Cryptographic algorithms¶
All the participants MUST expose the supported signature and encryption algorithms in their metadata. They are used for all encryption and signature operations required by OIDC core and Federation.
Note
The length of the RSA keys must be equal to or greater than 2048 bits. A length of 4096 bits is recommended.
In the SPID and CIE id the following algorithms MUST be supported:
Algorithm |
Operations |
References |
Applicable to |
|---|---|---|---|
RS256 |
Signature |
OpenID.Core and RFC7518. |
|
RS512 |
Signature |
|
|
RSA-OAEP |
Key Encryption |
|
|
RSA-OAEP-256 |
Key Encryption |
|
|
A128CBC-HS256 |
Content Encryption |
|
|
A256CBC-HS512 |
Content Encryption |
|
In the SPID and CIE id the following algorithms are RECOMMENDED to be supported:
Algorithm |
Operations |
References |
Applicable to |
|---|---|---|---|
ES256 |
Signature |
OpenID.Core and RFC7518. |
|
ES512 |
Signature |
|
|
PS256 |
Signature |
|
|
PS512 |
Signature |
|
|
ECDH-ES |
Key Encryption |
|
|
ECDH-ES+A128KW |
Key Encryption |
|
|
ECDH-ES+A256KW |
Key Encryption |
|
In the SPID and CIE id the following algorithms MUST NOT be supported:
Algorithm |
Operations |
References |
Applicable to |
|---|---|---|---|
none |
Signature |
|
|
RSA_1_5 |
Key Encryption |
|
|
HS256 |
Signature |
|
|
HS384 |
Signature |
|
|
HS512 |
Signature |
|