JWE - GCM Authentication Tag in JWE compact format

The JWE spec specifies the compact format as "{JWE Header}.{JWE Encrypted Key}.{JWE Ciphertext}.{JWE Integrity Value}"

For AEAD algorithms such as A(128/256)GCM, the JWE Integrity Value should be the empty string.

According to NIST SP800-38D, the encryption algorithm is as follows :

{{{ Algorithm 4: GCM-AEK (IV, P, A) Prerequisites: approved block cipher CIPH with a 128-bit block size; key K; definitions of supported input-output lengths; supported tag length t associated with the key.

Input: initialization vector IV (whose length is supported); plaintext P (whose length is supported); additional authenticated data A (whose length is supported).

Output: ciphertext C; authentication tag T.

Steps: 1. Let H = CIPHK(0128). 2. Define a block, J0, as follows: If len(IV)=96, then let J0 = IV || 031 ||1. If len(IV) ≠ 96, then let s = 128 ⎡len(IV)/128⎤-len(IV), and let J0=GHASHH(IV||0s+64||[len(IV)]64). 3. Let C=GCTRK(inc32(J0), P). 4. .... (see sp800-38d algorithm 4)

7. Return (C, T). }}}

It doesn't say that C and T is returned as one blob or in some sort of structured data, so it seems that there are 2 separate values returned, C and T. If that is the case, I think C and T should be base64url encoded and used as the JWE CipherText and JWE Integrity Value respectively.

On a side note, the decryption function lists C and T as separate input values, which leads to the assumption that the encryption function produces 2 separate values.

Also, we need to specify the size of T in bits and if any additional authenticated data (A) needs to be added.

We can add some text similar to that used by XML Encryption at http://www.w3.org/TR/2011/CR-xmlenc-core1-20110303/#sec-AES-GCM

Comments (4)