Private data is added to an SDMP container using well-known encryption techniques. Decryption of the payload must produce a valid container object.
Encryption
Encrypting an object is done by generating an AES key, encrypting the data to that key, and then encrypting the AES key to the public key of all recipients.
The AES encrypted content is held in the encrypted.payload property, while the RSA encrypted key is held in the key property of the recipient object.
Payload
The payload is an encoded representation of another container object.
Specifically, the payload is the output of the following function:
BASE64URL(ENCRYPT(UTF8(JSON.stringify(SDMP Container))))
The child container is converted to a string, then UTF-8 encoded, then encrypted using the AES key, and then base64url encoded.
Decryption
The RSA encrypted key is decrypted using the recipient's private key, and this key is used to decrypt the AES encrypted content.
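The encryption and decryption steps above, as an added Node.js example that is not part of the SDMP specification or any reference implementation. The page leaves the cipher parameters open, so AES-256-GCM with the 16-byte tag appended to the ciphertext, RSA-OAEP with SHA-256, and the caller-supplied isValidContainer check are assumptions; the outer container's other required properties are omitted.

```javascript
// Added example. Assumed parameters (not fixed by the page):
// AES-256-GCM with the tag appended to the ciphertext, RSA-OAEP with SHA-256.
const crypto = require('crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const b64u = (buf) => buf.toString('base64url');   // unpadded base64url
const unb64u = (str) => Buffer.from(str, 'base64url');

// payload = BASE64URL(ENCRYPT(UTF8(JSON.stringify(child)))), one wrapped key per recipient.
function encryptContainer(child, recipientPublicKeys) {
  const aesKey = crypto.randomBytes(32);           // fresh key per container
  const iv = crypto.randomBytes(12);               // fresh IV per container
  const cipher = crypto.createCipheriv('aes-256-gcm', aesKey, iv);
  const plaintext = Buffer.from(JSON.stringify(child), 'utf8');
  const payload = Buffer.concat([cipher.update(plaintext), cipher.final(), cipher.getAuthTag()]);
  return {
    encrypted: {
      iv: b64u(iv),
      payload: b64u(payload),
      recipients: recipientPublicKeys.map((pub) => ({
        key: b64u(crypto.publicEncrypt({ key: pub, ...OAEP }, aesKey)),
      })),
    },
  };
}

// Tries each recipient entry with our private key; returns the child container or throws.
// isValidContainer is a hypothetical validator for the container specification.
function decryptContainer(container, privateKey, isValidContainer) {
  const { iv, payload, recipients } = container.encrypted;
  const data = unb64u(payload);
  const body = data.subarray(0, data.length - 16);
  const tag = data.subarray(data.length - 16);
  for (const r of recipients) {
    try {
      const aesKey = crypto.privateDecrypt({ key: privateKey, ...OAEP }, unb64u(r.key));
      const d = crypto.createDecipheriv('aes-256-gcm', aesKey, unb64u(iv));
      d.setAuthTag(tag);
      const text = Buffer.concat([d.update(body), d.final()]).toString('utf8');
      const child = JSON.parse(text);
      if (!isValidContainer(child)) throw new Error('payload is not a valid container');
      return child;
    } catch (e) { /* not our entry, tampered, or invalid: try the next entry */ }
  }
  throw new Error('no recipient entry decrypts to a valid container');
}
```

A receiver should treat a thrown error as a rejected container and never act on partially decrypted output.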
Description
This object is an extension of the container object, so it must also have all properties required in the container object specifications.
In addition, the object also has the following properties:
encrypted (object, required)
This object holds a signed string, which is the string representation of a valid container object.
This object contains the following properties:
encrypted.iv (string, required)
Initialization vector whose octets are unpadded base64url encoded.
encrypted.payload (string)
The encrypted content, whose octets are unpadded base64url encoded.
The encrypted content must be the JSON.stringify output of a fully valid container object.
encrypted.recipients (array of objects, required)
Contains per-recipient information.
encrypted.recipients[].key (string, required)
Contains the key, encrypted to the recipient's public key, whose octets are unpadded base64url encoded.
JWE Parameters
Describe crypto requirements for JWE object here.