The JWE standard defines a concept called Key Management Mode. According to the RFC, there are five: Direct Encryption, Key Encryption, Direct Key Agreement, Key Wrapping, Key Agreement with Key Wrapping.
What's the difference between them and what's the point of having so many?
JWE always encrypts plaintext using a symmetric encryption key called CEK (Content Encryption Key). An issuer and recipient don't always have a pre-shared key they can use as the CEK, so they must use some form of public-key cryptography in order to securely share or agree on a CEK to use. Key Management Modes specify how the CEK is determined.
JWE always provides confidentiality (ensure only recipient can decrypt data), and integrity (ensure data was not altered by a third-party during transit). Depending on the Key Management Mode, it can also provide authentication (ensure data comes from issuer it claims to be).
JWE also supports tokens intended for multiple recipients where each recipient may use a different Key Management Mode. In this scenario, the JWE cannot use compact serialization and must use JSON serialization. Additionally, regardless of the number of recipients, JWE uses a single CEK to encrypt the plaintext. Thus, there is no need to include a different copy of the ciphertext for each intended recipient.
The following are the supported Key Management Modes by JWE:
1. Direct Encryption:
CEK.CEK.CEK.CEK).{ "alg": "dir", "enc": "A256GCM" }2. Key Encryption:
RSA key.RSA key for that recipient.CEK.CEK.CEK with recipient's public key.CEK + ciphertext in JWE.CEK with its private key.CEK.{ "alg": "RSA-OAEP", "enc": "A256GCM" }3. Direct Key Agreement
EC key (EC key pairs cannot be used directly to encrypt/decrypt data).EC public/private key pair.CEK using ephemeral private key and recipient's public key.CEK.CEK using ephemeral public key and its private key.CEK.{ "alg": "ECDH-ES", "enc": "A256GCM", "epk": { ephemeral public key }, "apu": "(issuer)", "apv": "(recipient)" }4. Key Wrapping
CEK.CEK.CEK with the wrapping key.CEK + ciphertext in JWE.CEK and decrypts it with the wrapping key.CEK.{ "alg": "A256KW", "enc": "A256GCM" }5. Key Agreement with Key Wrapping
EC key for that recipient (EC key pairs cannot be used directly to encrypt/decrypt data).CEK.CEK.EC public/private key pair.CEK using wrapping key.CEK + ephemeral public key + ciphertext in JWE.CEK and decrypts it using the derived wrapping key.CEK.{ "alg": "ECDH-ES+A256KW", "enc": "A256GCM", "epk": { ephemeral public key }, "apu": "(issuer)", "apv": "(recipient)" }
7518 JSON Web Algorithms (JWA) includes details on Cryptographic Algorithms for Key Management. As to why so many, the JWA model use cases are wide and the RFC states:
Registering the algorithms and identifiers here, rather than in the JWS, JWE, and JWK specifications, is intended to allow them to remain unchanged in the face of changes in the set of Required, Recommended, Optional, and Deprecated algorithms over time. This also allows
changes to the JWS, JWE, and JWK specifications without changing this document.
The table below is the set of "alg" (algorithm) Header Parameter
values that are defined by this specification for use with JWE.
These algorithms are used to encrypt the CEK, producing the JWE
Encrypted Key, or to use key agreement to agree upon the CEK.
+--------------------+--------------------+--------+----------------+
| "alg" Param Value | Key Management | More | Implementation |
| | Algorithm | Header | Requirements |
| | | Params | |
+--------------------+--------------------+--------+----------------+
| RSA1_5 | RSAES-PKCS1-v1_5 | (none) | Recommended- |
| RSA-OAEP | RSAES OAEP using | (none) | Recommended+ |
| | default parameters | | |
| RSA-OAEP-256 | RSAES OAEP using | (none) | Optional |
| | SHA-256 and MGF1 | | |
| | with SHA-256 | | |
| A128KW | AES Key Wrap with | (none) | Recommended |
| | default initial | | |
| | value using | | |
| | 128-bit key | | |
| A192KW | AES Key Wrap with | (none) | Optional |
| | default initial | | |
| | value using | | |
| | 192-bit key | | |
| A256KW | AES Key Wrap with | (none) | Recommended |
| | default initial | | |
| | value using | | |
| | 256-bit key | | |
| dir | Direct use of a | (none) | Recommended |
| | shared symmetric | | |
| | key as the CEK | | |
| ECDH-ES | Elliptic Curve | "epk", | Recommended+ |
| | Diffie-Hellman | "apu", | |
| | Ephemeral Static | "apv" | |
| | key agreement | | |
| | using Concat KDF | | |
| ECDH-ES+A128KW | ECDH-ES using | "epk", | Recommended |
| | Concat KDF and CEK | "apu", | |
| | wrapped with | "apv" | |
| | "A128KW" | | |
| ECDH-ES+A192KW | ECDH-ES using | "epk", | Optional |
| | Concat KDF and CEK | "apu", | |
| | wrapped with | "apv" | |
| | "A192KW" | | |
| ECDH-ES+A256KW | ECDH-ES using | "epk", | Recommended |
| | Concat KDF and CEK | "apu", | |
| | wrapped with | "apv" | |
| | "A256KW" | | |
| A128GCMKW | Key wrapping with | "iv", | Optional |
| | AES GCM using | "tag" | |
| | 128-bit key | | |
| A192GCMKW | Key wrapping with | "iv", | Optional |
| | AES GCM using | "tag" | |
| | 192-bit key | | |
| A256GCMKW | Key wrapping with | "iv", | Optional |
| | AES GCM using | "tag" | |
| | 256-bit key | | |
| PBES2-HS256+A128KW | PBES2 with HMAC | "p2s", | Optional |
| | SHA-256 and | "p2c" | |
| | "A128KW" wrapping | | |
| PBES2-HS384+A192KW | PBES2 with HMAC | "p2s", | Optional |
| | SHA-384 and | "p2c" | |
| | "A192KW" wrapping | | |
| PBES2-HS512+A256KW | PBES2 with HMAC | "p2s", | Optional |
| | SHA-512 and | "p2c" | |
| | "A256KW" wrapping | | |
+--------------------+--------------------+--------+----------------+
