]> Arm Limited

brendan.moran.ietf@gmail.com

Nordic Semiconductor

oyvind.ronningstad@gmail.com

akira.tsukamoto@gmail.com

Security SUIT Internet-Draft This document specifies algorithm profiles for SUIT manifest parsers and authors to ensure better interoperability. These profiles apply specifically to a constrained node software update use case.

Introduction Mandatory algorithms may change over time due to an evolving threat landscape. Algorithms are grouped into algorithm profiles to account for this. Profiles may be deprecated over time. SUIT will define four choices of MTI profile specifically for constrained node software update. These profiles are: One Symmetric MTI profile Two "Current" Asymmetric MTI profiles One "Future" Asymmetric MTI profile At least one MTI algorithm in each category MUST be FIPS qualified. Because SUIT presents an asymmetric communication profile, with powerful/complex manifest authors and constrained manifest recipients, the requirements for Recipients and Authors are different. Recipients MAY choose which MTI profile they wish to implement. It is RECOMMENDED that they implement the "Future" Asymmetric MTI profile. Recipients MAY implement any number of other profiles. Authors MUST implement all MTI profiles. Authors MAY implement any number of other profiles. Other use-cases of SUIT MAY define their own MTI algorithms.

Algorithms The algorithms that form a part of the profiles defined in this document are grouped into: Digest Algorithms Authentication Algorithms Key Exchange Algorithms Encryption Algorithms The COSE algorithm ID for each algorithm is given in parentheses.

Digest Algorithms SHA-256 (-16)

Authentication Algorithms Authentication Algorithms are divided into three groups: Symmetric, Asymmetric Classical, and Asymmetric Post-Quantum

Symmetric Authentication Algorithm HMAC-256 (5)

Asymmetric Classical Authentication Algorithms ES256 (-7) EdDSA (-8)

Asymmetric Post-Quantum Authentication Algorithms HSS-LMS (-46)

Key Exchange Algorithms Key Exchange Algorithms are divided into two groups: Symmetric, and Asymmetric Classical

Symmetric A128 (-3)

Asymmetric Classical COSE HPKE (TBD) ECDH-ES + HKDF-256 (-25)

Encryption Algorithms A128GCM (1)

Profiles Recognized profiles are defined below.

 Symmetric MTI profile: suit-sha256-hmac-a128-ccm This profile requires the following algorithms: SHA-256 HMAC-256 A128W Key Wrap AES-CCM-16-128-128

Current Asymmetric MTI Profile 1: suit-sha256-es256-ecdh-a128gcm This profile requires the following algorithms: SHA-256 ES256 ECDH AES-128-GCM

Current Asymmetric MTI Profile 2: suit-sha256-eddsa-ecdh-a128gcm This profile requires the following algorithms: SHA-256 EDDSA ECDH AES-128-GCM

Future Asymmetric MTI Profile: suit-sha256-hsslms-hpke-a128gcm This profile requires the following algorithms: SHA-256 HSS-LMS HPKE AES-128-GCM

Other Profiles: Optional classical and PQC profiles are defined below. suit-sha256-eddsa-ecdh-es-chacha-poly SHA-256 EdDSA ECDH-ES + HKDF-256 ChaCha20 + Poly1305 suit-sha256-falcon512-hpke-a128gcm SHA-256 Falcon-512 HPKE AES-128-GCM suit-shake256-dilithium-kyber-a128gcm SHAKE256 Crystals-Dilithium Crystal-Kyber AES-128GCM

Security Considerations For the avoidance of doubt, there are scenarios where payload or manifest encryption are not required. In these scenarios, the encryption element of the selected profile is simply not used.

IANA Considerations TODO -- back

A. Full CDDL The following CDDL creates a subset of COSE for use with SUIT. Both tagged and untagged messages are defined. SUIT only uses tagged COSE messages, but untagged messages are also defined for use in protocols that share a ciphersuite with SUIT. To be valid, the following CDDL MUST have the COSE CDDL appended to it. The COSE CDDL can be obtained by following the directions in .

.and COSE_Messages SUIT_COSE_Profile_ES256_ECDH_A128GCM = SUIT_COSE_Profile<-7,1> .and COSE_Messages SUIT_COSE_Profile_EDDSA_ECDH_A128GCM = SUIT_COSE_Profile<-8,1> .and COSE_Messages SUIT_COSE_Profile_HSSLMS_HPKE_A128GCM = SUIT_COSE_Profile<-46,1> .and COSE_Messages SUIT_COSE_Profile = SUIT_COSE_Messages SUIT_COSE_Messages = SUIT_COSE_Untagged_Message / SUIT_COSE_Tagged_Message SUIT_COSE_Untagged_Message = SUIT_COSE_Sign / SUIT_COSE_Sign1 / SUIT_COSE_Encrypt / SUIT_COSE_Encrypt0 / SUIT_COSE_Mac / SUIT_COSE_Mac0 SUIT_COSE_Tagged_Message = SUIT_COSE_Sign_Tagged / SUIT_COSE_Sign1_Tagged / SUIT_COSE_Encrypt_Tagged / SUIT_COSE_Encrypt0_Tagged / SUIT_COSE_Mac_Tagged / SUIT_COSE_Mac0_Tagged ; Note: This is not the same definition as is used in COSE. ; It restricts a COSE header definition further without ; repeating the COSE definition. It should be merged ; with COSE by using the CDDL .and operator. SUIT_COSE_Profile_Headers = ( protected : bstr .cbor SUIT_COSE_alg_map, unprotected : SUIT_COSE_header_map ) SUIT_COSE_alg_map = { 1 => algid, * int => any } SUIT_COSE_header_map = { * int => any } SUIT_COSE_Sign_Tagged = #6.98(SUIT_COSE_Sign) SUIT_COSE_Sign = [ SUIT_COSE_Profile_Headers, payload : bstr / nil, signatures : [+ SUIT_COSE_Signature] ] SUIT_COSE_Signature = [ SUIT_COSE_Profile_Headers, signature : bstr ] SUIT_COSE_Sign1_Tagged = #6.18(SUIT_COSE_Sign1) SUIT_COSE_Sign1 = [ SUIT_COSE_Profile_Headers, payload : bstr / nil, signature : bstr ] SUIT_COSE_Encrypt_Tagged = #6.96(SUIT_COSE_Encrypt) SUIT_COSE_Encrypt = [ SUIT_COSE_Profile_Headers, ciphertext : bstr / nil, recipients : [+SUIT_COSE_recipient] ] SUIT_COSE_recipient = [ SUIT_COSE_Profile_Headers, ciphertext : bstr / nil, ? recipients : [+SUIT_COSE_recipient] ] SUIT_COSE_Encrypt0_Tagged = #6.16(SUIT_COSE_Encrypt0) SUIT_COSE_Encrypt0 = [ SUIT_COSE_Profile_Headers, ciphertext : bstr / nil, ] SUIT_COSE_Mac_Tagged = #6.97(SUIT_COSE_Mac) SUIT_COSE_Mac = [ SUIT_COSE_Profile_Headers, payload : bstr / nil, tag : bstr, recipients :[+SUIT_COSE_recipient] ] SUIT_COSE_Mac0_Tagged = #6.17(SUIT_COSE_Mac0) SUIT_COSE_Mac0 = [ SUIT_COSE_Profile_Headers, payload : bstr / nil, tag : bstr, ] ]]>

Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need for the ability to have basic security services defined for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR. This document specifies the conventions for using the Hierarchical Signature System (HSS) / Leighton-Micali Signature (LMS) hash-based signature algorithm with the CBOR Object Signing and Encryption (COSE) syntax. The HSS/LMS algorithm is one form of hash-based digital signature; it is described in RFC 8554. Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR. This document, along with RFC 9053, obsoletes RFC 8152. Arm Limited Arm Limited Fraunhofer SIT Inria Nordic Semiconductor This specification describes the format of a manifest. A manifest is a bundle of metadata about code/data obtained by a recipient (chiefly the firmware for an IoT device), where to find the that code/data, the devices to which it applies, and cryptographic information protecting the manifest. Software updates and Trusted Invocation both tend to use sequences of common operations, so the manifest encodes those sequences of operations, rather than declaring the metadata.