Nested JWS + JWE vs JWE with Authenticated Encryption


Problem

I want to sign and encrypt (effectively, obfuscate) some information ('token') on my server (a trusted environment) and send the ciphertext to a client machine (a not quite trusted environment) to be read and verified by my client-side software. This type of environment allows me to have a private key on the server for asymmetric signing, but I cannot 'hide' a secret key for symmetric signing on the client side.

Alternatives

I chose to use JWT as a standard and the Nimbus JOSE+JWT library as an implementation for signing and encryption. The Nimbus library provides two options for sign + encrypt: nest a JWS into a JWE, or use a JWE with an authenticated encryption algorithm (A128CBC_HS256, A192CBC_HS384, or A256CBC_HS512). The Algorithm Selection Guide for Nimbus states:

Encryption in JOSE is always authenticated, meaning that ciphertext’s integrity is protected from tampering. Authenticated encryption thus makes nesting an HMAC JWT inside a JSON Web Encryption (JWE) redundant; use just JWE encryption.

However, AxxxCBC_HSxxx encryption methods use only symmetric keys. Additionally, replacing the direct JWE algorithm with an RSA JWE algorithm should not help, because an abuser can generate a CEK (consisting of an encryption key and a key for HMAC) themselves and encrypt it with a public key.

Question

Despite the quote about the redundancy of nested JWTs, I concluded that, for my case, JWE+JWS nesting is the only workable approach. Am I right?

Best answer

Clarifications

Every content encryption algorithm (AxxxGCM and AxxxCBC_HSxxx) uses a symmetric key (CEK). This key is determined by the key encryption algorithm and its key management mode (random CEK, key agreement, direct key...).

You are right, contrary to the AxxxGCM algorithms, the AxxxCBC algorithms are not authenticated encryption algorithms. However, RFC 7516 section 5.1 item 15 (the specification for JWE) introduces a tag that allows authenticating the ciphertext and protecting the integrity of the protected header (that is why the AxxxCBC algorithm is used with the HSxxx).

This is confirmed by the table in RFC 7518 section 5.1. Details are given in the next section.

In any case, you will need 2 algorithms for JWE computation:

  • The key encryption algorithm: you mentioned you have an asymmetric key, so I guess you will choose an RSA or an ECDH-ES algorithm depending on your key type.
  • The content encryption key: AxxxGCM or AxxxCBC_HSxxx algorithms. With the JWE specification, both offer authenticated encryption. Personally, I prefer AxxxGCM algorithms because they are faster in my environment.

Answer

You indicated that you want to sign and encrypt, but you cannot hide a secret key on the client side, thus the signature will not be guaranteed.

If you only encrypt (JWE only), your server will not be able to verify the issuer of the token.
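
The nesting the question asks about, as an added example that is not part of the original question or answer: an RS256-signed JWT wrapped in an RSA-OAEP-256 / A256GCM JWE with Nimbus JOSE+JWT, where the client accepts a token only if the inner signature verifies against the server's public key. The keys, key IDs, claim values and the `sign`/`seal`/`accept` helper names are assumptions made for illustration, as is the client holding an RSA decryption key.

```java
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.*;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

public class NestedJwtDemo {
    // Server side: sign the claims with a private RSA key (asymmetric JWS).
    static SignedJWT sign(RSAKey signingKey, String subject) throws JOSEException {
        SignedJWT jwt = new SignedJWT(
            new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(signingKey.getKeyID()).build(),
            new JWTClaimsSet.Builder().issuer("example-server").subject(subject).build());
        jwt.sign(new RSASSASigner(signingKey));
        return jwt;
    }

    // Wrap the signed JWT in a JWE addressed to the client's public key.
    static String seal(SignedJWT inner, RSAKey clientPublic) throws JOSEException {
        JWEObject jwe = new JWEObject(
            new JWEHeader.Builder(JWEAlgorithm.RSA_OAEP_256, EncryptionMethod.A256GCM)
                .contentType("JWT") // marks the payload as a nested JWT
                .build(),
            new Payload(inner));
        jwe.encrypt(new RSAEncrypter(clientPublic));
        return jwe.serialize();
    }

    // Client side: decrypt, then accept only if the inner signature verifies.
    static boolean accept(String token, RSAKey clientKey, RSAKey serverPublic) throws Exception {
        JWEObject jwe = JWEObject.parse(token);
        // The JWE tag check passes for any sender that used the client's public key.
        jwe.decrypt(new RSADecrypter(clientKey));
        SignedJWT inner = jwe.getPayload().toSignedJWT(); // null if payload is not a JWS
        return inner != null && inner.verify(new RSASSAVerifier(serverPublic));
    }

    public static void main(String[] args) throws Exception {
        // Constructed keys: server signing key, client decryption key, unrelated third key.
        RSAKey server = new RSAKeyGenerator(2048).keyID("server-sig").generate();
        RSAKey client = new RSAKeyGenerator(2048).keyID("client-enc").generate();
        RSAKey other = new RSAKeyGenerator(2048).keyID("other").generate();

        String genuine = seal(sign(server, "token-1"), client.toPublicJWK());
        String foreign = seal(sign(other, "token-1"), client.toPublicJWK());

        System.out.println("genuine accepted: " + accept(genuine, client, server.toPublicJWK()));
        System.out.println("foreign accepted: " + accept(foreign, client, server.toPublicJWK()));
    }
}
```

Both tokens decrypt cleanly on the client; only the inner RS256 check separates the one signed by the server's key from the one signed by the unrelated key.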