Encryption Algorithms

This framework comes with several encryption algorithms. These algorithms are in the following namespaces:

  • Jose\Component\Encryption\Algorithm\KeyEncryption: key encryption algorithms

  • Jose\Component\Encryption\Algorithm\ContentEncryption: content encryption algorithms

Main Algorithms

Key Encryption

| Algorithm | Package |
|---|---|
| A128KW, A192KW, A256KW | web-token/jwt-encryption-algorithm-aeskw |
| A128GCMKW, A192GCMKW, A256GCMKW | web-token/jwt-encryption-algorithm-aesgcmkw |
| dir | web-token/jwt-encryption-algorithm-dir |
| ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW | web-token/jwt-encryption-algorithm-ecdh-es |
| PBES2-HS256+A128KW, PBES2-HS384+A192KW, PBES2-HS512+A256KW | web-token/jwt-encryption-algorithm-pbes2 |
| RSA1_5, RSA-OAEP, RSA-OAEP-256 | web-token/jwt-encryption-algorithm-rsa |

Content Encryption

| Algorithm | Package |
|---|---|
| A128GCM, A192GCM, A256GCM | web-token/jwt-encryption-algorithm-aesgcm |
| A128CBC-HS256, A192CBC-HS384, A256CBC-HS512 | web-token/jwt-encryption-algorithm-aescbc |

The RSA1_5 algorithm is deprecated due to a known security vulnerability.

The algorithms ECDH-ES* are not recommended unless used with the OKP key type.

Experimental Algorithms

The following algorithms are experimental and must not be used in production unless you know what you are doing. They are provided for testing purposes only.

They are all part of the package web-token/jwt-encryption-algorithm-experimental.

Key Encryption

| Algorithm | Description |
|---|---|
| A128CTR, A192CTR, A256CTR | AES CTR based encryption |
| Chacha20+Poly1305 | Please note that this algorithm requires OpenSSL 1.1 |
| RSA-OAEP-384, RSA-OAEP-512 | Same algorithm as RSA-OAEP-256 but with SHA-384 and SHA-512 hashing functions |

Content Encryption

| Algorithm | Description |
|---|---|
| A128CCM-16-128, A128CCM-16-64, A128CCM-64-128, A128CCM-64-64, A256CCM-16-128, A256CCM-16-64, A256CCM-64-128, A256CCM-64-64 | AES-CCM based algorithms |

How To Use

These algorithms have to be used with the Algorithm Manager.

<?php

use Jose\Component\Core\AlgorithmManager;
use Jose\Component\Encryption\Algorithm\KeyEncryption\A128KW;
use Jose\Component\Encryption\Algorithm\KeyEncryption\PBES2HS256A128KW;
use Jose\Component\Encryption\Algorithm\ContentEncryption\A128CBCHS256;

$algorithmManager = new AlgorithmManager([
    new A128KW(),
    new PBES2HS256A128KW(),
    new A128CBCHS256(),
]);

By default, PBES2* algorithms use the following parameter values:

  • Salt size: 64 bytes (512 bits)

  • Count: 4096

You may need to use other values. This can be done during the instantiation of the algorithm:

Example with a 16-byte (128-bit) salt and a count of 1024:

<?php

use Jose\Component\Core\AlgorithmManager;
use Jose\Component\Encryption\Algorithm\KeyEncryption\PBES2HS256A128KW;

$algorithmManager = new AlgorithmManager([
    new PBES2HS256A128KW(16, 1024),
]);
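To show what the salt size and count actually control, the added example below (not part of the original documentation or the framework's own code) derives the PBES2-HS256+A128KW key-wrapping key the way RFC 7518 section 4.8 defines it, using only PHP built-ins. The helper names, the minimum-value checks and the sample password are assumptions made for this illustration.

```php
<?php
// Added example (not web-token/jwt-framework code): what the PBES2 salt size
// and count control, following RFC 7518 section 4.8.

function b64u(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Hypothetical helper: derive the 128-bit AES key-wrap key for PBES2-HS256+A128KW.
function deriveKek(string $password, string $p2s, int $p2c): string
{
    // Policy of this example, taken from RFC 7518: salt input of 8+ bytes is
    // required, and a count of at least 1000 is recommended.
    if (strlen($p2s) < 8) {
        throw new InvalidArgumentException('salt input must be at least 8 bytes');
    }
    if ($p2c < 1000) {
        throw new InvalidArgumentException('count must be at least 1000');
    }
    // PBKDF2 salt = UTF8(alg) || 0x00 || salt input (p2s)
    $salt = 'PBES2-HS256+A128KW' . "\x00" . $p2s;
    return hash_pbkdf2('sha256', $password, $salt, $p2c, 16, true);
}

$password = 'correct horse battery staple'; // constructed sample secret

// First the defaults listed on this page, then the 16-byte / 1024 example.
foreach ([[64, 4096], [16, 1024]] as [$saltSize, $count]) {
    $p2s = random_bytes($saltSize); // fresh random salt for every token
    $start = microtime(true);
    $kek = deriveKek($password, $p2s, $count);
    $ms = (microtime(true) - $start) * 1000;

    // The sender publishes the salt and count in the JWE header.
    $header = ['alg' => 'PBES2-HS256+A128KW', 'p2s' => b64u($p2s), 'p2c' => $count];

    // The recipient re-derives the same key from the header and the password.
    $again = deriveKek($password, $p2s, $header['p2c']);

    printf(
        "salt=%d bytes count=%d kek=%d bytes match=%s time=%.2f ms\n",
        $saltSize, $count, strlen($kek),
        hash_equals($kek, $again) ? 'yes' : 'no', $ms
    );
}
```

The count is the only work factor protecting the password against offline guessing, so lowering it from the default reduces the cost per guess proportionally.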
