]> SECOM CO., LTD.

isobekohei@gmail.com

hannes.tschofenig@gmx.net

Security COSE Internet-Draft This specification defines a method for computing a hash value over a COSE Key. It defines which fields in a COSE Key structure are used in the hash computation, the method of creating a canonical form of the fields, and how to hash the byte sequence. The resulting hash value can be used for identifying or selecting a key that is the subject of the thumbprint.

Introduction This specification defines a method for computing a hash value (a.k.a. digest) over a COSE Key structure . It defines which fields in a COSE Key structure are used in the hash computation, the method of creating a canonical form for those fields, and how to hash the byte sequence. The resulting hash value can be used for identifying or selecting the key that is the subject of the thumbprint, for instance, by using the COSE Key Thumbprint value as a "kid" (key ID) value. This specification defines how thumbprints of COSE keys are created. Additionally, a new CWT confirmation method is registered in the registry created by . See Section 3.1 of for details about the use of a confirmation claim in a CWT with a proof-of-possession key.

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

COSE Key Thumbprint The thumbprint of a COSE Key MUST be computed as follows: Construct a COSE_Key structure (see Section 7 of ) containing only the required parameters representing the key. This specification describes what those required parameters are and what, if necessary, what the unique encoding is. Apply the deterministic encoding described in Section 4.2.1 of to the representation constructed in step (1). Hash the bytes produced in step (2) with a cryptographic hash function H. For example, SHA-256 may be used as a hash function. The resulting value is the COSE Key Thumbprint with H of the COSE Key. The details of this computation are further described in subsequent sections.

Required COSE Key Parameters Only the required parameters of a key's representation are used when computing its COSE Key Thumbprint value. This section summarizes the required parameters. The "kty" (label: 1) element MUST be present for all key types and the integer value found in the IANA COSE Key Types registry MUST be used. The tstr data type is not used with the kty element. Many COSE Key parameters depend on the chosen key type. The subsection below list the required parameters for commonly used key types.

Octet Key Pair (OKP) The required parameters for elliptic curve public keys that use the OKP key type, such as X25519, are: "kty" (label: 1, data type: int, value: 1) "crv" (label: -1, value: int) "x" (label: -2, value: bstr) Details can be found in Section 7.1 of .

Elliptic Curve Keys w/ x- and y-coordinate pair The required parameters for elliptic curve public keys that use the EC2 key type, such as NIST P-256, are: "kty" (label: 1, data type: int, value: 2) "crv" (label: -1, data type: int) "x" (label: -2, data type: bstr) "y" (label: -3, data type: bstr) Details can be found in Section 7.1 of . Note: offers both compressed as well as uncompressed point representations. For interoperability, implementations following this specification MUST use the uncompressed point representation. Hence, the y-coordinate is expressed as a bstr. An implementation that uses the compressed point representation MUST compute the uncompressed representation for the purpose of the thumbprint calculation.

RSA Public Keys The required parameters for an RSA public key are: "kty" (label: 1, data type: int, value: 3) "n" (label: -1, data type: bstr) "e" (label: -2, data type: bstr)

Symmetric Keys The required parameters for a symmetric key are: "kty" (label: 1, data type: int, value: 4) "k" (label: -1, data type: bstr)

HSS-LMS The required parameters for HSS-LMS keys are: "kty" (label: 1, data type: int, value: 5) "pub" (label: -1, data type: bstr)

Others As other key type values are defined, the specifications defining them should be similarly consulted to determine which parameters, in addition to the "kty" element, are required.

Miscellaneous Considerations

Why Not Include Optional COSE Key Parameters? Optional parameters of COSE Keys are intentionally not included in the COSE Key Thumbprint computation so that their absence or presence in the COSE Key does not alter the resulting value. The COSE Key Thumbprint value is a digest of the parameters required to represent the key as a COSE Key -- not of additional data that may also accompany the key. Optional parameters are not included so that the COSE Key Thumbprint refers to a key -- not a key with an associated set of key attributes. Different application contexts might or might not include different subsets of optional attributes about the key in the COSE Key structure. If these were included in the calculation of the COSE Key Thumbprint, the values would be different for those COSE Keys, even though the keys are the same. The benefit of including only the required parameters is that the COSE Key Thumbprint of any COSE Key representing the key remains the same, regardless of any other attributes that are present. Different kinds of thumbprints could be defined by other specifications that might include some or all additional COSE Key parameters, if use cases arise where such different kinds of thumbprints would be useful.

Selection of Hash Function A specific hash function must be chosen by an application to compute the hash value of the hash input. For example, SHA-256 might be used as the hash function by the application. While SHA-256 is a good default choice at the time of writing, the hash function of choice can be expected to change over time as the cryptographic landscape evolves. Note that in many cases, only the party that creates a key will need to know the hash function used. A typical usage is for the producer of the key to use the thumbprint value as a "kid" (key ID) value. In this case, the consumer of the "kid" treats it as an opaque value that it uses to select the key. However, in some cases, multiple parties will be reproducing the COSE Key Thumbprint calculation and comparing the results. In these cases, the parties will need to know which hash function was used and use the same one.

Thumbprints of Keys Not in COSE Key Format A key need not be in COSE Key format to create a COSE Key Thumbprint of it. The only prerequisites are that the COSE Key representation of the key be defined and the party creating the COSE KEY Thumbprint be in possession of the necessary key material.

Relationship to Digests of X.509 Values COSE Key Thumbprint values are computed on the COSE Key element required to represent a key, rather than all members of a COSE Key that the key is represented in. Thus, they are more analogous to applications that use digests of X.509 Subject Public Key Info (SPKI) values, which are defined in Section 4.1.2.7 of , than to applications that use digests of complete certificate values, as the "x5t" (X.509 certificate SHA-1 thumbprint) value defined for X.509 certificate objects does. While logically equivalent to a digest of the SPKI representation of the key, a COSE Key Thumbprint is computed over the CBOR representation of that key, rather than over an ASN.1 representation of it.

Confirmation Methods introduced confirmation methods for use with CBOR Web Tokens (CWTs). CWTs have been defined in . This specification adds a new confirmation method based on COSE Key Thumbprints. The proof-of-possession key is identified using the "ckt" claim, the COSE Key Thumbprint claim. This claim contains the value of the COSE Key Thumbprint encoded as a binary string. Instead of communicating the actual COSE Key only the thumbprint is conveyed. This approach assumes that the recipient is able to obtain the identified COSE Key using the thumbprint contained in the "ckt" claim. In this case, the issuer of a CWT declares that the presenter possesses a particular key and that the recipient can cryptographically confirm the presenter's proof of possession of the key by including a "ckt" claim in the CWT. The following example demonstrates the use of the "ckt" claim in a CWT (with line-breaks inserted for editorial reasons):

registers the "ckt" claim and the confirmation method. The "ckt" claim is expected to be used in the "cnf" claim.

Example This section demonstrates the COSE Key Thumbprint computation for the following example COSE Key containing an ECC public key. For better readability, the example is first presented in JSON (with the long line broken for display purposes only).

The example above corresponds to the following CBOR encoding (with link breaks added for display purposes only):

Not all of the parameters from the example above are used in the COSE Key Thumbprint since the required parameters of an elliptic curve public key are: "kty" "crv" "x" "y" The required order based on Section 4.2.1 of is: "y" (label: -3, data type: bstr) "x" (label: -2, data type: bstr) "crv" (label: -1, data type: int) "kty" (label: 1, data type: int) The resulting COSE Key structure, in CBOR diagnostic format with line-breaks added for better readability, with the minimum parameters in the correct order are.

In CBOR encoding the result is (with line-breaks added for display purposes only):

Using SHA-256, the resulting thumbprint is:

Security Considerations A COSE Key Thumbprint will only uniquely identify a particular key if a single unambiguous COSE Key representation for that key is defined and used when computing the COSE Key Thumbprint. If two asymmetric keys are used by different parties with different key identifiers then the COSE Key Thumbprints will still be equal since the key identifier itself is not included in the thumbprint calculation (similarly to other optional parameters in the COSE_Key structure). When the inclusion of certain optional parameters in the thumbprint calcuation is important for a given application, this specification is not the appropriate choice. To promote interoperability among implementations, the SHA-256 hash algorithm is mandatory to implement. While thumbprint values are valuable for identifying legitimate keys, comparing thumbprint values is not a reliable means of excluding the use of particular keys (or transformations thereof). The reason is that an attacker may supply a key that is a transformation of a key in order to have it appear to be a different key. For instance, if a legitimate RSA key uses a modulus value N and an attacker supplies a key with modulus 3*N, the modified key would still work about 1/3 of the time, but would appear to be a different key. Producing thumbprints of symmetric keys needs to be done with care. Developers MUST ensure that the symmetric key has sufficient entropy to prevent attackers to precompute tables of symmetric keys with their corresponding hash values. This can be prevented if the symmetric key is a randomly selected key of at least 128 bit length. Using thumbprints with passwords (i.e. low-entropy secrets) is dangerous and MUST be avoided. If a developer is unable to determine whether all symmetric keys used in an application have sufficient entropy, then thumbprints of symmetric keys MUST NOT be used. In general, using thumbprints of symmetric keys should only be used in special applications. In most other deployment scenarios it is more appropriate to utilize a different naming scheme for key identifiers.

IANA Considerations IANA is requested to add the following entry to the "CWT Confirmation Methods" registry established by : Confirmation Method Name: ckt Confirmation Method Description: COSE Key Thumbprint JWT Confirmation Method Name: ckt Confirmation Key: [[TBD1]] Confirmation Value Type(s): binary string Change Controller: IESG Specification Document(s): [[This document]] IANA is furthermore asked to register the "ckt" claim to the "CBOR Web Token (CWT) Claims" registry created by : Claim Name: ckt Claim Description: COSE Key Thumbprint JWT Claim Name: ckt Claim Key: TBD1 Claim Value Type(s): byte string Change Controller: IESG Specification Document(s): [[This specification]]

Acknowledgements We would like to thank the authors of for their work on the JSON Web Key (JWK) Thumbprint specification. This document applies JWK Thumbprints to COSE Key structures. Additionally, we would like to thank Carsten Bormann, Orie Steele, Ilari Liusvaara, Laurence Lundblade, Daisuke Ajitomi, Michael Richardson, Mike Jones, and Brendan Moran for their feedback.

In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack. This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR. This document, along with RFC 9053, obsoletes RFC 8152. Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines a set of algorithms that can be used with the CBOR Object Signing and Encryption (COSE) protocol (RFC 9052). This document, along with RFC 9052, obsoletes RFC 8152. This specification describes how to declare in a CBOR Web Token (CWT) (which is defined by RFC 8392) that the presenter of the CWT possesses a particular proof-of-possession key. Being able to prove possession of a key is also sometimes described as being the holder-of-key. This specification provides equivalent functionality to "Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)" (RFC 7800) but using Concise Binary Object Representation (CBOR) and CWTs rather than JavaScript Object Notation (JSON) and JSON Web Tokens (JWTs). CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR), and CBOR Object Signing and Encryption (COSE) is used for added application-layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value. CWT is derived from JSON Web Token (JWT) but uses CBOR rather than JSON. This specification defines a method for computing a hash value over a JSON Web Key (JWK). It defines which fields in a JWK are used in the hash computation, the method of creating a canonical form for those fields, and how to convert the resulting Unicode string into a byte sequence to be hashed. The resulting hash value can be used for identifying or selecting the key represented by the JWK that is the subject of the thumbprint. Federal Information Processing Standard, FIPS This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK] The CBOR Object Signing and Encryption (COSE) message structure uses references to keys in general. For some algorithms, additional properties are defined that carry parameters relating to keys as needed. The COSE Key structure is used for transporting keys outside of COSE messages. This document extends the way that keys can be identified and transported by providing attributes that refer to or contain X.509 certificates.