| Internet-Draft | COSE AES-CMAC | March 2026 |
| Sipos | Expires 24 September 2026 | [Page] |
This document registers code points for using the Advanced Encryption Standard (AES) block cipher in Cipher-based Message Authentication Code (CMAC) mode within CBOR Object Signing and Encryption (COSE) messages. Specifically, these uses are for computing authentication tag values with no additional parameters.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 24 September 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The base CBOR Object Signing and Encryption (COSE) specification [RFC9052] defines two message types for Message Authentication Code (MAC) parameters and results: COSE_Mac and COSE_Mac0.
These messages are parameterized on an algorithm identifier used to generate and verify the MAC tag.
This document defines new fully specified COSE algorithm code points for the use of Advanced Encryption Standard (AES) block cipher [FIPS-197] in Cipher-based Message Authentication Code (CMAC) mode [SP800-38B] to compute a MAC tag.¶
These COSE algorithm code points are "fully specified" in accordance with [RFC9864], meaning they rely on no extra parameters to determine their exact operation. The COSE algorithm code point along with the shared secret key is sufficient to generate or verify the MAC tag.¶
The use of CMAC is an alternative to the Hash-based Message Authentication Code (HMAC) family of algorithms registered by the base COSE specification in Section 3.1 of [RFC9053]. CMAC relies exclusively on a block cipher instead of the HMAC use of a cryptographic hash function. For some implementations, cipher-based MAC can be hardware accelerated.¶
To avoid confusion, the AES-CMAC algorithm family specified in this document is distinct from the "AES-MAC" (also known as "AES-CBC-MAC") algorithm family from Section 3.2 of [RFC9053].¶
This document does not define any new cryptographic algorithms or functions. It only defines code points in a COSE registry so that the AES-CMAC algorithm family can be used in COSE messages.¶
This document does not address the use of CMAC for any other purposes than to compute a fixed-length MAC tag. These registered code points are not to be used as a pseudorandom function (PRF) or key-derivation function (KDF).¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
While the CMAC mode [SP800-38B] can be used with any underlying encryption block cipher, this document focuses on its use with the AES cipher referred to as AES-CMAC.¶
For the sake of adhering to COSE best practice [RFC9864] about fully specifying what gets assigned a COSE "algorithm" code point, AES-CMAC will be treated as an algorithm family with a single COSE code point referring to the algorithm family along with a specific set of parameter values. The parameters associated with AES-CMAC family are: key length and tag length.¶
This document registers code points for the commonly used key lengths of 128 and 256 bits and tag lengths of 128 and 64 bits. The 128-bit tag happens to be the longest possible tag length while the 64-bit tag is a truncated form. These tag lengths are consistent with the COSE use of AES-CBC-MAC in Section 3.2 of [RFC9053].¶
| Name | COSE Value | Algorithm Family | Key Length | Tag Length |
|---|---|---|---|---|
| AES-CMAC 128/64 | TBA1 | AES-CMAC | 128 | 64 |
| AES-CMAC 256/64 | TBA2 | AES-CMAC | 256 | 64 |
| AES-CMAC 128/128 | TBA3 | AES-CMAC | 128 | 128 |
| AES-CMAC 256/128 | TBA4 | AES-CMAC | 256 | 128 |
When using a COSE key for these algorithms, the following checks are made:¶
This document does not define any new behavior of the AES-CMAC family, and so does not introduce any new security considerations. All of the applicable considerations from NIST [SP800-38B] apply when the algorithm family is used in COSE.¶
The CMAC mode of AES is approved by US NIST FIPS 140 [FIPS-140]. The pre-existing uses of AES-CBC-MAC in COSE [RFC9053] are not approved by FIPS 140.¶
This section provides guidance to the Internet Assigned Numbers Authority (IANA) regarding registration of code points in accordance with BCP 26 [RFC8126].¶
A new set of entries have been added to the "COSE Algorithms" registry [IANA-COSE] with the following parameters:¶
Note to IANA: The requested COSE algorithm code points are in the positive less-than-256 range. ¶