In April and May 2022, NCC Group Cryptography Services engaged in a security and cryptography assessment reviewing Microsoft’s contributions to the go-cose library, a Go library implementing signing and verification for CBOR Object Signing and Encryption (COSE), as specified in RFC 8152. This library focuses on a minimal feature set to enable the signing and verification of COSE messages using a single signer, aka “sign1”. The purpose of this assessment was to identify cryptographic vulnerabilities and application-level security issues that could adversely affect the security of the go-cose library.
The Public Report for this review may be downloaded below:
26 May 2022, NCC Group Research