JWT Framework
v1.x

Encryption Algorithms

This framework comes with several encryption algorithms. These algorithms are in the following namespaces:

  • Jose\Component\Encryption\Algorithm\KeyEncryption: key encryption algorithms

  • Jose\Component\Encryption\Algorithm\ContentEncryption: content encryption algorithms

    From v1.2, the algorithms have their own sub-packages. To avoid BC breaks, these packages are automatically installed for all v1.x of the framework. Starting at v2.0, you will have to explicitly install the algorithm packages you need.

  • Key Encryption

    • Package web-token/jwt-encryption-algorithm-aeskw

      • A128KW

      • A192KW

      • A256KW

    • Package web-token/jwt-encryption-algorithm-aesgcmkw

      • A128GCMKW

      • A192GCMKW

      • A256GCMKW

    • Package web-token/jwt-encryption-algorithm-dir

      • dir (class Dir)

    • Package web-token/jwt-encryption-algorithm-ecdh-es

      • ECDH-ES (class ECDHES) READ THE NOTE BELOW

      • ECDH-ES+A128KW (class ECDHESA128KW) READ THE NOTE BELOW

      • ECDH-ES+A192KW (class ECDHESA192KW) READ THE NOTE BELOW

      • ECDH-ES+A256KW (class ECDHESA256KW) READ THE NOTE BELOW

    • Package web-token/jwt-encryption-algorithm-pbes2

      • PBES2-HS256+A128KW (class PBES2HS256A128KW)

      • PBES2-HS384+A192KW (class PBES2HS384A192KW)

      • PBES2-HS512+A256KW (class PBES2HS512A256KW)

    • Package web-token/jwt-encryption-algorithm-rsa

      • RSA1_5 (class RSA15) READ THE NOTE BELOW

      • RSA-OAEP (class RSAOAEP)

      • RSA-OAEP-256 (class RSAOAEP256)

  • Content Encryption

    • Package web-token/jwt-encryption-algorithm-aesgcm

      • A128GCM

      • A192GCM

      • A256GCM

    • Package web-token/jwt-encryption-algorithm-aescbc

      • A128CBC-HS256 (class A128CBCHS256)

      • A192CBC-HS384 (class A192CBCHS384)

      • A256CBC-HS512 (class A256CBCHS512)

IMPORTANT NOTE:

  • The algorithm RSA1_5 is deprecated due to a known security vulnerability.

  • The algorithms ECDH-ES* are not recommended unless used with the OKP key type.

The following encryption algorithms are experimental and must not be used in production unless you know what you are doing. They are proposed for testing purposes only.

They are all part of the package web-token/jwt-encryption-algorithm-experimental.

  • Key Encryption

    • A128CTR, A192CTR and A256CTR: AES-CTR based key encryption.

    • Chacha20+Poly1305: please note that this algorithm requires OpenSSL 1.1.

    • RSA-OAEP-384 and RSA-OAEP-512: same algorithm as RSA-OAEP-256 but with the SHA-384 and SHA-512 hash functions.

  • Content Encryption

    • AxxxCCM-16-128, AxxxCCM-16-64, AxxxCCM-64-128, AxxxCCM-64-64: AES-CCM based algorithms, where xxx is 128 or 256.

All the algorithms above have to be used with the Algorithm Manager. They do not need any arguments (the PBES2 ones accept optional parameters, see below).

How To Use

Example:

<?php

use Jose\Component\Core\AlgorithmManager;
use Jose\Component\Encryption\Algorithm\KeyEncryption\A128KW;
use Jose\Component\Encryption\Algorithm\KeyEncryption\PBES2HS256A128KW;
use Jose\Component\Encryption\Algorithm\ContentEncryption\A128CBCHS256;

$algorithmManager = AlgorithmManager::create([
    new A128KW(),           // key encryption ("alg" header)
    new PBES2HS256A128KW(), // key encryption ("alg" header), password based
    new A128CBCHS256(),     // content encryption ("enc" header)
]);

By default, the PBES2* algorithms use the following parameter values:

  • Salt size: 64 bytes (512 bits)

  • Iteration count: 4096

You may need to use other values. This can be done when the algorithm is instantiated: the first constructor argument is the salt size in bytes, the second the iteration count.

Example with a 16 byte (128 bit) salt and 1024 iterations:

<?php

use Jose\Component\Core\AlgorithmManager;
use Jose\Component\Encryption\Algorithm\KeyEncryption\PBES2HS256A128KW;

$algorithmManager = AlgorithmManager::create([
    new PBES2HS256A128KW(16, 1024),
]);
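The examples above only register algorithms. As an added example (not part of the framework's own documentation), the following shows how the registered key-encryption and content-encryption algorithms are consumed in a complete encrypt/decrypt round trip: the JWE builder and decrypter take one manager for the "alg" (key encryption) algorithms and a separate one for the "enc" (content encryption) algorithms, and they look algorithms up only in the managers they were given, so a token header cannot select an algorithm you did not register. The constructor argument order of JWEBuilder, JWEDecrypter and CompactSerializer, and the StandardConverter class, are taken from the v1.x API as assumed here and should be checked against the installed version; the key is generated at runtime for the example.

```php
<?php
// Added example, not code from the JWT Framework documentation.
// Assumption: v1.x constructor signatures (JSON converter first for the builder
// and the compact serializer). Check them against your installed version.

require __DIR__.'/vendor/autoload.php';

use Jose\Component\Core\AlgorithmManager;
use Jose\Component\Core\Converter\StandardConverter;
use Jose\Component\Core\JWK;
use Jose\Component\Encryption\Algorithm\ContentEncryption\A128CBCHS256;
use Jose\Component\Encryption\Algorithm\KeyEncryption\A128KW;
use Jose\Component\Encryption\Compression\CompressionMethodManager;
use Jose\Component\Encryption\Compression\Deflate;
use Jose\Component\Encryption\JWEBuilder;
use Jose\Component\Encryption\JWEDecrypter;
use Jose\Component\Encryption\Serializer\CompactSerializer;

// Two managers: "alg" algorithms (key encryption) and "enc" algorithms
// (content encryption). Register only what you actually want to accept.
$keyEncryptionAlgorithmManager     = AlgorithmManager::create([new A128KW()]);
$contentEncryptionAlgorithmManager = AlgorithmManager::create([new A128CBCHS256()]);
$compressionMethodManager          = CompressionMethodManager::create([new Deflate()]);

$jsonConverter = new StandardConverter();

// A128KW wraps the per-token content-encryption key with a 128-bit AES key.
// Constructed for this example: a fresh random key, base64url-encoded as "k".
$kek = JWK::create([
    'kty' => 'oct',
    'k'   => rtrim(strtr(base64_encode(random_bytes(16)), '+/', '-_'), '='),
]);

// Sender side: build and serialize the token.
$jweBuilder = new JWEBuilder(
    $jsonConverter,
    $keyEncryptionAlgorithmManager,
    $contentEncryptionAlgorithmManager,
    $compressionMethodManager
);

$payload = $jsonConverter->encode(['sub' => 'user-123', 'exp' => time() + 300]);

$jwe = $jweBuilder
    ->create()
    ->withPayload($payload)
    ->withSharedProtectedHeader(['alg' => 'A128KW', 'enc' => 'A128CBC-HS256'])
    ->addRecipient($kek)
    ->build();

$serializer = new CompactSerializer($jsonConverter);
$token      = $serializer->serialize($jwe, 0); // recipient index 0

// Receiver side: the decrypter is given the same (restricted) managers, so an
// "alg" or "enc" value outside that set is rejected before any key is used.
$jweDecrypter = new JWEDecrypter(
    $keyEncryptionAlgorithmManager,
    $contentEncryptionAlgorithmManager,
    $compressionMethodManager
);

$received = $serializer->unserialize($token);

// decryptUsingKey() returns false on a wrong key or a failed authentication
// tag check; treat that as a hard failure rather than reading the payload.
if (!$jweDecrypter->decryptUsingKey($received, $kek, 0)) {
    throw new RuntimeException('JWE decryption failed (wrong key or tampered token)');
}

echo $received->getPayload(), PHP_EOL;
```

Run it with `php example.php` from a project where the framework is installed via Composer. The point to carry over to real code is the pairing of the two managers: list only the "alg" and "enc" values your application intends to accept, and do not add RSA1_5 or the experimental algorithms to a production manager.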

Last updated 6 years ago