Class ECDHEncryptionHandler
java.lang.Object
org.forgerock.json.jose.jwe.handlers.encryption.ECDHEncryptionHandler
- All Implemented Interfaces:
EncryptionHandler
Implements Elliptic Curve Diffie-Hellman (ECDH) key agreement in ephemeral-static (ECDH-ES) mode. In this mode, the
party we are sending data to has a static key pair for which we know (and trust) the public key. We then generate
an ephemeral key pair, and perform a ECDH key agreement using our ephemeral private key and the destination's
static public key to derive a shared secret. This is then ran through the Concat-KDF key derivation function to
derive a symmetric encryption key, which we either use directly or with AES Key Wrapping to encrypt the content of
the JWT. We attach our ephemeral public key to the (integrity protected) JWT header and send the result to the other
party. They can then perform the same ECDH key agreement using their static private key and the public key from the
message to derive the same content encryption (or wrapping) key and decrypt the contents.
Some points to note:
- Static-ephemeral key agreement can be performed "offline" (i.e., without the recipient being actively involved), however it lacks the forward-secrecy of fully ephemeral ECDH: any compromise of the recipient's long-term private key will result in decryption of all previously captured traffic.
- The "static" recipient key does not need to be long-lived, and it is good practice to rotate it frequently and/or use a different public key for each sender (e.g., provide individual JWK URIs for each client).
- In the limit, the "static" key can be generated fresh for every message (using some online protocol), in which case it is effectively equivalent to ephemeral-ephemeral ECDH.
- ECDH does not on its own provide any authentication of either party. If the static public key of the recipient is trusted (e.g., is signed by a trusted CA or received over a trusted channel) then this is sufficient to authenticate the recipient. For the sender, an ephemeral key is used so authentication must be achieved by other means: for example, including a signed hash of the public key in the UPartyInfo/apu claim (signed with a long-term signature key whose public key is known and trusted by the other party). This is an application protocol concern.
This encryption scheme is also generally known as ECIES - Elliptic Curve Integrated Encryption Scheme.
-
Method Summary
Modifier and TypeMethodDescriptionbyte[]
decryptCiphertext
(Key contentEncryptionKey, byte[] initialisationVector, byte[] ciphertext, byte[] authenticationTag, byte[] additionalAuthenticatedData) Decrypts the ciphertext with the Content Encryption Key, using the initialisation vector and additional authenticated data, following the steps defined by the EncryptionHandler JweAlgorithm.decryptContentEncryptionKey
(Key key, byte[] encryptedContentEncryptionKey, JweHeader header) Decrypts the Content Encryption Key (CEK) following the appropriate steps defined by the EncryptionHandler JweAlgorithm.encryptPlaintext
(Key contentEncryptionKey, byte[] initialisationVector, byte[] plaintext, byte[] additionalAuthenticatedData) Encrypts the plaintext with the Content Encryption Key, using the initialisation vector and additional authenticated data, following the steps defined by the EncryptionHandler JweAlgorithm.byte[]
Generates a random JWE Initialisation Vector of the correct size for the encryption algorithm, if the EncryptionHandler JweAlgorithm does not required an initialisation vector then the initialisation vector will be an empty octet sequence.byte[]
generateJWEEncryptedKey
(Key key, Key ephemeralKey, JweHeader header) Generates the Content Encryption Key (CEK) following the appropriate steps defined by the EncryptionHandler JweAlgorithm.Creates a Content Encryption Key (CEK) following the appropriate steps defined by the EncryptionHandler JweAlgorithm.static ECDHEncryptionHandler
getInstance
(EncryptionHandler keyWrappingHandler, JweAlgorithm algorithm, EncryptionMethod encryptionMethod) Get an instance of the ECDH-ES encryption handler for the given parameters.Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface org.forgerock.json.jose.jwe.handlers.encryption.EncryptionHandler
decryptContentEncryptionKey, generateJWEEncryptedKey
-
Method Details
-
getInstance
public static ECDHEncryptionHandler getInstance(EncryptionHandler keyWrappingHandler, JweAlgorithm algorithm, EncryptionMethod encryptionMethod) Get an instance of the ECDH-ES encryption handler for the given parameters.- Parameters:
keyWrappingHandler
- the underlying key wrapping or direct encryption mode.algorithm
- the overall JWE algorithm to be used. Must be an ECDH-ES type.encryptionMethod
- the content encryption method.- Returns:
- a configured ECDH encryption handler.
-
getContentEncryptionKey
Description copied from interface:EncryptionHandler
Creates a Content Encryption Key (CEK) following the appropriate steps defined by the EncryptionHandler JweAlgorithm.See points 1, 2, 3 in Section 5.1 of the JWE Specification.
- Specified by:
getContentEncryptionKey
in interfaceEncryptionHandler
- Returns:
- The Content Encryption Key or null if the shared key should be used directly.
-
generateJWEEncryptedKey
Description copied from interface:EncryptionHandler
Generates the Content Encryption Key (CEK) following the appropriate steps defined by the EncryptionHandler JweAlgorithm.See points 4, 5, 6 in Section 5.1 of the JWE Specification.
- Specified by:
generateJWEEncryptedKey
in interfaceEncryptionHandler
- Parameters:
key
- The key to use to encrypt the Content Encryption Key, if the EncryptionHandler JweAlgorithm requires.ephemeralKey
- The Content Encryption Key (CEK).header
- The JWE header.- Returns:
- A byte array of the JWE Encrypted Key.
-
generateInitialisationVector
public byte[] generateInitialisationVector()Description copied from interface:EncryptionHandler
Generates a random JWE Initialisation Vector of the correct size for the encryption algorithm, if the EncryptionHandler JweAlgorithm does not required an initialisation vector then the initialisation vector will be an empty octet sequence.See points 9 in Section 5.1 of the JWE Specification.
- Specified by:
generateInitialisationVector
in interfaceEncryptionHandler
- Returns:
- The Initialisation Vector.
-
encryptPlaintext
public JweEncryption encryptPlaintext(Key contentEncryptionKey, byte[] initialisationVector, byte[] plaintext, byte[] additionalAuthenticatedData) Description copied from interface:EncryptionHandler
Encrypts the plaintext with the Content Encryption Key, using the initialisation vector and additional authenticated data, following the steps defined by the EncryptionHandler JweAlgorithm.See points 15, 16 in Section 5.1 of the JWE Specification.
- Specified by:
encryptPlaintext
in interfaceEncryptionHandler
- Parameters:
contentEncryptionKey
- The Content Encryption Key.initialisationVector
- The Initialisation Vector.plaintext
- The plaintext to encrypt.additionalAuthenticatedData
- An array of bytes representing the additional authenticated data.- Returns:
- The JweEncryption object containing the ciphertext and authentication tag.
-
decryptContentEncryptionKey
public Key decryptContentEncryptionKey(Key key, byte[] encryptedContentEncryptionKey, JweHeader header) Description copied from interface:EncryptionHandler
Decrypts the Content Encryption Key (CEK) following the appropriate steps defined by the EncryptionHandler JweAlgorithm.See points 9, 10 in Section 5.2 of the JWE Specification.
- Specified by:
decryptContentEncryptionKey
in interfaceEncryptionHandler
- Parameters:
key
- The private key pair to the public key that encrypted the JWT.encryptedContentEncryptionKey
- The encrypted Content Encryption Key.header
- The JWE header.- Returns:
- The decrypted Content Encryption Key.
-
decryptCiphertext
public byte[] decryptCiphertext(Key contentEncryptionKey, byte[] initialisationVector, byte[] ciphertext, byte[] authenticationTag, byte[] additionalAuthenticatedData) Description copied from interface:EncryptionHandler
Decrypts the ciphertext with the Content Encryption Key, using the initialisation vector and additional authenticated data, following the steps defined by the EncryptionHandler JweAlgorithm.See points 14, 15 in Section 5.2 of the JWE Specification.
- Specified by:
decryptCiphertext
in interfaceEncryptionHandler
- Parameters:
contentEncryptionKey
- The Content Encryption Key.initialisationVector
- The Initialisation Vector.ciphertext
- The ciphertext to decrypt.authenticationTag
- The authentication tag.additionalAuthenticatedData
- An array of bytes representing the additional authenticated data.- Returns:
- An array of bytes representing the decrypted ciphertext.
-