10XQF5MBUE",
  "ciphertext": "87mAGU2DFz09xg7XjJV9slwaLpKf8nwLked95KvM9A0"
}
p521privatekey.jwk
EC private key for decrypting the subsequent object:
{
  "kid": "example.com:p521",
  "kty": "EC",
  "crv": "P-521",
  "x": "AT9Hw32aVQCGd5csltC1dqhSB4fFt-mEWO-QxZqrr9Yrwn69_q7n1YOYrHSWjk_qMkCGk6qQ4f9ZRYIJPGqjfxC9",
  "y": "AeVHV1elHFzR_P5Lzb22hMyhAzcGSTT1sdwVmFkJGBYt55RKXGNO1H9De2v_p5S-kkK8BZVh3JGzixMyT0Eo_ckS",
  "d": "AYSlWWbGUougMnE2r7pRkiHZfXBgUzaVTuWfE0X7PDYodsVXVzRiz4KMgfs5Xowwk2roUsbJV7wdyZ83qMrQM1Fv"
}
p521#ecdh-es+a256kw@a128cbc-hs256@jwk.json
ECDH encryption object requiring the private key above:
{
  "enc": "A128CBC-HS256",
  "alg": "ECDH-ES+A256KW",
  "jwk": {
    "kty": "EC",
    "crv": "P-521",
    "x": "AT9Hw32aVQCGd5csltC1dqhSB4fFt-mEWO-QxZqrr9Yrwn69_q7n1YOYrHSWjk_qMkCGk6qQ4f9ZRYIJPGqjfxC9",
    "y": "AeVHV1elHFzR_P5Lzb22hMyhAzcGSTT1sdwVmFkJGBYt55RKXGNO1H9De2v_p5S-kkK8BZVh3JGzixMyT0Eo_ckS"
  },
  "epk": {
    "kty": "EC",
    "crv": "P-521",
    "x": "APzJiz9pQDMRVfyYMt6-8Qzjql2c_X1uC-8RXeOlcP11X5_XfUMmPhuXw-p-vjqEVkUYxU15whMF1hkGJpBNJK_O",
    "y": "ASzvAKK7OSdcffhI2aIOmUrU9s3Jehd-r8n9TsoL4u8T2JLwtPE_zK7Gk58DDpsOdYRL1l5nlAWc9_GYDKI3dTEx"
  },
  "encrypted_key": "29zg9s16Pycih0vCNmu4EUY_ekKvzE2Sj0DbTDgjRHYJdfIVPDZZ8w",
  "iv": "CL5b8ilEG2CAtSyu88oJ9A",
  "tag": "hDIowc0t0OJDEB3HE6G89Q",
  "ciphertext": "GRanGwesXtb0vFoUC6qyeOHDDkbJISFFNjHt3yRAwwA"
}
r2048privatekey.jwk
RSA private key for decrypting the subsequent object:
{
  "kid": "example.com:r2048",
  "kty": "RSA",
  "n": "hFWEXArvaZEpSP5qNX7x4C4Hl28GJQTNvnDwkfqiWs63kXbdyPeS06bz6GnY3tfQ_093nGauWsimqKBmGAGMPtsV83Qxw1OIeO4uj
bIIb9pema0qtVqs0MWlHxklZGFkYfAmbuEUFxYDeLDHe0bkkXbSlB7_t8pCSvc8HLgHjEQjYOlFRwjR0D-uLo-xgsCbpmCtYkB5lcT_zFgpRg
Y4zJNLSv7GZiz2S4Fc5ArGjd34lL47-L8bozuYjqNOv9sqX0Zgll5XaJ1ndvr7UqZu1xQFgm38reoM3IarBP_SkEFbt_v9iak602VO3k28fQh
MaocP7JWR2YLT3kZM0-WTFw",
  "e": "AQAB",
  "d": "Q6iBYpnIrB2mkQZagP1lZuvBv9_osVaSZpLRvKD7DxhvbDTs0coaTJIoVCSB1_VZip8zlUg-TnYWF1Liv9VSwfQ7ddxrcOUtej60m
Id0ntNz2HhbxJsWjiru8EZoArl0nEovLDNxlRgRMEyZwOKPC_xHT6nFrk7_s9pR5pEEcubGLAVBKnLCoPdLr-CBjCvWfJo73W5AZxoSb8MdWQ
Oi5viXHURpr1Y_uBRsMuclovM56Vt05etMsB1AbcTLUDwAuYrZWa1c08ql60ft7b3v6Q_rCL7EHtFU3PHAuP0mV7tM5BfAPf4T0g9pbr4GOw7
eqQCiYgPFE7gmCR_PDxv5YQ",
  "p": "6DIM343hAtj1hQprJaVQ3T8YeIytIQ7Ma544C0A8BX-irjJfARy4fAlTSyBFeauZ0WdbMGtKpAIgNVmfCfuP7W1bXw7UaxpqsQlbw
54K1VtBs8xG-lee_2YQ3lUlIiC1at6L0jxWYNkvp-LIfU2F5ZQir5ZWVXwgdMcgoNBABMc",
  "q": "keacq0goV7pAtG2h33OAk-XOSclIF1agvEMMOKuud5V-vGQ6OaYldlYqZmSGgF7RVlX0GZO70nPqatjd2G-tI8wEq5K_xmLQurUPF
W8g___z0CTgJ62KbjFxCtGny5rsObX9im6cCc_EOtWZRaApzO8ykxfo1QcEjT4k1na7DzE",
  "dp": "nPmJPnFal2Q5x_GdMlwq6QhI8OaZ_OlWRcM3PFP2v_jj8ERZehUCm8hqKTXuAi2C1dC8E2XVlj9hqu-l10fcq7Tsurz52laHnpwn
D35-8HK7XmRR79jgwuUrrkN90S6vt0ow2La15s-tqiBlTmDkjqqxMGfAghZiktA0PMPNI-0",
  "dq": "D3c1lkZw2FPK9hVE-m3A7GyIwHOQq8CoCyzER-GS_eQf6hJpxaCiCfg6SF5Rj5v9brxvwqJRX46gA7F3WrED1m6S9Cj7ISlqXNBC
iBAenGRiUOcHx8zyhpnBFNeChOeoMLnk5V6yNawLbf0kYSgIJkwYvVTkfmhfCCXVO9KcI5E",
  "qi": "wV0NzfCakfog1NFjtPzcga1MtkpizgPkxcP9LjNdvXW2YQZhM6GIEGjsu3ivTrHrrM-4_bTQHOoTtfIY7wdqBKlwQTJOI0dH9FbN
J4ecGojRwgv83TN8aNKh17Tt44jI5oibs2P-31B_VW9R1wwhnnOuCYpABfoSbtHIoCRme5I"
}
r2048#rsa-oaep-256@a256gcm@jwk.json
RSA encryption object requiring the private key above:
{
  "enc": "A256GCM",
  "alg": "RSA-OAEP-256",
  "jwk": {
    "kty": "RSA",
    "n": "hFWEXArvaZEpSP5qNX7x4C4Hl28GJQTNvnDwkfqiWs63kXbdyPeS06bz6GnY3tfQ_093nGauWsimqKBmGAGMPtsV83Qxw1OIeO4
ujbIIb9pema0qtVqs0MWlHxklZGFkYfAmbuEUFxYDeLDHe0bkkXbSlB7_t8pCSvc8HLgHjEQjYOlFRwjR0D-uLo-xgsCbpmCtYkB5lcT_zFgp
RgY4zJNLSv7GZiz2S4Fc5ArGjd34lL47-L8bozuYjqNOv9sqX0Zgll5XaJ1ndvr7UqZu1xQFgm38reoM3IarBP_SkEFbt_v9iak602VO3k28f
QhMaocP7JWR2YLT3kZM0-WTFw",
    "e": "AQAB"
  },
  "encrypted_key": "EYMCBETX_ND4g_szRDV0ONZqmujBVmlJONqUzADeO0f3XNgXtKCGg5t0mF3J7bH0im0LmrlZJmeq9ryDFOQTW-T15
chsN8pOEA3wF0ZE3XUSdkREwUm5lsdjmqnAyD_yjAWOaHeaowdbjx7FiCK5uKkqPHn4CP-OwAcFmCr_5AJlTVVAq1pSqFnExYzcpH48TyojcD
_aOYD17y0GqUcGR1SeMCJC2EApzdB3eimtLvUwYttTV02s3-fhfxPE-mGPCQ_aDuuntqSX-fIzGRbTKY3I1o86_F3lH1ZnyGCw2hNag07QGMm
kApMu3UA31d4vCns628MFIc1L4B4SO1283w",
  "iv": "TwtnOYeF1XcvPqEy",
  "tag": "QMUNT_O6lA66aVVXsn3rtg",
  "ciphertext": "Zzjo62c44t_FLWSHzVQgx3oN6PQojA"
}
r2048#rsa-oaep-256@a256gcm@imp.json
RSA encryption object requiring the same private key as in the previous example but relying on that this being implicitly known since the encryption object neither contains a kid, nor a jwk property:
{
  "enc": "A256GCM",
  "alg": "RSA-OAEP-256",
  "encrypted_key": "efWx5lm4XNcac59UuXGU_nJKUu1QFQA6e3BRSmNuZ72ApOMsR902scUjAOARFvhe38NYM0l38AHwLB0Li2_Ey-pXK
6uSIcA5sxyB6H5uIqLANAnvdJ-hKmKATUdNQ6C7mNXkNDIhvFoFqqrI_TSrrvHLYgUdkk7FnHnIWXuj1h8P1JiG2GUTrnAqHfBnNBsZAv4DWn
dLoXqE1IS9ttK-RY8-LxyVTk5IaOkjaFRBUOXJ503LnZFUAJ6_xI3iUH3qOGOMuEgQTuUn-BWfgv8RmMJpzW6P7IHfOrVGuldpk9N494O388R
W03sJFN32VEaeL_Onm6WcRuyvvFBrqZ-zOg",
  "iv": "8EQhWNG2qvTvKE8v",
  "tag": "2tI3h_ub6RG_uJnpBDS8EQ",
  "ciphertext": "NYqXIy6VjoaW9FyQRmMynSwnUx7jcA"
}
r2048#rsa-oaep-256@a256gcm@kid.json
RSA encryption object requiring the same private key as in the previous example while using a different set of algorithms both for key encryption and content encryption:
{
  "enc": "A256GCM",
  "alg": "RSA-OAEP-256",
  "kid": "example.com:r2048",
  "encrypted_key": "KDTA6d32KNCy40MjOOViUl5p3XEZDgJp4N90Rwqxa2JEGivwR6zJZx5Wy95mvZOyz1lHrBIp40rODl8RP_-mFdD-_
lrv8XDUwt7TDv45jv64tjlAKhMR2BHf_1sHmW0sbXQ4RDiaei51xoqaN9XJcD8LGcRjbYZfcmb0wjaphCWC_QaVZyV3CHkoDuG13J6cggQZpC
dNKXdM-J6gh4gEXW8Hw4rI7U3Cdp7SF61zxUda8HD-LLxBEGQD91OPyfZCh0nMxT1Y5u4sqQU0vJO0XkiLW43-ngOFp6RPjc4Jrrcc1BXHn7B
XZ9zHmsIzSPIQHZE9rjA_CDCYkbCNNyIzfQ",
  "iv": "IN68wu0aF83dGxRD",
  "tag": "pQ2onOnbQy8-2lg7bMsvkQ",
  "ciphertext": "-BYGdaZUkKxrMVntJYUwjmfrt7pTsA"
}
p256#ecdh-es+a256kw,r2048#rsa-oaep-256@a128cbc-hs256@mult-kid.json
Multiple recipient encryption object requiring the same private keys as in the previous examples:
{
  "enc": "A128CBC-HS256",
  "recipients": [{
    "alg": "ECDH-ES+A256KW",
    "kid": "example.com:p256",
    "epk": {
      "kty": "EC",
      "crv": "P-256",
      "x": "TyzaohwPI2pScDjU2VyUPIMVPJx8cfIqRJ_iSIV1cJg",
      "y": "V7OFHYFmMwekU3JLoMEO8UkZtdSf38i6FgEepeNQOgY"
    },
    "encrypted_key": "vgvY7J9_1gVkWQ19_OYmdlTSNONnIvFYElu8zZ8h4P_LhpxZhxBIUw"
  },{
    "alg": "RSA-OAEP-256",
    "kid": "example.com:r2048",
    "encrypted_key": "aIZisAiTO3rFR_ZQGUnlkm7J3ESD4p3QaMCbSp6YYVfFif1Be0JgmlTr4GQsOVIDWsvUMaN87O85cKozxo4Zj-y
FdhodO3tJoTbIZEacwaZAeVSlBD6sVWIEeb5C0npPF7RWY7HZOmgLSPNb_YnWMPHQzFoxdfHwrt8StO-7GEsicxT8tqfrEYJIrRJR8qtc68Us
Kno9vnxtjbseZSb2anB1cw8i5rBJFxqYLKb_ECUcs-LVMelXr5P2GCkqiCW8yiYb99uNvTwDxZ-597RzMSxg_wValXF76s0iTZlh4v6a9-P0L
Z1aPT5kUywNixnbkYSOU8qF7g2HtCAnZPlfVw"
  }],
  "iv": "OvM6nx0bFG0hvv9I_jzWnQ",
  "tag": "XOJJiowbxFBlRKPh5BuQgA",
  "ciphertext": "Jbk5fXbkV95T2G_Ym-4ZtM0BCeE2S2tix0ZHBTYLc04"
}
p256#ecdh-es+a256kw,p384#ecdh-es+a256kw@a128cbc-hs256@mult-glob+alg-kid.json
Multiple recipient encryption object requiring the same private keys as in the previous examples as well as using a global alg property:
{
  "enc": "A128CBC-HS256",
  "alg": "ECDH-ES+A256KW",
  "recipients": [{
    "kid": "example.com:p256",
    "epk": {
      "kty": "EC",
      "crv": "P-256",
      "x": "A5vxnGj4VYUB7EHl1EeSUqAsCEA0EzOrLOoEmHT-8Mk",
      "y": "mBKFZO0hcTeZYz3oh02qEJUFNmeOhTsGbW8ON2M5uTE"
    },
    "encrypted_key": "NRf8M5G6vd2HFtXN59a82SjkWmGsyohecrlEb3lmxTqBUjHIUnWCyQ"
  },{
    "kid": "example.com:p384",
    "epk": {
      "kty": "EC",
      "crv": "P-384",
      "x": "cZAU8zn_qCCNk-rYaP_cr6x9TlVRhtyx4YQKoCvdRtCq8jo4TjNlVEuNucoiyXob",
      "y": "YJuRj9eqdE7SwydP_WTUMmZyeNrC74WKddvC4kNPDoZHzNPr56lbF2IYtr41TU1A"
    },
    "encrypted_key": "73l3XqJOfConxhby2Ei4B57lrNXcV21Sob_AhpKdzQhjCNH0T6EekQ"
  }],
  "iv": "q-iYsqa1n0ZjoMzuaPK9bw",
  "tag": "oAkOP26fu1SJVw_GdiEckA",
  "ciphertext": "9ejwjNwe97ec70FUcnDyS1yUmsJ4-4lGrXfY9ouiEHE"
}
AES key named "a128bitkey" here provided in hexadecimal notation:
42123a659360163ad88471f8c089913b
a128@a128gcm@kid.json
Encryption object requiring the key above for decryption:
{
  "enc": "A128GCM",
  "alg": "dir",
  "kid": "a128bitkey",
  "iv": "W_3t1F5obVl-Ze4c",
  "tag": "fix6w2-u-9pTmFYDSssgtQ",
  "ciphertext": "kir2kFME29Qgh3tmVTOWyyLAzFNndw"
}
AES key named "a256bitkey" here provided in hexadecimal notation:
7fdd851a3b9d2dafc5f0d00030e22b9343900cd42ede4948568a4a2ee655291a
a256@a128cbc-hs256@kid.json
Encryption object requiring the key above for decryption:
{
  "enc": "A128CBC-HS256",
  "alg": "dir",
  "kid": "a256bitkey",
  "iv": "KlbUwIkWKOkZ5fN9uFtEjw",
  "tag": "N4scztLbNSLsBGCFi_t4OQ",
  "ciphertext": "g-mC8qE2Ah_lI8rdJeqs1sI_mmIda-exBcE0VEYiQUo"
}
AES key here provided in hexadecimal notation:
7fdd851a3b9d2dafc5f0d00030e22b9343900cd42ede4948568a4a2ee655291a
a256@a256gcm@imp.json
Encryption object requiring the implicit key above for decryption:
{
  "enc": "A256GCM",
  "alg": "dir",
  "iv": "uuQlojW6EvQlkMzc",
  "tag": "KoxOipRNGwjiVNuK5o1l6w",
  "ciphertext": "qg-ueyvAHnblryLHPoejYxRnbeCqHw"
}
AES key named "a256bitkey" here provided in hexadecimal notation:
7fdd851a3b9d2dafc5f0d00030e22b9343900cd42ede4948568a4a2ee655291a
a256@a256gcm@kid.json
Encryption object requiring the key above for decryption:
{
  "enc": "A256GCM",
  "alg": "dir",
  "kid": "a256bitkey",
  "iv": "wBfJFQ-dNpR0ydut",
  "tag": "SQigJaS5khIKRBK0_SfXYg",
  "ciphertext": "2UFQkjlGIIVGK7Mc2xZIDtMtLk6pEw"
}
AES key named "a512bitkey" here provided in hexadecimal notation:
83d26e96b71a5dd767c215f201ef5884fb03dfe5a8ee9612d4e3c942e84d45dfdc5801cb8379958f3af600d68eba1a14e945c90f16556
71f042cea7b34d53236
a512@a256cbc-hs512@kid.json
Encryption object requiring the key above for decryption:
{
  "enc": "A256CBC-HS512",
  "alg": "dir",
  "kid": "a512bitkey",
  "iv": "UNrFnJcnrBCatLUzxR4EuQ",
  "tag": "lJsVPUm-T3yWvZvpXcYzQhnF4fuxoPG6pB9oAkuZJFU",
  "ciphertext": "Zee1ZNhWOA8xI2Nr1O0l6zlVNl0Cil_E7Jr5N44MJ6E"
}
Appendix B: References
ReferenceDescription
[ES6]A. Wirfs-Brock, "ECMAScript 2015 Language Specification", ECMA-262, June 2015.
https://www.ecma-international.org/ecma-262/6.0/ECMA-262.pdf
[JCS]A. Rundgren, "JCS - JSON Cleartext Signature", Work in progress, V0.80, January 2018. https://cyberphone.github.io/doc/security/jose-jcs.html
[OPENKEY]"OpenKeyStore Project", https://github.com/cyberphone/openkeystore
[RFC3986]T. Berners-Lee, R. Fielding, L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", RFC 3986, January 2005. https://tools.ietf.org/html/rfc3986
[RFC4648]S. Josefsson, "The Base16, Base32, and Base64 Data Encodings", RFC 4648, October 2006. https://tools.ietf.org/html/rfc4648
[RFC5280]D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008. https://tools.ietf.org/html/rfc5280
[RFC7159]T. Bray, "The JavaScript Object Notation (JSON) Data Interchange Format", RFC 7159, March 2014. https://tools.ietf.org/html/rfc7159
[RFC7468]S. Josefsson, S. Leonard, "Textual Encodings of PKIX, PKCS, and CMS Structures", RFC 7468, April 2015. https://tools.ietf.org/html/rfc7468
[RFC7516]M. Jones, J. Hildebrand, "JSON Web Encryption (JWE)", RFC 7516, May 2015. https://tools.ietf.org/html/rfc7516
[RFC7517]M. Jones, "JSON Web Key (JWK)", RFC 7517, May 2015. https://tools.ietf.org/html/rfc7517
[RFC7518]M. Jones, "JSON Web Algorithms (JWA)", RFC 7518, May 2015. https://tools.ietf.org/html/rfc7518
Appendix C: Document History
DateVerComment
2016-08-030.3Initial publication in HTML5
2017-04-190.4Changed public keys to use JWK [RFC7517] format
2017-04-250.5Added KW and GCM algorithms
2017-05-150.51Added test vectors and missing RSA-OAEP algorithm
2018-01-150.60Rewritten to reuse JWE [RFC7516] property names
Appendix D: Author
JEF was developed by Anders Rundgren (anders.rundgren.net@gmail.com) as a part of the OpenKeyStore [OPENKEY] project .