[Openid-specs-ab] Updated JWE encryption examples

Mike Jones Michael.Jones at microsoft.com
Fri Sep 7 19:26:27 UTC 2012


Hi Axel,

I believe that the bug is in your stringToSign calculation.  For non-AEAD algorithms, such as AES CBC, it should be:
String stringToSign = encodedJwtHeaderSegment + "." + encodedJwtKeySegment + "." + encodedJwtInitializationVectorSegment + "." + encodedJwtCryptoSegment;
And for AEAD algorithms, such as AES GCM, it should be:
String stringToSign = encodedJwtHeaderSegment + "." + encodedJwtKeySegment + "." + encodedJwtInitializationVectorSegment;

You could see the "Secured Input", "Secured Input Bytes", "Additional Authenticated Data", and "Additional Authenticated Data Bytes" values in the log files and see if the values you compute match those.

                                                                Hope this helps,
                                                                -- Mike

From: openid-connect-interop at googlegroups.com [mailto:openid-connect-interop at googlegroups.com] On Behalf Of Axel Nennker
Sent: Friday, September 07, 2012 11:28 AM
To: openid-connect-interop at googlegroups.com
Cc: ejay at mgi1.com; emmanuel at raviart.com; bcampbell at pingidentity.com; openid-specs-ab at lists.openid.net
Subject: Re: Updated JWE encryption examples

I get the same CIK and CEK.
I can encrypt and decrypt and the things that don't have added randomness are the same.

The other way round gives me headaches. I can decrypt and get the same cleartext. I made sure (again) that I have the same CIK and CEK but the integrity check fails.
I guess that is a problem with my implementation.
      String stringToSign = encodedJwtHeaderSegment + "." + encodedJwtKeySegment + "." + encodedJwtCryptoSegment;
      byte[] bytes = JcBase.doMac(mac, cik, stringToSign.getBytes());
mac is SHA256Digest, cik is your CIK

For today I give up to see the difference.

cheers
Axel

2012/9/5 Mike Jones <Michael.Jones at microsoft.com<mailto:Michael.Jones at microsoft.com>>
Yes. The int and kdf parameters will be removed from the next draft.

Thanks,
-- Mike
________________________________
From: Axel.Nennker at telekom.de<mailto:Axel.Nennker at telekom.de>
Sent: 9/4/2012 1:53 PM
To: Mike Jones; ejay at mgi1.com<mailto:ejay at mgi1.com>; emmanuel at raviart.com<mailto:emmanuel at raviart.com>; bcampbell at pingidentity.com<mailto:bcampbell at pingidentity.com>
Cc: openid-connect-interop at googlegroups.com<mailto:openid-connect-interop at googlegroups.com>; openid-specs-ab at lists.openid.net<mailto:openid-specs-ab at lists.openid.net>
Subject: RE: Updated JWE encryption examples

I will finish this tomorrow. Is the "int" parameter removed from the header altogether? Kdf too?
I checked the changes into the jsoncrypto repository but my development laptop crashed and I could not complete all tests.

Axel

From: Mike Jones [mailto:Michael.Jones at microsoft.com<mailto:Michael.Jones at microsoft.com>]
Sent: Tuesday, September 04, 2012 8:56 PM
To: Edmund Jay; Emmanuel Raviart; Brian Campbell; Nennker, Axel
Cc: openid-connect-interop at googlegroups.com<mailto:openid-connect-interop at googlegroups.com>; openid-specs-ab at lists.openid.net<mailto:openid-specs-ab at lists.openid.net>
Subject: Re: Updated JWE encryption examples

Have any of you tried decrypting these updated examples?  I plan on using them in the next release of the JWE spec, but would like confirmation that they're correct.

                                                                Thanks again,
                                                                -- Mike

From: openid-connect-interop at googlegroups.com<mailto:openid-connect-interop at googlegroups.com> [mailto:openid-connect-interop at googlegroups.com<mailto:openid-connect-interop at googlegroups.com>] On Behalf Of Mike Jones
Sent: Wednesday, August 29, 2012 10:12 PM
To: Edmund Jay; Emmanuel Raviart; Brian Campbell; Axel Nennker
Cc: openid-connect-interop at googlegroups.com<mailto:openid-connect-interop at googlegroups.com>; openid-specs-ab at lists.openid.net<mailto:openid-specs-ab at lists.openid.net>
Subject: Updated JWE encryption examples

Here's updated encryption examples incorporating the proposed JWE/JWA changes.  In summary, changes in these computations are:

*         Updated the Concat KDF calculation, per yesterday's e-mail

*         Consolidated the "enc", "int", and "kdf" parameters into a composite "enc" parameter, with new AES CBC "enc" values "A128CBC+HS256" and "A256CBC+HS512"

*         Moved initialization vector out of the header into its own dot-separated parameter value (to save space and to factor it out for the JSON Serialization), with the JWE representation becoming header.encryptedKey.initializationVector.ciphertext.integrityValue

The examples attached are:

*         JWE.log:  Will be used to create the new AES-CBC example in Section 3.2 and Appendix A.2 of the JWE specification

*         JWE2.log:  Will be used to create the new AES-GCM example in Section 3.1 and Appendix A.1 of the JWE specification

It would be great if any of you can verify that you can decrypt these results!

                                                            Thanks again,
                                                            -- Mike


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20120907/dc4b9124/attachment-0001.html>


More information about the Openid-specs-ab mailing list