JWE

JSON Web Encryption

Security
Introduced in Rel-15
JSON Web Encryption (JWE) is a standard for encrypting and securing data payloads using JSON-based structures. It provides confidentiality for sensitive information exchanged in 3GPP network APIs, such as user credentials or service parameters, ensuring data privacy and integrity during transmission between network functions.

Description

JSON Web Encryption (JWE) is a data structure representing an encrypted payload using JSON-based serialization, defined by IETF RFC 7516. 3GPP uses it to secure sensitive data in API communications, particularly on the service-based interfaces (SBIs) of the 5G Core. JWE takes a plaintext payload, which can be any octet sequence such as a JSON Web Token (JWT) claim set or other sensitive information, and encrypts it with an authenticated content-encryption algorithm named in the header. The result is a JWE object made of five parts: a protected header, an encrypted key, an initialization vector, the ciphertext (the encrypted payload) and an authentication tag. In the compact serialization these five parts are base64url-encoded without padding and joined with dots; a JSON serialization also exists for multiple recipients or per-recipient unprotected headers.

The protected header carries the metadata needed to process the object: the content-encryption algorithm in the "enc" parameter (e.g., A256GCM, AES-GCM with a 256-bit key) and the key-management algorithm in the "alg" parameter (e.g., RSA-OAEP, which encrypts the content encryption key to the recipient's public key, or "dir", direct encryption with a pre-shared symmetric key). The encrypted key is the content encryption key (CEK) wrapped for the recipient; with direct encryption it is the empty octet sequence, since both sides already hold the CEK. The initialization vector is a per-message nonce and must never repeat under the same CEK (for AES-GCM a repeated IV breaks both confidentiality and integrity), which is one reason key-wrapping modes generate a fresh random CEK for every message. The authentication tag is computed over the ciphertext and the base64url-encoded protected header, which is fed in as additional authenticated data, so neither the payload nor the algorithm identifiers can be altered without detection.

In 3GPP systems, JWE is utilized within protocols like the Network Exposure Function (NEF) API and security frameworks to protect data in transit. For instance, when a third-party application requests user data via an API, the response containing private information can be encapsulated in a JWE so that only the holder of the decryption key can read it. Decryption parses the five segments, decodes the protected header and checks that its "alg" and "enc" values are ones the receiver expects (the header is attacker-controlled input and must not be allowed to select an arbitrary algorithm), unwraps the encrypted key to recover the CEK, and then runs the AEAD decryption with the CEK, the initialization vector, the ciphertext and the encoded header as additional authenticated data. The tag is verified as part of that step, and no plaintext is released if verification fails. This structure allows flexible key management, supporting both symmetric and asymmetric cryptography, and enables interoperability across systems by adhering to IETF RFC 7516, which 3GPP profiles for its specific use cases.
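Worked example of the compact serialization and the decryption procedure described above, added here as an illustration; it is not code from this page or from any 3GPP specification. It uses only Go's standard library and the asymmetric key-management path: "alg" is RSA-OAEP-256 (OAEP with SHA-256, chosen instead of the page's RSA-OAEP identifier because RFC 7518 fixes that one to SHA-1 parameters) and "enc" is A256GCM. Direct ("dir") encryption with a pre-shared key is not implemented. The function names, the Header type and the sample SUPI payload in main are the example's own constructions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Header is the JWE Protected Header, reduced to the two fields used here.
type Header struct {
	Alg string `json:"alg"` // only "RSA-OAEP-256" accepted (OAEP, SHA-256, MGF1-SHA-256; RFC 7518 s4.3)
	Enc string `json:"enc"` // only "A256GCM" accepted (AES-256-GCM, 96-bit IV, 128-bit tag; RFC 7518 s5.3)
}

var b64 = base64.RawURLEncoding // JOSE segments are unpadded base64url

// newGCM builds the A256GCM AEAD from a 256-bit content encryption key.
func newGCM(cek []byte) (cipher.AEAD, error) {
	if len(cek) != 32 {
		return nil, errors.New("A256GCM needs a 256-bit CEK")
	}
	block, _ := aes.NewCipher(cek) // cannot fail: key size checked above
	return cipher.NewGCM(block)
}

// Encrypt builds the RFC 7516 compact serialization protected.encryptedKey.iv.ciphertext.tag:
// a fresh random CEK encrypts the payload and the CEK is wrapped with the recipient's RSA key.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (string, error) {
	hdr, _ := json.Marshal(Header{Alg: "RSA-OAEP-256", Enc: "A256GCM"})
	protected := b64.EncodeToString(hdr)
	cek := make([]byte, 32)
	if _, err := rand.Read(cek); err != nil {
		return "", err
	}
	encKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return "", err
	}
	iv := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	// The AAD is the ASCII base64url header, so alg/enc are covered by the tag too.
	sealed := gcm.Seal(nil, iv, plaintext, []byte(protected))
	ct, tag := sealed[:len(sealed)-gcm.Overhead()], sealed[len(sealed)-gcm.Overhead():]
	return strings.Join([]string{protected, b64.EncodeToString(encKey),
		b64.EncodeToString(iv), b64.EncodeToString(ct), b64.EncodeToString(tag)}, "."), nil
}

// Decrypt reverses Encrypt. The header is attacker-controlled, so alg and enc are checked
// before the private key is used, and gcm.Open verifies the tag before releasing plaintext.
func Decrypt(priv *rsa.PrivateKey, jwe string) ([]byte, error) {
	parts := strings.Split(jwe, ".")
	if len(parts) != 5 {
		return nil, errors.New("compact JWE must have exactly 5 segments")
	}
	var err error
	segs := make([][]byte, 5)
	for i, p := range parts {
		if segs[i], err = b64.DecodeString(p); err != nil {
			return nil, fmt.Errorf("segment %d: %w", i, err)
		}
	}
	var hdr Header
	if err = json.Unmarshal(segs[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RSA-OAEP-256" || hdr.Enc != "A256GCM" {
		return nil, fmt.Errorf("rejected alg=%q enc=%q", hdr.Alg, hdr.Enc)
	}
	encKey, iv, ct, tag := segs[1], segs[2], segs[3], segs[4]
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, encKey, nil)
	if err != nil {
		return nil, errors.New("CEK unwrap failed") // do not leak OAEP error detail
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	if len(iv) != gcm.NonceSize() { // gcm.Open panics on a wrong nonce length
		return nil, errors.New("bad IV length")
	}
	return gcm.Open(nil, iv, append(ct, tag...), []byte(parts[0]))
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	jwe, _ := Encrypt(&priv.PublicKey, []byte(`{"supi":"imsi-001010123456789"}`)) // constructed payload
	pt, err := Decrypt(priv, jwe)
	fmt.Printf("%s\n-> %s (err=%v)\n", jwe, pt, err)
}
```

Decrypt accepts exactly the one alg/enc pair it was written for: a message whose header names anything else is rejected before the private key is touched, and because the encoded header is the GCM additional authenticated data, a header edited to name an accepted algorithm still fails the tag check. Flipping a single ciphertext byte, decrypting with the wrong private key, or supplying four segments instead of five all return an error and no plaintext.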

The role of JWE in the 3GPP ecosystem is to maintain data confidentiality in service-based architectures, where network functions communicate over HTTP/2 interfaces. It integrates with the other JSON-based security standards, JSON Web Signature (JWS) and JSON Web Token (JWT). A JWT containing user claims can be signed with JWS and the resulting JWS then encrypted as a JWE (the nested JWT of RFC 7519, which recommends signing first and encrypting second). The two layers do different jobs: the JWE tag proves the object was not modified after encryption, but with public-key key management anyone holding the recipient's public key could have produced it, so the inner JWS is what authenticates the sender. This layered model is essential in 5G networks to safeguard against eavesdropping and tampering, especially where capabilities are exposed to external applications or traffic crosses operator boundaries under roaming agreements. By standardizing on JWE, 3GPP ensures that encrypted data is processed consistently across diverse implementations while keeping the flexibility and scalability required for modern telecommunications services.

Purpose & Motivation

JWE was introduced in 3GPP to address the growing need for robust data encryption in API-driven network architectures, particularly with the advent of 5G and its service-based core. Prior to its adoption, 3GPP systems relied on traditional security mechanisms like IPsec or TLS for transport security, which provided channel encryption but lacked granular, payload-level confidentiality for specific data elements. This limitation became apparent as networks evolved to expose capabilities to third-party applications and support more dynamic service interactions, where sensitive information—such as user identifiers, location data, or subscription details—needed protection beyond the transport layer. JWE solves this by enabling end-to-end encryption of individual JSON payloads, ensuring that data remains confidential even if intercepted during processing or storage, and allowing selective encryption based on content sensitivity.

The motivation for JWE in 3GPP stems from the shift towards cloud-native, microservices-based designs, where network functions communicate via RESTful APIs. In such environments, data often traverses multiple intermediaries or is stored in caches, making transport-level encryption insufficient for comprehensive security. JWE provides a standardized, interoperable method to encrypt JSON data, aligning with industry best practices from the IETF and enabling seamless integration with web technologies. It addresses specific 3GPP requirements, such as protecting user privacy in network exposure scenarios and securing sensitive parameters in authentication protocols. By incorporating JWE into specifications like 29.573 and 33.938, 3GPP ensures that network APIs can securely handle confidential data, mitigating risks associated with data breaches and regulatory non-compliance, while supporting the flexible, open architectures essential for 5G innovation.

Key Features

  • Payload-level encryption for JSON data structures
  • Support for multiple cryptographic algorithms (e.g., AES-GCM, RSA-OAEP)
  • Flexible key management modes (symmetric and asymmetric)
  • Integrity protection of the ciphertext and the protected header via the AEAD authentication tag
  • JSON-based serialization for interoperability
  • Compatibility with JWT and JWS for layered security

Evolution Across Releases

Rel-15 Initial

Introduced JWE as part of the 5G security framework, initially defined in specifications 29.573 and 33.938. It provided the architecture for encrypting JSON payloads in service-based interfaces, supporting algorithms like A128GCM and RSA-OAEP for confidentiality in network APIs, particularly for protecting sensitive data in NEF exposures and authentication exchanges.

Defining Specifications

Specification   Title
TS 29.573       3GPP TS 29.573
TS 33.938       3GPP TR 33.938