> > Why is JWE HPKE Key Encryption necessary at all? Since HPKE requires asymmetric keys to be used, what is the use case for encrypting a direct/shared symmetric key when the recipient must decrypt with their private key anyway?
Trying to answer my own question:

"alg": "HPKE-P256-SHA256", "enc": "A256GCM" would mean a JWE content encryption key would be obtained by executing the KEM to derive a shared secret which is then made uniform by HKDF-SHA256. The output of the HKDF Expand function would be the content encryption key used to directly encrypt the payload using AES 256 GCM. This would imply that the HKDF's `Expand(prk, info, L)` function's `L` input length must be equal to the `enc` required key length (in this example, `256`).

Whereas "alg": "HPKE-P256-SHA256-A256GCM", "enc": "A128GCM" would mean

a) an ephemeral AEAD secret key (the CEK) would be generated for the `enc` algorithm (e.g. AES 128 GCM)
b) this ephemeral AES 128-bit CEK would itself be encrypted using HPKE P256-SHA256-A256GCM
c) the ephemeral AES 128-bit CEK would be used to encrypt the recipient payload, and the CEK ciphertext would be included in the recipient header.

Then the recipient uses HPKE P256-SHA256-A256GCM to decrypt the CEK ciphertext, producing the CEK, which is then used to decrypt the payload.

Is that about right?

Les
_______________________________________________
jose mailing list -- [email protected]
To unsubscribe send an email to [email protected]
