4. Cryptographic Algorithms for Key Management

JWE uses cryptographic algorithms to encrypt or determine the Content Encryption Key (CEK).

4.1 "alg" Header Parameter Values for JWE

Key management algorithms supported by JWE (summary):

| Algorithm ID | Key Management Algorithm | Additional Header Params | Implementation Requirements |
|---|---|---|---|
| RSA1_5 | RSAES-PKCS1-v1_5 | (none) | Recommended- |
| RSA-OAEP | RSAES OAEP (default parameters) | (none) | Recommended+ |
| RSA-OAEP-256 | RSAES OAEP (SHA-256) | (none) | Optional |
| A128KW / A192KW / A256KW | AES Key Wrap | (none) | Recommended |
| dir | Direct use of shared symmetric key | (none) | Recommended |
| ECDH-ES | ECDH key agreement | epk, apu, apv | Recommended+ |
| ECDH-ES+A128KW/A192KW/A256KW | ECDH + AES Key Wrap | epk, apu, apv | Recommended/Optional |
| A128GCMKW / A192GCMKW / A256GCMKW | AES GCM Key Wrap | iv, tag | Optional |
| PBES2-HS256/384/512+A128/192/256KW | Password-based key encryption | p2s, p2c | Optional |

Notes:

  • "+" indicates the requirement may be strengthened in future versions
  • "-" indicates the requirement may be weakened in future versions
  • All algorithms except "dir" and "ECDH-ES" generate a JWE Encrypted Key

4.2-4.8 Algorithm Detailed Descriptions

4.2 RSA Key Encryption (RSAES-PKCS1-v1_5)

  • Algorithm ID: RSA1_5
  • Minimum key size: 2048 bits

4.3 RSA-OAEP Key Encryption

  • RSA-OAEP: Uses SHA-1 and MGF1
  • RSA-OAEP-256: Uses SHA-256 and MGF1
  • Minimum key size: 2048 bits

4.4 AES Key Wrap

  • A128KW: 128-bit key
  • A192KW: 192-bit key
  • A256KW: 256-bit key
  • Uses AES Key Wrap algorithm defined in RFC 3394

4.5 Direct Encryption (dir)

  • Directly uses a pre-shared symmetric key as the CEK
  • Does not produce a JWE Encrypted Key

4.6 ECDH-ES Key Agreement

  • Uses Elliptic Curve Diffie-Hellman Ephemeral Static key agreement
  • Additional header parameters:
    • epk (Ephemeral Public Key): Ephemeral public key
    • apu (Agreement PartyUInfo): Party U information
    • apv (Agreement PartyVInfo): Party V information
  • Uses Concat KDF for key derivation

4.7 AES GCM Key Encryption

  • Uses AES GCM algorithm for key wrapping
  • Additional header parameters:
    • iv (Initialization Vector): Initialization vector
    • tag (Authentication Tag): Authentication tag

4.8 PBES2 Password-Based Key Encryption

  • Uses PBES2 (Password-Based Encryption Scheme 2)
  • Combines HMAC-SHA2 and AES Key Wrap
  • Additional header parameters:
    • p2s (PBES2 Salt Input): Salt input
    • p2c (PBES2 Count): Iteration count

Implementation Recommendations:

  • Prefer using ECDH-ES and RSA-OAEP
  • Avoid algorithms with known weaknesses (such as RSA1_5)
  • Choose key sizes appropriate for your application
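
A header policy gate that applies the table and the recommendations above to a compact JWE before it reaches a JOSE library. This is an added example, not code from the specification or from any library. The allow-list subset, the MAX_P2C ceiling and all function names are assumptions, and the sample tokens are constructed.

```python
import base64
import json

# Assumed allow-list policy: alg -> header parameters that must accompany it
# (from the "Additional Header Params" column; apu/apv are optional in the
# specification, so only epk is required). RSA1_5 is deliberately absent.
ALLOWED = {
    "RSA-OAEP": (), "RSA-OAEP-256": (), "A128KW": (), "A256KW": (), "dir": (),
    "ECDH-ES": ("epk",), "ECDH-ES+A128KW": ("epk",), "ECDH-ES+A256KW": ("epk",),
    "A128GCMKW": ("iv", "tag"), "A256GCMKW": ("iv", "tag"),
    "PBES2-HS256+A128KW": ("p2s", "p2c"), "PBES2-HS512+A256KW": ("p2s", "p2c"),
}
NO_ENCRYPTED_KEY = {"dir", "ECDH-ES"}  # these never carry a JWE Encrypted Key
MAX_P2C = 1_000_000  # assumed ceiling so a header cannot demand unbounded work

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def check_jwe_header(token: str) -> dict:
    """Return the protected header if the compact JWE passes policy, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError("compact JWE must have five segments")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError as exc:  # covers base64, UTF-8 and JSON decoding errors
        raise ValueError("protected header is not base64url-encoded JSON") from exc
    if not isinstance(header, dict):
        raise ValueError("protected header must be a JSON object")
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in ALLOWED:
        raise ValueError(f"alg {alg!r} is not on the allow-list")
    missing = [p for p in ALLOWED[alg] if p not in header]
    if missing:
        raise ValueError(f"{alg} requires header parameters: {missing}")
    # The second segment must be empty exactly for dir and ECDH-ES.
    if (alg in NO_ENCRYPTED_KEY) != (parts[1] == ""):
        raise ValueError(f"JWE Encrypted Key presence does not match {alg}")
    if alg.startswith("PBES2-"):
        p2c = header["p2c"]
        if isinstance(p2c, bool) or not isinstance(p2c, int) or not 1 <= p2c <= MAX_P2C:
            raise ValueError("p2c outside accepted range")
    return header

def sample_token(header: dict, encrypted_key: str) -> str:
    """Build a constructed compact JWE with placeholder iv, ciphertext and tag segments."""
    h = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    return ".".join([h, encrypted_key, "aXY", "Y3Q", "dGFn"])
```

The gate checks header shape only; key sizes and the cryptographic operations themselves remain the JOSE library's job.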