Essentially, I am wondering what the purpose of AES/symmetric keywrap algorithms in the context of JWE is.
---- When using asymmetric encryption (RSA, EC) keywrap makes sense: 1. A random content encryption key (CEK) is created 2. Payload is encrypted (using symmetric encryption) using the CEK 3. The CEK is encrypted using the supplied key (which serves as the key encryption key (KEK)) However, when using A*KW, or A*GCMKW, I do not see the purpose of this: 1. A random CEK is created 2. Payload is encrypted (symmetricly) using CEK 3. CEK is encrypted (symmetrically) using KEK JWE RFC section 11.3 ( https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40#section-11.3) even says: > Algorithms of matching strengths should be used together whenever possible. For instance, when AES Key Wrap is used with a given key size, using the same key size is recommended when AES GCM is also used. If the key encryption and content encryption algorithms are different, the effective security is determined by the weaker of the two algorithms. This highlights that there's not even a point in having eg, a 256-bit KEK and using 128-bit CEK (eg: to lower CPU usage with big payload) -- the effective security is still 128-bit. ---- So this boils down to: if I want symmetric encryption, why would I ever choose anything besides the DIR (direct) key algorithm? If there is no good answer, perhaps A*KW and A*GCMKW should be deprecated, which will later lead to simpler libraries and less variation in JWE formats in the wild. Note, I asked this question on security.stackexchange ( http://security.stackexchange.com/questions/80966/what-is-the-point-of-aes-key-wrap-with-json-web-encryption) but responses there just seem to reinforce my original suspicion that symmetric KW algorithms have zero benefit to JWE/JWT.
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
