[Openid-specs-ab] [openid/connect] JWE - GCM Authentication Tag in JWE compact format (issue #580)

Edmund Jay issues-reply at bitbucket.org
Fri Apr 27 01:10:17 UTC 2012


New issue 580: JWE - GCM Authentication Tag in JWE compact format

Edmund Jay:

The JWE spec specifies the compact format as "{JWE Header}.{JWE Encrypted Key}.{JWE Ciphertext}.{JWE Integrity Value}"

For AEAD algorithms such as A(128/256)GCM, the JWE Integrity Value should be the empty string.

According to NIST SP800-38D, the encryption algorithm is as follows:

Algorithm 4: GCM-AEK (IV, P, A)
  approved block cipher CIPH with a 128-bit block size;
  key K;
  definitions of supported input-output lengths;
  supported tag length t associated with the key.

  initialization vector IV (whose length is supported);
  plaintext P (whose length is supported);
  additional authenticated data A (whose length is supported).

  ciphertext C;
  authentication tag T.

  Let H = CIPH_K(0^128).
  Define a block, J_0, as follows:
  If len(IV)=96, then let J_0 = IV || 0^31 || 1.
  If len(IV) ≠ 96, then let s = 128 ⎡len(IV)/128⎤-len(IV), and let
  Let C=GCTR_K(inc_32(J_0), P).
.... (see sp800-38d algorithm 4)

Return (C, T).

It doesn't say that C and T are returned as one blob or in some sort of structured data, so it seems that there are 2 separate values returned, C and T. If that is the case, I think C and T should be base64url encoded and used as the JWE Ciphertext and JWE Integrity Value respectively.

On a side note, the decryption function lists C and T as separate input values, which leads to the assumption that the encryption function produces 2 separate values.

Also, we need to specify the size of T in bits and if any additional authenticated data (A) needs to be added.

Responsible: ve7jtb
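
The layout proposed in this issue, as an added example that is not part of the original issue or of the JWE draft: AES-128-GCM run with Node's built-in crypto module, which returns C and T separately, with T base64url-encoded into the fourth compact field. Assumptions: a 128-bit tag, empty additional authenticated data (the issue leaves both open), a constructed key and IV, a placeholder Encrypted Key, the IV conveyed outside the compact string, and hypothetical helper names.

```javascript
// Added illustration; helper names are hypothetical, not from the JWE draft.
const crypto = require('crypto');

const TAG_BYTES = 16; // assumption: tag length t = 128 bits

const b64u = (buf) => buf.toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const unb64u = (s) => Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');

// Authenticated encryption: returns C and T as two separate values.
function gcmEncrypt(key, iv, plaintext, aad) {
  const c = crypto.createCipheriv('aes-128-gcm', key, iv, { authTagLength: TAG_BYTES });
  c.setAAD(aad);
  const C = Buffer.concat([c.update(plaintext), c.final()]);
  return { C, T: c.getAuthTag() };
}

// Authenticated decryption: takes C and T separately; throws if T fails to verify.
function gcmDecrypt(key, iv, C, T, aad) {
  // Reject truncated tags explicitly instead of relying on library defaults.
  if (T.length !== TAG_BYTES) throw new Error('unexpected tag length');
  const d = crypto.createDecipheriv('aes-128-gcm', key, iv, { authTagLength: TAG_BYTES });
  d.setAAD(aad);
  d.setAuthTag(T);
  return Buffer.concat([d.update(C), d.final()]);
}

// {Header}.{Encrypted Key}.{Ciphertext}.{Integrity Value}, with T as the fourth field.
function toCompact(headerJson, encryptedKey, C, T) {
  return [Buffer.from(headerJson), encryptedKey, C, T].map(b64u).join('.');
}

function fromCompact(compact) {
  const parts = compact.split('.');
  if (parts.length !== 4) throw new Error('expected 4 fields');
  const [header, encryptedKey, C, T] = parts.map(unb64u);
  return { header: header.toString(), encryptedKey, C, T };
}

// Constructed sample input. A real IV must never repeat under the same key.
const key = Buffer.alloc(16, 0x11);
const iv = Buffer.alloc(12, 0x22);
const AAD = Buffer.alloc(0); // assumption: no additional authenticated data
const wrappedKey = Buffer.from('placeholder-wrapped-key'); // key wrapping out of scope
const { C, T } = gcmEncrypt(key, iv, Buffer.from('hello JWE'), AAD);
const compact = toCompact('{"enc":"A128GCM"}', wrappedKey, C, T);
```
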
