rfc9053.original | rfc9053.txt | |||
---|---|---|---|---|
COSE Working Group J. Schaad | Internet Engineering Task Force (IETF) J. Schaad | |||
Internet-Draft August Cellars | Request for Comments: 9053 August Cellars | |||
Obsoletes: 8152 (if approved) 24 September 2020 | Obsoletes: 8152 July 2021 | |||
Intended status: Informational | Category: Informational | |||
Expires: 28 March 2021 | ISSN: 2070-1721 | |||
CBOR Object Signing and Encryption (COSE): Initial Algorithms | CBOR Object Signing and Encryption (COSE): Initial Algorithms | |||
draft-ietf-cose-rfc8152bis-algs-12 | ||||
Abstract | Abstract | |||
Concise Binary Object Representation (CBOR) is a data format designed | Concise Binary Object Representation (CBOR) is a data format designed | |||
for small code size and small message size. There is a need for the | for small code size and small message size. There is a need to be | |||
ability to have basic security services defined for this data format. | able to define basic security services for this data format. This | |||
THis document defines a set of algorithms that can be used with the | document defines a set of algorithms that can be used with the CBOR | |||
CBOR Object Signing and Encryption (COSE) protocol RFC XXXX. | Object Signing and Encryption (COSE) protocol (RFC 9052). | |||
Contributing to this document | ||||
This note is to be removed before publishing as an RFC. | ||||
The source for this draft is being maintained in GitHub. Suggested | ||||
changes should be submitted as pull requests at https://github.com/ | ||||
cose-wg/cose-rfc8152bis. Instructions are on that page as well. | ||||
Editorial changes can be managed in GitHub, but any substantial | ||||
issues need to be discussed on the COSE mailing list. | ||||
Status of This Memo | Status of This Memo | |||
This Internet-Draft is submitted in full conformance with the | This document is not an Internet Standards Track specification; it is | |||
provisions of BCP 78 and BCP 79. | published for informational purposes. | |||
Internet-Drafts are working documents of the Internet Engineering | ||||
Task Force (IETF). Note that other groups may also distribute | ||||
working documents as Internet-Drafts. The list of current Internet- | ||||
Drafts is at https://datatracker.ietf.org/drafts/current/. | ||||
Internet-Drafts are draft documents valid for a maximum of six months | This document is a product of the Internet Engineering Task Force | |||
and may be updated, replaced, or obsoleted by other documents at any | (IETF). It represents the consensus of the IETF community. It has | |||
time. It is inappropriate to use Internet-Drafts as reference | received public review and has been approved for publication by the | |||
material or to cite them other than as "work in progress." | Internet Engineering Steering Group (IESG). Not all documents | |||
approved by the IESG are candidates for any level of Internet | ||||
Standard; see Section 2 of RFC 7841. | ||||
This Internet-Draft will expire on 28 March 2021. | Information about the current status of this document, any errata, | |||
and how to provide feedback on it may be obtained at | ||||
https://www.rfc-editor.org/info/rfc9053. | ||||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents | |||
license-info) in effect on the date of publication of this document. | (https://trustee.ietf.org/license-info) in effect on the date of | |||
Please review these documents carefully, as they describe your rights | publication of this document. Please review these documents | |||
and restrictions with respect to this document. Code Components | carefully, as they describe your rights and restrictions with respect | |||
extracted from this document must include Simplified BSD License text | to this document. Code Components extracted from this document must | |||
as described in Section 4.e of the Trust Legal Provisions and are | include Simplified BSD License text as described in Section 4.e of | |||
provided without warranty as described in the Simplified BSD License. | the Trust Legal Provisions and are provided without warranty as | |||
described in the Simplified BSD License. | ||||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction | |||
1.1. Requirements Terminology . . . . . . . . . . . . . . . . 4 | 1.1. Requirements Terminology | |||
1.2. Changes from RFC8152 . . . . . . . . . . . . . . . . . . 4 | 1.2. Changes from RFC 8152 | |||
1.3. Document Terminology . . . . . . . . . . . . . . . . . . 4 | 1.3. Document Terminology | |||
1.4. CBOR Grammar . . . . . . . . . . . . . . . . . . . . . . 5 | 1.4. CBOR Grammar | |||
1.5. Examples . . . . . . . . . . . . . . . . . . . . . . . . 5 | 1.5. Examples | |||
2. Signature Algorithms . . . . . . . . . . . . . . . . . . . . 5 | 2. Signature Algorithms | |||
2.1. ECDSA . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 2.1. ECDSA | |||
2.1.1. Security Considerations for ECDSA . . . . . . . . . . 7 | 2.1.1. Security Considerations for ECDSA | |||
2.2. Edwards-Curve Digital Signature Algorithms (EdDSAs) . . . 8 | 2.2. Edwards-Curve Digital Signature Algorithms (EdDSAs) | |||
2.2.1. Security Considerations for EdDSA . . . . . . . . . . 9 | 2.2.1. Security Considerations for EdDSA | |||
3. Message Authentication Code (MAC) Algorithms . . . . . . . . 9 | 3. Message Authentication Code (MAC) Algorithms | |||
3.1. Hash-Based Message Authentication Codes (HMACs) . . . . . 9 | 3.1. Hash-Based Message Authentication Codes (HMACs) | |||
3.1.1. Security Considerations for HMAC . . . . . . . . . . 11 | 3.1.1. Security Considerations for HMAC | |||
3.2. AES Message Authentication Code (AES-CBC-MAC) . . . . . . 11 | 3.2. AES Message Authentication Code (AES-CBC-MAC) | |||
3.2.1. Security Considerations AES-CBC_MAC . . . . . . . . . 12 | 3.2.1. Security Considerations for AES-CBC-MAC | |||
4. Content Encryption Algorithms . . . . . . . . . . . . . . . . 12 | 4. Content Encryption Algorithms | |||
4.1. AES GCM . . . . . . . . . . . . . . . . . . . . . . . . . 12 | 4.1. AES-GCM | |||
4.1.1. Security Considerations for AES-GCM . . . . . . . . . 13 | 4.1.1. Security Considerations for AES-GCM | |||
4.2. AES CCM . . . . . . . . . . . . . . . . . . . . . . . . . 14 | 4.2. AES-CCM | |||
4.2.1. Security Considerations for AES-CCM . . . . . . . . . 17 | 4.2.1. Security Considerations for AES-CCM | |||
4.3. ChaCha20 and Poly1305 . . . . . . . . . . . . . . . . . . 18 | 4.3. ChaCha20 and Poly1305 | |||
4.3.1. Security Considerations for ChaCha20/Poly1305 . . . . 19 | 4.3.1. Security Considerations for ChaCha20/Poly1305 | |||
5. Key Derivation Functions (KDFs) . . . . . . . . . . . . . . . 19 | 5. Key Derivation Functions (KDFs) | |||
5.1. HMAC-Based Extract-and-Expand Key Derivation Function | 5.1. HMAC-Based Extract-and-Expand Key Derivation Function | |||
(HKDF) . . . . . . . . . . . . . . . . . . . . . . . . . 19 | (HKDF) | |||
5.2. Context Information Structure . . . . . . . . . . . . . . 21 | 5.2. Context Information Structure | |||
6. Content Key Distribution Methods . . . . . . . . . . . . . . 26 | 6. Content Key Distribution Methods | |||
6.1. Direct Encryption . . . . . . . . . . . . . . . . . . . . 27 | 6.1. Direct Encryption | |||
6.1.1. Direct Key . . . . . . . . . . . . . . . . . . . . . 27 | 6.1.1. Direct Key | |||
6.1.2. Direct Key with KDF . . . . . . . . . . . . . . . . . 28 | 6.1.2. Direct Key with KDF | |||
6.2. Key Wrap . . . . . . . . . . . . . . . . . . . . . . . . 29 | 6.2. Key Wrap | |||
6.2.1. AES Key Wrap . . . . . . . . . . . . . . . . . . . . 30 | 6.2.1. AES Key Wrap | |||
6.3. Direct Key Agreement . . . . . . . . . . . . . . . . . . 31 | 6.3. Direct Key Agreement | |||
6.3.1. Direct ECDH . . . . . . . . . . . . . . . . . . . . . 31 | 6.3.1. Direct ECDH | |||
6.4. Key Agreement with Key Wrap . . . . . . . . . . . . . . . 34 | 6.4. Key Agreement with Key Wrap | |||
6.4.1. ECDH with Key Wrap . . . . . . . . . . . . . . . . . 35 | 6.4.1. ECDH with Key Wrap | |||
7. Key Object Parameters . . . . . . . . . . . . . . . . . . . . 37 | 7. Key Object Parameters | |||
7.1. Elliptic Curve Keys . . . . . . . . . . . . . . . . . . . 37 | 7.1. Elliptic Curve Keys | |||
7.1.1. Double Coordinate Curves . . . . . . . . . . . . . . 38 | 7.1.1. Double Coordinate Curves | |||
7.2. Octet Key Pair . . . . . . . . . . . . . . . . . . . . . 39 | 7.2. Octet Key Pair | |||
7.3. Symmetric Keys . . . . . . . . . . . . . . . . . . . . . 40 | 7.3. Symmetric Keys | |||
8. COSE Capabilities . . . . . . . . . . . . . . . . . . . . . . 41 | 8. COSE Capabilities | |||
8.1. Assignments for Existing Algorithms . . . . . . . . . . . 42 | 8.1. Assignments for Existing Algorithms | |||
8.2. Assignments for Existing Key Types . . . . . . . . . . . 42 | 8.2. Assignments for Existing Key Types | |||
8.3. Examples . . . . . . . . . . . . . . . . . . . . . . . . 42 | 8.3. Examples | |||
9. CBOR Encoding Restrictions . . . . . . . . . . . . . . . . . 45 | 9. CBOR Encoding Restrictions | |||
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 45 | 10. IANA Considerations | |||
10.1. Changes to "COSE Key Types" registry. . . . . . . . . . 45 | 10.1. Changes to the "COSE Key Types" Registry | |||
10.2. Changes to "COSE Algorithms" registry . . . . . . . . . 46 | 10.2. Changes to the "COSE Algorithms" Registry | |||
10.3. Changes to the "COSE Key Type Parameters" registry . . . 46 | 10.3. Changes to the "COSE Key Type Parameters" Registry | |||
10.4. Expert Review Instructions . . . . . . . . . . . . . . . 46 | 10.4. Expert Review Instructions | |||
11. Security Considerations . . . . . . . . . . . . . . . . . . . 47 | 11. Security Considerations | |||
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 49 | 12. References | |||
12.1. Normative References . . . . . . . . . . . . . . . . . . 49 | 12.1. Normative References | |||
12.2. Informative References . . . . . . . . . . . . . . . . . 51 | 12.2. Informative References | |||
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 54 | Acknowledgments | |||
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 54 | Author's Address | |||
1. Introduction | 1. Introduction | |||
There has been an increased focus on small, constrained devices that | There has been an increased focus on small, constrained devices that | |||
make up the Internet of Things (IoT). One of the standards that has | make up the Internet of Things (IoT). One of the standards that has | |||
come out of this process is "Concise Binary Object Representation | come out of this process is "Concise Binary Object Representation | |||
(CBOR)" [RFC7049]. CBOR extended the data model of JavaScript Object | (CBOR)" [RFC8949]. CBOR extended the data model of JavaScript Object | |||
Notation (JSON) [STD90] by allowing for binary data, among other | Notation (JSON) [STD90] by allowing for binary data, among other | |||
changes. CBOR is being adopted by several of the IETF working groups | changes. CBOR is being adopted by several of the IETF working groups | |||
dealing with the IoT world as their encoding of data structures. | dealing with the IoT world as their method of encoding data | |||
CBOR was designed specifically to be both small in terms of messages | structures. CBOR was designed specifically to be small in terms of | |||
transported and implementation size and be a schema-free decoder. A | both messages transported and implementation size and be a schema- | |||
need exists to provide message security services for IoT, and using | free decoder. A need exists to provide message security services for | |||
CBOR as the message-encoding format makes sense. | IoT, and using CBOR as the message-encoding format makes sense. | |||
The core COSE specification consists of two documents. | The core COSE specification consists of two documents. [RFC9052] | |||
[I-D.ietf-cose-rfc8152bis-struct] contains the serialization | contains the serialization structures and the procedures for using | |||
structures and the procedures for using the different cryptographic | the different cryptographic algorithms. This document provides an | |||
algorithms. This document provides an initial set of algorithms for | initial set of algorithms for use with those structures. | |||
use with those structures. | ||||
1.1. Requirements Terminology | 1.1. Requirements Terminology | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
"OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
14 [RFC2119] [RFC8174] when, and only when, they appear in all | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
capitals, as shown here. | capitals, as shown here. | |||
1.2. Changes from RFC8152 | 1.2. Changes from RFC 8152 | |||
* Extract the sections dealing with specific algorithms into this | * Extracted the sections dealing with specific algorithms and place | |||
document. The sections dealing with structure and general | them into this document. The sections dealing with structure and | |||
processing rules are placed in [I-D.ietf-cose-rfc8152bis-struct]. | general processing rules are placed in [RFC9052]. | |||
* Text clarifications and changes in terminology. | * Made text clarifications and changes in terminology. | |||
1.3. Document Terminology | 1.3. Document Terminology | |||
In this document, we use the following terminology: | In this document, we use the following terminology: | |||
Byte is a synonym for octet. | Byte: A synonym for octet. | |||
Constrained Application Protocol (CoAP) is a specialized web transfer | Constrained Application Protocol (CoAP): A specialized web transfer | |||
protocol for use in constrained systems. It is defined in [RFC7252]. | protocol for use in constrained systems. It is defined in | |||
[RFC7252]. | ||||
Authenticated Encryption (AE) [RFC5116] algorithms are encryption | Authenticated Encryption (AE) algorithms [RFC5116]: Encryption | |||
algorithms that provide an authentication check of the contents with | algorithms that provide an authentication check of the contents | |||
the encryption service. An example of an AE algorithm used in COSE | with the encryption service. An example of an AE algorithm used | |||
is AES Key Wrap [RFC3394]. These algorithms are used for key | in COSE is AES Key Wrap [RFC3394]. These algorithms are used for | |||
encryption algorithms, but AEAD algorithms would be preferred. | key encryption algorithms, but Authenticated Encryption with | |||
Associated Data (AEAD) algorithms would be preferred. | ||||
Authenticated Encryption with Associated Data (AEAD) [RFC5116] | AEAD algorithms [RFC5116]: Provide the same authentication service | |||
algorithms provide the same authentication service of the content as | of the content as AE algorithms do. They also allow associated | |||
AE algorithms do. They also allow for associated data to be included | data that is not part of the encrypted body to be included in the | |||
in the authentication service, but which is not part of the encrypted | authentication service. An example of an AEAD algorithm used in | |||
body. An example of an AEAD algorithm used in COSE is AES-GCM | COSE is AES-GCM [RFC5116]. These algorithms are used for content | |||
[RFC5116]. These algorithms are used for content encryption and can | encryption and can be used for key encryption as well. | |||
be used for key encryption as well. | ||||
The term 'byte string' is used for sequences of bytes, while the term | The term "byte string" is used for sequences of bytes, while the term | |||
'text string' is used for sequences of characters. | "text string" is used for sequences of characters. | |||
The tables for algorithms contain the following columns: | The tables for algorithms contain the following columns: | |||
* A name for use in documents for the algorithms. | * A name for the algorithms for use in documents. | |||
* The value used on the wire for the algorithm. One place this is | * The value used on the wire for the algorithm. One place this is | |||
used is the algorithm header parameter of a message. | used is the algorithm header parameter of a message. | |||
* A short description so that the algorithm can be easily identified | * A short description so that the algorithm can be easily identified | |||
when scanning the IANA registry. | when scanning the IANA registry. | |||
Additional columns may be present in the table depending on the | Additional columns may be present in a table depending on the | |||
algorithms. | algorithms. | |||
1.4. CBOR Grammar | 1.4. CBOR Grammar | |||
At the time that [RFC8152] was initially published, the CBOR Data | At the time that [RFC8152] was initially published, the CBOR Data | |||
Definition Language (CDDL) [RFC8610] had not yet been published. | Definition Language (CDDL) [RFC8610] had not yet been published. | |||
This document uses a variant of CDDL which is described in | This document uses a variant of CDDL that is described in [RFC9052]. | |||
[I-D.ietf-cose-rfc8152bis-struct]. | ||||
1.5. Examples | 1.5. Examples | |||
A GitHub project has been created at [GitHub-Examples] that contains | A GitHub project has been created at [GitHub-Examples] that contains | |||
a set of testing examples as well. Each example is found in a JSON | a set of testing examples as well. Each example is found in a JSON | |||
file that contains the inputs used to create the example, some of the | file that contains the inputs used to create the example, some of the | |||
intermediate values that can be used for debugging, and the output of | intermediate values that can be used for debugging, and the output of | |||
the example. The results are encoded using both hexadecimal and CBOR | the example. The results are encoded using both hexadecimal and CBOR | |||
diagnostic notation format. | diagnostic notation format. | |||
Some of the examples are designed to test failure case; these are | Some of the examples are designed to test the failure case; these are | |||
clearly marked as such in the JSON file. If errors in the examples | clearly marked as such in the JSON file. If errors in the examples | |||
in this document are found, the examples on GitHub will be updated, | in this document are found, the examples on GitHub will be updated, | |||
and a note to that effect will be placed in the JSON file. | and a note to that effect will be placed in the JSON file. | |||
2. Signature Algorithms | 2. Signature Algorithms | |||
Section 9.1 of [I-D.ietf-cose-rfc8152bis-struct] contains a generic | Section 8.1 of [RFC9052] contains a generic description of signature | |||
description of signature algorithms. The document defines signature | algorithms. The document defines signature algorithm identifiers for | |||
algorithm identifiers for two signature algorithms. | two signature algorithms. | |||
2.1. ECDSA | 2.1. ECDSA | |||
ECDSA [DSS] defines a signature algorithm using ECC. Implementations | The Elliptic Curve Digital Signature Algorithm (ECDSA) [DSS] defines | |||
SHOULD use a deterministic version of ECDSA such as the one defined | a signature algorithm using Elliptic Curve Cryptography (ECC). | |||
in [RFC6979]. The use of a deterministic signature algorithm allows | Implementations SHOULD use a deterministic version of ECDSA such as | |||
for systems to avoid relying on random number generators in order to | the one defined in [RFC6979]. The use of a deterministic signature | |||
avoid generating the same value of 'k' (the per-message random | algorithm allows systems to avoid relying on random number generators | |||
value). Biased generation of the value 'k' can be attacked, and | in order to avoid generating the same value of "k" (the per-message | |||
collisions of this value leads to leaked keys. It additionally | random value). Biased generation of the value "k" can be attacked, | |||
allows for doing deterministic tests for the signature algorithm. | and collisions of this value lead to leaked keys. It additionally | |||
allows performing deterministic tests for the signature algorithm. | ||||
The use of deterministic ECDSA does not lessen the need to have good | The use of deterministic ECDSA does not lessen the need to have good | |||
random number generation when creating the private key. | random number generation when creating the private key. | |||
The ECDSA signature algorithm is parameterized with a hash function | The ECDSA signature algorithm is parameterized with a hash function | |||
(h). In the event that the length of the hash function output is | (h). In the event that the length of the hash function output is | |||
greater than the group of the key, the leftmost bytes of the hash | greater than the group of the key, the leftmost bytes of the hash | |||
output are used. | output are used. | |||
The algorithms defined in this document can be found in Table 1. | The algorithms defined in this document can be found in Table 1. | |||
+=======+=======+=========+==================+ | +=======+=======+=========+==================+ | |||
| Name | Value | Hash | Description | | | Name | Value | Hash | Description | | |||
+=======+=======+=========+==================+ | +=======+=======+=========+==================+ | |||
| ES256 | -7 | SHA-256 | ECDSA w/ SHA-256 | | | ES256 | -7 | SHA-256 | ECDSA w/ SHA-256 | | |||
+-------+-------+---------+------------------+ | +-------+-------+---------+------------------+ | |||
| ES384 | -35 | SHA-384 | ECDSA w/ SHA-384 | | | ES384 | -35 | SHA-384 | ECDSA w/ SHA-384 | | |||
+-------+-------+---------+------------------+ | +-------+-------+---------+------------------+ | |||
| ES512 | -36 | SHA-512 | ECDSA w/ SHA-512 | | | ES512 | -36 | SHA-512 | ECDSA w/ SHA-512 | | |||
+-------+-------+---------+------------------+ | +-------+-------+---------+------------------+ | |||
Table 1: ECDSA Algorithm Values | Table 1: ECDSA Algorithm Values | |||
This document defines ECDSA to work only with the curves P-256, | This document defines ECDSA as working only with the curves P-256, | |||
P-384, and P-521. This document requires that the curves be encoded | P-384, and P-521. This document requires that the curves be encoded | |||
using the 'EC2' (two coordinate elliptic curve) key type. | using the "EC2" (two coordinate elliptic curve) key type. | |||
Implementations need to check that the key type and curve are correct | Implementations need to check that the key type and curve are correct | |||
when creating and verifying a signature. Future documents may define | when creating and verifying a signature. Future documents may define | |||
it to work with other curves and points in the future. | it to work with other curves and points in the future. | |||
In order to promote interoperability, it is suggested that SHA-256 be | In order to promote interoperability, it is suggested that SHA-256 be | |||
used only with curve P-256, SHA-384 be used only with curve P-384, | used only with curve P-256, SHA-384 be used only with curve P-384, | |||
and SHA-512 be used with curve P-521. This is aligned with the | and SHA-512 be used with curve P-521. This is aligned with the | |||
recommendation in Section 4 of [RFC5480]. | recommendation in Section 4 of [RFC5480]. | |||
The signature algorithm results in a pair of integers (R, S). These | The signature algorithm results in a pair of integers (R, S). These | |||
skipping to change at page 7, line 5 ¶ | skipping to change at line 274 ¶ | |||
Using the function defined in [RFC8017], the signature is: | Using the function defined in [RFC8017], the signature is: | |||
Signature = I2OSP(R, n) | I2OSP(S, n) | Signature = I2OSP(R, n) | I2OSP(S, n) | |||
where n = ceiling(key_length / 8) | where n = ceiling(key_length / 8) | |||
When using a COSE key for this algorithm, the following checks are | When using a COSE key for this algorithm, the following checks are | |||
made: | made: | |||
* The 'kty' field MUST be present, and it MUST be 'EC2'. | * The "kty" field MUST be present, and it MUST be "EC2". | |||
* If the 'alg' field is present, it MUST match the ECDSA signature | * If the "alg" field is present, it MUST match the ECDSA signature | |||
algorithm being used. | algorithm being used. | |||
* If the 'key_ops' field is present, it MUST include 'sign' when | * If the "key_ops" field is present, it MUST include "sign" when | |||
creating an ECDSA signature. | creating an ECDSA signature. | |||
* If the 'key_ops' field is present, it MUST include 'verify' when | * If the "key_ops" field is present, it MUST include "verify" when | |||
verifying an ECDSA signature. | verifying an ECDSA signature. | |||
2.1.1. Security Considerations for ECDSA | 2.1.1. Security Considerations for ECDSA | |||
The security strength of the signature is no greater than the minimum | The security strength of the signature is no greater than the minimum | |||
of the security strength associated with the bit length of the key | of the security strength associated with the bit length of the key | |||
and the security strength of the hash function. | and the security strength of the hash function. | |||
Note: Use of a deterministic signature technique is a good idea even | Note: Use of a deterministic signature technique is a good idea even | |||
when good random number generation exists. Doing so both reduces the | when good random number generation exists. Doing so both reduces the | |||
possibility of having the same value of 'k' in two signature | possibility of having the same value of "k" in two signature | |||
operations and allows for reproducible signature values, which helps | operations and allows for reproducible signature values, which helps | |||
testing. There have been recent attacks involving faulting the | testing. There have been recent attacks involving faulting the | |||
device in order to extract the key. This can be addressed by | device in order to extract the key. This can be addressed by | |||
combining both randomness and determinism | combining both randomness and determinism [CFRG-DET-SIGS]. | |||
[I-D.mattsson-cfrg-det-sigs-with-noise]. | ||||
There are two substitution attacks that can theoretically be mounted | There are two substitution attacks that can theoretically be mounted | |||
against the ECDSA signature algorithm. | against the ECDSA signature algorithm. | |||
* Changing the curve used to validate the signature: If one changes | * Changing the curve used to validate the signature: If one changes | |||
the curve used to validate the signature, then potentially one | the curve used to validate the signature, then potentially one | |||
could have two messages with the same signature, each computed | could have two messages with the same signature, each computed | |||
under a different curve. The only requirement on the new curve is | under a different curve. The only requirements on the new curve | |||
that its order be the same as the old one and it be acceptable to | are that its order be the same as the old one and that it be | |||
the client. An example would be to change from using the curve | acceptable to the client. An example would be to change from | |||
secp256r1 (aka P-256) to using secp256k1. (Both are 256-bit | using the curve secp256r1 (aka P-256) to using secp256k1. (Both | |||
curves.) We currently do not have any way to deal with this | are 256-bit curves.) We currently do not have any way to deal | |||
version of the attack except to restrict the overall set of curves | with this version of the attack except to restrict the overall set | |||
that can be used. | of curves that can be used. | |||
* Change the hash function used to validate the signature: If one | * Changing the hash function used to validate the signature: If one | |||
either has two different hash functions of the same length or can | either has two different hash functions of the same length or can | |||
truncate a hash function, then one could potentially find | truncate a hash function, then one could potentially find | |||
collisions between the hash functions rather than within a single | collisions between the hash functions rather than within a single | |||
hash function (for example, truncating SHA-512 to 256 bits might | hash function. For example, truncating SHA-512 to 256 bits might | |||
collide with a SHA-256 bit hash value). As the hash algorithm is | collide with a SHA-256 bit hash value. As the hash algorithm is | |||
part of the signature algorithm identifier, this attack is | part of the signature algorithm identifier, this attack is | |||
mitigated by including a signature algorithm identifier in the | mitigated by including a signature algorithm identifier in the | |||
protected header bucket. | protected-header bucket. | |||
2.2. Edwards-Curve Digital Signature Algorithms (EdDSAs) | 2.2. Edwards-Curve Digital Signature Algorithms (EdDSAs) | |||
[RFC8032] describes the elliptic curve signature scheme Edwards-curve | [RFC8032] describes the elliptic curve signature scheme Edwards-curve | |||
Digital Signature Algorithm (EdDSA). In that document, the signature | Digital Signature Algorithm (EdDSA). In that document, the signature | |||
algorithm is instantiated using parameters for edwards25519 and | algorithm is instantiated using parameters for edwards25519 and | |||
edwards448 curves. The document additionally describes two variants | edwards448 curves. The document additionally describes two variants | |||
of the EdDSA algorithm: Pure EdDSA, where no hash function is applied | of the EdDSA algorithm: Pure EdDSA, where no hash function is applied | |||
to the content before signing, and HashEdDSA, where a hash function | to the content before signing, and HashEdDSA, where a hash function | |||
is applied to the content before signing and the result of that hash | is applied to the content before signing and the result of that hash | |||
function is signed. For EdDSA, the content to be signed (either the | function is signed. For EdDSA, the content to be signed (either the | |||
message or the pre-hash value) is processed twice inside of the | message or the prehash value) is processed twice inside of the | |||
signature algorithm. For use with COSE, only the pure EdDSA version | signature algorithm. For use with COSE, only the pure EdDSA version | |||
is used. This is because it is not expected that extremely large | is used. This is because it is not expected that extremely large | |||
contents are going to be needed and, based on the arrangement of the | contents are going to be needed and, based on the arrangement of the | |||
message structure, the entire message is going to need to be held in | message structure, the entire message is going to need to be held in | |||
memory in order to create or verify a signature. This means that | memory in order to create or verify a signature. Therefore, there | |||
there does not appear to be a need to be able to do block updates of | does not appear to be a need to be able to do block updates of the | |||
the hash, followed by eliminating the message from memory. | hash, followed by eliminating the message from memory. Applications | |||
Applications can provide the same features by defining the content of | can provide the same features by defining the content of the message | |||
the message as a hash value and transporting the COSE object (with | as a hash value and transporting the COSE object (with the hash | |||
the hash value) and the content as separate items. | value) and the content as separate items. | |||
The algorithms defined in this document can be found in Table 2. A | The algorithm defined in this document can be found in Table 2. A | |||
single signature algorithm is defined, which can be used for multiple | single signature algorithm is defined, which can be used for multiple | |||
curves. | curves. | |||
+=======+=======+=============+ | +=======+=======+=============+ | |||
| Name | Value | Description | | | Name | Value | Description | | |||
+=======+=======+=============+ | +=======+=======+=============+ | |||
| EdDSA | -8 | EdDSA | | | EdDSA | -8 | EdDSA | | |||
+-------+-------+-------------+ | +-------+-------+-------------+ | |||
Table 2: EdDSA Algorithm Values | Table 2: EdDSA Algorithm Value | |||
[RFC8032] describes the method of encoding the signature value. | [RFC8032] describes the method of encoding the signature value. | |||
When using a COSE key for this algorithm, the following checks are | When using a COSE key for this algorithm, the following checks are | |||
made: | made: | |||
* The 'kty' field MUST be present, and it MUST be 'OKP' (Octet Key | * The "kty" field MUST be present, and it MUST be "OKP" (Octet Key | |||
Pair). | Pair). | |||
* The 'crv' field MUST be present, and it MUST be a curve defined | * The "crv" field MUST be present, and it MUST be a curve defined | |||
for this signature algorithm. | for this signature algorithm. | |||
* If the 'alg' field is present, it MUST match 'EdDSA'. | * If the "alg" field is present, it MUST match "EdDSA". | |||
* If the 'key_ops' field is present, it MUST include 'sign' when | * If the "key_ops" field is present, it MUST include "sign" when | |||
creating an EdDSA signature. | creating an EdDSA signature. | |||
* If the 'key_ops' field is present, it MUST include 'verify' when | * If the "key_ops" field is present, it MUST include "verify" when | |||
verifying an EdDSA signature. | verifying an EdDSA signature. | |||
2.2.1. Security Considerations for EdDSA | 2.2.1. Security Considerations for EdDSA | |||
How public values are computed is not the same when looking at EdDSA | Public values are computed differently in EdDSA and Elliptic Curve | |||
and Elliptic Curve Diffie-Hellman (ECDH); for this reason, the public | Diffie-Hellman (ECDH); for this reason, the public key should not be | |||
key should not be used with the other algorithm. | used with the other algorithm. | |||
If batch signature verification is performed, a well-seeded | If batch signature verification is performed, a well-seeded | |||
cryptographic random number generator is REQUIRED (Section 8.2 of | cryptographic random number generator is REQUIRED (Section 8.2 of | |||
[RFC8032]). Signing and non-batch signature verification are | [RFC8032]). Signing and nonbatch signature verification are | |||
deterministic operations and do not need random numbers of any kind. | deterministic operations and do not need random numbers of any kind. | |||
3. Message Authentication Code (MAC) Algorithms | 3. Message Authentication Code (MAC) Algorithms | |||
Section 9.2 of [I-D.ietf-cose-rfc8152bis-struct] contains a generic | Section 9.2 of [RFC9052] contains a generic description of MAC | |||
description of MAC algorithms. This section defines the conventions | algorithms. This section defines the conventions for two MAC | |||
for two MAC algorithms. | algorithms. | |||
3.1. Hash-Based Message Authentication Codes (HMACs) | 3.1. Hash-Based Message Authentication Codes (HMACs) | |||
HMAC [RFC2104] [RFC4231] was designed to deal with length extension | HMAC [RFC2104] [RFC4231] was designed to deal with length extension | |||
attacks. The algorithm was also designed to allow for new hash | attacks. The algorithm was also designed to allow new hash | |||
algorithms to be directly plugged in without changes to the hash | algorithms to be directly plugged in without changes to the hash | |||
function. The HMAC design process has been shown as solid since, | function. The HMAC design process has been shown to be solid; | |||
while the security of hash algorithms such as MD5 has decreased over | although the security of hash algorithms such as MD5 has decreased | |||
time; the security of HMAC combined with MD5 has not yet been shown | over time, the security of HMAC combined with MD5 has not yet been | |||
to be compromised [RFC6151]. | shown to be compromised [RFC6151]. | |||
The HMAC algorithm is parameterized by an inner and outer padding, a | The HMAC algorithm is parameterized by an inner and outer padding, a | |||
hash function (h), and an authentication tag value length. For this | hash function (h), and an authentication tag value length. For this | |||
specification, the inner and outer padding are fixed to the values | specification, the inner and outer padding are fixed to the values | |||
set in [RFC2104]. The length of the authentication tag corresponds | set in [RFC2104]. The length of the authentication tag corresponds | |||
to the difficulty of producing a forgery. For use in constrained | to the difficulty of producing a forgery. For use in constrained | |||
environments, we define one HMAC algorithm that is truncated. There | environments, we define one HMAC algorithm that is truncated. There | |||
are currently no known issues with truncation; however, the security | are currently no known issues with truncation; however, the security | |||
strength of the message tag is correspondingly reduced in strength. | strength of the message tag is correspondingly reduced in strength. | |||
When truncating, the leftmost tag length bits are kept and | When truncating, the leftmost tag-length bits are kept and | |||
transmitted. | transmitted. | |||
The algorithms defined in this document can be found in Table 3. | The algorithms defined in this document can be found in Table 3. | |||
+=============+=======+=========+============+======================+ | +=============+=======+=========+============+======================+ | |||
| Name | Value | Hash | Tag Length | Description | | | Name | Value | Hash | Tag Length | Description | | |||
+=============+=======+=========+============+======================+ | +=============+=======+=========+============+======================+ | |||
| HMAC | 4 | SHA-256 | 64 | HMAC w/ SHA-256 | | | HMAC | 4 | SHA-256 | 64 | HMAC w/ SHA-256 | | |||
| 256/64 | | | | truncated to 64 bits | | | 256/64 | | | | truncated to 64 bits | | |||
+-------------+-------+---------+------------+----------------------+ | +-------------+-------+---------+------------+----------------------+ | |||
| HMAC | 5 | SHA-256 | 256 | HMAC w/ SHA-256 | | | HMAC | 5 | SHA-256 | 256 | HMAC w/ SHA-256 | | |||
| 256/256 | | | | | | | 256/256 | | | | | | |||
+-------------+-------+---------+------------+----------------------+ | +-------------+-------+---------+------------+----------------------+ | |||
| HMAC | 6 | SHA-384 | 384 | HMAC w/ SHA-384 | | | HMAC | 6 | SHA-384 | 384 | HMAC w/ SHA-384 | | |||
| 384/384 | | | | | | | 384/384 | | | | | | |||
+-------------+-------+---------+------------+----------------------+ | +-------------+-------+---------+------------+----------------------+ | |||
| HMAC | 7 | SHA-512 | 512 | HMAC w/ SHA-512 | | | HMAC | 7 | SHA-512 | 512 | HMAC w/ SHA-512 | | |||
| 512/512 | | | | | | | 512/512 | | | | | | |||
+-------------+-------+---------+------------+----------------------+ | +-------------+-------+---------+------------+----------------------+ | |||
Table 3: HMAC Algorithm Values | Table 3: HMAC Algorithm Values | |||
Some recipient algorithms transport the key, while others derive a | Some recipient algorithms transport the key, while others derive a | |||
key from secret data. For those algorithms that transport the key | key from secret data. For those algorithms that transport the key | |||
(such as AES Key Wrap), the size of the HMAC key SHOULD be the same | (such as AES Key Wrap), the size of the HMAC key SHOULD be the same | |||
size as the output of the underlying hash function. For those | size as the output of the underlying hash function. For those | |||
algorithms that derive the key (such as ECDH), the derived key MUST | algorithms that derive the key (such as ECDH), the derived key MUST | |||
be the same size as the underlying hash function. | be the same size as the underlying hash function. | |||
When using a COSE key for this algorithm, the following checks are | When using a COSE key for this algorithm, the following checks are | |||
made: | made: | |||
* The 'kty' field MUST be present, and it MUST be 'Symmetric'. | * The "kty" field MUST be present, and it MUST be "Symmetric". | |||
* If the 'alg' field is present, it MUST match the HMAC algorithm | * If the "alg" field is present, it MUST match the HMAC algorithm | |||
being used. | being used. | |||
* If the 'key_ops' field is present, it MUST include 'MAC create' | * If the "key_ops" field is present, it MUST include "MAC create" | |||
when creating an HMAC authentication tag. | when creating an HMAC authentication tag. | |||
* If the 'key_ops' field is present, it MUST include 'MAC verify' | * If the "key_ops" field is present, it MUST include "MAC verify" | |||
when verifying an HMAC authentication tag. | when verifying an HMAC authentication tag. | |||
Implementations creating and validating MAC values MUST validate that | Implementations creating and validating MAC values MUST validate that | |||
the key type, key length, and algorithm are correct and appropriate | the key type, key length, and algorithm are correct and appropriate | |||
for the entities involved. | for the entities involved. | |||
3.1.1. Security Considerations for HMAC | 3.1.1. Security Considerations for HMAC | |||
HMAC has proved to be resistant to attack even when used with | HMAC has proved to be resistant to attack even when used with | |||
weakened hash algorithms. The current best known attack is to brute | weakened hash algorithms. The current best known attack is to brute | |||
skipping to change at page 11, line 21 ¶ | skipping to change at line 475 ¶ | |||
3.2. AES Message Authentication Code (AES-CBC-MAC) | 3.2. AES Message Authentication Code (AES-CBC-MAC) | |||
AES-CBC-MAC is defined in [MAC]. (Note that this is not the same | AES-CBC-MAC is defined in [MAC]. (Note that this is not the same | |||
algorithm as AES Cipher-Based Message Authentication Code (AES-CMAC) | algorithm as AES Cipher-Based Message Authentication Code (AES-CMAC) | |||
[RFC4493].) | [RFC4493].) | |||
AES-CBC-MAC is parameterized by the key length, the authentication | AES-CBC-MAC is parameterized by the key length, the authentication | |||
tag length, and the Initialization Vector (IV) used. For all of | tag length, and the Initialization Vector (IV) used. For all of | |||
these algorithms, the IV is fixed to all zeros. We provide an array | these algorithms, the IV is fixed to all zeros. We provide an array | |||
of algorithms for various key lengths and tag lengths. The | of algorithms for various key and tag lengths. The algorithms | |||
algorithms defined in this document are found in Table 4. | defined in this document are found in Table 4. | |||
+=========+=======+============+============+==================+ | +=========+=======+============+============+==================+ | |||
| Name | Value | Key Length | Tag Length | Description | | | Name | Value | Key Length | Tag Length | Description | | |||
+=========+=======+============+============+==================+ | +=========+=======+============+============+==================+ | |||
| AES-MAC | 14 | 128 | 64 | AES-MAC 128-bit | | | AES-MAC | 14 | 128 | 64 | AES-MAC 128-bit | | |||
| 128/64 | | | | key, 64-bit tag | | | 128/64 | | | | key, 64-bit tag | | |||
+---------+-------+------------+------------+------------------+ | +---------+-------+------------+------------+------------------+ | |||
| AES-MAC | 15 | 256 | 64 | AES-MAC 256-bit | | | AES-MAC | 15 | 256 | 64 | AES-MAC 256-bit | | |||
| 256/64 | | | | key, 64-bit tag | | | 256/64 | | | | key, 64-bit tag | | |||
+---------+-------+------------+------------+------------------+ | +---------+-------+------------+------------+------------------+ | |||
| AES-MAC | 25 | 128 | 128 | AES-MAC 128-bit | | | AES-MAC | 25 | 128 | 128 | AES-MAC 128-bit | | |||
| 128/128 | | | | key, 128-bit tag | | | 128/128 | | | | key, 128-bit tag | | |||
+---------+-------+------------+------------+------------------+ | +---------+-------+------------+------------+------------------+ | |||
| AES-MAC | 26 | 256 | 128 | AES-MAC 256-bit | | | AES-MAC | 26 | 256 | 128 | AES-MAC 256-bit | | |||
| 256/128 | | | | key, 128-bit tag | | | 256/128 | | | | key, 128-bit tag | | |||
+---------+-------+------------+------------+------------------+ | +---------+-------+------------+------------+------------------+ | |||
Table 4: AES-MAC Algorithm Values | Table 4: AES-MAC Algorithm Values | |||
Keys may be obtained either from a key structure or from a recipient | Keys may be obtained from either a key structure or a recipient | |||
structure. Implementations creating and validating MAC values MUST | structure. Implementations creating and validating MAC values MUST | |||
validate that the key type, key length, and algorithm are correct and | validate that the key type, key length, and algorithm are correct and | |||
appropriate for the entities involved. | appropriate for the entities involved. | |||
When using a COSE key for this algorithm, the following checks are | When using a COSE key for this algorithm, the following checks are | |||
made: | made: | |||
* The 'kty' field MUST be present, and it MUST be 'Symmetric'. | * The "kty" field MUST be present, and it MUST be "Symmetric". | |||
* If the 'alg' field is present, it MUST match the AES-MAC algorithm | * If the "alg" field is present, it MUST match the AES-MAC algorithm | |||
being used. | being used. | |||
* If the 'key_ops' field is present, it MUST include 'MAC create' | * If the "key_ops" field is present, it MUST include "MAC create" | |||
when creating an AES-MAC authentication tag. | when creating an AES-MAC authentication tag. | |||
* If the 'key_ops' field is present, it MUST include 'MAC verify' | * If the "key_ops" field is present, it MUST include "MAC verify" | |||
when verifying an AES-MAC authentication tag. | when verifying an AES-MAC authentication tag. | |||
3.2.1. Security Considerations AES-CBC_MAC | 3.2.1. Security Considerations for AES-CBC-MAC | |||
A number of attacks exist against Cipher Block Chaining Message | A number of attacks exist against Cipher Block Chaining Message | |||
Authentication Code (CBC-MAC) that need to be considered. | Authentication Code (CBC-MAC) that need to be considered. | |||
* A single key must only be used for messages of a fixed or known | * A single key must only be used for messages of a fixed or known | |||
length. If this is not the case, an attacker will be able to | length. If this is not the case, an attacker will be able to | |||
generate a message with a valid tag given two message and tag | generate a message with a valid tag given two message and tag | |||
pairs. This can be addressed by using different keys for messages | pairs. This can be addressed by using different keys for messages | |||
of different lengths. The current structure mitigates this | of different lengths. The current structure mitigates this | |||
problem, as a specific encoding structure that includes lengths is | problem, as a specific encoding structure that includes lengths is | |||
built and signed. (CMAC also addresses this issue.) | built and signed. (CMAC also addresses this issue.) | |||
* In cipher Block Chaining (CBC) mode, if the same key is used for | * In Cipher Block Chaining (CBC) mode, if the same key is used for | |||
both encryption and authentication operations, an attacker can | both encryption and authentication operations, an attacker can | |||
produce messages with a valid authentication code. | produce messages with a valid authentication code. | |||
* If the IV can be modified, then messages can be forged. This is | * If the IV can be modified, then messages can be forged. This is | |||
addressed by fixing the IV to all zeros. | addressed by fixing the IV to all zeros. | |||
4. Content Encryption Algorithms | 4. Content Encryption Algorithms | |||
Section 9.3 of [I-D.ietf-cose-rfc8152bis-struct] contains a generic | Section 9.3 of [RFC9052] contains a generic description of content | |||
description of Content Encryption algorithms. This document defines | encryption algorithms. This document defines the identifier and | |||
the identifier and usages for three content encryption algorithms. | usages for three content encryption algorithms. | |||
4.1. AES GCM | 4.1. AES-GCM | |||
The Galois/Counter Mode (GCM) mode is a generic AEAD block cipher | The Galois/Counter Mode (GCM) is a generic AEAD block cipher mode | |||
mode defined in [AES-GCM]. The GCM mode is combined with the AES | defined in [AES-GCM]. The GCM is combined with the AES block | |||
block encryption algorithm to define an AEAD cipher. | encryption algorithm to define an AEAD cipher. | |||
The GCM mode is parameterized by the size of the authentication tag | The GCM is parameterized by the size of the authentication tag and | |||
and the size of the nonce. This document fixes the size of the nonce | the size of the nonce. This document fixes the size of the nonce at | |||
at 96 bits. The size of the authentication tag is limited to a small | 96 bits. The size of the authentication tag is limited to a small | |||
set of values. For this document however, the size of the | set of values. For this document, however, the size of the | |||
authentication tag is fixed at 128 bits. | authentication tag is fixed at 128 bits. | |||
The set of algorithms defined in this document are in Table 5. | The set of algorithms defined in this document is in Table 5. | |||
+=========+=======+==========================================+ | +=========+=======+=====================================+ | |||
| Name | Value | Description | | | Name | Value | Description | | |||
+=========+=======+==========================================+ | +=========+=======+=====================================+ | |||
| A128GCM | 1 | AES-GCM mode w/ 128-bit key, 128-bit tag | | | A128GCM | 1 | AES-GCM w/ 128-bit key, 128-bit tag | | |||
+---------+-------+------------------------------------------+ | +---------+-------+-------------------------------------+ | |||
| A192GCM | 2 | AES-GCM mode w/ 192-bit key, 128-bit tag | | | A192GCM | 2 | AES-GCM w/ 192-bit key, 128-bit tag | | |||
+---------+-------+------------------------------------------+ | +---------+-------+-------------------------------------+ | |||
| A256GCM | 3 | AES-GCM mode w/ 256-bit key, 128-bit tag | | | A256GCM | 3 | AES-GCM w/ 256-bit key, 128-bit tag | | |||
+---------+-------+------------------------------------------+ | +---------+-------+-------------------------------------+ | |||
Table 5: Algorithm Value for AES-GCM | Table 5: Algorithm Values for AES-GCM | |||
Keys may be obtained either from a key structure or from a recipient | Keys may be obtained from either a key structure or a recipient | |||
structure. Implementations encrypting and decrypting MUST validate | structure. Implementations that are encrypting and decrypting MUST | |||
that the key type, key length, and algorithm are correct and | validate that the key type, key length, and algorithm are correct and | |||
appropriate for the entities involved. | appropriate for the entities involved. | |||
When using a COSE key for this algorithm, the following checks are | When using a COSE key for this algorithm, the following checks are | |||
made: | made: | |||
* The 'kty' field MUST be present, and it MUST be 'Symmetric'. | * The "kty" field MUST be present, and it MUST be "Symmetric". | |||
* If the 'alg' field is present, it MUST match the AES-GCM algorithm | * If the "alg" field is present, it MUST match the AES-GCM algorithm | |||
being used. | being used. | |||
* If the 'key_ops' field is present, it MUST include 'encrypt' or | * If the "key_ops" field is present, it MUST include "encrypt" or | |||
'wrap key' when encrypting. | "wrap key" when encrypting. | |||
* If the 'key_ops' field is present, it MUST include 'decrypt' or | * If the "key_ops" field is present, it MUST include "decrypt" or | |||
'unwrap key' when decrypting. | "unwrap key" when decrypting. | |||
4.1.1. Security Considerations for AES-GCM | 4.1.1. Security Considerations for AES-GCM | |||
When using AES-GCM, the following restrictions MUST be enforced: | When using AES-GCM, the following restrictions MUST be enforced: | |||
* The key and nonce pair MUST be unique for every message encrypted. | * The key and nonce pair MUST be unique for every message encrypted. | |||
* The total number of messages encrypted for a single key MUST NOT | * The total number of messages encrypted for a single key MUST NOT | |||
exceed 2^32 [SP800-38d]. An explicit check is required only in | exceed 2^32 [SP800-38D]. An explicit check is required only in | |||
environments where it is expected that it might be exceeded. | environments where it is expected that it might be exceeded. | |||
* A more recent analysis in [ROBUST] indicates that the the number | * A more recent analysis in [ROBUST] indicates that the number of | |||
of failed decryptions needs to be taken into account as part | failed decryptions needs to be taken into account as part of | |||
determining when a key roll-over is to be done. Following the | determining when a key rollover is to be done. Following the | |||
recommendation of for DTLS, the number of failed message | recommendation of for DTLS, the number of failed message | |||
decryptions should be limited to 2^36. | decryptions should be limited to 2^36. | |||
Consideration was given to supporting smaller tag values; the | Consideration was given to supporting smaller tag values; the | |||
constrained community would desire tag sizes in the 64-bit range. | constrained community would desire tag sizes in the 64-bit range. | |||
Doing so drastically changes both the maximum messages size | Such use drastically changes both the maximum message size (generally | |||
(generally not an issue) and the number of times that a key can be | not an issue) and the number of times that a key can be used. Given | |||
used. Given that Counter with CBC-MAC (CCM) is the usual mode for | that Counter with CBC-MAC (CCM) is the usual mode for constrained | |||
constrained environments, restricted modes are not supported. | environments, restricted modes are not supported. | |||
4.2. AES CCM | 4.2. AES-CCM | |||
CCM is a generic authentication encryption block cipher mode defined | CCM is a generic authentication encryption block cipher mode defined | |||
in [RFC3610]. The CCM mode is combined with the AES block encryption | in [RFC3610]. The CCM mode is combined with the AES block encryption | |||
algorithm to define a commonly used content encryption algorithm used | algorithm to define a commonly used content encryption algorithm used | |||
in constrained devices. | in constrained devices. | |||
The CCM mode has two parameter choices. The first choice is M, the | CCM mode has two parameter choices. The first choice is M, the size | |||
size of the authentication field. The choice of the value for M | of the authentication field. The choice of the value for M involves | |||
involves a trade-off between message growth (from the tag) and the | a trade-off between message growth (from the tag) and the probability | |||
probability that an attacker can undetectably modify a message. The | that an attacker can undetectably modify a message. The second | |||
second choice is L, the size of the length field. This value | choice is L, the size of the length field. This value requires a | |||
requires a trade-off between the maximum message size and the size of | trade-off between the maximum message size and the size of the nonce. | |||
the Nonce. | ||||
It is unfortunate that the specification for CCM specified L and M as | It is unfortunate that the specification for CCM specified L and M as | |||
a count of bytes rather than a count of bits. This leads to possible | a count of bytes rather than a count of bits. This leads to possible | |||
misunderstandings where AES-CCM-8 is frequently used to refer to a | misunderstandings where AES-CCM-8 is frequently used to refer to a | |||
version of CCM mode where the size of the authentication is 64 bits | version of CCM mode where the size of the authentication is 64 bits | |||
and not 8 bits. These values have traditionally been specified as | and not 8 bits. These values have traditionally been specified as | |||
bit counts rather than byte counts. This document will follow the | bit counts rather than byte counts. This document will follow the | |||
convention of using bit counts so that it is easier to compare the | convention of using bit counts so that it is easier to compare the | |||
different algorithms presented in this document. | different algorithms presented in this document. | |||
skipping to change at page 15, line 4 ¶ | skipping to change at line 648 ¶ | |||
operation. This favors larger values of L and M. | operation. This favors larger values of L and M. | |||
The following values are used for L: | The following values are used for L: | |||
16 bits (2): This limits messages to 2^16 bytes (64 KiB) in length. | 16 bits (2): This limits messages to 2^16 bytes (64 KiB) in length. | |||
This is sufficiently long for messages in the constrained world. | This is sufficiently long for messages in the constrained world. | |||
The nonce length is 13 bytes allowing for 2^104 possible values of | The nonce length is 13 bytes allowing for 2^104 possible values of | |||
the nonce without repeating. | the nonce without repeating. | |||
64 bits (8): This limits messages to 2^64 bytes in length. The | 64 bits (8): This limits messages to 2^64 bytes in length. The | |||
nonce length is 7 bytes allowing for 2^56 possible values of the | nonce length is 7 bytes, allowing for 2^56 possible values of the | |||
nonce without repeating. | nonce without repeating. | |||
The following values are used for M: | The following values are used for M: | |||
64 bits (8): This produces a 64-bit authentication tag. This | 64 bits (8): This produces a 64-bit authentication tag. This | |||
implies that there is a 1 in 2^64 chance that a modified message | implies that there is a 1 in 2^64 chance that a modified message | |||
will authenticate. | will authenticate. | |||
128 bits (16): This produces a 128-bit authentication tag. This | 128 bits (16): This produces a 128-bit authentication tag. This | |||
implies that there is a 1 in 2^128 chance that a modified message | implies that there is a 1 in 2^128 chance that a modified message | |||
will authenticate. | will authenticate. | |||
+====================+=======+====+=====+========+===============+ | +====================+=======+====+=====+========+===============+ | |||
| Name | Value | L | M | Key | Description | | | Name | Value | L | M | Key | Description | | |||
| | | | | Length | | | | | | | | Length | | | |||
+====================+=======+====+=====+========+===============+ | +====================+=======+====+=====+========+===============+ | |||
| AES-CCM-16-64-128 | 10 | 16 | 64 | 128 | AES-CCM mode | | | AES-CCM-16-64-128 | 10 | 16 | 64 | 128 | AES-CCM mode | | |||
| | | | | | 128-bit key, | | | | | | | | 128-bit key, | | |||
| | | | | | 64-bit tag, | | | | | | | | 64-bit tag, | | |||
| | | | | | 13-byte nonce | | | | | | | | 13-byte nonce | | |||
+--------------------+-------+----+-----+--------+---------------+ | +--------------------+-------+----+-----+--------+---------------+ | |||
| AES-CCM-16-64-256 | 11 | 16 | 64 | 256 | AES-CCM mode | | | AES-CCM-16-64-256 | 11 | 16 | 64 | 256 | AES-CCM mode | | |||
| | | | | | 256-bit key, | | | | | | | | 256-bit key, | | |||
| | | | | | 64-bit tag, | | | | | | | | 64-bit tag, | | |||
| | | | | | 13-byte nonce | | | | | | | | 13-byte nonce | | |||
+--------------------+-------+----+-----+--------+---------------+ | +--------------------+-------+----+-----+--------+---------------+ | |||
| AES-CCM-64-64-128 | 12 | 64 | 64 | 128 | AES-CCM mode | | | AES-CCM-64-64-128 | 12 | 64 | 64 | 128 | AES-CCM mode | | |||
| | | | | | 128-bit key, | | | | | | | | 128-bit key, | | |||
| | | | | | 64-bit tag, | | | | | | | | 64-bit tag, | | |||
| | | | | | 7-byte nonce | | | | | | | | 7-byte nonce | | |||
+--------------------+-------+----+-----+--------+---------------+ | +--------------------+-------+----+-----+--------+---------------+ | |||
| AES-CCM-64-64-256 | 13 | 64 | 64 | 256 | AES-CCM mode | | | AES-CCM-64-64-256 | 13 | 64 | 64 | 256 | AES-CCM mode | | |||
| | | | | | 256-bit key, | | | | | | | | 256-bit key, | | |||
| | | | | | 64-bit tag, | | | | | | | | 64-bit tag, | | |||
| | | | | | 7-byte nonce | | | | | | | | 7-byte nonce | | |||
+--------------------+-------+----+-----+--------+---------------+ | +--------------------+-------+----+-----+--------+---------------+ | |||
| AES-CCM-16-128-128 | 30 | 16 | 128 | 128 | AES-CCM mode | | | AES-CCM-16-128-128 | 30 | 16 | 128 | 128 | AES-CCM mode | | |||
| | | | | | 128-bit key, | | | | | | | | 128-bit key, | | |||
| | | | | | 128-bit tag, | | | | | | | | 128-bit tag, | | |||
| | | | | | 13-byte nonce | | | | | | | | 13-byte nonce | | |||
+--------------------+-------+----+-----+--------+---------------+ | +--------------------+-------+----+-----+--------+---------------+ | |||
| AES-CCM-16-128-256 | 31 | 16 | 128 | 256 | AES-CCM mode | | | AES-CCM-16-128-256 | 31 | 16 | 128 | 256 | AES-CCM mode | | |||
| | | | | | 256-bit key, | | | | | | | | 256-bit key, | | |||
| | | | | | 128-bit tag, | | | | | | | | 128-bit tag, | | |||
| | | | | | 13-byte nonce | | | | | | | | 13-byte nonce | | |||
+--------------------+-------+----+-----+--------+---------------+ | +--------------------+-------+----+-----+--------+---------------+ | |||
| AES-CCM-64-128-128 | 32 | 64 | 128 | 128 | AES-CCM mode | | | AES-CCM-64-128-128 | 32 | 64 | 128 | 128 | AES-CCM mode | | |||
| | | | | | 128-bit key, | | | | | | | | 128-bit key, | | |||
| | | | | | 128-bit tag, | | | | | | | | 128-bit tag, | | |||
| | | | | | 7-byte nonce | | | | | | | | 7-byte nonce | | |||
+--------------------+-------+----+-----+--------+---------------+ | +--------------------+-------+----+-----+--------+---------------+ | |||
| AES-CCM-64-128-256 | 33 | 64 | 128 | 256 | AES-CCM mode | | | AES-CCM-64-128-256 | 33 | 64 | 128 | 256 | AES-CCM mode | | |||
| | | | | | 256-bit key, | | | | | | | | 256-bit key, | | |||
| | | | | | 128-bit tag, | | | | | | | | 128-bit tag, | | |||
| | | | | | 7-byte nonce | | | | | | | | 7-byte nonce | | |||
+--------------------+-------+----+-----+--------+---------------+ | +--------------------+-------+----+-----+--------+---------------+ | |||
Table 6: Algorithm Values for AES-CCM | Table 6: Algorithm Values for AES-CCM | |||
Keys may be obtained either from a key structure or from a recipient | Keys may be obtained from either a key structure or a recipient | |||
structure. Implementations encrypting and decrypting MUST validate | structure. Implementations that are encrypting and decrypting MUST | |||
that the key type, key length, and algorithm are correct and | validate that the key type, key length, and algorithm are correct and | |||
appropriate for the entities involved. | appropriate for the entities involved. | |||
When using a COSE key for this algorithm, the following checks are | When using a COSE key for this algorithm, the following checks are | |||
made: | made: | |||
* The 'kty' field MUST be present, and it MUST be 'Symmetric'. | * The "kty" field MUST be present, and it MUST be "Symmetric". | |||
* If the 'alg' field is present, it MUST match the AES-CCM algorithm | * If the "alg" field is present, it MUST match the AES-CCM algorithm | |||
being used. | being used. | |||
* If the 'key_ops' field is present, it MUST include 'encrypt' or | * If the "key_ops" field is present, it MUST include "encrypt" or | |||
'wrap key' when encrypting. | "wrap key" when encrypting. | |||
* If the 'key_ops' field is present, it MUST include 'decrypt' or | * If the "key_ops" field is present, it MUST include "decrypt" or | |||
'unwrap key' when decrypting. | "unwrap key" when decrypting. | |||
4.2.1. Security Considerations for AES-CCM | 4.2.1. Security Considerations for AES-CCM | |||
When using AES-CCM, the following restrictions MUST be enforced: | When using AES-CCM, the following restrictions MUST be enforced: | |||
* The key and nonce pair MUST be unique for every message encrypted. | * The key and nonce pair MUST be unique for every message encrypted. | |||
Note that the value of L influences the number of unique nonces. | Note that the value of L influences the number of unique nonces. | |||
* The total number of times the AES block cipher is used MUST NOT | * The total number of times the AES block cipher is used MUST NOT | |||
exceed 2^61 operations. This limitation is the sum of times the | exceed 2^61 operations. This limitation is the sum of times the | |||
block cipher is used in computing the MAC value and in performing | block cipher is used in computing the MAC value and performing | |||
stream encryption operations. An explicit check is required only | stream encryption operations. An explicit check is required only | |||
in environments where it is expected that it might be exceeded. | in environments where it is expected that this number might be | |||
exceeded. | ||||
* [I-D.ietf-quic-tls] contains an analysis on the use of AES-CCM in | * [RFC9001] contains an analysis on the use of AES-CCM in that | |||
that environment. Based on that reommendation, one should | environment. Based on that recommendation, one should restrict | |||
restrict the number of messages encrypted to 2^23. If one is | the number of messages encrypted to 2^23. If one is using the | |||
using the 64-bit tag, then the limits are signficantly smaller if | 64-bit tag, then the limits are significantly smaller if one wants | |||
one wants to keep the same integrity limits. A protocol | to keep the same integrity limits. A protocol recommending this | |||
recommending this needs to analysis what level of integrity is | needs to analyze what level of integrity is acceptable for the | |||
acceptable for the smaller tag size. It may be that to keep the | smaller tag size. It may be that, to keep the desired integrity, | |||
desired integrity one needs to re-key as often as every 2^7 | one needs to rekey as often as every 2^7 messages. | |||
messages. | ||||
* In addition to the number of messages successfully decrypted, the | * In addition to the number of messages successfully decrypted, the | |||
number of failed decryptions needs to be kept as well. If the | number of failed decryptions needs to be kept as well. If the | |||
number of failed decryptions exceeds 2^23 then a rekeying | number of failed decryptions exceeds 2^23, then a rekeying | |||
operation should occur. | operation should occur. | |||
[RFC3610] additionally calls out one other consideration of note. It | [RFC3610] additionally calls out one other consideration of note. It | |||
is possible to do a pre-computation attack against the algorithm in | is possible to do a precomputation attack against the algorithm in | |||
cases where portions of the plaintext are highly predictable. This | cases where portions of the plaintext are highly predictable. This | |||
reduces the security of the key size by half. Ways to deal with this | reduces the security of the key size by half. Ways to deal with this | |||
attack include adding a random portion to the nonce value and/or | attack include adding a random portion to the nonce value and/or | |||
increasing the key size used. Using a portion of the nonce for a | increasing the key size used. Using a portion of the nonce for a | |||
random value will decrease the number of messages that a single key | random value will decrease the number of messages that a single key | |||
can be used for. Increasing the key size may require more resources | can be used for. Increasing the key size may require more resources | |||
in the constrained device. See Sections 5 and 10 of [RFC3610] for | in the constrained device. See Sections 5 and 10 of [RFC3610] for | |||
more information. | more information. | |||
4.3. ChaCha20 and Poly1305 | 4.3. ChaCha20 and Poly1305 | |||
ChaCha20 and Poly1305 combined together is an AEAD mode that is | ChaCha20 and Poly1305 combined together is an AEAD mode that is | |||
defined in [RFC8439]. This is an algorithm defined to be a cipher | defined in [RFC8439]. This is an algorithm defined to be a cipher | |||
that is not AES and thus would not suffer from any future weaknesses | that is not AES and thus would not suffer from any future weaknesses | |||
found in AES. These cryptographic functions are designed to be fast | found in AES. These cryptographic functions are designed to be fast | |||
in software-only implementations. | in software-only implementations. | |||
The ChaCha20/Poly1305 AEAD construction defined in [RFC8439] has no | The ChaCha20/Poly1305 AEAD construction defined in [RFC8439] has no | |||
parameterization. It takes a 256-bit key and a 96-bit nonce, as well | parameterization. It takes as inputs a 256-bit key and a 96-bit | |||
as the plaintext and additional data as inputs and produces the | nonce, as well as the plaintext and additional data, and produces the | |||
ciphertext as an option. We define one algorithm identifier for this | ciphertext as an option. We define one algorithm identifier for this | |||
algorithm in Table 7. | algorithm in Table 7. | |||
+===================+=======+==========================+ | +===================+=======+==========================+ | |||
| Name | Value | Description | | | Name | Value | Description | | |||
+===================+=======+==========================+ | +===================+=======+==========================+ | |||
| ChaCha20/Poly1305 | 24 | ChaCha20/Poly1305 w/ | | | ChaCha20/Poly1305 | 24 | ChaCha20/Poly1305 w/ | | |||
| | | 256-bit key, 128-bit tag | | | | | 256-bit key, 128-bit tag | | |||
+-------------------+-------+--------------------------+ | +-------------------+-------+--------------------------+ | |||
Table 7: Algorithm Value for ChaCha20/Poly1305 | Table 7: Algorithm Value for ChaCha20/Poly1305 | |||
Keys may be obtained either from a key structure or from a recipient | Keys may be obtained from either a key structure or a recipient | |||
structure. Implementations encrypting and decrypting MUST validate | structure. Implementations that are encrypting and decrypting MUST | |||
that the key type, key length, and algorithm are correct and | validate that the key type, key length, and algorithm are correct and | |||
appropriate for the entities involved. | appropriate for the entities involved. | |||
When using a COSE key for this algorithm, the following checks are | When using a COSE key for this algorithm, the following checks are | |||
made: | made: | |||
* The 'kty' field MUST be present, and it MUST be 'Symmetric'. | * The "kty" field MUST be present, and it MUST be "Symmetric". | |||
* If the 'alg' field is present, it MUST match the ChaCha20/Poly1305 | * If the "alg" field is present, it MUST match the ChaCha20/Poly1305 | |||
algorithm being used. | algorithm being used. | |||
* If the 'key_ops' field is present, it MUST include 'encrypt' or | * If the "key_ops" field is present, it MUST include "encrypt" or | |||
'wrap key' when encrypting. | "wrap key" when encrypting. | |||
* If the 'key_ops' field is present, it MUST include 'decrypt' or | * If the "key_ops" field is present, it MUST include "decrypt" or | |||
'unwrap key' when decrypting. | "unwrap key" when decrypting. | |||
4.3.1. Security Considerations for ChaCha20/Poly1305 | 4.3.1. Security Considerations for ChaCha20/Poly1305 | |||
The key and nonce values MUST be a unique pair for every invocation | The key and nonce values MUST be a unique pair for every invocation | |||
of the algorithm. Nonce counters are considered to be an acceptable | of the algorithm. Nonce counters are considered to be an acceptable | |||
way of ensuring that they are unique. | way of ensuring that they are unique. | |||
A more recent analysis in [ROBUST] indicates that the the number of | A more recent analysis in [ROBUST] indicates that the number of | |||
failed decryptions needs to be taken into account as part determining | failed decryptions needs to be taken into account as part of | |||
when a key roll-over is to be done. Following the recommendation of | determining when a key rollover is to be done. Following the | |||
for DTLS, the number of failed message decryptions should be limited | recommendation of for DTLS, the number of failed message decryptions | |||
to 2^36. | should be limited to 2^36. | |||
[I-D.ietf-quic-tls] recommends that no more than 2^24.5 messages be | [RFC9001] recommends that no more than 2^24.5 messages be encrypted | |||
encrypted under a single key. | under a single key. | |||
5. Key Derivation Functions (KDFs) | 5. Key Derivation Functions (KDFs) | |||
Section 9.4 of [I-D.ietf-cose-rfc8152bis-struct] contains a generic | Section 9.4 of [RFC9052] contains a generic description of key | |||
description of Key Derivation Functions. This document defines a | derivation functions. This document defines a single context | |||
single context structure and a single KDF. These elements are used | structure and a single KDF. These elements are used for all of the | |||
for all of the recipient algorithms defined in this document that | recipient algorithms defined in this document that require a KDF | |||
require a KDF process. These algorithms are defined in Sections | process. These algorithms are defined in Sections 6.1.2, 6.3.1, and | |||
6.1.2, 6.3.1, and 6.4.1. | 6.4.1. | |||
5.1. HMAC-Based Extract-and-Expand Key Derivation Function (HKDF) | 5.1. HMAC-Based Extract-and-Expand Key Derivation Function (HKDF) | |||
The HKDF key derivation algorithm is defined in [RFC5869][HKDF]. | The HKDF key derivation algorithm is defined in [RFC5869] and [HKDF]. | |||
The HKDF algorithm takes these inputs: | The HKDF algorithm takes these inputs: | |||
secret -- a shared value that is secret. Secrets may be either | secret: A shared value that is secret. Secrets may be either | |||
previously shared or derived from operations like a Diffie-Hellman | previously shared or derived from operations like a Diffie-Hellman | |||
(DH) key agreement. | (DH) key agreement. | |||
salt -- an optional value that is used to change the generation | salt: An optional value that is used to change the generation | |||
process. The salt value can be either public or private. If the | process. The salt value can be either public or private. If the | |||
salt is public and carried in the message, then the 'salt' | salt is public and carried in the message, then the "salt" | |||
algorithm header parameter defined in Table 9 is used. While | algorithm header parameter defined in Table 9 is used. While | |||
[RFC5869] suggests that the length of the salt be the same as the | [RFC5869] suggests that the length of the salt be the same as the | |||
length of the underlying hash value, any positive salt length will | length of the underlying hash value, any positive salt length will | |||
improve the security as different key values will be generated. | improve the security, as different key values will be generated. | |||
This parameter is protected by being included in the key | This parameter is protected by being included in the key | |||
computation and does not need to be separately authenticated. The | computation and does not need to be separately authenticated. The | |||
salt value does not need to be unique for every message sent. | salt value does not need to be unique for every message sent. | |||
length -- the number of bytes of output that need to be generated. | length: The number of bytes of output that need to be generated. | |||
context information -- Information that describes the context in | context information: Information that describes the context in which | |||
which the resulting value will be used. Making this information | the resulting value will be used. Making this information | |||
specific to the context in which the material is going to be used | specific to the context in which the material is going to be used | |||
ensures that the resulting material will always be tied to that | ensures that the resulting material will always be tied to that | |||
usage. The context structure defined in Section 5.2 is used by | usage. The context structure defined in Section 5.2 is used by | |||
the KDFs in this document. | the KDFs in this document. | |||
PRF -- The underlying pseudorandom function to be used in the HKDF | PRF: The underlying pseudorandom function to be used in the HKDF | |||
algorithm. The PRF is encoded into the HKDF algorithm selection. | algorithm. The PRF is encoded into the HKDF algorithm selection. | |||
HKDF is defined to use HMAC as the underlying PRF. However, it is | HKDF is defined to use HMAC as the underlying PRF. However, it is | |||
possible to use other functions in the same construct to provide a | possible to use other functions in the same construct to provide a | |||
different KDF that is more appropriate in the constrained world. | different KDF that is more appropriate in the constrained world. | |||
Specifically, one can use AES-CBC-MAC as the PRF for the expand step, | Specifically, one can use AES-CBC-MAC as the PRF for the expand step, | |||
but not for the extract step. When using a good random shared secret | but not for the extract step. When using a good random shared secret | |||
of the correct length, the extract step can be skipped. For the AES | of the correct length, the extract step can be skipped. For the AES | |||
algorithm versions, the extract step is always skipped. | algorithm versions, the extract step is always skipped. | |||
The extract step cannot be skipped if the secret is not uniformly | The extract step cannot be skipped if the secret is not uniformly | |||
random, for example, if it is the result of an ECDH key agreement | random -- for example, if it is the result of an ECDH key agreement | |||
step. This implies that the AES HKDF version cannot be used with | step. This implies that the AES HKDF version cannot be used with | |||
ECDH. If the extract step is skipped, the 'salt' value is not used | ECDH. If the extract step is skipped, the "salt" value is not used | |||
as part of the HKDF functionality. | as part of the HKDF functionality. | |||
The algorithms defined in this document are found in Table 8. | The algorithms defined in this document are found in Table 8. | |||
+==============+===================+========================+ | +==============+===================+========================+ | |||
| Name | PRF | Description | | | Name | PRF | Description | | |||
+==============+===================+========================+ | +==============+===================+========================+ | |||
| HKDF SHA-256 | HMAC with SHA-256 | HKDF using HMAC | | | HKDF SHA-256 | HMAC with SHA-256 | HKDF using HMAC | | |||
| | | SHA-256 as the PRF | | | | | SHA-256 as the PRF | | |||
+--------------+-------------------+------------------------+ | +--------------+-------------------+------------------------+ | |||
skipping to change at page 21, line 39 ¶ | skipping to change at line 915 ¶ | |||
| | | | direct+HKDF-AES-256, ECDH- | | | | | | | direct+HKDF-AES-256, ECDH- | | | |||
| | | | ES+HKDF-256, ECDH-ES+HKDF- | | | | | | | ES+HKDF-256, ECDH-ES+HKDF- | | | |||
| | | | 512, ECDH-SS+HKDF-256, | | | | | | | 512, ECDH-SS+HKDF-256, | | | |||
| | | | ECDH-SS+HKDF-512, ECDH- | | | | | | | ECDH-SS+HKDF-512, ECDH- | | | |||
| | | | ES+A128KW, ECDH-ES+A192KW, | | | | | | | ES+A128KW, ECDH-ES+A192KW, | | | |||
| | | | ECDH-ES+A256KW, ECDH- | | | | | | | ECDH-ES+A256KW, ECDH- | | | |||
| | | | SS+A128KW, ECDH-SS+A192KW, | | | | | | | SS+A128KW, ECDH-SS+A192KW, | | | |||
| | | | ECDH-SS+A256KW | | | | | | | ECDH-SS+A256KW | | | |||
+------+-------+------+----------------------------+-------------+ | +------+-------+------+----------------------------+-------------+ | |||
Table 9: HKDF Algorithm Parameters | Table 9: HKDF Algorithm Parameter | |||
5.2. Context Information Structure | 5.2. Context Information Structure | |||
The context information structure is used to ensure that the derived | The context information structure is used to ensure that the derived | |||
keying material is "bound" to the context of the transaction. The | keying material is "bound" to the context of the transaction. The | |||
context information structure used here is based on that defined in | context information structure used here is based on that defined in | |||
[SP800-56A]. By using CBOR for the encoding of the context | [SP800-56A]. By using CBOR for the encoding of the context | |||
information structure, we automatically get the same type and length | information structure, we automatically get the same type and length | |||
separation of fields that is obtained by the use of ASN.1. This | separation of fields that is obtained by the use of ASN.1. This | |||
means that there is no need to encode the lengths for the base | means that there is no need to encode the lengths for the base | |||
elements, as it is done by the encoding used in JOSE (Section 4.6.2 | elements, as it is done by the encoding used in JSON Object Signing | |||
of [RFC7518]). | and Encryption (JOSE) (Section 4.6.2 of [RFC7518]). | |||
The context information structure refers to PartyU and PartyV as the | The context information structure refers to PartyU and PartyV as the | |||
two parties that are doing the key derivation. Unless the | two parties that are doing the key derivation. Unless the | |||
application protocol defines differently, we assign PartyU to the | application protocol defines differently, we assign PartyU to the | |||
entity that is creating the message and PartyV to the entity that is | entity that is creating the message and PartyV to the entity that is | |||
receiving the message. By doing this association, different keys | receiving the message. By defining this association, different keys | |||
will be derived for each direction as the context information is | will be derived for each direction, as the context information is | |||
different in each direction. | different in each direction. | |||
The context structure is built from information that is known to both | The context structure is built from information that is known to both | |||
entities. This information can be obtained from a variety of | entities. This information can be obtained from a variety of | |||
sources: | sources: | |||
* Fields can be defined by the application. This is commonly used | * Fields can be defined by the application. This is commonly used | |||
to assign fixed names to parties, but it can be used for other | to assign fixed names to parties, but it can be used for other | |||
items such as nonces. | items such as nonces. | |||
* Fields can be defined by usage of the output. Examples of this | * Fields can be defined by usage of the output. Examples of this | |||
are the algorithm and key size that are being generated. | are the algorithm and key size that are being generated. | |||
* Fields can be defined by parameters from the message. We define a | * Fields can be defined by parameters from the message. We define a | |||
set of header parameters in Table 10 that can be used to carry the | set of header parameters in Table 10 that can be used to carry the | |||
values associated with the context structure. Examples of this | values associated with the context structure. Examples of this | |||
are identities and nonce values. These header parameters are | are identities and nonce values. These header parameters are | |||
designed to be placed in the unprotected bucket of the recipient | designed to be placed in the unprotected bucket of the recipient | |||
structure; they do not need to be in the protected bucket since | structure; they do not need to be in the protected bucket, since | |||
they already are included in the cryptographic computation by | they are already included in the cryptographic computation by | |||
virtue of being included in the context structure. | virtue of being included in the context structure. | |||
+==========+=======+======+===========================+=============+ | +==========+=======+======+===========================+=============+ | |||
| Name | Label | Type | Algorithm | Description | | | Name | Label | Type | Algorithm | Description | | |||
+==========+=======+======+===========================+=============+ | +==========+=======+======+===========================+=============+ | |||
| PartyU | -21 | bstr | direct+HKDF-SHA-256, | Party U | | | PartyU | -21 | bstr | direct+HKDF-SHA-256, | Party U | | |||
| identity | | | direct+HKDF-SHA-512, | identity | | | identity | | | direct+HKDF-SHA-512, | identity | | |||
| | | | direct+HKDF-AES-128, | information | | | | | | direct+HKDF-AES-128, | information | | |||
| | | | direct+HKDF-AES-256, | | | | | | | direct+HKDF-AES-256, | | | |||
| | | | ECDH-ES+HKDF-256, | | | | | | | ECDH-ES+HKDF-256, | | | |||
skipping to change at page 24, line 42 ¶ | skipping to change at line 1063 ¶ | |||
We define a CBOR object to hold the context information. This object | We define a CBOR object to hold the context information. This object | |||
is referred to as COSE_KDF_Context. The object is based on a CBOR | is referred to as COSE_KDF_Context. The object is based on a CBOR | |||
array type. The fields in the array are: | array type. The fields in the array are: | |||
AlgorithmID: This field indicates the algorithm for which the key | AlgorithmID: This field indicates the algorithm for which the key | |||
material will be used. This normally is either a key wrap | material will be used. This normally is either a key wrap | |||
algorithm identifier or a content encryption algorithm identifier. | algorithm identifier or a content encryption algorithm identifier. | |||
The values are from the "COSE Algorithms" registry. This field is | The values are from the "COSE Algorithms" registry. This field is | |||
required to be present. The field exists in the context | required to be present. The field exists in the context | |||
information so that a different key is generated for each | information so that a different key is generated for each | |||
algorithm even of all of the other context information is the | algorithm even if all of the other context information is the | |||
same. In practice, this means if algorithm A is broken and thus | same. In practice, this means if algorithm A is broken and thus | |||
finding the key is relatively easy, the key derived for algorithm | finding the key is relatively easy, the key derived for algorithm | |||
B will not be the same as the key derived for algorithm A. | B will not be the same as the key derived for algorithm A. | |||
PartyUInfo: This field holds information about party U. The | PartyUInfo: This field holds information about PartyU. The | |||
PartyUInfo is encoded as a CBOR array. The elements of PartyUInfo | PartyUInfo is encoded as a CBOR array. The elements of PartyUInfo | |||
are encoded in the order presented below. The elements of the | are encoded in the order presented below. The elements of the | |||
PartyUInfo array are: | PartyUInfo array are: | |||
identity: This contains the identity information for party U. | identity: This contains the identity information for PartyU. The | |||
The identities can be assigned in one of two manners. First, a | identities can be assigned in one of two manners. First, a | |||
protocol can assign identities based on roles. For example, | protocol can assign identities based on roles. For example, | |||
the roles of "client" and "server" may be assigned to different | the roles of "client" and "server" may be assigned to different | |||
entities in the protocol. Each entity would then use the | entities in the protocol. Each entity would then use the | |||
correct label for the data they send or receive. The second | correct label for the data it sends or receives. The second | |||
way for a protocol to assign identities is to use a name based | way for a protocol to assign identities is to use a name based | |||
on a naming system (i.e., DNS, X.509 names). | on a naming system (i.e., DNS or X.509 names). | |||
We define an algorithm parameter 'PartyU identity' that can be | We define an algorithm parameter, "PartyU identity", that can | |||
used to carry identity information in the message. However, | be used to carry identity information in the message. However, | |||
identity information is often known as part of the protocol and | identity information is often known to be part of the protocol | |||
can thus be inferred rather than made explicit. If identity | and can thus be inferred rather than made explicit. If | |||
information is carried in the message, applications SHOULD have | identity information is carried in the message, applications | |||
a way of validating the supplied identity information. The | SHOULD have a way of validating the supplied identity | |||
identity information does not need to be specified and is set | information. The identity information does not need to be | |||
to nil in that case. | specified and is set to nil in that case. | |||
nonce: This contains a nonce value. The nonce can either be | nonce: This contains a nonce value. The nonce can be either | |||
implicit from the protocol or be carried as a value in the | implicit from the protocol or carried as a value in the | |||
unprotected header bucket. | unprotected header bucket. | |||
We define an algorithm parameter 'PartyU nonce' that can be | We define an algorithm parameter, "PartyU nonce", that can be | |||
used to carry this value in the message; however, the nonce | used to carry this value in the message; however, the nonce | |||
value could be determined by the application and the value | value could be determined by the application and the value | |||
determined from elsewhere. | determined from elsewhere. | |||
This option does not need to be specified and is set to nil in | This option does not need to be specified; if not needed, it is | |||
that case. | set to nil. | |||
other: This contains other information that is defined by the | other: This contains other information that is defined by the | |||
protocol. This option does not need to be specified and is set | protocol. This option does not need to be specified; if not | |||
to nil in that case. | needed, it is set to nil. | |||
PartyVInfo: This field holds information about party V. The content | PartyVInfo: This field holds information about party V. The content | |||
of the structure is the same as for the PartyUInfo but for party | of the structure is the same as for the PartyUInfo but for party | |||
V. | V. | |||
SuppPubInfo: This field contains public information that is mutually | SuppPubInfo: This field contains public information that is mutually | |||
known to both parties. | known to both parties. | |||
keyDataLength: This is set to the number of bits of the desired | keyDataLength: This is set to the number of bits of the desired | |||
output value. This practice means if algorithm A can use two | output value. This practice means if algorithm A can use two | |||
different key lengths, the key derived for longer key size will | different key lengths, the key derived for the longer key size | |||
not contain the key for shorter key size as a prefix. | will not contain the key for the shorter key size as a prefix. | |||
protected: This field contains the protected parameter field. If | protected: This field contains the protected parameter field. If | |||
there are no elements in the protected field, then use a zero- | there are no elements in the "protected" field, then use a | |||
length bstr. | zero-length bstr. | |||
other: This field is for free form data defined by the | other: This field is for free-form data defined by the | |||
application. An example is that an application could define | application. For example, an application could define two | |||
two different byte strings to be placed here to generate | different byte strings to be placed here to generate different | |||
different keys for a data stream versus a control stream. This | keys for a data stream versus a control stream. This field is | |||
field is optional and will only be present if the application | optional and will only be present if the application defines a | |||
defines a structure for this information. Applications that | structure for this information. Applications that define this | |||
define this SHOULD use CBOR to encode the data so that types | SHOULD use CBOR to encode the data so that types and lengths | |||
and lengths are correctly included. | are correctly included. | |||
SuppPrivInfo: This field contains private information that is | SuppPrivInfo: This field contains private information that is | |||
mutually known private information. An example of this | mutually known private information. An example of this | |||
information would be a preexisting shared secret. (This could, | information would be a pre-existing shared secret. (This could, | |||
for example, be used in combination with an ECDH key agreement to | for example, be used in combination with an ECDH key agreement to | |||
provide a secondary proof of identity.) The field is optional and | provide a secondary proof of identity.) The field is optional and | |||
will only be present if the application defines a structure for | will only be present if the application defines a structure for | |||
this information. Applications that define this SHOULD use CBOR | this information. Applications that define this SHOULD use CBOR | |||
to encode the data so that types and lengths are correctly | to encode the data so that types and lengths are correctly | |||
included. | included. | |||
The following CDDL fragment corresponds to the text above. | The following CDDL fragment corresponds to the text above. | |||
PartyInfo = ( | PartyInfo = ( | |||
skipping to change at page 26, line 48 ¶ | skipping to change at line 1164 ¶ | |||
SuppPubInfo : [ | SuppPubInfo : [ | |||
keyDataLength : uint, | keyDataLength : uint, | |||
protected : empty_or_serialized_map, | protected : empty_or_serialized_map, | |||
? other : bstr | ? other : bstr | |||
], | ], | |||
? SuppPrivInfo : bstr | ? SuppPrivInfo : bstr | |||
] | ] | |||
6. Content Key Distribution Methods | 6. Content Key Distribution Methods | |||
Section 9.5 of [I-D.ietf-cose-rfc8152bis-struct] contains a generic | Section 8.5 of [RFC9052] contains a generic description of content | |||
description of content key distribution methods. This document | key distribution methods. This document defines the identifiers and | |||
defines the identifiers and usage for a number of content key | usage for a number of content key distribution methods. | |||
distribution methods. | ||||
6.1. Direct Encryption | 6.1. Direct Encryption | |||
Direct encryption algorithm is defined in Section 9.5.1 of | A direct encryption algorithm is defined in Section 8.5.1 of | |||
[I-D.ietf-cose-rfc8152bis-struct]. Information about how to fill in | [RFC9052]. Information about how to fill in the COSE_Recipient | |||
the COSE_Recipient structure are detailed there. | structure is detailed there. | |||
6.1.1. Direct Key | 6.1.1. Direct Key | |||
This recipient algorithm is the simplest; the identified key is | This recipient algorithm is the simplest; the identified key is | |||
directly used as the key for the next layer down in the message. | directly used as the key for the next layer down in the message. | |||
There are no algorithm parameters defined for this algorithm. The | There are no algorithm parameters defined for this algorithm. The | |||
algorithm identifier value is assigned in Table 11. | algorithm identifier value is assigned in Table 11. | |||
When this algorithm is used, the protected field MUST be zero length. | When this algorithm is used, the "protected" field MUST have zero | |||
The key type MUST be 'Symmetric'. | length. The key type MUST be "Symmetric". | |||
+========+=======+===================+ | +========+=======+============================================+ | |||
| Name | Value | Description | | | Name | Value | Description | | |||
+========+=======+===================+ | +========+=======+============================================+ | |||
| direct | -6 | Direct use of CEK | | | direct | -6 | Direct use of content encryption key (CEK) | | |||
+--------+-------+-------------------+ | +--------+-------+--------------------------------------------+ | |||
Table 11: Direct Key | Table 11: Direct Key | |||
6.1.1.1. Security Considerations for Direct Key | 6.1.1.1. Security Considerations for Direct Key | |||
This recipient algorithm has several potential problems that need to | This recipient algorithm has several potential problems that need to | |||
be considered: | be considered: | |||
* These keys need to have some method to be regularly updated over | * These keys need to have some method of being regularly updated | |||
time. All of the content encryption algorithms specified in this | over time. All of the content encryption algorithms specified in | |||
document have limits on how many times a key can be used without | this document have limits on how many times a key can be used | |||
significant loss of security. | without significant loss of security. | |||
* These keys need to be dedicated to a single algorithm. There have | * These keys need to be dedicated to a single algorithm. There have | |||
been a number of attacks developed over time when a single key is | been a number of attacks developed over time when a single key is | |||
used for multiple different algorithms. One example of this is | used for multiple different algorithms. One example of this is | |||
the use of a single key for both the CBC encryption mode and the | the use of a single key for both the CBC encryption mode and the | |||
CBC-MAC authentication mode. | CBC-MAC authentication mode. | |||
* Breaking one message means all messages are broken. If an | * Breaking one message means all messages are broken. If an | |||
adversary succeeds in determining the key for a single message, | adversary succeeds in determining the key for a single message, | |||
then the key for all messages is also determined. | then the key for all messages is also determined. | |||
6.1.2. Direct Key with KDF | 6.1.2. Direct Key with KDF | |||
These recipient algorithms take a common shared secret between the | These recipient algorithms take a common shared secret between the | |||
two parties and applies the HKDF function (Section 5.1), using the | two parties and apply HKDF (Section 5.1), using the context structure | |||
context structure defined in Section 5.2 to transform the shared | defined in Section 5.2 to transform the shared secret into the CEK. | |||
secret into the CEK. The 'protected' field can be of non-zero | The "protected" field can be of nonzero length. Either the "salt" | |||
length. Either the 'salt' parameter of HKDF or the 'PartyU nonce' | parameter of HKDF or the "PartyU nonce" parameter of the context | |||
parameter of the context structure MUST be present. The salt/nonce | structure MUST be present. The "salt"/"nonce" parameter can be | |||
parameter can be generated either randomly or deterministically. The | generated either randomly or deterministically. The requirement is | |||
requirement is that it be a unique value for the shared secret in | that it be a unique value for the shared secret in question. | |||
question. | ||||
If the salt/nonce value is generated randomly, then it is suggested | If the salt/nonce value is generated randomly, then it is suggested | |||
that the length of the random value be the same length as the output | that the length of the random value be the same length as the output | |||
of the hash function underlying HKDF. While there is no way to | of the hash function underlying HKDF. While there is no way to | |||
guarantee that it will be unique, there is a high probability that it | guarantee that it will be unique, there is a high probability that it | |||
will be unique. If the salt/nonce value is generated | will be unique. If the salt/nonce value is generated | |||
deterministically, it can be guaranteed to be unique, and thus there | deterministically, it can be guaranteed to be unique, and thus there | |||
is no length requirement. | is no length requirement. | |||
A new IV must be used for each message if the same key is used. The | A new IV must be used for each message if the same key is used. The | |||
IV can be modified in a predictable manner, a random manner, or an | IV can be modified in a predictable manner, a random manner, or an | |||
unpredictable manner (i.e., encrypting a counter). | unpredictable manner (i.e., encrypting a counter). | |||
The IV used for a key can also be generated from the same HKDF | The IV used for a key can also be generated using the same HKDF | |||
functionality as the key is generated. If HKDF is used for | functionality used to generate the key. If HKDF is used for | |||
generating the IV, the algorithm identifier is set to "IV- | generating the IV, the algorithm identifier is set to "IV- | |||
GENERATION". | GENERATION". | |||
The set of algorithms defined in this document can be found in | The set of algorithms defined in this document can be found in | |||
Table 12. | Table 12. | |||
+=====================+=======+==============+=====================+ | +=====================+=======+==============+=====================+ | |||
| Name | Value | KDF | Description | | | Name | Value | KDF | Description | | |||
+=====================+=======+==============+=====================+ | +=====================+=======+==============+=====================+ | |||
| direct+HKDF-SHA-256 | -10 | HKDF SHA-256 | Shared secret w/ | | | direct+HKDF-SHA-256 | -10 | HKDF SHA-256 | Shared secret w/ | | |||
| | | | HKDF and SHA-256 | | | | | | HKDF and SHA-256 | | |||
+---------------------+-------+--------------+---------------------+ | +---------------------+-------+--------------+---------------------+ | |||
| direct+HKDF-SHA-512 | -11 | HKDF SHA-512 | Shared secret w/ | | | direct+HKDF-SHA-512 | -11 | HKDF SHA-512 | Shared secret w/ | | |||
| | | | HKDF and SHA-512 | | | | | | HKDF and SHA-512 | | |||
+---------------------+-------+--------------+---------------------+ | +---------------------+-------+--------------+---------------------+ | |||
| direct+HKDF-AES-128 | -12 | HKDF AES- | Shared secret w/ | | | direct+HKDF-AES-128 | -12 | HKDF AES- | Shared secret w/ | | |||
| | | MAC-128 | AES-MAC 128-bit key | | | | | MAC-128 | AES-MAC 128-bit key | | |||
+---------------------+-------+--------------+---------------------+ | +---------------------+-------+--------------+---------------------+ | |||
| direct+HKDF-AES-256 | -13 | HKDF AES- | Shared secret w/ | | | direct+HKDF-AES-256 | -13 | HKDF AES- | Shared secret w/ | | |||
| | | MAC-256 | AES-MAC 256-bit key | | | | | MAC-256 | AES-MAC 256-bit key | | |||
+---------------------+-------+--------------+---------------------+ | +---------------------+-------+--------------+---------------------+ | |||
Table 12: Direct Key with KDF | Table 12: Direct Key with KDF | |||
When using a COSE key for this algorithm, the following checks are | When using a COSE key for this algorithm, the following checks are | |||
made: | made: | |||
* The 'kty' field MUST be present, and it MUST be 'Symmetric'. | * The "kty" field MUST be present, and it MUST be "Symmetric". | |||
* If the 'alg' field is present, it MUST match the algorithm being | * If the "alg" field is present, it MUST match the algorithm being | |||
used. | used. | |||
* If the 'key_ops' field is present, it MUST include 'deriveKey' or | * If the "key_ops" field is present, it MUST include "deriveKey" or | |||
'deriveBits'. | "deriveBits". | |||
6.1.2.1. Security Considerations for Direct Key with KDF | 6.1.2.1. Security Considerations for Direct Key with KDF | |||
The shared secret needs to have some method to be regularly updated | The shared secret needs to have some method of being regularly | |||
over time. The shared secret forms the basis of trust. Although not | updated over time. The shared secret forms the basis of trust. | |||
used directly, it should still be subject to scheduled rotation. | Although not used directly, it should still be subject to scheduled | |||
rotation. | ||||
While these methods do not provide for perfect forward secrecy, as | These methods do not provide for perfect forward secrecy, as the same | |||
the same shared secret is used for all of the keys generated, if the | shared secret is used for all of the keys generated; however, if the | |||
key for any single message is discovered, only the message (or series | key for any single message is discovered, only the message or series | |||
of messages) using that derived key are compromised. A new key | of messages using that derived key are compromised. A new key | |||
derivation step will generate a new key that requires the same amount | derivation step will generate a new key that requires the same amount | |||
of work to get the key. | of work to get the key. | |||
6.2. Key Wrap | 6.2. Key Wrap | |||
Key wrap is defined in Section 9.5.1 of | Key wrap is defined in Section 8.5.2 of [RFC9052]. Information about | |||
[I-D.ietf-cose-rfc8152bis-struct]. Information about how to fill in | how to fill in the COSE_Recipient structure is detailed there. | |||
the COSE_Recipient structure is detailed there. | ||||
6.2.1. AES Key Wrap | 6.2.1. AES Key Wrap | |||
The AES Key Wrap algorithm is defined in [RFC3394]. This algorithm | The AES Key Wrap algorithm is defined in [RFC3394]. This algorithm | |||
uses an AES key to wrap a value that is a multiple of 64 bits. As | uses an AES key to wrap a value that is a multiple of 64 bits. As | |||
such, it can be used to wrap a key for any of the content encryption | such, it can be used to wrap a key for any of the content encryption | |||
algorithms defined in this document. The algorithm requires a single | algorithms defined in this document. The algorithm requires a single | |||
fixed parameter, the initial value. This is fixed to the value | fixed parameter, the initial value. This is fixed to the value | |||
specified in Section 2.2.3.1 of [RFC3394]. There are no public key | specified in Section 2.2.3.1 of [RFC3394]. There are no public key | |||
parameters that vary on a per-invocation basis. The protected header | parameters that vary on a per-invocation basis. The protected header | |||
bucket MUST be empty. | bucket MUST be empty. | |||
Keys may be obtained either from a key structure or from a recipient | Keys may be obtained from either a key structure or a recipient | |||
structure. Implementations encrypting and decrypting MUST validate | structure. Implementations that are encrypting and decrypting MUST | |||
that the key type, key length, and algorithm are correct and | validate that the key type, key length, and algorithm are correct and | |||
appropriate for the entities involved. | appropriate for the entities involved. | |||
When using a COSE key for this algorithm, the following checks are | When using a COSE key for this algorithm, the following checks are | |||
made: | made: | |||
* The 'kty' field MUST be present, and it MUST be 'Symmetric'. | * The "kty" field MUST be present, and it MUST be "Symmetric". | |||
* If the 'alg' field is present, it MUST match the AES Key Wrap | * If the "alg" field is present, it MUST match the AES Key Wrap | |||
algorithm being used. | algorithm being used. | |||
* If the 'key_ops' field is present, it MUST include 'encrypt' or | * If the "key_ops" field is present, it MUST include "encrypt" or | |||
'wrap key' when encrypting. | "wrap key" when encrypting. | |||
* If the 'key_ops' field is present, it MUST include 'decrypt' or | * If the "key_ops" field is present, it MUST include "decrypt" or | |||
'unwrap key' when decrypting. | "unwrap key" when decrypting. | |||
+========+=======+==========+=============================+ | +========+=======+==========+=============================+ | |||
| Name | Value | Key Size | Description | | | Name | Value | Key Size | Description | | |||
+========+=======+==========+=============================+ | +========+=======+==========+=============================+ | |||
| A128KW | -3 | 128 | AES Key Wrap w/ 128-bit key | | | A128KW | -3 | 128 | AES Key Wrap w/ 128-bit key | | |||
+--------+-------+----------+-----------------------------+ | +--------+-------+----------+-----------------------------+ | |||
| A192KW | -4 | 192 | AES Key Wrap w/ 192-bit key | | | A192KW | -4 | 192 | AES Key Wrap w/ 192-bit key | | |||
+--------+-------+----------+-----------------------------+ | +--------+-------+----------+-----------------------------+ | |||
| A256KW | -5 | 256 | AES Key Wrap w/ 256-bit key | | | A256KW | -5 | 256 | AES Key Wrap w/ 256-bit key | | |||
+--------+-------+----------+-----------------------------+ | +--------+-------+----------+-----------------------------+ | |||
Table 13: AES Key Wrap Algorithm Values | Table 13: AES Key Wrap Algorithm Values | |||
6.2.1.1. Security Considerations for AES-KW | 6.2.1.1. Security Considerations for AES Key Wrap | |||
The shared secret needs to have some method to be regularly updated | The shared secret needs to have some method of being regularly | |||
over time. The shared secret is the basis of trust. | updated over time. The shared secret is the basis of trust. | |||
6.3. Direct Key Agreement | 6.3. Direct Key Agreement | |||
Key Transport is defined in Section 9.5.4 of | Key transport is defined in Section 8.5.3 of [RFC9052]. Information | |||
[I-D.ietf-cose-rfc8152bis-struct]. Information about how to fill in | about how to fill in the COSE_Recipient structure is detailed there. | |||
the COSE_Recipient structure is detailed there. | ||||
6.3.1. Direct ECDH | 6.3.1. Direct ECDH | |||
The mathematics for ECDH can be found in [RFC6090]. In this | The mathematics for ECDH can be found in [RFC6090]. In this | |||
document, the algorithm is extended to be used with the two curves | document, the algorithm is extended to be used with the two curves | |||
defined in [RFC7748]. | defined in [RFC7748]. | |||
ECDH is parameterized by the following: | ECDH is parameterized by the following: | |||
* Curve Type/Curve: The curve selected controls not only the size of | Curve Type/Curve: The curve selected controls not only the size of | |||
the shared secret, but the mathematics for computing the shared | the shared secret, but the mathematics for computing the shared | |||
secret. The curve selected also controls how a point in the curve | secret. The curve selected also controls how a point in the curve | |||
is represented and what happens for the identity points on the | is represented and what happens for the identity points on the | |||
curve. In this specification, we allow for a number of different | curve. In this specification, we allow for a number of different | |||
curves to be used. A set of curves are defined in Table 18. | curves to be used. A set of curves is defined in Table 18. | |||
The math used to obtain the computed secret is based on the curve | The math used to obtain the computed secret is based on the curve | |||
selected and not on the ECDH algorithm. For this reason, a new | selected and not on the ECDH algorithm. For this reason, a new | |||
algorithm does not need to be defined for each of the curves. | algorithm does not need to be defined for each of the curves. | |||
* Computed Secret to Shared Secret: Once the computed secret is | Computed Secret to Shared Secret: Once the computed secret is known, | |||
known, the resulting value needs to be converted to a byte string | the resulting value needs to be converted to a byte string to run | |||
to run the KDF. The x-coordinate is used for all of the curves | the KDF. The x-coordinate is used for all of the curves defined | |||
defined in this document. For curves X25519 and X448, the | in this document. For curves X25519 and X448, the resulting value | |||
resulting value is used directly as it is a byte string of a known | is used directly, as it is a byte string of a known length. For | |||
length. For the P-256, P-384, and P-521 curves, the x-coordinate | the P-256, P-384, and P-521 curves, the x-coordinate is run | |||
is run through the I2OSP function defined in [RFC8017], using the | through the Integer-to-Octet-String primitive (I2OSP) function | |||
same computation for n as is defined in Section 2.1. | defined in [RFC8017], using the same computation for n as is | |||
defined in Section 2.1. | ||||
* Ephemeral-Static or Static-Static: The key agreement process may | Ephemeral-Static or Static-Static: The key agreement process may be | |||
be done using either a static or an ephemeral key for the sender's | done using either a static or an ephemeral key for the sender's | |||
side. When using ephemeral keys, the sender MUST generate a new | side. When using ephemeral keys, the sender MUST generate a new | |||
ephemeral key for every key agreement operation. The ephemeral | ephemeral key for every key agreement operation. The ephemeral | |||
key is placed in the 'ephemeral key' parameter and MUST be present | key is placed in the "ephemeral key" parameter and MUST be present | |||
for all algorithm identifiers that use ephemeral keys. When using | for all algorithm identifiers that use ephemeral keys. When using | |||
static keys, the sender MUST either generate a new random value or | static keys, the sender MUST either generate a new random value or | |||
create a unique value. For the KDFs used, this means either the | create a unique value. For the KDFs used, this means that either | |||
'salt' parameter for HKDF (Table 9) or the 'PartyU nonce' | the "salt" parameter for HKDF (Table 9) or the "PartyU nonce" | |||
parameter for the context structure (Table 10) MUST be present | parameter for the context structure (Table 10) MUST be present | |||
(both can be present if desired). The value in the parameter MUST | (both can be present if desired). The value in the parameter MUST | |||
be unique for the pair of keys being used. It is acceptable to | be unique for the pair of keys being used. It is acceptable to | |||
use a global counter that is incremented for every static-static | use a global counter that is incremented for every static-static | |||
operation and use the resulting value. Care must be taken that | operation and use the resulting value. Care must be taken that | |||
the counter is saved to permanent storage in a way to avoid reuse | the counter is saved to permanent storage in a way that avoids | |||
of that counter value. When using static keys, the static key | reuse of that counter value. When using static keys, the static | |||
should be identified to the recipient. The static key can be | key should be identified to the recipient. The static key can be | |||
identified either by providing the key ('static key') or by | identified by providing either the key ("static key") or a key | |||
providing a key identifier for the static key ('static key id'). | identifier for the static key ("static key id"). Both of these | |||
Both of these header parameters are defined in Table 15. | header parameters are defined in Table 15. | |||
* Key Derivation Algorithm: The result of an ECDH key agreement | Key Derivation Algorithm: The result of an ECDH key agreement | |||
process does not provide a uniformly random secret. As such, it | process does not provide a uniformly random secret. As such, it | |||
needs to be run through a KDF in order to produce a usable key. | needs to be run through a KDF in order to produce a usable key. | |||
Processing the secret through a KDF also allows for the | Processing the secret through a KDF also allows for the | |||
introduction of context material: how the key is going to be used | introduction of context material: how the key is going to be used | |||
and one-time material for static-static key agreement. All of the | and one-time material for static-static key agreement. All of the | |||
algorithms defined in this document use one of the HKDF algorithms | algorithms defined in this document use one of the HKDF algorithms | |||
defined in Section 5.1 with the context structure defined in | defined in Section 5.1 with the context structure defined in | |||
Section 5.2. | Section 5.2. | |||
* Key Wrap Algorithm: No key wrap algorithm is used. This is | Key Wrap Algorithm: No key wrap algorithm is used. This is | |||
represented in Table 14 as 'none'. The key size for the context | represented in Table 14 as "none". The key size for the context | |||
structure is the content layer encryption algorithm size. | structure is the content layer encryption algorithm size. | |||
COSE does not have an Ephemeral-Ephemeral version defined. The | COSE does not have an Ephemeral-Ephemeral version defined. The | |||
reason for this is that COSE is not an online protocol by itself and | reason for this is that COSE is not an online protocol by itself and | |||
thus does not have a method to establish ephemeral secrets on both | thus does not have a method of establishing ephemeral secrets on both | |||
sides. The expectation is that a protocol would establish the | sides. The expectation is that a protocol would establish the | |||
secrets for both sides, and then they would be used as static-static | secrets for both sides, and then they would be used as static-static | |||
for the purposes of COSE, or that the protocol would generate a | for the purposes of COSE, or that the protocol would generate a | |||
shared secret and a direct encryption would be used. | shared secret and a direct encryption would be used. | |||
The set of direct ECDH algorithms defined in this document are found | The set of direct ECDH algorithms defined in this document is found | |||
in Table 14. | in Table 14. | |||
+===========+=======+=========+============+======+=================+ | +==========+=======+=========+==================+=====+=============+ | |||
| Name | Value | KDF | Ephemeral- | Key | Description | | |Name | Value | KDF | Ephemeral-Static |Key |Description | | |||
| | | | Static | Wrap | | | | | | | |Wrap | | | |||
+===========+=======+=========+============+======+=================+ | +==========+=======+=========+==================+=====+=============+ | |||
| ECDH-ES | -25 | HKDF - | yes | none | ECDH ES w/ HKDF | | |ECDH-ES + | -25 | HKDF -- | yes |none |ECDH ES w/ | | |||
| + | | SHA-256 | | | - generate key | | |HKDF-256 | | SHA-256 | | |HKDF -- | | |||
| HKDF-256 | | | | | directly | | | | | | | |generate key | | |||
+-----------+-------+---------+------------+------+-----------------+ | | | | | | |directly | | |||
| ECDH-ES | -26 | HKDF - | yes | none | ECDH ES w/ HKDF | | +----------+-------+---------+------------------+-----+-------------+ | |||
| + | | SHA-512 | | | - generate key | | |ECDH-ES + | -26 | HKDF -- | yes |none |ECDH ES w/ | | |||
| HKDF-512 | | | | | directly | | |HKDF-512 | | SHA-512 | | |HKDF -- | | |||
+-----------+-------+---------+------------+------+-----------------+ | | | | | | |generate key | | |||
| ECDH-SS | -27 | HKDF - | no | none | ECDH SS w/ HKDF | | | | | | | |directly | | |||
| + | | SHA-256 | | | - generate key | | +----------+-------+---------+------------------+-----+-------------+ | |||
| HKDF-256 | | | | | directly | | |ECDH-SS + | -27 | HKDF -- | no |none |ECDH SS w/ | | |||
+-----------+-------+---------+------------+------+-----------------+ | |HKDF-256 | | SHA-256 | | |HKDF -- | | |||
| ECDH-SS | -28 | HKDF - | no | none | ECDH SS w/ HKDF | | | | | | | |generate key | | |||
| + | | SHA-512 | | | - generate key | | | | | | | |directly | | |||
| HKDF-512 | | | | | directly | | +----------+-------+---------+------------------+-----+-------------+ | |||
+-----------+-------+---------+------------+------+-----------------+ | |ECDH-SS + | -28 | HKDF -- | no |none |ECDH SS w/ | | |||
|HKDF-512 | | SHA-512 | | |HKDF -- | | ||||
| | | | | |generate key | | ||||
| | | | | |directly | | ||||
+----------+-------+---------+------------------+-----+-------------+ | ||||
Table 14: ECDH Algorithm Values | Table 14: ECDH Algorithm Values | |||
+===========+=======+==========+===================+=============+ | +===========+=======+==========+===================+=============+ | |||
| Name | Label | Type | Algorithm | Description | | | Name | Label | Type | Algorithm | Description | | |||
+===========+=======+==========+===================+=============+ | +===========+=======+==========+===================+=============+ | |||
| ephemeral | -1 | COSE_Key | ECDH-ES+HKDF-256, | Ephemeral | | | ephemeral | -1 | COSE_Key | ECDH-ES+HKDF-256, | Ephemeral | | |||
| key | | | ECDH-ES+HKDF-512, | public key | | | key | | | ECDH-ES+HKDF-512, | public key | | |||
| | | | ECDH-ES+A128KW, | for the | | | | | | ECDH-ES+A128KW, | for the | | |||
| | | | ECDH-ES+A192KW, | sender | | | | | | ECDH-ES+A192KW, | sender | | |||
skipping to change at page 34, line 14 ¶ | skipping to change at line 1478 ¶ | |||
This document defines these algorithms to be used with the curves | This document defines these algorithms to be used with the curves | |||
P-256, P-384, P-521, X25519, and X448. Implementations MUST verify | P-256, P-384, P-521, X25519, and X448. Implementations MUST verify | |||
that the key type and curve are correct. Different curves are | that the key type and curve are correct. Different curves are | |||
restricted to different key types. Implementations MUST verify that | restricted to different key types. Implementations MUST verify that | |||
the curve and algorithm are appropriate for the entities involved. | the curve and algorithm are appropriate for the entities involved. | |||
When using a COSE key for this algorithm, the following checks are | When using a COSE key for this algorithm, the following checks are | |||
made: | made: | |||
* The 'kty' field MUST be present, and it MUST be 'EC2' or 'OKP'. | * The "kty" field MUST be present, and it MUST be "EC2" or "OKP". | |||
* If the 'alg' field is present, it MUST match the key agreement | * If the "alg" field is present, it MUST match the key agreement | |||
algorithm being used. | algorithm being used. | |||
* If the 'key_ops' field is present, it MUST include 'derive key' or | * If the "key_ops" field is present, it MUST include "derive key" or | |||
'derive bits' for the private key. | "derive bits" for the private key. | |||
* If the 'key_ops' field is present, it MUST be empty for the public | * If the "key_ops" field is present, it MUST be empty for the public | |||
key. | key. | |||
6.3.1.1. Security Considerations for ECDH | 6.3.1.1. Security Considerations for ECDH | |||
There is a method of checking that points provided from external | There is a method of checking that points provided from external | |||
entities are valid. For the 'EC2' key format, this can be done by | entities are valid. For the "EC2" key format, this can be done by | |||
checking that the x and y values form a point on the curve. For the | checking that the x and y values form a point on the curve. For the | |||
'OKP' format, there is no simple way to do point validation. | "OKP" format, there is no simple way to perform point validation. | |||
Consideration was given to requiring that the public keys of both | Consideration was given to requiring that the public keys of both | |||
entities be provided as part of the key derivation process (as | entities be provided as part of the key derivation process (as | |||
recommended in Section 6.4 of [RFC7748]). This was not done as COSE | recommended in Section 6.4 of [RFC7748]). This was not done, because | |||
is used in a store and forward format rather than in online key | COSE is used in a store-and-forward format rather than in online key | |||
exchange. In order for this to be a problem, either the receiver | exchange. In order for this to be a problem, either the receiver | |||
public key has to be chosen maliciously or the sender has to be | public key has to be chosen maliciously or the sender has to be | |||
malicious. In either case, all security evaporates anyway. | malicious. In either case, all security evaporates anyway. | |||
A proof of possession of the private key associated with the public | A proof of possession of the private key associated with the public | |||
key is recommended when a key is moved from untrusted to trusted | key is recommended when a key is moved from untrusted to trusted | |||
(either by the end user or by the entity that is responsible for | (either by the end user or by the entity that is responsible for | |||
making trust statements on keys). | making trust statements on keys). | |||
6.4. Key Agreement with Key Wrap | 6.4. Key Agreement with Key Wrap | |||
Key Agreement with Key Wrap is defined in Section 9.5.5 of | Key Agreement with Key Wrap is defined in Section 8.5.5 of [RFC9052]. | |||
[I-D.ietf-cose-rfc8152bis-struct]. Information about how to fill in | Information about how to fill in the COSE_Recipient structure is | |||
the COSE_Recipient structure are detailed there. | detailed there. | |||
6.4.1. ECDH with Key Wrap | 6.4.1. ECDH with Key Wrap | |||
These algorithms are defined in Table 16. | These algorithms are defined in Table 16. | |||
ECDH with Key Agreement is parameterized by the same header | ECDH with Key Agreement is parameterized by the same header | |||
parameters as for ECDH; see Section 6.3.1, with the following | parameters as for ECDH; see Section 6.3.1, with the following | |||
modifications: | modifications: | |||
* Key Wrap Algorithm: Any of the key wrap algorithms defined in | Key Wrap Algorithm: Any of the key wrap algorithms defined in | |||
Section 6.2 are supported. The size of the key used for the key | Section 6.2 are supported. The size of the key used for the key | |||
wrap algorithm is fed into the KDF. The set of identifiers are | wrap algorithm is fed into the KDF. The set of identifiers is | |||
found in Table 16. | found in Table 16. | |||
+=========+=======+=========+============+========+================+ | +=========+=====+=========+==================+========+=============+ | |||
| Name | Value | KDF | Ephemeral- | Key | Description | | |Name |Value| KDF | Ephemeral-Static |Key Wrap| Description | | |||
| | | | Static | Wrap | | | +=========+=====+=========+==================+========+=============+ | |||
+=========+=======+=========+============+========+================+ | |ECDH-ES +|-29 | HKDF -- | yes |A128KW | ECDH ES w/ | | |||
| ECDH-ES | -29 | HKDF - | yes | A128KW | ECDH ES w/ | | |A128KW | | SHA-256 | | | Concat KDF | | |||
| + | | SHA-256 | | | Concat KDF and | | | | | | | | and AES Key | | |||
| A128KW | | | | | AES Key Wrap | | | | | | | | Wrap w/ | | |||
| | | | | | w/ 128-bit key | | | | | | | | 128-bit key | | |||
+---------+-------+---------+------------+--------+----------------+ | +---------+-----+---------+------------------+--------+-------------+ | |||
| ECDH-ES | -30 | HKDF - | yes | A192KW | ECDH ES w/ | | |ECDH-ES +|-30 | HKDF -- | yes |A192KW | ECDH ES w/ | | |||
| + | | SHA-256 | | | Concat KDF and | | |A192KW | | SHA-256 | | | Concat KDF | | |||
| A192KW | | | | | AES Key Wrap | | | | | | | | and AES Key | | |||
| | | | | | w/ 192-bit key | | | | | | | | Wrap w/ | | |||
+---------+-------+---------+------------+--------+----------------+ | | | | | | | 192-bit key | | |||
| ECDH-ES | -31 | HKDF - | yes | A256KW | ECDH ES w/ | | +---------+-----+---------+------------------+--------+-------------+ | |||
| + | | SHA-256 | | | Concat KDF and | | |ECDH-ES +|-31 | HKDF -- | yes |A256KW | ECDH ES w/ | | |||
| A256KW | | | | | AES Key Wrap | | |A256KW | | SHA-256 | | | Concat KDF | | |||
| | | | | | w/ 256-bit key | | | | | | | | and AES Key | | |||
+---------+-------+---------+------------+--------+----------------+ | | | | | | | Wrap w/ | | |||
| ECDH-SS | -32 | HKDF - | no | A128KW | ECDH SS w/ | | | | | | | | 256-bit key | | |||
| + | | SHA-256 | | | Concat KDF and | | +---------+-----+---------+------------------+--------+-------------+ | |||
| A128KW | | | | | AES Key Wrap | | |ECDH-SS +|-32 | HKDF -- | no |A128KW | ECDH SS w/ | | |||
| | | | | | w/ 128-bit key | | |A128KW | | SHA-256 | | | Concat KDF | | |||
+---------+-------+---------+------------+--------+----------------+ | | | | | | | and AES Key | | |||
| ECDH-SS | -33 | HKDF - | no | A192KW | ECDH SS w/ | | | | | | | | Wrap w/ | | |||
| + | | SHA-256 | | | Concat KDF and | | | | | | | | 128-bit key | | |||
| A192KW | | | | | AES Key Wrap | | +---------+-----+---------+------------------+--------+-------------+ | |||
| | | | | | w/ 192-bit key | | |ECDH-SS +|-33 | HKDF -- | no |A192KW | ECDH SS w/ | | |||
+---------+-------+---------+------------+--------+----------------+ | |A192KW | | SHA-256 | | | Concat KDF | | |||
| ECDH-SS | -34 | HKDF - | no | A256KW | ECDH SS w/ | | | | | | | | and AES Key | | |||
| + | | SHA-256 | | | Concat KDF and | | | | | | | | Wrap w/ | | |||
| A256KW | | | | | AES Key Wrap | | | | | | | | 192-bit key | | |||
| | | | | | w/ 256-bit key | | +---------+-----+---------+------------------+--------+-------------+ | |||
+---------+-------+---------+------------+--------+----------------+ | |ECDH-SS +|-34 | HKDF -- | no |A256KW | ECDH SS w/ | | |||
|A256KW | | SHA-256 | | | Concat KDF | | ||||
| | | | | | and AES Key | | ||||
| | | | | | Wrap w/ | | ||||
| | | | | | 256-bit key | | ||||
+---------+-----+---------+------------------+--------+-------------+ | ||||
Table 16: ECDH Algorithm Values with Key Wrap | Table 16: ECDH Algorithm Values with Key Wrap | |||
When using a COSE key for this algorithm, the following checks are | When using a COSE key for this algorithm, the following checks are | |||
made: | made: | |||
* The 'kty' field MUST be present, and it MUST be 'EC2' or 'OKP'. | * The "kty" field MUST be present, and it MUST be "EC2" or "OKP". | |||
* If the 'alg' field is present, it MUST match the key agreement | * If the "alg" field is present, it MUST match the key agreement | |||
algorithm being used. | algorithm being used. | |||
* If the 'key_ops' field is present, it MUST include 'derive key' or | * If the "key_ops" field is present, it MUST include "derive key" or | |||
'derive bits' for the private key. | "derive bits" for the private key. | |||
* If the 'key_ops' field is present, it MUST be empty for the public | * If the "key_ops" field is present, it MUST be empty for the public | |||
key. | key. | |||
7. Key Object Parameters | 7. Key Object Parameters | |||
The COSE_Key object defines a way to hold a single key object. It is | The COSE_Key object defines a way to hold a single key object. It is | |||
still required that the members of individual key types be defined. | still required that the members of individual key types be defined. | |||
This section of the document is where we define an initial set of | This section of the document is where we define an initial set of | |||
members for specific key types. | members for specific key types. | |||
For each of the key types, we define both public and private members. | For each of the key types, we define both public and private members. | |||
The public members are what is transmitted to others for their usage. | The public members are what is transmitted to others for their usage. | |||
Private members allow for the archival of keys by individuals. | Private members allow individuals to archive keys. However, there | |||
However, there are some circumstances in which private keys may be | are some circumstances in which private keys may be distributed to | |||
distributed to entities in a protocol. Examples include: entities | entities in a protocol. Examples include: entities that have poor | |||
that have poor random number generation, centralized key creation for | random number generation, centralized key creation for multicast-type | |||
multi-cast type operations, and protocols in which a shared secret is | operations, and protocols in which a shared secret is used as a | |||
used as a bearer token for authorization purposes. | bearer token for authorization purposes. | |||
Key types are identified by the 'kty' member of the COSE_Key object. | Key types are identified by the "kty" member of the COSE_Key object. | |||
In this document, we define four values for the member: | In this document, we define four values for the member: | |||
+===========+=======+==========================+ | +===========+=======+==========================+ | |||
| Name | Value | Description | | | Name | Value | Description | | |||
+===========+=======+==========================+ | +===========+=======+==========================+ | |||
| OKP | 1 | Octet Key Pair | | | OKP | 1 | Octet Key Pair | | |||
+-----------+-------+--------------------------+ | +-----------+-------+--------------------------+ | |||
| EC2 | 2 | Elliptic Curve Keys w/ | | | EC2 | 2 | Elliptic Curve Keys w/ | | |||
| | | x- and y-coordinate pair | | | | | x- and y-coordinate pair | | |||
+-----------+-------+--------------------------+ | +-----------+-------+--------------------------+ | |||
| Symmetric | 4 | Symmetric Keys | | | Symmetric | 4 | Symmetric Keys | | |||
+-----------+-------+--------------------------+ | +-----------+-------+--------------------------+ | |||
| Reserved | 0 | This value is reserved | | | Reserved | 0 | This value is reserved | | |||
+-----------+-------+--------------------------+ | +-----------+-------+--------------------------+ | |||
Table 17: Key Type Values | Table 17: Key Type Values | |||
7.1. Elliptic Curve Keys | 7.1. Elliptic Curve Keys | |||
Two different key structures are defined for elliptic curve keys. | Two different key structures are defined for elliptic curve keys. | |||
One version uses both an x-coordinate and a y-coordinate, potentially | One version uses both an x-coordinate and a y-coordinate, potentially | |||
with point compression ('EC2'). This is the traditional EC point | with point compression ("EC2"). This is the traditional elliptic | |||
representation that is used in [RFC5480]. The other version uses | curve (EC) point representation that is used in [RFC5480]. The other | |||
only the x-coordinate as the y-coordinate is either to be recomputed | version uses only the x-coordinate, as the y-coordinate is either to | |||
or not needed for the key agreement operation ('OKP'). | be recomputed or not needed for the key agreement operation ("OKP"). | |||
Applications MUST check that the curve and the key type are | Applications MUST check that the curve and the key type are | |||
consistent and reject a key if they are not. | consistent and reject a key if they are not. | |||
+=========+=======+==========+====================================+ | +=========+=======+==========+=====================================+ | |||
| Name | Value | Key Type | Description | | | Name | Value | Key Type | Description | | |||
+=========+=======+==========+====================================+ | +=========+=======+==========+=====================================+ | |||
| P-256 | 1 | EC2 | NIST P-256 also known as secp256r1 | | | P-256 | 1 | EC2 | NIST P-256, also known as secp256r1 | | |||
+---------+-------+----------+------------------------------------+ | +---------+-------+----------+-------------------------------------+ | |||
| P-384 | 2 | EC2 | NIST P-384 also known as secp384r1 | | | P-384 | 2 | EC2 | NIST P-384, also known as secp384r1 | | |||
+---------+-------+----------+------------------------------------+ | +---------+-------+----------+-------------------------------------+ | |||
| P-521 | 3 | EC2 | NIST P-521 also known as secp521r1 | | | P-521 | 3 | EC2 | NIST P-521, also known as secp521r1 | | |||
+---------+-------+----------+------------------------------------+ | +---------+-------+----------+-------------------------------------+ | |||
| X25519 | 4 | OKP | X25519 for use w/ ECDH only | | | X25519 | 4 | OKP | X25519 for use w/ ECDH only | | |||
+---------+-------+----------+------------------------------------+ | +---------+-------+----------+-------------------------------------+ | |||
| X448 | 5 | OKP | X448 for use w/ ECDH only | | | X448 | 5 | OKP | X448 for use w/ ECDH only | | |||
+---------+-------+----------+------------------------------------+ | +---------+-------+----------+-------------------------------------+ | |||
| Ed25519 | 6 | OKP | Ed25519 for use w/ EdDSA only | | | Ed25519 | 6 | OKP | Ed25519 for use w/ EdDSA only | | |||
+---------+-------+----------+------------------------------------+ | +---------+-------+----------+-------------------------------------+ | |||
| Ed448 | 7 | OKP | Ed448 for use w/ EdDSA only | | | Ed448 | 7 | OKP | Ed448 for use w/ EdDSA only | | |||
+---------+-------+----------+------------------------------------+ | +---------+-------+----------+-------------------------------------+ | |||
Table 18: Elliptic Curves | Table 18: Elliptic Curves | |||
7.1.1. Double Coordinate Curves | 7.1.1. Double Coordinate Curves | |||
The traditional way of sending ECs has been to send either both the | The traditional way of sending ECs has been to send either both the | |||
x-coordinate and y-coordinate or the x-coordinate and a sign bit for | x-coordinate and y-coordinate or the x-coordinate and a sign bit for | |||
the y-coordinate. The latter encoding has not been recommended in | the y-coordinate. The latter encoding has not been recommended by | |||
the IETF due to potential IPR issues. However, for operations in | the IETF due to potential IPR issues. However, for operations in | |||
constrained environments, the ability to shrink a message by not | constrained environments, the ability to shrink a message by not | |||
sending the y-coordinate is potentially useful. | sending the y-coordinate is potentially useful. | |||
For EC keys with both coordinates, the 'kty' member is set to 2 | For EC keys with both coordinates, the "kty" member is set to 2 | |||
(EC2). The key parameters defined in this section are summarized in | (EC2). The key parameters defined in this section are summarized in | |||
Table 19. The members that are defined for this key type are: | Table 19. The members that are defined for this key type are: | |||
crv: This contains an identifier of the curve to be used with the | crv: This contains an identifier of the curve to be used with the | |||
key. The curves defined in this document for this key type can | key. The curves defined in this document for this key type can | |||
be found in Table 18. Other curves may be registered in the | be found in Table 18. Other curves may be registered in the | |||
future, and private curves can be used as well. | future, and private curves can be used as well. | |||
x: This contains the x-coordinate for the EC point. The integer is | x: This contains the x-coordinate for the EC point. The integer is | |||
converted to a byte string as defined in [SEC1]. Leading zero | converted to a byte string as defined in [SEC1]. Leading-zero | |||
octets MUST be preserved. | octets MUST be preserved. | |||
y: This contains either the sign bit or the value of the | y: This contains either the sign bit or the value of the | |||
y-coordinate for the EC point. When encoding the value y, the | y-coordinate for the EC point. When encoding the value y, the | |||
integer is converted to an byte string (as defined in [SEC1]) | integer is converted to a byte string (as defined in [SEC1]) and | |||
and encoded as a CBOR bstr. Leading zero octets MUST be | encoded as a CBOR bstr. Leading-zero octets MUST be preserved. | |||
preserved. The compressed point encoding is also supported. | Compressed point encoding is also supported. Compute the sign | |||
Compute the sign bit as laid out in the Elliptic-Curve-Point-to- | bit as laid out in the Elliptic-Curve-Point-to-Octet-String | |||
Octet-String Conversion function of [SEC1]. If the sign bit is | Conversion function of [SEC1]. If the sign bit is zero, then | |||
zero, then encode y as a CBOR false value; otherwise, encode y | encode y as a CBOR false value; otherwise, encode y as a CBOR | |||
as a CBOR true value. The encoding of the infinity point is not | true value. The encoding of the infinity point is not | |||
supported. | supported. | |||
d: This contains the private key. | d: This contains the private key. | |||
For public keys, it is REQUIRED that 'crv', 'x', and 'y' be present | For public keys, it is REQUIRED that "crv", "x", and "y" be present | |||
in the structure. For private keys, it is REQUIRED that 'crv' and | in the structure. For private keys, it is REQUIRED that "crv" and | |||
'd' be present in the structure. For private keys, it is RECOMMENDED | "d" be present in the structure. For private keys, it is RECOMMENDED | |||
that 'x' and 'y' also be present, but they can be recomputed from the | that "x" and "y" also be present, but they can be recomputed from the | |||
required elements and omitting them saves on space. | required elements, and omitting them saves on space. | |||
+======+======+=======+========+=================================+ | +======+======+=======+========+=================================+ | |||
| Key | Name | Label | CBOR | Description | | | Key | Name | Label | CBOR | Description | | |||
| Type | | | Type | | | | Type | | | Type | | | |||
+======+======+=======+========+=================================+ | +======+======+=======+========+=================================+ | |||
| 2 | crv | -1 | int / | EC identifier - Taken from the | | | 2 | crv | -1 | int / | EC identifier -- Taken from the | | |||
| | | | tstr | "COSE Elliptic Curves" registry | | | | | | tstr | "COSE Elliptic Curves" registry | | |||
+------+------+-------+--------+---------------------------------+ | +------+------+-------+--------+---------------------------------+ | |||
| 2 | x | -2 | bstr | x-coordinate | | | 2 | x | -2 | bstr | x-coordinate | | |||
+------+------+-------+--------+---------------------------------+ | +------+------+-------+--------+---------------------------------+ | |||
| 2 | y | -3 | bstr / | y-coordinate | | | 2 | y | -3 | bstr / | y-coordinate | | |||
| | | | bool | | | | | | | bool | | | |||
+------+------+-------+--------+---------------------------------+ | +------+------+-------+--------+---------------------------------+ | |||
| 2 | d | -4 | bstr | Private key | | | 2 | d | -4 | bstr | Private key | | |||
+------+------+-------+--------+---------------------------------+ | +------+------+-------+--------+---------------------------------+ | |||
Table 19: EC Key Parameters | Table 19: EC Key Parameters | |||
7.2. Octet Key Pair | 7.2. Octet Key Pair | |||
A new key type is defined for Octet Key Pairs (OKP). Do not assume | A new key type is defined for Octet Key Pairs (OKPs). Do not assume | |||
that keys using this type are elliptic curves. This key type could | that keys using this type are elliptic curves. This key type could | |||
be used for other curve types (for example, mathematics based on | be used for other curve types (for example, mathematics based on | |||
hyper-elliptic surfaces). | hyper-elliptic surfaces). | |||
The key parameters defined in this section are summarized in | The key parameters defined in this section are summarized in | |||
Table 20. The members that are defined for this key type are: | Table 20. The members that are defined for this key type are: | |||
crv: This contains an identifier of the curve to be used with the | crv: This contains an identifier of the curve to be used with the | |||
key. The curves defined in this document for this key type can | key. The curves defined in this document for this key type can | |||
be found in Table 18. Other curves may be registered in the | be found in Table 18. Other curves may be registered in the | |||
future and private curves can be used as well. | future, and private curves can be used as well. | |||
x: This contains the public key. The byte string contains the | x: This contains the public key. The byte string contains the | |||
public key as defined by the algorithm. (For X25519, internally | public key as defined by the algorithm. (For X25519, internally | |||
it is a little-endian integer.) | it is a little-endian integer.) | |||
d: This contains the private key. | d: This contains the private key. | |||
For public keys, it is REQUIRED that 'crv' and 'x' be present in the | For public keys, it is REQUIRED that "crv" and "x" be present in the | |||
structure. For private keys, it is REQUIRED that 'crv' and 'd' be | structure. For private keys, it is REQUIRED that "crv" and "d" be | |||
present in the structure. For private keys, it is RECOMMENDED that | present in the structure. For private keys, it is RECOMMENDED that | |||
'x' also be present, but it can be recomputed from the required | "x" also be present, but it can be recomputed from the required | |||
elements and omitting it saves on space. | elements, and omitting it saves on space. | |||
+======+==========+=======+=======+=================================+ | +======+==========+=======+=======+=================================+ | |||
| Name | Key | Label | Type | Description | | | Name | Key | Label | Type | Description | | |||
| | Type | | | | | | | Type | | | | | |||
+======+==========+=======+=======+=================================+ | +======+==========+=======+=======+=================================+ | |||
| crv | 1 | -1 | int / | EC identifier - Taken from the | | | crv | 1 | -1 | int / | EC identifier -- Taken from the | | |||
| | | | tstr | "COSE Elliptic Curves" registry | | | | | | tstr | "COSE Elliptic Curves" registry | | |||
+------+----------+-------+-------+---------------------------------+ | +------+----------+-------+-------+---------------------------------+ | |||
| x | 1 | -2 | bstr | Public Key | | | x | 1 | -2 | bstr | Public Key | | |||
+------+----------+-------+-------+---------------------------------+ | +------+----------+-------+-------+---------------------------------+ | |||
| d | 1 | -4 | bstr | Private key | | | d | 1 | -4 | bstr | Private key | | |||
+------+----------+-------+-------+---------------------------------+ | +------+----------+-------+-------+---------------------------------+ | |||
Table 20: Octet Key Pair Parameters | Table 20: Octet Key Pair Parameters | |||
7.3. Symmetric Keys | 7.3. Symmetric Keys | |||
Occasionally it is required that a symmetric key be transported | Occasionally, it is required that a symmetric key be transported | |||
between entities. This key structure allows for that to happen. | between entities. This key structure allows for that to happen. | |||
For symmetric keys, the 'kty' member is set to 4 ('Symmetric'). The | For symmetric keys, the "kty" member is set to 4 ("Symmetric"). The | |||
member that is defined for this key type is: | member that is defined for this key type is: | |||
k: This contains the value of the key. | k: This contains the value of the key. | |||
This key structure does not have a form that contains only public | This key structure does not have a form that contains only public | |||
members. As it is expected that this key structure is going to be | members. As it is expected that this key structure is going to be | |||
transmitted, care must be taken that it is never transmitted | transmitted, care must be taken that it is never transmitted | |||
accidentally or insecurely. For symmetric keys, it is REQUIRED that | accidentally or insecurely. For symmetric keys, it is REQUIRED that | |||
'k' be present in the structure. | "k" be present in the structure. | |||
+======+==========+=======+======+=============+ | +======+==========+=======+======+=============+ | |||
| Name | Key Type | Label | Type | Description | | | Name | Key Type | Label | Type | Description | | |||
+======+==========+=======+======+=============+ | +======+==========+=======+======+=============+ | |||
| k | 4 | -1 | bstr | Key Value | | | k | 4 | -1 | bstr | Key Value | | |||
+------+----------+-------+------+-------------+ | +------+----------+-------+------+-------------+ | |||
Table 21: Symmetric Key Parameters | Table 21: Symmetric Key Parameter | |||
8. COSE Capabilities | 8. COSE Capabilities | |||
There are some situations that have been identified where | Some situations have been identified where identification of | |||
identification of capabilities of an algorithm or a key type need to | capabilities of an algorithm or a key type needs to be specified. | |||
be specified. One example of this is in | One example of this is in [OSCORE-GROUPCOMM], where the capabilities | |||
[I-D.ietf-core-oscore-groupcomm] where the capabilities of the | of the counter signature algorithm are mixed into the process of | |||
counter signature algorithm are mixed into the traffic key derivation | traffic-key derivation. This has a counterpart in the S/MIME | |||
process. This has a counterpart in the S/MIME specifications where | specifications, where SMIMECapabilities is defined in Section 2.5.2 | |||
SMIMECapabilities is defined in Section 2.5a.2 of [RFC8551]. This | of [RFC8551]. This document defines the same concept for COSE. | |||
document defines the same concept for COSE. | ||||
The algorithm identifier is not included in the capabilities data as | The algorithm identifier is not included in the capabilities data, as | |||
it should be encoded elsewhere in the message. The key type | it should be encoded elsewhere in the message. The key type | |||
identifier is included in the capabilities data as it is not expected | identifier is included in the capabilities data, as it is not | |||
to be encoded elsewhere. | expected to be encoded elsewhere. | |||
Two different types of capabilities are defined: capabilities for | Two different types of capabilities are defined: capabilities for | |||
algorithms and capabilities for key type. Once defined by | algorithms and capabilities for key type. Once defined by | |||
registration with IANA, the list of capabilities for an algorithm or | registration with IANA, the list of capabilities for an algorithm or | |||
key type is immutable. If it is later found that a new capability is | key type is immutable. If it is later found that a new capability is | |||
needed for a key type or an algorithm, it will require that a new | needed for a key type or algorithm, it will require that a new code | |||
code point be assigned to deal with that. As a general rule, the | point be assigned to deal with that. As a general rule, the | |||
capabilities are going to map to algorithm-specific header parameters | capabilities are going to map to algorithm-specific header parameters | |||
or key parameters, but they do not need to do so. An example of this | or key parameters, but they do not need to do so. An example of this | |||
is the HSS-LMS key capabilities defined below where the hash | is the HSS-LMS key capabilities defined below, where the hash | |||
algorithm used is included. | algorithm used is included. | |||
The capability structure is an array of values, the values included | The capability structure is an array of values; the values included | |||
in the structure are dependent on a specific algorithm or key type. | in the structure are dependent on a specific algorithm or key type. | |||
For algorithm capabilities, the first element should always be a key | For algorithm capabilities, the first element should always be a key | |||
type value if applicable, but the items that are specific to a key | type value if applicable, but the items that are specific to a key | |||
(for example a curve) should not be included in the algorithm | (for example, a curve) should not be included in the algorithm | |||
capabilities. This means that if one wishes to enumerate all of the | capabilities. This means that if one wishes to enumerate all of the | |||
capabilities for a device which implements ECDH, it requires that all | capabilities for a device that implements ECDH, it requires that all | |||
of the combinations of algorithms and key pairs to be specified. The | of the combinations of algorithms and key pairs be specified. The | |||
last example of Section 8.3 provides a case where this is done by | last example of Section 8.3 provides a case where this is done by | |||
allowing for a cross product to be specified between an array of | allowing for a cross product to be specified between an array of | |||
algorithm capabilities and key type capabilities (see ECDH-ES+A25KW | algorithm capabilities and key type capabilities (see the ECDH- | |||
element). For a key, the first element should be the key type value. | ES+A25KW element). For a key, the first element should be the key | |||
While this means that the key type value will be duplicated if both | type value. While this means that the key type value will be | |||
an algorithm and key capability are used, the key type is needed in | duplicated if both an algorithm and key capability are used, the key | |||
order to understand the rest of the values. | type is needed in order to understand the rest of the values. | |||
8.1. Assignments for Existing Algorithms | 8.1. Assignments for Existing Algorithms | |||
For the current set of algorithms in the registry, those in this | For the current set of algorithms in the registry, those in this | |||
document as well as those in [RFC8230] and [I-D.ietf-cose-hash-sig], | document as well as those in [RFC8230] and [RFC8778], the | |||
the capabilities list is an array with one element, the key type | capabilities list is an array with one element, the key type (from | |||
(from the "COSE Key Types" Registry). It is expected that future | the "COSE Key Types" registry). It is expected that future | |||
registered algorithms could have zero, one, or multiple elements. | registered algorithms could have zero, one, or multiple elements. | |||
8.2. Assignments for Existing Key Types | 8.2. Assignments for Existing Key Types | |||
There are a number of pre-existing key types, the following deals | There are a number of pre-existing key types; the following deals | |||
with creating the capability definition for those structures: | with creating the capability definition for those structures: | |||
* OKP, EC2: The list of capabilities is: | * OKP, EC2: The list of capabilities is: | |||
- The key type value. (1 for OKP or 2 for EC2.) | - The key type value. (1 for OKP or 2 for EC2.) | |||
- One curve for that key type from the "COSE Elliptic Curve" | - One curve for that key type from the "COSE Elliptic Curves" | |||
registry. | registry. | |||
* RSA: The list of capabilities is: | * RSA: The list of capabilities is: | |||
- The key type value (3). | - The key type value (3). | |||
* Symmetric: The list of capabilities is: | * Symmetric: The list of capabilities is: | |||
- The key type value (4). | - The key type value (4). | |||
* HSS-LMS: The list of capabilities is: | * HSS-LMS: The list of capabilities is: | |||
- The key type value (5), | - The key type value (5). | |||
- Algorithm identifier for the underlying hash function from the | - Algorithm identifier for the underlying hash function from the | |||
"COSE Algorithms" registry. | "COSE Algorithms" registry. | |||
8.3. Examples | 8.3. Examples | |||
Capabilities can be use in a key derivation process to make sure that | Capabilities can be used in a key derivation process to make sure | |||
both sides are using the same parameters. This is the approach that | that both sides are using the same parameters. This is the approach | |||
is being used by the group communication KDF in | that is being used by the group communication KDF in | |||
[I-D.ietf-core-oscore-groupcomm]. The three examples below show | [OSCORE-GROUPCOMM]. The three examples below show different ways | |||
different ways that one might include things: | that one might include things: | |||
* Just an algorithm capability: This is useful if the protocol wants | * Only an algorithm capability: This is useful if the protocol wants | |||
to require a specific algorithm such as ECDSA, but it is agnostic | to require a specific algorithm, such as ECDSA, but it is agnostic | |||
about which curve is being used. This does require that the | about which curve is being used. This requires that the algorithm | |||
algorithm identifier be specified in the protocol. See the first | identifier be specified in the protocol. See the first example. | |||
example. | ||||
* Just a key type capability: This is useful if the protccol wants | * Only a key type capability: This is useful if the protocol wants | |||
to require a specific a specific key type and curve, such as | to require a specific key type and curve, such as P-256, but will | |||
P-256, but will accept any algorithm using that curve (e.g. both | accept any algorithm using that curve (e.g., both ECDSA and ECDH). | |||
ECDSA and ECDH). See the second example. | See the second example. | |||
* Both an algorithm and a key type capability: This is used if the | * Both algorithm and key type capabilities: This is used if the | |||
protocol needs to nail down all of the options surrounding an | protocol needs to nail down all of the options surrounding an | |||
algorithm E.g. EdDSA with the curve X25519. As with the first | algorithm -- e.g., EdDSA with the curve X25519. As with the first | |||
example, the algorithm identifier needs to be specified in the | example, the algorithm identifier needs to be specified in the | |||
protocol. See the third example which just concatenates the two | protocol. See the third example, which just concatenates the two | |||
capabilities together. | capabilities together. | |||
Algorithm ECDSA | Algorithm ECDSA | |||
0x8102 / [2 \ EC2 \ ] / | 0x8102 / [2 \ EC2 \ ] / | |||
Key type EC2 with P-256 curve: | Key type EC2 with P-256 curve: | |||
0x820201 / [2 \ EC2 \, 1 \ P-256 \] / | 0x820201 / [2 \ EC2 \, 1 \ P-256 \] / | |||
ECDH-ES + A256KW with an X25519 curve: | ECDH-ES + A256KW with an X25519 curve: | |||
0x8101820104 / [1 \ OKP \],[1 \ OKP \, 4 \ X25519 \] / | 0x8101820104 / [1 \ OKP \],[1 \ OKP \, 4 \ X25519 \] / | |||
The capabilities can also be used by and entity to advertise what it | The capabilities can also be used by an entity to advertise what it | |||
is capabable of doing. The decoded example below is one of many | is capable of doing. The decoded example below is one of many | |||
encoding that could be used for that purpose. Each array element | encodings that could be used for that purpose. Each array element | |||
includes three fields: the algorithm identifier, one or more | includes three fields: the algorithm identifier, one or more | |||
algorithm capabilities, and one or more key type capabilities. | algorithm capabilities, and one or more key type capabilities. | |||
[ | [ | |||
[-8 / EdDSA /, | [-8 / EdDSA /, | |||
[1 / OKP key type /], | [1 / OKP key type /], | |||
[ | [ | |||
[1 / OKP /, 6 / Ed25519 / ], | [1 / OKP /, 6 / Ed25519 / ], | |||
[1 /OKP/, 7 /Ed448 /] | [1 /OKP/, 7 /Ed448 /] | |||
] | ] | |||
skipping to change at page 44, line 44 ¶ | skipping to change at line 1932 ¶ | |||
] | ] | |||
Examining the above: | Examining the above: | |||
* The first element indicates that the entity supports EdDSA with | * The first element indicates that the entity supports EdDSA with | |||
curves Ed25519 and Ed448. | curves Ed25519 and Ed448. | |||
* The second element indicates that the entity supports ECDSA with | * The second element indicates that the entity supports ECDSA with | |||
curves P-256 and P-521. | curves P-256 and P-521. | |||
* The third element indicates that the entity support ephemeral- | * The third element indicates that the entity supports ephemeral- | |||
static ECDH using AES256 key wrap. The entity can support the | static ECDH using AES256 key wrap. The entity can support the | |||
P-256 curve with an EC2 key type and the X25519 curve with an OKP | P-256 curve with an EC2 key type and the X25519 curve with an OKP | |||
key type. | key type. | |||
* The last element indicates that the entity supports AES-GCM of 128 | * The last element indicates that the entity supports AES-GCM of 128 | |||
bits for content encryption. | bits for content encryption. | |||
The entity does not advertise that it supports any MAC algorithms. | The entity does not advertise that it supports any MAC algorithms. | |||
9. CBOR Encoding Restrictions | 9. CBOR Encoding Restrictions | |||
This document limits the restrictions it imposes on how the CBOR | This document limits the restrictions it imposes on how the CBOR | |||
Encoder needs to work. It has been narrowed down to the following | encoder needs to work. It has been narrowed down to the following | |||
restrictions: | restrictions: | |||
* The restriction applies to the encoding of the COSE_KDF_Context. | * The restriction applies to the encoding of the COSE_KDF_Context. | |||
* Encoding MUST be done using definite lengths and the length of the | * Encoding MUST be done using definite lengths, and the length of | |||
MUST be the minimum possible length. This means that the integer | the MUST be the minimum possible length. This means that the | |||
1 is encoded as "0x01" and not "0x1801". | integer 1 is encoded as "0x01" and not "0x1801". | |||
* Applications MUST NOT generate messages with the same label used | * Applications MUST NOT generate messages with the same label used | |||
twice as a key in a single map. Applications MUST NOT parse and | twice as a key in a single map. Applications MUST NOT parse and | |||
process messages with the same label used twice as a key in a | process messages with the same label used twice as a key in a | |||
single map. Applications can enforce the parse and process | single map. Applications can enforce the parse-and-process | |||
requirement by using parsers that will fail the parse step or by | requirement by using parsers that will either fail the parse step | |||
using parsers that will pass all keys to the application, and the | or pass all keys to the application, and the application can | |||
application can perform the check for duplicate keys. | perform the check for duplicate keys. | |||
10. IANA Considerations | 10. IANA Considerations | |||
IANA is requested to updte ll COSE registeries except for "COSE | IANA has updated all COSE registries except for "COSE Header | |||
Header Parmeters" and "COSE Key Common Parameters" from [RFC8152] to | Parameters" and "COSE Key Common Parameters" to point to this | |||
[[This document]]. | document instead of [RFC8152]. | |||
10.1. Changes to "COSE Key Types" registry. | 10.1. Changes to the "COSE Key Types" Registry | |||
IANA is requested to create a new column in the "COSE Key Types" | IANA has added a new column in the "COSE Key Types" registry. The | |||
registry. The new column is to be labeled "Capabilities". The new | new column is labeled "Capabilities" and has been populated according | |||
column is to be populated according the entries in Table 22. | to the entries in Table 22. | |||
+=======+===========+==========================+ | +=======+===========+==========================+ | |||
| Value | Name | Capabilities | | | Value | Name | Capabilities | | |||
+=======+===========+==========================+ | +=======+===========+==========================+ | |||
| 1 | OKP | [kty(1), crv] | | | 1 | OKP | [kty(1), crv] | | |||
+-------+-----------+--------------------------+ | +-------+-----------+--------------------------+ | |||
| 2 | EC2 | [kty(2), crv] | | | 2 | EC2 | [kty(2), crv] | | |||
+-------+-----------+--------------------------+ | +-------+-----------+--------------------------+ | |||
| 3 | RSA | [kty(3)] | | | 3 | RSA | [kty(3)] | | |||
+-------+-----------+--------------------------+ | +-------+-----------+--------------------------+ | |||
| 4 | Symmetric | [kty(4)] | | | 4 | Symmetric | [kty(4)] | | |||
+-------+-----------+--------------------------+ | +-------+-----------+--------------------------+ | |||
| 5 | HSS-LMS | [kty(5), hash algorithm] | | | 5 | HSS-LMS | [kty(5), hash algorithm] | | |||
+-------+-----------+--------------------------+ | +-------+-----------+--------------------------+ | |||
Table 22: Key Type Capabilities | Table 22: Key Type Capabilities | |||
10.2. Changes to "COSE Algorithms" registry | 10.2. Changes to the "COSE Algorithms" Registry | |||
IANA is requested to create a new column in the "COSE Algorithms" | IANA has added a new column in the "COSE Algorithms" registry. The | |||
registry. The new column is to be labeled "Capabilities". The new | new column is labeled "Capabilities" and has been populated with | |||
column is populated with "[kty]" for all current, non-provisional, | "[kty]" for all current, nonprovisional registrations. It is | |||
registrations. It is expected that the documents which define those | expected that the documents that define those algorithms will be | |||
algorithms will be expanded to include this registration. If this is | expanded to include this registration. If this is not done, then the | |||
not done then the Designated Expert should be consulted before final | designated expert should be consulted before final registration for | |||
registration for this document is done. | this document is done. | |||
IANA is requested to update the reference column in the "COSE | IANA has updated the Reference column in the "COSE Algorithms" | |||
Algorithms" registry to include [[This Document]] as a reference for | registry to include this document as a reference for all rows where | |||
all rows where it is not already present. | it was not already present. | |||
IANA is requested to add a new row to the "COSE Algorithms" registry. | IANA has added a new row to the "COSE Algorithms" registry. | |||
+==========+===============+=============+============+=============+ | +============+===============+=============+==========+=============+ | |||
|Name | Value |Description | Reference | Recommended | | | Name | Value |Description |Reference | Recommended | | |||
+==========+===============+=============+============+=============+ | +============+===============+=============+==========+=============+ | |||
|IV | IV-GENERATION |For doing IV | [[THIS | No | | | IV | IV-GENERATION |For doing IV |RFC 9053 | No | | |||
|Generation| |generation | DOCUMENT]] | | | | Generation | |generation | | | | |||
| | |for symmetric| | | | | | |for symmetric| | | | |||
| | |algorithms. | | | | | | |algorithms. | | | | |||
+----------+---------------+-------------+------------+-------------+ | +------------+---------------+-------------+----------+-------------+ | |||
Table 23 | Table 23 | |||
The capabilities column for this registration is to be empty. | The Capabilities column for this registration is to be empty. | |||
10.3. Changes to the "COSE Key Type Parameters" registry | 10.3. Changes to the "COSE Key Type Parameters" Registry | |||
IANA is requested to modify the description to "Public Key" for the | IANA is requested to modify the description to "Public Key" for the | |||
line with "Key Type" of 2 and the "Name" of "x". See Table 20 which | line with "Key Type" of 2 and the "Name" of "x". See Table 20, which | |||
has been modified with this change. | has been modified with this change. | |||
10.4. Expert Review Instructions | 10.4. Expert Review Instructions | |||
All of the IANA registries established by [RFC8152] are, at least in | All of the IANA registries established by [RFC8152] are, at least in | |||
part, defined as expert review. This section gives some general | part, defined as Expert Review. This section gives some general | |||
guidelines for what the experts should be looking for, but they are | guidelines for what the experts should be looking for, but they are | |||
being designated as experts for a reason, so they should be given | being designated as experts for a reason, so they should be given | |||
substantial latitude. | substantial latitude. | |||
Expert reviewers should take into consideration the following points: | Expert reviewers should take into consideration the following points: | |||
* Point squatting should be discouraged. Reviewers are encouraged | * Point squatting should be discouraged. Reviewers are encouraged | |||
to get sufficient information for registration requests to ensure | to get sufficient information for registration requests to ensure | |||
that the usage is not going to duplicate one that is already | that the usage is not going to duplicate one that is already | |||
registered, and that the point is likely to be used in | registered, and that the point is likely to be used in | |||
deployments. The zones tagged as private use are intended for | deployments. The zones tagged as private use are intended for | |||
testing purposes and closed environments; code points in other | testing purposes and closed environments; code points in other | |||
ranges should not be assigned for testing. | ranges should not be assigned for testing. | |||
* Specifications are required for the standards track range of point | * Specifications are required for the Standards Track range of point | |||
assignment. Specifications should exist for specification | assignments. Specifications should exist for Specification | |||
required ranges, but early assignment before a specification is | Required ranges, but early assignment before a specification is | |||
available is considered to be permissible. Specifications are | available is considered to be permissible. Specifications are | |||
needed for the first-come, first-serve range if they are expected | needed for the first-come, first-serve range if the points are | |||
to be used outside of closed environments in an interoperable way. | expected to be used outside of closed environments in an | |||
When specifications are not provided, the description provided | interoperable way. When specifications are not provided, the | |||
needs to have sufficient information to identify what the point is | description provided needs to have sufficient information to | |||
being used for. | identify what the point is being used for. | |||
* Experts should take into account the expected usage of fields when | * Experts should take into account the expected usage of fields when | |||
approving point assignment. The fact that there is a range for | approving point assignment. The fact that there is a range for | |||
standards track documents does not mean that a standards track | Standards Track documents does not mean that a Standards Track | |||
document cannot have points assigned outside of that range. The | document cannot have points assigned outside of that range. The | |||
length of the encoded value should be weighed against how many | length of the encoded value should be weighed against how many | |||
code points of that length are left, the size of device it will be | code points of that length are left, the size of device it will be | |||
used on, and the number of code points left that encode to that | used on, and the number of code points left that encode to that | |||
size. | size. | |||
* When algorithms are registered, vanity registrations should be | * When algorithms are registered, vanity registrations should be | |||
discouraged. One way to do this is to require registrations to | discouraged. One way to do this is to require registrations to | |||
provide additional documentation on security analysis of the | provide additional documentation on security analysis of the | |||
algorithm. Another thing that should be considered is requesting | algorithm. Another thing that should be considered is requesting | |||
an opinion on the algorithm from the Crypto Forum Research Group | an opinion on the algorithm from the Crypto Forum Research Group | |||
(CFRG). Algorithms that do not meet the security requirements of | (CFRG). Algorithms that do not meet the security requirements of | |||
the community and the messages structures should not be | the community and the message structures should not be registered. | |||
registered. | ||||
11. Security Considerations | 11. Security Considerations | |||
There are a number of security considerations that need to be taken | There are a number of security considerations that need to be taken | |||
into account by implementers of this specification. The security | into account by implementers of this specification. The security | |||
considerations that are specific to an individual algorithm are | considerations that are specific to an individual algorithm are | |||
placed next to the description of the algorithm. While some | placed next to the description of the algorithm. While some | |||
considerations have been highlighted here, additional considerations | considerations have been highlighted here, additional considerations | |||
may be found in the documents listed in the references. | may be found in the documents listed in the references. | |||
Implementations need to protect the private key material for any | Implementations need to protect the private key material for any | |||
individuals. There are some cases in this document that need to be | individuals. Some cases in this document need to be highlighted with | |||
highlighted on this issue. | regard to this issue. | |||
* Using the same key for two different algorithms can leak | * Use of the same key for two different algorithms can leak | |||
information about the key. It is therefore recommended that keys | information about the key. It is therefore recommended that keys | |||
be restricted to a single algorithm. | be restricted to a single algorithm. | |||
* Use of 'direct' as a recipient algorithm combined with a second | * Use of "direct" as a recipient algorithm combined with a second | |||
recipient algorithm exposes the direct key to the second | recipient algorithm exposes the direct key to the second | |||
recipient. | recipient. | |||
* Several of the algorithms in this document have limits on the | * Several of the algorithms in this document have limits on the | |||
number of times that a key can be used without leaking information | number of times that a key can be used without leaking information | |||
about the key. | about the key. | |||
The use of ECDH and direct plus KDF (with no key wrap) will not | The use of ECDH and direct plus KDF (with no key wrap) will not | |||
directly lead to the private key being leaked; the one way function | directly lead to the private key being leaked; the one-way function | |||
of the KDF will prevent that. There is, however, a different issue | of the KDF will prevent that. There is, however, a different issue | |||
that needs to be addressed. Having two recipients requires that the | that needs to be addressed. Having two recipients requires that the | |||
CEK be shared between two recipients. The second recipient therefore | CEK be shared between two recipients. The second recipient therefore | |||
has a CEK that was derived from material that can be used for the | has a CEK that was derived from material that can be used for the | |||
weak proof of origin. The second recipient could create a message | weak proof of origin. The second recipient could create a message | |||
using the same CEK and send it to the first recipient; the first | using the same CEK and send it to the first recipient; the first | |||
recipient would, for either static-static ECDH or direct plus KDF, | recipient would, for either static-static ECDH or direct plus KDF, | |||
make an assumption that the CEK could be used for proof of origin | make an assumption that the CEK could be used for proof of origin | |||
even though it is from the wrong entity. If the key wrap step is | even though it is from the wrong entity. If the key wrap step is | |||
added, then no proof of origin is implied and this is not an issue. | added, then no proof of origin is implied and this is not an issue. | |||
Although it has been mentioned before, the use of a single key for | Although it has been mentioned before, the use of a single key for | |||
multiple algorithms has been demonstrated in some cases to leak | multiple algorithms has been demonstrated in some cases to leak | |||
information about a key, provide the opportunity for attackers to | information about a key, providing the opportunity for attackers to | |||
forge integrity tags, or gain information about encrypted content. | forge integrity tags or gain information about encrypted content. | |||
Binding a key to a single algorithm prevents these problems. Key | Binding a key to a single algorithm prevents these problems. Key | |||
creators and key consumers are strongly encouraged not only to create | creators and key consumers are strongly encouraged to not only create | |||
new keys for each different algorithm, but to include that selection | new keys for each different algorithm, but include that selection of | |||
of algorithm in any distribution of key material and strictly enforce | algorithm in any distribution of key material and strictly enforce | |||
the matching of algorithms in the key structure to algorithms in the | the matching of algorithms in the key structure to algorithms in the | |||
message structure. In addition to checking that algorithms are | message structure. In addition to checking that algorithms are | |||
correct, the key form needs to be checked as well. Do not use an | correct, the key form needs to be checked as well. Do not use an | |||
'EC2' key where an 'OKP' key is expected. | "EC2" key where an "OKP" key is expected. | |||
Before using a key for transmission, or before acting on information | Before using a key for transmission, or before acting on information | |||
received, a trust decision on a key needs to be made. Is the data or | received, a trust decision on a key needs to be made. Is the data or | |||
action something that the entity associated with the key has a right | action something that the entity associated with the key has a right | |||
to see or a right to request? A number of factors are associated | to see or a right to request? A number of factors are associated | |||
with this trust decision. Some of the ones that are highlighted here | with this trust decision. Some highlighted here are: | |||
are: | ||||
* What are the permissions associated with the key owner? | * What are the permissions associated with the key owner? | |||
* Is the cryptographic algorithm acceptable in the current context? | * Is the cryptographic algorithm acceptable in the current context? | |||
* Have the restrictions associated with the key, such as algorithm | * Have the restrictions associated with the key, such as algorithm | |||
or freshness, been checked and are they correct? | or freshness, been checked, and are they correct? | |||
* Is the request something that is reasonable, given the current | * Is the request something that is reasonable, given the current | |||
state of the application? | state of the application? | |||
* Have any security considerations that are part of the message been | * Have any security considerations that are part of the message been | |||
enforced (as specified by the application or 'crit' parameter)? | enforced (as specified by the application or "crit" parameter)? | |||
There are a large number of algorithms presented in this document | There are a large number of algorithms presented in this document | |||
that use nonce values. For all of the nonces defined in this | that use nonce values. For all of the nonces defined in this | |||
document, there is some type of restriction on the nonce being a | document, there is some type of restriction on the nonce being a | |||
unique value either for a key or for some other conditions. In all | unique value for either a key or some other conditions. In all of | |||
of these cases, there is no known requirement on the nonce being both | these cases, there is no known requirement on the nonce being both | |||
unique and unpredictable; under these circumstances, it's reasonable | unique and unpredictable; under these circumstances, it's reasonable | |||
to use a counter for creation of the nonce. In cases where one wants | to use a counter for creation of the nonce. In cases where one wants | |||
the pattern of the nonce to be unpredictable as well as unique, one | the pattern of the nonce to be unpredictable as well as unique, one | |||
can use a key created for that purpose and encrypt the counter to | can use a key created for that purpose and encrypt the counter to | |||
produce the nonce value. | produce the nonce value. | |||
One area that has been getting exposure is traffic analysis of | One area that has been getting exposure is traffic analysis of | |||
encrypted messages based on the length of the message. This | encrypted messages based on the length of the message. This | |||
specification does not provide for a uniform method of providing | specification does not provide a uniform method of providing padding | |||
padding as part of the message structure. An observer can | as part of the message structure. An observer can distinguish | |||
distinguish between two different messages (for example, 'YES' and | between two different messages (for example, "YES" and "NO") based on | |||
'NO') based on the length for all of the content encryption | the length for all of the content encryption algorithms that are | |||
algorithms that are defined in this document. This means that it is | defined in this document. This means that it is up to the | |||
up to the applications to document how content padding is to be done | applications to document how content padding is to be done, in order | |||
in order to prevent or discourage such analysis. (For example, the | to prevent or discourage such analysis. (For example, the text | |||
text strings could be defined as 'YES' and 'NO '.) | strings could be defined as "YES" and "NO".) | |||
The analsys done in [I-D.ietf-quic-tls] is based on the number of | The analysis done in [RFC9001] is based on the number of records/ | |||
records/packets that are sent. This should map well to the number of | packets that are sent. This should map well to the number of | |||
messages sent when use COSE so that analysis should hold here as | messages sent when using COSE, so that analysis should hold here as | |||
well. It needs to be noted that the limits are based on the number | well. It needs to be noted that the limits are based on the number | |||
of messages, but QUIC and DTLS are always pair-wise based endpoints, | of messages, but QUIC and DTLS are always pairwise-based endpoints | |||
[I-D.ietf-core-oscore-groupcomm] use COSE in a group communication. | [OSCORE-GROUPCOMM] and use COSE in a group communication. Under | |||
Under these circumstances it may be that no one single entity will | these circumstances, it may be that no one single entity will see all | |||
see all of the messages that are encrypted an therefore no single | of the messages that are encrypted, and therefore no single entity | |||
entity can trigger the rekey operation. | can trigger the rekey operation. | |||
12. References | 12. References | |||
12.1. Normative References | 12.1. Normative References | |||
[I-D.ietf-cose-rfc8152bis-struct] | [AES-GCM] Dworkin, M., "Recommendation for Block Cipher Modes of | |||
Schaad, J., "CBOR Object Signing and Encryption (COSE): | Operation: Galois/Counter Mode (GCM) and GMAC", NIST | |||
Structures and Process", Work in Progress, Internet-Draft, | Special Publication 800-38D, DOI 10.6028/NIST.SP.800-38D, | |||
draft-ietf-cose-rfc8152bis-struct-13, 4 September 2020, | November 2007, <https://csrc.nist.gov/publications/ | |||
<https://tools.ietf.org/html/draft-ietf-cose-rfc8152bis- | nistpubs/800-38D/SP-800-38D.pdf>. | |||
struct-13>. | ||||
[DSS] National Institute of Standards and Technology, "Digital | ||||
Signature Standard (DSS)", FIPS PUB 186-4, | ||||
DOI 10.6028/NIST.FIPS.186-4, July 2013, | ||||
<https://nvlpubs.nist.gov/nistpubs/FIPS/ | ||||
NIST.FIPS.186-4.pdf>. | ||||
[MAC] Menezes, A., van Oorschot, P., and S. Vanstone, "Handbook | ||||
of Applied Cryptography", CRC Press, Boca Raton, 1996, | ||||
<https://cacr.uwaterloo.ca/hac/>. | ||||
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- | [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- | |||
Hashing for Message Authentication", RFC 2104, | Hashing for Message Authentication", RFC 2104, | |||
DOI 10.17487/RFC2104, February 1997, | DOI 10.17487/RFC2104, February 1997, | |||
<https://www.rfc-editor.org/info/rfc2104>. | <https://www.rfc-editor.org/info/rfc2104>. | |||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
<https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
skipping to change at page 50, line 41 ¶ | skipping to change at line 2225 ¶ | |||
[RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic | [RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic | |||
Curve Cryptography Algorithms", RFC 6090, | Curve Cryptography Algorithms", RFC 6090, | |||
DOI 10.17487/RFC6090, February 2011, | DOI 10.17487/RFC6090, February 2011, | |||
<https://www.rfc-editor.org/info/rfc6090>. | <https://www.rfc-editor.org/info/rfc6090>. | |||
[RFC6979] Pornin, T., "Deterministic Usage of the Digital Signature | [RFC6979] Pornin, T., "Deterministic Usage of the Digital Signature | |||
Algorithm (DSA) and Elliptic Curve Digital Signature | Algorithm (DSA) and Elliptic Curve Digital Signature | |||
Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August | Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August | |||
2013, <https://www.rfc-editor.org/info/rfc6979>. | 2013, <https://www.rfc-editor.org/info/rfc6979>. | |||
[RFC7049] Bormann, C. and P. Hoffman, "Concise Binary Object | ||||
Representation (CBOR)", RFC 7049, DOI 10.17487/RFC7049, | ||||
October 2013, <https://www.rfc-editor.org/info/rfc7049>. | ||||
[RFC8439] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF | ||||
Protocols", RFC 8439, DOI 10.17487/RFC8439, June 2018, | ||||
<https://www.rfc-editor.org/info/rfc8439>. | ||||
[RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves | [RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves | |||
for Security", RFC 7748, DOI 10.17487/RFC7748, January | for Security", RFC 7748, DOI 10.17487/RFC7748, January | |||
2016, <https://www.rfc-editor.org/info/rfc7748>. | 2016, <https://www.rfc-editor.org/info/rfc7748>. | |||
[RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch, | ||||
"PKCS #1: RSA Cryptography Specifications Version 2.2", | ||||
RFC 8017, DOI 10.17487/RFC8017, November 2016, | ||||
<https://www.rfc-editor.org/info/rfc8017>. | ||||
[RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital | ||||
Signature Algorithm (EdDSA)", RFC 8032, | ||||
DOI 10.17487/RFC8032, January 2017, | ||||
<https://www.rfc-editor.org/info/rfc8032>. | ||||
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
[AES-GCM] National Institute of Standards and Technology, | [RFC8439] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF | |||
"Recommendation for Block Cipher Modes of Operation: | Protocols", RFC 8439, DOI 10.17487/RFC8439, June 2018, | |||
Galois/Counter Mode (GCM) and GMAC", | <https://www.rfc-editor.org/info/rfc8439>. | |||
DOI 10.6028/NIST.SP.800-38D, NIST Special | ||||
Publication 800-38D, November 2007, | ||||
<https://csrc.nist.gov/publications/nistpubs/800-38D/SP- | ||||
800-38D.pdf>. | ||||
[DSS] National Institute of Standards and Technology, "Digital | [RFC8949] Bormann, C. and P. Hoffman, "Concise Binary Object | |||
Signature Standard (DSS)", DOI 10.6028/NIST.FIPS.186-4, | Representation (CBOR)", STD 94, RFC 8949, | |||
FIPS PUB 186-4, July 2013, | DOI 10.17487/RFC8949, December 2020, | |||
<http://nvlpubs.nist.gov/nistpubs/FIPS/ | <https://www.rfc-editor.org/info/rfc8949>. | |||
NIST.FIPS.186-4.pdf>. | ||||
[MAC] Menees, A., van Oorschot, P., and S. Vanstone, "Handbook | [RFC9052] Schaad, J., "CBOR Object Signing and Encryption (COSE): | |||
of Applied Cryptography", 1996. | Structures and Process", STD 96, RFC 9052, | |||
DOI 10.17487/RFC9052, July 2021, | ||||
<https://www.rfc-editor.org/info/rfc9052>. | ||||
[SEC1] Certicom Research, "SEC 1: Elliptic Curve Cryptography", | [SEC1] Certicom Research, "SEC 1: Elliptic Curve Cryptography", | |||
May 2009, <http://www.secg.org/sec1-v2.pdf>. | Standards for Efficient Cryptography, May 2009, | |||
<https://www.secg.org/sec1-v2.pdf>. | ||||
[RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital | 12.2. Informative References | |||
Signature Algorithm (EdDSA)", RFC 8032, | ||||
DOI 10.17487/RFC8032, January 2017, | ||||
<https://www.rfc-editor.org/info/rfc8032>. | ||||
[RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch, | [CFRG-DET-SIGS] | |||
"PKCS #1: RSA Cryptography Specifications Version 2.2", | Mattsson, J. P., Thormarker, E., and S. Ruohomaa, | |||
RFC 8017, DOI 10.17487/RFC8017, November 2016, | "Deterministic ECDSA and EdDSA Signatures with Additional | |||
<https://www.rfc-editor.org/info/rfc8017>. | Randomness", Work in Progress, Internet-Draft, draft- | |||
mattsson-cfrg-det-sigs-with-noise-02, 11 March 2020, | ||||
<https://datatracker.ietf.org/doc/html/draft-mattsson- | ||||
cfrg-det-sigs-with-noise-02>. | ||||
12.2. Informative References | [GitHub-Examples] | |||
"GitHub Examples of COSE", commit 3221310, 3 June 2020, | ||||
<https://github.com/cose-wg/Examples>. | ||||
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for | [HKDF] Krawczyk, H., "Cryptographic Extraction and Key | |||
Writing an IANA Considerations Section in RFCs", BCP 26, | Derivation: The HKDF Scheme", 2010, | |||
RFC 8126, DOI 10.17487/RFC8126, June 2017, | <https://eprint.iacr.org/2010/264.pdf>. | |||
<https://www.rfc-editor.org/info/rfc8126>. | ||||
[RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data | [OSCORE-GROUPCOMM] | |||
Definition Language (CDDL): A Notational Convention to | Tiloca, M., Selander, G., Palombini, F., Mattsson, J. P., | |||
Express Concise Binary Object Representation (CBOR) and | and J. Park, "Group OSCORE - Secure Group Communication | |||
JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610, | for CoAP", Work in Progress, Internet-Draft, draft-ietf- | |||
June 2019, <https://www.rfc-editor.org/info/rfc8610>. | core-oscore-groupcomm-11, 22 February 2021, | |||
<https://datatracker.ietf.org/doc/html/draft-ietf-core- | ||||
oscore-groupcomm-11>. | ||||
[RFC4231] Nystrom, M., "Identifiers and Test Vectors for HMAC-SHA- | [RFC4231] Nystrom, M., "Identifiers and Test Vectors for HMAC-SHA- | |||
224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512", | 224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512", | |||
RFC 4231, DOI 10.17487/RFC4231, December 2005, | RFC 4231, DOI 10.17487/RFC4231, December 2005, | |||
<https://www.rfc-editor.org/info/rfc4231>. | <https://www.rfc-editor.org/info/rfc4231>. | |||
[RFC4493] Song, JH., Poovendran, R., Lee, J., and T. Iwata, "The | [RFC4493] Song, JH., Poovendran, R., Lee, J., and T. Iwata, "The | |||
AES-CMAC Algorithm", RFC 4493, DOI 10.17487/RFC4493, June | AES-CMAC Algorithm", RFC 4493, DOI 10.17487/RFC4493, June | |||
2006, <https://www.rfc-editor.org/info/rfc4493>. | 2006, <https://www.rfc-editor.org/info/rfc4493>. | |||
skipping to change at page 52, line 28 ¶ | skipping to change at line 2310 ¶ | |||
[RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk, | [RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk, | |||
"Elliptic Curve Cryptography Subject Public Key | "Elliptic Curve Cryptography Subject Public Key | |||
Information", RFC 5480, DOI 10.17487/RFC5480, March 2009, | Information", RFC 5480, DOI 10.17487/RFC5480, March 2009, | |||
<https://www.rfc-editor.org/info/rfc5480>. | <https://www.rfc-editor.org/info/rfc5480>. | |||
[RFC6151] Turner, S. and L. Chen, "Updated Security Considerations | [RFC6151] Turner, S. and L. Chen, "Updated Security Considerations | |||
for the MD5 Message-Digest and the HMAC-MD5 Algorithms", | for the MD5 Message-Digest and the HMAC-MD5 Algorithms", | |||
RFC 6151, DOI 10.17487/RFC6151, March 2011, | RFC 6151, DOI 10.17487/RFC6151, March 2011, | |||
<https://www.rfc-editor.org/info/rfc6151>. | <https://www.rfc-editor.org/info/rfc6151>. | |||
[STD90] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data | ||||
Interchange Format", STD 90, RFC 8259, December 2017. | ||||
<https://www.rfc-editor.org/info/std90> | ||||
[RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained | [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained | |||
Application Protocol (CoAP)", RFC 7252, | Application Protocol (CoAP)", RFC 7252, | |||
DOI 10.17487/RFC7252, June 2014, | DOI 10.17487/RFC7252, June 2014, | |||
<https://www.rfc-editor.org/info/rfc7252>. | <https://www.rfc-editor.org/info/rfc7252>. | |||
[RFC7518] Jones, M., "JSON Web Algorithms (JWA)", RFC 7518, | [RFC7518] Jones, M., "JSON Web Algorithms (JWA)", RFC 7518, | |||
DOI 10.17487/RFC7518, May 2015, | DOI 10.17487/RFC7518, May 2015, | |||
<https://www.rfc-editor.org/info/rfc7518>. | <https://www.rfc-editor.org/info/rfc7518>. | |||
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for | ||||
Writing an IANA Considerations Section in RFCs", BCP 26, | ||||
RFC 8126, DOI 10.17487/RFC8126, June 2017, | ||||
<https://www.rfc-editor.org/info/rfc8126>. | ||||
[RFC8152] Schaad, J., "CBOR Object Signing and Encryption (COSE)", | [RFC8152] Schaad, J., "CBOR Object Signing and Encryption (COSE)", | |||
RFC 8152, DOI 10.17487/RFC8152, July 2017, | RFC 8152, DOI 10.17487/RFC8152, July 2017, | |||
<https://www.rfc-editor.org/info/rfc8152>. | <https://www.rfc-editor.org/info/rfc8152>. | |||
[RFC8551] Schaad, J., Ramsdell, B., and S. Turner, "Secure/ | ||||
Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 | ||||
Message Specification", RFC 8551, DOI 10.17487/RFC8551, | ||||
April 2019, <https://www.rfc-editor.org/info/rfc8551>. | ||||
[RFC8230] Jones, M., "Using RSA Algorithms with CBOR Object Signing | [RFC8230] Jones, M., "Using RSA Algorithms with CBOR Object Signing | |||
and Encryption (COSE) Messages", RFC 8230, | and Encryption (COSE) Messages", RFC 8230, | |||
DOI 10.17487/RFC8230, September 2017, | DOI 10.17487/RFC8230, September 2017, | |||
<https://www.rfc-editor.org/info/rfc8230>. | <https://www.rfc-editor.org/info/rfc8230>. | |||
[I-D.ietf-core-oscore-groupcomm] | [RFC8551] Schaad, J., Ramsdell, B., and S. Turner, "Secure/ | |||
Tiloca, M., Selander, G., Palombini, F., and J. Park, | Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 | |||
"Group OSCORE - Secure Group Communication for CoAP", Work | Message Specification", RFC 8551, DOI 10.17487/RFC8551, | |||
in Progress, Internet-Draft, draft-ietf-core-oscore- | April 2019, <https://www.rfc-editor.org/info/rfc8551>. | |||
groupcomm-09, 23 June 2020, <https://tools.ietf.org/html/ | ||||
draft-ietf-core-oscore-groupcomm-09>. | ||||
[I-D.ietf-cose-hash-sig] | [RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data | |||
Housley, R., "Use of the HSS/LMS Hash-based Signature | Definition Language (CDDL): A Notational Convention to | |||
Express Concise Binary Object Representation (CBOR) and | ||||
JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610, | ||||
June 2019, <https://www.rfc-editor.org/info/rfc8610>. | ||||
[RFC8778] Housley, R., "Use of the HSS/LMS Hash-Based Signature | ||||
Algorithm with CBOR Object Signing and Encryption (COSE)", | Algorithm with CBOR Object Signing and Encryption (COSE)", | |||
Work in Progress, Internet-Draft, draft-ietf-cose-hash- | RFC 8778, DOI 10.17487/RFC8778, April 2020, | |||
sig-09, 11 December 2019, | <https://www.rfc-editor.org/info/rfc8778>. | |||
<https://tools.ietf.org/html/draft-ietf-cose-hash-sig-09>. | ||||
[SP800-38d] | [RFC9001] Thomson, M., Ed. and S. Turner, Ed., "Using TLS to Secure | |||
QUIC", RFC 9001, DOI 10.17487/RFC9001, May 2021, | ||||
<https://www.rfc-editor.org/info/rfc9001>. | ||||
[ROBUST] Fischlin, M., Günther, F., and C. Janson, "Robust | ||||
Channels: Handling Unreliable Networks in the Record | ||||
Layers of QUIC and DTLS", February 2020, | ||||
<https://eprint.iacr.org/2020/718.pdf>. | ||||
[SP800-38D] | ||||
Dworkin, M., "Recommendation for Block Cipher Modes of | Dworkin, M., "Recommendation for Block Cipher Modes of | |||
Operation: Galois/Counter Mode (GCM) and GMAC", NIST | Operation: Galois/Counter Mode (GCM) and GMAC", NIST | |||
Special Publication 800-38D , November 2007, | Special Publication 800-38D, November 2007, | |||
<https://nvlpubs.nist.gov/nistpubs/Legacy/SP/ | <https://nvlpubs.nist.gov/nistpubs/Legacy/SP/ | |||
nistspecialpublication800-38d.pdf>. | nistspecialpublication800-38d.pdf>. | |||
[SP800-56A] | [SP800-56A] | |||
Barker, E., Chen, L., Roginsky, A., and M. Smid, | Barker, E., Chen, L., Roginsky, A., and M. Smid, | |||
"Recommendation for Pair-Wise Key Establishment Schemes | "Recommendation for Pair-Wise Key Establishment Schemes | |||
Using Discrete Logarithm Cryptography", | Using Discrete Logarithm Cryptography", NIST Special | |||
DOI 10.6028/NIST.SP.800-56Ar2, NIST Special Publication | Publication 800-56A, Revision 2, | |||
800-56A, Revision 2, May 2013, | DOI 10.6028/NIST.SP.800-56Ar2, May 2013, | |||
<http://nvlpubs.nist.gov/nistpubs/SpecialPublications/ | <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/ | |||
NIST.SP.800-56Ar2.pdf>. | NIST.SP.800-56Ar2.pdf>. | |||
[GitHub-Examples] | [STD90] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data | |||
"GitHub Examples of COSE", | Interchange Format", STD 90, RFC 8259, December 2017, | |||
<https://github.com/cose-wg/Examples>. | <https://www.rfc-editor.org/info/std90>. | |||
[I-D.mattsson-cfrg-det-sigs-with-noise] | ||||
Mattsson, J., Thormarker, E., and S. Ruohomaa, | ||||
"Deterministic ECDSA and EdDSA Signatures with Additional | ||||
Randomness", Work in Progress, Internet-Draft, draft- | ||||
mattsson-cfrg-det-sigs-with-noise-02, 11 March 2020, | ||||
<https://tools.ietf.org/html/draft-mattsson-cfrg-det-sigs- | ||||
with-noise-02>. | ||||
[HKDF] Krawczyk, H., "Cryptographic Extraction and Key | ||||
Derivation: The HKDF Scheme", 2010, | ||||
<https://eprint.iacr.org/2010/264.pdf>. | ||||
[ROBUST] Fischlin, M., Günther, F., and C. Janson, "Robust | ||||
Channels: Handling Unreliable Networks in the Record | ||||
Layers of QUIC and DTLS", February 2020, | ||||
<https://www.felixguenther.info/docs/ | ||||
QUIP2020_RobustChannels.pdf>. | ||||
[I-D.ietf-quic-tls] | ||||
Thomson, M. and S. Turner, "Using TLS to Secure QUIC", | ||||
Work in Progress, Internet-Draft, draft-ietf-quic-tls-30, | ||||
9 September 2020, | ||||
<https://tools.ietf.org/html/draft-ietf-quic-tls-30>. | ||||
Acknowledgments | Acknowledgments | |||
This document is a product of the COSE working group of the IETF. | This document is a product of the COSE Working Group of the IETF. | |||
The following individuals are to blame for getting me started on this | The following individuals are to blame for getting me started on this | |||
project in the first place: Richard Barnes, Matt Miller, and Martin | project in the first place: Richard Barnes, Matt Miller, and Martin | |||
Thomson. | Thomson. | |||
The initial version of the specification was based to some degree on | The initial draft version of the specification was based to some | |||
the outputs of the JOSE and S/MIME working groups. | degree on the outputs of the JOSE and S/MIME Working Groups. | |||
The following individuals provided input into the final form of the | The following individuals provided input into the final form of the | |||
document: Carsten Bormann, John Bradley, Brain Campbell, Michael B. | document: Carsten Bormann, John Bradley, Brian Campbell, Michael | |||
Jones, Ilari Liusvaara, Francesca Palombini, Ludwig Seitz, and | B. Jones, Ilari Liusvaara, Francesca Palombini, Ludwig Seitz, and | |||
Göran Selander. | Göran Selander. | |||
Author's Address | Author's Address | |||
Jim Schaad | Jim Schaad | |||
August Cellars | August Cellars | |||
Email: ietf@augustcellars.com | Email: ietf@augustcellars.com | |||
End of changes. 321 change blocks. | ||||
847 lines changed or deleted | 832 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |