AES-CMAC for COSE
The Johns Hopkins University Applied Physics Laboratory
11100 Johns Hopkins Rd.
Laurel
MD
20723
United States of America
brian.sipos+ietf@gmail.com
Security
CBOR Object Signing and Encryption
CMAC
This document registers COSE algorithm code points for using the Advanced Encryption Standard (AES) in Cipher-based Message Authentication Code (CMAC) mode for use in CBOR Object Signing and Encryption (COSE) messages.
The CMAC mode of operation is an alternative to AES-CBC-MAC which is approved by US NIST FIPS 140.
Introduction
The base CBOR Object Signing and Encryption (COSE) specification defines a container for Message Authentication Code (MAC) parameters and results.
This container is parameterized on an algorithm identifier used to verify the MAC result.
This document defines new fully specified algorithm identifiers for the use of Advanced Encryption Standard (AES) in Cipher-based Message Authentication Code (CMAC) mode to generate an authentication tag as defined by US NIST .
These COSE algorithm identifiers are "fully specified" meaning they rely on no extra parameters (e.g., key length or tag length) to determine their exact operation.
The COSE algorithm code point along with the shared secret key is suffient to generate or verify the MAC tag.
The use of CMAC is an alternative to the Hash-based Message Authentication Code (HMAC) family of algorithms which relies exclusively on a block cipher instead of a cryptographic hash function.
For some implementations, cipher-based MAC can enable the use of hardware acceleration of its processing.
The CMAC mode of AES is approved by US NIST FIPS 140 .
Scope
This document does not define any new algorithms it only defines code points in a COSE registry so that the AES-CMAC can be used in that security environment with fully specified combinations of parameters.
To avoid confusion, the AES-CMAC algorithm family specified in this document is distinct from the "AES-MAC" (also known as "AES-CBC-MAC") algorithm family from .
That algorithm family is not approved by FIPS 140.
Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.
The AES-CMAC Family
While the CMAC mode can be used with any underlying encryption block cipher, this document focuses on its use with the AES cipher referred to as AES-CMAC.
For the sake of adhering to COSE best practice about fully specifying what gets assigned a COSE "algorithm" code point, AES-CMAC will be treated as an algorithm family with a single code point referring to the algorithm itself along with a specific set of parameter values.
The parameters associated with AES-CMAC are: key length and tag length.
This document restricts the allocated code points to the commonly used key lengths of 128 and 256 bits and restricts the use of a single tag length of 128 bits, which happens to be the longest possible tag length, as indicated in .
These tag lengths are consistent with the COSE use of AES-CBC-MAC in .
Future allocations can define the use of AES-CMAC with shortened tag lengths.
Registered AES-CMAC combinations
| COSE Value |
Algorithm |
Key Length |
Tag Length |
|
TBA1
|
AES-CMAC |
128 |
128 |
|
TBA3
|
AES-CMAC |
256 |
128 |
When using a COSE key for these algorithms, the following checks are made:
- The "kty" field MUST be present with a value of "Symmetric".
- The "k" field MUST match the key length for the algorithm being used.
- If the "alg" field is present, it MUST match the algorithm being used.
- If the "key_ops" field is present, it MUST include "MAC create" when creating an authentication tag.
- If the "key_ops" field is present, it MUST include "MAC verify" when verifying an authentication tag.
Security Considerations
This document does not define any new behavior of the AES-CMAC family, and so does not introduce any new security considerations.
All of the applicable considerations from NIST apply when the algorithm is used in COSE.
IANA Considerations
This section provides guidance to the Internet Assigned Numbers Authority (IANA) regarding registration of code points in accordance with BCP 26 .
COSE Algorithms
A new set of entries have been added to the "COSE Algorithms" registry with the following parameters.
- Name:
- AES-CMAC 128/128
- Value:
-
TBA1
- Description:
- AES-CMAC with 128-bit key and 128-bit tag
- Capabilities:
- [kty]
- Change controller:
- IETF
- Reference:
- [This document]
- Recommended:
- Yes
- Name:
- AES-CMAC 256/128
- Value:
-
TBA3
- Description:
- AES-CMAC with 256-bit key and 128-bit tag
- Capabilities:
- [kty]
- Change controller:
- IETF
- Reference:
- [This document]
- Recommended:
- Yes
Note to IANA: The reqested COSE algorithm code points are in the positive less-than-256 range.
References
Normative References
CBOR Object Signing and Encryption (COSE)
IANA
Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication
US National Institute of Standards and Technology
Informative References
Security Requirements for Cryptographic Modules
US National Institute of Standards and Technology