Annexure B – Application Layer Security – JWS Signature

Cryptographic Standard algorithms: JSON Web Signature (JWS)

JWS Protected Header

Description: Produce JWS header parameters which define how the signature is created

Claims

Mandatory(M)/ Optional(O)

Description

"b64":" false

Determines whether payload data is b64 encoded or not.

“kid”: "…."

Determine the signer certificate to verify the signature

"x5t#S256": "…."

Hash of signing certificate. It means digest of the X.509 signing certificate using SHA 256.

"crit":["b64"]

Non-standard (i.e., not defined in RFC 7515) JWS header parameters which are critical

"alg": "RS256"

Signature algorithm

Note: This is shown below in a pretty print layout. It will be sent as a single string without line brakes or extra spaces. Escape characters are not used.

Disclaimer: These examples should not be taken as reference point for implementations of the AA JWS profile. They are based on a single implementation and have not been tested for correctness against other implementations.

JSON Web Signature Standard Algorithm

Note: RS256 is the currently adopted algorithm by all AAs for interoperability purpose.

"alg" Param

Digital Signature or MAC Algorithm

Implementation Requirements

HS256

HMAC using SHA-256

Required

HS384

HMAC using SHA-384

Optional

HS512

MAC using SHA-512

Optional

RS256

RSASSA-PKCS1-v1_5 using SHA 256

Recommended

RS384

RSASSA-PKCS1-v1_5 using SHA 384

Optional

RS512

RSASSA-PKCS1-v1_5 using SHA 512

Optional

ES256

ECDSA using P-256 and SHA-256

Recommended

ES384

ECDSA using P-256 and SHA-384

Optional

ES512

ECDSA using P-256 and SHA-512

Optional

PreviousAnnexure A – Business Layer Security – End-to-End Encryption NextAnnexure C – Protocol Layer security – Payload Encryption using TLSv1.2

Last updated 3 years ago

Was this helpful?