From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc8152.txt | 6779 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 6779 insertions(+) create mode 100644 doc/rfc/rfc8152.txt (limited to 'doc/rfc/rfc8152.txt') diff --git a/doc/rfc/rfc8152.txt b/doc/rfc/rfc8152.txt new file mode 100644 index 0000000..9e440c2 --- /dev/null +++ b/doc/rfc/rfc8152.txt @@ -0,0 +1,6779 @@ + + + + + + +Internet Engineering Task Force (IETF) J. Schaad +Request for Comments: 8152 August Cellars +Category: Standards Track July 2017 +ISSN: 2070-1721 + + + CBOR Object Signing and Encryption (COSE) + +Abstract + + Concise Binary Object Representation (CBOR) is a data format designed + for small code size and small message size. There is a need for the + ability to have basic security services defined for this data format. + This document defines the CBOR Object Signing and Encryption (COSE) + protocol. This specification describes how to create and process + signatures, message authentication codes, and encryption using CBOR + for serialization. This specification additionally describes how to + represent cryptographic keys using CBOR. + +Status of This Memo + + This is an Internet Standards Track document. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Further information on + Internet Standards is available in Section 2 of RFC 7841. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + http://www.rfc-editor.org/info/rfc8152. + +Copyright Notice + + Copyright (c) 2017 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + + + + +Schaad Standards Track [Page 1] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + +Table of Contents + + 1. Introduction ....................................................4 + 1.1. Design Changes from JOSE ...................................5 + 1.2. Requirements Terminology ...................................6 + 1.3. CBOR Grammar ...............................................6 + 1.4. CBOR-Related Terminology ...................................7 + 1.5. Document Terminology .......................................8 + 2. Basic COSE Structure ............................................8 + 3. Header Parameters ..............................................10 + 3.1. Common COSE Headers Parameters ............................12 + 4. Signing Objects ................................................16 + 4.1. Signing with One or More Signers ..........................16 + 4.2. Signing with One Signer ...................................18 + 4.3. Externally Supplied Data ..................................19 + 4.4. Signing and Verification Process ..........................20 + 4.5. Computing Counter Signatures ..............................22 + 5. Encryption Objects .............................................22 + 5.1. Enveloped COSE Structure ..................................23 + 5.1.1. Content Key Distribution Methods ...................24 + 5.2. Single Recipient Encrypted ................................25 + 5.3. How to Encrypt and Decrypt for AEAD Algorithms ............26 + 5.4. How to Encrypt and Decrypt for AE Algorithms ..............28 + 6. MAC Objects ....................................................29 + 6.1. MACed Message with Recipients .............................30 + 6.2. MACed Messages with Implicit Key ..........................31 + 6.3. How to Compute and Verify a MAC ...........................32 + 7. Key Objects ....................................................33 + 7.1. COSE Key Common Parameters ................................34 + 8. Signature Algorithms ...........................................37 + 8.1. ECDSA .....................................................38 + 8.1.1. Security Considerations ............................40 + 8.2. Edwards-Curve Digital Signature Algorithms (EdDSAs) .......40 + 8.2.1. Security Considerations ............................41 + 9. Message Authentication Code (MAC) Algorithms ...................42 + 9.1. Hash-Based Message Authentication Codes (HMACs) ...........42 + 9.1.1. Security Considerations ............................44 + 9.2. AES Message Authentication Code (AES-CBC-MAC) .............44 + 9.2.1. Security Considerations ............................45 + 10. Content Encryption Algorithms .................................45 + 10.1. AES GCM ..................................................46 + 10.1.1. Security Considerations ...........................47 + 10.2. AES CCM ..................................................47 + 10.2.1. Security Considerations ...........................50 + 10.3. ChaCha20 and Poly1305 ....................................50 + 10.3.1. Security Considerations ...........................51 + 11. Key Derivation Functions (KDFs) ...............................51 + + + + +Schaad Standards Track [Page 2] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + 11.1. HMAC-Based Extract-and-Expand Key Derivation + Function (HKDF) ..........................................52 + 11.2. Context Information Structure ............................54 + 12. Content Key Distribution Methods ..............................60 + 12.1. Direct Encryption ........................................60 + 12.1.1. Direct Key ........................................61 + 12.1.2. Direct Key with KDF ...............................61 + 12.2. Key Wrap ................................................63 + 12.2.1. AES Key Wrap ......................................64 + 12.3. Key Transport ...........................................65 + 12.4. Direct Key Agreement ....................................65 + 12.4.1. ECDH ..............................................66 + 12.4.2. Security Considerations ...........................69 + 12.5. Key Agreement with Key Wrap ..............................69 + 12.5.1. ECDH ..............................................70 + 13. Key Object Parameters .........................................72 + 13.1. Elliptic Curve Keys ......................................73 + 13.1.1. Double Coordinate Curves ..........................73 + 13.2. Octet Key Pair ...........................................74 + 13.3. Symmetric Keys ...........................................75 + 14. CBOR Encoder Restrictions .....................................76 + 15. Application Profiling Considerations ..........................76 + 16. IANA Considerations ...........................................78 + 16.1. CBOR Tag Assignment ......................................78 + 16.2. COSE Header Parameters Registry ..........................78 + 16.3. COSE Header Algorithm Parameters Registry ................79 + 16.4. COSE Algorithms Registry .................................79 + 16.5. COSE Key Common Parameters Registry ......................81 + 16.6. COSE Key Type Parameters Registry ........................81 + 16.7. COSE Key Types Registry ..................................82 + 16.8. COSE Elliptic Curves Registry ............................83 + 16.9. Media Type Registrations .................................84 + 16.9.1. COSE Security Message .............................84 + 16.9.2. COSE Key Media Type ...............................85 + 16.10. CoAP Content-Formats Registry ...........................87 + 16.11. Expert Review Instructions ..............................87 + 17. Security Considerations .......................................88 + 18. References ....................................................90 + 18.1. Normative References .....................................90 + 18.2. Informative References ...................................92 + Appendix A. Guidelines for External Data Authentication of + Algorithms ............................................96 + A.1. Algorithm Identification ..................................96 + A.2. Counter Signature without Headers .........................99 + Appendix B. Two Layers of Recipient Information ..................100 + Appendix C. Examples .............................................102 + C.1. Examples of Signed Messages ..............................103 + C.1.1. Single Signature ..................................103 + + + +Schaad Standards Track [Page 3] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + C.1.2. Multiple Signers ..................................103 + C.1.3. Counter Signature .................................104 + C.1.4. Signature with Criticality ........................105 + C.2. Single Signer Examples ...................................106 + C.2.1. Single ECDSA Signature ...........................106 + C.3. Examples of Enveloped Messages ...........................107 + C.3.1. Direct ECDH .......................................107 + C.3.2. Direct Plus Key Derivation ........................108 + C.3.3. Counter Signature on Encrypted Content ............109 + C.3.4. Encrypted Content with External Data ..............111 + C.4. Examples of Encrypted Messages ...........................111 + C.4.1. Simple Encrypted Message ..........................111 + C.4.2. Encrypted Message with a Partial IV ...............112 + C.5. Examples of MACed Messages ...............................112 + C.5.1. Shared Secret Direct MAC ..........................112 + C.5.2. ECDH Direct MAC ...................................113 + C.5.3. Wrapped MAC .......................................114 + C.5.4. Multi-Recipient MACed Message .....................115 + C.6. Examples of MAC0 Messages ................................117 + C.6.1. Shared Secret Direct MAC ..........................117 + C.7. COSE Keys ................................................117 + C.7.1. Public Keys .......................................117 + C.7.2. Private Keys ......................................119 + Acknowledgments ..................................................121 + Author's Address .................................................121 + +1. Introduction + + There has been an increased focus on small, constrained devices that + make up the Internet of Things (IoT). One of the standards that has + come out of this process is "Concise Binary Object Representation + (CBOR)" [RFC7049]. CBOR extended the data model of the JavaScript + Object Notation (JSON) [RFC7159] by allowing for binary data, among + other changes. CBOR is being adopted by several of the IETF working + groups dealing with the IoT world as their encoding of data + structures. CBOR was designed specifically to be both small in terms + of messages transport and implementation size and be a schema-free + decoder. A need exists to provide message security services for IoT, + and using CBOR as the message-encoding format makes sense. + + The JOSE working group produced a set of documents [RFC7515] + [RFC7516] [RFC7517] [RFC7518] using JSON that specified how to + process encryption, signatures, and Message Authentication Code (MAC) + operations and how to encode keys using JSON. This document defines + the CBOR Object Signing and Encryption (COSE) standard, which does + the same thing for the CBOR encoding format. While there is a strong + + + + + +Schaad Standards Track [Page 4] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + attempt to keep the flavor of the original JSON Object Signing and + Encryption (JOSE) documents, two considerations are taken into + account: + + o CBOR has capabilities that are not present in JSON and are + appropriate to use. One example of this is the fact that CBOR has + a method of encoding binary directly without first converting it + into a base64-encoded string. + + o COSE is not a direct copy of the JOSE specification. In the + process of creating COSE, decisions that were made for JOSE were + re-examined. In many cases, different results were decided on as + the criteria were not always the same. + +1.1. Design Changes from JOSE + + o Define a single top message structure so that encrypted, signed, + and MACed messages can easily be identified and still have a + consistent view. + + o Signed messages distinguish between the protected and unprotected + parameters that relate to the content from those that relate to + the signature. + + o MACed messages are separated from signed messages. + + o MACed messages have the ability to use the same set of recipient + algorithms as enveloped messages for obtaining the MAC + authentication key. + + o Use binary encodings for binary data rather than base64url + encodings. + + o Combine the authentication tag for encryption algorithms with the + ciphertext. + + o The set of cryptographic algorithms has been expanded in some + directions and trimmed in others. + + + + + + + + + + + + + +Schaad Standards Track [Page 5] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + +1.2. Requirements Terminology + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and + "OPTIONAL" in this document are to be interpreted as described in BCP + 14 [RFC2119] [RFC8174] when, and only when, they appear in all + capitals, as shown here. + + When the words appear in lowercase, this interpretation does not + apply. + +1.3. CBOR Grammar + + There is currently no standard CBOR grammar available for use by + specifications. The CBOR structures are therefore described in + prose. + + The document was developed by first working on the grammar and then + developing the prose to go with it. An artifact of this is that the + prose was written using the primitive type strings defined by CBOR + Data Definition Language (CDDL) [CDDL]. In this specification, the + following primitive types are used: + + any -- non-specific value that permits all CBOR values to be + placed here. + + bool -- a boolean value (true: major type 7, value 21; false: + major type 7, value 20). + + bstr -- byte string (major type 2). + + int -- an unsigned integer or a negative integer. + + nil -- a null value (major type 7, value 22). + + nint -- a negative integer (major type 1). + + tstr -- a UTF-8 text string (major type 3). + + uint -- an unsigned integer (major type 0). + + Two syntaxes from CDDL appear in this document as shorthand. These + are: + + FOO / BAR -- indicates that either FOO or BAR can appear here. + + [+ FOO] -- indicates that the type FOO appears one or more times + in an array. + + + +Schaad Standards Track [Page 6] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + As well as the prose description, a version of a CBOR grammar is + presented in CDDL. Since CDDL has not been published in an RFC, this + grammar may not work with the final version of CDDL. The CDDL + grammar is informational; the prose description is normative. + + The collected CDDL can be extracted from the XML version of this + document via the following XPath expression below. (Depending on the + XPath evaluator one is using, it may be necessary to deal with > + as an entity.) + + //artwork[@type='CDDL']/text() + + CDDL expects the initial non-terminal symbol to be the first symbol + in the file. For this reason, the first fragment of CDDL is + presented here. + + start = COSE_Messages / COSE_Key / COSE_KeySet / Internal_Types + + ; This is defined to make the tool quieter: + Internal_Types = Sig_structure / Enc_structure / MAC_structure / + COSE_KDF_Context + + The non-terminal Internal_Types is defined for dealing with the + automated validation tools used during the writing of this document. + It references those non-terminals that are used for security + computations but are not emitted for transport. + +1.4. CBOR-Related Terminology + + In JSON, maps are called objects and only have one kind of map key: a + string. In COSE, we use strings, negative integers, and unsigned + integers as map keys. The integers are used for compactness of + encoding and easy comparison. The inclusion of strings allows for an + additional range of short encoded values to be used as well. Since + the word "key" is mainly used in its other meaning, as a + cryptographic key, we use the term "label" for this usage as a map + key. + + The presence of a label in a COSE map that is not a string or an + integer is an error. Applications can either fail processing or + process messages with incorrect labels; however, they MUST NOT create + messages with incorrect labels. + + A CDDL grammar fragment defines the non-terminal 'label', as in the + previous paragraph, and 'values', which permits any value to be used. + + label = int / tstr + values = any + + + +Schaad Standards Track [Page 7] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + +1.5. Document Terminology + + In this document, we use the following terminology: + + Byte is a synonym for octet. + + Constrained Application Protocol (CoAP) is a specialized web transfer + protocol for use in constrained systems. It is defined in [RFC7252]. + + Authenticated Encryption (AE) [RFC5116] algorithms are those + encryption algorithms that provide an authentication check of the + contents algorithm with the encryption service. + + Authenticated Encryption with Authenticated Data (AEAD) [RFC5116] + algorithms provide the same content authentication service as AE + algorithms, but they additionally provide for authentication of non- + encrypted data as well. + +2. Basic COSE Structure + + The COSE object structure is designed so that there can be a large + amount of common code when parsing and processing the different types + of security messages. All of the message structures are built on the + CBOR array type. The first three elements of the array always + contain the same information: + + 1. The set of protected header parameters wrapped in a bstr. + + 2. The set of unprotected header parameters as a map. + + 3. The content of the message. The content is either the plaintext + or the ciphertext as appropriate. The content may be detached, + but the location is still used. The content is wrapped in a bstr + when present and is a nil value when detached. + + Elements after this point are dependent on the specific message type. + + COSE messages are also built using the concept of layers to separate + different types of cryptographic concepts. As an example of how this + works, consider the COSE_Encrypt message (Section 5.1). This message + type is broken into two layers: the content layer and the recipient + layer. In the content layer, the plaintext is encrypted and + information about the encrypted message is placed. In the recipient + layer, the content encryption key (CEK) is encrypted and information + about how it is encrypted for each recipient is placed. A single + layer version of the encryption message COSE_Encrypt0 (Section 5.2) + is provided for cases where the CEK is pre-shared. + + + + +Schaad Standards Track [Page 8] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + Identification of which type of message has been presented is done by + the following methods: + + 1. The specific message type is known from the context. This may be + defined by a marker in the containing structure or by + restrictions specified by the application protocol. + + 2. The message type is identified by a CBOR tag. Messages with a + CBOR tag are known in this specification as tagged messages, + while those without the CBOR tag are known as untagged messages. + This document defines a CBOR tag for each of the message + structures. These tags can be found in Table 1. + + 3. When a COSE object is carried in a media type of 'application/ + cose', the optional parameter 'cose-type' can be used to identify + the embedded object. The parameter is OPTIONAL if the tagged + version of the structure is used. The parameter is REQUIRED if + the untagged version of the structure is used. The value to use + with the parameter for each of the structures can be found in + Table 1. + + 4. When a COSE object is carried as a CoAP payload, the CoAP + Content-Format Option can be used to identify the message + content. The CoAP Content-Format values can be found in + Table 26. The CBOR tag for the message structure is not required + as each security message is uniquely identified. + + +-------+---------------+---------------+---------------------------+ + | CBOR | cose-type | Data Item | Semantics | + | Tag | | | | + +-------+---------------+---------------+---------------------------+ + | 98 | cose-sign | COSE_Sign | COSE Signed Data Object | + | 18 | cose-sign1 | COSE_Sign1 | COSE Single Signer Data | + | | | | Object | + | 96 | cose-encrypt | COSE_Encrypt | COSE Encrypted Data | + | | | | Object | + | 16 | cose-encrypt0 | COSE_Encrypt0 | COSE Single Recipient | + | | | | Encrypted Data Object | + | 97 | cose-mac | COSE_Mac | COSE MACed Data Object | + | 17 | cose-mac0 | COSE_Mac0 | COSE Mac w/o Recipients | + | | | | Object | + +-------+---------------+---------------+---------------------------+ + + Table 1: COSE Message Identification + + + + + + + +Schaad Standards Track [Page 9] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + The following CDDL fragment identifies all of the top messages + defined in this document. Separate non-terminals are defined for the + tagged and the untagged versions of the messages. + + COSE_Messages = COSE_Untagged_Message / COSE_Tagged_Message + + COSE_Untagged_Message = COSE_Sign / COSE_Sign1 / + COSE_Encrypt / COSE_Encrypt0 / + COSE_Mac / COSE_Mac0 + + COSE_Tagged_Message = COSE_Sign_Tagged / COSE_Sign1_Tagged / + COSE_Encrypt_Tagged / COSE_Encrypt0_Tagged / + COSE_Mac_Tagged / COSE_Mac0_Tagged + +3. Header Parameters + + The structure of COSE has been designed to have two buckets of + information that are not considered to be part of the payload itself, + but are used for holding information about content, algorithms, keys, + or evaluation hints for the processing of the layer. These two + buckets are available for use in all of the structures except for + keys. While these buckets are present, they may not all be usable in + all instances. For example, while the protected bucket is defined as + part of the recipient structure, some of the algorithms used for + recipient structures do not provide for authenticated data. If this + is the case, the protected bucket is left empty. + + Both buckets are implemented as CBOR maps. The map key is a 'label' + (Section 1.4). The value portion is dependent on the definition for + the label. Both maps use the same set of label/value pairs. The + integer and string values for labels have been divided into several + sections including a standard range, a private range, and a range + that is dependent on the algorithm selected. The defined labels can + be found in the "COSE Header Parameters" IANA registry + (Section 16.2). + + Two buckets are provided for each layer: + + protected: Contains parameters about the current layer that are to + be cryptographically protected. This bucket MUST be empty if it + is not going to be included in a cryptographic computation. This + bucket is encoded in the message as a binary object. This value + is obtained by CBOR encoding the protected map and wrapping it in + a bstr object. Senders SHOULD encode a zero-length map as a zero- + length string rather than as a zero-length map (encoded as h'a0'). + The zero-length binary encoding is preferred because it is both + shorter and the version used in the serialization structures for + cryptographic computation. After encoding the map, the value is + + + +Schaad Standards Track [Page 10] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + wrapped in the binary object. Recipients MUST accept both a zero- + length binary value and a zero-length map encoded in the binary + value. The wrapping allows for the encoding of the protected map + to be transported with a greater chance that it will not be + altered in transit. (Badly behaved intermediates could decode and + re-encode, but this will result in a failure to verify unless the + re-encoded byte string is identical to the decoded byte string.) + This avoids the problem of all parties needing to be able to do a + common canonical encoding. + + unprotected: Contains parameters about the current layer that are + not cryptographically protected. + + Only parameters that deal with the current layer are to be placed at + that layer. As an example of this, the parameter 'content type' + describes the content of the message being carried in the message. + As such, this parameter is placed only in the content layer and is + not placed in the recipient or signature layers. In principle, one + should be able to process any given layer without reference to any + other layer. With the exception of the COSE_Sign structure, the only + data that needs to cross layers is the cryptographic key. + + The buckets are present in all of the security objects defined in + this document. The fields in order are the 'protected' bucket (as a + CBOR 'bstr' type) and then the 'unprotected' bucket (as a CBOR 'map' + type). The presence of both buckets is required. The parameters + that go into the buckets come from the IANA "COSE Header Parameters" + registry (Section 16.2). Some common parameters are defined in the + next section, but a number of parameters are defined throughout this + document. + + Labels in each of the maps MUST be unique. When processing messages, + if a label appears multiple times, the message MUST be rejected as + malformed. Applications SHOULD verify that the same label does not + occur in both the protected and unprotected headers. If the message + is not rejected as malformed, attributes MUST be obtained from the + protected bucket before they are obtained from the unprotected + bucket. + + + + + + + + + + + + + +Schaad Standards Track [Page 11] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + The following CDDL fragment represents the two header buckets. A + group "Headers" is defined in CDDL that represents the two buckets in + which attributes are placed. This group is used to provide these two + fields consistently in all locations. A type is also defined that + represents the map of common headers. + + Headers = ( + protected : empty_or_serialized_map, + unprotected : header_map + ) + + header_map = { + Generic_Headers, + * label => values + } + + empty_or_serialized_map = bstr .cbor header_map / bstr .size 0 + + +3.1. Common COSE Headers Parameters + + This section defines a set of common header parameters. A summary of + these parameters can be found in Table 2. This table should be + consulted to determine the value of label and the type of the value. + + The set of header parameters defined in this section are: + + alg: This parameter is used to indicate the algorithm used for the + security processing. This parameter MUST be authenticated where + the ability to do so exists. This support is provided by AEAD + algorithms or construction (COSE_Sign, COSE_Sign0, COSE_Mac, and + COSE_Mac0). This authentication can be done either by placing the + header in the protected header bucket or as part of the externally + supplied data. The value is taken from the "COSE Algorithms" + registry (see Section 16.4). + + crit: The parameter is used to indicate which protected header + labels an application that is processing a message is required to + understand. Parameters defined in this document do not need to be + included as they should be understood by all implementations. + When present, this parameter MUST be placed in the protected + header bucket. The array MUST have at least one value in it. + Not all labels need to be included in the 'crit' parameter. The + rules for deciding which header labels are placed in the array + are: + + * Integer labels in the range of 0 to 8 SHOULD be omitted. + + + + +Schaad Standards Track [Page 12] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + * Integer labels in the range -1 to -128 can be omitted as they + are algorithm dependent. If an application can correctly + process an algorithm, it can be assumed that it will correctly + process all of the common parameters associated with that + algorithm. Integer labels in the range -129 to -65536 SHOULD + be included as these would be less common parameters that might + not be generally supported. + + * Labels for parameters required for an application MAY be + omitted. Applications should have a statement if the label can + be omitted. + + The header parameter values indicated by 'crit' can be processed + by either the security library code or an application using a + security library; the only requirement is that the parameter is + processed. If the 'crit' value list includes a value for which + the parameter is not in the protected bucket, this is a fatal + error in processing the message. + + content type: This parameter is used to indicate the content type of + the data in the payload or ciphertext fields. Integers are from + the "CoAP Content-Formats" IANA registry table [COAP.Formats]. + Text values following the syntax of "/" + where and are defined in Section 4.2 of + [RFC6838]. Leading and trailing whitespace is also omitted. + Textual content values along with parameters and subparameters can + be located using the IANA "Media Types" registry. Applications + SHOULD provide this parameter if the content structure is + potentially ambiguous. + + kid: This parameter identifies one piece of data that can be used as + input to find the needed cryptographic key. The value of this + parameter can be matched against the 'kid' member in a COSE_Key + structure. Other methods of key distribution can define an + equivalent field to be matched. Applications MUST NOT assume that + 'kid' values are unique. There may be more than one key with the + same 'kid' value, so all of the keys associated with this 'kid' + may need to be checked. The internal structure of 'kid' values is + not defined and cannot be relied on by applications. Key + identifier values are hints about which key to use. This is not a + security-critical field. For this reason, it can be placed in the + unprotected headers bucket. + + IV: This parameter holds the Initialization Vector (IV) value. For + some symmetric encryption algorithms, this may be referred to as a + nonce. The IV can be placed in the unprotected header as + modifying the IV will cause the decryption to yield plaintext that + is readily detectable as garbled. + + + +Schaad Standards Track [Page 13] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + Partial IV: This parameter holds a part of the IV value. When using + the COSE_Encrypt0 structure, a portion of the IV can be part of + the context associated with the key. This field is used to carry + a value that causes the IV to be changed for each message. The IV + can be placed in the unprotected header as modifying the IV will + cause the decryption to yield plaintext that is readily detectable + as garbled. The 'Initialization Vector' and 'Partial + Initialization Vector' parameters MUST NOT both be present in the + same security layer. + + The message IV is generated by the following steps: + + 1. Left-pad the Partial IV with zeros to the length of IV. + + 2. XOR the padded Partial IV with the context IV. + + counter signature: This parameter holds one or more counter + signature values. Counter signatures provide a method of having a + second party sign some data. The counter signature parameter can + occur as an unprotected attribute in any of the following + structures: COSE_Sign1, COSE_Signature, COSE_Encrypt, + COSE_recipient, COSE_Encrypt0, COSE_Mac, and COSE_Mac0. These + structures all have the same beginning elements, so that a + consistent calculation of the counter signature can be computed. + Details on computing counter signatures are found in Section 4.5. + + + + + + + + + + + + + + + + + + + + + + + + + + +Schaad Standards Track [Page 14] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + +-----------+-------+----------------+-------------+----------------+ + | Name | Label | Value Type | Value | Description | + | | | | Registry | | + +-----------+-------+----------------+-------------+----------------+ + | alg | 1 | int / tstr | COSE | Cryptographic | + | | | | Algorithms | algorithm to | + | | | | registry | use | + | crit | 2 | [+ label] | COSE Header | Critical | + | | | | Parameters | headers to be | + | | | | registry | understood | + | content | 3 | tstr / uint | CoAP | Content type | + | type | | | Content- | of the payload | + | | | | Formats or | | + | | | | Media Types | | + | | | | registries | | + | kid | 4 | bstr | | Key identifier | + | IV | 5 | bstr | | Full | + | | | | | Initialization | + | | | | | Vector | + | Partial | 6 | bstr | | Partial | + | IV | | | | Initialization | + | | | | | Vector | + | counter | 7 | COSE_Signature | | CBOR-encoded | + | signature | | / [+ | | signature | + | | | COSE_Signature | | structure | + | | | ] | | | + +-----------+-------+----------------+-------------+----------------+ + + Table 2: Common Header Parameters + + The CDDL fragment that represents the set of headers defined in this + section is given below. Each of the headers is tagged as optional + because they do not need to be in every map; headers required in + specific maps are discussed above. + + Generic_Headers = ( + ? 1 => int / tstr, ; algorithm identifier + ? 2 => [+label], ; criticality + ? 3 => tstr / int, ; content type + ? 4 => bstr, ; key identifier + ? 5 => bstr, ; IV + ? 6 => bstr, ; Partial IV + ? 7 => COSE_Signature / [+COSE_Signature] ; Counter signature + ) + + + + + + + +Schaad Standards Track [Page 15] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + +4. Signing Objects + + COSE supports two different signature structures. COSE_Sign allows + for one or more signatures to be applied to the same content. + COSE_Sign1 is restricted to a single signer. The structures cannot + be converted between each other; as the signature computation + includes a parameter identifying which structure is being used, the + converted structure will fail signature validation. + +4.1. Signing with One or More Signers + + The COSE_Sign structure allows for one or more signatures to be + applied to a message payload. Parameters relating to the content and + parameters relating to the signature are carried along with the + signature itself. These parameters may be authenticated by the + signature, or just present. An example of a parameter about the + content is the content type. Examples of parameters about the + signature would be the algorithm and key used to create the signature + and counter signatures. + + RFC 5652 indicates that: + + When more than one signature is present, the successful validation + of one signature associated with a given signer is usually treated + as a successful signature by that signer. However, there are some + application environments where other rules are needed. An + application that employs a rule other than one valid signature for + each signer must specify those rules. Also, where simple matching + of the signer identifier is not sufficient to determine whether + the signatures were generated by the same signer, the application + specification must describe how to determine which signatures were + generated by the same signer. Support for different communities + of recipients is the primary reason that signers choose to include + more than one signature. + + For example, the COSE_Sign structure might include signatures + generated with the Edwards-curve Digital Signature Algorithm (EdDSA) + [RFC8032] and with the Elliptic Curve Digital Signature Algorithm + (ECDSA) [DSS]. This allows recipients to verify the signature + associated with one algorithm or the other. More-detailed + information on multiple signature evaluations can be found in + [RFC5752]. + + + + + + + + + +Schaad Standards Track [Page 16] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + The signature structure can be encoded as either tagged or untagged + depending on the context it will be used in. A tagged COSE_Sign + structure is identified by the CBOR tag 98. The CDDL fragment that + represents this is: + + COSE_Sign_Tagged = #6.98(COSE_Sign) + + A COSE Signed Message is defined in two parts. The CBOR object that + carries the body and information about the body is called the + COSE_Sign structure. The CBOR object that carries the signature and + information about the signature is called the COSE_Signature + structure. Examples of COSE Signed Messages can be found in + Appendix C.1. + + The COSE_Sign structure is a CBOR array. The fields of the array in + order are: + + protected: This is as described in Section 3. + + unprotected: This is as described in Section 3. + + payload: This field contains the serialized content to be signed. + If the payload is not present in the message, the application is + required to supply the payload separately. The payload is wrapped + in a bstr to ensure that it is transported without changes. If + the payload is transported separately ("detached content"), then a + nil CBOR object is placed in this location, and it is the + responsibility of the application to ensure that it will be + transported without changes. + + Note: When a signature with a message recovery algorithm is used + (Section 8), the maximum number of bytes that can be recovered is + the length of the payload. The size of the payload is reduced by + the number of bytes that will be recovered. If all of the bytes + of the payload are consumed, then the payload is encoded as a + zero-length binary string rather than as being absent. + + signatures: This field is an array of signatures. Each signature is + represented as a COSE_Signature structure. + + + + + + + + + + + + +Schaad Standards Track [Page 17] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + The CDDL fragment that represents the above text for COSE_Sign + follows. + + COSE_Sign = [ + Headers, + payload : bstr / nil, + signatures : [+ COSE_Signature] + ] + + The COSE_Signature structure is a CBOR array. The fields of the + array in order are: + + protected: This is as described in Section 3. + + unprotected: This is as described in Section 3. + + signature: This field contains the computed signature value. The + type of the field is a bstr. Algorithms MUST specify padding if + the signature value is not a multiple of 8 bits. + + The CDDL fragment that represents the above text for COSE_Signature + follows. + + COSE_Signature = [ + Headers, + signature : bstr + ] + +4.2. Signing with One Signer + + The COSE_Sign1 signature structure is used when only one signature is + going to be placed on a message. The parameters dealing with the + content and the signature are placed in the same pair of buckets + rather than having the separation of COSE_Sign. + + The structure can be encoded as either tagged or untagged depending + on the context it will be used in. A tagged COSE_Sign1 structure is + identified by the CBOR tag 18. The CDDL fragment that represents + this is: + + COSE_Sign1_Tagged = #6.18(COSE_Sign1) + + The CBOR object that carries the body, the signature, and the + information about the body and signature is called the COSE_Sign1 + structure. Examples of COSE_Sign1 messages can be found in + Appendix C.2. + + + + + +Schaad Standards Track [Page 18] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + The COSE_Sign1 structure is a CBOR array. The fields of the array in + order are: + + protected: This is as described in Section 3. + + unprotected: This is as described in Section 3. + + payload: This is as described in Section 4.1. + + signature: This field contains the computed signature value. The + type of the field is a bstr. + + The CDDL fragment that represents the above text for COSE_Sign1 + follows. + + COSE_Sign1 = [ + Headers, + payload : bstr / nil, + signature : bstr + ] + +4.3. Externally Supplied Data + + One of the features offered in the COSE document is the ability for + applications to provide additional data to be authenticated, but that + is not carried as part of the COSE object. The primary reason for + supporting this can be seen by looking at the CoAP message structure + [RFC7252], where the facility exists for options to be carried before + the payload. Examples of data that can be placed in this location + would be the CoAP code or CoAP options. If the data is in the header + section, then it is available for proxies to help in performing its + operations. For example, the Accept Option can be used by a proxy to + determine if an appropriate value is in the proxy's cache. But the + sender can prevent a proxy from changing the set of values that it + will accept by including that value in the resulting authentication + tag. However, it may also be desired to protect these values so that + if they are modified in transit, it can be detected. + + This document describes the process for using a byte array of + externally supplied authenticated data; however, the method of + constructing the byte array is a function of the application. + Applications that use this feature need to define how the externally + supplied authenticated data is to be constructed. Such a + construction needs to take into account the following issues: + + o If multiple items are included, applications need to ensure that + the same byte string is not produced if there are different + inputs. This could occur by appending the strings 'AB' and 'CDE' + + + +Schaad Standards Track [Page 19] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + or by appending the strings 'ABC' and 'DE'. This is usually + addressed by making fields a fixed width and/or encoding the + length of the field as part of the output. Using options from + CoAP [RFC7252] as an example, these fields use a TLV structure so + they can be concatenated without any problems. + + o If multiple items are included, an order for the items needs to be + defined. Using options from CoAP as an example, an application + could state that the fields are to be ordered by the option + number. + + o Applications need to ensure that the byte stream is going to be + the same on both sides. Using options from CoAP might give a + problem if the same relative numbering is kept. An intermediate + node could insert or remove an option, changing how the relative + number is done. An application would need to specify that the + relative number must be re-encoded to be relative only to the + options that are in the external data. + +4.4. Signing and Verification Process + + In order to create a signature, a well-defined byte stream is needed. + The Sig_structure is used to create the canonical form. This signing + and verification process takes in the body information (COSE_Sign or + COSE_Sign1), the signer information (COSE_Signature), and the + application data (external source). A Sig_structure is a CBOR array. + The fields of the Sig_structure in order are: + + 1. A text string identifying the context of the signature. The + context string is: + + "Signature" for signatures using the COSE_Signature structure. + + "Signature1" for signatures using the COSE_Sign1 structure. + + "CounterSignature" for signatures used as counter signature + attributes. + + 2. The protected attributes from the body structure encoded in a + bstr type. If there are no protected attributes, a bstr of + length zero is used. + + 3. The protected attributes from the signer structure encoded in a + bstr type. If there are no protected attributes, a bstr of + length zero is used. This field is omitted for the COSE_Sign1 + signature structure. + + + + + +Schaad Standards Track [Page 20] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + 4. The protected attributes from the application encoded in a bstr + type. If this field is not supplied, it defaults to a zero- + length binary string. (See Section 4.3 for application guidance + on constructing this field.) + + 5. The payload to be signed encoded in a bstr type. The payload is + placed here independent of how it is transported. + + The CDDL fragment that describes the above text is: + + Sig_structure = [ + context : "Signature" / "Signature1" / "CounterSignature", + body_protected : empty_or_serialized_map, + ? sign_protected : empty_or_serialized_map, + external_aad : bstr, + payload : bstr + ] + + How to compute a signature: + + 1. Create a Sig_structure and populate it with the appropriate + fields. + + 2. Create the value ToBeSigned by encoding the Sig_structure to a + byte string, using the encoding described in Section 14. + + 3. Call the signature creation algorithm passing in K (the key to + sign with), alg (the algorithm to sign with), and ToBeSigned (the + value to sign). + + 4. Place the resulting signature value in the 'signature' field of + the array. + + The steps for verifying a signature are: + + 1. Create a Sig_structure object and populate it with the + appropriate fields. + + 2. Create the value ToBeSigned by encoding the Sig_structure to a + byte string, using the encoding described in Section 14. + + 3. Call the signature verification algorithm passing in K (the key + to verify with), alg (the algorithm used sign with), ToBeSigned + (the value to sign), and sig (the signature to be verified). + + + + + + + +Schaad Standards Track [Page 21] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + In addition to performing the signature verification, the application + may also perform the appropriate checks to ensure that the key is + correctly paired with the signing identity and that the signing + identity is authorized before performing actions. + +4.5. Computing Counter Signatures + + Counter signatures provide a method of associating a different + signature generated by different signers with some piece of content. + This is normally used to provide a signature on a signature allowing + for a proof that a signature existed at a given time (i.e., a + Timestamp). In this document, we allow for counter signatures to + exist in a greater number of environments. As an example, it is + possible to place a counter signature in the unprotected attributes + of a COSE_Encrypt object. This would allow for an intermediary to + either verify that the encrypted byte stream has not been modified, + without being able to decrypt it, or assert that an encrypted byte + stream either existed at a given time or passed through it in terms + of routing (i.e., a proxy signature). + + An example of a counter signature on a signature can be found in + Appendix C.1.3. An example of a counter signature in an encryption + object can be found in Appendix C.3.3. + + The creation and validation of counter signatures over the different + items relies on the fact that the objects have the same structure. + The elements are a set of protected attributes, a set of unprotected + attributes, and a body, in that order. This means that the + Sig_structure can be used in a uniform manner to get the byte stream + for processing a signature. If the counter signature is going to be + computed over a COSE_Encrypt structure, the body_protected and + payload items can be mapped into the Sig_structure in the same manner + as from the COSE_Sign structure. + + It should be noted that only a signature algorithm with appendix (see + Section 8) can be used for counter signatures. This is because the + body should be able to be processed without having to evaluate the + counter signature, and this is not possible for signature schemes + with message recovery. + +5. Encryption Objects + + COSE supports two different encryption structures. COSE_Encrypt0 is + used when a recipient structure is not needed because the key to be + used is known implicitly. COSE_Encrypt is used the rest of the time. + This includes cases where there are multiple recipients or a + recipient algorithm other than direct is used. + + + + +Schaad Standards Track [Page 22] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + +5.1. Enveloped COSE Structure + + The enveloped structure allows for one or more recipients of a + message. There are provisions for parameters about the content and + parameters about the recipient information to be carried in the + message. The protected parameters associated with the content are + authenticated by the content encryption algorithm. The protected + parameters associated with the recipient are authenticated by the + recipient algorithm (when the algorithm supports it). Examples of + parameters about the content are the type of the content and the + content encryption algorithm. Examples of parameters about the + recipient are the recipient's key identifier and the recipient's + encryption algorithm. + + The same techniques and structures are used for encrypting both the + plaintext and the keys. This is different from the approach used by + both "Cryptographic Message Syntax (CMS)" [RFC5652] and "JSON Web + Encryption (JWE)" [RFC7516] where different structures are used for + the content layer and for the recipient layer. Two structures are + defined: COSE_Encrypt to hold the encrypted content and + COSE_recipient to hold the encrypted keys for recipients. Examples + of encrypted messages can be found in Appendix C.3. + + The COSE_Encrypt structure can be encoded as either tagged or + untagged depending on the context it will be used in. A tagged + COSE_Encrypt structure is identified by the CBOR tag 96. The CDDL + fragment that represents this is: + + COSE_Encrypt_Tagged = #6.96(COSE_Encrypt) + + The COSE_Encrypt structure is a CBOR array. The fields of the array + in order are: + + protected: This is as described in Section 3. + + unprotected: This is as described in Section 3. + + ciphertext: This field contains the ciphertext encoded as a bstr. + If the ciphertext is to be transported independently of the + control information about the encryption process (i.e., detached + content), then the field is encoded as a nil value. + + recipients: This field contains an array of recipient information + structures. The type for the recipient information structure is a + COSE_recipient. + + + + + + +Schaad Standards Track [Page 23] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + The CDDL fragment that corresponds to the above text is: + + COSE_Encrypt = [ + Headers, + ciphertext : bstr / nil, + recipients : [+COSE_recipient] + ] + + The COSE_recipient structure is a CBOR array. The fields of the + array in order are: + + protected: This is as described in Section 3. + + unprotected: This is as described in Section 3. + + ciphertext: This field contains the encrypted key encoded as a bstr. + All encoded keys are symmetric keys; the binary value of the key + is the content. If there is not an encrypted key, then this field + is encoded as a nil value. + + recipients: This field contains an array of recipient information + structures. The type for the recipient information structure is a + COSE_recipient (an example of this can be found in Appendix B). + If there are no recipient information structures, this element is + absent. + + The CDDL fragment that corresponds to the above text for + COSE_recipient is: + + COSE_recipient = [ + Headers, + ciphertext : bstr / nil, + ? recipients : [+COSE_recipient] + ] + +5.1.1. Content Key Distribution Methods + + An encrypted message consists of an encrypted content and an + encrypted CEK for one or more recipients. The CEK is encrypted for + each recipient, using a key specific to that recipient. The details + of this encryption depend on which class the recipient algorithm + falls into. Specific details on each of the classes can be found in + Section 12. A short summary of the five content key distribution + methods is: + + direct: The CEK is the same as the identified previously distributed + symmetric key or is derived from a previously distributed secret. + No CEK is transported in the message. + + + +Schaad Standards Track [Page 24] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + symmetric key-encryption keys (KEK): The CEK is encrypted using a + previously distributed symmetric KEK. Also known as key wrap. + + key agreement: The recipient's public key and a sender's private key + are used to generate a pairwise secret, a Key Derivation Function + (KDF) is applied to derive a key, and then the CEK is either the + derived key or encrypted by the derived key. + + key transport: The CEK is encrypted with the recipient's public key. + No key transport algorithms are defined in this document. + + passwords: The CEK is encrypted in a KEK that is derived from a + password. No password algorithms are defined in this document. + +5.2. Single Recipient Encrypted + + The COSE_Encrypt0 encrypted structure does not have the ability to + specify recipients of the message. The structure assumes that the + recipient of the object will already know the identity of the key to + be used in order to decrypt the message. If a key needs to be + identified to the recipient, the enveloped structure ought to be + used. + + Examples of encrypted messages can be found in Appendix C.3. + + The COSE_Encrypt0 structure can be encoded as either tagged or + untagged depending on the context it will be used in. A tagged + COSE_Encrypt0 structure is identified by the CBOR tag 16. The CDDL + fragment that represents this is: + + COSE_Encrypt0_Tagged = #6.16(COSE_Encrypt0) + + The COSE_Encrypt0 structure is a CBOR array. The fields of the array + in order are: + + protected: This is as described in Section 3. + + unprotected: This is as described in Section 3. + + ciphertext: This is as described in Section 5.1. + + The CDDL fragment for COSE_Encrypt0 that corresponds to the above + text is: + + COSE_Encrypt0 = [ + Headers, + ciphertext : bstr / nil, + ] + + + +Schaad Standards Track [Page 25] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + +5.3. How to Encrypt and Decrypt for AEAD Algorithms + + The encryption algorithm for AEAD algorithms is fairly simple. The + first step is to create a consistent byte stream for the + authenticated data structure. For this purpose, we use an + Enc_structure. The Enc_structure is a CBOR array. The fields of the + Enc_structure in order are: + + 1. A text string identifying the context of the authenticated data + structure. The context string is: + + "Encrypt0" for the content encryption of a COSE_Encrypt0 data + structure. + + "Encrypt" for the first layer of a COSE_Encrypt data structure + (i.e., for content encryption). + + "Enc_Recipient" for a recipient encoding to be placed in an + COSE_Encrypt data structure. + + "Mac_Recipient" for a recipient encoding to be placed in a + MACed message structure. + + "Rec_Recipient" for a recipient encoding to be placed in a + recipient structure. + + 2. The protected attributes from the body structure encoded in a + bstr type. If there are no protected attributes, a bstr of + length zero is used. + + 3. The protected attributes from the application encoded in a bstr + type. If this field is not supplied, it defaults to a zero- + length bstr. (See Section 4.3 for application guidance on + constructing this field.) + + The CDDL fragment that describes the above text is: + + Enc_structure = [ + context : "Encrypt" / "Encrypt0" / "Enc_Recipient" / + "Mac_Recipient" / "Rec_Recipient", + protected : empty_or_serialized_map, + external_aad : bstr + ] + + How to encrypt a message: + + 1. Create an Enc_structure and populate it with the appropriate + fields. + + + +Schaad Standards Track [Page 26] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + 2. Encode the Enc_structure to a byte stream (Additional + Authenticated Data (AAD)), using the encoding described in + Section 14. + + 3. Determine the encryption key (K). This step is dependent on the + class of recipient algorithm being used. For: + + No Recipients: The key to be used is determined by the algorithm + and key at the current layer. Examples are key transport keys + (Section 12.3), key wrap keys (Section 12.2.1), or pre-shared + secrets. + + Direct Encryption and Direct Key Agreement: The key is + determined by the key and algorithm in the recipient + structure. The encryption algorithm and size of the key to be + used are inputs into the KDF used for the recipient. (For + direct, the KDF can be thought of as the identity operation.) + Examples of these algorithms are found in Sections 12.1.2 and + 12.4.1. + + Other: The key is randomly or pseudorandomly generated. + + 4. Call the encryption algorithm with K (the encryption key), P (the + plaintext), and AAD. Place the returned ciphertext into the + 'ciphertext' field of the structure. + + 5. For recipients of the message, recursively perform the encryption + algorithm for that recipient, using K (the encryption key) as the + plaintext. + + How to decrypt a message: + + 1. Create an Enc_structure and populate it with the appropriate + fields. + + 2. Encode the Enc_structure to a byte stream (AAD), using the + encoding described in Section 14. + + 3. Determine the decryption key. This step is dependent on the + class of recipient algorithm being used. For: + + No Recipients: The key to be used is determined by the algorithm + and key at the current layer. Examples are key transport keys + (Section 12.3), key wrap keys (Section 12.2.1), or pre-shared + secrets. + + + + + + +Schaad Standards Track [Page 27] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + Direct Encryption and Direct Key Agreement: The key is + determined by the key and algorithm in the recipient + structure. The encryption algorithm and size of the key to be + used are inputs into the KDF used for the recipient. (For + direct, the KDF can be thought of as the identity operation.) + Examples of these algorithms are found in Sections 12.1.2 and + 12.4.1. + + Other: The key is determined by decoding and decrypting one of + the recipient structures. + + 4. Call the decryption algorithm with K (the decryption key to use), + C (the ciphertext), and AAD. + +5.4. How to Encrypt and Decrypt for AE Algorithms + + How to encrypt a message: + + 1. Verify that the 'protected' field is empty. + + 2. Verify that there was no external additional authenticated data + supplied for this operation. + + 3. Determine the encryption key. This step is dependent on the + class of recipient algorithm being used. For: + + No Recipients: The key to be used is determined by the algorithm + and key at the current layer. Examples are key transport keys + (Section 12.3), key wrap keys (Section 12.2.1), or pre-shared + secrets. + + Direct Encryption and Direct Key Agreement: The key is + determined by the key and algorithm in the recipient + structure. The encryption algorithm and size of the key to be + used are inputs into the KDF used for the recipient. (For + direct, the KDF can be thought of as the identity operation.) + Examples of these algorithms are found in Sections 12.1.2 and + 12.4.1. + + Other: The key is randomly generated. + + 4. Call the encryption algorithm with K (the encryption key to use) + and P (the plaintext). Place the returned ciphertext into the + 'ciphertext' field of the structure. + + 5. For recipients of the message, recursively perform the encryption + algorithm for that recipient, using K (the encryption key) as the + plaintext. + + + +Schaad Standards Track [Page 28] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + How to decrypt a message: + + 1. Verify that the 'protected' field is empty. + + 2. Verify that there was no external additional authenticated data + supplied for this operation. + + 3. Determine the decryption key. This step is dependent on the + class of recipient algorithm being used. For: + + No Recipients: The key to be used is determined by the algorithm + and key at the current layer. Examples are key transport keys + (Section 12.3), key wrap keys (Section 12.2.1), or pre-shared + secrets. + + Direct Encryption and Direct Key Agreement: The key is + determined by the key and algorithm in the recipient + structure. The encryption algorithm and size of the key to be + used are inputs into the KDF used for the recipient. (For + direct, the KDF can be thought of as the identity operation.) + Examples of these algorithms are found in Sections 12.1.2 and + 12.4.1. + + Other: The key is determined by decoding and decrypting one of + the recipient structures. + + 4. Call the decryption algorithm with K (the decryption key to use) + and C (the ciphertext). + +6. MAC Objects + + COSE supports two different MAC structures. COSE_MAC0 is used when a + recipient structure is not needed because the key to be used is + implicitly known. COSE_MAC is used for all other cases. These + include a requirement for multiple recipients, the key being unknown, + and a recipient algorithm of other than direct. + + In this section, we describe the structure and methods to be used + when doing MAC authentication in COSE. This document allows for the + use of all of the same classes of recipient algorithms as are allowed + for encryption. + + When using MAC operations, there are two modes in which they can be + used. The first is just a check that the content has not been + changed since the MAC was computed. Any class of recipient algorithm + can be used for this purpose. The second mode is to both check that + the content has not been changed since the MAC was computed and to + use the recipient algorithm to verify who sent it. The classes of + + + +Schaad Standards Track [Page 29] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + recipient algorithms that support this are those that use a pre- + shared secret or do static-static (SS) key agreement (without the key + wrap step). In both of these cases, the entity that created and sent + the message MAC can be validated. (This knowledge of the sender + assumes that there are only two parties involved and that you did not + send the message to yourself.) The origination property can be + obtained with both of the MAC message structures. + +6.1. MACed Message with Recipients + + The multiple recipient MACed message uses two structures: the + COSE_Mac structure defined in this section for carrying the body and + the COSE_recipient structure (Section 5.1) to hold the key used for + the MAC computation. Examples of MACed messages can be found in + Appendix C.5. + + The MAC structure can be encoded as either tagged or untagged + depending on the context it will be used in. A tagged COSE_Mac + structure is identified by the CBOR tag 97. The CDDL fragment that + represents this is: + + COSE_Mac_Tagged = #6.97(COSE_Mac) + + The COSE_Mac structure is a CBOR array. The fields of the array in + order are: + + protected: This is as described in Section 3. + + unprotected: This is as described in Section 3. + + payload: This field contains the serialized content to be MACed. If + the payload is not present in the message, the application is + required to supply the payload separately. The payload is wrapped + in a bstr to ensure that it is transported without changes. If + the payload is transported separately (i.e., detached content), + then a nil CBOR value is placed in this location, and it is the + responsibility of the application to ensure that it will be + transported without changes. + + tag: This field contains the MAC value. + + recipients: This is as described in Section 5.1. + + + + + + + + + +Schaad Standards Track [Page 30] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + The CDDL fragment that represents the above text for COSE_Mac + follows. + + COSE_Mac = [ + Headers, + payload : bstr / nil, + tag : bstr, + recipients :[+COSE_recipient] + ] + +6.2. MACed Messages with Implicit Key + + In this section, we describe the structure and methods to be used + when doing MAC authentication for those cases where the recipient is + implicitly known. + + The MACed message uses the COSE_Mac0 structure defined in this + section for carrying the body. Examples of MACed messages with an + implicit key can be found in Appendix C.6. + + The MAC structure can be encoded as either tagged or untagged + depending on the context it will be used in. A tagged COSE_Mac0 + structure is identified by the CBOR tag 17. The CDDL fragment that + represents this is: + + + COSE_Mac0_Tagged = #6.17(COSE_Mac0) + + The COSE_Mac0 structure is a CBOR array. The fields of the array in + order are: + + protected: This is as described in Section 3. + + unprotected: This is as described in Section 3. + + payload: This is as described in Section 6.1. + + tag: This field contains the MAC value. + + The CDDL fragment that corresponds to the above text is: + + COSE_Mac0 = [ + Headers, + payload : bstr / nil, + tag : bstr, + ] + + + + + +Schaad Standards Track [Page 31] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + +6.3. How to Compute and Verify a MAC + + In order to get a consistent encoding of the data to be + authenticated, the MAC_structure is used to have a canonical form. + The MAC_structure is a CBOR array. The fields of the MAC_structure + in order are: + + 1. A text string that identifies the structure that is being + encoded. This string is "MAC" for the COSE_Mac structure. This + string is "MAC0" for the COSE_Mac0 structure. + + 2. The protected attributes from the COSE_MAC structure. If there + are no protected attributes, a zero-length bstr is used. + + 3. The protected attributes from the application encoded as a bstr + type. If this field is not supplied, it defaults to a zero- + length binary string. (See Section 4.3 for application guidance + on constructing this field.) + + 4. The payload to be MACed encoded in a bstr type. The payload is + placed here independent of how it is transported. + + The CDDL fragment that corresponds to the above text is: + + MAC_structure = [ + context : "MAC" / "MAC0", + protected : empty_or_serialized_map, + external_aad : bstr, + payload : bstr + ] + + The steps to compute a MAC are: + + 1. Create a MAC_structure and populate it with the appropriate + fields. + + 2. Create the value ToBeMaced by encoding the MAC_structure to a + byte stream, using the encoding described in Section 14. + + 3. Call the MAC creation algorithm passing in K (the key to use), + alg (the algorithm to MAC with), and ToBeMaced (the value to + compute the MAC on). + + 4. Place the resulting MAC in the 'tag' field of the COSE_Mac or + COSE_Mac0 structure. + + 5. Encrypt and encode the MAC key for each recipient of the message. + + + + +Schaad Standards Track [Page 32] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + The steps to verify a MAC are: + + 1. Create a MAC_structure object and populate it with the + appropriate fields. + + 2. Create the value ToBeMaced by encoding the MAC_structure to a + byte stream, using the encoding described in Section 14. + + 3. Obtain the cryptographic key from one of the recipients of the + message. + + 4. Call the MAC creation algorithm passing in K (the key to use), + alg (the algorithm to MAC with), and ToBeMaced (the value to + compute the MAC on). + + 5. Compare the MAC value to the 'tag' field of the COSE_Mac or + COSE_Mac0 structure. + +7. Key Objects + + A COSE Key structure is built on a CBOR map object. The set of + common parameters that can appear in a COSE Key can be found in the + IANA "COSE Key Common Parameters" registry (Section 16.5). + Additional parameters defined for specific key types can be found in + the IANA "COSE Key Type Parameters" registry (Section 16.6). + + A COSE Key Set uses a CBOR array object as its underlying type. The + values of the array elements are COSE Keys. A COSE Key Set MUST have + at least one element in the array. Examples of COSE Key Sets can be + found in Appendix C.7. + + Each element in a COSE Key Set MUST be processed independently. If + one element in a COSE Key Set is either malformed or uses a key that + is not understood by an application, that key is ignored and the + other keys are processed normally. + + The element "kty" is a required element in a COSE_Key map. + + + + + + + + + + + + + + +Schaad Standards Track [Page 33] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + The CDDL grammar describing COSE_Key and COSE_KeySet is: + + COSE_Key = { + 1 => tstr / int, ; kty + ? 2 => bstr, ; kid + ? 3 => tstr / int, ; alg + ? 4 => [+ (tstr / int) ], ; key_ops + ? 5 => bstr, ; Base IV + * label => values + } + + COSE_KeySet = [+COSE_Key] + +7.1. COSE Key Common Parameters + + This document defines a set of common parameters for a COSE Key + object. Table 3 provides a summary of the parameters defined in this + section. There are also parameters that are defined for specific key + types. Key-type-specific parameters can be found in Section 13. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Schaad Standards Track [Page 34] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + +---------+-------+----------------+------------+-------------------+ + | Name | Label | CBOR Type | Value | Description | + | | | | Registry | | + +---------+-------+----------------+------------+-------------------+ + | kty | 1 | tstr / int | COSE Key | Identification of | + | | | | Common | the key type | + | | | | Parameters | | + | | | | | | + | kid | 2 | bstr | | Key | + | | | | | identification | + | | | | | value -- match to | + | | | | | kid in message | + | | | | | | + | alg | 3 | tstr / int | COSE | Key usage | + | | | | Algorithms | restriction to | + | | | | | this algorithm | + | | | | | | + | key_ops | 4 | [+ (tstr/int)] | | Restrict set of | + | | | | | permissible | + | | | | | operations | + | | | | | | + | Base IV | 5 | bstr | | Base IV to be | + | | | | | xor-ed with | + | | | | | Partial IVs | + +---------+-------+----------------+------------+-------------------+ + + Table 3: Key Map Labels + + kty: This parameter is used to identify the family of keys for this + structure and, thus, the set of key-type-specific parameters to be + found. The set of values defined in this document can be found in + Table 21. This parameter MUST be present in a key object. + Implementations MUST verify that the key type is appropriate for + the algorithm being processed. The key type MUST be included as + part of the trust decision process. + + alg: This parameter is used to restrict the algorithm that is used + with the key. If this parameter is present in the key structure, + the application MUST verify that this algorithm matches the + algorithm for which the key is being used. If the algorithms do + not match, then this key object MUST NOT be used to perform the + cryptographic operation. Note that the same key can be in a + different key structure with a different or no algorithm + specified; however, this is considered to be a poor security + practice. + + + + + + +Schaad Standards Track [Page 35] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + kid: This parameter is used to give an identifier for a key. The + identifier is not structured and can be anything from a user- + provided string to a value computed on the public portion of the + key. This field is intended for matching against a 'kid' + parameter in a message in order to filter down the set of keys + that need to be checked. + + key_ops: This parameter is defined to restrict the set of operations + that a key is to be used for. The value of the field is an array + of values from Table 4. Algorithms define the values of key ops + that are permitted to appear and are required for specific + operations. The set of values matches that in [RFC7517] and + [W3C.WebCrypto]. + + Base IV: This parameter is defined to carry the base portion of an + IV. It is designed to be used with the Partial IV header + parameter defined in Section 3.1. This field provides the ability + to associate a Partial IV with a key that is then modified on a + per message basis with the Partial IV. + + Extreme care needs to be taken when using a Base IV in an + application. Many encryption algorithms lose security if the same + IV is used twice. + + If different keys are derived for each sender, using the same Base + IV with Partial IVs starting at zero is likely to ensure that the + IV would not be used twice for a single key. If different keys + are derived for each sender, starting at the same Base IV is + likely to satisfy this condition. If the same key is used for + multiple senders, then the application needs to provide for a + method of dividing the IV space up between the senders. This + could be done by providing a different base point to start from or + a different Partial IV to start with and restricting the number of + messages to be sent before rekeying. + + + + + + + + + + + + + + + + + +Schaad Standards Track [Page 36] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + +---------+-------+-------------------------------------------------+ + | Name | Value | Description | + +---------+-------+-------------------------------------------------+ + | sign | 1 | The key is used to create signatures. Requires | + | | | private key fields. | + | verify | 2 | The key is used for verification of signatures. | + | encrypt | 3 | The key is used for key transport encryption. | + | decrypt | 4 | The key is used for key transport decryption. | + | | | Requires private key fields. | + | wrap | 5 | The key is used for key wrap encryption. | + | key | | | + | unwrap | 6 | The key is used for key wrap decryption. | + | key | | Requires private key fields. | + | derive | 7 | The key is used for deriving keys. Requires | + | key | | private key fields. | + | derive | 8 | The key is used for deriving bits not to be | + | bits | | used as a key. Requires private key fields. | + | MAC | 9 | The key is used for creating MACs. | + | create | | | + | MAC | 10 | The key is used for validating MACs. | + | verify | | | + +---------+-------+-------------------------------------------------+ + + Table 4: Key Operation Values + +8. Signature Algorithms + + There are two signature algorithm schemes. The first is signature + with appendix. In this scheme, the message content is processed and + a signature is produced; the signature is called the appendix. This + is the scheme used by algorithms such as ECDSA and the RSA + Probabilistic Signature Scheme (RSASSA-PSS). (In fact, the SSA in + RSASSA-PSS stands for Signature Scheme with Appendix.) + + The signature functions for this scheme are: + + signature = Sign(message content, key) + + valid = Verification(message content, key, signature) + + The second scheme is signature with message recovery (an example of + such an algorithm is [PVSig]). In this scheme, the message content + is processed, but part of it is included in the signature. Moving + bytes of the message content into the signature allows for smaller + signatures; the signature size is still potentially large, but the + message content has shrunk. This has implications for systems + implementing these algorithms and for applications that use them. + The first is that the message content is not fully available until + + + +Schaad Standards Track [Page 37] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + after a signature has been validated. Until that point, the part of + the message contained inside of the signature is unrecoverable. The + second is that the security analysis of the strength of the signature + is very much based on the structure of the message content. Messages + that are highly predictable require additional randomness to be + supplied as part of the signature process. In the worst case, it + becomes the same as doing a signature with appendix. Finally, in the + event that multiple signatures are applied to a message, all of the + signature algorithms are going to be required to consume the same + number of bytes of message content. This means that the mixing of + the different schemes in a single message is not supported, and if a + recovery signature scheme is used, then the same amount of content + needs to be consumed by all of the signatures. + + The signature functions for this scheme are: + + signature, message sent = Sign(message content, key) + + valid, message content = Verification(message sent, key, signature) + + Signature algorithms are used with the COSE_Signature and COSE_Sign1 + structures. At this time, only signatures with appendixes are + defined for use with COSE; however, considerable interest has been + expressed in using a signature with message recovery algorithm due to + the effective size reduction that is possible. Implementations will + need to keep this in mind for later possible integration. + +8.1. ECDSA + + ECDSA [DSS] defines a signature algorithm using ECC. Implementations + SHOULD use a deterministic version of ECDSA such as the one defined + in [RFC6979]. The use of a deterministic signature algorithm allows + for systems to avoid relying on random number generators in order to + avoid generating the same value of 'k' (the per-message random + value). Biased generation of the value 'k' can be attacked, and + collisions of this value leads to leaked keys. It additionally + allows for doing deterministic tests for the signature algorithm. + The use of deterministic ECDSA does not lessen the need to have good + random number generation when creating the private key. + + The ECDSA signature algorithm is parameterized with a hash function + (h). In the event that the length of the hash function output is + greater than the group of the key, the leftmost bytes of the hash + output are used. + + + + + + + +Schaad Standards Track [Page 38] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + The algorithms defined in this document can be found in Table 5. + + +-------+-------+---------+------------------+ + | Name | Value | Hash | Description | + +-------+-------+---------+------------------+ + | ES256 | -7 | SHA-256 | ECDSA w/ SHA-256 | + | ES384 | -35 | SHA-384 | ECDSA w/ SHA-384 | + | ES512 | -36 | SHA-512 | ECDSA w/ SHA-512 | + +-------+-------+---------+------------------+ + + Table 5: ECDSA Algorithm Values + + This document defines ECDSA to work only with the curves P-256, + P-384, and P-521. This document requires that the curves be encoded + using the 'EC2' (2 coordinate elliptic curve) key type. + Implementations need to check that the key type and curve are correct + when creating and verifying a signature. Other documents can define + it to work with other curves and points in the future. + + In order to promote interoperability, it is suggested that SHA-256 be + used only with curve P-256, SHA-384 be used only with curve P-384, + and SHA-512 be used with curve P-521. This is aligned with the + recommendation in Section 4 of [RFC5480]. + + The signature algorithm results in a pair of integers (R, S). These + integers will be the same length as the length of the key used for + the signature process. The signature is encoded by converting the + integers into byte strings of the same length as the key size. The + length is rounded up to the nearest byte and is left padded with zero + bits to get to the correct length. The two integers are then + concatenated together to form a byte string that is the resulting + signature. + + Using the function defined in [RFC8017], the signature is: + Signature = I2OSP(R, n) | I2OSP(S, n) + where n = ceiling(key_length / 8) + + When using a COSE key for this algorithm, the following checks are + made: + + o The 'kty' field MUST be present, and it MUST be 'EC2'. + + o If the 'alg' field is present, it MUST match the ECDSA signature + algorithm being used. + + o If the 'key_ops' field is present, it MUST include 'sign' when + creating an ECDSA signature. + + + + +Schaad Standards Track [Page 39] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + o If the 'key_ops' field is present, it MUST include 'verify' when + verifying an ECDSA signature. + +8.1.1. Security Considerations + + The security strength of the signature is no greater than the minimum + of the security strength associated with the bit length of the key + and the security strength of the hash function. + + Note: Use of this technique is a good idea even when good random + number generation exists. Doing so both reduces the possibility of + having the same value of 'k' in two signature operations and allows + for reproducible signature values, which helps testing. + + There are two substitution attacks that can theoretically be mounted + against the ECDSA signature algorithm. + + o Changing the curve used to validate the signature: If one changes + the curve used to validate the signature, then potentially one + could have two messages with the same signature, each computed + under a different curve. The only requirement on the new curve is + that its order be the same as the old one and it be acceptable to + the client. An example would be to change from using the curve + secp256r1 (aka P-256) to using secp256k1. (Both are 256-bit + curves.) We currently do not have any way to deal with this + version of the attack except to restrict the overall set of curves + that can be used. + + o Change the hash function used to validate the signature: If one + either has two different hash functions of the same length or can + truncate a hash function down, then one could potentially find + collisions between the hash functions rather than within a single + hash function (for example, truncating SHA-512 to 256 bits might + collide with a SHA-256 bit hash value). As the hash algorithm is + part of the signature algorithm identifier, this attack is + mitigated by including a signature algorithm identifier in the + protected header. + +8.2. Edwards-Curve Digital Signature Algorithms (EdDSAs) + + [RFC8032] describes the elliptic curve signature scheme Edwards-curve + Digital Signature Algorithm (EdDSA). In that document, the signature + algorithm is instantiated using parameters for edwards25519 and + edwards448 curves. The document additionally describes two variants + of the EdDSA algorithm: Pure EdDSA, where no hash function is applied + to the content before signing, and HashEdDSA, where a hash function + is applied to the content before signing and the result of that hash + function is signed. For EdDSA, the content to be signed (either the + + + +Schaad Standards Track [Page 40] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + message or the pre-hash value) is processed twice inside of the + signature algorithm. For use with COSE, only the pure EdDSA version + is used. This is because it is not expected that extremely large + contents are going to be needed and, based on the arrangement of the + message structure, the entire message is going to need to be held in + memory in order to create or verify a signature. This means that + there does not appear to be a need to be able to do block updates of + the hash, followed by eliminating the message from memory. + Applications can provide the same features by defining the content of + the message as a hash value and transporting the COSE object (with + the hash value) and the content as separate items. + + The algorithms defined in this document can be found in Table 6. A + single signature algorithm is defined, which can be used for multiple + curves. + + +-------+-------+-------------+ + | Name | Value | Description | + +-------+-------+-------------+ + | EdDSA | -8 | EdDSA | + +-------+-------+-------------+ + + Table 6: EdDSA Algorithm Values + + [RFC8032] describes the method of encoding the signature value. + + When using a COSE key for this algorithm, the following checks are + made: + + o The 'kty' field MUST be present, and it MUST be 'OKP' (Octet Key + Pair). + + o The 'crv' field MUST be present, and it MUST be a curve defined + for this signature algorithm. + + o If the 'alg' field is present, it MUST match 'EdDSA'. + + o If the 'key_ops' field is present, it MUST include 'sign' when + creating an EdDSA signature. + + o If the 'key_ops' field is present, it MUST include 'verify' when + verifying an EdDSA signature. + +8.2.1. Security Considerations + + How public values are computed is not the same when looking at EdDSA + and Elliptic Curve Diffie-Hellman (ECDH); for this reason, they + should not be used with the other algorithm. + + + +Schaad Standards Track [Page 41] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + If batch signature verification is performed, a well-seeded + cryptographic random number generator is REQUIRED. Signing and non- + batch signature verification are deterministic operations and do not + need random numbers of any kind. + +9. Message Authentication Code (MAC) Algorithms + + Message Authentication Codes (MACs) provide data authentication and + integrity protection. They provide either no or very limited data + origination. A MAC, for example, can be used to prove the identity + of the sender to a third party. + + MACs use the same scheme as signature with appendix algorithms. The + message content is processed and an authentication code is produced. + The authentication code is frequently called a tag. + + The MAC functions are: + + tag = MAC_Create(message content, key) + + valid = MAC_Verify(message content, key, tag) + + MAC algorithms can be based on either a block cipher algorithm (i.e., + AES-MAC) or a hash algorithm (i.e., a Hash-based Message + Authentication Code (HMAC)). This document defines a MAC algorithm + using each of these constructions. + + MAC algorithms are used in the COSE_Mac and COSE_Mac0 structures. + +9.1. Hash-Based Message Authentication Codes (HMACs) + + HMAC [RFC2104] [RFC4231] was designed to deal with length extension + attacks. The algorithm was also designed to allow for new hash + algorithms to be directly plugged in without changes to the hash + function. The HMAC design process has been shown as solid since, + while the security of hash algorithms such as MD5 has decreased over + time; the security of HMAC combined with MD5 has not yet been shown + to be compromised [RFC6151]. + + The HMAC algorithm is parameterized by an inner and outer padding, a + hash function (h), and an authentication tag value length. For this + specification, the inner and outer padding are fixed to the values + set in [RFC2104]. The length of the authentication tag corresponds + to the difficulty of producing a forgery. For use in constrained + environments, we define a set of HMAC algorithms that are truncated. + + + + + + +Schaad Standards Track [Page 42] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + There are currently no known issues with truncation; however, the + security strength of the message tag is correspondingly reduced in + strength. When truncating, the leftmost tag length bits are kept and + transmitted. + + The algorithms defined in this document can be found in Table 7. + + +-----------+-------+---------+----------+--------------------------+ + | Name | Value | Hash | Tag | Description | + | | | | Length | | + +-----------+-------+---------+----------+--------------------------+ + | HMAC | 4 | SHA-256 | 64 | HMAC w/ SHA-256 | + | 256/64 | | | | truncated to 64 bits | + | HMAC | 5 | SHA-256 | 256 | HMAC w/ SHA-256 | + | 256/256 | | | | | + | HMAC | 6 | SHA-384 | 384 | HMAC w/ SHA-384 | + | 384/384 | | | | | + | HMAC | 7 | SHA-512 | 512 | HMAC w/ SHA-512 | + | 512/512 | | | | | + +-----------+-------+---------+----------+--------------------------+ + + Table 7: HMAC Algorithm Values + + Some recipient algorithms carry the key while others derive a key + from secret data. For those algorithms that carry the key (such as + AES Key Wrap), the size of the HMAC key SHOULD be the same size as + the underlying hash function. For those algorithms that derive the + key (such as ECDH), the derived key MUST be the same size as the + underlying hash function. + + When using a COSE key for this algorithm, the following checks are + made: + + o The 'kty' field MUST be present, and it MUST be 'Symmetric'. + + o If the 'alg' field is present, it MUST match the HMAC algorithm + being used. + + o If the 'key_ops' field is present, it MUST include 'MAC create' + when creating an HMAC authentication tag. + + o If the 'key_ops' field is present, it MUST include 'MAC verify' + when verifying an HMAC authentication tag. + + Implementations creating and validating MAC values MUST validate that + the key type, key length, and algorithm are correct and appropriate + for the entities involved. + + + + +Schaad Standards Track [Page 43] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + +9.1.1. Security Considerations + + HMAC has proved to be resistant to attack even when used with + weakened hash algorithms. The current best known attack is to brute + force the key. This means that key size is going to be directly + related to the security of an HMAC operation. + +9.2. AES Message Authentication Code (AES-CBC-MAC) + + AES-CBC-MAC is defined in [MAC]. (Note that this is not the same + algorithm as AES Cipher-Based Message Authentication Code (AES-CMAC) + [RFC4493].) + + AES-CBC-MAC is parameterized by the key length, the authentication + tag length, and the IV used. For all of these algorithms, the IV is + fixed to all zeros. We provide an array of algorithms for various + key lengths and tag lengths. The algorithms defined in this document + are found in Table 8. + + +-------------+-------+----------+----------+-----------------------+ + | Name | Value | Key | Tag | Description | + | | | Length | Length | | + +-------------+-------+----------+----------+-----------------------+ + | AES-MAC | 14 | 128 | 64 | AES-MAC 128-bit key, | + | 128/64 | | | | 64-bit tag | + | AES-MAC | 15 | 256 | 64 | AES-MAC 256-bit key, | + | 256/64 | | | | 64-bit tag | + | AES-MAC | 25 | 128 | 128 | AES-MAC 128-bit key, | + | 128/128 | | | | 128-bit tag | + | AES-MAC | 26 | 256 | 128 | AES-MAC 256-bit key, | + | 256/128 | | | | 128-bit tag | + +-------------+-------+----------+----------+-----------------------+ + + Table 8: AES-MAC Algorithm Values + + Keys may be obtained either from a key structure or from a recipient + structure. Implementations creating and validating MAC values MUST + validate that the key type, key length, and algorithm are correct and + appropriate for the entities involved. + + When using a COSE key for this algorithm, the following checks are + made: + + o The 'kty' field MUST be present, and it MUST be 'Symmetric'. + + o If the 'alg' field is present, it MUST match the AES-MAC algorithm + being used. + + + + +Schaad Standards Track [Page 44] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + o If the 'key_ops' field is present, it MUST include 'MAC create' + when creating an AES-MAC authentication tag. + + o If the 'key_ops' field is present, it MUST include 'MAC verify' + when verifying an AES-MAC authentication tag. + +9.2.1. Security Considerations + + A number of attacks exist against Cipher Block Chaining Message + Authentication Code (CBC-MAC) that need to be considered. + + o A single key must only be used for messages of a fixed and known + length. If this is not the case, an attacker will be able to + generate a message with a valid tag given two message and tag + pairs. This can be addressed by using different keys for messages + of different lengths. The current structure mitigates this + problem, as a specific encoding structure that includes lengths is + built and signed. (CMAC also addresses this issue.) + + o Cipher Block Chaining (CBC) mode, if the same key is used for both + encryption and authentication operations, an attacker can produce + messages with a valid authentication code. + + o If the IV can be modified, then messages can be forged. This is + addressed by fixing the IV to all zeros. + +10. Content Encryption Algorithms + + Content encryption algorithms provide data confidentiality for + potentially large blocks of data using a symmetric key. They provide + integrity on the data that was encrypted; however, they provide + either no or very limited data origination. (One cannot, for + example, be used to prove the identity of the sender to a third + party.) The ability to provide data origination is linked to how the + CEK is obtained. + + COSE restricts the set of legal content encryption algorithms to + those that support authentication both of the content and additional + data. The encryption process will generate some type of + authentication value, but that value may be either explicit or + implicit in terms of the algorithm definition. For simplicity's + sake, the authentication code will normally be defined as being + appended to the ciphertext stream. The encryption functions are: + + ciphertext = Encrypt(message content, key, additional data) + + valid, message content = Decrypt(cipher text, key, additional data) + + + + +Schaad Standards Track [Page 45] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + Most AEAD algorithms are logically defined as returning the message + content only if the decryption is valid. Many but not all + + implementations will follow this convention. The message content + MUST NOT be used if the decryption does not validate. + + These algorithms are used in COSE_Encrypt and COSE_Encrypt0. + +10.1. AES GCM + + The Galois/Counter Mode (GCM) mode is a generic authenticated + encryption block cipher mode defined in [AES-GCM]. The GCM mode is + combined with the AES block encryption algorithm to define an AEAD + cipher. + + The GCM mode is parameterized by the size of the authentication tag + and the size of the nonce. This document fixes the size of the nonce + at 96 bits. The size of the authentication tag is limited to a small + set of values. For this document however, the size of the + authentication tag is fixed at 128 bits. + + The set of algorithms defined in this document are in Table 9. + + +---------+-------+------------------------------------------+ + | Name | Value | Description | + +---------+-------+------------------------------------------+ + | A128GCM | 1 | AES-GCM mode w/ 128-bit key, 128-bit tag | + | A192GCM | 2 | AES-GCM mode w/ 192-bit key, 128-bit tag | + | A256GCM | 3 | AES-GCM mode w/ 256-bit key, 128-bit tag | + +---------+-------+------------------------------------------+ + + Table 9: Algorithm Value for AES-GCM + + Keys may be obtained either from a key structure or from a recipient + structure. Implementations encrypting and decrypting MUST validate + that the key type, key length, and algorithm are correct and + appropriate for the entities involved. + + When using a COSE key for this algorithm, the following checks are + made: + + o The 'kty' field MUST be present, and it MUST be 'Symmetric'. + + o If the 'alg' field is present, it MUST match the AES-GCM algorithm + being used. + + o If the 'key_ops' field is present, it MUST include 'encrypt' or + 'wrap key' when encrypting. + + + +Schaad Standards Track [Page 46] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + o If the 'key_ops' field is present, it MUST include 'decrypt' or + 'unwrap key' when decrypting. + +10.1.1. Security Considerations + + When using AES-GCM, the following restrictions MUST be enforced: + + o The key and nonce pair MUST be unique for every message encrypted. + + o The total amount of data encrypted for a single key MUST NOT + exceed 2^39 - 256 bits. An explicit check is required only in + environments where it is expected that it might be exceeded. + + Consideration was given to supporting smaller tag values; the + constrained community would desire tag sizes in the 64-bit range. + Doing so drastically changes both the maximum messages size + (generally not an issue) and the number of times that a key can be + used. Given that Counter with CBC-MAC (CCM) is the usual mode for + constrained environments, restricted modes are not supported. + +10.2. AES CCM + + CCM is a generic authentication encryption block cipher mode defined + in [RFC3610]. The CCM mode is combined with the AES block encryption + algorithm to define a commonly used content encryption algorithm used + in constrained devices. + + The CCM mode has two parameter choices. The first choice is M, the + size of the authentication field. The choice of the value for M + involves a trade-off between message growth (from the tag) and the + probability that an attacker can undetectably modify a message. The + second choice is L, the size of the length field. This value + requires a trade-off between the maximum message size and the size of + the Nonce. + + It is unfortunate that the specification for CCM specified L and M as + a count of bytes rather than a count of bits. This leads to possible + misunderstandings where AES-CCM-8 is frequently used to refer to a + version of CCM mode where the size of the authentication is 64 bits + and not 8 bits. These values have traditionally been specified as + bit counts rather than byte counts. This document will follow the + convention of using bit counts so that it is easier to compare the + different algorithms presented in this document. + + We define a matrix of algorithms in this document over the values of + L and M. Constrained devices are usually operating in situations + where they use short messages and want to avoid doing recipient- + specific cryptographic operations. This favors smaller values of + + + +Schaad Standards Track [Page 47] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + both L and M. Less-constrained devices will want to be able to use + larger messages and are more willing to generate new keys for every + operation. This favors larger values of L and M. + + The following values are used for L: + + 16 bits (2): This limits messages to 2^16 bytes (64 KiB) in length. + This is sufficiently long for messages in the constrained world. + The nonce length is 13 bytes allowing for 2^(13*8) possible values + of the nonce without repeating. + + 64 bits (8): This limits messages to 2^64 bytes in length. The + nonce length is 7 bytes allowing for 2^56 possible values of the + nonce without repeating. + + The following values are used for M: + + 64 bits (8): This produces a 64-bit authentication tag. This + implies that there is a 1 in 2^64 chance that a modified message + will authenticate. + + 128 bits (16): This produces a 128-bit authentication tag. This + implies that there is a 1 in 2^128 chance that a modified message + will authenticate. + + + + + + + + + + + + + + + + + + + + + + + + + + + +Schaad Standards Track [Page 48] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + +--------------------+-------+----+-----+-----+---------------------+ + | Name | Value | L | M | k | Description | + +--------------------+-------+----+-----+-----+---------------------+ + | AES-CCM-16-64-128 | 10 | 16 | 64 | 128 | AES-CCM mode | + | | | | | | 128-bit key, 64-bit | + | | | | | | tag, 13-byte nonce | + | AES-CCM-16-64-256 | 11 | 16 | 64 | 256 | AES-CCM mode | + | | | | | | 256-bit key, 64-bit | + | | | | | | tag, 13-byte nonce | + | AES-CCM-64-64-128 | 12 | 64 | 64 | 128 | AES-CCM mode | + | | | | | | 128-bit key, 64-bit | + | | | | | | tag, 7-byte nonce | + | AES-CCM-64-64-256 | 13 | 64 | 64 | 256 | AES-CCM mode | + | | | | | | 256-bit key, 64-bit | + | | | | | | tag, 7-byte nonce | + | AES-CCM-16-128-128 | 30 | 16 | 128 | 128 | AES-CCM mode | + | | | | | | 128-bit key, | + | | | | | | 128-bit tag, | + | | | | | | 13-byte nonce | + | AES-CCM-16-128-256 | 31 | 16 | 128 | 256 | AES-CCM mode | + | | | | | | 256-bit key, | + | | | | | | 128-bit tag, | + | | | | | | 13-byte nonce | + | AES-CCM-64-128-128 | 32 | 64 | 128 | 128 | AES-CCM mode | + | | | | | | 128-bit key, | + | | | | | | 128-bit tag, 7-byte | + | | | | | | nonce | + | AES-CCM-64-128-256 | 33 | 64 | 128 | 256 | AES-CCM mode | + | | | | | | 256-bit key, | + | | | | | | 128-bit tag, 7-byte | + | | | | | | nonce | + +--------------------+-------+----+-----+-----+---------------------+ + + Table 10: Algorithm Values for AES-CCM + + Keys may be obtained either from a key structure or from a recipient + structure. Implementations encrypting and decrypting MUST validate + that the key type, key length, and algorithm are correct and + appropriate for the entities involved. + + When using a COSE key for this algorithm, the following checks are + made: + + o The 'kty' field MUST be present, and it MUST be 'Symmetric'. + + o If the 'alg' field is present, it MUST match the AES-CCM algorithm + being used. + + + + +Schaad Standards Track [Page 49] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + o If the 'key_ops' field is present, it MUST include 'encrypt' or + 'wrap key' when encrypting. + + o If the 'key_ops' field is present, it MUST include 'decrypt' or + 'unwrap key' when decrypting. + +10.2.1. Security Considerations + + When using AES-CCM, the following restrictions MUST be enforced: + + o The key and nonce pair MUST be unique for every message encrypted. + Note that the value of L influences the number of unique nonces. + + o The total number of times the AES block cipher is used MUST NOT + exceed 2^61 operations. This limitation is the sum of times the + block cipher is used in computing the MAC value and in performing + stream encryption operations. An explicit check is required only + in environments where it is expected that it might be exceeded. + + [RFC3610] additionally calls out one other consideration of note. It + is possible to do a pre-computation attack against the algorithm in + cases where portions of the plaintext are highly predictable. This + reduces the security of the key size by half. Ways to deal with this + attack include adding a random portion to the nonce value and/or + increasing the key size used. Using a portion of the nonce for a + random value will decrease the number of messages that a single key + can be used for. Increasing the key size may require more resources + in the constrained device. See Sections 5 and 10 of [RFC3610] for + more information. + +10.3. ChaCha20 and Poly1305 + + ChaCha20 and Poly1305 combined together is an AEAD mode that is + defined in [RFC7539]. This is an algorithm defined to be a cipher + that is not AES and thus would not suffer from any future weaknesses + found in AES. These cryptographic functions are designed to be fast + in software-only implementations. + + The ChaCha20/Poly1305 AEAD construction defined in [RFC7539] has no + parameterization. It takes a 256-bit key and a 96-bit nonce, as well + as the plaintext and additional data as inputs and produces the + ciphertext as an option. We define one algorithm identifier for this + algorithm in Table 11. + + + + + + + + +Schaad Standards Track [Page 50] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + +-------------------+-------+---------------------------------------+ + | Name | Value | Description | + +-------------------+-------+---------------------------------------+ + | ChaCha20/Poly1305 | 24 | ChaCha20/Poly1305 w/ 256-bit key, | + | | | 128-bit tag | + +-------------------+-------+---------------------------------------+ + + Table 11: Algorithm Value for AES-GCM + + Keys may be obtained either from a key structure or from a recipient + structure. Implementations encrypting and decrypting MUST validate + that the key type, key length, and algorithm are correct and + appropriate for the entities involved. + + When using a COSE key for this algorithm, the following checks are + made: + + o The 'kty' field MUST be present, and it MUST be 'Symmetric'. + + o If the 'alg' field is present, it MUST match the ChaCha20/Poly1305 + algorithm being used. + + o If the 'key_ops' field is present, it MUST include 'encrypt' or + 'wrap key' when encrypting. + + o If the 'key_ops' field is present, it MUST include 'decrypt' or + 'unwrap key' when decrypting. + +10.3.1. Security Considerations + + The key and nonce values MUST be a unique pair for every invocation + of the algorithm. Nonce counters are considered to be an acceptable + way of ensuring that they are unique. + +11. Key Derivation Functions (KDFs) + + KDFs are used to take some secret value and generate a different one. + The secret value comes in three flavors: + + o Secrets that are uniformly random: This is the type of secret that + is created by a good random number generator. + + o Secrets that are not uniformly random: This is type of secret that + is created by operations like key agreement. + + o Secrets that are not random: This is the type of secret that + people generate for things like passwords. + + + + +Schaad Standards Track [Page 51] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + General KDFs work well with the first type of secret, can do + reasonably well with the second type of secret, and generally do + poorly with the last type of secret. None of the KDFs in this + section are designed to deal with the type of secrets that are used + for passwords. Functions like PBES2 [RFC8018] need to be used for + that type of secret. + + The same KDF can be set up to deal with the first two types of + secrets in a different way. The KDF defined in Section 11.1 is such + a function. This is reflected in the set of algorithms defined for + the HMAC-based Extract-and-Expand Key Derivation Function (HKDF). + + When using KDFs, one component that is included is context + information. Context information is used to allow for different + keying information to be derived from the same secret. The use of + context-based keying material is considered to be a good security + practice. + + This document defines a single context structure and a single KDF. + These elements are used for all of the recipient algorithms defined + in this document that require a KDF process. These algorithms are + defined in Sections 12.1.2, 12.4.1, and 12.5.1. + +11.1. HMAC-Based Extract-and-Expand Key Derivation Function (HKDF) + + The HKDF key derivation algorithm is defined in [RFC5869]. + + The HKDF algorithm takes these inputs: + + secret -- a shared value that is secret. Secrets may be either + previously shared or derived from operations like a Diffie-Hellman + (DH) key agreement. + + salt -- an optional value that is used to change the generation + process. The salt value can be either public or private. If the + salt is public and carried in the message, then the 'salt' + algorithm header parameter defined in Table 13 is used. While + [RFC5869] suggests that the length of the salt be the same as the + length of the underlying hash value, any amount of salt will + improve the security as different key values will be generated. + This parameter is protected by being included in the key + computation and does not need to be separately authenticated. The + salt value does not need to be unique for every message sent. + + length -- the number of bytes of output that need to be generated. + + + + + + +Schaad Standards Track [Page 52] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + context information -- Information that describes the context in + which the resulting value will be used. Making this information + specific to the context in which the material is going to be used + ensures that the resulting material will always be tied to that + usage. The context structure defined in Section 11.2 is used by + the KDFs in this document. + + PRF -- The underlying pseudorandom function to be used in the HKDF + algorithm. The PRF is encoded into the HKDF algorithm selection. + + HKDF is defined to use HMAC as the underlying PRF. However, it is + possible to use other functions in the same construct to provide a + different KDF that is more appropriate in the constrained world. + Specifically, one can use AES-CBC-MAC as the PRF for the expand step, + but not for the extract step. When using a good random shared secret + of the correct length, the extract step can be skipped. For the AES + algorithm versions, the extract step is always skipped. + + The extract step cannot be skipped if the secret is not uniformly + random, for example, if it is the result of an ECDH key agreement + step. This implies that the AES HKDF version cannot be used with + ECDH. If the extract step is skipped, the 'salt' value is not used + as part of the HKDF functionality. + + The algorithms defined in this document are found in Table 12. + + +---------------+-----------------+---------------------------------+ + | Name | PRF | Description | + +---------------+-----------------+---------------------------------+ + | HKDF SHA-256 | HMAC with | HKDF using HMAC SHA-256 as the | + | | SHA-256 | PRF | + | HKDF SHA-512 | HMAC with | HKDF using HMAC SHA-512 as the | + | | SHA-512 | PRF | + | HKDF AES- | AES-CBC-MAC-128 | HKDF using AES-MAC as the PRF | + | MAC-128 | | w/ 128-bit key | + | HKDF AES- | AES-CBC-MAC-256 | HKDF using AES-MAC as the PRF | + | MAC-256 | | w/ 256-bit key | + +---------------+-----------------+---------------------------------+ + + Table 12: HKDF Algorithms + + + + + + + + + + + +Schaad Standards Track [Page 53] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + +------+-------+------+-------------------------------+-------------+ + | Name | Label | Type | Algorithm | Description | + +------+-------+------+-------------------------------+-------------+ + | salt | -20 | bstr | direct+HKDF-SHA-256, direct | Random salt | + | | | | +HKDF-SHA-512, direct+HKDF- | | + | | | | AES-128, direct+HKDF-AES-256, | | + | | | | ECDH-ES+HKDF-256, ECDH- | | + | | | | ES+HKDF-512, ECDH- | | + | | | | SS+HKDF-256, ECDH- | | + | | | | SS+HKDF-512, ECDH-ES+A128KW, | | + | | | | ECDH-ES+A192KW, ECDH- | | + | | | | ES+A256KW, ECDH-SS+A128KW, | | + | | | | ECDH-SS+A192KW, ECDH- | | + | | | | SS+A256KW | | + +------+-------+------+-------------------------------+-------------+ + + Table 13: HKDF Algorithm Parameters + +11.2. Context Information Structure + + The context information structure is used to ensure that the derived + keying material is "bound" to the context of the transaction. The + context information structure used here is based on that defined in + [SP800-56A]. By using CBOR for the encoding of the context + information structure, we automatically get the same type and length + separation of fields that is obtained by the use of ASN.1. This + means that there is no need to encode the lengths for the base + elements, as it is done by the encoding used in JOSE (Section 4.6.2 + of [RFC7518]). + + The context information structure refers to PartyU and PartyV as the + two parties that are doing the key derivation. Unless the + application protocol defines differently, we assign PartyU to the + entity that is creating the message and PartyV to the entity that is + receiving the message. By doing this association, different keys + will be derived for each direction as the context information is + different in each direction. + + The context structure is built from information that is known to both + entities. This information can be obtained from a variety of + sources: + + o Fields can be defined by the application. This is commonly used + to assign fixed names to parties, but it can be used for other + items such as nonces. + + o Fields can be defined by usage of the output. Examples of this + are the algorithm and key size that are being generated. + + + +Schaad Standards Track [Page 54] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + o Fields can be defined by parameters from the message. We define a + set of parameters in Table 14 that can be used to carry the values + associated with the context structure. Examples of this are + identities and nonce values. These parameters are designed to be + placed in the unprotected bucket of the recipient structure; they + do not need to be in the protected bucket since they already are + included in the cryptographic computation by virtue of being + included in the context structure. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Schaad Standards Track [Page 55] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + +----------+-------+------+---------------------------+-------------+ + | Name | Label | Type | Algorithm | Description | + +----------+-------+------+---------------------------+-------------+ + | PartyU | -21 | bstr | direct+HKDF-SHA-256, | Party U | + | identity | | | direct+HKDF-SHA-512, | identity | + | | | | direct+HKDF-AES-128, | information | + | | | | direct+HKDF-AES-256, | | + | | | | ECDH-ES+HKDF-256, ECDH- | | + | | | | ES+HKDF-512, ECDH- | | + | | | | SS+HKDF-256, ECDH- | | + | | | | SS+HKDF-512, ECDH- | | + | | | | ES+A128KW, ECDH- | | + | | | | ES+A192KW, ECDH- | | + | | | | ES+A256KW, ECDH- | | + | | | | SS+A128KW, ECDH- | | + | | | | SS+A192KW, ECDH-SS+A256KW | | + | | | | | | + | PartyU | -22 | bstr | direct+HKDF-SHA-256, | Party U | + | nonce | | / | direct+HKDF-SHA-512, | provided | + | | | int | direct+HKDF-AES-128, | nonce | + | | | | direct+HKDF-AES-256, | | + | | | | ECDH-ES+HKDF-256, ECDH- | | + | | | | ES+HKDF-512, ECDH- | | + | | | | SS+HKDF-256, ECDH- | | + | | | | SS+HKDF-512, ECDH- | | + | | | | ES+A128KW, ECDH- | | + | | | | ES+A192KW, ECDH- | | + | | | | ES+A256KW, ECDH- | | + | | | | SS+A128KW, ECDH- | | + | | | | SS+A192KW, ECDH-SS+A256KW | | + | | | | | | + | PartyU | -23 | bstr | direct+HKDF-SHA-256, | Party U | + | other | | | direct+HKDF-SHA-512, | other | + | | | | direct+HKDF-AES-128, | provided | + | | | | direct+HKDF-AES-256, | information | + | | | | ECDH-ES+HKDF-256, ECDH- | | + | | | | ES+HKDF-512, ECDH- | | + | | | | SS+HKDF-256, ECDH- | | + | | | | SS+HKDF-512, ECDH- | | + | | | | ES+A128KW, ECDH- | | + | | | | ES+A192KW, ECDH- | | + | | | | ES+A256KW, ECDH- | | + | | | | SS+A128KW, ECDH- | | + | | | | SS+A192KW, ECDH-SS+A256KW | | + + + + + + + +Schaad Standards Track [Page 56] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + | PartyV | -24 | bstr | direct+HKDF-SHA-256, | Party V | + | identity | | | direct+HKDF-SHA-512, | identity | + | | | | direct+HKDF-AES-128, | information | + | | | | direct+HKDF-AES-256, | | + | | | | ECDH-ES+HKDF-256, ECDH- | | + | | | | ES+HKDF-512, ECDH- | | + | | | | SS+HKDF-256, ECDH- | | + | | | | SS+HKDF-512, ECDH- | | + | | | | ES+A128KW, ECDH- | | + | | | | ES+A192KW, ECDH- | | + | | | | ES+A256KW, ECDH- | | + | | | | SS+A128KW, ECDH- | | + | | | | SS+A192KW, ECDH-SS+A256KW | | + | | | | | | + | PartyV | -25 | bstr | direct+HKDF-SHA-256, | Party V | + | nonce | | / | direct+HKDF-SHA-512, | provided | + | | | int | direct+HKDF-AES-128, | nonce | + | | | | direct+HKDF-AES-256, | | + | | | | ECDH-ES+HKDF-256, ECDH- | | + | | | | ES+HKDF-512, ECDH- | | + | | | | SS+HKDF-256, ECDH- | | + | | | | SS+HKDF-512, ECDH- | | + | | | | ES+A128KW, ECDH- | | + | | | | ES+A192KW, ECDH- | | + | | | | ES+A256KW, ECDH- | | + | | | | SS+A128KW, ECDH- | | + | | | | SS+A192KW, ECDH-SS+A256KW | | + | | | | | | + | PartyV | -26 | bstr | direct+HKDF-SHA-256, | Party V | + | other | | | direct+HKDF-SHA-512, | other | + | | | | direct+HKDF-AES-128, | provided | + | | | | direct+HKDF-AES-256, | information | + | | | | ECDH-ES+HKDF-256, ECDH- | | + | | | | ES+HKDF-512, ECDH- | | + | | | | SS+HKDF-256, ECDH- | | + | | | | SS+HKDF-512, ECDH- | | + | | | | ES+A128KW, ECDH- | | + | | | | ES+A192KW, ECDH- | | + | | | | ES+A256KW, ECDH- | | + | | | | SS+A128KW, ECDH- | | + | | | | SS+A192KW, ECDH-SS+A256KW | | + +----------+-------+------+---------------------------+-------------+ + + Table 14: Context Algorithm Parameters + + + + + + + +Schaad Standards Track [Page 57] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + We define a CBOR object to hold the context information. This object + is referred to as COSE_KDF_Context. The object is based on a CBOR + array type. The fields in the array are: + + AlgorithmID: This field indicates the algorithm for which the key + material will be used. This normally is either a key wrap + algorithm identifier or a content encryption algorithm identifier. + The values are from the "COSE Algorithms" registry. This field is + required to be present. The field exists in the context + information so that if the same environment is used for different + algorithms, then completely different keys will be generated for + each of those algorithms. This practice means if algorithm A is + broken and thus is easier to find, the key derived for algorithm B + will not be the same as the key derived for algorithm A. + + PartyUInfo: This field holds information about party U. The + PartyUInfo is encoded as a CBOR array. The elements of PartyUInfo + are encoded in the order presented. The elements of the + PartyUInfo array are: + + identity: This contains the identity information for party U. + The identities can be assigned in one of two manners. First, a + protocol can assign identities based on roles. For example, + the roles of "client" and "server" may be assigned to different + entities in the protocol. Each entity would then use the + correct label for the data they send or receive. The second + way for a protocol to assign identities is to use a name based + on a naming system (i.e., DNS, X.509 names). + + We define an algorithm parameter 'PartyU identity' that can be + used to carry identity information in the message. However, + identity information is often known as part of the protocol and + can thus be inferred rather than made explicit. If identity + information is carried in the message, applications SHOULD have + a way of validating the supplied identity information. The + identity information does not need to be specified and is set + to nil in that case. + + nonce: This contains a nonce value. The nonce can either be + implicit from the protocol or be carried as a value in the + unprotected headers. + + We define an algorithm parameter 'PartyU nonce' that can be + used to carry this value in the message; however, the nonce + value could be determined by the application and the value + determined from elsewhere. + + + + + +Schaad Standards Track [Page 58] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + This option does not need to be specified and is set to nil in + that case. + + other: This contains other information that is defined by the + protocol. This option does not need to be specified and is set + to nil in that case. + + PartyVInfo: This field holds information about party V. The content + of the structure is the same as for the PartyUInfo but for party + V. + + SuppPubInfo: This field contains public information that is mutually + known to both parties. + + keyDataLength: This is set to the number of bits of the desired + output value. This practice means if algorithm A can use two + different key lengths, the key derived for longer key size will + not contain the key for shorter key size as a prefix. + + protected: This field contains the protected parameter field. If + there are no elements in the protected field, then use a zero- + length bstr. + + other: This field is for free form data defined by the + application. An example is that an application could define + two different strings to be placed here to generate different + keys for a data stream versus a control stream. This field is + optional and will only be present if the application defines a + structure for this information. Applications that define this + SHOULD use CBOR to encode the data so that types and lengths + are correctly included. + + SuppPrivInfo: This field contains private information that is + mutually known private information. An example of this + information would be a preexisting shared secret. (This could, + for example, be used in combination with an ECDH key agreement to + provide a secondary proof of identity.) The field is optional and + will only be present if the application defines a structure for + this information. Applications that define this SHOULD use CBOR + to encode the data so that types and lengths are correctly + included. + + + + + + + + + + +Schaad Standards Track [Page 59] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + The following CDDL fragment corresponds to the text above. + + PartyInfo = ( + identity : bstr / nil, + nonce : bstr / int / nil, + other : bstr / nil + ) + + COSE_KDF_Context = [ + AlgorithmID : int / tstr, + PartyUInfo : [ PartyInfo ], + PartyVInfo : [ PartyInfo ], + SuppPubInfo : [ + keyDataLength : uint, + protected : empty_or_serialized_map, + ? other : bstr + ], + ? SuppPrivInfo : bstr + ] + +12. Content Key Distribution Methods + + Content key distribution methods (recipient algorithms) can be + defined into a number of different classes. COSE has the ability to + support many classes of recipient algorithms. In this section, a + number of classes are listed, and then a set of algorithms are + specified for each of the classes. The names of the recipient + algorithm classes used here are the same as those defined in + [RFC7516]. Other specifications use different terms for the + recipient algorithm classes or do not support some of the recipient + algorithm classes. + +12.1. Direct Encryption + + The direct encryption class algorithms share a secret between the + sender and the recipient that is used either directly or after + manipulation as the CEK. When direct encryption mode is used, it + MUST be the only mode used on the message. + + The COSE_Recipient structure for the recipient is organized as + follows: + + o The 'protected' field MUST be a zero-length item unless it is used + in the computation of the content key. + + o The 'alg' parameter MUST be present. + + o A parameter identifying the shared secret SHOULD be present. + + + +Schaad Standards Track [Page 60] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + o The 'ciphertext' field MUST be a zero-length item. + + o The 'recipients' field MUST be absent. + +12.1.1. Direct Key + + This recipient algorithm is the simplest; the identified key is + directly used as the key for the next layer down in the message. + There are no algorithm parameters defined for this algorithm. The + algorithm identifier value is assigned in Table 15. + + When this algorithm is used, the protected field MUST be zero length. + The key type MUST be 'Symmetric'. + + +--------+-------+-------------------+ + | Name | Value | Description | + +--------+-------+-------------------+ + | direct | -6 | Direct use of CEK | + +--------+-------+-------------------+ + + Table 15: Direct Key + +12.1.1.1. Security Considerations + + This recipient algorithm has several potential problems that need to + be considered: + + o These keys need to have some method to be regularly updated over + time. All of the content encryption algorithms specified in this + document have limits on how many times a key can be used without + significant loss of security. + + o These keys need to be dedicated to a single algorithm. There have + been a number of attacks developed over time when a single key is + used for multiple different algorithms. One example of this is + the use of a single key for both the CBC encryption mode and the + CBC-MAC authentication mode. + + o Breaking one message means all messages are broken. If an + adversary succeeds in determining the key for a single message, + then the key for all messages is also determined. + +12.1.2. Direct Key with KDF + + These recipient algorithms take a common shared secret between the + two parties and applies the HKDF function (Section 11.1), using the + context structure defined in Section 11.2 to transform the shared + + + + +Schaad Standards Track [Page 61] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + secret into the CEK. The 'protected' field can be of non-zero + length. Either the 'salt' parameter of HKDF or the 'PartyU nonce' + parameter of the context structure MUST be present. The salt/nonce + parameter can be generated either randomly or deterministically. The + requirement is that it be a unique value for the shared secret in + question. + + If the salt/nonce value is generated randomly, then it is suggested + that the length of the random value be the same length as the hash + function underlying HKDF. While there is no way to guarantee that it + will be unique, there is a high probability that it will be unique. + If the salt/nonce value is generated deterministically, it can be + guaranteed to be unique, and thus there is no length requirement. + + A new IV must be used for each message if the same key is used. The + IV can be modified in a predictable manner, a random manner, or an + unpredictable manner (i.e., encrypting a counter). + + The IV used for a key can also be generated from the same HKDF + functionality as the key is generated. If HKDF is used for + generating the IV, the algorithm identifier is set to "IV- + GENERATION". + + When these algorithms are used, the key type MUST be 'symmetric'. + + The set of algorithms defined in this document can be found in + Table 16. + + +---------------------+-------+-------------+-----------------------+ + | Name | Value | KDF | Description | + +---------------------+-------+-------------+-----------------------+ + | direct+HKDF-SHA-256 | -10 | HKDF | Shared secret w/ HKDF | + | | | SHA-256 | and SHA-256 | + | direct+HKDF-SHA-512 | -11 | HKDF | Shared secret w/ HKDF | + | | | SHA-512 | and SHA-512 | + | direct+HKDF-AES-128 | -12 | HKDF AES- | Shared secret w/ AES- | + | | | MAC-128 | MAC 128-bit key | + | direct+HKDF-AES-256 | -13 | HKDF AES- | Shared secret w/ AES- | + | | | MAC-256 | MAC 256-bit key | + +---------------------+-------+-------------+-----------------------+ + + Table 16: Direct Key with KDF + + + + + + + + + +Schaad Standards Track [Page 62] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + When using a COSE key for this algorithm, the following checks are + made: + + o The 'kty' field MUST be present, and it MUST be 'Symmetric'. + + o If the 'alg' field is present, it MUST match the algorithm being + used. + + o If the 'key_ops' field is present, it MUST include 'deriveKey' or + 'deriveBits'. + +12.1.2.1. Security Considerations + + The shared secret needs to have some method to be regularly updated + over time. The shared secret forms the basis of trust. Although not + used directly, it should still be subject to scheduled rotation. + + While these methods do not provide for perfect forward secrecy, as + the same shared secret is used for all of the keys generated, if the + key for any single message is discovered, only the message (or series + of messages) using that derived key are compromised. A new key + derivation step will generate a new key that requires the same amount + of work to get the key. + +12.2. Key Wrap + + In key wrap mode, the CEK is randomly generated and that key is then + encrypted by a shared secret between the sender and the recipient. + All of the currently defined key wrap algorithms for COSE are AE + algorithms. Key wrap mode is considered to be superior to direct + encryption if the system has any capability for doing random key + generation. This is because the shared key is used to wrap random + data rather than data that has some degree of organization and may in + fact be repeating the same content. The use of key wrap loses the + weak data origination that is provided by the direct encryption + algorithms. + + The COSE_Encrypt structure for the recipient is organized as follows: + + o The 'protected' field MUST be absent if the key wrap algorithm is + an AE algorithm. + + o The 'recipients' field is normally absent, but can be used. + Applications MUST deal with a recipient field being present, not + being able to decrypt that recipient is an acceptable way of + dealing with it. Failing to process the message is not an + acceptable way of dealing with it. + + + + +Schaad Standards Track [Page 63] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + o The plaintext to be encrypted is the key from next layer down + (usually the content layer). + + o At a minimum, the 'unprotected' field MUST contain the 'alg' + parameter and SHOULD contain a parameter identifying the shared + secret. + +12.2.1. AES Key Wrap + + The AES Key Wrap algorithm is defined in [RFC3394]. This algorithm + uses an AES key to wrap a value that is a multiple of 64 bits. As + such, it can be used to wrap a key for any of the content encryption + algorithms defined in this document. The algorithm requires a single + fixed parameter, the initial value. This is fixed to the value + specified in Section 2.2.3.1 of [RFC3394]. There are no public + parameters that vary on a per-invocation basis. The protected header + field MUST be empty. + + Keys may be obtained either from a key structure or from a recipient + structure. Implementations encrypting and decrypting MUST validate + that the key type, key length, and algorithm are correct and + appropriate for the entities involved. + + When using a COSE key for this algorithm, the following checks are + made: + + o The 'kty' field MUST be present, and it MUST be 'Symmetric'. + + o If the 'alg' field is present, it MUST match the AES Key Wrap + algorithm being used. + + o If the 'key_ops' field is present, it MUST include 'encrypt' or + 'wrap key' when encrypting. + + o If the 'key_ops' field is present, it MUST include 'decrypt' or + 'unwrap key' when decrypting. + + +--------+-------+----------+-----------------------------+ + | Name | Value | Key Size | Description | + +--------+-------+----------+-----------------------------+ + | A128KW | -3 | 128 | AES Key Wrap w/ 128-bit key | + | A192KW | -4 | 192 | AES Key Wrap w/ 192-bit key | + | A256KW | -5 | 256 | AES Key Wrap w/ 256-bit key | + +--------+-------+----------+-----------------------------+ + + Table 17: AES Key Wrap Algorithm Values + + + + + +Schaad Standards Track [Page 64] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + +12.2.1.1. Security Considerations for AES-KW + + The shared secret needs to have some method to be regularly updated + over time. The shared secret is the basis of trust. + +12.3. Key Transport + + Key transport mode is also called key encryption mode in some + standards. Key transport mode differs from key wrap mode in that it + uses an asymmetric encryption algorithm rather than a symmetric + encryption algorithm to protect the key. This document does not + define any key transport mode algorithms. + + When using a key transport algorithm, the COSE_Encrypt structure for + the recipient is organized as follows: + + o The 'protected' field MUST be absent. + + o The plaintext to be encrypted is the key from the next layer down + (usually the content layer). + + o At a minimum, the 'unprotected' field MUST contain the 'alg' + parameter and SHOULD contain a parameter identifying the + asymmetric key. + +12.4. Direct Key Agreement + + The 'direct key agreement' class of recipient algorithms uses a key + agreement method to create a shared secret. A KDF is then applied to + the shared secret to derive a key to be used in protecting the data. + This key is normally used as a CEK or MAC key, but could be used for + other purposes if more than two layers are in use (see Appendix B). + + The most commonly used key agreement algorithm is Diffie-Hellman, but + other variants exist. Since COSE is designed for a store and forward + environment rather than an online environment, many of the DH + variants cannot be used as the receiver of the message cannot provide + any dynamic key material. One side effect of this is that perfect + forward secrecy (see [RFC4949]) is not achievable. A static key will + always be used for the receiver of the COSE object. + + Two variants of DH that are supported are: + + Ephemeral-Static (ES) DH: where the sender of the message creates + a one-time DH key and uses a static key for the recipient. The + use of the ephemeral sender key means that no additional random + input is needed as this is randomly generated for each message. + + + + +Schaad Standards Track [Page 65] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + Static-Static DH: where a static key is used for both the sender + and the recipient. The use of static keys allows for the + recipient to get a weak version of data origination for the + message. When static-static key agreement is used, then some + piece of unique data for the KDF is required to ensure that a + different key is created for each message. + + When direct key agreement mode is used, there MUST be only one + recipient in the message. This method creates the key directly, and + that makes it difficult to mix with additional recipients. If + multiple recipients are needed, then the version with key wrap needs + to be used. + + The COSE_Encrypt structure for the recipient is organized as follows: + + o At a minimum, headers MUST contain the 'alg' parameter and SHOULD + contain a parameter identifying the recipient's asymmetric key. + + o The headers SHOULD identify the sender's key for the static-static + versions and MUST contain the sender's ephemeral key for the + ephemeral-static versions. + +12.4.1. ECDH + + The mathematics for ECDH can be found in [RFC6090]. In this + document, the algorithm is extended to be used with the two curves + defined in [RFC7748]. + + ECDH is parameterized by the following: + + o Curve Type/Curve: The curve selected controls not only the size of + the shared secret, but the mathematics for computing the shared + secret. The curve selected also controls how a point in the curve + is represented and what happens for the identity points on the + curve. In this specification, we allow for a number of different + curves to be used. A set of curves are defined in Table 22. + The math used to obtain the computed secret is based on the curve + selected and not on the ECDH algorithm. For this reason, a new + algorithm does not need to be defined for each of the curves. + + o Computed Secret to Shared Secret: Once the computed secret is + known, the resulting value needs to be converted to a byte string + to run the KDF. The x-coordinate is used for all of the curves + defined in this document. For curves X25519 and X448, the + resulting value is used directly as it is a byte string of a known + length. For the P-256, P-384, and P-521 curves, the x-coordinate + is run through the I2OSP function defined in [RFC8017], using the + same computation for n as is defined in Section 8.1. + + + +Schaad Standards Track [Page 66] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + o Ephemeral-Static or Static-Static: The key agreement process may + be done using either a static or an ephemeral key for the sender's + side. When using ephemeral keys, the sender MUST generate a new + ephemeral key for every key agreement operation. The ephemeral + key is placed in the 'ephemeral key' parameter and MUST be present + for all algorithm identifiers that use ephemeral keys. When using + static keys, the sender MUST either generate a new random value or + create a unique value. For the KDFs used, this means either the + 'salt' parameter for HKDF (Table 13) or the 'PartyU nonce' + parameter for the context structure (Table 14) MUST be present + (both can be present if desired). The value in the parameter MUST + be unique for the pair of keys being used. It is acceptable to + use a global counter that is incremented for every static-static + operation and use the resulting value. When using static keys, + the static key should be identified to the recipient. The static + key can be identified either by providing the key ('static key') + or by providing a key identifier for the static key ('static key + id'). Both of these parameters are defined in Table 19. + + o Key Derivation Algorithm: The result of an ECDH key agreement + process does not provide a uniformly random secret. As such, it + needs to be run through a KDF in order to produce a usable key. + Processing the secret through a KDF also allows for the + introduction of context material: how the key is going to be used + and one-time material for static-static key agreement. All of the + algorithms defined in this document use one of the HKDF algorithms + defined in Section 11.1 with the context structure defined in + Section 11.2. + + o Key Wrap Algorithm: No key wrap algorithm is used. This is + represented in Table 18 as 'none'. The key size for the context + structure is the content layer encryption algorithm size. + + The set of direct ECDH algorithms defined in this document are found + in Table 18. + + + + + + + + + + + + + + + + +Schaad Standards Track [Page 67] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + +-----------+-------+---------+------------+--------+---------------+ + | Name | Value | KDF | Ephemeral- | Key | Description | + | | | | Static | Wrap | | + +-----------+-------+---------+------------+--------+---------------+ + | ECDH-ES + | -25 | HKDF - | yes | none | ECDH ES w/ | + | HKDF-256 | | SHA-256 | | | HKDF - | + | | | | | | generate key | + | | | | | | directly | + | ECDH-ES + | -26 | HKDF - | yes | none | ECDH ES w/ | + | HKDF-512 | | SHA-512 | | | HKDF - | + | | | | | | generate key | + | | | | | | directly | + | ECDH-SS + | -27 | HKDF - | no | none | ECDH SS w/ | + | HKDF-256 | | SHA-256 | | | HKDF - | + | | | | | | generate key | + | | | | | | directly | + | ECDH-SS + | -28 | HKDF - | no | none | ECDH SS w/ | + | HKDF-512 | | SHA-512 | | | HKDF - | + | | | | | | generate key | + | | | | | | directly | + +-----------+-------+---------+------------+--------+---------------+ + + Table 18: ECDH Algorithm Values + + +-----------+-------+----------+---------------------+--------------+ + | Name | Label | Type | Algorithm | Description | + +-----------+-------+----------+---------------------+--------------+ + | ephemeral | -1 | COSE_Key | ECDH-ES+HKDF-256, | Ephemeral | + | key | | | ECDH-ES+HKDF-512, | public key | + | | | | ECDH-ES+A128KW, | for the | + | | | | ECDH-ES+A192KW, | sender | + | | | | ECDH-ES+A256KW | | + | static | -2 | COSE_Key | ECDH-SS+HKDF-256, | Static | + | key | | | ECDH-SS+HKDF-512, | public key | + | | | | ECDH-SS+A128KW, | for the | + | | | | ECDH-SS+A192KW, | sender | + | | | | ECDH-SS+A256KW | | + | static | -3 | bstr | ECDH-SS+HKDF-256, | Static | + | key id | | | ECDH-SS+HKDF-512, | public key | + | | | | ECDH-SS+A128KW, | identifier | + | | | | ECDH-SS+A192KW, | for the | + | | | | ECDH-SS+A256KW | sender | + +-----------+-------+----------+---------------------+--------------+ + + Table 19: ECDH Algorithm Parameters + + + + + + +Schaad Standards Track [Page 68] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + This document defines these algorithms to be used with the curves + P-256, P-384, P-521, X25519, and X448. Implementations MUST verify + that the key type and curve are correct. Different curves are + restricted to different key types. Implementations MUST verify that + the curve and algorithm are appropriate for the entities involved. + + When using a COSE key for this algorithm, the following checks are + made: + + o The 'kty' field MUST be present, and it MUST be 'EC2' or 'OKP'. + + o If the 'alg' field is present, it MUST match the key agreement + algorithm being used. + + o If the 'key_ops' field is present, it MUST include 'derive key' or + 'derive bits' for the private key. + + o If the 'key_ops' field is present, it MUST be empty for the public + key. + +12.4.2. Security Considerations + + There is a method of checking that points provided from external + entities are valid. For the 'EC2' key format, this can be done by + checking that the x and y values form a point on the curve. For the + 'OKP' format, there is no simple way to do point validation. + + Consideration was given to requiring that the public keys of both + entities be provided as part of the key derivation process (as + recommended in Section 6.1 of [RFC7748]). This was not done as COSE + is used in a store and forward format rather than in online key + exchange. In order for this to be a problem, either the receiver + public key has to be chosen maliciously or the sender has to be + malicious. In either case, all security evaporates anyway. + + A proof of possession of the private key associated with the public + key is recommended when a key is moved from untrusted to trusted + (either by the end user or by the entity that is responsible for + making trust statements on keys). + +12.5. Key Agreement with Key Wrap + + Key Agreement with Key Wrap uses a randomly generated CEK. The CEK + is then encrypted using a key wrap algorithm and a key derived from + the shared secret computed by the key agreement algorithm. The + function for this would be: + + encryptedKey = KeyWrap(KDF(DH-Shared, context), CEK) + + + +Schaad Standards Track [Page 69] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + The COSE_Encrypt structure for the recipient is organized as follows: + + o The 'protected' field is fed into the KDF context structure. + + o The plaintext to be encrypted is the key from the next layer down + (usually the content layer). + + o The 'alg' parameter MUST be present in the layer. + + o A parameter identifying the recipient's key SHOULD be present. A + parameter identifying the sender's key SHOULD be present. + +12.5.1. ECDH + + These algorithms are defined in Table 20. + + ECDH with Key Agreement is parameterized by the same parameters as + for ECDH; see Section 12.4.1, with the following modifications: + + o Key Wrap Algorithm: Any of the key wrap algorithms defined in + Section 12.2.1 are supported. The size of the key used for the + key wrap algorithm is fed into the KDF. The set of identifiers + are found in Table 20. + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Schaad Standards Track [Page 70] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + +-----------+-------+---------+------------+--------+---------------+ + | Name | Value | KDF | Ephemeral- | Key | Description | + | | | | Static | Wrap | | + +-----------+-------+---------+------------+--------+---------------+ + | ECDH-ES + | -29 | HKDF - | yes | A128KW | ECDH ES w/ | + | A128KW | | SHA-256 | | | Concat KDF | + | | | | | | and AES Key | + | | | | | | Wrap w/ | + | | | | | | 128-bit key | + | | | | | | | + | ECDH-ES + | -30 | HKDF - | yes | A192KW | ECDH ES w/ | + | A192KW | | SHA-256 | | | Concat KDF | + | | | | | | and AES Key | + | | | | | | Wrap w/ | + | | | | | | 192-bit key | + | | | | | | | + | ECDH-ES + | -31 | HKDF - | yes | A256KW | ECDH ES w/ | + | A256KW | | SHA-256 | | | Concat KDF | + | | | | | | and AES Key | + | | | | | | Wrap w/ | + | | | | | | 256-bit key | + | | | | | | | + | ECDH-SS + | -32 | HKDF - | no | A128KW | ECDH SS w/ | + | A128KW | | SHA-256 | | | Concat KDF | + | | | | | | and AES Key | + | | | | | | Wrap w/ | + | | | | | | 128-bit key | + | | | | | | | + | ECDH-SS + | -33 | HKDF - | no | A192KW | ECDH SS w/ | + | A192KW | | SHA-256 | | | Concat KDF | + | | | | | | and AES Key | + | | | | | | Wrap w/ | + | | | | | | 192-bit key | + | | | | | | | + | ECDH-SS + | -34 | HKDF - | no | A256KW | ECDH SS w/ | + | A256KW | | SHA-256 | | | Concat KDF | + | | | | | | and AES Key | + | | | | | | Wrap w/ | + | | | | | | 256-bit key | + +-----------+-------+---------+------------+--------+---------------+ + + Table 20: ECDH Algorithm Values with Key Wrap + + + + + + + + + +Schaad Standards Track [Page 71] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + When using a COSE key for this algorithm, the following checks are + made: + + o The 'kty' field MUST be present, and it MUST be 'EC2' or 'OKP'. + + o If the 'alg' field is present, it MUST match the key agreement + algorithm being used. + + o If the 'key_ops' field is present, it MUST include 'derive key' or + 'derive bits' for the private key. + + o If the 'key_ops' field is present, it MUST be empty for the public + key. + +13. Key Object Parameters + + The COSE_Key object defines a way to hold a single key object. It is + still required that the members of individual key types be defined. + This section of the document is where we define an initial set of + members for specific key types. + + For each of the key types, we define both public and private members. + The public members are what is transmitted to others for their usage. + Private members allow for the archival of keys by individuals. + However, there are some circumstances in which private keys may be + distributed to entities in a protocol. Examples include: entities + that have poor random number generation, centralized key creation for + multi-cast type operations, and protocols in which a shared secret is + used as a bearer token for authorization purposes. + + Key types are identified by the 'kty' member of the COSE_Key object. + In this document, we define four values for the member: + + +-----------+-------+-----------------------------------------------+ + | Name | Value | Description | + +-----------+-------+-----------------------------------------------+ + | OKP | 1 | Octet Key Pair | + | EC2 | 2 | Elliptic Curve Keys w/ x- and y-coordinate | + | | | pair | + | Symmetric | 4 | Symmetric Keys | + | Reserved | 0 | This value is reserved | + +-----------+-------+-----------------------------------------------+ + + Table 21: Key Type Values + + + + + + + +Schaad Standards Track [Page 72] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + +13.1. Elliptic Curve Keys + + Two different key structures are defined for elliptic curve keys. + One version uses both an x-coordinate and a y-coordinate, potentially + with point compression ('EC2'). This is the traditional EC point + representation that is used in [RFC5480]. The other version uses + only the x-coordinate as the y-coordinate is either to be recomputed + or not needed for the key agreement operation ('OKP'). + + Applications MUST check that the curve and the key type are + consistent and reject a key if they are not. + + +---------+-------+----------+------------------------------------+ + | Name | Value | Key Type | Description | + +---------+-------+----------+------------------------------------+ + | P-256 | 1 | EC2 | NIST P-256 also known as secp256r1 | + | P-384 | 2 | EC2 | NIST P-384 also known as secp384r1 | + | P-521 | 3 | EC2 | NIST P-521 also known as secp521r1 | + | X25519 | 4 | OKP | X25519 for use w/ ECDH only | + | X448 | 5 | OKP | X448 for use w/ ECDH only | + | Ed25519 | 6 | OKP | Ed25519 for use w/ EdDSA only | + | Ed448 | 7 | OKP | Ed448 for use w/ EdDSA only | + +---------+-------+----------+------------------------------------+ + + Table 22: Elliptic Curves + +13.1.1. Double Coordinate Curves + + The traditional way of sending ECs has been to send either both the + x-coordinate and y-coordinate or the x-coordinate and a sign bit for + the y-coordinate. The latter encoding has not been recommended in + the IETF due to potential IPR issues. However, for operations in + constrained environments, the ability to shrink a message by not + sending the y-coordinate is potentially useful. + + For EC keys with both coordinates, the 'kty' member is set to 2 + (EC2). The key parameters defined in this section are summarized in + Table 23. The members that are defined for this key type are: + + crv: This contains an identifier of the curve to be used with the + key. The curves defined in this document for this key type can + be found in Table 22. Other curves may be registered in the + future, and private curves can be used as well. + + x: This contains the x-coordinate for the EC point. The integer is + converted to an octet string as defined in [SEC1]. Leading zero + octets MUST be preserved. + + + + +Schaad Standards Track [Page 73] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + y: This contains either the sign bit or the value of the + y-coordinate for the EC point. When encoding the value y, the + integer is converted to an octet string (as defined in [SEC1]) + and encoded as a CBOR bstr. Leading zero octets MUST be + preserved. The compressed point encoding is also supported. + Compute the sign bit as laid out in the Elliptic-Curve-Point-to- + Octet-String Conversion function of [SEC1]. If the sign bit is + zero, then encode y as a CBOR false value; otherwise, encode y + as a CBOR true value. The encoding of the infinity point is not + supported. + + d: This contains the private key. + + For public keys, it is REQUIRED that 'crv', 'x', and 'y' be present + in the structure. For private keys, it is REQUIRED that 'crv' and + 'd' be present in the structure. For private keys, it is RECOMMENDED + that 'x' and 'y' also be present, but they can be recomputed from the + required elements and omitting them saves on space. + + +-------+------+-------+--------+-----------------------------------+ + | Key | Name | Label | CBOR | Description | + | Type | | | Type | | + +-------+------+-------+--------+-----------------------------------+ + | 2 | crv | -1 | int / | EC identifier - Taken from the | + | | | | tstr | "COSE Elliptic Curves" registry | + | 2 | x | -2 | bstr | x-coordinate | + | 2 | y | -3 | bstr / | y-coordinate | + | | | | bool | | + | 2 | d | -4 | bstr | Private key | + +-------+------+-------+--------+-----------------------------------+ + + Table 23: EC Key Parameters + +13.2. Octet Key Pair + + A new key type is defined for Octet Key Pairs (OKP). Do not assume + that keys using this type are elliptic curves. This key type could + be used for other curve types (for example, mathematics based on + hyper-elliptic surfaces). + + The key parameters defined in this section are summarized in + Table 24. The members that are defined for this key type are: + + crv: This contains an identifier of the curve to be used with the + key. The curves defined in this document for this key type can + be found in Table 22. Other curves may be registered in the + future and private curves can be used as well. + + + + +Schaad Standards Track [Page 74] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + x: This contains the x-coordinate for the EC point. The octet + string represents a little-endian encoding of x. + + d: This contains the private key. + + For public keys, it is REQUIRED that 'crv' and 'x' be present in the + structure. For private keys, it is REQUIRED that 'crv' and 'd' be + present in the structure. For private keys, it is RECOMMENDED that + 'x' also be present, but it can be recomputed from the required + elements and omitting it saves on space. + + +------+-------+-------+--------+-----------------------------------+ + | Name | Key | Label | Type | Description | + | | Type | | | | + +------+-------+-------+--------+-----------------------------------+ + | crv | 1 | -1 | int / | EC identifier - Taken from the | + | | | | tstr | "COSE Key Common Parameters" | + | | | | | registry | + | x | 1 | -2 | bstr | x-coordinate | + | d | 1 | -4 | bstr | Private key | + +------+-------+-------+--------+-----------------------------------+ + + Table 24: Octet Key Pair Parameters + +13.3. Symmetric Keys + + Occasionally it is required that a symmetric key be transported + between entities. This key structure allows for that to happen. + + For symmetric keys, the 'kty' member is set to 4 ('Symmetric'). The + member that is defined for this key type is: + + k: This contains the value of the key. + + This key structure does not have a form that contains only public + members. As it is expected that this key structure is going to be + transmitted, care must be taken that it is never transmitted + accidentally or insecurely. For symmetric keys, it is REQUIRED that + 'k' be present in the structure. + + +------+----------+-------+------+-------------+ + | Name | Key Type | Label | Type | Description | + +------+----------+-------+------+-------------+ + | k | 4 | -1 | bstr | Key Value | + +------+----------+-------+------+-------------+ + + Table 25: Symmetric Key Parameters + + + + +Schaad Standards Track [Page 75] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + +14. CBOR Encoder Restrictions + + There has been an attempt to limit the number of places where the + document needs to impose restrictions on how the CBOR Encoder needs + to work. We have managed to narrow it down to the following + restrictions: + + o The restriction applies to the encoding of the Sig_structure, the + Enc_structure, and the MAC_structure. + + o The rules for "Canonical CBOR" (Section 3.9 of RFC 7049) MUST be + used in these locations. The main rule that needs to be enforced + is that all lengths in these structures MUST be encoded such that + they are using definite lengths, and the minimum length encoding + is used. + + o Applications MUST NOT generate messages with the same label used + twice as a key in a single map. Applications MUST NOT parse and + process messages with the same label used twice as a key in a + single map. Applications can enforce the parse and process + requirement by using parsers that will fail the parse step or by + using parsers that will pass all keys to the application, and the + application can perform the check for duplicate keys. + +15. Application Profiling Considerations + + This document is designed to provide a set of security services, but + not implementation requirements for specific usage. The + interoperability requirements are provided for how each of the + individual services are used and how the algorithms are to be used + for interoperability. The requirements about which algorithms and + which services are needed are deferred to each application. + + An example of a profile can be found in [OSCOAP] where two profiles + are being developed. One is for carrying content by itself, and the + other is for carrying content in combination with CoAP headers. + + It is intended that a profile of this document be created that + defines the interoperability requirements for that specific + application. This section provides a set of guidelines and topics + that need to be considered when profiling this document. + + o Applications need to determine the set of messages defined in this + document that they will be using. The set of messages corresponds + fairly directly to the set of security services that are needed + and to the security levels needed. + + + + + +Schaad Standards Track [Page 76] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + o Applications may define new header parameters for a specific + purpose. Applications will often times select specific header + parameters to use or not to use. For example, an application + would normally state a preference for using either the IV or the + Partial IV parameter. If the Partial IV parameter is specified, + then the application would also need to define how the fixed + portion of the IV would be determined. + + o When applications use externally defined authenticated data, they + need to define how that data is encoded. This document assumes + that the data will be provided as a byte stream. More information + can be found in Section 4.3. + + o Applications need to determine the set of security algorithms that + are to be used. When selecting the algorithms to be used as the + mandatory-to-implement set, consideration should be given to + choosing different types of algorithms when two are chosen for a + specific purpose. An example of this would be choosing HMAC- + SHA512 and AES-CMAC as different MAC algorithms; the construction + is vastly different between these two algorithms. This means that + a weakening of one algorithm would be unlikely to lead to a + weakening of the other algorithms. Of course, these algorithms do + not provide the same level of security and thus may not be + comparable for the desired security functionality. + + o Applications may need to provide some type of negotiation or + discovery method if multiple algorithms or message structures are + permitted. The method can be as simple as requiring + preconfiguration of the set of algorithms to providing a discovery + method built into the protocol. S/MIME provided a number of + different ways to approach the problem that applications could + follow: + + * Advertising in the message (S/MIME capabilities) [RFC5751]. + + * Advertising in the certificate (capabilities extension) + [RFC4262]. + + * Minimum requirements for the S/MIME, which have been updated + over time [RFC2633] [RFC5751] (note that [RFC2633] has been + obsoleted by [RFC5751]). + + + + + + + + + + +Schaad Standards Track [Page 77] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + +16. IANA Considerations + +16.1. CBOR Tag Assignment + + IANA has assigned the following tags from the "CBOR Tags" registry. + The tags for COSE_Sign1, COSE_Encrypt0, and COSE_Mac0 were assigned + in the 1 to 23 value range (one byte long when encoded). The tags + for COSE_Sign, COSE_Encrypt, and COSE_Mac were assigned in the 24 to + 255 value range (two bytes long when encoded). + + The tags assigned are in Table 1. + +16.2. COSE Header Parameters Registry + + IANA has created a new registry titled "COSE Header Parameters". The + registry has been created to use the "Expert Review Required" + registration procedure [RFC8126]. Guidelines for the experts are + provided in Section 16.11. It should be noted that, in addition to + the expert review, some portions of the registry require a + specification, potentially a Standards Track RFC, be supplied as + well. + + The columns of the registry are: + + Name: The name is present to make it easier to refer to and discuss + the registration entry. The value is not used in the protocol. + Names are to be unique in the table. + + Label: This is the value used for the label. The label can be + either an integer or a string. Registration in the table is based + on the value of the label requested. Integer values between 1 and + 255 and strings of length 1 are designated as "Standards Action". + Integer values from 256 to 65535 and strings of length 2 are + designated as "Specification Required". Integer values of greater + than 65535 and strings of length greater than 2 are designated as + "Expert Review". Integer values in the range -1 to -65536 are + "delegated to the COSE Header Algorithm Parameters registry". + Integer values less than -65536 are marked as private use. + + Value Type: This contains the CBOR type for the value portion of the + label. + + Value Registry: This contains a pointer to the registry used to + contain values where the set is limited. + + Description: This contains a brief description of the header field. + + + + + +Schaad Standards Track [Page 78] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + Reference: This contains a pointer to the specification defining the + header field (where public). + + The initial contents of the registry can be found in Tables 2 and 27. + All of the entries in the "References" column of this registry point + to this document. + + Additionally, the label of 0 is to be marked as 'Reserved'. + +16.3. COSE Header Algorithm Parameters Registry + + IANA has created a new registry titled "COSE Header Algorithm + Parameters". The registry uses the "Expert Review Required" + registration procedure. Expert review guidelines are provided in + Section 16.11. + + The columns of the registry are: + + Name: The name is present to make it easier to refer to and discuss + the registration entry. The value is not used in the protocol. + + Algorithm: The algorithm(s) that this registry entry is used for. + This value is taken from the "COSE Algorithms" registry. Multiple + algorithms can be specified in this entry. For the table, the + algorithm/label pair MUST be unique. + + Label: This is the value used for the label. The label is an + integer in the range of -1 to -65536. + + Type: This contains the CBOR type for the value portion of the + label. + + Description: This contains a brief description of the header field. + + Reference: This contains a pointer to the specification defining the + header field (where public). + + The initial contents of the registry can be found in Tables 13, 14, + and 19. All of the entries in the "References" column of this + registry point to this document. + +16.4. COSE Algorithms Registry + + IANA has created a new registry titled "COSE Algorithms". The + registry has been created to use the "Expert Review Required" + registration procedure. Guidelines for the experts are provided in + + + + + +Schaad Standards Track [Page 79] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + Section 16.11. It should be noted that, in addition to the expert + review, some portions of the registry require a specification, + potentially a Standards Track RFC, be supplied as well. + + The columns of the registry are: + + Name: A value that can be used to identify an algorithm in documents + for easier comprehension. The name SHOULD be unique. However, + the 'Value' field is what is used to identify the algorithm, not + the 'name' field. + + Value: The value to be used to identify this algorithm. Algorithm + values MUST be unique. The value can be a positive integer, a + negative integer, or a string. Integer values between -256 and + 255 and strings of length 1 are designated as "Standards Action". + Integer values from -65536 to 65535 and strings of length 2 are + designated as "Specification Required". Integer values greater + than 65535 and strings of length greater than 2 are designated as + "Expert Review". Integer values less than -65536 are marked as + private use. + + Description: A short description of the algorithm. + + Reference: A document where the algorithm is defined (if publicly + available). + + Recommended: Does the IETF have a consensus recommendation to use + the algorithm? The legal values are 'Yes', 'No', and + 'Deprecated'. + + The initial contents of the registry can be found in Tables 5, 6, 7, + 8, 9, 10, 11, 15, 16, 17, 18, and 20. All of the entries in the + "References" column of this registry point to this document. All of + the entries in the "Recommended" column are set to "Yes". + + Additionally, the label of 0 is to be marked as 'Reserved'. + + NOTE: The assignment of algorithm identifiers in this document was + done so that positive numbers were used for the first layer objects + (COSE_Sign, COSE_Sign1, COSE_Encrypt, COSE_Encrypt0, COSE_Mac, and + COSE_Mac0). Negative numbers were used for second layer objects + (COSE_Signature and COSE_recipient). Expert reviewers should + consider this practice, but are not expected to be restricted by this + precedent. + + + + + + + +Schaad Standards Track [Page 80] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + +16.5. COSE Key Common Parameters Registry + + IANA has created a new registry titled "COSE Key Common Parameters". + The registry has been created to use the "Expert Review Required" + registration procedure. Guidelines for the experts are provided in + Section 16.11. It should be noted that, in addition to the expert + review, some portions of the registry require a specification, + potentially a Standards Track RFC, be supplied as well. + + The columns of the registry are: + + Name: This is a descriptive name that enables easier reference to + the item. It is not used in the encoding. + + Label: The value to be used to identify this algorithm. Key map + labels MUST be unique. The label can be a positive integer, a + negative integer, or a string. Integer values between 0 and 255 + and strings of length 1 are designated as "Standards Action". + Integer values from 256 to 65535 and strings of length 2 are + designated as "Specification Required". Integer values of greater + than 65535 and strings of length greater than 2 are designated as + "Expert Review". Integer values in the range -65536 to -1 are + "used for key parameters specific to a single algorithm delegated + to the COSE Key Type Parameters registry". Integer values less + than -65536 are marked as private use. + + CBOR Type: This field contains the CBOR type for the field. + + Value Registry: This field denotes the registry that values come + from, if one exists. + + Description: This field contains a brief description for the field. + + Reference: This contains a pointer to the public specification for + the field if one exists. + + This registry has been initially populated by the values in Table 3. + All of the entries in the "References" column of this registry point + to this document. + +16.6. COSE Key Type Parameters Registry + + IANA has created a new registry titled "COSE Key Type Parameters". + The registry has been created to use the "Expert Review Required" + registration procedure. Expert review guidelines are provided in + Section 16.11. + + + + + +Schaad Standards Track [Page 81] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + The columns of the table are: + + Key Type: This field contains a descriptive string of a key type. + This should be a value that is in the "COSE Key Common Parameters" + registry and is placed in the 'kty' field of a COSE Key structure. + + Name: This is a descriptive name that enables easier reference to + the item. It is not used in the encoding. + + Label: The label is to be unique for every value of key type. The + range of values is from -65536 to -1. Labels are expected to be + reused for different keys. + + CBOR Type: This field contains the CBOR type for the field. + + Description: This field contains a brief description for the field. + + Reference: This contains a pointer to the public specification for + the field if one exists. + + This registry has been initially populated by the values in Tables + 23, 24, and 25. All of the entries in the "References" column of + this registry point to this document. + +16.7. COSE Key Types Registry + + IANA has created a new registry titled "COSE Key Types". The + registry has been created to use the "Expert Review Required" + registration procedure. Expert review guidelines are provided in + Section 16.11. + + The columns of this table are: + + Name: This is a descriptive name that enables easier reference to + the item. The name MUST be unique. It is not used in the + encoding. + + Value: This is the value used to identify the curve. These values + MUST be unique. The value can be a positive integer, a negative + integer, or a string. + + Description: This field contains a brief description of the curve. + + References: This contains a pointer to the public specification for + the curve if one exists. + + + + + + +Schaad Standards Track [Page 82] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + This registry has been initially populated by the values in Table 21. + The specification column for all of these entries will be this + document. + +16.8. COSE Elliptic Curves Registry + + IANA has created a new registry titled "COSE Elliptic Curves". The + registry has been created to use the "Expert Review Required" + registration procedure. Guidelines for the experts are provided in + Section 16.11. It should be noted that, in addition to the expert + review, some portions of the registry require a specification, + potentially a Standards Track RFC, be supplied as well. + + The columns of the table are: + + Name: This is a descriptive name that enables easier reference to + the item. It is not used in the encoding. + + Value: This is the value used to identify the curve. These values + MUST be unique. The integer values from -256 to 255 are + designated as "Standards Action". The integer values from 256 to + 65535 and -65536 to -257 are designated as "Specification + Required". Integer values over 65535 are designated as "Expert + Review". Integer values less than -65536 are marked as private + use. + + Key Type: This designates the key type(s) that can be used with this + curve. + + Description: This field contains a brief description of the curve. + + Reference: This contains a pointer to the public specification for + the curve if one exists. + + Recommended: Does the IETF have a consensus recommendation to use + the algorithm? The legal values are 'Yes', 'No', and + 'Deprecated'. + + This registry has been initially populated by the values in Table 22. + All of the entries in the "References" column of this registry point + to this document. All of the entries in the "Recommended" column are + set to "Yes". + + + + + + + + + +Schaad Standards Track [Page 83] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + +16.9. Media Type Registrations + +16.9.1. COSE Security Message + + This section registers the 'application/cose' media type in the + "Media Types" registry. These media types are used to indicate that + the content is a COSE message. + + Type name: application + + Subtype name: cose + + Required parameters: N/A + + Optional parameters: cose-type + + Encoding considerations: binary + + Security considerations: See the Security Considerations section + of RFC 8152. + + Interoperability considerations: N/A + + Published specification: RFC 8152 + + Applications that use this media type: IoT applications sending + security content over HTTP(S) transports. + + Fragment identifier considerations: N/A + + Additional information: + + * Deprecated alias names for this type: N/A + + * Magic number(s): N/A + + * File extension(s): cbor + + * Macintosh file type code(s): N/A + + Person & email address to contact for further information: + iesg@ietf.org + + Intended usage: COMMON + + Restrictions on usage: N/A + + Author: Jim Schaad, ietf@augustcellars.com + + + +Schaad Standards Track [Page 84] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + Change Controller: IESG + + Provisional registration? No + +16.9.2. COSE Key Media Type + + This section registers the 'application/cose-key' and 'application/ + cose-key-set' media types in the "Media Types" registry. These media + types are used to indicate, respectively, that content is a COSE_Key + or COSE_KeySet object. + + The template for registering 'application/cose-key' is: + + Type name: application + + Subtype name: cose-key + + Required parameters: N/A + + Optional parameters: N/A + + Encoding considerations: binary + + Security considerations: See the Security Considerations section + of RFC 8152. + + Interoperability considerations: N/A + + Published specification: RFC 8152 + + Applications that use this media type: Distribution of COSE based + keys for IoT applications. + + Fragment identifier considerations: N/A + + Additional information: + + * Deprecated alias names for this type: N/A + + * Magic number(s): N/A + + * File extension(s): cbor + + * Macintosh file type code(s): N/A + + Person & email address to contact for further information: + iesg@ietf.org + + + + +Schaad Standards Track [Page 85] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + Intended usage: COMMON + + Restrictions on usage: N/A + + Author: Jim Schaad, ietf@augustcellars.com + + Change Controller: IESG + + Provisional registration? No + + The template for registering 'application/cose-key-set' is: + + Type name: application + + Subtype name: cose-key-set + + Required parameters: N/A + + Optional parameters: N/A + + Encoding considerations: binary + + Security considerations: See the Security Considerations section + of RFC 8152. + + Interoperability considerations: N/A + + Published specification: RFC 8152 + + Applications that use this media type: Distribution of COSE based + keys for IoT applications. + + Fragment identifier considerations: N/A + + Additional information: + + * Deprecated alias names for this type: N/A + + * Magic number(s): N/A + + * File extension(s): cbor + + * Macintosh file type code(s): N/A + + Person & email address to contact for further information: + iesg@ietf.org + + Intended usage: COMMON + + + +Schaad Standards Track [Page 86] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + Restrictions on usage: N/A + + Author: Jim Schaad, ietf@augustcellars.com + + Change Controller: IESG + + Provisional registration? No + +16.10. CoAP Content-Formats Registry + + IANA has added the following entries to the "CoAP Content-Formats" + registry. + + +--------------------------------------+----------+-----+-----------+ + | Media Type | Encoding | ID | Reference | + +--------------------------------------+----------+-----+-----------+ + | application/cose; cose-type="cose- | | 98 | [RFC8152] | + | sign" | | | | + | application/cose; cose-type="cose- | | 18 | [RFC8152] | + | sign1" | | | | + | application/cose; cose-type="cose- | | 96 | [RFC8152] | + | encrypt" | | | | + | application/cose; cose-type="cose- | | 16 | [RFC8152] | + | encrypt0" | | | | + | application/cose; cose-type="cose- | | 97 | [RFC8152] | + | mac" | | | | + | application/cose; cose-type="cose- | | 17 | [RFC8152] | + | mac0" | | | | + | application/cose-key | | 101 | [RFC8152] | + | application/cose-key-set | | 102 | [RFC8152] | + +--------------------------------------+----------+-----+-----------+ + + Table 26: CoAP Content-Formats for COSE + +16.11. Expert Review Instructions + + All of the IANA registries established in this document are defined + as expert review. This section gives some general guidelines for + what the experts should be looking for, but they are being designated + as experts for a reason, so they should be given substantial + latitude. + + Expert reviewers should take into consideration the following points: + + o Point squatting should be discouraged. Reviewers are encouraged + to get sufficient information for registration requests to ensure + that the usage is not going to duplicate one that is already + registered, and that the point is likely to be used in + + + +Schaad Standards Track [Page 87] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + deployments. The zones tagged as private use are intended for + testing purposes and closed environments; code points in other + ranges should not be assigned for testing. + + o Specifications are required for the standards track range of point + assignment. Specifications should exist for specification + required ranges, but early assignment before a specification is + available is considered to be permissible. Specifications are + needed for the first-come, first-serve range if they are expected + to be used outside of closed environments in an interoperable way. + When specifications are not provided, the description provided + needs to have sufficient information to identify what the point is + being used for. + + o Experts should take into account the expected usage of fields when + approving point assignment. The fact that there is a range for + standards track documents does not mean that a standards track + document cannot have points assigned outside of that range. The + length of the encoded value should be weighed against how many + code points of that length are left, the size of device it will be + used on, and the number of code points left that encode to that + size. + + o When algorithms are registered, vanity registrations should be + discouraged. One way to do this is to require registrations to + provide additional documentation on security analysis of the + algorithm. Another thing that should be considered is requesting + an opinion on the algorithm from the Crypto Forum Research Group + (CFRG). Algorithms that do not meet the security requirements of + the community and the messages structures should not be + registered. + +17. Security Considerations + + There are a number of security considerations that need to be taken + into account by implementers of this specification. The security + considerations that are specific to an individual algorithm are + placed next to the description of the algorithm. While some + considerations have been highlighted here, additional considerations + may be found in the documents listed in the references. + + Implementations need to protect the private key material for any + individuals. There are some cases in this document that need to be + highlighted on this issue. + + o Using the same key for two different algorithms can leak + information about the key. It is therefore recommended that keys + be restricted to a single algorithm. + + + +Schaad Standards Track [Page 88] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + o Use of 'direct' as a recipient algorithm combined with a second + recipient algorithm exposes the direct key to the second + recipient. + + o Several of the algorithms in this document have limits on the + number of times that a key can be used without leaking information + about the key. + + The use of ECDH and direct plus KDF (with no key wrap) will not + directly lead to the private key being leaked; the one way function + of the KDF will prevent that. There is, however, a different issue + that needs to be addressed. Having two recipients requires that the + CEK be shared between two recipients. The second recipient therefore + has a CEK that was derived from material that can be used for the + weak proof of origin. The second recipient could create a message + using the same CEK and send it to the first recipient; the first + recipient would, for either static-static ECDH or direct plus KDF, + make an assumption that the CEK could be used for proof of origin + even though it is from the wrong entity. If the key wrap step is + added, then no proof of origin is implied and this is not an issue. + + Although it has been mentioned before, the use of a single key for + multiple algorithms has been demonstrated in some cases to leak + information about a key, provide the opportunity for attackers to + forge integrity tags, or gain information about encrypted content. + Binding a key to a single algorithm prevents these problems. Key + creators and key consumers are strongly encouraged not only to create + new keys for each different algorithm, but to include that selection + of algorithm in any distribution of key material and strictly enforce + the matching of algorithms in the key structure to algorithms in the + message structure. In addition to checking that algorithms are + correct, the key form needs to be checked as well. Do not use an + 'EC2' key where an 'OKP' key is expected. + + Before using a key for transmission, or before acting on information + received, a trust decision on a key needs to be made. Is the data or + action something that the entity associated with the key has a right + to see or a right to request? A number of factors are associated + with this trust decision. Some of the ones that are highlighted here + are: + + o What are the permissions associated with the key owner? + + o Is the cryptographic algorithm acceptable in the current context? + + o Have the restrictions associated with the key, such as algorithm + or freshness, been checked and are they correct? + + + + +Schaad Standards Track [Page 89] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + o Is the request something that is reasonable, given the current + state of the application? + + o Have any security considerations that are part of the message been + enforced (as specified by the application or 'crit' parameter)? + + There are a large number of algorithms presented in this document + that use nonce values. For all of the nonces defined in this + document, there is some type of restriction on the nonce being a + unique value either for a key or for some other conditions. In all + of these cases, there is no known requirement on the nonce being both + unique and unpredictable; under these circumstances, it's reasonable + to use a counter for creation of the nonce. In cases where one wants + the pattern of the nonce to be unpredictable as well as unique, one + can use a key created for that purpose and encrypt the counter to + produce the nonce value. + + One area that has been starting to get exposure is doing traffic + analysis of encrypted messages based on the length of the message. + This specification does not provide for a uniform method of providing + padding as part of the message structure. An observer can + distinguish between two different strings (for example, 'YES' and + 'NO') based on the length for all of the content encryption + algorithms that are defined in this document. This means that it is + up to the applications to document how content padding is to be done + in order to prevent or discourage such analysis. (For example, the + strings could be defined as 'YES' and 'NO '.) + +18. References + +18.1. Normative References + + [AES-GCM] National Institute of Standards and Technology, + "Recommendation for Block Cipher Modes of Operation: + Galois/Counter Mode (GCM) and GMAC", NIST Special + Publication 800-38D, DOI 10.6028/NIST.SP.800-38D, November + 2007, . + + [COAP.Formats] + IANA, "Constrained RESTful Environments (CoRE) + Parameters", + . + + [DSS] National Institute of Standards and Technology, "Digital + Signature Standard (DSS)", FIPS PUB 186-4, + DOI 10.6028/NIST.FIPS.186-4, July 2013, + . + + [MAC] National Institute of Standards and Technology, "Computer + Data Authentication", FIPS PUB 113, May 1985, + . + + [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- + Hashing for Message Authentication", RFC 2104, + DOI 10.17487/RFC2104, February 1997, + . + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, + DOI 10.17487/RFC2119, March 1997, + . + + [RFC3394] Schaad, J. and R. Housley, "Advanced Encryption Standard + (AES) Key Wrap Algorithm", RFC 3394, DOI 10.17487/RFC3394, + September 2002, . + + [RFC3610] Whiting, D., Housley, R., and N. Ferguson, "Counter with + CBC-MAC (CCM)", RFC 3610, DOI 10.17487/RFC3610, September + 2003, . + + [RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand + Key Derivation Function (HKDF)", RFC 5869, + DOI 10.17487/RFC5869, May 2010, + . + + [RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic + Curve Cryptography Algorithms", RFC 6090, + DOI 10.17487/RFC6090, February 2011, + . + + [RFC6979] Pornin, T., "Deterministic Usage of the Digital Signature + Algorithm (DSA) and Elliptic Curve Digital Signature + Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August + 2013, . + + [RFC7049] Bormann, C. and P. Hoffman, "Concise Binary Object + Representation (CBOR)", RFC 7049, DOI 10.17487/RFC7049, + October 2013, . + + [RFC7539] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF + Protocols", RFC 7539, DOI 10.17487/RFC7539, May 2015, + . + + + + +Schaad Standards Track [Page 91] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + [RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves + for Security", RFC 7748, DOI 10.17487/RFC7748, January + 2016, . + + [RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital + Signature Algorithm (EdDSA)", RFC 8032, + DOI 10.17487/RFC8032, January 2017, + . + + [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC + 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, + May 2017, . + + [SEC1] Certicom Research, "SEC 1: Elliptic Curve Cryptography", + Standards for Efficient Cryptography, Version 2.0, May + 2009, . + +18.2. Informative References + + [CDDL] Vigano, C. and H. Birkholz, "CBOR data definition language + (CDDL): a notational convention to express CBOR data + structures", Work in Progress, draft-greevenbosch-appsawg- + cbor-cddl-09, March 2017. + + [OSCOAP] Selander, G., Mattsson, J., Palombini, F., and L. Seitz, + "Object Security of CoAP (OSCOAP)", Work in Progress, + draft-ietf-core-object-security-03, May 2017. + + [PVSig] Brown, D. and D. Johnson, "Formal Security Proofs for a + Signature Scheme with Partial Message Recovery", + DOI 10.1007/3-540-45353-9_11, LNCS Volume 2020, June 2000. + + [RFC2633] Ramsdell, B., Ed., "S/MIME Version 3 Message + Specification", RFC 2633, DOI 10.17487/RFC2633, June 1999, + . + + [RFC4231] Nystrom, M., "Identifiers and Test Vectors for HMAC-SHA- + 224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512", + RFC 4231, DOI 10.17487/RFC4231, December 2005, + . + + [RFC4262] Santesson, S., "X.509 Certificate Extension for Secure/ + Multipurpose Internet Mail Extensions (S/MIME) + Capabilities", RFC 4262, DOI 10.17487/RFC4262, December + 2005, . + + + + + + +Schaad Standards Track [Page 92] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + [RFC4493] Song, JH., Poovendran, R., Lee, J., and T. Iwata, "The + AES-CMAC Algorithm", RFC 4493, DOI 10.17487/RFC4493, June + 2006, . + + [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", + FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, + . + + [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated + Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008, + . + + [RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk, + "Elliptic Curve Cryptography Subject Public Key + Information", RFC 5480, DOI 10.17487/RFC5480, March 2009, + . + + [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, + RFC 5652, DOI 10.17487/RFC5652, September 2009, + . + + [RFC5751] Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet + Mail Extensions (S/MIME) Version 3.2 Message + Specification", RFC 5751, DOI 10.17487/RFC5751, January + 2010, . + + [RFC5752] Turner, S. and J. Schaad, "Multiple Signatures in + Cryptographic Message Syntax (CMS)", RFC 5752, + DOI 10.17487/RFC5752, January 2010, + . + + [RFC5990] Randall, J., Kaliski, B., Brainard, J., and S. Turner, + "Use of the RSA-KEM Key Transport Algorithm in the + Cryptographic Message Syntax (CMS)", RFC 5990, + DOI 10.17487/RFC5990, September 2010, + . + + [RFC6151] Turner, S. and L. Chen, "Updated Security Considerations + for the MD5 Message-Digest and the HMAC-MD5 Algorithms", + RFC 6151, DOI 10.17487/RFC6151, March 2011, + . + + [RFC6838] Freed, N., Klensin, J., and T. Hansen, "Media Type + Specifications and Registration Procedures", BCP 13, + RFC 6838, DOI 10.17487/RFC6838, January 2013, + . + + + + + +Schaad Standards Track [Page 93] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + [RFC7159] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data + Interchange Format", RFC 7159, DOI 10.17487/RFC7159, March + 2014, . + + [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained + Application Protocol (CoAP)", RFC 7252, + DOI 10.17487/RFC7252, June 2014, + . + + [RFC7515] Jones, M., Bradley, J., and N. Sakimura, "JSON Web + Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May + 2015, . + + [RFC7516] Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)", + RFC 7516, DOI 10.17487/RFC7516, May 2015, + . + + [RFC7517] Jones, M., "JSON Web Key (JWK)", RFC 7517, + DOI 10.17487/RFC7517, May 2015, + . + + [RFC7518] Jones, M., "JSON Web Algorithms (JWA)", RFC 7518, + DOI 10.17487/RFC7518, May 2015, + . + + [RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch, + "PKCS #1: RSA Cryptography Specifications Version 2.2", + RFC 8017, DOI 10.17487/RFC8017, November 2016, + . + + [RFC8018] Moriarty, K., Ed., Kaliski, B., and A. Rusch, "PKCS #5: + Password-Based Cryptography Specification Version 2.1", + RFC 8018, DOI 10.17487/RFC8018, January 2017, + . + + [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for + Writing an IANA Considerations Section in RFCs", BCP 26, + RFC 8126, DOI 10.17487/RFC8126, June 2017, + . + + [SP800-56A] + Barker, E., Chen, L., Roginsky, A., and M. Smid, + "Recommendation for Pair-Wise Key Establishment Schemes + Using Discrete Logarithm Cryptography", NIST Special + Publication 800-56A, Revision 2, + DOI 10.6028/NIST.SP.800-56Ar2, May 2013, + . + + + +Schaad Standards Track [Page 94] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + [W3C.WebCrypto] + Watson, M., "Web Cryptography API", W3C Recommendation, + January 2017, . + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Schaad Standards Track [Page 95] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + +Appendix A. Guidelines for External Data Authentication of Algorithms + + A portion of the working group has expressed a strong desire to relax + the rule that the algorithm identifier be required to appear in each + level of a COSE object. There are two basic reasons that have been + advanced to support this position. First, the resulting message will + be smaller if the algorithm identifier is omitted from the most + common messages in a CoAP environment. Second, there is a potential + bug that will arise if full checking is not done correctly between + the different places that an algorithm identifier could be placed + (the message itself, an application statement, the key structure that + the sender possesses, and the key structure the recipient possesses). + + This appendix lays out how such a change can be made and the details + that an application needs to specify in order to use this option. + Two different sets of details are specified: those needed to omit an + algorithm identifier and those needed to use a variant on the counter + signature attribute that contains no attributes about itself. + +A.1. Algorithm Identification + + In this section, three sets of recommendations are laid out. The + first set of recommendations apply to having an implicit algorithm + identified for a single layer of a COSE object. The second set of + recommendations apply to having multiple implicit algorithms + identified for multiple layers of a COSE object. The third set of + recommendations apply to having implicit algorithms for multiple COSE + object constructs. + + The key words from RFC 2119 are deliberately not used here. This + specification can provide recommendations, but it cannot enforce + them. + + This set of recommendations applies to the case where an application + is distributing a fixed algorithm along with the key information for + use in a single COSE object. This normally applies to the smallest + of the COSE objects, specifically COSE_Sign1, COSE_Mac0, and + COSE_Encrypt0, but could apply to the other structures as well. + + The following items should be taken into account: + + o Applications need to list the set of COSE structures that implicit + algorithms are to be used in. Applications need to require that + the receipt of an explicit algorithm identifier in one of these + structures will lead to the message being rejected. This + requirement is stated so that there will never be a case where + there is any ambiguity about the question of which algorithm + should be used, the implicit or the explicit one. This applies + + + +Schaad Standards Track [Page 96] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + even if the transported algorithm identifier is a protected + attribute. This applies even if the transported algorithm is the + same as the implicit algorithm. + + o Applications need to define the set of information that is to be + considered to be part of a context when omitting algorithm + identifiers. At a minimum, this would be the key identifier (if + needed), the key, the algorithm, and the COSE structure it is used + with. Applications should restrict the use of a single key to a + single algorithm. As noted for some of the algorithms in this + document, the use of the same key in different related algorithms + can lead to leakage of information about the key, leakage about + the data or the ability to perform forgeries. + + o In many cases, applications that make the algorithm identifier + implicit will also want to make the context identifier implicit + for the same reason. That is, omitting the context identifier + will decrease the message size (potentially significantly + depending on the length of the identifier). Applications that do + this will need to describe the circumstances where the context + identifier is to be omitted and how the context identifier is to + be inferred in these cases. (An exhaustive search over all of the + keys would normally not be considered to be acceptable.) An + example of how this can be done is to tie the context to a + transaction identifier. Both would be sent on the original + message, but only the transaction identifier would need to be sent + after that point as the context is tied into the transaction + identifier. Another way would be to associate a context with a + network address. All messages coming from a single network + address can be assumed to be associated with a specific context. + (In this case, the address would normally be distributed as part + of the context.) + + o Applications cannot rely on key identifiers being unique unless + they take significant efforts to ensure that they are computed in + such a way as to create this guarantee. Even when an application + does this, the uniqueness might be violated if the application is + run in different contexts (i.e., with a different context + provider) or if the system combines the security contexts from + different applications together into a single store. + + o Applications should continue the practice of protecting the + algorithm identifier. Since this is not done by placing it in the + protected attributes field, applications should define an + application-specific external data structure that includes this + value. This external data field can be used as such for content + encryption, MAC, and signature algorithms. It can be used in the + SuppPrivInfo field for those algorithms that use a KDF to derive a + + + +Schaad Standards Track [Page 97] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + key value. Applications may also want to protect other + information that is part of the context structure as well. It + should be noted that those fields, such as the key or a Base IV, + are protected by virtue of being used in the cryptographic + computation and do not need to be included in the external data + field. + + The second case is having multiple implicit algorithm identifiers + specified for a multiple layer COSE object. An example of how this + would work is the encryption context that an application specifies, + which contains a content encryption algorithm, a key wrap algorithm, + a key identifier, and a shared secret. The sender omits sending the + algorithm identifier for both the content layer and the recipient + layer leaving only the key identifier. The receiver then uses the + key identifier to get the implicit algorithm identifiers. + + The following additional items need to be taken into consideration: + + o Applications that want to support this will need to define a + structure that allows for, and clearly identifies, both the COSE + structure to be used with a given key and the structure and + algorithm to be used for the secondary layer. The key for the + secondary layer is computed as normal from the recipient layer. + + The third case is having multiple implicit algorithm identifiers, but + targeted at potentially unrelated layers or different COSE objects. + There are a number of different scenarios where this might be + applicable. Some of these scenarios are: + + o Two contexts are distributed as a pair. Each of the contexts is + for use with a COSE_Encrypt message. Each context will consist of + distinct secret keys and IVs and potentially even different + algorithms. One context is for sending messages from party A to + party B, and the second context is for sending messages from party + B to party A. This means that there is no chance for a reflection + attack to occur as each party uses different secret keys to send + its messages; a message that is reflected back to it would fail to + decrypt. + + o Two contexts are distributed as a pair. The first context is used + for encryption of the message, and the second context is used to + place a counter signature on the message. The intention is that + the second context can be distributed to other entities + independently of the first context. This allows these entities to + validate that the message came from an individual without being + able to decrypt the message and see the content. + + + + + +Schaad Standards Track [Page 98] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + o Two contexts are distributed as a pair. The first context + contains a key for dealing with MACed messages, and the second + context contains a key for dealing with encrypted messages. This + allows for a unified distribution of keys to participants for + different types of messages that have different keys, but where + the keys may be used in a coordinated manner. + + For these cases, the following additional items need to be + considered: + + o Applications need to ensure that the multiple contexts stay + associated. If one of the contexts is invalidated for any reason, + all of the contexts associated with it should also be invalidated. + +A.2. Counter Signature without Headers + + There is a group of people who want to have a counter signature + parameter that is directly tied to the value being signed, and thus + the authenticated and unauthenticated buckets can be removed from the + message being sent. The focus on this is an even smaller size, as + all of the information on the process of creating the counter + signature is implicit rather than being explicitly carried in the + message. This includes not only the algorithm identifier as + presented above, but also items such as the key identification, which + is always external to the signature structure. This means that the + entities that are doing the validation of the counter signature are + required to infer which key is to be used from context rather than + being explicit. One way of doing this would be to presume that all + data coming from a specific port (or to a specific URL) is to be + validated by a specific key. (Note that this does not require that + the key identifier be part of the value signed as it does not serve a + cryptographic purpose. If the key validates the counter signature, + then it should be presumed that the entity associated with that key + produced the signature.) + + When computing the signature for the bare counter signature header, + the same Sig_structure defined in Section 4.4 is used. The + sign_protected field is omitted, as there is no protected header + field in this counter signature header. The value of + "CounterSignature0" is placed in the context field of the + Sig_stucture. + + + + + + + + + + +Schaad Standards Track [Page 99] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + +-------------------+-------+-------+-------+-----------------------+ + | Name | Label | Value | Value | Description | + | | | Type | | | + +-------------------+-------+-------+-------+-----------------------+ + | CounterSignature0 | 9 | bstr | | Counter signature | + | | | | | with implied signer | + | | | | | and headers | + +-------------------+-------+-------+-------+-----------------------+ + + Table 27: Header Parameter for CounterSignature0 + +Appendix B. Two Layers of Recipient Information + + All of the currently defined recipient algorithm classes only use two + layers of the COSE_Encrypt structure. The first layer is the message + content, and the second layer is the content key encryption. + However, if one uses a recipient algorithm such as the RSA Key + Encapsulation Mechanism (RSA-KEM) (see Appendix A of RSA-KEM + [RFC5990]), then it makes sense to have three layers of the + COSE_Encrypt structure. + + These layers would be: + + o Layer 0: The content encryption layer. This layer contains the + payload of the message. + + o Layer 1: The encryption of the CEK by a KEK. + + o Layer 2: The encryption of a long random secret using an RSA key + and a key derivation function to convert that secret into the KEK. + + This is an example of what a triple layer message would look like. + The message has the following layers: + + o Layer 0: Has a content encrypted with AES-GCM using a 128-bit key. + + o Layer 1: Uses the AES Key Wrap algorithm with a 128-bit key. + + o Layer 2: Uses ECDH Ephemeral-Static direct to generate the layer 1 + key. + + + + + + + + + + + +Schaad Standards Track [Page 100] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + In effect, this example is a decomposed version of using the + ECDH-ES+A128KW algorithm. + + Size of binary file is 183 bytes + + 96( + [ + / protected / h'a10101' / { + \ alg \ 1:1 \ AES-GCM 128 \ + } / , + / unprotected / { + / iv / 5:h'02d1f7e6f26c43d4868d87ce' + }, + / ciphertext / h'64f84d913ba60a76070a9a48f26e97e863e2852948658f0 + 811139868826e89218a75715b', + / recipients / [ + [ + / protected / h'', + / unprotected / { + / alg / 1:-3 / A128KW / + }, + / ciphertext / h'dbd43c4e9d719c27c6275c67d628d493f090593db82 + 18f11', + / recipients / [ + [ + / protected / h'a1013818' / { + \ alg \ 1:-25 \ ECDH-ES + HKDF-256 \ + } / , + / unprotected / { + / ephemeral / -1:{ + / kty / 1:2, + / crv / -1:1, + / x / -2:h'b2add44368ea6d641f9ca9af308b4079aeb519f11 + e9b8a55a600b21233e86e68', + / y / -3:false + }, + / kid / 4:'meriadoc.brandybuck@buckland.example' + }, + / ciphertext / h'' + ] + ] + ] + ] + ] + ) + + + + + + +Schaad Standards Track [Page 101] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + +Appendix C. Examples + + This appendix includes a set of examples that show the different + features and message types that have been defined in this document. + To make the examples easier to read, they are presented using the + extended CBOR diagnostic notation (defined in [CDDL]) rather than as + a binary dump. + + A GitHub project has been created at that contains not only the examples presented in this + document, but a more complete set of testing examples as well. Each + example is found in a JSON file that contains the inputs used to + create the example, some of the intermediate values that can be used + in debugging the example and the output of the example presented in + both a hex and a CBOR diagnostic notation format. Some of the + examples at the site are designed failure testing cases; these are + clearly marked as such in the JSON file. If errors in the examples + in this document are found, the examples on GitHub will be updated, + and a note to that effect will be placed in the JSON file. + + As noted, the examples are presented using the CBOR's diagnostic + notation. A Ruby-based tool exists that can convert between the + diagnostic notation and binary. This tool can be installed with the + command line: + + gem install cbor-diag + + The diagnostic notation can be converted into binary files using the + following command line: + + diag2cbor.rb < inputfile > outputfile + + The examples can be extracted from the XML version of this document + via an XPath expression as all of the artwork is tagged with the + attribute type='CBORdiag'. (Depending on the XPath evaluator one is + using, it may be necessary to deal with > as an entity.) + + //artwork[@type='CDDL']/text() + + + + + + + + + + + + + +Schaad Standards Track [Page 102] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + +C.1. Examples of Signed Messages + +C.1.1. Single Signature + + This example uses the following: + + o Signature Algorithm: ECDSA w/ SHA-256, Curve P-256 + + Size of binary file is 103 bytes + + 98( + [ + / protected / h'', + / unprotected / {}, + / payload / 'This is the content.', + / signatures / [ + [ + / protected / h'a10126' / { + \ alg \ 1:-7 \ ECDSA 256 \ + } / , + / unprotected / { + / kid / 4:'11' + }, + / signature / h'e2aeafd40d69d19dfe6e52077c5d7ff4e408282cbefb + 5d06cbf414af2e19d982ac45ac98b8544c908b4507de1e90b717c3d34816fe926a2b + 98f53afd2fa0f30a' + ] + ] + ] + ) + +C.1.2. Multiple Signers + + This example uses the following: + + o Signature Algorithm: ECDSA w/ SHA-256, Curve P-256 + + o Signature Algorithm: ECDSA w/ SHA-512, Curve P-521 + + + + + + + + + + + + + +Schaad Standards Track [Page 103] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + Size of binary file is 277 bytes + + 98( + [ + / protected / h'', + / unprotected / {}, + / payload / 'This is the content.', + / signatures / [ + [ + / protected / h'a10126' / { + \ alg \ 1:-7 \ ECDSA 256 \ + } / , + / unprotected / { + / kid / 4:'11' + }, + / signature / h'e2aeafd40d69d19dfe6e52077c5d7ff4e408282cbefb + 5d06cbf414af2e19d982ac45ac98b8544c908b4507de1e90b717c3d34816fe926a2b + 98f53afd2fa0f30a' + ], + [ + / protected / h'a1013823' / { + \ alg \ 1:-36 + } / , + / unprotected / { + / kid / 4:'bilbo.baggins@hobbiton.example' + }, + / signature / h'00a2d28a7c2bdb1587877420f65adf7d0b9a06635dd1 + de64bb62974c863f0b160dd2163734034e6ac003b01e8705524c5c4ca479a952f024 + 7ee8cb0b4fb7397ba08d009e0c8bf482270cc5771aa143966e5a469a09f613488030 + c5b07ec6d722e3835adb5b2d8c44e95ffb13877dd2582866883535de3bb03d01753f + 83ab87bb4f7a0297' + ] + ] + ] + ) + +C.1.3. Counter Signature + + This example uses the following: + + o Signature Algorithm: ECDSA w/ SHA-256, Curve P-256 + + o The same parameters are used for both the signature and the + counter signature. + + + + + + + +Schaad Standards Track [Page 104] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + Size of binary file is 180 bytes + + 98( + [ + / protected / h'', + / unprotected / { + / countersign / 7:[ + / protected / h'a10126' / { + \ alg \ 1:-7 \ ECDSA 256 \ + } / , + / unprotected / { + / kid / 4:'11' + }, + / signature / h'5ac05e289d5d0e1b0a7f048a5d2b643813ded50bc9e4 + 9220f4f7278f85f19d4a77d655c9d3b51e805a74b099e1e085aacd97fc29d72f887e + 8802bb6650cceb2c' + ] + }, + / payload / 'This is the content.', + / signatures / [ + [ + / protected / h'a10126' / { + \ alg \ 1:-7 \ ECDSA 256 \ + } / , + / unprotected / { + / kid / 4:'11' + }, + / signature / h'e2aeafd40d69d19dfe6e52077c5d7ff4e408282cbefb + 5d06cbf414af2e19d982ac45ac98b8544c908b4507de1e90b717c3d34816fe926a2b + 98f53afd2fa0f30a' + ] + ] + ] + ) + +C.1.4. Signature with Criticality + + This example uses the following: + + o Signature Algorithm: ECDSA w/ SHA-256, Curve P-256 + + o There is a criticality marker on the "reserved" header parameter + + + + + + + + + +Schaad Standards Track [Page 105] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + Size of binary file is 125 bytes + + 98( + [ + / protected / h'a2687265736572766564f40281687265736572766564' / + { + "reserved":false, + \ crit \ 2:[ + "reserved" + ] + } / , + / unprotected / {}, + / payload / 'This is the content.', + / signatures / [ + [ + / protected / h'a10126' / { + \ alg \ 1:-7 \ ECDSA 256 \ + } / , + / unprotected / { + / kid / 4:'11' + }, + / signature / h'3fc54702aa56e1b2cb20284294c9106a63f91bac658d + 69351210a031d8fc7c5ff3e4be39445b1a3e83e1510d1aca2f2e8a7c081c7645042b + 18aba9d1fad1bd9c' + ] + ] + ] + ) + +C.2. Single Signer Examples + +C.2.1. Single ECDSA Signature + + This example uses the following: + + o Signature Algorithm: ECDSA w/ SHA-256, Curve P-256 + + + + + + + + + + + + + + + +Schaad Standards Track [Page 106] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + Size of binary file is 98 bytes + + 18( + [ + / protected / h'a10126' / { + \ alg \ 1:-7 \ ECDSA 256 \ + } / , + / unprotected / { + / kid / 4:'11' + }, + / payload / 'This is the content.', + / signature / h'8eb33e4ca31d1c465ab05aac34cc6b23d58fef5c083106c4 + d25a91aef0b0117e2af9a291aa32e14ab834dc56ed2a223444547e01f11d3b0916e5 + a4c345cacb36' + ] + ) + +C.3. Examples of Enveloped Messages + +C.3.1. Direct ECDH + + This example uses the following: + + o CEK: AES-GCM w/ 128-bit key + + o Recipient class: ECDH Ephemeral-Static, Curve P-256 + + + + + + + + + + + + + + + + + + + + + + + + + +Schaad Standards Track [Page 107] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + Size of binary file is 151 bytes + + 96( + [ + / protected / h'a10101' / { + \ alg \ 1:1 \ AES-GCM 128 \ + } / , + / unprotected / { + / iv / 5:h'c9cf4df2fe6c632bf7886413' + }, + / ciphertext / h'7adbe2709ca818fb415f1e5df66f4e1a51053ba6d65a1a0 + c52a357da7a644b8070a151b0', + / recipients / [ + [ + / protected / h'a1013818' / { + \ alg \ 1:-25 \ ECDH-ES + HKDF-256 \ + } / , + / unprotected / { + / ephemeral / -1:{ + / kty / 1:2, + / crv / -1:1, + / x / -2:h'98f50a4ff6c05861c8860d13a638ea56c3f5ad7590bbf + bf054e1c7b4d91d6280', + / y / -3:true + }, + / kid / 4:'meriadoc.brandybuck@buckland.example' + }, + / ciphertext / h'' + ] + ] + ] + ) + +C.3.2. Direct Plus Key Derivation + + This example uses the following: + + o CEK: AES-CCM w/ 128-bit key, truncate the tag to 64 bits + + o Recipient class: Use HKDF on a shared secret with the following + implicit fields as part of the context. + + * salt: "aabbccddeeffgghh" + + * PartyU identity: "lighting-client" + + * PartyV identity: "lighting-server" + + + + +Schaad Standards Track [Page 108] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + * Supplementary Public Other: "Encryption Example 02" + + Size of binary file is 91 bytes + + 96( + [ + / protected / h'a1010a' / { + \ alg \ 1:10 \ AES-CCM-16-64-128 \ + } / , + / unprotected / { + / iv / 5:h'89f52f65a1c580933b5261a76c' + }, + / ciphertext / h'753548a19b1307084ca7b2056924ed95f2e3b17006dfe93 + 1b687b847', + / recipients / [ + [ + / protected / h'a10129' / { + \ alg \ 1:-10 + } / , + / unprotected / { + / salt / -20:'aabbccddeeffgghh', + / kid / 4:'our-secret' + }, + / ciphertext / h'' + ] + ] + ] + ) + +C.3.3. Counter Signature on Encrypted Content + + This example uses the following: + + o CEK: AES-GCM w/ 128-bit key + + o Recipient class: ECDH Ephemeral-Static, Curve P-256 + + + + + + + + + + + + + + + +Schaad Standards Track [Page 109] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + Size of binary file is 326 bytes + + 96( + [ + / protected / h'a10101' / { + \ alg \ 1:1 \ AES-GCM 128 \ + } / , + / unprotected / { + / iv / 5:h'c9cf4df2fe6c632bf7886413', + / countersign / 7:[ + / protected / h'a1013823' / { + \ alg \ 1:-36 + } / , + / unprotected / { + / kid / 4:'bilbo.baggins@hobbiton.example' + }, + / signature / h'00929663c8789bb28177ae28467e66377da12302d7f9 + 594d2999afa5dfa531294f8896f2b6cdf1740014f4c7f1a358e3a6cf57f4ed6fb02f + cf8f7aa989f5dfd07f0700a3a7d8f3c604ba70fa9411bd10c2591b483e1d2c31de00 + 3183e434d8fba18f17a4c7e3dfa003ac1cf3d30d44d2533c4989d3ac38c38b71481c + c3430c9d65e7ddff' + ] + }, + / ciphertext / h'7adbe2709ca818fb415f1e5df66f4e1a51053ba6d65a1a0 + c52a357da7a644b8070a151b0', + / recipients / [ + [ + / protected / h'a1013818' / { + \ alg \ 1:-25 \ ECDH-ES + HKDF-256 \ + } / , + / unprotected / { + / ephemeral / -1:{ + / kty / 1:2, + / crv / -1:1, + / x / -2:h'98f50a4ff6c05861c8860d13a638ea56c3f5ad7590bbf + bf054e1c7b4d91d6280', + / y / -3:true + }, + / kid / 4:'meriadoc.brandybuck@buckland.example' + }, + / ciphertext / h'' + ] + ] + ] + ) + + + + + + +Schaad Standards Track [Page 110] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + +C.3.4. Encrypted Content with External Data + + This example uses the following: + + o CEK: AES-GCM w/ 128-bit key + + o Recipient class: ECDH static-Static, Curve P-256 with AES Key Wrap + + o Externally Supplied AAD: h'0011bbcc22dd44ee55ff660077' + + Size of binary file is 173 bytes + + 96( + [ + / protected / h'a10101' / { + \ alg \ 1:1 \ AES-GCM 128 \ + } / , + / unprotected / { + / iv / 5:h'02d1f7e6f26c43d4868d87ce' + }, + / ciphertext / h'64f84d913ba60a76070a9a48f26e97e863e28529d8f5335 + e5f0165eee976b4a5f6c6f09d', + / recipients / [ + [ + / protected / h'a101381f' / { + \ alg \ 1:-32 \ ECHD-SS+A128KW \ + } / , + / unprotected / { + / static kid / -3:'peregrin.took@tuckborough.example', + / kid / 4:'meriadoc.brandybuck@buckland.example', + / U nonce / -22:h'0101' + }, + / ciphertext / h'41e0d76f579dbd0d936a662d54d8582037de2e366fd + e1c62' + ] + ] + ] + ) + +C.4. Examples of Encrypted Messages + +C.4.1. Simple Encrypted Message + + This example uses the following: + + o CEK: AES-CCM w/ 128-bit key and a 64-bit tag + + + + + +Schaad Standards Track [Page 111] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + Size of binary file is 52 bytes + + 16( + [ + / protected / h'a1010a' / { + \ alg \ 1:10 \ AES-CCM-16-64-128 \ + } / , + / unprotected / { + / iv / 5:h'89f52f65a1c580933b5261a78c' + }, + / ciphertext / h'5974e1b99a3a4cc09a659aa2e9e7fff161d38ce71cb45ce + 460ffb569' + ] + ) + +C.4.2. Encrypted Message with a Partial IV + + This example uses the following: + + o CEK: AES-CCM w/ 128-bit key and a 64-bit tag + + o Prefix for IV is 89F52F65A1C580933B52 + + Size of binary file is 41 bytes + + 16( + [ + / protected / h'a1010a' / { + \ alg \ 1:10 \ AES-CCM-16-64-128 \ + } / , + / unprotected / { + / partial iv / 6:h'61a7' + }, + / ciphertext / h'252a8911d465c125b6764739700f0141ed09192de139e05 + 3bd09abca' + ] + ) + +C.5. Examples of MACed Messages + +C.5.1. Shared Secret Direct MAC + + This example uses the following: + + o MAC: AES-CMAC, 256-bit key, truncated to 64 bits + + o Recipient class: direct shared secret + + + + +Schaad Standards Track [Page 112] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + Size of binary file is 57 bytes + + 97( + [ + / protected / h'a1010f' / { + \ alg \ 1:15 \ AES-CBC-MAC-256//64 \ + } / , + / unprotected / {}, + / payload / 'This is the content.', + / tag / h'9e1226ba1f81b848', + / recipients / [ + [ + / protected / h'', + / unprotected / { + / alg / 1:-6 / direct /, + / kid / 4:'our-secret' + }, + / ciphertext / h'' + ] + ] + ] + ) + +C.5.2. ECDH Direct MAC + + This example uses the following: + + o MAC: HMAC w/SHA-256, 256-bit key + + o Recipient class: ECDH key agreement, two static keys, HKDF w/ + context structure + + + + + + + + + + + + + + + + + + + + +Schaad Standards Track [Page 113] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + Size of binary file is 214 bytes + + 97( + [ + / protected / h'a10105' / { + \ alg \ 1:5 \ HMAC 256//256 \ + } / , + / unprotected / {}, + / payload / 'This is the content.', + / tag / h'81a03448acd3d305376eaa11fb3fe416a955be2cbe7ec96f012c99 + 4bc3f16a41', + / recipients / [ + [ + / protected / h'a101381a' / { + \ alg \ 1:-27 \ ECDH-SS + HKDF-256 \ + } / , + / unprotected / { + / static kid / -3:'peregrin.took@tuckborough.example', + / kid / 4:'meriadoc.brandybuck@buckland.example', + / U nonce / -22:h'4d8553e7e74f3c6a3a9dd3ef286a8195cbf8a23d + 19558ccfec7d34b824f42d92bd06bd2c7f0271f0214e141fb779ae2856abf585a583 + 68b017e7f2a9e5ce4db5' + }, + / ciphertext / h'' + ] + ] + ] + ) + +C.5.3. Wrapped MAC + + This example uses the following: + + o MAC: AES-MAC, 128-bit key, truncated to 64 bits + + o Recipient class: AES Key Wrap w/ a pre-shared 256-bit key + + + + + + + + + + + + + + + +Schaad Standards Track [Page 114] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + Size of binary file is 109 bytes + + 97( + [ + / protected / h'a1010e' / { + \ alg \ 1:14 \ AES-CBC-MAC-128//64 \ + } / , + / unprotected / {}, + / payload / 'This is the content.', + / tag / h'36f5afaf0bab5d43', + / recipients / [ + [ + / protected / h'', + / unprotected / { + / alg / 1:-5 / A256KW /, + / kid / 4:'018c0ae5-4d9b-471b-bfd6-eef314bc7037' + }, + / ciphertext / h'711ab0dc2fc4585dce27effa6781c8093eba906f227 + b6eb0' + ] + ] + ] + ) + +C.5.4. Multi-Recipient MACed Message + + This example uses the following: + + o MAC: HMAC w/ SHA-256, 128-bit key + + o Recipient class: Uses three different methods + + 1. ECDH Ephemeral-Static, Curve P-521, AES Key Wrap w/ 128-bit + key + + 2. AES Key Wrap w/ 256-bit key + + + + + + + + + + + + + + + +Schaad Standards Track [Page 115] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + Size of binary file is 309 bytes + + 97( + [ + / protected / h'a10105' / { + \ alg \ 1:5 \ HMAC 256//256 \ + } / , + / unprotected / {}, + / payload / 'This is the content.', + / tag / h'bf48235e809b5c42e995f2b7d5fa13620e7ed834e337f6aa43df16 + 1e49e9323e', + / recipients / [ + [ + / protected / h'a101381c' / { + \ alg \ 1:-29 \ ECHD-ES+A128KW \ + } / , + / unprotected / { + / ephemeral / -1:{ + / kty / 1:2, + / crv / -1:3, + / x / -2:h'0043b12669acac3fd27898ffba0bcd2e6c366d53bc4db + 71f909a759304acfb5e18cdc7ba0b13ff8c7636271a6924b1ac63c02688075b55ef2 + d613574e7dc242f79c3', + / y / -3:true + }, + / kid / 4:'bilbo.baggins@hobbiton.example' + }, + / ciphertext / h'339bc4f79984cdc6b3e6ce5f315a4c7d2b0ac466fce + a69e8c07dfbca5bb1f661bc5f8e0df9e3eff5' + ], + [ + / protected / h'', + / unprotected / { + / alg / 1:-5 / A256KW /, + / kid / 4:'018c0ae5-4d9b-471b-bfd6-eef314bc7037' + }, + / ciphertext / h'0b2c7cfce04e98276342d6476a7723c090dfdd15f9a + 518e7736549e998370695e6d6a83b4ae507bb' + ] + ] + ] + ) + + + + + + + + + +Schaad Standards Track [Page 116] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + +C.6. Examples of MAC0 Messages + +C.6.1. Shared Secret Direct MAC + + This example uses the following: + + o MAC: AES-CMAC, 256-bit key, truncated to 64 bits + + o Recipient class: direct shared secret + + Size of binary file is 37 bytes + + 17( + [ + / protected / h'a1010f' / { + \ alg \ 1:15 \ AES-CBC-MAC-256//64 \ + } / , + / unprotected / {}, + / payload / 'This is the content.', + / tag / h'726043745027214f' + ] + ) + + Note that this example uses the same inputs as Appendix C.5.1. + +C.7. COSE Keys + +C.7.1. Public Keys + + This is an example of a COSE Key Set. This example includes the + public keys for all of the previous examples. + + In order the keys are: + + o An EC key with a kid of "meriadoc.brandybuck@buckland.example" + + o An EC key with a kid of "peregrin.took@tuckborough.example" + + o An EC key with a kid of "bilbo.baggins@hobbiton.example" + + o An EC key with a kid of "11" + + + + + + + + + + +Schaad Standards Track [Page 117] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + Size of binary file is 481 bytes + + [ + { + -1:1, + -2:h'65eda5a12577c2bae829437fe338701a10aaa375e1bb5b5de108de439c0 + 8551d', + -3:h'1e52ed75701163f7f9e40ddf9f341b3dc9ba860af7e0ca7ca7e9eecd008 + 4d19c', + 1:2, + 2:'meriadoc.brandybuck@buckland.example' + }, + { + -1:1, + -2:h'bac5b11cad8f99f9c72b05cf4b9e26d244dc189f745228255a219a86d6a + 09eff', + -3:h'20138bf82dc1b6d562be0fa54ab7804a3a64b6d72ccfed6b6fb6ed28bbf + c117e', + 1:2, + 2:'11' + }, + { + -1:3, + -2:h'0072992cb3ac08ecf3e5c63dedec0d51a8c1f79ef2f82f94f3c737bf5de + 7986671eac625fe8257bbd0394644caaa3aaf8f27a4585fbbcad0f2457620085e5c8 + f42ad', + -3:h'01dca6947bce88bc5790485ac97427342bc35f887d86d65a089377e247e + 60baa55e4e8501e2ada5724ac51d6909008033ebc10ac999b9d7f5cc2519f3fe1ea1 + d9475', + 1:2, + 2:'bilbo.baggins@hobbiton.example' + }, + { + -1:1, + -2:h'98f50a4ff6c05861c8860d13a638ea56c3f5ad7590bbfbf054e1c7b4d91 + d6280', + -3:h'f01400b089867804b8e9fc96c3932161f1934f4223069170d924b7e03bf + 822bb', + 1:2, + 2:'peregrin.took@tuckborough.example' + } + ] + + + + + + + + + +Schaad Standards Track [Page 118] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + +C.7.2. Private Keys + + This is an example of a COSE Key Set. This example includes the + private keys for all of the previous examples. + + In order the keys are: + + o An EC key with a kid of "meriadoc.brandybuck@buckland.example" + + o A shared-secret key with a kid of "our-secret" + + o An EC key with a kid of "peregrin.took@tuckborough.example" + + o A shared-secret key with a kid of "018c0ae5-4d9b-471b- + bfd6-eef314bc7037" + + o An EC key with a kid of "bilbo.baggins@hobbiton.example" + + o An EC key with a kid of "11" + + Size of binary file is 816 bytes + + [ + { + 1:2, + 2:'meriadoc.brandybuck@buckland.example', + -1:1, + -2:h'65eda5a12577c2bae829437fe338701a10aaa375e1bb5b5de108de439c0 + 8551d', + -3:h'1e52ed75701163f7f9e40ddf9f341b3dc9ba860af7e0ca7ca7e9eecd008 + 4d19c', + -4:h'aff907c99f9ad3aae6c4cdf21122bce2bd68b5283e6907154ad911840fa + 208cf' + }, + { + 1:2, + 2:'11', + -1:1, + -2:h'bac5b11cad8f99f9c72b05cf4b9e26d244dc189f745228255a219a86d6a + 09eff', + -3:h'20138bf82dc1b6d562be0fa54ab7804a3a64b6d72ccfed6b6fb6ed28bbf + c117e', + -4:h'57c92077664146e876760c9520d054aa93c3afb04e306705db609030850 + 7b4d3' + }, + { + 1:2, + 2:'bilbo.baggins@hobbiton.example', + + + +Schaad Standards Track [Page 119] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + + -1:3, + -2:h'0072992cb3ac08ecf3e5c63dedec0d51a8c1f79ef2f82f94f3c737bf5de + 7986671eac625fe8257bbd0394644caaa3aaf8f27a4585fbbcad0f2457620085e5c8 + f42ad', + -3:h'01dca6947bce88bc5790485ac97427342bc35f887d86d65a089377e247e + 60baa55e4e8501e2ada5724ac51d6909008033ebc10ac999b9d7f5cc2519f3fe1ea1 + d9475', + -4:h'00085138ddabf5ca975f5860f91a08e91d6d5f9a76ad4018766a476680b + 55cd339e8ab6c72b5facdb2a2a50ac25bd086647dd3e2e6e99e84ca2c3609fdf177f + eb26d' + }, + { + 1:4, + 2:'our-secret', + -1:h'849b57219dae48de646d07dbb533566e976686457c1491be3a76dcea6c4 + 27188' + }, + { + 1:2, + -1:1, + 2:'peregrin.took@tuckborough.example', + -2:h'98f50a4ff6c05861c8860d13a638ea56c3f5ad7590bbfbf054e1c7b4d91 + d6280', + -3:h'f01400b089867804b8e9fc96c3932161f1934f4223069170d924b7e03bf + 822bb', + -4:h'02d1f7e6f26c43d4868d87ceb2353161740aacf1f7163647984b522a848 + df1c3' + }, + { + 1:4, + 2:'our-secret2', + -1:h'849b5786457c1491be3a76dcea6c4271' + }, + { + 1:4, + 2:'018c0ae5-4d9b-471b-bfd6-eef314bc7037', + -1:h'849b57219dae48de646d07dbb533566e976686457c1491be3a76dcea6c4 + 27188' + } + ] + + + + + + + + + + + +Schaad Standards Track [Page 120] + +RFC 8152 CBOR Object Signing and Encryption (COSE) July 2017 + + +Acknowledgments + + This document is a product of the COSE working group of the IETF. + + The following individuals are to blame for getting me started on this + project in the first place: Richard Barnes, Matt Miller, and Martin + Thomson. + + The initial version of the specification was based to some degree on + the outputs of the JOSE and S/MIME working groups. + + The following individuals provided input into the final form of the + document: Carsten Bormann, John Bradley, Brain Campbell, Michael B. + Jones, Ilari Liusvaara, Francesca Palombini, Ludwig Seitz, and Goran + Selander. + +Author's Address + + Jim Schaad + August Cellars + + Email: ietf@augustcellars.com + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Schaad Standards Track [Page 121] + -- cgit v1.2.3