JWE
cryptography
Full Name: JSON Web Encryption
Definition
JWE (JSON Web Encryption) is an IETF standard defined in RFC 7516 that provides a framework for encrypting arbitrary content using JSON-based data structures. As part of the JOSE family of specifications, JWE enables EUDI Wallet systems to protect sensitive identity data during transmission, ensuring that credentials and personal information remain confidential and can only be decrypted by their intended recipients.
How JWE Encryption Works
JWE uses a two-layer encryption architecture that combines asymmetric and symmetric cryptography for both security and performance. The process begins when the sender generates a random Content Encryption Key (CEK), a symmetric key used to encrypt the actual payload data. The CEK is then wrapped (encrypted) using the recipient's public key through an asymmetric key agreement or key encryption algorithm.
This hybrid approach is essential for EUDI Wallet operations because symmetric encryption (like AES-256-GCM) is fast and efficient for encrypting large payloads, while asymmetric encryption (like ECDH-ES) provides the key management flexibility needed in a multi-party ecosystem. The recipient uses their private key to unwrap the CEK, then uses the CEK to decrypt the payload.
A JWE in compact serialization consists of five Base64URL-encoded parts separated by dots: the JOSE Header (specifying algorithms and key information), the encrypted CEK, the Initialization Vector (IV), the encrypted payload (ciphertext), and the Authentication Tag (which prevents tampering with the encrypted data). Each component plays a critical role in ensuring both confidentiality and integrity.
JWE also supports JSON serialization, which allows multiple recipients to decrypt the same message using different keys. This is useful in EUDI Wallet scenarios where a credential might need to be accessible to multiple authorized systems within an organization.
JWE in EUDI Wallet Communication Flows
In the EUDI Wallet ecosystem, JWE is used in several critical communication flows. During credential issuance via OpenID4VCI, sensitive identity attributes may be encrypted using JWE to protect them from potential interception during transport. This is particularly important when credentials contain high-value personal data like national identification numbers, biometric references, or health information.
During credential presentation via OpenID4VP, JWE can encrypt the authorization request from a verifier to the wallet, preventing observers from determining what credentials are being requested. This protects against surveillance and profiling attempts. The wallet's response containing the requested credential attributes can also be JWE-encrypted for the verifier.
Backend communications between EUDI Wallet infrastructure components also use JWE. Where mTLS provides transport-layer security, JWE adds a layer of application-level encryption, implementing a defense-in-depth strategy that protects sensitive data even if the transport layer is compromised.
Algorithm Selection and Security
The EUDI Wallet Architecture and Reference Framework specifies approved JWE algorithms to ensure consistent security across all implementations. For key management, ECDH-ES (Elliptic Curve Diffie-Hellman Ephemeral Static) with the P-256 curve is the recommended approach, providing forward secrecy since each encryption operation uses a unique ephemeral key pair.
For content encryption, A256GCM (AES-256 in Galois/Counter Mode) is the standard choice, providing authenticated encryption that combines confidentiality and integrity in a single operation. The GCM mode generates an authentication tag that detects any modification to the ciphertext, preventing tampering attacks.
Security best practices for JWE implementation in EUDI Wallets include always validating the algorithm header against an allowlist, using fresh initialization vectors for each encryption operation, verifying the authentication tag before processing decrypted content, and implementing proper key rotation for long-lived encryption keys. These measures protect against known attacks on JSON encryption schemes.
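The five-part compact layout and the allowlist check described above, as an added example that is not part of the original page or of any EUDI reference code: a Python pre-decryption check that rejects a compact JWE before any key operation is attempted. The allowlist contents, the function names and the sample token are assumptions constructed for illustration. The authentication tag itself is still verified by the AES-GCM decryption step, which this check precedes and does not replace.

```python
import base64
import json
import re

# Allowlist built from the algorithms this page names (assumed policy values).
ALLOWED = {"alg": {"ECDH-ES"}, "enc": {"A256GCM"}}
GCM_IV_BYTES, GCM_TAG_BYTES = 12, 16  # 96-bit IV, 128-bit tag (RFC 7518 s5.3)

class JWERejected(ValueError):
    """Token failed a check that runs before any key operation."""

def b64url_decode(part):
    # JOSE Base64URL is unpadded; reject stray characters and impossible lengths.
    if not re.fullmatch(r"[A-Za-z0-9_-]*", part) or len(part) % 4 == 1:
        raise JWERejected("invalid Base64URL")
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def precheck_compact_jwe(token):
    """Return the protected header if the token passes all structural checks."""
    parts = token.split(".")
    if len(parts) != 5:
        raise JWERejected(f"expected 5 parts, got {len(parts)}")
    header_raw, enc_key, iv, ciphertext, tag = map(b64url_decode, parts)
    try:
        header = json.loads(header_raw)
    except ValueError as exc:
        raise JWERejected("header is not valid JSON") from exc
    if not isinstance(header, dict):
        raise JWERejected("header is not a JSON object")
    for name, allowed in ALLOWED.items():
        value = header.get(name)
        if not isinstance(value, str) or value not in allowed:
            raise JWERejected(f"{name} not on allowlist: {value!r}")
    epk = header.get("epk")
    if not isinstance(epk, dict) or (epk.get("kty"), epk.get("crv")) != ("EC", "P-256"):
        raise JWERejected("epk missing or not an EC P-256 key")
    if enc_key:  # direct ECDH-ES carries an empty JWE Encrypted Key (RFC 7518 s4.6)
        raise JWERejected("unexpected encrypted key for direct ECDH-ES")
    if len(iv) != GCM_IV_BYTES or len(tag) != GCM_TAG_BYTES:
        raise JWERejected("IV or tag length wrong for A256GCM")
    return header

def sample_token(alg="ECDH-ES", iv_len=12, tag_len=16):
    # Constructed sample: zero bytes stand in for IV, ciphertext and tag.
    header = {"alg": alg, "enc": "A256GCM", "epk": {"kty": "EC", "crv": "P-256"}}
    fields = [json.dumps(header).encode(), b"", bytes(iv_len), bytes(32), bytes(tag_len)]
    return ".".join(base64.urlsafe_b64encode(f).rstrip(b"=").decode() for f in fields)
```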