JSON Web Encryption
JSON Web Encryption (JWE)
AbbreviationJWE
StatusProposed
Year started16 January 2012 (2012-01-16)
First published16 January 2012 (2012-01-16)
Latest versionMay 2015
OrganizationIETF
SeriesJOSE
Authors
  • Michael Jones
  • Joe Hildebrand
DomainEncryption, authentication
Websitedatatracker.ietf.org/doc/html/rfc7516

JSON Web Encryption (JWE) is an IETF standard providing a standardized syntax for the exchange of encrypted data, based on JSON and Base64.[1] It is defined by RFC 7516. Along with JSON Web Signature (JWS), it is one of the two possible formats of a JWT (JSON Web Token). JWE forms part of the JavaScript Object Signing and Encryption (JOSE) suite of protocols.[2]

Vulnerabilities

edit

In March 2017, a serious flaw was discovered in many popular implementations of JWE, the invalid curve attack.[3]

One implementation of an early (pre-finalized) version of JWE also suffered from Bleichenbacher’s attack.[4]

References

edit
  1. ^ Ng, Alex Chi Keung (26 January 2018). Contemporary Identity and Access Management Architectures: Emerging Research and Opportunities. IGI Global. p. 215. ISBN 978-1-5225-4829-4. JWE is a means of representing encrypted content using JSON data structures.
  2. ^ Fontana, John (January 21, 2013). "Developers getting JSON-based options for enterprise authentication". ZDNet. Retrieved 2018-06-08.
  3. ^ Rashid, Fahmida (27 March 2017). "Critical flaw alert! Stop using JSON encryption". InfoWorld. Retrieved 8 June 2018.
  4. ^ Jager, Tibor; Schinzel, Sebastian; Somorovsky, Juraj (2012), "Bleichenbacher's Attack Strikes again: Breaking PKCS#1 v1.5 in XML Encryption", Computer Security – ESORICS 2012, Springer Berlin Heidelberg, pp. 752–769, CiteSeerX 10.1.1.696.5641, doi:10.1007/978-3-642-33167-1_43, ISBN 9783642331664, Beyond XML Encryption, the recent JSON Web Encryption (JWE) specification prescribes PKCS#1 v1.5 as a mandatory cipher. This specification is under development and at the time of writing there existed only one implementation following this specification. We verified that this implementation was vulnerable to two versions of the Bleichenbacher's attack: the direct attack based on error messages and the timing-based attack.{{citation}}: CS1 maint: work parameter with ISBN (link)
Stub icon

This cryptography-related article is a stub. You can help Wikipedia by adding missing information.

📚 Artikel Terkait di Wikipedia

Cryptocat

online chatting available for Windows, OS X, and Linux. It uses end-to-end encryption to secure all communications to other Cryptocat users. Users are given

JSON Web Token

Vulnerability in JSON Web Encryption". Auth0 - Blog. Retrieved October 14, 2023. "No Way, JOSE! Javascript Object Signing and Encryption is a Bad Standard That

Web Cryptography API

2017". W3C. Retrieved 3 July 2018. JOSE Working Group. "Javascript Object Signing and Encryption (jose)". IETF. Retrieved 16 March 2017. Official website

PDF

content), three-dimensional objects using U3D or PRC, and various other data formats. The PDF specification also provides for encryption and digital signatures

OwnCloud

features include end-to-end encryption, ransomware and antivirus protection, branding, document classification, and single sign-on via OpenID. Free and open-source

Mozilla Persona

easiest way to sign in., Mozilla, archived from the original on 2013-03-08, retrieved 2013-02-10 "Javascript Object Signing and Encryption (jose)". IETF

List of computing and IT abbreviations

ADO—ActiveX Data Objects ADSL—Asymmetric Digital Subscriber Line ADT—Abstract Data Type AE—Adaptive Equalizer AE—Authenticated encryption AEAD—Authenticated

Apache iBATIS

first product to be released by iBATIS was Secrets, a personal data encryption and signing tool much like PGP. Secrets was written entirely in Java and was