rfc9052.original | rfc9052.txt | |||
---|---|---|---|---|
COSE Working Group J. Schaad | Internet Engineering Task Force (IETF) J. Schaad | |||
Internet-Draft August Cellars | Request for Comments: 9052 August Cellars | |||
Obsoletes: 8152 (if approved) 1 February 2021 | STD: 96 July 2021 | |||
Intended status: Standards Track | Obsoletes: 8152 | |||
Expires: 5 August 2021 | Category: Standards Track | |||
ISSN: 2070-1721 | ||||
CBOR Object Signing and Encryption (COSE): Structures and Process | CBOR Object Signing and Encryption (COSE): Structures and Process | |||
draft-ietf-cose-rfc8152bis-struct-15 | ||||
Abstract | Abstract | |||
Concise Binary Object Representation (CBOR) is a data format designed | Concise Binary Object Representation (CBOR) is a data format designed | |||
for small code size and small message size. There is a need for the | for small code size and small message size. There is a need for the | |||
ability to have basic security services defined for this data format. | ability to have basic security services defined for this data format. | |||
This document defines the CBOR Object Signing and Encryption (COSE) | This document defines the CBOR Object Signing and Encryption (COSE) | |||
protocol. This specification describes how to create and process | protocol. This specification describes how to create and process | |||
signatures, message authentication codes, and encryption using CBOR | signatures, message authentication codes, and encryption using CBOR | |||
for serialization. This specification additionally describes how to | for serialization. This specification additionally describes how to | |||
represent cryptographic keys using CBOR. | represent cryptographic keys using CBOR. | |||
This document along with [I-D.ietf-cose-rfc8152bis-algs] obsoletes | This document, along with RFC 9053, obsoletes RFC 8152. | |||
RFC8152. | ||||
Contributing to this document | ||||
This note is to be removed before publishing as an RFC. | ||||
The source for this draft is being maintained in GitHub. Suggested | ||||
changes should be submitted as pull requests at https://github.com/ | ||||
cose-wg/cose-rfc8152bis. Instructions are on that page as well. | ||||
Editorial changes can be managed in GitHub, but any substantial | ||||
issues need to be discussed on the COSE mailing list. | ||||
Status of This Memo | Status of This Memo | |||
This Internet-Draft is submitted in full conformance with the | This is an Internet Standards Track document. | |||
provisions of BCP 78 and BCP 79. | ||||
Internet-Drafts are working documents of the Internet Engineering | This document is a product of the Internet Engineering Task Force | |||
Task Force (IETF). Note that other groups may also distribute | (IETF). It represents the consensus of the IETF community. It has | |||
working documents as Internet-Drafts. The list of current Internet- | received public review and has been approved for publication by the | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Internet Engineering Steering Group (IESG). Further information on | |||
Internet Standards is available in Section 2 of RFC 7841. | ||||
Internet-Drafts are draft documents valid for a maximum of six months | Information about the current status of this document, any errata, | |||
and may be updated, replaced, or obsoleted by other documents at any | and how to provide feedback on it may be obtained at | |||
time. It is inappropriate to use Internet-Drafts as reference | https://www.rfc-editor.org/info/rfc9052. | |||
material or to cite them other than as "work in progress." | ||||
This Internet-Draft will expire on 5 August 2021. | ||||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents | |||
license-info) in effect on the date of publication of this document. | (https://trustee.ietf.org/license-info) in effect on the date of | |||
Please review these documents carefully, as they describe your rights | publication of this document. Please review these documents | |||
and restrictions with respect to this document. Code Components | carefully, as they describe your rights and restrictions with respect | |||
extracted from this document must include Simplified BSD License text | to this document. Code Components extracted from this document must | |||
as described in Section 4.e of the Trust Legal Provisions and are | include Simplified BSD License text as described in Section 4.e of | |||
provided without warranty as described in the Simplified BSD License. | the Trust Legal Provisions and are provided without warranty as | |||
described in the Simplified BSD License. | ||||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 | 1. Introduction | |||
1.1. Requirements Terminology . . . . . . . . . . . . . . . . 6 | 1.1. Requirements Terminology | |||
1.2. Changes from RFC8152 . . . . . . . . . . . . . . . . . . 6 | 1.2. Changes from RFC 8152 | |||
1.3. Design Changes from JOSE . . . . . . . . . . . . . . . . 6 | 1.3. Design Changes from JOSE | |||
1.4. CBOR Grammar . . . . . . . . . . . . . . . . . . . . . . 7 | 1.4. CBOR Grammar | |||
1.5. CBOR-Related Terminology . . . . . . . . . . . . . . . . 8 | 1.5. CBOR-Related Terminology | |||
1.6. Document Terminology . . . . . . . . . . . . . . . . . . 9 | 1.6. Document Terminology | |||
2. Basic COSE Structure . . . . . . . . . . . . . . . . . . . . 10 | 2. Basic COSE Structure | |||
3. Header Parameters . . . . . . . . . . . . . . . . . . . . . . 13 | 3. Header Parameters | |||
3.1. Common COSE Header Parameters . . . . . . . . . . . . . . 15 | 3.1. Common COSE Header Parameters | |||
4. Signing Objects . . . . . . . . . . . . . . . . . . . . . . . 18 | 4. Signing Objects | |||
4.1. Signing with One or More Signers . . . . . . . . . . . . 18 | 4.1. Signing with One or More Signers | |||
4.2. Signing with One Signer . . . . . . . . . . . . . . . . . 20 | 4.2. Signing with One Signer | |||
4.3. Externally Supplied Data . . . . . . . . . . . . . . . . 21 | 4.3. Externally Supplied Data | |||
4.4. Signing and Verification Process . . . . . . . . . . . . 22 | 4.4. Signing and Verification Process | |||
5. Encryption Objects . . . . . . . . . . . . . . . . . . . . . 24 | 5. Encryption Objects | |||
5.1. Enveloped COSE Structure . . . . . . . . . . . . . . . . 24 | 5.1. Enveloped COSE Structure | |||
5.1.1. Content Key Distribution Methods . . . . . . . . . . 26 | 5.1.1. Content Key Distribution Methods | |||
5.2. Single Recipient Encrypted . . . . . . . . . . . . . . . 26 | 5.2. Single Recipient Encrypted | |||
5.3. How to Encrypt and Decrypt for AEAD Algorithms . . . . . 27 | 5.3. How to Encrypt and Decrypt for AEAD Algorithms | |||
5.4. How to Encrypt and Decrypt for AE Algorithms . . . . . . 29 | 5.4. How to Encrypt and Decrypt for AE Algorithms | |||
6. MAC Objects . . . . . . . . . . . . . . . . . . . . . . . . . 30 | 6. MAC Objects | |||
6.1. MACed Message with Recipients . . . . . . . . . . . . . . 31 | 6.1. MACed Message with Recipients | |||
6.2. MACed Messages with Implicit Key . . . . . . . . . . . . 32 | 6.2. MACed Messages with Implicit Key | |||
6.3. How to Compute and Verify a MAC . . . . . . . . . . . . . 33 | 6.3. How to Compute and Verify a MAC | |||
7. Key Objects . . . . . . . . . . . . . . . . . . . . . . . . . 34 | 7. Key Objects | |||
7.1. COSE Key Common Parameters . . . . . . . . . . . . . . . 35 | 7.1. COSE Key Common Parameters | |||
8. Taxonomy of Algorithms used by COSE . . . . . . . . . . . . . 37 | 8. Taxonomy of Algorithms Used by COSE | |||
8.1. Signature Algorithms . . . . . . . . . . . . . . . . . . 38 | 8.1. Signature Algorithms | |||
8.2. Message Authentication Code (MAC) Algorithms . . . . . . 40 | 8.2. Message Authentication Code (MAC) Algorithms | |||
8.3. Content Encryption Algorithms . . . . . . . . . . . . . . 40 | 8.3. Content Encryption Algorithms | |||
8.4. Key Derivation Functions (KDFs) . . . . . . . . . . . . . 41 | 8.4. Key Derivation Functions (KDFs) | |||
8.5. Content Key Distribution Methods . . . . . . . . . . . . 41 | 8.5. Content Key Distribution Methods | |||
8.5.1. Direct Encryption . . . . . . . . . . . . . . . . . . 42 | 8.5.1. Direct Encryption | |||
8.5.2. Key Wrap . . . . . . . . . . . . . . . . . . . . . . 42 | 8.5.2. Key Wrap | |||
8.5.3. Key Transport . . . . . . . . . . . . . . . . . . . . 43 | 8.5.3. Key Transport | |||
8.5.4. Direct Key Agreement . . . . . . . . . . . . . . . . 43 | 8.5.4. Direct Key Agreement | |||
8.5.5. Key Agreement with Key Wrap . . . . . . . . . . . . . 44 | 8.5.5. Key Agreement with Key Wrap | |||
9. CBOR Encoding Restrictions . . . . . . . . . . . . . . . . . 45 | 9. CBOR Encoding Restrictions | |||
10. Application Profiling Considerations . . . . . . . . . . . . 45 | 10. Application Profiling Considerations | |||
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 46 | 11. IANA Considerations | |||
11.1. COSE Header Parameters Registry . . . . . . . . . . . . 47 | 11.1. COSE Header Parameters Registry | |||
11.2. COSE Key Common Parameters Registry . . . . . . . . . . 47 | 11.2. COSE Key Common Parameters Registry | |||
11.3. Media Type Registrations . . . . . . . . . . . . . . . . 47 | 11.3. Media Type Registrations | |||
11.3.1. COSE Security Message . . . . . . . . . . . . . . . 47 | 11.3.1. COSE Security Message | |||
11.3.2. COSE Key Media Type . . . . . . . . . . . . . . . . 48 | 11.3.2. COSE Key Media Type | |||
11.4. CoAP Content-Formats Registry . . . . . . . . . . . . . 50 | 11.4. CoAP Content-Formats Registry | |||
11.5. CBOR Tags Registry . . . . . . . . . . . . . . . . . . . 50 | 11.5. CBOR Tags Registry | |||
11.6. Expert Review Instructions . . . . . . . . . . . . . . . 51 | 11.6. Expert Review Instructions | |||
12. Security Considerations . . . . . . . . . . . . . . . . . . . 52 | 12. Security Considerations | |||
13. Implementation Status . . . . . . . . . . . . . . . . . . . . 53 | 13. References | |||
13.1. Author's Versions . . . . . . . . . . . . . . . . . . . 54 | 13.1. Normative References | |||
13.2. JavaScript Version . . . . . . . . . . . . . . . . . . . 55 | 13.2. Informative References | |||
13.3. Python Version . . . . . . . . . . . . . . . . . . . . . 55 | ||||
13.4. COSE Testing Library . . . . . . . . . . . . . . . . . . 55 | ||||
14. References . . . . . . . . . . . . . . . . . . . . . . . . . 56 | ||||
14.1. Normative References . . . . . . . . . . . . . . . . . . 56 | ||||
14.2. Informative References . . . . . . . . . . . . . . . . . 56 | ||||
Appendix A. Guidelines for External Data Authentication of | Appendix A. Guidelines for External Data Authentication of | |||
Algorithms . . . . . . . . . . . . . . . . . . . . . . . 60 | Algorithms | |||
Appendix B. Two Layers of Recipient Information . . . . . . . . 63 | Appendix B. Two Layers of Recipient Information | |||
Appendix C. Examples . . . . . . . . . . . . . . . . . . . . . . 65 | Appendix C. Examples | |||
C.1. Examples of Signed Messages . . . . . . . . . . . . . . . 66 | C.1. Examples of Signed Messages | |||
C.1.1. Single Signature . . . . . . . . . . . . . . . . . . 66 | C.1.1. Single Signature | |||
C.1.2. Multiple Signers . . . . . . . . . . . . . . . . . . 67 | C.1.2. Multiple Signers | |||
C.1.3. Signature with Criticality . . . . . . . . . . . . . 68 | C.1.3. Signature with Criticality | |||
C.2. Single Signer Examples . . . . . . . . . . . . . . . . . 69 | C.2. Single Signer Examples | |||
C.2.1. Single ECDSA Signature . . . . . . . . . . . . . . . 69 | C.2.1. Single ECDSA Signature | |||
C.3. Examples of Enveloped Messages . . . . . . . . . . . . . 70 | C.3. Examples of Enveloped Messages | |||
C.3.1. Direct ECDH . . . . . . . . . . . . . . . . . . . . . 70 | C.3.1. Direct ECDH | |||
C.3.2. Direct Plus Key Derivation . . . . . . . . . . . . . 71 | C.3.2. Direct Plus Key Derivation | |||
C.3.3. Encrypted Content with External Data . . . . . . . . 72 | C.3.3. Encrypted Content with External Data | |||
C.4. Examples of Encrypted Messages . . . . . . . . . . . . . 73 | C.4. Examples of Encrypted Messages | |||
C.4.1. Simple Encrypted Message . . . . . . . . . . . . . . 73 | C.4.1. Simple Encrypted Message | |||
C.4.2. Encrypted Message with a Partial IV . . . . . . . . . 74 | C.4.2. Encrypted Message with a Partial IV | |||
C.5. Examples of MACed Messages . . . . . . . . . . . . . . . 74 | C.5. Examples of MACed Messages | |||
C.5.1. Shared Secret Direct MAC . . . . . . . . . . . . . . 74 | C.5.1. Shared Secret Direct MAC | |||
C.5.2. ECDH Direct MAC . . . . . . . . . . . . . . . . . . . 75 | C.5.2. ECDH Direct MAC | |||
C.5.3. Wrapped MAC . . . . . . . . . . . . . . . . . . . . . 76 | C.5.3. Wrapped MAC | |||
C.5.4. Multi-Recipient MACed Message . . . . . . . . . . . . 77 | C.5.4. Multi-Recipient MACed Message | |||
C.6. Examples of MAC0 Messages . . . . . . . . . . . . . . . . 78 | C.6. Examples of MAC0 Messages | |||
C.6.1. Shared Secret Direct MAC . . . . . . . . . . . . . . 78 | C.6.1. Shared-Secret Direct MAC | |||
C.7. COSE Keys . . . . . . . . . . . . . . . . . . . . . . . . 79 | C.7. COSE Keys | |||
C.7.1. Public Keys . . . . . . . . . . . . . . . . . . . . . 79 | C.7.1. Public Keys | |||
C.7.2. Private Keys . . . . . . . . . . . . . . . . . . . . 80 | C.7.2. Private Keys | |||
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 82 | Acknowledgments | |||
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 83 | Author's Address | |||
1. Introduction | 1. Introduction | |||
There has been an increased focus on small, constrained devices that | There has been an increased focus on small, constrained devices that | |||
make up the Internet of Things (IoT). One of the standards that has | make up the Internet of Things (IoT). One of the standards that has | |||
come out of this process is "Concise Binary Object Representation | come out of this process is "Concise Binary Object Representation | |||
(CBOR)" [I-D.ietf-cbor-7049bis]. CBOR extended the data model of the | (CBOR)" [RFC8949]. CBOR extended the data model of the JavaScript | |||
JavaScript Object Notation (JSON) [STD90] by allowing for binary | Object Notation (JSON) [STD90] by allowing for binary data, among | |||
data, among other changes. CBOR has been adopted by several of the | other changes. CBOR has been adopted by several of the IETF working | |||
IETF working groups dealing with the IoT world as their encoding of | groups dealing with the IoT world as their encoding of data | |||
data structures. CBOR was designed specifically both to be small in | structures. CBOR was designed specifically to be small in terms of | |||
terms of messages transported and implementation size and to be a | both messages transported and implementation size and to be a schema- | |||
schema-free decoder. A need exists to provide message security | free decoder. A need exists to provide message security services for | |||
services for IoT, and using CBOR as the message-encoding format makes | IoT, and using CBOR as the message-encoding format makes sense. | |||
sense. | ||||
The JOSE working group produced a set of documents [RFC7515] | The JOSE Working Group produced a set of documents [RFC7515] | |||
[RFC7516] [RFC7517] [RFC7518] that specified how to process | [RFC7516] [RFC7517] [RFC7518] that specified how to process | |||
encryption, signatures, and Message Authentication Code (MAC) | encryption, signatures, and Message Authentication Code (MAC) | |||
operations and how to encode keys using JSON. This document defines | operations and how to encode keys using JSON. This document defines | |||
the CBOR Object Signing and Encryption (COSE) standard, which does | the CBOR Object Signing and Encryption (COSE) standard, which does | |||
the same thing for the CBOR encoding format. This document is | the same thing for the CBOR encoding format. This document is | |||
combined with [I-D.ietf-cose-rfc8152bis-algs] which provides an | combined with [RFC9053], which provides an initial set of algorithms. | |||
initial set of algorithms. While there is a strong attempt to keep | While there is a strong attempt to keep the flavor of the original | |||
the flavor of the original JSON Object Signing and Encryption (JOSE) | JSON Object Signing and Encryption (JOSE) documents, two | |||
documents, two considerations are taken into account: | considerations are taken into account: | |||
* CBOR has capabilities that are not present in JSON and are | * CBOR has capabilities that are not present in JSON and are | |||
appropriate to use. One example of this is the fact that CBOR has | appropriate to use. One example of this is the fact that CBOR has | |||
a method of encoding binary directly without first converting it | a method of encoding binary directly without first converting it | |||
into a base64-encoded text string. | into a base64-encoded text string. | |||
* COSE is not a direct copy of the JOSE specification. In the | * COSE is not a direct copy of the JOSE specification. In the | |||
process of creating COSE, decisions that were made for JOSE were | process of creating COSE, decisions that were made for JOSE were | |||
re-examined. In many cases, different results were decided on as | re-examined. In many cases, different results were decided on, as | |||
the criteria were not always the same. | the criteria were not always the same. | |||
This document contains: | This document contains: | |||
* The description of the structure for the CBOR objects which are | * The description of the structure for the CBOR objects that are | |||
transmitted over the wire. Two objects are defined for each of | transmitted over the wire. Two objects each are defined for | |||
encryption, signing and message authentication. One object is | encryption, signing, and message authentication. One object is | |||
defined for transporting keys and one for transporting groups of | defined for transporting keys and one for transporting groups of | |||
keys. | keys. | |||
* The procedures used to build the inputs to the cryptographic | * The procedures used to build the inputs to the cryptographic | |||
functions required for each of the structures. | functions required for each of the structures. | |||
* A set of attributes that apply to the different security objects. | * A set of attributes that apply to the different security objects. | |||
This document does not contain the rules and procedures for using | This document does not contain the rules and procedures for using | |||
specific cryptographic algorithms. Details on specific algorithms | specific cryptographic algorithms. Details on specific algorithms | |||
can be found in [I-D.ietf-cose-rfc8152bis-algs] and [RFC8230]. | can be found in [RFC9053] and [RFC8230]. Details for additional | |||
Details for additional algorithms are expected to be defined in | algorithms are expected to be defined in future documents. | |||
future documents. | ||||
COSE was initially designed as part of a solution to provide security | COSE was initially designed as part of a solution to provide security | |||
to Constrained RESTful Environments (CoRE), and this is done using | to Constrained RESTful Environments (CoRE), and this is done using | |||
[RFC8613] and [I-D.ietf-core-groupcomm-bis]. However, COSE is not | [RFC8613] and [CORE-GROUPCOMM]. However, COSE is not restricted to | |||
restricted to just these cases and can be used in any place where one | just these cases and can be used in any place where one would | |||
would consider either JOSE or CMS [RFC5652] for the purpose of | consider either JOSE or Cryptographic Message Syntax (CMS) [RFC5652] | |||
providing security services. COSE, like JOSE and CMS, is only for | for the purpose of providing security services. COSE, like JOSE and | |||
use in store and forward or offline protocols. The use of COSE in | CMS, is only for use in store-and-forward or offline protocols. The | |||
online protocols needing encryption, require that an online key | use of COSE in online protocols needing encryption requires that an | |||
establishment process be done before sending objects back and forth. | online key establishment process be done before sending objects back | |||
Any application which uses COSE for security services first needs to | and forth. Any application that uses COSE for security services | |||
determine what security services are required and then select the | first needs to determine what security services are required and then | |||
appropriate COSE structures and cryptographic algorithms based on | select the appropriate COSE structures and cryptographic algorithms | |||
those needs. Section 10 provides additional information on what | based on those needs. Section 10 provides additional information on | |||
applications need to specify when using COSE. | what applications need to specify when using COSE. | |||
One feature that is present in CMS that is not present in this | One feature that is present in CMS that is not present in this | |||
standard is a digest structure. This omission is deliberate. It is | standard is a digest structure. This omission is deliberate. It is | |||
better for the structure to be defined in each protocol as different | better for the structure to be defined in each protocol as different | |||
protocols will want to include a different set of fields as part of | protocols will want to include a different set of fields as part of | |||
the structure. While an algorithm identifier and the digest value | the structure. While an algorithm identifier and the digest value | |||
are going to be common to all applications, the two values may not | are going to be common to all applications, the two values may not | |||
always be adjacent as the algorithm could be defined once with | always be adjacent, as the algorithm could be defined once with | |||
multiple values. Applications may additionally want to define | multiple values. Applications may additionally want to define | |||
additional data fields as part of the structure. One such | additional data fields as part of the structure. One such | |||
application-specific element would be to include a URI or other | application-specific element would be to include a URI or other | |||
pointer to where the data that is being hashed can be obtained. | pointer to where the data that is being hashed can be obtained. | |||
[I-D.ietf-cose-hash-algs] contains one such possible structure along | [RFC9054] contains one such possible structure and defines a set of | |||
with defining a set of digest algorithms. | digest algorithms. | |||
During the process of advancing COSE to Internet Standard, it was | During the process of advancing COSE to Internet Standard, it was | |||
noticed the description of the security properties of | noticed that the description of the security properties of | |||
countersignatures was incorrect for the COSE_Sign1 structure. Since | countersignatures was incorrect for the COSE_Sign1 structure. Since | |||
the security properties that were described, those of a true | the security properties that were described -- those of a true | |||
countersignature, were those that the working group desired, the | countersignature -- were those that the working group desired, the | |||
decision was made to remove all of the countersignature text from | decision was made to remove all of the countersignature text from | |||
this document and create a new document [I-D.ietf-cose-countersign] | this document and create a new document [COSE-COUNTERSIGN] to both | |||
to both deprecate the old countersignature algorithm and header | deprecate the old countersignature algorithm and header parameters | |||
parameters and to define a new algorithm and header parameters with | and define a new algorithm and header parameters with the desired | |||
the desired security properties. | security properties. | |||
1.1. Requirements Terminology | 1.1. Requirements Terminology | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
"OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in | |||
14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
capitals, as shown here. | capitals, as shown here. | |||
1.2. Changes from RFC8152 | 1.2. Changes from RFC 8152 | |||
* Split the original document into this document and | * Split the original document into this document and [RFC9053]. | |||
[I-D.ietf-cose-rfc8152bis-algs]. | ||||
* Add some text describing why there is no digest structure defined | * Added some text describing why there is no digest structure | |||
by COSE. | defined by COSE. | |||
* Text clarifications and changes in terminology. | * Made text clarifications and changes in terminology. | |||
* All of the details relating to countersignatures have been removed | * Removed all of the details relating to countersignatures and | |||
and placed in [I-D.ietf-cose-countersign]. | placed in [COSE-COUNTERSIGN]. | |||
1.3. Design Changes from JOSE | 1.3. Design Changes from JOSE | |||
* Define a single overall message structure so that encrypted, | * A single overall message structure has been defined so that | |||
signed, and MACed messages can easily be identified and still have | encrypted, signed, and MACed messages can easily be identified and | |||
a consistent view. | still have a consistent view. | |||
* Signed messages distinguish between the protected and unprotected | * Signed messages distinguish between the protected and unprotected | |||
header parameters that relate to the content and those that relate | header parameters that relate to the content and those that relate | |||
to the signature. | to the signature. | |||
* MACed messages are separated from signed messages. | * MACed messages are separated from signed messages. | |||
* MACed messages have the ability to use the same set of recipient | * MACed messages have the ability to use the same set of recipient | |||
algorithms as enveloped messages for obtaining the MAC | algorithms as enveloped messages for obtaining the MAC | |||
authentication key. | authentication key. | |||
* Use binary encodings, rather than base64url encodings, to encode | * Binary encodings are used, rather than base64url encodings, to | |||
binary data. | encode binary data. | |||
* Combine the authentication tag for encryption algorithms with the | * The authentication tag for encryption algorithms has been combined | |||
ciphertext. | with the ciphertext. | |||
* The set of cryptographic algorithms has been expanded in some | * The set of cryptographic algorithms has been expanded in some | |||
directions and trimmed in others. | directions and trimmed in others. | |||
1.4. CBOR Grammar | 1.4. CBOR Grammar | |||
There was not a standard CBOR grammar available when COSE was | There was not a standard CBOR grammar available when COSE was | |||
originally written. For that reason the CBOR data objects defined | originally written. For that reason, the CBOR data objects defined | |||
here are described in prose. Since that time CBOR Data Definition | here are described in prose. Since that time, Concise Data | |||
Language (CDDL) [RFC8610] has been published as an RFC. The CBOR | Definition Language (CDDL) [RFC8610] has been published as an RFC. | |||
grammar presented in this document is compatible with CDDL. | The CBOR grammar presented in this document is compatible with CDDL. | |||
The document was developed by first working on the grammar and then | This document was developed by first working on the grammar and then | |||
developing the prose to go with it. An artifact of this is that the | developing the prose to go with it. An artifact of this is that the | |||
prose was written using the primitive type strings defined by CBOR | prose was written using the primitive-type strings defined by Concise | |||
Data Definition Language (CDDL) [RFC8610]. In this specification, | Data Definition Language (CDDL) [RFC8610]. In this specification, | |||
the following primitive types are used: | the following primitive types are used: | |||
any -- non-specific value that permits all CBOR values to be | any: A nonspecific value that permits all CBOR values to be placed | |||
placed here. | here. | |||
bool -- a boolean value (true: major type 7, value 21; false: | bool: A boolean value (true: major type 7, value 21; false: major | |||
major type 7, value 20). | type 7, value 20). | |||
bstr -- byte string (major type 2). | bstr: Byte string (major type 2). | |||
int -- an unsigned integer or a negative integer. | int: An unsigned integer or a negative integer. | |||
nil -- a null value (major type 7, value 22). | nil: A null value (major type 7, value 22). | |||
nint -- a negative integer (major type 1). | nint: A negative integer (major type 1). | |||
tstr -- a UTF-8 text string (major type 3). | tstr: A UTF-8 text string (major type 3). | |||
uint -- an unsigned integer (major type 0). | uint: An unsigned integer (major type 0). | |||
Two syntaxes from CDDL appear in this document as shorthand. These | Two syntaxes from CDDL appear in this document as shorthand. These | |||
are: | are: | |||
FOO / BAR -- indicates that either FOO or BAR can appear here. | FOO / BAR: Indicates that either FOO or BAR can appear here. | |||
[+ FOO] -- indicates that the type FOO appears one or more times | [+ FOO]: Indicates that the type FOO appears one or more times in an | |||
in an array. | array. | |||
* FOO -- indicates that the type FOO appears zero or more times. | * FOO: Indicates that the type FOO appears zero or more times. | |||
Two of the constraints defined by CDDL are also used in this | Two of the constraints defined by CDDL are also used in this | |||
document. These are: | document. These are: | |||
type1 .cbor type2 -- indicates that the contents of type1, usually | type1 .cbor type2: Indicates that the contents of type1, usually | |||
bstr, contains a value of type2. | bstr, contains a value of type2. | |||
type1 .size integer -- indicates that the contents of type1 is | type1 .size integer: Indicates that the contents of type1 is integer | |||
integer bytes long | bytes long. | |||
As well as the prose description, a version of a CBOR grammar is | As well as the prose description, a version of a CBOR grammar is | |||
presented in CDDL. The CDDL grammar is informational; the prose | presented in CDDL. The CDDL grammar is informational; the prose | |||
description is normative. | description is normative. | |||
The collected CDDL can be extracted from the XML version of this | The collected CDDL can be extracted from the XML version of this | |||
document via the following XPath expression below. (Depending on the | document via the XPath expression below. (Depending on the XPath | |||
XPath evaluator one is using, it may be necessary to deal with > | evaluator one is using, it may be necessary to deal with > as an | |||
as an entity.) | entity.) | |||
//sourcecode[@type='CDDL']/text() | //sourcecode[@type='CDDL']/text() | |||
CDDL expects the initial non-terminal symbol to be the first symbol | CDDL expects the initial nonterminal symbol to be the first symbol in | |||
in the file. For this reason, the first fragment of CDDL is | the file. For this reason, the first fragment of CDDL is presented | |||
presented here. | here. | |||
start = COSE_Messages / COSE_Key / COSE_KeySet / Internal_Types | start = COSE_Messages / COSE_Key / COSE_KeySet / Internal_Types | |||
; This is defined to make the tool quieter: | ; This is defined to make the tool quieter: | |||
Internal_Types = Sig_structure / Enc_structure / MAC_structure | Internal_Types = Sig_structure / Enc_structure / MAC_structure | |||
The non-terminal Internal_Types is defined for dealing with the | The nonterminal Internal_Types is defined for dealing with the | |||
automated validation tools used during the writing of this document. | automated validation tools used during the writing of this document. | |||
It references those non-terminals that are used for security | It references those nonterminals that are used for security | |||
computations but are not emitted for transport. | computations but are not emitted for transport. | |||
1.5. CBOR-Related Terminology | 1.5. CBOR-Related Terminology | |||
In JSON, maps are called objects and only have one kind of map key: a | In JSON, maps are called objects and only have one kind of map key: a | |||
text string. In COSE, we use text strings, negative integers, and | text string. In COSE, we use text strings, negative integers, and | |||
unsigned integers as map keys. The integers are used for compactness | unsigned integers as map keys. The integers are used for compactness | |||
of encoding and easy comparison. The inclusion of text strings | of encoding and easy comparison. The inclusion of text strings | |||
allows for an additional range of short encoded values to be used as | allows for an additional range of short encoded values to be used as | |||
well. Since the word "key" is mainly used in its other meaning, as a | well. Since the word "key" is mainly used in its other meaning, as a | |||
cryptographic key, we use the term "label" for this usage as a map | cryptographic key, we use the term "label" for this usage as a map | |||
key. | key. | |||
The presence a label that is neither a text string or an integer, in | In a CBOR map, the presence a label that is neither a text string nor | |||
a CBOR map, is an error. Applications can either fail processing or | an integer is an error. Applications can either fail processing or | |||
process messages by ignoring incorrect labels; however, they MUST NOT | process messages by ignoring incorrect labels; however, they MUST NOT | |||
create messages with incorrect labels. | create messages with incorrect labels. | |||
A CDDL grammar fragment defines the non-terminal 'label', as in the | A CDDL grammar fragment defines the nonterminal "label", as in the | |||
previous paragraph, and 'values', which permits any value to be used. | previous paragraph, and "values", which permits any value to be used. | |||
label = int / tstr | label = int / tstr | |||
values = any | values = any | |||
1.6. Document Terminology | 1.6. Document Terminology | |||
In this document, we use the following terminology: | In this document, we use the following terminology: | |||
Byte is a synonym for octet. | Byte is a synonym for octet. | |||
Constrained Application Protocol (CoAP) is a specialized web transfer | Constrained Application Protocol (CoAP) is a specialized web transfer | |||
protocol for use in constrained systems. It is defined in [RFC7252]. | protocol for use in constrained systems. It is defined in [RFC7252]. | |||
Authenticated Encryption (AE) [RFC5116] algorithms are encryption | Authenticated Encryption (AE) [RFC5116] algorithms are encryption | |||
algorithms that provide an authentication check of the contents with | algorithms that provide an authentication check of the contents with | |||
the encryption service. An example of an AE algorithm used in COSE | the encryption service. An example of an AE algorithm used in COSE | |||
is AES Key Wrap [RFC3394]. These algorithms are used for key | is Advanced Encryption Standard (AES) Key Wrap [RFC3394]. These | |||
encryption algorithms, but AEAD algorithms would be preferred. | algorithms are used for key encryption algorithms, but Authenticated | |||
Encryption with Associated Data (AEAD) algorithms would be preferred. | ||||
Authenticated Encryption with Associated Data (AEAD) [RFC5116] | AEAD [RFC5116] algorithms provide the same authentication service of | |||
algorithms provide the same authentication service of the content as | the content as AE algorithms do. They also allow associated data | |||
AE algorithms do. They also allow for associated data to be included | that is not part of the encrypted body to be included in the | |||
in the authentication service, but which is not part of the encrypted | authentication service. An example of an AEAD algorithm used in COSE | |||
body. An example of an AEAD algorithm used in COSE is AES-GCM | is AES in Galois/Counter Mode (GCM) [RFC5116]. These algorithms are | |||
[RFC5116]. These algorithms are used for content encryption and can | used for content encryption and can be used for key encryption as | |||
be used for key encryption as well. | well. | |||
Context is used throughout the document to represent information that | "Context" is used throughout the document to represent information | |||
is not part of the COSE message. Information which is part of the | that is not part of the COSE message. Information that is part of | |||
context can come from several different sources including: Protocol | the context can come from several different sources, including | |||
interactions, associated key structures, and program configuration. | protocol interactions, associated key structures, and program | |||
The context to use can be implicit, identified using the 'kid | configuration. The context to use can be implicit, identified using | |||
context' header parameter defined in [RFC8613], or identified by a | the "kid context" header parameter defined in [RFC8613], or | |||
protocol-specific identifier. Context should generally be included | identified by a protocol-specific identifier. Context should | |||
in the cryptographic construction; for more details see Section 4.3. | generally be included in the cryptographic construction; for more | |||
details, see Section 4.3. | ||||
The term 'byte string' is used for sequences of bytes, while the term | The term "byte string" is used for sequences of bytes, while the term | |||
'text string' is used for sequences of characters. | "text string" is used for sequences of characters. | |||
2. Basic COSE Structure | 2. Basic COSE Structure | |||
The COSE object structure is designed so that there can be a large | The COSE object structure is designed so that there can be a large | |||
amount of common code when parsing and processing the different types | amount of common code when parsing and processing the different types | |||
of security messages. All of the message structures are built on the | of security messages. All of the message structures are built on the | |||
CBOR array type. The first three elements of the array always | CBOR array type. The first three elements of the array always | |||
contain the same information: | contain the same information: | |||
1. The protected header parameters, encoded and wrapped in a bstr. | 1. The protected header parameters, encoded and wrapped in a bstr. | |||
2. The unprotected header parameters as a map. | 2. The unprotected header parameters as a map. | |||
3. The content of the message. The content is either the plaintext | 3. The content of the message. The content is either the plaintext | |||
or the ciphertext as appropriate. The content may be detached | or the ciphertext, as appropriate. The content may be detached | |||
(i.e. transported separately from the COSE structure), but the | (i.e., transported separately from the COSE structure), but the | |||
location is still used. The content is wrapped in a bstr when | location is still used. The content is wrapped in a bstr when | |||
present and is a nil value when detached. | present and is a nil value when detached. | |||
Elements after this point are dependent on the specific message type. | Elements after this point are dependent on the specific message type. | |||
COSE messages are built using the concept of layers to separate | COSE messages are built using the concept of layers to separate | |||
different types of cryptographic concepts. As an example of how this | different types of cryptographic concepts. As an example of how this | |||
works, consider the COSE_Encrypt message (Section 5.1). This message | works, consider the COSE_Encrypt message (Section 5.1). This message | |||
type is broken into two layers: the content layer and the recipient | type is broken into two layers: the content layer and the recipient | |||
layer. The content layer contains the encrypted plaintext and | layer. The content layer contains the encrypted plaintext and | |||
information about the encrypted message. The recipient layer | information about the encrypted message. The recipient layer | |||
contains the encrypted content encryption key (CEK) and information | contains the encrypted content encryption key (CEK) and information | |||
about how it is encrypted for each recipient. A single layer version | about how it is encrypted for each recipient. A single-layer version | |||
of the encryption message COSE_Encrypt0 (Section 5.2) is provided for | of the encryption message COSE_Encrypt0 (Section 5.2) is provided for | |||
cases where the CEK is pre-shared. | cases where the CEK is preshared. | |||
Identification of which type of message has been presented is done by | Identification of which type of message has been presented is done by | |||
the following methods: | the following methods: | |||
1. The specific message type is known from the context. This may be | 1. The specific message type is known from the context. This may be | |||
defined by a marker in the containing structure or by | defined by a marker in the containing structure or by | |||
restrictions specified by the application protocol. | restrictions specified by the application protocol. | |||
2. The message type is identified by a CBOR tag. Messages with a | 2. The message type is identified by a CBOR tag. Messages with a | |||
CBOR tag are known in this specification as tagged messages, | CBOR tag are known in this specification as tagged messages, | |||
while those without the CBOR tag are known as untagged messages. | while those without the CBOR tag are known as untagged messages. | |||
This document defines a CBOR tag for each of the message | This document defines a CBOR tag for each of the message | |||
structures. These tags can be found in Table 1. | structures. These tags can be found in Table 1. | |||
3. When a COSE object is carried in a media type of 'application/ | 3. When a COSE object is carried in a media type of "application/ | |||
cose', the optional parameter 'cose-type' can be used to identify | cose", the optional parameter "cose-type" can be used to identify | |||
the embedded object. The parameter is OPTIONAL if the tagged | the embedded object. The parameter is OPTIONAL if the tagged | |||
version of the structure is used. The parameter is REQUIRED if | version of the structure is used. The parameter is REQUIRED if | |||
the untagged version of the structure is used. The value to use | the untagged version of the structure is used. The value to use | |||
with the parameter for each of the structures can be found in | with the parameter for each of the structures can be found in | |||
Table 1. | Table 1. | |||
4. When a COSE object is carried as a CoAP payload, the CoAP | 4. When a COSE object is carried as a CoAP payload, the CoAP | |||
Content-Format Option can be used to identify the message | Content-Format Option can be used to identify the message | |||
content. The CoAP Content-Format values can be found in Table 2. | content. The CoAP Content-Format values can be found in Table 2. | |||
The CBOR tag for the message structure is not required as each | The CBOR tag for the message structure is not required, as each | |||
security message is uniquely identified. | security message is uniquely identified. | |||
+==========+===============+===============+=======================+ | +==========+===============+===============+=======================+ | |||
| CBOR Tag | cose-type | Data Item | Semantics | | | CBOR Tag | cose-type | Data Item | Semantics | | |||
+==========+===============+===============+=======================+ | +==========+===============+===============+=======================+ | |||
| 98 | cose-sign | COSE_Sign | COSE Signed Data | | | 98 | cose-sign | COSE_Sign | COSE Signed Data | | |||
| | | | Object | | | | | | Object | | |||
+----------+---------------+---------------+-----------------------+ | +----------+---------------+---------------+-----------------------+ | |||
| 18 | cose-sign1 | COSE_Sign1 | COSE Single Signer | | | 18 | cose-sign1 | COSE_Sign1 | COSE Single Signer | | |||
| | | | Data Object | | | | | | Data Object | | |||
skipping to change at page 12, line 5 ¶ | skipping to change at line 493 ¶ | |||
+----------+---------------+---------------+-----------------------+ | +----------+---------------+---------------+-----------------------+ | |||
| 97 | cose-mac | COSE_Mac | COSE MACed Data | | | 97 | cose-mac | COSE_Mac | COSE MACed Data | | |||
| | | | Object | | | | | | Object | | |||
+----------+---------------+---------------+-----------------------+ | +----------+---------------+---------------+-----------------------+ | |||
| 17 | cose-mac0 | COSE_Mac0 | COSE Mac w/o | | | 17 | cose-mac0 | COSE_Mac0 | COSE Mac w/o | | |||
| | | | Recipients Object | | | | | | Recipients Object | | |||
+----------+---------------+---------------+-----------------------+ | +----------+---------------+---------------+-----------------------+ | |||
Table 1: COSE Message Identification | Table 1: COSE Message Identification | |||
+===========================+==========+=====+============+ | +===========================+==========+=====+===========+ | |||
| Media Type | Encoding | ID | Reference | | | Media Type | Encoding | ID | Reference | | |||
+===========================+==========+=====+============+ | +===========================+==========+=====+===========+ | |||
| application/cose; cose- | | 98 | [[THIS | | | application/cose; cose- | | 98 | RFC 9052 | | |||
| type="cose-sign" | | | DOCUMENT]] | | | type="cose-sign" | | | | | |||
+---------------------------+----------+-----+------------+ | +---------------------------+----------+-----+-----------+ | |||
| application/cose; cose- | | 18 | [[THIS | | | application/cose; cose- | | 18 | RFC 9052 | | |||
| type="cose-sign1" | | | DOCUMENT]] | | | type="cose-sign1" | | | | | |||
+---------------------------+----------+-----+------------+ | +---------------------------+----------+-----+-----------+ | |||
| application/cose; cose- | | 96 | [[THIS | | | application/cose; cose- | | 96 | RFC 9052 | | |||
| type="cose-encrypt" | | | DOCUMENT]] | | | type="cose-encrypt" | | | | | |||
+---------------------------+----------+-----+------------+ | +---------------------------+----------+-----+-----------+ | |||
| application/cose; cose- | | 16 | [[THIS | | | application/cose; cose- | | 16 | RFC 9052 | | |||
| type="cose-encrypt0" | | | DOCUMENT]] | | | type="cose-encrypt0" | | | | | |||
+---------------------------+----------+-----+------------+ | +---------------------------+----------+-----+-----------+ | |||
| application/cose; cose- | | 97 | [[THIS | | | application/cose; cose- | | 97 | RFC 9052 | | |||
| type="cose-mac" | | | DOCUMENT]] | | | type="cose-mac" | | | | | |||
+---------------------------+----------+-----+------------+ | +---------------------------+----------+-----+-----------+ | |||
| application/cose; cose- | | 17 | [[THIS | | | application/cose; cose- | | 17 | RFC 9052 | | |||
| type="cose-mac0" | | | DOCUMENT]] | | | type="cose-mac0" | | | | | |||
+---------------------------+----------+-----+------------+ | +---------------------------+----------+-----+-----------+ | |||
| application/cose-key | | 101 | [[THIS | | | application/cose-key | | 101 | RFC 9052 | | |||
| | | | DOCUMENT]] | | +---------------------------+----------+-----+-----------+ | |||
+---------------------------+----------+-----+------------+ | | application/cose-key-set | | 102 | RFC 9052 | | |||
| application/cose-key-set | | 102 | [[THIS | | +---------------------------+----------+-----+-----------+ | |||
| | | | DOCUMENT]] | | ||||
+---------------------------+----------+-----+------------+ | ||||
Table 2: CoAP Content-Formats for COSE | Table 2: CoAP Content-Formats for COSE | |||
The following CDDL fragment identifies all of the top messages | The following CDDL fragment identifies all of the top messages | |||
defined in this document. Separate non-terminals are defined for the | defined in this document. Separate nonterminals are defined for the | |||
tagged and the untagged versions of the messages. | tagged and untagged versions of the messages. | |||
COSE_Messages = COSE_Untagged_Message / COSE_Tagged_Message | COSE_Messages = COSE_Untagged_Message / COSE_Tagged_Message | |||
COSE_Untagged_Message = COSE_Sign / COSE_Sign1 / | COSE_Untagged_Message = COSE_Sign / COSE_Sign1 / | |||
COSE_Encrypt / COSE_Encrypt0 / | COSE_Encrypt / COSE_Encrypt0 / | |||
COSE_Mac / COSE_Mac0 | COSE_Mac / COSE_Mac0 | |||
COSE_Tagged_Message = COSE_Sign_Tagged / COSE_Sign1_Tagged / | COSE_Tagged_Message = COSE_Sign_Tagged / COSE_Sign1_Tagged / | |||
COSE_Encrypt_Tagged / COSE_Encrypt0_Tagged / | COSE_Encrypt_Tagged / COSE_Encrypt0_Tagged / | |||
COSE_Mac_Tagged / COSE_Mac0_Tagged | COSE_Mac_Tagged / COSE_Mac0_Tagged | |||
skipping to change at page 13, line 18 ¶ | skipping to change at line 548 ¶ | |||
information that are not considered to be part of the payload itself, | information that are not considered to be part of the payload itself, | |||
but are used for holding information about content, algorithms, keys, | but are used for holding information about content, algorithms, keys, | |||
or evaluation hints for the processing of the layer. These two | or evaluation hints for the processing of the layer. These two | |||
buckets are available for use in all of the structures except for | buckets are available for use in all of the structures except for | |||
keys. While these buckets are present, they may not always be usable | keys. While these buckets are present, they may not always be usable | |||
in all instances. For example, while the protected bucket is defined | in all instances. For example, while the protected bucket is defined | |||
as part of the recipient structure, some of the algorithms used for | as part of the recipient structure, some of the algorithms used for | |||
recipient structures do not provide for authenticated data. If this | recipient structures do not provide for authenticated data. If this | |||
is the case, the protected bucket is left empty. | is the case, the protected bucket is left empty. | |||
Both buckets are implemented as CBOR maps. The map key is a 'label' | Both buckets are implemented as CBOR maps. The map key is a "label" | |||
(Section 1.5). The value portion is dependent on the definition for | (Section 1.5). The value portion is dependent on the definition for | |||
the label. Both maps use the same set of label/value pairs. The | the label. Both maps use the same set of label/value pairs. The | |||
integer and text string values for labels have been divided into | integer and text-string values for labels have been divided into | |||
several sections including a standard range, a private range, and a | several sections, including a standard range, a private range, and a | |||
range that is dependent on the algorithm selected. The defined | range that is dependent on the algorithm selected. The defined | |||
labels can be found in the "COSE Header Parameters" IANA registry | labels can be found in the "COSE Header Parameters" IANA registry | |||
(Section 11.1). | (Section 11.1). | |||
The two buckets are: | The two buckets are: | |||
protected: Contains parameters about the current layer that are | protected: Contains parameters about the current layer that are | |||
cryptographically protected. This bucket MUST be empty if it is | cryptographically protected. This bucket MUST be empty if it is | |||
not going to be included in a cryptographic computation. This | not going to be included in a cryptographic computation. This | |||
bucket is encoded in the message as a binary object. This value | bucket is encoded in the message as a binary object. This value | |||
is obtained by CBOR encoding the protected map and wrapping it in | is obtained by CBOR encoding the protected map and wrapping it in | |||
a bstr object. Senders SHOULD encode a zero-length map as a zero- | a bstr object. Senders SHOULD encode a zero-length map as a zero- | |||
length byte string rather than as a zero-length map (encoded as | length byte string rather than as a zero-length map (encoded as | |||
h'a0'). The zero-length binary encoding is preferred because it | h'a0'). The zero-length binary encoding is preferred, because it | |||
is both shorter and the version used in the serialization | is both shorter and the version used in the serialization | |||
structures for cryptographic computation. Recipients MUST accept | structures for cryptographic computation. Recipients MUST accept | |||
both a zero-length byte string and a zero-length map encoded in a | both a zero-length byte string and a zero-length map encoded in a | |||
byte string. | byte string. | |||
Wrapping the encoding with a byte string allows for the protected | Wrapping the encoding with a byte string allows the protected map | |||
map to be transported with a greater chance that it will not be | to be transported with a greater chance that it will not be | |||
altered accidentally in transit. (Badly behaved intermediates | altered accidentally in transit. (Badly behaved intermediates | |||
could decode and re-encode, but this will result in a failure to | could decode and re-encode, but this will result in a failure to | |||
verify unless the re-encoded byte string is identical to the | verify unless the re-encoded byte string is identical to the | |||
decoded byte string.) This avoids the problem of all parties | decoded byte string.) This avoids the problem of all parties | |||
needing to be able to do a common canonical encoding of the map | needing to be able to do a common canonical encoding of the map | |||
for input to cyprtographic operations. | for input to crytographic operations. | |||
unprotected: Contains parameters about the current layer that are | unprotected: Contains parameters about the current layer that are | |||
not cryptographically protected. | not cryptographically protected. | |||
Only header parameters that deal with the current layer are to be | Only header parameters that deal with the current layer are to be | |||
placed at that layer. As an example of this, the header parameter | placed at that layer. As an example of this, the header parameter | |||
'content type' describes the content of the message being carried in | "content type" describes the content of the message being carried in | |||
the message. As such, this header parameter is placed only in the | the message. As such, this header parameter is placed only in the | |||
content layer and is not placed in the recipient or signature layers. | content layer and is not placed in the recipient or signature layers. | |||
In principle, one should be able to process any given layer without | In principle, one should be able to process any given layer without | |||
reference to any other layer. With the exception of the COSE_Sign | reference to any other layer. With the exception of the COSE_Sign | |||
structure, the only data that needs to cross layers is the | structure, the only data that needs to cross layers is the | |||
cryptographic key. | cryptographic key. | |||
The buckets are present in all of the security objects defined in | The buckets are present in all of the security objects defined in | |||
this document. The fields in order are the 'protected' bucket (as a | this document. The fields, in order, are the "protected" bucket (as | |||
CBOR 'bstr' type) and then the 'unprotected' bucket (as a CBOR 'map' | a CBOR "bstr" type) and then the "unprotected" bucket (as a CBOR | |||
type). The presence of both buckets is required. The header | "map" type). The presence of both buckets is required. The header | |||
parameters that go into the buckets come from the IANA "COSE Header | parameters that go into the buckets come from the IANA "COSE Header | |||
Parameters" registry (Section 11.1). Some header parameters are | Parameters" registry (Section 11.1). Some header parameters are | |||
defined in the next section. | defined in the next section. | |||
Labels in each of the maps MUST be unique. When processing messages, | Labels in each of the maps MUST be unique. When processing messages, | |||
if a label appears multiple times, the message MUST be rejected as | if a label appears multiple times, the message MUST be rejected as | |||
malformed. Applications SHOULD verify that the same label does not | malformed. Applications SHOULD verify that the same label does not | |||
occur in both the protected and unprotected header parameters. If | occur in both the protected and unprotected header parameters. If | |||
the message is not rejected as malformed, attributes MUST be obtained | the message is not rejected as malformed, attributes MUST be obtained | |||
from the protected bucket, and only if not found are attributes | from the protected bucket, and only if not found are attributes | |||
obtained from the unprotected bucket. | obtained from the unprotected bucket. | |||
The following CDDL fragment represents the two header parameter | The following CDDL fragment represents the two header-parameter | |||
buckets. A group "Headers" is defined in CDDL that represents the | buckets. A group "Headers" is defined in CDDL that represents the | |||
two buckets in which attributes are placed. This group is used to | two buckets in which attributes are placed. This group is used to | |||
provide these two fields consistently in all locations. A type is | provide these two fields consistently in all locations. A type is | |||
also defined that represents the map of common header parameters. | also defined that represents the map of common header parameters. | |||
Headers = ( | Headers = ( | |||
protected : empty_or_serialized_map, | protected : empty_or_serialized_map, | |||
unprotected : header_map | unprotected : header_map | |||
) | ) | |||
skipping to change at page 15, line 9 ¶ | skipping to change at line 632 ¶ | |||
Generic_Headers, | Generic_Headers, | |||
* label => values | * label => values | |||
} | } | |||
empty_or_serialized_map = bstr .cbor header_map / bstr .size 0 | empty_or_serialized_map = bstr .cbor header_map / bstr .size 0 | |||
3.1. Common COSE Header Parameters | 3.1. Common COSE Header Parameters | |||
This section defines a set of common header parameters. A summary of | This section defines a set of common header parameters. A summary of | |||
these header parameters can be found in Table 3. This table should | these header parameters can be found in Table 3. This table should | |||
be consulted to determine the value of label and the type of the | be consulted to determine the value of the label and the type of the | |||
value. | value. | |||
The set of header parameters defined in this section are: | The set of header parameters defined in this section is as follows: | |||
alg: This header parameter is used to indicate the algorithm used | alg: This header parameter is used to indicate the algorithm used | |||
for the security processing. This header parameter MUST be | for the security processing. This header parameter MUST be | |||
authenticated where the ability to do so exists. This support is | authenticated where the ability to do so exists. This support is | |||
provided by AEAD algorithms or construction (e.g. COSE_Sign and | provided by AEAD algorithms or construction (e.g., COSE_Sign and | |||
COSE_Mac0). This authentication can be done either by placing the | COSE_Mac0). This authentication can be done either by placing the | |||
header parameter in the protected header parameter bucket or as | header parameter in the protected-header-parameter bucket or as | |||
part of the externally supplied data Section 4.3). The value is | part of the externally supplied data (Section 4.3). The value is | |||
taken from the "COSE Algorithms" registry (see [COSE.Algorithms]). | taken from the "COSE Algorithms" registry (see [COSE.Algorithms]). | |||
crit: This header parameter is used to indicate which protected | crit: This header parameter is used to indicate which protected | |||
header parameters an application that is processing a message is | header parameters an application that is processing a message is | |||
required to understand. Header parameters defined in this | required to understand. Header parameters defined in this | |||
document do not need to be included as they should be understood | document do not need to be included, as they should be understood | |||
by all implementations. When present, this the 'crit' header | by all implementations. When present, the "crit" header parameter | |||
parameter MUST be placed in the protected header parameter bucket. | MUST be placed in the protected-header-parameter bucket. The | |||
The array MUST have at least one value in it. | array MUST have at least one value in it. | |||
Not all header parameter labels need to be included in the 'crit' | Not all header-parameter labels need to be included in the "crit" | |||
header parameter. The rules for deciding which header parameters | header parameter. The rules for deciding which header parameters | |||
are placed in the array are: | are placed in the array are: | |||
* Integer labels in the range of 0 to 7 SHOULD be omitted. | * Integer labels in the range of 0 to 7 SHOULD be omitted. | |||
* Integer labels in the range -1 to -128 can be omitted. | * Integer labels in the range -1 to -128 can be omitted. | |||
Algorithms can assign labels in this range where the ability to | Algorithms can assign labels in this range where the ability to | |||
process the content of the label is considered to be core to | process the content of the label is considered to be core to | |||
implementing the algorithm. Algorithms can assign labels | implementing the algorithm. Algorithms can assign labels | |||
outside of this range where the ability to process the content | outside of this range where the ability to process the content | |||
of the label is not considered to be core, but needs to be | of the label is not considered to be core but needs to be | |||
understood to correctly process this instance. Integer labels | understood to correctly process this instance. Integer labels | |||
in the range -129 to -65536 SHOULD be included as these would | in the range -129 to -65536 SHOULD be included, as these would | |||
be less common header parameters that might not be generally | be less common header parameters that might not be generally | |||
supported. | supported. | |||
* Labels for header parameters required for an application MAY be | * Labels for header parameters required for an application MAY be | |||
omitted. Applications should have a statement if the label can | omitted. Applications should have a statement if the label can | |||
be omitted. | be omitted. | |||
The header parameters indicated by 'crit' can be processed by | The header parameters indicated by "crit" can be processed by | |||
either the security library code or an application using a | either the security-library code or an application using a | |||
security library; the only requirement is that the header | security library; the only requirement is that the header | |||
parameter is processed. If the 'crit' value list includes a label | parameter is processed. If the "crit" value list includes a label | |||
for which the header parameter is not in the protected header | for which the header parameter is not in the protected-header- | |||
parameters bucket, this is a fatal error in processing the | parameters bucket, this is a fatal error in processing the | |||
message. | message. | |||
content type: This header parameter is used to indicate the content | content type: This header parameter is used to indicate the content | |||
type of the data in the payload or ciphertext fields. Integers | type of the data in the "payload" or "ciphertext" fields. | |||
are from the "CoAP Content-Formats" IANA registry table | Integers are from the "CoAP Content-Formats" IANA registry table | |||
[COAP.Formats]. Text values following the syntax of "<type- | [COAP.Formats]. Text values follow the syntax of "<type- | |||
name>/<subtype-name>" where <type-name> and <subtype-name> are | name>/<subtype-name>", where <type-name> and <subtype-name> are | |||
defined in Section 4.2 of [RFC6838]. Leading and trailing | defined in Section 4.2 of [RFC6838]. Leading and trailing | |||
whitespace is also omitted. Textual content values along with | whitespace is also omitted. Textual content values, along with | |||
parameters and subparameters can be located using the IANA "Media | parameters and subparameters, can be located using the IANA "Media | |||
Types" registry. Applications SHOULD provide this header | Types" registry. Applications SHOULD provide this header | |||
parameter if the content structure is potentially ambiguous. | parameter if the content structure is potentially ambiguous. | |||
kid: This header parameter identifies one piece of data that can be | kid: This header parameter identifies one piece of data that can be | |||
used as input to find the needed cryptographic key. The value of | used as input to find the needed cryptographic key. The value of | |||
this header parameter can be matched against the 'kid' member in a | this header parameter can be matched against the "kid" member in a | |||
COSE_Key structure. Other methods of key distribution can define | COSE_Key structure. Other methods of key distribution can define | |||
an equivalent field to be matched. Applications MUST NOT assume | an equivalent field to be matched. Applications MUST NOT assume | |||
that 'kid' values are unique. There may be more than one key with | that "kid" values are unique. There may be more than one key with | |||
the same 'kid' value, so all of the keys associated with this | the same "kid" value, so all of the keys associated with this | |||
'kid' may need to be checked. The internal structure of 'kid' | "kid" may need to be checked. The internal structure of "kid" | |||
values is not defined and cannot be relied on by applications. | values is not defined and cannot be relied on by applications. | |||
Key identifier values are hints about which key to use. This is | Key identifier values are hints about which key to use. This is | |||
not a security-critical field. For this reason, it can be placed | not a security-critical field. For this reason, it can be placed | |||
in the unprotected header parameters bucket. | in the unprotected-header-parameters bucket. | |||
IV: This header parameter holds the Initialization Vector (IV) | IV: This header parameter holds the Initialization Vector (IV) | |||
value. For some symmetric encryption algorithms, this may be | value. For some symmetric encryption algorithms, this may be | |||
referred to as a nonce. The IV can be placed in the unprotected | referred to as a nonce. The IV can be placed in the unprotected | |||
bucket as modifying the IV will cause the decryption to yield | bucket, as modifying the IV will cause the decryption to yield | |||
plaintext that is readily detectable as garbled. | plaintext that is readily detectable as garbled. | |||
Partial IV: This header parameter holds a part of the IV value. | Partial IV: This header parameter holds a part of the IV value. | |||
When using the COSE_Encrypt0 structure, a portion of the IV can be | When using the COSE_Encrypt0 structure, a portion of the IV can be | |||
part of the context associated with the key (Context IV) while a | part of the context associated with the key (Context IV), while a | |||
portion can be changed with each message (Partial IV). This field | portion can be changed with each message (Partial IV). This field | |||
is used to carry a value that causes the IV to be changed for each | is used to carry a value that causes the IV to be changed for each | |||
message. The Partial IV can be placed in the unprotected bucket | message. The Partial IV can be placed in the unprotected bucket, | |||
as modifying the value will cause the decryption to yield | as modifying the value will cause the decryption to yield | |||
plaintext that is readily detectable as garbled. The | plaintext that is readily detectable as garbled. The | |||
'Initialization Vector' and 'Partial Initialization Vector' header | "Initialization Vector" and "Partial Initialization Vector" header | |||
parameters MUST NOT both be present in the same security layer. | parameters MUST NOT both be present in the same security layer. | |||
The message IV is generated by the following steps: | The message IV is generated by the following steps: | |||
1. Left-pad the Partial IV with zeros to the length of IV | 1. Left-pad the Partial IV with zeros to the length of IV | |||
(determined by the algorithm). | (determined by the algorithm). | |||
2. XOR the padded Partial IV with the context IV. | 2. XOR the padded Partial IV with the Context IV. | |||
+=========+=======+========+=====================+==================+ | +=========+=======+========+=====================+==================+ | |||
| Name | Label | Value | Value Registry | Description | | | Name | Label | Value | Value Registry | Description | | |||
| | | Type | | | | | | | Type | | | | |||
+=========+=======+========+=====================+==================+ | +=========+=======+========+=====================+==================+ | |||
| alg | 1 | int / | COSE Algorithms | Cryptographic | | | alg | 1 | int / | COSE Algorithms | Cryptographic | | |||
| | | tstr | registry | algorithm to use | | | | | tstr | registry | algorithm to use | | |||
+---------+-------+--------+---------------------+------------------+ | +---------+-------+--------+---------------------+------------------+ | |||
| crit | 2 | [+ | COSE Header | Critical header | | | crit | 2 | [+ | COSE Header | Critical header | | |||
| | | label] | Parameters | parameters to be | | | | | label] | Parameters | parameters to be | | |||
skipping to change at page 17, line 42 ¶ | skipping to change at line 761 ¶ | |||
+---------+-------+--------+---------------------+------------------+ | +---------+-------+--------+---------------------+------------------+ | |||
| Partial | 6 | bstr | | Partial | | | Partial | 6 | bstr | | Partial | | |||
| IV | | | | Initialization | | | IV | | | | Initialization | | |||
| | | | | Vector | | | | | | | Vector | | |||
+---------+-------+--------+---------------------+------------------+ | +---------+-------+--------+---------------------+------------------+ | |||
Table 3: Common Header Parameters | Table 3: Common Header Parameters | |||
The CDDL fragment that represents the set of header parameters | The CDDL fragment that represents the set of header parameters | |||
defined in this section is given below. Each of the header | defined in this section is given below. Each of the header | |||
parameters is tagged as optional because they do not need to be in | parameters is tagged as optional, because they do not need to be in | |||
every map; header parameters required in specific maps are discussed | every map; header parameters required in specific maps are discussed | |||
above. | above. | |||
Generic_Headers = ( | Generic_Headers = ( | |||
? 1 => int / tstr, ; algorithm identifier | ? 1 => int / tstr, ; algorithm identifier | |||
? 2 => [+label], ; criticality | ? 2 => [+label], ; criticality | |||
? 3 => tstr / int, ; content type | ? 3 => tstr / int, ; content type | |||
? 4 => bstr, ; key identifier | ? 4 => bstr, ; key identifier | |||
? 5 => bstr, ; IV | ? 5 => bstr, ; IV | |||
? 6 => bstr ; Partial IV | ? 6 => bstr ; Partial IV | |||
skipping to change at page 18, line 29 ¶ | skipping to change at line 789 ¶ | |||
be converted between each other; as the signature computation | be converted between each other; as the signature computation | |||
includes a parameter identifying which structure is being used, the | includes a parameter identifying which structure is being used, the | |||
converted structure will fail signature validation. | converted structure will fail signature validation. | |||
4.1. Signing with One or More Signers | 4.1. Signing with One or More Signers | |||
The COSE_Sign structure allows for one or more signatures to be | The COSE_Sign structure allows for one or more signatures to be | |||
applied to a message payload. Header parameters relating to the | applied to a message payload. Header parameters relating to the | |||
content and header parameters relating to the signature are carried | content and header parameters relating to the signature are carried | |||
along with the signature itself. These header parameters may be | along with the signature itself. These header parameters may be | |||
authenticated by the signature, or just present. An example of a | authenticated by the signature, or just be present. An example of a | |||
header parameter about the content is the content type header | header parameter about the content is the content type header | |||
parameter. An example of a header parameter about the signature | parameter. An example of a header parameter about the signature | |||
would be the algorithm and key used to create the signature. | would be the algorithm and key used to create the signature. | |||
RFC 5652 indicates that: | RFC 5652 indicates that: | |||
| When more than one signature is present, the successful validation | | When more than one signature is present, the successful validation | |||
| of one signature associated with a given signer is usually treated | | of one signature associated with a given signer is usually treated | |||
| as a successful signature by that signer. However, there are some | | as a successful signature by that signer. However, there are some | |||
| application environments where other rules are needed. An | | application environments where other rules are needed. An | |||
| application that employs a rule other than one valid signature for | | application that employs a rule other than one valid signature for | |||
| each signer must specify those rules. Also, where simple matching | | each signer must specify those rules. Also, where simple matching | |||
| of the signer identifier is not sufficient to determine whether | | of the signer identifier is not sufficient to determine whether | |||
| the signatures were generated by the same signer, the application | | the signatures were generated by the same signer, the application | |||
| specification must describe how to determine which signatures were | | specification must describe how to determine which signatures were | |||
| generated by the same signer. Support for different communities | | generated by the same signer. Support of different communities of | |||
| of recipients is the primary reason that signers choose to include | | recipients is the primary reason that signers choose to include | |||
| more than one signature. | | more than one signature. | |||
For example, the COSE_Sign structure might include signatures | For example, the COSE_Sign structure might include signatures | |||
generated with the Edwards-curve Digital Signature Algorithm (EdDSA) | generated with the Edwards-curve Digital Signature Algorithm (EdDSA) | |||
[RFC8032] and with the Elliptic Curve Digital Signature Algorithm | [RFC8032] and the Elliptic Curve Digital Signature Algorithm (ECDSA) | |||
(ECDSA) [DSS]. This allows recipients to verify the signature | [DSS]. This allows recipients to verify the signature associated | |||
associated with one algorithm or the other. More-detailed | with one algorithm or the other. More detailed information on | |||
information on multiple signature evaluations can be found in | multiple signature evaluations can be found in [RFC5752]. | |||
[RFC5752]. | ||||
The signature structure can be encoded as either tagged or untagged | The signature structure can be encoded as either tagged or untagged, | |||
depending on the context it will be used in. A tagged COSE_Sign | depending on the context it will be used in. A tagged COSE_Sign | |||
structure is identified by the CBOR tag 98. The CDDL fragment that | structure is identified by the CBOR tag 98. The CDDL fragment that | |||
represents this is: | represents this is: | |||
COSE_Sign_Tagged = #6.98(COSE_Sign) | COSE_Sign_Tagged = #6.98(COSE_Sign) | |||
A COSE Signed Message is defined in two parts. The CBOR object that | A COSE Signed Message is defined in two parts. The CBOR object that | |||
carries the body and information about the body is called the | carries the body and information about the body is called the | |||
COSE_Sign structure. The CBOR object that carries the signature and | COSE_Sign structure. The CBOR object that carries the signature and | |||
information about the signature is called the COSE_Signature | information about the signature is called the COSE_Signature | |||
structure. Examples of COSE Signed Messages can be found in | structure. Examples of COSE Signed Messages can be found in | |||
Appendix C.1. | Appendix C.1. | |||
The COSE_Sign structure is a CBOR array. The fields of the array in | The COSE_Sign structure is a CBOR array. The fields of the array, in | |||
order are: | order, are: | |||
protected: This is as described in Section 3. | protected: This is as described in Section 3. | |||
unprotected: This is as described in Section 3. | unprotected: This is as described in Section 3. | |||
payload: This field contains the serialized content to be signed. | payload: This field contains the serialized content to be signed. | |||
If the payload is not present in the message, the application is | If the payload is not present in the message, the application is | |||
required to supply the payload separately. The payload is wrapped | required to supply the payload separately. The payload is wrapped | |||
in a bstr to ensure that it is transported without changes. If | in a bstr to ensure that it is transported without changes. If | |||
the payload is transported separately ("detached content"), then a | the payload is transported separately ("detached content"), then a | |||
skipping to change at page 20, line 12 ¶ | skipping to change at line 867 ¶ | |||
The CDDL fragment that represents the above text for COSE_Sign | The CDDL fragment that represents the above text for COSE_Sign | |||
follows. | follows. | |||
COSE_Sign = [ | COSE_Sign = [ | |||
Headers, | Headers, | |||
payload : bstr / nil, | payload : bstr / nil, | |||
signatures : [+ COSE_Signature] | signatures : [+ COSE_Signature] | |||
] | ] | |||
The COSE_Signature structure is a CBOR array. The fields of the | The COSE_Signature structure is a CBOR array. The fields of the | |||
array in order are: | array, in order, are: | |||
protected: This is as described in Section 3. | protected: This is as described in Section 3. | |||
unprotected: This is as described in Section 3. | unprotected: This is as described in Section 3. | |||
signature: This field contains the computed signature value. The | signature: This field contains the computed signature value. The | |||
type of the field is a bstr. Algorithms MUST specify padding if | type of the field is a bstr. Algorithms MUST specify padding if | |||
the signature value is not a multiple of 8 bits. | the signature value is not a multiple of 8 bits. | |||
The CDDL fragment that represents the above text for COSE_Signature | The CDDL fragment that represents the above text for COSE_Signature | |||
skipping to change at page 20, line 34 ¶ | skipping to change at line 889 ¶ | |||
COSE_Signature = [ | COSE_Signature = [ | |||
Headers, | Headers, | |||
signature : bstr | signature : bstr | |||
] | ] | |||
4.2. Signing with One Signer | 4.2. Signing with One Signer | |||
The COSE_Sign1 signature structure is used when only one signature is | The COSE_Sign1 signature structure is used when only one signature is | |||
going to be placed on a message. The header parameters dealing with | going to be placed on a message. The header parameters dealing with | |||
the content and the signature are placed in the same pair of buckets | the content and the signature are placed in the same pair of buckets, | |||
rather than having the separation of COSE_Sign. | rather than having the separation of COSE_Sign. | |||
The structure can be encoded as either tagged or untagged depending | The structure can be encoded as either tagged or untagged depending | |||
on the context it will be used in. A tagged COSE_Sign1 structure is | on the context it will be used in. A tagged COSE_Sign1 structure is | |||
identified by the CBOR tag 18. The CDDL fragment that represents | identified by the CBOR tag 18. The CDDL fragment that represents | |||
this is: | this is: | |||
COSE_Sign1_Tagged = #6.18(COSE_Sign1) | COSE_Sign1_Tagged = #6.18(COSE_Sign1) | |||
The CBOR object that carries the body, the signature, and the | The CBOR object that carries the body, the signature, and the | |||
information about the body and signature is called the COSE_Sign1 | information about the body and signature is called the COSE_Sign1 | |||
structure. Examples of COSE_Sign1 messages can be found in | structure. Examples of COSE_Sign1 messages can be found in | |||
Appendix C.2. | Appendix C.2. | |||
The COSE_Sign1 structure is a CBOR array. The fields of the array in | The COSE_Sign1 structure is a CBOR array. The fields of the array, | |||
order are: | in order, are: | |||
protected: This is as described in Section 3. | protected: This is as described in Section 3. | |||
unprotected: This is as described in Section 3. | unprotected: This is as described in Section 3. | |||
payload: This is as described in Section 4.1. | payload: This is as described in Section 4.1. | |||
signature: This field contains the computed signature value. The | signature: This field contains the computed signature value. The | |||
type of the field is a bstr. | type of the field is a bstr. | |||
skipping to change at page 21, line 24 ¶ | skipping to change at line 928 ¶ | |||
COSE_Sign1 = [ | COSE_Sign1 = [ | |||
Headers, | Headers, | |||
payload : bstr / nil, | payload : bstr / nil, | |||
signature : bstr | signature : bstr | |||
] | ] | |||
4.3. Externally Supplied Data | 4.3. Externally Supplied Data | |||
One of the features offered in the COSE document is the ability for | One of the features offered in the COSE document is the ability for | |||
applications to provide additional data to be authenticated, but that | applications to provide additional data that is to be authenticated | |||
is not carried as part of the COSE object. The primary reason for | but is not carried as part of the COSE object. The primary reason | |||
supporting this can be seen by looking at the CoAP message structure | for supporting this can be seen by looking at the CoAP message | |||
[RFC7252], where the facility exists for options to be carried before | structure [RFC7252], where the facility exists for options to be | |||
the payload. Examples of data that can be placed in this location | carried before the payload. Examples of data that can be placed in | |||
would be the CoAP code or CoAP options. If the data is in the | this location would be the CoAP code or CoAP options. If the data is | |||
headers of the CoAP message, then it is available for proxies to help | in the headers of the CoAP message, then it is available for proxies | |||
in performing its operations. For example, the Accept Option can be | to help in performing its operations. For example, the Accept option | |||
used by a proxy to determine if an appropriate value is in the | can be used by a proxy to determine if an appropriate value is in the | |||
proxy's cache. But the sender can cause a failure at the server if a | proxy's cache. But the sender can cause a failure at the server if a | |||
proxy, or an attacker, changes the set of accept values by including | proxy, or an attacker, changes the set of Accept values by including | |||
the field in the externally supplied data. | the field in the externally supplied data. | |||
This document describes the process for using a byte array of | This document describes the process for using a byte array of | |||
externally supplied authenticated data; the method of constructing | externally supplied authenticated data; the method of constructing | |||
the byte array is a function of the application. Applications that | the byte array is a function of the application. Applications that | |||
use this feature need to define how the externally supplied | use this feature need to define how the externally supplied | |||
authenticated data is to be constructed. Such a construction needs | authenticated data is to be constructed. Such a construction needs | |||
to take into account the following issues: | to take into account the following issues: | |||
* If multiple items are included, applications need to ensure that | * If multiple items are included, applications need to ensure that | |||
the same byte string cannot be produced if there are different | the same byte string cannot be produced if there are different | |||
inputs. This would occur by concatenating the text strings 'AB' | inputs. This would occur by concatenating the text strings "AB" | |||
and 'CDE' or by concatenating the text strings 'ABC' and 'DE'. | and "CDE" or by concatenating the text strings "ABC" and "DE". | |||
This is usually addressed by making fields a fixed width and/or | This is usually addressed by making fields a fixed width and/or | |||
encoding the length of the field as part of the output. Using | encoding the length of the field as part of the output. Using | |||
options from CoAP [RFC7252] as an example, these fields use a TLV | options from CoAP [RFC7252] as an example, these fields use a TLV | |||
structure so they can be concatenated without any problems. | structure so they can be concatenated without any problems. | |||
* If multiple items are included, an order for the items needs to be | * If multiple items are included, an order for the items needs to be | |||
defined. Using options from CoAP as an example, an application | defined. Using options from CoAP as an example, an application | |||
could state that the fields are to be ordered by the option | could state that the fields are to be ordered by the option | |||
number. | number. | |||
* Applications need to ensure that the byte string is going to be | * Applications need to ensure that the byte string is going to be | |||
the same on both sides. Using options from CoAP might give a | the same on both sides. Using options from CoAP might give a | |||
problem if the same relative numbering is kept. An intermediate | problem if the same relative numbering is kept. An intermediate | |||
node could insert or remove an option, changing how the relative | node could insert or remove an option, changing how the relative | |||
number is done. An application would need to specify that the | numbering is done. An application would need to specify that the | |||
relative number must be re-encoded to be relative only to the | relative number must be re-encoded to be relative only to the | |||
options that are in the external data. | options that are in the external data. | |||
4.4. Signing and Verification Process | 4.4. Signing and Verification Process | |||
In order to create a signature, a well-defined byte string is needed. | In order to create a signature, a well-defined byte string is needed. | |||
The Sig_structure is used to create the canonical form. This signing | The Sig_structure is used to create the canonical form. This signing | |||
and verification process takes in the body information (COSE_Sign or | and verification process takes in the body information (COSE_Sign or | |||
COSE_Sign1), the signer information (COSE_Signature), and the | COSE_Sign1), the signer information (COSE_Signature), and the | |||
application data (external source). A Sig_structure is a CBOR array. | application data (external source). A Sig_structure is a CBOR array. | |||
The fields of the Sig_structure in order are: | The fields of the Sig_structure, in order, are: | |||
1. A context text string identifying the context of the signature. | 1. A context text string identifying the context of the signature. | |||
The context text string is: | The context text string is: | |||
"Signature" for signatures using the COSE_Signature structure. | "Signature" for signatures using the COSE_Signature structure. | |||
"Signature1" for signatures using the COSE_Sign1 structure. | "Signature1" for signatures using the COSE_Sign1 structure. | |||
2. The protected attributes from the body structure encoded in a | 2. The protected attributes from the body structure, encoded in a | |||
bstr type. If there are no protected attributes, a zero-length | bstr type. If there are no protected attributes, a zero-length | |||
byte string is used. | byte string is used. | |||
3. The protected attributes from the signer structure encoded in a | 3. The protected attributes from the signer structure, encoded in a | |||
bstr type. If there are no protected attributes, a zero-length | bstr type. If there are no protected attributes, a zero-length | |||
byte string is used. This field is omitted for the COSE_Sign1 | byte string is used. This field is omitted for the COSE_Sign1 | |||
signature structure. | signature structure. | |||
4. The externally supplied data from the application encoded in a | 4. The externally supplied data from the application, encoded in a | |||
bstr type. If this field is not supplied, it defaults to a zero- | bstr type. If this field is not supplied, it defaults to a zero- | |||
length byte string. (See Section 4.3 for application guidance on | length byte string. (See Section 4.3 for application guidance on | |||
constructing this field.) | constructing this field.) | |||
5. The payload to be signed encoded in a bstr type. The payload is | 5. The payload to be signed, encoded in a bstr type. The payload is | |||
placed here independent of how it is transported. | placed here, independent of how it is transported. | |||
The CDDL fragment that describes the above text is: | The CDDL fragment that describes the above text is: | |||
Sig_structure = [ | Sig_structure = [ | |||
context : "Signature" / "Signature1", | context : "Signature" / "Signature1", | |||
body_protected : empty_or_serialized_map, | body_protected : empty_or_serialized_map, | |||
? sign_protected : empty_or_serialized_map, | ? sign_protected : empty_or_serialized_map, | |||
external_aad : bstr, | external_aad : bstr, | |||
payload : bstr | payload : bstr | |||
] | ] | |||
How to compute a signature: | How to compute a signature: | |||
1. Create a Sig_structure and populate it with the appropriate | 1. Create a Sig_structure and populate it with the appropriate | |||
fields. | fields. | |||
2. Create the value ToBeSigned by encoding the Sig_structure to a | 2. Create the value ToBeSigned by encoding the Sig_structure to a | |||
byte string, using the encoding described in Section 9. | byte string, using the encoding described in Section 9. | |||
3. Call the signature creation algorithm passing in K (the key to | 3. Call the signature creation algorithm, passing in K (the key to | |||
sign with), alg (the algorithm to sign with), and ToBeSigned (the | sign with), alg (the algorithm to sign with), and ToBeSigned (the | |||
value to sign). | value to sign). | |||
4. Place the resulting signature value in the correct location. | 4. Place the resulting signature value in the correct location. | |||
This is the 'signature' field of the COSE_Signature or COSE_Sign1 | This is the "signature" field of the COSE_Signature or COSE_Sign1 | |||
structure. | structure. | |||
The steps for verifying a signature are: | The steps for verifying a signature are: | |||
1. Create a Sig_structure and populate it with the appropriate | 1. Create a Sig_structure and populate it with the appropriate | |||
fields. | fields. | |||
2. Create the value ToBeSigned by encoding the Sig_structure to a | 2. Create the value ToBeSigned by encoding the Sig_structure to a | |||
byte string, using the encoding described in Section 9. | byte string, using the encoding described in Section 9. | |||
3. Call the signature verification algorithm passing in K (the key | 3. Call the signature verification algorithm, passing in K (the key | |||
to verify with), alg (the algorithm used sign with), ToBeSigned | to verify with), alg (the algorithm used to sign with), | |||
(the value to sign), and sig (the signature to be verified). | ToBeSigned (the value to sign), and sig (the signature to be | |||
verified). | ||||
In addition to performing the signature verification, the application | In addition to performing the signature verification, the application | |||
performs the appropriate checks to ensure that the key is correctly | performs the appropriate checks to ensure that the key is correctly | |||
paired with the signing identity and that the signing identity is | paired with the signing identity and that the signing identity is | |||
authorized before performing actions. | authorized before performing actions. | |||
5. Encryption Objects | 5. Encryption Objects | |||
COSE supports two different encryption structures. COSE_Encrypt0 is | COSE supports two different encryption structures. COSE_Encrypt0 is | |||
used when a recipient structure is not needed because the key to be | used when a recipient structure is not needed because the key to be | |||
used is known implicitly. COSE_Encrypt is used the rest of the time. | used is known implicitly. COSE_Encrypt is used the rest of the time. | |||
This includes cases where there are multiple recipients or a | This includes cases where there are multiple recipients or a | |||
recipient algorithm other than direct (i.e. pre-shared secret) is | recipient algorithm other than direct (i.e., preshared secret) is | |||
used. | used. | |||
5.1. Enveloped COSE Structure | 5.1. Enveloped COSE Structure | |||
The enveloped structure allows for one or more recipients of a | The enveloped structure allows for one or more recipients of a | |||
message. There are provisions for header parameters about the | message. There are provisions for header parameters about the | |||
content and header parameters about the recipient information to be | content and header parameters about the recipient information to be | |||
carried in the message. The protected header parameters associated | carried in the message. The protected header parameters associated | |||
with the content are authenticated by the content encryption | with the content are authenticated by the content encryption | |||
algorithm. The protected header parameters associated with the | algorithm. The protected header parameters associated with the | |||
recipient are authenticated by the recipient algorithm (when the | recipient are authenticated by the recipient algorithm (when the | |||
algorithm supports it). Examples of header parameters about the | algorithm supports it). Examples of header parameters about the | |||
content are the type of the content and the content encryption | content are the type of the content and the content encryption | |||
algorithm. Examples of header parameters about the recipient are the | algorithm. Examples of header parameters about the recipient are the | |||
recipient's key identifier and the recipient's encryption algorithm. | recipient's key identifier and the recipient's encryption algorithm. | |||
The same techniques and nearly the same structure are used for | The same techniques and nearly the same structure are used for | |||
encrypting both the plaintext and the keys. This is different from | encrypting both the plaintext and the keys. This is different from | |||
the approach used by both "Cryptographic Message Syntax (CMS)" | the approach used by both "Cryptographic Message Syntax (CMS)" | |||
[RFC5652] and "JSON Web Encryption (JWE)" [RFC7516] where different | [RFC5652] and "JSON Web Encryption (JWE)" [RFC7516], where different | |||
structures are used for the content layer and for the recipient | structures are used for the content layer and the recipient layer. | |||
layer. Two structures are defined: COSE_Encrypt to hold the | Two structures are defined: COSE_Encrypt to hold the encrypted | |||
encrypted content and COSE_recipient to hold the encrypted keys for | content and COSE_recipient to hold the encrypted keys for recipients. | |||
recipients. Examples of encrypted messages can be found in | Examples of encrypted messages can be found in Appendix C.3. | |||
Appendix C.3. | ||||
The COSE_Encrypt structure can be encoded as either tagged or | The COSE_Encrypt structure can be encoded as either tagged or | |||
untagged depending on the context it will be used in. A tagged | untagged, depending on the context it will be used in. A tagged | |||
COSE_Encrypt structure is identified by the CBOR tag 96. The CDDL | COSE_Encrypt structure is identified by the CBOR tag 96. The CDDL | |||
fragment that represents this is: | fragment that represents this is: | |||
COSE_Encrypt_Tagged = #6.96(COSE_Encrypt) | COSE_Encrypt_Tagged = #6.96(COSE_Encrypt) | |||
The COSE_Encrypt structure is a CBOR array. The fields of the array | The COSE_Encrypt structure is a CBOR array. The fields of the array, | |||
in order are: | in order, are: | |||
protected: This is as described in Section 3. | protected: This is as described in Section 3. | |||
unprotected: This is as described in Section 3. | unprotected: This is as described in Section 3. | |||
ciphertext: This field contains the ciphertext encoded as a bstr. | ciphertext: This field contains the ciphertext, encoded as a bstr. | |||
If the ciphertext is to be transported independently of the | If the ciphertext is to be transported independently of the | |||
control information about the encryption process (i.e., detached | control information about the encryption process (i.e., detached | |||
content), then the field is encoded as a nil value. | content), then the field is encoded as a nil value. | |||
recipients: This field contains an array of recipient information | recipients: This field contains an array of recipient information | |||
structures. The type for the recipient information structure is a | structures. The type for the recipient information structure is a | |||
COSE_recipient. | COSE_recipient. | |||
The CDDL fragment that corresponds to the above text is: | The CDDL fragment that corresponds to the above text is: | |||
COSE_Encrypt = [ | COSE_Encrypt = [ | |||
Headers, | Headers, | |||
ciphertext : bstr / nil, | ciphertext : bstr / nil, | |||
recipients : [+COSE_recipient] | recipients : [+COSE_recipient] | |||
] | ] | |||
The COSE_recipient structure is a CBOR array. The fields of the | The COSE_recipient structure is a CBOR array. The fields of the | |||
array in order are: | array, in order, are: | |||
protected: This is as described in Section 3. | protected: This is as described in Section 3. | |||
unprotected: This is as described in Section 3. | unprotected: This is as described in Section 3. | |||
ciphertext: This field contains the encrypted key encoded as a bstr. | ciphertext: This field contains the encrypted key, encoded as a | |||
All encoded keys are symmetric keys; the binary value of the key | bstr. All encoded keys are symmetric keys; the binary value of | |||
is the content. If there is not an encrypted key, then this field | the key is the content. If there is not an encrypted key, then | |||
is encoded as a nil value. | this field is encoded as a nil value. | |||
recipients: This field contains an array of recipient information | recipients: This field contains an array of recipient information | |||
structures. The type for the recipient information structure is a | structures. The type for the recipient information structure is a | |||
COSE_recipient (an example of this can be found in Appendix B). | COSE_recipient (an example of this can be found in Appendix B). | |||
If there are no recipient information structures, this element is | If there are no recipient information structures, this element is | |||
absent. | absent. | |||
The CDDL fragment that corresponds to the above text for | The CDDL fragment that corresponds to the above text for | |||
COSE_recipient is: | COSE_recipient is: | |||
skipping to change at page 26, line 19 ¶ | skipping to change at line 1151 ¶ | |||
each recipient, using a key specific to that recipient. The details | each recipient, using a key specific to that recipient. The details | |||
of this encryption depend on which class the recipient algorithm | of this encryption depend on which class the recipient algorithm | |||
falls into. Specific details on each of the classes can be found in | falls into. Specific details on each of the classes can be found in | |||
Section 8.5. A short summary of the five content key distribution | Section 8.5. A short summary of the five content key distribution | |||
methods is: | methods is: | |||
direct: The CEK is the same as the identified previously distributed | direct: The CEK is the same as the identified previously distributed | |||
symmetric key or is derived from a previously distributed secret. | symmetric key or is derived from a previously distributed secret. | |||
No CEK is transported in the message. | No CEK is transported in the message. | |||
symmetric key-encryption keys (KEK): The CEK is encrypted using a | symmetric key-encryption keys (KEKs): The CEK is encrypted using a | |||
previously distributed symmetric KEK. Also known as key wrap. | previously distributed symmetric KEK. Also known as key wrap. | |||
key agreement: The recipient's public key and a sender's private key | key agreement: The recipient's public key and a sender's private key | |||
are used to generate a pairwise secret, a Key Derivation Function | are used to generate a pairwise secret, a Key Derivation Function | |||
(KDF) is applied to derive a key, and then the CEK is either the | (KDF) is applied to derive a key, and then the CEK is either the | |||
derived key or encrypted by the derived key. | derived key or encrypted by the derived key. | |||
key transport: The CEK is encrypted with the recipient's public key. | key transport: The CEK is encrypted with the recipient's public key. | |||
passwords: The CEK is encrypted in a KEK that is derived from a | passwords: The CEK is encrypted in a KEK that is derived from a | |||
skipping to change at page 26, line 45 ¶ | skipping to change at line 1177 ¶ | |||
The COSE_Encrypt0 encrypted structure does not have the ability to | The COSE_Encrypt0 encrypted structure does not have the ability to | |||
specify recipients of the message. The structure assumes that the | specify recipients of the message. The structure assumes that the | |||
recipient of the object will already know the identity of the key to | recipient of the object will already know the identity of the key to | |||
be used in order to decrypt the message. If a key needs to be | be used in order to decrypt the message. If a key needs to be | |||
identified to the recipient, the enveloped structure ought to be | identified to the recipient, the enveloped structure ought to be | |||
used. | used. | |||
Examples of encrypted messages can be found in Appendix C.3. | Examples of encrypted messages can be found in Appendix C.3. | |||
The COSE_Encrypt0 structure can be encoded as either tagged or | The COSE_Encrypt0 structure can be encoded as either tagged or | |||
untagged depending on the context it will be used in. A tagged | untagged, depending on the context it will be used in. A tagged | |||
COSE_Encrypt0 structure is identified by the CBOR tag 16. The CDDL | COSE_Encrypt0 structure is identified by the CBOR tag 16. The CDDL | |||
fragment that represents this is: | fragment that represents this is: | |||
COSE_Encrypt0_Tagged = #6.16(COSE_Encrypt0) | COSE_Encrypt0_Tagged = #6.16(COSE_Encrypt0) | |||
The COSE_Encrypt0 structure is a CBOR array. The fields of the array | The COSE_Encrypt0 structure is a CBOR array. The fields of the | |||
in order are: | array, in order, are: | |||
protected: This is as described in Section 3. | protected: This is as described in Section 3. | |||
unprotected: This is as described in Section 3. | unprotected: This is as described in Section 3. | |||
ciphertext: This is as described in Section 5.1. | ciphertext: This is as described in Section 5.1. | |||
The CDDL fragment for COSE_Encrypt0 that corresponds to the above | The CDDL fragment for COSE_Encrypt0 that corresponds to the above | |||
text is: | text is: | |||
skipping to change at page 27, line 25 ¶ | skipping to change at line 1206 ¶ | |||
Headers, | Headers, | |||
ciphertext : bstr / nil, | ciphertext : bstr / nil, | |||
] | ] | |||
5.3. How to Encrypt and Decrypt for AEAD Algorithms | 5.3. How to Encrypt and Decrypt for AEAD Algorithms | |||
The encryption algorithm for AEAD algorithms is fairly simple. The | The encryption algorithm for AEAD algorithms is fairly simple. The | |||
first step is to create a consistent byte string for the | first step is to create a consistent byte string for the | |||
authenticated data structure. For this purpose, we use an | authenticated data structure. For this purpose, we use an | |||
Enc_structure. The Enc_structure is a CBOR array. The fields of the | Enc_structure. The Enc_structure is a CBOR array. The fields of the | |||
Enc_structure in order are: | Enc_structure, in order, are: | |||
1. A context text string identifying the context of the | 1. A context text string identifying the context of the | |||
authenticated data structure. The context text string is: | authenticated data structure. The context text string is: | |||
"Encrypt0" for the content encryption of a COSE_Encrypt0 data | "Encrypt0" for the content encryption of a COSE_Encrypt0 data | |||
structure. | structure. | |||
"Encrypt" for the first layer of a COSE_Encrypt data structure | "Encrypt" for the first layer of a COSE_Encrypt data structure | |||
(i.e., for content encryption). | (i.e., for content encryption). | |||
"Enc_Recipient" for a recipient encoding to be placed in an | "Enc_Recipient" for a recipient encoding to be placed in a | |||
COSE_Encrypt data structure. | COSE_Encrypt data structure. | |||
"Mac_Recipient" for a recipient encoding to be placed in a | "Mac_Recipient" for a recipient encoding to be placed in a | |||
MACed message structure. | MACed message structure. | |||
"Rec_Recipient" for a recipient encoding to be placed in a | "Rec_Recipient" for a recipient encoding to be placed in a | |||
recipient structure. | recipient structure. | |||
2. The protected attributes from the body structure encoded in a | 2. The protected attributes from the body structure, encoded in a | |||
bstr type. If there are no protected attributes, a zero-length | bstr type. If there are no protected attributes, a zero-length | |||
byte string is used. | byte string is used. | |||
3. The externally supplied data from the application encoded in a | 3. The externally supplied data from the application encoded in a | |||
bstr type. If this field is not supplied, it defaults to a zero- | bstr type. If this field is not supplied, it defaults to a zero- | |||
length byte string. (See Section 4.3 for application guidance on | length byte string. (See Section 4.3 for application guidance on | |||
constructing this field.) | constructing this field.) | |||
The CDDL fragment that describes the above text is: | The CDDL fragment that describes the above text is: | |||
skipping to change at page 28, line 28 ¶ | skipping to change at line 1258 ¶ | |||
2. Encode the Enc_structure to a byte string (Additional | 2. Encode the Enc_structure to a byte string (Additional | |||
Authenticated Data (AAD)), using the encoding described in | Authenticated Data (AAD)), using the encoding described in | |||
Section 9. | Section 9. | |||
3. Determine the encryption key (K). This step is dependent on the | 3. Determine the encryption key (K). This step is dependent on the | |||
class of recipient algorithm being used. For: | class of recipient algorithm being used. For: | |||
No Recipients: The key to be used is determined by the algorithm | No Recipients: The key to be used is determined by the algorithm | |||
and key at the current layer. Examples are key transport keys | and key at the current layer. Examples are key transport keys | |||
(Section 8.5.3), key wrap keys (Section 8.5.2), or pre-shared | (Section 8.5.3), key wrap keys (Section 8.5.2), and preshared | |||
secrets. | secrets. | |||
Direct Encryption and Direct Key Agreement: The key is | Direct Encryption and Direct Key Agreement: The key is | |||
determined by the key and algorithm in the recipient | determined by the key and algorithm in the recipient | |||
structure. The encryption algorithm and size of the key to be | structure. The encryption algorithm and size of the key to be | |||
used are inputs into the KDF used for the recipient. (For | used are inputs into the KDF used for the recipient. (For | |||
direct, the KDF can be thought of as the identity operation.) | direct, the KDF can be thought of as the identity operation.) | |||
Examples of these algorithms are found in Sections 6.1.2 and | Examples of these algorithms are found in Sections 6.1.2 and | |||
6.3 of [I-D.ietf-cose-rfc8152bis-algs]. | 6.3 of [RFC9053]. | |||
Other: The key is randomly or pseudo-randomly generated. | Other: The key is randomly or pseudorandomly generated. | |||
4. Call the encryption algorithm with K (the encryption key), P (the | 4. Call the encryption algorithm with K (the encryption key), P (the | |||
plaintext), and AAD. Place the returned ciphertext into the | plaintext), and AAD. Place the returned ciphertext into the | |||
'ciphertext' field of the structure. | "ciphertext" field of the structure. | |||
5. For recipients of the message, recursively perform the encryption | 5. For recipients of the message, recursively perform the encryption | |||
algorithm for that recipient, using K (the encryption key) as the | algorithm for that recipient, using K (the encryption key) as the | |||
plaintext. | plaintext. | |||
How to decrypt a message: | How to decrypt a message: | |||
1. Create an Enc_structure and populate it with the appropriate | 1. Create an Enc_structure and populate it with the appropriate | |||
fields. | fields. | |||
2. Encode the Enc_structure to a byte string (AAD), using the | 2. Encode the Enc_structure to a byte string (AAD), using the | |||
encoding described in Section 9. | encoding described in Section 9. | |||
3. Determine the decryption key. This step is dependent on the | 3. Determine the decryption key. This step is dependent on the | |||
class of recipient algorithm being used. For: | class of recipient algorithm being used. For: | |||
No Recipients: The key to be used is determined by the algorithm | No Recipients: The key to be used is determined by the algorithm | |||
and key at the current layer. Examples are key transport keys | and key at the current layer. Examples are key transport keys | |||
(Section 8.5.3), key wrap keys (Section 8.5.2), or pre-shared | (Section 8.5.3), key wrap keys (Section 8.5.2), and preshared | |||
secrets. | secrets. | |||
Direct Encryption and Direct Key Agreement: The key is | Direct Encryption and Direct Key Agreement: The key is | |||
determined by the key and algorithm in the recipient | determined by the key and algorithm in the recipient | |||
structure. The encryption algorithm and size of the key to be | structure. The encryption algorithm and size of the key to be | |||
used are inputs into the KDF used for the recipient. (For | used are inputs into the KDF used for the recipient. (For | |||
direct, the KDF can be thought of as the identity operation.) | direct, the KDF can be thought of as the identity operation.) | |||
Other: The key is determined by decoding and decrypting one of | Other: The key is determined by decoding and decrypting one of | |||
the recipient structures. | the recipient structures. | |||
4. Call the decryption algorithm with K (the decryption key to use), | 4. Call the decryption algorithm with K (the decryption key to use), | |||
C (the ciphertext), and AAD. | C (the ciphertext), and AAD. | |||
5.4. How to Encrypt and Decrypt for AE Algorithms | 5.4. How to Encrypt and Decrypt for AE Algorithms | |||
How to encrypt a message: | How to encrypt a message: | |||
1. Verify that the 'protected' field is empty. | 1. Verify that the "protected" field is empty. | |||
2. Verify that there was no external additional authenticated data | 2. Verify that there was no external additional authenticated data | |||
supplied for this operation. | supplied for this operation. | |||
3. Determine the encryption key. This step is dependent on the | 3. Determine the encryption key. This step is dependent on the | |||
class of recipient algorithm being used. For: | class of recipient algorithm being used. For: | |||
No Recipients: The key to be used is determined by the algorithm | No Recipients: The key to be used is determined by the algorithm | |||
and key at the current layer. Examples are key transport keys | and key at the current layer. Examples are key transport keys | |||
(Section 8.5.3), key wrap keys (Section 8.5.2), or pre-shared | (Section 8.5.3), key wrap keys (Section 8.5.2), and preshared | |||
secrets. | secrets. | |||
Direct Encryption and Direct Key Agreement: The key is | Direct Encryption and Direct Key Agreement: The key is | |||
determined by the key and algorithm in the recipient | determined by the key and algorithm in the recipient | |||
structure. The encryption algorithm and size of the key to be | structure. The encryption algorithm and size of the key to be | |||
used are inputs into the KDF used for the recipient. (For | used are inputs into the KDF used for the recipient. (For | |||
direct, the KDF can be thought of as the identity operation.) | direct, the KDF can be thought of as the identity operation.) | |||
Examples of these algorithms are found in Sections 6.1.2 and | Examples of these algorithms are found in Sections 6.1.2 and | |||
6.3 of [I-D.ietf-cose-rfc8152bis-algs]. | 6.3 of [RFC9053]. | |||
Other: The key is randomly generated. | Other: The key is randomly generated. | |||
4. Call the encryption algorithm with K (the encryption key to use) | 4. Call the encryption algorithm with K (the encryption key to use) | |||
and P (the plaintext). Place the returned ciphertext into the | and P (the plaintext). Place the returned ciphertext into the | |||
'ciphertext' field of the structure. | "ciphertext" field of the structure. | |||
5. For recipients of the message, recursively perform the encryption | 5. For recipients of the message, recursively perform the encryption | |||
algorithm for that recipient, using K (the encryption key) as the | algorithm for that recipient, using K (the encryption key) as the | |||
plaintext. | plaintext. | |||
How to decrypt a message: | How to decrypt a message: | |||
1. Verify that the 'protected' field is empty. | 1. Verify that the "protected" field is empty. | |||
2. Verify that there was no external additional authenticated data | 2. Verify that there was no external additional authenticated data | |||
supplied for this operation. | supplied for this operation. | |||
3. Determine the decryption key. This step is dependent on the | 3. Determine the decryption key. This step is dependent on the | |||
class of recipient algorithm being used. For: | class of recipient algorithm being used. For: | |||
No Recipients: The key to be used is determined by the algorithm | No Recipients: The key to be used is determined by the algorithm | |||
and key at the current layer. Examples are key transport keys | and key at the current layer. Examples are key transport keys | |||
(Section 8.5.3), key wrap keys (Section 8.5.2), or pre-shared | (Section 8.5.3), key wrap keys (Section 8.5.2), and preshared | |||
secrets. | secrets. | |||
Direct Encryption and Direct Key Agreement: The key is | Direct Encryption and Direct Key Agreement: The key is | |||
determined by the key and algorithm in the recipient | determined by the key and algorithm in the recipient | |||
structure. The encryption algorithm and size of the key to be | structure. The encryption algorithm and size of the key to be | |||
used are inputs into the KDF used for the recipient. (For | used are inputs into the KDF used for the recipient. (For | |||
direct, the KDF can be thought of as the identity operation.) | direct, the KDF can be thought of as the identity operation.) | |||
Examples of these algorithms are found in Sections 6.1.2 and | Examples of these algorithms are found in Sections 6.1.2 and | |||
6.3 of [I-D.ietf-cose-rfc8152bis-algs]. | 6.3 of [RFC9053]. | |||
Other: The key is determined by decoding and decrypting one of | Other: The key is determined by decoding and decrypting one of | |||
the recipient structures. | the recipient structures. | |||
4. Call the decryption algorithm with K (the decryption key to use) | 4. Call the decryption algorithm with K (the decryption key to use) | |||
and C (the ciphertext). | and C (the ciphertext). | |||
6. MAC Objects | 6. MAC Objects | |||
COSE supports two different MAC structures. COSE_MAC0 is used when a | COSE supports two different MAC structures. COSE_MAC0 is used when a | |||
recipient structure is not needed because the key to be used is | recipient structure is not needed because the key to be used is | |||
implicitly known. COSE_MAC is used for all other cases. These | implicitly known. COSE_MAC is used for all other cases. These | |||
include a requirement for multiple recipients, the key being unknown, | include a requirement for multiple recipients, the key being unknown, | |||
or a recipient algorithm of other than direct. | or a recipient algorithm other than direct. | |||
In this section, we describe the structure and methods to be used | In this section, we describe the structure and methods to be used | |||
when doing MAC authentication in COSE. This document allows for the | when doing MAC authentication in COSE. This document allows for the | |||
use of all of the same classes of recipient algorithms as are allowed | use of all of the same classes of recipient algorithms as are allowed | |||
for encryption. | for encryption. | |||
When using MAC operations, there are two modes in which they can be | There are two modes in which MAC operations can be used. The first | |||
used. The first is just a check that the content has not been | is just a check that the content has not been changed since the MAC | |||
changed since the MAC was computed. Any class of recipient algorithm | was computed. Any class of recipient algorithm can be used for this | |||
can be used for this purpose. The second mode is to both check that | purpose. The second mode is to both check that the content has not | |||
the content has not been changed since the MAC was computed and to | been changed since the MAC was computed and use the recipient | |||
use the recipient algorithm to verify who sent it. The classes of | algorithm to verify who sent it. The classes of recipient algorithms | |||
recipient algorithms that support this are those that use a pre- | that support this are those that use a preshared secret or do static- | |||
shared secret or do static-static (SS) key agreement (without the key | static (SS) key agreement (without the key wrap step). In both of | |||
wrap step). In both of these cases, the entity that created and sent | these cases, the entity that created and sent the message MAC can be | |||
the message MAC can be validated. (This knowledge of the sender | validated. (This knowledge of the sender assumes that there are only | |||
assumes that there are only two parties involved and that you did not | two parties involved and that you did not send the message to | |||
send the message to yourself.) The origination property can be | yourself.) The origination property can be obtained with both of the | |||
obtained with both of the MAC message structures. | MAC message structures. | |||
6.1. MACed Message with Recipients | 6.1. MACed Message with Recipients | |||
The multiple recipient MACed message uses two structures: the | A multiple-recipient MACed message uses two structures: the COSE_Mac | |||
COSE_Mac structure defined in this section for carrying the body and | structure defined in this section for carrying the body and the | |||
the COSE_recipient structure (Section 5.1) to hold the key used for | COSE_recipient structure (Section 5.1) to hold the key used for the | |||
the MAC computation. Examples of MACed messages can be found in | MAC computation. Examples of MACed messages can be found in | |||
Appendix C.5. | Appendix C.5. | |||
The MAC structure can be encoded as either tagged or untagged | The MAC structure can be encoded as either tagged or untagged | |||
depending on the context it will be used in. A tagged COSE_Mac | depending on the context it will be used in. A tagged COSE_Mac | |||
structure is identified by the CBOR tag 97. The CDDL fragment that | structure is identified by the CBOR tag 97. The CDDL fragment that | |||
represents this is: | represents this is: | |||
COSE_Mac_Tagged = #6.97(COSE_Mac) | COSE_Mac_Tagged = #6.97(COSE_Mac) | |||
The COSE_Mac structure is a CBOR array. The fields of the array in | The COSE_Mac structure is a CBOR array. The fields of the array, in | |||
order are: | order, are: | |||
protected: This is as described in Section 3. | protected: This is as described in Section 3. | |||
unprotected: This is as described in Section 3. | unprotected: This is as described in Section 3. | |||
payload: This field contains the serialized content to be MACed. If | payload: This field contains the serialized content to be MACed. If | |||
the payload is not present in the message, the application is | the payload is not present in the message, the application is | |||
required to supply the payload separately. The payload is wrapped | required to supply the payload separately. The payload is wrapped | |||
in a bstr to ensure that it is transported without changes. If | in a bstr to ensure that it is transported without changes. If | |||
the payload is transported separately (i.e., detached content), | the payload is transported separately (i.e., detached content), | |||
skipping to change at page 32, line 36 ¶ | skipping to change at line 1453 ¶ | |||
6.2. MACed Messages with Implicit Key | 6.2. MACed Messages with Implicit Key | |||
In this section, we describe the structure and methods to be used | In this section, we describe the structure and methods to be used | |||
when doing MAC authentication for those cases where the recipient is | when doing MAC authentication for those cases where the recipient is | |||
implicitly known. | implicitly known. | |||
The MACed message uses the COSE_Mac0 structure defined in this | The MACed message uses the COSE_Mac0 structure defined in this | |||
section for carrying the body. Examples of MACed messages with an | section for carrying the body. Examples of MACed messages with an | |||
implicit key can be found in Appendix C.6. | implicit key can be found in Appendix C.6. | |||
The MAC structure can be encoded as either tagged or untagged | The MAC structure can be encoded as either tagged or untagged, | |||
depending on the context it will be used in. A tagged COSE_Mac0 | depending on the context it will be used in. A tagged COSE_Mac0 | |||
structure is identified by the CBOR tag 17. The CDDL fragment that | structure is identified by the CBOR tag 17. The CDDL fragment that | |||
represents this is: | represents this is: | |||
COSE_Mac0_Tagged = #6.17(COSE_Mac0) | COSE_Mac0_Tagged = #6.17(COSE_Mac0) | |||
The COSE_Mac0 structure is a CBOR array. The fields of the array in | The COSE_Mac0 structure is a CBOR array. The fields of the array, in | |||
order are: | order, are: | |||
protected: This is as described in Section 3. | protected: This is as described in Section 3. | |||
unprotected: This is as described in Section 3. | unprotected: This is as described in Section 3. | |||
payload: This is as described in Section 6.1. | payload: This is as described in Section 6.1. | |||
tag: This field contains the MAC value. | tag: This field contains the MAC value. | |||
The CDDL fragment that corresponds to the above text is: | The CDDL fragment that corresponds to the above text is: | |||
skipping to change at page 33, line 19 ¶ | skipping to change at line 1483 ¶ | |||
COSE_Mac0 = [ | COSE_Mac0 = [ | |||
Headers, | Headers, | |||
payload : bstr / nil, | payload : bstr / nil, | |||
tag : bstr, | tag : bstr, | |||
] | ] | |||
6.3. How to Compute and Verify a MAC | 6.3. How to Compute and Verify a MAC | |||
In order to get a consistent encoding of the data to be | In order to get a consistent encoding of the data to be | |||
authenticated, the MAC_structure is used to have a canonical form. | authenticated, the MAC_structure is used to have a canonical form. | |||
The MAC_structure is a CBOR array. The fields of the MAC_structure | The MAC_structure is a CBOR array. The fields of the MAC_structure, | |||
in order are: | in order, are: | |||
1. A context text string that identifies the structure that is being | 1. A context text string that identifies the structure that is being | |||
encoded. This context text string is "MAC" for the COSE_Mac | encoded. This context text string is "MAC" for the COSE_Mac | |||
structure. This context text string is "MAC0" for the COSE_Mac0 | structure. This context text string is "MAC0" for the COSE_Mac0 | |||
structure. | structure. | |||
2. The protected attributes from the COSE_MAC structure. If there | 2. The protected attributes from the COSE_MAC structure. If there | |||
are no protected attributes, a zero-length bstr is used. | are no protected attributes, a zero-length bstr is used. | |||
3. The externally supplied data from the application encoded as a | 3. The externally supplied data from the application, encoded as a | |||
bstr type. If this field is not supplied, it defaults to a zero- | bstr type. If this field is not supplied, it defaults to a zero- | |||
length byte string. (See Section 4.3 for application guidance on | length byte string. (See Section 4.3 for application guidance on | |||
constructing this field.) | constructing this field.) | |||
4. The payload to be MACed encoded in a bstr type. The payload is | 4. The payload to be MACed, encoded in a bstr type. The payload is | |||
placed here independent of how it is transported. | placed here, independent of how it is transported. | |||
The CDDL fragment that corresponds to the above text is: | The CDDL fragment that corresponds to the above text is: | |||
MAC_structure = [ | MAC_structure = [ | |||
context : "MAC" / "MAC0", | context : "MAC" / "MAC0", | |||
protected : empty_or_serialized_map, | protected : empty_or_serialized_map, | |||
external_aad : bstr, | external_aad : bstr, | |||
payload : bstr | payload : bstr | |||
] | ] | |||
The steps to compute a MAC are: | The steps to compute a MAC are: | |||
1. Create a MAC_structure and populate it with the appropriate | 1. Create a MAC_structure and populate it with the appropriate | |||
fields. | fields. | |||
2. Create the value ToBeMaced by encoding the MAC_structure to a | 2. Create the value ToBeMaced by encoding the MAC_structure to a | |||
byte string, using the encoding described in Section 9. | byte string, using the encoding described in Section 9. | |||
3. Call the MAC creation algorithm passing in K (the key to use), | 3. Call the MAC creation algorithm, passing in K (the key to use), | |||
alg (the algorithm to MAC with), and ToBeMaced (the value to | alg (the algorithm to MAC with), and ToBeMaced (the value to | |||
compute the MAC on). | compute the MAC on). | |||
4. Place the resulting MAC in the 'tag' field of the COSE_Mac or | 4. Place the resulting MAC in the "tag" field of the COSE_Mac or | |||
COSE_Mac0 structure. | COSE_Mac0 structure. | |||
5. For COSE_Mac structures, encrypt and encode the MAC key for each | 5. For COSE_Mac structures, encrypt and encode the MAC key for each | |||
recipient of the message. | recipient of the message. | |||
The steps to verify a MAC are: | The steps to verify a MAC are: | |||
1. Create a MAC_structure and populate it with the appropriate | 1. Create a MAC_structure and populate it with the appropriate | |||
fields. | fields. | |||
2. Create the value ToBeMaced by encoding the MAC_structure to a | 2. Create the value ToBeMaced by encoding the MAC_structure to a | |||
byte string, using the encoding described in Section 9. | byte string, using the encoding described in Section 9. | |||
3. For COSE_Mac structures, obtain the cryptographic key from one of | 3. For COSE_Mac structures, obtain the cryptographic key from one of | |||
the recipients of the message. | the recipients of the message. | |||
4. Call the MAC creation algorithm passing in K (the key to use), | 4. Call the MAC creation algorithm, passing in K (the key to use), | |||
alg (the algorithm to MAC with), and ToBeMaced (the value to | alg (the algorithm to MAC with), and ToBeMaced (the value to | |||
compute the MAC on). | compute the MAC on). | |||
5. Compare the MAC value to the 'tag' field of the COSE_Mac or | 5. Compare the MAC value to the "tag" field of the COSE_Mac or | |||
COSE_Mac0 structure. | COSE_Mac0 structure. | |||
7. Key Objects | 7. Key Objects | |||
A COSE Key structure is built on a CBOR map. The set of common | A COSE Key structure is built on a CBOR map. The set of common | |||
parameters that can appear in a COSE Key can be found in the IANA | parameters that can appear in a COSE Key can be found in the IANA | |||
"COSE Key Common Parameters" registry (Section 11.2). Additional | "COSE Key Common Parameters" registry (Section 11.2). Additional | |||
parameters defined for specific key types can be found in the IANA | parameters defined for specific key types can be found in the IANA | |||
"COSE Key Type Parameters" registry ([COSE.KeyParameters]). | "COSE Key Type Parameters" registry [COSE.KeyTypes]. | |||
A COSE Key Set uses a CBOR array object as its underlying type. The | A COSE Key Set uses a CBOR array object as its underlying type. The | |||
values of the array elements are COSE Keys. A COSE Key Set MUST have | values of the array elements are COSE Keys. A COSE Key Set MUST have | |||
at least one element in the array. Examples of COSE Key Sets can be | at least one element in the array. Examples of COSE Key Sets can be | |||
found in Appendix C.7. | found in Appendix C.7. | |||
Each element in a COSE Key Set MUST be processed independently. If | Each element in a COSE Key Set MUST be processed independently. If | |||
one element in a COSE Key Set is either malformed or uses a key that | one element in a COSE Key Set is either malformed or uses a key that | |||
is not understood by an application, that key is ignored and the | is not understood by an application, that key is ignored, and the | |||
other keys are processed normally. | other keys are processed normally. | |||
The element "kty" is a required element in a COSE_Key map. | The element "kty" is a required element in a COSE_Key map. | |||
The CDDL grammar describing COSE_Key and COSE_KeySet is: | The CDDL grammar describing COSE_Key and COSE_KeySet is: | |||
COSE_Key = { | COSE_Key = { | |||
1 => tstr / int, ; kty | 1 => tstr / int, ; kty | |||
? 2 => bstr, ; kid | ? 2 => bstr, ; kid | |||
? 3 => tstr / int, ; alg | ? 3 => tstr / int, ; alg | |||
skipping to change at page 35, line 25 ¶ | skipping to change at line 1585 ¶ | |||
* label => values | * label => values | |||
} | } | |||
COSE_KeySet = [+COSE_Key] | COSE_KeySet = [+COSE_Key] | |||
7.1. COSE Key Common Parameters | 7.1. COSE Key Common Parameters | |||
This document defines a set of common parameters for a COSE Key | This document defines a set of common parameters for a COSE Key | |||
object. Table 4 provides a summary of the parameters defined in this | object. Table 4 provides a summary of the parameters defined in this | |||
section. There are also parameters that are defined for specific key | section. There are also parameters that are defined for specific key | |||
types. Key-type-specific parameters can be found in | types. Key-type-specific parameters can be found in [RFC9053]. | |||
[I-D.ietf-cose-rfc8152bis-algs]. | ||||
+=========+=======+========+============+====================+ | +=========+=======+========+============+====================+ | |||
| Name | Label | CBOR | Value | Description | | | Name | Label | CBOR | Value | Description | | |||
| | | Type | Registry | | | | | | Type | Registry | | | |||
+=========+=======+========+============+====================+ | +=========+=======+========+============+====================+ | |||
| kty | 1 | tstr / | COSE Key | Identification of | | | kty | 1 | tstr / | COSE Key | Identification of | | |||
| | | int | Types | the key type | | | | | int | Types | the key type | | |||
+---------+-------+--------+------------+--------------------+ | +---------+-------+--------+------------+--------------------+ | |||
| kid | 2 | bstr | | Key identification | | | kid | 2 | bstr | | Key identification | | |||
| | | | | value -- match to | | | | | | | value -- match to | | |||
| | | | | kid in message | | | | | | | "kid" in message | | |||
+---------+-------+--------+------------+--------------------+ | +---------+-------+--------+------------+--------------------+ | |||
| alg | 3 | tstr / | COSE | Key usage | | | alg | 3 | tstr / | COSE | Key usage | | |||
| | | int | Algorithms | restriction to | | | | | int | Algorithms | restriction to | | |||
| | | | | this algorithm | | | | | | | this algorithm | | |||
+---------+-------+--------+------------+--------------------+ | +---------+-------+--------+------------+--------------------+ | |||
| key_ops | 4 | [+ | | Restrict set of | | | key_ops | 4 | [+ | | Restrict set of | | |||
| | | (tstr/ | | permissible | | | | | (tstr/ | | permissible | | |||
| | | int)] | | operations | | | | | int)] | | operations | | |||
+---------+-------+--------+------------+--------------------+ | +---------+-------+--------+------------+--------------------+ | |||
| Base IV | 5 | bstr | | Base IV to be xor- | | | Base IV | 5 | bstr | | Base IV to be xor- | | |||
skipping to change at page 36, line 11 ¶ | skipping to change at line 1619 ¶ | |||
+---------+-------+--------+------------+--------------------+ | +---------+-------+--------+------------+--------------------+ | |||
Table 4: Key Map Labels | Table 4: Key Map Labels | |||
kty: This parameter is used to identify the family of keys for this | kty: This parameter is used to identify the family of keys for this | |||
structure and, thus, the set of key-type-specific parameters to be | structure and, thus, the set of key-type-specific parameters to be | |||
found. The set of values defined in this document can be found in | found. The set of values defined in this document can be found in | |||
[COSE.KeyTypes]. This parameter MUST be present in a key object. | [COSE.KeyTypes]. This parameter MUST be present in a key object. | |||
Implementations MUST verify that the key type is appropriate for | Implementations MUST verify that the key type is appropriate for | |||
the algorithm being processed. The key type MUST be included as | the algorithm being processed. The key type MUST be included as | |||
part of the trust decision process. | part of the trust-decision process. | |||
alg: This parameter is used to restrict the algorithm that is used | alg: This parameter is used to restrict the algorithm that is used | |||
with the key. If this parameter is present in the key structure, | with the key. If this parameter is present in the key structure, | |||
the application MUST verify that this algorithm matches the | the application MUST verify that this algorithm matches the | |||
algorithm for which the key is being used. If the algorithms do | algorithm for which the key is being used. If the algorithms do | |||
not match, then this key object MUST NOT be used to perform the | not match, then this key object MUST NOT be used to perform the | |||
cryptographic operation. Note that the same key can be in a | cryptographic operation. Note that the same key can be in a | |||
different key structure with a different or no algorithm | different key structure with a different or no algorithm | |||
specified; however, this is considered to be a poor security | specified; however, this is considered to be a poor security | |||
practice. | practice. | |||
kid: This parameter is used to give an identifier for a key. The | kid: This parameter is used to give an identifier for a key. The | |||
identifier is not structured and can be anything from a user- | identifier is not structured and can be anything from a user- | |||
provided byte string to a value computed on the public portion of | provided byte string to a value computed on the public portion of | |||
the key. This field is intended for matching against a 'kid' | the key. This field is intended for matching against a "kid" | |||
parameter in a message in order to filter down the set of keys | parameter in a message in order to filter down the set of keys | |||
that need to be checked. The value of the identifier is not a | that need to be checked. The value of the identifier is not a | |||
unique value and can occur in other key objects, even for | unique value and can occur in other key objects, even for | |||
different keys. | different keys. | |||
key_ops: This parameter is defined to restrict the set of operations | key_ops: This parameter is defined to restrict the set of operations | |||
that a key is to be used for. The value of the field is an array | that a key is to be used for. The value of the field is an array | |||
of values from Table 5. Algorithms define the values of key ops | of values from Table 5. Algorithms define the values of key ops | |||
that are permitted to appear and are required for specific | that are permitted to appear and are required for specific | |||
operations. The set of values matches that in [RFC7517] and | operations. The set of values matches that in [RFC7517] and | |||
[W3C.WebCrypto]. | [W3C.WebCrypto]. | |||
Base IV: This parameter is defined to carry the base portion of an | Base IV: This parameter is defined to carry the base portion of an | |||
IV. It is designed to be used with the Partial IV header | IV. It is designed to be used with the Partial IV header | |||
parameter defined in Section 3.1. This field provides the ability | parameter defined in Section 3.1. This field provides the ability | |||
to associate a Base IV with a key that is then modified on a per | to associate a Base IV with a key that is then modified on a per- | |||
message basis with the Partial IV. | message basis with the Partial IV. | |||
Extreme care needs to be taken when using a Base IV in an | Extreme care needs to be taken when using a Base IV in an | |||
application. Many encryption algorithms lose security if the same | application. Many encryption algorithms lose security if the same | |||
IV is used twice. | IV is used twice. | |||
If different keys are derived for each sender, starting at the | If different keys are derived for each sender, starting at the | |||
same Base IV is likely to satisfy this condition. If the same key | same Base IV is likely to satisfy this condition. If the same key | |||
is used for multiple senders, then the application needs to | is used for multiple senders, then the application needs to | |||
provide for a method of dividing the IV space up between the | provide for a method of dividing the IV space up between the | |||
skipping to change at page 37, line 44 ¶ | skipping to change at line 1701 ¶ | |||
+---------+-------+----------------------------------------------+ | +---------+-------+----------------------------------------------+ | |||
| MAC | 9 | The key is used for creating MACs. | | | MAC | 9 | The key is used for creating MACs. | | |||
| create | | | | | create | | | | |||
+---------+-------+----------------------------------------------+ | +---------+-------+----------------------------------------------+ | |||
| MAC | 10 | The key is used for validating MACs. | | | MAC | 10 | The key is used for validating MACs. | | |||
| verify | | | | | verify | | | | |||
+---------+-------+----------------------------------------------+ | +---------+-------+----------------------------------------------+ | |||
Table 5: Key Operation Values | Table 5: Key Operation Values | |||
8. Taxonomy of Algorithms used by COSE | 8. Taxonomy of Algorithms Used by COSE | |||
In this section, a taxonomy of the different algorithm types that can | In this section, a taxonomy of the different algorithm types that can | |||
be used in COSE is laid out. This taxonomy should not be considered | be used in COSE is laid out. This taxonomy should not be considered | |||
to be exhaustive. New algorithms will be created which will not fit | to be exhaustive. New algorithms will be created that will not fit | |||
into this taxonomy. | into this taxonomy. | |||
8.1. Signature Algorithms | 8.1. Signature Algorithms | |||
Signature algorithms provide data origination and data integrity | Signature algorithms provide data-origination and data-integrity | |||
services. Data origination provides the ability to infer who | services. Data origination provides the ability to infer who | |||
originated the data based on who signed the data. Data integrity | originated the data based on who signed the data. Data integrity | |||
provides the ability to verify that the data has not been modified | provides the ability to verify that the data has not been modified | |||
since it was signed. | since it was signed. | |||
There are two general signature algorithm schemes. The first is | There are two general signature algorithm schemes. The first is | |||
signature with appendix. In this scheme, the message content is | signature with appendix. In this scheme, the message content is | |||
processed and a signature is produced; the signature is called the | processed and a signature is produced; the signature is called the | |||
appendix. This is the scheme used by algorithms such as ECDSA and | appendix. This is the scheme used by algorithms such as ECDSA and | |||
the RSA Probabilistic Signature Scheme (RSASSA-PSS). (In fact, the | the RSA Probabilistic Signature Scheme (RSASSA-PSS). (In fact, the | |||
SSA in RSASSA-PSS stands for Signature Scheme with Appendix.) | SSA in RSASSA-PSS stands for Signature Scheme with Appendix.) | |||
The signature functions for this scheme are: | The signature functions for this scheme are: | |||
signature = Sign(message content, key) | signature = Sign(message content, key) | |||
valid = Verification(message content, key, signature) | valid = Verification(message content, key, signature) | |||
The second scheme is signature with message recovery (an example of | The second scheme is signature with message recovery; an example of | |||
such an algorithm is [PVSig]). In this scheme, the message content | such an algorithm is [PVSig]. In this scheme, the message content is | |||
is processed, but part of it is included in the signature. Moving | processed, but part of it is included in the signature. Moving bytes | |||
bytes of the message content into the signature allows for smaller | of the message content into the signature allows for smaller | |||
signatures; the signature size is still potentially large, but the | signatures; the signature size is still potentially large, but the | |||
message content has shrunk. This has implications for systems | message content has shrunk. This has implications for systems | |||
implementing these algorithms and for applications that use them. | implementing these algorithms and applications that use them. The | |||
The first is that the message content is not fully available until | first is that the message content is not fully available until after | |||
after a signature has been validated. Until that point, the part of | a signature has been validated. Until that point, the part of the | |||
the message contained inside of the signature is unrecoverable. The | message contained inside of the signature is unrecoverable. The | |||
second is that the security analysis of the strength of the signature | second implication is that the security analysis of the strength of | |||
can be very much dependent on the structure of the message content. | the signature can be very much dependent on the structure of the | |||
Finally, in the event that multiple signatures are applied to a | message content. Finally, in the event that multiple signatures are | |||
message, all of the signature algorithms are going to be required to | applied to a message, all of the signature algorithms are going to be | |||
consume the same bytes of message content. This means that the | required to consume the same bytes of message content. This means | |||
mixing of the signature with message recovery and signature with | that the mixing of the signature-with-message-recovery and signature- | |||
appendix schemes in a single message is not supported. | with-appendix schemes in a single message is not supported. | |||
The signature functions for this scheme are: | The signature functions for this scheme are: | |||
signature, message sent = Sign(message content, key) | signature, message sent = Sign(message content, key) | |||
valid, message content = Verification(message sent, key, signature) | valid, message content = Verification(message sent, key, signature) | |||
No message recovery signature algorithms have been formally defined | No message recovery signature algorithms have been formally defined | |||
for COSE yet, and given the new constraints arising from this | for COSE yet. Given the new constraints arising from this scheme, | |||
schemes, while some of these issues have already been identified | while some of these issues have already been identified, there is a | |||
there is a high probability that additional issues will arise when | high probability that additional issues will arise when integrating | |||
integrating message recovery signature algorithms. The first | message recovery signature algorithms. The first algorithm defined | |||
algorithm defined is going to need to make decisions about these | is going to need to make decisions about these issues, and those | |||
issues and those decisions are likely to be binding on any further | decisions are likely to be binding on any further algorithms defined. | |||
algorithms defined. | ||||
We use the following terms below: | We use the following terms below: | |||
message content bytes: The byte provided by the application to be | message content bytes: The byte provided by the application to be | |||
signed. | signed. | |||
to-be-signed bytes: The byte string passed into the signature | to-be-signed bytes: The byte string passed into the signature | |||
algorithm. | algorithm. | |||
recovered bytes: The bytes recovered during the signature | recovered bytes: The bytes recovered during the signature | |||
verification process. | verification process. | |||
Some of the issues that have already been identified are: | Some of the issues that have already been identified are: | |||
* The to-be-signed bytes are not the same as the message content | * The to-be-signed bytes are not the same as the message content | |||
bytes. This is because we build a larger to-be-signed message | bytes. This is because we build a larger to-be-signed message | |||
during the signature processing. The recovered bytes length may | during the signature processing. The length of the recovered | |||
exceed the message content length, but not the length of the to- | bytes may exceed the length of the message content, but not the | |||
be-signed bytes. This may lead to privacy considerations if, for | length of the to-be-signed bytes. This may lead to privacy | |||
example, the externally supplied data contains confidential | considerations if, for example, the externally supplied data | |||
information. | contains confidential information. | |||
* There may be difficulties in determining where the recovered bytes | * There may be difficulties in determining where the recovered bytes | |||
match up with the to-be-signed bytes, because the recovered bytes | match up with the to-be-signed bytes, because the recovered bytes | |||
contains data not in the message content bytes. One possible | contain data not in the message content bytes. One possible | |||
option would be to create a padding scheme to prevent that. | option would be to create a padding scheme to prevent that. | |||
* Not all message recovery signature algorithms take the recovered | * Not all message recovery signature algorithms take the recovered | |||
bytes from the end of the to-be-signed bytes. This is a problem | bytes from the end of the to-be-signed bytes. This is a problem, | |||
because the message content bytes are at the end of the to-be- | because the message content bytes are at the end of the to-be- | |||
signed bytes. If the bytes to be recovered are taken from the | signed bytes. If the bytes to be recovered are taken from the | |||
start of the to-be-signed bytes then, by default, none of the | start of the to-be-signed bytes, then, by default, none of the | |||
message content bytes may be included in the recovered bytes. One | message content bytes may be included in the recovered bytes. One | |||
possible option to deal with this is to reverse the to-be-signed | possible option to deal with this is to reverse the to-be-signed | |||
data in the event that recovered bytes are taken from the start | data in the event that recovered bytes are taken from the start | |||
rather than end of the to-be-signed bytes. | rather than the end of the to-be-signed bytes. | |||
Signature algorithms are used with the COSE_Signature and COSE_Sign1 | Signature algorithms are used with the COSE_Signature and COSE_Sign1 | |||
structures. At the time of this writing, only signatures with | structures. At the time of this writing, only signatures with | |||
appendixes are defined for use with COSE; however, considerable | appendices are defined for use with COSE; however, considerable | |||
interest has been expressed in using a signature with message | interest has been expressed in using a signature-with-message- | |||
recovery algorithm due to the effective size reduction that is | recovery algorithm, due to the effective size reduction that is | |||
possible. | possible. | |||
8.2. Message Authentication Code (MAC) Algorithms | 8.2. Message Authentication Code (MAC) Algorithms | |||
Message Authentication Codes (MACs) provide data authentication and | Message Authentication Codes (MACs) provide data authentication and | |||
integrity protection. They provide either no or very limited data | integrity protection. They provide either no or very limited data | |||
origination. A MAC, for example, cannot be used to prove the | origination. A MAC, for example, cannot be used to prove the | |||
identity of the sender to a third party. | identity of the sender to a third party. | |||
MACs use the same scheme as signature with appendix algorithms. The | MACs use the same scheme as signature-with-appendix algorithms. The | |||
message content is processed and an authentication code is produced. | message content is processed, and an authentication code is produced. | |||
The authentication code is frequently called a tag. | The authentication code is frequently called a tag. | |||
The MAC functions are: | The MAC functions are: | |||
tag = MAC_Create(message content, key) | tag = MAC_Create(message content, key) | |||
valid = MAC_Verify(message content, key, tag) | valid = MAC_Verify(message content, key, tag) | |||
MAC algorithms can be based on either a block cipher algorithm (i.e., | MAC algorithms can be based on either a block cipher algorithm (i.e., | |||
AES-MAC) or a hash algorithm (i.e., a Hash-based Message | AES-MAC) or a hash algorithm (i.e., a Hash-based Message | |||
Authentication Code (HMAC)). [I-D.ietf-cose-rfc8152bis-algs] defines | Authentication Code (HMAC)). [RFC9053] defines a MAC algorithm using | |||
a MAC algorithm using each of these constructions. | each of these constructions. | |||
MAC algorithms are used in the COSE_Mac and COSE_Mac0 structures. | MAC algorithms are used in the COSE_Mac and COSE_Mac0 structures. | |||
8.3. Content Encryption Algorithms | 8.3. Content Encryption Algorithms | |||
Content encryption algorithms provide data confidentiality for | Content encryption algorithms provide data confidentiality for | |||
potentially large blocks of data using a symmetric key. They provide | potentially large blocks of data using a symmetric key. They provide | |||
integrity on the data that was encrypted; however, they provide | integrity on the data that was encrypted; however, they provide | |||
either no or very limited data origination. (One cannot, for | either no or very limited data origination. (One cannot, for | |||
example, be used to prove the identity of the sender to a third | example, be used to prove the identity of the sender to a third | |||
skipping to change at page 41, line 4 ¶ | skipping to change at line 1849 ¶ | |||
those that support authentication both of the content and additional | those that support authentication both of the content and additional | |||
data. The encryption process will generate some type of | data. The encryption process will generate some type of | |||
authentication value, but that value may be either explicit or | authentication value, but that value may be either explicit or | |||
implicit in terms of the algorithm definition. For simplicity's | implicit in terms of the algorithm definition. For simplicity's | |||
sake, the authentication code will normally be defined as being | sake, the authentication code will normally be defined as being | |||
appended to the ciphertext stream. The encryption functions are: | appended to the ciphertext stream. The encryption functions are: | |||
ciphertext = Encrypt(message content, key, additional data) | ciphertext = Encrypt(message content, key, additional data) | |||
valid, message content = Decrypt(ciphertext, key, additional data) | valid, message content = Decrypt(ciphertext, key, additional data) | |||
Most AEAD algorithms are logically defined as returning the message | Most AEAD algorithms are logically defined as returning the message | |||
content only if the decryption is valid. Many but not all | content only if the decryption is valid. Many, but not all, | |||
implementations will follow this convention. The message content | implementations will follow this convention. The message content | |||
MUST NOT be used if the decryption does not validate. | MUST NOT be used if the decryption does not validate. | |||
These algorithms are used in COSE_Encrypt and COSE_Encrypt0. | These algorithms are used in COSE_Encrypt and COSE_Encrypt0. | |||
8.4. Key Derivation Functions (KDFs) | 8.4. Key Derivation Functions (KDFs) | |||
KDFs are used to take some secret value and generate a different one. | KDFs are used to take some secret value and generate a different one. | |||
The secret value comes in three flavors: | The secret value comes in three flavors: | |||
* Secrets that are uniformly random: This is the type of secret that | * Secrets that are uniformly random. This is the type of secret | |||
is created by a good random number generator. | that is created by a good random number generator. | |||
* Secrets that are not uniformly random: This is type of secret that | * Secrets that are not uniformly random. This is the type of secret | |||
is created by operations like key agreement. | that is created by operations like key agreement. | |||
* Secrets that are not random: This is the type of secret that | * Secrets that are not random. This is the type of secret that | |||
people generate for things like passwords. | people generate for things like passwords. | |||
General KDFs work well with the first type of secret, can do | General KDFs work well with the first type of secret, can do | |||
reasonably well with the second type of secret, and generally do | reasonably well with the second type of secret, and generally do | |||
poorly with the last type of secret. Functions like Argon2 | poorly with the last type of secret. Functions like Argon2 | |||
[I-D.irtf-cfrg-argon2] need to be used for non-random secrets. | [CFRG-ARGON2] need to be used for nonrandom secrets. | |||
The same KDF can be set up to deal with the first two types of | The same KDF can be set up to deal with the first two types of | |||
secrets in a different way. The KDF defined in section 5.1 of | secrets in different ways. The KDF defined in Section 5.1 of | |||
[I-D.ietf-cose-rfc8152bis-algs] is such a function. This is | [RFC9053] is such a function. This is reflected in the set of | |||
reflected in the set of algorithms defined around the HMAC-based | algorithms defined around the HMAC-based Extract-and-Expand Key | |||
Extract-and-Expand Key Derivation Function (HKDF). | Derivation Function (HKDF). | |||
When using KDFs, one component that is included is context | When using KDFs, one component that is included is context | |||
information. Context information is used to allow for different | information. Context information is used to allow for different | |||
keying information to be derived from the same secret. The use of | keying information to be derived from the same secret. The use of | |||
context-based keying material is considered to be a good security | context-based keying material is considered to be a good security | |||
practice. | practice. | |||
8.5. Content Key Distribution Methods | 8.5. Content Key Distribution Methods | |||
Content key distribution methods (recipient algorithms) can be | Content key distribution methods (recipient algorithms) can be | |||
defined into a number of different classes. COSE has the ability to | defined into a number of different classes. COSE has the ability to | |||
support many classes of recipient algorithms. In this section, a | support many classes of recipient algorithms. In this section, a | |||
number of classes are listed. The names of the recipient algorithm | number of classes are listed. The names of the recipient algorithm | |||
classes used here are the same as those defined in [RFC7516]. Other | classes used here are the same as those defined in [RFC7516]. Other | |||
specifications use different terms for the recipient algorithm | specifications use different terms for the recipient algorithm | |||
classes or do not support some of the recipient algorithm classes. | classes or do not support some of the recipient algorithm classes. | |||
8.5.1. Direct Encryption | 8.5.1. Direct Encryption | |||
The direct encryption class algorithms share a secret between the | The Direct Encryption class of algorithms share a secret between the | |||
sender and the recipient that is used either directly or after | sender and the recipient that is used either directly or after | |||
manipulation as the CEK. When direct encryption mode is used, it | manipulation as the CEK. When direct-encryption mode is used, it | |||
MUST be the only mode used on the message. | MUST be the only mode used on the message. | |||
The COSE_Recipient structure for the recipient is organized as | The COSE_Recipient structure for the recipient is organized as | |||
follows: | follows: | |||
* The 'protected' field MUST be a zero-length byte string unless it | * The "protected" field MUST be a zero-length byte string unless it | |||
is used in the computation of the content key. | is used in the computation of the content key. | |||
* The 'alg' header parameter MUST be present. | * The "alg" header parameter MUST be present. | |||
* A header parameter identifying the shared secret SHOULD be | * A header parameter identifying the shared secret SHOULD be | |||
present. | present. | |||
* The 'ciphertext' field MUST be a zero-length byte string. | * The "ciphertext" field MUST be a zero-length byte string. | |||
* The 'recipients' field MUST be absent. | * The "recipients" field MUST be absent. | |||
8.5.2. Key Wrap | 8.5.2. Key Wrap | |||
In key wrap mode, the CEK is randomly generated and that key is then | In key wrap mode, the CEK is randomly generated, and that key is then | |||
encrypted by a shared secret between the sender and the recipient. | encrypted by a shared secret between the sender and the recipient. | |||
All of the currently defined key wrap algorithms for COSE are AE | All of the currently defined key wrap algorithms for COSE are AE | |||
algorithms. Key wrap mode is considered to be superior to direct | algorithms. Key wrap mode is considered to be superior to Direct | |||
encryption if the system has any capability for doing random key | Encryption if the system has any capability for doing random-key | |||
generation. This is because the shared key is used to wrap random | generation. This is because the shared key is used to wrap random | |||
data rather than data that has some degree of organization and may in | data rather than data that has some degree of organization and may in | |||
fact be repeating the same content. The use of key wrap loses the | fact be repeating the same content. The use of key wrap loses the | |||
weak data origination that is provided by the direct encryption | weak data origination that is provided by the direct-encryption | |||
algorithms. | algorithms. | |||
The COSE_Recipient structure for the recipient is organized as | The COSE_Recipient structure for the recipient is organized as | |||
follows: | follows: | |||
* The 'protected' field MUST be absent if the key wrap algorithm is | * The "protected" field MUST be absent if the key wrap algorithm is | |||
an AE algorithm. | an AE algorithm. | |||
* The 'recipients' field is normally absent, but can be used. | * The "recipients" field is normally absent but can be used. | |||
Applications MUST deal with a recipient field being present that | Applications MUST deal with a recipient field being present that | |||
has an unsupported algorithm. Failing to decrypt that specific | has an unsupported algorithm. Failing to decrypt that specific | |||
recipient is an acceptable way of dealing with it. Failing to | recipient is an acceptable way of dealing with it. Failing to | |||
process the message is not an acceptable way of dealing with it. | process the message is not an acceptable way of dealing with it. | |||
* The plaintext to be encrypted is the key from next layer down | * The plaintext to be encrypted is the key from the next layer down | |||
(usually the content layer). | (usually the content layer). | |||
* At a minimum, the 'unprotected' field MUST contain the 'alg' | * At a minimum, the "unprotected" field MUST contain the "alg" | |||
header parameter and SHOULD contain a header parameter identifying | header parameter and SHOULD contain a header parameter identifying | |||
the shared secret. | the shared secret. | |||
8.5.3. Key Transport | 8.5.3. Key Transport | |||
Key transport mode is also called key encryption mode in some | Key transport mode is also called key encryption mode in some | |||
standards. Key transport mode differs from key wrap mode in that it | standards. Key transport mode differs from key wrap mode in that it | |||
uses an asymmetric encryption algorithm rather than a symmetric | uses an asymmetric encryption algorithm rather than a symmetric | |||
encryption algorithm to protect the key. A set of key transport | encryption algorithm to protect the key. A set of key transport | |||
algorithms are defined in [RFC8230]. | algorithms is defined in [RFC8230]. | |||
When using a key transport algorithm, the COSE_Recipient structure | When using a key transport algorithm, the COSE_Recipient structure | |||
for the recipient is organized as follows: | for the recipient is organized as follows: | |||
* The 'protected' field MUST be absent. | * The "protected" field MUST be absent. | |||
* The plaintext to be encrypted is the key from the next layer down | * The plaintext to be encrypted is the key from the next layer down | |||
(usually the content layer). | (usually the content layer). | |||
* At a minimum, the 'unprotected' field MUST contain the 'alg' | * At a minimum, the "unprotected" field MUST contain the "alg" | |||
header parameter and SHOULD contain a parameter identifying the | header parameter and SHOULD contain a parameter identifying the | |||
asymmetric key. | asymmetric key. | |||
8.5.4. Direct Key Agreement | 8.5.4. Direct Key Agreement | |||
The 'direct key agreement' class of recipient algorithms uses a key | The Direct Key Agreement class of recipient algorithms uses a key | |||
agreement method to create a shared secret. A KDF is then applied to | agreement method to create a shared secret. A KDF is then applied to | |||
the shared secret to derive a key to be used in protecting the data. | the shared secret to derive a key to be used in protecting the data. | |||
This key is normally used as a CEK or MAC key, but could be used for | This key is normally used as a CEK or MAC key but could be used for | |||
other purposes if more than two layers are in use (see Appendix B). | other purposes if more than two layers are in use (see Appendix B). | |||
The most commonly used key agreement algorithm is Diffie-Hellman, but | The most commonly used key agreement algorithm is Diffie-Hellman, but | |||
other variants exist. Since COSE is designed for a store and forward | other variants exist. Since COSE is designed for a store-and-forward | |||
environment rather than an online environment, many of the DH | environment rather than an online environment, many of the DH | |||
variants cannot be used as the receiver of the message cannot provide | variants cannot be used, as the receiver of the message cannot | |||
any dynamic key material. One side effect of this is that forward | provide any dynamic key material. One side effect of this is that | |||
secrecy (see [RFC4949]) is not achievable. A static key will always | forward secrecy (see [RFC4949]) is not achievable. A static key will | |||
be used for the receiver of the COSE object. | always be used for the receiver of the COSE object. | |||
Two variants of DH that are supported are: | Two variants of DH that are supported are: | |||
Ephemeral-Static (ES) DH: where the sender of the message creates | Ephemeral-Static (ES) DH: The sender of the message creates a one- | |||
a one-time DH key and uses a static key for the recipient. The | time DH key and uses a static key for the recipient. The use of | |||
use of the ephemeral sender key means that no additional random | the ephemeral sender key means that no additional random input is | |||
input is needed as this is randomly generated for each message. | needed, as this is randomly generated for each message. | |||
Static-Static (SS) DH: where a static key is used for both the | Static-Static (SS) DH: A static key is used for both the sender and | |||
sender and the recipient. The use of static keys allows for the | the recipient. The use of static keys allows for the recipient to | |||
recipient to get a weak version of data origination for the | get a weak version of data origination for the message. When | |||
message. When static-static key agreement is used, then some | static-static key agreement is used, then some piece of unique | |||
piece of unique data for the KDF is required to ensure that a | data for the KDF is required to ensure that a different key is | |||
different key is created for each message. | created for each message. | |||
When direct key agreement mode is used, there MUST be only one | When direct key agreement mode is used, there MUST be only one | |||
recipient in the message. This method creates the key directly, and | recipient in the message. This method creates the key directly, and | |||
that makes it difficult to mix with additional recipients. If | that makes it difficult to mix with additional recipients. If | |||
multiple recipients are needed, then the version with key wrap needs | multiple recipients are needed, then the version with key wrap needs | |||
to be used. | to be used. | |||
The COSE_Recipient structure for the recipient is organized as | The COSE_Recipient structure for the recipient is organized as | |||
follows: | follows: | |||
* At a minimum, headers MUST contain the 'alg' header parameter and | * At a minimum, headers MUST contain the "alg" header parameter and | |||
SHOULD contain a header parameter identifying the recipient's | SHOULD contain a header parameter identifying the recipient's | |||
asymmetric key. | asymmetric key. | |||
* The headers SHOULD identify the sender's key for the static-static | * The headers SHOULD identify the sender's key for the static-static | |||
versions and MUST contain the sender's ephemeral key for the | versions and MUST contain the sender's ephemeral key for the | |||
ephemeral-static versions. | ephemeral-static versions. | |||
8.5.5. Key Agreement with Key Wrap | 8.5.5. Key Agreement with Key Wrap | |||
Key Agreement with Key Wrap uses a randomly generated CEK. The CEK | Key Agreement with Key Wrap uses a randomly generated CEK. The CEK | |||
is then encrypted using a key wrap algorithm and a key derived from | is then encrypted using a key wrap algorithm and a key derived from | |||
the shared secret computed by the key agreement algorithm. The | the shared secret computed by the key agreement algorithm. The | |||
function for this would be: | function for this would be: | |||
encryptedKey = KeyWrap(KDF(DH-Shared, context), CEK) | encryptedKey = KeyWrap(KDF(DH-Shared, context), CEK) | |||
The COSE_Recipient structure for the recipient is organized as | The COSE_Recipient structure for the recipient is organized as | |||
follows: | follows: | |||
* The 'protected' field is fed into the KDF context structure. | * The "protected" field is fed into the KDF context structure. | |||
* The plaintext to be encrypted is the key from the next layer down | * The plaintext to be encrypted is the key from the next layer down | |||
(usually the content layer). | (usually the content layer). | |||
* The 'alg' header parameter MUST be present in the layer. | * The "alg" header parameter MUST be present in the layer. | |||
* A header parameter identifying the recipient's key SHOULD be | * A header parameter identifying the recipient's key SHOULD be | |||
present. A header parameter identifying the sender's key SHOULD | present. A header parameter identifying the sender's key SHOULD | |||
be present. | be present. | |||
9. CBOR Encoding Restrictions | 9. CBOR Encoding Restrictions | |||
This document limits the restrictions it imposes on how the CBOR | This document limits the restrictions it imposes on how the CBOR | |||
Encoder needs to work. It has been narrowed down to the following | encoder needs to work. It has been narrowed down to the following | |||
restrictions: | restrictions: | |||
* The restriction applies to the encoding of the Sig_structure, the | * The restriction applies to the encoding of the COSE_KDF_Context, | |||
Enc_structure, and the MAC_structure. | the Sig_structure, the Enc_structure, and the MAC_structure. | |||
* Encoding MUST be done using definite lengths and the value's | * Encoding MUST be done using definite lengths, and the value's | |||
length MUST be the minimum possible length. This means that the | length MUST be the minimum possible length. This means that the | |||
integer 1 is encoded as "0x01" and not "0x1801". | integer 1 is encoded as "0x01" and not "0x1801". | |||
* Applications MUST NOT generate messages with the same label used | * Applications MUST NOT generate messages with the same label used | |||
twice as a key in a single map. Applications MUST NOT parse and | twice as a key in a single map. Applications MUST NOT parse and | |||
process messages with the same label used twice as a key in a | process messages with the same label used twice as a key in a | |||
single map. Applications can enforce the parse and process | single map. Applications can enforce the parse and process | |||
requirement by using parsers that will fail the parse step or by | requirement by using parsers that will fail the parse step or by | |||
using parsers that will pass all keys to the application, and the | using parsers that will pass all keys to the application, and the | |||
application can perform the check for duplicate keys. | application can perform the check for duplicate keys. | |||
10. Application Profiling Considerations | 10. Application Profiling Considerations | |||
This document is designed to provide a set of security services, but | This document is designed to provide a set of security services but | |||
not impose algorithm implementation requirements for specific usage. | not impose algorithm implementation requirements for specific usage. | |||
The interoperability requirements are provided for how each of the | The interoperability requirements are provided for how each of the | |||
individual services are used and how the algorithms are to be used | individual services are used and how the algorithms are to be used | |||
for interoperability. The requirements about which algorithms and | for interoperability. The requirements about which algorithms and | |||
which services are needed are deferred to each application. | which services are needed are deferred to each application. | |||
An example of a profile can be found in [RFC8613] where one was | An example of a profile can be found in [RFC8613], where one was | |||
developed for carrying content in combination with CoAP headers. | developed for carrying content in combination with CoAP headers. | |||
It is intended that a profile of this document be created that | It is intended that a profile of this document be created that | |||
defines the interoperability requirements for that specific | defines the interoperability requirements for that specific | |||
application. This section provides a set of guidelines and topics | application. This section provides a set of guidelines and topics | |||
that need to be considered when profiling this document. | that need to be considered when profiling this document. | |||
* Applications need to determine the set of messages defined in this | * Applications need to determine the set of messages defined in this | |||
document that they will be using. The set of messages corresponds | document that they will be using. The set of messages corresponds | |||
fairly directly to the set of security services that are needed | fairly directly to the needed set of security services security | |||
and to the security levels needed. | levels. | |||
* Applications may define new header parameters for a specific | * Applications may define new header parameters for a specific | |||
purpose. Applications will often times select specific header | purpose. Applications will oftentimes select specific header | |||
parameters to use or not to use. For example, an application | parameters to use or not to use. For example, an application | |||
would normally state a preference for using either the IV or the | would normally state a preference for using either the IV or the | |||
Partial IV header parameter. If the Partial IV header parameter | Partial IV header parameter. If the Partial IV header parameter | |||
is specified, then the application also needs to define how the | is specified, then the application also needs to define how the | |||
fixed portion of the IV is determined. | fixed portion of the IV is determined. | |||
* When applications use externally defined authenticated data, they | * When applications use externally defined authenticated data, they | |||
need to define how that data is encoded. This document assumes | need to define how that data is encoded. This document assumes | |||
that the data will be provided as a byte string. More information | that the data will be provided as a byte string. More information | |||
can be found in Section 4.3. | can be found in Section 4.3. | |||
* Applications need to determine the set of security algorithms that | * Applications need to determine the set of security algorithms that | |||
are to be used. When selecting the algorithms to be used as the | is to be used. When selecting the algorithms to be used as the | |||
mandatory-to-implement set, consideration should be given to | mandatory-to-implement set, consideration should be given to | |||
choosing different types of algorithms when two are chosen for a | choosing different types of algorithms when two are chosen for a | |||
specific purpose. An example of this would be choosing HMAC- | specific purpose. An example of this would be choosing HMAC- | |||
SHA512 and AES-CMAC as different MAC algorithms; the construction | SHA512 and AES-CMAC (Cipher-Based Message Authentication Code) as | |||
is vastly different between these two algorithms. This means that | different MAC algorithms; the construction is vastly different | |||
a weakening of one algorithm would be unlikely to lead to a | between these two algorithms. This means that a weakening of one | |||
weakening of the other algorithms. Of course, these algorithms do | algorithm would be unlikely to lead to a weakening of the other | |||
not provide the same level of security and thus may not be | algorithms. Of course, these algorithms do not provide the same | |||
comparable for the desired security functionality. Additional | level of security and thus may not be comparable for the desired | |||
guidance can be found in [BCP201]. | security functionality. Additional guidance can be found in | |||
[BCP201]. | ||||
* Applications may need to provide some type of negotiation or | * Applications may need to provide some type of negotiation or | |||
discovery method if multiple algorithms or message structures are | discovery method if multiple algorithms or message structures are | |||
permitted. The method can be as simple as requiring pre- | permitted. The method can be as simple as requiring | |||
configuration of the set of algorithms to providing a discovery | preconfiguration of the set of algorithms to providing a discovery | |||
method built into the protocol. S/MIME provided a number of | method built into the protocol. S/MIME provided a number of | |||
different ways to approach the problem that applications could | different ways to approach the problem that applications could | |||
follow: | follow: | |||
- Advertising in the message (S/MIME capabilities) [RFC5751]. | - Advertising in the message (S/MIME capabilities) [RFC8551]. | |||
- Advertising in the certificate (capabilities extension) | - Advertising in the certificate (capabilities extension) | |||
[RFC4262]. | [RFC4262]. | |||
- Minimum requirements for the S/MIME, which have been updated | - Minimum requirements for the S/MIME, which have been updated | |||
over time [RFC2633] [RFC5751] (note that [RFC2633] has been | over time [RFC2633] [RFC5751] [RFC8551]. (Note that [RFC2633] | |||
obsoleted by [RFC5751]). | was obsoleted by [RFC3851], which was obsoleted by [RFC5751], | |||
which was obsoleted by [RFC8551].) | ||||
11. IANA Considerations | 11. IANA Considerations | |||
The registries and registrations listed below were created during | The registries and registrations listed below were defined by RFC | |||
processing of RFC 8152 [RFC8152]. The majority of the following | 8152 [RFC8152]. The majority of the following actions are to update | |||
actions are to update the references to point to this document. | the references to point to this document. | |||
Note that while [I-D.ietf-cose-rfc8152bis-algs] also updates the | Note that while [RFC9053] also updates the registries and | |||
registries and registrations originally established by [RFC8152], the | registrations originally established by [RFC8152], the requested | |||
requested updates are mutually exclusive. The updates requested in | updates are mutually exclusive. The updates requested in this | |||
this document do not conflict or overlap with the updates requested | document do not conflict or overlap with the updates requested in | |||
in [I-D.ietf-cose-rfc8152bis-algs], and vice versa. | [RFC9053], and vice versa. | |||
11.1. COSE Header Parameters Registry | 11.1. COSE Header Parameters Registry | |||
IANA created a registry titled "COSE Header Parameters" as part of | The "COSE Header Parameters" registry was defined by [RFC8152]. IANA | |||
processing [RFC8152]. IANA is requested to update the reference for | has updated the reference for this registry to point to this document | |||
this registry from [RFC8152] to this document. IANA is also | instead of [RFC8152]. IANA has also updated all entries that | |||
requested to update the reference for all entries, except "counter | referenced [RFC8152], except "counter signature" and | |||
signature" and "CounterSignature0", in the table from [RFC8152] to | "CounterSignature0", to refer to this document. The references for | |||
this document. The reference for "counter signature" and | "counter signature" and "CounterSignature0" continue to reference | |||
"CounterSignature0" are to be left as-is. | [RFC8152]. | |||
11.2. COSE Key Common Parameters Registry | 11.2. COSE Key Common Parameters Registry | |||
IANA created a registry titled "COSE Key Common Parameters" as part | The "COSE Key Common Parameters" registry was defined [RFC8152]. | |||
of the processing of [RFC8152]. IANA is requested to update the | IANA has updated the reference for this registry to point to this | |||
reference for this registry from [RFC8152] to this document. IANA is | document instead of [RFC8152]. IANA has also updated the entries | |||
also requested to update the reference for entries in the table from | that referenced [RFC8152] to refer to this document. | |||
[RFC8152] to this document. | ||||
11.3. Media Type Registrations | 11.3. Media Type Registrations | |||
11.3.1. COSE Security Message | 11.3.1. COSE Security Message | |||
This section registers the 'application/cose' media type in the | IANA has registered the "application/cose" media type in the "Media | |||
"Media Types" registry. These media types are used to indicate that | Types" registry. These media types are used to indicate that the | |||
the content is a COSE message. | content is a COSE message. | |||
Type name: application | Type name: application | |||
Subtype name: cose | Subtype name: cose | |||
Required parameters: N/A | Required parameters: N/A | |||
Optional parameters: cose-type | Optional parameters: cose-type | |||
Encoding considerations: binary | Encoding considerations: binary | |||
Security considerations: See the Security Considerations section | Security considerations: See the Security Considerations section of | |||
of [[This Document]]. | RFC 9052. | |||
Interoperability considerations: N/A | Interoperability considerations: N/A | |||
Published specification: [[this document]] | Published specification: RFC 9052 | |||
Applications that use this media type: IoT applications sending | ||||
security content over HTTP(S) transports. | ||||
Fragment identifier considerations: N/A | Applications that use this media type: IoT applications sending | |||
security content over HTTP(S) transports. | ||||
Additional information: | Fragment identifier considerations: N/A | |||
- Deprecated alias names for this type: N/A | Additional information: | |||
* Deprecated alias names for this type: N/A | ||||
- Magic number(s): N/A | * Magic number(s): N/A | |||
- File extension(s): cbor | * File extension(s): cbor | |||
- Macintosh file type code(s): N/A | * Macintosh file type code(s): N/A | |||
Person & email address to contact for further information: | Person & email address to contact for further information: iesg@ietf | |||
iesg@ietf.org | .org | |||
Intended usage: COMMON | Intended usage: COMMON | |||
Restrictions on usage: N/A | Restrictions on usage: N/A | |||
Author: Jim Schaad, ietf@augustcellars.com | Author: Jim Schaad, ietf@augustcellars.com | |||
Change Controller: IESG | Change Controller: IESG | |||
Provisional registration? No | Provisional registration? No | |||
11.3.2. COSE Key Media Type | 11.3.2. COSE Key Media Type | |||
This section registers the 'application/cose-key' and 'application/ | IANA has registered the "application/cose-key" and "application/cose- | |||
cose-key-set' media types in the "Media Types" registry. These media | key-set" media types in the "Media Types" registry. These media | |||
types are used to indicate, respectively, that content is a COSE_Key | types are used to indicate, respectively, that content is a COSE_Key | |||
or COSE_KeySet object. | or COSE_KeySet object. | |||
The template for registering 'application/cose-key' is: | The template for "application/cose-key" is as follows: | |||
Type name: application | Type name: application | |||
Subtype name: cose-key | Subtype name: cose-key | |||
Required parameters: N/A | Required parameters: N/A | |||
Optional parameters: N/A | Optional parameters: N/A | |||
Encoding considerations: binary | Encoding considerations: binary | |||
Security considerations: See the Security Considerations section | ||||
of [[This Document]]. | ||||
Interoperability considerations: N/A | Security considerations: See the Security Considerations section of | |||
RFC 9052. | ||||
Published specification: [[this document]] | Interoperability considerations: N/A | |||
Applications that use this media type: Distribution of COSE based | Published specification: RFC 9052 | |||
Applications that use this media type: Distribution of COSE-based | ||||
keys for IoT applications. | keys for IoT applications. | |||
Fragment identifier considerations: N/A | Fragment identifier considerations: N/A | |||
Additional information: | Additional information: | |||
* Deprecated alias names for this type: N/A | ||||
- Deprecated alias names for this type: N/A | * Magic number(s): N/A | |||
- Magic number(s): N/A | * File extension(s): cbor | |||
- File extension(s): cbor | * Macintosh file type code(s): N/A | |||
- Macintosh file type code(s): N/A | Person & email address to contact for further information: iesg@ietf | |||
.org | ||||
Person & email address to contact for further information: | Intended usage: COMMON | |||
iesg@ietf.org | ||||
Intended usage: COMMON | Restrictions on usage: N/A | |||
Restrictions on usage: N/A | Author: Jim Schaad, ietf@augustcellars.com | |||
Author: Jim Schaad, ietf@augustcellars.com | Change Controller: IESG | |||
Change Controller: IESG | Provisional registration? No | |||
Provisional registration? No | The template for registering "application/cose-key-set" is: | |||
The template for registering 'application/cose-key-set' is: | Type name: application | |||
Type name: application | Subtype name: cose-key-set | |||
Subtype name: cose-key-set | Required parameters: N/A | |||
Required parameters: N/A | Optional parameters: N/A | |||
Optional parameters: N/A | Encoding considerations: binary | |||
Encoding considerations: binary | Security considerations: See the Security Considerations section of | |||
Security considerations: See the Security Considerations section | RFC 9052. | |||
of [[This Document]]. | ||||
Interoperability considerations: N/A | Interoperability considerations: N/A | |||
Published specification: [[this document]] | Published specification: RFC 9052 | |||
Applications that use this media type: Distribution of COSE based | Applications that use this media type: Distribution of COSE-based | |||
keys for IoT applications. | keys for IoT applications. | |||
Fragment identifier considerations: N/A | Fragment identifier considerations: N/A | |||
Additional information: | ||||
- Deprecated alias names for this type: N/A | Additional information: | |||
* Deprecated alias names for this type: N/A | ||||
- Magic number(s): N/A | * Magic number(s): N/A | |||
- File extension(s): cbor | * File extension(s): cbor | |||
- Macintosh file type code(s): N/A | * Macintosh file type code(s): N/A | |||
Person & email address to contact for further information: | Person & email address to contact for further information: iesg@ietf | |||
iesg@ietf.org | .org | |||
Intended usage: COMMON | Intended usage: COMMON | |||
Restrictions on usage: N/A | Restrictions on usage: N/A | |||
Author: Jim Schaad, ietf@augustcellars.com | Author: Jim Schaad, ietf@augustcellars.com | |||
Change Controller: IESG | Change Controller: IESG | |||
Provisional registration? No | Provisional registration? No | |||
11.4. CoAP Content-Formats Registry | 11.4. CoAP Content-Formats Registry | |||
IANA added entries to the "CoAP Content-Formats" registry while | IANA added entries to the "CoAP Content-Formats" registry as defined | |||
processing [RFC8152]. IANA is requested to update the reference | in [RFC8152]. IANA has updated the reference to point to this | |||
value from [RFC8152] to [[This Document]]. | document instead of [RFC8152]. | |||
11.5. CBOR Tags Registry | 11.5. CBOR Tags Registry | |||
IANA is requested to update the references from [RFC8152] to [[This | IANA has updated the references to point to this document instead of | |||
Document]]. | [RFC8152]. | |||
11.6. Expert Review Instructions | 11.6. Expert Review Instructions | |||
All of the IANA registries established by [RFC8152] are, at least in | All of the IANA registries established by [RFC8152] are, at least in | |||
part, defined as expert review. This section gives some general | part, defined as expert review. This section gives some general | |||
guidelines for what the experts should be looking for, but they are | guidelines for what the experts should be looking for, but they are | |||
being designated as experts for a reason, so they should be given | being designated as experts for a reason, so they should be given | |||
substantial latitude. | substantial latitude. | |||
Expert reviewers should take into consideration the following points: | Expert reviewers should take the following into consideration: | |||
* Point squatting should be discouraged. Reviewers are encouraged | * Point squatting should be discouraged. Reviewers are encouraged | |||
to get sufficient information for registration requests to ensure | to get sufficient information for registration requests to ensure | |||
that the usage is not going to duplicate one that is already | that the usage is not going to duplicate an existing registration | |||
registered, and that the point is likely to be used in | and that the code point is likely to be used in deployments. The | |||
deployments. The zones tagged as private use are intended for | zones tagged as private use are intended for testing purposes and | |||
testing purposes and closed environments; code points in other | closed environments; code points in other ranges should not be | |||
ranges should not be assigned for testing. | assigned for testing. | |||
* Specifications are required for the standards track range of point | * Specifications are required for the Standards Track range of code | |||
assignment. Specifications should exist for specification | point assignment. Specifications should exist for specification | |||
required ranges, but early assignment before a specification is | required ranges, but early assignment before a specification is | |||
available is considered to be permissible. Specifications are | available is considered to be permissible. Specifications are | |||
needed for the first-come, first-serve range if they are expected | needed for the first-come, first-serve range if the points are | |||
to be used outside of closed environments in an interoperable way. | expected to be used outside of closed environments in an | |||
When specifications are not provided, the description provided | interoperable way. When specifications are not provided, the | |||
needs to have sufficient information to identify what the point is | description provided needs to have sufficient information to | |||
being used for. | identify what the point is being used for. | |||
* Experts should take into account the expected usage of fields when | * Experts should take into account the expected usage of fields when | |||
approving point assignment. The fact that there is a range for | approving code point assignment. The fact that there is a range | |||
standards track documents does not mean that a standards track | for Standards Track documents does not mean that a Standards Track | |||
document cannot have points assigned outside of that range. The | document cannot have code points assigned outside of that range. | |||
length of the encoded value should be weighed against how many | The length of the encoded value should be weighed against how many | |||
code points of that length are left, the size of device it will be | code points of that length are left, the size of device it will be | |||
used on, and the number of code points left that encode to that | used on, and the number of code points left that encode to that | |||
size. | size. | |||
* When algorithms are registered, vanity registrations should be | * When algorithms are registered, vanity registrations should be | |||
discouraged. One way to do this is to require registrations to | discouraged. One way to do this is to require registrations to | |||
provide additional documentation on security analysis of the | provide additional documentation on security analysis of the | |||
algorithm. Another thing that should be considered is requesting | algorithm. Another thing that should be considered is requesting | |||
an opinion on the algorithm from the Crypto Forum Research Group | an opinion on the algorithm from the Crypto Forum Research Group | |||
(CFRG). Algorithms that do not meet the security requirements of | (CFRG). Algorithms that do not meet the security requirements of | |||
the community and the messages structures should not be | the community and the message structures should not be registered. | |||
registered. | ||||
12. Security Considerations | 12. Security Considerations | |||
There are a number of security considerations that need to be taken | There are a number of security considerations that need to be taken | |||
into account by implementers of this specification. While some | into account by implementers of this specification. While some | |||
considerations have been highlighted here, additional considerations | considerations have been highlighted here, additional considerations | |||
may be found in the documents listed in the references. | may be found in the documents listed in the references. | |||
Implementations need to protect the private key material for any | Implementations need to protect the private key material for all | |||
individuals. There are some cases that need to be highlighted on | individuals. There are some cases that need to be highlighted on | |||
this issue. | this issue. | |||
* Using the same key for two different algorithms can leak | * Use of the same key for two different algorithms can leak | |||
information about the key. It is therefore recommended that keys | information about the key. It is therefore recommended that keys | |||
be restricted to a single algorithm. | be restricted to a single algorithm. | |||
* Use of 'direct' as a recipient algorithm combined with a second | * Use of "direct" as a recipient algorithm combined with a second | |||
recipient algorithm exposes the direct key to the second | recipient algorithm exposes the direct key to the second | |||
recipient. | recipient. | |||
* Several of the algorithms in [I-D.ietf-cose-rfc8152bis-algs] have | * Several of the algorithms in [RFC9053] have limits on the number | |||
limits on the number of times that a key can be used without | of times that a key can be used without leaking information about | |||
leaking information about the key. | the key. | |||
The use of ECDH and direct plus KDF (with no key wrap) will not | The use of Elliptic Curve Diffie-Hellman (ECDH) and direct plus KDF | |||
directly lead to the private key being leaked; the one way function | (with no key wrap) will not directly lead to the private key being | |||
of the KDF will prevent that. There is, however, a different issue | leaked; the one-way function of the KDF will prevent that. There is, | |||
that needs to be addressed. Having two recipients requires that the | however, a different issue that needs to be addressed. Having two | |||
CEK be shared between two recipients. The second recipient therefore | recipients requires that the CEK be shared between two recipients. | |||
has a CEK that was derived from material that can be used for the | The second recipient therefore has a CEK that was derived from | |||
weak proof of origin. The second recipient could create a message | material that can be used for the weak proof of origin. The second | |||
using the same CEK and send it to the first recipient; the first | recipient could create a message using the same CEK and send it to | |||
recipient would, for either static-static ECDH or direct plus KDF, | the first recipient; the first recipient would, for either static- | |||
make an assumption that the CEK could be used for proof of origin | static ECDH or direct plus KDF, make an assumption that the CEK could | |||
even though it is from the wrong entity. If the key wrap step is | be used for proof of origin, even though it is from the wrong entity. | |||
added, then no proof of origin is implied and this is not an issue. | If the key wrap step is added, then no proof of origin is implied and | |||
this is not an issue. | ||||
Although it has been mentioned before, the use of a single key for | Although it has been mentioned before, the use of a single key for | |||
multiple algorithms has been demonstrated in some cases to leak | multiple algorithms has been demonstrated in some cases to leak | |||
information about that key, provide the opportunity for attackers to | information about that key, providing the opportunity for attackers | |||
forge integrity tags, or gain information about encrypted content. | to forge integrity tags or gain information about encrypted content. | |||
Binding a key to a single algorithm prevents these problems. Key | Binding a key to a single algorithm prevents these problems. Key | |||
creators and key consumers are strongly encouraged not only to create | creators and key consumers are strongly encouraged not only to create | |||
new keys for each different algorithm, but to include that selection | new keys for each different algorithm, but to include that selection | |||
of algorithm in any distribution of key material and strictly enforce | of algorithm in any distribution of key material and strictly enforce | |||
the matching of algorithms in the key structure to algorithms in the | the matching of algorithms in the key structure to algorithms in the | |||
message structure. In addition to checking that algorithms are | message structure. In addition to checking that algorithms are | |||
correct, the key form needs to be checked as well. Do not use an | correct, the key form needs to be checked as well. Do not use an | |||
'EC2' key where an 'OKP' key is expected. | "EC2" key where an "OKP" key is expected. | |||
Before using a key for transmission, or before acting on information | Before using a key for transmission, or before acting on information | |||
received, a trust decision on a key needs to be made. Is the data or | received, a trust decision on a key needs to be made. Is the data or | |||
action something that the entity associated with the key has a right | action something that the entity associated with the key has a right | |||
to see or a right to request? A number of factors are associated | to see or a right to request? A number of factors are associated | |||
with this trust decision. Some of the ones that are highlighted here | with this trust decision. Some of the ones that are highlighted here | |||
are: | are: | |||
* What are the permissions associated with the key owner? | * What are the permissions associated with the key owner? | |||
* Is the cryptographic algorithm acceptable in the current context? | * Is the cryptographic algorithm acceptable in the current context? | |||
* Have the restrictions associated with the key, such as algorithm | * Have the restrictions associated with the key, such as algorithm | |||
or freshness, been checked and are they correct? | or freshness, been checked, and are they correct? | |||
* Is the request something that is reasonable, given the current | * Is the request something that is reasonable, given the current | |||
state of the application? | state of the application? | |||
* Have any security considerations that are part of the message been | * Have any security considerations that are part of the message been | |||
enforced (as specified by the application or 'crit' header | enforced (as specified by the application or "crit" header | |||
parameter)? | parameter)? | |||
One area that has been getting exposure is traffic analysis of | One area that has been getting exposure is traffic analysis of | |||
encrypted messages based on the length of the message. This | encrypted messages based on the length of the message. This | |||
specification does not provide for a uniform method of providing | specification does not provide for a uniform method of providing | |||
padding as part of the message structure. An observer can | padding as part of the message structure. An observer can | |||
distinguish between two different messages (for example, 'YES' and | distinguish between two different messages (for example, "YES" and | |||
'NO') based on the length for all of the content encryption | "NO") based on the length for all of the content encryption | |||
algorithms that are defined in [I-D.ietf-cose-rfc8152bis-algs] | algorithms that are defined in [RFC9053]. This means that it is up | |||
document. This means that it is up to the applications to document | to the applications to document how content padding is to be done in | |||
how content padding is to be done in order to prevent or discourage | order to prevent or discourage such analysis. (For example, the text | |||
such analysis. (For example, the text strings could be defined as | strings could be defined as "YES" and "NO".) | |||
'YES' and 'NO '.) | ||||
13. Implementation Status | ||||
This section is to be removed before publishing as an RFC. | ||||
This section records the status of known implementations of the | ||||
protocol defined by this specification at the time of posting of this | ||||
Internet-Draft, and is based on a proposal described in [RFC7942]. | ||||
The description of implementations in this section is intended to | ||||
assist the IETF in its decision processes in progressing drafts to | ||||
RFCs. Please note that the listing of any individual implementation | ||||
here does not imply endorsement by the IETF. Furthermore, no effort | ||||
has been spent to verify the information presented here that was | ||||
supplied by IETF contributors. This is not intended as, and must not | ||||
be construed to be, a catalog of available implementations or their | ||||
features. Readers are advised to note that other implementations may | ||||
exist. | ||||
According to [RFC7942], "this will allow reviewers and working groups | ||||
to assign due consideration to documents that have the benefit of | ||||
running code, which may serve as evidence of valuable experimentation | ||||
and feedback that have made the implemented protocols more mature. | ||||
It is up to the individual working groups to use this information as | ||||
they see fit". | ||||
13.1. Author's Versions | ||||
There are three different implementations that have been created by | ||||
the author of the document both to create the examples that are | ||||
included in the document and to validate the structures and | ||||
methodology used in the design of COSE. | ||||
* Implementation Location: https://github.com/cose-wg | ||||
* Primary Maintainer: Jim Schaad | ||||
* Languages: There are three different languages that are currently | ||||
supported: Java, C# and C. | ||||
* Cryptography: The Java and C# libraries use Bouncy Castle to | ||||
provide the required cryptography. The C version uses OPENSSL | ||||
Version 1.1 for the cryptography. | ||||
* Coverage: All versions have support to allow for implicit | ||||
algorithm support as they allow for the application to set | ||||
attributes that are not to be sent in the message. | ||||
* Testing: All of the examples in the example library are generated | ||||
by the C# library and then validated using the Java and C | ||||
libraries. All three libraries have tests to allow for the | ||||
creating of the same messages that are in the example library | ||||
followed by validating them. These are not compared against the | ||||
example library. The Java and C# libraries have unit testing | ||||
included. Not all of the MUST statements in the document have | ||||
been implemented as part of the libraries. One such statement is | ||||
the requirement that unique labels be present. | ||||
* Licensing: Revised BSD License | ||||
13.2. JavaScript Version | ||||
* Implementation Location: https://github.com/erdtman/cose-js | ||||
* Primary Maintainer: Samuel Erdtman | ||||
* Languages: JavaScript | ||||
* Cryptography: TBD | ||||
* Coverage: Full Encrypt, Signature and MAC objects are supported. | ||||
* Testing: Basic testing against the common example library. | ||||
* Licensing: Apache License 2.0 | ||||
13.3. Python Version | ||||
* Implementation Location: https://github.com/TimothyClaeys/COSE- | ||||
PYTHON | ||||
* Primary Maintainer: Timothy Claeys | ||||
* Languages: Python | ||||
* Cryptography: pyecdsak, crypto python libraries | ||||
* Coverage: TBD | 13. References | |||
* Testing: Basic testing plus running against the common example | 13.1. Normative References | |||
library. | ||||
* Licensing: BSD 3-Clause License | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, | ||||
DOI 10.17487/RFC2119, March 1997, | ||||
<https://www.rfc-editor.org/info/rfc2119>. | ||||
13.4. COSE Testing Library | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | ||||
May 2017, <https://www.rfc-editor.org/info/rfc8174>. | ||||
* Implementation Location: https://github.com/cose-wg/Examples | [RFC8949] Bormann, C. and P. Hoffman, "Concise Binary Object | |||
Representation (CBOR)", STD 94, RFC 8949, | ||||
DOI 10.17487/RFC8949, December 2020, | ||||
<https://www.rfc-editor.org/info/rfc8949>. | ||||
* Primary Maintainer: Jim Schaad | [RFC9053] Schaad, J., "CBOR Object Signing and Encryption (COSE): | |||
* Description: A set of tests for the COSE library is provided as | Initial Algorithms", RFC 9053, DOI 10.17487/RFC9053, July | |||
part of the implementation effort. Both success and fail tests | 2021, <https://www.rfc-editor.org/info/rfc9053>. | |||
have been provided. All of the examples in this document are part | ||||
of this example set. | ||||
* Coverage: An attempt has been made to have test cases for every | 13.2. Informative References | |||
message type and algorithm in the document. Currently examples | ||||
dealing with ECDH with Goldilocks are missing. | ||||
* Licensing: Public Domain | [BCP201] Housley, R., "Guidelines for Cryptographic Algorithm | |||
Agility and Selecting Mandatory-to-Implement Algorithms", | ||||
BCP 201, RFC 7696, November 2015, | ||||
<https://www.rfc-editor.org/info/bcp201>. | ||||
14. References | [CFRG-ARGON2] | |||
Biryukov, A., Dinu, D., Khovratovich, D., and S. | ||||
Josefsson, "The memory-hard Argon2 password hash and | ||||
proof-of-work function", Work in Progress, Internet-Draft, | ||||
draft-irtf-cfrg-argon2-13, 11 March 2021, | ||||
<https://datatracker.ietf.org/doc/html/draft-irtf-cfrg- | ||||
argon2-13>. | ||||
14.1. Normative References | [COAP.Formats] | |||
IANA, "CoAP Content-Formats", | ||||
<https://www.iana.org/assignments/core-parameters/>. | ||||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [CORE-GROUPCOMM] | |||
Requirement Levels", BCP 14, RFC 2119, | Dijk, E., Wang, C., and M. Tiloca, "Group Communication | |||
DOI 10.17487/RFC2119, March 1997, | for the Constrained Application Protocol (CoAP)", Work in | |||
<https://www.rfc-editor.org/info/rfc2119>. | Progress, Internet-Draft, draft-ietf-core-groupcomm-bis- | |||
03, 22 February 2021, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-core- | ||||
groupcomm-bis-03>. | ||||
[I-D.ietf-cbor-7049bis] | [COSE-COUNTERSIGN] | |||
Bormann, C. and P. Hoffman, "Concise Binary Object | Schaad, J. and R. Housley, "CBOR Object Signing and | |||
Representation (CBOR)", Work in Progress, Internet-Draft, | Encryption (COSE): Countersignatures", Work in Progress, | |||
draft-ietf-cbor-7049bis-16, 30 September 2020, | Internet-Draft, draft-ietf-cose-countersign-05, 23 June | |||
<https://tools.ietf.org/html/draft-ietf-cbor-7049bis-16>. | 2021, <https://datatracker.ietf.org/doc/html/draft-ietf- | |||
cose-countersign-05>. | ||||
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [COSE.Algorithms] | |||
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | IANA, "COSE Algorithms", | |||
May 2017, <https://www.rfc-editor.org/info/rfc8174>. | <https://www.iana.org/assignments/cose/>. | |||
[I-D.ietf-cose-rfc8152bis-algs] | [COSE.KeyParameters] | |||
Schaad, J., "CBOR Object Signing and Encryption (COSE): | IANA, "COSE Key Common Parameters", | |||
Initial Algorithms", Work in Progress, Internet-Draft, | <https://www.iana.org/assignments/cose/>. | |||
draft-ietf-cose-rfc8152bis-algs-12, 24 September 2020, | ||||
<https://tools.ietf.org/html/draft-ietf-cose-rfc8152bis- | ||||
algs-12>. | ||||
14.2. Informative References | [COSE.KeyTypes] | |||
IANA, "COSE Key Types", | ||||
<https://www.iana.org/assignments/cose/>. | ||||
[RFC8152] Schaad, J., "CBOR Object Signing and Encryption (COSE)", | [DSS] National Institute of Standards and Technology, "Digital | |||
RFC 8152, DOI 10.17487/RFC8152, July 2017, | Signature Standard (DSS)", FIPS 186-4, | |||
<https://www.rfc-editor.org/info/rfc8152>. | DOI 10.6028/NIST.FIPS.186-4, July 2013, | |||
<https://nvlpubs.nist.gov/nistpubs/FIPS/ | ||||
NIST.FIPS.186-4.pdf>. | ||||
[RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data | [PVSig] Brown, D.R.L. and D.B. Johnson, "Formal Security Proofs | |||
Definition Language (CDDL): A Notational Convention to | for a Signature Scheme with Partial Message Recovery", | |||
Express Concise Binary Object Representation (CBOR) and | LNCS Volume 2020, DOI 10.1007/3-540-45353-9_11, June 2000, | |||
JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610, | <https://www.certicom.com/content/dam/certicom/images/ | |||
June 2019, <https://www.rfc-editor.org/info/rfc8610>. | pdfs/CerticomWP-PVSigSec_login.pdf>. | |||
[RFC2633] Ramsdell, B., Ed., "S/MIME Version 3 Message | [RFC2633] Ramsdell, B., Ed., "S/MIME Version 3 Message | |||
Specification", RFC 2633, DOI 10.17487/RFC2633, June 1999, | Specification", RFC 2633, DOI 10.17487/RFC2633, June 1999, | |||
<https://www.rfc-editor.org/info/rfc2633>. | <https://www.rfc-editor.org/info/rfc2633>. | |||
[RFC3394] Schaad, J. and R. Housley, "Advanced Encryption Standard | ||||
(AES) Key Wrap Algorithm", RFC 3394, DOI 10.17487/RFC3394, | ||||
September 2002, <https://www.rfc-editor.org/info/rfc3394>. | ||||
[RFC3851] Ramsdell, B., Ed., "Secure/Multipurpose Internet Mail | ||||
Extensions (S/MIME) Version 3.1 Message Specification", | ||||
RFC 3851, DOI 10.17487/RFC3851, July 2004, | ||||
<https://www.rfc-editor.org/info/rfc3851>. | ||||
[RFC4262] Santesson, S., "X.509 Certificate Extension for Secure/ | [RFC4262] Santesson, S., "X.509 Certificate Extension for Secure/ | |||
Multipurpose Internet Mail Extensions (S/MIME) | Multipurpose Internet Mail Extensions (S/MIME) | |||
Capabilities", RFC 4262, DOI 10.17487/RFC4262, December | Capabilities", RFC 4262, DOI 10.17487/RFC4262, December | |||
2005, <https://www.rfc-editor.org/info/rfc4262>. | 2005, <https://www.rfc-editor.org/info/rfc4262>. | |||
[RFC4949] Shirey, R., "Internet Security Glossary, Version 2", | [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", | |||
FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, | FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, | |||
<https://www.rfc-editor.org/info/rfc4949>. | <https://www.rfc-editor.org/info/rfc4949>. | |||
[RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated | [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated | |||
skipping to change at page 57, line 47 ¶ | skipping to change at line 2579 ¶ | |||
"Use of the RSA-KEM Key Transport Algorithm in the | "Use of the RSA-KEM Key Transport Algorithm in the | |||
Cryptographic Message Syntax (CMS)", RFC 5990, | Cryptographic Message Syntax (CMS)", RFC 5990, | |||
DOI 10.17487/RFC5990, September 2010, | DOI 10.17487/RFC5990, September 2010, | |||
<https://www.rfc-editor.org/info/rfc5990>. | <https://www.rfc-editor.org/info/rfc5990>. | |||
[RFC6838] Freed, N., Klensin, J., and T. Hansen, "Media Type | [RFC6838] Freed, N., Klensin, J., and T. Hansen, "Media Type | |||
Specifications and Registration Procedures", BCP 13, | Specifications and Registration Procedures", BCP 13, | |||
RFC 6838, DOI 10.17487/RFC6838, January 2013, | RFC 6838, DOI 10.17487/RFC6838, January 2013, | |||
<https://www.rfc-editor.org/info/rfc6838>. | <https://www.rfc-editor.org/info/rfc6838>. | |||
[STD90] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data | ||||
Interchange Format", STD 90, RFC 8259, December 2017. | ||||
<https://www.rfc-editor.org/info/std90> | ||||
[BCP201] Housley, R., "Guidelines for Cryptographic Algorithm | ||||
Agility and Selecting Mandatory-to-Implement Algorithms", | ||||
BCP 201, RFC 7696, November 2015. | ||||
<https://www.rfc-editor.org/info/bcp201> | ||||
[RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained | [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained | |||
Application Protocol (CoAP)", RFC 7252, | Application Protocol (CoAP)", RFC 7252, | |||
DOI 10.17487/RFC7252, June 2014, | DOI 10.17487/RFC7252, June 2014, | |||
<https://www.rfc-editor.org/info/rfc7252>. | <https://www.rfc-editor.org/info/rfc7252>. | |||
[RFC7515] Jones, M., Bradley, J., and N. Sakimura, "JSON Web | [RFC7515] Jones, M., Bradley, J., and N. Sakimura, "JSON Web | |||
Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May | Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May | |||
2015, <https://www.rfc-editor.org/info/rfc7515>. | 2015, <https://www.rfc-editor.org/info/rfc7515>. | |||
[RFC7516] Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)", | [RFC7516] Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)", | |||
skipping to change at page 58, line 37 ¶ | skipping to change at line 2605 ¶ | |||
[RFC7518] Jones, M., "JSON Web Algorithms (JWA)", RFC 7518, | [RFC7518] Jones, M., "JSON Web Algorithms (JWA)", RFC 7518, | |||
DOI 10.17487/RFC7518, May 2015, | DOI 10.17487/RFC7518, May 2015, | |||
<https://www.rfc-editor.org/info/rfc7518>. | <https://www.rfc-editor.org/info/rfc7518>. | |||
[RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital | [RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital | |||
Signature Algorithm (EdDSA)", RFC 8032, | Signature Algorithm (EdDSA)", RFC 8032, | |||
DOI 10.17487/RFC8032, January 2017, | DOI 10.17487/RFC8032, January 2017, | |||
<https://www.rfc-editor.org/info/rfc8032>. | <https://www.rfc-editor.org/info/rfc8032>. | |||
[DSS] National Institute of Standards and Technology, "Digital | [RFC8152] Schaad, J., "CBOR Object Signing and Encryption (COSE)", | |||
Signature Standard (DSS)", DOI 10.6028/NIST.FIPS.186-4, | RFC 8152, DOI 10.17487/RFC8152, July 2017, | |||
FIPS PUB 186-4, July 2013, | <https://www.rfc-editor.org/info/rfc8152>. | |||
<http://nvlpubs.nist.gov/nistpubs/FIPS/ | ||||
NIST.FIPS.186-4.pdf>. | ||||
[PVSig] Brown, D. and D. Johnson, "Formal Security Proofs for a | ||||
Signature Scheme with Partial Message Recovery", | ||||
DOI 10.1007/3-540-45353-9_11, LNCS Volume 2020, June 2000, | ||||
<https://doi.org/10.1007/3-540-45353-9_11>. | ||||
[W3C.WebCrypto] | ||||
Watson, M., "Web Cryptography API", W3C Recommendation, | ||||
January 2017, <https://www.w3.org/TR/WebCryptoAPI/>. | ||||
[RFC8230] Jones, M., "Using RSA Algorithms with CBOR Object Signing | [RFC8230] Jones, M., "Using RSA Algorithms with CBOR Object Signing | |||
and Encryption (COSE) Messages", RFC 8230, | and Encryption (COSE) Messages", RFC 8230, | |||
DOI 10.17487/RFC8230, September 2017, | DOI 10.17487/RFC8230, September 2017, | |||
<https://www.rfc-editor.org/info/rfc8230>. | <https://www.rfc-editor.org/info/rfc8230>. | |||
[RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running | [RFC8551] Schaad, J., Ramsdell, B., and S. Turner, "Secure/ | |||
Code: The Implementation Status Section", BCP 205, | Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 | |||
RFC 7942, DOI 10.17487/RFC7942, July 2016, | Message Specification", RFC 8551, DOI 10.17487/RFC8551, | |||
<https://www.rfc-editor.org/info/rfc7942>. | April 2019, <https://www.rfc-editor.org/info/rfc8551>. | |||
[RFC3394] Schaad, J. and R. Housley, "Advanced Encryption Standard | ||||
(AES) Key Wrap Algorithm", RFC 3394, DOI 10.17487/RFC3394, | ||||
September 2002, <https://www.rfc-editor.org/info/rfc3394>. | ||||
[I-D.ietf-cose-hash-algs] | ||||
Schaad, J., "CBOR Object Signing and Encryption (COSE): | ||||
Hash Algorithms", Work in Progress, Internet-Draft, draft- | ||||
ietf-cose-hash-algs-09, 14 September 2020, | ||||
<https://tools.ietf.org/html/draft-ietf-cose-hash-algs- | ||||
09>. | ||||
[I-D.ietf-core-groupcomm-bis] | [RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data | |||
Dijk, E., Wang, C., and M. Tiloca, "Group Communication | Definition Language (CDDL): A Notational Convention to | |||
for the Constrained Application Protocol (CoAP)", Work in | Express Concise Binary Object Representation (CBOR) and | |||
Progress, Internet-Draft, draft-ietf-core-groupcomm-bis- | JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610, | |||
02, 2 November 2020, <https://tools.ietf.org/html/draft- | June 2019, <https://www.rfc-editor.org/info/rfc8610>. | |||
ietf-core-groupcomm-bis-02>. | ||||
[RFC8613] Selander, G., Mattsson, J., Palombini, F., and L. Seitz, | [RFC8613] Selander, G., Mattsson, J., Palombini, F., and L. Seitz, | |||
"Object Security for Constrained RESTful Environments | "Object Security for Constrained RESTful Environments | |||
(OSCORE)", RFC 8613, DOI 10.17487/RFC8613, July 2019, | (OSCORE)", RFC 8613, DOI 10.17487/RFC8613, July 2019, | |||
<https://www.rfc-editor.org/info/rfc8613>. | <https://www.rfc-editor.org/info/rfc8613>. | |||
[I-D.irtf-cfrg-argon2] | [RFC9054] Schaad, J., "CBOR Object Signing and Encryption (COSE): | |||
Biryukov, A., Dinu, D., Khovratovich, D., and S. | Hash Algorithms", RFC 9054, DOI 10.17487/RFC9054, July | |||
Josefsson, "The memory-hard Argon2 password hash and | 2021, <https://www.rfc-editor.org/info/rfc9054>. | |||
proof-of-work function", Work in Progress, Internet-Draft, | ||||
draft-irtf-cfrg-argon2-12, 8 September 2020, | ||||
<https://tools.ietf.org/html/draft-irtf-cfrg-argon2-12>. | ||||
[COAP.Formats] | ||||
IANA, "CoAP Content-Formats", | ||||
<https://www.iana.org/assignments/core-parameters/core- | ||||
parameters.xhtml#content-formats>. | ||||
[COSE.Algorithms] | ||||
IANA, "COSE Algorithms", | ||||
<https://www.iana.org/assignments/cose/ | ||||
cose.xhtml#algorithms>. | ||||
[COSE.KeyParameters] | ||||
IANA, "COSE Key Parameters", | ||||
<https://www.iana.org/assignments/cose/cose.xhtml#key- | ||||
common-parameters>. | ||||
[COSE.KeyTypes] | [STD90] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data | |||
IANA, "COSE Key Types", | Interchange Format", STD 90, RFC 8259, December 2017, | |||
<https://www.iana.org/assignments/cose/cose.xhtml#key- | <https://www.rfc-editor.org/info/std90>. | |||
type>. | ||||
[I-D.ietf-cose-countersign] | [W3C.WebCrypto] | |||
Schaad, J., "CBOR Object Signing and Encryption (COSE): | Watson, M., Ed., "Web Cryptography API", W3C | |||
Countersignatures". | Recommendation, 26 January 2017, | |||
<https://www.w3.org/TR/WebCryptoAPI/>. | ||||
Appendix A. Guidelines for External Data Authentication of Algorithms | Appendix A. Guidelines for External Data Authentication of Algorithms | |||
During development of COSE, the requirement that the algorithm | During development of COSE, the requirement that the algorithm | |||
identifier be located in the protected attributes was relaxed from a | identifier be located in the protected attributes was relaxed from a | |||
must to a should. There were two basic reasons that have been | must to a should. Two basic reasons have been advanced to support | |||
advanced to support this position. First, the resulting message will | this position. First, the resulting message will be smaller if the | |||
be smaller if the algorithm identifier is omitted from the most | algorithm identifier is omitted from the most common messages in a | |||
common messages in a CoAP environment. Second, there is a potential | CoAP environment. Second, there is a potential bug that will arise | |||
bug that will arise if full checking is not done correctly between | if full checking is not done correctly between the different places | |||
the different places that an algorithm identifier could be placed | that an algorithm identifier could be placed (the message itself, an | |||
(the message itself, an application statement, the key structure that | application statement, the key structure that the sender possesses, | |||
the sender possesses, and the key structure the recipient possesses). | and the key structure the recipient possesses). | |||
This appendix lays out how such a change can be made and the details | This appendix lays out how such a change can be made and the details | |||
that an application needs to specify in order to use this option. | that an application needs to specify in order to use this option. | |||
Two different sets of details are specified: those needed to omit an | Two different sets of details are specified: those needed to omit an | |||
algorithm identifier and those needed to use the variant on the | algorithm identifier and those needed to use the variant on the | |||
countersignature attribute that contains no attributes about itself. | countersignature attribute that contains no attributes about itself. | |||
Three sets of recommendations are laid out. The first set of | Three sets of recommendations are laid out. The first set of | |||
recommendations applies to having an implicit algorithm identified | recommendations applies to having an implicit algorithm identified | |||
for a single layer of a COSE object. The second set of | for a single layer of a COSE object. The second set of | |||
skipping to change at page 61, line 12 ¶ | skipping to change at line 2677 ¶ | |||
recommendations applies to having implicit algorithms for multiple | recommendations applies to having implicit algorithms for multiple | |||
COSE object constructs. | COSE object constructs. | |||
The key words from [RFC2119] are deliberately not used here. This | The key words from [RFC2119] are deliberately not used here. This | |||
specification can provide recommendations, but it cannot enforce | specification can provide recommendations, but it cannot enforce | |||
them. | them. | |||
This set of recommendations applies to the case where an application | This set of recommendations applies to the case where an application | |||
is distributing a fixed algorithm along with the key information for | is distributing a fixed algorithm along with the key information for | |||
use in a single COSE object. This normally applies to the smallest | use in a single COSE object. This normally applies to the smallest | |||
of the COSE objects, specifically COSE_Sign1, COSE_Mac0, and | of the COSE objects -- specifically, COSE_Sign1, COSE_Mac0, and | |||
COSE_Encrypt0, but could apply to the other structures as well. | COSE_Encrypt0 -- but could apply to the other structures as well. | |||
The following items should be taken into account: | The following items should be taken into account: | |||
* Applications need to list the set of COSE structures that implicit | * Applications need to list the set of COSE structures that implicit | |||
algorithms are to be used in. Applications need to require that | algorithms are to be used in. Applications need to require that | |||
the receipt of an explicit algorithm identifier in one of these | the receipt of an explicit algorithm identifier in one of these | |||
structures will lead to the message being rejected. This | structures will lead to the message being rejected. This | |||
requirement is stated so that there will never be a case where | requirement is stated so that there will never be a case where | |||
there is any ambiguity about the question of which algorithm | there is any ambiguity about the question of which algorithm | |||
should be used, the implicit or the explicit one. This applies | should be used, the implicit or the explicit one. This applies | |||
even if the transported algorithm identifier is a protected | even if the transported algorithm identifier is a protected | |||
attribute. This applies even if the transported algorithm is the | attribute. This applies even if the transported algorithm is the | |||
same as the implicit algorithm. | same as the implicit algorithm. | |||
* Applications need to define the set of information that is to be | * Applications need to define the set of information that is to be | |||
considered to be part of a context when omitting algorithm | considered to be part of a context when omitting algorithm | |||
identifiers. At a minimum, this would be the key identifier (if | identifiers. At a minimum, this would be the key identifier (if | |||
needed), the key, the algorithm, and the COSE structure it is used | needed), the key, the algorithm, and the COSE structure it is used | |||
with. Applications should restrict the use of a single key to a | with. Applications should restrict the use of a single key to a | |||
single algorithm. As noted for some of the algorithms in | single algorithm. As noted for some of the algorithms in | |||
[I-D.ietf-cose-rfc8152bis-algs], the use of the same key in | [RFC9053], the use of the same key in different, related | |||
different related algorithms can lead to leakage of information | algorithms can lead to leakage of information about the key, | |||
about the key, leakage about the data or the ability to perform | leakage about the data, or the ability to perform forgeries. | |||
forgeries. | ||||
* In many cases, applications that make the algorithm identifier | * In many cases, applications that make the algorithm identifier | |||
implicit will also want to make the context identifier implicit | implicit will also want to make the context identifier implicit | |||
for the same reason. That is, omitting the context identifier | for the same reason. That is, omitting the context identifier | |||
will decrease the message size (potentially significantly | will decrease the message size (potentially significantly, | |||
depending on the length of the identifier). Applications that do | depending on the length of the identifier). Applications that do | |||
this will need to describe the circumstances where the context | this will need to describe the circumstances where the context | |||
identifier is to be omitted and how the context identifier is to | identifier is to be omitted and how the context identifier is to | |||
be inferred in these cases. (An exhaustive search over all of the | be inferred in these cases. (An exhaustive search over all of the | |||
keys would normally not be considered to be acceptable.) An | keys would normally not be considered to be acceptable.) An | |||
example of how this can be done is to tie the context to a | example of how this can be done is to tie the context to a | |||
transaction identifier. Both would be sent on the original | transaction identifier. Both would be sent on the original | |||
message, but only the transaction identifier would need to be sent | message, but only the transaction identifier would need to be sent | |||
after that point as the context is tied into the transaction | after that point, as the context is tied into the transaction | |||
identifier. Another way would be to associate a context with a | identifier. Another way would be to associate a context with a | |||
network address. All messages coming from a single network | network address. All messages coming from a single network | |||
address can be assumed to be associated with a specific context. | address can be assumed to be associated with a specific context. | |||
(In this case, the address would normally be distributed as part | (In this case, the address would normally be distributed as part | |||
of the context.) | of the context.) | |||
* Applications cannot rely on key identifiers being unique unless | * Applications cannot rely on key identifiers being unique unless | |||
they take significant efforts to ensure that they are computed in | they take significant efforts to ensure that they are computed in | |||
such a way as to create this guarantee. Even when an application | such a way as to create this guarantee. Even when an application | |||
does this, the uniqueness might be violated if the application is | does this, the uniqueness might be violated if the application is | |||
skipping to change at page 62, line 32 ¶ | skipping to change at line 2745 ¶ | |||
encryption, MAC, and signature algorithms. It can be used in the | encryption, MAC, and signature algorithms. It can be used in the | |||
SuppPrivInfo field for those algorithms that use a KDF to derive a | SuppPrivInfo field for those algorithms that use a KDF to derive a | |||
key value. Applications may also want to protect other | key value. Applications may also want to protect other | |||
information that is part of the context structure as well. It | information that is part of the context structure as well. It | |||
should be noted that those fields, such as the key or a Base IV, | should be noted that those fields, such as the key or a Base IV, | |||
are protected by virtue of being used in the cryptographic | are protected by virtue of being used in the cryptographic | |||
computation and do not need to be included in the external data | computation and do not need to be included in the external data | |||
field. | field. | |||
The second case is having multiple implicit algorithm identifiers | The second case is having multiple implicit algorithm identifiers | |||
specified for a multiple layer COSE object. An example of how this | specified for a multiple-layer COSE object. An example of how this | |||
would work is the encryption context that an application specifies, | would work is the encryption context that an application specifies, | |||
which contains a content encryption algorithm, a key wrap algorithm, | which contains a content encryption algorithm, a key wrap algorithm, | |||
a key identifier, and a shared secret. The sender omits sending the | a key identifier, and a shared secret. The sender omits sending the | |||
algorithm identifier for both the content layer and the recipient | algorithm identifier for both the content layer and the recipient | |||
layer leaving only the key identifier. The receiver then uses the | layer, leaving only the key identifier. The receiver then uses the | |||
key identifier to get the implicit algorithm identifiers. | key identifier to get the implicit algorithm identifiers. | |||
The following additional items need to be taken into consideration: | The following additional items need to be taken into consideration: | |||
* Applications that want to support this will need to define a | * Applications that want to support this will need to define a | |||
structure that allows for, and clearly identifies, both the COSE | structure that allows for, and clearly identifies, both the COSE | |||
structure to be used with a given key and the structure and | structure to be used with a given key and the structure and | |||
algorithm to be used for the secondary layer. The key for the | algorithm to be used for the secondary layer. The key for the | |||
secondary layer is computed as normal from the recipient layer. | secondary layer is computed as normal from the recipient layer. | |||
skipping to change at page 63, line 11 ¶ | skipping to change at line 2772 ¶ | |||
targeted at potentially unrelated layers or different COSE objects. | targeted at potentially unrelated layers or different COSE objects. | |||
There are a number of different scenarios where this might be | There are a number of different scenarios where this might be | |||
applicable. Some of these scenarios are: | applicable. Some of these scenarios are: | |||
* Two contexts are distributed as a pair. Each of the contexts is | * Two contexts are distributed as a pair. Each of the contexts is | |||
for use with a COSE_Encrypt message. Each context will consist of | for use with a COSE_Encrypt message. Each context will consist of | |||
distinct secret keys and IVs and potentially even different | distinct secret keys and IVs and potentially even different | |||
algorithms. One context is for sending messages from party A to | algorithms. One context is for sending messages from party A to | |||
party B, and the second context is for sending messages from party | party B, and the second context is for sending messages from party | |||
B to party A. This means that there is no chance for a reflection | B to party A. This means that there is no chance for a reflection | |||
attack to occur as each party uses different secret keys to send | attack to occur, as each party uses different secret keys to send | |||
its messages; a message that is reflected back to it would fail to | its messages; a message that is reflected back to it would fail to | |||
decrypt. | decrypt. | |||
* Two contexts are distributed as a pair. The first context is used | * Two contexts are distributed as a pair. The first context is used | |||
for encryption of the message, and the second context is used to | for encryption of the message, and the second context is used to | |||
place a countersignature on the message. The intention is that | place a countersignature on the message. The intention is that | |||
the second context can be distributed to other entities | the second context can be distributed to other entities | |||
independently of the first context. This allows these entities to | independently of the first context. This allows these entities to | |||
validate that the message came from an individual without being | validate that the message came from an individual without being | |||
able to decrypt the message and see the content. | able to decrypt the message and see the content. | |||
skipping to change at page 63, line 41 ¶ | skipping to change at line 2802 ¶ | |||
considered: | considered: | |||
* Applications need to ensure that the multiple contexts stay | * Applications need to ensure that the multiple contexts stay | |||
associated. If one of the contexts is invalidated for any reason, | associated. If one of the contexts is invalidated for any reason, | |||
all of the contexts associated with it should also be invalidated. | all of the contexts associated with it should also be invalidated. | |||
Appendix B. Two Layers of Recipient Information | Appendix B. Two Layers of Recipient Information | |||
All of the currently defined recipient algorithm classes only use two | All of the currently defined recipient algorithm classes only use two | |||
layers of the COSE structure. The first layer (COSE_Encrypt) is the | layers of the COSE structure. The first layer (COSE_Encrypt) is the | |||
message content, and the second layer (COSE_Recipint) is the content | message content, and the second layer (COSE_Recipient) is the content | |||
key encryption. However, if one uses a recipient algorithm such as | key encryption. However, if one uses a recipient algorithm such as | |||
the RSA Key Encapsulation Mechanism (RSA-KEM) (see Appendix A of RSA- | the RSA Key Encapsulation Mechanism (RSA-KEM) (see Appendix A of RSA- | |||
KEM [RFC5990]), then it makes sense to have two layers of the | KEM [RFC5990]), then it makes sense to have two layers of the | |||
COSE_Recipient structure. | COSE_Recipient structure. | |||
These layers would be: | These layers would be: | |||
* Layer 0: The content encryption layer. This layer contains the | * Layer 0: The content encryption layer. This layer contains the | |||
payload of the message. | payload of the message. | |||
* Layer 1: The encryption of the CEK by a KEK. | * Layer 1: The encryption of the CEK by a KEK. | |||
* Layer 2: The encryption of a long random secret using an RSA key | * Layer 2: The encryption of a long random secret using an RSA key | |||
and a key derivation function to convert that secret into the KEK. | and a key derivation function to convert that secret into the KEK. | |||
This is an example of what a triple layer message would look like. | This is an example of what a triple-layer message would look like. | |||
The message has the following layers: | The message has the following layers: | |||
* Layer 0: Has a content encrypted with AES-GCM using a 128-bit key. | * Layer 0: Has content encrypted with AES-GCM using a 128-bit key. | |||
* Layer 1: Uses the AES Key Wrap algorithm with a 128-bit key. | * Layer 1: Uses the AES Key Wrap algorithm with a 128-bit key. | |||
* Layer 2: Uses ECDH Ephemeral-Static direct to generate the layer 1 | * Layer 2: Uses ECDH Ephemeral-Static direct to generate the Layer 1 | |||
key. | key. | |||
In effect, this example is a decomposed version of using the | In effect, this example is a decomposed version of using the ECDH- | |||
ECDH-ES+A128KW algorithm. | ES+A128KW algorithm. | |||
Size of binary file is 183 bytes | Size of binary file is 183 bytes | |||
96( | 96( | |||
[ / COSE_Encrypt / | [ / COSE_Encrypt / | |||
/ protected h'a10101' / << { | / protected h'a10101' / << { | |||
/ alg / 1:1 / AES-GCM 128 / | / alg / 1:1 / AES-GCM 128 / | |||
} >>, | } >>, | |||
/ unprotected / { | / unprotected / { | |||
/ iv / 5:h'02d1f7e6f26c43d4868d87ce' | / iv / 5:h'02d1f7e6f26c43d4868d87ce' | |||
}, | }, | |||
/ ciphertext / h'64f84d913ba60a76070a9a48f26e97e863e2852948658f0 | / ciphertext / h'64f84d913ba60a76070a9a48f26e97e863e2852948658f0 | |||
811139868826e89218a75715b', | 811139868826e89218a75715b', | |||
skipping to change at page 66, line 10 ¶ | skipping to change at line 2887 ¶ | |||
features and message types that have been defined in this document. | features and message types that have been defined in this document. | |||
To make the examples easier to read, they are presented using the | To make the examples easier to read, they are presented using the | |||
extended CBOR diagnostic notation (defined in [RFC8610]) rather than | extended CBOR diagnostic notation (defined in [RFC8610]) rather than | |||
as a binary dump. | as a binary dump. | |||
A GitHub project has been created at <https://github.com/cose-wg/ | A GitHub project has been created at <https://github.com/cose-wg/ | |||
Examples> that contains not only the examples presented in this | Examples> that contains not only the examples presented in this | |||
document, but a more complete set of testing examples as well. Each | document, but a more complete set of testing examples as well. Each | |||
example is found in a JSON file that contains the inputs used to | example is found in a JSON file that contains the inputs used to | |||
create the example, some of the intermediate values that can be used | create the example, some of the intermediate values that can be used | |||
in debugging the example and the output of the example presented both | in debugging the example, and the output of the example presented | |||
as a hex dump and in CBOR diagnostic notation format. Some of the | both as a hex dump and in CBOR diagnostic notation format. Some of | |||
examples at the site are designed failure testing cases; these are | the examples at the site are designed failure-testing cases; these | |||
clearly marked as such in the JSON file. If errors in the examples | are clearly marked as such in the JSON file. If errors in the | |||
in this document are found, the examples on GitHub will be updated, | examples in this document are found, the examples on GitHub will be | |||
and a note to that effect will be placed in the JSON file. | updated, and a note to that effect will be placed in the JSON file. | |||
As noted, the examples are presented using the CBOR's diagnostic | As noted, the examples are presented using CBOR's diagnostic | |||
notation. A Ruby-based tool exists that can convert between the | notation. A Ruby-based tool exists that can convert between the | |||
diagnostic notation and binary. This tool can be installed with the | diagnostic notation and binary. This tool can be installed with the | |||
command line: | command line: | |||
gem install cbor-diag | gem install cbor-diag | |||
The diagnostic notation can be converted into binary files using the | The diagnostic notation can be converted into binary files using the | |||
following command line: | following command line: | |||
diag2cbor.rb < inputfile > outputfile | diag2cbor.rb < inputfile > outputfile | |||
The examples can be extracted from the XML version of this document | The examples can be extracted from the XML version of this document | |||
via an XPath expression as all of the sourcecode is tagged with the | via an XPath expression, as all of the source code is tagged with the | |||
attribute type='CBORdiag'. (Depending on the XPath evaluator one is | attribute type='cbor-diag'. (Depending on the XPath evaluator one is | |||
using, it may be necessary to deal with > as an entity.) | using, it may be necessary to deal with > as an entity.) | |||
//sourcecode[@type='CDDL']/text() | //sourcecode[@type='CDDL']/text() | |||
C.1. Examples of Signed Messages | C.1. Examples of Signed Messages | |||
C.1.1. Single Signature | C.1.1. Single Signature | |||
This example uses the following: | This example uses the following: | |||
skipping to change at page 68, line 44 ¶ | skipping to change at line 2994 ¶ | |||
] | ] | |||
] | ] | |||
) | ) | |||
C.1.3. Signature with Criticality | C.1.3. Signature with Criticality | |||
This example uses the following: | This example uses the following: | |||
* Signature Algorithm: ECDSA w/ SHA-256, Curve P-256 | * Signature Algorithm: ECDSA w/ SHA-256, Curve P-256 | |||
* There is a criticality marker on the "reserved" header parameter | * There is a criticality marker on the "reserved" header parameter. | |||
Size of binary file is 125 bytes | Size of binary file is 125 bytes | |||
98( | 98( | |||
[ | [ | |||
/ protected h'a2687265736572766564f40281687265736572766564' / | / protected h'a2687265736572766564f40281687265736572766564' / | |||
<< { | << { | |||
"reserved":false, | "reserved":false, | |||
/ crit / 2:[ | / crit / 2:[ | |||
"reserved" | "reserved" | |||
] | ] | |||
} >>, | } >>, | |||
/ unprotected / {}, | / unprotected / {}, | |||
skipping to change at page 76, line 37 ¶ | skipping to change at line 3299 ¶ | |||
] | ] | |||
] | ] | |||
) | ) | |||
C.5.3. Wrapped MAC | C.5.3. Wrapped MAC | |||
This example uses the following: | This example uses the following: | |||
* MAC: AES-MAC, 128-bit key, truncated to 64 bits | * MAC: AES-MAC, 128-bit key, truncated to 64 bits | |||
* Recipient class: AES Key Wrap w/ a pre-shared 256-bit key | * Recipient class: AES Key Wrap w/ a preshared 256-bit key | |||
Size of binary file is 109 bytes | Size of binary file is 109 bytes | |||
97( | 97( | |||
[ | [ | |||
/ protected h'a1010e' / << { | / protected h'a1010e' / << { | |||
/ alg / 1:14 / AES-CBC-MAC-128//64 / | / alg / 1:14 / AES-CBC-MAC-128//64 / | |||
} >> , | } >> , | |||
/ unprotected / {}, | / unprotected / {}, | |||
/ payload / 'This is the content.', | / payload / 'This is the content.', | |||
/ tag / h'36f5afaf0bab5d43', | / tag / h'36f5afaf0bab5d43', | |||
/ recipients / [ | / recipients / [ | |||
[ | [ | |||
skipping to change at page 77, line 32 ¶ | skipping to change at line 3331 ¶ | |||
] | ] | |||
] | ] | |||
) | ) | |||
C.5.4. Multi-Recipient MACed Message | C.5.4. Multi-Recipient MACed Message | |||
This example uses the following: | This example uses the following: | |||
* MAC: HMAC w/ SHA-256, 128-bit key | * MAC: HMAC w/ SHA-256, 128-bit key | |||
* Recipient class: Uses three different methods | * Recipient class: Uses three different methods. | |||
1. ECDH Ephemeral-Static, Curve P-521, AES Key Wrap w/ 128-bit | 1. ECDH Ephemeral-Static, Curve P-521, AES Key Wrap w/ 128-bit | |||
key | key | |||
2. AES Key Wrap w/ 256-bit key | 2. AES Key Wrap w/ 256-bit key | |||
Size of binary file is 309 bytes | Size of binary file is 309 bytes | |||
97( | 97( | |||
[ | [ | |||
/ protected h'a10105' / << { | / protected h'a10105' / << { | |||
/ alg / 1:5 / HMAC 256//256 / | / alg / 1:5 / HMAC 256//256 / | |||
} >> , | } >> , | |||
/ unprotected / {}, | / unprotected / {}, | |||
/ payload / 'This is the content.', | / payload / 'This is the content.', | |||
/ tag / h'bf48235e809b5c42e995f2b7d5fa13620e7ed834e337f6aa43df16 | / tag / h'bf48235e809b5c42e995f2b7d5fa13620e7ed834e337f6aa43df16 | |||
1e49e9323e', | 1e49e9323e', | |||
/ recipients / [ | / recipients / [ | |||
skipping to change at page 78, line 47 ¶ | skipping to change at line 3383 ¶ | |||
}, | }, | |||
/ ciphertext / h'0b2c7cfce04e98276342d6476a7723c090dfdd15f9a | / ciphertext / h'0b2c7cfce04e98276342d6476a7723c090dfdd15f9a | |||
518e7736549e998370695e6d6a83b4ae507bb' | 518e7736549e998370695e6d6a83b4ae507bb' | |||
] | ] | |||
] | ] | |||
] | ] | |||
) | ) | |||
C.6. Examples of MAC0 Messages | C.6. Examples of MAC0 Messages | |||
C.6.1. Shared Secret Direct MAC | C.6.1. Shared-Secret Direct MAC | |||
This example uses the following: | This example uses the following: | |||
* MAC: AES-CMAC, 256-bit key, truncated to 64 bits | * MAC: AES-CMAC, 256-bit key, truncated to 64 bits | |||
* Recipient class: direct shared secret | * Recipient class: direct shared secret | |||
Size of binary file is 37 bytes | Size of binary file is 37 bytes | |||
17( | 17( | |||
[ | [ | |||
/ protected h'a1010f' / << { | / protected h'a1010f' / << { | |||
/ alg / 1:15 / AES-CBC-MAC-256//64 / | / alg / 1:15 / AES-CBC-MAC-256//64 / | |||
} >> , | } >> , | |||
/ unprotected / {}, | / unprotected / {}, | |||
skipping to change at page 79, line 28 ¶ | skipping to change at line 3413 ¶ | |||
Note that this example uses the same inputs as Appendix C.5.1. | Note that this example uses the same inputs as Appendix C.5.1. | |||
C.7. COSE Keys | C.7. COSE Keys | |||
C.7.1. Public Keys | C.7.1. Public Keys | |||
This is an example of a COSE Key Set. This example includes the | This is an example of a COSE Key Set. This example includes the | |||
public keys for all of the previous examples. | public keys for all of the previous examples. | |||
In order the keys are: | In order, the keys are: | |||
* An EC key with a kid of "meriadoc.brandybuck@buckland.example" | * An EC key with a kid of "meriadoc.brandybuck@buckland.example" | |||
* An EC key with a kid of "peregrin.took@tuckborough.example" | * An EC key with a kid of "11" | |||
* An EC key with a kid of "bilbo.baggins@hobbiton.example" | * An EC key with a kid of "bilbo.baggins@hobbiton.example" | |||
* An EC key with a kid of "11" | * An EC key with a kid of "peregrin.took@tuckborough.example" | |||
Size of binary file is 481 bytes | Size of binary file is 481 bytes | |||
[ | [ | |||
{ | { | |||
-1:1, | -1:1, | |||
-2:h'65eda5a12577c2bae829437fe338701a10aaa375e1bb5b5de108de439c0 | -2:h'65eda5a12577c2bae829437fe338701a10aaa375e1bb5b5de108de439c0 | |||
8551d', | 8551d', | |||
-3:h'1e52ed75701163f7f9e40ddf9f341b3dc9ba860af7e0ca7ca7e9eecd008 | -3:h'1e52ed75701163f7f9e40ddf9f341b3dc9ba860af7e0ca7ca7e9eecd008 | |||
4d19c', | 4d19c', | |||
skipping to change at page 82, line 40 ¶ | skipping to change at line 3557 ¶ | |||
{ | { | |||
1:4, | 1:4, | |||
2:'018c0ae5-4d9b-471b-bfd6-eef314bc7037', | 2:'018c0ae5-4d9b-471b-bfd6-eef314bc7037', | |||
-1:h'849b57219dae48de646d07dbb533566e976686457c1491be3a76dcea6c4 | -1:h'849b57219dae48de646d07dbb533566e976686457c1491be3a76dcea6c4 | |||
27188' | 27188' | |||
} | } | |||
] | ] | |||
Acknowledgments | Acknowledgments | |||
This document is a product of the COSE working group of the IETF. | This document is a product of the COSE Working Group of the IETF. | |||
The following individuals are to blame for getting me started on this | The following individuals are to blame for getting me started on this | |||
project in the first place: Richard Barnes, Matt Miller, and Martin | project in the first place: Richard Barnes, Matt Miller, and Martin | |||
Thomson. | Thomson. | |||
The initial version of the specification was based to some degree on | The initial draft version of the specification was based to some | |||
the outputs of the JOSE and S/MIME working groups. | degree on the outputs of the JOSE and S/MIME Working Groups. | |||
The following individuals provided input into the final form of the | The following individuals provided input into the final form of the | |||
document: Carsten Bormann, John Bradley, Brain Campbell, Michael B. | document: Carsten Bormann, John Bradley, Brian Campbell, Michael | |||
Jones, Ilari Liusvaara, Francesca Palombini, Ludwig Seitz, and | B. Jones, Ilari Liusvaara, Francesca Palombini, Ludwig Seitz, and | |||
Göran Selander. | Göran Selander. | |||
Author's Address | Author's Address | |||
Jim Schaad | Jim Schaad | |||
August Cellars | August Cellars | |||
Email: ietf@augustcellars.com | Email: ietf@augustcellars.com | |||
End of changes. 357 change blocks. | ||||
946 lines changed or deleted | 818 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |