CBOR Object Signing and Encryption                              B. Sipos
Internet-Draft                                                   JHU/APL
Intended status: Standards Track                        12 December 2024
Expires: 15 June 2025


                    GMAC and KMAC for COSE and JOSE
                     draft-sipos-cose-gmac-kmac-00

Abstract

   This document registers JOSE and COSE algorithm code points for using
   two new Message Authentication Code (MAC) algorithm families.  One is
   the Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM)
   to generate a MAC (AES-GMAC), the other is the SHA-3-derived Keccak
   MAC (KMAC).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 15 June 2025.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.




Sipos                     Expires 15 June 2025                  [Page 1]

Internet-Draft           GMAC/KMAC in COSE/JOSE            December 2024


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Scope . . . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.2.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Algorithm Families  . . . . . . . . . . . . . . . . . . . . .   3
     2.1.  AES-GMAC Family . . . . . . . . . . . . . . . . . . . . .   3
     2.2.  KMAC Family . . . . . . . . . . . . . . . . . . . . . . .   5
   3.  Security Considerations . . . . . . . . . . . . . . . . . . .   6
   4.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   6
     4.1.  COSE Algorithms . . . . . . . . . . . . . . . . . . . . .   6
       4.1.1.  AES-GMAC 128/128  . . . . . . . . . . . . . . . . . .   6
       4.1.2.  AES-GMAC 192/128  . . . . . . . . . . . . . . . . . .   7
       4.1.3.  AES-GMAC 256/128  . . . . . . . . . . . . . . . . . .   7
       4.1.4.  KMAC 128/256  . . . . . . . . . . . . . . . . . . . .   7
       4.1.5.  KMAC 256/512  . . . . . . . . . . . . . . . . . . . .   8
     4.2.  JOSE Algorithms . . . . . . . . . . . . . . . . . . . . .   8
       4.2.1.  A128GMAC128 . . . . . . . . . . . . . . . . . . . . .   8
       4.2.2.  A192GMAC128 . . . . . . . . . . . . . . . . . . . . .   8
       4.2.3.  A256GMAC128 . . . . . . . . . . . . . . . . . . . . .   9
       4.2.4.  KMAC128 . . . . . . . . . . . . . . . . . . . . . . .   9
       4.2.5.  KMAC256 . . . . . . . . . . . . . . . . . . . . . . .  10
   5.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  10
     5.1.  Normative References  . . . . . . . . . . . . . . . . . .  10
     5.2.  Informative References  . . . . . . . . . . . . . . . . .  11
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  12

1.  Introduction

   The base COSE specification [RFC9052] defines a container for Message
   Authentication Code (MAC) parameters and results, and the base JOSE
   specification [RFC7515] defines a similar container for "Signature"
   data including MAC results.  Each type of container is parameterized
   on an algorithm identifier used to verify the MAC result.  This
   document defines new fully specified algorithm identifiers for the
   use of Advanced Encryption Standard (AES) in Galois/Counter Mode
   (GCM) to generate a MAC (AES-GMAC) as defined in [SP800-38D], as well
   as the SHA-3-derived Keccak MAC (KMAC) as defined in [SP800-185].

   Unlike the use of AES-GMAC in CMS [RFC9044] and IPsec [RFC4543] or
   KMAC in CMS [RFC8702], the COSE and JOSE algorithm identifiers are
   "fully specified" meaning they rely on no extra parameters (_e.g._,
   tag length) to determine their exact operation.








Sipos                     Expires 15 June 2025                  [Page 2]

Internet-Draft           GMAC/KMAC in COSE/JOSE            December 2024


1.1.  Scope

   This document does not define any new algorithms it only defines code
   points in COSE and JOSE registries so that the AES-GMAC and KMAC can
   be used in those respective security environments with specific
   combinations of parameters.

   To avoid confusion, the AES-GMAC algorithm family specified in this
   document is unrelated to the "AES-MAC" algorithm family from
   Section 3.2 of [RFC9053].

1.2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in BCP 14 [RFC2119]
   [RFC8174] when, and only when, they appear in all capitals, as shown
   here.

2.  Algorithm Families

   Both the AES-GMAC algorithm from [SP800-38D] and the KMAC algorithm
   from [SP800-185] have a set of parameters associated with their uses.
   For the sake of adhering to COSE and JOSE best practices about fully
   specifying what gets assigned an "algorithm" code point in each
   respective registry, the AES-GMAC and KMAC will be treated as an
   _algorithm family_ with a single code point referring to the
   algorithm itself along with a specific set of parameter values.

2.1.  AES-GMAC Family

   While the general GMAC algorithm can be used with any underlying
   authenticated encryption with additional data (AEAD) block cipher,
   this document focuses on its use with the AES-GCM cipher.

   The parameters associated with AES-GMAC are: key length and tag
   length.  This document restricts the allocated code points to the
   commonly used key lengths of 128, 192, and 256-bits, a fixed IV
   length of 96 bits (the recommended default), and restricts the use of
   a single tag length of 128 bits, which happens to be the longest
   possible tag length, as indicated in Table 1.  Future allocations can
   define the use of AES-GMAC with shortened tag lengths.

   One required input for AES-GMAC is an initialization vector (IV)
   which is already provided by the header parameter "IV" from the "COSE
   Header Parameters" registry of [IANA-COSE].  The use of the AES-GMAC
   algorithms in COSE SHALL be combined with the IV header parameter in
   the same COSE layer.  A valid IV for these algorithms SHALL be



Sipos                     Expires 15 June 2025                  [Page 3]

Internet-Draft           GMAC/KMAC in COSE/JOSE            December 2024


   exactly 96 bits (12 octets) in length.  The combination of key and IV
   SHALL be unique for each created MAC.  The IV generation mechanism
   SHALL be deterministic (not random).  The specifics of that mechanism
   are left to an implementation.

   These IV and tag lengths are consistent with the COSE use of AES-GCM
   encryption in Section 4.1 of [RFC9053].

    +============+=============+===========+========+========+========+
    | COSE Value | JOSE Name   | Algorithm | Key    | IV     | Tag    |
    |            |             |           | Length | Length | Length |
    +============+=============+===========+========+========+========+
    |            | A128GMAC128 | AES-GMAC  | 128    | 96     | 128    |
    | // TBA1    |             |           |        |        |        |
    +------------+-------------+-----------+--------+--------+--------+
    |            | A192GMAC128 | AES-GMAC  | 192    | 96     | 128    |
    | // TBA2    |             |           |        |        |        |
    +------------+-------------+-----------+--------+--------+--------+
    |            | A256GMAC128 | AES-GMAC  | 256    | 96     | 128    |
    | // TBA3    |             |           |        |        |        |
    +------------+-------------+-----------+--------+--------+--------+

                 Table 1: Registered AES-GMAC combinations

   Implementations creating and validating AES-GMAC values SHALL
   validate that the key type, key length, and algorithm are correct and
   appropriate for the entities involved.

   When using a COSE key for these algorithms, the following checks are
   made:

   *  The "kty" field MUST be present.

   *  The "kty" field MUST be "Symmetric".

   *  If the "alg" field is present, it MUST match the algorithm being
      used.

   *  If the "key_ops" field is present, it MUST include "MAC create"
      when creating an authentication tag.

   *  If the "key_ops" field is present, it MUST include "MAC verify"
      when verifying an authentication tag.








Sipos                     Expires 15 June 2025                  [Page 4]

Internet-Draft           GMAC/KMAC in COSE/JOSE            December 2024


2.2.  KMAC Family

   The KMAC family is actually two different variants, KMAC128 and
   KMAC256, related to the provided security strength of 128 and
   256-bits respectively and expected to be used with identical
   respective minimum key lengths.

   The parameters associated with KMAC are: key length and tag length.
   This document restricts the allowed code points to the commonly used
   key lengths of 128 and 256-bits and restricts the use of a single
   "standard" tag length for each variant as indicated in Table 2.
   Future allocations can define the use of KMAC with other tag lengths.

   An optional input for KMAC is a "customization bit string" used as
   additional context data.  When used with COSE the KMAC customization
   bit string SHALL be the ASCII [RFC20] text string "COSE" without null
   termination.  When used with JOSE the KMAC customization bit string
   SHALL be the ASCII [RFC20] text string "JOSE" without null
   termination.

     +============+===========+===========+============+============+
     | COSE Value | JOSE Name | Algorithm | Key Length | Tag Length |
     +============+===========+===========+============+============+
     |            | KMAC128   | KMAC128   | 128        | 256        |
     | // TBA4    |           |           |            |            |
     +------------+-----------+-----------+------------+------------+
     |            | KMAC256   | KMAC256   | 256        | 512        |
     | // TBA5    |           |           |            |            |
     +------------+-----------+-----------+------------+------------+

                  Table 2: Registered KMAC combinations

   Implementations creating and validating KMAC values SHALL validate
   that the key type, key length, and algorithm are correct and
   appropriate for the entities involved.

   When using a COSE key for these algorithms, the following checks are
   made:

   *  The "kty" field MUST be present.

   *  The "kty" field MUST be "Symmetric".

   *  If the "alg" field is present, it MUST match the algorithm being
      used.

   *  If the "key_ops" field is present, it MUST include "MAC create"
      when creating an authentication tag.



Sipos                     Expires 15 June 2025                  [Page 5]

Internet-Draft           GMAC/KMAC in COSE/JOSE            December 2024


   *  If the "key_ops" field is present, it MUST include "MAC verify"
      when verifying an authentication tag.

3.  Security Considerations

   This document does not define any new modes of operation for the
   relevant MAC algorithms, and so does not introduce any new security
   considerations.  All of the applicable considerations from
   [SP800-38D] and [SP800-185] apply when the algorithm is used in COSE
   or JOSE.

   The requirement to use non-random IV generation in Section 2.1 is
   meant to satisfy the critical constraint on GMAC (and nonce-based
   MACs generally) described in Chapter 10 of [PR2011] to guarantee the
   uniqueness of the combination of key and IV.  Whether the mechanism
   is a simple counter, a determistic PRF, or something else does not
   affect the constraint to be non-random.

4.  IANA Considerations

   This section provides guidance to the Internet Assigned Numbers
   Authority (IANA) regarding registration of code points in accordance
   with BCP 26 [RFC1155].

4.1.  COSE Algorithms

   A new set of entries have been added to the "COSE Algorithms"
   registry [IANA-COSE] with the following parameters.

4.1.1.  AES-GMAC 128/128

   Name:  AES-GMAC 128/128

   Value:
      // TBA1

   Description:  AES-GMAC with 128-bit key and 128-bit tag

   Capabilities:  [kty]

   Change controller:  IESG

   Reference:  [This document]

   Recommended:  Yes






Sipos                     Expires 15 June 2025                  [Page 6]

Internet-Draft           GMAC/KMAC in COSE/JOSE            December 2024


4.1.2.  AES-GMAC 192/128

   Name:  AES-GMAC 192/128

   Value:
      // TBA2

   Description:  AES-GMAC with 192-bit key and 128-bit tag

   Capabilities:  [kty]

   Change controller:  IESG

   Reference:  [This document]

   Recommended:  Yes

4.1.3.  AES-GMAC 256/128

   Name:  AES-GMAC 256/128

   Value:
      // TBA3

   Description:  AES-GMAC with 256-bit key and 128-bit tag

   Capabilities:  [kty]

   Change controller:  IESG

   Reference:  [This document]

   Recommended:  Yes

4.1.4.  KMAC 128/256

   Name:  KMAC 128/256

   Value:
      // TBA4

   Description:  KMAC128 with 128-bit key and 256-bit tag

   Capabilities:  [kty]

   Change controller:  IESG

   Reference:  [This document]



Sipos                     Expires 15 June 2025                  [Page 7]

Internet-Draft           GMAC/KMAC in COSE/JOSE            December 2024


   Recommended:  Yes

4.1.5.  KMAC 256/512

   Name:  KMAC 256/512

   Value:
      // TBA5

   Description:  KMAC256 with 256-bit key and 512-bit tag

   Capabilities:  [kty]

   Change controller:  IESG

   Reference:  [This document]

   Recommended:  Yes

4.2.  JOSE Algorithms

   A new set of entries have been added to the "JSON Web Signature and
   Encryption Algorithms" registry [IANA-JOSE] with the following
   parameters.

4.2.1.  A128GMAC128

   Algorithm Name:  A128GMAC128

   Algorithm Description:  AES-GMAC with 128-bit key and 128-bit tag

   Algorithm Usage Location(s):  alg

   JOSE Implementation Requirements:  Optional

   Change controller:  IESG

   Reference:  [This document]

   Recommended:  Yes

   Algorithm Analysis Document(s):  [SP800-38D]

4.2.2.  A192GMAC128

   Algorithm Name:  A192GMAC128

   Algorithm Description:  AES-GMAC with 192-bit key and 128-bit tag



Sipos                     Expires 15 June 2025                  [Page 8]

Internet-Draft           GMAC/KMAC in COSE/JOSE            December 2024


   Algorithm Usage Location(s):  alg

   JOSE Implementation Requirements:  Optional

   Change controller:  IESG

   Reference:  [This document]

   Recommended:  Yes

   Algorithm Analysis Document(s):  [SP800-38D]

4.2.3.  A256GMAC128

   Algorithm Name:  A256GMAC128

   Algorithm Description:  AES-GMAC with 256-bit key and 128-bit tag

   Algorithm Usage Location(s):  alg

   JOSE Implementation Requirements:  Optional

   Change controller:  IESG

   Reference:  [This document]

   Recommended:  Yes

   Algorithm Analysis Document(s):  [SP800-38D]

4.2.4.  KMAC128

   Algorithm Name:  KMAC128

   Algorithm Description:  KMAC with 128-bit key and 256-bit tag

   Algorithm Usage Location(s):  alg

   JOSE Implementation Requirements:  Optional

   Change controller:  IESG

   Reference:  [This document]

   Recommended:  Yes

   Algorithm Analysis Document(s):  [SP800-185]




Sipos                     Expires 15 June 2025                  [Page 9]

Internet-Draft           GMAC/KMAC in COSE/JOSE            December 2024


4.2.5.  KMAC256

   Algorithm Name:  KMAC256

   Algorithm Description:  KMAC with 256-bit key and 512-bit tag

   Algorithm Usage Location(s):  alg

   JOSE Implementation Requirements:  Optional

   Change controller:  IESG

   Reference:  [This document]

   Recommended:  Yes

   Algorithm Analysis Document(s):  [SP800-185]


   // Others TBD

5.  References

5.1.  Normative References

   [IANA-COSE]
              IANA, "CBOR Object Signing and Encryption (COSE)",
              <https://www.iana.org/assignments/cose/>.

   [IANA-JOSE]
              IANA, "JSON Object Signing and Encryption (JOSE)",
              <https://www.iana.org/assignments/jose/>.

   [RFC20]    Cerf, V., "ASCII format for network interchange", STD 80,
              RFC 20, DOI 10.17487/RFC0020, October 1969,
              <https://www.rfc-editor.org/info/rfc20>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC7515]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web
              Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May
              2015, <https://www.rfc-editor.org/info/rfc7515>.






Sipos                     Expires 15 June 2025                 [Page 10]

Internet-Draft           GMAC/KMAC in COSE/JOSE            December 2024


   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC9052]  Schaad, J., "CBOR Object Signing and Encryption (COSE):
              Structures and Process", STD 96, RFC 9052,
              DOI 10.17487/RFC9052, August 2022,
              <https://www.rfc-editor.org/info/rfc9052>.

   [SP800-38D]
              National Institute of Standards and Technology,
              "Recommendation for Block Cipher Modes of Operation:
              Galois/Counter Mode (GCM) and GMAC", November 2007,
              <https://nvlpubs.nist.gov/nistpubs/legacy/sp/
              nistspecialpublication800-38d.pdf>.

   [SP800-185]
              National Institute of Standards and Technology, "SHA-3
              Derived Functions: cSHAKE, KMAC, TupleHash, and
              ParallelHash", December 2016,
              <https://nvlpubs.nist.gov/nistpubs/specialpublications/
              nist.sp.800-185.pdf>.

5.2.  Informative References

   [PR2011]   Rogaway, P., "Evaluation of Some Blockcipher Modes of
              Operation", 10 February 2011,
              <https://www.cs.ucdavis.edu/~rogaway/papers/modes.pdf>.

   [RFC1155]  Rose, M. and K. McCloghrie, "Structure and identification
              of management information for TCP/IP-based internets",
              STD 16, RFC 1155, DOI 10.17487/RFC1155, May 1990,
              <https://www.rfc-editor.org/info/rfc1155>.

   [RFC4543]  McGrew, D. and J. Viega, "The Use of Galois Message
              Authentication Code (GMAC) in IPsec ESP and AH", RFC 4543,
              DOI 10.17487/RFC4543, May 2006,
              <https://www.rfc-editor.org/info/rfc4543>.

   [RFC8702]  Kampanakis, P. and Q. Dang, "Use of the SHAKE One-Way Hash
              Functions in the Cryptographic Message Syntax (CMS)",
              RFC 8702, DOI 10.17487/RFC8702, January 2020,
              <https://www.rfc-editor.org/info/rfc8702>.

   [RFC9044]  Housley, R., "Using the AES-GMAC Algorithm with the
              Cryptographic Message Syntax (CMS)", RFC 9044,
              DOI 10.17487/RFC9044, June 2021,
              <https://www.rfc-editor.org/info/rfc9044>.



Sipos                     Expires 15 June 2025                 [Page 11]

Internet-Draft           GMAC/KMAC in COSE/JOSE            December 2024


   [RFC9053]  Schaad, J., "CBOR Object Signing and Encryption (COSE):
              Initial Algorithms", RFC 9053, DOI 10.17487/RFC9053,
              August 2022, <https://www.rfc-editor.org/info/rfc9053>.

Author's Address

   Brian Sipos
   The Johns Hopkins University Applied Physics Laboratory
   11100 Johns Hopkins Rd.
   Laurel, MD 20723
   United States of America
   Email: brian.sipos+ietf@gmail.com







































Sipos                     Expires 15 June 2025                 [Page 12]