adada

Reputation: 1

Pros and cons of JWE Key Management Modes

I've been searching a lot but nothing hit the spot. These are questions about JWE key management.

Scenario:

The server wants to send sensitive data to the client, and it chooses to encrypt the data with a symmetric algorithm using a symmetric key, i.e., a Content Encryption Key (CEK).
The client will retrieve the CEK to decrypt the encrypted data, but the CEK can't be sent as clear text together with the encrypted data, so the CEK will need to be encrypted.

Approach:

The JWE specification defines different key management modes as follows:

  1. Key Wrapping: the CEK is encrypted for the intended recipient using a symmetric encryption algorithm.
    Key Wrapping Diagram

  2. Key Encryption: the CEK is encrypted for the intended recipient using an asymmetric encryption algorithm.
    Key Encryption Diagram

  3. Direct Key Agreement: a key agreement algorithm is used to pick the CEK.
    Direct Key Agreement Diagram

  4. Key Agreement with Key Wrapping: a key agreement algorithm is used to pick a symmetric CEK using a symmetric encryption algorithm.
    Key Agreement with Key Wrapping Diagram

  5. Direct Encryption: a user-defined symmetric shared key is used as the CEK (no key derivation or generation).
    Direct Encryption Diagram

Question:

  1. What are the pros and cons of each mode?
  2. Under what circumstances will each mode be preferable?

Any help or advice would be appreciated, thank you very much.

Upvotes: 0

Views: 459
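
The five modes listed in the question correspond to the `alg` header values registered in RFC 7518. The sketch below is an added example, not part of the original post: it classifies a compact JWE by mode and rejects tokens whose encrypted-key segment is inconsistent with that mode. The names `key_management_mode` and `make_sample` are hypothetical, and the sample tokens are constructed with dummy bytes rather than real ciphertext.

```python
import base64
import json

# alg values from RFC 7518 section 4.1, grouped by the five modes in the question.
# AES-GCM and PBES2 key wrapping use a symmetric key, so they sit under Key Wrapping.
MODES = {
    "Key Wrapping": {"A128KW", "A192KW", "A256KW",
                     "A128GCMKW", "A192GCMKW", "A256GCMKW",
                     "PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW"},
    "Key Encryption": {"RSA1_5", "RSA-OAEP", "RSA-OAEP-256"},
    "Direct Key Agreement": {"ECDH-ES"},
    "Key Agreement with Key Wrapping": {"ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"},
    "Direct Encryption": {"dir"},
}
# In these modes the JWE Encrypted Key segment must be empty (RFC 7516 section 5.2).
NO_ENCRYPTED_KEY = {"Direct Key Agreement", "Direct Encryption"}


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def key_management_mode(compact_jwe):
    # Compact serialization: header.encrypted_key.iv.ciphertext.tag
    parts = compact_jwe.split(".")
    if len(parts) != 5:
        raise ValueError("compact JWE must have exactly five segments")
    header = json.loads(b64url_decode(parts[0]))
    alg = header.get("alg") if isinstance(header, dict) else None
    mode = next((m for m, algs in MODES.items() if isinstance(alg, str) and alg in algs), None)
    if mode is None:
        raise ValueError(f"unknown or missing alg: {alg!r}")
    # An encrypted key must be present exactly when the mode wraps or encrypts the CEK.
    if (mode in NO_ENCRYPTED_KEY) == (parts[1] != ""):
        raise ValueError(f"encrypted key segment does not match mode {mode!r}")
    return mode


def make_sample(alg, encrypted_key):
    # Constructed sample: right shape, dummy bytes instead of real ciphertext.
    header = b64url_encode(json.dumps({"alg": alg, "enc": "A256GCM"}).encode())
    body = [encrypted_key, b"iv", b"ciphertext", b"tag"]
    return ".".join([header] + [b64url_encode(b) for b in body])
```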

Answers (1)

Marco

Reputation: 6675

See this answer for the difference between the key management modes and when to use each.

Upvotes: 0
