[Docs] [txt|pdf|xml|html] [Tracker] [Email] [Nits]

Versions: 00

DICE Working Group                                              S. Kumar
Internet-Draft                                          Philips Research
Intended status: Standards Track                               R. Struik
Expires: September 10, 2015                  Struik Security Consultancy
                                                          March 09, 2015


  Transport-layer Multicast Security for Low-Power and Lossy Networks
                                 (LLNs)
                 draft-kumar-dice-multicast-security-00

Abstract

   CoAP and 6LoWPAN are fast emerging as the de-facto protocol standards
   in the area of resource-constrained devices forming Low-power and
   Lossy Networks (LLNs).  Unicast communication in such networks are
   secured at the transport layer using DTLS, as mandated by CoAP.  For
   various applications, IP multicast-based group communications in such
   networks provide clear advantages.  However, at this point, CoAP does
   not specify how to secure group communications in an interoperable
   way.  This draft specifies two methods for securing CoAP-based group
   communication at the transport layer and targets deployment scenarios
   that may require group authentication, respectively source
   authentication.  The specification leverages the fact that DTLS is
   already used as the mechanism of choice to secure unicast
   communications and allows group communications security to be
   implemented as an extension of DTLS record layer processing, thereby
   minimizing incremental implementation cost.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 10, 2015.






Kumar & Struik         Expires September 10, 2015               [Page 1]


Internet-Draft Transport-layer Multicast Security for LLNs    March 2015


Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   4
     1.2.  Outline . . . . . . . . . . . . . . . . . . . . . . . . .   5
   2.  Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . .   5
     2.1.  Group Communication Use Cases . . . . . . . . . . . . . .   5
     2.2.  Security Requirements . . . . . . . . . . . . . . . . . .   6
   3.  Overview of Transport level Secure Multicast  . . . . . . . .   7
     3.1.  Setting up Group Security Association . . . . . . . . . .   8
     3.2.  Group Communication packets . . . . . . . . . . . . . . .   8
   4.  Group-level Data Authenticity . . . . . . . . . . . . . . . .   9
     4.1.  Group message format  . . . . . . . . . . . . . . . . . .  11
     4.2.  Group message processing  . . . . . . . . . . . . . . . .  11
       4.2.1.  Sending Secure Multicast Messages . . . . . . . . . .  11
       4.2.2.  Receiving Secure Multicast Messages . . . . . . . . .  12
   5.  Source-level Data Authenticity  . . . . . . . . . . . . . . .  12
     5.1.  Group message format  . . . . . . . . . . . . . . . . . .  14
     5.2.  Group message processing  . . . . . . . . . . . . . . . .  15
       5.2.1.  Sending Secure Multicast Messages . . . . . . . . . .  15
       5.2.2.  Receiving Secure Multicast Messages . . . . . . . . .  16
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .  16
     6.1.  Late joiners  . . . . . . . . . . . . . . . . . . . . . .  16
   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  17
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  17
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .  17
     8.2.  Informative References  . . . . . . . . . . . . . . . . .  17
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  19








Kumar & Struik         Expires September 10, 2015               [Page 2]


Internet-Draft Transport-layer Multicast Security for LLNs    March 2015


1.  Introduction

   There is an ever growing number of electronic devices, sensors and
   actuators that have become wireless and Internet connected, thus
   creating a trend towards the Internet-of-Things (IoT).  These
   connected devices are equipped with communication capability based on
   CoAP [RFC7252] and 6LoWPAN [RFC6347] standards that enables them to
   interact with each other as well as with the wider Internet services.
   However, the devices in such wireless networks are characterized by
   power constraints (as these are usually battery-operated), have
   limited computational resources (low CPU clock, small RAM and flash
   storage) and often, the communication bandwidth is limited and
   unreliable (e.g., IEEE 802.15.4 radio).  Hence, such wireless control
   networks are also known as Low-power and Lossy Networks (LLNs).

   In addition to the usual device-to-device unicast communication that
   would allow devices to interact with each other, group communication
   is an important feature in LLNs.  It is more effective in LLNs to
   convey messages to a group of devices without requiring the sender to
   perform multiple time and energy consuming unicast transmissions to
   reach each individual group member.  For example, in a lighting
   control system, lighting devices are often grouped according to the
   layout of the building, and control commands are issued
   simultaneously to a group of devices.  Group communication for LLNs
   is based on the CoAP sent over IP- multicast [RFC7390].

   Currently, CoAP messages are protected using Datagram Transport Layer
   Security (DTLS) [RFC6347].  However, DTLS is mainly used to secure a
   connection between two endpoints and it cannot be used to protect
   multicast group communication.  Group communication in LLNs is
   equally important and should be secured as it is also vulnerable to
   the usual attacks over the air (eavesdropping, tampering, message
   forgery, replay, etc.).  Although there have been a lot of efforts in
   IETF to standardize mechanisms to secure multicast communication
   [RFC3830] [RFC4082] [RFC3740] [RFC4046] [RFC4535], they are not
   necessarily suitable for LLNs which have much more limited bandwidth
   and resources.  For example, the MIKEY Architecture [RFC3830] is
   mainly designed to facilitate multimedia distribution, while TESLA
   [RFC4082] is proposed as a protocol for broadcast authentication of
   the source with good time synchronization.  [RFC3740] and [RFC4046]
   provide reference architectures for multicast security.  [RFC4535]
   describes Group Secure Association Key Management Protocol (GSAKMP),
   a security framework for creating and managing cryptographic groups
   on a network which can be reused for key management in our context
   with any needed adaptation for LLNs.

   An existing IP multicast security protocol could be used after
   profiling as shown in [I-D.mglt-dice-ipsec-for-application-payload].



Kumar & Struik         Expires September 10, 2015               [Page 3]


Internet-Draft Transport-layer Multicast Security for LLNs    March 2015


   However since DTLS is already mandated for CoAP unicast, this would
   require an additional security protocol to be implemented on
   constrained devices.  This draft describes an alternative transport
   layer approach by reusing already available functionalities in DTLS.
   This allows CoAP group communication security to be implemented with
   minimal additional resources as an extension to the DTLS record layer
   processing.

1.1.  Terminology

   This specification uses the following terminology:

   o  Group Controller: Entity responsible for creating a multicast
      group and establishing security associations among authorized
      group members.  This entity is also responsible for renewing/
      updating multicast group keys and related policies.

   o  Sender: Entity that sends data to the multicast group.  In a
      1-to-N multicast group, only a single sender transmits data to the
      group; in an M-to-N multicast group (where M and N do not
      necessarily have the same value), M group members are senders.

   o  Listener: Entity that receives multicast messages when listening
      to a multicast IP address.

   o  Security Association (SA): Set of policies and cryptographic
      keying material that together provide security services to network
      traffic matching this policy [RFC3740].  Here, a Security
      Association usually includes the following attributes:

      *  selectors, such as source and destination transport addresses;

      *  properties, such as identities;

      *  cryptographic policy, such as the algorithms, modes, key
         lifetimes, and key lengths used for authentication or
         confidentiality;

      *  keying material for authentication, encryption and signing.

   o  Group Security Association: A bundling of security associations
      (SAs) that together define how a group communicates securely
      [RFC3740].

   o  Keying material: Data specified as part of the SA that is
      necessary to establish and maintain a cryptographic security
      association, such as keys, key pairs, and IVs [RFC4949].




Kumar & Struik         Expires September 10, 2015               [Page 4]


Internet-Draft Transport-layer Multicast Security for LLNs    March 2015


   o  Group authentication: Evidence that a received group message
      originated from some member of this group.  This provides
      assurances that this message was not tampered with by an adversary
      outside this group, but does not pinpoint who precisely in the
      group originated this message.

   o  Source authentication: Evidence that a received group message
      originated from a specifically identified group member.  This
      provides assurances that this message was not tampered with by any
      other group member or an adversary outside this group.

1.2.  Outline

   The remainder of this draft is organized as follows.  Section 2
   provides use cases for group communications with LLNs.  Section 3
   provides an overview of transport layer secure multicasting, while
   Section 4 and Section 5 provide the detailed specifications for
   securing multicast messaging providing for group authentication and
   source authentication, respectively.

2.  Use Cases

   This section introduces some use cases for group communications in
   LLNs and identifies a set of security requirements for these use
   cases.

2.1.  Group Communication Use Cases

   "Group Communication for CoAP" [RFC7390] provides the necessary
   background for multicast-based CoAP communication in LLNs and the
   interested reader is encouraged to first read this document to
   understand the non-security related details.  This document also
   lists a few group communication uses cases with detailed
   descriptions.

   a.  Lighting control: Consider a building equipped with 6LoWPAN IP-
       connected lighting devices, switches, and 6LoWPAN border routers.
       The devices are organized in groups according to their physical
       location in the building, e.g., lighting devices and switches in
       a room or corridor can be configured as a single multicast group.
       The switches are then used to control the lighting devices in the
       group by sending on/off/dimming commands to all lighting devices
       in the group. 6LoWPAN border routers that are connected to an
       IPv6 network backbone (which is also multicast-enabled) are used
       to interconnect 6LoWPANs in the building.  Consequently, this
       would also enable logical multicast groups to be formed even if
       devices in the lighting group may be physically in different
       subnets (e.g. on wired and wireless networks).  Group



Kumar & Struik         Expires September 10, 2015               [Page 5]


Internet-Draft Transport-layer Multicast Security for LLNs    March 2015


       communications enables synchronous operation of a group of
       6LoWPAN connected lights ensuring that the light preset (e.g.
       dimming level or color) of a large group of luminaires are
       changed at the same perceived time.  This is especially useful
       for providing a visual synchronicity of light effects to the
       user.

   b.  Integrated Building control: enabling Building Automation and
       Control Systems to control multiple heating, ventilation and air-
       conditioning units to pre-defined presets.

   c.  Software and Firmware updates: software and firmware updates
       often comprise quite a large amount of data and can, thereby,
       overload an LLN that is otherwise typically used to communicate
       only small amounts of data infrequently.  Multicasting such
       updated data to a larger group of devices at once, rather than
       sending this as unicast messages to each individual device in
       turn, can significantly reduce the network load and may also
       decrease the overall time latency for propagating this data to
       all devices.  With updates of relatively large amounts of data,
       securing the individual messages is important, even if the
       complete update itself is secured as a whole, since checking
       individual received data piecemeal for tampering avoids that
       devices store large amounts of partially corrupted data and may
       detect tampering hereof only after all data has been received.

   d.  Parameter and Configuration update: settings of a group of
       similar devices are updated simultaneously and efficiently.
       Parameters could be, for example, network load management or
       network access controls

   e.  Commissioning of LLN systems: querying information about the
       devices in the local network and their capabilities, e.g., by a
       commissioning device.

   f.  Emergency broadcast: a particular emergency related information
       (e.g. natural disaster) is relayed to multiple devices.

2.2.  Security Requirements

   "Group Communications for CoAP" [RFC7390] already defines a set of
   security requirements for group communication in LLNs.  We re-iterate
   and further describe those security requirements in this section with
   respect to the use cases:

   a.  Group communication topology: We consider both 1-to-N (one sender
       with multiple listeners) and M-to-N (multiple senders with
       multiple listeners) communication topologies.  The 1-to-N



Kumar & Struik         Expires September 10, 2015               [Page 6]


Internet-Draft Transport-layer Multicast Security for LLNs    March 2015


       communication topology is the simplest group communication
       scenario that would serve the needs of a typical LLN.  For
       example, in a simple lighting control use case, a switch would be
       the only entity that is responsible for sending control commands
       to a group of lighting devices.  In more advanced lighting
       control use cases, an M-to-N communication topology would be
       required, for example if multiple sensors (presence or day-light)
       are responsible to trigger events to a group of lighting devices.

   b.  Group-level data confidentiality: Data confidentiality may be
       required if privacy sensitive data is exchanged in the group.
       Confidentiality is only required at the group level since any
       member of the group can decrypt the message.

   c.  Group-level authentication and integrity: In certain use cases,
       it is sufficient to ensure the weaker group-level authentication
       of group messages.  Such cases include M-to-N communication
       topology where M senders all perform similar roles and where M is
       of approximately the same size as group size N.  Group-level
       authentication is achieved by a single group key that is known to
       all group members and used to provide authenticity to the group
       messages (e.g., using a Message Authentication Code, MAC).

   d.  Source-level authentication: Certain use-cases require a stronger
       source-level authentication of group messages.  This is
       especially needed in M-to-N communication topology, where M is
       closer to 1.  Source authentication can be provided using public-
       key cryptography in which every group message is signed by its
       sender.

3.  Overview of Transport level Secure Multicast

   The IETF CoRE WG has selected DTLS [RFC6347] as the default must-
   implement security protocol for securing CoAP unicast traffic.  The
   goal of this draft is to secure CoAP Group communication with minimal
   additional overhead on resource-constrained embedded devices.  We
   propose to reuse some of the functionalities of DTLS such that a
   transport-layer multicast security solution can be implemented by
   extending the DTLS implementation (that already exists on these
   devices) with minimal adaptation.

   We first give a general overview of how the transport-layer multicast
   security can be implemented and then provide two variations: one for
   group authentication and the other for source authentication.







Kumar & Struik         Expires September 10, 2015               [Page 7]


Internet-Draft Transport-layer Multicast Security for LLNs    March 2015


3.1.  Setting up Group Security Association

   A group controller in an LLN creates a multicast group.  The group
   controller may be hosted by a remote server, or a border router that
   creates a new group over the network.  In some cases, devices may be
   configured using a commissioning tool that mediates the communication
   between the devices and the group controller.  The controller in the
   network can be discovered by the devices using various methods
   defined in [I-D.vanderstok-core-dna] such as DNS-SD [RFC6763] and
   Resource Directory [I-D.ietf-core-resource-directory].  The group
   controller communicates with individual device in unicast to add them
   to the new group.  This configuration can be done as unicast CoAP
   based messages sent over a DTLS secured link.  The CoAP resource on
   the devices that is used to configure the group [RFC7390]can also be
   used to configure the devices with the Group Security Association
   (GSA) consisting of keying material, security policies security
   parameters and ciphersuites.  [Note: The details of the CoAP based
   configuration needs further elaboration in a new revision.]

3.2.  Group Communication packets

   Senders in the group can authenticate and/or encrypt the CoAP group
   messages using the keying material in the GSA.  The authenticated
   and/or encrypted message contains a security header which includes a
   replay counter.  This is passed down to the lower layer of the IPv6
   protocol stack for transmission to the multicast address as depicted
   in Figure 1.


       +--------+-+---------------------------------------------+-+
       |        | +---------------------------------------------+ |
       |        | |        | +--------------------------------+ | |
       |        | |        | |             | +--------------+ | | |
       |   IP   | |   UDP  | |  Security   | |   multicast  | | | |
       | header | | header | |   Header    | |    message   | | | |
       |        | |        | |             | +--------------+ | | |
       |        | |        | +--------------------------------+ | |
       |        | +---------------------------------------------+ |
       +--------+-+---------------------------------------------+-+


     Figure 1: Sending a multicast message protected using DTLS Record
                                   Layer

   The listeners when receiving the message, use the multicast IPv6
   destination address and port (i.e., multicast group identifier) to
   derive the corresponding GSA needed for that group connection.  The




Kumar & Struik         Expires September 10, 2015               [Page 8]


Internet-Draft Transport-layer Multicast Security for LLNs    March 2015


   received message's authenticity is verified and/or decrypted using
   the keying material for that connection and the security header.

4.  Group-level Data Authenticity

   This section describes in detail the group level authenticity
   mechanism for transport level secure group messages.  We assume that
   group membership has been configured by the group controller as
   described in Section 3.1 , and all member devices in the group have
   the GSA.  The group-level authentication GSA contains the following
   elements:


           CipherSuite
           server write MAC key
           server write encryption key
           server write IV
           SenderID

   The group controller chooses a CipherSuite for the GSA based on
   knowledge that all devices in the group support the specific
   CipherSuite.  Based on the CipherSuite selected, one or more of the
   other elements may be empty.  For example, if only using authenticity
   only ciphersuite, the encryption key and IV is not sent, similarly if
   an AEAD ciphersuite is used then MAC key is not sent.  The SenderID
   is only sent to devices which are senders in the group

   The GSA is used to instantiate the needed elements of the
   "SecurityParameters" structure (shown below) as defined in [RFC5246]
   for all devices.





















Kumar & Struik         Expires September 10, 2015               [Page 9]


Internet-Draft Transport-layer Multicast Security for LLNs    March 2015


           struct {
                     ConnectionEnd          entity;
                     PRFAlgorithm           prf_algorithm;
                     BulkCipherAlgorithm    bulk_cipher_algorithm;
                     CipherType             cipher_type;
                     uint8                  enc_key_length;
                     uint8                  block_length;
                     uint8                  fixed_iv_length;
                     uint8                  record_iv_length;
                     MACAlgorithm           mac_algorithm;
                     uint8                  mac_length;
                     uint8                  mac_key_length;
                     CompressionMethod      compression_algorithm;
                     opaque                 master_secret[48];
                     opaque                 client_random[32];
                     opaque                 server_random[32];
           } SecurityParameters;


   a.  SecurityParameters.entity is set to ConnectionEnd.server for
       senders and ConnectionEnd.client for listeners.

   b.  bulk_cipher_algorithm, cipher_type, enc_key_length, block_length,
       fixed_iv_length, record_iv_length, mac_algorithm, mac_length, and
       mac_key_length is set based on the ciphersuite present in the
       GSA.

   c.  cipher_type is CipherType.aead (if confidentiality is needed)

   d.  enc_key_length, block_length are sent in the GSA.

   e.  prf_algorithm, compression_algorithm, master_secret[48],
       client_random[32], and server_random[32] are not used and
       therefore not set.

   The current read and write states are then instantiated for all group
   members based on the keying material in the GSA and according to
   their roles:

   a.  Listeners (ConnectionEnd.client) directly use "server write"
       parameters in the GSA for instantiating the current read state.
       The write state is not instantiated and not used.

   b.  Senders (ConnectionEnd.server) first pass each of the "server
       write" parameters in the GSA through a function
       output=F(SenderID, input) [Note: F needs to be defined later].
       The output is then used for instantiating the current write
       state.



Kumar & Struik         Expires September 10, 2015              [Page 10]


Internet-Draft Transport-layer Multicast Security for LLNs    March 2015


   If a device is both a sender and listener, then the read and write
   states are both instantiated as above.  Additionally each connection
   state contains the epoch (set to zero) and sequence number which is
   incremented for each record sent; the first record sent has the
   sequence number 0.

4.1.  Group message format

   To reuse the DTLS implementation for group message processing, the
   DTLS Records are used to send messages in the group.

   The following Figure 2 illustrates the structure of the DTLS record
   layer header, the epoch and seq_number are used to ensure message
   freshness and to detect message replays.


   +---------+---------+--------+--------+--------+------------+-------+
   | 1 Byte  | 2 Byte  | 2 Byte | 6 Byte | 2 Byte |            |       |
   +---------+---------+--------+--------+--------+------------+-------+
   | Content | Version | epoch  |  seq_  | Length | Ciphertext |  MAC  |
   |   Type  | Ma | Mi |        | number |        |   (Enc)    | (Enc) |
   +---------+---------+--------+--------+--------+------------+-------+


      Figure 2: The DTLS record layer header to transport group-level
                          authenticated messages

   The same packet structure is used to transport group messages with
   the Content Type set to ContentType.application_data, the version set
   to DTLS version 1.2 (mandated by CoAP) which uses the version {254,
   253}, epoch is fixed for all devices by the controller and the
   seq_number based on current connection state.  The seq_number is
   increased by one whenever the sender sends a new group message in the
   record.  Finally, the message is protected (encrypted and
   authenticated with a MAC) using the session keys in the "server
   write" parameters.

4.2.  Group message processing

4.2.1.  Sending Secure Multicast Messages

   Senders in the multicast group when sending a CoAP group message from
   the application, create the DTLS record payload based on the "server
   write" parameters.  It also manages its own epoch and seq_number in
   the "server write" connection state; the first record sent has the
   seq_number 0.  After creating the DTLS record, the seq_number is
   incremented in the "server write" connection state.  The DTLS record




Kumar & Struik         Expires September 10, 2015              [Page 11]


Internet-Draft Transport-layer Multicast Security for LLNs    March 2015


   is then passed down to UDP and IPv6 layer for transmission on the
   multicast IPv6 destination address and port.

4.2.2.  Receiving Secure Multicast Messages

   When a listeners receives a protected multicast message from the
   sender, it looks up the corresponding "client read" connection state
   based on the multicast IP destination and port of the connection.
   This is different from standard DTLS logic in that the current
   "client read" connection state is bound to the source IP address and
   port.

   Listener devices in a multiple senders multicast group, need to store
   multiple "client read" connection states for the different senders
   linked to the Source IP addresses.  The keying material is same for
   all senders however tracking the epoch and the seq_number of the last
   received packets needs to be kept different for different senders.

   The listeners first perform a "server write" keys lookup by using the
   multicast IPv6 destination address and port of the packet.  Then the
   key is passed through the same F function described above to get
   specific keys for the particular sender.  The listeners decrypt and
   check the MAC of the message using this key.  This guarantees that no
   one without access to the GSA has spoofed the message.  Subsequently,
   the listeners retrieve the "client read" connection state which
   contains the last stored epoch and seq_number of the sender, which is
   used to check the freshness of the message received.  The listeners
   must ensure that the epoch is the same and seq_number in the message
   received is at least equal to the stored value, otherwise the message
   is discarded.  Alternatively a windowing mechanism can be used to
   accept genuine out-of-order packets.  Once the authenticity and
   freshness of the message have been checked, the listeners can pass
   the message to the higher layer protocols.  The seq_number in the
   corresponding "client read" connection state are updated as well.

5.  Source-level Data Authenticity

   This section describes in detail the source level authenticity
   mechanism based on public-key cryptography for transport level secure
   group messages.  We assume that group membership has been configured
   by the group controller as described in Section 3.1 , and all member
   devices in the group have the GSA.

   The source-level authentication GSA contains the following elements:

   a.  For Senders:





Kumar & Struik         Expires September 10, 2015              [Page 12]


Internet-Draft Transport-layer Multicast Security for LLNs    March 2015


           CipherSuite
           {SenderID, SenderID Private Key}
           server write encryption key
           server write IV


   b.  For Listeners:


           CipherSuite
           {SenderID1, SenderID1 Public Key}
           {SenderID2, SenderID2 Public Key}
           {SenderID3, SenderID3 Public Key}
           ...
           server write encryption key
           server write IV

   The group controller chooses a CipherSuite for the GSA for all
   devices based on knowledge that all devices in the group support the
   specific CipherSuite.  Based on the CipherSuite selected, one or more
   of the other elements may be empty.  For example, if only
   authenticity is needed then the encryption key and IV is not sent.

   The GSA is used to instantiate the needed elements of the
   "SecurityParameters" structure (shown below) as defined in [RFC5246]
   for all devices.


           struct {
                     ConnectionEnd          entity;
                     PRFAlgorithm           prf_algorithm;
                     BulkCipherAlgorithm    bulk_cipher_algorithm;
                     CipherType             cipher_type;
                     uint8                  enc_key_length;
                     uint8                  block_length;
                     uint8                  fixed_iv_length;
                     uint8                  record_iv_length;
                     MACAlgorithm           mac_algorithm;
                     uint8                  mac_length;
                     uint8                  mac_key_length;
                     CompressionMethod      compression_algorithm;
                     opaque                 master_secret[48];
                     opaque                 client_random[32];
                     opaque                 server_random[32];
           } SecurityParameters;






Kumar & Struik         Expires September 10, 2015              [Page 13]


Internet-Draft Transport-layer Multicast Security for LLNs    March 2015


   a.  SecurityParameters.entity is set to ConnectionEnd.server for
       senders and ConnectionEnd.client for listeners.

   b.  bulk_cipher_algorithm, cipher_type, enc_key_length, block_length,
       fixed_iv_length, and record_iv_length is set based on the
       ciphersuite present in the GSA.

   c.  mac_algorithm, mac_length, and mac_key_length are set different
       to DTLS since we use public key algorithms.  The mac here
       therefore is a public-key based signature.

   d.  enc_key_length, block_length are sent in the GSA if encryption is
       needed.

   e.  prf_algorithm, compression_algorithm, master_secret[48],
       client_random[32], and server_random[32] are not used and
       therefore not set.

   The current read and write states are then instantiated for all group
   members based on the keying material in the GSA and according to
   their roles:

   a.  Listeners (ConnectionEnd.client) use the SenderID's public keys
       for instantiating the current read state for different senders.
       If confidentiality is needed, the "server write" parameters in
       the GSA is also added to the current read state.  The write state
       is not instantiated and not used.

   b.  Senders (ConnectionEnd.server) use the SenderID private key to
       instantiate the current write state.  If confidentiality is used,
       first pass each of the "server write" parameters in the GSA
       through a function output=F(SenderID, input) [Note: F needs to be
       defined later.].

   If a device is both a sender and listener, then the read and write
   states are both instantiated as above.  Additionally each connection
   state contains the epoch (set to zero) and sequence number which is
   incremented for each record sent; the first record sent has the
   sequence number 0.

5.1.  Group message format

   To reuse the DTLS implementation for group message processing, the
   DTLS Records are used to send messages in the group with minor
   changes.






Kumar & Struik         Expires September 10, 2015              [Page 14]


Internet-Draft Transport-layer Multicast Security for LLNs    March 2015


   The following Figure 2 illustrates the structure of the DTLS record
   layer header, the epoch and seq_number are used to ensure message
   freshness and to detect message replays.


   +---------+---------+--------+--------+--------+------------+-------+
   | 1 Byte  | 2 Byte  | 2 Byte | 6 Byte | 2 Byte |            |       |
   +----------------------------------------------------------------+--+
   | Content | Version | epoch  |  seq_  | Length | Ciphertext | Sig-  |
   |   Type  | Ma + Mi |        | number |        |  (if enc)  | nature|
   +---------+----+----+--------+--------+--------+------------+-------+



     Figure 3: The DTLS record layer header to transport source-level
                           authenticity messages

   The same packet structure is used to transport group messages with
   the Content Type set to ContentType.application_data, the version set
   to DTLS version 1.2 (mandated by CoAP) which uses the version {254,
   253}, epoch is fixed for all devices by the controller and the
   seq_number based on current connection state.  The seq_number is
   increased by one whenever the sender sends a new group message in the
   record.  Finally, the message is signed using the SenderID private
   key and added to the signature field.  If confidentiality is needed
   then data is encrypted using the session keys in the "server write"
   parameters.

5.2.  Group message processing

5.2.1.  Sending Secure Multicast Messages

   Senders in the multicast group when sending a CoAP group message from
   the application, create the DTLS record payload based on the current
   write connection state, i.e. the data (along with the headers) is
   signed using the private key and if confidentiality is needed, the
   server write parameters are used to encrypt the data.  It also
   manages its own epoch and seq_number in the current write connection
   state; the first record sent has the seq_number 0.  After creating
   the DTLS record, the seq_number is incremented in the "server write"
   connection state.  The DTLS record is then passed down to UDP and
   IPv6 layer for transmission on the multicast IPv6 destination address
   and port.








Kumar & Struik         Expires September 10, 2015              [Page 15]


Internet-Draft Transport-layer Multicast Security for LLNs    March 2015


5.2.2.  Receiving Secure Multicast Messages

   When a listeners receives a protected multicast message from the
   sender, it looks up the corresponding "client read" connection state
   based on the source address, source port, multicast IP destination
   and destination port of the connection.  This is different from
   standard DTLS logic in that the current "client read" connection
   state is bound only to the source IP address and source port.

   Listener devices in a multiple senders multicast group, need to store
   multiple "client read" connection states for the different senders
   linked to the source IP addresses.  Each of these connection states
   contain the public key of the corresponding sender.  Further tracking
   the epoch and the seq_number of the last received packets needs to be
   kept different for different senders.

   The listeners first perform a public key lookup by retrieving the
   "client read" connection state using the source address, source port,
   multicast IPv6 destination address and port of the packet.  The
   listeners verifies the signature of the message using this public
   key.  This guarantees that no one without access to the GSA for the
   specific device has spoofed the message.  Subsequently, the listeners
   retrieve from the "client read" connection state the last stored
   epoch and seq_number of the sender, which is used to check the
   freshness of the message received.  The listeners must ensure that
   the epoch is the same and seq_number in the message received is
   higher than the stored value, otherwise the message is discarded.
   Alternatively a windowing mechanism can be used to accept genuine
   out-of-order packets.  Once the authenticity and freshness of the
   message have been checked, the listeners can pass the message to the
   higher layer protocols.  The the seq_number in the corresponding
   "client read" connection state are updated as well.

6.  Security Considerations

   Some of the security issues that should be taken into consideration
   are discussed below.

6.1.  Late joiners

   Listeners who are late joiners to a multicast group, do not know the
   current epoch and seq_number being used by different senders.  When
   they receive a packet from a sender with a random seq_number in it,
   it is impossible for the listener to verify if the packet is fresh
   and has not been replayed by an attacker.  To overcome this late
   joiner security issue, the group controller which can act as a
   listener in the multicast group can maintain the epoch and seq_number
   of each sender.  When late joiners send a request to the group



Kumar & Struik         Expires September 10, 2015              [Page 16]


Internet-Draft Transport-layer Multicast Security for LLNs    March 2015


   controller to join the multicast group, the group controller can send
   the list of epoch and seq_numbers to the late joiner.

7.  Acknowledgements

8.  References

8.1.  Normative References

   [RFC5116]  McGrew, D., "An Interface and Algorithms for Authenticated
              Encryption", RFC 5116, January 2008.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [RFC5288]  Salowey, J., Choudhury, A., and D. McGrew, "AES Galois
              Counter Mode (GCM) Cipher Suites for TLS", RFC 5288,
              August 2008.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, January 2012.

   [RFC6655]  McGrew, D. and D. Bailey, "AES-CCM Cipher Suites for
              Transport Layer Security (TLS)", RFC 6655, July 2012.

   [RFC7252]  Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
              Application Protocol (CoAP)", RFC 7252, June 2014.

   [RFC7390]  Rahman, A. and E. Dijk, "Group Communication for the
              Constrained Application Protocol (CoAP)", RFC 7390,
              October 2014.

8.2.  Informative References

   [FIPS.180-2.2002]
              National Institute of Standards and Technology, "Secure
              Hash Standard", FIPS PUB 180-2, August 2002,
              <http://csrc.nist.gov/publications/fips/fips180-2/
              fips180-2.pdf>.

   [FIPS.197.2001]
              National Institute of Standards and Technology, "Advanced
              Encryption Standard (AES)", FIPS PUB 197, November 2001,
              <http://csrc.nist.gov/publications/fips/fips197/
              fips-197.pdf>.






Kumar & Struik         Expires September 10, 2015              [Page 17]


Internet-Draft Transport-layer Multicast Security for LLNs    March 2015


   [I-D.dijk-core-groupcomm-misc]
              Dijk, E. and A. Rahman, "Miscellaneous CoAP Group
              Communication Topics", draft-dijk-core-groupcomm-misc-06
              (work in progress), June 2014.

   [I-D.ietf-core-resource-directory]
              Shelby, Z. and C. Bormann, "CoRE Resource Directory",
              draft-ietf-core-resource-directory-02 (work in progress),
              November 2014.

   [I-D.mcgrew-aero]
              McGrew, D. and J. Foley, "Authenticated Encryption with
              Replay prOtection (AERO)", draft-mcgrew-aero-01 (work in
              progress), February 2014.

   [I-D.mglt-dice-ipsec-for-application-payload]
              Migault, D. and C. Bormann, "IPsec/ESP for Application
              Payload", draft-mglt-dice-ipsec-for-application-payload-00
              (work in progress), July 2014.

   [I-D.vanderstok-core-dna]
              Stok, P., Lynn, K., and A. Brandt, "CoRE Discovery,
              Naming, and Addressing", draft-vanderstok-core-dna-02
              (work in progress), July 2012.

   [RFC2104]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
              Hashing for Message Authentication", RFC 2104, February
              1997.

   [RFC3740]  Hardjono, T. and B. Weis, "The Multicast Group Security
              Architecture", RFC 3740, March 2004.

   [RFC3830]  Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and K.
              Norrman, "MIKEY: Multimedia Internet KEYing", RFC 3830,
              August 2004.

   [RFC4046]  Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm,
              "Multicast Security (MSEC) Group Key Management
              Architecture", RFC 4046, April 2005.

   [RFC4082]  Perrig, A., Song, D., Canetti, R., Tygar, J., and B.
              Briscoe, "Timed Efficient Stream Loss-Tolerant
              Authentication (TESLA): Multicast Source Authentication
              Transform Introduction", RFC 4082, June 2005.

   [RFC4535]  Harney, H., Meth, U., Colegrove, A., and G. Gross,
              "GSAKMP: Group Secure Association Key Management
              Protocol", RFC 4535, June 2006.



Kumar & Struik         Expires September 10, 2015              [Page 18]


Internet-Draft Transport-layer Multicast Security for LLNs    March 2015


   [RFC4785]  Blumenthal, U. and P. Goel, "Pre-Shared Key (PSK)
              Ciphersuites with NULL Encryption for Transport Layer
              Security (TLS)", RFC 4785, January 2007.

   [RFC4944]  Montenegro, G., Kushalnagar, N., Hui, J., and D. Culler,
              "Transmission of IPv6 Packets over IEEE 802.15.4
              Networks", RFC 4944, September 2007.

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2", RFC
              4949, August 2007.

   [RFC5374]  Weis, B., Gross, G., and D. Ignjatic, "Multicast
              Extensions to the Security Architecture for the Internet
              Protocol", RFC 5374, November 2008.

   [RFC6282]  Hui, J. and P. Thubert, "Compression Format for IPv6
              Datagrams over IEEE 802.15.4-Based Networks", RFC 6282,
              September 2011.

   [RFC6763]  Cheshire, S. and M. Krochmal, "DNS-Based Service
              Discovery", RFC 6763, February 2013.

Authors' Addresses

   Sandeep S. Kumar
   Philips Research
   High Tech Campus 34
   Eindhoven  5656 AE
   The Netherlands

   Email: ietf.author@sandeep-kumar.org


   Rene Struik
   Struik Security Consultancy

   Email: rstruik.ext@gmail.com














Kumar & Struik         Expires September 10, 2015              [Page 19]


Html markup produced by rfcmarkup 1.129c, available from https://tools.ietf.org/tools/rfcmarkup/