PASETO RFC - draft-00

Submitted on: 2018-04-19


        



(No Working Group)                                        S. Arciszewski
Internet-Draft                            Paragon Initiative Enterprises
Intended status: Informational                              S. Haussmann
Expires: October 21, 2018               Rensselaer Polytechnic Institute
                                                          April 19, 2018


               PASETO: Platform-Agnostic SEcurity TOkens
                      draft-paragon-paseto-rfc-00

Abstract

   Platform-Agnostic SEcurity TOkens (PASETOs) provide a
   cryptographically secure, compact, and URL-safe representation of
   claims that may be transferred between two parties.  The claims are
   encoded in JavaScript Object Notation (JSON), version-tagged, and
   either encrypted using shared-key cryptography or signed using
   public-key cryptography.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 21, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of



Arciszewski & Haussmann Expires October 21, 2018                [Page 1]

Internet-Draft                                                April 2018


   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Difference Between PASETO and JOSE  . . . . . . . . . . .   3
     1.2.  Notation and Conventions  . . . . . . . . . . . . . . . .   3
   2.  PASETO Message Format . . . . . . . . . . . . . . . . . . . .   3
     2.1.  Base64 Encoding . . . . . . . . . . . . . . . . . . . . .   4
     2.2.  Authentication Padding  . . . . . . . . . . . . . . . . .   4
       2.2.1.  PAE Definition  . . . . . . . . . . . . . . . . . . .   5
   3.  Protocol Versions . . . . . . . . . . . . . . . . . . . . . .   6
     3.1.  PASETO Protocol Guidelines  . . . . . . . . . . . . . . .   6
   4.  PASETO Protocol Version v1  . . . . . . . . . . . . . . . . .   7
     4.1.  v1.local  . . . . . . . . . . . . . . . . . . . . . . . .   7
     4.2.  v1.public . . . . . . . . . . . . . . . . . . . . . . . .   8
     4.3.  Version v1 Algorithms . . . . . . . . . . . . . . . . . .   8
       4.3.1.  v1.GetNonce . . . . . . . . . . . . . . . . . . . . .   8
       4.3.2.  v1.Encrypt  . . . . . . . . . . . . . . . . . . . . .   8
       4.3.3.  v1.Decrypt  . . . . . . . . . . . . . . . . . . . . .   9
       4.3.4.  v1.Sign . . . . . . . . . . . . . . . . . . . . . . .  11
       4.3.5.  v1.Verify . . . . . . . . . . . . . . . . . . . . . .  12
   5.  PASETO Protocol Version v2  . . . . . . . . . . . . . . . . .  13
     5.1.  v2.local  . . . . . . . . . . . . . . . . . . . . . . . .  13
     5.2.  v2.public . . . . . . . . . . . . . . . . . . . . . . . .  13
     5.3.  Version v2 Algorithms . . . . . . . . . . . . . . . . . .  13
       5.3.1.  v2.Encrypt  . . . . . . . . . . . . . . . . . . . . .  13
       5.3.2.  v2.Decrypt  . . . . . . . . . . . . . . . . . . . . .  14
       5.3.3.  v2.Sign . . . . . . . . . . . . . . . . . . . . . . .  15
       5.3.4.  v2.Verify . . . . . . . . . . . . . . . . . . . . . .  16
   6.  Payload Processing  . . . . . . . . . . . . . . . . . . . . .  16
     6.1.  Registered Claims . . . . . . . . . . . . . . . . . . . .  17
       6.1.1.  Key-ID Support  . . . . . . . . . . . . . . . . . . .  17
   7.  AEAD_XChaCha20_Poly1305 . . . . . . . . . . . . . . . . . . .  18
     7.1.  Motivation for XChaCha20-Poly1305 . . . . . . . . . . . .  19
     7.2.  HChaCha20 . . . . . . . . . . . . . . . . . . . . . . . .  19
       7.2.1.  Test Vector for the HChaCha20 Block Function  . . . .  20
   8.  Intended Use-Cases for PASETO . . . . . . . . . . . . . . . .  20
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .  21
   10. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  22
   11. References  . . . . . . . . . . . . . . . . . . . . . . . . .  22
     11.1.  Normative References . . . . . . . . . . . . . . . . . .  22
     11.2.  URIs . . . . . . . . . . . . . . . . . . . . . . . . . .  24
   Appendix A.  PASETO Test Vectors  . . . . . . . . . . . . . . . .  24
     A.1.  PASETO v1 Test Vectors  . . . . . . . . . . . . . . . . .  25
       A.1.1.  v1.local (Shared-Key Encryption) Test Vectors . . . .  25
       A.1.2.  v1.public (Public-Key Authentication) Test Vectors  .  27



Arciszewski & Haussmann Expires October 21, 2018                [Page 2]

Internet-Draft                                                April 2018


     A.2.  PASETO v2 Test Vectors  . . . . . . . . . . . . . . . . .  29
       A.2.1.  v2.local (Shared-Key Encryption) Test Vectors . . . .  29
       A.2.2.  v2.public (Public-Key Authentication) Test Vectors  .  31
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  31

1.  Introduction

   A Platform-Agnostic SEcurity TOken (PASETO) is a cryptographically
   secure, compact, and URL-safe representation of claims intended for
   space-constrained environments such as HTTP Cookies, HTTP
   Authorization headers, and URI query parameters.  A PASETO encodes
   claims to be transmitted in a JSON [RFC8259] object, and is either
   encrypted symmetrically or signed using public-key cryptography.

1.1.  Difference Between PASETO and JOSE

   The key difference between PASETO and the JOSE family of standards
   (JWS [RFC7516], JWE [RFC7517], JWK [RFC7518], JWA [RFC7518], and JWT
   [RFC7519]) is that JOSE allows implementors and users to mix and
   match their own choice of cryptographic algorithms (specified by the
   "alg" header in JWT), while PASETO has clearly defined protocol
   versions to prevent unsafe configurations from being selected.

   PASETO is defined in two pieces:

   1.  The PASETO Message Format, defined in Section 2

   2.  The PASETO Protocol Version, defined in Section 3

1.2.  Notation and Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  PASETO Message Format

   PASETOs consist of three or four segments, separated by a period (the
   ASCII character whose number, represented in hexadecimal, is 2E).

   Without the Optional Footer:

                          version.purpose.payload

   With the Optional Footer:

                      version.purpose.payload.footer




Arciszewski & Haussmann Expires October 21, 2018                [Page 3]

Internet-Draft                                                April 2018


   If no footer is provided, implementations SHOULD NOT append a
   trailing period to each payload.

   The *version* is a string that represents the current version of the
   protocol.  Currently, two versions are specified, which each possess
   their own ciphersuites.  Accepted values: *v1*, *v2*.

   The *purpose* is a short string describing the purpose of the token.
   Accepted values: *local*, *public*.

   o  *local*: shared-key authenticated encryption

   o  *public*: public-key digital signatures; *not encrypted*

   The *payload* is a string that contains the token's data.  In a
   "local" token, this data is encrypted with a symmetric cipher.  In a
   "public" token, this data is _unencrypted_.

   Any optional data can be appended to the *footer*. This data is
   authenticated through inclusion in the calculation of the
   authentication tag along with the header and payload.  The *footer*
   MUST NOT be encrypted.

2.1.  Base64 Encoding

   The payload and footer in a PASETO MUST be encoded using base64url as
   defined in [RFC4648], without "=" padding.

   In this document. "b64()" refers to this unpadded variant of
   base64url.

2.2.  Authentication Padding

   Multi-part messages (e.g. header, content, footer) are encoded in a
   specific manner before being passed to the appropriate cryptographic
   function.

   In "local" mode, this encoding is applied to the additional
   associated data (AAD).  In "public" mode, which is not encrypted,
   this encoding is applied to the components of the token, with respect
   to the protocol version being followed.

   We will refer to this process as *PAE* in this document (short for
   Pre-Authentication Encoding).







Arciszewski & Haussmann Expires October 21, 2018                [Page 4]

Internet-Draft                                                April 2018


2.2.1.  PAE Definition

   "PAE()" accepts an array of strings.

   "LE64()" encodes a 64-bit unsigned integer into a little-endian
   binary string.  The most significant bit MUST be set to 0 for
   interoperability with programming languages that do not have unsigned
   integer support.

   The first 8 bytes of the output will be the number of pieces.
   Currently, this will be 3 or 4.  This is calculated by applying
   "LE64()" to the size of the array.

   Next, for each piece provided, the length of the piece is encoded via
   "LE64()" and prefixed to each piece before concatenation.

              function LE64(n) {
                  var str = '';
                  for (var i = 0; i < 8; ++i) {
                      if (i === 7) {
                          n &= 127;
                      }
                      str += String.fromCharCode(n & 255);
                      n = n >>> 8;
                  }
                  return str;
              }
              function PAE(pieces) {
                  if (!Array.isArray(pieces)) {
                      throw TypeError('Expected an array.');
                  }
                  var count = pieces.length;
                  var output = LE64(count);
                  for (var i = 0; i < count; i++) {
                      output += LE64(pieces[i].length);
                      output += pieces[i];
                  }
                  return output;
              }

      JavaScript implementation of Pre-Authentication Encoding (PAE)

   As a consequence:

   o  "PAE([])" will always return "\x00\x00\x00\x00\x00\x00\x00\x00"

   o  "PAE([''])" will always return
      "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"



Arciszewski & Haussmann Expires October 21, 2018                [Page 5]

Internet-Draft                                                April 2018


   o  "PAE(['test'])" will always return "\x01\x00\x00\x00\x00\x00\x00\x
      00\x04\x00\x00\x00\x00\x00\x00\x00test"

   o  "PAE('test')" will throw a "TypeError"

   As a result, partially controlled plaintext cannot be used to create
   a collision.  Either the number of pieces will differ, or the length
   of one of the fields (which is prefixed to user-controlled input)
   will differ, or both.

   Due to the length being expressed as an unsigned 64-bit integer, it
   is infeasible to encode enough data to create an integer overflow.

   This is not used to encode data prior to decryption, and no decoding
   function is provided or specified.  This merely exists to prevent
   canonicalization attacks.

3.  Protocol Versions

   This document defines two protocol versions, *v1* and *v2*.

   Each protocol version strictly defines the cryptographic primitives
   used.  Changes to the primitives requires new protocol versions.
   Future RFCs MAY introduce new PASETO protocol versions by continuing
   the convention (e.g. *v3*, *v4*, ...).

   Both *v1* and *v2* provide authentication of the entire PASETO
   message, including the *version*, *purpose*, *payload*, and *footer*.

   The initial recommendation is to use *v2*, allowing for upgrades to
   possible future versions *v3*, *v4*, etc. when they are defined in
   the future.

3.1.  PASETO Protocol Guidelines

   When defining future protocol versions, the following rules SHOULD or
   MUST be followed:

   1.  Everything in a token MUST be authenticated.  Attackers should
       never be allowed the opportunity to alter messages freely.

       *  If encryption is specified, unauthenticated modes (e.g.  AES-
          CBC without a MAC) are forbidden.

       *  The nonce or initialization vector must be covered by the
          authentication tag, not just the ciphertext.

   2.  Some degree of nonce-misuse resistance SHOULD be provided:



Arciszewski & Haussmann Expires October 21, 2018                [Page 6]

Internet-Draft                                                April 2018


       *  Supporting larger nonces (longer than 128-bit) is sufficient
          for satisfying this requirement, provided the nonce is
          generated by a cryptographically secure random number
          generator, such as */dev/urandom* on Linux.

       *  Key-splitting and including an additional HKDF salt as part of
          the nonce is sufficient for this requirement.

       *  Hashing the plaintext payload with the random nonce is an
          acceptable strategy for mitigating random number generator
          failures, but a secure random number generator SHOULD be used
          even with this safeguard in place.

   3.  Non-deterministic, stateful, and otherwise dangerous signature
       schemes (e.g.  ECDSA without deterministic signatures as in
       [RFC6979], XMSS) are forbidden from all PASETO protocols.

   4.  Public-key cryptography MUST be IND-CCA2 secure to be considered
       for inclusion.

       *  This means that RSA with PKCS1v1.5 padding and unpadded RSA
          MUST NOT ever be used in a PASETO protocol.

4.  PASETO Protocol Version v1

   Version *v1* is a compatibility mode composed of cryptographic
   primitives likely available on legacy systems. *v1* SHOULD NOT be
   used when all systems are able to use *v2*. *v1* MAY be used when
   compatibility requirements include systems unable to use
   cryptographic primitives from *v2*.

   *v1* messages MUST use a *purpose* value of either *local* or
   *public*.

4.1.  v1.local

   *v1.local* messages SHALL be encrypted and authenticated with *AES-
   256-CTR* (AES-CTR from [RFC3686] with a 256-bit key) and *HMAC-SHA-
   384* ([RFC4231]), using an *Encrypt-then-MAC* construction.

   Encryption and authentication keys are split from the original key
   and half the nonce, facilitated by HKDF [RFC5869] using SHA384.

   Refer to the operations defined in *v1.Encrypt* and *v1.Decrypt* for
   a formal definition.






Arciszewski & Haussmann Expires October 21, 2018                [Page 7]

Internet-Draft                                                April 2018


4.2.  v1.public

   *v1.public* messages SHALL be signed using RSASSA-PSS as defined in
   [RFC8017], with 2048-bit private keys.  These messages provide
   authentication but do not prevent the contents from being read,
   including by those without either the *public key* or the *private
   key*. Refer to the operations defined in *v1.Sign* and *v1.Verify*
   for a formal definition.

4.3.  Version v1 Algorithms

4.3.1.  v1.GetNonce

   Given a message ("m") and a nonce ("n"):

   1.  Calculate HMAC-SHA384 of the message "m" with "n" as the key.

   2.  Return the leftmost 32 bytes of step 1.

4.3.2.  v1.Encrypt

   Given a message "m", key "k", and optional footer "f" (which defaults
   to empty string):

   1.  Set header "h" to "v1.local."

   2.  Generate 32 random bytes from the OS's CSPRNG.

   3.  Calculate "GetNonce()" of "m" and the output of step 2 to get the
       nonce, "n".

       *  This step is to ensure that an RNG failure does not result in
          a nonce-misuse condition that breaks the security of our
          stream cipher.

   4.  Split the key ("k") into an Encryption key ("Ek") and an
       Authentication key ("Ak"), using the leftmost 16 bytes of "n" as
       the HKDF salt.  (See below for pseudocode.)

       *  For encryption keys, the *info* parameter for HKDF MUST be set
          to *paseto-encryption-key*.

       *  For authentication keys, the *info* parameter for HKDF MUST be
          set to *paseto-auth-key-for-aead*.

       *  The output length MUST be 32 for both keys.





Arciszewski & Haussmann Expires October 21, 2018                [Page 8]

Internet-Draft                                                April 2018


   5.  Encrypt the message using "AES-256-CTR", using "Ek" as the key
       and the rightmost 16 bytes of "n" as the nonce.  We'll call this
       "c".  (See below for pseudocode.)

   6.  Pack "h", "n", "c", and "f" together (in that order) using PAE
       (see Section 2.2).  We'll call this "preAuth".

   7.  Calculate HMAC-SHA-384 of the output of "preAuth", using "Ak" as
       the authentication key.  We'll call this "t".

   8.  If "f" is:

       *  Empty: return h || b64(n || c || t)

       *  Non-empty: return h || b64(n || c || t) || "." || b64(f)

       *  ...where || means "concatenate"

   Example code:

                   Ek = hkdf_sha384(
                      len = 32
                      ikm = k,
                      info = "paseto-encryption-key",
                      salt = n[0:16]
                   );
                   Ak = hkdf_sha384(
                      len = 32
                      ikm = k,
                      info = "paseto-auth-key-for-aead",
                      salt = n[0:16]
                   );

              Step 4: Key splitting with HKDF-SHA384 as per .

                          c = aes256ctr_encrypt(
                              plaintext = m,
                              nonce = n[16:]
                              key = Ek
                          );

               Step 5: PASETO v1 encryption (calculating c)

4.3.3.  v1.Decrypt

   Given a message "m", key "k", and optional footer "f" (which defaults
   to empty string):




Arciszewski & Haussmann Expires October 21, 2018                [Page 9]

Internet-Draft                                                April 2018


   1.  If "f" is not empty, implementations MAY verify that the value
       appended to the token matches some expected string "f", provided
       they do so using a constant-time string compare function.

   2.  Verify that the message begins with "v1.local.", otherwise throw
       an exception.  This constant will be referred to as "h".

   3.  Decode the payload ("m" sans "h", "f", and the optional trailing
       period between "m" and "f") from b64 to raw binary.  Set:

       *  "n" to the leftmost 32 bytes

       *  "t" to the rightmost 48 bytes

       *  "c" to the middle remainder of the payload, excluding "n" and
          "t"

   4.  Split the key ("k") into an Encryption key ("Ek") and an
       Authentication key ("Ak"), using the leftmost 16 bytes of "n" as
       the HKDF salt.  (See below for pseudocode.)

       *  For encryption keys, the *info* parameter for HKDF MUST be set
          to *paseto-encryption-key*.

       *  For authentication keys, the *info* parameter for HKDF MUST be
          set to *paseto-auth-key-for-aead*.

       *  The output length MUST be 32 for both keys.

   5.  Pack "h", "n", "c", and "f" together (in that order) using PAE
       (see Section 2.2).  We'll call this "preAuth".

   6.  Recalculate HMAC-SHA-384 of "preAuth" using "Ak" as the key.
       We'll call this "t2".

   7.  Compare "t" with "t2" using a constant-time string compare
       function.  If they are not identical, throw an exception.

   8.  Decrypt "c" using "AES-256-CTR", using "Ek" as the key and the
       rightmost 16 bytes of "n" as the nonce, and return this value.

   Example code:









Arciszewski & Haussmann Expires October 21, 2018               [Page 10]

Internet-Draft                                                April 2018


                   Ek = hkdf_sha384(
                      len = 32
                      ikm = k,
                      info = "paseto-encryption-key",
                      salt = n[0:16]
                   );
                   Ak = hkdf_sha384(
                      len = 32
                      ikm = k,
                      info = "paseto-auth-key-for-aead",
                      salt = n[0:16]
                   );

              Step 4: Key splitting with HKDF-SHA384 as per .

                         return aes256ctr_decrypt(
                            cipherext = c,
                            nonce = n[16:]
                            key = Ek
                         );

                       Step 8: PASETO v1 decryption

4.3.4.  v1.Sign

   Given a message "m", 2048-bit RSA secret key "sk", and optional
   footer "f" (which defaults to empty string):

   1.  Set "h" to "v1.public."

   2.  Pack "h", "m", and "f" together (in that order) using PAE (see
       Section 2.2).  We'll call this "m2".

   3.  Sign "m2" using RSA with the private key "sk".  We'll call this
       "sig".  The padding mode MUST be RSASSA-PSS [RFC8017]; PKCS1v1.5
       is explicitly forbidden.  The public exponent "e" MUST be 65537.
       The mask generating function MUST be MGF1+SHA384.  The hash
       function MUST be SHA384.  (See below for pseudocode.)

   4.  If "f" is:

       *  Empty: return h || b64(m || sig)

       *  Non-empty: return h || b64(m || sig) || "." || b64(f)

       *  ...where || means "concatenate"





Arciszewski & Haussmann Expires October 21, 2018               [Page 11]

Internet-Draft                                                April 2018


                        sig = crypto_sign_rsa(
                           message = m2,
                           private_key = sk,
                           padding_mode = "pss",
                           public_exponent = 65537,
                           hash = "sha384"
                           mgf = "mgf1+sha384"
                        );

           Pseudocode: RSA signature algorithm used in PASETO v1

4.3.5.  v1.Verify

   Given a signed message "sm", RSA public key "pk", and optional footer
   "f" (which defaults to empty string):

   1.  If "f" is not empty, implementations MAY verify that the value
       appended to the token matches some expected string "f", provided
       they do so using a constant-time string compare function.

   2.  Verify that the message begins with "v1.public.", otherwise throw
       an exception.  This constant will be referred to as "h".

   3.  Decode the payload ("sm" sans "h", "f", and the optional trailing
       period between "m" and "f") from b64 to raw binary.  Set:

       *  "s" to the rightmost 256 bytes

       *  "m" to the leftmost remainder of the payload, excluding "s"

   4.  Pack "h", "m", and "f" together (in that order) using PAE (see
       Section 2.2).  We'll call this "m2".

   5.  Use RSA to verify that the signature is valid for the message.
       The padding mode MUST be RSASSA-PSS [RFC8017]; PKCS1v1.5 is
       explicitly forbidden.  The public exponent "e" MUST be 65537.
       The mask generating function MUST be MGF1+SHA384.  The hash
       function MUST be SHA384.  (See below for pseudocode.)

   6.  If the signature is valid, return "m".  Otherwise, throw an
       exception.










Arciszewski & Haussmann Expires October 21, 2018               [Page 12]

Internet-Draft                                                April 2018


                      valid = crypto_sign_rsa_verify(
                          signature = s,
                          message = m2,
                          public_key = pk,
                          padding_mode = "pss",
                          public_exponent = 65537,
                          hash = "sha384"
                          mgf = "mgf1+sha384"
                      );

            Pseudocode: RSA signature validation for PASETO v1

5.  PASETO Protocol Version v2

   Version *v2* is the RECOMMENDED protocol version. *v2* SHOULD be used
   in preference to *v1*. Applications using PASETO SHOULD only support
   *v2* messages, but MAY support *v1* messages if the cryptographic
   primitives used in *v2* are not available on all machines.

   *v2* messages MUST use a *purpose* value of either *local* or
   *public*.

5.1.  v2.local

   *v2.local* messages MUST be encrypted with XChaCha20-Poly1305, a
   variant of ChaCha20-Poly1305 [RFC7539] defined in Section 7.  Refer
   to the operations defined in *v2.Encrypt* and *v2.Decrypt* for a
   formal definition.

5.2.  v2.public

   *v2.public* messages MUST be signed using Ed25519 [RFC8032] public
   key signatures.  These messages provide authentication but do not
   prevent the contents from being read, including by those without
   either the *public key* or the *private key*. Refer to the operations
   defined in *v2.Sign* and *v2.Verify* for a formal definition.

5.3.  Version v2 Algorithms

5.3.1.  v2.Encrypt

   Given a message "m", key "k", and optional footer "f".

   1.  Set header "h" to "v2.local."

   2.  Generate 24 random bytes from the OS's CSPRNG.





Arciszewski & Haussmann Expires October 21, 2018               [Page 13]

Internet-Draft                                                April 2018


   3.  Calculate BLAKE2b of the message "m" with the output of step 2 as
       the key, with an output length of 24.  This will be our nonce,
       "n".

       *  This step is to ensure that an RNG failure does not result in
          a nonce-misuse condition that breaks the security of our
          stream cipher.

   4.  Pack "h", "n", and "f" together (in that order) using PAE (see
       Section 2.2).  We'll call this "preAuth".

   5.  Encrypt the message using XChaCha20-Poly1305, using an AEAD
       interface such as the one provided in libsodium.  (See below for
       pseudocode.)

   6.  If "f" is:

       *  Empty: return h || b64(n || c)

       *  Non-empty: return h || b64(n || c) || "." || base64url(f)

       *  ...where || means "concatenate"

                c = crypto_aead_xchacha20poly1305_encrypt(
                    message = m
                    aad = preAuth
                    nonce = n
                    key = k
                );

               Step 5: PASETO v2 encryption (calculating c)

5.3.2.  v2.Decrypt

   Given a message "m", key "k", and optional footer "f".

   1.  If "f" is not empty, implementations MAY verify that the value
       appended to the token matches some expected string "f", provided
       they do so using a constant-time string compare function.

   2.  Verify that the message begins with "v2.local.", otherwise throw
       an exception.  This constant will be referred to as "h".

   3.  Decode the payload ("m" sans "h", "f", and the optional trailing
       period between "m" and "f") from base64url to raw binary.  Set:

       *  "n" to the leftmost 24 bytes




Arciszewski & Haussmann Expires October 21, 2018               [Page 14]

Internet-Draft                                                April 2018


       *  "c" to the middle remainder of the payload, excluding "n".

   4.  Pack "h", "n", and "f" together (in that order) using PAE (see
       Section 2.2).  We'll call this "preAuth"

   5.  Decrypt "c" using "XChaCha20-Poly1305", store the result in "p".
       (See below for pseudocode.)

   6.  If decryption failed, throw an exception.  Otherwise, return "p".

                p = crypto_aead_xchacha20poly1305_decrypt(
                    ciphertext = c
                    aad = preAuth
                    nonce = n
                    key = k
                );

                       Step 8: PASETO v2 decryption

5.3.3.  v2.Sign

   Given a message "m", Ed25519 secret key "sk", and optional footer "f"
   (which defaults to empty string):

   1.  Set "h" to "v2.public."

   2.  Pack "h", "m", and "f" together (in that order) using PAE (see
       Section 2.2).  We'll call this "m2".

   3.  Sign "m2" using Ed25519 "sk".  We'll call this "sig".  (See below
       for pseudocode.)

   4.  If "f" is:

       *  Empty: return h || b64(m || sig)

       *  Non-empty: return h || b64(m || sig) || "." || b64(f)

       *  ...where || means "concatenate"

                        sig = crypto_sign_detached(
                            message = m2,
                            private_key = sk
                        );

               Step 3: Generating an Ed25519 with libsodium





Arciszewski & Haussmann Expires October 21, 2018               [Page 15]

Internet-Draft                                                April 2018


5.3.4.  v2.Verify

   Given a signed message "sm", public key "pk", and optional footer "f"
   (which defaults to empty string):

   1.  If "f" is not empty, implementations MAY verify that the value
       appended to the token matches some expected string "f", provided
       they do so using a constant-time string compare function.

   2.  Verify that the message begins with "v2.public.", otherwise throw
       an exception.  This constant will be referred to as "h".

   3.  Decode the payload ("sm" sans "h", "f", and the optional trailing
       period between "m" and "f") from base64url to raw binary.  Set:

       *  "s" to the rightmost 64 bytes

       *  "m" to the leftmost remainder of the payload, excluding "s"

   4.  Pack "h", "m", and "f" together (in that order) using PAE (see
       Section 2.2).  We'll call this "m2".

   5.  Use Ed25519 to verify that the signature is valid for the
       message: (See below for pseudocode.)

   6.  If the signature is valid, return "m".  Otherwise, throw an
       exception.

                   valid = crypto_sign_verify_detached(
                       signature = s,
                       message = m2,
                       public_key = pk
                   );

         Step 5: Validating the Ed25519 signature using libsodium.

6.  Payload Processing

   All PASETO payloads MUST be a JSON object [RFC8259].

   If non-UTF-8 character sets are desired for some fields, implementors
   are encouraged to use Base64url [1] encoding to preserve the original
   intended binary data, but still use UTF-8 for the actual payloads.








Arciszewski & Haussmann Expires October 21, 2018               [Page 16]

Internet-Draft                                                April 2018


6.1.  Registered Claims

   The following keys are reserved for use within PASETO.  Users SHOULD
   NOT write arbitrary/invalid data to any keys in a top-level PASETO in
   the list below:

    +-----+------------+--------+-------------------------------------+
    | Key |    Name    |  Type  |               Example               |
    +-----+------------+--------+-------------------------------------+
    | iss |   Issuer   | string |       {"iss":"paragonie.com"}       |
    | sub |  Subject   | string |            {"sub":"test"}           |
    | aud |  Audience  | string |       {"aud":"pie-hosted.com"}      |
    | exp | Expiration | DtTime | {"exp":"2039-01-01T00:00:00+00:00"} |
    | nbf | Not Before | DtTime | {"nbf":"2038-04-01T00:00:00+00:00"} |
    | iat | Issued At  | DtTime | {"iat":"2038-03-17T00:00:00+00:00"} |
    | jti |  Token ID  | string |  {"jti":"87IFSGFgPNtQNNuw0AtuLttP"} |
    | kid |   Key-ID   | string |    {"kid":"stored-in-the-footer"}   |
    +-----+------------+--------+-------------------------------------+

   In the table above, DtTime means an ISO 8601 compliant DateTime
   string.  See [#keyid-support] for special rules about "kid" claims.

   Any other claims can be freely used.  These keys are only reserved in
   the top-level JSON object.

   The keys in the above table are case-sensitive.

   Implementors (i.e. library designers) SHOULD provide some means to
   discourage setting invalid/arbitrary data to these reserved claims.

   For example: Storing any string that isn't a valid ISO 8601 DateTime
   in the "exp" claim should result in an exception or error state
   (depending on the programming language in question).

6.1.1.  Key-ID Support

   Some systems need to support key rotation, but since the payloads of
   a _local_ token are always encrypted, it is impractical to store the
   key id in the payload.

   Instead, users should store Key-ID claims (_kid_) in the unencrypted
   footer.

   For example, a footer of {"kid":"gandalf0"} can be read without
   needing to first decrypt the token (which would in turn allow the
   user to know which key to use to decrypt the token).





Arciszewski & Haussmann Expires October 21, 2018               [Page 17]

Internet-Draft                                                April 2018


   Implementations SHOULD provide a means to extract the footer from a
   PASETO before authentication and decryption.  This is possible for
   _local_ tokens because the contents of the footer are _not_
   encrypted.  However, the authenticity of the footer is only assured
   after the authentication tag is verified.

   While a key identifier can generally be safely used for selecting the
   cryptographic key used to decrypt and/or verify payloads before
   verification, provided that the _kid_ is a public number that is
   associated with a particular key which is not supplied by attackers,
   any other fields stored in the footer MUST be distrusted until the
   payload has been verified.

   IMPORTANT: Key identifiers MUST be independent of the actual keys
   used by PASETO.

   A fingerprint of the key is allowed as long as it is impractical for
   an attacker to recover the key from said fingerprint.

   For example, the user MUST NOT store the public key in the footer for
   a *public* token and have the recipient use the provided public key.
   Doing so would allow an attacker to replace the public key with one
   of their own choosing, which will cause the recipient to accept any
   signature for any message as valid, therefore defeating the security
   goals of public-key cryptography.

   Instead, it's recommended that implementors and users use a unique
   identifier for each key (independent of the cryptographic key's
   contents) that is used in a database or other key-value store to
   select the appropriate cryptographic key.  These search operations
   MUST fail closed if no valid key is found for the given key
   identifier.

7.  AEAD_XChaCha20_Poly1305

   XChaCha20-Poly1305 is a variant of the ChaCha20-Poly1305 AEAD
   construction as defined in [RFC7539] that uses a 192-bit nonce
   instead of a 64-bit nonce.

   The algorithm for XChaCha20-Poly1305 is as follows:

   1.  Calculate a subkey from the first 16 bytes of the nonce and the
       key, using HChaCha20 (Section 7.2).

   2.  Use the subkey and remaining 8 bytes of the nonce (prefixed with
       4 NUL bytes) with AEAD_CHACHA20_POLY1305 from [RFC7539] as
       normal.




Arciszewski & Haussmann Expires October 21, 2018               [Page 18]

Internet-Draft                                                April 2018


   XChaCha20-Poly1305 implementations already exist in libsodium [2],
   Monocypher [3], xsecretbox [4], and a standalone Go [5] library.

7.1.  Motivation for XChaCha20-Poly1305

   As long as ChaCha20-Poly1305 is a secure AEAD cipher and ChaCha is a
   secure pseudorandom function (PRF), XChaCha20-Poly1305 is secure.

   The nonce used by the original ChaCha20-Poly1305 is too short to
   safely use with random strings for long-lived keys.

   With XChaCha20-Poly1305, users can safely generate a random 192-bit
   nonce for each message and not worry about nonce-reuse
   vulnerabilities.

7.2.  HChaCha20

   *HChaCha20* is an intermediary step towards XChaCha20 based on the
   construction and security proof used to create XSalsa20 [6], an
   extended-nonce Salsa20 variant used in NaCl [7].

   HChaCha20 is initialized the same way as the ChaCha cipher, except
   that HChaCha20 uses a 128-bit nonce and has no counter.

   Consider the two figures below, where each non-whitespace character
   represents one nibble of information about the ChaCha states (all
   numbers little-endian):

                  cccccccc  cccccccc  cccccccc  cccccccc
                  kkkkkkkk  kkkkkkkk  kkkkkkkk  kkkkkkkk
                  kkkkkkkk  kkkkkkkk  kkkkkkkk  kkkkkkkk
                  bbbbbbbb  nnnnnnnn  nnnnnnnn  nnnnnnnn

           ChaCha20 State: c=constant k=key b=blockcount n=nonce

                  cccccccc  cccccccc  cccccccc  cccccccc
                  kkkkkkkk  kkkkkkkk  kkkkkkkk  kkkkkkkk
                  kkkkkkkk  kkkkkkkk  kkkkkkkk  kkkkkkkk
                  nnnnnnnn  nnnnnnnn  nnnnnnnn  nnnnnnnn

                 HChaCha20 State: c=constant k=key n=nonce

   After initialization, proceed through the ChaCha rounds as usual.

   Once the 20 ChaCha rounds have been completed, the first 128 bits and
   last 128 bits of the keystream (both little-endian) are concatenated,
   and this 256-bit subkey is returned.




Arciszewski & Haussmann Expires October 21, 2018               [Page 19]

Internet-Draft                                                April 2018


7.2.1.  Test Vector for the HChaCha20 Block Function

   o  Key = 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f:10:11:12:13:
      14:15:16:17:18:19:1a:1b:1c:1d:1e:1f.  The key is a sequence of
      octets with no particular structure before we copy it into the
      HChaCha state.

   o  Nonce = (00:00:00:09:00:00:00:4a:00:00:00:00:31:41:59:27)

   After setting up the HChaCha state, it looks like this:

                    61707865 3320646e 79622d32 6b206574
                    03020100 07060504 0b0a0908 0f0e0d0c
                    13121110 17161514 1b1a1918 1f1e1d1c
                    09000000 4a000000 00000000 27594131

                     ChaCha state with the key setup.

   After running 20 rounds (10 column rounds interleaved with 10
   "diagonal rounds"), the HChaCha state looks like this:

                    82413b42 27b27bfe d30e4250 8a877d73
                    4864a70a f3cd5479 37cd6a84 ad583c7b
                    8355e377 127ce783 2d6a07e0 e5d06cbc
                    a0f9e4d5 8a74a853 c12ec413 26d3ecdc

                       HChaCha state after 20 rounds

   HChaCha20 will then return only the first and last rows, resulting in
   the following 256-bit key:

                    82413b4 227b27bfe d30e4250 8a877d73
                    a0f9e4d 58a74a853 c12ec413 26d3ecdc

                        Resultant HChaCha20 subkey

8.  Intended Use-Cases for PASETO

   Like JWTs, PASETOs are intended to be single-use tokens, as there is
   no built-in mechanism to prevent replay attacks within the token
   lifetime.

   o  *local* tokens are intended for tamper-resistant encrypted cookies
      or HTTP request parameters.  A resonable example would be long-
      term authentication cookies which re-establish a new session
      cookie if a user checked the "remember me on this computer" box
      when authenticating.  To accomplish this, the server would look
      use the "jti" claim in a database lookup to find the appropriate



Arciszewski & Haussmann Expires October 21, 2018               [Page 20]

Internet-Draft                                                April 2018


      user to associate this session with.  After each new browsing
      session, the "jti" would be rotated in the database and a fresh
      cookie would be stored in tbe browser.

   o  *public* tokens are intended for one-time authentication claims
      from a third party.  For example, *public* PASETO would be
      suitable for a protocol like OpenID Connect.

9.  Security Considerations

   PASETO was designed in part to address known deficits of the JOSE
   standards that lead to insecure implementations.

   PASETO uses versioned protocols, rather than runtime ciphersuite
   negotiation, to prevent insecure algorithms from being selected.
   Mix-and-match is not a robust strategy for usable security
   engineering, especially when implementations have insecure default
   settings.

   If a severe security vulnerability is ever discovered in one of the
   specified versions, a new version of the protocol that is not
   affected should be decided by a team of cryptography engineers
   familiar with the vulnerability in question.  This prevents users
   from having to rewrite and/or reconfigure their implementations to
   side-step the vulnerability.

   PASETO implementors should only support the two most recent protocol
   versions (currently *v1* and *v2*) at any given time.

   PASETO users should beware that, although footers are authenticated,
   they are never encrypted.  Therefore, sensitive information MUST NOT
   be stored in a footer.

   Furthermore, PASETO users should beware that, if footers are employed
   to implement Key Identification (*kid*), the values stored in the
   footer MUST be unrelated to the actual cryptographic key used in
   verifying the token as discussed in Section 6.1.1.

   PASETO has no built-in mechanism to resist replay attacks within the
   token's lifetime.  Users SHOULD NOT attempt to use PASETO to obviate
   the need for server-side data storage when designing web
   applications.

   PASETO's cryptography features requires the availability of a secure
   random number generator, such as the getrandom(2) syscall on newer
   Linux distributions, /dev/urandom on most Unix-like systems, and
   CryptGenRandom on Windows computers.




Arciszewski & Haussmann Expires October 21, 2018               [Page 21]

Internet-Draft                                                April 2018


   The use of userspace pseudo-random number generators, even if seeded
   by the operating system's cryptographically secure pseudo-random
   number generator, is discouraged.

10.  IANA Considerations

   The IANA should reserve a new "PASETO Headers" registry for the
   purpose of this document and superseding RFCs.

   This document defines a suite of string prefixes for PASETO tokens,
   called "PASETO Headers" (see Section 2), which consists of two parts:

   o  *version*, with values *v1*, *v2* defined above

   o  *purpose*, with the values of *local* or *public*

   These two values are concatenated with a single character separator,
   the ASCII period character *.*.

   Initial values for the "PASETO Headers" registry are given below;
   future assignments are to be made through Expert Review [RFC8126],
   such as the CFRG [8].

            +-----------+-----------------------+-------------+
            |   Value   | PASETO Header Meaning |  Definition |
            +-----------+-----------------------+-------------+
            |  v1.local |    Version 1, local   | Section 4.1 |
            | v1.public |   Version 1, public   | Section 4.2 |
            |  v2.local |    Version 2, local   | Section 5.1 |
            | v2.public |   Version 2, public   | Section 5.2 |
            +-----------+-----------------------+-------------+

               PASETO Headers and their respective meanings

11.  References

11.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997, <https://www.rfc-
              editor.org/info/rfc2119>.

   [RFC3686]  Housley, R., "Using Advanced Encryption Standard (AES)
              Counter Mode With IPsec Encapsulating Security Payload
              (ESP)", RFC 3686, DOI 10.17487/RFC3686, January 2004,
              <https://www.rfc-editor.org/info/rfc3686>.




Arciszewski & Haussmann Expires October 21, 2018               [Page 22]

Internet-Draft                                                April 2018


   [RFC4231]  Nystrom, M., "Identifiers and Test Vectors for HMAC-SHA-
              224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512",
              RFC 4231, DOI 10.17487/RFC4231, December 2005,
              <https://www.rfc-editor.org/info/rfc4231>.

   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
              Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
              <https://www.rfc-editor.org/info/rfc4648>.

   [RFC5869]  Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand
              Key Derivation Function (HKDF)", RFC 5869,
              DOI 10.17487/RFC5869, May 2010, <https://www.rfc-
              editor.org/info/rfc5869>.

   [RFC6979]  Pornin, T., "Deterministic Usage of the Digital Signature
              Algorithm (DSA) and Elliptic Curve Digital Signature
              Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August
              2013, <https://www.rfc-editor.org/info/rfc6979>.

   [RFC7516]  Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)",
              RFC 7516, DOI 10.17487/RFC7516, May 2015,
              <https://www.rfc-editor.org/info/rfc7516>.

   [RFC7517]  Jones, M., "JSON Web Key (JWK)", RFC 7517,
              DOI 10.17487/RFC7517, May 2015, <https://www.rfc-
              editor.org/info/rfc7517>.

   [RFC7518]  Jones, M., "JSON Web Algorithms (JWA)", RFC 7518,
              DOI 10.17487/RFC7518, May 2015, <https://www.rfc-
              editor.org/info/rfc7518>.

   [RFC7519]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
              (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015,
              <https://www.rfc-editor.org/info/rfc7519>.

   [RFC7539]  Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF
              Protocols", RFC 7539, DOI 10.17487/RFC7539, May 2015,
              <https://www.rfc-editor.org/info/rfc7539>.

   [RFC8017]  Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch,
              "PKCS #1: RSA Cryptography Specifications Version 2.2",
              RFC 8017, DOI 10.17487/RFC8017, November 2016,
              <https://www.rfc-editor.org/info/rfc8017>.

   [RFC8032]  Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital
              Signature Algorithm (EdDSA)", RFC 8032,
              DOI 10.17487/RFC8032, January 2017, <https://www.rfc-
              editor.org/info/rfc8032>.



Arciszewski & Haussmann Expires October 21, 2018               [Page 23]

Internet-Draft                                                April 2018


   [RFC8126]  Cotton, M., Leiba, B., and T. Narten, "Guidelines for
              Writing an IANA Considerations Section in RFCs", BCP 26,
              RFC 8126, DOI 10.17487/RFC8126, June 2017,
              <https://www.rfc-editor.org/info/rfc8126>.

   [RFC8259]  Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
              Interchange Format", STD 90, RFC 8259,
              DOI 10.17487/RFC8259, December 2017, <https://www.rfc-
              editor.org/info/rfc8259>.

11.2.  URIs

   [1] https://tools.ietf.org/html/rfc4648#page-7

   [2] https://download.libsodium.org/doc/secret-key_cryptography/
       xchacha20-poly1305_construction.html

   [3] https://github.com/LoupVaillant/Monocypher

   [4] https://github.com/jedisct1/xsecretbox

   [5] https://github.com/aead/chacha20

   [6] https://cr.yp.to/snuffle/xsalsa-20110204.pdf

   [7] https://nacl.cr.yp.to

   [8] https://irtf.org/cfrg

Appendix A.  PASETO Test Vectors

   Note: When a nonce is given below, it refers to the value before
   being hashed with the message.  Typically this value is provided by a
   secure random number generator.

   Note: Signing may result in a different token each time, but the
   given token and public key pair should validate successfully.  The
   private key that corresponds to this public key is as follows:













Arciszewski & Haussmann Expires October 21, 2018               [Page 24]

Internet-Draft                                                April 2018


     -----BEGIN RSA PRIVATE KEY-----
     MIIEowIBAAKCAQEAyaTgTt53ph3p5GHgwoGWwz5hRfWXSQA08NCOwe0FEgALWos9
     GCjNFCd723nCHxBtN1qd74MSh/uN88JPIbwxKheDp4kxo4YMN5trPaF0e9G6Bj1N
     02HnanxFLW+gmLbgYO/SZYfWF/M8yLBcu5Y1Ot0ZxDDDXS9wIQTtBE0ne3YbxgZJ
     AZTU5XqyQ1DxdzYyC5lF6yBaR5UQtCYTnXAApVRuUI2Sd6L1E2vl9bSBumZ5IpNx
     kRnAwIMjeTJB/0AIELh0mE5vwdihOCbdV6alUyhKC1+1w/FW6HWcp/JG1kKC8DPI
     idZ78Bbqv9YFzkAbNni5eSBOsXVBKG78Zsc8owIDAQABAoIBAF22jLDa34yKdns3
     qfd7to+C3D5hRzAcMn6Azvf9qc+VybEI6RnjTHxDZWK5EajSP4/sQ15e8ivUk0Jo
     WdJ53feL+hnQvwsab28gghSghrxM2kGwGA1XgO+SVawqJt8SjvE+Q+//01ZKK0Oy
     A0cDJjX3L9RoPUN/moMeAPFw0hqkFEhm72GSVCEY1eY+cOXmL3icxnsnlUD//SS9
     q33RxF2y5oiW1edqcRqhW/7L1yYMbxHFUcxWh8WUwjn1AAhoCOUzF8ZB+0X/PPh+
     1nYoq6xwqL0ZKDwrQ8SDhW/rNDLeO9gic5rl7EetRQRbFvsZ40AdsX2wU+lWFUkB
     42AjuoECgYEA5z/CXqDFfZ8MXCPAOeui8y5HNDtu30aR+HOXsBDnRI8huXsGND04
     FfmXR7nkghr08fFVDmE4PeKUk810YJb+IAJo8wrOZ0682n6yEMO58omqKin+iIUV
     rPXLSLo5CChrqw2J4vgzolzPw3N5I8FJdLomb9FkrV84H+IviPIylyECgYEA3znw
     AG29QX6ATEfFpGVOcogorHCntd4niaWCq5ne5sFL+EwLeVc1zD9yj1axcDelICDZ
     xCZynU7kDnrQcFkT0bjH/gC8Jk3v7XT9l1UDDqC1b7rm/X5wFIZ/rmNa1rVZhL1o
     /tKx5tvM2syJ1q95v7NdygFIEIW+qbIKbc6Wz0MCgYBsUZdQD+qx/xAhELX364I2
     epTryHMUrs+tGygQVrqdiJX5dcDgM1TUJkdQV6jLsKjPs4Vt6OgZRMrnuLMsk02R
     3M8gGQ25ok4f4nyyEZxGGWnVujn55KzUiYWhGWmhgp18UCkoYa59/Q9ss+gocV9h
     B9j9Q43vD80QUjiF4z0DQQKBgC7XQX1VibkMim93QAnXGDcAS0ij+w02qKVBjcHk
     b9mMBhz8GAxGOIu7ZJafYmxhwMyVGB0I1FQeEczYCJUKnBYN6Clsjg6bnBT/z5bJ
     x/Jx1qCzX3Uh6vLjpjc5sf4L39Tyye1u2NXQmZPwB5x9BdcsFConSq/s4K1LJtUT
     3KFxAoGBANGcQ8nObi3m4wROyKrkCWcWxFFMnpwxv0pW727Hn9wuaOs4UbesCnwm
     pcMTfzGUDuzYXCtAq2pJl64HG6wsdkWmjBTJEpm6b9ibOBN3qFV2zQ0HyyKlMWxI
     uVSj9gOo61hF7UH9XB6R4HRdlpBOuIbgAWZ46dkj9/HM9ovdP0Iy
     -----END RSA PRIVATE KEY-----

A.1.  PASETO v1 Test Vectors

A.1.1.  v1.local (Shared-Key Encryption) Test Vectors

A.1.1.1.  Test Vector v1-E-1

   Key:     70717273 74757677 78797a7b 7c7d7e7f
            80818283 84858687 88898a8b 8c8d8e8f
   Nonce:   00000000 00000000 00000000 00000000
            00000000 00000000 00000000 00000000
   Payload: {"data":"this is a signed message",
            "exp":"2019-01-01T00:00:00+00:00"}
   Footer:
   Token:   v1.local.WzhIh1MpbqVNXNt7-HbWvL-JwAym3Tomad9Pc2nl7wK87vGraUV
            vn2bs8BBNo7jbukCNrkVID0jCK2vr5bP18G78j1bOTbBcP9HZzqnraEdspcj
            d_PvrxDEhj9cS2MG5fmxtvuoHRp3M24HvxTtql9z26KTfPWxJN5bAJaAM6go
            s8fnfjJO8oKiqQMaiBP_Cqncmqw8






Arciszewski & Haussmann Expires October 21, 2018               [Page 25]

Internet-Draft                                                April 2018


A.1.1.2.  Test Vector v1-E-2

   Same as v1-E-1, but with a slightly different message.

   Key:     70717273 74757677 78797a7b 7c7d7e7f
            80818283 84858687 88898a8b 8c8d8e8f
   Nonce:   00000000 00000000 00000000 00000000
            00000000 00000000 00000000 00000000
   Payload: {"data":"this is a secret message",
            "exp":"2019-01-01T00:00:00+00:00"}
   Footer:
   Token:   v1.local.w_NOpjgte4bX-2i1JAiTQzHoGUVOgc2yqKqsnYGmaPaCu_KWUkR
            GlCRnOvZZxeH4HTykY7AE_jkzSXAYBkQ1QnwvKS16uTXNfnmp8IRknY76I2m
            3S5qsM8klxWQQKFDuQHl8xXV0MwAoeFh9X6vbwIqrLlof3s4PMjRDwKsxYzk
            Mr1RvfDI8emoPoW83q4Q60_xpHaw

A.1.1.3.  Test Vector v1-E-3

   Key:     70717273 74757677 78797a7b 7c7d7e7f
            80818283 84858687 88898a8b 8c8d8e8f
   Nonce:   26f75533 54482a1d 91d47846 27854b8d
            a6b8042a 7966523c 2b404e8d bbe7f7f2
   Payload: {"data":"this is a signed message",
            "exp":"2019-01-01T00:00:00+00:00"}
   Footer:
   Token:   v1.local.4VyfcVcFAOAbB8yEM1j1Ob7Iez5VZJy5kHNsQxmlrAwKUbOtq9c
            v39T2fC0MDWafX0nQJ4grFZzTdroMvU772RW-X1oTtoFBjsl_3YYHWnwgqzs
            0aFc3ejjORmKP4KUM339W3syBYyjKIOeWnsFQB6Yef-1ov9rvqt7TmwONUHe
            JUYk4IK_JEdUeo_uFRqAIgHsiGCg

A.1.1.4.  Test Vector v1-E-4

   Same as v1-E-3, but with a slightly different message.

   Key:     70717273 74757677 78797a7b 7c7d7e7f
            80818283 84858687 88898a8b 8c8d8e8f
   Nonce:   26f75533 54482a1d 91d47846 27854b8d
            a6b8042a 7966523c 2b404e8d bbe7f7f2
   Payload: {"data":"this is a secret message",
            "exp":"2019-01-01T00:00:00+00:00"}
   Footer:
   Token:   v1.local.IddlRQmpk6ojcD10z1EYdLexXvYiadtY0MrYQaRnq3dnqKIWcbb
            pOcgXdMIkm3_3gksirTj81bvWrWkQwcUHilt-tQo7LZK8I6HCK1V78B9YeEq
            GNeeWXOyWWHoJQIe0d5nTdvejdt2Srz_5Q0QG4oiz1gB_wmv4U5pifedaZbH
            XUTWXchFEi0etJ4u6tqgxZSklcec






Arciszewski & Haussmann Expires October 21, 2018               [Page 26]

Internet-Draft                                                April 2018


A.1.1.5.  Test Vector v1-E-5

   Key:     70717273 74757677 78797a7b 7c7d7e7f
            80818283 84858687 88898a8b 8c8d8e8f
   Nonce:   26f75533 54482a1d 91d47846 27854b8d
            a6b8042a 7966523c 2b404e8d bbe7f7f2
   Payload: {"data":"this is a signed message",
            "exp":"2019-01-01T00:00:00+00:00"}
   Footer:  {"kid":"UbkK8Y6iv4GZhFp6Tx3IWLWLfNXSEvJcdT3zdR65YZxo"}
   Token:   v1.local.4VyfcVcFAOAbB8yEM1j1Ob7Iez5VZJy5kHNsQxmlrAwKUbOtq9c
            v39T2fC0MDWafX0nQJ4grFZzTdroMvU772RW-X1oTtoFBjsl_3YYHWnwgqzs
            0aFc3ejjOR mKP4KUM339W3szA28OabR192eRqiyspQ6xPM35NMR-04-FhRJ
            ZEWiF0W5oWjPVtGPjeVjm2DI4YtJg.eyJraWQiOiJVYmtLOFk2aXY0R1poRn
            A2VHgzSVdMV0xmTlhTRXZKY2RUM3pkUjY1WVp4byJ9

A.1.1.6.  Test Vector v1-E-6

   Same as v1-E-5, but with a slightly different message.

   Key:     70717273 74757677 78797a7b 7c7d7e7f
            80818283 84858687 88898a8b 8c8d8e8f
   Nonce:   26f75533 54482a1d 91d47846 27854b8d
            a6b8042a 7966523c 2b404e8d bbe7f7f2
   Payload: {"data":"this is a secret message",
            "exp":"2019-01-01T00:00:00+00:00"}
   Footer:  {"kid":"UbkK8Y6iv4GZhFp6Tx3IWLWLfNXSEvJcdT3zdR65YZxo"}
   Token:   v1.local.IddlRQmpk6ojcD10z1EYdLexXvYiadtY0MrYQaRnq3dnqKIWcbb
            pOcgXdMIkm3_3gksirTj81bvWrWkQwcUHilt-tQo7LZK8I6HCK1V78B9YeEq
            GNeeWXOyWWHoJQIe0d5nTdvcT2vnER6NrJ7xIowvFba6J4qMlFhBnYSxHEq9
            v9NlzcKsz1zscdjcAiXnEuCHyRSc.eyJraWQiOiJVYmtLOFk2aXY0R1poRnA
            2VHgzSVdMV0xmTlhTRXZKY2RUM3pkUjY1WVp4byJ9

A.1.2.  v1.public (Public-Key Authentication) Test Vectors

A.1.2.1.  Test Vector v1-S-1
















Arciszewski & Haussmann Expires October 21, 2018               [Page 27]

Internet-Draft                                                April 2018


   Token:      v1.public.eyJkYXRhIjoidGhpcyBpcyBhIHNpZ25lZCBtZXNzYWdlIiw
               iZXhwIjoiMjAxOS0wMS0wMVQwMDowMDowMCswMDowMCJ9cIZKahKeGM5k
               iAS_4D70Qbz9FIThZpxetJ6n6E6kXP_119SvQcnfCSfY_gG3D0Q2v7FEt
               m2Cmj04lE6YdgiZ0RwA41WuOjXq7zSnmmHK9xOSH6_2yVgt207h1_LphJ
               zVztmZzq05xxhZsV3nFPm2cCu8oPceWy-DBKjALuMZt_Xj6hWFFie96Sf
               Q6i85lOsTX8Kc6SQaG-3CgThrJJ6W9DC-YfQ3lZ4TJUoY3QNYdtEgAvp1
               QuWWK6xmIb8BwvkBPej5t88QUb7NcvZ15VyNw3qemQGn2ITSdpdDgwMtp
               flZOeYdtuxQr1DSGO2aQyZl7s0WYn1IjdQFx6VjSQ4yfw
   Public Key: -----BEGIN PUBLIC KEY-----
               MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyaTgTt53ph3p
               5GHgwoGWwz5hRfWXSQA08NCOwe0FEgALWos9GCjNFCd723nCHxBtN1qd
               74MSh/uN88JPIbwxKheDp4kxo4YMN5trPaF0e9G6Bj1N02HnanxFLW+g
               mLbgYO/SZYfWF/M8yLBcu5Y1Ot0ZxDDDXS9wIQTtBE0ne3YbxgZJAZTU
               5XqyQ1DxdzYyC5lF6yBaR5UQtCYTnXAApVRuUI2Sd6L1E2vl9bSBumZ5
               IpNxkRnAwIMjeTJB/0AIELh0mE5vwdihOCbdV6alUyhKC1+1w/FW6HWc
               p/JG1kKC8DPIidZ78Bbqv9YFzkAbNni5eSBOsXVBKG78Zsc8owIDAQAB
               -----END PUBLIC KEY-----
   Payload:    {"data":"this is a secret message",
               "exp":"2019-01-01T00:00:00+00:00"}
   Footer:

A.1.2.2.  Test Vector v1-S-2

   Token:      v1.public.eyJkYXRhIjoidGhpcyBpcyBhIHNpZ25lZCBtZXNzYWdlIiw
               iZXhwIjoiMjAxOS0wMS0wMVQwMDowMDowMCswMDowMCJ9sBTIb0J_4mis
               AuYc4-6P5iR1rQighzktpXhJ8gtrrp2MqSSDkbb8q5WZh3FhUYuW_rg2X
               8aflDlTWKAqJkM3otjYwtmfwfOhRyykxRL2AfmIika_A-_MaLp9F0iw4S
               1JetQQDV8GUHjosd87TZ20lT2JQLhxKjBNJSwWue8ucGhTgJcpOhXcthq
               az7a2yudGyd0layzeWziBhdQpoBR6ryTdtIQX54hP59k3XCIxuYbB9qJM
               pixiPAEKBcjHT74sA-uukug9VgKO7heWHwJL4Rl9ad21xyNwaxAnwAJ7C
               0fN5oGv8Rl0dF11b3tRmsmbDoIokIM0Dba29x_T3YzOyg.eyJraWQiOiJ
               kWWtJU3lseFFlZWNFY0hFTGZ6Rjg4VVpyd2JMb2xOaUNkcHpVSEd3OVVx
               biJ9
   Public Key: -----BEGIN PUBLIC KEY-----
               MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyaTgTt53ph3p
               5GHgwoGWwz5hRfWXSQA08NCOwe0FEgALWos9GCjNFCd723nCHxBtN1qd
               74MSh/uN88JPIbwxKheDp4kxo4YMN5trPaF0e9G6Bj1N02HnanxFLW+g
               mLbgYO/SZYfWF/M8yLBcu5Y1Ot0ZxDDDXS9wIQTtBE0ne3YbxgZJAZTU
               5XqyQ1DxdzYyC5lF6yBaR5UQtCYTnXAApVRuUI2Sd6L1E2vl9bSBumZ5
               IpNxkRnAwIMjeTJB/0AIELh0mE5vwdihOCbdV6alUyhKC1+1w/FW6HWc
               p/JG1kKC8DPIidZ78Bbqv9YFzkAbNni5eSBOsXVBKG78Zsc8owIDAQAB
               -----END PUBLIC KEY-----
   Payload:    {"data":"this is a secret message",
               "exp":"2019-01-01T00:00:00+00:00"}
   Footer:     {"kid":"dYkISylxQeecEcHELfzF88UZrwbLolNiCdpzUHGw9Uqn"}






Arciszewski & Haussmann Expires October 21, 2018               [Page 28]

Internet-Draft                                                April 2018


A.2.  PASETO v2 Test Vectors

A.2.1.  v2.local (Shared-Key Encryption) Test Vectors

A.2.1.1.  Test Vector v2-E-1

   Key:     70717273 74757677 78797a7b 7c7d7e7f
            80818283 84858687 88898a8b 8c8d8e8f
   Nonce:   00000000 00000000 00000000 00000000
            00000000 00000000
   Payload: {"data":"this is a signed message",
            "exp":"2019-01-01T00:00:00+00:00"}
   Footer:
   Token:   v2.local.97TTOvgwIxNGvV80XKiGZg_kD3tsXM_-qB4dZGHOeN1cTkgQ4Pn
            W8888l802W8d9AvEGnoNBY3BnqHORy8a5cC8aKpbA0En8XELw2yDk2f1sVOD
            yfnDbi6rEGMY3pSfCbLWMM2oHJxvlEl2XbQ

A.2.1.2.  Test Vector v2-E-2

   Same as v2-E-1, but with a slightly different message.

   Key:     70717273 74757677 78797a7b 7c7d7e7f
            80818283 84858687 88898a8b 8c8d8e8f
   Nonce:   00000000 00000000 00000000 00000000
            00000000 00000000
   Payload: {"data":"this is a secret message",
            "exp":"2019-01-01T00:00:00+00:00"}
   Footer:
   Token:   v2.local.CH50H-HM5tzdK4kOmQ8KbIvrzJfjYUGuu5Vy9ARSFHy9owVDMYg
            3-8rwtJZQjN9ABHb2njzFkvpr5cOYuRyt7CRXnHt42L5yZ7siD-4l-FoNsC7
            J2OlvLlIwlG06mzQVunrFNb7Z3_CHM0PK5w

A.2.1.3.  Test Vector v2-E-3

   Key:     70717273 74757677 78797a7b 7c7d7e7f
            80818283 84858687 88898a8b 8c8d8e8f
   Nonce:   45742c97 6d684ff8 4ebdc0de 59809a97
            cda2f64c 84fda19b
   Payload: {"data":"this is a signed message",
            "exp":"2019-01-01T00:00:00+00:00"}
   Footer:
   Token:   v2.local.5K4SCXNhItIhyNuVIZcwrdtaDKiyF81-eWHScuE0idiVqCo72bb
            jo07W05mqQkhLZdVbxEa5I_u5sgVk1QLkcWEcOSlLHwNpCkvmGGlbCdNExn6
            Qclw3qTKIIl5-O5xRBN076fSDPo5xUCPpBA







Arciszewski & Haussmann Expires October 21, 2018               [Page 29]

Internet-Draft                                                April 2018


A.2.1.4.  Test Vector v2-E-4

   Same as v2-E-3, but with a slightly different message.

   Key:     70717273 74757677 78797a7b 7c7d7e7f
            80818283 84858687 88898a8b 8c8d8e8f
   Nonce:   45742c97 6d684ff8 4ebdc0de 59809a97
            cda2f64c 84fda19b
   Payload: {"data":"this is a secret message",
            "exp":"2019-01-01T00:00:00+00:00"}
   Footer:
   Token:   v2.local.pvFdDeNtXxknVPsbBCZF6MGedVhPm40SneExdClOxa9HNR8wFv7
            cu1cB0B4WxDdT6oUc2toyLR6jA6sc-EUM5ll1EkeY47yYk6q8m1RCpqTIzUr
            Iu3B6h232h62DPbIxtjGvNRAwsLK7LcV8oQ

A.2.1.5.  Test Vector v2-E-5

   Key:     70717273 74757677 78797a7b 7c7d7e7f
            80818283 84858687 88898a8b 8c8d8e8f
   Nonce:   45742c97 6d684ff8 4ebdc0de 59809a97
            cda2f64c 84fda19b
   Payload: {"data":"this is a signed message",
            "exp":"2019-01-01T00:00:00+00:00"}
   Footer:  {"kid":"UbkK8Y6iv4GZhFp6Tx3IWLWLfNXSEvJcdT3zdR65YZxo"}
   Token:   v2.local.5K4SCXNhItIhyNuVIZcwrdtaDKiyF81-eWHScuE0idiVqCo72bb
            jo07W05mqQkhLZdVbxEa5I_u5sgVk1QLkcWEcOSlLHwNpCkvmGGlbCdNExn6
            Qclw3qTKIIl5-zSLIrxZqOLwcFLYbVK1SrQ.eyJraWQiOiJ6VmhNaVBCUDlm
            UmYyc25FY1Q3Z0ZUaW9lQTlDT2NOeTlEZmdMMVc2MGhhTiJ9

A.2.1.6.  Test Vector v2-E-6

   Same as v2-E-5, but with a slightly different message.

   Key:     70717273 74757677 78797a7b 7c7d7e7f
            80818283 84858687 88898a8b 8c8d8e8f
   Nonce:   45742c97 6d684ff8 4ebdc0de 59809a97
            cda2f64c 84fda19b
   Payload: {"data":"this is a secret message",
            "exp":"2019-01-01T00:00:00+00:00"}
   Footer:  {"kid":"UbkK8Y6iv4GZhFp6Tx3IWLWLfNXSEvJcdT3zdR65YZxo"}
   Token:   v2.local.pvFdDeNtXxknVPsbBCZF6MGedVhPm40SneExdClOxa9HNR8wFv7
            cu1cB0B4WxDdT6oUc2toyLR6jA6sc-EUM5ll1EkeY47yYk6q8m1RCpqTIzUr
            Iu3B6h232h62DnMXKdHn_Smp6L_NfaEnZ-A.eyJraWQiOiJ6VmhNaVBCUDlm
            UmYyc25FY1Q3Z0ZUaW9lQTlDT2NOeTlEZmdMMVc2MGhhTiJ9







Arciszewski & Haussmann Expires October 21, 2018               [Page 30]

Internet-Draft                                                April 2018


A.2.2.  v2.public (Public-Key Authentication) Test Vectors

A.2.2.1.  Test Vector v2-S-1

   Token:       v2.public.eyJkYXRhIjoidGhpcyBpcyBhIHNpZ25lZCBtZXNzYWdlIi
                wiZXhwIjoiMjAxOS0wMS0wMVQwMDowMDowMCswMDowMCJ9HQr8URrGnt
                Tu7Dz9J2IF23d1M7-9lH9xiqdGyJNvzp4angPW5Esc7C5huy_M8I8_Dj
                JK2ZXC2SUYuOFM-Q_5Cw
   Private Key: b4cbfb43 df4ce210 727d953e 4a713307
                fa19bb7d 9f850414 38d9e11b 942a3774
                1eb9dbbb bc047c03 fd70604e 0071f098
                7e16b28b 757225c1 1f00415d 0e20b1a2
   Public Key:  1eb9dbbb bc047c03 fd70604e 0071f098
                7e16b28b 757225c1 1f00415d 0e20b1a2
   Payload:     {"data":"this is a signed message",
                "exp":"2019-01-01T00:00:00+00:00"}
   Footer:

A.2.2.2.  Test Vector v2-S-2

   Token:       v2.public.eyJkYXRhIjoidGhpcyBpcyBhIHNpZ25lZCBtZXNzYWdlIi
                wiZXhwIjoiMjAxOS0wMS0wMVQwMDowMDowMCswMDowMCJ9flsZsx_gYC
                R0N_Ec2QxJFFpvQAs7h9HtKwbVK2n1MJ3Rz-hwe8KUqjnd8FAnIJZ601
                tp7lGkguU63oGbomhoBw.eyJraWQiOiJ6VmhNaVBCUDlmUmYyc25FY1Q
                3Z0ZUaW9lQTlDT2NOeTlEZmdMMVc2MGhhTiJ9
   Private Key: b4cbfb43 df4ce210 727d953e 4a713307
                fa19bb7d 9f850414 38d9e11b 942a3774
                1eb9dbbb bc047c03 fd70604e 0071f098
                7e16b28b 757225c1 1f00415d 0e20b1a2
   Public Key:  1eb9dbbb bc047c03 fd70604e 0071f098
                7e16b28b 757225c1 1f00415d 0e20b1a2
   Payload:     {"data":"this is a signed message",
                "exp":"2019-01-01T00:00:00+00:00"}
   Footer:      {"kid":"dYkISylxQeecEcHELfzF88UZrwbLolNiCdpzUHGw9Uqn"}

Authors' Addresses

   Scott Arciszewski
   Paragon Initiative Enterprises
   United States

   Email: security@paragonie.com









Arciszewski & Haussmann Expires October 21, 2018               [Page 31]

Internet-Draft                                                April 2018


   Steven Haussmann
   Rensselaer Polytechnic Institute
   United States

   Email: hausss@rpi.edu














































Arciszewski & Haussmann Expires October 21, 2018               [Page 32]