COSE
What is COSE?
COSE (CBOR Object Signing and Encryption, RFC 9052) is the binary, CBOR-based counterpart to JOSE, designed for constrained IoT devices and modern protocols.
COSE, standardised in RFC 9052 (with algorithms in RFC 9053, superseding the original RFC 8152), defines a compact, deterministic way to sign and encrypt structured data using CBOR (RFC 8949). It mirrors JOSE concepts: COSE_Sign / COSE_Sign1 for signatures, COSE_Encrypt / COSE_Encrypt0 for encryption, COSE_Mac for MAC, and COSE_Key for key representation. COSE is the cryptographic backbone of WebAuthn / FIDO2 (RP-stored credential public keys are COSE_Keys), the CBOR Web Token (CWT, RFC 8392) used in OAuth-for-IoT and EU Digital COVID Certificates, IoT firmware-update standards such as SUIT (RFC 9019), and EDHOC/OSCORE for constrained IP networks. The CBOR representation is typically 30-50% smaller than the equivalent JOSE encoding.
● Examples
- 01
A WebAuthn authenticator returns the user public key in attestedCredentialData as a COSE_Key with algorithm -7 (ES256).
- 02
An EU Digital COVID Certificate is a COSE_Sign1 over a CWT payload, displayed as a QR code.
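The following stdlib-only Python is an added example, not code from the original page or from any COSE library. It shows the three mechanics the definition above relies on: a deterministic CBOR encoder/decoder (RFC 8949 section 4.2.1, a strict subset: ints, byte and text strings, arrays, maps), the four-element MAC_structure over which a COSE_Mac0 tag is computed (RFC 9052; HMAC 256/256, algorithm id 5 from RFC 9053, is used because the standard library has no ECDSA, but COSE_Sign1 builds its Sig_structure with the same shape under the context string "Signature1"), and the relying-party check of a WebAuthn COSE_Key for ES256 (alg -7) from example 01. All function names, the demo key, the payloads and the P-256 coordinates are constructed placeholders; the outer CBOR tag 17 of a COSE_Mac0 is omitted, and on-curve validation of the public key is not shown.

```python
import hashlib
import hmac
import struct

def _head(major, n):
    # Major type + argument in the shortest form, as deterministic encoding (RFC 8949 s4.2.1) requires
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        if n < 1 << (8 * struct.calcsize(fmt)):
            return bytes([(major << 5) | ai]) + struct.pack(fmt, n)
    raise ValueError("integer too large for CBOR")

def cbor_encode(v):
    # Subset encoder: int, bytes, str, list, dict; map keys sorted bytewise by their own encoding
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        b = v.encode("utf-8")
        return _head(3, len(b)) + b
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor_encode(x) for x in v)
    if isinstance(v, dict):
        items = sorted((cbor_encode(k), cbor_encode(x)) for k, x in v.items())
        return _head(5, len(items)) + b"".join(k + x for k, x in items)
    raise TypeError("unsupported type %s" % type(v).__name__)

def _decode(d, i):
    # Strict subset decoder: no indefinite lengths, no floats/tags, bounds-checked, duplicate keys rejected
    major, ai = d[i] >> 5, d[i] & 0x1F
    i += 1
    size = 0 if ai < 24 else 1 << (ai - 24)
    if ai >= 28 or i + size > len(d):
        raise ValueError("unsupported or truncated CBOR head")
    n = ai if size == 0 else int.from_bytes(d[i:i + size], "big")
    i += size
    if major == 0:
        return n, i
    if major == 1:
        return -1 - n, i
    if major in (2, 3):
        if i + n > len(d):
            raise ValueError("truncated string")
        raw = d[i:i + n]
        return (raw if major == 2 else raw.decode("utf-8")), i + n
    if major in (4, 5):
        items = []
        for _ in range(n * (major - 3)):  # arrays hold n items, maps hold n key/value pairs
            x, i = _decode(d, i)
            items.append(x)
        if major == 4:
            return items, i
        out = dict(zip(items[0::2], items[1::2]))
        if len(out) != n:
            raise ValueError("duplicate map key")  # RFC 8949 s5.6: never silently keep the last one
        return out, i
    raise ValueError("major type %d not supported in this subset" % major)

def cbor_decode(data):
    v, end = _decode(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after CBOR item")
    return v

ALG, HMAC_256_256 = 1, 5  # header label 'alg' and algorithm id 'HMAC 256/256' from the COSE registries (RFC 9053)

def mac0_create(key, payload, external_aad=b""):
    # COSE_Mac0 = [protected bstr, unprotected map, payload, tag]; the outer CBOR tag 17 is omitted here
    protected = cbor_encode({ALG: HMAC_256_256})
    mac_structure = cbor_encode(["MAC0", protected, external_aad, payload])
    return cbor_encode([protected, {}, payload, hmac.new(key, mac_structure, hashlib.sha256).digest()])

def mac0_verify(key, message, external_aad=b""):
    # Recompute the tag over the same MAC_structure; pin the algorithm instead of trusting the header
    protected, _unprotected, payload, tag = cbor_decode(message)
    if cbor_decode(protected).get(ALG) != HMAC_256_256:
        raise ValueError("algorithm not allowed by policy")
    expected = hmac.new(key, cbor_encode(["MAC0", protected, external_aad, payload]), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("MAC verification failed")
    return payload

def parse_webauthn_ec2_key(cose_key, allowed_algs=(-7,)):
    # COSE_Key labels (RFC 9053 s7): kty=1, alg=3, crv=-1, x=-2, y=-3; EC2=2, P-256=1, ES256=-7
    # RP-side policy check before storing the credential public key (on-curve validation not shown)
    k = cbor_decode(cose_key)
    if k.get(1) != 2 or k.get(3) not in allowed_algs or k.get(-1) != 1:
        raise ValueError("kty/alg/crv not in RP policy")
    x, y = k.get(-2), k.get(-3)
    if not (isinstance(x, bytes) and isinstance(y, bytes) and len(x) == len(y) == 32):
        raise ValueError("P-256 coordinates must be 32-byte strings")
    return {"alg": k[3], "x": x, "y": y}

if __name__ == "__main__":
    key = b"\x11" * 32  # constructed demo key, not a real secret
    print(mac0_verify(key, mac0_create(key, b"hello")))  # b'hello'
    print(parse_webauthn_ec2_key(cbor_encode({1: 2, 3: -7, -1: 1, -2: b"\x01" * 32, -3: b"\x02" * 32}))["alg"])  # -7
```

Two design points carry over to real deployments. The verifier recomputes the tag over the protected-header bytes exactly as received (wrapped as a byte string inside the MAC_structure), which is why the protected header is carried as a bstr rather than re-encoded; and it checks the algorithm against a fixed policy before doing any cryptography, the COSE analogue of not dispatching on a JOSE `alg` header. The decoder is deliberately strict (bounded reads, no indefinite lengths, duplicate keys rejected, no trailing bytes) because COSE input on a WebAuthn or CWT endpoint is attacker-supplied.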
● Frequently asked questions
What is COSE?
CBOR Object Signing and Encryption (RFC 9052) is the binary, CBOR-based counterpart to JOSE, designed for constrained IoT devices and modern protocols. It belongs to the Cryptography category of cybersecurity.
What does COSE mean?
CBOR Object Signing and Encryption (RFC 9052) is the binary, CBOR-based counterpart to JOSE, designed for constrained IoT devices and modern protocols.
How does COSE work?
COSE, standardised in RFC 9052 (with algorithms in RFC 9053, superseding the original RFC 8152), defines a compact, deterministic way to sign and encrypt structured data using CBOR (RFC 8949). It mirrors JOSE concepts: COSE_Sign / COSE_Sign1 for signatures, COSE_Encrypt / COSE_Encrypt0 for encryption, COSE_Mac for MAC, and COSE_Key for key representation. COSE is the cryptographic backbone of WebAuthn / FIDO2 (RP-stored credential public keys are COSE_Keys), the CBOR Web Token (CWT, RFC 8392) used in OAuth-for-IoT and EU Digital COVID Certificates, IoT firmware-update standards such as SUIT (RFC 9019), and EDHOC/OSCORE for constrained IP networks. The CBOR representation is typically 30-50% smaller than the equivalent JOSE encoding.
How do you defend against COSE?
Defences for COSE typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for COSE?
Common alternative names include: CBOR Object Signing and Encryption.
● Related terms
- cryptography (№ 565)
JOSE
JavaScript Object Signing and Encryption: an IETF family of standards (RFC 7515-7520 and 8037) for representing signed and encrypted data using JSON.
- cryptography (№ 573)
JWS
JSON Web Signature (RFC 7515) is a JOSE format that protects the integrity and origin of arbitrary content using a digital signature or MAC over a Base64URL-encoded header and payload.
- cryptography (№ 571)
JWE
JSON Web Encryption (RFC 7516) is a JOSE format that confidentially encapsulates a payload using authenticated encryption and either a key-wrapping or key-agreement scheme.
- identity-access (№ 414)
FIDO2
An open authentication standard from the FIDO Alliance combining WebAuthn (browser API) and CTAP (authenticator protocol) to enable phishing-resistant, passwordless sign-in.
- identity-access (№ 1230)
WebAuthn
A W3C standard JavaScript API that allows web applications to register and authenticate users with public-key credentials stored on platform or roaming authenticators.
- ot-iot (№ 552)
IoT Security
The discipline of protecting Internet-of-Things devices, gateways, networks, and cloud services from compromise, given their scale, constrained resources, and long lifetimes.