Skip to main content

1. Introduction

  1. Introduction

There has been an increased focus on small, constrained devices that make up the Internet of Things (IoT). One of the standards that has come out of this process is "Concise Binary Object Representation (CBOR)" [STD94]. CBOR extended the data model of JavaScript Object Notation (JSON) [STD90] by allowing for binary data, among other changes. CBOR has been adopted by several of the IETF working groups dealing with the IoT world as their method of encoding data structures. CBOR was designed specifically to be small in terms of both messages transported and implementation size and to have a schema-free decoder. A need exists to provide message security services for IoT, and using CBOR as the message-encoding format makes sense.

The core COSE specification consists of two documents. [RFC9052] contains the serialization structures and the procedures for using the different cryptographic algorithms. This document provides an initial set of algorithms for use with those structures.

1.1. Requirements Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

1.2. Changes from RFC 8152

  • Extracted the sections dealing with specific algorithms and placed them into this document. The sections dealing with structure and general processing rules are placed in [RFC9052].

  • Made text clarifications and changes in terminology.

  • Removed all of the details relating to countersignatures and placed them in [COUNTERSIGN].

1.3. Document Terminology

In this document, we use the following terminology:

Byte: A synonym for octet.

Constrained Application Protocol (CoAP): A specialized web transfer protocol for use in constrained systems. It is defined in [RFC7252].

Authenticated Encryption (AE) algorithms [RFC5116]: Encryption algorithms that provide an authentication check of the contents along with the encryption service. An example of an AE algorithm used in COSE is AES Key Wrap [RFC3394]. These algorithms are used for key encryption, but Authenticated Encryption with Associated Data (AEAD) algorithms would be preferred.

AEAD algorithms [RFC5116]: Encryption algorithms that provide the same authentication service of the content as AE algorithms do, and also allow associated data that is not part of the encrypted body to be included in the authentication service. An example of an AEAD algorithm used in COSE is AES-GCM [RFC5116]. These algorithms are used for content encryption and can be used for key encryption as well.

The term "byte string" is used for sequences of bytes, while the term "text string" is used for sequences of characters.

The tables for algorithms contain the following columns:

  • A name for the algorithm for use in documents.

  • The value used on the wire for the algorithm. One place this is used is the algorithm header parameter of a message.

  • A short description so that the algorithm can be easily identified when scanning the IANA registry.

Additional columns may be present in a table depending on the algorithms.

1.4. CDDL Grammar for CBOR Data Structures

When COSE was originally written, the Concise Data Definition Language (CDDL) [RFC8610] had not yet been published in an RFC, so it could not be used as the data description language to normatively describe the CBOR data structures employed by COSE. For that reason, the CBOR data objects defined here are described in prose. Additional (non-normative) descriptions of the COSE data objects are provided in a subset of CDDL, described in [RFC9052].

1.5. Examples

A GitHub project has been created at [GitHub-Examples] that contains a set of testing examples. Each example is found in a JSON file that contains the inputs used to create the example, some of the intermediate values that can be used for debugging, and the output of the example. The results are encoded using both hexadecimal and CBOR diagnostic notation format.

Some of the examples are designed to be failure-testing cases; these are clearly marked as such in the JSON file.

Last updated on