Security Glossary

JSON Web Encryption (JWE)

A standard for encrypting JWT content, providing confidentiality in addition to the integrity protection offered by JWS signatures.

JSON Web Encryption (JWE) is a standard (RFC 7516) for encrypting content to be represented as a JSON-based data structure. While JWS provides integrity and authentication, JWE adds confidentiality by encrypting the payload.

Structure

JWE tokens have five Base64URL-encoded parts:

header.encrypted_key.iv.ciphertext.tag

eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ.
OKOawDo13gRp2ojaHV7LFpZcgV7T6DVZKTyKOMTYUmKoTCVJRgckCL9kiMT03JGe...
48V1_ALb6US04U3b.
5eym8TW_c8SuK0ltJ3rpYI...
XFBoMYUZodetZdvTiFvSkQ

Components

Header: Encryption algorithm (alg) and content encryption (enc)
Encrypted Key: Content encryption key encrypted with recipient's key
IV: Initialization vector for content encryption
Ciphertext: Encrypted payload
Authentication Tag: Integrity protection

Common Algorithms

// Key encryption (alg)
RSA-OAEP, RSA1_5, A256KW, dir

// Content encryption (enc)
A256GCM, A128CBC-HS256

When to Use

Tokens contain sensitive data (PII, secrets)
Payload should not be readable by client
Defense in depth alongside HTTPS

Security Considerations

Choose strong encryption algorithms
Validate algorithm headers to prevent downgrade
Properly manage encryption keys
Consider using nested JWE+JWS for signed encryption

PentesterLab Exercises

JWE Exercises