AES 256 JWE using JWT policy

https://www.googlecloudcommunity.com/gc/Apigee/Does-APIGEE-supports-JWE-and-Encryption/td-p/17424

@dchiesa1 Found your example for RSA. However, I could not find any documentation on how to do it and what to change for other algorithms. I was trying to generate a JWE with the A256GCMKW algorithm. I will have to provide salt, key and iv.

Could you please let me know how these customizations can be found for the policies. Thanks in advance.

Edit: Saw that the content encryption is being done using A128GCM in your approach. Correct me if I am wrong. My understanding is that the result is encrypted using the RSA-OAEP-256 algorithm. But I did not get where the A128GCM comes into play. Also, we provided the key required for the RSA encryption. Is something being done on the Apigee side regarding A128GCM? I could not think so, since I was able to decode the token using your app by providing the private key.

ACCEPTED SOLUTION

Found your example for RSA. However, could not find any documentation on how to do and what to change for other algorithms. I was trying to generate a JWE with A256GCMKW algorithm. I will have to provide salt, key and iv.

We are working on the documentation. I am sorry to say that the documentation for encrypted JWT is not yet published. It's coming!

Separately, when you say "I will have to provide salt, key, and IV" - that is not the case with JWE. In JWE, there is no salt (unless you are using PBES). And the Key and IV are generated.

Correct me if I am wrong. My understanding is that that the result is encrypted using RSA-OAEP-256 algorithm. But did not get where the A128GCM comes into play.

For details regarding how the encryption works in JWE, check the specification defining JWE, RFC 7516. Specifically, Section 5 of the spec describes the mechanism for producing a JWE in some detail. In general, the JWE is created with two layers of encryption. The key-encryption algorithm is completely independent of the content-encryption algorithm. In all cases the content encryption is done via a symmetric (AES-based) encryption, and in basically every case the symmetric key for that encryption is generated. Step 2 and Step 9 in that section describe generating a random key and IV respectively, when encrypting a message. That content-encryption key is then encrypted with the key-encryption algorithm, which might be RSA-based.

You might want to invest some time and effort understanding the specification and the standard before trying to use JWE in practice within Apigee.

Here is a screencast I produced describing JWE in Apigee. It might be helpful.

Also, we provided the key required for the RSA encryption. Is something being done on the Apigee side regarding A128GCM? I could not think so, since I was able to decode the token using your app by providing the private key.

That is how it is supposed to work. If you encrypt with an RSA public key, then it will be possible to decrypt with the matching RSA private key, regardless of the content encryption algorithm you use. That is how JWE works.

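The two layers the accepted answer describes, as an added example (my own Go code, not the Apigee JWT/JWE policy's implementation and not code from anyone in this thread): it builds a compact JWE following RFC 7516 Section 5.1 for both the answer's RSA-OAEP-256 case and the original question's A256GCMKW case, with enc=A256GCM in both. It uses only the Go standard library; the function names, the decrypt-side alg allow-list and the `{"sub":"alice"}` payload are my own choices. What it makes concrete: the content-encryption key and the content IV are generated inside the producer (steps 2 and 9), the key-encryption layer can be swapped without touching the content layer, and for A256GCMKW the only input the caller supplies is the 256-bit key-encryption key; the "iv" and "tag" header parameters are outputs of wrapping the CEK, not inputs, and there is no salt anywhere.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // every JWE segment is BASE64URL without padding (RFC 7516 section 2)

func must[T any](v T, err error) T { // only for failures that mean a broken platform or a caller bug
	if err != nil {
		panic(err)
	}
	return v
}

// random returns n CSPRNG bytes: the CEK and every IV come from here, never from the caller.
func random(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// gcm builds AES-GCM with JWE's parameters (96-bit IV, 128-bit tag); callers validate the key length.
func gcm(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// assemble is the content-encryption layer every alg shares (RFC 7516 5.1 steps 9, 14-15, 19): fresh IV, AES-256-GCM over the plaintext with AAD = ASCII(BASE64URL(header)), compact serialization.
func assemble(header string, encKey, cek, plaintext []byte) string {
	protected, iv := b64.EncodeToString([]byte(header)), random(12)
	out := gcm(cek).Seal(nil, iv, plaintext, []byte(protected)) // ciphertext || 16-byte tag
	return strings.Join([]string{protected, b64.EncodeToString(encKey), b64.EncodeToString(iv),
		b64.EncodeToString(out[:len(out)-16]), b64.EncodeToString(out[len(out)-16:])}, ".")
}

// EncryptRSA builds alg=RSA-OAEP-256: the caller supplies only the public key; the CEK is generated (step 2) and encrypted with RSA-OAEP/SHA-256 (step 3), independently of the enc algorithm.
func EncryptRSA(pub *rsa.PublicKey, plaintext []byte) (string, error) {
	cek := random(32)
	encKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
	if err != nil {
		return "", err
	}
	return assemble(`{"alg":"RSA-OAEP-256","enc":"A256GCM"}`, encKey, cek, plaintext), nil
}

// EncryptGCMKW builds alg=A256GCMKW: the caller supplies a shared 256-bit key-encryption key; the CEK and the key-wrap IV (published as the "iv" header beside its "tag") are generated. There is no salt.
func EncryptGCMKW(kek, plaintext []byte) (string, error) {
	if len(kek) != 32 {
		return "", fmt.Errorf("A256GCMKW needs a 256-bit key-encryption key, got %d bits", 8*len(kek))
	}
	cek, wrapIV := random(32), random(12) // fresh wrap IV per token: GCM nonce reuse under one KEK is fatal
	out := gcm(kek).Seal(nil, wrapIV, cek, nil) // RFC 7518 4.7: key wrapping uses an empty AAD
	header := fmt.Sprintf(`{"alg":"A256GCMKW","enc":"A256GCM","iv":%q,"tag":%q}`,
		b64.EncodeToString(wrapIV), b64.EncodeToString(out[32:]))
	return assemble(header, out[:32], cek, plaintext), nil
}

// Decrypt unwraps the CEK with the key that matches the header's alg, then opens the content. The alg is allow-listed against the key actually supplied, so a token cannot steer the recipient onto another path.
func Decrypt(priv *rsa.PrivateKey, kek []byte, jwe string) ([]byte, error) {
	parts := strings.Split(jwe, ".")
	if len(parts) != 5 {
		return nil, fmt.Errorf("compact JWE must have five segments, got %d", len(parts))
	}
	raw, cek, err := make([][]byte, 5), []byte(nil), error(nil)
	for i, s := range parts {
		if raw[i], err = b64.DecodeString(s); err != nil {
			return nil, err
		}
	}
	var h struct{ Alg, Enc, IV, Tag string }
	if err = json.Unmarshal(raw[0], &h); err != nil || h.Enc != "A256GCM" {
		return nil, fmt.Errorf("unsupported or malformed protected header %s", raw[0])
	}
	switch {
	case h.Alg == "RSA-OAEP-256" && priv != nil:
		cek, err = rsa.DecryptOAEP(sha256.New(), nil, priv, raw[1], nil)
	case h.Alg == "A256GCMKW" && len(kek) == 32:
		wrapIV, _ := b64.DecodeString(h.IV) // a malformed iv or tag simply fails the AEAD check
		wrapTag, _ := b64.DecodeString(h.Tag)
		if len(wrapIV) == 12 {
			cek, err = gcm(kek).Open(nil, wrapIV, append(raw[1], wrapTag...), nil)
		}
	}
	if err != nil || len(cek) != 32 || len(raw[2]) != 12 {
		return nil, fmt.Errorf("cannot unwrap the CEK for alg %q with the supplied key: %v", h.Alg, err)
	}
	// The protected header is the AAD of the content encryption, so any tampering with it fails the tag here.
	return gcm(cek).Open(nil, raw[2], append(raw[3], raw[4]...), []byte(parts[0]))
}

func main() { fmt.Println(must(EncryptGCMKW(random(32), []byte(`{"sub":"alice"}`)))) } // constructed payload
```

Two practitioner points are deliberate in the example. Decrypt only honours an alg for which the matching key was actually supplied; a recipient that unwraps with whatever alg the header names lets the token's author choose the unwrap path. And the key-wrap IV is freshly random for every token, because A256GCMKW uses one long-lived key-encryption key and AES-GCM is broken by nonce reuse under the same key. On the RSA path, decrypting with the private key succeeds whatever enc was used, which is the behaviour the answer describes.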


Thank you. That clarifies a lot. It would be helpful for everyone when we have proper documentation. I hope this question and solution will be useful for others till then.