COSE and JOSE Registrations for WebAuthn Algorithms
Microsoft
mbj@microsoft.com
http://self-issued.info/
Security
COSE Working Group
Cryptography
Digital Signature
Encryption
Internet-Draft
W3C
WebAuthn
FIDO Alliance
FIDO
FIDO2
The W3C Web Authentication (WebAuthn) specification
and the FIDO2 Client to Authenticator Protocol (CTAP) specification
use COSE algorithm identifiers.
This specification registers algorithms in the IANA "COSE Algorithms" registry
that are used by WebAuthn and CTAP implementations that are not already registered.
Also, they are registered in the IANA "JSON Web Signature and Encryption Algorithms" registry,
when not already registered there.
This specification defines how to use several algorithms with
COSE that are used by implementations of the
W3C Web Authentication (WebAuthn)
and FIDO2 Client to Authenticator Protocol (CTAP) specifications.
These algorithms are registered in
the IANA "COSE Algorithms" registry
and also in
the IANA "JSON Web Signature and Encryption Algorithms" registry ,
when not already registered there.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 when, and
only when, they appear in all capitals, as shown here.
The RSASSA-PKCS1-v1_5 signature algorithm is defined in .
The RSASSA-PKCS1-v1_5 signature algorithm is parameterized with a hash function (h).
A key of size 2048 bits or larger MUST be used with these algorithms.
Implementations need to check that the key type is 'RSA' when creating or verifying a signature.
The RSASSA-PKCS1-v1_5 algorithms specified in this document are in the following table.
Name
Value
Hash
Description
RS256
TBD (temporary assignment -257 already in place)
SHA-256
RSASSA-PKCS1-v1_5 using SHA-256
RS384
TBD (temporary assignment -258 already in place)
SHA-384
RSASSA-PKCS1-v1_5 using SHA-384
RS512
TBD (temporary assignment -259 already in place)
SHA-512
RSASSA-PKCS1-v1_5 using SHA-512
RS1
TBD (temporary assignment -65535 already in place)
SHA-1
RSASSA-PKCS1-v1_5 using SHA-1
This section defines algorithm encodings and representations enabling the
Standards for Efficient Cryptography Group (SECG) elliptic curve
secp256k1 to be used for
JSON Object Signing and Encryption (JOSE) and
CBOR Object Signing and Encryption (COSE) messages.
The Standards for Efficient Cryptography Group (SECG) elliptic curve
secp256k1 is represented in
a JSON Web Key (JWK) using these values:
kty: EC
crv: secp256k1

plus x and y values
to represent the curve point for the key.
Other optional values such as alg MAY also be present.
It is represented in a COSE_Key using these values:
kty (1): EC2 (2)
crv (-1): secp256k1 (TBD - requested assignment 8)

plus x (-2) and y (-3) values
to represent the curve point for the key.
Other optional values such as alg (3) MAY also be present.
The ECDSA signature algorithm is defined in .
This specification defines the use of ECDSA with the secp256k1 curve
and the SHA-256 cryptographic hash function.
Implementations need to check that the key type is EC for JOSE or
EC2 (2) for COSE when creating or verifying a signature.
The ECDSA secp256k1 SHA-256 digital signature is generated as follows:
Generate a digital signature of the JWS Signing Input
or the COSE payload
using ECDSA secp256k1 SHA-256 with
the desired private key. The output will be the pair
(R, S), where R and S are 256-bit unsigned integers.
Turn R and S into octet sequences in big-endian order,
with each array being be 32 octets long.
The octet sequence representations MUST NOT be shortened
to omit any leading zero octets contained in the values.
Concatenate the two octet sequences in the order R and then S.
(Note that many ECDSA implementations will directly produce
this concatenation as their output.)
The resulting 64-octet sequence is the JWS Signature or COSE signature value.

The ECDSA secp256k1 SHA-256 algorithm specified in this document uses these identifiers:
JOSE Alg Name
COSE Alg Value
Description
ES256K
TBD (requested assignment -43)
ECDSA using secp256k1 curve and SHA-256
This section registers the following values in the
IANA "COSE Algorithms" registry .
Name: RS256
Value: TBD (temporary assignment -257 already in place)
Description: RSASSA-PKCS1-v1_5 using SHA-256
Reference: of this document
Recommended: No

Name: RS384
Value: TBD (temporary assignment -258 already in place)
Description: RSASSA-PKCS1-v1_5 using SHA-384
Reference: of this document
Recommended: No

Name: RS512
Value: TBD (temporary assignment -259 already in place)
Description: RSASSA-PKCS1-v1_5 using SHA-512
Reference: of this document
Recommended: No

Name: RS1
Value: TBD (temporary assignment -65535 already in place)
Description: RSASSA-PKCS1-v1_5 using SHA-1
Reference: of this document
Recommended: Deprecated

Name: ES256K
Value: TBD (requested assignment -43)
Description: ECDSA using secp256k1 curve and SHA-256
Reference: of this document
Recommended: Yes

This section registers the following value in the
IANA "COSE Elliptic Curves" registry .
Name: secp256k1
Value: TBD (requested assignment 8)
Key Type: EC2
Description: SECG secp256k1 curve
Change Controller: IESG
Reference: of [[ this specification ]]
Recommended: Yes

This section registers the following value in the
IANA "JSON Web Signature and Encryption Algorithms" registry .
Algorithm Name: ES256K
Algorithm Description: ECDSA using secp256k1 curve and SHA-256
Algorithm Usage Locations: alg
JOSE Implementation Requirements: Optional
Change Controller: IESG
Reference: of [[ this specification ]]
Algorithm Analysis Document(s):

This section registers the following value in the
IANA "JSON Web Key Elliptic Curve" registry .
Curve Name: secp256k1
Curve Description: SECG secp256k1 curve
JOSE Implementation Requirements: Optional
Change Controller: IESG
Specification Document(s): of [[ this specification ]]

The security considerations on key sizes for RSA algorithms
from Section 6.1 of also apply to the RSA algorithms
in this specification.
The security considerations on the use of RSASSA-PKCS1-v1_5 with SHA-2 hash functions
from Section 8.3 of also apply to their use
in this specification.
For that reason, these algorithms are registered as being "Not Recommended".
The security considerations on the use of the SHA-1 hash function
from apply in this specification.
For that reason, the "RS1" algorithm is registered as "Deprecated".
It MUST NOT be used by COSE implementations.
A COSE algorithm identifier for this algorithm is nonetheless being registered
because deployed TPMs continue to use it, and therefore WebAuthn implementations
need a COSE algorithm identifier for "RS1" when TPM attestations using
this algorithm are being represented.
Care should be taken that a secp256k1 key is not mistaken for a P-256 key,
given that their representations are the same
except for the crv value.
The procedures and security considerations described in the
, , and
specifications apply to implementations of this specification.
Digital Signature Standard (DSS)
National Institute of Standards and
Technology (NIST)
SEC 1: Elliptic Curve Cryptography
Standards for Efficient Cryptography Group
SEC 2: Recommended Elliptic Curve Domain Parameters
Standards for Efficient Cryptography Group
Web Authentication: An API for accessing Public Key Credentials - Level 1
Google
balfanz@google.com
Google
aczeskis@google.com
Google
Jeff.Hodges@paypal.com
Mozilla
jc@mozilla.com
Microsoft
mbj@microsoft.com
http://self-issued.info/
Microsoft
akshayku@microsoft.com
Microsoft
huliao@microsoft.com
Nok Nok Labs
rolf@noknok.com
Yubico
emil@yubico.com
Client to Authenticator Protocol (CTAP)
Google
cbrand@google.com
Google
aczeskis@google.com
Yubico
jakob@yubico.com
Microsoft
mbj@microsoft.com
http://self-issued.info/
Microsoft
akshayku@microsoft.com
Nok Nok Labs
rolf@noknok.com
FIDO Alliance
adam@fidoalliance.org
OneSpan
johan.verrept@onespan.com
COSE Algorithms
IANA
COSE Elliptic Curves
IANA
JSON Web Signature and Encryption Algorithms
IANA
JSON Web Key Elliptic Curve
IANA
Thanks to
Stephen Farrell,
John Fontana,
Jeff Hodges,
John Mattsson,
Tony Nadalin,
Matt Palmer,
Jim Schaad,
Göran Selander,
Wendy Seltzer,
Sean Turner,
and
Samuel Weiler
for their roles in registering these algorithm identifiers.
[[ to be removed by the RFC Editor before publication as an RFC ]]
-01
Changed the JOSE curve identifier from P-256K
to secp256k1.
Specified that secp256k1 signing is done using the SHA-256 hash function.

-00
Created the initial working group draft from draft-jones-cose-additional-algorithms-00,
changing only the title, date, and history entry.