b_c / jose4j / issues / #136 - OIDC Conformance Certification - Conf Test unable to decrypt jwe recieved

Brian Campbell repo owner

Given the apparent context of symmetric encryption of the ID Token in OIDC, the first thing I'd look at is how the encryption key is being derived from the client secret and making sure the right key length, hash algorithm, etc. are being used.

The relevant bit from the spec from https://openid.net/specs/openid-connect-core-1_0.html#Encryption is:

Symmetric Encryption

The symmetric encryption key is derived from the client_secret value by using a left truncated SHA-2 hash of the octets of the UTF-8 representation of the client_secret. For keys of 256 or fewer bits, SHA-256 is used; for keys of 257-384 bits, SHA-384 is used; for keys of 385-512 bits, SHA-512 is used. The hash value MUST be left truncated to the appropriate bit length for the AES key wrapping or direct encryption algorithm used, for instance, truncating the SHA-256 hash to 128 bits for A128KW. If a symmetric key with greater than 512 bits is needed, a different method of deriving the key from the client_secret would have to be defined by an extension. Symmetric encryption MUST NOT be used by public (non-confidential) Clients because of their inability to keep secrets.

2019-02-28T16:05:01+00:00

Comments (3)

Former user Account Deleted reporter
- edited description
- 2019-02-28T03:34:05+00:00
Brian Campbell repo owner
Given the apparent context of symmetric encryption of the ID Token in OIDC, the first thing I'd look at is how the encryption key is being derived from the client secret and making sure the right key length, hash algorithm, etc. are being used.

The relevant bit from the spec from https://openid.net/specs/openid-connect-core-1_0.html#Encryption is:

Symmetric Encryption

The symmetric encryption key is derived from the client_secret value by using a left truncated SHA-2 hash of the octets of the UTF-8 representation of the client_secret. For keys of 256 or fewer bits, SHA-256 is used; for keys of 257-384 bits, SHA-384 is used; for keys of 385-512 bits, SHA-512 is used. The hash value MUST be left truncated to the appropriate bit length for the AES key wrapping or direct encryption algorithm used, for instance, truncating the SHA-256 hash to 128 bits for A128KW. If a symmetric key with greater than 512 bits is needed, a different method of deriving the key from the client_secret would have to be defined by an extension. Symmetric encryption MUST NOT be used by public (non-confidential) Clients because of their inability to keep secrets.
- 2019-02-28T16:05:01+00:00
Brian Campbell repo owner
- changed status to closed
- 2019-09-25T12:40:17+00:00
Log in to comment