JSON Web Encryption

JSON Web Encryption (JWE) is an IETF standard providing a standardised syntax for the exchange of encrypted data, based on JSON and Base64.^[1] It is defined by RFC 7516. Along with JSON Web Signature (JWS), it is one of the two possible formats of a JWT (JSON Web Token). JWE forms part of the JavaScript Object Signing and Encryption (JOSE) suite of protocols.^[2]

JSON Web Encryption

JSON Web Encryption (JWE)
Abbreviation	JWE
Status	Proposed
Year started	16 January 2012 (2012-01-16)
First published	16 January 2012 (2012-01-16)
Latest version	May 2015
Organization	IETF
Series	JOSE
Authors	Michael Jones Joe Hildebrand
Domain	Encryption, authentication
Website	datatracker.ietf.org/doc/html/rfc7516

Vulnerabilities

In March 2017, a serious flaw was discovered in many popular implementations of JWE, the invalid curve attack.^[3]

One implementation of an early (pre-finalised) version of JWE also suffered from Bleichenbacher’s attack.^[4]