draft-ietf-cose-rfc8152bis-algs-05.txt   draft-ietf-cose-rfc8152bis-algs-06.txt

COSE Working Group                                               J. Schaad
Internet-Draft                                              August Cellars
Obsoletes: 8152 (if approved)      11 September 2019 (-05) / 4 November 2019 (-06)
Intended status: Standards Track
Expires: 14 March 2020 (-05) / 7 May 2020 (-06)

        CBOR Object Signing and Encryption (COSE): Initial Algorithms
     draft-ietf-cose-rfc8152bis-algs-05 / draft-ietf-cose-rfc8152bis-algs-06
Abstract

   Concise Binary Object Representation (CBOR) is a data format designed
   for small code size and small message size. There is a need for the
   ability to have basic security services defined for this data format.
   This document defines the CBOR Object Signing and Encryption (COSE)
   protocol. This specification describes how to create and process
   signatures, message authentication codes, and encryption using CBOR
   for serialization. COSE additionally describes how to represent
   [skipping to change at page 2, line 10]
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 14 March 2020 (-05) / 7 May 2020 (-06).
Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   [skipping to change at page 2, line 33]
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.
Table of Contents (as in draft -06)

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Requirements Terminology . . . . . . . . . . . . . . . .   4
     1.2.  Changes from RFC8152 . . . . . . . . . . . . . . . . . .   4
     1.3.  Document Terminology . . . . . . . . . . . . . . . . . .   4
     1.4.  CBOR Grammar . . . . . . . . . . . . . . . . . . . . . .   4
     1.5.  Examples . . . . . . . . . . . . . . . . . . . . . . . .   5
   2.  Signature Algorithms . . . . . . . . . . . . . . . . . . . .   5
     2.1.  ECDSA  . . . . . . . . . . . . . . . . . . . . . . . . .   5
       2.1.1.  Security Considerations  . . . . . . . . . . . . . .   7
     2.2.  Edwards-Curve Digital Signature Algorithms (EdDSAs)  . .   8
       2.2.1.  Security Considerations  . . . . . . . . . . . . . .   9
   3.  Message Authentication Code (MAC) Algorithms . . . . . . . .   9
     3.1.  Hash-Based Message Authentication Codes (HMACs)  . . . .   9
       3.1.1.  Security Considerations  . . . . . . . . . . . . . .  11
     3.2.  AES Message Authentication Code (AES-CBC-MAC)  . . . . .  11
       3.2.1.  Security Considerations  . . . . . . . . . . . . . .  12
   4.  Content Encryption Algorithms  . . . . . . . . . . . . . . .  12
     4.1.  AES GCM  . . . . . . . . . . . . . . . . . . . . . . . .  12
       4.1.1.  Security Considerations  . . . . . . . . . . . . . .  13
     4.2.  AES CCM  . . . . . . . . . . . . . . . . . . . . . . . .  14
       4.2.1.  Security Considerations  . . . . . . . . . . . . . .  17
     4.3.  ChaCha20 and Poly1305  . . . . . . . . . . . . . . . . .  17
       4.3.1.  Security Considerations  . . . . . . . . . . . . . .  18
   5.  Key Derivation Functions (KDFs)  . . . . . . . . . . . . . .  18
     5.1.  HMAC-Based Extract-and-Expand Key Derivation Function
           (HKDF) . . . . . . . . . . . . . . . . . . . . . . . . .  19
     5.2.  Context Information Structure  . . . . . . . . . . . . .  20
   6.  Content Key Distribution Methods . . . . . . . . . . . . . .  25
     6.1.  Direct Encryption  . . . . . . . . . . . . . . . . . . .  26
       6.1.1.  Direct Key . . . . . . . . . . . . . . . . . . . . .  26
       6.1.2.  Direct Key with KDF  . . . . . . . . . . . . . . . .  27
     6.2.  AES Key Wrap . . . . . . . . . . . . . . . . . . . . . .  29
       6.2.1.  Security Considerations for AES-KW . . . . . . . . .  29
     6.3.  Direct ECDH  . . . . . . . . . . . . . . . . . . . . . .  30
       6.3.1.  Security Considerations  . . . . . . . . . . . . . .  33
     6.4.  ECDH with Key Wrap . . . . . . . . . . . . . . . . . . .  33
   7.  Key Object Parameters  . . . . . . . . . . . . . . . . . . .  35
     7.1.  Elliptic Curve Keys  . . . . . . . . . . . . . . . . . .  35
       7.1.1.  Double Coordinate Curves . . . . . . . . . . . . . .  36
     7.2.  Octet Key Pair . . . . . . . . . . . . . . . . . . . . .  37
     7.3.  Symmetric Keys . . . . . . . . . . . . . . . . . . . . .  38
   8.  COSE Capabilities  . . . . . . . . . . . . . . . . . . . . .  39
     8.1.  Assignments for Existing Key Types . . . . . . . . . . .  39
     8.2.  Assignments for Existing Algorithms  . . . . . . . . . .  40
   9.  CBOR Encoding Restrictions . . . . . . . . . . . . . . . . .  40
   10. IANA Considerations  . . . . . . . . . . . . . . . . . . . .  40
     10.1.  Changes to "COSE Key Types" registry  . . . . . . . . .  40
     10.2.  Changes to "COSE Algorithms" registry . . . . . . . . .  41
   11. Security Considerations  . . . . . . . . . . . . . . . . . .  41
   12. References . . . . . . . . . . . . . . . . . . . . . . . . .  43
     12.1.  Normative References  . . . . . . . . . . . . . . . . .  43
     12.2.  Informative References  . . . . . . . . . . . . . . . .  45
   Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . .  47
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . .  47

   (In draft -05, Section 8 was "CBOR Encoding Restrictions", Section 9
   "IANA Considerations", Section 10 "Security Considerations" and
   Section 11 "References"; the COSE Capabilities section and the two
   IANA subsections are new in -06.)
1. Introduction

   There has been an increased focus on small, constrained devices that
   make up the Internet of Things (IoT). One of the standards that has
   come out of this process is "Concise Binary Object Representation
   (CBOR)" [RFC7049]. CBOR extended the data model of the JavaScript
   Object Notation (JSON) [RFC8259] by allowing for binary data, among
   other changes. CBOR is being adopted by several of the IETF working
   groups dealing with the IoT world as their encoding of data
   [skipping to change at page 19, line 31 (-05) / page 20, line 31 (-06)]
   Table 8: HKDF Algorithms

   +------+-------+------+--------------------------------------+-------------+
   | Name | Label | Type | Algorithm                            | Description |
   +======+=======+======+======================================+=============+
   | salt | -20   | bstr | direct+HKDF-SHA-256,                 | Random salt |
   |      |       |      | direct+HKDF-SHA-512,                 |             |
   |      |       |      | direct+HKDF-AES-128,                 |             |
   |      |       |      | direct+HKDF-AES-256,                 |             |
   |      |       |      | ECDH-ES+HKDF-256, ECDH-ES+HKDF-512,  |             |
   |      |       |      | ECDH-SS+HKDF-256, ECDH-SS+HKDF-512,  |             |
   |      |       |      | ECDH-ES+A128KW, ECDH-ES+A192KW,      |             |
   |      |       |      | ECDH-ES+A256KW, ECDH-SS+A128KW,      |             |
   |      |       |      | ECDH-SS+A192KW, ECDH-SS+A256KW       |             |
   +------+-------+------+--------------------------------------+-------------+

   Table 9: HKDF Algorithm Parameters

5.2. Context Information Structure
   [skipping to change at page 20, line 42 (-05) / page 21, line 42 (-06)]
   All six parameters in Table 10 share the same Algorithm column; each
   is defined for: direct+HKDF-SHA-256, direct+HKDF-SHA-512,
   direct+HKDF-AES-128, direct+HKDF-AES-256, ECDH-ES+HKDF-256,
   ECDH-ES+HKDF-512, ECDH-SS+HKDF-256, ECDH-SS+HKDF-512, ECDH-ES+A128KW,
   ECDH-ES+A192KW, ECDH-ES+A256KW, ECDH-SS+A128KW, ECDH-SS+A192KW and
   ECDH-SS+A256KW.

   +-----------------+-------+------------+------------------------------------+
   | Name            | Label | Type       | Description                        |
   +=================+=======+============+====================================+
   | PartyU identity | -21   | bstr       | Party U identity information       |
   +-----------------+-------+------------+------------------------------------+
   | PartyU nonce    | -22   | bstr / int | Party U provided nonce             |
   +-----------------+-------+------------+------------------------------------+
   | PartyU other    | -23   | bstr       | Party U other provided information |
   +-----------------+-------+------------+------------------------------------+
   | PartyV identity | -24   | bstr       | Party V identity information       |
   +-----------------+-------+------------+------------------------------------+
   | PartyV nonce    | -25   | bstr / int | Party V provided nonce             |
   +-----------------+-------+------------+------------------------------------+
   | PartyV other    | -26   | bstr       | Party V other provided information |
   +-----------------+-------+------------+------------------------------------+

   Table 10: Context Algorithm Parameters
   [skipping to change at page 31, line 11 (-05) / page 32, line 11 (-06)]
   +-----------+-------+---------+------------+------+-----------------+

   Table 14: ECDH Algorithm Values

   +---------------+-------+----------+-------------------------------------+-----------------------+
   | Name          | Label | Type     | Algorithm                           | Description           |
   +===============+=======+==========+=====================================+=======================+
   | ephemeral key | -1    | COSE_Key | ECDH-ES+HKDF-256, ECDH-ES+HKDF-512, | Ephemeral public key  |
   |               |       |          | ECDH-ES+A128KW, ECDH-ES+A192KW,     | for the sender        |
   |               |       |          | ECDH-ES+A256KW                      |                       |
   +---------------+-------+----------+-------------------------------------+-----------------------+
   | static key    | -2    | COSE_Key | ECDH-SS+HKDF-256, ECDH-SS+HKDF-512, | Static public key for |
   |               |       |          | ECDH-SS+A128KW, ECDH-SS+A192KW,     | the sender            |
   |               |       |          | ECDH-SS+A256KW                      |                       |
   +---------------+-------+----------+-------------------------------------+-----------------------+
   | static key id | -3    | bstr     | ECDH-SS+HKDF-256, ECDH-SS+HKDF-512, | Static public key     |
   |               |       |          | ECDH-SS+A128KW, ECDH-SS+A192KW,     | identifier for the    |
   |               |       |          | ECDH-SS+A256KW                      | sender                |
   +---------------+-------+----------+-------------------------------------+-----------------------+

   Table 15: ECDH Algorithm Parameters
   This document defines these algorithms to be used with the curves
   P-256, P-384, P-521, X25519, and X448. Implementations MUST verify
   that the key type and curve are correct. Different curves are
   restricted to different key types. Implementations MUST verify that
   the curve and algorithm are appropriate for the entities involved.
   [skipping to change at page 38, line 5 (-05) / page 39, line 5 (-06)]
   'k' be present in the structure.

   +------+----------+-------+------+-------------+
   | Name | Key Type | Label | Type | Description |
   +======+==========+=======+======+=============+
   | k    | 4        | -1    | bstr | Key Value   |
   +------+----------+-------+------+-------------+

   Table 21: Symmetric Key Parameters

8. COSE Capabilities
   There are some situations that have been identified where the
   capabilities of an algorithm need to be specified. One example of
   this is in [I-D.ietf-core-oscore-groupcomm], where the capabilities
   of the counter signature algorithm are mixed into the traffic key
   derivation process. This has a counterpart in the S/MIME
   specifications, where SMIMECapabilities is defined in Section 2.5.2
   of [RFC8551]. The concept is being pulled forward and defined now
   for COSE.

   Two different types of capabilities are defined: capabilities for
   algorithms and capabilities for key structures. Once defined by
   registration with IANA, the list of capabilities is immutable. As a
   general rule, the capabilities are going to correspond to algorithm
   or key fields, but they do not need to do so. An example of this is
   the HSS-LMS key capabilities defined below, where the hash algorithm
   used is included.

   The capability structure is an array of values, the order being
   dependent on the specific algorithm or key. For an algorithm, the
   first element should always be a key type value, but the items that
   are specific to a key should not be included in the algorithm
   capabilities. This means that if one wishes to enumerate all of the
   capabilities for a device which implements ECDH, it requires multiple
   pairs of capability structures (algorithm, key) to deal with the
   different key types and curves that are supported. For a key, the
   first element should also be a key type value. This value will be
   duplicated when both an algorithm and a key capability are used, but
   the key type is needed in order to understand the rest of the values.

8.1. Assignments for Existing Key Types

   There are a number of pre-existing key types; the following creates
   the capability definition for those structures:

   * OKP, EC2: The list of capabilities is:

      - The key type value,

      - One curve for that key type.

   * RSA: The list of capabilities is:

      - The key type value.

   * Symmetric: The list of capabilities is:

      - The key type value.

   * HSS-LMS: The list of capabilities is:

      - The key type value,

      - Algorithm identifier for the underlying hash function.

8.2. Assignments for Existing Algorithms

   For the current set of algorithms in the registry, those in this
   document as well as those in [RFC8230] and [I-D.ietf-cose-hash-sig],
   the capabilities are set to the single entry of the key type that
   will be accepted. It is expected that other algorithms will have no
   items or multiple items.

9. CBOR Encoding Restrictions
   There has been an attempt to limit the number of places where the
   document needs to impose restrictions on how the CBOR Encoder needs
   to work. We have managed to narrow it down to the following
   restrictions:

   * The restrictions apply to the encoding of the COSE_KDF_Context.

   * Encoding MUST be done using definite lengths, and the length of the
     encoded value MUST be the minimum possible length. This means that
     the integer 1 is encoded as "0x01" and not "0x1801".

   * Applications MUST NOT generate messages with the same label used
     twice as a key in a single map. Applications MUST NOT parse and
     process messages with the same label used twice as a key in a
     single map. Applications can enforce the parse and process
     requirement by using parsers that will fail the parse step or by
     using parsers that will pass all keys to the application, and the
     application can perform the check for duplicate keys.
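   The Section 8 capability arrays, the Section 9 encoder restrictions
   and the Section 6.3 requirement that key type and curve agree, as an
   added worked example in Python. It is not part of this draft and not
   code from any COSE implementation. The numeric curve identifiers it
   uses (P-256=1, P-384=2, P-521=3, X25519=4, X448=5) are an assumption
   taken from the IANA "COSE Elliptic Curves" registry and are not
   listed on this page; the key type values are those of Table 22; the
   value -16 used in the usage note as an HSS-LMS hash algorithm
   identifier is likewise assumed (SHA-256 in the COSE Algorithms
   registry).

```python
# Added example, not from the draft or any COSE implementation: a small CBOR
# encoder/decoder enforcing the Section 9 restrictions and building the Section
# 8 capability arrays.  Assumed, not on this page: curve ids (P-256=1, P-384=2,
# P-521=3, X25519=4, X448=5) are from the IANA COSE Elliptic Curves registry.
from typing import Any, List, Optional, Sequence, Tuple

KTY_OKP, KTY_EC2, KTY_RSA, KTY_SYMMETRIC, KTY_HSS_LMS = 1, 2, 3, 4, 5  # Table 22
# curve name -> (curve id, the one key type the curve is restricted to)
CURVES = {"P-256": (1, KTY_EC2), "P-384": (2, KTY_EC2), "P-521": (3, KTY_EC2),
          "X25519": (4, KTY_OKP), "X448": (5, KTY_OKP)}

def _head(major: int, n: int) -> bytes:
    """Initial byte plus argument in the shortest form (1 -> 0x01, never 0x1801)."""
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([(major << 5) | ai]) + n.to_bytes(size, "big")
    raise ValueError("integer too large for CBOR")

def encode(v: Any) -> bytes:
    """Definite-length encoding of int, bstr, tstr, array (list) and map (dict)."""
    if isinstance(v, int) and not isinstance(v, bool):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        return _head(3, len(v.encode())) + v.encode()
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(encode(x) for x in v)
    if isinstance(v, dict):  # a dict cannot hold a label twice: generate-side rule
        return _head(5, len(v)) + b"".join(encode(k) + encode(x) for k, x in v.items())
    raise TypeError(f"unsupported type {type(v).__name__}")

def _decode(d: bytes, i: int) -> Tuple[Any, int]:
    major, ai, i = d[i] >> 5, d[i] & 0x1F, i + 1
    if ai < 24:
        n = ai
    elif ai <= 27:
        size = 1 << (ai - 24)
        if i + size > len(d):
            raise ValueError("truncated argument")
        n, i = int.from_bytes(d[i:i + size], "big"), i + size
        if n < (24 if size == 1 else 1 << (4 * size)):   # fits a shorter form
            raise ValueError("non-minimal integer encoding")
    else:
        raise ValueError("indefinite length or reserved additional information")
    if major < 2:
        return (n if major == 0 else -1 - n), i
    if major in (2, 3):
        if i + n > len(d):
            raise ValueError("truncated string")
        s = d[i:i + n]
        return (s if major == 2 else s.decode("utf-8")), i + n
    if major in (4, 5):
        items, m = [], {}
        for _ in range(n):
            k, i = _decode(d, i)              # COSE labels are int or tstr
            if major == 4:
                items.append(k)
            elif k in m:                      # receive-side rule of Section 9
                raise ValueError(f"label {k!r} used twice in one map")
            else:
                m[k], i = _decode(d, i)
        return (items if major == 4 else m), i
    raise ValueError(f"major type {major} is not used by these structures")

def decode(data: bytes) -> Any:
    """Strict receiver-side decode of exactly one item."""
    v, end = _decode(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after item")
    return v

def is_acceptable(data: bytes) -> bool:
    """True when a receiver may parse and process the item under Section 9."""
    try:
        decode(data)
        return True
    except (ValueError, IndexError):
        return False

def curve_matches_key_type(kty: int, curve: Optional[str]) -> bool:
    return curve in CURVES and CURVES[curve][1] == kty   # Section 6.3 check

def key_capabilities(kty: int, curve: Optional[str] = None,
                     hash_alg: Optional[int] = None) -> List[int]:
    """Capability array for a key, Section 8.1 / Table 22."""
    if kty in (KTY_OKP, KTY_EC2):
        if not curve_matches_key_type(kty, curve):
            raise ValueError(f"curve {curve!r} is not valid for key type {kty}")
        return [kty, CURVES[curve][0]]
    if kty == KTY_HSS_LMS:
        if hash_alg is None:
            raise ValueError("HSS-LMS capabilities include the hash algorithm")
        return [kty, hash_alg]
    return [kty]                                  # RSA, Symmetric: key type only

def algorithm_capabilities(kty: int) -> List[int]:
    """Section 8.2: current algorithms advertise only the key type they accept."""
    return [kty]

def ecdh_capability_pairs(curves: Sequence[str]) -> List[Tuple[bytes, bytes]]:
    """One encoded (algorithm, key) capability pair per curve an ECDH device supports."""
    return [(encode(algorithm_capabilities(CURVES[c][1])),
             encode(key_capabilities(CURVES[c][1], c))) for c in curves]
```

   ecdh_capability_pairs(["P-256", "X25519"]) returns the encodings of
   ([2], [2, 1]) and ([1], [1, 4]), one (algorithm, key) pair per key
   type and curve as Section 8 requires; key_capabilities(KTY_HSS_LMS,
   hash_alg=-16) gives [5, -16]. On the receiving side,
   is_acceptable(bytes.fromhex("1801")) and
   is_acceptable(bytes.fromhex("a201020103")) both return False, the
   first because 1 was not encoded as 0x01 and the second because label
   1 appears twice in one map.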
10. IANA Considerations

10.1. Changes to "COSE Key Types" registry

   IANA is requested to create a new column in the "COSE Key Types"
   registry. The new column is to be labeled "Capabilities". The new
   column is to be populated according to the entries in Table 22.

   +-------+-----------+---------------------+
   | Value | Name      | Capabilities        |
   +=======+===========+=====================+
   | 1     | OKP       | kty, crv            |
   +-------+-----------+---------------------+
   | 2     | EC2       | kty, crv            |
   +-------+-----------+---------------------+
   | 3     | RSA       | kty                 |
   +-------+-----------+---------------------+
   | 4     | Symmetric | kty                 |
   +-------+-----------+---------------------+
   | 5     | HSS-LMS   | kty, hash algorithm |
   +-------+-----------+---------------------+

   Table 22: Key Type Capabilities

10.2. Changes to "COSE Algorithms" registry

   IANA is requested to create a new column in the "COSE Algorithms"
   registry. The new column is to be labeled "Capabilities". The new
   column is populated with "kty" for all current, non-provisional,
   registrations. It is expected that the documents which define those
   algorithms will be expanded to include this registration; if this is
   not done, then the Designated Expert (DE) should be consulted at the
   time of final registration.
11. Security Considerations

   There are a number of security considerations that need to be taken
   into account by implementers of this specification. The security
   considerations that are specific to an individual algorithm are
   placed next to the description of the algorithm. While some
   considerations have been highlighted here, additional considerations
   may be found in the documents listed in the references.

   Implementations need to protect the private key material for any
   individuals. There are some cases in this document that need to be
   [skipping to change at page 40, line 30 (-05) / page 43, line 30 (-06)]
   analysis of encrypted messages based on the length of the message.
   This specification does not provide for a uniform method of providing
   padding as part of the message structure. An observer can
   distinguish between two different strings (for example, 'YES' and
   'NO') based on the length for all of the content encryption
   algorithms that are defined in this document. This means that it is
   up to the applications to document how content padding is to be done
   in order to prevent or discourage such analysis. (For example, the
   strings could be defined as 'YES' and 'NO '.)

12. References
11.1. Normative References
[AES-GCM] National Institute of Standards and Technology,
"Recommendation for Block Cipher Modes of Operation:
Galois/Counter Mode (GCM) and GMAC",
DOI 10.6028/NIST.SP.800-38D, NIST Special
Publication 800-38D, November 2007,
<https://csrc.nist.gov/publications/nistpubs/800-38D/SP-
800-38D.pdf>.
[DSS] National Institute of Standards and Technology, "Digital 12.1. Normative References
Signature Standard (DSS)", DOI 10.6028/NIST.FIPS.186-4,
FIPS PUB 186-4, July 2013,
<http://nvlpubs.nist.gov/nistpubs/FIPS/
NIST.FIPS.186-4.pdf>.
[I-D.ietf-cose-rfc8152bis-struct] [I-D.ietf-cose-rfc8152bis-struct]
Schaad, J., "CBOR Object Signing and Encryption (COSE): Schaad, J., "CBOR Object Signing and Encryption (COSE):
Structures and Process", Internet Draft, draft-ietf-cose- Structures and Process", Work in Progress, Internet-Draft,
rfc8152bis-struct-05, August 18, 2019, draft-ietf-cose-rfc8152bis-struct-06, 11 September 2019,
<https://www.ietf.org/archive/id/draft-ietf-cose- <https://tools.ietf.org/html/draft-ietf-cose-rfc8152bis-
rfc8152bis-struct-05>. struct-06>.
[MAC] National Institute of Standards and Technology, "Computer
Data Authentication", FIPS PUB 113, May 1985,
<http://csrc.nist.gov/publications/fips/fips113/
fips113.html>.
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
Hashing for Message Authentication", RFC 2104, Hashing for Message Authentication", RFC 2104,
DOI 10.17487/RFC2104, February 1997, DOI 10.17487/RFC2104, February 1997,
<https://www.rfc-editor.org/info/rfc2104>. <https://www.rfc-editor.org/info/rfc2104>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
skipping to change at page 41, line 49 skipping to change at page 44, line 30
[RFC6979] Pornin, T., "Deterministic Usage of the Digital Signature [RFC6979] Pornin, T., "Deterministic Usage of the Digital Signature
Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature
Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August
2013, <https://www.rfc-editor.org/info/rfc6979>. 2013, <https://www.rfc-editor.org/info/rfc6979>.
[RFC7049] Bormann, C. and P. Hoffman, "Concise Binary Object [RFC7049] Bormann, C. and P. Hoffman, "Concise Binary Object
Representation (CBOR)", RFC 7049, DOI 10.17487/RFC7049, Representation (CBOR)", RFC 7049, DOI 10.17487/RFC7049,
October 2013, <https://www.rfc-editor.org/info/rfc7049>. October 2013, <https://www.rfc-editor.org/info/rfc7049>.
[RFC8439] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF
Protocols", RFC 8439, DOI 10.17487/RFC8439, June 2018,
<https://www.rfc-editor.org/info/rfc8439>.
[RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves [RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
for Security", RFC 7748, DOI 10.17487/RFC7748, January for Security", RFC 7748, DOI 10.17487/RFC7748, January
2016, <https://www.rfc-editor.org/info/rfc7748>. 2016, <https://www.rfc-editor.org/info/rfc7748>.
[RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital
Signature Algorithm (EdDSA)", RFC 8032,
DOI 10.17487/RFC8032, January 2017,
<https://www.rfc-editor.org/info/rfc8032>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8439] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF [AES-GCM] National Institute of Standards and Technology,
Protocols", RFC 8439, DOI 10.17487/RFC8439, June 2018, "Recommendation for Block Cipher Modes of Operation:
<https://www.rfc-editor.org/info/rfc8439>. Galois/Counter Mode (GCM) and GMAC",
DOI 10.6028/NIST.SP.800-38D, NIST Special
Publication 800-38D, November 2007,
<https://csrc.nist.gov/publications/nistpubs/800-38D/SP-
800-38D.pdf>.
[DSS] National Institute of Standards and Technology, "Digital
Signature Standard (DSS)", DOI 10.6028/NIST.FIPS.186-4,
FIPS PUB 186-4, July 2013,
<http://nvlpubs.nist.gov/nistpubs/FIPS/
NIST.FIPS.186-4.pdf>.
[MAC] National Institute of Standards and Technology, "Computer
Data Authentication", FIPS PUB 113, May 1985,
<http://csrc.nist.gov/publications/fips/fips113/
fips113.html>.
[SEC1] Certicom Research, "SEC 1: Elliptic Curve Cryptography", [SEC1] Certicom Research, "SEC 1: Elliptic Curve Cryptography",
May 2009, <http://www.secg.org/sec1-v2.pdf>. May 2009, <http://www.secg.org/sec1-v2.pdf>.
11.2. Informative References [RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital
Signature Algorithm (EdDSA)", RFC 8032,
DOI 10.17487/RFC8032, January 2017,
<https://www.rfc-editor.org/info/rfc8032>.
12.2. Informative References
[RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data
Definition Language (CDDL): A Notational Convention to
Express Concise Binary Object Representation (CBOR) and
JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610,
June 2019, <https://www.rfc-editor.org/info/rfc8610>.
[RFC4231] Nystrom, M., "Identifiers and Test Vectors for HMAC-SHA- [RFC4231] Nystrom, M., "Identifiers and Test Vectors for HMAC-SHA-
224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512", 224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512",
RFC 4231, DOI 10.17487/RFC4231, December 2005, RFC 4231, DOI 10.17487/RFC4231, December 2005,
<https://www.rfc-editor.org/info/rfc4231>. <https://www.rfc-editor.org/info/rfc4231>.
[RFC4493] Song, JH., Poovendran, R., Lee, J., and T. Iwata, "The [RFC4493] Song, JH., Poovendran, R., Lee, J., and T. Iwata, "The
AES-CMAC Algorithm", RFC 4493, DOI 10.17487/RFC4493, June AES-CMAC Algorithm", RFC 4493, DOI 10.17487/RFC4493, June
2006, <https://www.rfc-editor.org/info/rfc4493>. 2006, <https://www.rfc-editor.org/info/rfc4493>.
skipping to change at page 42, line 46 skipping to change at page 46, line 5
[RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk, [RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk,
"Elliptic Curve Cryptography Subject Public Key "Elliptic Curve Cryptography Subject Public Key
Information", RFC 5480, DOI 10.17487/RFC5480, March 2009, Information", RFC 5480, DOI 10.17487/RFC5480, March 2009,
<https://www.rfc-editor.org/info/rfc5480>. <https://www.rfc-editor.org/info/rfc5480>.
[RFC6151] Turner, S. and L. Chen, "Updated Security Considerations [RFC6151] Turner, S. and L. Chen, "Updated Security Considerations
for the MD5 Message-Digest and the HMAC-MD5 Algorithms", for the MD5 Message-Digest and the HMAC-MD5 Algorithms",
RFC 6151, DOI 10.17487/RFC6151, March 2011, RFC 6151, DOI 10.17487/RFC6151, March 2011,
<https://www.rfc-editor.org/info/rfc6151>. <https://www.rfc-editor.org/info/rfc6151>.
[RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
Interchange Format", STD 90, RFC 8259,
DOI 10.17487/RFC8259, December 2017,
<https://www.rfc-editor.org/info/rfc8259>.
[RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
Application Protocol (CoAP)", RFC 7252, Application Protocol (CoAP)", RFC 7252,
DOI 10.17487/RFC7252, June 2014, DOI 10.17487/RFC7252, June 2014,
<https://www.rfc-editor.org/info/rfc7252>. <https://www.rfc-editor.org/info/rfc7252>.
[RFC7518] Jones, M., "JSON Web Algorithms (JWA)", RFC 7518, [RFC7518] Jones, M., "JSON Web Algorithms (JWA)", RFC 7518,
DOI 10.17487/RFC7518, May 2015, DOI 10.17487/RFC7518, May 2015,
<https://www.rfc-editor.org/info/rfc7518>. <https://www.rfc-editor.org/info/rfc7518>.
[RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch, [RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch,
"PKCS #1: RSA Cryptography Specifications Version 2.2", "PKCS #1: RSA Cryptography Specifications Version 2.2",
RFC 8017, DOI 10.17487/RFC8017, November 2016, RFC 8017, DOI 10.17487/RFC8017, November 2016,
<https://www.rfc-editor.org/info/rfc8017>. <https://www.rfc-editor.org/info/rfc8017>.
[RFC8152] Schaad, J., "CBOR Object Signing and Encryption (COSE)", [RFC8152] Schaad, J., "CBOR Object Signing and Encryption (COSE)",
RFC 8152, DOI 10.17487/RFC8152, July 2017, RFC 8152, DOI 10.17487/RFC8152, July 2017,
<https://www.rfc-editor.org/info/rfc8152>. <https://www.rfc-editor.org/info/rfc8152>.
[RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data [RFC8551] Schaad, J., Ramsdell, B., and S. Turner, "Secure/
Interchange Format", STD 90, RFC 8259, Multipurpose Internet Mail Extensions (S/MIME) Version 4.0
DOI 10.17487/RFC8259, December 2017, Message Specification", RFC 8551, DOI 10.17487/RFC8551,
<https://www.rfc-editor.org/info/rfc8259>. April 2019, <https://www.rfc-editor.org/info/rfc8551>.
[RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data [RFC8230] Jones, M., "Using RSA Algorithms with CBOR Object Signing
Definition Language (CDDL): A Notational Convention to and Encryption (COSE) Messages", RFC 8230,
Express Concise Binary Object Representation (CBOR) and DOI 10.17487/RFC8230, September 2017,
JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610, <https://www.rfc-editor.org/info/rfc8230>.
June 2019, <https://www.rfc-editor.org/info/rfc8610>.
[I-D.ietf-core-oscore-groupcomm]
Tiloca, M., Selander, G., Palombini, F., and J. Park,
"Group OSCORE - Secure Group Communication for CoAP", Work
in Progress, Internet-Draft, draft-ietf-core-oscore-
groupcomm-05, 5 July 2019, <https://tools.ietf.org/html/
draft-ietf-core-oscore-groupcomm-05>.
[I-D.ietf-cose-hash-sig]
Housley, R., "Use of the HSS/LMS Hash-based Signature
Algorithm with CBOR Object Signing and Encryption (COSE)",
Work in Progress, Internet-Draft, draft-ietf-cose-hash-
sig-06, 1 November 2019,
<https://tools.ietf.org/html/draft-ietf-cose-hash-sig-06>.
[SP800-56A] [SP800-56A]
Barker, E., Chen, L., Roginsky, A., and M. Smid, Barker, E., Chen, L., Roginsky, A., and M. Smid,
"Recommendation for Pair-Wise Key Establishment Schemes "Recommendation for Pair-Wise Key Establishment Schemes
Using Discrete Logarithm Cryptography", Using Discrete Logarithm Cryptography",
DOI 10.6028/NIST.SP.800-56Ar2, NIST Special Publication DOI 10.6028/NIST.SP.800-56Ar2, NIST Special Publication
800-56A, Revision 2, May 2013, 800-56A, Revision 2, May 2013,
<http://nvlpubs.nist.gov/nistpubs/SpecialPublications/ <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/
NIST.SP.800-56Ar2.pdf>. NIST.SP.800-56Ar2.pdf>.
End of changes. 34 change blocks. 99 lines changed or deleted, 222 lines changed or added.

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/