AES-GMAC for COSE
The Johns Hopkins University Applied Physics Laboratory
11100 Johns Hopkins Rd.
Laurel
MD
20723
United States of America
brian.sipos+ietf@gmail.com
Security
CBOR Object Signing and Encryption
GMAC
This document registers COSE algorithm code points for using the Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) to generate a Message Authentication Code (AES-GMAC).
The security strength provided by these registrations is identical to existing COSE registrations for AES-GCM authenticated encryption.
Introduction
The base COSE specification defines a container for Message Authentication Code (MAC) parameters and results.
This container is parameterized on an algorithm identifier used to verify the MAC result.
This document defines new fully specified algorithm identifiers for the use of Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) to generate a MAC (AES-GMAC) as defined in .
Unlike the use of AES-GMAC in CMS and IPsec , the COSE algorithm identifiers are "fully specified" meaning they rely on no extra parameters (e.g., tag length) to determine their exact operation.
Scope
This document does not define any new algorithms it only defines code points in a COSE registry so that the AES-GMAC can be used in that security environment with specific combinations of parameters.
To avoid confusion, the AES-GMAC algorithm family specified in this document is unrelated to the "AES-MAC" algorithm family from .
Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14
when, and only when, they appear in all capitals,
as shown here.
The AES-GMAC Family
While the general GMAC algorithm can be used with any underlying authenticated encryption with additional data (AEAD) block cipher, this document focuses on its use with the AES-GCM cipher.
The AES-GMAC defined in has a set of parameters associated with its use.
For the sake of adhering to COSE best practice about fully specifying what gets assigned an "algorithm" code point, AES-GMAC will be treated as an algorithm family with a single code point referring to the algorithm itself along with a specific set of parameter values.
The parameters associated with AES-GMAC are: key length and tag length.
This document restricts the allocated code points to the commonly used key lengths of 128, 192, and 256-bits, a fixed IV length of 96 bits (the recommended default), and restricts the use of a single tag length of 128 bits, which happens to be the longest possible tag length, as indicated in .
Future allocations can define the use of AES-GMAC with shortened tag lengths.
One required input for AES-GMAC is an initialization vector (IV) which is already provided by the header parameter "IV" from the "COSE Header Parameters" registry of .
The use of the AES-GMAC algorithms in COSE SHALL be combined with the IV header parameter in the same COSE layer.
A valid IV for these algorithms SHALL be exactly 96 bits (12 octets) in length.
The combination of key and IV SHALL be unique for each created MAC.
The IV generation mechanism SHALL be deterministic (not random).
The specifics of that mechanism are left to an implementation.
These IV and tag lengths are consistent with the COSE use of AES-GCM encryption in .
Registered AES-GMAC combinations
| COSE Value |
Algorithm |
Key Length |
IV Length |
Tag Length |
|
TBA1
|
AES-GMAC |
128 |
96 |
128 |
|
TBA2
|
AES-GMAC |
192 |
96 |
128 |
|
TBA3
|
AES-GMAC |
256 |
96 |
128 |
Implementations creating and validating AES-GMAC values SHALL validate that the key type, key length, and algorithm are correct and appropriate for the entities involved.
When using a COSE key for these algorithms, the following checks are made:
- The "kty" field MUST be present.
- The "kty" field MUST be "Symmetric".
- If the "alg" field is present, it MUST match the algorithm being used.
- If the "key_ops" field is present, it MUST include "MAC create" when creating an authentication tag.
- If the "key_ops" field is present, it MUST include "MAC verify" when verifying an authentication tag.
Security Considerations
This document does not define any new modes of operation for the GMAC algorithm, and so does not introduce any new security considerations.
All of the applicable considerations from apply when the algorithm is used in COSE.
The requirement to use non-random IV generation in is meant to satisfy the critical constraint on GMAC (and nonce-based MACs generally) described in Chapter 10 of to guarantee the uniqueness of the combination of key and IV.
Whether the mechanism is a simple counter, a determistic PRF, or something else does not affect the constraint to be non-random.
IANA Considerations
This section provides guidance to the Internet Assigned Numbers Authority (IANA) regarding registration of code points in accordance with BCP 26 .
COSE Algorithms
A new set of entries have been added to the "COSE Algorithms" registry with the following parameters.
AES-GMAC 128/128
- Name:
- AES-GMAC 128/128
- Value:
-
TBA1
- Description:
- AES-GMAC with 128-bit key and 128-bit tag
- Capabilities:
- [kty]
- Change controller:
- IESG
- Reference:
- [This document]
- Recommended:
- Yes
AES-GMAC 192/128
- Name:
- AES-GMAC 192/128
- Value:
-
TBA2
- Description:
- AES-GMAC with 192-bit key and 128-bit tag
- Capabilities:
- [kty]
- Change controller:
- IESG
- Reference:
- [This document]
- Recommended:
- Yes
AES-GMAC 256/128
- Name:
- AES-GMAC 256/128
- Value:
-
TBA3
- Description:
- AES-GMAC with 256-bit key and 128-bit tag
- Capabilities:
- [kty]
- Change controller:
- IESG
- Reference:
- [This document]
- Recommended:
- Yes
References
Normative References
CBOR Object Signing and Encryption (COSE)
IANA
Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
National Institute of Standards and Technology
Informative References
Evaluation of Some Blockcipher Modes of Operation
University of California, Davis
rogaway@cs.ucdavis.edu