Ascon-AEAD128 for JOSE and COSE
draft-ochkas-cose-ascon-00
This document is an Internet-Draft (I-D).
Anyone may submit an I-D to the IETF.
This I-D is not endorsed by the IETF and has no formal standing in the
IETF standards process.
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft whose latest revision state is "Active".
|
|
|---|---|---|---|
| Authors | Dmytro Ochkas , Hélène Le Bouder , Alexander Pelov | ||
| Last updated | 2025-01-08 | ||
| RFC stream | (None) | ||
| Formats | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-ochkas-cose-ascon-00
Network Working Group D. Ochkas
Internet-Draft H. Le Bouder
Intended status: Informational A. Pelov
Expires: 12 July 2025 IMT Atlantique
8 January 2025
Ascon-AEAD128 for JOSE and COSE
draft-ochkas-cose-ascon-00
Abstract
This document describes JSON Object Signing and Encryption (JOSE) and
CBOR Object Signing and Encryption (COSE) serializations with Ascon
which received a lot of attention in the area of lightweight
cryptography.
In 2019, as a part of CAESAR competition, Ascon-128 and Ascon-128a
were selected as the first choice for the lightweight authenticated
encryption [asconv1.2-caesar]. After, in 2023, National Institute of
Standards and Technology (NIST) selected Ascon family of
cryptographic algorithms to be the standard for lightweight
cryptography [asconv1.2-nist]. This recognition make it particularly
interesting to use Ascon with COSE and JOSE structures.
This document does not define any new cryptography, only
serializations of existing cryptographic systems described in
[NIST.SP.800-232].
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 12 July 2025.
Ochkas, et al. Expires 12 July 2025 [Page 1]
Internet-Draft Ascon-AEAD128 for JOSE and COSE January 2025
Copyright Notice
Copyright (c) 2025 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Ascon algorithms . . . . . . . . . . . . . . . . . . . . . . 3
4. IV Header Parameter . . . . . . . . . . . . . . . . . . . . . 4
5. Security Considerations . . . . . . . . . . . . . . . . . . . 5
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5
6.1. Additions to Existing Registries . . . . . . . . . . . . 5
6.1.1. New COSE Algorithms . . . . . . . . . . . . . . . . . 5
6.1.2. New JOSE Algorithms . . . . . . . . . . . . . . . . . 6
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 6
7.1. Normative References . . . . . . . . . . . . . . . . . . 6
7.2. Informative References . . . . . . . . . . . . . . . . . 7
Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 7
A.1. COSE . . . . . . . . . . . . . . . . . . . . . . . . . . 7
A.1.1. Simple Ascon-AEAD128 Encryption . . . . . . . . . . . 7
A.1.2. Direct Ascon-AEAD128 Encryption with HKDF-SHA-256 . . 8
A.2. JOSE . . . . . . . . . . . . . . . . . . . . . . . . . . 8
A.2.1. Direct Compact JWE structure using Ascon-AEAD128 . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8
1. Introduction
Constrained networks such as Internet of Things (IoT) networks most
of the time are characterized by the limited computational power and
autonomy. In this context, the choice of suitable cryptographic
algorithms that provide a robust security without consuming large
amount of resources is essential. As a winner of lightweight
cryptography standardization process conducted by NIST, Ascon family
of cryptographic algorithms is a perfect candidate for the described
situation.
Ochkas, et al. Expires 12 July 2025 [Page 2]
Internet-Draft Ascon-AEAD128 for JOSE and COSE January 2025
Ascon-Based Lightweight Cryptography Standards for Constrained
Devices [NIST.SP.800-232] introduces a suite of algorithms to provide
Authenticated Encryption with Associated Data (AEAD), a hash
function, and two eXtendable Output Functions (XOFs).
This document focuses on the AEAD part of Ascon standard. It enables
the usage of Ascon-AEAD128 with JOSE and COSE for the content
encryption.
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
3. Ascon algorithms
In the scope of this document, only the authenticated encryption
Ascon is allowed for. Ascon's encryption and decryption algorithms
are parametrized by the key length k, the rate r, and the internal
round numbers a and b. [NIST.SP.800-232] specifies the Ascon-AEAD128
algorithm with the following parameters:
+===============+=========+===================+===================+
| Key Length, k | Rate, r | Outer permutation | Inner permutation |
| | | rounds, a | rounds, b |
+===============+=========+===================+===================+
| 128 | 128 | 12 | 8 |
+---------------+---------+-------------------+-------------------+
Table 1: Ascon-AEAD128 parameters
Thus, this document requests the registration of the Ascon-AEAD128
algorithm in [IANA.cose]:
+===============+=================+=============================+
| Name | alg | Description |
+===============+=================+=============================+
| Ascon-AEAD128 | TBD (requested | CBOR Object Encryption |
| | assignment XXX) | Algorithm for Ascon-AEAD128 |
+---------------+-----------------+-----------------------------+
Table 2: COSE Algorithms for Ascon
In COSE, keys may be obtained from either a key structure or a
recipient structure [RFC9052].
Ochkas, et al. Expires 12 July 2025 [Page 3]
Internet-Draft Ascon-AEAD128 for JOSE and COSE January 2025
When using a COSE key for this algorithm, the following checks are
made:
* The "kty" field MUST be present, and it MUST be "Symmetric".
* If the "alg" field is present, it MUST match the Ascon-AEAD128
algorithm being used.
* If the "key_ops" field is present, it MUST include "encrypt" when
encrypting.
* If the "key_ops" field is present, it MUST include "decrypt" when
decrypting.
Also, this document requests the registration of the Ascon-AEAD128
algorithm in [IANA.jose]:
+===============+===============+=============================+
| Name | enc | Description |
+===============+===============+=============================+
| Ascon-AEAD128 | Ascon-AEAD128 | JSON Object Encryption |
| | | Algorithm for Ascon-AEAD128 |
+---------------+---------------+-----------------------------+
Table 3: JOSE Algorithms for Ascon
Implementations that are encrypting or decrypting MUST validate that
the key type, key length, and algorithm are correct and appropriate
for the entities involved.
4. IV Header Parameter
Unlike some common AEAD algorithms, Ascon distinguishes between the
notion of initialization vector (IV) and nonce (N). While N is the
input argument for the Ascon encryption/decryption functions, IV is
the constant defined for each Ascon algorithm and is based on its
parameters.
However, [IANA.cose] does not define a separate header parameter to
specify Nonce. Thus, in COSE, whenever Full Initialization Vector
Header Parameter (Name: IV, Label: 5) or Partial Initialization
Vector Header Parameter (Name: Partial IV, Label: 6) is specified it
MUST refer to the N argument of the corresponding Ascon function.
On the other hand, JSON Web Signature and Encryption Header
Parameters registry at [IANA.jose] defines both Nonce Header
Parameter ("nonce") and Initialization Vector Header Parameter
("iv"). That is, in JOSE, both "nonce" and "iv" parameters MUST
Ochkas, et al. Expires 12 July 2025 [Page 4]
Internet-Draft Ascon-AEAD128 for JOSE and COSE January 2025
refer to the N argument of the corresponding Ascon function. There
SHOULD NOT be "nonce" and "iv" parameters specified at the same time.
In case, "nonce" and "iv" parameters are specified simultaneously,
Nonce Header Parameter MUST take precedence.
5. Security Considerations
The security considerations for [RFC7516], [RFC7517] and [RFC9053]
apply to this specification as well.
According to the most recent security analysis publications, Ascon
did not show any security vulnerabilities so far and the best attacks
target the initialization of Ascon reduced to 7 (out of 12) rounds,
concluding that Ascon has a security margin of 5 rounds (42 % of the
12 rounds).
Refer to the Ascon's List of Published Analysis section at
[asconv1.2-nist] for more details.
6. IANA Considerations
6.1. Additions to Existing Registries
6.1.1. New COSE Algorithms
IANA is requested to add the following entries to the COSE Algorithms
Registry. The following completed registration templates are
provided as described in [RFC9052] and [RFC9053].
6.1.1.1. Ascon-AEAD128 for COSE
* Name: Ascon-AEAD128
* Value: TBD (requested assignment 35)
* Description: CBOR Object Encryption Algorithm with Ascon-AEAD128
* Capabilities: [kty]
* Reference: FIPS XXX
* Recommended: Yes
Ochkas, et al. Expires 12 July 2025 [Page 5]
Internet-Draft Ascon-AEAD128 for JOSE and COSE January 2025
6.1.2. New JOSE Algorithms
IANA is requested to add the following entries to the JSON Web
Signature and Encryption Algorithms Registry. The following
completed registration templates are provided as described in
[RFC7518].
6.1.2.1. Ascon-AEAD128 for JOSE
* Algorithm Name: Ascon-AEAD128
* Algorithm Description: Ascon-AEAD128 as described in FIPS XXX.
* Algorithm Usage Location(s): enc
* JOSE Implementation Requirements: Optional
* Change Controller: IESG
* Specification Document(s): FIPS XXX
* Algorithm Analysis Documents(s): n/a
7. References
7.1. Normative References
[IANA.cose]
IANA, "CBOR Object Signing and Encryption (COSE)",
<https://www.iana.org/assignments/cose>.
[IANA.jose]
IANA, "JSON Object Signing and Encryption (JOSE)",
<https://www.iana.org/assignments/jose>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/rfc/rfc2119>.
[RFC7516] Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)",
RFC 7516, DOI 10.17487/RFC7516, May 2015,
<https://www.rfc-editor.org/rfc/rfc7516>.
[RFC7517] Jones, M., "JSON Web Key (JWK)", RFC 7517,
DOI 10.17487/RFC7517, May 2015,
<https://www.rfc-editor.org/rfc/rfc7517>.
Ochkas, et al. Expires 12 July 2025 [Page 6]
Internet-Draft Ascon-AEAD128 for JOSE and COSE January 2025
[RFC7518] Jones, M., "JSON Web Algorithms (JWA)", RFC 7518,
DOI 10.17487/RFC7518, May 2015,
<https://www.rfc-editor.org/rfc/rfc7518>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.
[RFC9052] Schaad, J., "CBOR Object Signing and Encryption (COSE):
Structures and Process", STD 96, RFC 9052,
DOI 10.17487/RFC9052, August 2022,
<https://www.rfc-editor.org/rfc/rfc9052>.
[RFC9053] Schaad, J., "CBOR Object Signing and Encryption (COSE):
Initial Algorithms", RFC 9053, DOI 10.17487/RFC9053,
August 2022, <https://www.rfc-editor.org/rfc/rfc9053>.
7.2. Informative References
[asconv1.2-caesar]
Dobraunig, C., Eichlseder, M., Mendel, F., and M.
Schläffer, "Ascon v1.2, Submission to Round 3 of the
CAESAR competition", 2016,
<https://competitions.cr.yp.to/round3/asconv12.pdf>.
[asconv1.2-nist]
Dobraunig, C., Eichlseder, M., Mendel, F., and M.
Schläffer, "Ascon v1.2, Submission to Final Round of the
NIST Lightweight Cryptography project", 2021,
<https://csrc.nist.gov/CSRC/media/Projects/lightweight-
cryptography/documents/finalist-round/updated-spec-doc/
ascon-spec-final.pdf>.
[NIST.SP.800-232]
Turan, M. S., McKay, K. A., Kang, J., and J. Kelsey,
"Ascon-Based Lightweight Cryptography Standards for
Constrained Devices", DOI 10.6028/NIST.SP.800-232, 2024,
<https://doi.org/10.6028/NIST.SP.800-232.ipd>.
Appendix A. Examples
This appendix provides some examples of various Ascon-AEAD128
Encryptions with COSE and JOSE
A.1. COSE
A.1.1. Simple Ascon-AEAD128 Encryption
Ochkas, et al. Expires 12 July 2025 [Page 7]
Internet-Draft Ascon-AEAD128 for JOSE and COSE January 2025
{
"plaintext": "546869732069732074686520636f6e74656e742e",
"nonce": "00000000000000000000000000000000",
"AAD": "8367456E637279707443A1010140",
"CEK": "849B57219DAE48DE646D07DBB533566E",
"Encrypt0": "d08344a1011823a1055000000000000000000000000000000000582436ba4da1fa787205e5fff06fd4b645c637c02b505046fb242984864e1f6875c4ae5c9557",
"Encrypt0_diag": "16([h'A1011823', {5: h'00000000000000000000000000000000'}, h'36BA4DA1FA787205E5FFF06FD4B645C637C02B505046FB242984864E1F6875C4AE5C9557'])"
}
A.1.2. Direct Ascon-AEAD128 Encryption with HKDF-SHA-256
{
"plaintext": "546869732069732074686520636f6e74656e742e",
"nonce": "00000000000000000000000000000000",
"AAD": "8367456E637279707443A1010140",
"CEK": "849B57219DAE48DE646D07DBB533566E",
"key": {
"kid": "6F75722D736563726574",
"kty": "Symmetric"
},
"salt": "61616262636364646565666667676868",
"Encrypt": "d8608444a1011823a105500000000000000000000000000000000058247b09f4de6d93b6779163d978efa2d7eaac699acad60a6a9779168b5569d57ef92d3102bf818343a10129a2044a6f75722d73656372657433506161626263636464656566666767686840",
"Encrypt_diag": "96([h'A1011823', {5: h'00000000000000000000000000000000'}, h'7B09F4DE6D93B6779163D978EFA2D7EAAC699ACAD60A6A9779168B5569D57EF92D3102BF', [[h'A10129', {4: h'6F75722D736563726574', -20: h'61616262636364646565666667676868'}, h'']]])"
}
A.2. JOSE
A.2.1. Direct Compact JWE structure using Ascon-AEAD128
{
"plaintext": "546869732069732074686520636f6e74656e742e",
"nonce": "00000000000000000000000000000000",
"protected": {
"alg":"dir",
"enc":"Ascon-AEAD128"
},
"CEK": "849B57219DAE48DE646D07DBB533566E",
"jwe": "eyJhbGciOiJkaXIiLCJlbmMiOiJBc2Nvbi1BRUFEMTI4In0..AAAAAAAAAAAAAAAAAAAAAA.XjkRZmV9Dy0lpQp_4yUYIY1CGN8.zUqKLKMQnqjXFY258aNMgw"
}
TODO:
Authors' Addresses
Dmytro Ochkas
IMT Atlantique
Email: dmytro.ochkas@imt-atlantique.fr
Ochkas, et al. Expires 12 July 2025 [Page 8]
Internet-Draft Ascon-AEAD128 for JOSE and COSE January 2025
Hélène Le Bouder
IMT Atlantique
Email: helene.le-bouder@imt-atlantique.fr
Alexander Pelov
IMT Atlantique
Email: alexander.pelov@imt-atlantique.fr
Ochkas, et al. Expires 12 July 2025 [Page 9]