rfc9053.original.xml   rfc9053.xml 
<?xml version='1.0' encoding='utf-8'?> <?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent" [ <rfc xmlns:xi="http://www.w3.org/2001/XInclude" version="3" category="info" cons
<!ENTITY SigSection "9.1"> ensus="true" docName="draft-ietf-cose-rfc8152bis-algs-12" indexInclude="true" ip
<!ENTITY MacSection "9.2"> r="trust200902" number="9053" obsoletes="8152" prepTime="2022-08-24T13:41:43" sc
<!ENTITY ContentSection "9.3"> ripts="Common,Latin" sortRefs="true" submissionType="IETF" symRefs="true" tocDep
<!ENTITY KDFSection "9.4"> th="3" tocInclude="true" xml:lang="en">
<!ENTITY CKeyDistributeSection "9.5"> <link href="https://datatracker.ietf.org/doc/draft-ietf-cose-rfc8152bis-algs-1
<!ENTITY DirectDistribute "9.5.1"> 2" rel="prev"/>
<!ENTITY KeyWrap "9.5.2"> <link href="https://dx.doi.org/10.17487/rfc9053" rel="alternate"/>
]> <link href="urn:issn:2070-1721" rel="alternate"/>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<?rfc toc="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc comments="yes"?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" category="info
" docName="draft-ietf-cose-rfc8152bis-algs-11" obsoletes="8152" submissionType="
IETF" version="3" consensus="true">
<!-- xml2rfc v2v3 conversion 2.24.0 -->
<front> <front>
<title abbrev="COSE Algorithms"> <title abbrev="COSE Algorithms">CBOR Object Signing and Encryption (COSE): I
CBOR Object Signing&nbsp;and&nbsp;Encryption&nbsp;(COSE): Initial Algorith nitial Algorithms</title>
ms <seriesInfo name="RFC" value="9053" stream="IETF"/>
</title>
<seriesInfo name="Internet-Draft" value="draft-ietf-cose-rfc8152bis-algs-11"
/>
<author initials="J." surname="Schaad" fullname="Jim Schaad"> <author initials="J." surname="Schaad" fullname="Jim Schaad">
<organization>August Cellars</organization> <organization showOnFrontPage="true">August Cellars</organization>
<address> <address>
<email>ietf@augustcellars.com</email>
</address> </address>
</author> </author>
<date/> <date month="08" year="2022"/>
<area>Security</area> <area>Security</area>
<workgroup>COSE Working Group</workgroup> <workgroup>COSE Working Group</workgroup>
<abstract> <keyword>Object Security</keyword>
<t> <keyword>COSE</keyword>
<keyword>Constrained Devices</keyword>
<keyword>AES</keyword>
<keyword>AES-GCM</keyword>
<keyword>AES-CCM</keyword>
<keyword>ECDSA</keyword>
<keyword>EdDSA</keyword>
<keyword>ECC</keyword>
<keyword>HSS-LMS</keyword>
<keyword>AES-KW</keyword>
<keyword>ECDH</keyword>
<keyword>HMAC</keyword>
<keyword>CMAC</keyword>
<keyword>Cryptography</keyword>
<abstract pn="section-abstract">
<t indent="0" pn="section-abstract-1">
Concise Binary Object Representation (CBOR) is a data format designed fo r small code size and small message size. Concise Binary Object Representation (CBOR) is a data format designed fo r small code size and small message size.
There is a need for the ability to have basic security services defined There is a need to be able to define basic security services for this da
for this data format. ta format.
THis document defines a set of algorithms that can be used with the CBOR This document defines a set of algorithms that can be used with the
Object Signing and Encryption (COSE) protocol RFC XXXX. <!-- <xref target="I-D. CBOR Object Signing and Encryption (COSE) protocol (RFC 9052).
ietf-cose-rfc8152bis-struct"/>.-->
</t> </t>
</abstract> <t indent="0" pn="section-abstract-2">
<note removeInRFC="true"> This document, along with RFC 9052, obsoletes RFC 8152.
<name>Contributing to this document</name>
<!-- RFC EDITOR - Please remove this note before publishing -->
<t>
The source for this draft is being maintained in GitHub.
Suggested changes should be submitted as pull requests at <eref target=
"https://github.com/cose-wg/cose-rfc8152bis"/>.
Instructions are on that page as well.
Editorial changes can be managed in GitHub, but any substantial issues n
eed to be discussed on the COSE mailing list.
</t> </t>
</note> </abstract>
<boilerplate>
<section anchor="status-of-memo" numbered="false" removeInRFC="false" toc=
"exclude" pn="section-boilerplate.1">
<name slugifiedName="name-status-of-this-memo">Status of This Memo</name
>
<t indent="0" pn="section-boilerplate.1-1">
This document is not an Internet Standards Track specification; it i
s
published for informational purposes.
</t>
<t indent="0" pn="section-boilerplate.1-2">
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are candidates for any level of Internet
Standard; see Section 2 of RFC 7841.
</t>
<t indent="0" pn="section-boilerplate.1-3">
Information about the current status of this document, any
errata, and how to provide feedback on it may be obtained at
<eref target="https://www.rfc-editor.org/info/rfc9053" brackets="non
e"/>.
</t>
</section>
<section anchor="copyright" numbered="false" removeInRFC="false" toc="excl
ude" pn="section-boilerplate.2">
<name slugifiedName="name-copyright-notice">Copyright Notice</name>
<t indent="0" pn="section-boilerplate.2-1">
Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved.
</t>
<t indent="0" pn="section-boilerplate.2-2">
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<eref target="https://trustee.ietf.org/license-info" brackets="none
"/>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Revised BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Revised BSD License.
</t>
</section>
</boilerplate>
<toc>
<section anchor="toc" numbered="false" removeInRFC="false" toc="exclude" p
n="section-toc.1">
<name slugifiedName="name-table-of-contents">Table of Contents</name>
<ul bare="true" empty="true" indent="2" spacing="compact" pn="section-to
c.1-1">
<li pn="section-toc.1-1.1">
<t indent="0" pn="section-toc.1-1.1.1"><xref derivedContent="1" form
at="counter" sectionFormat="of" target="section-1"/>.  <xref derivedContent="" f
ormat="title" sectionFormat="of" target="name-introduction">Introduction</xref><
/t>
<ul bare="true" empty="true" indent="2" spacing="compact" pn="sectio
n-toc.1-1.1.2">
<li pn="section-toc.1-1.1.2.1">
<t indent="0" keepWithNext="true" pn="section-toc.1-1.1.2.1.1"><
xref derivedContent="1.1" format="counter" sectionFormat="of" target="section-1.
1"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-re
quirements-terminology">Requirements Terminology</xref></t>
</li>
<li pn="section-toc.1-1.1.2.2">
<t indent="0" keepWithNext="true" pn="section-toc.1-1.1.2.2.1"><
xref derivedContent="1.2" format="counter" sectionFormat="of" target="section-1.
2"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-ch
anges-from-rfc-8152">Changes from RFC 8152</xref></t>
</li>
<li pn="section-toc.1-1.1.2.3">
<t indent="0" keepWithNext="true" pn="section-toc.1-1.1.2.3.1"><
xref derivedContent="1.3" format="counter" sectionFormat="of" target="section-1.
3"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-do
cument-terminology">Document Terminology</xref></t>
</li>
<li pn="section-toc.1-1.1.2.4">
<t indent="0" pn="section-toc.1-1.1.2.4.1"><xref derivedContent=
"1.4" format="counter" sectionFormat="of" target="section-1.4"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-cddl-grammar-for-cbor-
data-">CDDL Grammar for CBOR Data Structures</xref></t>
</li>
<li pn="section-toc.1-1.1.2.5">
<t indent="0" pn="section-toc.1-1.1.2.5.1"><xref derivedContent=
"1.5" format="counter" sectionFormat="of" target="section-1.5"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-examples">Examples</xr
ef></t>
</li>
</ul>
</li>
<li pn="section-toc.1-1.2">
<t indent="0" pn="section-toc.1-1.2.1"><xref derivedContent="2" form
at="counter" sectionFormat="of" target="section-2"/>.  <xref derivedContent="" f
ormat="title" sectionFormat="of" target="name-signature-algorithms">Signature Al
gorithms</xref></t>
<ul bare="true" empty="true" indent="2" spacing="compact" pn="sectio
n-toc.1-1.2.2">
<li pn="section-toc.1-1.2.2.1">
<t indent="0" pn="section-toc.1-1.2.2.1.1"><xref derivedContent=
"2.1" format="counter" sectionFormat="of" target="section-2.1"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-ecdsa">ECDSA</xref></t
>
<ul bare="true" empty="true" indent="2" spacing="compact" pn="se
ction-toc.1-1.2.2.1.2">
<li pn="section-toc.1-1.2.2.1.2.1">
<t indent="0" pn="section-toc.1-1.2.2.1.2.1.1"><xref derived
Content="2.1.1" format="counter" sectionFormat="of" target="section-2.1.1"/>.  <
xref derivedContent="" format="title" sectionFormat="of" target="name-security-c
onsiderations-for">Security Considerations for ECDSA</xref></t>
</li>
</ul>
</li>
<li pn="section-toc.1-1.2.2.2">
<t indent="0" pn="section-toc.1-1.2.2.2.1"><xref derivedContent=
"2.2" format="counter" sectionFormat="of" target="section-2.2"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-edwards-curve-digital-
signa">Edwards-Curve Digital Signature Algorithm (EdDSA)</xref></t>
<ul bare="true" empty="true" indent="2" spacing="compact" pn="se
ction-toc.1-1.2.2.2.2">
<li pn="section-toc.1-1.2.2.2.2.1">
<t indent="0" pn="section-toc.1-1.2.2.2.2.1.1"><xref derived
Content="2.2.1" format="counter" sectionFormat="of" target="section-2.2.1"/>.  <
xref derivedContent="" format="title" sectionFormat="of" target="name-security-c
onsiderations-for-">Security Considerations for EdDSA</xref></t>
</li>
</ul>
</li>
</ul>
</li>
<li pn="section-toc.1-1.3">
<t indent="0" pn="section-toc.1-1.3.1"><xref derivedContent="3" form
at="counter" sectionFormat="of" target="section-3"/>.  <xref derivedContent="" f
ormat="title" sectionFormat="of" target="name-message-authentication-code">Messa
ge Authentication Code (MAC) Algorithms</xref></t>
<ul bare="true" empty="true" indent="2" spacing="compact" pn="sectio
n-toc.1-1.3.2">
<li pn="section-toc.1-1.3.2.1">
<t indent="0" pn="section-toc.1-1.3.2.1.1"><xref derivedContent=
"3.1" format="counter" sectionFormat="of" target="section-3.1"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-hash-based-message-aut
henti">Hash-Based Message Authentication Codes (HMACs)</xref></t>
<ul bare="true" empty="true" indent="2" spacing="compact" pn="se
ction-toc.1-1.3.2.1.2">
<li pn="section-toc.1-1.3.2.1.2.1">
<t indent="0" pn="section-toc.1-1.3.2.1.2.1.1"><xref derived
Content="3.1.1" format="counter" sectionFormat="of" target="section-3.1.1"/>.  <
xref derivedContent="" format="title" sectionFormat="of" target="name-security-c
onsiderations-for-h">Security Considerations for HMAC</xref></t>
</li>
</ul>
</li>
<li pn="section-toc.1-1.3.2.2">
<t indent="0" pn="section-toc.1-1.3.2.2.1"><xref derivedContent=
"3.2" format="counter" sectionFormat="of" target="section-3.2"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-aes-message-authentica
tion-">AES Message Authentication Code (AES-CBC-MAC)</xref></t>
<ul bare="true" empty="true" indent="2" spacing="compact" pn="se
ction-toc.1-1.3.2.2.2">
<li pn="section-toc.1-1.3.2.2.2.1">
<t indent="0" pn="section-toc.1-1.3.2.2.2.1.1"><xref derived
Content="3.2.1" format="counter" sectionFormat="of" target="section-3.2.1"/>.  <
xref derivedContent="" format="title" sectionFormat="of" target="name-security-c
onsiderations-for-a">Security Considerations for AES-CBC-MAC </xref></t>
</li>
</ul>
</li>
</ul>
</li>
<li pn="section-toc.1-1.4">
<t indent="0" pn="section-toc.1-1.4.1"><xref derivedContent="4" form
at="counter" sectionFormat="of" target="section-4"/>.  <xref derivedContent="" f
ormat="title" sectionFormat="of" target="name-content-encryption-algorith">Conte
nt Encryption Algorithms</xref></t>
<ul bare="true" empty="true" indent="2" spacing="compact" pn="sectio
n-toc.1-1.4.2">
<li pn="section-toc.1-1.4.2.1">
<t indent="0" pn="section-toc.1-1.4.2.1.1"><xref derivedContent=
"4.1" format="counter" sectionFormat="of" target="section-4.1"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-aes-gcm">AES-GCM</xref
></t>
<ul bare="true" empty="true" indent="2" spacing="compact" pn="se
ction-toc.1-1.4.2.1.2">
<li pn="section-toc.1-1.4.2.1.2.1">
<t indent="0" pn="section-toc.1-1.4.2.1.2.1.1"><xref derived
Content="4.1.1" format="counter" sectionFormat="of" target="section-4.1.1"/>.  <
xref derivedContent="" format="title" sectionFormat="of" target="name-security-c
onsiderations-for-ae">Security Considerations for AES-GCM</xref></t>
</li>
</ul>
</li>
<li pn="section-toc.1-1.4.2.2">
<t indent="0" pn="section-toc.1-1.4.2.2.1"><xref derivedContent=
"4.2" format="counter" sectionFormat="of" target="section-4.2"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-aes-ccm">AES-CCM</xref
></t>
<ul bare="true" empty="true" indent="2" spacing="compact" pn="se
ction-toc.1-1.4.2.2.2">
<li pn="section-toc.1-1.4.2.2.2.1">
<t indent="0" pn="section-toc.1-1.4.2.2.2.1.1"><xref derived
Content="4.2.1" format="counter" sectionFormat="of" target="section-4.2.1"/>.  <
xref derivedContent="" format="title" sectionFormat="of" target="name-security-c
onsiderations-for-aes">Security Considerations for AES-CCM</xref></t>
</li>
</ul>
</li>
<li pn="section-toc.1-1.4.2.3">
<t indent="0" pn="section-toc.1-1.4.2.3.1"><xref derivedContent=
"4.3" format="counter" sectionFormat="of" target="section-4.3"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-chacha20-and-poly1305"
>ChaCha20 and Poly1305</xref></t>
<ul bare="true" empty="true" indent="2" spacing="compact" pn="se
ction-toc.1-1.4.2.3.2">
<li pn="section-toc.1-1.4.2.3.2.1">
<t indent="0" pn="section-toc.1-1.4.2.3.2.1.1"><xref derived
Content="4.3.1" format="counter" sectionFormat="of" target="section-4.3.1"/>.  <
xref derivedContent="" format="title" sectionFormat="of" target="name-security-c
onsiderations-for-c">Security Considerations for ChaCha20/Poly1305</xref></t>
</li>
</ul>
</li>
</ul>
</li>
<li pn="section-toc.1-1.5">
<t indent="0" pn="section-toc.1-1.5.1"><xref derivedContent="5" form
at="counter" sectionFormat="of" target="section-5"/>.  <xref derivedContent="" f
ormat="title" sectionFormat="of" target="name-key-derivation-functions-kd">Key D
erivation Functions (KDFs)</xref></t>
<ul bare="true" empty="true" indent="2" spacing="compact" pn="sectio
n-toc.1-1.5.2">
<li pn="section-toc.1-1.5.2.1">
<t indent="0" pn="section-toc.1-1.5.2.1.1"><xref derivedContent=
"5.1" format="counter" sectionFormat="of" target="section-5.1"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-hmac-based-extract-and
-expa">HMAC-Based Extract-and-Expand Key Derivation Function (HKDF)</xref></t>
</li>
<li pn="section-toc.1-1.5.2.2">
<t indent="0" pn="section-toc.1-1.5.2.2.1"><xref derivedContent=
"5.2" format="counter" sectionFormat="of" target="section-5.2"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-context-information-st
ructu">Context Information Structure</xref></t>
</li>
</ul>
</li>
<li pn="section-toc.1-1.6">
<t indent="0" pn="section-toc.1-1.6.1"><xref derivedContent="6" form
at="counter" sectionFormat="of" target="section-6"/>.  <xref derivedContent="" f
ormat="title" sectionFormat="of" target="name-content-key-distribution-me">Conte
nt Key Distribution Methods</xref></t>
<ul bare="true" empty="true" indent="2" spacing="compact" pn="sectio
n-toc.1-1.6.2">
<li pn="section-toc.1-1.6.2.1">
<t indent="0" pn="section-toc.1-1.6.2.1.1"><xref derivedContent=
"6.1" format="counter" sectionFormat="of" target="section-6.1"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-direct-encryption">Dir
ect Encryption</xref></t>
<ul bare="true" empty="true" indent="2" spacing="compact" pn="se
ction-toc.1-1.6.2.1.2">
<li pn="section-toc.1-1.6.2.1.2.1">
<t indent="0" pn="section-toc.1-1.6.2.1.2.1.1"><xref derived
Content="6.1.1" format="counter" sectionFormat="of" target="section-6.1.1"/>.  <
xref derivedContent="" format="title" sectionFormat="of" target="name-direct-key
">Direct Key</xref></t>
</li>
<li pn="section-toc.1-1.6.2.1.2.2">
<t indent="0" pn="section-toc.1-1.6.2.1.2.2.1"><xref derived
Content="6.1.2" format="counter" sectionFormat="of" target="section-6.1.2"/>.  <
xref derivedContent="" format="title" sectionFormat="of" target="name-direct-key
-with-kdf">Direct Key with KDF</xref></t>
</li>
</ul>
</li>
<li pn="section-toc.1-1.6.2.2">
<t indent="0" pn="section-toc.1-1.6.2.2.1"><xref derivedContent=
"6.2" format="counter" sectionFormat="of" target="section-6.2"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-key-wrap">Key Wrap</xr
ef></t>
<ul bare="true" empty="true" indent="2" spacing="compact" pn="se
ction-toc.1-1.6.2.2.2">
<li pn="section-toc.1-1.6.2.2.2.1">
<t indent="0" pn="section-toc.1-1.6.2.2.2.1.1"><xref derived
Content="6.2.1" format="counter" sectionFormat="of" target="section-6.2.1"/>.  <
xref derivedContent="" format="title" sectionFormat="of" target="name-aes-key-wr
ap">AES Key Wrap</xref></t>
</li>
</ul>
</li>
<li pn="section-toc.1-1.6.2.3">
<t indent="0" pn="section-toc.1-1.6.2.3.1"><xref derivedContent=
"6.3" format="counter" sectionFormat="of" target="section-6.3"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-direct-key-agreement">
Direct Key Agreement</xref></t>
<ul bare="true" empty="true" indent="2" spacing="compact" pn="se
ction-toc.1-1.6.2.3.2">
<li pn="section-toc.1-1.6.2.3.2.1">
<t indent="0" pn="section-toc.1-1.6.2.3.2.1.1"><xref derived
Content="6.3.1" format="counter" sectionFormat="of" target="section-6.3.1"/>.  <
xref derivedContent="" format="title" sectionFormat="of" target="name-direct-ecd
h">Direct ECDH</xref></t>
</li>
</ul>
</li>
<li pn="section-toc.1-1.6.2.4">
<t indent="0" pn="section-toc.1-1.6.2.4.1"><xref derivedContent=
"6.4" format="counter" sectionFormat="of" target="section-6.4"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-key-agreement-with-key
-wrap">Key Agreement with Key Wrap</xref></t>
<ul bare="true" empty="true" indent="2" spacing="compact" pn="se
ction-toc.1-1.6.2.4.2">
<li pn="section-toc.1-1.6.2.4.2.1">
<t indent="0" pn="section-toc.1-1.6.2.4.2.1.1"><xref derived
Content="6.4.1" format="counter" sectionFormat="of" target="section-6.4.1"/>.  <
xref derivedContent="" format="title" sectionFormat="of" target="name-ecdh-with-
key-wrap">ECDH with Key Wrap</xref></t>
</li>
</ul>
</li>
</ul>
</li>
<li pn="section-toc.1-1.7">
<t indent="0" pn="section-toc.1-1.7.1"><xref derivedContent="7" form
at="counter" sectionFormat="of" target="section-7"/>.  <xref derivedContent="" f
ormat="title" sectionFormat="of" target="name-key-object-parameters">Key Object
Parameters</xref></t>
<ul bare="true" empty="true" indent="2" spacing="compact" pn="sectio
n-toc.1-1.7.2">
<li pn="section-toc.1-1.7.2.1">
<t indent="0" pn="section-toc.1-1.7.2.1.1"><xref derivedContent=
"7.1" format="counter" sectionFormat="of" target="section-7.1"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-elliptic-curve-keys">E
lliptic Curve Keys</xref></t>
<ul bare="true" empty="true" indent="2" spacing="compact" pn="se
ction-toc.1-1.7.2.1.2">
<li pn="section-toc.1-1.7.2.1.2.1">
<t indent="0" pn="section-toc.1-1.7.2.1.2.1.1"><xref derived
Content="7.1.1" format="counter" sectionFormat="of" target="section-7.1.1"/>.  <
xref derivedContent="" format="title" sectionFormat="of" target="name-double-coo
rdinate-curves">Double Coordinate Curves</xref></t>
</li>
</ul>
</li>
<li pn="section-toc.1-1.7.2.2">
<t indent="0" pn="section-toc.1-1.7.2.2.1"><xref derivedContent=
"7.2" format="counter" sectionFormat="of" target="section-7.2"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-octet-key-pair">Octet
Key Pair</xref></t>
</li>
<li pn="section-toc.1-1.7.2.3">
<t indent="0" pn="section-toc.1-1.7.2.3.1"><xref derivedContent=
"7.3" format="counter" sectionFormat="of" target="section-7.3"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-symmetric-keys">Symmet
ric Keys</xref></t>
</li>
</ul>
</li>
<li pn="section-toc.1-1.8">
<t indent="0" pn="section-toc.1-1.8.1"><xref derivedContent="8" form
at="counter" sectionFormat="of" target="section-8"/>.  <xref derivedContent="" f
ormat="title" sectionFormat="of" target="name-cose-capabilities">COSE Capabiliti
es</xref></t>
<ul bare="true" empty="true" indent="2" spacing="compact" pn="sectio
n-toc.1-1.8.2">
<li pn="section-toc.1-1.8.2.1">
<t indent="0" pn="section-toc.1-1.8.2.1.1"><xref derivedContent=
"8.1" format="counter" sectionFormat="of" target="section-8.1"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-assignments-for-existi
ng-al">Assignments for Existing Algorithms</xref></t>
</li>
<li pn="section-toc.1-1.8.2.2">
<t indent="0" pn="section-toc.1-1.8.2.2.1"><xref derivedContent=
"8.2" format="counter" sectionFormat="of" target="section-8.2"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-assignments-for-existi
ng-ke">Assignments for Existing Key Types</xref></t>
</li>
<li pn="section-toc.1-1.8.2.3">
<t indent="0" pn="section-toc.1-1.8.2.3.1"><xref derivedContent=
"8.3" format="counter" sectionFormat="of" target="section-8.3"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-examples-2">Examples</
xref></t>
</li>
</ul>
</li>
<li pn="section-toc.1-1.9">
<t indent="0" pn="section-toc.1-1.9.1"><xref derivedContent="9" form
at="counter" sectionFormat="of" target="section-9"/>.  <xref derivedContent="" f
ormat="title" sectionFormat="of" target="name-cbor-encoding-restrictions">CBOR E
ncoding Restrictions</xref></t>
</li>
<li pn="section-toc.1-1.10">
<t indent="0" pn="section-toc.1-1.10.1"><xref derivedContent="10" fo
rmat="counter" sectionFormat="of" target="section-10"/>. <xref derivedContent=""
format="title" sectionFormat="of" target="name-iana-considerations">IANA Consid
erations</xref></t>
<ul bare="true" empty="true" indent="2" spacing="compact" pn="sectio
n-toc.1-1.10.2">
<li pn="section-toc.1-1.10.2.1">
<t indent="0" pn="section-toc.1-1.10.2.1.1"><xref derivedContent
="10.1" format="counter" sectionFormat="of" target="section-10.1"/>.  <xref deri
vedContent="" format="title" sectionFormat="of" target="name-changes-to-the-cose
-key-typ">Changes to the "COSE Key Types" Registry</xref></t>
</li>
<li pn="section-toc.1-1.10.2.2">
<t indent="0" pn="section-toc.1-1.10.2.2.1"><xref derivedContent
="10.2" format="counter" sectionFormat="of" target="section-10.2"/>.  <xref deri
vedContent="" format="title" sectionFormat="of" target="name-changes-to-the-cose
-algorit">Changes to the "COSE Algorithms" Registry</xref></t>
</li>
<li pn="section-toc.1-1.10.2.3">
<t indent="0" pn="section-toc.1-1.10.2.3.1"><xref derivedContent
="10.3" format="counter" sectionFormat="of" target="section-10.3"/>.  <xref deri
vedContent="" format="title" sectionFormat="of" target="name-changes-to-the-cose
-key-type">Changes to the "COSE Key Type Parameters" Registry</xref></t>
</li>
<li pn="section-toc.1-1.10.2.4">
<t indent="0" pn="section-toc.1-1.10.2.4.1"><xref derivedContent
="10.4" format="counter" sectionFormat="of" target="section-10.4"/>.  <xref deri
vedContent="" format="title" sectionFormat="of" target="name-expert-review-instr
uctions">Expert Review Instructions</xref></t>
</li>
</ul>
</li>
<li pn="section-toc.1-1.11">
<t indent="0" pn="section-toc.1-1.11.1"><xref derivedContent="11" fo
rmat="counter" sectionFormat="of" target="section-11"/>. <xref derivedContent=""
format="title" sectionFormat="of" target="name-security-considerations">Securit
y Considerations</xref></t>
</li>
<li pn="section-toc.1-1.12">
<t indent="0" pn="section-toc.1-1.12.1"><xref derivedContent="12" fo
rmat="counter" sectionFormat="of" target="section-12"/>. <xref derivedContent=""
format="title" sectionFormat="of" target="name-references">References</xref></t
>
<ul bare="true" empty="true" indent="2" spacing="compact" pn="sectio
n-toc.1-1.12.2">
<li pn="section-toc.1-1.12.2.1">
<t indent="0" pn="section-toc.1-1.12.2.1.1"><xref derivedContent
="12.1" format="counter" sectionFormat="of" target="section-12.1"/>.  <xref deri
vedContent="" format="title" sectionFormat="of" target="name-normative-reference
s">Normative References</xref></t>
</li>
<li pn="section-toc.1-1.12.2.2">
<t indent="0" pn="section-toc.1-1.12.2.2.1"><xref derivedContent
="12.2" format="counter" sectionFormat="of" target="section-12.2"/>.  <xref deri
vedContent="" format="title" sectionFormat="of" target="name-informative-referen
ces">Informative References</xref></t>
</li>
</ul>
</li>
<li pn="section-toc.1-1.13">
<t indent="0" pn="section-toc.1-1.13.1"><xref derivedContent="" form
at="none" sectionFormat="of" target="section-appendix.a"/><xref derivedContent="
" format="title" sectionFormat="of" target="name-acknowledgments">Acknowledgment
s</xref></t>
</li>
<li pn="section-toc.1-1.14">
<t indent="0" pn="section-toc.1-1.14.1"><xref derivedContent="" form
at="none" sectionFormat="of" target="section-appendix.b"/><xref derivedContent="
" format="title" sectionFormat="of" target="name-authors-address">Author's Addre
ss</xref></t>
</li>
</ul>
</section>
</toc>
</front> </front>
<middle> <middle>
<section anchor="introduction"> <section anchor="introduction" numbered="true" removeInRFC="false" toc="incl
ude" pn="section-1">
<name>Introduction</name> <name slugifiedName="name-introduction">Introduction</name>
<t> <t indent="0" pn="section-1-1">
There has been an increased focus on small, constrained devices that mak e up the Internet of Things (IoT). There has been an increased focus on small, constrained devices that mak e up the Internet of Things (IoT).
One of the standards that has come out of this process is "Concise Binar One of the standards that has come out of this process is "Concise
y Object Representation (CBOR)" <xref target="RFC7049"/>. Binary Object Representation (CBOR)" <xref target="STD94" format="default
CBOR extended the data model of JavaScript Object Notation (JSON) <xref " sectionFormat="of" derivedContent="STD94"/>.
target="STD90"/> by allowing for binary data, among other changes. CBOR extended the data model of JavaScript Object Notation (JSON)
CBOR is being adopted by several of the IETF working groups dealing with <xref target="STD90" format="default" sectionFormat="of" derivedContent="
the IoT world as their encoding of data structures. STD90"/> by allowing for binary data, among other
CBOR was designed specifically to be both small in terms of messages tra changes.
nsported and implementation size and be a schema-free decoder. CBOR has been adopted by several of the IETF working groups dealing
A need exists to provide message security services for IoT, and using CB with the IoT world as their method of encoding data structures.
OR as the message-encoding format makes sense. CBOR was designed specifically to be small in terms of both messages
transported and implementation size and to have a schema-free decoder.
A need exists to provide message security services for IoT, and using
CBOR as the message-encoding format makes sense.
</t> </t>
<t> <t indent="0" pn="section-1-2">
The core COSE specification consists of two documents. The core COSE specification consists of two documents.
<xref target="I-D.ietf-cose-rfc8152bis-struct"/> contains the serializat ion structures and the procedures for using the different cryptographic algorith ms. <xref target="RFC9052" format="default" sectionFormat="of" derivedConten t="RFC9052"/> contains the serialization structures and the procedures for using the different cryptographic algorithms.
This document provides an initial set of algorithms for use with those s tructures. This document provides an initial set of algorithms for use with those s tructures.
</t> </t>
<section anchor="requirements-terminology"> <section anchor="requirements-terminology" numbered="true" removeInRFC="fa
lse" toc="include" pn="section-1.1">
<name>Requirements Terminology</name> <name slugifiedName="name-requirements-terminology">Requirements Termino
<t> logy</name>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL <t indent="0" pn="section-1.1-1">
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp1
"MAY", and "OPTIONAL" in this document are to be interpreted as 4>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> >SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<b
when, and only when, they cp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document a
re to be interpreted as
described in BCP 14 <xref target="RFC2119" format="default" sectionFor
mat="of" derivedContent="RFC2119"/> <xref target="RFC8174" format="default" sect
ionFormat="of" derivedContent="RFC8174"/> when, and only when, they
appear in all capitals, as shown here. appear in all capitals, as shown here.
</t> </t>
</section> </section>
<section> <section numbered="true" removeInRFC="false" toc="include" pn="section-1.2
">
<name>Changes from RFC8152</name> <name slugifiedName="name-changes-from-rfc-8152">Changes from RFC 8152</
name>
<ul> <ul bare="false" empty="false" indent="3" spacing="normal" pn="section-1
.2-1">
<li> <li pn="section-1.2-1.1">
Extract the sections dealing with specific algorithms into this do Extracted the sections dealing with specific algorithms and placed
cument. them into this document.
The sections dealing with structure and general processing rules a The sections dealing with structure and general processing rules
re placed in <xref target="I-D.ietf-cose-rfc8152bis-struct"/>. are placed in <xref target="RFC9052" format="default" sectionFormat
="of" derivedContent="RFC9052"/>.
</li> </li>
<li>Text clarifications and changes in terminology.</li> <li pn="section-1.2-1.2">Made text clarifications and changes in termi
nology.</li>
<li pn="section-1.2-1.3">Removed all of the details relating to counte
rsignatures and placed them in <xref target="I-D.ietf-cose-countersign" format="
default" sectionFormat="of" derivedContent="COUNTERSIGN"/>.</li>
</ul> </ul>
</section> </section>
<section> <section numbered="true" removeInRFC="false" toc="include" pn="section-1.3
">
<name>Document Terminology</name> <name slugifiedName="name-document-terminology">Document Terminology</na
<t>In this document, we use the following terminology: </t> me>
<t>Byte is a synonym for octet.</t> <t indent="0" pn="section-1.3-1">In this document, we use the following
<t>Constrained Application Protocol (CoAP) is a specialized web transfer terminology: </t>
protocol for use in constrained systems. It is defined in <xref target="RFC725 <dl indent="3" newline="false" spacing="normal" pn="section-1.3-2">
2"/>. </t> <dt pn="section-1.3-2.1">Byte:</dt>
<t> <dd pn="section-1.3-2.2">A synonym for octet.</dd>
Authenticated Encryption (AE) <xref target="RFC5116"/> algorithms are <dt pn="section-1.3-2.3">Constrained Application Protocol (CoAP):</dt>
encryption algorithms that provide an authentication check of the contents with <dd pn="section-1.3-2.4">A specialized
the encryption service. web transfer protocol for use in constrained systems. It is defined
An example of an AE algorithm used in COSE is AES Key Wrap <xref targe in <xref target="RFC7252" format="default" sectionFormat="of" derivedCont
t="RFC3394"/>. ent="RFC7252"/>.</dd>
These algorithms are used for key encryption algorithms, but AEAD algo <dt pn="section-1.3-2.5">Authenticated Encryption (AE) algorithms <xre
rithms would be preferred. f target="RFC5116" format="default" sectionFormat="of" derivedContent="RFC5116"/
</t> >:
<t> </dt>
Authenticated Encryption with Associated Data (AEAD) <xref target="RFC <dd pn="section-1.3-2.6">Encryption algorithms that provide an
5116"/> algorithms provide the same authentication service of the content as AE authentication check of the contents along with the encryption service.
algorithms do. An example of an AE algorithm used in COSE is AES Key Wrap <xref targe
They also allow for associated data to be included in the authenticati t="RFC3394" format="default" sectionFormat="of" derivedContent="RFC3394"/>.
on service, but which is not part of the encrypted body. These algorithms are used for key encryption, but
An example of an AEAD algorithm used in COSE is AES-GCM <xref target=" Authenticated Encryption with Associated Data (AEAD)
RFC5116"/>. algorithms would be preferred.
These algorithms are used for content encryption and can be used for k </dd>
ey encryption as well. <dt pn="section-1.3-2.7">AEAD algorithms <xref target="RFC5116" format
</t> ="default" sectionFormat="of" derivedContent="RFC5116"/>:</dt>
<t>The term 'byte string' is used for sequences of bytes, while the term <dd pn="section-1.3-2.8">Encryption algorithms that provide the same a
'text string' is used for sequences of characters.</t> uthentication service of
the content as AE algorithms do, and also allow
<t> associated data that is not part of the encrypted body to be included
in the authentication service. An example of an AEAD
algorithm used in COSE is AES-GCM <xref target="RFC5116" format="default"
sectionFormat="of" derivedContent="RFC5116"/>. These
algorithms are used for content encryption and can be used for key
encryption as well.
</dd>
</dl>
<t indent="0" pn="section-1.3-3">The term "byte string" is used for sequ
ences of bytes, while the term "text string" is used for sequences of characters
.</t>
<t indent="0" pn="section-1.3-4">
The tables for algorithms contain the following columns: The tables for algorithms contain the following columns:
</t> </t>
<ul> <ul bare="false" empty="false" indent="3" spacing="normal" pn="section-1
<li>A name for use in documents for the algorithms.</li> .3-5">
<li> <li pn="section-1.3-5.1">A name for the algorithm for use in documents
.</li>
<li pn="section-1.3-5.2">
The value used on the wire for the algorithm. The value used on the wire for the algorithm.
One place this is used is the algorithm header parameter of a messag e. One place this is used is the algorithm header parameter of a messag e.
</li> </li>
<li>A short description so that the algorithm can be easily identified when scanning the IANA registry.</li> <li pn="section-1.3-5.3">A short description so that the algorithm can be easily identified when scanning the IANA registry.</li>
</ul> </ul>
<t> <t indent="0" pn="section-1.3-6">
Additional columns may be present in the table depending on the algori Additional columns may be present in a table depending on the
thms. algorithms.
</t> </t>
</section> </section>
<section> <section numbered="true" removeInRFC="false" toc="include" pn="section-1.4
">
<name>CBOR Grammar</name> <name slugifiedName="name-cddl-grammar-for-cbor-data-">CDDL Grammar for
<t> CBOR Data Structures</name>
At the time that <xref target="RFC8152"/> was initially published, the <t indent="0" pn="section-1.4-1">
CBOR Data Definition Language (CDDL) <xref target="RFC8610"/> had not yet been When COSE was originally written, the Concise Data Definition
published. Language (CDDL) <xref target="RFC8610" format="default" sectionFormat=
This document uses a variant of CDDL which is described in <xref targe "of" derivedContent="RFC8610"/> had not yet been published
t="I-D.ietf-cose-rfc8152bis-struct"/>. in an RFC, so it could not be used as the data description
language to normatively describe the CBOR data structures employed
by COSE.
For that reason, the CBOR data objects defined here are described
in prose.
Additional (non-normative) descriptions of the
COSE data objects are provided in a subset of CDDL, described in
<xref target="RFC9052" format="default" sectionFormat="of" derivedCont
ent="RFC9052"/>.
</t> </t>
</section> </section>
<section anchor="examples"> <section anchor="examples" numbered="true" removeInRFC="false" toc="includ
e" pn="section-1.5">
<name>Examples</name> <name slugifiedName="name-examples">Examples</name>
<t> <t indent="0" pn="section-1.5-1">
A GitHub project has been created at <xref target="GitHub-Examples"/> A GitHub project has been created at <xref target="GitHub-Examples" fo
that contains a set of testing examples as well. rmat="default" sectionFormat="of" derivedContent="GitHub-Examples"/> that contai
ns a set of testing examples.
Each example is found in a JSON file that contains the inputs used to create the example, some of the intermediate values that can be used for debuggi ng, and the output of the example. Each example is found in a JSON file that contains the inputs used to create the example, some of the intermediate values that can be used for debuggi ng, and the output of the example.
The results are encoded using both hexadecimal and CBOR diagnostic not The results are encoded using both hexadecimal and
ation format. CBOR diagnostic notation format.
</t> </t>
<t> <t indent="0" pn="section-1.5-2">
Some of the examples are designed to test failure case; these are clea Some of the examples are designed to be failure-testing cases; these
rly marked as such in the JSON file. are clearly marked as such in the JSON file.
If errors in the examples in this document are found, the examples on
GitHub will be updated, and a note to that effect will be placed in the JSON fil
e.
</t> </t>
</section> </section>
</section> </section>
<section anchor="SigAlgs" numbered="true" removeInRFC="false" toc="include"
<section anchor="SigAlgs"> pn="section-2">
<name slugifiedName="name-signature-algorithms">Signature Algorithms</name
<name>Signature Algorithms</name> >
<t> <t indent="0" pn="section-2-1">
<relref section="&SigSection;" target="I-D.ietf-cose-rfc8152bis-struct"/ <xref section="8.1" target="RFC9052" sectionFormat="of" format="default"
> contains a generic description of signature algorithms. derivedLink="https://rfc-editor.org/rfc/rfc9052#section-8.1" derivedContent="RF
The document defines signature algorithm identifiers for two signature a C9052"/> contains a generic description of signature algorithms.
lgorithms. This document defines signature algorithm identifiers for two signature
algorithms.
</t> </t>
<section anchor="ECDSA"> <section anchor="ECDSA" numbered="true" removeInRFC="false" toc="include"
pn="section-2.1">
<name>ECDSA</name> <name slugifiedName="name-ecdsa">ECDSA</name>
<t>ECDSA <xref target="DSS"/> defines a signature algorithm using ECC. <t indent="0" pn="section-2.1-1">The Elliptic Curve Digital Signature Al
Implementations <bcp14>SHOULD</bcp14> use a deterministic version of ECDSA such gorithm (ECDSA) <xref target="DSS" format="default" sectionFormat="of" derivedCo
as the one defined in <xref target="RFC6979"/>. The use of a deterministic sign ntent="DSS"/> defines a signature algorithm using Elliptic Curve Cryptography (E
ature algorithm allows for systems to avoid relying on random number generators CC).
in order to avoid generating the same value of 'k' (the per-message random value Implementations <bcp14>SHOULD</bcp14> use a deterministic version of
). Biased generation of the value 'k' can be attacked, and collisions of this va ECDSA such as the one defined in <xref target="RFC6979" format="default"
lue leads to leaked keys. It additionally allows for doing deterministic tests sectionFormat="of" derivedContent="RFC6979"/>. The use of
for the signature algorithm. The use of deterministic ECDSA does not lessen the a deterministic signature algorithm allows systems to avoid relying on
need to have good random number generation when creating the private key. </t> random number generators in order to avoid generating the same value
<t>The ECDSA signature algorithm is parameterized with a hash function ( of "k" (the per-message random value). Biased generation of the value
h). In the event that the length of the hash function output is greater than th "k" can be attacked, and collisions of this value lead to leaked
e group of the key, the leftmost bytes of the hash output are used. </t> keys. It additionally allows performing deterministic tests for the
<t>The algorithms defined in this document can be found in <xref target= signature algorithm. The use of deterministic ECDSA does not lessen
"x-table_ecdsa"/>. </t> the need to have good random number generation when creating the
<table anchor="x-table_ecdsa" align="center"> private key. </t>
<t indent="0" pn="section-2.1-2">The ECDSA signature algorithm is parame
<name>ECDSA Algorithm Values</name> terized with a hash function
(h). In the event that the length of the hash function output is
greater than the group of the key, the leftmost bytes of the hash
output are used. </t>
<t indent="0" pn="section-2.1-3">The algorithms defined in this document
can be found in <xref target="x-table_ecdsa" format="default" sectionFormat="of
" derivedContent="Table 1"/>. </t>
<table anchor="x-table_ecdsa" align="center" pn="table-1">
<name slugifiedName="name-ecdsa-algorithm-values">ECDSA Algorithm Valu
es</name>
<thead> <thead>
<tr> <tr>
<th>Name</th> <th align="left" colspan="1" rowspan="1">Name</th>
<th>Value</th> <th align="center" colspan="1" rowspan="1">Value</th>
<th>Hash</th> <th align="left" colspan="1" rowspan="1">Hash</th>
<th>Description</th> <th align="left" colspan="1" rowspan="1">Description</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td>ES256</td> <td align="left" colspan="1" rowspan="1">ES256</td>
<td>-7</td> <td align="center" colspan="1" rowspan="1">-7</td>
<td>SHA-256</td> <td align="left" colspan="1" rowspan="1">SHA-256</td>
<td>ECDSA w/ SHA-256</td> <td align="left" colspan="1" rowspan="1">ECDSA w/ SHA-256</td>
</tr> </tr>
<tr> <tr>
<td>ES384</td> <td align="left" colspan="1" rowspan="1">ES384</td>
<td>-35</td> <td align="center" colspan="1" rowspan="1">-35</td>
<td>SHA-384</td> <td align="left" colspan="1" rowspan="1">SHA-384</td>
<td>ECDSA w/ SHA-384</td> <td align="left" colspan="1" rowspan="1">ECDSA w/ SHA-384</td>
</tr> </tr>
<tr> <tr>
<td>ES512</td> <td align="left" colspan="1" rowspan="1">ES512</td>
<td>-36</td> <td align="center" colspan="1" rowspan="1">-36</td>
<td>SHA-512</td> <td align="left" colspan="1" rowspan="1">SHA-512</td>
<td>ECDSA w/ SHA-512</td> <td align="left" colspan="1" rowspan="1">ECDSA w/ SHA-512</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<t>This document defines ECDSA to work only with the curves P-256, P-384 <t indent="0" pn="section-2.1-5">This document defines ECDSA as working
, and P-521. This document requires that the curves be encoded using the 'EC2' only with the curves P-256,
(two coordinate elliptic curve) key type. Implementations need to check that th P-384, and P-521. This document requires that the curves be encoded
e key type and curve are correct when creating and verifying a signature. Futur using the "EC2" (two coordinate elliptic curve) key type.
e documents may define it to work with other curves and points in the future. < Implementations need to check that the key type and curve are correct
/t> when creating and verifying a signature. Future documents may define
<t>In order to promote interoperability, it is suggested that SHA-256 be it to work with other curves and key types in the future. </t>
used only with curve P-256, SHA-384 be used only with curve P-384, and SHA-512 <t indent="0" pn="section-2.1-6">In order to promote interoperability, i
be used with curve P-521. This is aligned with the recommendation in Section 4 t is suggested that SHA-256 be used only with curve P-256, SHA-384 be used only
of <xref target="RFC5480"/>. </t> with curve P-384, and SHA-512 be used only with curve P-521. This is aligned wi
<t> th the recommendation in <xref target="RFC5480" section="4" sectionFormat="of" f
ormat="default" derivedLink="https://rfc-editor.org/rfc/rfc5480#section-4" deriv
edContent="RFC5480"/>. </t>
<t indent="0" pn="section-2.1-7">
The signature algorithm results in a pair of integers (R, S). The signature algorithm results in a pair of integers (R, S).
These integers will be the same length as the length of the key used f or the signature process. These integers will be the same length as the length of the key used f or the signature process.
The signature is encoded by converting the integers into byte strings of the same length as the key size. The signature is encoded by converting the integers into byte strings of the same length as the key size.
The length is rounded up to the nearest byte and is left padded with z ero bits to get to the correct length. The length is rounded up to the nearest byte and is left padded with z ero bits to get to the correct length.
The two integers are then concatenated together to form a byte string that is the resulting signature. The two integers are then concatenated together to form a byte string that is the resulting signature.
</t> </t>
<t> <t indent="0" pn="section-2.1-8">
Using the function defined in <xref target="RFC8017"/>, the signature Using the function defined in <xref target="RFC8017" format="default"
is: sectionFormat="of" derivedContent="RFC8017"/>, the signature is:
</t> </t>
<t> <t indent="0" pn="section-2.1-9">
Signature = I2OSP(R, n) | I2OSP(S, n) Signature = I2OSP(R, n) | I2OSP(S, n)
</t> </t>
<t> <t indent="0" pn="section-2.1-10">
where n = ceiling(key_length / 8) where n = ceiling(key_length / 8)
</t> </t>
<t>When using a COSE key for this algorithm, the following checks are ma de: <t indent="0" pn="section-2.1-11">When using a COSE key for this algorit hm, the following checks are made:
</t> </t>
<ul bare="false" empty="false" indent="3" spacing="normal" pn="section-2
<ul> .1-12">
<li pn="section-2.1-12.1">The "kty" field <bcp14>MUST</bcp14> be prese
<li>The 'kty' field <bcp14>MUST</bcp14> be present, and it <bcp14>MUST nt, and it <bcp14>MUST</bcp14> be "EC2".</li>
</bcp14> be 'EC2'.</li> <li pn="section-2.1-12.2">If the "alg" field is present, it <bcp14>MUS
T</bcp14> match the ECDSA signature algorithm being used.</li>
<li>If the 'alg' field is present, it <bcp14>MUST</bcp14> match the EC <li pn="section-2.1-12.3">If the "key_ops" field is present, it <bcp14
DSA signature algorithm being used.</li> >MUST</bcp14> include "sign" when creating an ECDSA signature.</li>
<li pn="section-2.1-12.4">If the "key_ops" field is present, it <bcp14
<li>If the 'key_ops' field is present, it <bcp14>MUST</bcp14> include >MUST</bcp14> include "verify" when verifying an ECDSA signature.</li>
'sign' when creating an ECDSA signature.</li>
<li>If the 'key_ops' field is present, it <bcp14>MUST</bcp14> include
'verify' when verifying an ECDSA signature.</li>
</ul> </ul>
<section> <section numbered="true" removeInRFC="false" toc="include" pn="section-2
.1.1">
<name>Security Considerations for ECDSA</name> <name slugifiedName="name-security-considerations-for">Security Consid
<t>The security strength of the signature is no greater than the minim erations for ECDSA</name>
um of the security strength associated with the bit length of the key and the se <t indent="0" pn="section-2.1.1-1">The security strength of the signat
curity strength of the hash function. </t> ure is no greater than the minimum of the security strength associated with the
<t> bit length of the key and the security strength of the hash function. </t>
Note: Use of a deterministic signature technique is a good idea even <t indent="0" pn="section-2.1.1-2">
when good random number generation exists. Note: Use of a deterministic signature technique is a good idea
Doing so both reduces the possibility of having the same value of 'k even when good random number generation exists.
' in two signature operations and allows for reproducible signature values, whic Doing so both reduces the possibility of having the same value of
h helps testing. "k" in two signature operations and allows for reproducible
There have been recent attacks involving faulting the device in orde signature values, which helps testing.
r to extract the key. There have been recent attacks involving faulting the device in
This can be addressed by combining both randomness and determinism order to extract the key.
<xref target="I-D.mattsson-cfrg-det-sigs-with-noise"/>. This can be addressed by combining both randomness and determinism
<xref target="I-D.mattsson-cfrg-det-sigs-with-noise" format="default"
sectionFormat="of" derivedContent="CFRG-DET-SIGS"/>.
</t> </t>
<t>There are two substitution attacks that can theoretically be mounte d against the ECDSA signature algorithm. <t indent="0" pn="section-2.1.1-3">There are two substitution attacks that can theoretically be mounted against the ECDSA signature algorithm.
</t> </t>
<ul bare="false" empty="false" indent="3" spacing="normal" pn="section
<ul> -2.1.1-4">
<li pn="section-2.1.1-4.1">Changing the curve used to validate the s
<li>Changing the curve used to validate the signature: If one change ignature: If one
s the curve used to validate the signature, then potentially one could have two changes the curve used to validate the signature, then potentially
messages with the same signature, each computed under a different curve. The on one could have two messages with the same signature, each computed
ly requirement on the new curve is that its order be the same as the old one and under a different curve. The only requirements on the new curve are
it be acceptable to the client. An example would be to change from using the c that its order be the same as the old one and that it be acceptable t
urve secp256r1 (aka P-256) to using secp256k1. (Both are 256-bit curves.) We cu o
rrently do not have any way to deal with this version of the attack except to re the client. An example would be to change from using the curve
strict the overall set of curves that can be used. </li> secp256r1 (aka P-256) to using secp256k1. (Both are 256-bit
curves.) We currently do not have any way to deal with this
<li>Change the hash function used to validate the signature: If one version of the attack except to restrict the overall set of curves
either has two different hash functions of the same length or can truncate a has that can be used. </li>
h function, then one could potentially find collisions between the hash function <li pn="section-2.1.1-4.2">Changing the hash function used to valida
s rather than within a single hash function (for example, truncating SHA-512 to te the signature: If
256 bits might collide with a SHA-256 bit hash value). As the hash algorithm is one either has two different hash functions of the same length or
part of the signature algorithm identifier, this attack is mitigated by includin can truncate a hash function, then one could potentially find
g a signature algorithm identifier in the protected header bucket. </li> collisions between the hash functions rather than within a single
hash function. For example, truncating SHA-512 to 256 bits might
collide with a SHA-256 bit hash value. As the hash algorithm is
part of the signature algorithm identifier, this attack is
mitigated by including a signature algorithm identifier in the
protected-header bucket. </li>
</ul> </ul>
</section> </section>
</section> </section>
<section> <section numbered="true" removeInRFC="false" toc="include" pn="section-2.2
">
<name>Edwards-Curve Digital Signature Algorithms (EdDSAs)</name> <name slugifiedName="name-edwards-curve-digital-signa">Edwards-Curve Dig
<t><xref target="RFC8032"/> describes the elliptic curve signature schem ital Signature Algorithm (EdDSA)</name>
e Edwards-curve Digital Signature Algorithm (EdDSA). In that document, the sign <t indent="0" pn="section-2.2-1"><xref target="RFC8032" format="default"
ature algorithm is instantiated using parameters for edwards25519 and edwards448 sectionFormat="of" derivedContent="RFC8032"/> describes the elliptic curve sign
curves. The document additionally describes two variants of the EdDSA algorith ature
m: Pure EdDSA, where no hash function is applied to the content before signing, scheme Edwards-curve Digital Signature Algorithm (EdDSA). In that
and HashEdDSA, where a hash function is applied to the content before signing an document, the signature algorithm is instantiated using parameters for
d the result of that hash function is signed. For EdDSA, the content to be sign the edwards25519 and edwards448 curves. The document additionally
ed (either the message or the pre-hash value) is processed twice inside of the s describes two variants of the EdDSA algorithm: Pure EdDSA, where no
ignature algorithm. For use with COSE, only the pure EdDSA version is used. Th hash function is applied to the content before signing, and HashEdDSA,
is is because it is not expected that extremely large contents are going to be n where a hash function is applied to the content before signing and the
eeded and, based on the arrangement of the message structure, the entire message result of that hash function is signed. For EdDSA, the content to be
is going to need to be held in memory in order to create or verify a signature. signed (either the message or the prehash value) is processed twice
This means that there does not appear to be a need to be able to do block upda inside of the signature algorithm. For use with COSE, only the pure
tes of the hash, followed by eliminating the message from memory. Applications EdDSA version is used. This is because it is not expected that
can provide the same features by defining the content of the message as a hash v extremely large contents are going to be needed and, based on the
alue and transporting the COSE object (with the hash value) and the content as s arrangement of the message structure, the entire message is going to
eparate items. </t> need to be held in memory in order to create or verify a signature.
<t>The algorithms defined in this document can be found in <xref target= Therefore, there does not appear to be a need to be able to do
"x-table-eddsa-algs"/>. A single signature algorithm is defined, which can be u block updates of the hash, followed by eliminating the message from
sed for multiple curves. </t> memory. Applications can provide the same features by defining the
<table anchor="x-table-eddsa-algs" align="center"> content of the message as a hash value and transporting the COSE
object (with the hash value) and the content as separate items. </t>
<name>EdDSA Algorithm Values</name> <t indent="0" pn="section-2.2-2">The algorithm defined in this document
can be found in <xref target="x-table-eddsa-algs" format="default" sectionFormat
="of" derivedContent="Table 2"/>. A single signature algorithm is defined, whic
h can be used for multiple curves. </t>
<table anchor="x-table-eddsa-algs" align="center" pn="table-2">
<name slugifiedName="name-eddsa-algorithm-value">EdDSA Algorithm Value
</name>
<thead> <thead>
<tr> <tr>
<th>Name</th> <th align="left" colspan="1" rowspan="1">Name</th>
<th>Value</th> <th align="center" colspan="1" rowspan="1">Value</th>
<th>Description</th> <th align="left" colspan="1" rowspan="1">Description</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td>EdDSA</td> <td align="left" colspan="1" rowspan="1">EdDSA</td>
<td>-8</td> <td align="center" colspan="1" rowspan="1">-8</td>
<td>EdDSA</td> <td align="left" colspan="1" rowspan="1">EdDSA</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<t><xref target="RFC8032"/> describes the method of encoding the signatu <t indent="0" pn="section-2.2-4"><xref target="RFC8032" format="default"
re value. </t> sectionFormat="of" derivedContent="RFC8032"/> describes the method of encoding
<t>When using a COSE key for this algorithm, the following checks are ma the signature value. </t>
de: <t indent="0" pn="section-2.2-5">When using a COSE key for this algorith
m, the following checks are made:
</t> </t>
<ul bare="false" empty="false" indent="3" spacing="normal" pn="section-2
<ul> .2-6">
<li pn="section-2.2-6.1">The "kty" field <bcp14>MUST</bcp14> be presen
<li>The 'kty' field <bcp14>MUST</bcp14> be present, and it <bcp14>MUST t, and it <bcp14>MUST</bcp14> be "OKP" (Octet Key Pair). </li>
</bcp14> be 'OKP' (Octet Key Pair). </li> <li pn="section-2.2-6.2">The "crv" field <bcp14>MUST</bcp14> be presen
t, and it <bcp14>MUST</bcp14> be a curve defined for this signature algorithm.</
<li>The 'crv' field <bcp14>MUST</bcp14> be present, and it <bcp14>MUST li>
</bcp14> be a curve defined for this signature algorithm.</li> <li pn="section-2.2-6.3">If the "alg" field is present, it <bcp14>MUST
</bcp14> match "EdDSA".</li>
<li>If the 'alg' field is present, it <bcp14>MUST</bcp14> match 'EdDSA <li pn="section-2.2-6.4">If the "key_ops" field is present, it <bcp14>
'.</li> MUST</bcp14> include "sign" when creating an EdDSA signature.</li>
<li pn="section-2.2-6.5">If the "key_ops" field is present, it <bcp14>
<li>If the 'key_ops' field is present, it <bcp14>MUST</bcp14> include MUST</bcp14> include "verify" when verifying an EdDSA signature.</li>
'sign' when creating an EdDSA signature.</li>
<li>If the 'key_ops' field is present, it <bcp14>MUST</bcp14> include
'verify' when verifying an EdDSA signature.</li>
</ul> </ul>
<section> <section numbered="true" removeInRFC="false" toc="include" pn="section-2
.2.1">
<name>Security Considerations for EdDSA</name> <name slugifiedName="name-security-considerations-for-">Security Consi
<t>How public values are computed is not the same when looking at EdDS derations for EdDSA</name>
A and Elliptic Curve Diffie-Hellman (ECDH); for this reason, the public key shou <t indent="0" pn="section-2.2.1-1">Public values are computed differen
ld not be used with the other algorithm. </t> tly in EdDSA and Elliptic Curve
<t>If batch signature verification is performed, a well-seeded cryptog Diffie-Hellman (ECDH); for this reason, the public key from one should
raphic random number generator is <bcp14>REQUIRED</bcp14> (<relref target="RFC80 not be
32" section="8.2"/>). Signing and non-batch signature verification are determin used with the other algorithm.</t>
istic operations and do not need random numbers of any kind. </t> <t indent="0" pn="section-2.2.1-2">If batch signature verification is
performed, a well-seeded
cryptographic random number generator is <bcp14>REQUIRED</bcp14>
(<xref target="RFC8032" section="8.2" sectionFormat="of" format="defaul
t" derivedLink="https://rfc-editor.org/rfc/rfc8032#section-8.2" derivedContent="
RFC8032"/>). Signing and nonbatch
signature verification are deterministic operations and do not need
random numbers of any kind. </t>
</section> </section>
</section> </section>
</section> </section>
<section> <section numbered="true" removeInRFC="false" toc="include" pn="section-3">
<name slugifiedName="name-message-authentication-code">Message Authenticat
<name>Message Authentication Code (MAC) Algorithms</name> ion Code (MAC) Algorithms</name>
<t> <t indent="0" pn="section-3-1">
<relref section="&MacSection;" target="I-D.ietf-cose-rfc8152bis-struct"/ <xref section="8.2" target="RFC9052" sectionFormat="of" format="default"
> contains a generic description of MAC algorithms. derivedLink="https://rfc-editor.org/rfc/rfc9052#section-8.2" derivedContent="RFC
9052"/> contains a generic description
of MAC algorithms.
This section defines the conventions for two MAC algorithms. This section defines the conventions for two MAC algorithms.
</t> </t>
<section> <section numbered="true" removeInRFC="false" toc="include" pn="section-3.1
">
<name>Hash-Based Message Authentication Codes (HMACs)</name> <name slugifiedName="name-hash-based-message-authenti">Hash-Based Messag
<t>HMAC <xref target="RFC2104"/> <xref target="RFC4231"/> was designed t e Authentication Codes (HMACs)</name>
o deal with length extension attacks. The algorithm was also designed to allow <t indent="0" pn="section-3.1-1">HMAC <xref target="RFC2104" format="def
for new hash algorithms to be directly plugged in without changes to the hash fu ault" sectionFormat="of" derivedContent="RFC2104"/> <xref target="RFC4231" forma
nction. The HMAC design process has been shown as solid since, while the securi t="default" sectionFormat="of" derivedContent="RFC4231"/> was designed
ty of hash algorithms such as MD5 has decreased over time; the security of HMAC to deal with length extension attacks. The HMAC algorithm was also design
combined with MD5 has not yet been shown to be compromised <xref target="RFC6151 ed to allow new hash functions to be
"/>. </t> directly plugged in without changes to the hash function. The HMAC design proc
<t>The HMAC algorithm is parameterized by an inner and outer padding, a ess has
hash function (h), and an authentication tag value length. For this specificati been shown to be solid; although the security of hash functions such
on, the inner and outer padding are fixed to the values set in <xref target="RFC as MD5 has decreased over time, the security of HMAC combined with MD5
2104"/>. The length of the authentication tag corresponds to the difficulty of has not yet been shown to be compromised <xref target="RFC6151" format="d
producing a forgery. For use in constrained environments, we define one HMAC al efault" sectionFormat="of" derivedContent="RFC6151"/>.
gorithm that is truncated. There are currently no known issues with truncation; </t>
however, the security strength of the message tag is correspondingly reduced in <t indent="0" pn="section-3.1-2">The HMAC algorithm is parameterized by
strength. When truncating, the leftmost tag length bits are kept and transmitt an inner and outer padding,
ed. </t> a hash function (h), and an authentication tag value length. For this
<t>The algorithms defined in this document can be found in <xref target= specification, the inner and outer padding are fixed to the values set
"x-table-hmac"/>. </t> in <xref target="RFC2104" format="default" sectionFormat="of" derivedCont
<table anchor="x-table-hmac" align="center"> ent="RFC2104"/>. The length of the authentication tag
corresponds to the difficulty of producing a forgery. For use in
<name>HMAC Algorithm Values</name> constrained environments, we define one HMAC algorithm that is
truncated. There are currently no known issues with truncation;
however, the security strength of the message tag is correspondingly
reduced in strength. When truncating, the leftmost tag-length bits
are kept and transmitted. </t>
<t indent="0" pn="section-3.1-3">The algorithms defined in this document
can be found in <xref target="x-table-hmac" format="default" sectionFormat="of"
derivedContent="Table 3"/>. </t>
<table anchor="x-table-hmac" align="center" pn="table-3">
<name slugifiedName="name-hmac-algorithm-values">HMAC Algorithm Values
</name>
<thead> <thead>
<tr> <tr>
<th>Name</th> <th align="left" colspan="1" rowspan="1">Name</th>
<th>Value</th> <th align="center" colspan="1" rowspan="1">Value</th>
<th>Hash</th> <th align="left" colspan="1" rowspan="1">Hash</th>
<th>Tag Length</th> <th align="center" colspan="1" rowspan="1">Tag Length</th>
<th>Description</th> <th align="left" colspan="1" rowspan="1">Description</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td>HMAC 256/64</td> <td align="left" colspan="1" rowspan="1">HMAC 256/64</td>
<td>4</td> <td align="center" colspan="1" rowspan="1">4</td>
<td>SHA-256</td> <td align="left" colspan="1" rowspan="1">SHA-256</td>
<td>64</td> <td align="center" colspan="1" rowspan="1">64</td>
<td>HMAC w/ SHA-256 truncated to 64 bits</td> <td align="left" colspan="1" rowspan="1">HMAC w/ SHA-256 truncated
to 64 bits</td>
</tr> </tr>
<tr> <tr>
<td>HMAC 256/256</td> <td align="left" colspan="1" rowspan="1">HMAC 256/256</td>
<td>5</td> <td align="center" colspan="1" rowspan="1">5</td>
<td>SHA-256</td> <td align="left" colspan="1" rowspan="1">SHA-256</td>
<td>256</td> <td align="center" colspan="1" rowspan="1">256</td>
<td>HMAC w/ SHA-256</td> <td align="left" colspan="1" rowspan="1">HMAC w/ SHA-256</td>
</tr> </tr>
<tr> <tr>
<td>HMAC 384/384</td> <td align="left" colspan="1" rowspan="1">HMAC 384/384</td>
<td>6</td> <td align="center" colspan="1" rowspan="1">6</td>
<td>SHA-384</td> <td align="left" colspan="1" rowspan="1">SHA-384</td>
<td>384</td> <td align="center" colspan="1" rowspan="1">384</td>
<td>HMAC w/ SHA-384</td> <td align="left" colspan="1" rowspan="1">HMAC w/ SHA-384</td>
</tr> </tr>
<tr> <tr>
<td>HMAC 512/512</td> <td align="left" colspan="1" rowspan="1">HMAC 512/512</td>
<td>7</td> <td align="center" colspan="1" rowspan="1">7</td>
<td>SHA-512</td> <td align="left" colspan="1" rowspan="1">SHA-512</td>
<td>512</td> <td align="center" colspan="1" rowspan="1">512</td>
<td>HMAC w/ SHA-512</td> <td align="left" colspan="1" rowspan="1">HMAC w/ SHA-512</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<t>Some recipient algorithms transport the key, while others derive a ke <t indent="0" pn="section-3.1-5">Some recipient algorithms transport the
y from secret data. For those algorithms that transport the key (such as AES Ke key, while others derive a key from secret data. For those algorithms that tra
y Wrap), the size of the HMAC key <bcp14>SHOULD</bcp14> be the same size as the nsport the key (such as AES Key Wrap), the size of the HMAC key <bcp14>SHOULD</b
output of the underlying hash function. For those algorithms that derive the k cp14> be the same size as the output of the underlying hash function. For thos
ey (such as ECDH), the derived key <bcp14>MUST</bcp14> be the same size as the u e algorithms that derive the key (such as ECDH), the derived key <bcp14>MUST</bc
nderlying hash function. </t> p14> be the same size as the output of the underlying hash function. </t>
<t>When using a COSE key for this algorithm, the following checks are ma <t indent="0" pn="section-3.1-6">When using a COSE key for this algorith
de: m, the following checks are made:
</t> </t>
<ul bare="false" empty="false" indent="3" spacing="normal" pn="section-3
<ul> .1-7">
<li pn="section-3.1-7.1">The "kty" field <bcp14>MUST</bcp14> be presen
<li>The 'kty' field <bcp14>MUST</bcp14> be present, and it <bcp14>MUST t, and it <bcp14>MUST</bcp14> be "Symmetric".</li>
</bcp14> be 'Symmetric'.</li> <li pn="section-3.1-7.2">If the "alg" field is present, it <bcp14>MUST
</bcp14> match the HMAC algorithm being used.</li>
<li>If the 'alg' field is present, it <bcp14>MUST</bcp14> match the HM <li pn="section-3.1-7.3">If the "key_ops" field is present, it <bcp14>
AC algorithm being used.</li> MUST</bcp14> include "MAC create" when creating an HMAC authentication tag.</li>
<li pn="section-3.1-7.4">If the "key_ops" field is present, it <bcp14>
<li>If the 'key_ops' field is present, it <bcp14>MUST</bcp14> include MUST</bcp14> include "MAC verify" when verifying an HMAC authentication tag.</li
'MAC create' when creating an HMAC authentication tag.</li> >
<li>If the 'key_ops' field is present, it <bcp14>MUST</bcp14> include
'MAC verify' when verifying an HMAC authentication tag.</li>
</ul> </ul>
<t>Implementations creating and validating MAC values <bcp14>MUST</bcp14 <t indent="0" pn="section-3.1-8">Implementations creating and validating
> validate that the key type, key length, and algorithm are correct and appropri MAC values <bcp14>MUST</bcp14> validate that the key type, key length, and algo
ate for the entities involved. </t> rithm are correct and appropriate for the entities involved. </t>
<section> <section numbered="true" removeInRFC="false" toc="include" pn="section-3
.1.1">
<name>Security Considerations for HMAC</name> <name slugifiedName="name-security-considerations-for-h">Security Cons
<t>HMAC has proved to be resistant to attack even when used with weake iderations for HMAC</name>
ned hash algorithms. The current best known attack is to brute force the key. <t indent="0" pn="section-3.1.1-1">HMAC has proved to be resistant to
This means that key size is going to be directly related to the security of an H attack even when used with weakened hash algorithms. The current best known att
MAC operation. </t> ack is to brute force the key. This means that key size is going to be directly
related to the security of an HMAC operation. </t>
</section> </section>
</section> </section>
<section> <section numbered="true" removeInRFC="false" toc="include" pn="section-3.2
">
<name>AES Message Authentication Code (AES-CBC-MAC)</name> <name slugifiedName="name-aes-message-authentication-">AES Message Authe
<t>AES-CBC-MAC is defined in <xref target="MAC"/>. (Note that this is n ntication Code (AES-CBC-MAC)</name>
ot the same algorithm as AES Cipher-Based Message Authentication Code (AES-CMAC) <t indent="0" pn="section-3.2-1">AES-CBC-MAC is the instantiation of the
<xref target="RFC4493"/>.) </t> CBC-MAC construction (defined in <xref target="MAC" format="default" sectionFor
<t>AES-CBC-MAC is parameterized by the key length, the authentication ta mat="of" derivedContent="MAC"/>) using AES as the block cipher. For brevity, we
g length, and the Initialization Vector (IV) used. For all of these algorithms, also use "AES-MAC"
the IV is fixed to all zeros. We provide an array of algorithms for various ke to refer to AES-CBC-MAC. (Note that this is
y lengths and tag lengths. The algorithms defined in this document are found in not the same algorithm as AES Cipher-Based Message Authentication Code
<xref target="x-table-aes-mac"/>. </t> (AES-CMAC) <xref target="RFC4493" format="default" sectionFormat="of" der
<table anchor="x-table-aes-mac" align="center"> ivedContent="RFC4493"/>.) </t>
<t indent="0" pn="section-3.2-2">AES-CBC-MAC is parameterized by the key
<name>AES-MAC Algorithm Values</name> length, the
authentication tag length, and the Initialization Vector (IV) used.
For all of these algorithms, the IV is fixed to all zeros. We provide
an array of algorithms for various key and tag lengths. The
algorithms defined in this document are found in <xref target="x-table-ae
s-mac" format="default" sectionFormat="of" derivedContent="Table 4"/>. </t>
<table anchor="x-table-aes-mac" align="center" pn="table-4">
<name slugifiedName="name-aes-mac-algorithm-values">AES-MAC Algorithm
Values</name>
<thead> <thead>
<tr> <tr>
<th>Name</th> <th align="left" colspan="1" rowspan="1">Name</th>
<th>Value</th> <th align="center" colspan="1" rowspan="1">Value</th>
<th>Key Length</th> <th align="center" colspan="1" rowspan="1">Key Length</th>
<th>Tag Length</th> <th align="center" colspan="1" rowspan="1">Tag Length</th>
<th>Description</th> <th align="left" colspan="1" rowspan="1">Description</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td>AES-MAC 128/64</td> <td align="left" colspan="1" rowspan="1">AES-MAC 128/64</td>
<td>14</td> <td align="center" colspan="1" rowspan="1">14</td>
<td>128</td> <td align="center" colspan="1" rowspan="1">128</td>
<td>64</td> <td align="center" colspan="1" rowspan="1">64</td>
<td>AES-MAC 128-bit key, 64-bit tag</td> <td align="left" colspan="1" rowspan="1">AES-MAC 128-bit key, 64-b
it tag</td>
</tr> </tr>
<tr> <tr>
<td>AES-MAC 256/64</td> <td align="left" colspan="1" rowspan="1">AES-MAC 256/64</td>
<td>15</td> <td align="center" colspan="1" rowspan="1">15</td>
<td>256</td> <td align="center" colspan="1" rowspan="1">256</td>
<td>64</td> <td align="center" colspan="1" rowspan="1">64</td>
<td>AES-MAC 256-bit key, 64-bit tag</td> <td align="left" colspan="1" rowspan="1">AES-MAC 256-bit key, 64-b
it tag</td>
</tr> </tr>
<tr> <tr>
<td>AES-MAC 128/128</td> <td align="left" colspan="1" rowspan="1">AES-MAC 128/128</td>
<td>25</td> <td align="center" colspan="1" rowspan="1">25</td>
<td>128</td> <td align="center" colspan="1" rowspan="1">128</td>
<td>128</td> <td align="center" colspan="1" rowspan="1">128</td>
<td>AES-MAC 128-bit key, 128-bit tag</td> <td align="left" colspan="1" rowspan="1">AES-MAC 128-bit key, 128-
bit tag</td>
</tr> </tr>
<tr> <tr>
<td>AES-MAC 256/128</td> <td align="left" colspan="1" rowspan="1">AES-MAC 256/128</td>
<td>26</td> <td align="center" colspan="1" rowspan="1">26</td>
<td>256</td> <td align="center" colspan="1" rowspan="1">256</td>
<td>128</td> <td align="center" colspan="1" rowspan="1">128</td>
<td>AES-MAC 256-bit key, 128-bit tag</td> <td align="left" colspan="1" rowspan="1">AES-MAC 256-bit key, 128-
bit tag</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<t>Keys may be obtained either from a key structure or from a recipient <t indent="0" pn="section-3.2-4">Keys may be obtained from either a key
structure. Implementations creating and validating MAC values <bcp14>MUST</bcp1 structure or a
4> validate that the key type, key length, and algorithm are correct and appropr recipient structure. Implementations creating and validating MAC
iate for the entities involved. </t> values <bcp14>MUST</bcp14> validate that the key type, key length, and
<t>When using a COSE key for this algorithm, the following checks are ma algorithm are correct and appropriate for the entities involved. </t>
de: <t indent="0" pn="section-3.2-5">When using a COSE key for this algorith
m, the following checks are made:
</t> </t>
<ul bare="false" empty="false" indent="3" spacing="normal" pn="section-3
<ul> .2-6">
<li pn="section-3.2-6.1">The "kty" field <bcp14>MUST</bcp14> be presen
<li>The 'kty' field <bcp14>MUST</bcp14> be present, and it <bcp14>MUST t, and it <bcp14>MUST</bcp14> be "Symmetric".</li>
</bcp14> be 'Symmetric'.</li> <li pn="section-3.2-6.2">If the "alg" field is present, it <bcp14>MUST
</bcp14> match the AES-MAC algorithm being used.</li>
<li>If the 'alg' field is present, it <bcp14>MUST</bcp14> match the AE <li pn="section-3.2-6.3">If the "key_ops" field is present, it <bcp14>
S-MAC algorithm being used.</li> MUST</bcp14> include "MAC create" when creating an AES-MAC authentication tag.</
li>
<li>If the 'key_ops' field is present, it <bcp14>MUST</bcp14> include <li pn="section-3.2-6.4">If the "key_ops" field is present, it <bcp14>
'MAC create' when creating an AES-MAC authentication tag.</li> MUST</bcp14> include "MAC verify" when verifying an AES-MAC authentication tag.<
/li>
<li>If the 'key_ops' field is present, it <bcp14>MUST</bcp14> include
'MAC verify' when verifying an AES-MAC authentication tag.</li>
</ul> </ul>
<section> <section numbered="true" removeInRFC="false" toc="include" pn="section-3
.2.1">
<name>Security Considerations AES-CBC_MAC </name> <name slugifiedName="name-security-considerations-for-a">Security Cons
<t>A number of attacks exist against Cipher Block Chaining Message Aut iderations for AES-CBC-MAC </name>
hentication Code (CBC-MAC) that need to be considered. <t indent="0" pn="section-3.2.1-1">A number of attacks exist against C
ipher Block Chaining Message Authentication Code (CBC-MAC) that need to be consi
dered.
</t> </t>
<ul bare="false" empty="false" indent="3" spacing="normal" pn="section
<ul> -3.2.1-2">
<li pn="section-3.2.1-2.1">A single key must only be used for messag
<li>A single key must only be used for messages of a fixed or known es of a fixed or
length. If this is not the case, an attacker will be able to generate a message known length. If this is not the case, an attacker will be able
with a valid tag given two message and tag pairs. This can be addressed by usi to generate a message with a valid tag given two
ng different keys for messages of different lengths. message and tag pairs. This can be addressed by using different
keys for
The current structure mitigates this problem, as a specific encoding structure messages of different lengths. The current structure mitigates
that includes lengths is built and signed. (CMAC also addresses this issue.) </ this problem, as a specific encoding structure that includes
li> lengths is built and signed. (CMAC also addresses this issue.)
</li>
<li>In cipher Block Chaining (CBC) mode, if the same key is used for <li pn="section-3.2.1-2.2">In Cipher Block Chaining (CBC) mode, if t
both encryption and authentication operations, an attacker can produce messages he same key is used
with a valid authentication code. </li> for both encryption and authentication operations, an attacker can
produce messages with a valid authentication code. </li>
<li>If the IV can be modified, then messages can be forged. This is <li pn="section-3.2.1-2.3">If the IV can be modified, then messages
addressed by fixing the IV to all zeros. </li> can be forged. This is addressed by fixing the IV to all zeros. </li>
</ul> </ul>
</section> </section>
</section> </section>
</section> </section>
<section> <section numbered="true" removeInRFC="false" toc="include" pn="section-4">
<name slugifiedName="name-content-encryption-algorith">Content Encryption
Algorithms</name>
<t indent="0" pn="section-4-1">
<name>Content Encryption Algorithms</name> <xref section="8.3" target="RFC9052" sectionFormat="of" format="default"
<t> derivedLink="https://rfc-editor.org/rfc/rfc9052#section-8.3" derivedContent="RF
<relref section="&ContentSection;" target="I-D.ietf-cose-rfc8152bis-stru C9052"/> contains a generic description
ct"/> contains a generic description of Content Encryption algorithms. of content encryption algorithms.
This document defines the identifier and usages for three content encryp This document defines the identifier and usages for three
tion algorithms. content encryption algorithms.
</t> </t>
<section> <section numbered="true" removeInRFC="false" toc="include" pn="section-4.1
">
<name>AES GCM</name> <name slugifiedName="name-aes-gcm">AES-GCM</name>
<t>The Galois/Counter Mode (GCM) mode is a generic AEAD block cipher mod <t indent="0" pn="section-4.1-1">The Galois/Counter Mode (GCM) mode is a
e defined in <xref target="AES-GCM"/>. The GCM mode is combined with the AES bl generic AEAD block cipher
ock encryption algorithm to define an AEAD cipher. </t> mode defined in <xref target="AES-GCM" format="default" sectionFormat="of
<t>The GCM mode is parameterized by the size of the authentication tag a " derivedContent="AES-GCM"/>. The GCM mode is combined
nd the size of the nonce. This document fixes the size of the nonce at 96 bits. with the AES block encryption algorithm to define an AEAD cipher.
The size of the authentication tag is limited to a small set of values. For t </t>
his document however, the size of the authentication tag is fixed at 128 bits. <t indent="0" pn="section-4.1-2">The GCM mode is parameterized by the si
</t> ze of the authentication tag
<t>The set of algorithms defined in this document are in <xref target="x and the size of the nonce. This document fixes the size of the nonce
-table-AES-GCM"/>. </t> at 96 bits. The size of the authentication tag is limited to a small
<table anchor="x-table-AES-GCM" align="center"> set of values. For this document, however, the size of the
authentication tag is fixed at 128 bits. </t>
<name>Algorithm Value for AES-GCM</name> <t indent="0" pn="section-4.1-3">The set of algorithms defined in this d
ocument is in <xref target="x-table-AES-GCM" format="default" sectionFormat="of"
derivedContent="Table 5"/>. </t>
<table anchor="x-table-AES-GCM" align="center" pn="table-5">
<name slugifiedName="name-algorithm-values-for-aes-gc">Algorithm Value
s for AES-GCM</name>
<thead> <thead>
<tr> <tr>
<th>Name</th> <th align="left" colspan="1" rowspan="1">Name</th>
<th>Value</th> <th align="center" colspan="1" rowspan="1">Value</th>
<th>Description</th> <th align="left" colspan="1" rowspan="1">Description</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td>A128GCM</td> <td align="left" colspan="1" rowspan="1">A128GCM</td>
<td>1</td> <td align="center" colspan="1" rowspan="1">1</td>
<td>AES-GCM mode w/ 128-bit key, 128-bit tag</td> <td align="left" colspan="1" rowspan="1">AES-GCM mode w/ 128-bit k
ey, 128-bit tag</td>
</tr> </tr>
<tr> <tr>
<td>A192GCM</td> <td align="left" colspan="1" rowspan="1">A192GCM</td>
<td>2</td> <td align="center" colspan="1" rowspan="1">2</td>
<td>AES-GCM mode w/ 192-bit key, 128-bit tag</td> <td align="left" colspan="1" rowspan="1">AES-GCM mode w/ 192-bit k
ey, 128-bit tag</td>
</tr> </tr>
<tr> <tr>
<td>A256GCM</td> <td align="left" colspan="1" rowspan="1">A256GCM</td>
<td>3</td> <td align="center" colspan="1" rowspan="1">3</td>
<td>AES-GCM mode w/ 256-bit key, 128-bit tag</td> <td align="left" colspan="1" rowspan="1">AES-GCM mode w/ 256-bit k
ey, 128-bit tag</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<t>Keys may be obtained either from a key structure or from a recipient <t indent="0" pn="section-4.1-5">Keys may be obtained from either a key
structure. Implementations encrypting and decrypting <bcp14>MUST</bcp14> valida structure or a recipient
te that the key type, key length, and algorithm are correct and appropriate for structure. Implementations that are encrypting or decrypting
the entities involved. </t> <bcp14>MUST</bcp14> validate that the key type, key length, and
<t>When using a COSE key for this algorithm, the following checks are ma algorithm are correct and appropriate for the entities involved. </t>
de: <t indent="0" pn="section-4.1-6">When using a COSE key for this algorith
m, the following checks are made:
</t> </t>
<ul bare="false" empty="false" indent="3" spacing="normal" pn="section-4
<ul> .1-7">
<li pn="section-4.1-7.1">The "kty" field <bcp14>MUST</bcp14> be presen
<li>The 'kty' field <bcp14>MUST</bcp14> be present, and it <bcp14>MUST t, and it <bcp14>MUST</bcp14> be "Symmetric".</li>
</bcp14> be 'Symmetric'.</li> <li pn="section-4.1-7.2">If the "alg" field is present, it <bcp14>MUST
</bcp14> match the AES-GCM algorithm being used.</li>
<li>If the 'alg' field is present, it <bcp14>MUST</bcp14> match the AE <li pn="section-4.1-7.3">If the "key_ops" field is present, it <bcp14>
S-GCM algorithm being used.</li> MUST</bcp14> include "encrypt" or "wrap key" when encrypting.</li>
<li pn="section-4.1-7.4">If the "key_ops" field is present, it <bcp14>
<li>If the 'key_ops' field is present, it <bcp14>MUST</bcp14> include MUST</bcp14> include "decrypt" or "unwrap key" when decrypting.</li>
'encrypt' or 'wrap key' when encrypting.</li>
<li>If the 'key_ops' field is present, it <bcp14>MUST</bcp14> include
'decrypt' or 'unwrap key' when decrypting.</li>
</ul> </ul>
<section> <section numbered="true" removeInRFC="false" toc="include" pn="section-4
.1.1">
<name>Security Considerations for AES-GCM</name> <name slugifiedName="name-security-considerations-for-ae">Security Con
<t>When using AES-GCM, the following restrictions <bcp14>MUST</bcp14> siderations for AES-GCM</name>
be enforced: <t indent="0" pn="section-4.1.1-1">When using AES-GCM, the following r
estrictions <bcp14>MUST</bcp14> be enforced:
</t> </t>
<ul bare="false" empty="false" indent="3" spacing="normal" pn="section
<ul> -4.1.1-2">
<li pn="section-4.1.1-2.1">The key and nonce pair <bcp14>MUST</bcp14
<li>The key and nonce pair <bcp14>MUST</bcp14> be unique for every m > be unique for every
essage encrypted. </li> message encrypted. </li>
<li pn="section-4.1.1-2.2">The total number of messages encrypted fo
<li>The total number of messages encrypted for a single key <bcp14>M r a single key
UST NOT</bcp14> exceed 2^32 <xref target="SP800-38d"/>. An explicit check is re <bcp14>MUST NOT</bcp14> exceed 2<sup>32</sup> <xref target="SP800-38D
quired only in environments where it is expected that it might be exceeded. </l " format="default" sectionFormat="of" derivedContent="SP800-38D"/>.
i> An explicit check is required only in environments where it is expect
<li> ed that this limit might be exceeded. </li>
A more recent analysis in <xref target="ROBUST"/> indicates that t <li pn="section-4.1.1-2.3">
he the number of failed decryptions needs to be taken into account as part deter <xref target="RFC8446" format="default" sectionFormat="of" derived
mining when a key roll-over is to be done. Content="RFC8446"/> contains an analysis on the
Following the recommendation of for DTLS, the number of failed mes use of AES-CGM for its environment.
sage decryptions should be limited to 2^36. Based on that recommendation, one should restrict the number of
messages encrypted to 2<sup>24.5</sup>.</li>
<li pn="section-4.1.1-2.4">
A more recent analysis in <xref target="ROBUST" format="default" s
ectionFormat="of" derivedContent="ROBUST"/> indicates that
the number of failed decryptions needs to be taken into account
as part of determining when a key rollover is to be done.
Following the recommendation in DTLS (<xref target="RFC9147" secti
on="4.5.3" sectionFormat="of" format="default" derivedLink="https://rfc-editor.o
rg/rfc/rfc9147#section-4.5.3" derivedContent="RFC9147"/>), the number of
failed message decryptions should be limited to 2<sup>36</sup>.
</li> </li>
</ul> </ul>
<t>Consideration was given to supporting smaller tag values; the const <t indent="0" pn="section-4.1.1-3">Consideration was given to supporti
rained community would desire tag sizes in the 64-bit range. Doing so drasticall ng smaller tag values; the
y changes both the maximum messages size (generally not an issue) and the number constrained community would desire tag sizes in the 64-bit
of times that a key can be used. Given that Counter with CBC-MAC (CCM) is the range. Such use drastically changes both the maximum message size
usual mode for constrained environments, restricted modes are not supported. </ (generally not an issue) and the number of times that a key can be
t> used. Given that Counter with CBC-MAC (CCM) is the usual mode for
constrained environments, restricted modes are not supported. </t>
</section> </section>
</section> </section>
<section> <section numbered="true" removeInRFC="false" toc="include" pn="section-4.2
">
<name>AES CCM</name> <name slugifiedName="name-aes-ccm">AES-CCM</name>
<t>CCM is a generic authentication encryption block cipher mode defined <t indent="0" pn="section-4.2-1">CCM is a generic authentication encrypt
in <xref target="RFC3610"/>. The CCM mode is combined with the AES block encryp ion block cipher mode
tion algorithm to define a commonly used content encryption algorithm used in co defined in <xref target="RFC3610" format="default" sectionFormat="of" der
nstrained devices. </t> ivedContent="RFC3610"/>. The CCM mode is combined with
<t>The CCM mode has two parameter choices. The first choice is M, the s the AES block encryption algorithm to define an AEAD cipher that is
ize of the authentication field. The choice of the value for M involves a trade commonly used in constrained devices. </t>
-off between message growth (from the tag) and the probability that an attacker <t indent="0" pn="section-4.2-2">The CCM mode has two parameter choices.
can undetectably modify a message. The second choice is L, the size of the leng The first choice is M, the
th field. This value requires a trade-off between the maximum message size and size of the authentication field. The choice of the value for M
the size of the Nonce. </t> involves a trade-off between message growth (from the tag) and the
<t>It is unfortunate that the specification for CCM specified L and M as probability that an attacker can undetectably modify a message. The
a count of bytes rather than a count of bits. This leads to possible misunders second choice is L, the size of the length field. This value requires
tandings where AES-CCM-8 is frequently used to refer to a version of CCM mode wh a trade-off between the maximum message size and the size of the
ere the size of the authentication is 64 bits and not 8 bits. These values have nonce. </t>
traditionally been specified as bit counts rather than byte counts. This docum <t indent="0" pn="section-4.2-3">It is unfortunate that the specificatio
ent will follow the convention of using bit counts so that it is easier to compa n for CCM specified L and M as a count of bytes rather than a count of bits. Th
re the different algorithms presented in this document. </t> is leads to possible misunderstandings where AES-CCM-8 is frequently used to ref
<t>We define a matrix of algorithms in this document over the values of er to a version of CCM mode where the size of the authentication is 64 bits and
L and M. Constrained devices are usually operating in situations where they use not 8 bits. In most cryptographic algorithm specifications, these values have t
short messages and want to avoid doing recipient-specific cryptographic operati raditionally been specified as bit counts rather than byte counts. This documen
ons. This favors smaller values of both L and M. Less-constrained devices will t will follow the convention of using bit counts so that it is easier to compare
want to be able to use larger messages and are more willing to generate new key the different algorithms presented in this document. </t>
s for every operation. This favors larger values of L and M. </t> <t indent="0" pn="section-4.2-4">We define a matrix of algorithms in thi
<t>The following values are used for L: s document over the values of L and M. Constrained devices are usually operatin
g in situations where they use short messages and want to avoid doing recipient-
specific cryptographic operations. This favors smaller values of both L and M.
Less-constrained devices will want to be able to use larger messages and are mo
re willing to generate new keys for every operation. This favors larger values
of L and M. </t>
<t indent="0" pn="section-4.2-5">The following values are used for L:
</t> </t>
<dl newline="false" indent="3" spacing="normal" pn="section-4.2-6">
<dl newline="false"> <dt pn="section-4.2-6.1">16 bits (2):</dt>
<dt>16 bits (2):</dt> <dd pn="section-4.2-6.2">This limits messages to 2<sup>16</sup> bytes
(64 KiB) in length.
<dd>This limits messages to 2^16 bytes (64 KiB) in length. This is su This is sufficiently long for messages in the constrained world.
fficiently long for messages in the constrained world. The nonce length is 13 b The nonce length is 13 bytes allowing for 2<sup>104</sup> possible valu
ytes allowing for 2^104 possible values of the nonce without repeating. </dd> es of
<dt>64 bits (8):</dt> the nonce without repeating. </dd>
<dt pn="section-4.2-6.3">64 bits (8):</dt>
<dd>This limits messages to 2^64 bytes in length. The nonce length is <dd pn="section-4.2-6.4">This limits messages to 2<sup>64</sup> bytes
7 bytes allowing for 2^56 possible values of the nonce without repeating. </dd in length. The
> nonce length is 7 bytes, allowing for 2<sup>56</sup> possible values of
the nonce without repeating. </dd>
</dl> </dl>
<t>The following values are used for M: <t indent="0" pn="section-4.2-7">The following values are used for M:
</t> </t>
<dl newline="false" indent="3" spacing="normal" pn="section-4.2-8">
<dl newline="false"> <dt pn="section-4.2-8.1">64 bits (8):</dt>
<dt>64 bits (8):</dt> <dd pn="section-4.2-8.2">This produces a 64-bit authentication tag. T
his implies that
<dd>This produces a 64-bit authentication tag. This implies that ther there is a 1 in 2<sup>64</sup> chance that a modified message will
e is a 1 in 2^64 chance that a modified message will authenticate. </dd> authenticate.</dd>
<dt>128 bits (16):</dt> <dt pn="section-4.2-8.3">128 bits (16):</dt>
<dd pn="section-4.2-8.4">This produces a 128-bit authentication tag.
<dd>This produces a 128-bit authentication tag. This implies that the This implies that
re is a 1 in 2^128 chance that a modified message will authenticate. </dd> there is a 1 in 2<sup>128</sup> chance that a modified message will
authenticate.</dd>
</dl> </dl>
<table anchor="x-table-AES-CCM" align="center"> <table anchor="x-table-AES-CCM" align="center" pn="table-6">
<name slugifiedName="name-algorithm-values-for-aes-cc">Algorithm Value
<name>Algorithm Values for AES-CCM</name> s for AES-CCM</name>
<thead> <thead>
<tr> <tr>
<th>Name</th> <th align="left" colspan="1" rowspan="1">Name</th>
<th>Value</th> <th align="center" colspan="1" rowspan="1">Value</th>
<th>L</th> <th align="left" colspan="1" rowspan="1">L</th>
<th>M</th> <th align="left" colspan="1" rowspan="1">M</th>
<th>Key Length</th> <th align="center" colspan="1" rowspan="1">Key Length</th>
<th>Description</th> <th align="left" colspan="1" rowspan="1">Description</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td>AES-CCM-16-64-128</td> <td align="left" colspan="1" rowspan="1">AES-CCM-16-64-128</td>
<td>10</td> <td align="center" colspan="1" rowspan="1">10</td>
<td>16</td> <td align="left" colspan="1" rowspan="1">16</td>
<td>64</td> <td align="left" colspan="1" rowspan="1">64</td>
<td>128</td> <td align="center" colspan="1" rowspan="1">128</td>
<td>AES-CCM mode 128-bit key, 64-bit tag, 13-byte nonce</td> <td align="left" colspan="1" rowspan="1">AES-CCM mode 128-bit key,
64-bit tag, 13-byte nonce</td>
</tr> </tr>
<tr> <tr>
<td>AES-CCM-16-64-256</td> <td align="left" colspan="1" rowspan="1">AES-CCM-16-64-256</td>
<td>11</td> <td align="center" colspan="1" rowspan="1">11</td>
<td>16</td> <td align="left" colspan="1" rowspan="1">16</td>
<td>64</td> <td align="left" colspan="1" rowspan="1">64</td>
<td>256</td> <td align="center" colspan="1" rowspan="1">256</td>
<td>AES-CCM mode 256-bit key, 64-bit tag, 13-byte nonce</td> <td align="left" colspan="1" rowspan="1">AES-CCM mode 256-bit key,
64-bit tag, 13-byte nonce</td>
</tr> </tr>
<tr> <tr>
<td>AES-CCM-64-64-128</td> <td align="left" colspan="1" rowspan="1">AES-CCM-64-64-128</td>
<td>12</td> <td align="center" colspan="1" rowspan="1">12</td>
<td>64</td> <td align="left" colspan="1" rowspan="1">64</td>
<td>64</td> <td align="left" colspan="1" rowspan="1">64</td>
<td>128</td> <td align="center" colspan="1" rowspan="1">128</td>
<td>AES-CCM mode 128-bit key, 64-bit tag, 7-byte nonce</td> <td align="left" colspan="1" rowspan="1">AES-CCM mode 128-bit key,
64-bit tag, 7-byte nonce</td>
</tr> </tr>
<tr> <tr>
<td>AES-CCM-64-64-256</td> <td align="left" colspan="1" rowspan="1">AES-CCM-64-64-256</td>
<td>13</td> <td align="center" colspan="1" rowspan="1">13</td>
<td>64</td> <td align="left" colspan="1" rowspan="1">64</td>
<td>64</td> <td align="left" colspan="1" rowspan="1">64</td>
<td>256</td> <td align="center" colspan="1" rowspan="1">256</td>
<td>AES-CCM mode 256-bit key, 64-bit tag, 7-byte nonce</td> <td align="left" colspan="1" rowspan="1">AES-CCM mode 256-bit key,
64-bit tag, 7-byte nonce</td>
</tr> </tr>
<tr> <tr>
<td>AES-CCM-16-128-128</td> <td align="left" colspan="1" rowspan="1">AES-CCM-16-128-128</td>
<td>30</td> <td align="center" colspan="1" rowspan="1">30</td>
<td>16</td> <td align="left" colspan="1" rowspan="1">16</td>
<td>128</td> <td align="left" colspan="1" rowspan="1">128</td>
<td>128</td> <td align="center" colspan="1" rowspan="1">128</td>
<td>AES-CCM mode 128-bit key, 128-bit tag, 13-byte nonce</td> <td align="left" colspan="1" rowspan="1">AES-CCM mode 128-bit key,
128-bit tag, 13-byte nonce</td>
</tr> </tr>
<tr> <tr>
<td>AES-CCM-16-128-256</td> <td align="left" colspan="1" rowspan="1">AES-CCM-16-128-256</td>
<td>31</td> <td align="center" colspan="1" rowspan="1">31</td>
<td>16</td> <td align="left" colspan="1" rowspan="1">16</td>
<td>128</td> <td align="left" colspan="1" rowspan="1">128</td>
<td>256</td> <td align="center" colspan="1" rowspan="1">256</td>
<td>AES-CCM mode 256-bit key, 128-bit tag, 13-byte nonce</td> <td align="left" colspan="1" rowspan="1">AES-CCM mode 256-bit key,
128-bit tag, 13-byte nonce</td>
</tr> </tr>
<tr> <tr>
<td>AES-CCM-64-128-128</td> <td align="left" colspan="1" rowspan="1">AES-CCM-64-128-128</td>
<td>32</td> <td align="center" colspan="1" rowspan="1">32</td>
<td>64</td> <td align="left" colspan="1" rowspan="1">64</td>
<td>128</td> <td align="left" colspan="1" rowspan="1">128</td>
<td>128</td> <td align="center" colspan="1" rowspan="1">128</td>
<td>AES-CCM mode 128-bit key, 128-bit tag, 7-byte nonce</td> <td align="left" colspan="1" rowspan="1">AES-CCM mode 128-bit key,
128-bit tag, 7-byte nonce</td>
</tr> </tr>
<tr> <tr>
<td>AES-CCM-64-128-256</td> <td align="left" colspan="1" rowspan="1">AES-CCM-64-128-256</td>
<td>33</td> <td align="center" colspan="1" rowspan="1">33</td>
<td>64</td> <td align="left" colspan="1" rowspan="1">64</td>
<td>128</td> <td align="left" colspan="1" rowspan="1">128</td>
<td>256</td> <td align="center" colspan="1" rowspan="1">256</td>
<td>AES-CCM mode 256-bit key, 128-bit tag, 7-byte nonce</td> <td align="left" colspan="1" rowspan="1">AES-CCM mode 256-bit key,
128-bit tag, 7-byte nonce</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<t>Keys may be obtained either from a key structure or from a recipient <t indent="0" pn="section-4.2-10">Keys may be obtained from either a key
structure. Implementations encrypting and decrypting <bcp14>MUST</bcp14> valida structure or a recipient
te that the key type, key length, and algorithm are correct and appropriate for structure. Implementations that are encrypting or decrypting
the entities involved. </t> <bcp14>MUST</bcp14> validate that the key type, key length, and
<t>When using a COSE key for this algorithm, the following checks are ma algorithm are correct and appropriate for the entities involved. </t>
de: <t indent="0" pn="section-4.2-11">When using a COSE key for this algorit
hm, the following checks are made:
</t> </t>
<ul bare="false" empty="false" indent="3" spacing="normal" pn="section-4
<ul> .2-12">
<li pn="section-4.2-12.1">The "kty" field <bcp14>MUST</bcp14> be prese
<li>The 'kty' field <bcp14>MUST</bcp14> be present, and it <bcp14>MUST nt, and it <bcp14>MUST</bcp14> be "Symmetric".</li>
</bcp14> be 'Symmetric'.</li> <li pn="section-4.2-12.2">If the "alg" field is present, it <bcp14>MUS
T</bcp14> match the AES-CCM algorithm being used.</li>
<li>If the 'alg' field is present, it <bcp14>MUST</bcp14> match the AE <li pn="section-4.2-12.3">If the "key_ops" field is present, it <bcp14
S-CCM algorithm being used.</li> >MUST</bcp14> include "encrypt" or "wrap key" when encrypting.</li>
<li pn="section-4.2-12.4">If the "key_ops" field is present, it <bcp14
<li>If the 'key_ops' field is present, it <bcp14>MUST</bcp14> include >MUST</bcp14> include "decrypt" or "unwrap key" when decrypting.</li>
'encrypt' or 'wrap key' when encrypting.</li>
<li>If the 'key_ops' field is present, it <bcp14>MUST</bcp14> include
'decrypt' or 'unwrap key' when decrypting.</li>
</ul> </ul>
<section> <section numbered="true" removeInRFC="false" toc="include" pn="section-4
.2.1">
<name>Security Considerations for AES-CCM</name> <name slugifiedName="name-security-considerations-for-aes">Security Co
<t>When using AES-CCM, the following restrictions <bcp14>MUST</bcp14> nsiderations for AES-CCM</name>
be enforced: <t indent="0" pn="section-4.2.1-1">When using AES-CCM, the following r
estrictions <bcp14>MUST</bcp14> be enforced:
</t> </t>
<ul bare="false" empty="false" indent="3" spacing="normal" pn="section
<ul> -4.2.1-2">
<li pn="section-4.2.1-2.1">The key and nonce pair <bcp14>MUST</bcp14
<li>The key and nonce pair <bcp14>MUST</bcp14> be unique for every m > be unique for every message encrypted. Note that the value of L influences the
essage encrypted. Note that the value of L influences the number of unique nonce number of unique nonces. </li>
s. </li> <li pn="section-4.2.1-2.2">The total number of times the AES block c
ipher is used
<li>The total number of times the AES block cipher is used <bcp14>MU <bcp14>MUST NOT</bcp14> exceed 2<sup>61</sup> operations. This
ST NOT</bcp14> exceed 2^61 operations. This limitation is the sum of times the limit is the sum of times the block cipher is used in
block cipher is used in computing the MAC value and in performing stream encrypt computing the MAC value and performing stream encryption
ion operations. An explicit check is required only in environments where it is operations. An explicit check is required only in environments
expected that it might be exceeded. </li> where it is expected that this limit might be exceeded. </li>
<li> <li pn="section-4.2.1-2.3">
<xref target="I-D.ietf-quic-tls"/> contains an analysis on the use <xref target="RFC9147" format="default" sectionFormat="of" derived
of AES-CCM in that environment. Content="RFC9147"/> contains an analysis on the
Based on that reommendation, one should restrict the number of mes use of AES-CCM for its environment.
sages encrypted to 2^23. Based on that recommendation, one should restrict the number of
If one is using the 64-bit tag, then the limits are signficantly s messages encrypted to 2<sup>23</sup>.
maller if one wants to keep the same integrity limits.
A protocol recommending this needs to analysis what level of integ
rity is acceptable for the smaller tag size.
It may be that to keep the desired integrity one needs to re-key a
s often as every 2^7 messages.
</li> </li>
<li> <li pn="section-4.2.1-2.4">
In addition to the number of messages successfully decrypted, the In addition to the number of messages successfully decrypted, the
number of failed decryptions needs to be kept as well. number of failed decryptions needs to be tracked as well.
If the number of failed decryptions exceeds 2^23 then a rekeying o Following the recommendation in DTLS (<xref target="RFC9147" secti
peration should occur. on="4.5.3" sectionFormat="of" format="default" derivedLink="https://rfc-editor.o
rg/rfc/rfc9147#section-4.5.3" derivedContent="RFC9147"/>),
the number of failed message decryptions should be limited to 2<sup>23.5</sup>.
If one is using the 64-bit tag, then the limits are significantly
smaller if one wants to keep the same integrity limits.
A protocol recommending this needs to analyze what level of integr
ity is acceptable for the smaller tag size.
It may be that, to keep the desired level of integrity, one needs
to rekey as often as every 2<sup>7</sup> messages.
</li> </li>
</ul> </ul>
<t><xref target="RFC3610"/> additionally calls out one other considera <t indent="0" pn="section-4.2.1-3"><xref target="RFC3610" format="defa
tion of note. It is possible to do a pre-computation attack against the algorit ult" sectionFormat="of" derivedContent="RFC3610"/> additionally calls out one ot
hm in cases where portions of the plaintext are highly predictable. This reduc her
es the security of the key size by half. Ways to deal with this attack include consideration of note. It is possible to do a precomputation
adding a random portion to the nonce value and/or increasing the key size used. attack against the algorithm in cases where portions of the
Using a portion of the nonce for a random value will decrease the number of mes plaintext are highly predictable. This reduces the security of the
sages that a single key can be used for. Increasing the key size may require mo key size by half. Ways to deal with this attack include adding a
re resources in the constrained device. See Sections 5 and 10 of <xref target=" random portion to the nonce value and/or increasing the key size
RFC3610"/> for more information. </t> used. Using a portion of the nonce for a random value will decrease
the number of messages that a single key can be used for.
Increasing the key size may require more resources in the
constrained device. See Sections <xref target="RFC3610" section="5" se
ctionFormat="bare" format="default" derivedLink="https://rfc-editor.org/rfc/rfc3
610#section-5" derivedContent="RFC3610"/> and <xref target="RFC3610" section="10
" sectionFormat="bare" format="default" derivedLink="https://rfc-editor.org/rfc/
rfc3610#section-10" derivedContent="RFC3610"/> of <xref target="RFC3610" format=
"default" sectionFormat="of" derivedContent="RFC3610"/> for more
information. </t>
</section> </section>
</section> </section>
<section> <section numbered="true" removeInRFC="false" toc="include" pn="section-4.3
">
<name>ChaCha20 and Poly1305</name> <name slugifiedName="name-chacha20-and-poly1305">ChaCha20 and Poly1305</
<t>ChaCha20 and Poly1305 combined together is an AEAD mode that is defin name>
ed in <xref target="RFC8439"/>. This is an algorithm defined to be a cipher tha <t indent="0" pn="section-4.3-1">ChaCha20 and Poly1305 combined together
t is not AES and thus would not suffer from any future weaknesses found in AES. is an AEAD mode that is defined in <xref target="RFC8439" format="default" sect
These cryptographic functions are designed to be fast in software-only implemen ionFormat="of" derivedContent="RFC8439"/>. This is an algorithm defined using a
tations. </t> cipher that is not AES and thus would not suffer from any future weaknesses fou
<t>The ChaCha20/Poly1305 AEAD construction defined in <xref target="RFC8 nd in AES. These cryptographic functions are designed to be fast in software-on
439"/> has no parameterization. It takes a 256-bit key and a 96-bit nonce, as w ly implementations. </t>
ell as the plaintext and additional data as inputs and produces the ciphertext a <t indent="0" pn="section-4.3-2">The ChaCha20/Poly1305 AEAD construction
s an option. We define one algorithm identifier for this algorithm in <xref tar defined in <xref target="RFC8439" format="default" sectionFormat="of" derivedCo
get="x-table-CHACHA"/>. </t> ntent="RFC8439"/> has no parameterization. It takes as inputs a
<table anchor="x-table-CHACHA" align="center"> 256-bit key and a 96-bit nonce, as well as the plaintext and
additional data, and produces the ciphertext as an output. We define
<name>Algorithm Value for ChaCha20/Poly1305</name> one algorithm identifier for this algorithm in <xref target="x-table-CHAC
HA" format="default" sectionFormat="of" derivedContent="Table 7"/>. </t>
<table anchor="x-table-CHACHA" align="center" pn="table-7">
<name slugifiedName="name-algorithm-value-for-chacha2">Algorithm Value
for ChaCha20/Poly1305</name>
<thead> <thead>
<tr> <tr>
<th>Name</th> <th align="left" colspan="1" rowspan="1">Name</th>
<th>Value</th> <th align="center" colspan="1" rowspan="1">Value</th>
<th>Description</th> <th align="left" colspan="1" rowspan="1">Description</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td>ChaCha20/Poly1305</td> <td align="left" colspan="1" rowspan="1">ChaCha20/Poly1305</td>
<td>24</td> <td align="center" colspan="1" rowspan="1">24</td>
<td>ChaCha20/Poly1305 w/ 256-bit key, 128-bit tag</td> <td align="left" colspan="1" rowspan="1">ChaCha20/Poly1305 w/ 256-
bit key, 128-bit tag</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<t>Keys may be obtained either from a key structure or from a recipient <t indent="0" pn="section-4.3-4">Keys may be obtained from either a key
structure. Implementations encrypting and decrypting <bcp14>MUST</bcp14> valida structure or a recipient
te that the key type, key length, and algorithm are correct and appropriate for structure. Implementations that are encrypting or decrypting
the entities involved. </t> <bcp14>MUST</bcp14> validate that the key type, key length, and
<t>When using a COSE key for this algorithm, the following checks are ma algorithm are correct and appropriate for the entities involved. </t>
de: <t indent="0" pn="section-4.3-5">When using a COSE key for this algorith
m, the following checks are made:
</t> </t>
<ul bare="false" empty="false" indent="3" spacing="normal" pn="section-4
<ul> .3-6">
<li pn="section-4.3-6.1">The "kty" field <bcp14>MUST</bcp14> be presen
<li>The 'kty' field <bcp14>MUST</bcp14> be present, and it <bcp14>MUST t, and it <bcp14>MUST</bcp14> be "Symmetric".</li>
</bcp14> be 'Symmetric'.</li> <li pn="section-4.3-6.2">If the "alg" field is present, it <bcp14>MUST
</bcp14> match the ChaCha20/Poly1305 algorithm being used.</li>
<li>If the 'alg' field is present, it <bcp14>MUST</bcp14> match the Ch <li pn="section-4.3-6.3">If the "key_ops" field is present, it <bcp14>
aCha20/Poly1305 algorithm being used.</li> MUST</bcp14> include "encrypt" or "wrap key" when encrypting.</li>
<li pn="section-4.3-6.4">If the "key_ops" field is present, it <bcp14>
<li>If the 'key_ops' field is present, it <bcp14>MUST</bcp14> include MUST</bcp14> include "decrypt" or "unwrap key" when decrypting.</li>
'encrypt' or 'wrap key' when encrypting.</li>
<li>If the 'key_ops' field is present, it <bcp14>MUST</bcp14> include
'decrypt' or 'unwrap key' when decrypting.</li>
</ul> </ul>
<section> <section numbered="true" removeInRFC="false" toc="include" pn="section-4
.3.1">
<name>Security Considerations for ChaCha20/Poly1305</name> <name slugifiedName="name-security-considerations-for-c">Security Cons
<t>The key and nonce values <bcp14>MUST</bcp14> be a unique pair for e iderations for ChaCha20/Poly1305</name>
very invocation of the algorithm. Nonce counters are considered to be an accept <t indent="0" pn="section-4.3.1-1">The key and nonce values <bcp14>MUS
able way of ensuring that they are unique. </t> T</bcp14> be a unique pair for every invocation of the algorithm. Nonce counter
<t> s are considered to be an acceptable way of ensuring that they are unique. </t>
A more recent analysis in <xref target="ROBUST"/> indicates that t <t indent="0" pn="section-4.3.1-2">A more recent analysis in <xref tar
he the number of failed decryptions needs to be taken into account as part deter get="ROBUST" format="default" sectionFormat="of" derivedContent="ROBUST"/> indic
mining when a key roll-over is to be done. ates that
Following the recommendation of for DTLS, the number of failed mes the number of failed decryptions needs to be taken into account as
sage decryptions should be limited to 2^36. part of determining when a key rollover is to be done. Following the
recommendation in DTLS (<xref target="RFC9147" section="4.5.3" sectionF
ormat="of" format="default" derivedLink="https://rfc-editor.org/rfc/rfc9147#sect
ion-4.5.3" derivedContent="RFC9147"/>), the number of failed message decryptions
should be limited to 2<sup>36</sup>.
</t> </t>
<t> <t indent="0" pn="section-4.3.1-3">
<xref target="I-D.ietf-quic-tls"/> recommends that no more than 2^ <xref target="RFC8446" format="default" sectionFormat="of" derived
24.5 messages be encrypted under a single key. Content="RFC8446"/> notes that the (64-bit) record sequence
number would wrap before the safety limit is reached for ChaCha20/Poly1305.
COSE implementations should not send more than 2<sup>64</sup> messages
encrypted using a single ChaCha20/Poly1305 key.
</t> </t>
</section> </section>
</section> </section>
</section> </section>
<section> <section numbered="true" removeInRFC="false" toc="include" pn="section-5">
<name slugifiedName="name-key-derivation-functions-kd">Key Derivation Func
<name>Key Derivation Functions (KDFs)</name> tions (KDFs)</name>
<t> <t indent="0" pn="section-5-1">
<relref section="&KDFSection;" target="I-D.ietf-cose-rfc8152bis-struct"/ <xref section="8.4" target="RFC9052" sectionFormat="of" format="default"
> contains a generic description of Key Derivation Functions. derivedLink="https://rfc-editor.org/rfc/rfc9052#section-8.4" derivedContent="RF
C9052"/> contains a generic description
of key derivation functions.
This document defines a single context structure and a single KDF. This document defines a single context structure and a single KDF.
These elements are used for all of the recipient algorithms defined in t These elements are used for all of the recipient algorithms defined in
his document that require a KDF process. this document that require a KDF process.
These algorithms are defined in Sections <xref target="direct-kdf" forma These algorithms are defined in Sections <xref target="direct-kdf" forma
t="counter"/>, <xref target="ECDH" format="counter"/>, and <xref target="ECDH-wr t="counter" sectionFormat="of" derivedContent="6.1.2"/>, <xref target="ECDH" for
ap" format="counter"/>. mat="counter" sectionFormat="of" derivedContent="6.3.1"/>, and <xref target="ECD
H-wrap" format="counter" sectionFormat="of" derivedContent="6.4.1"/>.
</t> </t>
<section anchor="HKDF-section"> <section anchor="HKDF-section" numbered="true" removeInRFC="false" toc="in
clude" pn="section-5.1">
<name>HMAC-Based Extract-and-Expand Key Derivation Function (HKDF)</name <name slugifiedName="name-hmac-based-extract-and-expa">HMAC-Based Extrac
> t-and-Expand Key Derivation Function (HKDF)</name>
<t>The HKDF key derivation algorithm is defined in <xref target="RFC5869 <t indent="0" pn="section-5.1-1">The HKDF key derivation algorithm is de
"/><xref target="HKDF"/>. </t> fined in <xref target="RFC5869" format="default" sectionFormat="of" derivedConte
<t>The HKDF algorithm takes these inputs: nt="RFC5869"/> and <xref target="HKDF" format="default" sectionFormat="of" deriv
</t> edContent="HKDF"/>. </t>
<t indent="0" pn="section-5.1-2">The HKDF algorithm takes these inputs:<
<ul empty="true"> /t>
<dl indent="3" newline="false" spacing="normal" pn="section-5.1-3">
<li>secret -- a shared value that is secret. Secrets may be either pr <dt pn="section-5.1-3.1">secret:</dt>
eviously shared or derived from operations like a Diffie-Hellman (DH) key agreem <dd pn="section-5.1-3.2"> A shared value that is secret. Secrets may
ent. </li> be
either previously shared or derived from operations like a
<li>salt -- an optional value that is used to change the generation pr Diffie-Hellman (DH) key agreement. </dd>
ocess. The salt value can be either public or private. If the salt is public a <dt pn="section-5.1-3.3">salt:</dt>
nd carried in the message, then the 'salt' algorithm header parameter defined in <dd pn="section-5.1-3.4"> An optional value that is used to change the
<xref target="HKDF_Alg_Params"/> is used. While <xref target="RFC5869"/> sugge generation process. The salt value can be either public or private.
sts that the length of the salt be the same as the length of the underlying hash If the salt is public and carried in the message, then the "salt"
value, any positive salt length will improve the security as different key valu algorithm header parameter defined in <xref target="HKDF_Alg_Params" fo
es will be generated. This parameter is protected by being included in the key rmat="default" sectionFormat="of" derivedContent="Table 9"/> is used. While <xr
computation and does not need to be separately authenticated. The salt value do ef target="RFC5869" format="default" sectionFormat="of" derivedContent="RFC5869"
es not need to be unique for every message sent. </li> />
suggests that the length of the salt be the same as the length of
<li>length -- the number of bytes of output that need to be generated. the underlying hash value, any positive salt length will improve the
</li> security, as different key values will be generated. This parameter
is protected by being included in the key computation and does not
<li>context information -- Information that describes the context in w need to be separately authenticated. The salt value does not need
hich the resulting value will be used. Making this information specific to the to be unique for every message sent. </dd>
context in which the material is going to be used ensures that the resulting mat <dt pn="section-5.1-3.5">length:</dt>
erial will always be tied to that usage. The context structure defined in <xref <dd pn="section-5.1-3.6">The number of bytes of output that need to be
target="context"/> is used by the KDFs in this document. </li> generated. </dd>
<dt pn="section-5.1-3.7">context information:</dt>
<li>PRF -- The underlying pseudorandom function to be used in the HKDF <dd pn="section-5.1-3.8">Information that describes the
algorithm. The PRF is encoded into the HKDF algorithm selection. </li> context in which the resulting value will be used. Making this
</ul> information specific to the context in which the material is going
<t>HKDF is defined to use HMAC as the underlying PRF. However, it is po to be used ensures that the resulting material will always be tied
ssible to use other functions in the same construct to provide a different KDF t to that usage. The context structure defined in <xref target="context"
hat is more appropriate in the constrained world. Specifically, one can use AES format="default" sectionFormat="of" derivedContent="Section 5.2"/> is used by t
-CBC-MAC as the PRF for the expand step, but not for the extract step. When usi he KDFs in this document. </dd>
ng a good random shared secret of the correct length, the extract step can be sk <dt pn="section-5.1-3.9">PRF:</dt>
ipped. For the AES algorithm versions, the extract step is always skipped. </t <dd pn="section-5.1-3.10"> The underlying pseudorandom function to be
> used in
<t>The extract step cannot be skipped if the secret is not uniformly ran the HKDF algorithm. The PRF is encoded into the HKDF algorithm
dom, for example, if it is the result of an ECDH key agreement step. This implie selection. </dd>
s that the AES HKDF version cannot be used with ECDH. If the extract step is ski </dl>
pped, the 'salt' value is not used as part of the HKDF functionality. </t> <t indent="0" pn="section-5.1-4">HKDF is defined to use HMAC as the unde
<t>The algorithms defined in this document are found in <xref target="x- rlying PRF. However, it is
table-hkdf"/>. </t> possible to use other functions in the same construct to provide a
<table anchor="x-table-hkdf" align="center"> different KDF that is more appropriate in the constrained world.
Specifically, one can use AES-CBC-MAC as the PRF for the expand step,
<name>HKDF Algorithms</name> but not for the extract step. When using a good random shared secret
of the correct length, the extract step can be skipped. For the AES
algorithm versions, the extract step is always skipped. </t>
<t indent="0" pn="section-5.1-5">The extract step cannot be skipped if t
he secret is not uniformly
random -- for example, if it is the result of an ECDH key agreement
step. This implies that the AES HKDF version cannot be used with
ECDH. If the extract step is skipped, the "salt" value is not used as
part of the HKDF functionality. </t>
<t indent="0" pn="section-5.1-6">The algorithms defined in this document
are found in <xref target="x-table-hkdf" format="default" sectionFormat="of" de
rivedContent="Table 8"/>. </t>
<table anchor="x-table-hkdf" align="center" pn="table-8">
<name slugifiedName="name-hkdf-algorithms">HKDF Algorithms</name>
<thead> <thead>
<tr> <tr>
<th>Name</th> <th align="left" colspan="1" rowspan="1">Name</th>
<th>PRF</th> <th align="left" colspan="1" rowspan="1">PRF</th>
<th>Description</th> <th align="left" colspan="1" rowspan="1">Description</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td>HKDF SHA-256</td> <td align="left" colspan="1" rowspan="1">HKDF SHA-256</td>
<td>HMAC with SHA-256</td> <td align="left" colspan="1" rowspan="1">HMAC with SHA-256</td>
<td>HKDF using HMAC SHA-256 as the PRF</td> <td align="left" colspan="1" rowspan="1">HKDF using HMAC SHA-256 a
s the PRF</td>
</tr> </tr>
<tr> <tr>
<td>HKDF SHA-512</td> <td align="left" colspan="1" rowspan="1">HKDF SHA-512</td>
<td>HMAC with SHA-512</td> <td align="left" colspan="1" rowspan="1">HMAC with SHA-512</td>
<td>HKDF using HMAC SHA-512 as the PRF</td> <td align="left" colspan="1" rowspan="1">HKDF using HMAC SHA-512 a
s the PRF</td>
</tr> </tr>
<tr> <tr>
<td>HKDF AES-MAC-128</td> <td align="left" colspan="1" rowspan="1">HKDF AES-MAC-128</td>
<td>AES-CBC-MAC-128</td> <td align="left" colspan="1" rowspan="1">AES-CBC-MAC-128</td>
<td>HKDF using AES-MAC as the PRF w/ 128-bit key</td> <td align="left" colspan="1" rowspan="1">HKDF using AES-MAC as the
PRF w/ 128-bit key</td>
</tr> </tr>
<tr> <tr>
<td>HKDF AES-MAC-256</td> <td align="left" colspan="1" rowspan="1">HKDF AES-MAC-256</td>
<td>AES-CBC-MAC-256</td> <td align="left" colspan="1" rowspan="1">AES-CBC-MAC-256</td>
<td>HKDF using AES-MAC as the PRF w/ 256-bit key</td> <td align="left" colspan="1" rowspan="1">HKDF using AES-MAC as the
PRF w/ 256-bit key</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<table anchor="HKDF_Alg_Params" align="center"> <table anchor="HKDF_Alg_Params" align="center" pn="table-9">
<name slugifiedName="name-hkdf-algorithm-parameters">HKDF Algorithm Pa
<name>HKDF Algorithm Parameters</name> rameters</name>
<thead> <thead>
<tr> <tr>
<th>Name</th> <th align="left" colspan="1" rowspan="1">Name</th>
<th>Label</th> <th align="left" colspan="1" rowspan="1">Label</th>
<th>Type</th> <th align="left" colspan="1" rowspan="1">Type</th>
<th>Algorithm</th> <th align="left" colspan="1" rowspan="1">Algorithm</th>
<th>Description</th> <th align="left" colspan="1" rowspan="1">Description</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td>salt</td> <td align="left" colspan="1" rowspan="1">salt</td>
<td>-20</td> <td align="left" colspan="1" rowspan="1">-20</td>
<td>bstr</td> <td align="left" colspan="1" rowspan="1">bstr</td>
<td>direct+HKDF-SHA-256, direct+HKDF-SHA-512, direct+HKDF-AES-128, <td align="left" colspan="1" rowspan="1">direct+HKDF-SHA-256, dire
direct+HKDF-AES-256, ECDH-ES+HKDF-256, ECDH-ES+HKDF-512, ECDH-SS+HKDF-256, ECDH ct+HKDF-SHA-512, direct+HKDF-AES-128, direct+HKDF-AES-256, ECDH-ES+HKDF-256, ECD
-SS+HKDF-512, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, ECDH-SS+A128KW, EC H-ES+HKDF-512, ECDH-SS+HKDF-256, ECDH-SS+HKDF-512, ECDH-ES+A128KW, ECDH-ES+A192K
DH-SS+A192KW, ECDH-SS+A256KW </td> W, ECDH-ES+A256KW, ECDH-SS+A128KW, ECDH-SS+A192KW, ECDH-SS+A256KW </td>
<td>Random salt</td> <td align="left" colspan="1" rowspan="1">Random salt</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</section> </section>
<section anchor="context"> <section anchor="context" numbered="true" removeInRFC="false" toc="include
" pn="section-5.2">
<name>Context Information Structure</name> <name slugifiedName="name-context-information-structu">Context Informati
<t>The context information structure is used to ensure that the derived on Structure</name>
keying material is "bound" to the context of the transaction. The context infor <t indent="0" pn="section-5.2-1">The context information structure is us
mation structure used here is based on that defined in <xref target="SP800-56A"/ ed to ensure that the
>. By using CBOR for the encoding of the context information structure, we auto derived keying material is "bound" to the context of the transaction.
matically get the same type and length separation of fields that is obtained by The context information structure used here is based on that defined
the use of ASN.1. This means that there is no need to encode the lengths for th in <xref target="SP800-56A" format="default" sectionFormat="of" derivedCo
e base elements, as it is done by the encoding used in JOSE (Section 4.6.2 of <x ntent="SP800-56A"/>. By using CBOR for the encoding of the
ref target="RFC7518"/>). </t> context information structure, we automatically get the same type and
<t>The context information structure refers to PartyU and PartyV as the length separation of fields that is obtained by the use of ASN.1.
two parties that are doing the key derivation. Unless the application protocol This means that there is no need to encode the lengths for the base
defines differently, we assign PartyU to the entity that is creating the message elements, as it is done by the encoding used in JSON Object Signing
and PartyV to the entity that is receiving the message. By doing this associat and Encryption (JOSE) (<xref target="RFC7518" section="4.6.2" sectionForm
ion, different keys will be derived for each direction as the context informatio at="of" format="default" derivedLink="https://rfc-editor.org/rfc/rfc7518#section
n is different in each direction. </t> -4.6.2" derivedContent="RFC7518"/>).</t>
<t>The context structure is built from information that is known to both <t indent="0" pn="section-5.2-2">The context information structure refer
entities. This information can be obtained from a variety of sources: s to PartyU and PartyV as
the two parties that are doing the key derivation. Unless the
application protocol defines differently, we assign PartyU to the
entity that is creating the message and PartyV to the entity that is
receiving the message. By defining this association, different keys
will be derived for each direction, as the context information is
different in each direction.</t>
<t indent="0" pn="section-5.2-3">The context structure is built from inf
ormation that is known to both entities. This information can be obtained from
a variety of sources:
</t> </t>
<ul bare="false" empty="false" indent="3" spacing="normal" pn="section-5
<ul> .2-4">
<li pn="section-5.2-4.1">Fields can be defined by the application. Th
<li>Fields can be defined by the application. This is commonly used t is is commonly used to assign fixed names to parties, but it can be used for oth
o assign fixed names to parties, but it can be used for other items such as nonc er items such as nonces. </li>
es. </li> <li pn="section-5.2-4.2">Fields can be defined by usage of the output.
Examples of this are the algorithm and key size that are being generated. </l
<li>Fields can be defined by usage of the output. Examples of this ar i>
e the algorithm and key size that are being generated. </li> <li pn="section-5.2-4.3">Fields can be defined by parameters from the
message. We define
<li>Fields can be defined by parameters from the message. We define a a set of header parameters in <xref target="KDF_Context_Alg_Params" for
set of header parameters in <xref target="KDF_Context_Alg_Params"/> that can be mat="default" sectionFormat="of" derivedContent="Table 10"/> that can be used to
used to carry the values associated with the context structure. Examples of th carry the
is are identities and nonce values. These header parameters are designed to be values associated with the context structure. Examples of this are
placed in the unprotected bucket of the recipient structure; they do not need to identities and nonce values. These header parameters are designed
be in the protected bucket since they already are included in the cryptographic to be placed in the unprotected bucket of the recipient structure;
computation by virtue of being included in the context structure. </li> they do not need to be in the protected bucket, since they are already
included in the cryptographic computation by virtue of being
included in the context structure. </li>
</ul> </ul>
<table anchor="KDF_Context_Alg_Params" align="center"> <table anchor="KDF_Context_Alg_Params" align="center" pn="table-10">
<name slugifiedName="name-context-algorithm-parameter">Context Algorit
<name>Context Algorithm Parameters</name> hm Parameters</name>
<thead> <thead>
<tr> <tr>
<th>Name</th> <th align="left" colspan="1" rowspan="1">Name</th>
<th>Label</th> <th align="left" colspan="1" rowspan="1">Label</th>
<th>Type</th> <th align="left" colspan="1" rowspan="1">Type</th>
<th>Algorithm</th> <th align="left" colspan="1" rowspan="1">Algorithm</th>
<th>Description</th> <th align="left" colspan="1" rowspan="1">Description</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td>PartyU identity</td> <td align="left" colspan="1" rowspan="1">PartyU identity</td>
<td>-21</td> <td align="left" colspan="1" rowspan="1">-21</td>
<td>bstr</td> <td align="left" colspan="1" rowspan="1">bstr</td>
<td>direct+HKDF-SHA-256, direct+HKDF-SHA-512, direct+HKDF-AES-128, <td align="left" colspan="1" rowspan="1">direct+HKDF-SHA-256, dire
direct+HKDF-AES-256, ECDH-ES+HKDF-256, ECDH-ES+HKDF-512, ECDH-SS+HKDF-256, ECDH ct+HKDF-SHA-512, direct+HKDF-AES-128, direct+HKDF-AES-256, ECDH-ES+HKDF-256, ECD
-SS+HKDF-512, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, ECDH-SS+A128KW, EC H-ES+HKDF-512, ECDH-SS+HKDF-256, ECDH-SS+HKDF-512, ECDH-ES+A128KW, ECDH-ES+A192K
DH-SS+A192KW, ECDH-SS+A256KW </td> W, ECDH-ES+A256KW, ECDH-SS+A128KW, ECDH-SS+A192KW, ECDH-SS+A256KW </td>
<td>Party U identity information</td> <td align="left" colspan="1" rowspan="1">PartyU identity informati
on</td>
</tr> </tr>
<tr> <tr>
<td>PartyU nonce</td> <td align="left" colspan="1" rowspan="1">PartyU nonce</td>
<td>-22</td> <td align="left" colspan="1" rowspan="1">-22</td>
<td>bstr / int</td> <td align="left" colspan="1" rowspan="1">bstr / int</td>
<td>direct+HKDF-SHA-256, direct+HKDF-SHA-512, direct+HKDF-AES-128, <td align="left" colspan="1" rowspan="1">direct+HKDF-SHA-256, dire
direct+HKDF-AES-256, ECDH-ES+HKDF-256, ECDH-ES+HKDF-512, ECDH-SS+HKDF-256, ECDH ct+HKDF-SHA-512, direct+HKDF-AES-128, direct+HKDF-AES-256, ECDH-ES+HKDF-256, ECD
-SS+HKDF-512, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, ECDH-SS+A128KW, EC H-ES+HKDF-512, ECDH-SS+HKDF-256, ECDH-SS+HKDF-512, ECDH-ES+A128KW, ECDH-ES+A192K
DH-SS+A192KW, ECDH-SS+A256KW </td> W, ECDH-ES+A256KW, ECDH-SS+A128KW, ECDH-SS+A192KW, ECDH-SS+A256KW </td>
<td>Party U provided nonce</td> <td align="left" colspan="1" rowspan="1">PartyU provided nonce</td
>
</tr> </tr>
<tr> <tr>
<td>PartyU other</td> <td align="left" colspan="1" rowspan="1">PartyU other</td>
<td>-23</td> <td align="left" colspan="1" rowspan="1">-23</td>
<td>bstr</td> <td align="left" colspan="1" rowspan="1">bstr</td>
<td>direct+HKDF-SHA-256, direct+HKDF-SHA-512, direct+HKDF-AES-128, <td align="left" colspan="1" rowspan="1">direct+HKDF-SHA-256, dire
direct+HKDF-AES-256, ECDH-ES+HKDF-256, ECDH-ES+HKDF-512, ECDH-SS+HKDF-256, ECDH ct+HKDF-SHA-512, direct+HKDF-AES-128, direct+HKDF-AES-256, ECDH-ES+HKDF-256, ECD
-SS+HKDF-512, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, ECDH-SS+A128KW, EC H-ES+HKDF-512, ECDH-SS+HKDF-256, ECDH-SS+HKDF-512, ECDH-ES+A128KW, ECDH-ES+A192K
DH-SS+A192KW, ECDH-SS+A256KW </td> W, ECDH-ES+A256KW, ECDH-SS+A128KW, ECDH-SS+A192KW, ECDH-SS+A256KW </td>
<td>Party U other provided information</td> <td align="left" colspan="1" rowspan="1">PartyU other provided inf
ormation</td>
</tr> </tr>
<tr> <tr>
<td>PartyV identity</td> <td align="left" colspan="1" rowspan="1">PartyV identity</td>
<td>-24</td> <td align="left" colspan="1" rowspan="1">-24</td>
<td>bstr</td> <td align="left" colspan="1" rowspan="1">bstr</td>
<td>direct+HKDF-SHA-256, direct+HKDF-SHA-512, direct+HKDF-AES-128, <td align="left" colspan="1" rowspan="1">direct+HKDF-SHA-256, dire
direct+HKDF-AES-256, ECDH-ES+HKDF-256, ECDH-ES+HKDF-512, ECDH-SS+HKDF-256, ECDH ct+HKDF-SHA-512, direct+HKDF-AES-128, direct+HKDF-AES-256, ECDH-ES+HKDF-256, ECD
-SS+HKDF-512, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, ECDH-SS+A128KW, EC H-ES+HKDF-512, ECDH-SS+HKDF-256, ECDH-SS+HKDF-512, ECDH-ES+A128KW, ECDH-ES+A192K
DH-SS+A192KW, ECDH-SS+A256KW </td> W, ECDH-ES+A256KW, ECDH-SS+A128KW, ECDH-SS+A192KW, ECDH-SS+A256KW </td>
<td>Party V identity information</td> <td align="left" colspan="1" rowspan="1">PartyV identity informati
on</td>
</tr> </tr>
<tr> <tr>
<td>PartyV nonce</td> <td align="left" colspan="1" rowspan="1">PartyV nonce</td>
<td>-25</td> <td align="left" colspan="1" rowspan="1">-25</td>
<td>bstr / int</td> <td align="left" colspan="1" rowspan="1">bstr / int</td>
<td>direct+HKDF-SHA-256, direct+HKDF-SHA-512, direct+HKDF-AES-128, <td align="left" colspan="1" rowspan="1">direct+HKDF-SHA-256, dire
direct+HKDF-AES-256, ECDH-ES+HKDF-256, ECDH-ES+HKDF-512, ECDH-SS+HKDF-256, ECDH ct+HKDF-SHA-512, direct+HKDF-AES-128, direct+HKDF-AES-256, ECDH-ES+HKDF-256, ECD
-SS+HKDF-512, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, ECDH-SS+A128KW, EC H-ES+HKDF-512, ECDH-SS+HKDF-256, ECDH-SS+HKDF-512, ECDH-ES+A128KW, ECDH-ES+A192K
DH-SS+A192KW, ECDH-SS+A256KW </td> W, ECDH-ES+A256KW, ECDH-SS+A128KW, ECDH-SS+A192KW, ECDH-SS+A256KW </td>
<td>Party V provided nonce</td> <td align="left" colspan="1" rowspan="1">PartyV provided nonce</td
>
</tr> </tr>
<tr> <tr>
<td>PartyV other</td> <td align="left" colspan="1" rowspan="1">PartyV other</td>
<td>-26</td> <td align="left" colspan="1" rowspan="1">-26</td>
<td>bstr</td> <td align="left" colspan="1" rowspan="1">bstr</td>
<td>direct+HKDF-SHA-256, direct+HKDF-SHA-512, direct+HKDF-AES-128, <td align="left" colspan="1" rowspan="1">direct+HKDF-SHA-256, dire
direct+HKDF-AES-256, ECDH-ES+HKDF-256, ECDH-ES+HKDF-512, ECDH-SS+HKDF-256, ECDH ct+HKDF-SHA-512, direct+HKDF-AES-128, direct+HKDF-AES-256, ECDH-ES+HKDF-256, ECD
-SS+HKDF-512, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, ECDH-SS+A128KW, EC H-ES+HKDF-512, ECDH-SS+HKDF-256, ECDH-SS+HKDF-512, ECDH-ES+A128KW, ECDH-ES+A192K
DH-SS+A192KW, ECDH-SS+A256KW </td> W, ECDH-ES+A256KW, ECDH-SS+A128KW, ECDH-SS+A192KW, ECDH-SS+A256KW </td>
<td>Party V other provided information</td> <td align="left" colspan="1" rowspan="1">PartyV other provided inf
ormation</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<t>We define a CBOR object to hold the context information. This object is referred to as COSE_KDF_Context. The object is based on a CBOR array type. The fields in the array are: <t indent="0" pn="section-5.2-6">We define a CBOR object to hold the con text information. This object is referred to as COSE_KDF_Context. The object i s based on a CBOR array type. The fields in the array are:
</t> </t>
<dl newline="false" indent="3" spacing="normal" pn="section-5.2-7">
<dl newline="false"> <dt pn="section-5.2-7.1">AlgorithmID:</dt>
<dt>AlgorithmID:</dt> <dd pn="section-5.2-7.2">
<dd>
This field indicates the algorithm for which the key material will b e used. This field indicates the algorithm for which the key material will b e used.
This normally is either a key wrap algorithm identifier or a content This normally is either a key wrap algorithm identifier or a
encryption algorithm identifier. content encryption algorithm identifier.
The values are from the "COSE Algorithms" registry. The values are from the "COSE Algorithms" registry.
This field is required to be present. This field is required to be present.
The field exists in the context information so that a different key is generated for each algorithm even of all of the other context information is the same. The field exists in the context information so that a different key is generated for each algorithm even if all of the other context information is the same.
In practice, this means if algorithm A is broken and thus finding th e key is relatively easy, the key derived for algorithm B will not be the same a s the key derived for algorithm A. In practice, this means if algorithm A is broken and thus finding th e key is relatively easy, the key derived for algorithm B will not be the same a s the key derived for algorithm A.
</dd> </dd>
<dt pn="section-5.2-7.3">PartyUInfo:</dt>
<dt>PartyUInfo:</dt> <dd pn="section-5.2-7.4">
<t indent="0" pn="section-5.2-7.4.1">This field holds information ab
<dd> out PartyU. The PartyUInfo is
<t>This field holds information about party U. The PartyUInfo is en encoded as a CBOR array. The elements of PartyUInfo are encoded
coded as a CBOR array. The elements of PartyUInfo are encoded in the order pres in the order presented below. The elements of the PartyUInfo
ented below. The elements of the PartyUInfo array are: array are:
</t> </t>
<dl newline="false" indent="3" spacing="normal" pn="section-5.2-7.4.
<dl newline="false"> 2">
<dt>identity:</dt> <dt pn="section-5.2-7.4.2.1">identity:</dt>
<dd pn="section-5.2-7.4.2.2">
<dd> <t indent="0" pn="section-5.2-7.4.2.2.1">This contains the ident
<t>This contains the identity information for party U. The iden ity information for PartyU. The
tities can be assigned in one of two manners. First, a protocol can assign iden identities can be assigned in one of two manners. First, a
tities based on roles. For example, the roles of "client" and "server" may be a protocol can assign identities based on roles. For example,
ssigned to different entities in the protocol. Each entity would then use the c the roles of "client" and "server" may be assigned to
orrect label for the data they send or receive. The second way for a protocol t different entities in the protocol. Each entity would then
o assign identities is to use a name based on a naming system (i.e., DNS, X.509 use the correct label for the data it sends or receives. The
names). second way for a protocol to assign identities is to use a
name based on a naming system (i.e., DNS or X.509 names).
</t>
<t indent="0" pn="section-5.2-7.4.2.2.2"> We define an algorithm
parameter, "PartyU identity", that
can be used to carry identity information in the message.
However, identity information is often known as part of the
protocol and can thus be inferred rather than made explicit.
If identity information is carried in the message,
applications <bcp14>SHOULD</bcp14> have a way of validating
the supplied identity information. The identity information
does not need to be specified and is set to nil in that case.
</t> </t>
<t> We define an algorithm parameter 'PartyU identity' that can be used to carry identity information in the message. However, identity informa tion is often known as part of the protocol and can thus be inferred rather than made explicit. If identity information is carried in the message, applications <bcp14>SHOULD</bcp14> have a way of validating the supplied identity informatio n. The identity information does not need to be specified and is set to nil in that case. </t>
</dd> </dd>
<dt>nonce:</dt> <dt pn="section-5.2-7.4.2.3">nonce:</dt>
<dd pn="section-5.2-7.4.2.4">
<dd> <t indent="0" pn="section-5.2-7.4.2.4.1">This contains a nonce v
<t>This contains a nonce value. The nonce can either be implici alue. The nonce can be either
t from the protocol or be carried as a value in the unprotected header bucket. implicit from the protocol or carried as a value in the
unprotected header bucket.
</t> </t>
<t> We define an algorithm parameter 'PartyU nonce' that can be <t indent="0" pn="section-5.2-7.4.2.4.2"> We define an algorithm
used to carry this value in the message; however, the nonce value could be deter parameter, "PartyU nonce", that can be used to carry this value in the message;
mined by the application and the value determined from elsewhere. however, the nonce value could be determined by the application and its
value obtained in a different manner.
</t> </t>
<t> This option does not need to be specified and is set to nil <t indent="0" pn="section-5.2-7.4.2.4.3"> This option does not n
in that case. </t> eed to be specified; if not
needed, it is set to nil. </t>
</dd> </dd>
<dt>other:</dt> <dt pn="section-5.2-7.4.2.5">other:</dt>
<dd pn="section-5.2-7.4.2.6">This contains other information that
<dd>This contains other information that is defined by the protoco is defined by the protocol. This option does not need to be specified; if not ne
l. This option does not need to be specified and is set to nil in that case. </d eded, it is set to nil. </dd>
d>
</dl> </dl>
</dd> </dd>
<dt>PartyVInfo:</dt> <dt pn="section-5.2-7.5">PartyVInfo:</dt>
<dd pn="section-5.2-7.6">This field holds information about PartyV. T
<dd>This field holds information about party V. The content of the st he content of the structure is the same as for the PartyUInfo but for PartyV. <
ructure is the same as for the PartyUInfo but for party V. </dd> /dd>
<dt>SuppPubInfo:</dt> <dt pn="section-5.2-7.7">SuppPubInfo:</dt>
<dd pn="section-5.2-7.8">
<dd> <t indent="0" pn="section-5.2-7.8.1">This field contains public info
<t>This field contains public information that is mutually known to rmation that is mutually known to both parties, and is encoded as a CBOR array.
both parties.
</t> </t>
<dl newline="false" indent="3" spacing="normal" pn="section-5.2-7.8.
<dl newline="false"> 2">
<dt>keyDataLength:</dt> <dt pn="section-5.2-7.8.2.1">keyDataLength:</dt>
<dd pn="section-5.2-7.8.2.2">This is set to the number of bits of
<dd>This is set to the number of bits of the desired output value. the desired output
This practice means if algorithm A can use two different key lengths, the key value. This practice means if algorithm A can use two different
derived for longer key size will not contain the key for shorter key size as a p key lengths, the key derived for the longer key size will not
refix. </dd> contain the key for the shorter key size as a prefix. </dd>
<dt>protected:</dt> <dt pn="section-5.2-7.8.2.3">protected:</dt>
<dd pn="section-5.2-7.8.2.4">This field contains the protected par
<dd>This field contains the protected parameter field. If there a ameter field. If there
re no elements in the protected field, then use a zero-length bstr. </dd> are no elements in the "protected" field, then use a zero-length
<dt>other:</dt> bstr. </dd>
<dt pn="section-5.2-7.8.2.5">other:</dt>
<dd>This field is for free form data defined by the application. <dd pn="section-5.2-7.8.2.6">This field is for free-form data defi
An example is that an application could define two different byte strings to be ned by the application.
placed here to generate different keys for a data stream versus a control stream For example, an application could define two different
. This field is optional and will only be present if the application defines a byte strings to be placed here to generate different keys for a
structure for this information. Applications that define this <bcp14>SHOULD</bc data stream versus a control stream. This field is optional and
p14> use CBOR to encode the data so that types and lengths are correctly include will only be present if the application defines a structure for
d. </dd> this information. Applications that define this
<bcp14>SHOULD</bcp14> use CBOR to encode the data so that types
and lengths are correctly included. </dd>
</dl> </dl>
</dd> </dd>
<dt>SuppPrivInfo:</dt> <dt pn="section-5.2-7.9">SuppPrivInfo:</dt>
<dd pn="section-5.2-7.10">This field contains private information that
<dd>This field contains private information that is mutually known pri is mutually known private information. An example of this information would be
vate information. An example of this information would be a preexisting shared a pre-existing shared secret. (This could, for example, be used in combination
secret. (This could, for example, be used in combination with an ECDH key agree with an ECDH key agreement to provide a secondary proof of identity.) The field
ment to provide a secondary proof of identity.) The field is optional and will o is optional and will only be present if the application defines a structure for
nly be present if the application defines a structure for this information. App this information. Applications that define this <bcp14>SHOULD</bcp14> use CBOR
lications that define this <bcp14>SHOULD</bcp14> use CBOR to encode the data so to encode the data so that types and lengths are correctly included. </dd>
that types and lengths are correctly included. </dd>
</dl> </dl>
<t>The following CDDL fragment corresponds to the text above. </t> <t indent="0" pn="section-5.2-8">The following CDDL fragment corresponds
<artwork type="CDDL" name="" alt=""><![CDATA[ to the text above. </t>
<sourcecode type="cddl" markers="false" pn="section-5.2-9">
PartyInfo = ( PartyInfo = (
identity : bstr / nil, identity : bstr / nil,
nonce : bstr / int / nil, nonce : bstr / int / nil,
other : bstr / nil other : bstr / nil
) )
COSE_KDF_Context = [ COSE_KDF_Context = [
AlgorithmID : int / tstr, AlgorithmID : int / tstr,
PartyUInfo : [ PartyInfo ], PartyUInfo : [ PartyInfo ],
PartyVInfo : [ PartyInfo ], PartyVInfo : [ PartyInfo ],
SuppPubInfo : [ SuppPubInfo : [
keyDataLength : uint, keyDataLength : uint,
protected : empty_or_serialized_map, protected : empty_or_serialized_map,
? other : bstr ? other : bstr
], ],
? SuppPrivInfo : bstr ? SuppPrivInfo : bstr
] ]
]]></artwork> </sourcecode>
</section> </section>
</section> </section>
<section anchor="key-management-algs"> <section anchor="key-management-algs" numbered="true" removeInRFC="false" to
c="include" pn="section-6">
<name slugifiedName="name-content-key-distribution-me">Content Key Distrib
ution Methods</name>
<t indent="0" pn="section-6-1">
<name>Content Key Distribution Methods</name> <xref section="8.5" target="RFC9052" sectionFormat="of" format="default"
<t> derivedLink="https://rfc-editor.org/rfc/rfc9052#section-8.5" derivedContent="RF
<relref section="&CKeyDistributeSection;" target="I-D.ietf-cose-rfc8152b C9052"/> contains a generic description of content key distribution methods.
is-struct"/> contains a generic description of content key distribution methods.
This document defines the identifiers and usage for a number of content key distribution methods. This document defines the identifiers and usage for a number of content key distribution methods.
</t> </t>
<section> <section numbered="true" removeInRFC="false" toc="include" pn="section-6.1
<name>Direct Encryption</name> ">
<t> <name slugifiedName="name-direct-encryption">Direct Encryption</name>
Direct encryption algorithm is defined in <relref section="&DirectDist <t indent="0" pn="section-6.1-1">
ribute;" target="I-D.ietf-cose-rfc8152bis-struct"/>. A direct encryption algorithm is defined in <xref section="8.5.1" targ
Information about how to fill in the COSE_Recipient structure are deta et="RFC9052" sectionFormat="of" format="default" derivedLink="https://rfc-editor
iled there. .org/rfc/rfc9052#section-8.5.1" derivedContent="RFC9052"/>.
Information about how to fill in the COSE_Recipient structure is detai
led there.
</t> </t>
<section> <section numbered="true" removeInRFC="false" toc="include" pn="section-6
.1.1">
<name>Direct Key</name> <name slugifiedName="name-direct-key">Direct Key</name>
<t> <t indent="0" pn="section-6.1.1-1">
This recipient algorithm is the simplest; the identified key is direct ly used as the key for the next layer down in the message. This recipient algorithm is the simplest; the identified key is direct ly used as the key for the next layer down in the message.
There are no algorithm parameters defined for this algorithm. There are no algorithm parameters defined for this algorithm.
The algorithm identifier value is assigned in <xref target="x-table-d irect"/>. The algorithm identifier value is assigned in <xref target="x-table-d irect" format="default" sectionFormat="of" derivedContent="Table 11"/>.
</t> </t>
<t> <t indent="0" pn="section-6.1.1-2">
When this algorithm is used, the protected field <bcp14>MUST</bcp14> b When this algorithm is used, the "protected" field
e zero length. <bcp14>MUST</bcp14> be zero length.
The key type <bcp14>MUST</bcp14> be 'Symmetric'. The key type <bcp14>MUST</bcp14> be "Symmetric".
</t> </t>
<table anchor="x-table-direct" align="center"> <table anchor="x-table-direct" align="center" pn="table-11">
<name slugifiedName="name-direct-key-2">Direct Key</name>
<name>Direct Key</name>
<thead> <thead>
<tr> <tr>
<th>Name</th> <th align="left" colspan="1" rowspan="1">Name</th>
<th>Value</th> <th align="center" colspan="1" rowspan="1">Value</th>
<th>Description</th> <th align="left" colspan="1" rowspan="1">Description</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td>direct</td> <td align="left" colspan="1" rowspan="1">direct</td>
<td>-6</td> <td align="center" colspan="1" rowspan="1">-6</td>
<td>Direct use of CEK</td> <td align="left" colspan="1" rowspan="1">Direct use of content e
ncryption key (CEK)</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<section> <section numbered="true" removeInRFC="false" toc="exclude" pn="section
-6.1.1.1">
<name>Security Considerations for Direct Key</name> <name slugifiedName="name-security-considerations-for-d">Security Co
<t>This recipient algorithm has several potential problems that need nsiderations for Direct Key</name>
to be considered: <t indent="0" pn="section-6.1.1.1-1">This recipient algorithm has se
veral potential problems that need to be considered:
</t> </t>
<ul bare="false" empty="false" indent="3" spacing="normal" pn="secti
<ul> on-6.1.1.1-2">
<li pn="section-6.1.1.1-2.1">These keys need to have some method o
<li>These keys need to have some method to be regularly updated ov f being regularly updated over time. All of the content encryption algorithms s
er time. All of the content encryption algorithms specified in this document ha pecified in this document have limits on how many times a key can be used withou
ve limits on how many times a key can be used without significant loss of securi t significant loss of security. </li>
ty. </li> <li pn="section-6.1.1.1-2.2">These keys need to be dedicated to a
single algorithm. There have been a number of attacks developed over time when
<li>These keys need to be dedicated to a single algorithm. There a single key is used for multiple different algorithms. One example of this is
have been a number of attacks developed over time when a single key is used for the use of a single key for both the CBC encryption mode and the CBC-MAC authent
multiple different algorithms. One example of this is the use of a single key f ication mode. </li>
or both the CBC encryption mode and the CBC-MAC authentication mode. </li> <li pn="section-6.1.1.1-2.3">Breaking one message means all messag
es are broken. If an adversary succeeds in determining the key for a single mes
<li>Breaking one message means all messages are broken. If an adv sage, then the key for all messages is also determined. </li>
ersary succeeds in determining the key for a single message, then the key for al
l messages is also determined. </li>
</ul> </ul>
</section> </section>
</section> </section>
<section anchor="direct-kdf"> <section anchor="direct-kdf" numbered="true" removeInRFC="false" toc="in
clude" pn="section-6.1.2">
<name>Direct Key with KDF</name> <name slugifiedName="name-direct-key-with-kdf">Direct Key with KDF</na
<t>These recipient algorithms take a common shared secret between the me>
two parties and applies the HKDF function (<xref target="HKDF-section"/>), using <t indent="0" pn="section-6.1.2-1">These recipient algorithms take a c
the context structure defined in <xref target="context"/> to transform the shar ommon shared secret between
ed secret into the CEK. the two parties and apply the HKDF function (<xref target="HKDF-section
" format="default" sectionFormat="of" derivedContent="Section 5.1"/>), using the
The 'protected' field can be of non-zero length. Either the 'salt' para context structure defined in
meter of HKDF or the 'PartyU nonce' parameter of the context structure <bcp14>MU <xref target="context" format="default" sectionFormat="of" derivedConte
ST</bcp14> be present. The salt/nonce parameter can be generated either randoml nt="Section 5.2"/> to transform the shared secret into the
y or deterministically. The requirement is that it be a unique value for the sh CEK. The "protected" field can be of nonzero length. Either
ared secret in question. </t> the "salt" parameter for HKDF (<xref target="HKDF_Alg_Params" format="
<t>If the salt/nonce value is generated randomly, then it is suggested default" sectionFormat="of" derivedContent="Table 9"/>) or the "PartyU nonce" pa
that the length of the random value be the same length as the output of the has rameter
h function underlying HKDF. While there is no way to guarantee that it will be for the context structure (<xref target="KDF_Context_Alg_Params" forma
unique, there is a high probability that it will be unique. If the salt/nonce v t="default" sectionFormat="of" derivedContent="Table 10"/>) <bcp14>MUST</bcp14>
alue is generated deterministically, it can be guaranteed to be unique, and thus be
there is no length requirement. </t> present (both can be present if desired). The value in the
<t>A new IV must be used for each message if the same key is used. Th "salt"/"nonce" parameter
e IV can be modified in a predictable manner, a random manner, or an unpredictab can be generated either randomly or deterministically. The
le manner (i.e., encrypting a counter). </t> requirement is that it be a unique value for the shared secret in
<t>The IV used for a key can also be generated from the same HKDF func question. </t>
tionality as the key is generated. If HKDF is used for generating the IV, the a <t indent="0" pn="section-6.1.2-2">If the salt/nonce value is generate
lgorithm identifier is set to "IV-GENERATION". </t> d randomly, then it is suggested that the length of the random value be the same
length as the output of the hash function underlying HKDF. While there is no w
<t>The set of algorithms defined in this document can be found in <xre ay to guarantee that it will be unique, there is a high probability that it will
f target="x-table-direct-kdf"/>. </t> be unique. If the salt/nonce value is generated deterministically, it can be g
uaranteed to be unique, and thus there is no length requirement. </t>
<table anchor="x-table-direct-kdf" align="center"> <t indent="0" pn="section-6.1.2-3">A new IV must be used for each mess
age if the same key is used. The IV can be modified in a predictable manner, a
<name>Direct Key with KDF</name> random manner, or an unpredictable manner (e.g., encrypting a counter). </t>
<t indent="0" pn="section-6.1.2-4">The IV used for a key can also be g
enerated using the same HKDF
functionality used to generate the key. If HKDF is used for
generating the IV, the algorithm identifier is set to 34
("IV-GENERATION"). </t>
<t indent="0" pn="section-6.1.2-5">The set of algorithms defined in th
is document can be found in <xref target="x-table-direct-kdf" format="default" s
ectionFormat="of" derivedContent="Table 12"/>. </t>
<table anchor="x-table-direct-kdf" align="center" pn="table-12">
<name slugifiedName="name-direct-key-with-kdf-2">Direct Key with KDF
</name>
<thead> <thead>
<tr> <tr>
<th>Name</th> <th align="left" colspan="1" rowspan="1">Name</th>
<th>Value</th> <th align="center" colspan="1" rowspan="1">Value</th>
<th>KDF</th> <th align="left" colspan="1" rowspan="1">KDF</th>
<th>Description</th> <th align="left" colspan="1" rowspan="1">Description</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td>direct+HKDF-SHA-256</td> <td align="left" colspan="1" rowspan="1">direct+HKDF-SHA-256</td
<td>-10</td> >
<td>HKDF SHA-256</td> <td align="center" colspan="1" rowspan="1">-10</td>
<td>Shared secret w/ HKDF and SHA-256</td> <td align="left" colspan="1" rowspan="1">HKDF SHA-256</td>
<td align="left" colspan="1" rowspan="1">Shared secret w/ HKDF a
nd SHA-256</td>
</tr> </tr>
<tr> <tr>
<td>direct+HKDF-SHA-512</td> <td align="left" colspan="1" rowspan="1">direct+HKDF-SHA-512</td
<td>-11</td> >
<td>HKDF SHA-512</td> <td align="center" colspan="1" rowspan="1">-11</td>
<td>Shared secret w/ HKDF and SHA-512</td> <td align="left" colspan="1" rowspan="1">HKDF SHA-512</td>
<td align="left" colspan="1" rowspan="1">Shared secret w/ HKDF a
nd SHA-512</td>
</tr> </tr>
<tr> <tr>
<td>direct+HKDF-AES-128</td> <td align="left" colspan="1" rowspan="1">direct+HKDF-AES-128</td
<td>-12</td> >
<td>HKDF AES-MAC-128</td> <td align="center" colspan="1" rowspan="1">-12</td>
<td>Shared secret w/ AES-MAC 128-bit key</td> <td align="left" colspan="1" rowspan="1">HKDF AES-MAC-128</td>
<td align="left" colspan="1" rowspan="1">Shared secret w/ AES-MA
C 128-bit key</td>
</tr> </tr>
<tr> <tr>
<td>direct+HKDF-AES-256</td> <td align="left" colspan="1" rowspan="1">direct+HKDF-AES-256</td
<td>-13</td> >
<td>HKDF AES-MAC-256</td> <td align="center" colspan="1" rowspan="1">-13</td>
<td>Shared secret w/ AES-MAC 256-bit key</td> <td align="left" colspan="1" rowspan="1">HKDF AES-MAC-256</td>
<td align="left" colspan="1" rowspan="1">Shared secret w/ AES-MA
C 256-bit key</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<t>When using a COSE key for this algorithm, the following checks are made: <t indent="0" pn="section-6.1.2-7">When using a COSE key for this algo rithm, the following checks are made:
</t> </t>
<ul bare="false" empty="false" indent="3" spacing="normal" pn="section
<ul> -6.1.2-8">
<li pn="section-6.1.2-8.1">The "kty" field <bcp14>MUST</bcp14> be pr
<li>The 'kty' field <bcp14>MUST</bcp14> be present, and it <bcp14>MU esent, and it <bcp14>MUST</bcp14> be "Symmetric".</li>
ST</bcp14> be 'Symmetric'.</li> <li pn="section-6.1.2-8.2">If the "alg" field is present, it <bcp14>
MUST</bcp14> match the algorithm being used.</li>
<li>If the 'alg' field is present, it <bcp14>MUST</bcp14> match the <li pn="section-6.1.2-8.3">If the "key_ops" field is present, it <bc
algorithm being used.</li> p14>MUST</bcp14> include "derive key" or "derive bits".</li>
<li>If the 'key_ops' field is present, it <bcp14>MUST</bcp14> includ
e 'deriveKey' or 'deriveBits'.</li>
</ul> </ul>
<section> <section numbered="true" removeInRFC="false" toc="exclude" pn="section
-6.1.2.1">
<name>Security Considerations for Direct Key with KDF</name> <name slugifiedName="name-security-considerations-for-di">Security C
<t>The shared secret needs to have some method to be regularly updat onsiderations for Direct Key with KDF</name>
ed over time. The shared secret forms the basis of trust. Although not used di <t indent="0" pn="section-6.1.2.1-1">The shared secret needs to have
rectly, it should still be subject to scheduled rotation. </t> some method of being regularly
<t>While these methods do not provide for perfect forward secrecy, a updated over time. The shared secret forms the basis of trust.
s the same shared secret is used for all of the keys generated, if the key for a Although not used directly, it should still be subject to
ny single message is discovered, only the message (or series of messages) using scheduled rotation. </t>
that derived key are compromised. A new key derivation step will generate a new <t indent="0" pn="section-6.1.2.1-2">These methods do not provide fo
key that requires the same amount of work to get the key. </t> r perfect forward secrecy, as
the same shared secret is used for all of the keys generated;
however, if the key for any single message is discovered, only the
message or series of messages using that derived key are
compromised. A new key derivation step will generate a new key that
requires the same
amount of work to get the key. </t>
</section> </section>
</section> </section>
</section> </section>
<section anchor="key_wrap_algs"> <section anchor="key_wrap_algs" numbered="true" removeInRFC="false" toc="i
<name>Key Wrap</name> nclude" pn="section-6.2">
<t> <name slugifiedName="name-key-wrap">Key Wrap</name>
Key wrap is defined in <relref section="&DirectDistribute;" target="I <t indent="0" pn="section-6.2-1">
-D.ietf-cose-rfc8152bis-struct"/>. Key wrap is defined in <xref section="8.5.2" target="RFC9052" section
Format="of" format="default" derivedLink="https://rfc-editor.org/rfc/rfc9052#sec
tion-8.5.2" derivedContent="RFC9052"/>.
Information about how to fill in the COSE_Recipient structure is detai led there. Information about how to fill in the COSE_Recipient structure is detai led there.
</t> </t>
<section numbered="true" removeInRFC="false" toc="include" pn="section-6
<section> .2.1">
<name>AES Key Wrap</name> <name slugifiedName="name-aes-key-wrap">AES Key Wrap</name>
<t>The AES Key Wrap algorithm is defined in <xref target="RFC3394"/>. T <t indent="0" pn="section-6.2.1-1">The AES Key Wrap algorithm is defin
his algorithm uses an AES key to wrap a value that is a multiple of 64 bits. As ed in <xref target="RFC3394" format="default" sectionFormat="of" derivedContent=
such, it can be used to wrap a key for any of the content encryption algorithms "RFC3394"/>.
defined in this document. The algorithm requires a single fixed parameter, the This algorithm uses an AES key to wrap a value that is a multiple of
initial value. This is fixed to the value specified in Section 2.2.3.1 of <xre 64 bits. As such, it can be used to wrap a key for any of the
f target="RFC3394"/>. There are no public key parameters that vary on a per-inv content encryption algorithms defined in this document. The algorithm
ocation basis. The protected header bucket <bcp14>MUST</bcp14> be empty. </t> requires a single fixed parameter, the initial value. This is fixed
<t>Keys may be obtained either from a key structure or from a recipient to the value specified in <xref target="RFC3394" section="2.2.3.1" sectio
structure. Implementations encrypting and decrypting <bcp14>MUST</bcp14> valida nFormat="of" format="default" derivedLink="https://rfc-editor.org/rfc/rfc3394#se
te that the key type, key length, and algorithm are correct and appropriate for ction-2.2.3.1" derivedContent="RFC3394"/>. There are no public key parameters t
the entities involved. </t> hat vary on
<t>When using a COSE key for this algorithm, the following checks are ma a per-invocation basis. The protected header bucket
de: <bcp14>MUST</bcp14> be empty. </t>
</t> <t indent="0" pn="section-6.2.1-2">Keys may be obtained from either a
key structure or a recipient
<ul> structure. Implementations that are encrypting or decrypting
<bcp14>MUST</bcp14> validate that the key type, key length, and
<li>The 'kty' field <bcp14>MUST</bcp14> be present, and it <bcp14>MUST algorithm are correct and appropriate for the entities involved. </t>
</bcp14> be 'Symmetric'.</li> <t indent="0" pn="section-6.2.1-3">When using a COSE key for this algo
rithm, the following checks are made:
<li>If the 'alg' field is present, it <bcp14>MUST</bcp14> match the AE </t>
S Key Wrap algorithm being used.</li> <ul bare="false" empty="false" indent="3" spacing="normal" pn="section
-6.2.1-4">
<li>If the 'key_ops' field is present, it <bcp14>MUST</bcp14> include <li pn="section-6.2.1-4.1">The "kty" field <bcp14>MUST</bcp14> be pr
'encrypt' or 'wrap key' when encrypting.</li> esent, and it <bcp14>MUST</bcp14> be "Symmetric".</li>
<li pn="section-6.2.1-4.2">If the "alg" field is present, it <bcp14>
<li>If the 'key_ops' field is present, it <bcp14>MUST</bcp14> include MUST</bcp14> match the AES Key Wrap algorithm being used.</li>
'decrypt' or 'unwrap key' when decrypting.</li> <li pn="section-6.2.1-4.3">If the "key_ops" field is present, it <bc
</ul> p14>MUST</bcp14> include "encrypt" or "wrap key" when encrypting.</li>
<table anchor="x-table_aes_keywrap" align="center"> <li pn="section-6.2.1-4.4">If the "key_ops" field is present, it <bc
p14>MUST</bcp14> include "decrypt" or "unwrap key" when decrypting.</li>
<name>AES Key Wrap Algorithm Values</name> </ul>
<thead> <table anchor="x-table_aes_keywrap" align="center" pn="table-13">
<tr> <name slugifiedName="name-aes-key-wrap-algorithm-valu">AES Key Wrap
<th>Name</th> Algorithm Values</name>
<th>Value</th> <thead>
<th>Key Size</th> <tr>
<th>Description</th> <th align="left" colspan="1" rowspan="1">Name</th>
</tr> <th align="center" colspan="1" rowspan="1">Value</th>
</thead> <th align="center" colspan="1" rowspan="1">Key Size</th>
<tbody> <th align="left" colspan="1" rowspan="1">Description</th>
<tr> </tr>
<td>A128KW</td> </thead>
<td>-3</td> <tbody>
<td>128</td> <tr>
<td>AES Key Wrap w/ 128-bit key</td> <td align="left" colspan="1" rowspan="1">A128KW</td>
</tr> <td align="center" colspan="1" rowspan="1">-3</td>
<tr> <td align="center" colspan="1" rowspan="1">128</td>
<td>A192KW</td> <td align="left" colspan="1" rowspan="1">AES Key Wrap w/ 128-bit
<td>-4</td> key</td>
<td>192</td> </tr>
<td>AES Key Wrap w/ 192-bit key</td> <tr>
</tr> <td align="left" colspan="1" rowspan="1">A192KW</td>
<tr> <td align="center" colspan="1" rowspan="1">-4</td>
<td>A256KW</td> <td align="center" colspan="1" rowspan="1">192</td>
<td>-5</td> <td align="left" colspan="1" rowspan="1">AES Key Wrap w/ 192-bit
<td>256</td> key</td>
<td>AES Key Wrap w/ 256-bit key</td> </tr>
</tr> <tr>
</tbody> <td align="left" colspan="1" rowspan="1">A256KW</td>
</table> <td align="center" colspan="1" rowspan="1">-5</td>
<section> <td align="center" colspan="1" rowspan="1">256</td>
<td align="left" colspan="1" rowspan="1">AES Key Wrap w/ 256-bit
<name>Security Considerations for AES-KW</name> key</td>
<t>The shared secret needs to have some method to be regularly updated </tr>
over time. The shared secret is the basis of trust. </t> </tbody>
</section> </table>
<section numbered="true" removeInRFC="false" toc="exclude" pn="section
-6.2.1.1">
<name slugifiedName="name-security-considerations-for-aes-">Security
Considerations for AES Key Wrap</name>
<t indent="0" pn="section-6.2.1.1-1">The shared secret needs to have
some method of being regularly updated over time. The shared secret is the bas
is of trust. </t>
</section>
</section> </section>
</section> </section>
<section numbered="true" removeInRFC="false" toc="include" pn="section-6.3
<section> ">
<name>Direct Key Agreement</name> <name slugifiedName="name-direct-key-agreement">Direct Key Agreement</na
me>
<t> <t indent="0" pn="section-6.3-1">
Key Transport is defined in <relref section="9.5.4" target="I-D.ietf-c Direct Key Agreement is defined in <xref section="8.5.4" target="RFC90
ose-rfc8152bis-struct"/>. 52" sectionFormat="of" format="default" derivedLink="https://rfc-editor.org/rfc/
rfc9052#section-8.5.4" derivedContent="RFC9052"/>.
Information about how to fill in the COSE_Recipient structure is detai led there. Information about how to fill in the COSE_Recipient structure is detai led there.
</t> </t>
<section anchor="ECDH" numbered="true" removeInRFC="false" toc="include"
<section anchor="ECDH"> pn="section-6.3.1">
<name slugifiedName="name-direct-ecdh">Direct ECDH</name>
<name>Direct ECDH</name> <t indent="0" pn="section-6.3.1-1">The mathematics for ECDH can be fou
<t>The mathematics for ECDH can be found in <xref target="RFC6090"/>. I nd in <xref target="RFC6090" format="default" sectionFormat="of" derivedContent=
n this document, the algorithm is extended to be used with the two curves define "RFC6090"/>. In this document, the algorithm is extended to be used with the tw
d in <xref target="RFC7748"/>. </t> o curves defined in <xref target="RFC7748" format="default" sectionFormat="of" d
<t>ECDH is parameterized by the following: erivedContent="RFC7748"/>. </t>
</t> <t indent="0" pn="section-6.3.1-2">ECDH is parameterized by the follow
ing:
<ul> </t>
<dl indent="3" newline="false" spacing="normal" pn="section-6.3.1-3">
<li> <dt pn="section-6.3.1-3.1">Curve Type/Curve:</dt>
<t>Curve Type/Curve: The curve selected controls not only the size o <dd pn="section-6.3.1-3.2">
f the shared secret, but the mathematics for computing the shared secret. The c <t indent="0" pn="section-6.3.1-3.2.1">The curve selected controls
urve selected also controls how a point in the curve is represented and what hap not only the size of the shared secret, but the mathematics for computing the s
pens for the identity points on the curve. In this specification, we allow for hared secret. The curve selected also controls how a point in the curve is repr
a number of different curves to be used. A set of curves are defined in <xref t esented and what happens for the identity points on the curve. In this specific
arget="x-table-ec-curves"/>. ation, we allow for a number of different curves to be used. A set of curves is
defined in <xref target="x-table-ec-curves" format="default" sectionFormat="of"
</t> derivedContent="Table 18"/>.</t>
<t> The math used to obtain the computed secret is based on the curv <t indent="0" pn="section-6.3.1-3.2.2"> The math used to obtain th
e selected and not on the ECDH algorithm. For this reason, a new algorithm does e computed secret is based on the curve selected and not on the ECDH algorithm.
not need to be defined for each of the curves. </t> For this reason, a new algorithm does not need to be defined for each of the cu
</li> rves. </t>
</dd>
<li>Computed Secret to Shared Secret: Once the computed secret is know <dt pn="section-6.3.1-3.3">Computed Secret to Shared Secret:</dt>
n, the resulting value needs to be converted to a byte string to run the KDF. T <dd pn="section-6.3.1-3.4"> Once the computed
he x-coordinate is used for all of the curves defined in this document. For cur secret is known, the resulting value needs to be converted to a byte
ves X25519 and X448, the resulting value is used directly as it is a byte string string to run the KDF. The x-coordinate is used for all of the
of a known length. For the P-256, P-384, and P-521 curves, the x-coordinate is curves defined in this document. For curves X25519 and X448, the
run through the I2OSP function defined in <xref target="RFC8017"/>, using the s resulting value is used directly, as it is a byte string of a known
ame computation for n as is defined in <xref target="ECDSA"/>. </li> length. For the P-256, P-384, and P-521 curves, the x-coordinate is
run through the Integer-to-Octet-String primitive (I2OSP) function
<li>Ephemeral-Static or Static-Static: The key agreement process may b defined in <xref target="RFC8017" format="default" sectionFormat="of" d
e done using either a static or an ephemeral key for the sender's side. When us erivedContent="RFC8017"/>,
ing ephemeral keys, the sender <bcp14>MUST</bcp14> generate a new ephemeral key using the same computation for n as is defined in <xref target="ECDSA"
for every key agreement operation. The ephemeral key is placed in the 'ephemera format="default" sectionFormat="of" derivedContent="Section 2.1"/>. </dd>
l key' parameter and <bcp14>MUST</bcp14> be present for all algorithm identifier <dt pn="section-6.3.1-3.5">Ephemeral-Static or Static-Static:</dt>
s that use ephemeral keys. When using static keys, the sender <bcp14>MUST</bcp1 <dd pn="section-6.3.1-3.6"> The key agreement
4> either generate a new random value or create a unique value. process may be done using either a static or an ephemeral
For the KDFs used, this means either the 'salt' parameter for HKDF (<xre key for the sender's side. When using ephemeral keys, the
f target="HKDF_Alg_Params"/>) or the 'PartyU nonce' parameter for the context st sender <bcp14>MUST</bcp14> generate a new ephemeral key for
ructure (<xref target="KDF_Context_Alg_Params"/>) <bcp14>MUST</bcp14> be present every key agreement operation. The ephemeral key is placed
(both can be present if desired). The value in the parameter <bcp14>MUST</bcp14 in the "ephemeral key" parameter and <bcp14>MUST</bcp14> be
> be unique for the pair of keys being used. It is acceptable to use a global c present for all algorithm identifiers that use ephemeral
ounter that is incremented for every static-static operation and use the resulti keys. When using static keys, the sender
ng value. Care must be taken that the counter is saved to permanent storage in <bcp14>MUST</bcp14> either generate a new random value or
a way to avoid reuse of that counter value. When using static keys, the static k create a unique value for use as a KDF input. For the KDFs used, this
ey should be identified to the recipient. The static key can be identified eith means that either
er by providing the key ('static key') or by providing a key identifier for the the "salt" parameter for HKDF (<xref target="HKDF_Alg_Params" format="
static key ('static key id'). Both of these header parameters are defined in <x default" sectionFormat="of" derivedContent="Table 9"/>) or the "PartyU nonce" pa
ref target="x-table-ecdh-es-parameter-table"/>. rameter
</li> for the context structure (<xref target="KDF_Context_Alg_Params" forma
t="default" sectionFormat="of" derivedContent="Table 10"/>) <bcp14>MUST</bcp14>
<li>Key Derivation Algorithm: The result of an ECDH key agreement proc be
ess does not provide a uniformly random secret. As such, it needs to be run thr present (both can be present if desired). The value in the
ough a KDF in order to produce a usable key. Processing the secret through a KD parameter <bcp14>MUST</bcp14> be unique for the pair of keys
F also allows for the introduction of context material: how the key is going to being used. It is acceptable to use a global counter that
be used and one-time material for static-static key agreement. All of the algor is incremented for every Static-Static operation and use the
ithms defined in this document use one of the HKDF algorithms defined in <xref t resulting value. Care must be taken that the counter is
arget="HKDF-section"/> with the context structure defined in <xref target="conte saved to permanent storage in a way that avoids reuse of that
xt"/>. </li> counter value. When using static keys, the static key should
be identified to the recipient. The static key can be
<li>Key Wrap Algorithm: No key wrap algorithm is used. This is repres identified by providing either the key ("static key") or
ented in <xref target="x-table-ecdh-es-table"/> as 'none'. The key size for the a key identifier for the static key ("static key
context structure is the content layer encryption algorithm size. </li> id"). Both of these header parameters are defined in <xref target="x-
</ul> table-ecdh-es-parameter-table" format="default" sectionFormat="of" derivedConten
<t> t="Table 15"/>.
</dd>
<dt pn="section-6.3.1-3.7">Key Derivation Algorithm:</dt>
<dd pn="section-6.3.1-3.8">The result of an ECDH
key agreement process does not provide a uniformly random secret.
As such, it needs to be run through a KDF in order to produce a usable
key. Processing the secret through a KDF also allows for the
introduction of context material: how the key is going to be used
and one-time material for Static-Static key agreement. All of the
algorithms defined in this document use one of the HKDF algorithms
defined in <xref target="HKDF-section" format="default" sectionFormat="
of" derivedContent="Section 5.1"/> with the context structure
defined in <xref target="context" format="default" sectionFormat="of" d
erivedContent="Section 5.2"/>. </dd>
<dt pn="section-6.3.1-3.9">Key Wrap Algorithm:</dt>
<dd pn="section-6.3.1-3.10"> No key wrap algorithm is used.
This is represented in <xref target="x-table-ecdh-es-table" format="def
ault" sectionFormat="of" derivedContent="Table 14"/> as
"none". The key size for the context structure is the
content layer encryption algorithm size. </dd>
</dl>
<t indent="0" pn="section-6.3.1-4">
COSE does not have an Ephemeral-Ephemeral version defined. COSE does not have an Ephemeral-Ephemeral version defined.
The reason for this is that COSE is not an online protocol by itself a The reason for this is that COSE is not an online protocol by itself a
nd thus does not have a method to establish ephemeral secrets on both sides. nd thus does not have a method of establishing ephemeral secrets on both sides.
The expectation is that a protocol would establish the secrets for bot The expectation is that a protocol would establish the secrets for bot
h sides, and then they would be used as static-static for the purposes of COSE, h sides, and then they would be used as Static-Static for the purposes of COSE,
or that the protocol would generate a shared secret and a direct encryption woul or that the protocol would generate a shared secret and a direct encryption woul
d be used. d be used.
</t>
<t>The set of direct ECDH algorithms defined in this document are found
in <xref target="x-table-ecdh-es-table"/>. </t>
<table anchor="x-table-ecdh-es-table" align="center">
<name>ECDH Algorithm Values</name>
<thead>
<tr>
<th>Name</th>
<th>Value</th>
<th>KDF</th>
<th>Ephemeral- Static</th>
<th>Key Wrap</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>ECDH-ES + HKDF-256</td>
<td>-25</td>
<td>HKDF - SHA-256</td>
<td>yes</td>
<td>none</td>
<td>ECDH ES w/ HKDF - generate key directly</td>
</tr>
<tr>
<td>ECDH-ES + HKDF-512</td>
<td>-26</td>
<td>HKDF - SHA-512</td>
<td>yes</td>
<td>none</td>
<td>ECDH ES w/ HKDF - generate key directly</td>
</tr>
<tr>
<td>ECDH-SS + HKDF-256</td>
<td>-27</td>
<td>HKDF - SHA-256</td>
<td>no</td>
<td>none</td>
<td>ECDH SS w/ HKDF - generate key directly</td>
</tr>
<tr>
<td>ECDH-SS + HKDF-512</td>
<td>-28</td>
<td>HKDF - SHA-512</td>
<td>no</td>
<td>none</td>
<td>ECDH SS w/ HKDF - generate key directly</td>
</tr>
</tbody>
</table>
<table anchor="x-table-ecdh-es-parameter-table" align="center">
<name>ECDH Algorithm Parameters</name>
<thead>
<tr>
<th>Name</th>
<th>Label</th>
<th>Type</th>
<th>Algorithm</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>ephemeral key</td>
<td>-1</td>
<td>COSE_Key</td>
<td>ECDH-ES+HKDF-256, ECDH-ES+HKDF-512, ECDH-ES+A128KW, ECDH-ES+A1
92KW, ECDH-ES+A256KW</td>
<td>Ephemeral public key for the sender</td>
</tr>
<tr>
<td>static key</td>
<td>-2</td>
<td>COSE_Key</td>
<td>ECDH-SS+HKDF-256, ECDH-SS+HKDF-512, ECDH-SS+A128KW, ECDH-SS+A1
92KW, ECDH-SS+A256KW </td>
<td>Static public key for the sender</td>
</tr>
<tr>
<td>static key id </td>
<td>-3</td>
<td>bstr</td>
<td>ECDH-SS+HKDF-256, ECDH-SS+HKDF-512, ECDH-SS+A128KW, ECDH-SS+A1
92KW, ECDH-SS+A256KW </td>
<td>Static public key identifier for the sender</td>
</tr>
</tbody>
</table>
<t>This document defines these algorithms to be used with the curves P-2
56, P-384, P-521, X25519, and X448. Implementations <bcp14>MUST</bcp14> verify
that the key type and curve are correct. Different curves are restricted to dif
ferent key types. Implementations <bcp14>MUST</bcp14> verify that the curve and
algorithm are appropriate for the entities involved. </t>
<t>When using a COSE key for this algorithm, the following checks are ma
de:
</t>
<ul>
<li>The 'kty' field <bcp14>MUST</bcp14> be present, and it <bcp14>MUST
</bcp14> be 'EC2' or 'OKP'.</li>
<li>If the 'alg' field is present, it <bcp14>MUST</bcp14> match the ke
y agreement algorithm being used.</li>
<li>If the 'key_ops' field is present, it <bcp14>MUST</bcp14> include
'derive key' or 'derive bits' for the private key.</li>
<li>If the 'key_ops' field is present, it <bcp14>MUST</bcp14> be empty
for the public key.</li>
</ul>
<section>
<name>Security Considerations for ECDH</name>
<t>
There is a method of checking that points provided from external ent
ities are valid.
For the 'EC2' key format, this can be done by checking that the x an
d y values form a point on the curve.
For the 'OKP' format, there is no simple way to do point validation.
</t> </t>
<t> <t indent="0" pn="section-6.3.1-5">The set of direct ECDH algorithms d
Consideration was given to requiring that the public keys of both en efined in this document is found
tities be provided as part of the key derivation process (as recommended in <rel in <xref target="x-table-ecdh-es-table" format="default" sectionFormat="o
ref target="RFC7748" section="6.4"/>). f" derivedContent="Table 14"/>. </t>
This was not done as COSE is used in a store and forward format rath <table anchor="x-table-ecdh-es-table" align="center" pn="table-14">
er than in online key exchange. <name slugifiedName="name-ecdh-algorithm-values">ECDH Algorithm Valu
es</name>
<thead>
<tr>
<th align="left" colspan="1" rowspan="1">Name</th>
<th align="left" colspan="1" rowspan="1">Value</th>
<th align="left" colspan="1" rowspan="1">KDF</th>
<th align="left" colspan="1" rowspan="1">Ephemeral-Static</th>
<th align="left" colspan="1" rowspan="1">Key Wrap</th>
<th align="left" colspan="1" rowspan="1">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left" colspan="1" rowspan="1">ECDH-ES + HKDF-256</td>
<td align="left" colspan="1" rowspan="1">-25</td>
<td align="left" colspan="1" rowspan="1">HKDF -- SHA-256</td>
<td align="left" colspan="1" rowspan="1">yes</td>
<td align="left" colspan="1" rowspan="1">none</td>
<td align="left" colspan="1" rowspan="1">ECDH ES w/ HKDF -- gene
rate key directly</td>
</tr>
<tr>
<td align="left" colspan="1" rowspan="1">ECDH-ES + HKDF-512</td>
<td align="left" colspan="1" rowspan="1">-26</td>
<td align="left" colspan="1" rowspan="1">HKDF -- SHA-512</td>
<td align="left" colspan="1" rowspan="1">yes</td>
<td align="left" colspan="1" rowspan="1">none</td>
<td align="left" colspan="1" rowspan="1">ECDH ES w/ HKDF -- gene
rate key directly</td>
</tr>
<tr>
<td align="left" colspan="1" rowspan="1">ECDH-SS + HKDF-256</td>
<td align="left" colspan="1" rowspan="1">-27</td>
<td align="left" colspan="1" rowspan="1">HKDF -- SHA-256</td>
<td align="left" colspan="1" rowspan="1">no</td>
<td align="left" colspan="1" rowspan="1">none</td>
<td align="left" colspan="1" rowspan="1">ECDH SS w/ HKDF -- gene
rate key directly</td>
</tr>
<tr>
<td align="left" colspan="1" rowspan="1">ECDH-SS + HKDF-512</td>
<td align="left" colspan="1" rowspan="1">-28</td>
<td align="left" colspan="1" rowspan="1">HKDF -- SHA-512</td>
<td align="left" colspan="1" rowspan="1">no</td>
<td align="left" colspan="1" rowspan="1">none</td>
<td align="left" colspan="1" rowspan="1">ECDH SS w/ HKDF -- gene
rate key directly</td>
</tr>
</tbody>
</table>
<table anchor="x-table-ecdh-es-parameter-table" align="center" pn="tab
le-15">
<name slugifiedName="name-ecdh-algorithm-parameters">ECDH Algorithm
Parameters</name>
<thead>
<tr>
<th align="left" colspan="1" rowspan="1">Name</th>
<th align="left" colspan="1" rowspan="1">Label</th>
<th align="left" colspan="1" rowspan="1">Type</th>
<th align="left" colspan="1" rowspan="1">Algorithm</th>
<th align="left" colspan="1" rowspan="1">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left" colspan="1" rowspan="1">ephemeral key</td>
<td align="left" colspan="1" rowspan="1">-1</td>
<td align="left" colspan="1" rowspan="1">COSE_Key</td>
<td align="left" colspan="1" rowspan="1">ECDH-ES+HKDF-256, ECDH-
ES+HKDF-512, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW</td>
<td align="left" colspan="1" rowspan="1">Ephemeral public key fo
r the sender</td>
</tr>
<tr>
<td align="left" colspan="1" rowspan="1">static key</td>
<td align="left" colspan="1" rowspan="1">-2</td>
<td align="left" colspan="1" rowspan="1">COSE_Key</td>
<td align="left" colspan="1" rowspan="1">ECDH-SS+HKDF-256, ECDH-
SS+HKDF-512, ECDH-SS+A128KW, ECDH-SS+A192KW, ECDH-SS+A256KW </td>
<td align="left" colspan="1" rowspan="1">Static public key for t
he sender</td>
</tr>
<tr>
<td align="left" colspan="1" rowspan="1">static key id </td>
<td align="left" colspan="1" rowspan="1">-3</td>
<td align="left" colspan="1" rowspan="1">bstr</td>
<td align="left" colspan="1" rowspan="1">ECDH-SS+HKDF-256, ECDH-
SS+HKDF-512, ECDH-SS+A128KW, ECDH-SS+A192KW, ECDH-SS+A256KW </td>
<td align="left" colspan="1" rowspan="1">Static public key ident
ifier for the sender</td>
</tr>
</tbody>
</table>
<t indent="0" pn="section-6.3.1-8">This document defines these algorit
hms to be used with the curves P-256, P-384, P-521, X25519, and X448. Implement
ations <bcp14>MUST</bcp14> verify that the key type and curve are correct. Diff
erent curves are restricted to different key types. Implementations <bcp14>MUST
</bcp14> verify that the curve and algorithm are appropriate for the entities in
volved. </t>
<t indent="0" pn="section-6.3.1-9">When using a COSE key for this algo
rithm, the following checks are made:
</t>
<ul bare="false" empty="false" indent="3" spacing="normal" pn="section
-6.3.1-10">
<li pn="section-6.3.1-10.1">The "kty" field <bcp14>MUST</bcp14> be p
resent, and it <bcp14>MUST</bcp14> be "EC2" or "OKP".</li>
<li pn="section-6.3.1-10.2">If the "alg" field is present, it <bcp14
>MUST</bcp14> match the
key agreement algorithm being used.</li>
<li pn="section-6.3.1-10.3">If the "key_ops" field is present, it <b
cp14>MUST</bcp14> include "derive key" or "derive bits" for the private key.</li
>
<li pn="section-6.3.1-10.4">If the "key_ops" field is present, it <b
cp14>MUST</bcp14> be empty for the public key.</li>
</ul>
<section numbered="true" removeInRFC="false" toc="exclude" pn="section
-6.3.1.1">
<name slugifiedName="name-security-considerations-for-e">Security Co
nsiderations for ECDH</name>
<t indent="0" pn="section-6.3.1.1-1">
There is a method of checking that points provided from external ent
ities are valid.
For the "EC2" key format, this can be done by checking that the x an
d y values form a point on the curve.
For the "OKP" format, there is no simple way to perform point valida
tion.
</t>
<t indent="0" pn="section-6.3.1.1-2">
Consideration was given to requiring that the public keys of both
entities be provided as part of the key derivation process (as
recommended in <xref target="RFC7748" section="6.1" sectionFormat="of
" format="default" derivedLink="https://rfc-editor.org/rfc/rfc7748#section-6.1"
derivedContent="RFC7748"/>). This was
not done, because COSE is used in a store-and-forward
format rather than in online key exchange.
In order for this to be a problem, either the receiver public key ha s to be chosen maliciously or the sender has to be malicious. In order for this to be a problem, either the receiver public key ha s to be chosen maliciously or the sender has to be malicious.
In either case, all security evaporates anyway. In either case, all security evaporates anyway.
</t> </t>
<t>A proof of possession of the private key associated with the public <t indent="0" pn="section-6.3.1.1-3">A proof of possession of the pr
key is recommended when a key is moved from untrusted to trusted (either by the ivate key associated with the public key is recommended when a key is moved from
end user or by the entity that is responsible for making trust statements on ke untrusted to trusted (either by the end user or by the entity that is responsib
ys). </t> le for making trust statements on keys). </t>
</section>
</section> </section>
</section> </section>
</section> <section numbered="true" removeInRFC="false" toc="include" pn="section-6.4
<section> ">
<name>Key Agreement with Key Wrap</name> <name slugifiedName="name-key-agreement-with-key-wrap">Key Agreement wit
<t> h Key Wrap</name>
Key Agreement with Key Wrap is defined in <relref section="9.5.5" targ <t indent="0" pn="section-6.4-1">
et="I-D.ietf-cose-rfc8152bis-struct"/>. Key Agreement with Key Wrap is defined in <xref section="8.5.5" target
Information about how to fill in the COSE_Recipient structure are deta ="RFC9052" sectionFormat="of" format="default" derivedLink="https://rfc-editor.o
iled there. rg/rfc/rfc9052#section-8.5.5" derivedContent="RFC9052"/>.
</t> Information about how to fill in the COSE_Recipient structure is detai
led there.
<section anchor="ECDH-wrap">
<name>ECDH with Key Wrap</name>
<t>These algorithms are defined in <xref target="x-table-ecdh-es-table-w
rap"/>. </t>
<t>ECDH with Key Agreement is parameterized by the same header parameter
s as for ECDH; see <xref target="ECDH"/>, with the following modifications:
</t>
<ul>
<li>Key Wrap Algorithm: Any of the key wrap algorithms defined in <xre
f target="key_wrap_algs"/> are supported. The size of the key used for the key
wrap algorithm is fed into the KDF. The set of identifiers are found in <xref t
arget="x-table-ecdh-es-table-wrap"/>. </li>
</ul>
<table anchor="x-table-ecdh-es-table-wrap" align="center">
<name>ECDH Algorithm Values with Key Wrap</name>
<thead>
<tr>
<th>Name</th>
<th>Value</th>
<th>KDF</th>
<th>Ephemeral- Static</th>
<th>Key Wrap</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>ECDH-ES + A128KW</td>
<td>-29</td>
<td>HKDF - SHA-256</td>
<td>yes</td>
<td>A128KW</td>
<td>ECDH ES w/ Concat KDF and AES Key Wrap w/ 128-bit key</td>
</tr>
<tr>
<td>ECDH-ES + A192KW</td>
<td>-30</td>
<td>HKDF - SHA-256</td>
<td>yes</td>
<td>A192KW</td>
<td>ECDH ES w/ Concat KDF and AES Key Wrap w/ 192-bit key</td>
</tr>
<tr>
<td>ECDH-ES + A256KW</td>
<td>-31</td>
<td>HKDF - SHA-256</td>
<td>yes</td>
<td>A256KW</td>
<td>ECDH ES w/ Concat KDF and AES Key Wrap w/ 256-bit key</td>
</tr>
<tr>
<td>ECDH-SS + A128KW</td>
<td>-32</td>
<td>HKDF - SHA-256</td>
<td>no</td>
<td>A128KW</td>
<td>ECDH SS w/ Concat KDF and AES Key Wrap w/ 128-bit key</td>
</tr>
<tr>
<td>ECDH-SS + A192KW</td>
<td>-33</td>
<td>HKDF - SHA-256</td>
<td>no</td>
<td>A192KW</td>
<td>ECDH SS w/ Concat KDF and AES Key Wrap w/ 192-bit key</td>
</tr>
<tr>
<td>ECDH-SS + A256KW</td>
<td>-34</td>
<td>HKDF - SHA-256</td>
<td>no</td>
<td>A256KW</td>
<td>ECDH SS w/ Concat KDF and AES Key Wrap w/ 256-bit key</td>
</tr>
</tbody>
</table>
<t>When using a COSE key for this algorithm, the following checks are ma
de:
</t> </t>
<section anchor="ECDH-wrap" numbered="true" removeInRFC="false" toc="inc
<ul> lude" pn="section-6.4.1">
<name slugifiedName="name-ecdh-with-key-wrap">ECDH with Key Wrap</name
<li>The 'kty' field <bcp14>MUST</bcp14> be present, and it <bcp14>MUST >
</bcp14> be 'EC2' or 'OKP'.</li> <t indent="0" pn="section-6.4.1-1">These algorithms are defined in <xr
ef target="x-table-ecdh-es-table-wrap" format="default" sectionFormat="of" deriv
<li>If the 'alg' field is present, it <bcp14>MUST</bcp14> match the ke edContent="Table 16"/>. </t>
y agreement algorithm being used.</li> <t indent="0" pn="section-6.4.1-2">ECDH with Key Agreement is paramete
rized by the same header parameters as for ECDH; see <xref target="ECDH" format=
<li>If the 'key_ops' field is present, it <bcp14>MUST</bcp14> include "default" sectionFormat="of" derivedContent="Section 6.3.1"/>, with the followin
'derive key' or 'derive bits' for the private key.</li> g modifications:
</t>
<li>If the 'key_ops' field is present, it <bcp14>MUST</bcp14> be empty <dl indent="3" newline="false" spacing="normal" pn="section-6.4.1-3">
for the public key.</li> <dt pn="section-6.4.1-3.1">Key Wrap Algorithm:</dt>
</ul> <dd pn="section-6.4.1-3.2"> Any of the key wrap algorithms
defined in <xref target="key_wrap_algs" format="default" sectionFormat=
"of" derivedContent="Section 6.2"/> are supported. The size
of the key used for the key wrap algorithm is fed into the KDF. The
set of identifiers is found in <xref target="x-table-ecdh-es-table-wrap
" format="default" sectionFormat="of" derivedContent="Table 16"/>. </dd>
</dl>
<table anchor="x-table-ecdh-es-table-wrap" align="center" pn="table-16
">
<name slugifiedName="name-ecdh-algorithm-values-with-">ECDH Algorith
m Values with Key Wrap</name>
<thead>
<tr>
<th align="left" colspan="1" rowspan="1">Name</th>
<th align="left" colspan="1" rowspan="1">Value</th>
<th align="left" colspan="1" rowspan="1">KDF</th>
<th align="left" colspan="1" rowspan="1">Ephemeral-Static</th>
<th align="left" colspan="1" rowspan="1">Key Wrap</th>
<th align="left" colspan="1" rowspan="1">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left" colspan="1" rowspan="1">ECDH-ES + A128KW</td>
<td align="left" colspan="1" rowspan="1">-29</td>
<td align="left" colspan="1" rowspan="1">HKDF -- SHA-256</td>
<td align="left" colspan="1" rowspan="1">yes</td>
<td align="left" colspan="1" rowspan="1">A128KW</td>
<td align="left" colspan="1" rowspan="1">ECDH ES w/ HKDF and AES
Key Wrap w/ 128-bit key</td>
</tr>
<tr>
<td align="left" colspan="1" rowspan="1">ECDH-ES + A192KW</td>
<td align="left" colspan="1" rowspan="1">-30</td>
<td align="left" colspan="1" rowspan="1">HKDF -- SHA-256</td>
<td align="left" colspan="1" rowspan="1">yes</td>
<td align="left" colspan="1" rowspan="1">A192KW</td>
<td align="left" colspan="1" rowspan="1">ECDH ES w/ HKDF and AES
Key Wrap w/ 192-bit key</td>
</tr>
<tr>
<td align="left" colspan="1" rowspan="1">ECDH-ES + A256KW</td>
<td align="left" colspan="1" rowspan="1">-31</td>
<td align="left" colspan="1" rowspan="1">HKDF -- SHA-256</td>
<td align="left" colspan="1" rowspan="1">yes</td>
<td align="left" colspan="1" rowspan="1">A256KW</td>
<td align="left" colspan="1" rowspan="1">ECDH ES w/ HKDF and AES
Key Wrap w/ 256-bit key</td>
</tr>
<tr>
<td align="left" colspan="1" rowspan="1">ECDH-SS + A128KW</td>
<td align="left" colspan="1" rowspan="1">-32</td>
<td align="left" colspan="1" rowspan="1">HKDF -- SHA-256</td>
<td align="left" colspan="1" rowspan="1">no</td>
<td align="left" colspan="1" rowspan="1">A128KW</td>
<td align="left" colspan="1" rowspan="1">ECDH SS w/ HKDF and AES
Key Wrap w/ 128-bit key</td>
</tr>
<tr>
<td align="left" colspan="1" rowspan="1">ECDH-SS + A192KW</td>
<td align="left" colspan="1" rowspan="1">-33</td>
<td align="left" colspan="1" rowspan="1">HKDF -- SHA-256</td>
<td align="left" colspan="1" rowspan="1">no</td>
<td align="left" colspan="1" rowspan="1">A192KW</td>
<td align="left" colspan="1" rowspan="1">ECDH SS w/ HKDF and AES
Key Wrap w/ 192-bit key</td>
</tr>
<tr>
<td align="left" colspan="1" rowspan="1">ECDH-SS + A256KW</td>
<td align="left" colspan="1" rowspan="1">-34</td>
<td align="left" colspan="1" rowspan="1">HKDF -- SHA-256</td>
<td align="left" colspan="1" rowspan="1">no</td>
<td align="left" colspan="1" rowspan="1">A256KW</td>
<td align="left" colspan="1" rowspan="1">ECDH SS w/ HKDF and AES
Key Wrap w/ 256-bit key</td>
</tr>
</tbody>
</table>
<t indent="0" pn="section-6.4.1-5">When using a COSE key for this algo
rithm, the following checks are made:
</t>
<ul bare="false" empty="false" indent="3" spacing="normal" pn="section
-6.4.1-6">
<li pn="section-6.4.1-6.1">The "kty" field <bcp14>MUST</bcp14> be pr
esent, and it <bcp14>MUST</bcp14> be "EC2" or "OKP".</li>
<li pn="section-6.4.1-6.2">If the "alg" field is present, it <bcp14>
MUST</bcp14> match the key agreement algorithm being used.</li>
<li pn="section-6.4.1-6.3">If the "key_ops" field is present, it <bc
p14>MUST</bcp14> include "derive key" or "derive bits" for the private key.</li>
<li pn="section-6.4.1-6.4">If the "key_ops" field is present, it <bc
p14>MUST</bcp14> be empty for the public key.</li>
</ul>
</section>
</section> </section>
</section> </section>
</section> <section anchor="Key-specific-labels" numbered="true" removeInRFC="false" to
<section anchor="Key-specific-labels"> c="include" pn="section-7">
<name slugifiedName="name-key-object-parameters">Key Object Parameters</na
<name>Key Object Parameters</name> me>
<t>The COSE_Key object defines a way to hold a single key object. It is s <t indent="0" pn="section-7-1">The COSE_Key object defines a way to hold a
till required that the members of individual key types be defined. This section single key object. It is still required that the members of individual key typ
of the document is where we define an initial set of members for specific key t es be defined. This section of the document is where we define an initial set o
ypes. </t> f members for specific key types. </t>
<t>For each of the key types, we define both public and private members. <t indent="0" pn="section-7-2">For each of the key types, we define both p
The public members are what is transmitted to others for their usage. Private m ublic and private members.
embers allow for the archival of keys by individuals. However, there are some c The public members are what is transmitted to others for their usage.
ircumstances in which private keys may be distributed to entities in a protocol. Private members allow individuals to archive keys. However,
Examples include: entities that have poor random number generation, centraliz there are some circumstances in which private keys may be distributed to
ed key creation for multi-cast type operations, and protocols in which a shared entities in a protocol. Examples include: entities that have poor
secret is used as a bearer token for authorization purposes. </t> random number generation, centralized key creation for multicast-type
<t>Key types are identified by the 'kty' member of the COSE_Key object. I operations, and protocols in which a shared secret is used as a bearer
n this document, we define four values for the member: </t> token for authorization purposes. </t>
<table anchor="x-table_key_types" align="center"> <t indent="0" pn="section-7-3">Key types are identified by the "kty" membe
r of the COSE_Key object. In this document, we define four values for the membe
<name>Key Type Values</name> r: </t>
<table anchor="x-table_key_types" align="center" pn="table-17">
<name slugifiedName="name-key-type-values">Key Type Values</name>
<thead> <thead>
<tr> <tr>
<th>Name</th> <th align="left" colspan="1" rowspan="1">Name</th>
<th>Value</th> <th align="center" colspan="1" rowspan="1">Value</th>
<th>Description</th> <th align="left" colspan="1" rowspan="1">Description</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td>OKP</td> <td align="left" colspan="1" rowspan="1">OKP</td>
<td>1</td> <td align="center" colspan="1" rowspan="1">1</td>
<td>Octet Key Pair</td> <td align="left" colspan="1" rowspan="1">Octet Key Pair</td>
</tr> </tr>
<tr> <tr>
<td>EC2</td> <td align="left" colspan="1" rowspan="1">EC2</td>
<td>2</td> <td align="center" colspan="1" rowspan="1">2</td>
<td>Elliptic Curve Keys w/ x- and y-coordinate pair</td> <td align="left" colspan="1" rowspan="1">Elliptic Curve Keys w/ x- a
nd y-coordinate pair</td>
</tr> </tr>
<tr> <tr>
<td>Symmetric</td> <td align="left" colspan="1" rowspan="1">Symmetric</td>
<td>4</td> <td align="center" colspan="1" rowspan="1">4</td>
<td>Symmetric Keys</td> <td align="left" colspan="1" rowspan="1">Symmetric Keys</td>
</tr> </tr>
<tr> <tr>
<td>Reserved</td> <td align="left" colspan="1" rowspan="1">Reserved</td>
<td>0</td> <td align="center" colspan="1" rowspan="1">0</td>
<td>This value is reserved</td> <td align="left" colspan="1" rowspan="1">This value is reserved</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<section> <section numbered="true" removeInRFC="false" toc="include" pn="section-7.1
">
<name>Elliptic Curve Keys</name> <name slugifiedName="name-elliptic-curve-keys">Elliptic Curve Keys</name
<t>Two different key structures are defined for elliptic curve keys. On >
e version uses both an x-coordinate and a y-coordinate, potentially with point c <t indent="0" pn="section-7.1-1">Two different key structures are define
ompression ('EC2'). This is the traditional EC point representation that is use d for elliptic curve keys.
d in <xref target="RFC5480"/>. The other version uses only the x-coordinate as One version uses both an x-coordinate and a y-coordinate, potentially
the y-coordinate is either to be recomputed or not needed for the key agreement with point compression ("EC2"). This is the conventional
operation ('OKP'). </t> elliptic curve (EC) point
<t>Applications <bcp14>MUST</bcp14> check that the curve and the key typ representation that is used in <xref target="RFC5480" format="default" se
e are consistent and reject a key if they are not. </t> ctionFormat="of" derivedContent="RFC5480"/>. The other
<table anchor="x-table-ec-curves" align="center"> version uses only the x-coordinate, as the y-coordinate is either to
be recomputed or not needed for the key agreement operation ("OKP").
<name>Elliptic Curves</name> </t>
<t indent="0" pn="section-7.1-2">Applications <bcp14>MUST</bcp14> check
that the curve and the key type are consistent and reject a key if they are not.
</t>
<table anchor="x-table-ec-curves" align="center" pn="table-18">
<name slugifiedName="name-elliptic-curves">Elliptic Curves</name>
<thead> <thead>
<tr> <tr>
<th>Name</th> <th align="left" colspan="1" rowspan="1">Name</th>
<th>Value</th> <th align="center" colspan="1" rowspan="1">Value</th>
<th>Key Type</th> <th align="center" colspan="1" rowspan="1">Key Type</th>
<th>Description</th> <th align="left" colspan="1" rowspan="1">Description</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td>P-256</td> <td align="left" colspan="1" rowspan="1">P-256</td>
<td>1</td> <td align="center" colspan="1" rowspan="1">1</td>
<td>EC2</td> <td align="center" colspan="1" rowspan="1">EC2</td>
<td>NIST P-256 also known as secp256r1</td> <td align="left" colspan="1" rowspan="1">NIST P-256, also known as
secp256r1</td>
</tr> </tr>
<tr> <tr>
<td>P-384</td> <td align="left" colspan="1" rowspan="1">P-384</td>
<td>2</td> <td align="center" colspan="1" rowspan="1">2</td>
<td>EC2</td> <td align="center" colspan="1" rowspan="1">EC2</td>
<td>NIST P-384 also known as secp384r1</td> <td align="left" colspan="1" rowspan="1">NIST P-384, also known as
secp384r1</td>
</tr> </tr>
<tr> <tr>
<td>P-521</td> <td align="left" colspan="1" rowspan="1">P-521</td>
<td>3</td> <td align="center" colspan="1" rowspan="1">3</td>
<td>EC2</td> <td align="center" colspan="1" rowspan="1">EC2</td>
<td>NIST P-521 also known as secp521r1</td> <td align="left" colspan="1" rowspan="1">NIST P-521, also known as
secp521r1</td>
</tr> </tr>
<tr> <tr>
<td>X25519</td> <td align="left" colspan="1" rowspan="1">X25519</td>
<td>4</td> <td align="center" colspan="1" rowspan="1">4</td>
<td>OKP</td> <td align="center" colspan="1" rowspan="1">OKP</td>
<td>X25519 for use w/ ECDH only</td> <td align="left" colspan="1" rowspan="1">X25519 for use w/ ECDH on
ly</td>
</tr> </tr>
<tr> <tr>
<td>X448</td> <td align="left" colspan="1" rowspan="1">X448</td>
<td>5</td> <td align="center" colspan="1" rowspan="1">5</td>
<td>OKP</td> <td align="center" colspan="1" rowspan="1">OKP</td>
<td>X448 for use w/ ECDH only</td> <td align="left" colspan="1" rowspan="1">X448 for use w/ ECDH only
</td>
</tr> </tr>
<tr> <tr>
<td>Ed25519</td> <td align="left" colspan="1" rowspan="1">Ed25519</td>
<td>6</td> <td align="center" colspan="1" rowspan="1">6</td>
<td>OKP</td> <td align="center" colspan="1" rowspan="1">OKP</td>
<td>Ed25519 for use w/ EdDSA only</td> <td align="left" colspan="1" rowspan="1">Ed25519 for use w/ EdDSA
only</td>
</tr> </tr>
<tr> <tr>
<td>Ed448</td> <td align="left" colspan="1" rowspan="1">Ed448</td>
<td>7</td> <td align="center" colspan="1" rowspan="1">7</td>
<td>OKP</td> <td align="center" colspan="1" rowspan="1">OKP</td>
<td>Ed448 for use w/ EdDSA only</td> <td align="left" colspan="1" rowspan="1">Ed448 for use w/ EdDSA on
ly</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<section anchor="EC2-Keys"> <section anchor="EC2-Keys" numbered="true" removeInRFC="false" toc="incl
ude" pn="section-7.1.1">
<name>Double Coordinate Curves</name> <name slugifiedName="name-double-coordinate-curves">Double Coordinate
<t>The traditional way of sending ECs has been to send either both the Curves</name>
x-coordinate and y-coordinate or the x-coordinate and a sign bit for the y-coor <t indent="0" pn="section-7.1.1-1">Generally, protocols transmit ellip
dinate. The latter encoding has not been recommended in the IETF due to potenti tic-curve points as either the
al IPR issues. However, for operations in constrained environments, the ability x-coordinate and y-coordinate or the x-coordinate and a sign bit
to shrink a message by not sending the y-coordinate is potentially useful. </t for the y-coordinate. The latter encoding has not been recommended
> by the IETF due to potential IPR
<t>For EC keys with both coordinates, the 'kty' member is set to 2 (EC issues. However, for operations in constrained environments, the
2). The key parameters defined in this section are summarized in <xref target=" ability to shrink a message by not sending the y-coordinate is
x-table-ec2-keys"/>. The members that are defined for this key type are: potentially useful. </t>
<t indent="0" pn="section-7.1.1-2">For EC keys with both coordinates,
the "kty" member is set to 2 (EC2). The key parameters defined in this section
are summarized in <xref target="x-table-ec2-keys" format="default" sectionFormat
="of" derivedContent="Table 19"/>. The members that are defined for this key ty
pe are:
</t> </t>
<dl newline="false" indent="6" spacing="normal" pn="section-7.1.1-3">
<dl newline="false" indent="5"> <dt pn="section-7.1.1-3.1">crv:</dt>
<dt>crv:</dt> <dd pn="section-7.1.1-3.2">This contains an identifier of the curve
to be used with the key. The curves defined in this document for this key type c
<dd>This contains an identifier of the curve to be used with the key an be found in <xref target="x-table-ec-curves" format="default" sectionFormat="
. The curves defined in this document for this key type can be found in <xref ta of" derivedContent="Table 18"/>. Other curves may be registered in the future,
rget="x-table-ec-curves"/>. Other curves may be registered in the future, and p and private curves can be used as well. </dd>
rivate curves can be used as well. </dd> <dt pn="section-7.1.1-3.3">x:</dt>
<dt>x:</dt> <dd pn="section-7.1.1-3.4">This contains the x-coordinate for the EC
point. The integer
<dd>This contains the x-coordinate for the EC point. The integer is is converted to a byte string as defined in <xref target="SEC1" forma
converted to a byte string as defined in <xref target="SEC1"/>. Leading zero o t="default" sectionFormat="of" derivedContent="SEC1"/>.
ctets <bcp14>MUST</bcp14> be preserved. Leading-zero octets <bcp14>MUST</bcp14> be preserved.
</dd> </dd>
<dt>y:</dt> <dt pn="section-7.1.1-3.5">y:</dt>
<dd pn="section-7.1.1-3.6">This contains either the sign bit or the
<dd>This contains either the sign bit or the value of the y-coordina value of the y-coordinate for the EC point. When encoding the value y, the inte
te for the EC point. When encoding the value y, the integer is converted to an ger is converted to a byte string (as defined in <xref target="SEC1" format="def
byte string (as defined in <xref target="SEC1"/>) and encoded as a CBOR bstr. L ault" sectionFormat="of" derivedContent="SEC1"/>) and encoded as a CBOR bstr. L
eading zero octets <bcp14>MUST</bcp14> be preserved. The compressed point encod eading-zero octets <bcp14>MUST</bcp14> be preserved. Compressed point encoding
ing is also supported. Compute the sign bit as laid out in the Elliptic-Curve-P is also supported. Compute the sign bit as laid out in the Elliptic-Curve-Point
oint-to-Octet-String Conversion function of <xref target="SEC1"/>. If the sign -to-Octet-String Conversion function of <xref target="SEC1" format="default" sec
bit is zero, then encode y as a CBOR false value; otherwise, encode y as a CBOR tionFormat="of" derivedContent="SEC1"/>. If the sign bit is zero, then encode y
true value. The encoding of the infinity point is not supported. </dd> as a CBOR false value; otherwise, encode y as a CBOR true value. The encoding
<dt>d:</dt> of the infinity point is not supported. </dd>
<dt pn="section-7.1.1-3.7">d:</dt>
<dd>This contains the private key. </dd> <dd pn="section-7.1.1-3.8">This contains the private key. </dd>
</dl> </dl>
<t>For public keys, it is <bcp14>REQUIRED</bcp14> that 'crv', 'x', and <t indent="0" pn="section-7.1.1-4">For public keys, it is <bcp14>REQUI
'y' be present in the structure. For private keys, it is <bcp14>REQUIRED</bcp1 RED</bcp14> that "crv", "x", and "y" be present in the structure. For private k
4> that 'crv' and 'd' be present in the structure. For private keys, it is <bcp eys, it is <bcp14>REQUIRED</bcp14> that "crv" and "d" be present in the structur
14>RECOMMENDED</bcp14> that 'x' and 'y' also be present, but they can be recompu e. For private keys, it is <bcp14>RECOMMENDED</bcp14> that "x" and "y" also be
ted from the required elements and omitting them saves on space. </t> present, but they can be recomputed from the required elements, and omitting the
<table anchor="x-table-ec2-keys" align="center"> m saves on space. </t>
<table anchor="x-table-ec2-keys" align="center" pn="table-19">
<name>EC Key Parameters</name> <name slugifiedName="name-ec-key-parameters">EC Key Parameters</name
>
<thead> <thead>
<tr> <tr>
<th>Key Type</th> <th align="center" colspan="1" rowspan="1">Key Type</th>
<th>Name</th> <th align="center" colspan="1" rowspan="1">Name</th>
<th>Label</th> <th align="center" colspan="1" rowspan="1">Label</th>
<th>CBOR Type</th> <th align="left" colspan="1" rowspan="1">CBOR Type</th>
<th>Description</th> <th align="left" colspan="1" rowspan="1">Description</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td>2</td> <td align="center" colspan="1" rowspan="1">2</td>
<td>crv</td> <td align="center" colspan="1" rowspan="1">crv</td>
<td>-1</td> <td align="center" colspan="1" rowspan="1">-1</td>
<td>int / tstr</td> <td align="left" colspan="1" rowspan="1">int / tstr</td>
<td>EC identifier - Taken from the "COSE Elliptic Curves" regist <td align="left" colspan="1" rowspan="1">EC identifier -- Taken
ry</td> from the "COSE Elliptic Curves" registry</td>
</tr> </tr>
<tr> <tr>
<td>2</td> <td align="center" colspan="1" rowspan="1">2</td>
<td>x</td> <td align="center" colspan="1" rowspan="1">x</td>
<td>-2</td> <td align="center" colspan="1" rowspan="1">-2</td>
<td>bstr</td> <td align="left" colspan="1" rowspan="1">bstr</td>
<td>x-coordinate</td> <td align="left" colspan="1" rowspan="1">x-coordinate</td>
</tr> </tr>
<tr> <tr>
<td>2</td> <td align="center" colspan="1" rowspan="1">2</td>
<td>y</td> <td align="center" colspan="1" rowspan="1">y</td>
<td>-3</td> <td align="center" colspan="1" rowspan="1">-3</td>
<td>bstr / bool</td> <td align="left" colspan="1" rowspan="1">bstr / bool</td>
<td>y-coordinate</td> <td align="left" colspan="1" rowspan="1">y-coordinate</td>
</tr> </tr>
<tr> <tr>
<td>2</td> <td align="center" colspan="1" rowspan="1">2</td>
<td>d</td> <td align="center" colspan="1" rowspan="1">d</td>
<td>-4</td> <td align="center" colspan="1" rowspan="1">-4</td>
<td>bstr</td> <td align="left" colspan="1" rowspan="1">bstr</td>
<td>Private key</td> <td align="left" colspan="1" rowspan="1">Private key</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</section> </section>
</section> </section>
<section> <section numbered="true" removeInRFC="false" toc="include" pn="section-7.2
">
<name>Octet Key Pair</name> <name slugifiedName="name-octet-key-pair">Octet Key Pair</name>
<t>A new key type is defined for Octet Key Pairs (OKP). Do not assume t <t indent="0" pn="section-7.2-1">A new key type is defined for Octet Key
hat keys using this type are elliptic curves. This key type could be used for o Pairs (OKPs). Do not assume that keys using this type are elliptic curves. Th
ther curve types (for example, mathematics based on hyper-elliptic surfaces). < is key type could be used for other curve types (for example, mathematics based
/t> on hyper-elliptic surfaces). </t>
<t>The key parameters defined in this section are summarized in <xref ta <t indent="0" pn="section-7.2-2">The key parameters defined in this sect
rget="x-table-ec1-keys"/>. The members that are defined for this key type are: ion are summarized in <xref target="x-table-ec1-keys" format="default" sectionFo
rmat="of" derivedContent="Table 20"/>. The members that are defined for this ke
y type are:
</t> </t>
<dl newline="false" indent="6" spacing="normal" pn="section-7.2-3">
<dl newline="false" indent="5"> <dt pn="section-7.2-3.1">crv:</dt>
<dt>crv:</dt> <dd pn="section-7.2-3.2">This contains an identifier of the curve to b
e used with the key. The curves defined in this document for this key type can b
<dd>This contains an identifier of the curve to be used with the key. e found in <xref target="x-table-ec-curves" format="default" sectionFormat="of"
The curves defined in this document for this key type can be found in <xref targ derivedContent="Table 18"/>. Other curves may be registered in the future, and
et="x-table-ec-curves"/>. Other curves may be registered in the future and priv private curves can be used as well. </dd>
ate curves can be used as well. </dd> <dt pn="section-7.2-3.3">x:</dt>
<dt>x:</dt> <dd pn="section-7.2-3.4">This contains the public key. The byte strin
g contains the public key as defined by the algorithm. (For X25519, internally i
<dd>This contains the public key. The byte string contains the public t is a little-endian integer.) </dd>
key as defined by the algorithm. (For X25519, internally it is a little-endian <dt pn="section-7.2-3.5">d:</dt>
integer.) </dd> <dd pn="section-7.2-3.6">This contains the private key. </dd>
<dt>d:</dt>
<dd>This contains the private key. </dd>
</dl> </dl>
<t>For public keys, it is <bcp14>REQUIRED</bcp14> that 'crv' and 'x' be <t indent="0" pn="section-7.2-4">For public keys, it is <bcp14>REQUIRED<
present in the structure. For private keys, it is <bcp14>REQUIRED</bcp14> that /bcp14> that "crv" and "x" be present in the structure. For private keys, it i
'crv' and 'd' be present in the structure. For private keys, it is <bcp14>RECO s <bcp14>REQUIRED</bcp14> that "crv" and "d" be present in the structure. For p
MMENDED</bcp14> that 'x' also be present, but it can be recomputed from the requ rivate keys, it is <bcp14>RECOMMENDED</bcp14> that "x" also be present, but it c
ired elements and omitting it saves on space. </t> an be recomputed from the required elements, and omitting it saves on space. </
<table anchor="x-table-ec1-keys" align="center"> t>
<table anchor="x-table-ec1-keys" align="center" pn="table-20">
<name>Octet Key Pair Parameters</name> <name slugifiedName="name-octet-key-pair-parameters">Octet Key Pair Pa
rameters</name>
<thead> <thead>
<tr> <tr>
<th>Name</th> <th align="left" colspan="1" rowspan="1">Name</th>
<th>Key Type</th> <th align="center" colspan="1" rowspan="1">Key Type</th>
<th>Label</th> <th align="center" colspan="1" rowspan="1">Label</th>
<th>Type</th> <th align="left" colspan="1" rowspan="1">Type</th>
<th>Description</th> <th align="left" colspan="1" rowspan="1">Description</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td>crv</td> <td align="left" colspan="1" rowspan="1">crv</td>
<td>1</td> <td align="center" colspan="1" rowspan="1">1</td>
<td>-1</td> <td align="center" colspan="1" rowspan="1">-1</td>
<td>int / tstr</td> <td align="left" colspan="1" rowspan="1">int / tstr</td>
<td>EC identifier - Taken from the "COSE Elliptic Curves" registry <td align="left" colspan="1" rowspan="1">EC identifier -- Taken fr
</td> om the "COSE Elliptic Curves" registry</td>
</tr> </tr>
<tr> <tr>
<td>x</td> <td align="left" colspan="1" rowspan="1">x</td>
<td>1</td> <td align="center" colspan="1" rowspan="1">1</td>
<td>-2</td> <td align="center" colspan="1" rowspan="1">-2</td>
<td>bstr</td> <td align="left" colspan="1" rowspan="1">bstr</td>
<td>Public Key</td> <td align="left" colspan="1" rowspan="1">Public Key</td>
</tr> </tr>
<tr> <tr>
<td>d</td> <td align="left" colspan="1" rowspan="1">d</td>
<td>1</td> <td align="center" colspan="1" rowspan="1">1</td>
<td>-4</td> <td align="center" colspan="1" rowspan="1">-4</td>
<td>bstr</td> <td align="left" colspan="1" rowspan="1">bstr</td>
<td>Private key</td> <td align="left" colspan="1" rowspan="1">Private key</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</section> </section>
<section> <section numbered="true" removeInRFC="false" toc="include" pn="section-7.3
">
<name>Symmetric Keys</name> <name slugifiedName="name-symmetric-keys">Symmetric Keys</name>
<t>Occasionally it is required that a symmetric key be transported betwe <t indent="0" pn="section-7.3-1">Occasionally, it is required that a sym
en entities. This key structure allows for that to happen. </t> metric key be transported between entities. This key structure allows for that
<t>For symmetric keys, the 'kty' member is set to 4 ('Symmetric'). The to happen. </t>
member that is defined for this key type is: <t indent="0" pn="section-7.3-2">For symmetric keys, the "kty" member is
set to 4 ("Symmetric"). The member that is defined for this key type is:
</t> </t>
<dl newline="false" indent="3" spacing="normal" pn="section-7.3-3">
<dl newline="false"> <dt pn="section-7.3-3.1">k:</dt>
<dt>k:</dt> <dd pn="section-7.3-3.2">This contains the value of the key. </dd>
<dd>This contains the value of the key. </dd>
</dl> </dl>
<t>This key structure does not have a form that contains only public mem <t indent="0" pn="section-7.3-4">This key structure does not have a form
bers. As it is expected that this key structure is going to be transmitted, car that contains only public members. As it is expected that this key structure i
e must be taken that it is never transmitted accidentally or insecurely. For sy s going to be transmitted, care must be taken that it is never transmitted accid
mmetric keys, it is <bcp14>REQUIRED</bcp14> that 'k' be present in the structure entally or insecurely. For symmetric keys, it is <bcp14>REQUIRED</bcp14> that "
. </t> k" be present in the structure. </t>
<table anchor="x-table-symmetric-keys" align="center"> <table anchor="x-table-symmetric-keys" align="center" pn="table-21">
<name slugifiedName="name-symmetric-key-parameters">Symmetric Key Para
<name>Symmetric Key Parameters</name> meters</name>
<thead> <thead>
<tr> <tr>
<th>Name</th> <th align="center" colspan="1" rowspan="1">Name</th>
<th>Key Type</th> <th align="center" colspan="1" rowspan="1">Key Type</th>
<th>Label</th> <th align="center" colspan="1" rowspan="1">Label</th>
<th>Type</th> <th align="center" colspan="1" rowspan="1">Type</th>
<th>Description</th> <th align="left" colspan="1" rowspan="1">Description</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td>k</td> <td align="center" colspan="1" rowspan="1">k</td>
<td>4</td> <td align="center" colspan="1" rowspan="1">4</td>
<td>-1</td> <td align="center" colspan="1" rowspan="1">-1</td>
<td>bstr</td> <td align="center" colspan="1" rowspan="1">bstr</td>
<td>Key Value</td> <td align="left" colspan="1" rowspan="1">Key Value</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</section> </section>
</section> </section>
<section anchor="COSE-Capabilities" numbered="true" removeInRFC="false" toc=
"include" pn="section-8">
<name slugifiedName="name-cose-capabilities">COSE Capabilities</name>
<t indent="0" pn="section-8-1">
<section anchor="COSE-Capabilities"> The capabilities of an algorithm or key type need to be
<name>COSE Capabilities</name> specified in some situations.
<t> This has a counterpart
There are some situations that have been identified where identification in the S/MIME specifications, where SMIMECapabilities is
of capabilities of an algorithm or a key type need to be specified. defined in <xref target="RFC8551" section="2.5.2" sectionFormat="of" for
One example of this is in <xref target="I-D.ietf-core-oscore-groupcomm"/ mat="default" derivedLink="https://rfc-editor.org/rfc/rfc8551#section-2.5.2" der
> where the capabilities of the counter signature algorithm are mixed into the t ivedContent="RFC8551"/>. This document defines the same concept
raffic key derivation process. for COSE.
This has a counterpart in the S/MIME specifications where SMIMECapabilit
ies is defined in <xref target="RFC8551" section="2.5a.2"/>.
This document defines the same concept for COSE.
</t> </t>
<t indent="0" pn="section-8-2">
<t> The algorithm identifier is not included in the capabilities data, as
The algorithm identifier is not included in the capabilities data as it it should be encoded elsewhere in the message. The key type identifier
should be encoded elsewhere in the message. is included in the capabilities data, as it is not expected to be
The key type identifier is included in the capabilities data as it is no encoded elsewhere.
t expected to be encoded elsewhere.
</t> </t>
<t indent="0" pn="section-8-3">
<t>
Two different types of capabilities are defined: capabilities for algori thms and capabilities for key type. Two different types of capabilities are defined: capabilities for algori thms and capabilities for key type.
Once defined by registration with IANA, the list of capabilities for an algorithm or key type is immutable. Once defined by registration with IANA, the list of capabilities for an algorithm or key type is immutable.
If it is later found that a new capability is needed for a key type or a n algorithm, it will require that a new code point be assigned to deal with that . If it is later found that a new capability is needed for a key type or a lgorithm, it will require that a new code point be assigned to deal with that.
As a general rule, the capabilities are going to map to algorithm-specif ic header parameters or key parameters, but they do not need to do so. As a general rule, the capabilities are going to map to algorithm-specif ic header parameters or key parameters, but they do not need to do so.
An example of this is the HSS-LMS key capabilities defined below where t he hash algorithm used is included. An example of this is the HSS-LMS key type capabilities defined below, w here the hash algorithm used is included.
</t> </t>
<t indent="0" pn="section-8-4">
<t> The capability structure is an array of values; the values included in t
The capability structure is an array of values, the values included in t he structure are dependent on a specific algorithm or key type.
he structure are dependent on a specific algorithm or key type. For algorithm capabilities, the first element should always be a
For algorithm capabilities, the first element should always be a key typ key type value if applicable, but the items that are specific to a key
e value if applicable, but the items that are specific to a key (for example a c (for example, a curve) should not be included in the algorithm
urve) should not be included in the algorithm capabilities. capabilities.
This means that if one wishes to enumerate all of the capabilities for a This means that if one wishes to enumerate all of the capabilities for
device which implements ECDH, it requires that all of the combinations of algor a device that implements ECDH, it requires that all of the
ithms and key pairs to be specified. combinations of algorithms and key pairs be specified.
The last example of <xref target="cap-examples"/> provides a case where The last example of <xref target="cap-examples" format="default" section
this is done by allowing for a cross product to be specified between an array of Format="of" derivedContent="Section 8.3"/> provides a case
algorithm capabilities and key type capabilities (see ECDH-ES+A25KW element). where this is done by allowing for a cross product to be specified
between an array of algorithm capabilities and key type capabilities
(see the ECDH-ES+A25KW element).
For a key, the first element should be the key type value. For a key, the first element should be the key type value.
While this means that the key type value will be duplicated if both an a lgorithm and key capability are used, the key type is needed in order to underst and the rest of the values. While this means that the key type value will be duplicated if both an a lgorithm and key capability are used, the key type is needed in order to underst and the rest of the values.
</t> </t>
<section numbered="true" removeInRFC="false" toc="include" pn="section-8.1
<section> ">
<name>Assignments for Existing Algorithms</name> <name slugifiedName="name-assignments-for-existing-al">Assignments for E
<t> xisting Algorithms</name>
For the current set of algorithms in the registry, those in this docum <t indent="0" pn="section-8.1-1">
ent as well as those in <xref target="RFC8230"/> and <xref target="I-D.ietf-cose For the current set of algorithms in the registry other than IV-GENERA
-hash-sig"/>, the capabilities list is an array with one element, the key type ( TION (those in this document as well as those in <xref target="RFC8230" format="
from the "COSE Key Types" Registry). default" sectionFormat="of" derivedContent="RFC8230"/>, <xref target="RFC8778" f
It is expected that future registered algorithms could have zero, one, ormat="default" sectionFormat="of" derivedContent="RFC8778"/>, and <xref target=
or multiple elements. "RFC9021" format="default" sectionFormat="of" derivedContent="RFC9021"/>), the c
apabilities list is an array with one element, the key type (from the "COSE Key
Types" Registry). It is expected that future registered algorithms could have z
ero, one, or multiple elements.
</t> </t>
</section> </section>
<section numbered="true" removeInRFC="false" toc="include" pn="section-8.2
<section> ">
<name>Assignments for Existing Key Types</name> <name slugifiedName="name-assignments-for-existing-ke">Assignments for E
<t> xisting Key Types</name>
There are a number of pre-existing key types, the following deals with <t indent="0" pn="section-8.2-1">
creating the capability definition for those structures: There are a number of pre-existing key types; the following deals with
</t> creating the capability definition for those structures:
<ul> </t>
<li> <ul bare="false" empty="false" indent="3" spacing="normal" pn="section-8
<t>OKP, EC2: The list of capabilities is:</t> .2-2">
<ul> <li pn="section-8.2-2.1">
<li>The key type value. (1 for OKP or 2 for EC2.)</li> <t indent="0" pn="section-8.2-2.1.1">OKP, EC2: The list of capabilit
<li>One curve for that key type from the "COSE Elliptic Curve" reg ies is:</t>
istry.</li> <ul bare="false" empty="false" indent="3" spacing="normal" pn="secti
on-8.2-2.1.2">
<li pn="section-8.2-2.1.2.1">The key type value. (1 for OKP or 2
for EC2.)</li>
<li pn="section-8.2-2.1.2.2">One curve for that key type from the
"COSE Elliptic Curves" registry.</li>
</ul> </ul>
</li> </li>
<li> <li pn="section-8.2-2.2">
<t>RSA: The list of capabilities is:</t> <t indent="0" pn="section-8.2-2.2.1">RSA: The list of capabilities i
<ul> s:</t>
<li>The key type value (3).</li> <ul bare="false" empty="false" indent="3" spacing="normal" pn="secti
on-8.2-2.2.2">
<li pn="section-8.2-2.2.2.1">The key type value (3).</li>
</ul> </ul>
</li> </li>
<li> <li pn="section-8.2-2.3">
<t>Symmetric: The list of capabilities is:</t> <t indent="0" pn="section-8.2-2.3.1">Symmetric: The list of capabili
<ul> ties is:</t>
<li>The key type value (4).</li> <ul bare="false" empty="false" indent="3" spacing="normal" pn="secti
on-8.2-2.3.2">
<li pn="section-8.2-2.3.2.1">The key type value (4).</li>
</ul> </ul>
</li> </li>
<li> <li pn="section-8.2-2.4">
<t>HSS-LMS: The list of capabilities is:</t> <t indent="0" pn="section-8.2-2.4.1">HSS-LMS: The list of capabiliti
<ul> es is:</t>
<li>The key type value (5),</li> <ul bare="false" empty="false" indent="3" spacing="normal" pn="secti
<li>Algorithm identifier for the underlying hash function from the on-8.2-2.4.2">
"COSE Algorithms" registry.</li> <li pn="section-8.2-2.4.2.1">The key type value (5).</li>
<li pn="section-8.2-2.4.2.2">Algorithm identifier for the underlyi
ng hash function from the "COSE
Algorithms" registry.</li>
</ul>
</li>
<li pn="section-8.2-2.5">
<t indent="0" pn="section-8.2-2.5.1">WalnutDSA: The list of capabili
ties is:</t>
<ul bare="false" empty="false" indent="3" spacing="normal" pn="secti
on-8.2-2.5.2">
<li pn="section-8.2-2.5.2.1">The key type value (6).</li>
<li pn="section-8.2-2.5.2.2">The N value (group and matrix size) f
or the key, a uint.</li>
<li pn="section-8.2-2.5.2.3">The q value (finite field order) for
the key, a uint.</li>
</ul> </ul>
</li> </li>
</ul> </ul>
</section> </section>
<section anchor="cap-examples" numbered="true" removeInRFC="false" toc="in
<section anchor="cap-examples"> clude" pn="section-8.3">
<name>Examples</name> <name slugifiedName="name-examples-2">Examples</name>
<t> <t indent="0" pn="section-8.3-1">
Capabilities can be use in a key derivation process to make sure that Capabilities can be used in a key derivation process to make sure
both sides are using the same parameters. that both sides are using the same parameters.
This is the approach that is being used by the group communication KDF The three examples below show different ways that one might utilize pa
in <xref target="I-D.ietf-core-oscore-groupcomm"/>. rameters in specifying an application protocol:
The three examples below show different ways that one might include th
ings:
</t> </t>
<ul> <ul bare="false" empty="false" indent="3" spacing="normal" pn="section-8
<li> .3-2">
Just an algorithm capability: This is useful if the protocol wants to <li pn="section-8.3-2.1">
require a specific algorithm such as ECDSA, but it is agnostic about which curve Only an algorithm capability: This is useful if the protocol wants to
is being used. require a specific algorithm, such as ES256, but it is agnostic about which curv
This does require that the algorithm identifier be specified in the pr e is being used.
otocol. See the first example. This requires that the algorithm identifier be specified in the protoc
ol. See the first example.
</li> </li>
<li> <li pn="section-8.3-2.2">
Just a key type capability: This is useful if the protccol wants to Only a key type capability: This is useful if the protocol wants
require a specific a specific key type and curve, such as P-256, but will accept to require a specific key type and curve, such as
any algorithm using that curve (e.g. both ECDSA and ECDH). P-256, but will accept any algorithm using that curve (e.g., both
ECDSA and ECDH).
See the second example. See the second example.
</li> </li>
<li> <li pn="section-8.3-2.3">
Both an algorithm and a key type capability: This is used if the pr Both algorithm and key type capabilities: This is used if the
otocol needs to nail down all of the options surrounding an algorithm E.g. EdDS protocol needs to nail down all of the options surrounding an
A with the curve X25519. algorithm -- e.g., EdDSA with the curve Ed25519.
As with the first example, the algorithm identifier needs to be spec As with the first example, the algorithm identifier needs to be spec
ified in the protocol. See the third example which just concatenates the two cap ified in the protocol. See the third example, which just concatenates the two ca
abilities together. pabilities together.
</li> </li>
</ul> </ul>
<sourcecode type="cbor-pretty" markers="false" pn="section-8.3-3">
<artwork> Algorithm ES256
Algorithm ECDSA
0x8102 / [2 \ EC2 \ ] / 0x8102 / [2 \ EC2 \ ] /
Key type EC2 with P-256 curve: Key type EC2 with P-256 curve:
0x820201 / [2 \ EC2 \, 1 \ P-256 \] / 0x820201 / [2 \ EC2 \, 1 \ P-256 \] /
ECDH-ES + A256KW with an X25519 curve: ECDH-ES + A256KW with an X25519 curve:
0x8101820104 / [1 \ OKP \],[1 \ OKP \, 4 \ X25519 \] / 0x8101820104 / [1 \ OKP \],[1 \ OKP \, 4 \ X25519 \] /
</artwork> </sourcecode>
<t indent="0" pn="section-8.3-4">
<t> The capabilities can also be used by an entity to advertise what it is
The capabilities can also be used by and entity to advertise what it i capable of doing.
s capabable of doing. The decoded example below is one of many encodings that could be used
The decoded example below is one of many encoding that could be used f for that purpose.
or that purpose.
Each array element includes three fields: the algorithm identifier, on e or more algorithm capabilities, and one or more key type capabilities. Each array element includes three fields: the algorithm identifier, on e or more algorithm capabilities, and one or more key type capabilities.
</t> </t>
<sourcecode type="cbor-diag" markers="false" pn="section-8.3-5">
<artwork>
[ [
[-8 / EdDSA /, [-8 / EdDSA /,
[1 / OKP key type /], [1 / OKP key type /],
[ [
[1 / OKP /, 6 / Ed25519 / ], [1 / OKP /, 6 / Ed25519 / ],
[1 /OKP/, 7 /Ed448 /] [1 /OKP/, 7 /Ed448 /]
] ]
], ],
[-7 / ECDSA with SHA-256/, [-7 / ECDSA with SHA-256/,
[2 /EC2 key type/], [2 /EC2 key type/],
skipping to change at line 1844 skipping to change at line 2314
[ [
[2 /EC2/, 1 /P-256/], [2 /EC2/, 1 /P-256/],
[1 /OKP/, 4 / X25519/ ] [1 /OKP/, 4 / X25519/ ]
] ]
], ],
[ 1 / A128GCM /, [ 1 / A128GCM /,
[ 4 / Symmetric / ], [ 4 / Symmetric / ],
[ 4 / Symmetric /] [ 4 / Symmetric /]
] ]
] ]
</artwork> </sourcecode>
<t> <t indent="0" pn="section-8.3-6">
Examining the above: Examining the above:
</t> </t>
<ul> <ul bare="false" empty="false" indent="3" spacing="normal" pn="section-8
<li>The first element indicates that the entity supports EdDSA with cu .3-7">
rves Ed25519 and Ed448.</li> <li pn="section-8.3-7.1">The first element indicates that the entity s
<li>The second element indicates that the entity supports ECDSA with c upports EdDSA with curves Ed25519 and Ed448.</li>
urves P-256 and P-521.</li> <li pn="section-8.3-7.2">The second element indicates that the entity
<li> supports ECDSA with SHA-256 with curves P-256 and P-521.</li>
The third element indicates that the entity support ephemeral-static <li pn="section-8.3-7.3">
ECDH using AES256 key wrap. The third element indicates that the entity supports Ephemeral-Stati
c ECDH using AES256 key wrap.
The entity can support the P-256 curve with an EC2 key type and the X25519 curve with an OKP key type. The entity can support the P-256 curve with an EC2 key type and the X25519 curve with an OKP key type.
</li> </li>
<li>The last element indicates that the entity supports AES-GCM of 128 bits for content encryption.</li> <li pn="section-8.3-7.4">The last element indicates that the entity su pports AES-GCM of 128 bits for content encryption.</li>
</ul> </ul>
<t> <t indent="0" pn="section-8.3-8">
The entity does not advertise that it supports any MAC algorithms. The entity does not advertise that it supports any MAC algorithms.
</t> </t>
</section> </section>
</section> </section>
<section anchor="CBOR-Canonical" numbered="true" removeInRFC="false" toc="in
<section anchor="CBOR-Canonical"> clude" pn="section-9">
<name slugifiedName="name-cbor-encoding-restrictions">CBOR Encoding Restri
<name>CBOR Encoding Restrictions</name> ctions</name>
<t>This document limits the restrictions it imposes on how the CBOR Encode <t indent="0" pn="section-9-1">This document limits the restrictions it im
r needs to work. poses on how the CBOR
It has been narrowed down to the following restrictions: </t> Encoder needs to work. The new encoding restrictions are aligned with
the Core Deterministic Encoding Requirements specified in <xref sectionFormat=
<ul> "of" section="4.2.1" target="STD94" format="default" derivedLink="https://rfc-ed
itor.org/rfc/rfc8949#section-4.2.1" derivedContent="STD94">RFC 8949</xref>.
<li> It has been narrowed down to the following restrictions:</t>
<ul bare="false" empty="false" indent="3" spacing="normal" pn="section-9-2
">
<li pn="section-9-2.1">
The restriction applies to the encoding of the COSE_KDF_Context. The restriction applies to the encoding of the COSE_KDF_Context.
</li> </li>
<li pn="section-9-2.2">
<li> Encoding <bcp14>MUST</bcp14> be done using definite lengths,
Encoding <bcp14>MUST</bcp14> be done using definite lengths and the le and the length of the (encoded) argument <bcp14>MUST</bcp14>
ngth of the <bcp14>MUST</bcp14> be the minimum possible length. be the minimum possible length. This means that the integer
This means that the integer 1 is encoded as "0x01" and not "0x1801". 1 is encoded as "0x01" and not "0x1801".
</li> </li>
<li pn="section-9-2.3">
<li>
Applications <bcp14>MUST NOT</bcp14> generate messages with the same l abel used twice as a key in a single map. Applications <bcp14>MUST NOT</bcp14> generate messages with the same l abel used twice as a key in a single map.
Applications <bcp14>MUST NOT</bcp14> parse and process messages with t Applications <bcp14>MUST NOT</bcp14> parse and process messages with
he same label used twice as a key in a single map. the same label used twice as a key in a single map.
Applications can enforce the parse and process requirement by using pa Applications can enforce the parse-and-process
rsers that will fail the parse step or by using parsers that will pass all keys requirement by using parsers that will fail the parse step or by
to the application, and the application can perform the check for duplicate keys using parsers that will pass all keys to the application, and the
. application can perform the check for duplicate keys.
</li> </li>
</ul> </ul>
</section> </section>
<section anchor="iana-considerations" numbered="true" removeInRFC="false" to
<section anchor="iana-considerations"> c="include" pn="section-10">
<name slugifiedName="name-iana-considerations">IANA Considerations</name>
<name>IANA Considerations</name> <t indent="0" pn="section-10-1">IANA has updated all COSE registries excep
<section> t for "COSE
<name>Changes to "COSE Key Types" registry.</name> Header Parameters" and "COSE Key Common Parameters" to point to this docum
<t> ent instead of <xref target="RFC8152" format="default" sectionFormat="of" derive
IANA is requested to create a new column in the "COSE Key Types" registr dContent="RFC8152"/>.</t>
y. <section numbered="true" removeInRFC="false" toc="include" pn="section-10.
The new column is to be labeled "Capabilities". 1">
The new column is to be populated according the entries in <xref target= <name slugifiedName="name-changes-to-the-cose-key-typ">Changes to the "C
"initial-kty-caps"/>. OSE Key Types" Registry</name>
</t> <t indent="0" pn="section-10.1-1">
IANA has added a new column in the "COSE Key Types" registry.
<table anchor="initial-kty-caps"> The new column is labeled "Capabilities" and has been populated accordin
<name>Key Type Capabilities</name> g to the entries in <xref target="initial-kty-caps" format="default" sectionForm
at="of" derivedContent="Table 22"/>.
</t>
<table anchor="initial-kty-caps" align="center" pn="table-22">
<name slugifiedName="name-key-type-capabilities">Key Type Capabilities
</name>
<thead> <thead>
<tr> <tr>
<th>Value</th> <th align="left" colspan="1" rowspan="1">Value</th>
<th>Name</th> <th align="left" colspan="1" rowspan="1">Name</th>
<th>Capabilities</th> <th align="left" colspan="1" rowspan="1">Capabilities</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td>1</td> <td align="left" colspan="1" rowspan="1">1</td>
<td>OKP</td> <td align="left" colspan="1" rowspan="1">OKP</td>
<td>[kty(1), crv]</td> <td align="left" colspan="1" rowspan="1">[kty(1), crv]</td>
</tr> </tr>
<tr> <tr>
<td>2</td> <td align="left" colspan="1" rowspan="1">2</td>
<td>EC2</td> <td align="left" colspan="1" rowspan="1">EC2</td>
<td>[kty(2), crv]</td> <td align="left" colspan="1" rowspan="1">[kty(2), crv]</td>
</tr> </tr>
<tr> <tr>
<td>3</td> <td align="left" colspan="1" rowspan="1">3</td>
<td>RSA</td> <td align="left" colspan="1" rowspan="1">RSA</td>
<td>[kty(3)]</td> <td align="left" colspan="1" rowspan="1">[kty(3)]</td>
</tr> </tr>
<tr> <tr>
<td>4</td> <td align="left" colspan="1" rowspan="1">4</td>
<td>Symmetric</td> <td align="left" colspan="1" rowspan="1">Symmetric</td>
<td>[kty(4)]</td> <td align="left" colspan="1" rowspan="1">[kty(4)]</td>
</tr> </tr>
<tr> <tr>
<td>5</td> <td align="left" colspan="1" rowspan="1">5</td>
<td>HSS-LMS</td> <td align="left" colspan="1" rowspan="1">HSS-LMS</td>
<td>[kty(5), hash algorithm]</td> <td align="left" colspan="1" rowspan="1">[kty(5), hash algorithm]<
/td>
</tr>
<tr>
<td align="left" colspan="1" rowspan="1">6</td>
<td align="left" colspan="1" rowspan="1">WalnutDSA</td>
<td align="left" colspan="1" rowspan="1">[kty(6), N value, q value
]</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<t>
IANA is requested to update the pointer for expert review to [[this do
cument]].
</t>
</section> </section>
<section numbered="true" removeInRFC="false" toc="include" pn="section-10.
<section> 2">
<name>Changes to "COSE Algorithms" registry</name> <name slugifiedName="name-changes-to-the-cose-algorit">Changes to the "C
<t> OSE Algorithms" Registry</name>
IANA is requested to create a new column in the "COSE Algorithms" regi <t indent="0" pn="section-10.2-1">
stry. IANA has added a new column in the "COSE Algorithms" registry.
The new column is to be labeled "Capabilities". The new column is labeled "Capabilities" and has been populated with "
The new column is populated with "[kty]" for all current, non-provisio [kty]" for all current,
nal, registrations. nonprovisional registrations.
It is expected that the documents which define those algorithms will b
e expanded to include this registration.
If this is not done then the Designated Expert should be consulted bef
ore final registration for this document is done.
</t>
<t>
IANA is requested to update all references from RFC 8152 to [[This Doc
ument]].
</t>
<t>
IANA is requested to update the pointer for expert rview to [[this doc
ument]].
</t> </t>
<t> <t indent="0" pn="section-10.2-2">
IANA is requested to update the reference column in the "COSE Algorith IANA has updated the Reference column in the "COSE Algorithms" registr
ms" registry to include [[This Document]] as a reference for all rows where it i y to include this document as a reference for all rows where it was not already
s not already present. present.
</t> </t>
<t indent="0" pn="section-10.2-3">
<t> IANA has added a new row to the "COSE Algorithms" registry.
IANA is requested to add a new row to the "COSE Algorithms" registry.
</t> </t>
<table align="center" pn="table-23">
<table> <name slugifiedName="name-new-entry-in-the-cose-algor">New entry in th
e COSE Algorithms registry</name>
<thead> <thead>
<tr> <tr>
<th>Name</th> <th align="left" colspan="1" rowspan="1">Name</th>
<th>Value</th> <th align="left" colspan="1" rowspan="1">Value</th>
<th>Description</th> <th align="left" colspan="1" rowspan="1">Description</th>
<th>Reference</th> <th align="left" colspan="1" rowspan="1">Reference</th>
<th>Recommended</th> <th align="left" colspan="1" rowspan="1">Recommended</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td>IV Generation</td> <td align="left" colspan="1" rowspan="1">IV-GENERATION</td>
<td>IV-GENERATION</td> <td align="left" colspan="1" rowspan="1">34</td>
<td>For doing IV generation for symmetric algorithms.</td> <td align="left" colspan="1" rowspan="1">For doing IV generation f
<td>[[THIS DOCUMENT]]</td> or symmetric algorithms.</td>
<td>No</td> <td align="left" colspan="1" rowspan="1">RFC 9053</td>
<td align="left" colspan="1" rowspan="1">No</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<t indent="0" pn="section-10.2-5">
<t> The Capabilities column for this registration is to be empty.
The capabilities column for this registration is to be empty.
</t> </t>
</section> </section>
<section numbered="true" removeInRFC="false" toc="include" pn="section-10.
<section> 3">
<name>Changes to the "COSE Key Type Parameters" registry</name> <name slugifiedName="name-changes-to-the-cose-key-type">Changes to the "
<t> COSE Key Type Parameters" Registry</name>
IANA is requested to modify the description to "Public Key" for the li <t indent="0" pn="section-10.3-1">
ne with "Key Type" of 2 and the "Name" of "x". IANA has modified the description to "Public Key" for the
See <xref target="x-table-ec1-keys"/> which has been modified with thi line with "Key Type" of 1 and the "Name" of "x".
s change. See <xref target="x-table-ec1-keys" format="default" sectionFormat="of
</t> " derivedContent="Table 20"/>, which has been modified with
<t> this change.
IANA is requested to update the references in the table from RFC8152 t
o [[This Document]].
</t>
<t>
IANA is requested to update the pointer for expert rview to [[this doc
ument]].
</t> </t>
</section> </section>
<section anchor="review" numbered="true" removeInRFC="false" toc="include"
<section anchor="IANA-Alg-Registry"> pn="section-10.4">
<name>COSE Header Algorithm Parameters Registry</name> <name slugifiedName="name-expert-review-instructions">Expert Review Inst
<t> ructions</name>
IANA created a registry titled "COSE Header Algorithm Parameters" as <t indent="0" pn="section-10.4-1">
part of processing <xref target="RFC8152"/>. All of the IANA registries established by <xref target="RFC8152" forma
The registry has been created to use the "Expert Review Required" regi t="default" sectionFormat="of" derivedContent="RFC8152"/> are, at least in part,
stration procedure <xref target="RFC8126"/>. defined as Expert Review <xref target="RFC8126" format="default" sectionFormat=
</t> "of" derivedContent="RFC8126"/>. This section gives some general guidelines for
<t> what the experts should be looking for, but they are being designated as expert
IANA is requested to update the references from <xref target="RFC8152" s for a reason, so they should be given substantial latitude.
/> to this document.
</t> </t>
<t> <t indent="0" pn="section-10.4-2">Expert reviewers should take the follo
IANA is requested to update the pointer for expert rview to [[this doc wing into consideration:
ument]].
</t> </t>
<ul bare="false" empty="false" indent="3" spacing="normal" pn="section-1
0.4-3">
<li pn="section-10.4-3.1">Point squatting should be discouraged. Revi
ewers are encouraged to get sufficient information for registration requests to
ensure that the usage is not going to duplicate an existing registration and tha
t the code point is likely to be used in deployments. The ranges tagged as priv
ate use are intended for testing purposes and closed environments; code points i
n other ranges should not be assigned for testing. </li>
<li pn="section-10.4-3.2">Standards Track or BCP RFCs are required to
register a code point in the Standards Action range.
Specifications should exist for Specification Required ranges,
but early assignment before an RFC is available is considered to be
permissible. Specifications are needed for the first-come, first-served range
if the points are expected to be used outside of closed environments in an
interoperable way. When specifications are not provided, the description
provided needs to have sufficient information to identify what the point is
being used for. </li>
<li pn="section-10.4-3.3">Experts should take into account the expecte
d usage of fields when
approving code point assignment.
The fact that the Standards Action range is only available to Standards Track do
cuments does not mean that a Standards Track document cannot have points assigne
d outside of that range. The length of the encoded value should
be weighed against how many code points of that length are left and the size of
device it will be used on.</li>
<li pn="section-10.4-3.4">When algorithms are registered, vanity regis
trations should be discouraged. One way to do this is to require registrations
to provide additional documentation on security analysis of the algorithm. Anot
her thing that should be considered is requesting an opinion on the algorithm fr
om the Crypto Forum Research Group (CFRG). Algorithms are expected to meet the s
ecurity requirements of the
community and the requirements of the message structures in order to be
suitable for registration.
</li>
</ul>
</section> </section>
<section title="Expert Review Instructions" anchor="review" >
<t>
All of the IANA registries established by <xref target="RFC8152"/> are
, at least in part, defined as expert review. This section gives some general g
uidelines for what the experts should be looking for, but they are being designa
ted as experts for a reason, so they should be given substantial latitude.
</t>
<t>Expert reviewers should take into consideration the following points:
</t>
<ul>
<li>Point squatting should be discouraged. Reviewers are encouraged to get suff
icient information for registration requests to ensure that the usage is not goi
ng to duplicate one that is already registered, and that the point is likely to
be used in deployments. The zones tagged as private use are intended for testin
g purposes and closed environments; code points in other ranges should not be as
signed for testing. </li>
<li>Specifications are required for the standards track range of point assignmen
t. Specifications should exist for specification required ranges, but early ass
ignment before a specification is available is considered to be permissible. Sp
ecifications are needed for the first-come, first-serve range if they are expect
ed to be used outside of closed environments in an interoperable way. When spec
ifications are not provided, the description provided needs to have sufficient i
nformation to identify what the point is being used for. </li>
<li>Experts should take into account the expected usage of fields when approving
point assignment. The fact that there is a range for standards track documents
does not mean that a standards track document cannot have points assigned outsi
de of that range. The length of the encoded value should be weighed against how
many code points of that length are left, the size of device it will be used on
, and the number of code points left that encode to that size. </li>
<li>When algorithms are registered, vanity registrations should be discouraged.
One way to do this is to require registrations to provide additional documentat
ion on security analysis of the algorithm. Another thing that should be conside
red is requesting an opinion on the algorithm from the Crypto Forum Research Gro
up (CFRG). Algorithms that do not meet the security requirements of the communi
ty and the messages structures should not be registered. </li>
</ul>
</section>
</section> </section>
<section anchor="security-considerations" numbered="true" removeInRFC="false
<section anchor="security-considerations"> " toc="include" pn="section-11">
<name slugifiedName="name-security-considerations">Security Considerations
<name>Security Considerations</name> </name>
<t>There are a number of security considerations that need to be taken int <t indent="0" pn="section-11-1">There are a number of security considerati
o account by implementers of this specification. The security considerations th ons that need to be taken into account by implementers of this specification. T
at are specific to an individual algorithm are placed next to the description of he security considerations that are specific to an individual algorithm are plac
the algorithm. While some considerations have been highlighted here, additiona ed next to the description of the algorithm. While some considerations have bee
l considerations may be found in the documents listed in the references. </t> n highlighted here, additional considerations may be found in the documents list
<t>Implementations need to protect the private key material for any indivi ed in the references. </t>
duals. There are some cases in this document that need to be highlighted on thi <t indent="0" pn="section-11-2">Implementations need to protect the privat
s issue. e key material for all
individuals. Some cases in this document need to be highlighted with
regard to this issue.
</t> </t>
<ul bare="false" empty="false" indent="3" spacing="normal" pn="section-11-
<ul> 3">
<li pn="section-11-3.1">Use of the same key for two different algorithms
<li>Using the same key for two different algorithms can leak information can leak information about the key. It is therefore recommended that keys be r
about the key. It is therefore recommended that keys be restricted to a single estricted to a single algorithm. </li>
algorithm. </li> <li pn="section-11-3.2">Use of "direct" as a recipient algorithm combine
d with a second recipient algorithm exposes the direct key to the second recipie
<li>Use of 'direct' as a recipient algorithm combined with a second reci nt; <xref section="8.5" target="RFC9052" sectionFormat="of" format="default" der
pient algorithm exposes the direct key to the second recipient. </li> ivedLink="https://rfc-editor.org/rfc/rfc9052#section-8.5" derivedContent="RFC905
2"/> forbids combining "direct" recipient algorithms with other modes. </li>
<li>Several of the algorithms in this document have limits on the number <li pn="section-11-3.3">Several of the algorithms in this document have
of times that a key can be used without leaking information about the key. </l limits on the number of times that a key can be used without leaking information
i> about the key. </li>
</ul> </ul>
<t>The use of ECDH and direct plus KDF (with no key wrap) will not directl <t indent="0" pn="section-11-4">The use of ECDH and direct plus KDF (with
y lead to the private key being leaked; the one way function of the KDF will pre no key wrap) will not
vent that. There is, however, a different issue that needs to be addressed. Ha directly lead to the private key being leaked; the one-way function of
ving two recipients requires that the CEK be shared between two recipients. The the KDF will prevent that. There is, however, a different issue that
second recipient therefore has a CEK that was derived from material that can be needs to be addressed. Having two recipients requires that the CEK be
used for the weak proof of origin. The second recipient could create a message shared between two recipients. The second recipient therefore has a CEK
using the same CEK and send it to the first recipient; the first recipient woul that was derived from material that can be used for the weak proof of
d, for either static-static ECDH or direct plus KDF, make an assumption that the origin. The second recipient could create a message using the same CEK
CEK could be used for proof of origin even though it is from the wrong entity. and send it to the first recipient; the first recipient would, for
If the key wrap step is added, then no proof of origin is implied and this is n either Static-Static ECDH or direct plus KDF, make an assumption that
ot an issue. </t> the CEK could be used for proof of origin, even though it is from the
<t>Although it has been mentioned before, the use of a single key for mult wrong entity. If the key wrap step is added, then no proof of origin is
iple algorithms has been demonstrated in some cases to leak information about a implied and this is not an issue. </t>
key, provide the opportunity for attackers to forge integrity tags, or gain info <t indent="0" pn="section-11-5">Although it has been mentioned before, it
rmation about encrypted content. Binding a key to a single algorithm prevents t bears repeating that the use of a single key for
hese problems. Key creators and key consumers are strongly encouraged not only multiple algorithms has been demonstrated in some cases to leak
to create new keys for each different algorithm, but to include that selection o information about a key, providing the opportunity for attackers to forge
f algorithm in any distribution of key material and strictly enforce the matchin integrity tags or gain information about encrypted content. Binding a
g of algorithms in the key structure to algorithms in the message structure. In key to a single algorithm prevents these problems. Key creators and key
addition to checking that algorithms are correct, the key form needs to be chec consumers are strongly encouraged to not only create new keys for each
ked as well. Do not use an 'EC2' key where an 'OKP' key is expected. </t> different algorithm, but to include that selection of algorithm in any
<t>Before using a key for transmission, or before acting on information re distribution of key material and strictly enforce the matching of
ceived, a trust decision on a key needs to be made. Is the data or action somet algorithms in the key structure to algorithms in the message structure.
hing that the entity associated with the key has a right to see or a right to re In addition to checking that algorithms are correct, the key form needs
quest? A number of factors are associated with this trust decision. Some of the to be checked as well. Do not use an "EC2" key where an "OKP" key is
ones that are highlighted here are: expected. </t>
<t indent="0" pn="section-11-6">Before using a key for transmission, or be
fore acting on information
received, a trust decision on a key needs to be made. Is the data or
action something that the entity associated with the key has a right to
see or a right to request? A number of factors are associated with this
trust decision. Some highlighted here are:
</t> </t>
<ul bare="false" empty="false" indent="3" spacing="normal" pn="section-11-
<ul> 7">
<li pn="section-11-7.1">What are the permissions associated with the key
<li>What are the permissions associated with the key owner?</li> owner?</li>
<li pn="section-11-7.2">Is the cryptographic algorithm acceptable in the
<li>Is the cryptographic algorithm acceptable in the current context?</l current context?</li>
i> <li pn="section-11-7.3">Have the restrictions associated with the key, s
uch as algorithm
<li>Have the restrictions associated with the key, such as algorithm or or freshness, been checked, and are they correct?</li>
freshness, been checked and are they correct?</li> <li pn="section-11-7.4">Is the request something that is reasonable, giv
en the current state of the application?</li>
<li>Is the request something that is reasonable, given the current state <li pn="section-11-7.5">Have any security considerations that are part o
of the application?</li> f the message been enforced (as specified by the application or "crit" header pa
rameter)?</li>
<li>Have any security considerations that are part of the message been e
nforced (as specified by the application or 'crit' parameter)?</li>
</ul> </ul>
<t>There are a large number of algorithms presented in this document that <t indent="0" pn="section-11-8">There are a large number of algorithms pre
use nonce values. For all of the nonces defined in this document, there is some sented in this
type of restriction on the nonce being a unique value either for a key or for s document that use nonce values. For all of the nonces defined
ome other conditions. In all of these cases, there is no known requirement on t in this document, there is some type of restriction on the nonce
he nonce being both unique and unpredictable; under these circumstances, it's re being a unique value for either a key or some other
asonable to use a counter for creation of the nonce. In cases where one wants t conditions. In all of these cases, there is no known
he pattern of the nonce to be unpredictable as well as unique, one can use a key requirement on the nonce being both unique and unpredictable;
created for that purpose and encrypt the counter to produce the nonce value. < under these circumstances, it's reasonable to use a counter for
/t> creation of the nonce. In cases where one wants the pattern of
<t>One area that has been getting exposure is traffic analysis of encrypte the nonce to be unpredictable as well as unique, one can use a
d messages based on the length of the message. This specification does not prov key created for that purpose and encrypt the counter to produce
ide for a uniform method of providing padding as part of the message structure. the nonce value. </t>
An observer can distinguish between two different messages (for example, 'YES' <t indent="0" pn="section-11-9">One area that has been getting
and 'NO') based on the length for all of the content encryption algorithms that exposure is traffic analysis of encrypted messages based on the
are defined in this document. This means that it is up to the applications to d length of the message. This specification does not provide
ocument how content padding is to be done in order to prevent or discourage such a uniform method for providing padding as part of the message
analysis. (For example, the text strings could be defined as 'YES' and 'NO '.) structure. An observer can distinguish between two different
</t> messages (for example, "YES" and "NO") based on the length for
<t> all of the content encryption algorithms that are defined in
The analsys done in <xref target="I-D.ietf-quic-tls"/> is based on the n this document. This means that it is up to the applications to
umber of records/packets that are sent. document how content padding is to be done in order to prevent
This should map well to the number of messages sent when use COSE so tha or discourage such analysis. (For example, the text strings
t analysis should hold here as well. could be defined as "YES" and "NO ".) </t>
It needs to be noted that the limits are based on the number of messages <t indent="0" pn="section-11-10"> The analysis done
, but QUIC and DTLS are always pair-wise based endpoints, <xref target="I-D.ietf in <xref target="RFC9147" format="default" sectionFormat="of" derivedConte
-core-oscore-groupcomm"/> use COSE in a group communication. nt="RFC9147"/> is based on the number of records that
Under these circumstances it may be that no one single entity will see a are sent. This should map well to the number of messages sent
ll of the messages that are encrypted an therefore no single entity can trigger when using COSE, so that analysis should hold here as well, under
the rekey operation. the assumption that the COSE messages are roughly the same size
as DTLS records.
It needs to be noted that the limits are based on the number of messages,
but QUIC and DTLS are always pairwise-based endpoints. In contrast, <xref targ
et="I-D.ietf-core-oscore-groupcomm" format="default" sectionFormat="of" derivedC
ontent="OSCORE-GROUPCOMM"/> uses COSE in a group communication scenario. Under
these circumstances, it may be that no one
single entity will see all of the messages that are encrypted, and
therefore no single entity can trigger the rekey operation.
</t> </t>
</section> </section>
</middle> </middle>
<back> <back>
<references> <displayreference target="I-D.ietf-core-oscore-groupcomm" to="OSCORE-GROUPCO
<name>References</name> MM"/>
<references> <displayreference target="I-D.mattsson-cfrg-det-sigs-with-noise" to="CFRG-DE
T-SIGS"/>
<name>Normative References</name> <displayreference target="I-D.ietf-cose-countersign" to="COUNTERSIGN"/>
<xi:include href="reference.I-D.ietf-cose-rfc8152bis-struct.xml"/> <references pn="section-12">
<xi:include href="reference.RFC.2104.xml"/> <name slugifiedName="name-references">References</name>
<xi:include href="reference.RFC.2119.xml"/> <references pn="section-12.1">
<xi:include href="reference.RFC.3394.xml"/> <name slugifiedName="name-normative-references">Normative References</na
<xi:include href="reference.RFC.3610.xml"/> me>
<xi:include href="reference.RFC.5869.xml"/> <reference anchor="AES-GCM" target="https://csrc.nist.gov/publications/n
<xi:include href="reference.RFC.6090.xml"/> istpubs/800-38D/SP-800-38D.pdf" quoteTitle="true" derivedAnchor="AES-GCM">
<xi:include href="reference.RFC.6979.xml"/>
<xi:include href="reference.RFC.7049.xml"/>
<xi:include href="reference.RFC.8439.xml"/>
<xi:include href="reference.RFC.7748.xml"/>
<xi:include href="reference.RFC.8174.xml"/>
<reference anchor="AES-GCM" target="https://csrc.nist.gov/publications/n
istpubs/800-38D/SP-800-38D.pdf">
<front> <front>
<title>Recommendation for Block Cipher Modes of Operation: Galois/Co unter Mode (GCM) and GMAC</title> <title>Recommendation for Block Cipher Modes of Operation: Galois/Co unter Mode (GCM) and GMAC</title>
<seriesInfo name="DOI" value="10.6028/NIST.SP.800-38D"/>
<seriesInfo name="NIST Special Publication" value="800-38D"/> <seriesInfo name="NIST Special Publication" value="800-38D"/>
<author> <author initials="M" surname="Dworkin"/>
<organization>National Institute of Standards and Technology</orga
nization>
</author>
<date year="2007" month="November"/> <date year="2007" month="November"/>
</front> </front>
<seriesInfo name="DOI" value="10.6028/NIST.SP.800-38D"/>
</reference> </reference>
<reference anchor="DSS" target="http://nvlpubs.nist.gov/nistpubs/FIPS/NI ST.FIPS.186-4.pdf"> <reference anchor="DSS" target="https://nvlpubs.nist.gov/nistpubs/FIPS/N IST.FIPS.186-4.pdf" quoteTitle="true" derivedAnchor="DSS">
<front> <front>
<title>Digital Signature Standard (DSS)</title> <title>Digital Signature Standard (DSS)</title>
<seriesInfo name="DOI" value="10.6028/NIST.FIPS.186-4"/>
<seriesInfo name="FIPS PUB" value="186-4"/> <seriesInfo name="FIPS PUB" value="186-4"/>
<author> <author>
<organization>National Institute of Standards and Technology</orga nization> <organization showOnFrontPage="true">National Institute of Standar ds and Technology</organization>
</author> </author>
<date year="2013" month="July"/> <date year="2013" month="July"/>
</front> </front>
<seriesInfo name="DOI" value="10.6028/NIST.FIPS.186-4"/>
</reference> </reference>
<reference anchor="MAC"> <reference anchor="MAC" target="https://cacr.uwaterloo.ca/hac/" quoteTit
<!-- le="true" derivedAnchor="MAC">
RFC Editor - help
A. Menezes, P. van Oorschot, S. Vanstone,
Handbook of Applied Cryptography, CRC Press, Inc., Boca Raton
(1996).
-->
<front> <front>
<title>Handbook of Applied Cryptography</title> <title>Handbook of Applied Cryptography</title>
<author initials="A." surname="Menezes"/>
<author initials="A." surname="Menees"/>
<author initials="P." surname="van Oorschot"/> <author initials="P." surname="van Oorschot"/>
<author initials="S." surname="Vanstone"/> <author initials="S." surname="Vanstone"/>
<date year="1996"/> <date year="1996"/>
</front> </front>
<refcontent>CRC Press, Boca Raton</refcontent>
</reference> </reference>
<reference anchor="SEC1" target="http://www.secg.org/sec1-v2.pdf"> <reference anchor="RFC2104" target="https://www.rfc-editor.org/info/rfc2
104" quoteTitle="true" derivedAnchor="RFC2104">
<front>
<title>HMAC: Keyed-Hashing for Message Authentication</title>
<author fullname="H. Krawczyk" initials="H" surname="Krawczyk"/>
<author fullname="M. Bellare" initials="M" surname="Bellare"/>
<author fullname="R. Canetti" initials="R" surname="Canetti"/>
<date month="February" year="1997"/>
<abstract>
<t indent="0">This document describes HMAC, a mechanism for messag
e authentication using cryptographic hash functions. HMAC can be used with any
iterative cryptographic hash function, e.g., MD5, SHA-1, in combination with a s
ecret shared key. The cryptographic strength of HMAC depends on the properties
of the underlying hash function. This memo provides information for the Interne
t community. This memo does not specify an Internet standard of any kind</t>
</abstract>
</front>
<seriesInfo name="RFC" value="2104"/>
<seriesInfo name="DOI" value="10.17487/RFC2104"/>
</reference>
<reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2
119" quoteTitle="true" derivedAnchor="RFC2119">
<front>
<title>Key words for use in RFCs to Indicate Requirement Levels</tit
le>
<author fullname="S. Bradner" initials="S" surname="Bradner"/>
<date month="March" year="1997"/>
<abstract>
<t indent="0">In many standards track documents several words are
used to signify the requirements in the specification. These words are often ca
pitalized. This document defines these words as they should be interpreted in I
ETF documents. This document specifies an Internet Best Current Practices for t
he Internet Community, and requests discussion and suggestions for improvements.
</t>
</abstract>
</front>
<seriesInfo name="BCP" value="14"/>
<seriesInfo name="RFC" value="2119"/>
<seriesInfo name="DOI" value="10.17487/RFC2119"/>
</reference>
<reference anchor="RFC3394" target="https://www.rfc-editor.org/info/rfc3
394" quoteTitle="true" derivedAnchor="RFC3394">
<front>
<title>Advanced Encryption Standard (AES) Key Wrap Algorithm</title>
<author fullname="J. Schaad" initials="J" surname="Schaad"/>
<author fullname="R. Housley" initials="R" surname="Housley"/>
<date month="September" year="2002"/>
</front>
<seriesInfo name="RFC" value="3394"/>
<seriesInfo name="DOI" value="10.17487/RFC3394"/>
</reference>
<reference anchor="RFC3610" target="https://www.rfc-editor.org/info/rfc3
610" quoteTitle="true" derivedAnchor="RFC3610">
<front>
<title>Counter with CBC-MAC (CCM)</title>
<author fullname="D. Whiting" initials="D" surname="Whiting"/>
<author fullname="R. Housley" initials="R" surname="Housley"/>
<author fullname="N. Ferguson" initials="N" surname="Ferguson"/>
<date month="September" year="2003"/>
<abstract>
<t indent="0">Counter with CBC-MAC (CCM) is a generic authenticate
d encryption block cipher mode. CCM is defined for use with 128-bit block ciphe
rs, such as the Advanced Encryption Standard (AES).</t>
</abstract>
</front>
<seriesInfo name="RFC" value="3610"/>
<seriesInfo name="DOI" value="10.17487/RFC3610"/>
</reference>
<reference anchor="RFC5869" target="https://www.rfc-editor.org/info/rfc5
869" quoteTitle="true" derivedAnchor="RFC5869">
<front>
<title>HMAC-based Extract-and-Expand Key Derivation Function (HKDF)<
/title>
<author fullname="H. Krawczyk" initials="H" surname="Krawczyk"/>
<author fullname="P. Eronen" initials="P" surname="Eronen"/>
<date month="May" year="2010"/>
<abstract>
<t indent="0">This document specifies a simple Hashed Message Auth
entication Code (HMAC)-based key derivation function (HKDF), which can be used a
s a building block in various protocols and applications. The key derivation fu
nction (KDF) is intended to support a wide range of applications and requirement
s, and is conservative in its use of cryptographic hash functions. This documen
t is not an Internet Standards Track specification; it is published for informat
ional purposes.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5869"/>
<seriesInfo name="DOI" value="10.17487/RFC5869"/>
</reference>
<reference anchor="RFC6090" target="https://www.rfc-editor.org/info/rfc6
090" quoteTitle="true" derivedAnchor="RFC6090">
<front>
<title>Fundamental Elliptic Curve Cryptography Algorithms</title>
<author fullname="D. McGrew" initials="D" surname="McGrew"/>
<author fullname="K. Igoe" initials="K" surname="Igoe"/>
<author fullname="M. Salter" initials="M" surname="Salter"/>
<date month="February" year="2011"/>
<abstract>
<t indent="0">This note describes the fundamental algorithms of El
liptic Curve Cryptography (ECC) as they were defined in some seminal references
from 1994 and earlier. These descriptions may be useful for implementing the fu
ndamental algorithms without using any of the specialized methods that were deve
loped in following years. Only elliptic curves defined over fields of character
istic greater than three are in scope; these curves are those used in Suite B.
This document is not an Internet Standards Track specification; it is published
for informational purposes.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="6090"/>
<seriesInfo name="DOI" value="10.17487/RFC6090"/>
</reference>
<reference anchor="RFC6979" target="https://www.rfc-editor.org/info/rfc6
979" quoteTitle="true" derivedAnchor="RFC6979">
<front>
<title>Deterministic Usage of the Digital Signature Algorithm (DSA)
and Elliptic Curve Digital Signature Algorithm (ECDSA)</title>
<author fullname="T. Pornin" initials="T" surname="Pornin"/>
<date month="August" year="2013"/>
<abstract>
<t indent="0">This document defines a deterministic digital signat
ure generation procedure. Such signatures are compatible with standard Digital
Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)
digital signatures and can be processed with unmodified verifiers, which need n
ot be aware of the procedure described therein. Deterministic signatures retain
the cryptographic security features associated with digital signatures but can
be more easily implemented in various environments, since they do not need acces
s to a source of high-quality randomness.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="6979"/>
<seriesInfo name="DOI" value="10.17487/RFC6979"/>
</reference>
<reference anchor="RFC7748" target="https://www.rfc-editor.org/info/rfc7
748" quoteTitle="true" derivedAnchor="RFC7748">
<front>
<title>Elliptic Curves for Security</title>
<author fullname="A. Langley" initials="A" surname="Langley"/>
<author fullname="M. Hamburg" initials="M" surname="Hamburg"/>
<author fullname="S. Turner" initials="S" surname="Turner"/>
<date month="January" year="2016"/>
<abstract>
<t indent="0">This memo specifies two elliptic curves over prime f
ields that offer a high level of practical security in cryptographic application
s, including Transport Layer Security (TLS). These curves are intended to opera
te at the ~128-bit and ~224-bit security level, respectively, and are generated
deterministically based on a list of required properties.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="7748"/>
<seriesInfo name="DOI" value="10.17487/RFC7748"/>
</reference>
<reference anchor="RFC8017" target="https://www.rfc-editor.org/info/rfc8
017" quoteTitle="true" derivedAnchor="RFC8017">
<front>
<title>PKCS #1: RSA Cryptography Specifications Version 2.2</title>
<author fullname="K. Moriarty" initials="K" role="editor" surname="M
oriarty"/>
<author fullname="B. Kaliski" initials="B" surname="Kaliski"/>
<author fullname="J. Jonsson" initials="J" surname="Jonsson"/>
<author fullname="A. Rusch" initials="A" surname="Rusch"/>
<date month="November" year="2016"/>
<abstract>
<t indent="0">This document provides recommendations for the imple
mentation of public-key cryptography based on the RSA algorithm, covering crypto
graphic primitives, encryption schemes, signature schemes with appendix, and ASN
.1 syntax for representing keys and for identifying the schemes.</t>
<t indent="0">This document represents a republication of PKCS #1
v2.2 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series. By
publishing this RFC, change control is transferred to the IETF.</t>
<t indent="0">This document also obsoletes RFC 3447.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8017"/>
<seriesInfo name="DOI" value="10.17487/RFC8017"/>
</reference>
<reference anchor="RFC8032" target="https://www.rfc-editor.org/info/rfc8
032" quoteTitle="true" derivedAnchor="RFC8032">
<front>
<title>Edwards-Curve Digital Signature Algorithm (EdDSA)</title>
<author fullname="S. Josefsson" initials="S" surname="Josefsson"/>
<author fullname="I. Liusvaara" initials="I" surname="Liusvaara"/>
<date month="January" year="2017"/>
<abstract>
<t indent="0">This document describes elliptic curve signature sch
eme Edwards-curve Digital Signature Algorithm (EdDSA). The algorithm is instant
iated with recommended parameters for the edwards25519 and edwards448 curves. A
n example implementation and test vectors are provided.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8032"/>
<seriesInfo name="DOI" value="10.17487/RFC8032"/>
</reference>
<reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8
174" quoteTitle="true" derivedAnchor="RFC8174">
<front>
<title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</ti
tle>
<author fullname="B. Leiba" initials="B" surname="Leiba"/>
<date month="May" year="2017"/>
<abstract>
<t indent="0">RFC 2119 specifies common key words that may be used
in protocol specifications. This document aims to reduce the ambiguity by clar
ifying that only UPPERCASE usage of the key words have the defined special meani
ngs.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="14"/>
<seriesInfo name="RFC" value="8174"/>
<seriesInfo name="DOI" value="10.17487/RFC8174"/>
</reference>
<reference anchor="RFC8439" target="https://www.rfc-editor.org/info/rfc8
439" quoteTitle="true" derivedAnchor="RFC8439">
<front>
<title>ChaCha20 and Poly1305 for IETF Protocols</title>
<author fullname="Y. Nir" initials="Y" surname="Nir"/>
<author fullname="A. Langley" initials="A" surname="Langley"/>
<date month="June" year="2018"/>
<abstract>
<t indent="0">This document defines the ChaCha20 stream cipher as
well as the use of the Poly1305 authenticator, both as stand-alone algorithms an
d as a "combined mode", or Authenticated Encryption with Associated Data (AEAD)
algorithm.</t>
<t indent="0">RFC 7539, the predecessor of this document, was mean
t to serve as a stable reference and an implementation guide. It was a product o
f the Crypto Forum Research Group (CFRG). This document merges the errata filed
against RFC 7539 and adds a little text to the Security Considerations section.<
/t>
</abstract>
</front>
<seriesInfo name="RFC" value="8439"/>
<seriesInfo name="DOI" value="10.17487/RFC8439"/>
</reference>
<reference anchor="RFC9052" target="https://www.rfc-editor.org/info/rfc9
052" quoteTitle="true" derivedAnchor="RFC9052">
<front>
<title>CBOR Object Signing and Encryption (COSE): Structures and Pro
cess</title>
<author initials="J" surname="Schaad">
<organization showOnFrontPage="true"/>
</author>
<date month="August" year="2022"/>
</front>
<seriesInfo name="STD" value="96"/>
<seriesInfo name="RFC" value="9052"/>
<seriesInfo name="DOI" value="10.17487/RFC9052"/>
</reference>
<reference anchor="SEC1" target="https://www.secg.org/sec1-v2.pdf" quote
Title="true" derivedAnchor="SEC1">
<front> <front>
<title>SEC 1: Elliptic Curve Cryptography</title> <title>SEC 1: Elliptic Curve Cryptography</title>
<author> <author>
<organization>Certicom Research</organization> <organization showOnFrontPage="true">Certicom Research</organizati on>
</author> </author>
<date year="2009" month="May"/> <date year="2009" month="May"/>
</front> </front>
<refcontent>Standards for Efficient Cryptography</refcontent>
</reference>
<reference anchor="STD94" target="https://www.rfc-editor.org/info/std94"
quoteTitle="true" derivedAnchor="STD94">
<front>
<title>Concise Binary Object Representation (CBOR)</title>
<author initials="C." surname="Bormann" fullname="C. Bormann">
<organization showOnFrontPage="true"/>
</author>
<author initials="P." surname="Hoffman" fullname="P. Hoffman">
<organization showOnFrontPage="true"/>
</author>
<date year="2020" month="December"/>
</front>
<seriesInfo name="STD" value="94"/>
<seriesInfo name="RFC" value="8949"/>
</reference> </reference>
<xi:include href="reference.RFC.8032.xml"/>
<xi:include href="reference.RFC.8017.xml"/>
</references> </references>
<references> <references pn="section-12.2">
<name>Informative References</name> <name slugifiedName="name-informative-references">Informative References
<xi:include href="reference.RFC.8126.xml"/> </name>
<xi:include href="reference.RFC.8610.xml"/> <reference anchor="I-D.mattsson-cfrg-det-sigs-with-noise" quoteTitle="tr
<xi:include href="reference.RFC.4231.xml"/> ue" target="https://datatracker.ietf.org/doc/html/draft-mattsson-cfrg-det-sigs-w
<xi:include href="reference.RFC.4493.xml"/> ith-noise-04" derivedAnchor="CFRG-DET-SIGS">
<xi:include href="reference.RFC.5116.xml"/>
<xi:include href="reference.RFC.5480.xml"/>
<xi:include href="reference.RFC.6151.xml"/>
<!-- <xi:include href="bibxml9/reference.STD.0090.xml"/> -->
<referencegroup anchor="STD90" target="https://www.rfc-editor.org/info/std90">
<!-- reference.RFC.8259.xml -->
<reference anchor="RFC8259" target="https://www.rfc-editor.org/info/rfc8259">
<front>
<title>
The JavaScript Object Notation (JSON) Data Interchange Format
</title>
<author initials="T." surname="Bray" fullname="T. Bray" role="editor">
<organization/>
</author>
<date year="2017" month="December"/>
<abstract>
<t>
JavaScript Object Notation (JSON) is a lightweight, text-based, language-indepen
dent data interchange format. It was derived from the ECMAScript Programming Lan
guage Standard. JSON defines a small set of formatting rules for the portable re
presentation of structured data.
</t>
<t>
This document removes inconsistencies with other specifications of JSON, repairs
specification errors, and offers experience-based interoperability guidance.
</t>
</abstract>
</front>
<seriesInfo name="STD" value="90"/>
<seriesInfo name="RFC" value="8259"/>
<seriesInfo name="DOI" value="10.17487/RFC8259"/>
</reference>
</referencegroup>
<xi:include href="reference.RFC.7252.xml"/>
<xi:include href="reference.RFC.7518.xml"/>
<xi:include href="reference.RFC.8152.xml"/>
<xi:include href="reference.RFC.8551.xml"/>
<xi:include href="reference.RFC.8230.xml"/>
<xi:include href="reference.I-D.ietf-core-oscore-groupcomm.xml"/>
<xi:include href="reference.I-D.ietf-cose-hash-sig.xml"/>
<reference anchor="SP800-38d" target="https://nvlpubs.nist.gov/nistpubs/
Legacy/SP/nistspecialpublication800-38d.pdf">
<front> <front>
<title>Recommendation for Block Cipher Modes of Operation: Galois/C <title>Deterministic ECDSA and EdDSA Signatures with Additional Rand
ounter Mode (GCM) and GMAC</title> omness</title>
<seriesInfo name="NIST Special Publication 800-38D" value=""/> <author fullname="John Preuß Mattsson">
<author initials="M." surname="Dworkin"/> <organization showOnFrontPage="true">Ericsson</organization>
<date year="2007" month="Nov"/> </author>
<author fullname="Erik Thormarker">
<organization showOnFrontPage="true">Ericsson</organization>
</author>
<author fullname="Sini Ruohomaa">
<organization showOnFrontPage="true">Ericsson</organization>
</author>
<date month="February" day="15" year="2022"/>
<abstract>
<t indent="0"> Deterministic elliptic-curve signatures such as d
eterministic ECDSA
and EdDSA have gained popularity over randomized ECDSA as their
security do not depend on a source of high-quality randomness.
Recent research has however found that implementations of these
signature algorithms may be vulnerable to certain side-channel and
fault injection attacks due to their determinism. One countermeasure
to such attacks is to re-add randomness to the otherwise
deterministic calculation of the per-message secret number. This
document updates RFC 6979 and RFC 8032 to recommend constructions
with additional randomness for deployments where side-channel attacks
and fault injection attacks are a concern. The updates are invisible
to the validator of the signature and compatible with existing ECDSA
and EdDSA validators.
</t>
</abstract>
</front> </front>
<seriesInfo name="Internet-Draft" value="draft-mattsson-cfrg-det-sigs-
with-noise-04"/>
<format type="TXT" target="https://www.ietf.org/archive/id/draft-matts
son-cfrg-det-sigs-with-noise-04.txt"/>
<refcontent>Work in Progress</refcontent>
</reference> </reference>
<reference anchor="I-D.ietf-cose-countersign" quoteTitle="true" target="
https://datatracker.ietf.org/doc/html/draft-ietf-cose-countersign-08" derivedAnc
hor="COUNTERSIGN">
<front>
<title>CBOR Object Signing and Encryption (COSE): Countersignatures<
/title>
<author fullname="Jim Schaad">
<organization showOnFrontPage="true">August Cellars</organization>
</author>
<author fullname="Russ Housley">
<organization showOnFrontPage="true">Vigil Security, LLC</organiza
tion>
</author>
<date month="August" day="22" year="2022"/>
<abstract>
<t indent="0"> Concise Binary Object Representation (CBOR) is a
data format designed
for small code size and small message size. CBOR Object Signing and
Encryption (COSE) defines a set of security services for CBOR. This
document defines a countersignature algorithm along with the needed
header parameters and CBOR tags for COSE. This document updates RFC
INSERT the number assigned to [I-D.ietf-cose-rfc8152bis-struct].
<reference anchor="SP800-56A" target="http://nvlpubs.nist.gov/nistpubs/S </t>
pecialPublications/NIST.SP.800-56Ar2.pdf"> </abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-cose-countersign-0
8"/>
<format type="TXT" target="https://www.ietf.org/archive/id/draft-ietf-
cose-countersign-08.txt"/>
<refcontent>Work in Progress</refcontent>
</reference>
<reference anchor="GitHub-Examples" target="https://github.com/cose-wg/E
xamples" quoteTitle="true" derivedAnchor="GitHub-Examples">
<front>
<title>GitHub Examples of COSE</title>
<author/>
<date month="June" day="3" year="2020"/>
</front>
<refcontent>commit 3221310</refcontent>
</reference>
<reference anchor="HKDF" target="https://eprint.iacr.org/2010/264.pdf" q
uoteTitle="true" derivedAnchor="HKDF">
<front>
<title>Cryptographic Extraction and Key Derivation: The HKDF Scheme<
/title>
<author initials="H." surname="Krawczyk">
<organization showOnFrontPage="true">IBM T.J. Watson Research Cent
er</organization>
</author>
<date year="2010"/>
</front>
</reference>
<reference anchor="I-D.ietf-core-oscore-groupcomm" quoteTitle="true" tar
get="https://datatracker.ietf.org/doc/html/draft-ietf-core-oscore-groupcomm-14"
derivedAnchor="OSCORE-GROUPCOMM">
<front>
<title>Group OSCORE - Secure Group Communication for CoAP</title>
<author fullname="Marco Tiloca">
<organization showOnFrontPage="true">RISE AB</organization>
</author>
<author fullname="Göran Selander">
<organization showOnFrontPage="true">Ericsson AB</organization>
</author>
<author fullname="Francesca Palombini">
<organization showOnFrontPage="true">Ericsson AB</organization>
</author>
<author fullname="John Preuss Mattsson">
<organization showOnFrontPage="true">Ericsson AB</organization>
</author>
<author fullname="Jiye Park">
<organization showOnFrontPage="true">Universitaet Duisburg-Essen</
organization>
</author>
<date month="March" day="7" year="2022"/>
<abstract>
<t indent="0"> This document defines Group Object Security for C
onstrained RESTful
Environments (Group OSCORE), providing end-to-end security of CoAP
messages exchanged between members of a group, e.g., sent over IP
multicast. In particular, the described approach defines how OSCORE
is used in a group communication setting to provide source
authentication for CoAP group requests, sent by a client to multiple
servers, and for protection of the corresponding CoAP responses.
Group OSCORE also defines a pairwise mode where each member of the
group can efficiently derive a symmetric pairwise key with any other
member of the group for pairwise OSCORE communication.
</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-core-oscore-groupc
omm-14"/>
<format type="TXT" target="https://www.ietf.org/archive/id/draft-ietf-
core-oscore-groupcomm-14.txt"/>
<refcontent>Work in Progress</refcontent>
</reference>
<reference anchor="RFC4231" target="https://www.rfc-editor.org/info/rfc4
231" quoteTitle="true" derivedAnchor="RFC4231">
<front>
<title>Identifiers and Test Vectors for HMAC-SHA-224, HMAC-SHA-256,
HMAC-SHA-384, and HMAC-SHA-512</title>
<author fullname="M. Nystrom" initials="M" surname="Nystrom"/>
<date month="December" year="2005"/>
<abstract>
<t indent="0">This document provides test vectors for the HMAC-SHA
-224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 message authentication scheme
s. It also provides ASN.1 object identifiers and Uniform Resource Identifiers (
URIs) to identify use of these schemes in protocols. The test vectors provided
in this document may be used for conformance testing. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="4231"/>
<seriesInfo name="DOI" value="10.17487/RFC4231"/>
</reference>
<reference anchor="RFC4493" target="https://www.rfc-editor.org/info/rfc4
493" quoteTitle="true" derivedAnchor="RFC4493">
<front>
<title>The AES-CMAC Algorithm</title>
<author fullname="JH. Song" initials="JH" surname="Song"/>
<author fullname="R. Poovendran" initials="R" surname="Poovendran"/>
<author fullname="J. Lee" initials="J" surname="Lee"/>
<author fullname="T. Iwata" initials="T" surname="Iwata"/>
<date month="June" year="2006"/>
<abstract>
<t indent="0">The National Institute of Standards and Technology (
NIST) has recently specified the Cipher-based Message Authentication Code (CMAC)
, which is equivalent to the One-Key CBC MAC1 (OMAC1) submitted by Iwata and Kur
osawa. This memo specifies an authentication algorithm based on CMAC with the 1
28-bit Advanced Encryption Standard (AES). This new authentication algorithm is
named AES-CMAC. The purpose of this document is to make the AES-CMAC algorithm
conveniently available to the Internet Community. This memo provides informati
on for the Internet community.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="4493"/>
<seriesInfo name="DOI" value="10.17487/RFC4493"/>
</reference>
<reference anchor="RFC5116" target="https://www.rfc-editor.org/info/rfc5
116" quoteTitle="true" derivedAnchor="RFC5116">
<front>
<title>An Interface and Algorithms for Authenticated Encryption</tit
le>
<author fullname="D. McGrew" initials="D" surname="McGrew"/>
<date month="January" year="2008"/>
<abstract>
<t indent="0">This document defines algorithms for Authenticated E
ncryption with Associated Data (AEAD), and defines a uniform interface and a reg
istry for such algorithms. The interface and registry can be used as an applica
tion-independent set of cryptoalgorithm suites. This approach provides advantag
es in efficiency and security, and promotes the reuse of crypto implementations.
[STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5116"/>
<seriesInfo name="DOI" value="10.17487/RFC5116"/>
</reference>
<reference anchor="RFC5480" target="https://www.rfc-editor.org/info/rfc5
480" quoteTitle="true" derivedAnchor="RFC5480">
<front>
<title>Elliptic Curve Cryptography Subject Public Key Information</t
itle>
<author fullname="S. Turner" initials="S" surname="Turner"/>
<author fullname="D. Brown" initials="D" surname="Brown"/>
<author fullname="K. Yiu" initials="K" surname="Yiu"/>
<author fullname="R. Housley" initials="R" surname="Housley"/>
<author fullname="T. Polk" initials="T" surname="Polk"/>
<date month="March" year="2009"/>
<abstract>
<t indent="0">This document specifies the syntax and semantics for
the Subject Public Key Information field in certificates that support Elliptic
Curve Cryptography. This document updates Sections 2.3.5 and 5, and the ASN.1 m
odule of "Algorithms and Identifiers for the Internet X.509 Public Key Infrastru
cture Certificate and Certificate Revocation List (CRL) Profile", RFC 3279. [STA
NDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5480"/>
<seriesInfo name="DOI" value="10.17487/RFC5480"/>
</reference>
<reference anchor="RFC6151" target="https://www.rfc-editor.org/info/rfc6
151" quoteTitle="true" derivedAnchor="RFC6151">
<front>
<title>Updated Security Considerations for the MD5 Message-Digest an
d the HMAC-MD5 Algorithms</title>
<author fullname="S. Turner" initials="S" surname="Turner"/>
<author fullname="L. Chen" initials="L" surname="Chen"/>
<date month="March" year="2011"/>
<abstract>
<t indent="0">This document updates the security considerations fo
r the MD5 message digest algorithm. It also updates the security considerations
for HMAC-MD5. This document is not an Internet Standards Track specification;
it is published for informational purposes.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="6151"/>
<seriesInfo name="DOI" value="10.17487/RFC6151"/>
</reference>
<reference anchor="RFC7252" target="https://www.rfc-editor.org/info/rfc7
252" quoteTitle="true" derivedAnchor="RFC7252">
<front>
<title>The Constrained Application Protocol (CoAP)</title>
<author fullname="Z. Shelby" initials="Z" surname="Shelby"/>
<author fullname="K. Hartke" initials="K" surname="Hartke"/>
<author fullname="C. Bormann" initials="C" surname="Bormann"/>
<date month="June" year="2014"/>
<abstract>
<t indent="0">The Constrained Application Protocol (CoAP) is a spe
cialized web transfer protocol for use with constrained nodes and constrained (e
.g., low-power, lossy) networks. The nodes often have 8-bit microcontrollers wit
h small amounts of ROM and RAM, while constrained networks such as IPv6 over Low
-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error r
ates and a typical throughput of 10s of kbit/s. The protocol is designed for mac
hine- to-machine (M2M) applications such as smart energy and building automation
.</t>
<t indent="0">CoAP provides a request/response interaction model b
etween application endpoints, supports built-in discovery of services and resour
ces, and includes key concepts of the Web such as URIs and Internet media types.
CoAP is designed to easily interface with HTTP for integration with the Web whi
le meeting specialized requirements such as multicast support, very low overhead
, and simplicity for constrained environments.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="7252"/>
<seriesInfo name="DOI" value="10.17487/RFC7252"/>
</reference>
<reference anchor="RFC7518" target="https://www.rfc-editor.org/info/rfc7
518" quoteTitle="true" derivedAnchor="RFC7518">
<front>
<title>JSON Web Algorithms (JWA)</title>
<author fullname="M. Jones" initials="M" surname="Jones"/>
<date month="May" year="2015"/>
<abstract>
<t indent="0">This specification registers cryptographic algorithm
s and identifiers to be used with the JSON Web Signature (JWS), JSON Web Encrypt
ion (JWE), and JSON Web Key (JWK) specifications. It defines several IANA regis
tries for these identifiers.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="7518"/>
<seriesInfo name="DOI" value="10.17487/RFC7518"/>
</reference>
<reference anchor="RFC8126" target="https://www.rfc-editor.org/info/rfc8
126" quoteTitle="true" derivedAnchor="RFC8126">
<front>
<title>Guidelines for Writing an IANA Considerations Section in RFCs
</title>
<author fullname="M. Cotton" initials="M" surname="Cotton"/>
<author fullname="B. Leiba" initials="B" surname="Leiba"/>
<author fullname="T. Narten" initials="T" surname="Narten"/>
<date month="June" year="2017"/>
<abstract>
<t indent="0">Many protocols make use of points of extensibility t
hat use constants to identify various protocol parameters. To ensure that the va
lues in these fields do not have conflicting uses and to promote interoperabilit
y, their allocations are often coordinated by a central record keeper. For IETF
protocols, that role is filled by the Internet Assigned Numbers Authority (IANA)
.</t>
<t indent="0">To make assignments in a given registry prudently, g
uidance describing the conditions under which new values should be assigned, as
well as when and how modifications to existing values can be made, is needed. Th
is document defines a framework for the documentation of these guidelines by spe
cification authors, in order to assure that the provided guidance for the IANA C
onsiderations is clear and addresses the various issues that are likely in the o
peration of a registry.</t>
<t indent="0">This is the third edition of this document; it obsol
etes RFC 5226.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="26"/>
<seriesInfo name="RFC" value="8126"/>
<seriesInfo name="DOI" value="10.17487/RFC8126"/>
</reference>
<reference anchor="RFC8152" target="https://www.rfc-editor.org/info/rfc8
152" quoteTitle="true" derivedAnchor="RFC8152">
<front>
<title>CBOR Object Signing and Encryption (COSE)</title>
<author fullname="J. Schaad" initials="J" surname="Schaad"/>
<date month="July" year="2017"/>
<abstract>
<t indent="0">Concise Binary Object Representation (CBOR) is a dat
a format designed for small code size and small message size. There is a need f
or the ability to have basic security services defined for this data format. Th
is document defines the CBOR Object Signing and Encryption (COSE) protocol. Thi
s specification describes how to create and process signatures, message authenti
cation codes, and encryption using CBOR for serialization. This specification a
dditionally describes how to represent cryptographic keys using CBOR.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8152"/>
<seriesInfo name="DOI" value="10.17487/RFC8152"/>
</reference>
<reference anchor="RFC8230" target="https://www.rfc-editor.org/info/rfc8
230" quoteTitle="true" derivedAnchor="RFC8230">
<front>
<title>Using RSA Algorithms with CBOR Object Signing and Encryption
(COSE) Messages</title>
<author fullname="M. Jones" initials="M" surname="Jones"/>
<date month="September" year="2017"/>
<abstract>
<t indent="0">The CBOR Object Signing and Encryption (COSE) specif
ication defines cryptographic message encodings using Concise Binary Object Repr
esentation (CBOR). This specification defines algorithm encodings and represent
ations enabling RSA algorithms to be used for COSE messages. Encodings are spec
ified for the use of RSA Probabilistic Signature Scheme (RSASSA-PSS) signatures,
RSA Encryption Scheme - Optimal Asymmetric Encryption Padding (RSAES-OAEP) encr
yption, and RSA keys.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8230"/>
<seriesInfo name="DOI" value="10.17487/RFC8230"/>
</reference>
<reference anchor="RFC8446" target="https://www.rfc-editor.org/info/rfc8
446" quoteTitle="true" derivedAnchor="RFC8446">
<front>
<title>The Transport Layer Security (TLS) Protocol Version 1.3</titl
e>
<author fullname="E. Rescorla" initials="E" surname="Rescorla"/>
<date month="August" year="2018"/>
<abstract>
<t indent="0">This document specifies version 1.3 of the Transport
Layer Security (TLS) protocol. TLS allows client/server applications to communi
cate over the Internet in a way that is designed to prevent eavesdropping, tampe
ring, and message forgery.</t>
<t indent="0">This document updates RFCs 5705 and 6066, and obsole
tes RFCs 5077, 5246, and 6961. This document also specifies new requirements for
TLS 1.2 implementations.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8446"/>
<seriesInfo name="DOI" value="10.17487/RFC8446"/>
</reference>
<reference anchor="RFC8551" target="https://www.rfc-editor.org/info/rfc8
551" quoteTitle="true" derivedAnchor="RFC8551">
<front>
<title>Secure/Multipurpose Internet Mail Extensions (S/MIME) Version
4.0 Message Specification</title>
<author fullname="J. Schaad" initials="J" surname="Schaad"/>
<author fullname="B. Ramsdell" initials="B" surname="Ramsdell"/>
<author fullname="S. Turner" initials="S" surname="Turner"/>
<date month="April" year="2019"/>
<abstract>
<t indent="0">This document defines Secure/Multipurpose Internet M
ail Extensions (S/MIME) version 4.0. S/MIME provides a consistent way to send a
nd receive secure MIME data. Digital signatures provide authentication, message
integrity, and non-repudiation with proof of origin. Encryption provides data
confidentiality. Compression can be used to reduce data size. This document ob
soletes RFC 5751.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8551"/>
<seriesInfo name="DOI" value="10.17487/RFC8551"/>
</reference>
<reference anchor="RFC8610" target="https://www.rfc-editor.org/info/rfc8
610" quoteTitle="true" derivedAnchor="RFC8610">
<front>
<title>Concise Data Definition Language (CDDL): A Notational Convent
ion to Express Concise Binary Object Representation (CBOR) and JSON Data Structu
res</title>
<author fullname="H. Birkholz" initials="H" surname="Birkholz"/>
<author fullname="C. Vigano" initials="C" surname="Vigano"/>
<author fullname="C. Bormann" initials="C" surname="Bormann"/>
<date month="June" year="2019"/>
<abstract>
<t indent="0">This document proposes a notational convention to ex
press Concise Binary Object Representation (CBOR) data structures (RFC 7049). I
ts main goal is to provide an easy and unambiguous way to express structures for
protocol messages and data formats that use CBOR or JSON.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8610"/>
<seriesInfo name="DOI" value="10.17487/RFC8610"/>
</reference>
<reference anchor="RFC8778" target="https://www.rfc-editor.org/info/rfc8
778" quoteTitle="true" derivedAnchor="RFC8778">
<front>
<title>Use of the HSS/LMS Hash-Based Signature Algorithm with CBOR O
bject Signing and Encryption (COSE)</title>
<author fullname="R. Housley" initials="R" surname="Housley"/>
<date month="April" year="2020"/>
<abstract>
<t indent="0">This document specifies the conventions for using th
e Hierarchical Signature System (HSS) / Leighton-Micali Signature (LMS) hash-bas
ed signature algorithm with the CBOR Object Signing and Encryption (COSE) syntax
. The HSS/LMS algorithm is one form of hash-based digital signature; it is desc
ribed in RFC 8554.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8778"/>
<seriesInfo name="DOI" value="10.17487/RFC8778"/>
</reference>
<reference anchor="RFC9021" target="https://www.rfc-editor.org/info/rfc9
021" quoteTitle="true" derivedAnchor="RFC9021">
<front>
<title>Use of the Walnut Digital Signature Algorithm with CBOR Objec
t Signing and Encryption (COSE)</title>
<author fullname="D. Atkins" initials="D" surname="Atkins"/>
<date month="May" year="2021"/>
<abstract>
<t indent="0">This document specifies the conventions for using th
e Walnut Digital Signature Algorithm (WalnutDSA) for digital signatures with the
CBOR Object Signing and Encryption (COSE) syntax. WalnutDSA is a lightweight, q
uantum-resistant signature scheme based on Group Theoretic Cryptography with imp
lementation and computational efficiency of signature verification in constraine
d environments, even on 8- and 16-bit platforms.</t>
<t indent="0">The goal of this publication is to document a way to
use the lightweight, quantum-resistant WalnutDSA signature algorithm in COSE in
a way that would allow multiple developers to build compatible implementations.
As of this publication, the security properties of WalnutDSA have not been eval
uated by the IETF and its use has not been endorsed by the IETF.</t>
<t indent="0">WalnutDSA and the Walnut Digital Signature Algorithm
are trademarks of Veridify Security Inc.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9021"/>
<seriesInfo name="DOI" value="10.17487/RFC9021"/>
</reference>
<reference anchor="RFC9147" target="https://www.rfc-editor.org/info/rfc9
147" quoteTitle="true" derivedAnchor="RFC9147">
<front>
<title>The Datagram Transport Layer Security (DTLS) Protocol Version
1.3</title>
<author fullname="E. Rescorla" initials="E" surname="Rescorla"/>
<author fullname="H. Tschofenig" initials="H" surname="Tschofenig"/>
<author fullname="N. Modadugu" initials="N" surname="Modadugu"/>
<date month="April" year="2022"/>
<abstract>
<t indent="0">This document specifies version 1.3 of the Datagram
Transport Layer Security (DTLS) protocol. DTLS 1.3 allows client/server applicat
ions to communicate over the Internet in a way that is designed to prevent eaves
dropping, tampering, and message forgery.</t>
<t indent="0">The DTLS 1.3 protocol is based on the Transport Laye
r Security (TLS) 1.3 protocol and provides equivalent security guarantees with t
he exception of order protection / non-replayability. Datagram semantics of the
underlying transport are preserved by the DTLS protocol.</t>
<t indent="0">This document obsoletes RFC 6347.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9147"/>
<seriesInfo name="DOI" value="10.17487/RFC9147"/>
</reference>
<reference anchor="ROBUST" target="https://eprint.iacr.org/2020/718.pdf"
quoteTitle="true" derivedAnchor="ROBUST">
<front>
<title>Robust Channels: Handling Unreliable Networks in the Record L
ayers of QUIC and DTLS</title>
<author initials="M." surname="Fischlin"/>
<author initials="F." surname="Günther"/>
<author initials="C." surname="Janson"/>
<date year="2020" month="Feb"/>
</front>
</reference>
<reference anchor="SP800-38D" target="https://nvlpubs.nist.gov/nistpubs/
Legacy/SP/nistspecialpublication800-38d.pdf" quoteTitle="true" derivedAnchor="SP
800-38D">
<front>
<title>Recommendation for Block Cipher Modes of Operation: Galois/Co
unter Mode (GCM) and GMAC</title>
<seriesInfo name="NIST Special Publication" value="800-38D"/>
<author initials="M." surname="Dworkin"/>
<date year="2007" month="November"/>
</front>
</reference>
<reference anchor="SP800-56A" target="https://nvlpubs.nist.gov/nistpubs/
SpecialPublications/NIST.SP.800-56Ar2.pdf" quoteTitle="true" derivedAnchor="SP80
0-56A">
<front> <front>
<title>Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography</title> <title>Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography</title>
<seriesInfo name="DOI" value="10.6028/NIST.SP.800-56Ar2"/>
<seriesInfo name="NIST Special Publication 800-56A," value="Revision
2"/>
<author initials="E." surname="Barker"> <author initials="E." surname="Barker">
<organization>U.S. National Institute of Standards and Technology< /organization> <organization showOnFrontPage="true"/>
</author> </author>
<author initials="L." surname="Chen"> <author initials="L." surname="Chen">
<organization>U.S. National Institute of Standards and Technology< /organization> <organization showOnFrontPage="true"/>
</author> </author>
<author initials="A." surname="Roginsky"> <author initials="A." surname="Roginsky">
<organization>U.S. National Institute of Standards and Technology< /organization> <organization showOnFrontPage="true"/>
</author> </author>
<author initials="M." surname="Smid"> <author initials="A." surname="Vassilev">
<organization>Orion Security Solutions, Inc.</organization> <organization showOnFrontPage="true"/>
</author> </author>
<date year="2013" month="May"/> <author initials="R." surname="Davis">
<organization showOnFrontPage="true"/>
</author>
<date year="2018" month="April"/>
</front> </front>
<seriesInfo name="DOI" value="10.6028/NIST.SP.800-56Ar3"/>
<refcontent>NIST Special Publication 800-56A, Revision 3</refcontent>
</reference> </reference>
<reference anchor="GitHub-Examples" target="https://github.com/cose-wg/E xamples"> <reference anchor="STD90" target="https://www.rfc-editor.org/info/std90" quoteTitle="true" derivedAnchor="STD90">
<front> <front>
<title>GitHub Examples of COSE</title> <title>The JavaScript Object Notation (JSON) Data Interchange Format
<author/> </title>
<author initials="T." surname="Bray" fullname="Tim Bray" role="edito
r">
<organization showOnFrontPage="true"/>
</author>
<date month="December" year="2017"/>
</front> </front>
<seriesInfo name="STD" value="90"/>
<seriesInfo name="RFC" value="8259"/>
</reference> </reference>
<xi:include href="reference.I-D.mattsson-cfrg-det-sigs-with-noise.xml"/>
<reference anchor="HKDF" target="https://eprint.iacr.org/2010/264.pdf">
<front>
<title>Cryptographic Extraction and Key Derivation: The HKDF Scheme</t
itle>
<author initials="H." surname="Krawczyk">
<organization>IBM T.J. Watson Research Center</organization>
</author>
<date year="2010"/>
</front>
</reference>
<reference anchor="ROBUST" target="https://www.felixguenther.info/docs/QUI
P2020_RobustChannels.pdf">
<front>
<title>Robust Channels: Handling Unreliable Networks in the Record Lay
ers of QUIC and DTLS</title>
<author initials="M." surname="Fischlin"/>
<author initials="F." surname="Günther"/>
<author initials="C." surname="Janson"/>
<date year="2020" month="Feb"/>
</front>
</reference>
<xi:include href="reference.I-D.ietf-quic-tls.xml"/>
</references> </references>
</references> </references>
<section numbered="false"> <section numbered="false" removeInRFC="false" toc="include" pn="section-appe
ndix.a">
<name slugifiedName="name-acknowledgments">Acknowledgments</name>
<t indent="0" pn="section-appendix.a-1">This document is a product of the
COSE Working Group of the IETF. </t>
<t indent="0" pn="section-appendix.a-2">The following individuals are to b
lame for getting me started on this
project in the first place: <contact fullname="Richard Barnes"/>,
<contact fullname="Matt Miller"/>, and <contact fullname="Martin Tho
mson"/>. </t>
<t indent="0" pn="section-appendix.a-3">The initial draft version of the s
pecification was based to some degree on
the outputs of the JOSE and S/MIME Working Groups. </t>
<t indent="0" pn="section-appendix.a-4">The following individuals provided
input into the final form of the
document: <contact fullname="Carsten Bormann"/>, <contact fullname="John
Bradley"/>, <contact fullname="Brian Campbell"/>, <contact fullname="Michae
l B. Jones"/>, <contact fullname="Ilari Liusvaara"/>,
<contact fullname="Francesca Palombini"/>, <contact fullname="Ludwig
Seitz"/>, and <contact fullname="Göran Selander"/>. </t>
</section>
<section anchor="authors-addresses" numbered="false" removeInRFC="false" toc
="include" pn="section-appendix.b">
<name slugifiedName="name-authors-address">Author's Address</name>
<author initials="J." surname="Schaad" fullname="Jim Schaad">
<organization showOnFrontPage="true">August Cellars</organization>
<address>
<name>Acknowledgments</name> </address>
<t>This document is a product of the COSE working group of the IETF. </t> </author>
<t>The following individuals are to blame for getting me started on this p
roject in the first place: Richard Barnes, Matt Miller, and Martin Thomson. </t
>
<t>The initial version of the specification was based to some degree on th
e outputs of the JOSE and S/MIME working groups. </t>
<t>The following individuals provided input into the final form of the doc
ument: Carsten Bormann, John Bradley, Brain Campbell, Michael B. Jones, Ilari Li
usvaara, Francesca Palombini, Ludwig Seitz, and Göran Selander. </t>
</section> </section>
</back> </back>
</rfc> </rfc>
 End of changes. 296 change blocks. 
2384 lines changed or deleted 3836 lines changed or added

This html diff was produced by rfcdiff 1.48.