draft-ietf-cose-msg-23.txt   draft-ietf-cose-msg-24.txt 
COSE Working Group J. Schaad COSE Working Group J. Schaad
Internet-Draft August Cellars Internet-Draft August Cellars
Intended status: Standards Track October 18, 2016 Intended status: Standards Track November 22, 2016
Expires: April 21, 2017 Expires: May 26, 2017
CBOR Object Signing and Encryption (COSE) CBOR Object Signing and Encryption (COSE)
draft-ietf-cose-msg-23 draft-ietf-cose-msg-24
Abstract Abstract
Concise Binary Object Representation (CBOR) is data format designed Concise Binary Object Representation (CBOR) is data format designed
for small code size and small message size. There is a need for the for small code size and small message size. There is a need for the
ability to have basic security services defined for this data format. ability to have basic security services defined for this data format.
This document defines the CBOR Object Signing and Encryption (COSE) This document defines the CBOR Object Signing and Encryption (COSE)
specification. This specification describes how to create and specification. This specification describes how to create and
process signature, message authentication codes and encryption using process signature, message authentication codes and encryption using
CBOR for serialization. This specification additionally specifies CBOR for serialization. This specification additionally specifies
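Review bot: The abstract is carried into -24 unchanged and still has two wording slips: "Concise Binary Object Representation (CBOR) is data format designed" is missing the article ("is a data format designed"), and "how to create and process signature, message authentication codes and encryption" mixes singular and plural ("create and process signatures, message authentication codes and encryption"). Both are worth fixing while the document is being revised.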
skipping to change at page 1, line 45 skipping to change at page 1, line 45
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 21, 2017. This Internet-Draft will expire on May 26, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 36 skipping to change at page 2, line 36
1.4. CBOR Related Terminology . . . . . . . . . . . . . . . . 7 1.4. CBOR Related Terminology . . . . . . . . . . . . . . . . 7
1.5. Document Terminology . . . . . . . . . . . . . . . . . . 8 1.5. Document Terminology . . . . . . . . . . . . . . . . . . 8
2. Basic COSE Structure . . . . . . . . . . . . . . . . . . . . 8 2. Basic COSE Structure . . . . . . . . . . . . . . . . . . . . 8
3. Header Parameters . . . . . . . . . . . . . . . . . . . . . . 10 3. Header Parameters . . . . . . . . . . . . . . . . . . . . . . 10
3.1. Common COSE Headers Parameters . . . . . . . . . . . . . 12 3.1. Common COSE Headers Parameters . . . . . . . . . . . . . 12
4. Signing Objects . . . . . . . . . . . . . . . . . . . . . . . 16 4. Signing Objects . . . . . . . . . . . . . . . . . . . . . . . 16
4.1. Signing with One or More Signers . . . . . . . . . . . . 16 4.1. Signing with One or More Signers . . . . . . . . . . . . 16
4.2. Signing with One Signer . . . . . . . . . . . . . . . . . 18 4.2. Signing with One Signer . . . . . . . . . . . . . . . . . 18
4.3. Externally Supplied Data . . . . . . . . . . . . . . . . 19 4.3. Externally Supplied Data . . . . . . . . . . . . . . . . 19
4.4. Signing and Verification Process . . . . . . . . . . . . 20 4.4. Signing and Verification Process . . . . . . . . . . . . 20
4.5. Computing Counter Signatures . . . . . . . . . . . . . . 21 4.5. Computing Counter Signatures . . . . . . . . . . . . . . 22
5. Encryption Objects . . . . . . . . . . . . . . . . . . . . . 22 5. Encryption Objects . . . . . . . . . . . . . . . . . . . . . 22
5.1. Enveloped COSE Structure . . . . . . . . . . . . . . . . 22 5.1. Enveloped COSE Structure . . . . . . . . . . . . . . . . 22
5.1.1. Content Key Distribution Methods . . . . . . . . . . 24 5.1.1. Content Key Distribution Methods . . . . . . . . . . 24
5.2. Single Recipient Encrypted . . . . . . . . . . . . . . . 25 5.2. Single Recipient Encrypted . . . . . . . . . . . . . . . 25
5.3. How to encrypt and decrypt for AEAD Algorithms . . . . . 25 5.3. How to encrypt and decrypt for AEAD Algorithms . . . . . 25
5.4. How to encrypt and decrypt for AE Algorithms . . . . . . 28 5.4. How to encrypt and decrypt for AE Algorithms . . . . . . 28
6. MAC Objects . . . . . . . . . . . . . . . . . . . . . . . . . 29 6. MAC Objects . . . . . . . . . . . . . . . . . . . . . . . . . 29
6.1. MACed Message with Recipients . . . . . . . . . . . . . . 30 6.1. MACed Message with Recipients . . . . . . . . . . . . . . 30
6.2. MACed Messages with Implicit Key . . . . . . . . . . . . 31 6.2. MACed Messages with Implicit Key . . . . . . . . . . . . 31
6.3. How to compute and verify a MAC . . . . . . . . . . . . . 31 6.3. How to compute and verify a MAC . . . . . . . . . . . . . 31
skipping to change at page 4, line 14 skipping to change at page 4, line 14
16.10. CoAP Content-Format Registrations . . . . . . . . . . . 85 16.10. CoAP Content-Format Registrations . . . . . . . . . . . 85
16.11. Expert Review Instructions . . . . . . . . . . . . . . . 86 16.11. Expert Review Instructions . . . . . . . . . . . . . . . 86
17. Implementation Status . . . . . . . . . . . . . . . . . . . . 87 17. Implementation Status . . . . . . . . . . . . . . . . . . . . 87
17.1. Author's Versions . . . . . . . . . . . . . . . . . . . 88 17.1. Author's Versions . . . . . . . . . . . . . . . . . . . 88
17.2. COSE Testing Library . . . . . . . . . . . . . . . . . . 88 17.2. COSE Testing Library . . . . . . . . . . . . . . . . . . 88
18. Security Considerations . . . . . . . . . . . . . . . . . . . 89 18. Security Considerations . . . . . . . . . . . . . . . . . . . 89
19. References . . . . . . . . . . . . . . . . . . . . . . . . . 91 19. References . . . . . . . . . . . . . . . . . . . . . . . . . 91
19.1. Normative References . . . . . . . . . . . . . . . . . . 91 19.1. Normative References . . . . . . . . . . . . . . . . . . 91
19.2. Informative References . . . . . . . . . . . . . . . . . 92 19.2. Informative References . . . . . . . . . . . . . . . . . 92
Appendix A. Making Mandatory Algorithm Header Optional . . . . . 95 Appendix A. Guidelines for External Data Authentication of
Algorithms . . . . . . . . . . . . . . . . . . . . . 95
A.1. Algorithm Identification . . . . . . . . . . . . . . . . 95 A.1. Algorithm Identification . . . . . . . . . . . . . . . . 95
A.2. Counter Signature Without Headers . . . . . . . . . . . . 98 A.2. Counter Signature Without Headers . . . . . . . . . . . . 98
Appendix B. Two Layers of Recipient Information . . . . . . . . 99 Appendix B. Two Layers of Recipient Information . . . . . . . . 99
Appendix C. Examples . . . . . . . . . . . . . . . . . . . . . . 101 Appendix C. Examples . . . . . . . . . . . . . . . . . . . . . . 101
C.1. Examples of Signed Message . . . . . . . . . . . . . . . 102 C.1. Examples of Signed Message . . . . . . . . . . . . . . . 102
C.1.1. Single Signature . . . . . . . . . . . . . . . . . . 102 C.1.1. Single Signature . . . . . . . . . . . . . . . . . . 102
C.1.2. Multiple Signers . . . . . . . . . . . . . . . . . . 103 C.1.2. Multiple Signers . . . . . . . . . . . . . . . . . . 103
C.1.3. Counter Signature . . . . . . . . . . . . . . . . . . 104 C.1.3. Counter Signature . . . . . . . . . . . . . . . . . . 104
C.1.4. Signature w/ Criticality . . . . . . . . . . . . . . 105 C.1.4. Signature w/ Criticality . . . . . . . . . . . . . . 105
C.2. Single Signer Examples . . . . . . . . . . . . . . . . . 106 C.2. Single Signer Examples . . . . . . . . . . . . . . . . . 106
skipping to change at page 10, line 9 skipping to change at page 10, line 9
4. When a COSE object is carried as a CoAP payload, the CoAP 4. When a COSE object is carried as a CoAP payload, the CoAP
Content-Format Option can be used to identify the message Content-Format Option can be used to identify the message
content. The CoAP Content-Format values can be found in content. The CoAP Content-Format values can be found in
Table 26. The CBOR tag for the message structure is not required Table 26. The CBOR tag for the message structure is not required
as each security message is uniquely identified. as each security message is uniquely identified.
+-------+---------------+---------------+---------------------------+ +-------+---------------+---------------+---------------------------+
| CBOR | cose-type | Data Item | Semantics | | CBOR | cose-type | Data Item | Semantics |
| Tag | | | | | Tag | | | |
+-------+---------------+---------------+---------------------------+ +-------+---------------+---------------+---------------------------+
| TBD1 | cose-sign | COSE_Sign | COSE Signed Data Object | | 98 | cose-sign | COSE_Sign | COSE Signed Data Object |
| | | | | | | | | |
| TBD7 | cose-sign1 | COSE_Sign1 | COSE Single Signer Data | | 18 | cose-sign1 | COSE_Sign1 | COSE Single Signer Data |
| | | | Object | | | | | Object |
| | | | | | | | | |
| TBD2 | cose-encrypt | COSE_Encrypt | COSE Encrypted Data | | 96 | cose-encrypt | COSE_Encrypt | COSE Encrypted Data |
| | | | Object | | | | | Object |
| | | | | | | | | |
| TBD3 | cose-encrypt0 | COSE_Encrypt0 | COSE Single Recipient | | 16 | cose-encrypt0 | COSE_Encrypt0 | COSE Single Recipient |
| | | | Encrypted Data Object | | | | | Encrypted Data Object |
| | | | | | | | | |
| TBD4 | cose-mac | COSE_Mac | COSE Mac-ed Data Object | | 97 | cose-mac | COSE_Mac | COSE Mac-ed Data Object |
| | | | | | | | | |
| TBD6 | cose-mac0 | COSE_Mac0 | COSE Mac w/o Recipients | | 17 | cose-mac0 | COSE_Mac0 | COSE Mac w/o Recipients |
| | | | Object | | | | | Object |
+-------+---------------+---------------+---------------------------+ +-------+---------------+---------------+---------------------------+
Table 1: COSE Message Identification Table 1: COSE Message Identification
The following CDDL fragment identifies all of the top messages The following CDDL fragment identifies all of the top messages
defined in this document. Separate non-terminals are defined for the defined in this document. Separate non-terminals are defined for the
tagged and the untagged versions of the messages. tagged and the untagged versions of the messages.
COSE_Messages = COSE_Untagged_Message / COSE_Tagged_Message COSE_Messages = COSE_Untagged_Message / COSE_Tagged_Message
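Review bot: With Table 1 now carrying the assigned tag values (98, 18, 96, 16, 97, 17), the prose in Sections 4.1, 4.2, 5.1, 5.2, 6.1 and 6.2 still says each structure is "identified by the CBOR tag TBD1" (TBD7, TBD2, TBD3, TBD4, TBD6) while the CDDL fragment directly under that sentence uses the number, e.g. "COSE_Sign_Tagged = #6.98(COSE_Sign)". Replace the TBDn references in the prose with the assigned values so the prose and the CDDL give the same identifier, and confirm the same values appear in the IANA registration section.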
skipping to change at page 12, line 45 skipping to change at page 12, line 45
3.1. Common COSE Headers Parameters 3.1. Common COSE Headers Parameters
This section defines a set of common header parameters. A summary of This section defines a set of common header parameters. A summary of
these parameters can be found in Table 2. This table should be these parameters can be found in Table 2. This table should be
consulted to determine the value of label, and the type of the value. consulted to determine the value of label, and the type of the value.
The set of header parameters defined in this section are: The set of header parameters defined in this section are:
alg: This parameter is used to indicate the algorithm used for the alg: This parameter is used to indicate the algorithm used for the
security processing. This parameter MUST be present in the security processing. This parameter MUST be authenticated where
COSE_Signature, COSE_Sign1, COSE_Encrypt, COSE_Encrypt0, COSE_Mac, the ability to do so exists. This support is provided by AEAD
and COSE_Mac0 structures. When the algorithm supports algorithms or construction (COSE_Sign, COSE_Sign0, COSE_Mac and
authenticating associated data, this parameter MUST be in the COSE_Mac0). This authentication can be done either by placing the
protected header bucket. The value is taken from the "COSE header in the protected header bucket or as part of the externally
Algorithms" Registry (see Section 16.4). supplied data. The value is taken from the "COSE Algorithms"
Registry (see Section 16.4).
crit: The parameter is used to indicate which protected header crit: The parameter is used to indicate which protected header
labels an application that is processing a message is required to labels an application that is processing a message is required to
understand. Parameters defined in this document do not need to be understand. Parameters defined in this document do not need to be
included as they should be understood by all implementations. included as they should be understood by all implementations.
When present, this parameter MUST be placed in the protected When present, this parameter MUST be placed in the protected
header bucket. The array MUST have at least one value in it. header bucket. The array MUST have at least one value in it.
Not all labels need to be included in the 'crit' parameter. The Not all labels need to be included in the 'crit' parameter. The
rules for deciding which header labels are placed in the array rules for deciding which header labels are placed in the array
are: are:
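Review bot: The rewritten alg text names "COSE_Sign0" among the constructions that authenticate the header, but the structure defined in Table 1 is COSE_Sign1; correct the name. The rewrite also drops the -23 sentence "This parameter MUST be present in the COSE_Signature, COSE_Sign1, COSE_Encrypt, COSE_Encrypt0, COSE_Mac, and COSE_Mac0 structures" without replacing it, so the text no longer says whether alg may be omitted from the message when it is carried in the externally supplied data. Suggest stating that explicitly, and adding that a recipient that obtains the algorithm from the external data or application context must use that value and must not accept an alg taken from an unprotected header, which is the cross-checking bug Appendix A already warns about. "provided by AEAD algorithms or construction" should read "or by construction".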
skipping to change at page 17, line 12 skipping to change at page 17, line 12
signature algorithm. This allows recipients to verify the signature signature algorithm. This allows recipients to verify the signature
associated with one algorithm or the other. (The original source of associated with one algorithm or the other. (The original source of
this text is [RFC5652].) More detailed information on multiple this text is [RFC5652].) More detailed information on multiple
signature evaluation can be found in [RFC5752]. signature evaluation can be found in [RFC5752].
The signature structure can be encoded either as tagged or untagged The signature structure can be encoded either as tagged or untagged
depending on the context it will be used in. A tagged COSE_Sign depending on the context it will be used in. A tagged COSE_Sign
structure is identified by the CBOR tag TBD1. The CDDL fragment that structure is identified by the CBOR tag TBD1. The CDDL fragment that
represents this is: represents this is:
COSE_Sign_Tagged = #6.991(COSE_Sign) ; Replace 991 with TBD1 COSE_Sign_Tagged = #6.98(COSE_Sign)
A COSE Signed Message is defined in two parts. The CBOR object that A COSE Signed Message is defined in two parts. The CBOR object that
carries the body and information about the body is called the carries the body and information about the body is called the
COSE_Sign structure. The CBOR object that carries the signature and COSE_Sign structure. The CBOR object that carries the signature and
information about the signature is called the COSE_Signature information about the signature is called the COSE_Signature
structure. Examples of COSE Signed Messages can be found in structure. Examples of COSE Signed Messages can be found in
Appendix C.1. Appendix C.1.
The COSE_Sign structure is a CBOR array. The fields of the array in The COSE_Sign structure is a CBOR array. The fields of the array in
order are: order are:
skipping to change at page 18, line 29 skipping to change at page 18, line 29
field is a bstr. Algorithms MUST specify padding if the signature field is a bstr. Algorithms MUST specify padding if the signature
value is not a multiple of 8 bits. value is not a multiple of 8 bits.
The CDDL fragment that represents the above text for COSE_Signature The CDDL fragment that represents the above text for COSE_Signature
follows. follows.
COSE_Signature = [ COSE_Signature = [
Headers, Headers,
signature : bstr signature : bstr
] ]
4.2. Signing with One Signer 4.2. Signing with One Signer
The COSE_Sign1 signature structure is used when only one signature is The COSE_Sign1 signature structure is used when only one signature is
going to be placed on a message. The parameters dealing with the going to be placed on a message. The parameters dealing with the
content and the signature are placed in the same pair of buckets content and the signature are placed in the same pair of buckets
rather than having the separation of COSE_Sign. rather than having the separation of COSE_Sign.
The structure can be encoded either tagged or untagged depending on The structure can be encoded either tagged or untagged depending on
the context it will be used in. A tagged COSE_Sign1 structure is the context it will be used in. A tagged COSE_Sign1 structure is
identified by the CBOR tag TBD7. The CDDL fragment that represents identified by the CBOR tag TBD7. The CDDL fragment that represents
this is: this is:
COSE_Sign1_Tagged = #6.997(COSE_Sign1) ; Replace 997 with TBD7 COSE_Sign1_Tagged = #6.18(COSE_Sign1)
The CBOR object that carries the body, the signature, and the The CBOR object that carries the body, the signature, and the
information about the body and signature is called the COSE_Sign1 information about the body and signature is called the COSE_Sign1
structure. Examples of COSE_Sign1 messages can be found in structure. Examples of COSE_Sign1 messages can be found in
Appendix C.2. Appendix C.2.
The COSE_Sign1 structure is a CBOR array. The fields of the array in The COSE_Sign1 structure is a CBOR array. The fields of the array in
order are: order are:
protected as described in Section 3. protected as described in Section 3.
skipping to change at page 23, line 21 skipping to change at page 23, line 27
recipient layer. Two structures are defined: COSE_Encrypt to hold recipient layer. Two structures are defined: COSE_Encrypt to hold
the encrypted content and COSE_recipient to hold the encrypted keys the encrypted content and COSE_recipient to hold the encrypted keys
for recipients. Examples of encrypted messages can be found in for recipients. Examples of encrypted messages can be found in
Appendix C.3. Appendix C.3.
The COSE_Encrypt structure can be encoded either tagged or untagged The COSE_Encrypt structure can be encoded either tagged or untagged
depending on the context it will be used in. A tagged COSE_Encrypt depending on the context it will be used in. A tagged COSE_Encrypt
structure is identified by the CBOR tag TBD2. The CDDL fragment that structure is identified by the CBOR tag TBD2. The CDDL fragment that
represents this is: represents this is:
COSE_Encrypt_Tagged = #6.992(COSE_Encrypt) ; Replace 992 with TBD2 COSE_Encrypt_Tagged = #6.96(COSE_Encrypt)
The COSE_Encrypt structure is a CBOR array. The fields of the array The COSE_Encrypt structure is a CBOR array. The fields of the array
in order are: in order are:
protected as described in Section 3. protected as described in Section 3.
unprotected as described in Section 3. ' unprotected as described in Section 3. '
ciphertext contains the cipher text encoded as a bstr. If the ciphertext contains the cipher text encoded as a bstr. If the
cipher text is to be transported independently of the control cipher text is to be transported independently of the control
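Review bot: The COSE_Encrypt field list carries a stray apostrophe in both versions, "unprotected as described in Section 3. '"; drop it. The same list writes "ciphertext" as the field name and "cipher text" in its description; use one spelling.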
skipping to change at page 25, line 24 skipping to change at page 25, line 27
identified to the recipient, the enveloped structure ought to be identified to the recipient, the enveloped structure ought to be
used. used.
Examples of encrypted messages can be found in Appendix C.3. Examples of encrypted messages can be found in Appendix C.3.
The COSE_Encrypt0 structure can be encoded either tagged or untagged The COSE_Encrypt0 structure can be encoded either tagged or untagged
depending on the context it will be used in. A tagged COSE_Encrypt0 depending on the context it will be used in. A tagged COSE_Encrypt0
structure is identified by the CBOR tag TBD3. The CDDL fragment that structure is identified by the CBOR tag TBD3. The CDDL fragment that
represents this is: represents this is:
COSE_Encrypt0_Tagged = #6.993(COSE_Encrypt0) ; Replace 993 with TBD3 COSE_Encrypt0_Tagged = #6.16(COSE_Encrypt0)
The COSE_Encrypt0 structure is a CBOR array. The fields of the array The COSE_Encrypt0 structure is a CBOR array. The fields of the array
in order are: in order are:
protected as described in Section 3. protected as described in Section 3.
unprotected as described in Section 3. unprotected as described in Section 3.
ciphertext as described in Section 5.1. ciphertext as described in Section 5.1.
skipping to change at page 30, line 18 skipping to change at page 30, line 18
COSE_Mac structure defined in this section for carrying the body and COSE_Mac structure defined in this section for carrying the body and
the COSE_recipient structure (Section 5.1) to hold the key used for the COSE_recipient structure (Section 5.1) to hold the key used for
the MAC computation. Examples of MACed messages can be found in the MAC computation. Examples of MACed messages can be found in
Appendix C.5. Appendix C.5.
The MAC structure can be encoded either tagged or untagged depending The MAC structure can be encoded either tagged or untagged depending
on the context it will be used in. A tagged COSE_Mac structure is on the context it will be used in. A tagged COSE_Mac structure is
identified by the CBOR tag TBD4. The CDDL fragment that represents identified by the CBOR tag TBD4. The CDDL fragment that represents
this is: this is:
COSE_Mac_Tagged = #6.994(COSE_Mac) ; Replace 994 with TBD4 COSE_Mac_Tagged = #6.97(COSE_Mac)
The COSE_Mac structure is a CBOR array. The fields of the array in The COSE_Mac structure is a CBOR array. The fields of the array in
order are: order are:
protected as described in Section 3. protected as described in Section 3.
unprotected as described in Section 3. unprotected as described in Section 3.
payload contains the serialized content to be MACed. If the payload payload contains the serialized content to be MACed. If the payload
is not present in the message, the application is required to is not present in the message, the application is required to
skipping to change at page 31, line 20 skipping to change at page 31, line 20
The MACed message uses the COSE_Mac0 structure defined in this The MACed message uses the COSE_Mac0 structure defined in this
section for carrying the body. Examples of MACed messages with an section for carrying the body. Examples of MACed messages with an
implicit key can be found in Appendix C.6. implicit key can be found in Appendix C.6.
The MAC structure can be encoded either tagged or untagged depending The MAC structure can be encoded either tagged or untagged depending
on the context it will be used in. A tagged COSE_Mac0 structure is on the context it will be used in. A tagged COSE_Mac0 structure is
identified by the CBOR tag TBD6. The CDDL fragment that represents identified by the CBOR tag TBD6. The CDDL fragment that represents
this is: this is:
COSE_Mac0_Tagged = #6.996(COSE_Mac0) ; Replace 996 with TBD6 COSE_Mac0_Tagged = #6.17(COSE_Mac0)
The COSE_Mac0 structure is a CBOR array. The fields of the array in The COSE_Mac0 structure is a CBOR array. The fields of the array in
order are: order are:
protected as described in Section 3. protected as described in Section 3.
unprotected as described in Section 3. unprotected as described in Section 3.
payload as described in Section 6.1. payload as described in Section 6.1.
skipping to change at page 93, line 14 skipping to change at page 93, line 14
[I-D.moriarty-pkcs5-v2dot1] [I-D.moriarty-pkcs5-v2dot1]
Moriarty, K., Kaliski, B., and A. Rusch, "PKCS #5: Moriarty, K., Kaliski, B., and A. Rusch, "PKCS #5:
Password-Based Cryptography Specification Version 2.1", Password-Based Cryptography Specification Version 2.1",
draft-moriarty-pkcs5-v2dot1-04 (work in progress), draft-moriarty-pkcs5-v2dot1-04 (work in progress),
September 2016. September 2016.
[I-D.selander-ace-object-security] [I-D.selander-ace-object-security]
Selander, G., Mattsson, J., Palombini, F., and L. Seitz, Selander, G., Mattsson, J., Palombini, F., and L. Seitz,
"Object Security of CoAP (OSCOAP)", draft-selander-ace- "Object Security of CoAP (OSCOAP)", draft-selander-ace-
object-security-05 (work in progress), July 2016. object-security-06 (work in progress), October 2016.
[PVSig] Brown, D. and D. Johnson, "Formal Security Proofs for a [PVSig] Brown, D. and D. Johnson, "Formal Security Proofs for a
Signature Scheme with Partial Message Recover", February Signature Scheme with Partial Message Recover", February
2000. 2000.
[RFC2633] Ramsdell, B., Ed., "S/MIME Version 3 Message [RFC2633] Ramsdell, B., Ed., "S/MIME Version 3 Message
Specification", RFC 2633, DOI 10.17487/RFC2633, June 1999, Specification", RFC 2633, DOI 10.17487/RFC2633, June 1999,
<http://www.rfc-editor.org/info/rfc2633>. <http://www.rfc-editor.org/info/rfc2633>.
[RFC4231] Nystrom, M., "Identifiers and Test Vectors for HMAC-SHA- [RFC4231] Nystrom, M., "Identifiers and Test Vectors for HMAC-SHA-
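Review bot: The [PVSig] entry title reads "Formal Security Proofs for a Signature Scheme with Partial Message Recover"; the last word looks truncated and should read "Recovery". Confirm against the cited paper before the next revision.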
skipping to change at page 95, line 27 skipping to change at page 95, line 27
[SP800-56A] [SP800-56A]
Barker, E., Chen, L., Roginsky, A., and M. Smid, "NIST Barker, E., Chen, L., Roginsky, A., and M. Smid, "NIST
Special Publication 800-56A: Recommendation for Pair-Wise Special Publication 800-56A: Recommendation for Pair-Wise
Key Establishment Schemes Using Discrete Logarithm Key Establishment Schemes Using Discrete Logarithm
Cryptography", May 2013. Cryptography", May 2013.
[W3C.WebCrypto] [W3C.WebCrypto]
Watson, M., "Web Cryptography API", July 2016. Watson, M., "Web Cryptography API", July 2016.
Appendix A. Making Mandatory Algorithm Header Optional Appendix A. Guidelines for External Data Authentication of Algorithms
There has been a portion of the working group who have expressed a There has been a portion of the working group who have expressed a
strong desire to relax the rule that the algorithm identifier be strong desire to relax the rule that the algorithm identifier be
required to appear in each level of a COSE object. There are two required to appear in each level of a COSE object. There are two
basic reasons that have been advanced to support this position. basic reasons that have been advanced to support this position.
First, the resulting message will be smaller if the algorithm First, the resulting message will be smaller if the algorithm
identifier is omitted from the most common messages in a CoAP identifier is omitted from the most common messages in a CoAP
environment. Second, there is a potential bug that will arise if environment. Second, there is a potential bug that will arise if
full checking is not done correctly between the different places that full checking is not done correctly between the different places that
an algorithm identifier could be placed (the message itself, an an algorithm identifier could be placed (the message itself, an
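Review bot: The retitled Appendix A ("Guidelines for External Data Authentication of Algorithms") still opens with the -23 text about "a portion of the working group" wanting "to relax the rule that the algorithm identifier be required to appear in each level of a COSE object". Since Section 3.1 in -24 now allows alg to be authenticated through the externally supplied data, that rule has in effect been relaxed, so the opening paragraph should be rewritten as guidance on doing that safely (in particular the cross-checking bug it mentions) rather than as a record of the argument. The A.1 and A.2 titles in the table of contents ("Algorithm Identification", "Counter Signature Without Headers") should also be checked against the new heading.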
skipping to change at page 100, line 15 skipping to change at page 100, line 15
o Layer 0: Has a content encrypted with AES-GCM using a 128-bit key. o Layer 0: Has a content encrypted with AES-GCM using a 128-bit key.
o Layer 1: Uses the AES Key wrap algorithm with a 128-bit key. o Layer 1: Uses the AES Key wrap algorithm with a 128-bit key.
o Layer 2: Uses ECDH Ephemeral-Static direct to generate the layer 1 o Layer 2: Uses ECDH Ephemeral-Static direct to generate the layer 1
key. key.
In effect, this example is a decomposed version of using the ECDH- In effect, this example is a decomposed version of using the ECDH-
ES+A128KW algorithm. ES+A128KW algorithm.
Size of binary file is 184 bytes Size of binary file is 183 bytes
992( 96(
[ [
/ protected / h'a10101' / { / protected / h'a10101' / {
\ alg \ 1:1 \ AES-GCM 128 \ \ alg \ 1:1 \ AES-GCM 128 \
} / , } / ,
/ unprotected / { / unprotected / {
/ iv / 5:h'02d1f7e6f26c43d4868d87ce' / iv / 5:h'02d1f7e6f26c43d4868d87ce'
}, },
/ ciphertext / h'64f84d913ba60a76070a9a48f26e97e863e2852948658f0 / ciphertext / h'64f84d913ba60a76070a9a48f26e97e863e2852948658f0
811139868826e89218a75715b', 811139868826e89218a75715b',
/ recipients / [ / recipients / [
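Review bot: The one-byte reduction in the reported size (184 to 183 bytes) is fully explained by the tag change: tag 992 needs a three-byte head (0xd9 0x03 0xe0) while tag 96 needs two (0xd8 0x60), and no other byte of the shown structure differs. A line in the change log saying the examples were re-encoded with the assigned tags would save readers from looking for a second difference.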
skipping to change at page 102, line 44 skipping to change at page 102, line 44
//artwork[@type='CDDL']/text() //artwork[@type='CDDL']/text()
C.1. Examples of Signed Message C.1. Examples of Signed Message
C.1.1. Single Signature C.1.1. Single Signature
This example uses the following: This example uses the following:
o Signature Algorithm: ECDSA w/ SHA-256, Curve P-256 o Signature Algorithm: ECDSA w/ SHA-256, Curve P-256
Size of binary file is 104 bytes Size of binary file is 103 bytes
991( 98(
[ [
/ protected / h'', / protected / h'',
/ unprotected / {}, / unprotected / {},
/ payload / 'This is the content.', / payload / 'This is the content.',
/ signatures / [ / signatures / [
[ [
/ protected / h'a10126' / { / protected / h'a10126' / {
\ alg \ 1:-7 \ ECDSA 256 \ \ alg \ 1:-7 \ ECDSA 256 \
} / , } / ,
/ unprotected / { / unprotected / {
/ kid / 4:'11' / kid / 4:'11'
}, },
/ signature / h'eae868ecc176883766c5dc5ba5b8dca25dab3c2e56a5 / signature / h'e2aeafd40d69d19dfe6e52077c5d7ff4e408282cbefb
51ce5705b793914348e14eea4aee6e0c9f09db4ef3ddeca8f3506cd1a98a8fb64327 5d06cbf414af2e19d982ac45ac98b8544c908b4507de1e90b717c3d34816fe926a2b
be470355c9657ce0' 98f53afd2fa0f30a'
] ]
] ]
] ]
) )
C.1.2. Multiple Signers C.1.2. Multiple Signers
This example uses the following: This example uses the following:
o Signature Algorithm: ECDSA w/ SHA-256, Curve P-256 o Signature Algorithm: ECDSA w/ SHA-256, Curve P-256
o Signature Algorithm: ECDSA w/ SHA-512, Curve P-521 o Signature Algorithm: ECDSA w/ SHA-512, Curve P-521
Size of binary file is 278 bytes Size of binary file is 277 bytes
991( 98(
[ [
/ protected / h'', / protected / h'',
/ unprotected / {}, / unprotected / {},
/ payload / 'This is the content.', / payload / 'This is the content.',
/ signatures / [ / signatures / [
[ [
/ protected / h'a10126' / { / protected / h'a10126' / {
\ alg \ 1:-7 \ ECDSA 256 \ \ alg \ 1:-7 \ ECDSA 256 \
} / , } / ,
/ unprotected / { / unprotected / {
/ kid / 4:'11' / kid / 4:'11'
}, },
/ signature / h'0dc1c5e62719d8f3cce1468b7c881eee6a8088b46bf8 / signature / h'e2aeafd40d69d19dfe6e52077c5d7ff4e408282cbefb
36ae956dd38fe93199199951a6a5e02a24aed5edde3509748366b1c539aaef7dea34 5d06cbf414af2e19d982ac45ac98b8544c908b4507de1e90b717c3d34816fe926a2b
f2cd618fe19fe55d' 98f53afd2fa0f30a'
], ],
[ [
/ protected / h'a1013823' / { / protected / h'a1013823' / {
\ alg \ 1:-36 \ alg \ 1:-36
} / , } / ,
/ unprotected / { / unprotected / {
/ kid / 4:'bilbo.baggins@hobbiton.example' / kid / 4:'bilbo.baggins@hobbiton.example'
}, },
/ signature / h'012ce5b1dfe8b5aa6eaa09a54c58a84ad0900e4fdf27 / signature / h'00a2d28a7c2bdb1587877420f65adf7d0b9a06635dd1
59ec22d1c861cccd75c7e1c4025a2da35e512fc2874d6ac8fd862d09ad07ed2deac2 de64bb62974c863f0b160dd2163734034e6ac003b01e8705524c5c4ca479a952f024
97b897561e04a8d42476017c11a4a34e26c570c9eff22c1dc84d56cdf6e03ed34bc9 7ee8cb0b4fb7397ba08d009e0c8bf482270cc5771aa143966e5a469a09f613488030
e934c5fdf676c7948d79e97dfe161730217c57748aadb364a0207cee811e9dde65ae c5b07ec6d722e3835adb5b2d8c44e95ffb13877dd2582866883535de3bb03d01753f
37942e8a8348cc91' 83ab87bb4f7a0297'
] ]
] ]
] ]
) )
C.1.3. Counter Signature C.1.3. Counter Signature
This example uses the following: This example uses the following:
o Signature Algorithm: ECDSA w/ SHA-256, Curve P-256 o Signature Algorithm: ECDSA w/ SHA-256, Curve P-256
o The same parameters are used for both the signature and the o The same parameters are used for both the signature and the
counter signature. counter signature.
Size of binary file is 181 bytes Size of binary file is 180 bytes
991( 98(
[ [
/ protected / h'', / protected / h'',
/ unprotected / { / unprotected / {
/ countersign / 7:[ / countersign / 7:[
/ protected / h'a10126' / { / protected / h'a10126' / {
\ alg \ 1:-7 \ ECDSA 256 \ \ alg \ 1:-7 \ ECDSA 256 \
} / , } / ,
/ unprotected / { / unprotected / {
/ kid / 4:'11' / kid / 4:'11'
}, },
/ signature / h'c9d3402485aa585cee3efc69b14496c0b00714584b26 / signature / h'5ac05e289d5d0e1b0a7f048a5d2b643813ded50bc9e4
0f8e05764b7dbc70ae2b23b89812f5895b805f07a792f7ce77ef6d63875dc37d6a78 9220f4f7278f85f19d4a77d655c9d3b51e805a74b099e1e085aacd97fc29d72f887e
ef4d175da45c9a51' 8802bb6650cceb2c'
] ]
}, },
/ payload / 'This is the content.', / payload / 'This is the content.',
/ signatures / [ / signatures / [
[ [
/ protected / h'a10126' / { / protected / h'a10126' / {
\ alg \ 1:-7 \ ECDSA 256 \ \ alg \ 1:-7 \ ECDSA 256 \
} / , } / ,
/ unprotected / { / unprotected / {
/ kid / 4:'11' / kid / 4:'11'
}, },
/ signature / h'eae868ecc176883766c5dc5ba5b8dca25dab3c2e56a5 / signature / h'e2aeafd40d69d19dfe6e52077c5d7ff4e408282cbefb
51ce5705b793914348e14eea4aee6e0c9f09db4ef3ddeca8f3506cd1a98a8fb64327 5d06cbf414af2e19d982ac45ac98b8544c908b4507de1e90b717c3d34816fe926a2b
be470355c9657ce0' 98f53afd2fa0f30a'
] ]
] ]
] ]
) )
C.1.4. Signature w/ Criticality C.1.4. Signature w/ Criticality
This example uses the following: This example uses the following:
o Signature Algorithm: ECDSA w/ SHA-256, Curve P-256 o Signature Algorithm: ECDSA w/ SHA-256, Curve P-256
o There is a criticality marker on the "reserved" header parameter o There is a criticality marker on the "reserved" header parameter
Size of binary file is 126 bytes Size of binary file is 125 bytes
991( 98(
[ [
/ protected / h'a2687265736572766564f40281687265736572766564' / / protected / h'a2687265736572766564f40281687265736572766564' /
{ {
"reserved":false, "reserved":false,
\ crit \ 2:[ \ crit \ 2:[
"reserved" "reserved"
] ]
} / , } / ,
/ unprotected / {}, / unprotected / {},
/ payload / 'This is the content.', / payload / 'This is the content.',
/ signatures / [ / signatures / [
[ [
/ protected / h'a10126' / { / protected / h'a10126' / {
\ alg \ 1:-7 \ ECDSA 256 \ \ alg \ 1:-7 \ ECDSA 256 \
} / , } / ,
/ unprotected / { / unprotected / {
/ kid / 4:'11' / kid / 4:'11'
}, },
/ signature / h'eae868ecc176883766c5dc5ba5b8dca25dab3c2e56a5 / signature / h'3fc54702aa56e1b2cb20284294c9106a63f91bac658d
51ce5705b793914348e1ff259ead2c38d8a7d8a9c87c2ce534d762dab059773115a6 69351210a031d8fc7c5ff3e4be39445b1a3e83e1510d1aca2f2e8a7c081c7645042b
176fa780e85b6b25' 18aba9d1fad1bd9c'
] ]
] ]
] ]
) )
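The protected headers in these vectors are shown as bytes beside their diagnostic form (h'a10126' is {1:-7}, h'a1013823' is {1:-36}, and C.1.4's header carries a "crit" array naming "reserved"), and the outer tags 991, 992, 993, 994, 996 and 997 of the -23 column become 98, 96, 16, 97, 17 and 18 in -24, which is where the one- and two-byte size drops come from. The Python below is an added example, not code from the draft or the COSE working group: a minimal CBOR decoder that covers only the major types these headers use, the recipient-side "crit" check that COSE requires (every label listed under crit must be understood, or the message is rejected), and a CBOR tag-head encoder that reproduces those size deltas. The label constants, the Tagged tuple and the function names are this example's own.

```python
"""Minimal CBOR decoder for COSE header buckets, the "crit" check, and tag sizes.

Added example, not code from the draft. Standard library only; it handles
just the CBOR major types the headers on this page use and rejects all
others, which is the safest posture for a parser on the receiving side.
"""
from collections import namedtuple

Tagged = namedtuple("Tagged", "tag value")  # this example's representation of a CBOR tag
ALG, CRIT, KID = 1, 2, 4                     # COSE common header labels seen on this page


def _take(buf, pos, n):
    """Slice n bytes at pos, refusing to read past the end of the buffer."""
    if pos + n > len(buf):
        raise ValueError("truncated CBOR item")
    return buf[pos:pos + n], pos + n


def _head(buf, pos):
    """Parse one initial byte plus its argument: (major type, argument, next pos)."""
    ib, pos = _take(buf, pos, 1)
    major, info = ib[0] >> 5, ib[0] & 0x1F
    if info < 24:
        return major, info, pos
    width = {24: 1, 25: 2, 26: 4, 27: 8}.get(info)
    if width is None:
        raise ValueError("indefinite-length or reserved encoding not allowed in COSE headers")
    if major == 7 and width > 1:
        raise ValueError("floating-point values are not used in COSE headers")
    raw, pos = _take(buf, pos, width)
    return major, int.from_bytes(raw, "big"), pos


def _decode(buf, pos):
    major, arg, pos = _head(buf, pos)
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major in (2, 3):
        raw, pos = _take(buf, pos, arg)
        return (bytes(raw) if major == 2 else raw.decode("utf-8")), pos
    if major == 4:
        items = []
        for _ in range(arg):
            item, pos = _decode(buf, pos)
            items.append(item)
        return items, pos
    if major == 5:
        m = {}
        for _ in range(arg):
            key, pos = _decode(buf, pos)
            val, pos = _decode(buf, pos)
            if key in m:
                raise ValueError("duplicate map key %r" % (key,))
            m[key] = val
        return m, pos
    if major == 6:
        inner, pos = _decode(buf, pos)
        return Tagged(arg, inner), pos
    simple = {20: False, 21: True, 22: None}  # major type 7
    if arg in simple:
        return simple[arg], pos
    raise ValueError("unsupported simple value %d" % arg)


def decode(buf):
    """Decode exactly one CBOR item; trailing bytes are an error, not ignored."""
    buf = bytes(buf)
    value, pos = _decode(buf, 0)
    if pos != len(buf):
        raise ValueError("%d trailing bytes after CBOR item" % (len(buf) - pos))
    return value


def protected_header(bucket):
    """Protected bucket -> map. COSE serializes an empty protected map as h''."""
    if len(bucket) == 0:
        return {}
    hdr = decode(bucket)
    if not isinstance(hdr, dict):
        raise ValueError("protected header must be a CBOR map")
    return hdr


def crit_ok(protected_bucket, understood):
    """COSE 'crit' rule: every label in the protected crit array (label 2) must be one
    this recipient understands, else the message is rejected. crit is honoured only
    from the protected bucket, so the unprotected bucket is never consulted."""
    hdr = protected_header(protected_bucket)
    if CRIT not in hdr:
        return True
    labels = hdr[CRIT]
    if not isinstance(labels, list) or not labels:
        return False  # crit must be a non-empty array
    return all(label in understood for label in labels)


def tag_head(tag):
    """Head bytes of a CBOR tag (major type 6); the tagged item follows them."""
    if tag < 24:
        return bytes([0xC0 | tag])
    if tag < 1 << 8:
        return bytes([0xD8, tag])
    if tag < 1 << 16:
        return b"\xD9" + tag.to_bytes(2, "big")
    if tag < 1 << 32:
        return b"\xDA" + tag.to_bytes(4, "big")
    return b"\xDB" + tag.to_bytes(8, "big")


def size_delta(old_tag, new_tag):
    """Change in message size when only the outer tag changes (negative = smaller)."""
    return len(tag_head(new_tag)) - len(tag_head(old_tag))


if __name__ == "__main__":
    crit_hdr = bytes.fromhex("a2687265736572766564f40281687265736572766564")  # C.1.4
    for h in ("a10126", "a1013823", crit_hdr.hex()):
        print(h, "->", protected_header(bytes.fromhex(h)))
    print("C.1.4 accepted if 'reserved' is understood:", crit_ok(crit_hdr, {ALG, KID, "reserved"}))
    print("C.1.4 accepted otherwise:", crit_ok(crit_hdr, {ALG, KID}))
    print("tag 991->98:", size_delta(991, 98), "bytes; tag 997->18:", size_delta(997, 18), "bytes")
```

The decoder refuses indefinite-length items, floats and duplicate map keys rather than guessing, which is what you want when the header map decides which algorithm and key are used downstream; the size arithmetic confirms that the -24 vectors differ from -23 only by the tag where the signature bytes are unchanged.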
C.2. Single Signer Examples C.2. Single Signer Examples
C.2.1. Single ECDSA signature C.2.1. Single ECDSA signature
This example uses the following: This example uses the following:
o Signature Algorithm: ECDSA w/ SHA-256, Curve P-256 o Signature Algorithm: ECDSA w/ SHA-256, Curve P-256
Size of binary file is 100 bytes Size of binary file is 98 bytes
997( 18(
[ [
/ protected / h'a10126' / { / protected / h'a10126' / {
\ alg \ 1:-7 \ ECDSA 256 \ \ alg \ 1:-7 \ ECDSA 256 \
} / , } / ,
/ unprotected / { / unprotected / {
/ kid / 4:'11' / kid / 4:'11'
}, },
/ payload / 'This is the content.', / payload / 'This is the content.',
/ signature / h'eae868ecc176883766c5dc5ba5b8dca25dab3c2e56a551ce / signature / h'eae868ecc176883766c5dc5ba5b8dca25dab3c2e56a551ce
5705b793914348e19f43d6c6ba654472da301b645b293c9ba939295b97c4bdb84778 5705b793914348e19f43d6c6ba654472da301b645b293c9ba939295b97c4bdb84778
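Review bot: in the -23 column the signatures under kid '11' in C.1.3, C.1.4 and C.2.1 all begin with the same 32 bytes (eae868ec...b793914348e1) while their second halves differ and the signed inputs differ (C.1.4 has the crit map as body protected header, and C.2.1 is a COSE_Sign1 with a different Sig_structure); for ECDSA that first half is r, which depends only on the per-signature nonce k, so the three were produced with the same k, the textbook nonce-reuse condition under which two signatures reveal the private key. The test keys are published in this appendix, so nothing is at stake for the vectors, but they should be generated with fresh random or RFC 6979 deterministic nonces. The -24 column regenerates C.1.3 and C.1.4 but leaves C.2.1 byte-for-byte unchanged (same r), and its size drop from 100 to 98 bytes is exactly the outer tag going from 997 (three-byte head d9 03 e5) to 18 (one-byte head d2), so that signature was not recomputed; regenerate it along with the others.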
skipping to change at page 107, line 29 skipping to change at page 107, line 29
C.3. Examples of Enveloped Messages C.3. Examples of Enveloped Messages
C.3.1. Direct ECDH C.3.1. Direct ECDH
This example uses the following: This example uses the following:
o CEK: AES-GCM w/ 128-bit key o CEK: AES-GCM w/ 128-bit key
o Recipient class: ECDH Ephemeral-Static, Curve P-256 o Recipient class: ECDH Ephemeral-Static, Curve P-256
Size of binary file is 152 bytes Size of binary file is 151 bytes
992( 96(
[ [
/ protected / h'a10101' / { / protected / h'a10101' / {
\ alg \ 1:1 \ AES-GCM 128 \ \ alg \ 1:1 \ AES-GCM 128 \
} / , } / ,
/ unprotected / { / unprotected / {
/ iv / 5:h'c9cf4df2fe6c632bf7886413' / iv / 5:h'c9cf4df2fe6c632bf7886413'
}, },
/ ciphertext / h'7adbe2709ca818fb415f1e5df66f4e1a51053ba6d65a1a0 / ciphertext / h'7adbe2709ca818fb415f1e5df66f4e1a51053ba6d65a1a0
c52a357da7a644b8070a151b0', c52a357da7a644b8070a151b0',
/ recipients / [ / recipients / [
skipping to change at page 109, line 5 skipping to change at page 109, line 5
implicit fields as part of the context. implicit fields as part of the context.
* salt: "aabbccddeeffgghh" * salt: "aabbccddeeffgghh"
* APU identity: "lighting-client" * APU identity: "lighting-client"
* APV identity: "lighting-server" * APV identity: "lighting-server"
* Supplementary Public Other: "Encryption Example 02" * Supplementary Public Other: "Encryption Example 02"
Size of binary file is 92 bytes Size of binary file is 91 bytes
992( 96(
[ [
/ protected / h'a1010a' / { / protected / h'a1010a' / {
\ alg \ 1:10 \ AES-CCM-16-64-128 \ \ alg \ 1:10 \ AES-CCM-16-64-128 \
} / , } / ,
/ unprotected / { / unprotected / {
/ iv / 5:h'89f52f65a1c580933b5261a76c' / iv / 5:h'89f52f65a1c580933b5261a76c'
}, },
/ ciphertext / h'753548a19b1307084ca7b2056924ed95f2e3b17006dfe93 / ciphertext / h'753548a19b1307084ca7b2056924ed95f2e3b17006dfe93
1b687b847', 1b687b847',
/ recipients / [ / recipients / [
skipping to change at page 109, line 40 skipping to change at page 109, line 40
) )
C.3.3. Counter Signature on Encrypted Content C.3.3. Counter Signature on Encrypted Content
This example uses the following: This example uses the following:
o CEK: AES-GCM w/ 128-bit key o CEK: AES-GCM w/ 128-bit key
o Recipient class: ECDH Ephemeral-Static, Curve P-256 o Recipient class: ECDH Ephemeral-Static, Curve P-256
Size of binary file is 327 bytes Size of binary file is 326 bytes
992( 96(
[ [
/ protected / h'a10101' / { / protected / h'a10101' / {
\ alg \ 1:1 \ AES-GCM 128 \ \ alg \ 1:1 \ AES-GCM 128 \
} / , } / ,
/ unprotected / { / unprotected / {
/ iv / 5:h'c9cf4df2fe6c632bf7886413', / iv / 5:h'c9cf4df2fe6c632bf7886413',
/ countersign / 7:[ / countersign / 7:[
/ protected / h'a1013823' / { / protected / h'a1013823' / {
\ alg \ 1:-36 \ alg \ 1:-36
} / , } / ,
/ unprotected / { / unprotected / {
/ kid / 4:'bilbo.baggins@hobbiton.example' / kid / 4:'bilbo.baggins@hobbiton.example'
}, },
/ signature / h'00aa98cbfd382610a375d046a275f30266e8d0faacb9 / signature / h'00929663c8789bb28177ae28467e66377da12302d7f9
069fde06e37825ae7825419c474f416ded0c8e3e7b55bff68f2a704135bdf99186f6 594d2999afa5dfa531294f8896f2b6cdf1740014f4c7f1a358e3a6cf57f4ed6fb02f
6659461c8cf929cc7fb300f5e2b33c3b433655042ff719804ff73b0be3e988ecebc0 cf8f7aa989f5dfd07f0700a3a7d8f3c604ba70fa9411bd10c2591b483e1d2c31de00
c70ef6616996809c6eb59a918dbe0a5edb0d15137ece0aba2a0b0f68ad2631cb62f2 3183e434d8fba18f17a4c7e3dfa003ac1cf3d30d44d2533c4989d3ac38c38b71481c
ea4d7099804218b0' c3430c9d65e7ddff'
] ]
}, },
/ ciphertext / h'7adbe2709ca818fb415f1e5df66f4e1a51053ba6d65a1a0 / ciphertext / h'7adbe2709ca818fb415f1e5df66f4e1a51053ba6d65a1a0
c52a357da7a644b8070a151b0', c52a357da7a644b8070a151b0',
/ recipients / [ / recipients / [
[ [
/ protected / h'a1013818' / { / protected / h'a1013818' / {
\ alg \ 1:-25 \ ECDH-ES + HKDF-256 \ \ alg \ 1:-25 \ ECDH-ES + HKDF-256 \
} / , } / ,
/ unprotected / { / unprotected / {
skipping to change at page 111, line 15 skipping to change at page 111, line 15
C.3.4. Encrypted Content with External Data C.3.4. Encrypted Content with External Data
This example uses the following: This example uses the following:
o CEK: AES-GCM w/ 128-bit key o CEK: AES-GCM w/ 128-bit key
o Recipient class: ECDH static-Static, Curve P-256 with AES Key Wrap o Recipient class: ECDH static-Static, Curve P-256 with AES Key Wrap
o Externally Supplied AAD: h'0011bbcc22dd44ee55ff660077' o Externally Supplied AAD: h'0011bbcc22dd44ee55ff660077'
Size of binary file is 174 bytes Size of binary file is 173 bytes
992( 96(
[ [
/ protected / h'a10101' / { / protected / h'a10101' / {
\ alg \ 1:1 \ AES-GCM 128 \ \ alg \ 1:1 \ AES-GCM 128 \
} / , } / ,
/ unprotected / { / unprotected / {
/ iv / 5:h'02d1f7e6f26c43d4868d87ce' / iv / 5:h'02d1f7e6f26c43d4868d87ce'
}, },
/ ciphertext / h'64f84d913ba60a76070a9a48f26e97e863e28529d8f5335 / ciphertext / h'64f84d913ba60a76070a9a48f26e97e863e28529d8f5335
e5f0165eee976b4a5f6c6f09d', e5f0165eee976b4a5f6c6f09d',
/ recipients / [ / recipients / [
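Review bot: "Recipient class: ECDH static-Static" in C.3.4 should read "Static-Static", matching the "Ephemeral-Static" capitalisation used in C.3.1 and C.3.3.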
skipping to change at page 111, line 52 skipping to change at page 111, line 52
) )
C.4. Examples of Encrypted Messages C.4. Examples of Encrypted Messages
C.4.1. Simple Encrypted Message C.4.1. Simple Encrypted Message
This example uses the following: This example uses the following:
o CEK: AES-CCM w/ 128-bit key and a 64-bit tag o CEK: AES-CCM w/ 128-bit key and a 64-bit tag
Size of binary file is 54 bytes Size of binary file is 52 bytes
993( 16(
[ [
/ protected / h'a1010a' / { / protected / h'a1010a' / {
\ alg \ 1:10 \ AES-CCM-16-64-128 \ \ alg \ 1:10 \ AES-CCM-16-64-128 \
} / , } / ,
/ unprotected / { / unprotected / {
/ iv / 5:h'89f52f65a1c580933b5261a78c' / iv / 5:h'89f52f65a1c580933b5261a78c'
}, },
/ ciphertext / h'5974e1b99a3a4cc09a659aa2e9e7fff161d38ce7edd5617 / ciphertext / h'5974e1b99a3a4cc09a659aa2e9e7fff161d38ce7edd5617
388e77baf' 388e77baf'
] ]
) )
C.4.2. Encrypted Message w/ a Partial IV C.4.2. Encrypted Message w/ a Partial IV
This example uses the following: This example uses the following:
o CEK: AES-CCM w/ 128-bit key and a 64-bit tag o CEK: AES-CCM w/ 128-bit key and a 64-bit tag
o Prefix for IV is 89F52F65A1C580933B52 o Prefix for IV is 89F52F65A1C580933B52
Size of binary file is 43 bytes Size of binary file is 41 bytes
993( 16(
[ [
/ protected / h'a1010a' / { / protected / h'a1010a' / {
\ alg \ 1:10 \ AES-CCM-16-64-128 \ \ alg \ 1:10 \ AES-CCM-16-64-128 \
} / , } / ,
/ unprotected / { / unprotected / {
/ partial iv / 6:h'61a7' / partial iv / 6:h'61a7'
}, },
/ ciphertext / h'252a8911d465c125b6764739700f0141ed09192da5c69e5 / ciphertext / h'252a8911d465c125b6764739700f0141ed09192da5c69e5
33abf852b' 33abf852b'
] ]
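Review bot: C.4.2 gives a 10-byte IV prefix (89F52F65A1C580933B52) and a 2-byte Partial IV (61a7), 12 bytes in all, while AES-CCM-16-64-128 (alg 10) takes a 13-byte nonce, which is what C.4.1's full iv 89f52f65a1c580933b5261a78c is; the example should state how the nonce was assembled from the prefix and the Partial IV (or cite the section that defines the Partial IV rule), since as written an implementer cannot reproduce the ciphertext 252a8911...33abf852b and so cannot use this vector to check their Partial IV handling.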
skipping to change at page 112, line 50 skipping to change at page 112, line 50
C.5. Examples of MACed messages C.5. Examples of MACed messages
C.5.1. Shared Secret Direct MAC C.5.1. Shared Secret Direct MAC
This example uses the following: This example uses the following:
o MAC: AES-CMAC, 256-bit key, truncated to 64 bits o MAC: AES-CMAC, 256-bit key, truncated to 64 bits
o Recipient class: direct shared secret o Recipient class: direct shared secret
Size of binary file is 58 bytes Size of binary file is 57 bytes
994( 97(
[ [
/ protected / h'a1010f' / { / protected / h'a1010f' / {
\ alg \ 1:15 \ AES-CBC-MAC-256//64 \ \ alg \ 1:15 \ AES-CBC-MAC-256//64 \
} / , } / ,
/ unprotected / {}, / unprotected / {},
/ payload / 'This is the content.', / payload / 'This is the content.',
/ tag / h'9e1226ba1f81b848', / tag / h'9e1226ba1f81b848',
/ recipients / [ / recipients / [
[ [
/ protected / h'', / protected / h'',
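Review bot: C.5.1's bullet says "AES-CMAC, 256-bit key, truncated to 64 bits", but the protected header carries alg 15, annotated AES-CBC-MAC-256//64; CMAC (NIST SP 800-38B, with its derived-subkey masking of the final block) and raw CBC-MAC produce different tags for the same key and message, so the bullet should name the construction the tag 9e1226ba1f81b848 was actually computed with. C.6.1 repeats the same wording with alg 15 and tag 726043745027214f.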
skipping to change at page 113, line 34 skipping to change at page 113, line 34
C.5.2. ECDH Direct MAC C.5.2. ECDH Direct MAC
This example uses the following: This example uses the following:
o MAC: HMAC w/SHA-256, 256-bit key o MAC: HMAC w/SHA-256, 256-bit key
o Recipient class: ECDH key agreement, two static keys, HKDF w/ o Recipient class: ECDH key agreement, two static keys, HKDF w/
context structure context structure
Size of binary file is 215 bytes Size of binary file is 214 bytes
994( 97(
[ [
/ protected / h'a10105' / { / protected / h'a10105' / {
\ alg \ 1:5 \ HMAC 256//256 \ \ alg \ 1:5 \ HMAC 256//256 \
} / , } / ,
/ unprotected / {}, / unprotected / {},
/ payload / 'This is the content.', / payload / 'This is the content.',
/ tag / h'81a03448acd3d305376eaa11fb3fe416a955be2cbe7ec96f012c99 / tag / h'81a03448acd3d305376eaa11fb3fe416a955be2cbe7ec96f012c99
4bc3f16a41', 4bc3f16a41',
/ recipients / [ / recipients / [
[ [
skipping to change at page 114, line 39 skipping to change at page 114, line 39
) )
C.5.3. Wrapped MAC C.5.3. Wrapped MAC
This example uses the following: This example uses the following:
o MAC: AES-MAC, 128-bit key, truncated to 64 bits o MAC: AES-MAC, 128-bit key, truncated to 64 bits
o Recipient class: AES keywrap w/ a pre-shared 256-bit key o Recipient class: AES keywrap w/ a pre-shared 256-bit key
Size of binary file is 110 bytes Size of binary file is 109 bytes
994( 97(
[ [
/ protected / h'a1010e' / { / protected / h'a1010e' / {
\ alg \ 1:14 \ AES-CBC-MAC-128//64 \ \ alg \ 1:14 \ AES-CBC-MAC-128//64 \
} / , } / ,
/ unprotected / {}, / unprotected / {},
/ payload / 'This is the content.', / payload / 'This is the content.',
/ tag / h'36f5afaf0bab5d43', / tag / h'36f5afaf0bab5d43',
/ recipients / [ / recipients / [
[ [
/ protected / h'', / protected / h'',
skipping to change at page 115, line 39 skipping to change at page 115, line 39
o MAC: HMAC w/ SHA-256, 128-bit key o MAC: HMAC w/ SHA-256, 128-bit key
o Recipient class: Uses three different methods o Recipient class: Uses three different methods
1. ECDH Ephemeral-Static, Curve P-521, AES-Key Wrap w/ 128-bit 1. ECDH Ephemeral-Static, Curve P-521, AES-Key Wrap w/ 128-bit
key key
2. AES-Key Wrap w/ 256-bit key 2. AES-Key Wrap w/ 256-bit key
Size of binary file is 310 bytes Size of binary file is 309 bytes
994( 97(
[ [
/ protected / h'a10105' / { / protected / h'a10105' / {
\ alg \ 1:5 \ HMAC 256//256 \ \ alg \ 1:5 \ HMAC 256//256 \
} / , } / ,
/ unprotected / {}, / unprotected / {},
/ payload / 'This is the content.', / payload / 'This is the content.',
/ tag / h'bf48235e809b5c42e995f2b7d5fa13620e7ed834e337f6aa43df16 / tag / h'bf48235e809b5c42e995f2b7d5fa13620e7ed834e337f6aa43df16
1e49e9323e', 1e49e9323e',
/ recipients / [ / recipients / [
[ [
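Review bot: "Recipient class: Uses three different methods" is followed by only two numbered items (ECDH Ephemeral-Static P-521 with 128-bit AES Key Wrap, and 256-bit AES Key Wrap); fix the count or restore the missing item. The MAC line also states a 128-bit key for HMAC 256//256 (alg 5); check that against the key-length column of the HMAC algorithm table, since a validator that enforces the table's key length would reject this vector.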
skipping to change at page 117, line 6 skipping to change at page 117, line 6
C.6. Examples of MAC0 messages C.6. Examples of MAC0 messages
C.6.1. Shared Secret Direct MAC C.6.1. Shared Secret Direct MAC
This example uses the following: This example uses the following:
o MAC: AES-CMAC, 256-bit key, truncated to 64 bits o MAC: AES-CMAC, 256-bit key, truncated to 64 bits
o Recipient class: direct shared secret o Recipient class: direct shared secret
Size of binary file is 39 bytes Size of binary file is 37 bytes
996( 17(
[ [
/ protected / h'a1010f' / { / protected / h'a1010f' / {
\ alg \ 1:15 \ AES-CBC-MAC-256//64 \ \ alg \ 1:15 \ AES-CBC-MAC-256//64 \
} / , } / ,
/ unprotected / {}, / unprotected / {},
/ payload / 'This is the content.', / payload / 'This is the content.',
/ tag / h'726043745027214f' / tag / h'726043745027214f'
] ]
) )
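None of the signatures, tags or ciphertexts above is computed over the raw payload: COSE signs and authenticates a CBOR array that binds a context string and the protected header, Sig_structure for C.1.3, C.2.1 and the countersignature in C.3.3, Enc_structure as the AEAD's AAD for C.3.4 (where the external AAD h'0011bbcc22dd44ee55ff660077' goes) and C.4.1, and MAC_structure for C.5.1 and C.6.1. The Python below is an added example, not code from the draft; it builds those three structures for the vectors on this page and, going a little beyond them, accepts the recipient-layer Enc_structure contexts as well. Field order and context strings follow the COSE specification (RFC 8152, which this draft became); PAYLOAD and the hex constants are copied from the examples above, and the function names are this example's own.

```python
"""COSE input builders: Sig_structure, Enc_structure and MAC_structure.

Added example, not code from the draft. Standard library only. The hex
constants in the demo at the bottom are copied from the vectors on this page.
"""

PAYLOAD = b"This is the content."  # payload used by every example in the appendix

SIG_CONTEXTS = ("Signature", "Signature1", "CounterSignature")
ENC_CONTEXTS = ("Encrypt", "Encrypt0", "Enc_Recipient", "Mac_Recipient", "Rec_Recipient")
MAC_CONTEXTS = ("MAC", "MAC0")


def _head(major, n):
    """CBOR head byte(s) for major type `major` with definite-length argument n."""
    if n < 24:
        return bytes([(major << 5) | n])
    for info, width in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * width):
            return bytes([(major << 5) | info]) + n.to_bytes(width, "big")
    raise ValueError("argument too large for CBOR")


def bstr(b):
    return _head(2, len(b)) + bytes(b)


def tstr(s):
    enc = s.encode("utf-8")
    return _head(3, len(enc)) + enc


def array(items):
    return _head(4, len(items)) + b"".join(items)


def sig_structure(context, body_protected, payload, sign_protected=None, external_aad=b""):
    """Sig_structure = [context, body_protected, ?sign_protected, external_aad, payload].

    "Signature" is used per signer of a COSE_Sign, "Signature1" for COSE_Sign1
    (which has no separate signer header, so sign_protected is omitted) and
    "CounterSignature" for a countersignature, whose payload is whatever the
    enclosing message carries (the ciphertext in C.3.3).
    """
    if context not in SIG_CONTEXTS:
        raise ValueError("unknown Sig_structure context %r" % context)
    parts = [tstr(context), bstr(body_protected)]
    if context != "Signature1":
        if sign_protected is None:
            raise ValueError("%s requires the signer's protected header" % context)
        parts.append(bstr(sign_protected))
    parts += [bstr(external_aad), bstr(payload)]
    return array(parts)


def enc_structure(context, protected, external_aad=b""):
    """Enc_structure = [context, protected, external_aad]; fed to the AEAD as AAD."""
    if context not in ENC_CONTEXTS:
        raise ValueError("unknown Enc_structure context %r" % context)
    return array([tstr(context), bstr(protected), bstr(external_aad)])


def mac_structure(context, protected, payload, external_aad=b""):
    """MAC_structure = [context, protected, external_aad, payload]; the MAC input."""
    if context not in MAC_CONTEXTS:
        raise ValueError("unknown MAC_structure context %r" % context)
    return array([tstr(context), bstr(protected), bstr(external_aad), bstr(payload)])


if __name__ == "__main__":
    es256 = bytes.fromhex("a10126")    # {1:-7}
    es512 = bytes.fromhex("a1013823")  # {1:-36}
    gcm = bytes.fromhex("a10101")      # {1:1}
    ciphertext = bytes.fromhex(        # C.3.3 / C.3.4 ciphertext from the page
        "7adbe2709ca818fb415f1e5df66f4e1a51053ba6d65a1a0c52a357da7a644b8070a151b0")
    print("C.2.1 to-be-signed:", sig_structure("Signature1", es256, PAYLOAD).hex())
    print("C.1.3 body sig    :", sig_structure("Signature", b"", PAYLOAD, sign_protected=es256).hex())
    print("C.3.3 countersign :", sig_structure("CounterSignature", gcm, ciphertext,
                                               sign_protected=es512).hex())
    print("C.3.4 AEAD AAD    :", enc_structure("Encrypt", gcm,
                                               bytes.fromhex("0011bbcc22dd44ee55ff660077")).hex())
    print("C.6.1 MAC input   :", mac_structure("MAC0", bytes.fromhex("a1010f"), PAYLOAD).hex())
```

Only the protected bucket is inside these arrays: kid, iv and the countersign parameter sit in the unprotected bucket in every vector above, so they are not covered by the signature or tag; treat kid as a lookup hint rather than an authenticated claim, and note that a tampered IV simply makes AEAD decryption fail rather than being detected as a header change. The keys needed to verify the signature bytes live in the key appendix, which is not on this page, so this block stops at the input bytes.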
 End of changes. 49 change blocks. 
85 lines changed or deleted 88 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/