draft-ietf-core-oscore-edhoc-00.txt   draft-ietf-core-oscore-edhoc-01.txt 
CoRE Working Group F. Palombini CoRE Working Group F. Palombini
Internet-Draft Ericsson Internet-Draft Ericsson
Intended status: Standards Track M. Tiloca Intended status: Standards Track M. Tiloca
Expires: 3 October 2021 R. Hoeglund Expires: January 13, 2022 R. Hoeglund
RISE AB RISE AB
S. Hristozov S. Hristozov
Fraunhofer AISEC Fraunhofer AISEC
G. Selander G. Selander
Ericsson Ericsson
1 April 2021 July 12, 2021
Combining EDHOC and OSCORE Combining EDHOC and OSCORE
draft-ietf-core-oscore-edhoc-00 draft-ietf-core-oscore-edhoc-01
Abstract Abstract
This document defines an optimization approach for combining the This document defines an optimization approach for combining the
lightweight authenticated key exchange protocol EDHOC run over CoAP lightweight authenticated key exchange protocol EDHOC run over CoAP
with the first subsequent OSCORE transaction. This combination with the first subsequent OSCORE transaction. This combination
reduces the number of round trips required to set up an OSCORE reduces the number of round trips required to set up an OSCORE
Security Context and to complete an OSCORE transaction using that Security Context and to complete an OSCORE transaction using that
Security Context. Security Context.
skipping to change at page 1, line 41 skipping to change at page 1, line 41
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 3 October 2021. This Internet-Draft will expire on January 13, 2022.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents
license-info) in effect on the date of publication of this document. (https://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. Code Components carefully, as they describe your rights and restrictions with respect
extracted from this document must include Simplified BSD License text to this document. Code Components extracted from this document must
as described in Section 4.e of the Trust Legal Provisions and are include Simplified BSD License text as described in Section 4.e of
provided without warranty as described in the Simplified BSD License. the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. EDHOC Overview . . . . . . . . . . . . . . . . . . . . . . . 3
3. EDHOC Option . . . . . . . . . . . . . . . . . . . . . . . . 5 3. EDHOC Combined with OSCORE . . . . . . . . . . . . . . . . . 5
4. EDHOC Combined with OSCORE . . . . . . . . . . . . . . . . . 6 3.1. EDHOC Option . . . . . . . . . . . . . . . . . . . . . . 7
4.1. Client Processing . . . . . . . . . . . . . . . . . . . . 6 3.2. Client Processing . . . . . . . . . . . . . . . . . . . . 8
4.2. Server Processing . . . . . . . . . . . . . . . . . . . . 7 3.3. Server Processing . . . . . . . . . . . . . . . . . . . . 9
5. Example of EDHOC + OSCORE Request . . . . . . . . . . . . . . 9 3.4. Example of EDHOC + OSCORE Request . . . . . . . . . . . . 10
6. Security Considerations . . . . . . . . . . . . . . . . . . . 10 4. Security Considerations . . . . . . . . . . . . . . . . . . . 11
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
7.1. CoAP Option Numbers Registry . . . . . . . . . . . . . . 10 5.1. CoAP Option Numbers Registry . . . . . . . . . . . . . . 11
8. Normative References . . . . . . . . . . . . . . . . . . . . 10 6. Normative References . . . . . . . . . . . . . . . . . . . . 12
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 11 Appendix A. Additional OSCORE/EDHOC-related Processing . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 A.1. From OSCORE to EDHOC Identifier . . . . . . . . . . . . . 13
A.2. EDHOC Message Processing . . . . . . . . . . . . . . . . 14
A.2.1. Initiator Processing of Message 1 . . . . . . . . . . 14
A.2.2. Responder Processing of Message 1 . . . . . . . . . . 14
A.2.3. Responder Processing of Message 2 . . . . . . . . . . 15
A.2.4. Initiator Processing of Message 2 . . . . . . . . . . 15
A.3. Checking CBOR Encoding of Numeric Values . . . . . . . . 15
Appendix B. Document Updates . . . . . . . . . . . . . . . . . . 16
B.1. Version -00 to -01 . . . . . . . . . . . . . . . . . . . 16
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction 1. Introduction
This document defines an optimization approach to combine the Ephemeral Diffie-Hellman Over COSE (EDHOC) [I-D.ietf-lake-edhoc] is a
lightweight authenticated key exchange protocol EDHOC lightweight authenticated key exchange protocol, especially intended
[I-D.ietf-lake-edhoc], when running over CoAP [RFC7252], with the for use in constrained scenarios. In particular, EDHOC messages can
first subsequent OSCORE [RFC8613] transaction. be transported over the Constrained Application Protocol (CoAP)
[RFC7252] and used for establishing a Security Context for Object
Security for Constrained RESTful Environments (OSCORE) [RFC8613].
This allows for a minimum number of round trips necessary to setup This document defines an optimization approach that combines EDHOC
the OSCORE Security Context and complete an OSCORE transaction, for run over CoAP with the first subsequent OSCORE transaction. This
allows for a minimum number of round trips necessary to setup the
OSCORE Security Context and complete an OSCORE transaction, for
example when an IoT device gets configured in a network for the first example when an IoT device gets configured in a network for the first
time. time.
This optimization is desirable, since the number of protocol round This optimization is desirable, since the number of protocol round
trips impacts the minimum number of flights, which in turn can have a trips impacts on the minimum number of flights, which in turn can
substantial impact on the latency of conveying the first OSCORE have a substantial impact on the latency of conveying the first
request, when using certain radio technologies. OSCORE request, when using certain radio technologies.
Without this optimization, it is not possible, not even in theory, to Without this optimization, it is not possible, not even in theory, to
achieve the minimum number of flights. This optimization makes it achieve the minimum number of flights. This optimization makes it
possible also in practice, since the last message of the EDHOC possible also in practice, since the last message of the EDHOC
protocol can be made relatively small (see Section 1 of protocol can be made relatively small (see Section 1 of
[I-D.ietf-lake-edhoc]), thus allowing additional OSCORE protected [I-D.ietf-lake-edhoc]), thus allowing additional OSCORE protected
CoAP data within target MTU sizes. CoAP data within target MTU sizes.
1.1. Terminology 1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in "OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
The reader is expected to be familiar with terms and concepts defined The reader is expected to be familiar with terms and concepts defined
in CoAP [RFC7252], CBOR [RFC8949], CBOR sequences [RFC8742], OSCORE in CoAP [RFC7252], CBOR [RFC8949], CBOR sequences [RFC8742], OSCORE
[RFC8613] and EDHOC [I-D.ietf-lake-edhoc]. [RFC8613] and EDHOC [I-D.ietf-lake-edhoc].
2. Background 2. EDHOC Overview
EDHOC is a 3-message key exchange protocol. Section 7.2 of The EDHOC protocol allows two peers to agree on a cryptographic
[I-D.ietf-lake-edhoc] specifies how to transport EDHOC over CoAP: the secret, in a mutually-authenticated way and by using Diffie-Hellman
EDHOC data (referred to as "EDHOC messages") are transported in the ephemeral keys to achieve perfect forward secrecy. The two peers are
payload of CoAP requests and responses. denoted as Initiator and Responder, as the one sending or receiving
the initial EDHOC message_1, respectively.
This draft deals with the case of the Initiator acting as CoAP Client After successful processing of EDHOC message_3, both peers agree on a
and the Responder acting as CoAP Server; instead, the case of the cryptographic secret that can be used to derive further security
Initiator acting as CoAP Server cannot be optimized by using this material, and especially to establish an OSCORE Security Context
approach. [RFC8613]. The Responder can also send an optional EDHOC message_4
to achieve key confirmation, e.g., in deployments where no protected
application message is sent from the Responder to the Initiator.
That is, the CoAP Client sends a POST request containing EDHOC Appendix A.3 of [I-D.ietf-lake-edhoc] specifies how to transport
message_1 to a reserved resource at the CoAP Server. This triggers EDHOC over CoAP. That is, the EDHOC data (referred to as "EDHOC
the EDHOC exchange on the CoAP Server, which replies with a 2.04 messages") are transported in the payload of CoAP requests and
(Changed) Response containing EDHOC message_2. Finally, the CoAP responses. The default message flow consists in the CoAP Client
Client sends EDHOC message_3, as a CoAP POST request to the same acting as Initiator and the CoAP Server acting as Responder.
resource used for EDHOC message_1. The Content-Format of these CoAP
messages may be set to "application/edhoc".
After this exchange takes place, and after successful verifications Alternatively, the two roles can be reversed. In the rest of this
specified in the EDHOC protocol, the Client and Server derive the document, EDHOC messages are considered to be transported over CoAP.
OSCORE Security Context, as specified in Section 7.2.1 of
[I-D.ietf-lake-edhoc]. Then, they are ready to use OSCORE.
This sequential way of running EDHOC and then OSCORE is specified in Figure 1 shows a Client and Server running EDHOC as Initiator and
Figure 1. As shown in the figure, this mechanism takes 3 round trips Responder, respectively. That is, the Client sends a POST request
to complete. with payload EDHOC message_1 to a reserved resource at the CoAP
Server, by default at Uri-Path "/.well-known/edhoc". This triggers
the EDHOC exchange at the Server, which replies with a 2.04 (Changed)
Response with payload EDHOC message_2. Finally, the Client sends a
CoAP POST request to the same resource used for EDHOC message_1, with
payload EDHOC message_3. The Content-Format of these CoAP messages
may be set to "application/edhoc".
After this exchange takes place, and after successful verifications
as specified in the EDHOC protocol, the Client and Server can derive
an OSCORE Security Context, as defined in Appendix A.2 of
[I-D.ietf-lake-edhoc]. After that, they can use OSCORE to protect
their communications.
CoAP Client CoAP Server CoAP Client CoAP Server
(EDHOC Initiator) (EDHOC Responder)
| ------------- EDHOC message_1 ------------> | | ------------- EDHOC message_1 ------------> |
| Header: POST (Code=0.02) |
| Uri-Path: "/.well-known/edhoc" |
| Content-Format: application/edhoc |
| | | |
| <------------ EDHOC message_2 ------------- | | <------------ EDHOC message_2 ------------- |
| Header: 2.04 Changed |
| Content-Format: application/edhoc |
| | | |
EDHOC verification | EDHOC verification |
| | | |
| ------------- EDHOC message_3 ------------> | | ------------- EDHOC message_3 ------------> |
| Header: POST (Code=0.02) |
| Uri-Path: "/.well-known/edhoc" |
| Content-Format: application/edhoc |
| | | |
| EDHOC verification | EDHOC verification
| + | +
OSCORE Sec Ctx OSCORE Sec Ctx OSCORE Sec Ctx OSCORE Sec Ctx
Derivation Derivation Derivation Derivation
| | | |
| ------------- OSCORE Request -------------> | | ------------- OSCORE Request -------------> |
| Header: POST (Code=0.02) |
| | | |
| <------------ OSCORE Response ------------- | | <------------ OSCORE Response ------------- |
| Header: 2.04 Changed |
| | | |
Figure 1: EDHOC and OSCORE run sequentially Figure 1: EDHOC and OSCORE run sequentially
The number of roundtrips can be minimized as follows. Already after As shown in Figure 1, this purely-sequential way of first running
receiving EDHOC message_2 and before sending EDHOC message_3, the EDHOC and then using OSCORE takes three round trips to complete.
CoAP Client has all the information needed to derive the OSCORE
Security Context.
This means that the Client can potentially send at the same time both Section 3 defines an optimization for combining EDHOC with the first
EDHOC message_3 and the subsequent OSCORE Request. On a semantic subsequent OSCORE transaction. This reduces the number of round
level, this approach practically requires to send two separate REST trips required to set up an OSCORE Security Context and to complete
requests at the same time. an OSCORE transaction using that Security Context.
The high level message flow of running EDHOC and OSCORE combined is 3. EDHOC Combined with OSCORE
shown in Figure 2.
Defining the specific details of how to transport the data and of This section defines an optimization for combining the EDHOC exchange
their processing order is the goal of this specification, as defined with the first subsequent OSCORE transaction, thus minimizing the
in Section 4. number of round trips between the two peers.
This approach can be used only if the default EDHOC message flow is
used, i.e., when the Client acts as Initiator and the Server acts as
Responder, while it cannot be used in the case with reversed roles.
When running the purely-sequential flow of Section 2, the Client has
all the information to derive the OSCORE Security Context already
after receiving EDHOC message_2 and before sending EDHOC message_3.
Hence, the Client can potentially send both EDHOC message_3 and the
subsequent OSCORE Request at the same time. On a semantic level,
this requires sending two REST requests at once, as in Figure 2.
CoAP Client CoAP Server CoAP Client CoAP Server
(EDHOC Initiator) (EDHOC Responder)
| ------------- EDHOC message_1 ------------> | | ------------- EDHOC message_1 ------------> |
| Header: POST (Code=0.02) |
| Uri-Path: "/.well-known/edhoc" |
| Content-Format: application/edhoc |
| | | |
| <------------ EDHOC message_2 ------------- | | <------------ EDHOC message_2 ------------- |
| Header: 2.04 Changed |
| Content-Format: application/edhoc |
| | | |
EDHOC verification | EDHOC verification |
+ | + |
OSCORE Sec Ctx | OSCORE Sec Ctx |
Derivation | Derivation |
| | | |
| ---- EDHOC message_3 + OSCORE Request ----> | | ---- EDHOC message_3 + OSCORE Request ----> |
| Header: POST (Code=0.02) |
| | | |
| EDHOC verification | EDHOC verification
| + | +
| OSCORE Sec Ctx | OSCORE Sec Ctx
| Derivation | Derivation
| | | |
| <------------ OSCORE Response ------------- | | <------------ OSCORE Response ------------- |
| Header: 2.04 Changed |
| | | |
Figure 2: EDHOC and OSCORE combined Figure 2: EDHOC and OSCORE combined
3. EDHOC Option To this end, the specific approach defined in this section consists
of sending EDHOC message_3 inside an OSCORE protected CoAP message.
This section defines the EDHOC Option, used in a CoAP request to The resulting EDHOC + OSCORE request is in practice the OSCORE
signal that the request combines EDHOC message_3 and OSCORE protected Request from Figure 1, as still sent to a protected resource and with
data. the correct CoAP method and options, but with the addition that it
also transports EDHOC message_3.
As EDHOC message_3 may be too large to be included in a CoAP Option,
e.g., if containing a large public key certificate chain, it has to
be transported in the CoAP payload of the EDHOC + OSCORE request.
The rest of this section specifies how to transport the data in the
EDHOC + OSCORE request and their processing order. In particular,
the use of this approach is explicitly signalled by including an
EDHOC Option (see Section 3.1) in the EDHOC + OSCORE request. The
processing of the EDHOC + OSCORE request is specified in Section 3.2
for the Client side and in Section 3.3 for the Server side.
3.1. EDHOC Option
This section defines the EDHOC Option. The option is used in a CoAP
request, to signal that the request payload conveys both an EDHOC
message_3 and OSCORE protected data, combined together.
The EDHOC Option has the properties summarized in Figure 3, which The EDHOC Option has the properties summarized in Figure 3, which
extends Table 4 of [RFC7252]. The option is Critical, Safe-to- extends Table 4 of [RFC7252]. The option is Critical, Safe-to-
Forward, and part of the Cache-Key. The option MUST occur at most Forward, and part of the Cache-Key. The option MUST occur at most
once and is always empty. If any value is sent, the value is simply once and is always empty. If any value is sent, the value is simply
ignored. The option is intended only for CoAP requests and is of ignored. The option is intended only for CoAP requests and is of
Class U for OSCORE [RFC8613]. Class U for OSCORE [RFC8613].
+-------+---+---+---+---+-------+--------+--------+---------+ +-------+---+---+---+---+-------+--------+--------+---------+
| No. | C | U | N | R | Name | Format | Length | Default | | No. | C | U | N | R | Name | Format | Length | Default |
+-------+---+---+---+---+-------+--------+--------+---------+ +-------+---+---+---+---+-------+--------+--------+---------+
| TBD13 | x | | | | EDHOC | Empty | 0 | (none) | | TBD21 | x | | | | EDHOC | Empty | 0 | (none) |
+-------+---+---+---+---+-------+--------+--------+---------+ +-------+---+---+---+---+-------+--------+--------+---------+
C=Critical, U=Unsafe, N=NoCacheKey, R=Repeatable C=Critical, U=Unsafe, N=NoCacheKey, R=Repeatable
Figure 3: The EDHOC Option. Figure 3: The EDHOC Option.
The presence of this option means that the message payload contains The presence of this option means that the message payload contains
also EDHOC data, that must be extracted and processed as defined in also EDHOC data, that must be extracted and processed as defined in
Section 4.2, before the rest of the message can be processed. Section 3.3, before the rest of the message can be processed.
Figure 4 shows the format of a CoAP message containing both the EDHOC Figure 4 shows the format of a CoAP message containing both the EDHOC
data and the OSCORE ciphertext, using the newly defined EDHOC option data and the OSCORE ciphertext, using the newly defined EDHOC option
for signalling. for signalling.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Ver| T | TKL | Code | Message ID | |Ver| T | TKL | Code | Message ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Token (if any, TKL bytes) ... | Token (if any, TKL bytes) ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| OSCORE option | EDHOC option | other options (if any) ... | OSCORE option | EDHOC option | Other options (if any) ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|1 1 1 1 1 1 1 1| Payload |1 1 1 1 1 1 1 1| Payload
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 4: CoAP message for EDHOC and OSCORE combined - signalled Figure 4: CoAP message for EDHOC and OSCORE combined - signalled with
with the EDHOC Option the EDHOC Option
4. EDHOC Combined with OSCORE
The approach defined in this specification consists of sending EDHOC
message_3 inside an OSCORE protected CoAP message.
The resulting EDHOC + OSCORE request is in practice the OSCORE
Request from Figure 1, sent to a protected resource and with the
correct CoAP method and options, with the addition that it also
transports EDHOC message_3.
Since EDHOC message_3 may be too large to be included in a CoAP
Option, e.g. if containing a large public key certificate chain, it
has to be transported through the CoAP payload.
The use of this approach is explicitly signalled by including an
EDHOC Option (see Section 3) in the EDHOC + OSCORE request.
4.1. Client Processing 3.2. Client Processing
The Client prepares an EDHOC + OSCORE request as follows. The Client prepares an EDHOC + OSCORE request as follows.
1. Compose EDHOC message_3 as per Section 5.4.2 of 1. Compose EDHOC message_3 as per Section 5.4.2 of
[I-D.ietf-lake-edhoc]. [I-D.ietf-lake-edhoc].
Since the Client is the EDHOC Initiator and the used Correlation Since the Client is the EDHOC Initiator, the EDHOC message_3
Method is 1 (see Section 3.2.4 of [I-D.ietf-lake-edhoc]), the always includes the connection identifier C_R and CIPHERTEXT_3.
EDHOC message_3 always includes the Connection Identifier C_R and Note that C_R is the OSCORE Sender ID of the Client, encoded as
CIPHERTEXT_3. Note that C_R is the OSCORE Sender ID of the per Appendix A.1.
Client, encoded as a bstr_identifier (see Section 5.1 of
[I-D.ietf-lake-edhoc]).
2. Encrypt the original CoAP request as per Section 8.1 of 2. Encrypt the original CoAP request as per Section 8.1 of
[RFC8613], using the new OSCORE Security Context established [RFC8613], using the new OSCORE Security Context established
after receiving EDHOC message_2. after receiving EDHOC message_2.
Note that the OSCORE ciphertext is not computed over EDHOC Note that the OSCORE ciphertext is not computed over EDHOC
message_3, which is not protected by OSCORE. That is, the result message_3, which is not protected by OSCORE. That is, the result
of this step is the OSCORE Request as in Figure 1. of this step is the OSCORE Request as in Figure 1.
3. Build a CBOR sequence [RFC8742] composed of two CBOR byte strings 3. Build a CBOR sequence [RFC8742] composed of two CBOR byte strings
skipping to change at page 7, line 34 skipping to change at page 9, line 6
message_3 resulting from step 3. message_3 resulting from step 3.
* The second CBOR byte string has as value the OSCORE ciphertext * The second CBOR byte string has as value the OSCORE ciphertext
of the OSCORE protected CoAP request resulting from step 2. of the OSCORE protected CoAP request resulting from step 2.
4. Compose the EDHOC + OSCORE request, as the OSCORE protected CoAP 4. Compose the EDHOC + OSCORE request, as the OSCORE protected CoAP
request resulting from step 2, where the payload is replaced with request resulting from step 2, where the payload is replaced with
the CBOR sequence built at step 3. the CBOR sequence built at step 3.
5. Signal the usage of this approach within the EDHOC + OSCORE 5. Signal the usage of this approach within the EDHOC + OSCORE
request, by including the new EDHOC Option defined in Section 3. request, by including the new EDHOC Option defined in
Section 3.1.
4.2. Server Processing 3.3. Server Processing
When receiving an EDHOC + OSCORE request, the Server performs the When receiving a request containing the EDHOC option, i.e., an EDHOC
following steps. + OSCORE request, the Server MUST perform the following steps.
1. Check the presence of the EDHOC option defined in Section 3, to 1. Check that the payload of the EDHOC + OSCORE request is a CBOR
determine that the received request is an EDHOC + OSCORE request. sequence composed of two CBOR byte strings. If this is not the
If this is the case, the Server continues with the steps defined case, the Server MUST stop processing the request and MUST
below. respond with a 4.00 (Bad Request) error message.
2. Extract CIPHERTEXT_3 from the payload of the EDHOC + OSCORE 2. Extract CIPHERTEXT_3 from the payload of the EDHOC + OSCORE
request, as the first CBOR byte string in the CBOR sequence. request, as the first CBOR byte string in the CBOR sequence.
3. Rebuild EDHOC message_3, as a CBOR sequence composed of two CBOR 3. Rebuild EDHOC message_3, as a CBOR sequence composed of two CBOR
byte strings in the following order. byte strings in the following order.
* The first CBOR byte string is the 'kid' of the Client * The first CBOR byte string is the 'kid' of the Client
indicated in the OSCORE option of the EDHOC + OSCORE request, indicated in the OSCORE option of the EDHOC + OSCORE request
encoded as a bstr_identifier (see Section 5.1 of (i.e., the OSCORE Sender ID of the Client), encoded as per
[I-D.ietf-lake-edhoc]). Appendix A.1.
* The second CBOR byte string is the CIPHERTEXT_3 retrieved at * The second CBOR byte string is the CIPHERTEXT_3 retrieved at
step 2. step 2.
4. Perform the EDHOC processing on the EDHOC message_3 rebuilt at 4. Perform the EDHOC processing on the EDHOC message_3 rebuilt at
step 3, including verifications, and the OSCORE Security Context step 3, including verifications as per Section 5.4.3 of
derivation, as per Section 5.4.3 and Section 7.2.1 of [I-D.ietf-lake-edhoc] and the OSCORE Security Context derivation
[I-D.ietf-lake-edhoc], respectively. as per Appendix A.2 of [I-D.ietf-lake-edhoc].
If the applicability statement used in the EDHOC session
specifies that EDHOC message_4 shall be sent, the Server MUST
stop the EDHOC processing and consider it failed, as due to a
client error.
5. Extract the OSCORE ciphertext from the payload of the EDHOC + 5. Extract the OSCORE ciphertext from the payload of the EDHOC +
OSCORE request, as the value of the second CBOR byte string in OSCORE request, as the value of the second CBOR byte string in
the CBOR sequence. the CBOR sequence.
6. Rebuild the OSCORE protected CoAP request as the EDHOC + OSCORE 6. Rebuild the OSCORE protected CoAP request as the EDHOC + OSCORE
request, where the payload is replaced with the OSCORE ciphertext request, where the payload is replaced with the OSCORE ciphertext
resulting from step 5. resulting from step 5.
7. Decrypt and verify the OSCORE protected CoAP request resulting 7. Decrypt and verify the OSCORE protected CoAP request resulting
from step 6, as per Section 8.2 of [RFC8613], by using the new from step 6, as per Section 8.2 of [RFC8613], by using the new
OSCORE Security Context established at step 4. OSCORE Security Context established at step 4.
8. Process the CoAP request resulting from step 7. 8. Process the CoAP request resulting from step 7.
If steps 4 (EDHOC processing) and 7 (OSCORE processing) are both If steps 4 (EDHOC processing) and 7 (OSCORE processing) are both
successfully completed, the Server MUST reply with an OSCORE successfully completed, the Server MUST reply with an OSCORE
protected response, in order for the Client to achieve key protected response, in order for the Client to achieve key
confirmation (see Section 5.4.2 of [I-D.ietf-lake-edhoc]). The usage confirmation (see Section 5.4.2 of [I-D.ietf-lake-edhoc]). The usage
of EDHOC message_4 as defined in Section 7.1 of [I-D.ietf-lake-edhoc] of EDHOC message_4 as defined in Section 5.5 of [I-D.ietf-lake-edhoc]
is not applicable to the approach defined in this specification. is not applicable to the approach defined in this document.
If step 4 (EDHOC processing) fails, the server discontinues the If step 4 (EDHOC processing) fails, the server discontinues the
protocol as per Section 5.4.3 of [I-D.ietf-lake-edhoc] and sends an protocol as per Section 5.4.3 of [I-D.ietf-lake-edhoc] and responds
EDHOC error message, formatted as defined in Section 6.1 of with an EDHOC error message, formatted as defined in Section 6.2 of
[I-D.ietf-lake-edhoc]. In particular, the CoAP response conveying [I-D.ietf-lake-edhoc]. In particular, the CoAP response conveying
the EDHOC error message: the EDHOC error message MUST have Content-Format set to application/
edhoc defined in Section 8.9 of [I-D.ietf-lake-edhoc].
* MUST have Content-Format set to application/edhoc defined in
Section 9.5 of [I-D.ietf-lake-edhoc].
* MUST specify a CoAP error response code, i.e. 4.00 (Bad Request)
in case of client error (e.g. due to a malformed EDHOC message_3),
or 5.00 (Internal Server Error) in case of server error (e.g. due
to failure in deriving EDHOC key material).
If step 4 (EDHOC processing) is successfully completed but step 7 If step 4 (EDHOC processing) is successfully completed but step 7
(OSCORE processing) fails, the same OSCORE error handling applies as (OSCORE processing) fails, the same OSCORE error handling applies as
defined in Section 8.2 of [RFC8613]. defined in Section 8.2 of [RFC8613].
5. Example of EDHOC + OSCORE Request 3.4. Example of EDHOC + OSCORE Request
An example based on the OSCORE test vector from Appendix C.4 of Figure 5 shows an example of EDHOC + OSCORE Request, based on the
[RFC8613] and the EDHOC test vector from Appendix B.2 of OSCORE test vector from Appendix C.4 of [RFC8613] and the EDHOC test
[I-D.ietf-lake-edhoc] is given in Figure 5. In particular, the vector from Appendix D.2 of [I-D.ietf-lake-edhoc]. In particular,
example assumes that: the example assumes that:
* The used OSCORE Partial IV is 0, consistently with the first o The used OSCORE Partial IV is 0, consistently with the first
request protected with the new OSCORE Security Context. request protected with the new OSCORE Security Context.
* The OSCORE Sender ID of the Client is 0x20. This corresponds to o The OSCORE Sender ID of the Client is 0x00. This corresponds to
the EDHOC Connection Identifier C_R, which is encoded as the the numeric EDHOC connection identifier C_R with value 0, which in
bstr_identifier 0x08 in EDHOC message_3. EDHOC message_3 is encoded as the CBOR integer 0, hence as 0x00.
* The EDHOC option is registered with CoAP option number 13. o The EDHOC option is registered with CoAP option number 21.
o OSCORE option value: 0x090020 (3 bytes) o OSCORE option value: 0x090020 (3 bytes)
o EDHOC option value: - (0 bytes) o EDHOC option value: - (0 bytes)
o C_R: 0x20 (1 byte) o C_R: 0x00 (1 byte)
o CIPHERTEXT_3: 0x5253c3991999a5ffb86921e99b607c067770e0 o CIPHERTEXT_3: 0x52d5535f3147e85f1cfacd9e78abf9e0a81bbf
(19 bytes) (19 bytes)
o EDHOC message_3: 0x08 5253c3991999a5ffb86921e99b607c067770e0 o EDHOC message_3: 0x00 52d5535f3147e85f1cfacd9e78abf9e0a81bbf
(20 bytes) (20 bytes)
o OSCORE ciphertext: 0x612f1092f1776f1c1668b3825e (13 bytes) o OSCORE ciphertext: 0x612f1092f1776f1c1668b3825e (13 bytes)
From there: From there:
o Protected CoAP request (OSCORE message): o Protected CoAP request (OSCORE message):
0x44025d1f ; CoAP 4-byte header 0x44025d1f ; CoAP 4-byte header
00003974 ; Token 00003974 ; Token
39 6c6f63616c686f7374 ; Uri-Host Option: "localhost" 39 6c6f63616c686f7374 ; Uri-Host Option: "localhost"
63 090020 ; OSCORE Option 63 090020 ; OSCORE Option
40 ; EDHOC Option C0 ; EDHOC Option
ff 5253c3991999a5ffb86921e99b607c067770e0 ff 52d5535f3147e85f1cfacd9e78abf9e0a81bbf
4d612f1092f1776f1c1668b3825e 4d612f1092f1776f1c1668b3825e
(57 bytes) (57 bytes)
Figure 5: Example of CoAP message with EDHOC and OSCORE combined Figure 5: Example of CoAP message with EDHOC and OSCORE combined
6. Security Considerations 4. Security Considerations
The same security considerations from OSCORE [RFC8613] and EDHOC The same security considerations from OSCORE [RFC8613] and EDHOC
[I-D.ietf-lake-edhoc] hold for this document. [I-D.ietf-lake-edhoc] hold for this document.
TODO (more considerations) TODO (more considerations)
7. IANA Considerations 5. IANA Considerations
RFC Editor: Please replace "[[this document]]" with the RFC number of
this document and delete this paragraph.
This document has the following actions for IANA. This document has the following actions for IANA.
7.1. CoAP Option Numbers Registry 5.1. CoAP Option Numbers Registry
IANA is asked to enter the following option numbers to the "CoAP IANA is asked to enter the following option numbers to the "CoAP
Option Numbers" registry defined in [RFC7252] within the "CoRE Option Numbers" registry defined in [RFC7252] within the "CoRE
Parameters" registry. Parameters" registry.
[ [
The CoAP option numbers 13 and 21 are both consistent with the The CoAP option numbers 13 and 21 are both consistent with the
properties of the EDHOC Option defined in Section 3, and they both properties of the EDHOC Option defined in Section 3.1, and they both
allow the EDHOC Option to always result in an overall size of 1 byte. allow the EDHOC Option to always result in an overall size of 1 byte.
This is because: This is because:
* The EDHOC option is always empty, i.e. with zero-length value; and o The EDHOC option is always empty, i.e., with zero-length value;
and
* Since the OSCORE option with option number 9 is always present in o Since the OSCORE option with option number 9 is always present in
the CoAP request, the EDHOC option would be encoded with a maximum the CoAP request, the EDHOC option would be encoded with a maximum
delta of 4 or 12, depending on its option number being 13 or 21. delta of 4 or 12, depending on its option number being 13 or 21.
At the time of writing, the CoAP option numbers 13 and 21 are both At the time of writing, the CoAP option numbers 13 and 21 are both
unassigned in the "CoAP Option Numbers" registry, as first available unassigned in the "CoAP Option Numbers" registry, as first available
and consistent option numbers for the EDHOC option. and consistent option numbers for the EDHOC option.
This document suggests 21 (TBD21) as option number to be assigned to
the new EDHOC option, since both 13 and 21 are consistent for the use
case in question, but different use cases or protocols may make
better use of the option number 13.
] ]
+--------+-------+-------------------+ +--------+-------+-------------------+
| Number | Name | Reference | | Number | Name | Reference |
+--------+-------+-------------------+ +--------+-------+-------------------+
| TBD13 | EDHOC | [[this document]] | | TBD21 | EDHOC | [[this document]] |
+--------+-------+-------------------+ +--------+-------+-------------------+
8. Normative References 6. Normative References
[I-D.ietf-lake-edhoc] [I-D.ietf-lake-edhoc]
Selander, G., Mattsson, J. P., and F. Palombini, Selander, G., Mattsson, J. P., and F. Palombini,
"Ephemeral Diffie-Hellman Over COSE (EDHOC)", Work in "Ephemeral Diffie-Hellman Over COSE (EDHOC)", draft-ietf-
Progress, Internet-Draft, draft-ietf-lake-edhoc-05, 22 lake-edhoc-06 (work in progress), April 2021.
February 2021, <https://www.ietf.org/archive/id/draft-
ietf-lake-edhoc-05.txt>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
Application Protocol (CoAP)", RFC 7252, Application Protocol (CoAP)", RFC 7252,
DOI 10.17487/RFC7252, June 2014, DOI 10.17487/RFC7252, June 2014,
<https://www.rfc-editor.org/info/rfc7252>. <https://www.rfc-editor.org/info/rfc7252>.
skipping to change at page 11, line 40 skipping to change at page 13, line 23
[RFC8742] Bormann, C., "Concise Binary Object Representation (CBOR) [RFC8742] Bormann, C., "Concise Binary Object Representation (CBOR)
Sequences", RFC 8742, DOI 10.17487/RFC8742, February 2020, Sequences", RFC 8742, DOI 10.17487/RFC8742, February 2020,
<https://www.rfc-editor.org/info/rfc8742>. <https://www.rfc-editor.org/info/rfc8742>.
[RFC8949] Bormann, C. and P. Hoffman, "Concise Binary Object [RFC8949] Bormann, C. and P. Hoffman, "Concise Binary Object
Representation (CBOR)", STD 94, RFC 8949, Representation (CBOR)", STD 94, RFC 8949,
DOI 10.17487/RFC8949, December 2020, DOI 10.17487/RFC8949, December 2020,
<https://www.rfc-editor.org/info/rfc8949>. <https://www.rfc-editor.org/info/rfc8949>.
Appendix A. Additional OSCORE/EDHOC-related Processing
Appendix A.1 in [I-D.ietf-lake-edhoc] defines a rule for converting
from EDHOC connection identifier to OSCORE Sender/Recipient ID.
This appendix defines the rule for converting from OSCORE Sender/
Recipient ID to EDHOC connection identifier, and related processing.
A.1. From OSCORE to EDHOC Identifier
The process defined in this section ensures that every OSCORE Sender/
Recipient ID is converted to only one of the two corresponding,
equivalent EDHOC connection identifiers, see Appendix A.1 in
[I-D.ietf-lake-edhoc].
An OSCORE Sender/Recipient ID, OSCORE_ID, is converted to an EDHOC
connection identifier, EDHOC_ID, as follows.
o If OSCORE_ID is 0 bytes in size, it is converted to the empty byte
string EDHOC_ID (0x40 in CBOR encoding).
o If OSCORE_ID is longer than 5 bytes in size, it is converted to a
byte-valued EDHOC_ID, i.e., a CBOR byte string with value
OSCORE_ID.
For example, the OSCORE_ID 0x001122334455 is converted to the
byte-valued EDHOC_ID 0x001122334455 (0x46001122334455 in CBOR
encoding).
o If OSCORE_ID is 1-5 bytes in size, the following applies.
* If OSCORE_ID is a valid CBOR encoding for an integer value
(i.e., it can be correctly decoded as a CBOR integer), then it
is converted to a numeric EDHOC_ID having OSCORE_ID as its CBOR
encoded form.
For example, the OSCORE_ID 0x01 is converted to the numeric
EDHOC_ID 1 (0x01 in CBOR encoding), while the OSCORE_ID 0x2B is
converted to the numeric EDHOC_ID -12 (0x2B in CBOR encoding).
* If OSCORE_ID is _not_ a valid CBOR encoding for an integer
value (i.e., it _cannot_ be correctly decoded as a CBOR
integer), then it is converted to a byte-valued EDHOC_ID having
OSCORE_ID as its value.
For example, the OSCORE_ID 0xFF is converted to the byte-valued
EDHOC_ID 0xFF (0x41FF in CBOR encoding).
Implementations can easily determine which case holds for a given
OSCORE_ID with no need to try to actually CBOR-decode it, e.g., by
using the approach in Appendix A.3.
A.2. EDHOC Message Processing
This section specifies additional EDHOC message processing in
addition to what is specified in Section 5 of [I-D.ietf-lake-edhoc].
A.2.1. Initiator Processing of Message 1
The Initiator selects C_I as follows.
1. The Initiator initializes a set ID_SET as the empty set.
2. The Initiator selects an available OSCORE Recipient ID, ID*,
which is not included in ID_SET.
3. The Initiator converts ID* to the EDHOC connection identifier
C_I, as per Appendix A.1.
4. If the resulting C_I is already used, the Initiator adds ID* to
ID_SET and moves back to step 2. Otherwise, it uses C_I as its
EDHOC connection identifier.
A.2.2. Responder Processing of Message 1
The Responder MUST discontinue the protocol and reply with an EDHOC
error message, if C_I is a CBOR byte string and it has as value a
valid CBOR encoding of an integer value (e.g., C_I is CBOR encoded as
0x4100).
In fact, this would mean that the Initiator has not followed the
conversion rule in Appendix A.1 when converting its (to be) OSCORE
Recipient ID to C_I.
A.2.3. Responder Processing of Message 2
The Responder selects C_R as follows.
1. The Responder initializes a set ID_SET as the empty set.
2. The Responder selects an available OSCORE Recipient ID, ID*,
which is not included in ID_SET.
3. The Responder converts ID* to the EDHOC connection identifier
C_R, as per Appendix A.1.
4. If the resulting C_R is already used or it is equal byte-by-byte
to the C_I specified in EDHOC message_1, the Initiator adds ID*
to ID_SET and moves back to step 2. Otherwise, it uses C_R as
its EDHOC connection identifier.
A.2.4. Initiator Processing of Message 2
The Initiator MUST discontinue the protocol and reply with an EDHOC
error message, if any of the following conditions holds.
o C_R is equal byte-by-byte to the C_I that was specified in EDHOC
message_1.
o C_R is a CBOR byte string and it has as value a valid CBOR
encoding of an integer value (e.g., C_R is CBOR encoded as
0x4100).
In fact, this would mean that the Responder has not followed the
conversion rule in Appendix A.1 when converting its (to be) OSCORE
Recipient ID to C_R.
A.3. Checking CBOR Encoding of Numeric Values
Given a binary string of N bytes in size, it is a valid CBOR encoding
of an integer value if and only if, for that size N, its first byte
is equal to one of the byte values specified in the "First byte"
column of the table below.
+---+-----------------------+
| N | First byte |
+---+-----------------------+
| 1 | 0x00-0x17 , 0x20-0x37 |
+---+-----------------------+
| 2 | 0x18 , 0x38 |
+---+-----------------------+
| 3 | 0x19 , 0x39 |
+---+-----------------------+
| 4 | 0x1A , 0x3A |
+---+-----------------------+
| 5 | 0x1B , 0x3B |
+---+-----------------------+
Appendix B. Document Updates
RFC Editor: Please remove this section.
B.1. Version -00 to -01
o Improved background overview of EDHOC.
o Added explicit rules for converting OSCORE Sender/Recipient IDs to
EDHOC connection identifiers following the removal of
bstr_identifier from EDHOC.
o Revised section organization.
o Recommended number for EDHOC option changed to 21.
o Editorial improvements.
Acknowledgments Acknowledgments
The authors sincerely thank Christian Amsuess, Klaus Hartke, Jim The authors sincerely thank Christian Amsuess, Klaus Hartke, Jim
Schaad and Malisa Vucinic for their feedback and comments in the Schaad and Malisa Vucinic for their feedback and comments in the
discussion leading up to this draft. discussion leading up to this draft.
The work on this document has been partly supported by VINNOVA and The work on this document has been partly supported by VINNOVA and
the Celtic-Next project CRITISEC; and by the H2020 project SIFIS-Home the Celtic-Next project CRITISEC; and by the H2020 project SIFIS-Home
(Grant agreement 952652). (Grant agreement 952652).
skipping to change at page 12, line 4 skipping to change at page 16, line 48
The authors sincerely thank Christian Amsuess, Klaus Hartke, Jim The authors sincerely thank Christian Amsuess, Klaus Hartke, Jim
Schaad and Malisa Vucinic for their feedback and comments in the Schaad and Malisa Vucinic for their feedback and comments in the
discussion leading up to this draft. discussion leading up to this draft.
The work on this document has been partly supported by VINNOVA and The work on this document has been partly supported by VINNOVA and
the Celtic-Next project CRITISEC; and by the H2020 project SIFIS-Home the Celtic-Next project CRITISEC; and by the H2020 project SIFIS-Home
(Grant agreement 952652). (Grant agreement 952652).
Authors' Addresses Authors' Addresses
Francesca Palombini Francesca Palombini
Ericsson Ericsson
Email: francesca.palombini@ericsson.com Email: francesca.palombini@ericsson.com
Marco Tiloca Marco Tiloca
RISE AB RISE AB
Isafjordsgatan 22 Isafjordsgatan 22
SE-16440 Stockholm Kista Kista SE-16440 Stockholm
Sweden Sweden
Email: marco.tiloca@ri.se Email: marco.tiloca@ri.se
Rikard Hoeglund Rikard Hoeglund
RISE AB RISE AB
Isafjordsgatan 22 Isafjordsgatan 22
SE-16440 Stockholm Kista Kista SE-16440 Stockholm
Sweden Sweden
Email: rikard.hoglund@ri.se Email: rikard.hoglund@ri.se
Stefan Hristozov Stefan Hristozov
Fraunhofer AISEC Fraunhofer AISEC
Email: stefan.hristozov@aisec.fraunhofer.de Email: stefan.hristozov@aisec.fraunhofer.de
Goeran Selander Goeran Selander
 End of changes. 72 change blocks. 
159 lines changed or deleted 375 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/