Re: [jose] CFRG ECC in JOSE - thumbprint
Anders Rundgren <anders.rundgren.net@gmail.com> Sat, 14 November 2015 15:43 UTC
Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 658AA1A886F for <jose@ietfa.amsl.com>; Sat, 14 Nov 2015 07:43:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_25=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ibmnVUaXMRZU for <jose@ietfa.amsl.com>; Sat, 14 Nov 2015 07:43:31 -0800 (PST)
Received: from mail-wm0-x22c.google.com (mail-wm0-x22c.google.com [IPv6:2a00:1450:400c:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F9DA1A8881 for <jose@ietf.org>; Sat, 14 Nov 2015 07:43:31 -0800 (PST)
Received: by wmec201 with SMTP id c201so120373892wme.0 for <jose@ietf.org>; Sat, 14 Nov 2015 07:43:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-type:content-transfer-encoding; bh=S0DFxZaqFijfBNG9xu2QiMNTvQQwXyPCKweE1g1tODY=; b=HpLJ6lturOj3Xz/Tzw8w9puEhKAT1u09Y8WG1XgIsF/Rp25gNindTbPY4jwkD9dzm/ jBPBNhS/SVhG2OkdYJ2lf3TDrORNd7D/w6LRJQ++padGnIVahA1D6llDW7ZxOvT0thEe 1nRgFq/N+JKFC2svtsL12tA5tpwo187L9O6jZTHitjp8IDL47IICsdTenrVARCvGjNoD gLhwrprL6nfrGnaiv+WicOXxApQuU4jafiohk+Xje0A2yh27FeM5UkB9n2N9YPyPe+/o /2+A/ckkOo7jzo2ximrdl2B8qYe5/1qv1x1JSzZRk57S8Hndp/p/iH33YBrF8MXazUjk cqvg==
X-Received: by 10.194.82.202 with SMTP id k10mr33005849wjy.85.1447515809958; Sat, 14 Nov 2015 07:43:29 -0800 (PST)
Received: from [192.168.1.79] (148.198.130.77.rev.sfr.net. [77.130.198.148]) by smtp.googlemail.com with ESMTPSA id c13sm9340818wmd.14.2015.11.14.07.43.28 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 14 Nov 2015 07:43:29 -0800 (PST)
To: Ilari Liusvaara <ilariliusvaara@welho.com>
References: <255B9BB34FB7D647A506DC292726F6E13BB1B6894C@WSMSG3153V.srv.dir.telstra.com> <77F4F506-1924-45A7-94CB-3C530968244B@mit.edu> <20151111083733.GA32165@LK-Perkele-V2.elisa-laajakaista.fi> <20151114131022.GA31553@LK-Perkele-V2.elisa-laajakaista.fi>
From: Anders Rundgren <anders.rundgren.net@gmail.com>
Message-ID: <5647569F.6070907@gmail.com>
Date: Sat, 14 Nov 2015 16:43:27 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <20151114131022.GA31553@LK-Perkele-V2.elisa-laajakaista.fi>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/jose/KCO6JPHJWMn6woctulXnYPd6r_I>
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] CFRG ECC in JOSE - thumbprint
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Nov 2015 15:43:35 -0000
Hi Ilari, If these curves are generally recognized as "Edwards" (?) I would personally prefer that "kty" refer to something Edward-ish like "ED" although this is (of course) entirely unimportant. However, for the other parameters I don't see much value in creating new JOSE "keywords" unless we are dealing with things that have no previous counterpart. Simon's PKIX I-Ds talk about "curves" so "crv" should IMHO apply here as well. Reusing "x" wouldn't be a crime either since each "kty" must be treated separately anyway. Anders for the "art club" :-) On 2015-11-14 14:10, Ilari Liusvaara wrote: > On Wed, Nov 11, 2015 at 10:37:33AM +0200, Ilari Liusvaara wrote: >> On Tue, Nov 10, 2015 at 08:22:53PM -0500, Justin Richer wrote: >>> I would lean toward using a new “kty” value for these as the syntax >>> is different from existing ones. This will help parsers and existing >>> implementations add this in without adding special processing rules: >>> code is already set up to branch on “kty” so let’s keep that >>> behavior. Note you can still reuse parts of the key definition >>> (like “d” is found in both RSA and EC keypairs) without having to >>> overload a new syntax since the kty defines a new namespace, >>> effectively. I suggest a value of “ED” since they’re all “edwards” >>> curves from my quick read. >> >> 1) Actually, I think "okp" (Octet Key Pair) or something like that >> might be more descriptive, since these are keypairs with no structure >> outside the box ("oct" or whatever won't do, since that's symmetric, >> not asymmetric). This also holds for X25519 and X448. > > Well, here is a pre-draft version using new key type (for algorithms > using octet-string key pairs). I named the analog of the EC "curve" > parameter as "key algorithm group". > > The crypto material in examples are either from CFRG document examples > or from my vector generator for Ed25519. > > The naming could probably be improved... > > > ----------------------------------------------------------------------- > Network Working Group I. Liusvaara > Internet-Draft Independent > Intended status: Standards Track November 14, 2015 > Expires: May 17, 2016 > > > CFRG curves and signatures in JOSE > draft-liusvaara-jose-cfrg-curves > > Abstract > > This document defines how to use curves and algorithms from IRTF CFRG > elliptic curves work (Diffie-Hellman and signatures) in JOSE. > > Status of This Memo > > This Internet-Draft is submitted in full conformance with the > provisions of BCP 78 and BCP 79. > > Internet-Drafts are working documents of the Internet Engineering > Task Force (IETF). Note that other groups may also distribute > working documents as Internet-Drafts. The list of current Internet- > Drafts is at http://datatracker.ietf.org/drafts/current/. > > Internet-Drafts are draft documents valid for a maximum of six months > and may be updated, replaced, or obsoleted by other documents at any > time. It is inappropriate to use Internet-Drafts as reference > material or to cite them other than as "work in progress." > > This Internet-Draft will expire on May 17, 2016. > > Copyright Notice > > Copyright (c) 2015 IETF Trust and the persons identified as the > document authors. All rights reserved. > > This document is subject to BCP 78 and the IETF Trust's Legal > Provisions Relating to IETF Documents > (http://trustee.ietf.org/license-info) in effect on the date of > publication of this document. Please review these documents > carefully, as they describe your rights and restrictions with respect > to this document. Code Components extracted from this document must > include Simplified BSD License text as described in Section 4.e of > the Trust Legal Provisions and are provided without warranty as > described in the Simplified BSD License. > > > > > > > Liusvaara Expires May 17, 2016 [Page 1] > > Internet-Draft CFRG curves and signatures in JOSE November 2015 > > > Table of Contents > > 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 > 1.1. Requirements Terminology . . . . . . . . . . . . . . . . 2 > 1.2. Notation . . . . . . . . . . . . . . . . . . . . . . . . 2 > 2. Key type 'OKP' . . . . . . . . . . . . . . . . . . . . . . . 3 > 3. Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . 3 > 3.1. Signatures . . . . . . . . . . . . . . . . . . . . . . . 3 > 3.1.1. Algorithms . . . . . . . . . . . . . . . . . . . . . 3 > 3.1.2. Signing . . . . . . . . . . . . . . . . . . . . . . . 3 > 3.1.3. Verification . . . . . . . . . . . . . . . . . . . . 4 > 3.2. ECDH-ES . . . . . . . . . . . . . . . . . . . . . . . . . 4 > 3.2.1. Performing the ECDH operation . . . . . . . . . . . . 4 > 4. Security considerations . . . . . . . . . . . . . . . . . . . 4 > 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5 > 6. IANA considerations . . . . . . . . . . . . . . . . . . . . . 5 > 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 > 7.1. Normative References . . . . . . . . . . . . . . . . . . 7 > 7.2. Informative References . . . . . . . . . . . . . . . . . 7 > Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 8 > A.1. Ed25519 private key . . . . . . . . . . . . . . . . . . . 8 > A.2. Ed25519 public key . . . . . . . . . . . . . . . . . . . 8 > A.3. JWK thumbprint canonicalization . . . . . . . . . . . . . 8 > A.4. Ed25519 Signing . . . . . . . . . . . . . . . . . . . . . 9 > A.5. Ed25519 Validation . . . . . . . . . . . . . . . . . . . 9 > A.6. ECDH-ES with X25519 . . . . . . . . . . . . . . . . . . . 10 > Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 11 > > 1. Introduction > > Internet Research Task Force (IRTF) Crypto Forum Research Group > (CFRG) selected new elliptic curves and signature algorithms for > asymmetric key cryptography. This document defines how those curves > and algorithms are to be used in JOSE in interoperable manner. > > This extends [RFC7517] and [RFC7518] > > 1.1. Requirements Terminology > > The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", > "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this > document are to be interpreted as described in [RFC2119]. > > 1.2. Notation > > All inputs to and outputs from the the ECDH and signature functions > are defined to be octet strings, with the exception of output of > verfication function, which is a boolean. > > > > Liusvaara Expires May 17, 2016 [Page 2] > > Internet-Draft CFRG curves and signatures in JOSE November 2015 > > > 2. Key type 'OKP' > > A new key type (kty) value "OKP" (Octet Key Pair) is defined for > public key algorithms that use octet strings as private and public > keys. It has the following parameters: > > o The parameter "kty" MUST be "OKP". > > o The parameter "kag" MUST be present, and contain the key algorithm > group (from JSON Web Signature and Encryption Algorithms). > > o The parameter "p" MUST be present, and contain the public key > encoded using base64url [RFC4648] encoding. > > o The parameter "d" MUST be present for private keys, and contain > the private key encoded using base64url encoding. This parameter > MUST NOT be present for public keys. > > When calculating thumbprints [RFC7638], the three public key fields > are included in the hash. That is, in lexographic order: "kag", > "kty" and "p". > > 3. Algorithms > > 3.1. Signatures > > 3.1.1. Algorithms > > The following signature algorithms are defined here (to be applied as > values of "alg" parameter). All these have keys with algorithm group > of the same name: > > alg/kag value: The algorithm: > Ed25519 Ed25519 > Ed25519ph Ed25519ph > Ed448 Ed448 > Ed448ph Ed448ph > > The key type for these keys is "OKP" and key algorithm group for > these algorithms MUST be the same as the algorithm name. > > 3.1.2. Signing > > Signing for these is preformed by applying the signing algorithm > defined in [I-D.irtf-cfrg-eddsa] to the private key (as private key), > public key (as public key) and the JWS Signing Input (as message). > The resulting signature is the JWS Signature value. All inputs and > outputs are octet strings. > > > > Liusvaara Expires May 17, 2016 [Page 3] > > Internet-Draft CFRG curves and signatures in JOSE November 2015 > > > 3.1.3. Verification > > Verification is performed by applying the verification algorithm > defined in [I-D.irtf-cfrg-eddsa] to the public key (as public key), > the JWS Signing Input (as message) and the JWS Signature value (as > signature). All inputs are octet strings. If the algorithm accepts, > the signature is valid, otherwise it is invalid. > > 3.2. ECDH-ES > > The following key algorithm groups are defined here for purpose of > ECDH-ES: > > algorithm group: ECDH Function: > X25519 X25519 > X448 X448 > > The key type used with these keys is "OKP". > > 3.2.1. Performing the ECDH operation > > The "p" parameter of "epk" field is set as follows: > > Apply the appropriate ECDH function to the ephemeral private key (as > scalar input) and the standard basepoint (as u-coordinate input). > The output is the value for "p" parameter of "epk" field. All inputs > and outputs are octet strings. > > The Z value (raw key agreement output) for key agreement is > determined as follows: > > Apply the appropriate ECDH function to the ephemeral private key (as > scalar input) and receiver public key (as u-coordinate input). The > output is the Z value. All inputs and outputs are octet strings. > > 4. Security considerations > > Security considerations from [I-D.irtf-cfrg-curves] and > [I-D.irtf-cfrg-eddsa] apply here. > > Some algorithms interact in bad ways (e.g. "Ed25519" and > "Ed25519ph"). For this reason, those algorithms have different > algorithm groups, so keys for each are not mixed up. > > Do not separate key material from information what key algorithm > group it is for. When using keys, check that the algorithm is > compatible with the key algorithm group for the key. To do otherwise > > > > > Liusvaara Expires May 17, 2016 [Page 4] > > Internet-Draft CFRG curves and signatures in JOSE November 2015 > > > opens system up to attacks via mixing up algorithms. It is > practicularly dangerous to mix up signature and MAC algorithms. > > Do not assume that signature also binds the key used for signing, it > does not (there are also other widespread signature algorithms where > this binding fails, as such binding is not part of the definition of > secure signature primitive). As an example of such failure, the > Ed25519ph signature of X under key (Ed25519ph,Y) is identical to > Ed25519 signature of SHA512(X) under key (Ed25519,Y). And often it > takes only setting a few bits of message (easy to do by brute force) > to make the message valid enough to be processed in some very > surprising way. > > If key generation or batch signature verification is performed, a > well-seed cryptographical random number generator is REQUIRED. > Signing and non-batch signature verification are deterministic > operations and do not need random numbers of any kind. > > 5. Acknowledgements > > Mike Jones for comments on initial pre-draft. > > 6. IANA considerations > > The following is added to JSON Web Key Types Registry: > > o "kty" Parameter Value: "OKP" > o Key Type Description: Octet string key pairs > o JOSE Implementation Requirements: Optional > o Change Controller: IESG > o Specification Document(s): Section 2 of [RFC-THIS] > > > The following is added to JSON Web Key Parameters Registry: > > o Parameter Name: "kag" > o Parameter Description: The algorithm group of keypair > o Parameter Information Class: Public > o Used with "kty" Value(s): "OKP" > o Change Controller: IESG > o Specification Document(s): Section 2 of [RFC-THIS] > > o Parameter Name: "d" > o Parameter Description: The private key > o Parameter Information Class: Private > o Used with "kty" Value(s): "OKP" > o Change Controller: IESG > o Specification Document(s): Section 2 of [RFC-THIS] > > > > Liusvaara Expires May 17, 2016 [Page 5] > > Internet-Draft CFRG curves and signatures in JOSE November 2015 > > > The following is added to JSON Web Key Parameters Registry: > > o Parameter Name: "p" > o Parameter Description: The public key > o Parameter Information Class: Public > o Used with "kty" Value(s): "OKP" > o Change Controller: IESG > o Specification Document(s): Section 2 of [RFC-THIS] > > > The following is added to JSON Web Signature and Encryption > Algorithms Registry: > > o Algorithm Name: "Ed25519" > o Algorithm Description: Ed25519 signature algorithm and its > keypairs > o Algorithm Usage Location(s): "alg", "kag" > o JOSE Implementation Requirements: Optional > o Change Controller: IESG > o Specification Document(s): Section 3.1 of [RFC-THIS] > o Algorithm Analysis Documents(s): [I-D.irtf-cfrg-eddsa] > > o Algorithm Name: "Ed25519ph" > o Algorithm Description: Ed25519 signature algorithm with prehash > and its keypairs > o Algorithm Usage Location(s): "alg", "kag" > o JOSE Implementation Requirements: Optional > o Change Controller: IESG > o Specification Document(s): Section 3.1 of [RFC-THIS] > o Algorithm Analysis Documents(s): [I-D.irtf-cfrg-eddsa] > > o Algorithm Name: "Ed448" > o Algorithm Description: Ed448 signature algorithm and its keypairs > o Algorithm Usage Location(s): "alg", "kag" > o JOSE Implementation Requirements: Optional > o Change Controller: IESG > o Specification Document(s): Section 3.1 of [RFC-THIS] > o Algorithm Analysis Documents(s): [I-D.irtf-cfrg-eddsa] > > o Algorithm Name: "Ed448ph" > o Algorithm Description: Ed448 signature algorithm with prehash and > its keypairs > o Algorithm Usage Location(s): "alg", "kag" > o JOSE Implementation Requirements: Optional > o Change Controller: IESG > o Specification Document(s): Section 3.1 of [RFC-THIS] > o Algorithm Analysis Documents(s): [I-D.irtf-cfrg-eddsa] > > > > > Liusvaara Expires May 17, 2016 [Page 6] > > Internet-Draft CFRG curves and signatures in JOSE November 2015 > > > o Algorithm Name: "X25519" > o Algorithm Description: X25519 function keypairs > o Algorithm Usage Location(s): "kag" > o JOSE Implementation Requirements: Optional > o Change Controller: IESG > o Specification Document(s): Section 3.2 of [RFC-THIS] > o Algorithm Analysis Documents(s): [I-D.irtf-cfrg-curves] > > o Class Name: "X448" > o Class Description: X448 function keypairs > o JOSE Implementation Requirements: Optional > o Algorithm Usage Location(s): "kag" > o Change Controller: IESG > o Specification Document(s): Section 3.2 of [RFC-THIS] > o Algorithm Analysis Documents(s): [I-D.irtf-cfrg-curves] > > 7. References > > 7.1. Normative References > > [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate > Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ > RFC2119, March 1997, > <http://www.rfc-editor.org/info/rfc2119>. > > [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data > Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, > <http://www.rfc-editor.org/info/rfc4648>. > > [I-D.irtf-cfrg-curves] > Langley, A. and M. Hamburg, "Elliptic Curves for > Security", draft-irtf-cfrg-curves-09 (work in progress), > September 2015. > > [I-D.irtf-cfrg-eddsa] > Josefsson, S. and I. Liusvaara, "Edwards-curve Digital > Signature Algorithm (EdDSA)", draft-irtf-cfrg-eddsa-00 > (work in progress), October 2015. > > 7.2. Informative References > > [RFC7517] Jones, M., "JSON Web Key (JWK)", RFC 7517, DOI 10.17487/ > RFC7517, May 2015, > <http://www.rfc-editor.org/info/rfc7517>. > > [RFC7518] Jones, M., "JSON Web Algorithms (JWA)", RFC 7518, DOI > 10.17487/RFC7518, May 2015, > <http://www.rfc-editor.org/info/rfc7518>. > > > > Liusvaara Expires May 17, 2016 [Page 7] > > Internet-Draft CFRG curves and signatures in JOSE November 2015 > > > [RFC7638] Jones, M. and N. Sakimura, "JSON Web Key (JWK) > Thumbprint", RFC 7638, DOI 10.17487/RFC7638, September > 2015, <http://www.rfc-editor.org/info/rfc7638>. > > Appendix A. Examples > > To the extent possible, the examples use material lifted from test > vectors of [I-D.irtf-cfrg-curves] and [I-D.irtf-cfrg-eddsa] > > A.1. Ed25519 private key > > {"kty":"OKP","kag":"Ed25519", > "d":"nWGxne_9WmC6hEr0kuwsxERJxWl7MmkZcDusAxyuf2A" > "p":"11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo"} > > The hexadecimal dump of private key is: > > 9d 61 b1 9d ef fd 5a 60 ba 84 4a f4 92 ec 2c c4 > 44 49 c5 69 7b 32 69 19 70 3b ac 03 1c ae 7f 60 > > And of the public key: > > d7 5a 98 01 82 b1 0a b7 d5 4b fe d3 c9 64 07 3a > 0e e1 72 f3 da a6 23 25 af 02 1a 68 f7 07 51 1a > > A.2. Ed25519 public key > > This is the public parts of the previous private key (just omits > "d"): > > {"kty":"OKP","kag":"Ed25519", > "p":"11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo"} > > A.3. JWK thumbprint canonicalization > > The JWK thumbprint canonicalization of the two above examples is > (linebreak inserted for formatting reasons) > > {"kag":"Ed25519","kty":"OKP","p":"11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwI > aaPcHURo"} > > Which has the SHA-256 hash of: > 9b4dece50b24e8008ea629f8b0443f785c910fe2d6fd9c058a8032a54ae8ed97 > > > > > > > > > Liusvaara Expires May 17, 2016 [Page 8] > > Internet-Draft CFRG curves and signatures in JOSE November 2015 > > > A.4. Ed25519 Signing > > The JWS protected header is: > > {"alg":"Ed25519"} > > This has base64url encoding of: > > eyJhbGciOiJFZDI1NTE5In0 > > The payload is (text): > > Example of Ed25519 signing > > This has base64url encoding of: > > RXhhbXBsZSBvZiBFZDI1NTE5IHNpZ25pbmc > > The JWS signing input is (concatenation of base64url encoding of the > (protected) header, a dot and base64url encoding of the payload) is: > > eyJhbGciOiJFZDI1NTE5In0.RXhhbXBsZSBvZiBFZDI1NTE5IHNpZ25pbmc > > Applying Ed25519 signing algorithm to the private key, public key and > the JWS signing input yields signature (hex): > > 53 18 48 60 b1 c6 83 7f 4d 54 22 e9 40 05 43 fd > 47 1f 3a 69 c6 48 2c cb 15 9a 17 62 42 e2 21 b1 > 5c 72 63 9b fe a3 9b b2 08 f3 2c ab 1f 27 0f b8 > 36 57 1c 52 0b d8 ac 41 eb 45 b3 55 d0 77 19 01 > > Converting this to base64url yields: > > UxhIYLHGg39NVCLpQAVD_UcfOmnGSCzLFZoXYkLiIbFccmOb_qObsgjzLKsfJw-4NlccU > gvYrEHrRbNV0HcZAQ > > So the compact serialization of JWS is (concatenation of signing > input, a dot and base64url encoding of the signature: > > eyJhbGciOiJFZDI1NTE5In0.RXhhbXBsZSBvZiBFZDI1NTE5IHNpZ25pbmc.UxhIYLHGg > 39NVCLpQAVD_UcfOmnGSCzLFZoXYkLiIbFccmOb_qObsgjzLKsfJw-4NlccUgvYrEHrRb > NV0HcZAQ > > A.5. Ed25519 Validation > > The JWS from above example is: > > > > > > Liusvaara Expires May 17, 2016 [Page 9] > > Internet-Draft CFRG curves and signatures in JOSE November 2015 > > > eyJhbGciOiJFZDI1NTE5In0.RXhhbXBsZSBvZiBFZDI1NTE5IHNpZ25pbmc.UxhIYLHGg > 39NVCLpQAVD_UcfOmnGSCzLFZoXYkLiIbFccmOb_qObsgjzLKsfJw-4NlccUgvYrEHrRb > NV0HcZAQ > > This has 2 dots in it, so it might be valid JWS. Base64url decoding > the protected header yields: > > {"alg":"Ed25519"} > > So this is Ed25519 signature. Now the key has: "kty":"OKP" and > "kag":"Ed25519", so the key is valid for the algorithm (if it had > other values, the validation would have failed). > > The signing input is the part before second dot: > > eyJhbGciOiJFZDI1NTE5In0.RXhhbXBsZSBvZiBFZDI1NTE5IHNpZ25pbmc > > Applying Ed25519 verification algorithm to the public key, JWS > signing input and the signature yields true. So the signature is > valid. The message is base64 decoding of the part between the dots: > > Example of Ed25519 signing > > A.6. ECDH-ES with X25519 > > The public key to encrypt to is: > > {"kty":"OKP","kag":"X25519","kid":"Bob" > "p":"3p7bfXt9wbTTW2HC7OQ1Nz-DQ8hbeGdNrfx-FG-IK08"} > > The public key from target key is (hex): > > de 9e db 7d 7b 7d c1 b4 d3 5b 61 c2 ec e4 35 37 > 3f 83 43 c8 5b 78 67 4d ad fc 7e 14 6f 88 2b 4f > > The ephemeral secret happens to be (hex): > > 77 07 6d 0a 73 18 a5 7d 3c 16 c1 72 51 b2 66 45 > df 4c 2f 87 eb c0 99 2a b1 77 fb a5 1d b9 2c 2a > > So the ephemeral public key is X25519(ephkey,G) (hex): > > 85 20 f0 09 89 30 a7 54 74 8b 7d dc b4 3e f7 5a > 0d bf 3a 0d 26 38 1a f4 eb a4 a9 8e aa 9b 4e 6a > > This is packed into ephemeral public key value: > > > > > > Liusvaara Expires May 17, 2016 [Page 10] > > Internet-Draft CFRG curves and signatures in JOSE November 2015 > > > {"kty":"OKP","kag":"X25519", > "p":"hSDwCYkwp1R0i33ctD73Wg2_Og0mOBr066SpjqqbTmo"} > > So the protected header could for example be: > > {"alg":"ECDH-ES+A128KW","epk":{"kty":"OKP","kag":"X25519", > "p":"hSDwCYkwp1R0i33ctD73Wg2_Og0mOBr066SpjqqbTmo"}, > "enc":"A128GCM","kid":"Bob"} > > And sender computes as the DH Z value as X25519(ephkey,recv_pub) > (hex): > > 4a 5d 9d 5b a4 ce 2d e1 72 8e 3b f4 80 35 0f 25 > e0 7e 21 c9 47 d1 9e 33 76 f0 9b 3c 1e 16 17 42 > > The receiver computes as the DH Z value as X25519(seckey,ephkey_pub) > (hex): > > 4a 5d 9d 5b a4 ce 2d e1 72 8e 3b f4 80 35 0f 25 > e0 7e 21 c9 47 d1 9e 33 76 f0 9b 3c 1e 16 17 42 > > Which is the same as sender's value (the both sides run this through > KDF before using as AES128-KW key). > > Author's Address > > Ilari Liusvaara > Independent > > Email: ilariliusvaara@welho.com > > > > > > > > > > > > > > > > > > > > > > Liusvaara Expires May 17, 2016 [Page 11] > ----------------------------------------------------------------------- > > > -Ilari > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose >
- Re: [jose] CFRG ECC in JOSE - thumbprint Manger, James
- Re: [jose] CFRG ECC in JOSE - thumbprint Justin Richer
- Re: [jose] CFRG ECC in JOSE - thumbprint Anders Rundgren
- Re: [jose] CFRG ECC in JOSE - thumbprint Ilari Liusvaara
- Re: [jose] CFRG ECC in JOSE - thumbprint Brian Campbell
- Re: [jose] CFRG ECC in JOSE - thumbprint Ilari Liusvaara
- Re: [jose] CFRG ECC in JOSE - thumbprint Anders Rundgren
- Re: [jose] CFRG ECC in JOSE - thumbprint Ilari Liusvaara
- Re: [jose] CFRG ECC in JOSE - thumbprint Mike Jones
- Re: [jose] CFRG ECC in JOSE - thumbprint Anders Rundgren
- Re: [jose] CFRG ECC in JOSE - thumbprint Ilari Liusvaara
- Re: [jose] CFRG ECC in JOSE - thumbprint Anders Rundgren