CBOR Object Signing and Encryption B. Sipos
Internet-Draft JHU/APL
Intended status: Standards Track 12 December 2024
Expires: 15 June 2025
GMAC and KMAC for COSE and JOSE
draft-sipos-cose-gmac-kmac-00
Abstract
This document registers JOSE and COSE algorithm code points for using
two new Message Authentication Code (MAC) algorithm families. One is
the Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM)
to generate a MAC (AES-GMAC), the other is the SHA-3-derived Keccak
MAC (KMAC).
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 15 June 2025.
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Sipos Expires 15 June 2025 [Page 1]
�
Internet-Draft GMAC/KMAC in COSE/JOSE December 2024
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. Algorithm Families . . . . . . . . . . . . . . . . . . . . . 3
2.1. AES-GMAC Family . . . . . . . . . . . . . . . . . . . . . 3
2.2. KMAC Family . . . . . . . . . . . . . . . . . . . . . . . 5
3. Security Considerations . . . . . . . . . . . . . . . . . . . 6
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
4.1. COSE Algorithms . . . . . . . . . . . . . . . . . . . . . 6
4.1.1. AES-GMAC 128/128 . . . . . . . . . . . . . . . . . . 6
4.1.2. AES-GMAC 192/128 . . . . . . . . . . . . . . . . . . 7
4.1.3. AES-GMAC 256/128 . . . . . . . . . . . . . . . . . . 7
4.1.4. KMAC 128/256 . . . . . . . . . . . . . . . . . . . . 7
4.1.5. KMAC 256/512 . . . . . . . . . . . . . . . . . . . . 8
4.2. JOSE Algorithms . . . . . . . . . . . . . . . . . . . . . 8
4.2.1. A128GMAC128 . . . . . . . . . . . . . . . . . . . . . 8
4.2.2. A192GMAC128 . . . . . . . . . . . . . . . . . . . . . 8
4.2.3. A256GMAC128 . . . . . . . . . . . . . . . . . . . . . 9
4.2.4. KMAC128 . . . . . . . . . . . . . . . . . . . . . . . 9
4.2.5. KMAC256 . . . . . . . . . . . . . . . . . . . . . . . 10
5. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
5.1. Normative References . . . . . . . . . . . . . . . . . . 10
5.2. Informative References . . . . . . . . . . . . . . . . . 11
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction
The base COSE specification [RFC9052] defines a container for Message
Authentication Code (MAC) parameters and results, and the base JOSE
specification [RFC7515] defines a similar container for "Signature"
data including MAC results. Each type of container is parameterized
on an algorithm identifier used to verify the MAC result. This
document defines new fully specified algorithm identifiers for the
use of Advanced Encryption Standard (AES) in Galois/Counter Mode
(GCM) to generate a MAC (AES-GMAC) as defined in [SP800-38D], as well
as the SHA-3-derived Keccak MAC (KMAC) as defined in [SP800-185].
Unlike the use of AES-GMAC in CMS [RFC9044] and IPsec [RFC4543] or
KMAC in CMS [RFC8702], the COSE and JOSE algorithm identifiers are
"fully specified" meaning they rely on no extra parameters (_e.g._,
tag length) to determine their exact operation.
Sipos Expires 15 June 2025 [Page 2]
�
Internet-Draft GMAC/KMAC in COSE/JOSE December 2024
1.1. Scope
This document does not define any new algorithms it only defines code
points in COSE and JOSE registries so that the AES-GMAC and KMAC can
be used in those respective security environments with specific
combinations of parameters.
To avoid confusion, the AES-GMAC algorithm family specified in this
document is unrelated to the "AES-MAC" algorithm family from
Section 3.2 of [RFC9053].
1.2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14 [RFC2119]
[RFC8174] when, and only when, they appear in all capitals, as shown
here.
2. Algorithm Families
Both the AES-GMAC algorithm from [SP800-38D] and the KMAC algorithm
from [SP800-185] have a set of parameters associated with their uses.
For the sake of adhering to COSE and JOSE best practices about fully
specifying what gets assigned an "algorithm" code point in each
respective registry, the AES-GMAC and KMAC will be treated as an
_algorithm family_ with a single code point referring to the
algorithm itself along with a specific set of parameter values.
2.1. AES-GMAC Family
While the general GMAC algorithm can be used with any underlying
authenticated encryption with additional data (AEAD) block cipher,
this document focuses on its use with the AES-GCM cipher.
The parameters associated with AES-GMAC are: key length and tag
length. This document restricts the allocated code points to the
commonly used key lengths of 128, 192, and 256-bits, a fixed IV
length of 96 bits (the recommended default), and restricts the use of
a single tag length of 128 bits, which happens to be the longest
possible tag length, as indicated in Table 1. Future allocations can
define the use of AES-GMAC with shortened tag lengths.
One required input for AES-GMAC is an initialization vector (IV)
which is already provided by the header parameter "IV" from the "COSE
Header Parameters" registry of [IANA-COSE]. The use of the AES-GMAC
algorithms in COSE SHALL be combined with the IV header parameter in
the same COSE layer. A valid IV for these algorithms SHALL be
Sipos Expires 15 June 2025 [Page 3]
�
Internet-Draft GMAC/KMAC in COSE/JOSE December 2024
exactly 96 bits (12 octets) in length. The combination of key and IV
SHALL be unique for each created MAC. The IV generation mechanism
SHALL be deterministic (not random). The specifics of that mechanism
are left to an implementation.
These IV and tag lengths are consistent with the COSE use of AES-GCM
encryption in Section 4.1 of [RFC9053].
+============+=============+===========+========+========+========+
| COSE Value | JOSE Name | Algorithm | Key | IV | Tag |
| | | | Length | Length | Length |
+============+=============+===========+========+========+========+
| | A128GMAC128 | AES-GMAC | 128 | 96 | 128 |
| // TBA1 | | | | | |
+------------+-------------+-----------+--------+--------+--------+
| | A192GMAC128 | AES-GMAC | 192 | 96 | 128 |
| // TBA2 | | | | | |
+------------+-------------+-----------+--------+--------+--------+
| | A256GMAC128 | AES-GMAC | 256 | 96 | 128 |
| // TBA3 | | | | | |
+------------+-------------+-----------+--------+--------+--------+
Table 1: Registered AES-GMAC combinations
Implementations creating and validating AES-GMAC values SHALL
validate that the key type, key length, and algorithm are correct and
appropriate for the entities involved.
When using a COSE key for these algorithms, the following checks are
made:
* The "kty" field MUST be present.
* The "kty" field MUST be "Symmetric".
* If the "alg" field is present, it MUST match the algorithm being
used.
* If the "key_ops" field is present, it MUST include "MAC create"
when creating an authentication tag.
* If the "key_ops" field is present, it MUST include "MAC verify"
when verifying an authentication tag.
Sipos Expires 15 June 2025 [Page 4]
�
Internet-Draft GMAC/KMAC in COSE/JOSE December 2024
2.2. KMAC Family
The KMAC family is actually two different variants, KMAC128 and
KMAC256, related to the provided security strength of 128 and
256-bits respectively and expected to be used with identical
respective minimum key lengths.
The parameters associated with KMAC are: key length and tag length.
This document restricts the allowed code points to the commonly used
key lengths of 128 and 256-bits and restricts the use of a single
"standard" tag length for each variant as indicated in Table 2.
Future allocations can define the use of KMAC with other tag lengths.
An optional input for KMAC is a "customization bit string" used as
additional context data. When used with COSE the KMAC customization
bit string SHALL be the ASCII [RFC20] text string "COSE" without null
termination. When used with JOSE the KMAC customization bit string
SHALL be the ASCII [RFC20] text string "JOSE" without null
termination.
+============+===========+===========+============+============+
| COSE Value | JOSE Name | Algorithm | Key Length | Tag Length |
+============+===========+===========+============+============+
| | KMAC128 | KMAC128 | 128 | 256 |
| // TBA4 | | | | |
+------------+-----------+-----------+------------+------------+
| | KMAC256 | KMAC256 | 256 | 512 |
| // TBA5 | | | | |
+------------+-----------+-----------+------------+------------+
Table 2: Registered KMAC combinations
Implementations creating and validating KMAC values SHALL validate
that the key type, key length, and algorithm are correct and
appropriate for the entities involved.
When using a COSE key for these algorithms, the following checks are
made:
* The "kty" field MUST be present.
* The "kty" field MUST be "Symmetric".
* If the "alg" field is present, it MUST match the algorithm being
used.
* If the "key_ops" field is present, it MUST include "MAC create"
when creating an authentication tag.
Sipos Expires 15 June 2025 [Page 5]
�
Internet-Draft GMAC/KMAC in COSE/JOSE December 2024
* If the "key_ops" field is present, it MUST include "MAC verify"
when verifying an authentication tag.
3. Security Considerations
This document does not define any new modes of operation for the
relevant MAC algorithms, and so does not introduce any new security
considerations. All of the applicable considerations from
[SP800-38D] and [SP800-185] apply when the algorithm is used in COSE
or JOSE.
The requirement to use non-random IV generation in Section 2.1 is
meant to satisfy the critical constraint on GMAC (and nonce-based
MACs generally) described in Chapter 10 of [PR2011] to guarantee the
uniqueness of the combination of key and IV. Whether the mechanism
is a simple counter, a determistic PRF, or something else does not
affect the constraint to be non-random.
4. IANA Considerations
This section provides guidance to the Internet Assigned Numbers
Authority (IANA) regarding registration of code points in accordance
with BCP 26 [RFC1155].
4.1. COSE Algorithms
A new set of entries have been added to the "COSE Algorithms"
registry [IANA-COSE] with the following parameters.
4.1.1. AES-GMAC 128/128
Name: AES-GMAC 128/128
Value:
// TBA1
Description: AES-GMAC with 128-bit key and 128-bit tag
Capabilities: [kty]
Change controller: IESG
Reference: [This document]
Recommended: Yes
Sipos Expires 15 June 2025 [Page 6]
�
Internet-Draft GMAC/KMAC in COSE/JOSE December 2024
4.1.2. AES-GMAC 192/128
Name: AES-GMAC 192/128
Value:
// TBA2
Description: AES-GMAC with 192-bit key and 128-bit tag
Capabilities: [kty]
Change controller: IESG
Reference: [This document]
Recommended: Yes
4.1.3. AES-GMAC 256/128
Name: AES-GMAC 256/128
Value:
// TBA3
Description: AES-GMAC with 256-bit key and 128-bit tag
Capabilities: [kty]
Change controller: IESG
Reference: [This document]
Recommended: Yes
4.1.4. KMAC 128/256
Name: KMAC 128/256
Value:
// TBA4
Description: KMAC128 with 128-bit key and 256-bit tag
Capabilities: [kty]
Change controller: IESG
Reference: [This document]
Sipos Expires 15 June 2025 [Page 7]
�
Internet-Draft GMAC/KMAC in COSE/JOSE December 2024
Recommended: Yes
4.1.5. KMAC 256/512
Name: KMAC 256/512
Value:
// TBA5
Description: KMAC256 with 256-bit key and 512-bit tag
Capabilities: [kty]
Change controller: IESG
Reference: [This document]
Recommended: Yes
4.2. JOSE Algorithms
A new set of entries have been added to the "JSON Web Signature and
Encryption Algorithms" registry [IANA-JOSE] with the following
parameters.
4.2.1. A128GMAC128
Algorithm Name: A128GMAC128
Algorithm Description: AES-GMAC with 128-bit key and 128-bit tag
Algorithm Usage Location(s): alg
JOSE Implementation Requirements: Optional
Change controller: IESG
Reference: [This document]
Recommended: Yes
Algorithm Analysis Document(s): [SP800-38D]
4.2.2. A192GMAC128
Algorithm Name: A192GMAC128
Algorithm Description: AES-GMAC with 192-bit key and 128-bit tag
Sipos Expires 15 June 2025 [Page 8]
�
Internet-Draft GMAC/KMAC in COSE/JOSE December 2024
Algorithm Usage Location(s): alg
JOSE Implementation Requirements: Optional
Change controller: IESG
Reference: [This document]
Recommended: Yes
Algorithm Analysis Document(s): [SP800-38D]
4.2.3. A256GMAC128
Algorithm Name: A256GMAC128
Algorithm Description: AES-GMAC with 256-bit key and 128-bit tag
Algorithm Usage Location(s): alg
JOSE Implementation Requirements: Optional
Change controller: IESG
Reference: [This document]
Recommended: Yes
Algorithm Analysis Document(s): [SP800-38D]
4.2.4. KMAC128
Algorithm Name: KMAC128
Algorithm Description: KMAC with 128-bit key and 256-bit tag
Algorithm Usage Location(s): alg
JOSE Implementation Requirements: Optional
Change controller: IESG
Reference: [This document]
Recommended: Yes
Algorithm Analysis Document(s): [SP800-185]
Sipos Expires 15 June 2025 [Page 9]
�
Internet-Draft GMAC/KMAC in COSE/JOSE December 2024
4.2.5. KMAC256
Algorithm Name: KMAC256
Algorithm Description: KMAC with 256-bit key and 512-bit tag
Algorithm Usage Location(s): alg
JOSE Implementation Requirements: Optional
Change controller: IESG
Reference: [This document]
Recommended: Yes
Algorithm Analysis Document(s): [SP800-185]
// Others TBD
5. References
5.1. Normative References
[IANA-COSE]
IANA, "CBOR Object Signing and Encryption (COSE)",
.
[IANA-JOSE]
IANA, "JSON Object Signing and Encryption (JOSE)",
.
[RFC20] Cerf, V., "ASCII format for network interchange", STD 80,
RFC 20, DOI 10.17487/RFC0020, October 1969,
.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
.
[RFC7515] Jones, M., Bradley, J., and N. Sakimura, "JSON Web
Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May
2015, .
Sipos Expires 15 June 2025 [Page 10]
�
Internet-Draft GMAC/KMAC in COSE/JOSE December 2024
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, .
[RFC9052] Schaad, J., "CBOR Object Signing and Encryption (COSE):
Structures and Process", STD 96, RFC 9052,
DOI 10.17487/RFC9052, August 2022,
.
[SP800-38D]
National Institute of Standards and Technology,
"Recommendation for Block Cipher Modes of Operation:
Galois/Counter Mode (GCM) and GMAC", November 2007,
.
[SP800-185]
National Institute of Standards and Technology, "SHA-3
Derived Functions: cSHAKE, KMAC, TupleHash, and
ParallelHash", December 2016,
.
5.2. Informative References
[PR2011] Rogaway, P., "Evaluation of Some Blockcipher Modes of
Operation", 10 February 2011,
.
[RFC1155] Rose, M. and K. McCloghrie, "Structure and identification
of management information for TCP/IP-based internets",
STD 16, RFC 1155, DOI 10.17487/RFC1155, May 1990,
.
[RFC4543] McGrew, D. and J. Viega, "The Use of Galois Message
Authentication Code (GMAC) in IPsec ESP and AH", RFC 4543,
DOI 10.17487/RFC4543, May 2006,
.
[RFC8702] Kampanakis, P. and Q. Dang, "Use of the SHAKE One-Way Hash
Functions in the Cryptographic Message Syntax (CMS)",
RFC 8702, DOI 10.17487/RFC8702, January 2020,
.
[RFC9044] Housley, R., "Using the AES-GMAC Algorithm with the
Cryptographic Message Syntax (CMS)", RFC 9044,
DOI 10.17487/RFC9044, June 2021,
.
Sipos Expires 15 June 2025 [Page 11]
�
Internet-Draft GMAC/KMAC in COSE/JOSE December 2024
[RFC9053] Schaad, J., "CBOR Object Signing and Encryption (COSE):
Initial Algorithms", RFC 9053, DOI 10.17487/RFC9053,
August 2022, .
Author's Address
Brian Sipos
The Johns Hopkins University Applied Physics Laboratory
11100 Johns Hopkins Rd.
Laurel, MD 20723
United States of America
Email: brian.sipos+ietf@gmail.com
Sipos Expires 15 June 2025 [Page 12]