Intro

Today we are discussing JSON Web Encryption(JWE) standard. This standard fundamentally executes cryptographic functions on JSON-typed messages. Many services on the Internet use TLS(formerly SSL) for secure communication between the user and the server. However, TLS mostly performs confidentiality principle of information security triad. We will ensure the security over Internet when we also can perform the other two principle.

Integrity and availability is the other elements of security triad. Integrity basically represents the routing data should not be altered or malformed. The JWE has “Authentication Tag” part ensures the integrity of encrypted content.

Let’s Practice

We can use Apache JAX-RS JOSE library to execute simple JWE functions.

Apache Foundation has the JOSE(Javascript Object Signing and Encryption) library which make RFC 7516 security functions. The dependency registry must be putted into any kind of dependency file .

<dependency>

<groupId>org.apache.cxf</groupId>

<artifactId>cxf-rt-rs-security-jose</artifactId>

<version>3.1.7</version>

</dependency>

Apache JOSE has a piece of cake methods to run JWE functions. The following sample shows content encryption with using AES-128 bit algorithm on Galois Code Mode(GCM). RFC 7516 renames symmetric key as “Content Encryption Key(CEK)”. We generated CEK to use java.crypto library.

JweUtils is a utility class that contains some sort of static methods to perform JWE functions. We used encryptDirect/decryptDirect methods for both encryption/decryption process. JweUtils also has encrypt/decrypt methods but they can use extra “Key Encryption” process. Key encryption provides key agreement between the peers. The CEK is ephemerally generated with using pub/pri keys.

Most of key agreement implementations use public-key cryptographic algorithms such as Elliptic Curve, RSA .



Encrypted text: eyJlbmMiOiJBMTI4R0NNIiwiY3R5IjpudWxsfQ..8o_hhB1z7eumB1dh.KdoRkK79oX3ca1Lk4VsTbfJy56QbSE7aLQ.PMqrdsf5PT4WLCEkZwHYVg

Decrypted text: The world is not enough !

The encrypted data is splitted with dot character. The encrypted data has 4 part. First part is protected data. It just has been encoded with base64url encoding. Second part is empty because we use “Direct” mode for Key Encryption. None of encrypted value of encryption key data placed here.The third part is encrypted content and the last part is “authenticated tag” -which we mentioned in the beginning - that ensures integrity of the whole data.

eyJlbmMiOiJBMTI4R0NNIiwiY3R5IjpudWxsfQ

.

.

8o_hhB1z7eumB1dh.KdoRkK79oX3ca1Lk4VsTbfJy56QbSE7aLQ

.

PMqrdsf5PT4WLCEkZwHYVg

JWE might be like familiar :)

Yesss. JSON Web Token(JWT) use JWE to provide protection and integrity. Because JWT data does not protect the data. It is encoded and also signed by trust[1]. It just represents an credentials of requester. If you choose hide the data rather than authenticate, you should use JWE algorithms. Some of applications use JWE to encrypt sensitive data. Although JWE is providing enhanced security, it might inflate the data size over the network.

One of the example is 3D Secure 2.2.0 protocol use JWE algorithms for making end-to-end payment communication between the mobile application and acquirers.

[1]https://medium.com/vandium-software/5-easy-steps-to-understanding-json-web-tokens-jwt-1164c0adfcec

[2]https://medium.facilelogin.com/jwt-jws-and-jwe-for-not-so-dummies-b63310d201a3