oauth2.dev

sd_hash

IETF

Registry Context

`sd_hash` is a required claim in a Key Binding JWT that binds the KB-JWT to the presented SD-JWT, including the selected disclosures.

Technical Summary

Its value is the base64url-encoded digest of the US-ASCII bytes of the encoded SD-JWT: the Issuer-signed JWT followed by `~`, then each selected Disclosure followed by `~`. The disclosure hash algorithm identified by `_sd_alg`, or its defined default, is used.

When Used

In an SD-JWT+KB presentation to bind the holder's Key Binding JWT to the particular SD-JWT and disclosures presented.

Normative Requirements

Key Binding JWT producer

MUST
3
  1. RFC 9901 - Section 4.3.1

    Compute `sd_hash` over the US-ASCII bytes of the encoded SD-JWT: the Issuer-signed JWT followed by a tilde and zero or more selected Disclosures, each followed by a tilde..

    Condition: When computing `sd_hash`.

    The sd_hash value MUST be computed over the US-ASCII bytes of the encoded SD-JWT

  2. RFC 9901 - Section 4.3.1

    Base64url-encode the digest bytes to form the `sd_hash` value..

    Condition: When computing `sd_hash`.

    The bytes of the digest MUST then be base64url encoded.

  3. RFC 9901 - Section 4.3.1

    Use the same hash algorithm for `sd_hash` as is used for the Disclosures..

    Condition: When computing `sd_hash`.

    The same hash algorithm as for the Disclosures MUST be used

REQUIRED
1
  1. RFC 9901 - Section 4.3

    Include `sd_hash` in the Key Binding JWT payload as the base64url-encoded hash over the Issuer-signed JWT and selected Disclosures..

    Condition: When producing a Key Binding JWT.

    sd_hash: REQUIRED. The base64url-encoded hash value over the Issuer-signed JWT and the selected Disclosures

Verifier

MUST
2
  1. RFC 9901 - Section 7.3

    Calculate the digest over the Issuer-signed JWT and Disclosures and verify that it matches the Key Binding JWT's `sd_hash` value..

    Condition: When Key Binding is required.

    Verifiers MUST follow the following steps (or equivalent): ... Calculate the digest ... and verify that it matches the value of the sd_hash claim

  2. RFC 9901 - Section 7.3

    Abort processing when verification of `sd_hash` fails..

    Condition: When the calculated digest does not match `sd_hash`.

    If any step fails, the presentation is not valid and processing MUST be aborted.

Validation Guidance

error

Verify that the Key Binding JWT payload contains `sd_hash` and that its value is valid base64url-encoded data.

error

Recompute the digest from the US-ASCII bytes of the encoded SD-JWT, preserving the required tilde delimiters and including exactly the disclosures selected for presentation, then compare it with `sd_hash`.

error

Confirm that the hash algorithm used for `sd_hash` is the disclosure hash algorithm identified by `_sd_alg`, or its defined default.

error

Reject the presentation and abort processing if the calculated digest does not match `sd_hash`.

Security Notes

RFC 9901 - Section 9.5

Without required Key Binding, an attacker who obtains an SD-JWT can replay it, and an attacker can attempt to strip the KB-JWT before presentation.

Reference

Details

Entry Id
sd_hash
Claim Name
sd_hash
Claim Description
Digest of the SD-JWT to which the KB-JWT is tied
Change Controller
IETF
Reference
RFC9901 - Section 4.3