CBOR Object Signing and Encryption                              B. Sipos
Internet-Draft                                                   JHU/APL
Intended status: Standards Track                         23 January 2025
Expires: 27 July 2025


                           AES-GMAC for COSE
                        draft-sipos-cose-gmac-00

Abstract

   This document registers COSE algorithm code points for using the
   Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) to
   generate a Message Authentication Code (AES-GMAC).  The security
   strength provided by these registrations is identical to existing
   COSE registrations for AES-GCM authenticated encryption.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 27 July 2025.

Copyright Notice

   Copyright (c) 2025 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.




Sipos                     Expires 27 July 2025                  [Page 1]

Internet-Draft                  COSE GMAC                   January 2025


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Scope . . . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.2.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  The AES-GMAC Family . . . . . . . . . . . . . . . . . . . . .   3
   3.  Security Considerations . . . . . . . . . . . . . . . . . . .   4
   4.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   5
     4.1.  COSE Algorithms . . . . . . . . . . . . . . . . . . . . .   5
       4.1.1.  AES-GMAC 128/128  . . . . . . . . . . . . . . . . . .   5
       4.1.2.  AES-GMAC 192/128  . . . . . . . . . . . . . . . . . .   5
       4.1.3.  AES-GMAC 256/128  . . . . . . . . . . . . . . . . . .   6
   5.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   6
     5.1.  Normative References  . . . . . . . . . . . . . . . . . .   6
     5.2.  Informative References  . . . . . . . . . . . . . . . . .   6
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   7

1.  Introduction

   The base COSE specification [RFC9052] defines a container for Message
   Authentication Code (MAC) parameters and results.  This container is
   parameterized on an algorithm identifier used to verify the MAC
   result.  This document defines new fully specified algorithm
   identifiers for the use of Advanced Encryption Standard (AES) in
   Galois/Counter Mode (GCM) to generate a MAC (AES-GMAC) as defined in
   [SP800-38D].

   Unlike the use of AES-GMAC in CMS [RFC9044] and IPsec [RFC4543], the
   COSE algorithm identifiers are "fully specified" meaning they rely on
   no extra parameters (_e.g._, tag length) to determine their exact
   operation.

1.1.  Scope

   This document does not define any new algorithms it only defines code
   points in a COSE registry so that the AES-GMAC can be used in that
   security environment with specific combinations of parameters.

   To avoid confusion, the AES-GMAC algorithm family specified in this
   document is unrelated to the "AES-MAC" algorithm family from
   Section 3.2 of [RFC9053].










Sipos                     Expires 27 July 2025                  [Page 2]

Internet-Draft                  COSE GMAC                   January 2025


1.2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in BCP 14 [RFC2119]
   [RFC8174] when, and only when, they appear in all capitals, as shown
   here.

2.  The AES-GMAC Family

   While the general GMAC algorithm can be used with any underlying
   authenticated encryption with additional data (AEAD) block cipher,
   this document focuses on its use with the AES-GCM cipher.

   The AES-GMAC defined in [SP800-38D] has a set of parameters
   associated with its use.  For the sake of adhering to COSE best
   practice about fully specifying what gets assigned an "algorithm"
   code point, AES-GMAC will be treated as an _algorithm family_ with a
   single code point referring to the algorithm itself along with a
   specific set of parameter values.

   The parameters associated with AES-GMAC are: key length and tag
   length.  This document restricts the allocated code points to the
   commonly used key lengths of 128, 192, and 256-bits, a fixed IV
   length of 96 bits (the recommended default), and restricts the use of
   a single tag length of 128 bits, which happens to be the longest
   possible tag length, as indicated in Table 1.  Future allocations can
   define the use of AES-GMAC with shortened tag lengths.

   One required input for AES-GMAC is an initialization vector (IV)
   which is already provided by the header parameter "IV" from the "COSE
   Header Parameters" registry of [IANA-COSE].  The use of the AES-GMAC
   algorithms in COSE SHALL be combined with the IV header parameter in
   the same COSE layer.  A valid IV for these algorithms SHALL be
   exactly 96 bits (12 octets) in length.  The combination of key and IV
   SHALL be unique for each created MAC.  The IV generation mechanism
   SHALL be deterministic (not random).  The specifics of that mechanism
   are left to an implementation.

   These IV and tag lengths are consistent with the COSE use of AES-GCM
   encryption in Section 4.1 of [RFC9053].










Sipos                     Expires 27 July 2025                  [Page 3]

Internet-Draft                  COSE GMAC                   January 2025


     +============+===========+============+===========+============+
     | COSE Value | Algorithm | Key Length | IV Length | Tag Length |
     +============+===========+============+===========+============+
     |            | AES-GMAC  | 128        | 96        | 128        |
     | // TBA1    |           |            |           |            |
     +------------+-----------+------------+-----------+------------+
     |            | AES-GMAC  | 192        | 96        | 128        |
     | // TBA2    |           |            |           |            |
     +------------+-----------+------------+-----------+------------+
     |            | AES-GMAC  | 256        | 96        | 128        |
     | // TBA3    |           |            |           |            |
     +------------+-----------+------------+-----------+------------+

                Table 1: Registered AES-GMAC combinations

   Implementations creating and validating AES-GMAC values SHALL
   validate that the key type, key length, and algorithm are correct and
   appropriate for the entities involved.

   When using a COSE key for these algorithms, the following checks are
   made:

   *  The "kty" field MUST be present.

   *  The "kty" field MUST be "Symmetric".

   *  If the "alg" field is present, it MUST match the algorithm being
      used.

   *  If the "key_ops" field is present, it MUST include "MAC create"
      when creating an authentication tag.

   *  If the "key_ops" field is present, it MUST include "MAC verify"
      when verifying an authentication tag.

3.  Security Considerations

   This document does not define any new modes of operation for the GMAC
   algorithm, and so does not introduce any new security considerations.
   All of the applicable considerations from [SP800-38D] apply when the
   algorithm is used in COSE.

   The requirement to use non-random IV generation in Section 2 is meant
   to satisfy the critical constraint on GMAC (and nonce-based MACs
   generally) described in Chapter 10 of [PR2011] to guarantee the
   uniqueness of the combination of key and IV.  Whether the mechanism
   is a simple counter, a determistic PRF, or something else does not
   affect the constraint to be non-random.



Sipos                     Expires 27 July 2025                  [Page 4]

Internet-Draft                  COSE GMAC                   January 2025


4.  IANA Considerations

   This section provides guidance to the Internet Assigned Numbers
   Authority (IANA) regarding registration of code points in accordance
   with BCP 26 [RFC1155].

4.1.  COSE Algorithms

   A new set of entries have been added to the "COSE Algorithms"
   registry [IANA-COSE] with the following parameters.

4.1.1.  AES-GMAC 128/128

   Name:  AES-GMAC 128/128

   Value:
      // TBA1

   Description:  AES-GMAC with 128-bit key and 128-bit tag

   Capabilities:  [kty]

   Change controller:  IESG

   Reference:  [This document]

   Recommended:  Yes

4.1.2.  AES-GMAC 192/128

   Name:  AES-GMAC 192/128

   Value:
      // TBA2

   Description:  AES-GMAC with 192-bit key and 128-bit tag

   Capabilities:  [kty]

   Change controller:  IESG

   Reference:  [This document]

   Recommended:  Yes







Sipos                     Expires 27 July 2025                  [Page 5]

Internet-Draft                  COSE GMAC                   January 2025


4.1.3.  AES-GMAC 256/128

   Name:  AES-GMAC 256/128

   Value:
      // TBA3

   Description:  AES-GMAC with 256-bit key and 128-bit tag

   Capabilities:  [kty]

   Change controller:  IESG

   Reference:  [This document]

   Recommended:  Yes

5.  References

5.1.  Normative References

   [IANA-COSE]
              IANA, "CBOR Object Signing and Encryption (COSE)",
              <https://www.iana.org/assignments/cose/>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC9052]  Schaad, J., "CBOR Object Signing and Encryption (COSE):
              Structures and Process", STD 96, RFC 9052,
              DOI 10.17487/RFC9052, August 2022,
              <https://www.rfc-editor.org/info/rfc9052>.

   [SP800-38D]
              National Institute of Standards and Technology,
              "Recommendation for Block Cipher Modes of Operation:
              Galois/Counter Mode (GCM) and GMAC", November 2007,
              <https://nvlpubs.nist.gov/nistpubs/legacy/sp/
              nistspecialpublication800-38d.pdf>.

5.2.  Informative References




Sipos                     Expires 27 July 2025                  [Page 6]

Internet-Draft                  COSE GMAC                   January 2025


   [PR2011]   Rogaway, P., "Evaluation of Some Blockcipher Modes of
              Operation", 10 February 2011,
              <https://www.cs.ucdavis.edu/~rogaway/papers/modes.pdf>.

   [RFC1155]  Rose, M. and K. McCloghrie, "Structure and identification
              of management information for TCP/IP-based internets",
              STD 16, RFC 1155, DOI 10.17487/RFC1155, May 1990,
              <https://www.rfc-editor.org/info/rfc1155>.

   [RFC4543]  McGrew, D. and J. Viega, "The Use of Galois Message
              Authentication Code (GMAC) in IPsec ESP and AH", RFC 4543,
              DOI 10.17487/RFC4543, May 2006,
              <https://www.rfc-editor.org/info/rfc4543>.

   [RFC9044]  Housley, R., "Using the AES-GMAC Algorithm with the
              Cryptographic Message Syntax (CMS)", RFC 9044,
              DOI 10.17487/RFC9044, June 2021,
              <https://www.rfc-editor.org/info/rfc9044>.

   [RFC9053]  Schaad, J., "CBOR Object Signing and Encryption (COSE):
              Initial Algorithms", RFC 9053, DOI 10.17487/RFC9053,
              August 2022, <https://www.rfc-editor.org/info/rfc9053>.

Author's Address

   Brian Sipos
   The Johns Hopkins University Applied Physics Laboratory
   11100 Johns Hopkins Rd.
   Laurel, MD 20723
   United States of America
   Email: brian.sipos+ietf@gmail.com




















Sipos                     Expires 27 July 2025                  [Page 7]