
When implementing JSON Web Encryption (JWE), I understand the reasons why you might choose A256KW over DIR. But, now I notice there is also A256GCMKW as an optional part of the JWE standard (see RFC7518 page 19 which defines it in detail, and also page 13 where it is declared to be Optional – RFC7518 is JSON Web Algorithms (JWA), while JWE is defined in RFC7516 which incorporates JWA by reference.)

I can see some obvious disadvantages A256GCMKW has compared to A256KW:

  • As an optional part of the standard, some JWE implementations will not support it
  • It is going to impose an additional performance cost (although, depending on your use case, this might not be significant in practice)

But, I'm assuming for it to be standardised it must have some advantage over A256KW in some scenario – what is that advantage?

Note (if it matters) I was planning to use A256GCM content encryption with A256KW key algorithm. The combination of A256GCMKW + A256GCM would provide two layers of authenticated encryption – while I can't see how that could hurt, is it adding complexity for little or no real value?

1 Answer


Both A256KW and A256GCMKW use authenticated encryption for the Content Encryption Key (CEK). This isn't redundant when combining it with A256GCM, because it protects the integrity of the key rather than the encrypted content.

The difference between the algorithms is that A256KW uses the AES Key Wrap (AES-KW) algorithm from RFC 3394 for the CEK, whereas A256GCMKW relies on the general-purpose GCM mode for key encryption. Both have strengths and weaknesses:

  • A256GCMKW requires an initialization vector which must be unique per key encryption key. See section 8.2 of NIST Special Publication 800-38D for concrete recommendations on how to construct the IV. A256KW, on the other hand, is entirely deterministic. However, as you already need to generate an IV when encrypting the content with A256GCM, this aspect shouldn't matter much, except that you need to store an extra 128 bits.
  • Besides the IV, A256GCMKW needs another 128 bits for the authentication tag. In A256KW, the integrity value is embedded into the key itself.
  • On the other hand, the 128-bit authentication tag of A256GCMKW provides better protection against forgery than the 64-bit authentication value in A256KW.
  • There's a strict limit for the maximum number of invocations when AES-GCM is used (depending on the IV construction). AES-KW doesn't have any invocation limits, as pointed out in section 5.4 of NIST Special Publication 800-38F.
  • AES-GCM has hardware support in many CPUs, AES-KW doesn't. This makes me skeptical about your claim that A256KW will be faster than A256GCMKW. If performance is really an issue, then you need to do actual measurements.
  • AES-GCM is much better known than AES-KW and has probably seen a lot more scrutiny from cryptographers.
  • But, as you've correctly pointed out, A256KW is declared Recommended in RFC 7518, A256GCMKW only Optional.

There isn't really a clear winner. You'll have to decide for yourself which aspects matter for your concrete use case and which don't.
