Hi Øyvind,
There is no specific spec for this but here is what I would do.
If you want to store a symmetric key (call it a CEK) that is encrypted
with a symmetric key (call it a KEK) I would use this structure:
[                       / recipients array /
    h'',                / protected field /
    {                   / unprotected field /
        1: -3,          / alg=A128KW /
        4: h'6B69642D31'  / key id /
    },
    / CEK encrypted with KEK /
    h'AF09622B4F40F17930129D18D0CEA46F159C49E7F68B644D'
]
You could potentially tag it.
Alternatively, with a bit more overhead you could do the following:
(ABC is a placeholder for some tag)
ABC(
    [
        / protected field /
        h'',
        / unprotected field /
        {},
        null,
        [                       / recipients array /
            h'',                / protected field /
            {                   / unprotected field /
                1: -3,          / alg=A128KW /
                4: h'6B69642D31'  / key id /
            },
            / CEK encrypted with KEK /
            h'AF09622B4F40F17930129D18D0CEA46F159C49E7F68B644D'
        ]
    ]
)
Ciao
Hannes
On 20.02.2023 at 13:40, Rønningstad, Øyvind wrote:
Hi, I was looking at the spec, trying to find the best way to
represent an encrypted key with COSE. So, let’s say I want to store or
transmit a symmetric key in a COSE_Key structure, but I want the key
to be encrypted. In a way, I want key wrapping without the payload.
I could always wrap my COSE_Key in a COSE_Encrypt or COSE_Encrypt0,
but that also encrypts the metadata, which makes it more inconvenient
to scan a collection of keys to find the correct one to use. Ideally,
I’d like to wrap just the Key Value (“k”, with label -1) from the
COSE_Key in a COSE_Encrypt0 in-place, but the spec doesn’t seem to
give room for that: “k: This contains the value of the key.”
Can I instead use a COSE_recipient or a COSE_Encrypt(0) structure in
place of the COSE_Key, and place the different COSE_Key parameters
(except k) into the protected header or unprotected header? How should
I structure it if so?
What is the recommendation from the COSE WG? Did I miss something in
the spec about this?
Best Regards, Øyvind Rønningstad
_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
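An added example, not part of either message above and not COSE WG code: a dependency-free Python sketch that encodes the first structure from the reply as CBOR, wraps it in the second (tagged) form, and scans a collection of encoded recipients by key id without touching any key material, which is the property Øyvind asked for. Assumptions: the tag number 96 (COSE_Encrypt in RFC 9052) stands in for the reply's "ABC" placeholder; the 24-byte wrapped CEK is copied from the reply and treated as an opaque blob, so no AES key wrap is actually performed; the second recipient and its wrapped value are constructed for the demonstration.

```python
# Added example (not from the thread): minimal CBOR encode/decode for the
# COSE_recipient layout in the reply, plus a kid-based scan of a key store.
import struct
from collections import namedtuple

A128KW = -3                  # COSE alg value used in the reply
HDR_ALG, HDR_KID = 1, 4      # COSE header labels: alg, kid
COSE_ENCRYPT_TAG = 96        # assumption: stands in for the reply's "ABC"
# Wrapped CEK copied verbatim from the reply; an opaque AES-KW output here.
WRAPPED_CEK = bytes.fromhex("AF09622B4F40F17930129D18D0CEA46F159C49E7F68B644D")

Tag = namedtuple("Tag", "number value")   # CBOR major type 6
_ARG = {24: ">B", 25: ">H", 26: ">I", 27: ">Q"}

def _head(major, n):
    """Initial bytes for a major type and argument, shortest form."""
    if n < 24:
        return bytes([major << 5 | n])
    for ai, fmt in _ARG.items():
        if n < 1 << (8 * struct.calcsize(fmt)):
            return bytes([major << 5 | ai]) + struct.pack(fmt, n)
    raise ValueError("integer too large for CBOR")

def encode(obj):
    """CBOR encoding of the subset these COSE structures need."""
    if obj is None:
        return b"\xf6"
    if isinstance(obj, int):
        return _head(0, obj) if obj >= 0 else _head(1, -1 - obj)
    if isinstance(obj, bytes):
        return _head(2, len(obj)) + obj
    if isinstance(obj, list):
        return _head(4, len(obj)) + b"".join(encode(x) for x in obj)
    if isinstance(obj, dict):
        return _head(5, len(obj)) + b"".join(encode(k) + encode(v) for k, v in obj.items())
    if isinstance(obj, Tag):
        return _head(6, obj.number) + encode(obj.value)
    raise TypeError(f"cannot encode {type(obj).__name__}")

def _decode_at(data, pos):
    """Decode one item at pos; return (item, next_pos). Definite lengths only."""
    major, info = data[pos] >> 5, data[pos] & 0x1F
    pos += 1
    if info < 24:
        n = info
    elif info in _ARG:
        size = struct.calcsize(_ARG[info])
        n = struct.unpack(_ARG[info], data[pos:pos + size])[0]
        pos += size
    else:
        raise ValueError("indefinite-length items are not supported")
    if major == 0:
        return n, pos
    if major == 1:
        return -1 - n, pos
    if major == 2:
        if pos + n > len(data):
            raise ValueError("truncated byte string")
        return bytes(data[pos:pos + n]), pos + n
    if major == 4:
        items = []
        for _ in range(n):
            item, pos = _decode_at(data, pos)
            items.append(item)
        return items, pos
    if major == 5:
        m = {}
        for _ in range(n):
            k, pos = _decode_at(data, pos)
            v, pos = _decode_at(data, pos)
            m[k] = v
        return m, pos
    if major == 6:
        inner, pos = _decode_at(data, pos)
        return Tag(n, inner), pos
    if major == 7 and n == 22:
        return None, pos
    raise ValueError(f"unsupported item: major {major}, argument {n}")

def decode(data):
    obj, end = _decode_at(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after CBOR item")
    return obj

def build_recipient(kid, wrapped_cek, alg=A128KW):
    """COSE_recipient as in the reply: empty protected header, alg and kid in
    the clear, the key-wrap output as the ciphertext field."""
    return [b"", {HDR_ALG: alg, HDR_KID: kid}, wrapped_cek]

def build_envelope(recipients, tag=COSE_ENCRYPT_TAG):
    """The reply's second layout: tagged COSE_Encrypt with null ciphertext."""
    return Tag(tag, [b"", {}, None, recipients])

def header_params(recipient):
    """Merge the protected header (a serialized map, possibly empty) with the
    unprotected one, so a kid placed in either bucket is found."""
    protected, unprotected, _ = recipient
    params = dict(decode(protected)) if protected else {}
    params.update(unprotected)
    return params

def find_wrapped_key(blobs, kid):
    """Scan encoded recipients by kid; only headers are read, the wrapped
    value is returned untouched. Returns (alg, wrapped_cek) or None."""
    for blob in blobs:
        recipient = decode(blob)
        params = header_params(recipient)
        if params.get(HDR_KID) == kid:
            return params[HDR_ALG], recipient[2]
    return None
```

`encode(build_recipient(b"kid-1", WRAPPED_CEK))` yields the 38-byte item `83 40 a2 01 22 04 45 6b69642d31 58 18 ...`, i.e. exactly the diagnostic notation in the reply (the kid `h'6B69642D31'` is ASCII "kid-1"). Because alg and kid sit in the unprotected map, a store can be searched without unwrapping anything; the wrapped value itself is only ever handed to the key-unwrap step for the matching entry.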