9

In RFC 7571 I found what an RSA JWK should look like:

    {"kty":"RSA",
     "n":"0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
     "e":"AQAB",
     "d":"X4cTteJY_gn4FYPsXB8rdXix5vwsg1FLN5E3EaG6RJoVH-HLLKD9M7dx5oo7GURknchnrRweUkC7hT5fJLM0WbFAKNLWY2vv7B6NqXSzUvxT0_YSfqijwp3RTzlBaCxWp4doFk5N2o8Gy_nHNKroADIkJ46pRUohsXywbReAdYaMwFs9tv8d_cPVY3i07a3t8MN6TNwm0dSawm9v47UiCl3Sk5ZiG7xojPLu4sbg1U2jx4IBTNBznbJSzFHK66jT8bgkuqsk0GjskDJk19Z4qwjwbsnn4j2WBii3RL-Us2lGVkY8fkFzme1z0HbIkfz0Y6mqnOYtqc0X4jfcKoAC8Q",
     "p":"83i-7IvMGXoMXCskv73TKr8637FiO7Z27zv8oj6pbWUQyLPQBQxtPVnwD20R-60eTDmD2ujnMt5PoqMrm8RfmNhVWDtjjMmCMjOpSXicFHj7XOuVIYQyqVWlWEh6dN36GVZYk93N8Bc9vY41xy8B9RzzOGVQzXvNEvn7O0nVbfs",
     "q":"3dfOR9cuYq-0S-mkFLzgItgMEfFzB2q3hWehMuG0oCuqnb3vobLyumqjVZQO1dIrdwgTnCdpYzBcOfW5r370AFXjiWft_NGEiovonizhKpo9VVS78TzFgxkIdrecRezsZ-1kYd_s1qDbxtkDEgfAITAG9LUnADun4vIcb6yelxk",
     "dp":"G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0",
     "dq":"s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk",
     "qi":"GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU",
     "alg":"RS256",
     "kid":"2011-04-29"}

But the problem is, I could not find anywhere the meaning of all those parameters, like n, e, etc. So, what do all these parameters mean?

Jacobian

2 Answers

12

These are probably the parameters of an RSA key, as you can see here: https://www.gnupg.org/documentation/manuals/gcrypt-devel/RSA-key-parameters.html

The naming convention matches the one used in the JWK:

n-mpi
    RSA public modulus n.
e-mpi
    RSA public exponent e.
d-mpi
    RSA secret exponent d = e^-1 mod (p-1)(q-1).
p-mpi
    RSA secret prime p.
q-mpi
    RSA secret prime q with p < q.
u-mpi
    Multiplicative inverse u = p^-1 mod q.

Cheers!

BBerastegui
    Is -- not is probably. Same with ECC keys. Just the formal parameters of the keys, plus some metadata. – Steve Aug 21 '17 at 15:13
5

They are defined in the JWA specification, RFC 7518, section 6:

6.3.1. Parameters for RSA Public Keys

The following members MUST be present for RSA public keys.

6.3.1.1. "n" (Modulus) Parameter

The "n" (modulus) parameter contains the modulus value for the RSA public key. It is represented as a Base64urlUInt-encoded value.

Note that implementers have found that some cryptographic libraries prefix an extra zero-valued octet to the modulus representations they return, for instance, returning 257 octets for a 2048-bit key, rather than 256. Implementations using such libraries will need to take care to omit the extra octet from the base64url-encoded representation.

6.3.1.2. "e" (Exponent) Parameter

The "e" (exponent) parameter contains the exponent value for the RSA public key. It is represented as a Base64urlUInt-encoded value.

For instance, when representing the value 65537, the octet sequence to be base64url-encoded MUST consist of the three octets [1, 0, 1];
the resulting representation for this value is "AQAB".

The rest of the section goes on to detail private keys:

6.3.2. Parameters for RSA Private Keys

In addition to the members used to represent RSA public keys, the following members are used to represent RSA private keys. The parameter "d" is REQUIRED for RSA private keys. The others enable optimizations and SHOULD be included by producers of JWKs representing RSA private keys. If the producer includes any of the other private key parameters, then all of the others MUST be present, with the exception of "oth", which MUST only be present when more than two prime factors were used.

6.3.2.1. "d" (Private Exponent) Parameter

The "d" (private exponent) parameter contains the private exponent value for the RSA private key. It is represented as a Base64urlUInt-encoded value.

RFC 7518 JSON Web Algorithms (JWA) May 2015

6.3.2.2. "p" (First Prime Factor) Parameter

The "p" (first prime factor) parameter contains the first prime factor. It is represented as a Base64urlUInt-encoded value.

6.3.2.3. "q" (Second Prime Factor) Parameter

The "q" (second prime factor) parameter contains the second prime factor. It is represented as a Base64urlUInt-encoded value.

6.3.2.4. "dp" (First Factor CRT Exponent) Parameter

The "dp" (first factor CRT exponent) parameter contains the Chinese Remainder Theorem (CRT) exponent of the first factor. It is represented as a Base64urlUInt-encoded value.

6.3.2.5. "dq" (Second Factor CRT Exponent) Parameter

The "dq" (second factor CRT exponent) parameter contains the CRT exponent of the second factor. It is represented as a Base64urlUInt-encoded value.

6.3.2.6. "qi" (First CRT Coefficient) Parameter

The "qi" (first CRT coefficient) parameter contains the CRT coefficient of the second factor. It is represented as a Base64urlUInt-encoded value.

6.3.2.7. "oth" (Other Primes Info) Parameter

The "oth" (other primes info) parameter contains an array of information about any third and subsequent primes, should they exist. When only two primes have been used (the normal case), this parameter MUST be omitted. When three or more primes have been used, the number of array elements MUST be the number of primes used minus two. For more information on this case, see the description of the OtherPrimeInfo parameters in Appendix A.1.2 of RFC 3447 [RFC3447], upon which the following parameters are modeled. If the consumer of a JWK does not support private keys with more than two primes and it encounters a private key that includes the "oth" parameter, then it MUST NOT use the key. Each array element MUST be an object with the following members.

6.3.2.7.1. "r" (Prime Factor)

The "r" (prime factor) parameter within an "oth" array member represents the value of a subsequent prime factor. It is represented as a Base64urlUInt-encoded value.

6.3.2.7.2. "d" (Factor CRT Exponent)

The "d" (factor CRT exponent) parameter within an "oth" array member represents the CRT exponent of the corresponding prime factor. It is represented as a Base64urlUInt-encoded value.

6.3.2.7.3. "t" (Factor CRT Coefficient)

The "t" (factor CRT coefficient) parameter within an "oth" array member represents the CRT coefficient of the corresponding prime factor. It is represented as a Base64urlUInt-encoded value.

Section 6.2 details the values used for Elliptic Curve keys, but I'll spare the quotation here.

Nick Hatt
  • And as 6.3 says, these are the same as in RFC3447, PKCS1 v2.1, which was the current version of PKCS1 (the basic standard for RSA) at the time RFC7518 was written. – dave_thompson_085 Mar 26 '19 at 02:08
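As an added example (this is not code from the question or from either answer), the Python below ties the two answers together. It decodes the JWK posted in the question using the Base64urlUInt rules quoted in the second answer (including the "257 octets for a 2048-bit key" caveat and the 65537 to "AQAB" case), enforces the presence rules of section 6.3.2 ("d" required, CRT members all-or-nothing, reject "oth" if unsupported), checks that the members satisfy the relations the two answers describe (n = pq, d = e^-1 modulo lcm(p-1, q-1), dp = d mod (p-1), dq = d mod (q-1), qi = q^-1 mod p), converts to libgcrypt's u = p^-1 mod q from the first answer, and finally uses dp, dq and qi for the private-key operation they exist to speed up. All function names are my own; the only data is the key from the question, with the RFC's line-wrapped strings joined.

```python
import base64
import json
import math

# The RSA private JWK from the question (RFC 7517, Appendix A.2), with the
# line-wrapped Base64urlUInt strings joined back into single values.
RSA_JWK = json.loads("""{
 "kty": "RSA",
 "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
 "e": "AQAB",
 "d": "X4cTteJY_gn4FYPsXB8rdXix5vwsg1FLN5E3EaG6RJoVH-HLLKD9M7dx5oo7GURknchnrRweUkC7hT5fJLM0WbFAKNLWY2vv7B6NqXSzUvxT0_YSfqijwp3RTzlBaCxWp4doFk5N2o8Gy_nHNKroADIkJ46pRUohsXywbReAdYaMwFs9tv8d_cPVY3i07a3t8MN6TNwm0dSawm9v47UiCl3Sk5ZiG7xojPLu4sbg1U2jx4IBTNBznbJSzFHK66jT8bgkuqsk0GjskDJk19Z4qwjwbsnn4j2WBii3RL-Us2lGVkY8fkFzme1z0HbIkfz0Y6mqnOYtqc0X4jfcKoAC8Q",
 "p": "83i-7IvMGXoMXCskv73TKr8637FiO7Z27zv8oj6pbWUQyLPQBQxtPVnwD20R-60eTDmD2ujnMt5PoqMrm8RfmNhVWDtjjMmCMjOpSXicFHj7XOuVIYQyqVWlWEh6dN36GVZYk93N8Bc9vY41xy8B9RzzOGVQzXvNEvn7O0nVbfs",
 "q": "3dfOR9cuYq-0S-mkFLzgItgMEfFzB2q3hWehMuG0oCuqnb3vobLyumqjVZQO1dIrdwgTnCdpYzBcOfW5r370AFXjiWft_NGEiovonizhKpo9VVS78TzFgxkIdrecRezsZ-1kYd_s1qDbxtkDEgfAITAG9LUnADun4vIcb6yelxk",
 "dp": "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0",
 "dq": "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk",
 "qi": "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU",
 "alg": "RS256",
 "kid": "2011-04-29"
}""")

PUBLIC_MEMBERS = ("n", "e")
CRT_MEMBERS = ("p", "q", "dp", "dq", "qi")


def b64url_uint_decode(s: str) -> int:
    """Base64urlUInt (RFC 7518 section 2): unpadded base64url of a big-endian unsigned integer."""
    return int.from_bytes(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)), "big")


def b64url_uint_encode(x: int) -> str:
    """Inverse of b64url_uint_decode. Uses the minimal octet length, so a leading
    zero octet (the 257-octets-for-2048-bits case of section 6.3.1.1) is never emitted."""
    if x < 0:
        raise ValueError("Base64urlUInt is unsigned")
    octets = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
    return base64.urlsafe_b64encode(octets).rstrip(b"=").decode("ascii")


def b64url_uint_from_octets(octets: bytes) -> str:
    """Encode a big-endian buffer as a crypto library returns it; going through the
    integer drops any leading zero octet, as section 6.3.1.1 requires."""
    return b64url_uint_encode(int.from_bytes(octets, "big"))


def load_rsa_jwk(jwk: dict) -> dict:
    """Decode the integer members while enforcing the presence rules of section 6.3."""
    if jwk.get("kty") != "RSA":
        raise ValueError("not an RSA JWK")
    for m in PUBLIC_MEMBERS:
        if m not in jwk:
            raise ValueError("public member %r is missing" % m)
    if "oth" in jwk:
        # Multi-prime key: a consumer that does not support it MUST NOT use the key.
        raise ValueError("multi-prime RSA ('oth') is not supported")
    present = [m for m in CRT_MEMBERS if m in jwk]
    if present and len(present) != len(CRT_MEMBERS):
        raise ValueError("CRT members are all-or-nothing; got only %r" % present)
    if present and "d" not in jwk:
        raise ValueError("'d' is REQUIRED for RSA private keys")
    return {m: b64url_uint_decode(jwk[m]) for m in ("n", "e", "d") + CRT_MEMBERS if m in jwk}


def check_rsa_private(k: dict) -> list:
    """Return the names of the failed consistency checks (empty list: members agree)."""
    n, e, d, p, q, dp, dq, qi = (k[m] for m in ("n", "e", "d", "p", "q", "dp", "dq", "qi"))
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1); divides (p-1)(q-1)
    checks = {
        "n == p*q": p * q == n,
        "e*d == 1 mod lcm(p-1,q-1)": (e * d) % lam == 1,
        "dp == d mod (p-1)": dp == d % (p - 1),
        "dq == d mod (q-1)": dq == d % (q - 1),
        "qi == q^-1 mod p": qi == pow(q, -1, p),
    }
    return [name for name, ok in checks.items() if not ok]


def gcrypt_u(k: dict) -> int:
    """libgcrypt's 'u' is p^-1 mod q; the JWK 'qi' is q^-1 mod p, so convert on import."""
    return pow(k["p"], -1, k["q"])


def rsa_private_op_crt(k: dict, c: int) -> int:
    """c^d mod n via the CRT members (RFC 3447 section 5.1.2); equals pow(c, k['d'], k['n'])."""
    m1 = pow(c, k["dp"], k["p"])
    m2 = pow(c, k["dq"], k["q"])
    h = (k["qi"] * (m1 - m2)) % k["p"]
    return m2 + h * k["q"]
```

Running `check_rsa_private(load_rsa_jwk(RSA_JWK))` on a key you did not generate yourself is worth doing before trusting it: a JWK whose CRT members disagree with d will produce wrong signatures or, worse, leak the factorization through fault-style comparisons, and the spec's all-or-nothing rule is only a syntactic check.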