| Internet-Draft | ECDH-MAC for JOSE | January 2024 |
| Bastian | Expires 20 July 2024 | [Page] |
This specification defines a JSON Web Algorithm for JOSE, that uses a combination of key agreement and MAC to construct a signature-like mechanism.¶
This note is to be removed before publishing as an RFC.¶
The latest revision of this draft can be found at https://paulbastian.github.io/paulbastian-jose-ecdh-mac-algorithms/draft-bastian-jose-alg-ecdh-mac.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-bastian-jose-alg-ecdh-mac/.¶
Discussion of this document takes place on the Javascript Object Signing and Encryption Working Group mailing list (mailto:jose@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/jose/. Subscribe at https://www.ietf.org/mailman/listinfo/jose/.¶
Source for this draft and an issue tracker can be found at https://github.com/paulbastian/paulbastian-jose-ecdh-mac-algorithms.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 20 July 2024.¶
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
JWS defines cryptographic algorithms to digitally sign or create Message Authentication Codes (MAC) of the contents of the JWS Protected Header and the JWS Payload in Section-3 [RFC7518]. JWS also offers ephemeral-static Elliptic Curve Diffie-Hellman key exchange in combination with a key derivation function ("ECDH-ES" and its variations) as a mechanism for key management in Section-4.6 [RFC7518], however these are only used for symmetric encryption.¶
This specification describes a combination of an ECDH key exchange with a MAC, that enables a feature set that is similar to digital signatures with repudiation.¶
This specification and all described algorithms should respect the efforts for Fully Specified Algorithms (https://www.ietf.org/archive/id/draft-jones-jose-fully-specified-algorithms-00.html).¶
This algorithm is intended for use with digital credentials ecosystems, including the Issuer-Holder-Verifier model described by W3C VCDM or IETF SD-JWT-VC.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
For the generation of an ECDH-based MAC the following parameters must be chosen:¶
the domain parameters for the ECDH "curve"¶
the key derivation algorithm "kd"¶
the MAC algorithm "mac"¶
In general, these parameters are chosen by the Generating Party. These parameters need to be communicated to the Verifying Party before the generation of an ECDH-based MAC.¶
The generation of the ECDH-based MAC takes the private key of the Generating Party and the public key of the Verifying Party as inputs. The retrieval and communication of the Verifying Party's public key is out of scope of this specification and subject to the implementing protocols.¶
The generation of ECDH-based MAC follows these steps:¶
Perform ECDH as defined as defined by "curve"
- use the specified elliptic curve to generate a key pair and set the epk
- use the Verifier's public key defined by kid to perform the key agreement
- optionally provide a certificate chain defined by x5c¶
Derive symmetric key as defined by "kd" - use the output from the key agreement as an input for the key derivation algorithm - derive the MAC key¶
Generate a MAC as defined by "mac" - use the output from the key derivation algorithm as an input for the MAC algorithm - generate the MAC¶
The verification of ECDH-based MAC follows these steps:¶
Perform ECDH as defined as defined by "curve"
- use the specified elliptic curve to generate an ephemeral key pair and set the kid
- provide the public key kid to the Generating Party
- use the Generating Party's public key defined by epk and perform the key agreement
- optionally validate the certificate chain defined by x5c¶
Derive symmetric key as defined by "kd" - use the output from the key agreement as an input for the key derivation algorithm - derive the MAC key¶
Generate a MAC as defined by "mac" - use the output from the key derivation algorithm as an input for the MAC algorithm - generate the MAC - compare the generated MAC with the signature value¶
The following values MUST be used for the "alg" header parameter:¶
+--------------------+--------------------------------+----------------+ | Algorithm Name | Algorithm Explanation | Implementation | | | | Requirements | +--------------------+--------------------------------+----------------+ | ECDH-P256-CC-HS256 | ECDH using NIST P-256, | Optional | | | ConcatKDF and | | | | HMAC using SHA-256 | | | ECDH-BP256-CC-HS256| ECDH using BrainpoolP256r1, | Optional | | | ConcatKDF and | | | | HMAC using SHA-256 | | +--------------------+--------------------------------+----------------+¶
Other algorithms SHOULD follow the naming ECDH-<elliptic curve domain parameters>-<KD algorithm>-<MAC algorithm>.¶
The "epk" (ephemeral public key) value is created by the Generating Party for the use in the key agreement algorithm. This header parameter MUST be present and MUST contain the Generating Party's public key represented as a JSON Web Key according to [RFC7517]. It MUST contain only public key parameters and SHOULD contain only the minimum JWK parameters necessary to represent the key. Other JWK parameters included may be checked for consistency or may be ignored.¶
The "x5c" (X.509 certificate chain) value is created by the Generating Party for the trust management of the "epk". This header parameter is OPTIONAL and if present MUST contain the X.509 certificate chain with the JWK from "epk" being the public key of the leaf certificate. Alternatively, the Generating Party may use "x5t", x5t#S256" or "x5u".¶
The "kid" (key identifier) value is created by the Generating Party for the use in the key agreement algorithm. This header parameter MUST be present and MUST contain the Verifying Party's public key ID user by the Generating Party for the ECDH.¶
The JWT/JWS header:¶
{
"typ" : "JWT",
"alg" : "ECDH-P256-HS256",
"x5c" : <issuer certificate chain that signs the epk>,
"epk" : <JWK used for ECDH>,
"kid" : <key ID of Verifying Party>
}
¶
The JWT/JWS payload:¶
{
"iss" : "https://example.as.com",
"iat" : "1701870613",
"given_name" : "Erika",
"family_name" : "Mustermann"
}
¶
The JWT/JWS signature:¶
base64-encoded MAC¶
TODO Security¶
This document has no IANA actions.¶
TODO acknowledge.¶