CBOR Object Signing and Encryption (COSE)

Created: 2017-01-11
Last Updated: 2024-03-22

COSE Header Parameters

Registration Procedure(s):

| Range | Registration Procedure |
|---|---|
| Integers less than -65536 | Private Use |
| Integer values in the range -1 to -65536 | delegated to the COSE Header Algorithm Parameters registry |
| Integer values between 1 and 255 | Standards Action With Expert Review |
| Integer values from 256 to 65535 | Specification Required |
| Integer values greater than 65535 | Expert Review |
| Strings of length 1 | Standards Action With Expert Review |
| Strings of length 2 | Specification Required |
| Strings of length greater than 2 | Expert Review |

Expert(s): Francesca Palombini, Carsten Bormann

| Name | Value Type | Value Registry | Description | Reference |
|---|---|---|---|---|
| Reserved for Private Use | | | | |
| delegated to the COSE Header Algorithm Parameters registry | | | | |
| Reserved | | | | |
| alg | int / tstr | COSE Algorithms registry | Cryptographic algorithm to use | |
| crit | [+ label] | COSE Header Parameters registry | Critical headers to be understood | |
| content type | tstr / uint | COAP Content-Formats or Media Types registry | Content type of the payload | |
| kid | bstr | | Key identifier | |
| IV | bstr | | Full Initialization Vector | |
| Partial IV | bstr | | Partial Initialization Vector | |
| counter signature | COSE_Signature / [+ COSE_Signature ] | | CBOR-encoded signature structure (Deprecated by ) | |
| Unassigned | | | | |
| CounterSignature0 | bstr | | Counter signature with implied signer and headers (Deprecated by ) | |
| kid context | bstr | | Identifies the context for the key identifier | RFC8613, Section 5.1 |
| Countersignature version 2 | COSE_Countersignature / [+ COSE_Countersignature] | | V2 countersignature attribute | |
| Countersignature0 version 2 | COSE_Countersignature0 | | V2 Abbreviated Countersignature | |
| kcwt | COSE_Messages | | A CBOR Web Token (CWT) containing a COSE_Key in a 'cnf' claim and possibly other claims. CWT is defined in . COSE_Messages is defined in . | |
| kccs | map | | A CWT Claims Set (CCS) containing a COSE_Key in a 'cnf' claim and possibly other claims. CCS is defined in . | |
| CWT Claims | map | | Location for CWT Claims in COSE Header Parameters. | |
| Unassigned | | | | |
| c5t | COSE_CertHash | | Hash of a C509Certificate (TEMPORARY - registered 2024-03-11, expires 2025-03-11) | |
| c5u | uri | | URI pointing to a COSE_C509 containing a ordered chain of certificates (TEMPORARY - registered 2024-03-11, expires 2025-03-11) | |
| c5b | COSE_C509 | | An unordered bag of C509 certificates (TEMPORARY - registered 2024-03-11, expires 2025-03-11) | |
| c5c | COSE_C509 | | An ordered chain of C509 certificates (TEMPORARY - registered 2024-03-11, expires 2025-03-11) | |
| Unassigned | | | | |
| x5bag | COSE_X509 | | An unordered bag of X.509 certificates | |
| x5chain | COSE_X509 | | An ordered chain of X.509 certificates | |
| x5t | COSE_CertHash | | Hash of an X.509 certificate | |
| x5u | uri | | URI pointing to an X.509 certificate | |
| Unassigned | | | | |
| CUPHNonce | bstr | | Challenge Nonce | FIDO Device Onboard Specification |
| CUPHOwnerPubKey | array | | Public Key | FIDO Device Onboard Specification |

COSE Header Algorithm Parameters

Registration Procedure(s): Expert Review

Expert(s): Göran Selander, Derek Atkins, Sean Turner

| Name | Algorithm | Type | Description |
|---|---|---|---|
| Unassigned | | | |
| x5chain-sender | ECDH-SS+HKDF-256, ECDH-SS+HKDF-512, ECDH-SS+A128KW, ECDH-SS+A192KW, ECDH-SS+A256KW | COSE_X509 | static key X.509 certificate chain |
| x5u-sender | ECDH-SS+HKDF-256, ECDH-SS+HKDF-512, ECDH-SS+A128KW, ECDH-SS+A192KW, ECDH-SS+A256KW | uri | URI for the sender's X.509 certificate |
| x5t-sender | ECDH-SS+HKDF-256, ECDH-SS+HKDF-512, ECDH-SS+A128KW, ECDH-SS+A192KW, ECDH-SS+A256KW | COSE_CertHash | Thumbprint for the sender's X.509 certificate |
| PartyV other | direct+HKDF-SHA-256, direct+HKDF-SHA-512, direct+HKDF-AES-128, direct+HKDF-AES-256, ECDH-ES+HKDF-256, ECDH-ES+HKDF-512, ECDH-SS+HKDF-256, ECDH-SS+HKDF-512, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, ECDH-SS+A128KW, ECDH-SS+A192KW, ECDH-SS+A256KW | bstr | Party V other provided information |
| PartyV nonce | direct+HKDF-SHA-256, direct+HKDF-SHA-512, direct+HKDF-AES-128, direct+HKDF-AES-256, ECDH-ES+HKDF-256, ECDH-ES+HKDF-512, ECDH-SS+HKDF-256, ECDH-SS+HKDF-512, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, ECDH-SS+A128KW, ECDH-SS+A192KW, ECDH-SS+A256KW | bstr / int | Party V provided nonce |
| PartyV identity | direct+HKDF-SHA-256, direct+HKDF-SHA-512, direct+HKDF-AES-128, direct+HKDF-AES-256, ECDH-ES+HKDF-256, ECDH-ES+HKDF-512, ECDH-SS+HKDF-256, ECDH-SS+HKDF-512, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, ECDH-SS+A128KW, ECDH-SS+A192KW, ECDH-SS+A256KW | bstr | Party V identity information |
| PartyU other | direct+HKDF-SHA-256, direct+HKDF-SHA-512, direct+HKDF-AES-128, direct+HKDF-AES-256, ECDH-ES+HKDF-256, ECDH-ES+HKDF-512, ECDH-SS+HKDF-256, ECDH-SS+HKDF-512, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, ECDH-SS+A128KW, ECDH-SS+A192KW, ECDH-SS+A256KW | bstr | Party U other provided information |
| PartyU nonce | direct+HKDF-SHA-256, direct+HKDF-SHA-512, direct+HKDF-AES-128, direct+HKDF-AES-256, ECDH-ES+HKDF-256, ECDH-ES+HKDF-512, ECDH-SS+HKDF-256, ECDH-SS+HKDF-512, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, ECDH-SS+A128KW, ECDH-SS+A192KW, ECDH-SS+A256KW | bstr / int | Party U provided nonce |
| PartyU identity | direct+HKDF-SHA-256, direct+HKDF-SHA-512, direct+HKDF-AES-128, direct+HKDF-AES-256, ECDH-ES+HKDF-256, ECDH-ES+HKDF-512, ECDH-SS+HKDF-256, ECDH-SS+HKDF-512, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, ECDH-SS+A128KW, ECDH-SS+A192KW, ECDH-SS+A256KW | bstr | Party U identity information |
| salt | direct+HKDF-SHA-256, direct+HKDF-SHA-512, direct+HKDF-AES-128, direct+HKDF-AES-256, ECDH-ES+HKDF-256, ECDH-ES+HKDF-512, ECDH-SS+HKDF-256, ECDH-SS+HKDF-512, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, ECDH-SS+A128KW, ECDH-SS+A192KW, ECDH-SS+A256KW | bstr | Random salt |
| Unassigned | | | |
| static key id | ECDH-SS+HKDF-256, ECDH-SS+HKDF-512, ECDH-SS+A128KW, ECDH-SS+A192KW, ECDH-SS+A256KW | bstr | Static public key identifier for the sender |
| static key | ECDH-SS+HKDF-256, ECDH-SS+HKDF-512, ECDH-SS+A128KW, ECDH-SS+A192KW, ECDH-SS+A256KW | COSE_Key | Static public key for the sender |
| ephemeral key | ECDH-ES+HKDF-256, ECDH-ES+HKDF-512, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW | COSE_Key | Ephemeral public key for the sender |

COSE Algorithms

Registration Procedure(s):

| Range | Registration Procedure |
|---|---|
| Integers less than -65536 | Private Use |
| Integer values from -65536 to -257 | Specification Required |
| Integer values between -256 and 255 | Standards Action With Expert Review |
| Integer values from 256 to 65535 | Specification Required |
| Integer values greater than 65535 | Expert Review |
| Strings of length 1 | Standards Action With Expert Review |
| Strings of length 2 | Specification Required |
| Strings of length greater than 2 | Expert Review |

Expert(s): Göran Selander, Derek Atkins, Sean Turner

| Name | Value | Description | Capabilities | Change Controller | Recommended |
|---|---|---|---|---|---|
| Reserved for Private Use | less than -65536 | | | | No |
| Unassigned | -65536 | | | | |
| RS1 | -65535 | RSASSA-PKCS1-v1_5 using SHA-1 | [kty] | IESG | Deprecated |
| A128CTR | -65534 | AES-CTR w/ 128-bit key | [kty] | IETF | Deprecated |
| A192CTR | -65533 | AES-CTR w/ 192-bit key | [kty] | IETF | Deprecated |
| A256CTR | -65532 | AES-CTR w/ 256-bit key | [kty] | IETF | Deprecated |
| A128CBC | -65531 | AES-CBC w/ 128-bit key | [kty] | IETF | Deprecated |
| A192CBC | -65530 | AES-CBC w/ 192-bit key | [kty] | IETF | Deprecated |
| A256CBC | -65529 | AES-CBC w/ 256-bit key | [kty] | IETF | Deprecated |
| Unassigned | -65528 to -261 | | | | |
| WalnutDSA | -260 | WalnutDSA signature | [kty] | | No |
| RS512 | -259 | RSASSA-PKCS1-v1_5 using SHA-512 | [kty] | IESG | No |
| RS384 | -258 | RSASSA-PKCS1-v1_5 using SHA-384 | [kty] | IESG | No |
| RS256 | -257 | RSASSA-PKCS1-v1_5 using SHA-256 | [kty] | IESG | No |
| Unassigned | -256 to -48 | | | | |
| ES256K | -47 | ECDSA using secp256k1 curve and SHA-256 | [kty] | IESG | No |
| HSS-LMS | -46 | HSS/LMS hash-based digital signature | [kty] | | Yes |
| SHAKE256 | -45 | SHAKE-256 512-bit Hash Value | [kty] | | Yes |
| SHA-512 | -44 | SHA-2 512-bit Hash | [kty] | | Yes |
| SHA-384 | -43 | SHA-2 384-bit Hash | [kty] | | Yes |
| RSAES-OAEP w/ SHA-512 | -42 | RSAES-OAEP w/ SHA-512 | [kty] | | Yes |
| RSAES-OAEP w/ SHA-256 | -41 | RSAES-OAEP w/ SHA-256 | [kty] | | Yes |
| RSAES-OAEP w/ RFC 8017 default parameters | -40 | RSAES-OAEP w/ SHA-1 | [kty] | | Yes |
| PS512 | -39 | RSASSA-PSS w/ SHA-512 | [kty] | | Yes |
| PS384 | -38 | RSASSA-PSS w/ SHA-384 | [kty] | | Yes |
| PS256 | -37 | RSASSA-PSS w/ SHA-256 | [kty] | | Yes |
| ES512 | -36 | ECDSA w/ SHA-512 | [kty] | | Yes |
| ES384 | -35 | ECDSA w/ SHA-384 | [kty] | | Yes |
| ECDH-SS + A256KW | -34 | ECDH SS w/ Concat KDF and AES Key Wrap w/ 256-bit key | [kty] | | Yes |
| ECDH-SS + A192KW | -33 | ECDH SS w/ Concat KDF and AES Key Wrap w/ 192-bit key | [kty] | | Yes |
| ECDH-SS + A128KW | -32 | ECDH SS w/ Concat KDF and AES Key Wrap w/ 128-bit key | [kty] | | Yes |
| ECDH-ES + A256KW | -31 | ECDH ES w/ Concat KDF and AES Key Wrap w/ 256-bit key | [kty] | | Yes |
| ECDH-ES + A192KW | -30 | ECDH ES w/ Concat KDF and AES Key Wrap w/ 192-bit key | [kty] | | Yes |
| ECDH-ES + A128KW | -29 | ECDH ES w/ Concat KDF and AES Key Wrap w/ 128-bit key | [kty] | | Yes |
| ECDH-SS + HKDF-512 | -28 | ECDH SS w/ HKDF - generate key directly | [kty] | | Yes |
| ECDH-SS + HKDF-256 | -27 | ECDH SS w/ HKDF - generate key directly | [kty] | | Yes |
| ECDH-ES + HKDF-512 | -26 | ECDH ES w/ HKDF - generate key directly | [kty] | | Yes |
| ECDH-ES + HKDF-256 | -25 | ECDH ES w/ HKDF - generate key directly | [kty] | | Yes |
| Unassigned | -24 to -19 | | | | |
| SHAKE128 | -18 | SHAKE-128 256-bit Hash Value | [kty] | | Yes |
| SHA-512/256 | -17 | SHA-2 512-bit Hash truncated to 256-bits | [kty] | | Yes |
| SHA-256 | -16 | SHA-2 256-bit Hash | [kty] | | Yes |
| SHA-256/64 | -15 | SHA-2 256-bit Hash truncated to 64-bits | [kty] | | Filter Only |
| SHA-1 | -14 | SHA-1 Hash | [kty] | | Filter Only |
| direct+HKDF-AES-256 | -13 | Shared secret w/ AES-MAC 256-bit key | [kty] | | Yes |
| direct+HKDF-AES-128 | -12 | Shared secret w/ AES-MAC 128-bit key | [kty] | | Yes |
| direct+HKDF-SHA-512 | -11 | Shared secret w/ HKDF and SHA-512 | [kty] | | Yes |
| direct+HKDF-SHA-256 | -10 | Shared secret w/ HKDF and SHA-256 | [kty] | | Yes |
| Unassigned | -9 | | | | |
| EdDSA | -8 | EdDSA | [kty] | | Yes |
| ES256 | -7 | ECDSA w/ SHA-256 | [kty] | | Yes |
| direct | -6 | Direct use of CEK | [kty] | | Yes |
| A256KW | -5 | AES Key Wrap w/ 256-bit key | [kty] | | Yes |
| A192KW | -4 | AES Key Wrap w/ 192-bit key | [kty] | | Yes |
| A128KW | -3 | AES Key Wrap w/ 128-bit key | [kty] | | Yes |
| Unassigned | -2 to -1 | | | | |
| Reserved | 0 | | | | No |
| A128GCM | 1 | AES-GCM mode w/ 128-bit key, 128-bit tag | [kty] | | Yes |
| A192GCM | 2 | AES-GCM mode w/ 192-bit key, 128-bit tag | [kty] | | Yes |
| A256GCM | 3 | AES-GCM mode w/ 256-bit key, 128-bit tag | [kty] | | Yes |
| HMAC 256/64 | 4 | HMAC w/ SHA-256 truncated to 64 bits | [kty] | | Yes |
| HMAC 256/256 | 5 | HMAC w/ SHA-256 | [kty] | | Yes |
| HMAC 384/384 | 6 | HMAC w/ SHA-384 | [kty] | | Yes |
| HMAC 512/512 | 7 | HMAC w/ SHA-512 | [kty] | | Yes |
| Unassigned | 8-9 | | | | |
| AES-CCM-16-64-128 | 10 | AES-CCM mode 128-bit key, 64-bit tag, 13-byte nonce | [kty] | | Yes |
| AES-CCM-16-64-256 | 11 | AES-CCM mode 256-bit key, 64-bit tag, 13-byte nonce | [kty] | | Yes |
| AES-CCM-64-64-128 | 12 | AES-CCM mode 128-bit key, 64-bit tag, 7-byte nonce | [kty] | | Yes |
| AES-CCM-64-64-256 | 13 | AES-CCM mode 256-bit key, 64-bit tag, 7-byte nonce | [kty] | | Yes |
| AES-MAC 128/64 | 14 | AES-MAC 128-bit key, 64-bit tag | [kty] | | Yes |
| AES-MAC 256/64 | 15 | AES-MAC 256-bit key, 64-bit tag | [kty] | | Yes |
| Unassigned | 16-23 | | | | |
| ChaCha20/Poly1305 | 24 | ChaCha20/Poly1305 w/ 256-bit key, 128-bit tag | [kty] | | Yes |
| AES-MAC 128/128 | 25 | AES-MAC 128-bit key, 128-bit tag | [kty] | | Yes |
| AES-MAC 256/128 | 26 | AES-MAC 256-bit key, 128-bit tag | [kty] | | Yes |
| Unassigned | 27-29 | | | | |
| AES-CCM-16-128-128 | 30 | AES-CCM mode 128-bit key, 128-bit tag, 13-byte nonce | [kty] | | Yes |
| AES-CCM-16-128-256 | 31 | AES-CCM mode 256-bit key, 128-bit tag, 13-byte nonce | [kty] | | Yes |
| AES-CCM-64-128-128 | 32 | AES-CCM mode 128-bit key, 128-bit tag, 7-byte nonce | [kty] | | Yes |
| AES-CCM-64-128-256 | 33 | AES-CCM mode 256-bit key, 128-bit tag, 7-byte nonce | [kty] | | Yes |
| IV-GENERATION | 34 | For doing IV generation for symmetric algorithms. | | | No |

COSE Key Common Parameters

Registration Procedure(s):

| Range | Registration Procedure |
|---|---|
| Integers less than -65536 | Private Use |
| Integer values in the range -65536 to -1 | used for key parameters specific to a single algorithm delegated to the COSE Key Type Parameters registry |
| Integer values between 0 and 255 | Standards Action With Expert Review |
| Integer values from 256 to 65535 | Specification Required |
| Integer values greater than 65535 | Expert Review |
| Strings of length 1 | Standards Action With Expert Review |
| Strings of length 2 | Specification Required |
| Strings of length greater than 2 | Expert Review |

Expert(s): Francesca Palombini, Carsten Bormann

| Name | CBOR Type | Value Registry | Description |
|---|---|---|---|
| Reserved for Private Use | | | |
| used for key parameters specific to a single algorithm delegated to the COSE Key Type Parameters registry | | | |
| Reserved | | | |
| kty | tstr / int | COSE Key Types | Identification of the key type |
| kid | bstr | | Key identification value - match to kid in message |
| alg | tstr / int | COSE Algorithms | Key usage restriction to this algorithm |
| key_ops | [+ (tstr/int)] | | Restrict set of permissible operations |
| Base IV | bstr | | Base IV to be XORed with Partial IVs |

COSE Key Type Parameters

Registration Procedure(s): Expert Review

Expert(s): Göran Selander, Derek Atkins, Sean Turner

| Key Type | Name | CBOR Type | Description |
|---|---|---|---|
| 1 | crv | int / tstr | EC identifier -- Taken from the "COSE Elliptic Curves" registry |
| 1 | x | bstr | Public Key |
| 1 | d | bstr | Private key |
| 2 | crv | int / tstr | EC identifier -- Taken from the "COSE Elliptic Curves" registry |
| 2 | x | bstr | x-coordinate |
| 2 | y | bstr / bool | y-coordinate |
| 2 | d | bstr | Private key |
| 3 | n | bstr | the RSA modulus n |
| 3 | e | bstr | the RSA public exponent e |
| 3 | d | bstr | the RSA private exponent d |
| 3 | p | bstr | the prime factor p of n |
| 3 | q | bstr | the prime factor q of n |
| 3 | dP | bstr | dP is d mod (p - 1) |
| 3 | dQ | bstr | dQ is d mod (q - 1) |
| 3 | qInv | bstr | qInv is the CRT coefficient q^(-1) mod p |
| 3 | other | array | other prime infos, an array |
| 3 | r_i | bstr | a prime factor r_i of n, where i >= 3 |
| 3 | d_i | bstr | d_i = d mod (r_i - 1) |
| 3 | t_i | bstr | the CRT coefficient t_i = (r_1 * r_2 * ... * r_(i-1))^(-1) mod r_i |
| 4 | k | bstr | Key Value |
| 5 | pub | bstr | Public key for HSS/LMS hash-based digital signature |
| 6 | N | uint | Group and Matrix (NxN) size |
| 6 | q | uint | Finite field F_q |
| 6 | t-values | array (of uint) | List of T-values, entries in F_q |
| 6 | matrix 1 | array (of array of uint) | NxN Matrix of entries in F_q in column-major form |
| 6 | permutation 1 | array (of uint) | Permutation associated with matrix 1 |
| 6 | matrix 2 | array (of array of uint) | NxN Matrix of entries in F_q in column-major form |

COSE Key Types

Registration Procedure(s): Expert Review

Expert(s): Göran Selander, Derek Atkins, Sean Turner

| Name | Value | Description | Capabilities |
|---|---|---|---|
| Reserved | 0 | This value is reserved | |
| OKP | 1 | Octet Key Pair | [kty(1), crv] |
| EC2 | 2 | Elliptic Curve Keys w/ x- and y-coordinate pair | [kty(2), crv] |
| RSA | 3 | RSA Key | [kty(3)] |
| Symmetric | 4 | Symmetric Keys | [kty(4)] |
| HSS-LMS | 5 | Public key for HSS/LMS hash-based digital signature | [kty(5), hash algorithm] |
| WalnutDSA | 6 | WalnutDSA public key | [kty(6)] |

COSE Elliptic Curves

Registration Procedure(s):

| Range | Registration Procedure |
|---|---|
| Integers less than -65536 | Private Use |
| Integer values -65536 to -257 | Specification Required |
| Integer values -256 to 255 | Standards Action With Expert Review |
| Integer values 256 to 65535 | Specification Required |
| Integer values greater than 65535 | Expert Review |

Expert(s): Göran Selander, Derek Atkins, Sean Turner

| Name | Value | Key Type | Description | Change Controller | Reference | Recommended |
|---|---|---|---|---|---|---|
| Reserved for Private Use | Integer values less than -65536 | | | | | No |
| Unassigned | -65536 to -1 | | | | | |
| Reserved | 0 | | | | | No |
| P-256 | 1 | EC2 | NIST P-256 also known as secp256r1 | | | Yes |
| P-384 | 2 | EC2 | NIST P-384 also known as secp384r1 | | | Yes |
| P-521 | 3 | EC2 | NIST P-521 also known as secp521r1 | | | Yes |
| X25519 | 4 | OKP | X25519 for use w/ ECDH only | | | Yes |
| X448 | 5 | OKP | X448 for use w/ ECDH only | | | Yes |
| Ed25519 | 6 | OKP | Ed25519 for use w/ EdDSA only | | | Yes |
| Ed448 | 7 | OKP | Ed448 for use w/ EdDSA only | | | Yes |
| secp256k1 | 8 | EC2 | SECG secp256k1 curve | IESG | | No |
| Unassigned | 9-255 | | | | | |
| brainpoolP256r1 | 256 | EC2 | BrainpoolP256r1 | ISO/IEC JTC 1/SC 17/WG 10 | ISO/IEC 18013-5:2021, 9.1.5.2 | No |
| brainpoolP320r1 | 257 | EC2 | BrainpoolP320r1 | ISO/IEC JTC 1/SC 17/WG 10 | ISO/IEC 18013-5:2021, 9.1.5.2 | No |
| brainpoolP384r1 | 258 | EC2 | BrainpoolP384r1 | ISO/IEC JTC 1/SC 17/WG 10 | ISO/IEC 18013-5:2021, 9.1.5.2 | No |
| brainpoolP512r1 | 259 | EC2 | BrainpoolP512r1 | ISO/IEC JTC 1/SC 17/WG 10 | ISO/IEC 18013-5:2021, 9.1.5.2 | No |