Public Key Authenticated Encryption for JOSE: ECDH-1PU
draft-madden-jose-ecdh-1pu-00

The information below is for an old version of the document
Document Type: Active Internet-Draft (individual)
Author: Neil Madden
Last updated: 2019-05-09
IESG state: I-D Exists
Network Working Group                                          N. Madden
Internet-Draft                                                 ForgeRock
Intended status: Standards Track                             May 8, 2019
Expires: November 9, 2019

         Public Key Authenticated Encryption for JOSE: ECDH-1PU
                     draft-madden-jose-ecdh-1pu-00

Abstract

   This document describes the ECDH-1PU public key authenticated
   encryption algorithm for JWE.  The algorithm is similar to the
   existing ECDH-ES encryption algorithm, but adds an additional ECDH
   key agreement between static keys of the sender and recipient.  This
   additional step allows the recipient to be assured of sender
   authenticity without requiring a nested signed-then-encrypted message
   structure.  The mode is also a useful building block for constructing
   interactive handshake protocols on top of JOSE.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 9, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must

Madden                  Expires November 9, 2019                [Page 1]
Internet-Draft                JOSE ECDH-1PU                     May 2019

   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Requirements Terminology  . . . . . . . . . . . . . . . .   3
   2.  Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral-
       Static Static-Static (ECDH-1PU) . . . . . . . . . . . . . . .   3
     2.1.  Header Parameters used for ECDH Key Agreement . . . . . .   4
     2.2.  Key Derivation for ECDH-1PU Key Agreement . . . . . . . .   4
   3.  Two-way interactive handshake . . . . . . . . . . . . . . . .   6
   4.  IANA considerations . . . . . . . . . . . . . . . . . . . . .   7
     4.1.  ECDH-1PU  . . . . . . . . . . . . . . . . . . . . . . . .   7
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   8
     6.1.  Normative References  . . . . . . . . . . . . . . . . . .   8
     6.2.  Informative References  . . . . . . . . . . . . . . . . .   8
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   9

1.  Introduction

   JSON Object Signing and Encryption (JOSE) defines a number of
   encryption (JWE) [RFC7516] and digital signature (JWS) [RFC7515]
   algorithms.  When symmetric cryptography is used, JWE provides
   authenticated encryption that ensures both confidentiality and sender
   authentication.  However, for public key cryptography the existing
   JWE encryption algorithms provide only confidentiality and some level
   of ciphertext integrity.  When sender authentication is required,
   users must resort to nested signed-then-encrypted structures, which
   increase the overhead and size of the resulting messages.  This
   document describes an alternative encryption algorithm called
   ECDH-1PU that provides public key authenticated encryption, allowing
   the benefits of authenticated encryption to be enjoyed for public key
   JWE as they currently are for symmetric cryptography.

   ECDH-1PU is based on the One-Pass Unified Model for Elliptic Curve
   Diffie-Hellman key agreement described in [NIST.800-56A].
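
   Added example, not part of the draft: a Python sketch of the two key
   agreements described in the abstract (the ephemeral-static one from
   ECDH-ES plus the static-static one that ECDH-1PU adds), showing that
   the recipient derives the sender's key only when the claimed sender
   static key is genuine.  The X25519 curve, all function names, the
   constructed demo keys, and the Ze || Zs concatenation hashed once
   with SHA-256 in place of the real key derivation are assumptions of
   this sketch.

```python
import hashlib

P, A24, BASE = 2**255 - 19, 121665, (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 ladder (illustrative: not constant-time, no input checks)."""
    n = (int.from_bytes(k, "little") & ((1 << 254) - 8)) | (1 << 254)  # clamp scalar
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = aa - bb
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair(label: bytes):
    """Constructed, deterministic demo key pair; real keys come from a CSPRNG."""
    priv = hashlib.sha256(label).digest()
    return priv, x25519(priv, BASE)

# Assumption: Z = Ze || Zs, hashed once with SHA-256 as a stand-in for the KDF.
def sender_key(eph_priv, sender_priv, recip_pub):
    ze = x25519(eph_priv, recip_pub)     # ephemeral-static, as in ECDH-ES
    zs = x25519(sender_priv, recip_pub)  # static-static, the ECDH-1PU addition
    return hashlib.sha256(ze + zs).digest()

def recipient_key(recip_priv, eph_pub, claimed_sender_pub):
    ze = x25519(recip_priv, eph_pub)
    zs = x25519(recip_priv, claimed_sender_pub)
    return hashlib.sha256(ze + zs).digest()

def demo():
    alice, bob, mallory = keypair(b"alice"), keypair(b"bob"), keypair(b"mallory")
    eph = keypair(b"ephemeral-1")
    honest = sender_key(eph[0], alice[0], bob[1])
    # Bob reaches the same key only if the sender really holds Alice's static key.
    agrees = recipient_key(bob[0], eph[1], alice[1]) == honest
    # A party without Alice's private key cannot produce Zs for Alice.
    forged = sender_key(eph[0], mallory[0], bob[1])
    rejected = recipient_key(bob[0], eph[1], alice[1]) != forged
    return agrees, rejected
```

   Calling demo() returns (True, True): the honest message yields a
   shared key, while the key built with a different static key does not
   match what the recipient derives for the claimed sender.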

   The advantages of public key authenticated encryption with ECDH-1PU
   compared to using nested signed-then-encrypted documents include the
   following:

   o  The resulting message size is more compact as an additional layer
      of headers and base64url-encoding is avoided.

   o  The same primitives are used for both confidentiality and