CBOR Object Signing and Encryption D. Ajitomi Internet-Draft Independent Intended status: Standards Track 4 February 2023 Expires: 8 August 2023 COSE Key and JSON Web Key Representation for Key Encapsulation Mechanism (KEM) of Hybrid Public Key Encryption (HPKE) draft-ajitomi-cose-cose-key-jwk-hpke-kem-01 Abstract This document defines an additional key parameter and a new key type for CBOR Object Signing and Encryption (COSE) Key and JSON Web Key (JWK) to represent a Key Encapsulated Mechanism (KEM) key and its associated information for Hybrid Public Key Encryption (HPKE). About This Document This note is to be removed before publishing as an RFC. The latest revision of this draft can be found at https://dajiaji.github.io/i-d-cose-cose-key-jwk-hpke-kem/draft- ajitomi-cose-cose-key-jwk-hpke-kem.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft- ajitomi-cose-cose-key-jwk-hpke-kem/. Discussion of this document takes place on the CBOR Object Signing and Encryption Working Group mailing list (mailto:cose@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/cose/. Subscribe at https://www.ietf.org/mailman/listinfo/cose/. Source for this draft and an issue tracker can be found at https://github.com/dajiaji/i-d-cose-cose-key-jwk-hpke-kem. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Ajitomi Expires 8 August 2023 [Page 1] Internet-Draft COSE Key and JWK Representation for HPKE February 2023 Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 8 August 2023. Copyright Notice Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 4 3. Common Key Parameter for HPKE Key Configuration . . . . . . . 4 3.1. JWK Parameter . . . . . . . . . . . . . . . . . . . . . . 4 3.1.1. "hkc" (HPKE Key Configuration) Parameter . . . . . . 4 3.1.2. Restrictions on the Use of Existing Key Parameters . 4 3.2. COSE Key Common Parameter . . . . . . . . . . . . . . . . 5 3.2.1. hkc (HPKE Key Configuration) Parameter . . . . . . . 5 3.2.2. Restrictions on the Use of Existing Key Parameters . 6 4. Generic Key Type for HPKE KEM . . . . . . . . . . . . . . . . 6 4.1. Key Type for JWK . . . . . . . . . . . . . . . . . . . . 7 4.2. Key Type for COSE_Key . . . . . . . . . . . . . . . . . . 7 5. Security Considerations . . . . . . . . . . . . . . . . . . . 7 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 7. Normative References . . . . . . . . . . . . . . . . . . . . 7 Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 8 A.1. JWK for DHKEM(P-256, KDF-SHA256) Public Key with Key Type "EC" . . . . . . . . . . . . . . . . . . . . . . . . . . 8 A.2. JWK for DHKEM(X25519, KDF-SHA256) Public Key with Key Type "OKP" . . . . . . . . . . . . . . . . . . . . . . . . . . 9 A.3. JWK for DHKEM(X25519, KDF-SHA256) Private Key with Key Type "HPKE-KEM" . . . . . . . . . . . . . . . . . . . . . . . 9 A.4. COSE_Key for DHKEM(P-256, KDF-SHA256) Public Key with Key Type EC2(2) . . . . . . . . . . . . . . . . . . . . . . . 9 Ajitomi Expires 8 August 2023 [Page 2] Internet-Draft COSE Key and JWK Representation for HPKE February 2023 A.5. COSE_Key for DHKEM(X25519, KDF-SHA256) Public Key with Key Type OKP(1) . . . . . . . . . . . . . . . . . . . . . . . 10 A.6. COSE_Key for DHKEM(X25519, KDF-SHA256) Private Key with Key Type HPKE-KEM(T.B.D) . . . . . . . . . . . . . . . . . . 10 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 11 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 11 1. Introduction Hybrid Public Key Encryption (HPKE) [RFC9180], published by the Internet Research Task Force (IRTF), has already been adopted in several communication protocol specifications such as TLS Encrypted Client Hello (ECH), Oblivious DNS over HTTPS (ODoH) and Oblivious HTTP (OHTTP). HPKE itself is communication protocol independent and can be widely used as a standard scheme for public key based end-to- end encryption in various applications, not only in communication protocols. In HPKE, the sender of a ciphertext needs to know in advance not only the recipient public key, but also the HPKE mode, the KEM associated with the key, and the set of supported KDF and AEAD algorithms. The data structure of this information (hereafter referred to as HPKE key configuration information) is defined in each communication protocol specification that uses HPKE. For example, the ECH defines it as a structure called HpkeKeyConfig. When using HPKE in an application, it is necessary to define the data structure corresponding to the HpkeKeyConfig and how the information is transferred from the recipient to the sender. If the data structure and the publication method for the HPKE key configuration information were standardized, it would be easier to use HPKE in applications. This document defines how to represent a KEM key for HPKE and the HPKE key configuration information in JSON Web Key (JWK) [RFC7517] and COSE_Key defined in CBOR Object Signing and Encryption (COSE) Structures and Process [RFC9052]. Specifically, this document defines (1) a common key parameter for defining the HPKE key configuration information in existing key types that can be used for key derivation and (2) a generic key type for HPKE that can also be used to represent post-quantum KEM keys to be specified in the future. By using the generic key type for HPKE, all KEM keys registered in the IANA HPKE registry can be represented in JWK and COSE_Key without the need to define cryptographic algorithm-specific key types and parameters such as for EC or RSA as defined in [RFC7518] and [RFC9053]. The ability to include HPKE-related information in JWK, which is widely used not only as the public key representation but also as the key publication method (via the JWK Set endpoint) at the application Ajitomi Expires 8 August 2023 [Page 3] Internet-Draft COSE Key and JWK Representation for HPKE February 2023 layer, and its binary representation, COSE_Key, will facilitate the use of HPKE in a wide variety of web applications and communication systems for constrained devices. 2. Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 3. Common Key Parameter for HPKE Key Configuration The HPKE key configuration information is defined as a common key parameter of JWK and COSE_Key. The parameter can be specified in the key that can be used for key derivation. In addition, the handling of existing key parameters is also defined. 3.1. JWK Parameter 3.1.1. "hkc" (HPKE Key Configuration) Parameter The "hkc" (KPKE key configuration) parameter identifies the KEM for the recipient key and the set of KDF and AEAD algorithms supported by the recipient. A JWK used for HPKE KEM MUST have this parameter. It MUST contain the object consisting of the following three attributes. * "kem": The HPKE KEM identifier, which is a two-byte value registered in the IANA HPKE registry. * "kdfs": The array of the HPKE KDF identifiers supported by the recipient. The KDF identifier is also a two-byte value registered in the IANA HPKE registry. * "aeads": The array of the HPKE AEAD identifiers supported by the recipient. The AEAD identifier is also a two-byte value registered in the IANA HPKE registry. The "hkc" parameter can be used with existing "EC" [RFC7518] and "OKP" [RFC8037] keys and the keys for future post-quantum KEMs. 3.1.2. Restrictions on the Use of Existing Key Parameters The restrictions on the use of existing common key parameters in a JWK for HPKE KEM are as follows: Ajitomi Expires 8 August 2023 [Page 4] Internet-Draft COSE Key and JWK Representation for HPKE February 2023 * "alg": The parameter MUST be present and contains one of the following values: - "HPKE-v1-Base" - "HPKE-v1-PSK" - "HPKE-v1-Auth" - "HPKE-v1-AuthPSK" * "use": The parameter SHOULD NOT be specified. If specified, it MUST be "enc". * "key_ops": The parameter SHOULD NOT be specified. If specified, it MUST include "deriveKey" and/or "deriveBits". * etc. 3.2. COSE Key Common Parameter 3.2.1. hkc (HPKE Key Configuration) Parameter The HPKE key configuration parameter for COSE_Key is defined as follows: * hkc (HPKE Key Configuration): The parameter MUST contain an array structure named HPKE_Key_Configuration, which contains the same information as "hkc" in JWK above. The CDDL grammar describing the HPKE_Key_Configuration structure is: HPKE_Key_Configuration = [ kem: uint, ; KEM identifier kdfs: uint / [+uint], ; KDF identifiers aeads: uint / [+uint], ; AEAD identifiers ] Ajitomi Expires 8 August 2023 [Page 5] Internet-Draft COSE Key and JWK Representation for HPKE February 2023 +=======+===========+================+============================+ | Name | CBOR Type | Value Registry | Description | +=======+===========+================+============================+ | kem | uint | HPKE KEM | The KEM identifier bound | | | | Identifiers | to the key | +-------+-----------+----------------+----------------------------+ | kdfs | uint / | HPKE KDF | The KDF identifiers | | | [+uint] | Identifiers | supported by the recipient | +-------+-----------+----------------+----------------------------+ | aeads | uint / | HPKE AEAD | The AEAD identifiers | | | [+uint] | Identifiers | supported by the recipient | +-------+-----------+----------------+----------------------------+ Table 1: HPKE Key Configuration Parameters The hkc parameter can be used with existing OKP and EC2 keys [RFC9053] and the keys for future post-quantum KEMs. 3.2.2. Restrictions on the Use of Existing Key Parameters The restrictions on the use of existing common key parameters in a COSE_Key for the HPKE KEM are as follows: * alg(3): The parameter MUST be present and contains one of the following values: - HPKE-v1-Base (T.B.D.) - HPKE-v1-PSK (T.B.D.) - HPKE-v1-Auth (T.B.D.) - HPKE-v1-AuthPSK (T.B.D.) * key_ops(4): The parameter SHOULD NOT be specified. If specified, it MUST include "derive key"(7) and/or "derive bits"(8). * etc. 4. Generic Key Type for HPKE KEM A generic key type for the HPKE KEM keys including a post-quantum KEM defined in the future is defined. Even KEM keys that can be represented by existing key types can use the generic key type defined here. Ajitomi Expires 8 August 2023 [Page 6] Internet-Draft COSE Key and JWK Representation for HPKE February 2023 4.1. Key Type for JWK A new generic key type (kty) value "HPKE-KEM" is defined to represent the private and public key used for the HPKE KEM. A key with this kty has the following parameters: * The parameter "kty" MUST be "HPKE-KEM". * The parameter "hkc" MUST be present and contains the HPKE Key Configuration defined in Section 3.1.1. * The parameter "pub" MUST be present and contains the public key encoded using the base64url [RFC4648] encoding. * The parameter "priv" MUST be present if the key is private key and contains the private key encoded using the base64url [RFC4648] encoding. 4.2. Key Type for COSE_Key A new generic kty(1) value HPKE-KEM(T.B.D.) is defined to represent the private and public key used for the HPKE KEM. A key with this kty has the following parameters: * The parameter kty(1) MUST be HPKE-KEM(T.B.D). * The parameter hkc(T.B.D.) MUST be present and contains the HPKE Key Configuration defined in Section 3.2.1. * The parameter pub(-1) MUST be present and contains the public key encoded in a byte string (bstr type). * The parameter priv(-2) MUST be present if the key is private key and contains the private key encoded in a byte string (bstr type). 5. Security Considerations TODO 6. IANA Considerations TODO 7. Normative References Ajitomi Expires 8 August 2023 [Page 7] Internet-Draft COSE Key and JWK Representation for HPKE February 2023 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC7517] Jones, M., "JSON Web Key (JWK)", RFC 7517, DOI 10.17487/RFC7517, May 2015, . [RFC7518] Jones, M., "JSON Web Algorithms (JWA)", RFC 7518, DOI 10.17487/RFC7518, May 2015, . [RFC8037] Liusvaara, I., "CFRG Elliptic Curve Diffie-Hellman (ECDH) and Signatures in JSON Object Signing and Encryption (JOSE)", RFC 8037, DOI 10.17487/RFC8037, January 2017, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC9052] Schaad, J., "CBOR Object Signing and Encryption (COSE): Structures and Process", STD 96, RFC 9052, DOI 10.17487/RFC9052, August 2022, . [RFC9053] Schaad, J., "CBOR Object Signing and Encryption (COSE): Initial Algorithms", RFC 9053, DOI 10.17487/RFC9053, August 2022, . [RFC9180] Barnes, R., Bhargavan, K., Lipp, B., and C. Wood, "Hybrid Public Key Encryption", RFC 9180, DOI 10.17487/RFC9180, February 2022, . Appendix A. Examples A.1. JWK for DHKEM(P-256, KDF-SHA256) Public Key with Key Type "EC" Ajitomi Expires 8 August 2023 [Page 8] Internet-Draft COSE Key and JWK Representation for HPKE February 2023 { "kty": "EC", "kid": "01", "crv": "P-256", "alg": "HPKE-v1-Base", "hkc": { "kem": 0x010, "kdfs": [0x001, 0x002, 0x003], "aeads": [0x001, 0x002] }, "x": "-eZXC6nV-xgthy8zZMCN8pcYSeE2XfWWqckA2fsxHPc", "y": "BGU5soLgsu_y7GN2I3EPUXS9EZ7Sw0qif-V70JtInFI" } A.2. JWK for DHKEM(X25519, KDF-SHA256) Public Key with Key Type "OKP" { "kty": "OKP", "kid": "01", "crv": "X25519", "alg": "HPKE-v1-Base", "hkc": { "kem": 0x020, "kdfs": [0x001, 0x002, 0x003], "aeads": [0x001, 0x002] }, "x": "y3wJq3uXPHeoCO4FubvTc7VcBuqpvUrSvU6ZMbHDTCI" } A.3. JWK for DHKEM(X25519, KDF-SHA256) Private Key with Key Type "HPKE- KEM" { "kty": "HPKE-KEM", "kid": "01", "alg": "HPKE-v1-Base", "hkc": { "kem": 0x020, "kdfs": [0x001, 0x002, 0x003], "aeads": [0x001, 0x002] }, "pub": "y3wJq3uXPHeoCO4FubvTc7VcBuqpvUrSvU6ZMbHDTCI", "priv": "vsJ1oX5NNi0IGdwGldiac75r-Utmq3Jq4LGv48Q_Qc4" } A.4. COSE_Key for DHKEM(P-256, KDF-SHA256) Public Key with Key Type EC2(2) Ajitomi Expires 8 August 2023 [Page 9] Internet-Draft COSE Key and JWK Representation for HPKE February 2023 { 1:2, // EC2 2:'01', 3:-1(T.B.D), // HPKE-v1-Base -1:1, // P-256 6(T.B.D): [ // hkc (HPKE Key Configuration) 0x0010, // KEM identifier [0x0001, 0x0002, 0x0003], // supported KDF identifiers [0x0001, 0x0002] // supported AEAD identifiers ], -2:h'65eda5a12577c2bae829437fe338701a10aaa375e1bb5b5de108de439c08551d', -3:h'1e52ed75701163f7f9e40ddf9f341b3dc9ba860af7e0ca7ca7e9eecd0084d19c' } A.5. COSE_Key for DHKEM(X25519, KDF-SHA256) Public Key with Key Type OKP(1) { 1:1, // OKP 2:'01', 3:-1(T.B.D), // HPKE-v1-Base -1:4, // X25519 6(T.B.D): [ // hkc (HPKE Key Configuration) 0x0020, // KEM identifier [0x0001, 0x0002, 0x0003], // supported KDF identifiers [0x0001, 0x0002] // supported AEAD identifiers ], -2:h'd75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a' } A.6. COSE_Key for DHKEM(X25519, KDF-SHA256) Private Key with Key Type HPKE-KEM(T.B.D) { 1:-1(T.B.D.), // HPKE-KEM 2:'01', 3:-1(T.B.D), // HPKE-v1-Base 6(T.B.D): [ // hkc (HPKE Key Configuration) 0x0020, // KEM identifier [0x0001, 0x0002, 0x0003], // supported KDF identifiers [0x0001, 0x0002] // supported AEAD identifiers ], -1:h'd75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a', -2:h'9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60' } Ajitomi Expires 8 August 2023 [Page 10] Internet-Draft COSE Key and JWK Representation for HPKE February 2023 Acknowledgments We would like to thank Ilari Liusvaara, Laurence Lundblade and Orie Steele for their review feedback. Author's Address Daisuke Ajitomi Independent Email: dajiaji@gmail.com Ajitomi Expires 8 August 2023 [Page 11]