draft-ietf-core-oscore-groupcomm-07.txt   draft-ietf-core-oscore-groupcomm-08.txt 
CoRE Working Group M. Tiloca CoRE Working Group M. Tiloca
Internet-Draft RISE AB Internet-Draft RISE AB
Intended status: Standards Track G. Selander Intended status: Standards Track G. Selander
Expires: September 10, 2020 F. Palombini Expires: October 8, 2020 F. Palombini
Ericsson AB Ericsson AB
J. Park J. Park
Universitaet Duisburg-Essen Universitaet Duisburg-Essen
March 09, 2020 April 06, 2020
Group OSCORE - Secure Group Communication for CoAP Group OSCORE - Secure Group Communication for CoAP
draft-ietf-core-oscore-groupcomm-07 draft-ietf-core-oscore-groupcomm-08
Abstract Abstract
This document defines Group Object Security for Constrained RESTful This document defines Group Object Security for Constrained RESTful
Environments (Group OSCORE), providing end-to-end security of CoAP Environments (Group OSCORE), providing end-to-end security of CoAP
messages exchanged between members of a group, e.g. using IP messages exchanged between members of a group, e.g. using IP
multicast. In particular, the described approach defines how OSCORE multicast. In particular, the described approach defines how OSCORE
should be used in a group communication setting to provide source should be used in a group communication setting to provide source
authentication for CoAP group requests, sent by a client to multiple authentication for CoAP group requests, sent by a client to multiple
servers, and the corresponding CoAP responses. servers, and the corresponding CoAP responses.
skipping to change at page 1, line 40 skipping to change at page 1, line 40
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 10, 2020. This Internet-Draft will expire on October 8, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5
2. Security Context . . . . . . . . . . . . . . . . . . . . . . 6 2. Security Context . . . . . . . . . . . . . . . . . . . . . . 7
2.1. Common Context . . . . . . . . . . . . . . . . . . . . . 7 2.1. Common Context . . . . . . . . . . . . . . . . . . . . . 7
2.2. Sender Context and Recipient Context . . . . . . . . . . 8 2.2. Sender Context and Recipient Context . . . . . . . . . . 8
2.3. The Group Manager . . . . . . . . . . . . . . . . . . . . 9 2.3. The Group Manager . . . . . . . . . . . . . . . . . . . . 9
2.4. Management of Group Keying Material . . . . . . . . . . . 9 2.4. Management of Group Keying Material . . . . . . . . . . . 10
2.5. Wrap-Around of Partial IVs . . . . . . . . . . . . . . . 10 2.5. Exhaustion of Partial IV Values . . . . . . . . . . . . . 11
3. Pairwise Keys . . . . . . . . . . . . . . . . . . . . . . . . 11 3. Pairwise Keys . . . . . . . . . . . . . . . . . . . . . . . . 12
3.1. Note on Implementation . . . . . . . . . . . . . . . . . 12 3.1. Key Derivation . . . . . . . . . . . . . . . . . . . . . 12
4. The COSE Object . . . . . . . . . . . . . . . . . . . . . . . 12 3.2. Usage of Sequence Numbers . . . . . . . . . . . . . . . . 13
4.1. Counter Signature . . . . . . . . . . . . . . . . . . . . 12 3.3. Note on Implementation . . . . . . . . . . . . . . . . . 13
4.2. The 'kid' and 'kid context' parameters . . . . . . . . . 13 4. The COSE Object . . . . . . . . . . . . . . . . . . . . . . . 14
4.3. external_aad . . . . . . . . . . . . . . . . . . . . . . 13 4.1. Counter Signature . . . . . . . . . . . . . . . . . . . . 14
4.3.1. external_aad for Encryption . . . . . . . . . . . . . 13 4.2. The 'kid' and 'kid context' parameters . . . . . . . . . 14
4.3.2. external_aad for Signing . . . . . . . . . . . . . . 14 4.3. external_aad . . . . . . . . . . . . . . . . . . . . . . 15
5. OSCORE Header Compression . . . . . . . . . . . . . . . . . . 15 4.3.1. external_aad for Encryption . . . . . . . . . . . . . 15
5.1. Examples of Compressed COSE Objects . . . . . . . . . . . 15 4.3.2. external_aad for Signing . . . . . . . . . . . . . . 16
5. OSCORE Header Compression . . . . . . . . . . . . . . . . . . 17
5.1. Examples of Compressed COSE Objects . . . . . . . . . . . 17
6. Message Binding, Sequence Numbers, Freshness and Replay 6. Message Binding, Sequence Numbers, Freshness and Replay
Protection . . . . . . . . . . . . . . . . . . . . . . . . . 17 Protection . . . . . . . . . . . . . . . . . . . . . . . . . 19
6.1. Synchronization of Sender Sequence Numbers . . . . . . . 17 6.1. Synchronization of Sender Sequence Numbers . . . . . . . 19
7. Message Processing . . . . . . . . . . . . . . . . . . . . . 17 7. Message Processing . . . . . . . . . . . . . . . . . . . . . 19
7.1. Protecting the Request . . . . . . . . . . . . . . . . . 18 7.1. Protecting the Request . . . . . . . . . . . . . . . . . 20
7.1.1. Supporting Observe . . . . . . . . . . . . . . . . . 18 7.1.1. Supporting Observe . . . . . . . . . . . . . . . . . 21
7.2. Verifying the Request . . . . . . . . . . . . . . . . . . 18 7.2. Verifying the Request . . . . . . . . . . . . . . . . . . 21
7.2.1. Supporting Observe . . . . . . . . . . . . . . . . . 19 7.2.1. Supporting Observe . . . . . . . . . . . . . . . . . 22
7.3. Protecting the Response . . . . . . . . . . . . . . . . . 20 7.3. Protecting the Response . . . . . . . . . . . . . . . . . 22
7.3.1. Supporting Observe . . . . . . . . . . . . . . . . . 20 7.3.1. Supporting Observe . . . . . . . . . . . . . . . . . 23
7.4. Verifying the Response . . . . . . . . . . . . . . . . . 21 7.4. Verifying the Response . . . . . . . . . . . . . . . . . 23
7.4.1. Supporting Observe . . . . . . . . . . . . . . . . . 22 7.4.1. Supporting Observe . . . . . . . . . . . . . . . . . 24
8. Responsibilities of the Group Manager . . . . . . . . . . . . 22 8. Responsibilities of the Group Manager . . . . . . . . . . . . 24
9. Optimized Mode . . . . . . . . . . . . . . . . . . . . . . . 23 9. Optimized Mode . . . . . . . . . . . . . . . . . . . . . . . 25
9.1. Optimized Request . . . . . . . . . . . . . . . . . . . . 23 9.1. Optimized Request . . . . . . . . . . . . . . . . . . . . 25
9.1.1. Optimized Compressed Request . . . . . . . . . . . . 23 9.1.1. Optimized Compressed Request . . . . . . . . . . . . 25
9.2. Optimized Response . . . . . . . . . . . . . . . . . . . 23 9.2. Optimized Response . . . . . . . . . . . . . . . . . . . 26
9.2.1. Optimized Compressed Response . . . . . . . . . . . . 24 9.2.1. Optimized Compressed Response . . . . . . . . . . . . 26
10. Security Considerations . . . . . . . . . . . . . . . . . . . 24 10. Security Considerations . . . . . . . . . . . . . . . . . . . 26
10.1. Group-level Security . . . . . . . . . . . . . . . . . . 25 10.1. Group-level Security . . . . . . . . . . . . . . . . . . 27
10.2. Uniqueness of (key, nonce) . . . . . . . . . . . . . . . 25 10.2. Uniqueness of (key, nonce) . . . . . . . . . . . . . . . 28
10.3. Management of Group Keying Material . . . . . . . . . . 26 10.3. Management of Group Keying Material . . . . . . . . . . 28
10.4. Update of Security Context and Key Rotation . . . . . . 26 10.4. Update of Security Context and Key Rotation . . . . . . 29
10.4.1. Late Update on the Sender . . . . . . . . . . . . . 27 10.4.1. Late Update on the Sender . . . . . . . . . . . . . 29
10.4.2. Late Update on the Recipient . . . . . . . . . . . . 27 10.4.2. Late Update on the Recipient . . . . . . . . . . . . 30
10.5. Collision of Group Identifiers . . . . . . . . . . . . . 28 10.5. Collision of Group Identifiers . . . . . . . . . . . . . 30
10.6. Cross-group Message Injection . . . . . . . . . . . . . 28 10.6. Cross-group Message Injection . . . . . . . . . . . . . 30
10.7. Group OSCORE for Unicast Requests . . . . . . . . . . . 29 10.7. Group OSCORE for Unicast Requests . . . . . . . . . . . 32
10.8. End-to-end Protection . . . . . . . . . . . . . . . . . 30 10.8. End-to-end Protection . . . . . . . . . . . . . . . . . 33
10.9. Security Context Establishment . . . . . . . . . . . . . 31 10.9. Security Context Establishment . . . . . . . . . . . . . 33
10.10. Master Secret . . . . . . . . . . . . . . . . . . . . . 31 10.10. Master Secret . . . . . . . . . . . . . . . . . . . . . 34
10.11. Replay Protection . . . . . . . . . . . . . . . . . . . 31 10.11. Replay Protection . . . . . . . . . . . . . . . . . . . 34
10.12. Client Aliveness . . . . . . . . . . . . . . . . . . . . 32 10.12. Client Aliveness . . . . . . . . . . . . . . . . . . . . 35
10.13. Cryptographic Considerations . . . . . . . . . . . . . . 32 10.13. Cryptographic Considerations . . . . . . . . . . . . . . 35
10.14. Message Segmentation . . . . . . . . . . . . . . . . . . 33 10.14. Message Segmentation . . . . . . . . . . . . . . . . . . 36
10.15. Privacy Considerations . . . . . . . . . . . . . . . . . 33 10.15. Privacy Considerations . . . . . . . . . . . . . . . . . 36
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 37
11.1. Counter Signature Parameters Registry . . . . . . . . . 34 11.1. Counter Signature Parameters Registry . . . . . . . . . 37
11.2. Counter Signature Key Parameters Registry . . . . . . . 36 11.2. Counter Signature Key Parameters Registry . . . . . . . 40
11.3. OSCORE Flag Bits Registry . . . . . . . . . . . . . . . 38 11.3. OSCORE Flag Bits Registry . . . . . . . . . . . . . . . 42
11.4. Expert Review Instructions . . . . . . . . . . . . . . . 38 11.4. Expert Review Instructions . . . . . . . . . . . . . . . 42
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 39 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 43
12.1. Normative References . . . . . . . . . . . . . . . . . . 39 12.1. Normative References . . . . . . . . . . . . . . . . . . 43
12.2. Informative References . . . . . . . . . . . . . . . . . 40 12.2. Informative References . . . . . . . . . . . . . . . . . 44
Appendix A. Assumptions and Security Objectives . . . . . . . . 42 Appendix A. Assumptions and Security Objectives . . . . . . . . 46
A.1. Assumptions . . . . . . . . . . . . . . . . . . . . . . . 42 A.1. Assumptions . . . . . . . . . . . . . . . . . . . . . . . 47
A.2. Security Objectives . . . . . . . . . . . . . . . . . . . 44 A.2. Security Objectives . . . . . . . . . . . . . . . . . . . 48
Appendix B. List of Use Cases . . . . . . . . . . . . . . . . . 45 Appendix B. List of Use Cases . . . . . . . . . . . . . . . . . 49
Appendix C. Example of Group Identifier Format . . . . . . . . . 47 Appendix C. Example of Group Identifier Format . . . . . . . . . 51
Appendix D. Set-up of New Endpoints . . . . . . . . . . . . . . 48 Appendix D. Set-up of New Endpoints . . . . . . . . . . . . . . 52
Appendix E. Examples of Synchronization Approaches . . . . . . . 49 Appendix E. Examples of Synchronization Approaches . . . . . . . 53
E.1. Best-Effort Synchronization . . . . . . . . . . . . . . . 49 E.1. Best-Effort Synchronization . . . . . . . . . . . . . . . 53
E.2. Baseline Synchronization . . . . . . . . . . . . . . . . 49 E.2. Baseline Synchronization . . . . . . . . . . . . . . . . 53
E.3. Challenge-Response Synchronization . . . . . . . . . . . 49 E.3. Challenge-Response Synchronization . . . . . . . . . . . 54
Appendix F. No Verification of Signatures . . . . . . . . . . . 51 Appendix F. No Verification of Signatures . . . . . . . . . . . 56
Appendix G. Pairwise Mode . . . . . . . . . . . . . . . . . . . 52 Appendix G. Pairwise Mode . . . . . . . . . . . . . . . . . . . 57
G.1. Pre-Requirements . . . . . . . . . . . . . . . . . . . . 52 G.1. Pre-Requirements . . . . . . . . . . . . . . . . . . . . 57
G.2. Pairwise Protected Request . . . . . . . . . . . . . . . 53 G.2. Pairwise Protected Request . . . . . . . . . . . . . . . 57
G.3. Pairwise Protected Response . . . . . . . . . . . . . . . 54 G.3. Pairwise Protected Response . . . . . . . . . . . . . . . 58
Appendix H. Document Updates . . . . . . . . . . . . . . . . . . 54 Appendix H. Document Updates . . . . . . . . . . . . . . . . . . 58
H.1. Version -06 to -07 . . . . . . . . . . . . . . . . . . . 54 H.1. Version -07 to -08 . . . . . . . . . . . . . . . . . . . 58
H.2. Version -05 to -06 . . . . . . . . . . . . . . . . . . . 55 H.2. Version -06 to -07 . . . . . . . . . . . . . . . . . . . 60
H.3. Version -04 to -05 . . . . . . . . . . . . . . . . . . . 55 H.3. Version -05 to -06 . . . . . . . . . . . . . . . . . . . 60
H.4. Version -03 to -04 . . . . . . . . . . . . . . . . . . . 56 H.4. Version -04 to -05 . . . . . . . . . . . . . . . . . . . 61
H.5. Version -02 to -03 . . . . . . . . . . . . . . . . . . . 57 H.5. Version -03 to -04 . . . . . . . . . . . . . . . . . . . 61
H.6. Version -01 to -02 . . . . . . . . . . . . . . . . . . . 57 H.6. Version -02 to -03 . . . . . . . . . . . . . . . . . . . 62
H.7. Version -00 to -01 . . . . . . . . . . . . . . . . . . . 58 H.7. Version -01 to -02 . . . . . . . . . . . . . . . . . . . 63
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 59 H.8. Version -00 to -01 . . . . . . . . . . . . . . . . . . . 64
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 59 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 64
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 65
1. Introduction 1. Introduction
The Constrained Application Protocol (CoAP) [RFC7252] is a web The Constrained Application Protocol (CoAP) [RFC7252] is a web
transfer protocol specifically designed for constrained devices and transfer protocol specifically designed for constrained devices and
networks [RFC7228]. Group communication for CoAP networks [RFC7228]. Group communication for CoAP
[I-D.dijk-core-groupcomm-bis] addresses use cases where deployed [I-D.ietf-core-groupcomm-bis] addresses use cases where deployed
devices benefit from a group communication model, for example to devices benefit from a group communication model, for example to
reduce latencies, improve performance and reduce bandwidth reduce latencies, improve performance and reduce bandwidth
utilization. Use cases include lighting control, integrated building utilization. Use cases include lighting control, integrated building
control, software and firmware updates, parameter and configuration control, software and firmware updates, parameter and configuration
updates, commissioning of constrained networks, and emergency updates, commissioning of constrained networks, and emergency
multicast (see Appendix B). This specification defines the security multicast (see Appendix B). This specification defines the security
protocol for Group communication for CoAP protocol for Group communication for CoAP
[I-D.dijk-core-groupcomm-bis]. [I-D.ietf-core-groupcomm-bis].
Object Security for Constrained RESTful Environments (OSCORE) Object Security for Constrained RESTful Environments (OSCORE)
[RFC8613] describes a security protocol based on the exchange of [RFC8613] describes a security protocol based on the exchange of
protected CoAP messages. OSCORE builds on CBOR Object Signing and protected CoAP messages. OSCORE builds on CBOR Object Signing and
Encryption (COSE) [RFC8152] and provides end-to-end encryption, Encryption (COSE) [RFC8152] and provides end-to-end encryption,
integrity, replay protection and binding of response to request integrity, replay protection and binding of response to request
between a sender and a recipient, independent of transport also in between a sender and a recipient, independent of transport also in
the presence of intermediaries. To this end, a CoAP message is the presence of intermediaries. To this end, a CoAP message is
protected by including its payload (if any), certain options, and protected by including its payload (if any), certain options, and
header fields in a COSE object, which replaces the authenticated and header fields in a COSE object, which replaces the authenticated and
encrypted fields in the protected message. encrypted fields in the protected message.
This document defines Group OSCORE, providing the same end-to-end This document defines Group OSCORE, providing the same end-to-end
security properties as OSCORE in the case where CoAP requests have security properties as OSCORE in the case where CoAP requests have
multiple recipients. In particular, the described approach defines multiple recipients. In particular, the described approach defines
how OSCORE should be used in a group communication setting to provide how OSCORE should be used in a group communication setting to provide
source authentication for CoAP group requests, sent by a client to source authentication for CoAP group requests, sent by a client to
multiple servers, and the corresponding CoAP responses. multiple servers, and the corresponding CoAP responses.
Group OSCORE provides source authentication of CoAP requests by means Group OSCORE provides source authentication of CoAP messages, by
of digital signatures produced with the private key of the client and means of two possible methods. The first method relies on a digital
embedded in the protected CoAP messages. CoAP responses from the signature produced with the private key of the sender and embedded in
server may be digitally signed by the private key of the server or the protected CoAP message. The second method relies on a symmetric
integrity protected with a symmetric key derived from a pairwise key, which is derived from a pairwise shared secred computed from the
security context derived from client and server asymmetric keys. asymmetric keys of the message sender and recipient.
The second method is intended for one-to-one messages sent in the
group. These include all responses, as individually sent by servers,
as well as requests addressed to an individual server. For instance,
such requests are sent as part of an exchange using the CoAP Echo
option [I-D.ietf-core-echo-request-tag], or as part of a block-wise
transfer [RFC7959] in the group, after the first block-wise request
possibly targeting all servers in the group and including the CoAP
Block2 option (see Section 2.3.6 of [I-D.ietf-core-groupcomm-bis]).
Just like OSCORE, Group OSCORE is independent of transport layer and Just like OSCORE, Group OSCORE is independent of transport layer and
works wherever CoAP does. Group communication for CoAP works wherever CoAP does. Group communication for CoAP
[I-D.dijk-core-groupcomm-bis] uses UDP/IP multicast as the underlying [I-D.ietf-core-groupcomm-bis] uses UDP/IP multicast as the underlying
data transport. data transport.
As with OSCORE, it is possible to combine Group OSCORE with As with OSCORE, it is possible to combine Group OSCORE with
communication security on other layers. One example is the use of communication security on other layers. One example is the use of
transport layer security, such as DTLS [RFC6347], between one client transport layer security, such as DTLS [RFC6347], between one client
and one proxy (and vice versa), or between one proxy and one server and one proxy (and vice versa), or between one proxy and one server
(and vice versa), in order to protect the routing information of (and vice versa), in order to protect the routing information of
packets from observers. Note that DTLS cannot be used to secure packets from observers. Note that DTLS cannot be used to secure
messages sent over IP multicast. messages sent over IP multicast.
Group OSCORE defines different modes of operation: Group OSCORE defines different modes of operation:
o In the signature mode, Group OSCORE requests and responses are o In the signature mode, Group OSCORE requests and responses are
digitally signed. The signature mode supports all COSE algorithms digitally signed. The signature mode supports all COSE algorithms
as well as signature verification by intermediaries. as well as signature verification by intermediaries.
o The pairwise mode allows two group members to exchange (unicast) o The pairwise mode allows two group members to exchange unicast
OSCORE requests and responses protected with symmetric keys. OSCORE requests and responses protected with symmetric keys.
These symmetric keys are derived from Diffie-Hellman shared These symmetric keys are derived from Diffie-Hellman shared
secrets, calculated with the asymmetric keys of the two group secrets, calculated with the asymmetric keys of the two group
members. This allows for shorter integrity tags and therefore members. This allows for shorter integrity tags and therefore
lower message overhead. lower message overhead.
o In the (hybrid) optimized mode, the CoAP requests are digitally o In the (hybrid) optimized mode, the CoAP requests are digitally
signed as in the signature mode, and the CoAP responses are signed as in the signature mode, and the CoAP responses are
integrity protected with the symmetric key of the pairwise mode. integrity protected with the symmetric key of the pairwise mode.
skipping to change at page 5, line 41 skipping to change at page 6, line 8
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
Readers are expected to be familiar with the terms and concepts Readers are expected to be familiar with the terms and concepts
described in CoAP [RFC7252] including "endpoint", "client", "server", described in CoAP [RFC7252] including "endpoint", "client", "server",
"sender" and "recipient"; group communication for CoAP "sender" and "recipient"; group communication for CoAP
[I-D.dijk-core-groupcomm-bis]; COSE and counter signatures [RFC8152]. [I-D.ietf-core-groupcomm-bis]; COSE and counter signatures [RFC8152].
Readers are also expected to be familiar with the terms and concepts Readers are also expected to be familiar with the terms and concepts
for protection and processing of CoAP messages through OSCORE, such for protection and processing of CoAP messages through OSCORE, such
as "Security Context" and "Master Secret", defined in [RFC8613]. as "Security Context" and "Master Secret", defined in [RFC8613].
Terminology for constrained environments, such as "constrained Terminology for constrained environments, such as "constrained
device", "constrained-node network", is defined in [RFC7228]. device", "constrained-node network", is defined in [RFC7228].
This document refers also to the following terminology. This document refers also to the following terminology.
skipping to change at page 6, line 22 skipping to change at page 6, line 36
refers thus to a "security group", not to be confused with refers thus to a "security group", not to be confused with
CoAP/network/multicast group or application group. CoAP/network/multicast group or application group.
o Group Manager: entity responsible for a group. Each endpoint in a o Group Manager: entity responsible for a group. Each endpoint in a
group communicates securely with the respective Group Manager, group communicates securely with the respective Group Manager,
which is neither required to be an actual group member nor to take which is neither required to be an actual group member nor to take
part in the group communication. The full list of part in the group communication. The full list of
responsibilities of the Group Manager is provided in Section 8. responsibilities of the Group Manager is provided in Section 8.
o Silent server: member of a group that never responds to requests. o Silent server: member of a group that never responds to requests.
Note that an endpoint can implement both a silent server and a Given that, for CoAP group communications, messages are normally
client, the two roles are independent. sent without requesting a confirmation, the idea of a server
silently acting on a message is not unreasonable. Note that an
endpoint can implement both a silent server and a client, the two
roles are independent. An endpoint implementing only a silent
server processes only incoming requests, and, in case it supports
only the signature mode, it maintains less keying material and
especially does not have a Sender Context for the group.
o Group Identifier (Gid): identifier assigned to the group. Group o Group Identifier (Gid): identifier assigned to the group. Group
Identifiers must be unique within the set of groups of a given Identifiers must be unique within the set of groups of a given
Group Manager. Group Manager.
o Group request: CoAP request message sent by a client in the group o Group request: CoAP request message sent by a client in the group
to all servers in that group. to all servers in that group.
o Source authentication: evidence that a received message in the o Source authentication: evidence that a received message in the
group originated from a specific identified group member. This group originated from a specific identified group member. This
skipping to change at page 7, line 6 skipping to change at page 7, line 27
o One Common Context, shared by all the endpoints in the group. o One Common Context, shared by all the endpoints in the group.
Three new parameters are included in the Common Context: Counter Three new parameters are included in the Common Context: Counter
Signature Algorithm, Counter Signature Parameters and Counter Signature Algorithm, Counter Signature Parameters and Counter
Signature Key Parameters. Signature Key Parameters.
o One Sender Context, extended with the endpoint's private key. The o One Sender Context, extended with the endpoint's private key. The
Sender Context is omitted if the endpoint is configured Sender Context is omitted if the endpoint is configured
exclusively as silent server. exclusively as silent server.
o One Recipient Context for each endpoint from which messages are o One Recipient Context for each endpoint from which messages are
received. The Recipient Context is extended with the public key received. No Recipient Contexts are maintained as associated to
of the associated endpoint. endpoints from which messages are not (expected to be) received.
The Recipient Context is extended with the public key of the
associated endpoint.
+---------------------------+----------------------------------+ +---------------------------+----------------------------------+
| Context Component | New Information Elements | | Context Component | New Information Elements |
+---------------------------+----------------------------------+ +---------------------------+----------------------------------+
| | Counter Signature Algorithm | | | Counter Signature Algorithm |
| Common Context | Counter Signature Parameters | | Common Context | Counter Signature Parameters |
| | Counter Signature Key Parameters | | | Counter Signature Key Parameters |
+---------------------------+----------------------------------+ +---------------------------+----------------------------------+
| Sender Context | Endpoint's own private key | | Sender Context | Endpoint's own private key |
+---------------------------+----------------------------------+ +---------------------------+----------------------------------+
skipping to change at page 8, line 47 skipping to change at page 9, line 23
a message is received from this particular endpoint in the group (see a message is received from this particular endpoint in the group (see
Section 7.2 and Section 7.4). The received message together with the Section 7.2 and Section 7.4). The received message together with the
Common Context contains the necessary information to derive a Common Context contains the necessary information to derive a
security context for verifying a message, except for the public key security context for verifying a message, except for the public key
of the associated endpoint. of the associated endpoint.
For severely constrained devices, it may be not feasible to For severely constrained devices, it may be not feasible to
simultaneously handle the ongoing processing of a recently received simultaneously handle the ongoing processing of a recently received
message in parallel with the retrieval of the associated endpoint's message in parallel with the retrieval of the associated endpoint's
public key. Such devices can be configured to drop a received public key. Such devices can be configured to drop a received
message for which there is no Recipient Context, and instead retrieve message for which there is no Recipient Context, and retrieve the
the public key in order to have it available to verify subsequent public key in order to have it available to verify subsequent
messages from that endpoint. messages from that endpoint.
Note that each Recipient Context includes a Replay Window, unless the
recipient acts only as client and hence processes only responses as
incoming messages.
2.3. The Group Manager 2.3. The Group Manager
Endpoints communicating with Group OSCORE need, in addition to the Endpoints communicating with Group OSCORE need, in addition to the
OSCORE input parameters, also to be provisioned with information OSCORE input parameters, also to be provisioned with information
about the group(s) and other endpoints in the group(s). about the group(s) and other endpoints in the group(s).
The Group Manager is an entity responsible for the group, including The Group Manager is an entity responsible for the group, including
the Group Identifier (Gid), as well as Sender ID and Recipient ID of the Group Identifier (Gid) used as ID Context, as well as the Sender
the group members (see Section 8). The Group Manager records the ID and Recipient ID of the group members (see Section 8).
public keys of endpoints joining the group and provides information
The Group Manager is exclusively in control of the Gid values
uniquely assigned to the different groups under its control, as well
as of the Sender ID and Recipient ID values uniquely assigned to the
members of each of those groups. According to a hierarchical
approach, the Gid value assigned to a group is associated to a
dedicated space for the values of Sender ID and Recipient ID of the
members of that group. In addition, the Group Manager records the
public keys of endpoints joining a group, and provides information
about the group and its members to other members. about the group and its members to other members.
An endpoint receives the Group Identifier and OSCORE input An endpoint receives the Group Identifier and OSCORE input
parameters, including its own Sender ID, from the Group Manager upon parameters, including its own Sender ID, from the Group Manager upon
joining the group. That Sender ID is valid only within that group, joining the group. That Sender ID is valid only within that group,
and is unique within the group. Endpoints which are configured only and is unique within the group. Endpoints which are configured only
as silent servers do not have a Sender ID. as silent servers do not have a Sender ID.
A group member can retrieve public keys and other information A group member can retrieve from the Group Manager the public key and
associated to another group member from the Group Manager, from which other information associated to another group member, with which it
it can generate the Recipient Context. An application can configure can generate the corresponding Recipient Context. An application can
a group member to asynchronously retrieve information about Recipient configure a group member to asynchronously retrieve information about
Contexts, e.g. by Observing [RFC7641] the Group Manager to get Recipient Contexts, e.g. by Observing [RFC7641] the Group Manager to
updates on the group membership. get updates on the group membership.
According to this specification, it is RECOMMENDED to use a Group According to this specification, it is RECOMMENDED to use a Group
Manager as described in [I-D.ietf-ace-key-groupcomm-oscore], where Manager as described in [I-D.ietf-ace-key-groupcomm-oscore], where
the join process is based on the ACE framework for authentication and the join process is based on the ACE framework for authentication and
authorization in constrained environments [I-D.ietf-ace-oauth-authz]. authorization in constrained environments [I-D.ietf-ace-oauth-authz].
Further details about how public keys can be handled and retrieved in Further details about how public keys can be handled and retrieved in
the group is out of the scope of this document. the group is out of the scope of this document.
The Group Manager may serve additional entities acting as signature
checkers, e.g. intermediary gateways. These entities do not join a
group as members, but can retrieve public keys of group members from
the Group Manager, in order to verify counter signatures of group
messages. A signature checker is required to be authorized for
retrieving public keys of members in a specific group from the Group
Manager. To this end, the same method mentioned above and based on
the ACE framework can be used.
2.4. Management of Group Keying Material 2.4. Management of Group Keying Material
In order to establish a new Security Context in a group, a new Group In order to establish a new Security Context in a group, a new Group
Identifier (Gid) for that group and a new value for the Master Secret Identifier (Gid) for that group and a new value for the Master Secret
parameter MUST be distributed. An example of Gid format supporting parameter MUST be distributed. An example of Gid format supporting
this operation is provided in Appendix C. When distributing the new this operation is provided in Appendix C. When distributing the new
Gid and Master Secret, the Group Manager MAY distribute also a new Gid and Master Secret, the Group Manager MAY distribute also a new
value for the Master Salt parameter, and SHOULD preserve the current value for the Master Salt parameter, and SHOULD preserve the current
value of the Sender ID of each group member. value of the Sender ID of each group member.
skipping to change at page 10, line 13 skipping to change at page 10, line 49
own Sender Context and Recipient Contexts as described in Section 2, own Sender Context and Recipient Contexts as described in Section 2,
using the updated Gid and Master Secret parameter. The Master Salt using the updated Gid and Master Secret parameter. The Master Salt
used for the re-derivations is the updated Master Salt parameter if used for the re-derivations is the updated Master Salt parameter if
provided by the Group Manager, or the empty byte string otherwise. provided by the Group Manager, or the empty byte string otherwise.
From then on, each group member MUST use its latest installed Sender From then on, each group member MUST use its latest installed Sender
Context to protect outgoing messages. Context to protect outgoing messages.
After a new Gid has been distributed, a same Recipient ID ('kid') After a new Gid has been distributed, a same Recipient ID ('kid')
should not be considered as a persistent and reliable indicator of should not be considered as a persistent and reliable indicator of
the same group member. Such an indication can be actually achieved the same group member. Such an indication can be actually achieved
only by verifying countersignatures of received messages. As a only by using that members's public key. This occurs when verifying
consequence, group members may end up retaining stale Recipient countersignatures of received messages (in signature mode), or when
Contexts, that are no longer useful to verify incoming secure verifying messages integrity-protected with pairwise keying material
messages. Applications may define policies to delete (long-)unused derived from asymmetric keys (in pairwise mode). As a consequence,
Recipient Contexts and reduce the impact on storage space. group members may end up retaining stale Recipient Contexts, that are
no longer useful to verify incoming secure messages.
In order to alleviate this issue, the Group Manager SHOULD NOT
recycle 'kid' values within a same group, especially in the short
term. Furthermore, applications may define policies to: i) delete
(long-)unused Recipient Contexts and reduce the impact on storage
space; as well as ii) check with the Group Manager that an owned
public key is currently the one associated to a 'kid' value, after a
number of consecutive failed verifications.
The distribution of a new Gid and Master Secret may result in The distribution of a new Gid and Master Secret may result in
temporarily misaligned Security Contexts among group members. In temporarily misaligned Security Contexts among group members. In
particular, this may result in a group member not able to process particular, this may result in a group member not able to process
messages received right after a new Gid and Master Secret have been messages received right after a new Gid and Master Secret have been
distributed. A discussion on practical consequences and possible distributed. A discussion on practical consequences and possible
ways to address them is provided in Section 10.4. ways to address them is provided in Section 10.4.
If required by the application (see Appendix A.1), it is RECOMMENDED If required by the application (see Appendix A.1), it is RECOMMENDED
to adopt a group key management scheme, and securely distribute a new to adopt a group key management scheme, and securely distribute a new
skipping to change at page 10, line 41 skipping to change at page 11, line 37
necessary to preserve backward security and forward security in the necessary to preserve backward security and forward security in the
group, if the application requires it. group, if the application requires it.
The specific approach used to distribute the new Gid and Master The specific approach used to distribute the new Gid and Master
Secret parameter to the group is out of the scope of this document. Secret parameter to the group is out of the scope of this document.
However, it is RECOMMENDED that the Group Manager supports the However, it is RECOMMENDED that the Group Manager supports the
distribution of the new Gid and Master Secret parameter to the group distribution of the new Gid and Master Secret parameter to the group
according to the Group Rekeying Process described in according to the Group Rekeying Process described in
[I-D.ietf-ace-key-groupcomm-oscore]. [I-D.ietf-ace-key-groupcomm-oscore].
2.5. Wrap-Around of Partial IVs 2.5. Exhaustion of Partial IV Values
An endpoint can eventually experience a wrap-around of its own Sender An endpoint can eventually exhaust its own Sender Sequence Number,
Sequence Number, which is incremented after sending each new message which is incremented after sending each new message including a
including a Partial IV. This is the case for all group requests, all Partial IV. This is the case for all group requests, all Observe
Observe notifications [RFC7641] and, optionally, any other response. notifications [RFC7641] and, optionally, any other response.
When a wrap-around happens, the endpoint MUST NOT transmit further If an implementation's integers only support wrapping addition, the
messages for that group until it has derived a new Sender Context, in implementation MUST detect a wrap-around of the Sender Sequence
order to avoid reusing nonces with the same keys. Number value and treat that as exhausted instead.
Upon exhausting its own Sender Sequence Number, the endpoint MUST NOT
transmit further messages for that group until it has derived a new
Sender Context, in order to avoid reusing nonces with the same keys.
Furthermore, the endpoint SHOULD inform the Group Manager, that can Furthermore, the endpoint SHOULD inform the Group Manager, that can
take one of the following actions: take one of the following actions:
o The Group Manager renews the Security Context in the group (see o The Group Manager renews the Security Context in the group (see
Section 2.4). Section 2.4).
o The Group Manager provides a new Sender ID value to the endpoint o The Group Manager provides a new Sender ID value to the endpoint
that has experienced the wrap-around. Then, the endpoint derives that has experienced the exhaustion. Then, the endpoint derives a
a new Sender Context using the new Sender ID, as described in new Sender Context using the new Sender ID, as described in
Section 3.2 of [RFC8613]. Section 3.2 of [RFC8613].
In either case, same considerations from Section 2.4 hold about In either case, same considerations from Section 2.4 hold about
possible retaining of stale Recipient Contexts. possible retaining of stale Recipient Contexts.
3. Pairwise Keys 3. Pairwise Keys
Certain signature schemes, such as EdDSA and ECDSA, support a secure Certain signature schemes, such as EdDSA and ECDSA, support a secure
combined signature and encryption scheme. This section specifies the combined signature and encryption scheme. This section specifies the
derivation of pairwise encryption keys for use in the pairwise and derivation of pairwise encryption keys for use in the pairwise and
optimized modes of Group OSCORE. optimized modes of Group OSCORE.
3.1. Key Derivation
Two group members can derive a symmetric pairwise key, from their Two group members can derive a symmetric pairwise key, from their
Sender/Recipient Key and a static-static Diffe-Hellman shared secret. Sender/Recipient Key and a static-static Diffe-Hellman shared secret
The key derivation is as follows, and uses the same construction used [NIST-800-56A]. The key derivation is as follows, and uses the same
in Section 3.2.1 of [RFC8613]. construction used in Section 3.2.1 of [RFC8613].
Pairwise key = HKDF(Sender/Recipient Key, Shared Secret, info, L) Pairwise key = HKDF(Sender/Recipient Key, Shared Secret, info, L)
where: where:
o The Sender/Recipient key is the Sender Key of the sender, i.e. the o The Sender/Recipient key is the Sender Key of the sender, i.e. the
Recipient Key that the recipient stores in its own Recipient Recipient Key that the recipient stores in its own Recipient
Context corresponding to the sender. Context corresponding to the sender.
o The Shared Secret is computed as a static-static Diffie-Hellman o The Shared Secret is computed as a static-static Diffie-Hellman
shared secret, where the sender uses its own private key and the shared secret [NIST-800-56A], where the sender uses its own
recipient's public key, while the recipient uses its own private private key and the recipient's public key, while the recipient
key and the senders's public key. uses its own private key and the senders's public key. The Shared
Secret may be stored in memory, rather than recomputed each time
it is needed.
o info and L are defined as in Section 3.2.1 of [RFC8613]. o info and L are defined as in Section 3.2.1 of [RFC8613].
The security of using the same key pair for Diffie-Hellman and for The security of using the same key pair for Diffie-Hellman and for
signing is proven in [Degabriele]. The derivation of pairwise keys signing is proven in [Degabriele]. The derivation of pairwise keys
defined above is compatible with ECDSA and EdDSA asymmetric keys, but defined above is compatible with ECDSA and EdDSA asymmetric keys, but
is not compatible with RSA asymmetric keys. is not compatible with RSA asymmetric keys.
If EdDSA asymmetric keys are used, the Edward coordinates are mapped If EdDSA asymmetric keys are used, the Edward coordinates are mapped
to Montgomery coordinates using the maps defined in Sections 4.1 and to Montgomery coordinates using the maps defined in Sections 4.1 and
4.2 of [RFC7748], before using the X25519 and X448 functions defined 4.2 of [RFC7748], before using the X25519 and X448 functions defined
in Section 5 of [RFC7748]. in Section 5 of [RFC7748].
3.1. Note on Implementation After completing the establishment of a new Security Context (see
Section 2.4), every group member MUST delete all its pairwise keys.
Since new Sender/Recipient keys are derived from the new group keying
material (see Section 2.2), every group member MUST use such new
Sender/Recipient keys when possibly deriving new pairwise keys.
As long as any two group members preserve the same asymmetric keys,
the Diffie-Hellman shared secret does not change across updates of
the group keying material.
3.2. Usage of Sequence Numbers
When using any of its pairwise keys, a sender endpoint MUST use the
current fresh value of its own Sender Sequence Number, from its own
Sender Context (see Section 2.2). That is, the same Sender Sequence
Number space is used for all outgoing messages sent to the group and
protected with Group OSCORE, thus limiting both storage and
complexity.
On the other hand, when combining one-to-many and one-to-one
communication in the group, this may result in the Partial IV values
moving forward more often. Fundamentally, this is due to the fact
that not all the recipients receive all messages from a given sender.
For instance, requests sent over multicast (in signature mode) are
addressed to the whole group, while requests sent over unicast (in
signature mode or pairwise mode) are not.
As a consequence, replay checks may be invoked more often on the
recipient side, where larger replay windows should be considered.
3.3. Note on Implementation
In order to optimize performance, an endpoint A may derive a pairwise In order to optimize performance, an endpoint A may derive a pairwise
key used with an endpoint B in the OSCORE group only once, and then key used with an endpoint B in the OSCORE group only once, and then
store it in its own Security Context for future retrieval. This can store it in its own Security Context for future retrieval. This can
work as follows. work as follows.
Endpoint A can have a Pairwise Sender Context associated to B, within Endpoint A can have a Pairwise Sender Context associated to B, within
its own Sender Context. This Pairwise Sender Context includes: its own Sender Context. This Pairwise Sender Context includes:
o The Recipient ID of B for A, i.e. the Sender ID of B. o The Recipient ID of B for A, i.e. the Sender ID of B.
skipping to change at page 13, line 23 skipping to change at page 15, line 9
The value of the 'kid context' parameter in the 'unprotected' field The value of the 'kid context' parameter in the 'unprotected' field
of requests messages MUST be set to the ID Context, i.e. the Group of requests messages MUST be set to the ID Context, i.e. the Group
Identifier value (Gid) of the group's Security Context. That is, Identifier value (Gid) of the group's Security Context. That is,
unlike in [RFC8613], the 'kid context' parameter is always present in unlike in [RFC8613], the 'kid context' parameter is always present in
requests. requests.
4.3. external_aad 4.3. external_aad
The external_aad of the Additional Authenticated Data (AAD) is built The external_aad of the Additional Authenticated Data (AAD) is built
differently. In particular, it has one structure used for the differently. In particular, it has one structure used for the
encryption process producing the ciphertext, and one structure used encryption process producing the ciphertext, and a second structure
for the signing process producing the counter signature. used for the signing process producing the counter signature.
4.3.1. external_aad for Encryption 4.3.1. external_aad for Encryption
The first external_aad structure used for the encryption process The first external_aad structure used for the encryption process
producing the ciphertext (see Section 5.3 of [RFC8152]) includes also producing the ciphertext (see Section 5.3 of [RFC8152]) includes also
the counter signature algorithm and related parameters used to sign the counter signature algorithm and related parameters used to sign
messages. In particular, compared with Section 5.4 of [RFC8613], the messages. In particular, compared with Section 5.4 of [RFC8613], the
'algorithms' array in the aad_array MUST also include: 'algorithms' array in the aad_array MUST also include:
o 'alg_countersign', which contains the Counter Signature Algorithm o 'alg_countersign', which contains the Counter Signature Algorithm
skipping to change at page 15, line 4 skipping to change at page 16, line 46
oscore_version : uint, oscore_version : uint,
algorithms : [alg_aead : int / tstr, algorithms : [alg_aead : int / tstr,
alg_countersign : int / tstr, alg_countersign : int / tstr,
par_countersign : any / nil, par_countersign : any / nil,
par_countersign_key : any / nil], par_countersign_key : any / nil],
request_kid : bstr, request_kid : bstr,
request_piv : bstr, request_piv : bstr,
options : bstr, options : bstr,
OSCORE_option: bstr OSCORE_option: bstr
] ]
Note for implementation: this requires the value of the OSCORE option Note for implementation: this requires the value of the OSCORE option
to be fully ready, before starting the signing process. to be fully ready, before starting the signing process. Also, this
requires that the aad_array is long enough to contain the longest
possible OSCORE option.
5. OSCORE Header Compression 5. OSCORE Header Compression
The OSCORE header compression defined in Section 6 of [RFC8613] is The OSCORE header compression defined in Section 6 of [RFC8613] is
used, with the following differences. used, with the following differences.
o The payload of the OSCORE message SHALL encode the ciphertext of o The payload of the OSCORE message SHALL encode the ciphertext of
the COSE object concatenated with the value of the the COSE object. In the signature mode as well as in the
CounterSignature0 of the COSE object, computed as described in optimized compressed requests of the optimized mode (see
Section 4.1. Section 9.1.1), the ciphertext above is concatenated with the
value of the CounterSignature0 of the COSE object, computed as
described in Section 4.1.
o This specification defines the usage of the sixth least o This specification defines the usage of the sixth least
significant bit, namely the Pairwise Flag bit, in the first byte significant bit, namely the Pairwise Flag bit, in the first byte
of the OSCORE option containing the OSCORE flag bits. This flag of the OSCORE option containing the OSCORE flag bits. This flag
bit is registered in Section 11.3 of this specification. bit is registered in Section 11.3 of this specification.
o The Pairwise Flag bit is set to 1 if the OSCORE message is o The Pairwise Flag bit is set to 1 if the OSCORE message is
protected using pairwise keying material, which is shared with a protected using pairwise keying material, which is shared with a
single group member as single intended recipient and derived as single group member as single intended recipient and derived as
defined in Section 3. This is used, for instance, to send defined in Section 3. This is used, for instance, to send
skipping to change at page 15, line 44 skipping to change at page 17, line 44
capable or willing to process OSCORE messages protected using capable or willing to process OSCORE messages protected using
pairwise keying material. pairwise keying material.
* The recipient can not retrieve a Security Context which is both * The recipient can not retrieve a Security Context which is both
valid to process the message and also associated to an OSCORE valid to process the message and also associated to an OSCORE
group. group.
5.1. Examples of Compressed COSE Objects 5.1. Examples of Compressed COSE Objects
This section covers a list of OSCORE Header Compression examples for This section covers a list of OSCORE Header Compression examples for
group requests and responses. The examples assume that the group requests and responses, with Group OSCORE used in signature
COSE_Encrypt0 object is set (which means the CoAP message and mode.
cryptographic material is known). Note that the examples do not
include the full CoAP unprotected message or the full Security The examples assume that the COSE_Encrypt0 object is set (which means
Context, but only the input necessary to the compression mechanism, the CoAP message and cryptographic material is known). Note that the
i.e. the COSE_Encrypt0 object. The output is the compressed COSE examples do not include the full CoAP unprotected message or the full
object as defined in Section 5 and divided into two parts, since the Security Context, but only the input necessary to the compression
object is transported in two CoAP fields: OSCORE option and payload. mechanism, i.e. the COSE_Encrypt0 object. The output is the
compressed COSE object as defined in Section 5 and divided into two
parts, since the object is transported in two CoAP fields: OSCORE
option and payload.
The examples assume that the label for the new kid context defined in The examples assume that the label for the new kid context defined in
[RFC8613] has value 10. COUNTERSIGN is the CounterSignature0 byte [RFC8613] has value 10. The examples also assume that the plaintext
string as described in Section 4 and is 64 bytes long. (see Section 5.3 of [RFC8613]) is 6 bytes long, and that the AEAD tag
is 8 bytes long, hence resulting in a ciphertext which is 14 bytes
long. Finally, COUNTERSIGN is the CounterSignature0 byte string as
described in Section 4 and is 64 bytes long.
1. Request with ciphertext = 0xaea0155667924dff8a24e4cb35b9, kid = 1. Request with ciphertext = 0xaea0155667924dff8a24e4cb35b9, kid =
0x25, Partial IV = 5 and kid context = 0x44616c 0x25, Partial IV = 5 and kid context = 0x44616c
Before compression (96 bytes): Before compression (96 bytes):
[ [
h'', h'',
{ 4:h'25', 6:h'05', 10:h'44616c', 9:COUNTERSIGN }, { 4:h'25', 6:h'05', 10:h'44616c', 9:COUNTERSIGN },
h'aea0155667924dff8a24e4cb35b9' h'aea0155667924dff8a24e4cb35b9'
skipping to change at page 16, line 29 skipping to change at page 18, line 34
After compression (85 bytes): After compression (85 bytes):
Flag byte: 0b00011001 = 0x19 Flag byte: 0b00011001 = 0x19
Option Value: 19 05 03 44 61 6c 25 (7 bytes) Option Value: 19 05 03 44 61 6c 25 (7 bytes)
Payload: ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9 COUNTERSIGN Payload: ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9 COUNTERSIGN
(14 bytes + size of COUNTERSIGN) (14 bytes + size of COUNTERSIGN)
1. Response with ciphertext = 60b035059d9ef5667c5a0710823b, kid = 1. Response with ciphertext = 0x60b035059d9ef5667c5a0710823b, kid =
0x52 and no Partial IV. 0x52 and no Partial IV.
Before compression (88 bytes): Before compression (88 bytes):
[ [
h'', h'',
{ 4:h'52', 9:COUNTERSIGN }, { 4:h'52', 9:COUNTERSIGN },
h'60b035059d9ef5667c5a0710823b' h'60b035059d9ef5667c5a0710823b'
] ]
After compression (80 bytes): After compression (80 bytes):
Flag byte: 0b00001000 = 0x08 Flag byte: 0b00001000 = 0x08
Option Value: 08 52 (2 bytes) Option Value: 08 52 (2 bytes)
Payload: 60 b0 35 05 9d 9e f5 66 7c 5a 07 10 82 3b COUNTERSIGN Payload: 60 b0 35 05 9d 9e f5 66 7c 5a 07 10 82 3b COUNTERSIGN
(14 bytes + size of COUNTERSIGN) (14 bytes + size of COUNTERSIGN)
6. Message Binding, Sequence Numbers, Freshness and Replay Protection 6. Message Binding, Sequence Numbers, Freshness and Replay Protection
skipping to change at page 17, line 37 skipping to change at page 19, line 45
Sender Sequence Numbers is part of the group communication policy, Sender Sequence Numbers is part of the group communication policy,
and different servers can use different methods. and different servers can use different methods.
Appendix E describes three possible approaches that can be considered Appendix E describes three possible approaches that can be considered
for synchronization of sequence numbers. for synchronization of sequence numbers.
7. Message Processing 7. Message Processing
Each request message and response message is protected and processed Each request message and response message is protected and processed
as specified in [RFC8613], with the modifications described in the as specified in [RFC8613], with the modifications described in the
following sections. The following security objectives are fulfilled, following sections. In particular, the following sections refer to
as further discussed in Appendix A.2: data replay protection, group- the signature mode of Group OSCORE, while the optimized mode and the
level data confidentiality, source authentication and message pairwise mode are described in Section 9 and Appendix G,
integrity. respectively.
As per [RFC7252][I-D.dijk-core-groupcomm-bis], group requests sent The following security objectives are fulfilled, as further discussed
over multicast MUST be Non-Confirmable. Thus, senders should store in Appendix A.2: data replay protection, group-level data
their outgoing messages for an amount of time defined by the confidentiality, source authentication and message integrity.
application and sufficient to correctly handle possible
retransmissions. However, this does not prevent the acknowledgment As per [RFC7252][I-D.ietf-core-groupcomm-bis], group requests sent
of Confirmable group requests in non-multicast environments. over multicast MUST be Non-Confirmable, and thus cannot be
Besides, according to Section 5.2.3 of [RFC7252], responses to Non- retransmitted by the CoAP messaging layer. Instead, applications
Confirmable group requests SHOULD be also Non-Confirmable. However, should store such outgoing messages for a pre-defined, sufficient
endpoints MUST be prepared to receive Confirmable responses in reply amount of time, in order to correctly perform possible
to a Non-Confirmable group request. retransmissions at the application layer. However, this does not
prevent the acknowledgment of Confirmable group requests in non-
multicast environments. Besides, according to Section 5.2.3 of
[RFC7252], responses to Non-Confirmable group requests SHOULD be also
Non-Confirmable. However, endpoints MUST be prepared to receive
Confirmable responses in reply to a Non-Confirmable group request.
Furthermore, endpoints in the group locally perform error handling Furthermore, endpoints in the group locally perform error handling
and processing of invalid messages according to the same principles and processing of invalid messages according to the same principles
adopted in [RFC8613]. However, a recipient MUST stop processing and adopted in [RFC8613]. However, a recipient MUST stop processing and
silently reject any message which is malformed and does not follow silently reject any message which is malformed and does not follow
the format specified in Section 4, or which is not cryptographically the format specified in Section 4, or which is not cryptographically
validated in a successful way. Either case, it is RECOMMENDED that validated in a successful way. In either case, it is RECOMMENDED
the recipient does not send back any error message. This prevents that the recipient does not send back any error message. This
servers from replying with multiple error messages to a client prevents servers from replying with multiple error messages to a
sending a group request, so avoiding the risk of flooding and client sending a group request, so avoiding the risk of flooding and
possibly congesting the group. possibly congesting the group.
7.1. Protecting the Request 7.1. Protecting the Request
A client transmits a secure group request as described in Section 8.1 A client transmits a secure group request as described in Section 8.1
of [RFC8613], with the following modifications. of [RFC8613], with the following modifications.
o In step 2, the 'algorithms' array in the Additional Authenticated o In step 2, the 'algorithms' array in the Additional Authenticated
Data is modified as described in Section 4 of this specification. Data is modified as described in Section 4 of this specification.
skipping to change at page 20, line 30 skipping to change at page 22, line 45
OSCORE mesage is modified as described in Section 5 of this OSCORE mesage is modified as described in Section 5 of this
specification. In particular, the payload of the OSCORE message specification. In particular, the payload of the OSCORE message
includes also the counter signature. includes also the counter signature.
Note that the server MUST always protect a response by using its own Note that the server MUST always protect a response by using its own
Sender Context from the latest owned Security Context. Sender Context from the latest owned Security Context.
Consistently, upon the establishment of a new Security Context, the Consistently, upon the establishment of a new Security Context, the
server may end up protecting a response by using a Security Context server may end up protecting a response by using a Security Context
different from the one used to protect the group request (see different from the one used to protect the group request (see
Section 10.4). In such a case, the server SHOULD also: Section 10.4). In such a case:
o Encode the Partial IV (Sender Sequence Number in network byte o The server MUST encode the Partial IV (Sender Sequence Number in
order), which is set to the Sender Sequence Number of the server; network byte order), which is set to the Sender Sequence Number of
increment the Sender Sequence Number by one; compute the AEAD the server; increment the Sender Sequence Number by one; compute
nonce from the Sender ID, Common IV, and Partial IV. the AEAD nonce from the Sender ID, Common IV, and Partial IV.
o Include in the respose the 'Partial IV' parameter, which is set to o The server MUST include in the response the 'Partial IV'
the encoded Partial IV value above. parameter, which is set to the encoded Partial IV value above.
o Include in the response the 'kid context' parameter, which is set o The server SHOULD include in the response the 'kid context'
to the ID Context of the new Security Context, i.e. the new Group parameter, which is set to the ID Context of the new Security
Identifier (Gid). Context, i.e. the new Group Identifier (Gid).
7.3.1. Supporting Observe 7.3.1. Supporting Observe
If Observe [RFC7641] is supported, the server may have ongoing If Observe [RFC7641] is supported, the server may have ongoing
observations, started by Observe requests protected with an old observations, started by Observe requests protected with an old
Security Context. Security Context.
After completing the establishment of a new Security Context, the After completing the establishment of a new Security Context, the
server MUST protect the following notifications with its own Sender server MUST protect the following notifications with its own Sender
Context from the new Security Context. Context from the new Security Context.
skipping to change at page 24, line 31 skipping to change at page 26, line 46
9.2.1. Optimized Compressed Response 9.2.1. Optimized Compressed Response
No changes. No changes.
10. Security Considerations 10. Security Considerations
The same threat model discussed for OSCORE in Appendix D.1 of The same threat model discussed for OSCORE in Appendix D.1 of
[RFC8613] holds for Group OSCORE. In addition, source authentication [RFC8613] holds for Group OSCORE. In addition, source authentication
of messages is explicitly ensured by means of counter signatures, as of messages is explicitly ensured by means of counter signatures, as
further discussed in Section 10.1. discussed in Section 10.1.
The same considerations on supporting Proxy operations discussed for The same considerations on supporting Proxy operations discussed for
OSCORE in Appendix D.2 of [RFC8613] hold for Group OSCORE. OSCORE in Appendix D.2 of [RFC8613] hold for Group OSCORE.
The same considerations on protected message fields for OSCORE The same considerations on protected message fields for OSCORE
discussed in Appendix D.3 of [RFC8613] hold for Group OSCORE. discussed in Appendix D.3 of [RFC8613] hold for Group OSCORE.
The same considerations on uniqueness of (key, nonce) pairs for The same considerations on uniqueness of (key, nonce) pairs for
OSCORE discussed in Appendix D.4 of [RFC8613] hold for Group OSCORE. OSCORE discussed in Appendix D.4 of [RFC8613] hold for Group OSCORE.
This is further discussed in Section 10.2. This is further discussed in Section 10.2.
The same considerations on unprotected message fields for OSCORE The same considerations on unprotected message fields for OSCORE
discussed in Appendix D.5 of [RFC8613] hold for Group OSCORE, with discussed in Appendix D.5 of [RFC8613] hold for Group OSCORE, with
the following difference. The countersignature included in a Group the following difference. The countersignature included in a Group
OSCORE message is computed also over the value of the OSCORE option, OSCORE message is computed also over the value of the OSCORE option,
which is part of the Additional Authenticated Data used in the which is part of the Additional Authenticated Data used in the
signing process. This is further discussed in Section 10.6. signing process. This is further discussed in Section 10.6.
As discussed in Section 6.2.3 of [I-D.dijk-core-groupcomm-bis], Group As discussed in Section 6.2.3 of [I-D.ietf-core-groupcomm-bis], Group
OSCORE addresses security attacks against CoAP listed in Sections OSCORE addresses security attacks against CoAP listed in Sections
11.2-11.6 of [RFC7252], especially when mounted over IP multicast. 11.2-11.6 of [RFC7252], especially when mounted over IP multicast.
The rest of this section first discusses security aspects to be taken The rest of this section first discusses security aspects to be taken
into account when using Group OSCORE. Then it goes through aspects into account when using Group OSCORE. Then it goes through aspects
covered in the security considerations of OSCORE (Section 12 of covered in the security considerations of OSCORE (Section 12 of
[RFC8613]), and discusses how they hold when Group OSCORE is used. [RFC8613]), and discusses how they hold when Group OSCORE is used.
10.1. Group-level Security 10.1. Group-level Security
The approach described in this document relies on commonly shared The signature mode described in Section 7 relies on commonly shared
group keying material to protect communication within a group. This group keying material to protect communication within a group. This
has the following implications. has the following implications.
o Messages are encrypted at a group level (group-level data o Messages are encrypted at a group level (group-level data
confidentiality), i.e. they can be decrypted by any member of the confidentiality), i.e. they can be decrypted by any member of the
group, but not by an external adversary or other external group, but not by an external adversary or other external
entities. entities.
o The AEAD algorithm provides only group authentication, i.e. it o The AEAD algorithm provides only group authentication, i.e. it
ensures that a message sent to a group has been sent by a member ensures that a message sent to a group has been sent by a member
of that group, but not by the alleged sender. This is why source of that group, but not by the alleged sender. This is why source
authentication of messages sent to a group is ensured through a authentication of messages sent to a group is ensured through a
counter signature, which is computed by the sender using its own counter signature, which is computed by the sender using its own
private key and then appended to the message payload. private key and then appended to the message payload.
Instead, the pairwise mode described in Appendix G protects messages
by using pairwise symmetric keys, derived from the static-static
Diffie-Hellman shared secret computed from the asymmetric keys of the
sender and recipient endpoint (see Section 3). Therefore, in the
parwise mode, the AEAD algorithm provides both pairwise data-
confidentiality and source authentication of messages, without using
counter signatures.
Note that, even if an endpoint is authorized to be a group member and Note that, even if an endpoint is authorized to be a group member and
to take part in group communications, there is a risk that it behaves to take part in group communications, there is a risk that it behaves
inappropriately. For instance, it can forward the content of inappropriately. For instance, it can forward the content of
messages in the group to unauthorized entities. However, in many use messages in the group to unauthorized entities. However, in many use
cases, the devices in the group belong to a common authority and are cases, the devices in the group belong to a common authority and are
configured by a commissioner (see Appendix B), which results in a configured by a commissioner (see Appendix B), which results in a
practically limited risk and enables a prompt detection/reaction in practically limited risk and enables a prompt detection/reaction in
case of misbehaving. case of misbehaving.
10.2. Uniqueness of (key, nonce) 10.2. Uniqueness of (key, nonce)
skipping to change at page 26, line 50 skipping to change at page 29, line 27
In particular, a server may first get a group request protected with In particular, a server may first get a group request protected with
the old Security Context, then install the new Security Context, and the old Security Context, then install the new Security Context, and
only after that produce a response to send back to the client. Since only after that produce a response to send back to the client. Since
a sender always protects an outgoing message using the latest owned a sender always protects an outgoing message using the latest owned
Security Context, the server discussed above protects the possible Security Context, the server discussed above protects the possible
response using the new Security Context. Then, the client will response using the new Security Context. Then, the client will
process that response using the new Security Context, provided that process that response using the new Security Context, provided that
it has installed the new security parameters and keying material it has installed the new security parameters and keying material
before the message reception. before the message reception.
In case block-wire transfer [RFC7959] is used, the same In case block-wise transfer [RFC7959] is used, the same
considerations from Section 7.2 of [I-D.ietf-ace-key-groupcomm] hold. considerations from Section 7.2 of [I-D.ietf-ace-key-groupcomm] hold.
Furthermore, as described below, a group rekeying may temporarily Furthermore, as described below, a group rekeying may temporarily
result in misaligned Security Contexts between the sender and result in misaligned Security Contexts between the sender and
recipient of a same message. recipient of a same message.
10.4.1. Late Update on the Sender 10.4.1. Late Update on the Sender
In this case, the sender protects a message using the old Security In this case, the sender protects a message using the old Security
Context, i.e. before having installed the new Security Context. Context, i.e. before having installed the new Security Context.
skipping to change at page 28, line 11 skipping to change at page 30, line 35
an updated Security Context according to an application-defined an updated Security Context according to an application-defined
policy, for instance after a given number of unsuccessfully decrypted policy, for instance after a given number of unsuccessfully decrypted
incoming messages. incoming messages.
10.5. Collision of Group Identifiers 10.5. Collision of Group Identifiers
In case endpoints are deployed in multiple groups managed by In case endpoints are deployed in multiple groups managed by
different non-synchronized Group Managers, it is possible for Group different non-synchronized Group Managers, it is possible for Group
Identifiers of different groups to coincide. Identifiers of different groups to coincide.
However, this does not impair the security of the AEAD algorithm. In This does not impair the security of the AEAD algorithm. In fact, as
fact, as long as the Master Secret is different for different groups long as the Master Secret is different for different groups and this
and this condition holds over time, AEAD keys are different among condition holds over time, AEAD keys are different among different
different groups. groups.
The entity assigning an IP multicast address may help limiting the
chances to experience such collisions of Group Identifiers. In
particular, it may allow the Group Managers of groups using the same
IP multicast address to share their respective list of assigned Group
Identifiers currently in use.
10.6. Cross-group Message Injection 10.6. Cross-group Message Injection
A same endpoint is allowed to and would likely use the same signature A same endpoint is allowed to and would likely use the same signature
key in multiple OSCORE groups, possibly administered by different key in multiple OSCORE groups, possibly administered by different
Group Managers. Also, the same endpoint can register several times Group Managers. Also, the same endpoint can register several times
in the same group, getting multiple unique Sender IDs. This requires in the same group, getting multiple unique Sender IDs. This requires
that, when a sender endpoint sends a message to an OSCORE group using that, when a sender endpoint sends a message to an OSCORE group using
a Sender ID, the countersignature included in the message is a Sender ID, the countersignature included in the message is
explicitly bound also to that group and to the used Sender ID. explicitly bound also to that group and to the used Sender ID.
skipping to change at page 29, line 46 skipping to change at page 32, line 30
used to forge a response M2 for a given request is equal to 2^-24, used to forge a response M2 for a given request is equal to 2^-24,
since there are more MAC values (8 bytes in size) than Partial IV since there are more MAC values (8 bytes in size) than Partial IV
values (5 bytes in size). values (5 bytes in size).
Note that, by changing the Partial IV as discussed above, any member Note that, by changing the Partial IV as discussed above, any member
of G1 would also be able to forge a valid signed response message M2 of G1 would also be able to forge a valid signed response message M2
to be injected in G1. to be injected in G1.
10.7. Group OSCORE for Unicast Requests 10.7. Group OSCORE for Unicast Requests
With reference to the processing defined in Section 7.1 and With reference to the processing defined in Section 7.1 for the
Section 9.1.1, it is NOT RECOMMENDED for a client to use Group OSCORE signature mode and in Section 9.1.1 for the optimized mode, it is NOT
for securing a request sent to a single group member over unicast. RECOMMENDED for a client to use Group OSCORE for securing a request
sent to a single group member over unicast.
If the client uses its own Sender Key to protect a unicast request to If the client uses its own Sender Key to protect a unicast request to
a group member, an on-path adversary can, right then or later on, a group member, an on-path adversary can, right then or later on,
redirect that request to one/many different group member(s) over redirect that request to one/many different group member(s) over
unicast, or to the whole OSCORE group over multicast. By doing so, unicast, or to the whole OSCORE group over multicast. By doing so,
the adversary can induce the target group member(s) to perform the adversary can induce the target group member(s) to perform
actions intended to one group member only. Note that the adversary actions intended to one group member only. Note that the adversary
can be external, i.e. (s)he does not need to also be a member of the can be external, i.e. (s)he does not need to also be a member of the
OSCORE group. OSCORE group.
This is due to the fact that the client is not able to indicate the This is due to the fact that the client is not able to indicate the
single intended recipient in a way which is secure and possible to single intended recipient in a way which is secure and possible to
process for Group OSCORE on the server side. In particular, Group process for Group OSCORE on the server side. In particular, Group
OSCORE does not protect network addressing information such as the IP OSCORE does not protect network addressing information such as the IP
address of the intended recipient server. It follows that the address of the intended recipient server. It follows that the
server(s) receiving the redirected request cannot assert whether that server(s) receiving the redirected request cannot assert whether that
was the original intention of the client, and would thus simply was the original intention of the client, and would thus simply
assume so. assume so.
With particular reference to block-wise transfers [RFC7959],
Section 2.3.6 of [I-D.ietf-core-groupcomm-bis] points out that, while
an initial request including the CoAP Block2 option can be sent over
multicast, any other request in a transfer has to occur over unicast,
individually addressing the servers in the group.
Additional considerations are discussed in Appendix E.3, with respect
to requests including an Echo Option [I-D.ietf-core-echo-request-tag]
that has to be sent over unicast, as a challenge-response method for
servers to achieve synchronization of client Sender Sequence Numbers.
The impact of such an attack depends especially on the REST method of The impact of such an attack depends especially on the REST method of
the request, i.e. the Inner CoAP Code of the OSCORE request message. the request, i.e. the Inner CoAP Code of the OSCORE request message.
In particular, safe methods such as GET and FETCH would trigger In particular, safe methods such as GET and FETCH would trigger
(several) unintended responses from the targeted server(s), while not (several) unintended responses from the targeted server(s), while not
resulting in destructive behavior. On the other hand, non safe resulting in destructive behavior. On the other hand, non safe
methods such as PUT, POST and PATCH/iPATCH would result in the target methods such as PUT, POST and PATCH/iPATCH would result in the target
server(s) taking active actions on their resources and possible server(s) taking active actions on their resources and possible
cyber-physical environment, with the risk of destructive consequences cyber-physical environment, with the risk of destructive consequences
and possible implications for safety. and possible implications for safety.
Additional considerations are discussed in Appendix E.3, with respect
to unicast requests including an Echo Option
[I-D.ietf-core-echo-request-tag], as a challenge-response method for
servers to achieve synchronization of client Sender Sequence Numbers.
A client may instead use the pairwise mode defined in Appendix G.2, A client may instead use the pairwise mode defined in Appendix G.2,
in order to protect a request sent to a single group member using in order to protect a request sent to a single group member by using
pairwise keying material. This prevents the attack discussed above pairwise keying material (see Section 3). This prevents the attack
by construction, as only the intended server is able to derive the discussed above by construction, as only the intended server is able
pairwise keying material used by the client to protect the request. to derive the pairwise keying material used by the client to protect
the request. A client supporting the pairwise mode SHOULD use it to
protect requests sent to a single group member over unicast, instead
of using the signature mode.
10.8. End-to-end Protection 10.8. End-to-end Protection
The same considerations from Section 12.1 of [RFC8613] hold for Group The same considerations from Section 12.1 of [RFC8613] hold for Group
OSCORE. OSCORE.
Additionally, (D)TLS and Group OSCORE can be combined for protecting Additionally, (D)TLS and Group OSCORE can be combined for protecting
message exchanges occurring over unicast. Instead, it is not message exchanges occurring over unicast. Instead, it is not
possible to combine DTLS and Group OSCORE for protecting message possible to combine DTLS and Group OSCORE for protecting message
exchanges where messages are (also) sent over multicast. exchanges where messages are (also) sent over multicast.
skipping to change at page 32, line 6 skipping to change at page 34, line 45
generating and distributing a new Master Secret. Randomness generating and distributing a new Master Secret. Randomness
requirements for security are described in [RFC4086]. requirements for security are described in [RFC4086].
10.11. Replay Protection 10.11. Replay Protection
As in OSCORE, also Group OSCORE relies on sender sequence numbers As in OSCORE, also Group OSCORE relies on sender sequence numbers
included in the COSE message field 'Partial IV' and used to build included in the COSE message field 'Partial IV' and used to build
AEAD nonces. AEAD nonces.
Note that the Partial IV of an endpoint does not necessarily grow Note that the Partial IV of an endpoint does not necessarily grow
monotonically. For instance, upon wrap-around of the endpoint Sender monotonically. For instance, upon exhaustion of the endpoint Sender
Sequence Number, the Partial IV also wraps-around, since 0 becomes Sequence Number, the Partial IV also gets exhausted. As discussed in
the next Sender Sequence Number used as Partial IV. As discussed in
Section 2.5, this results either in the endpoint being individually Section 2.5, this results either in the endpoint being individually
rekeyed and getting a new Sender ID, or in the establishment of a new rekeyed and getting a new Sender ID, or in the establishment of a new
Security Context in the group. Therefore, uniqueness of (key, nonce) Security Context in the group. Therefore, uniqueness of (key, nonce)
pairs (see Section 10.2) is preserved also when a new Security pairs (see Section 10.2) is preserved also when a new Security
Context is established. Context is established.
As discussed in Section 6.1, an endpoint that has just joined a group As discussed in Section 6.1, an endpoint that has just joined a group
is exposed to replay attack, as it is not aware of the sender is exposed to replay attack, as it is not aware of the sender
sequence numbers currently used by other group members. Appendix E sequence numbers currently used by other group members. Appendix E
describes how endpoints can synchronize with senders' sequence describes how endpoints can synchronize with senders' sequence
skipping to change at page 32, line 46 skipping to change at page 35, line 36
the server to (re-)synchronize with the client's sequence number, as the server to (re-)synchronize with the client's sequence number, as
well as to ensure that the request is fresh and has not been replayed well as to ensure that the request is fresh and has not been replayed
or (purposely) delayed, if it is the first one received from that or (purposely) delayed, if it is the first one received from that
client after having joined the group or rebooted (see Appendix E.3). client after having joined the group or rebooted (see Appendix E.3).
10.13. Cryptographic Considerations 10.13. Cryptographic Considerations
The same considerations from Section 12.6 of [RFC8613] about the The same considerations from Section 12.6 of [RFC8613] about the
maximum Sender Sequence Number hold for Group OSCORE. maximum Sender Sequence Number hold for Group OSCORE.
As discussed in Section 2.5, an endpoint that experiences a wrap- As discussed in Section 2.5, an endpoint that experiences a
around of its own Sender Sequence Number MUST NOT transmit further exhaustion of its own Sender Sequence Number MUST NOT transmit
messages including a Partial IV, until it has derived a new Sender further messages including a Partial IV, until it has derived a new
Context. This prevents the endpoint to reuse the same AEAD nonces Sender Context. This prevents the endpoint to reuse the same AEAD
with the same Sender key. nonces with the same Sender key.
In order to renew its own Sender Context, the endpoint SHOULD inform In order to renew its own Sender Context, the endpoint SHOULD inform
the Group Manager, which can either renew the whole Security Context the Group Manager, which can either renew the whole Security Context
by means of group rekeying, or provide only that endpoint with a new by means of group rekeying, or provide only that endpoint with a new
Sender ID value. Either case, the endpoint derives a new Sender Sender ID value. In either case, the endpoint derives a new Sender
Context, and in particular a new Sender Key. Context, and in particular a new Sender Key.
Additionally, the same considerations from Section 12.6 of [RFC8613] Additionally, the same considerations from Section 12.6 of [RFC8613]
hold for Group OSCORE, about building the AEAD nonce and the secrecy hold for Group OSCORE, about building the AEAD nonce and the secrecy
of the Security Context parameters. of the Security Context parameters.
The EdDSA signature algorithm Ed25519 [RFC8032] is mandatory to
implement. For many constrained IoT devices, it is problematic to
support more than one signature algorithm or multiple whole cipher
suites. This means that some deployments using, for instance, ECDSA
with NIST P-256 may not support the mandatory signature algorithm.
However, this is not a problem for local deployments.
10.14. Message Segmentation 10.14. Message Segmentation
The same considerations from Section 12.7 of [RFC8613] hold for Group The same considerations from Section 12.7 of [RFC8613] hold for Group
OSCORE. OSCORE.
10.15. Privacy Considerations 10.15. Privacy Considerations
Group OSCORE ensures end-to-end integrity protection and encryption Group OSCORE ensures end-to-end integrity protection and encryption
of the message payload and all options that are not used for proxy of the message payload and all options that are not used for proxy
operations. In particular, options are processed according to the operations. In particular, options are processed according to the
skipping to change at page 34, line 7 skipping to change at page 37, line 5
current Group ID is indicated in the 'kid context' parameter. current Group ID is indicated in the 'kid context' parameter.
Moreover, this parameter explicitly relates two or more Moreover, this parameter explicitly relates two or more
communicating endpoints, as members of the same OSCORE group. communicating endpoints, as members of the same OSCORE group.
Also, using the mechanisms described in Appendix E.3 to achieve Also, using the mechanisms described in Appendix E.3 to achieve
sequence number synchronization with a client may reveal when a sequence number synchronization with a client may reveal when a
server device goes through a reboot. This can be mitigated by the server device goes through a reboot. This can be mitigated by the
server device storing the precise state of the replay window of each server device storing the precise state of the replay window of each
known client on a clean shutdown. known client on a clean shutdown.
Finally, the mechanism described in Section 10.5 to prevent
collisions of Group Identifiers from different Group Managers may
reveal information about events in the respective OSCORE groups. In
particular, a Group Idenfier changes when the corresponding group is
rekeyed. Thus, changes in the shared list of Group Identifiers may
be used to infer about the rate and patterns of group membership
changes triggering a group rekeying, e.g. due to newly joined members
or evicted (compromised) members. In order to alleviate such privacy
concerns, it should be hidden from the Group Managers which exact
Group Manager has currently assigned which Group Identifiers in its
OSCORE groups.
11. IANA Considerations 11. IANA Considerations
Note to RFC Editor: Please replace all occurrences of "[This Note to RFC Editor: Please replace all occurrences of "[This
Document]" with the RFC number of this specification and delete this Document]" with the RFC number of this specification and delete this
paragraph. paragraph.
This document has the following actions for IANA. This document has the following actions for IANA.
11.1. Counter Signature Parameters Registry 11.1. Counter Signature Parameters Registry
skipping to change at page 39, line 31 skipping to change at page 43, line 31
size. size.
o Specifications are recommended. When specifications are not o Specifications are recommended. When specifications are not
provided, the description provided needs to have sufficient provided, the description provided needs to have sufficient
information to verify the points above. information to verify the points above.
12. References 12. References
12.1. Normative References 12.1. Normative References
[I-D.dijk-core-groupcomm-bis] [I-D.ietf-core-groupcomm-bis]
Dijk, E., Wang, C., and M. Tiloca, "Group Communication Dijk, E., Wang, C., and M. Tiloca, "Group Communication
for the Constrained Application Protocol (CoAP)", draft- for the Constrained Application Protocol (CoAP)", draft-
dijk-core-groupcomm-bis-03 (work in progress), March ietf-core-groupcomm-bis-00 (work in progress), March 2020.
2020.
[NIST-800-56A]
Barker, E., Chen, L., Roginsky, A., Vassilev, A., and R.
Davis, "Recommendation for Pair-Wise Key-Establishment
Schemes Using Discrete Logarithm Cryptography - NIST
Special Publication 800-56A, Revision 3", April 2018,
<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/
NIST.SP.800-56Ar3.pdf>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker,
"Randomness Requirements for Security", BCP 106, RFC 4086, "Randomness Requirements for Security", BCP 106, RFC 4086,
DOI 10.17487/RFC4086, June 2005, DOI 10.17487/RFC4086, June 2005,
<https://www.rfc-editor.org/info/rfc4086>. <https://www.rfc-editor.org/info/rfc4086>.
skipping to change at page 42, line 30 skipping to change at page 46, line 35
o Application group, i.e. a set of CoAP endpoints that share a o Application group, i.e. a set of CoAP endpoints that share a
common pool of resources. common pool of resources.
o Security group, as defined in Section 1.1 of this specification. o Security group, as defined in Section 1.1 of this specification.
There can be a one-to-one or a one-to-many relation between There can be a one-to-one or a one-to-many relation between
security groups and application groups. Any two application security groups and application groups. Any two application
groups associated to the same security group do not share any same groups associated to the same security group do not share any same
resource. resource.
o CoAP group, as defined in [I-D.dijk-core-groupcomm-bis] i.e. a set o CoAP group, as defined in [I-D.ietf-core-groupcomm-bis] i.e. a set
of CoAP endpoints, where each endpoint is configured to receive of CoAP endpoints, where each endpoint is configured to receive
CoAP multicast requests that are sent to the group's associated IP CoAP multicast requests that are sent to the group's associated IP
multicast address and UDP port. An endpoint may be a member of multicast address and UDP port. An endpoint may be a member of
multiple CoAP groups. There can be a one-to-one or a one-to-many multiple CoAP groups. There can be a one-to-one or a one-to-many
relation between CoAP groups and application groups. Note that a relation between CoAP groups and application groups. Note that a
device sending a CoAP request to a CoAP group is not necessarily device sending a CoAP request to a CoAP group is not necessarily
itself a member of that group: it is a member only if it also has itself a member of that group: it is a member only if it also has
a CoAP server endpoint listening to requests for this CoAP group, a CoAP server endpoint listening to requests for this CoAP group,
sent to the associated IP multicast address and port. In order to sent to the associated IP multicast address and port. In order to
provide secure group communication, all members of a CoAP group as provide secure group communication, all members of a CoAP group as
skipping to change at page 43, line 13 skipping to change at page 47, line 22
senders and multiple recipients) communication topologies. The senders and multiple recipients) communication topologies. The
1-to-N communication topology is the simplest group communication 1-to-N communication topology is the simplest group communication
scenario that would serve the needs of a typical Low-power and scenario that would serve the needs of a typical Low-power and
Lossy Network (LLN). Examples of use cases that benefit from Lossy Network (LLN). Examples of use cases that benefit from
secure group communication are provided in Appendix B. secure group communication are provided in Appendix B.
In a 1-to-N communication model, only a single client transmits In a 1-to-N communication model, only a single client transmits
data to the CoAP group, in the form of request messages; in an data to the CoAP group, in the form of request messages; in an
M-to-N communication model (where M and N do not necessarily have M-to-N communication model (where M and N do not necessarily have
the same value), M clients transmit data to the CoAP group. the same value), M clients transmit data to the CoAP group.
According to [I-D.dijk-core-groupcomm-bis], any possible proxy According to [I-D.ietf-core-groupcomm-bis], any possible proxy
entity is supposed to know about the clients and to not perform entity is supposed to know about the clients and to not perform
aggregation of response messages from multiple servers. Also, aggregation of response messages from multiple servers. Also,
every client expects and is able to handle multiple response every client expects and is able to handle multiple response
messages associated to a same request sent to the CoAP group. messages associated to a same request sent to the CoAP group.
o Group size: security solutions for group communication should be o Group size: security solutions for group communication should be
able to adequately support different and possibly large security able to adequately support different and possibly large security
groups. The group size is the current number of members in a groups. The group size is the current number of members in a
security group. In the use cases mentioned in this document, the security group. In the use cases mentioned in this document, the
number of clients (normally the controlling devices) is expected number of clients (normally the controlling devices) is expected
skipping to change at page 45, line 13 skipping to change at page 49, line 21
group. group.
o Message ordering: it must be possible to determine the ordering of o Message ordering: it must be possible to determine the ordering of
messages coming from a single sender. In accordance with OSCORE messages coming from a single sender. In accordance with OSCORE
[RFC8613], this results in providing relative freshness of group [RFC8613], this results in providing relative freshness of group
requests and absolute freshness of responses. It is not required requests and absolute freshness of responses. It is not required
to determine ordering of messages from different senders. to determine ordering of messages from different senders.
Appendix B. List of Use Cases Appendix B. List of Use Cases
Group Communication for CoAP [I-D.dijk-core-groupcomm-bis] provides Group Communication for CoAP [I-D.ietf-core-groupcomm-bis] provides
the necessary background for multicast-based CoAP communication, with the necessary background for multicast-based CoAP communication, with
particular reference to low-power and lossy networks (LLNs) and particular reference to low-power and lossy networks (LLNs) and
resource constrained environments. The interested reader is resource constrained environments. The interested reader is
encouraged to first read [I-D.dijk-core-groupcomm-bis] to understand encouraged to first read [I-D.ietf-core-groupcomm-bis] to understand
the non-security related details. This section discusses a number of the non-security related details. This section discusses a number of
use cases that benefit from secure group communication, and refers to use cases that benefit from secure group communication, and refers to
the three types of groups from Appendix A. Specific security the three types of groups from Appendix A. Specific security
requirements for these use cases are discussed in Appendix A. requirements for these use cases are discussed in Appendix A.
o Lighting control: consider a building equipped with IP-connected o Lighting control: consider a building equipped with IP-connected
lighting devices, switches, and border routers. The lighting lighting devices, switches, and border routers. The lighting
devices acting as servers are organized into application groups devices acting as servers are organized into application groups
and CoAP groups, according to their physical location in the and CoAP groups, according to their physical location in the
building. For instance, lighting devices in a room or corridor building. For instance, lighting devices in a room or corridor
skipping to change at page 49, line 23 skipping to change at page 53, line 31
considered by server endpoints to synchronize with sender sequence considered by server endpoints to synchronize with sender sequence
numbers of client endpoints sending group requests. numbers of client endpoints sending group requests.
E.1. Best-Effort Synchronization E.1. Best-Effort Synchronization
Upon receiving a group request from a client, a server does not take Upon receiving a group request from a client, a server does not take
any action to synchonize with the sender sequence number of that any action to synchonize with the sender sequence number of that
client. This provides no assurance at all as to message freshness, client. This provides no assurance at all as to message freshness,
which can be acceptable in non-critical use cases. which can be acceptable in non-critical use cases.
With the notable exception of Observe notifications and responses
following a group rekeying, it is optional for the server to use its
own sender sequence number as Partial IV. Instead, for efficiency
reasons, the server may rather use the request's Partial IV when
protecting a response.
Since it provides no assurance as to freshness of requests, it is
thus RECOMMENDED that a server using this synchronization approach
always uses its own sender sequence number as Partial IV when
protecting a response.
E.2. Baseline Synchronization E.2. Baseline Synchronization
Upon receiving a group request from a given client for the first Upon receiving a group request from a given client for the first
time, a server initializes its last-seen sender sequence number in time, a server initializes its last-seen sender sequence number in
its Recipient Context associated to that client. However, the server its Recipient Context associated to that client. This provides a
drops the group request without delivering it to the application reference point to identify if future group requests from the same
layer. This provides a reference point to identify if future group client are fresher than the last one received.
requests from the same client are fresher than the last one received.
A replay time interval exists, between when a possibly replayed or A replay time interval exists, between when a possibly replayed or
delayed message is originally transmitted by a given client and the delayed message is originally transmitted by a given client and the
first authentic fresh message from that same client is received. first authentic fresh message from that same client is received.
This can be acceptable for use cases where servers admit such a This can be acceptable for use cases where servers admit such a
trade-off between performance and assurance of message freshness. trade-off between performance and assurance of message freshness.
With the notable exception of Observe notifications and responses
following a group rekeying, it is optional for the server to use its
own sender sequence number as Partial IV. Instead, for efficiency
reasons, the server may rather use the request's Partial IV when
protecting a response.
In case the baseline synchronization state related to a client is
lost, it is RECOMMENDED that the server uses its own sender sequence
number as Partial IV when protecting a response to that client, until
a new baseline synchronization state for that client is established.
E.3. Challenge-Response Synchronization E.3. Challenge-Response Synchronization
A server performs a challenge-response exchange with a client, by A server performs a challenge-response exchange with a client, by
using the Echo Option for CoAP described in Section 2 of using the Echo Option for CoAP described in Section 2 of
[I-D.ietf-core-echo-request-tag] and according to Appendix B.1.2 of [I-D.ietf-core-echo-request-tag] and according to Appendix B.1.2 of
[RFC8613]. [RFC8613].
That is, upon receiving a group request from a particular client for That is, upon receiving a group request from a particular client for
the first time, the server processes the message as described in the first time, the server processes the message as described in this
Section 7.2 of this specification, but, even if valid, does not specification, but, even if valid, does not deliver it to the
deliver it to the application. Instead, the server replies to the application. Instead, the server replies to the client with an
client with an OSCORE protected 4.01 (Unauthorized) response message, OSCORE protected 4.01 (Unauthorized) response message, including only
including only the Echo Option and no diagnostic payload. The server the Echo Option and no diagnostic payload. The server stores the
stores the option value included therein. option value included therein.
Upon receiving a 4.01 (Unauthorized) response that includes an Echo Upon receiving a 4.01 (Unauthorized) response that includes an Echo
Option and originates from a verified group member, a client sends a Option and originates from a verified group member, a client sends a
request as a unicast message addressed to the same server, echoing request as a unicast message addressed to the same server, echoing
the Echo Option value. In particular, the client does not the Echo Option value. In particular, the client does not
necessarily resend the same group request, but can instead send a necessarily resend the same group request, but can instead send a
more recent one, if the application permits it. This makes it more recent one, if the application permits it. This makes it
possible for the client to not retain previously sent group requests possible for the client to not retain previously sent group requests
for full retransmission, unless the application explicitly requires for full retransmission, unless the application explicitly requires
otherwise. Either case, the client uses the sender sequence number otherwise. In either case, the client uses the sender sequence
value currently stored in its own Sender Context. If the client number value currently stored in its own Sender Context. If the
stores group requests for possible retransmission with the Echo client stores group requests for possible retransmission with the
Option, it should not store a given request for longer than a pre- Echo Option, it should not store a given request for longer than a
configured time interval. Note that the unicast request echoing the pre-configured time interval. Note that the unicast request echoing
Echo Option is correctly treated and processed as a message, since the Echo Option is correctly treated and processed as a message,
the 'kid context' field including the Group Identifier of the OSCORE since the 'kid context' field including the Group Identifier of the
group is still present in the OSCORE Option as part of the COSE OSCORE group is still present in the OSCORE Option as part of the
object (see Section 4). COSE object (see Section 4).
Upon receiving the unicast request including the Echo Option, the Upon receiving the unicast request including the Echo Option, the
server verifies that the option value equals the stored and server verifies that the option value equals the stored and
previously sent value; otherwise, the request is silently discarded. previously sent value. If not, the server MUST NOT process the
Then, the server verifies that the unicast request has been received request further and MAY send a 4.01 (Unauthorized) response including
within a pre-configured time interval, as described in an Echo option.
[I-D.ietf-core-echo-request-tag]. In such a case, the request is
further processed and verified; otherwise, it is silently discarded. In case of positive verification, the request is further processed
Finally, the server updates the Recipient Context associated to that and verified. Finally, the server updates the Recipient Context
client, by setting the Replay Window according to the Sequence Number associated to that client, by setting the Replay Window according to
from the unicast request conveying the Echo Option. The server the Sequence Number from the unicast request conveying the Echo
either delivers the request to the application if it is an actual Option. The server either delivers the request to the application if
retransmission of the original one, or discards it otherwise. it is an actual retransmission of the original one, or discards it
Mechanisms to signal whether the resent request is a full otherwise. Mechanisms to signal whether the resent request is a full
retransmission of the original one are out of the scope of this retransmission of the original one are out of the scope of this
specification. specification.
In case it does not receive a valid unicast request including the
Echo Option within the configured time interval, the server endpoint
should perform the same challenge-response upon receiving the next
group request from that same client.
A server should not deliver group requests from a given client to the A server should not deliver group requests from a given client to the
application until one valid request from that same client has been application until one valid request from that same client has been
verified as fresh, as conveying an echoed Echo Option verified as fresh, as conveying an echoed Echo Option
[I-D.ietf-core-echo-request-tag]. Also, a server may perform the [I-D.ietf-core-echo-request-tag]. Also, a server may perform the
challenge-response described above at any time, if synchronization challenge-response described above at any time, if synchronization
with sender sequence numbers of clients is (believed to be) lost, for with sender sequence numbers of clients is (believed to be) lost, for
instance after a device reboot. It is the role of the application to instance after a device reboot. It is the role of the application to
define under what circumstances sender sequence numbers lose define under what circumstances sender sequence numbers lose
synchronization. This can include a minimum gap between the sender synchronization. This can include a minimum gap between the sender
sequence number of the latest accepted group request from a client sequence number of the latest accepted group request from a client
and the sender sequence number of a group request just received from and the sender sequence number of a group request just received from
the same client. A client has to be always ready to perform the the same client. A client has to be always ready to perform the
challenge-response based on the Echo Option in case a server starts challenge-response based on the Echo Option in case a server starts
it. it.
This approach provides an assurance of absolute message freshness.
However, it can result in an impact on performance which is
undesirable or unbearable, especially in large groups where many
endpoints at the same time might join as new members or lose
synchronization.
Note that endpoints configured as silent servers are not able to Note that endpoints configured as silent servers are not able to
perform the challenge-response described above, as they do not store perform the challenge-response described above, as they do not store
a Sender Context to secure the 4.01 (Unauthorized) response to the a Sender Context to secure the 4.01 (Unauthorized) response to the
client. Therefore, silent servers should adopt alternative client. Therefore, silent servers should adopt alternative
approaches to achieve and maintain synchronization with sender approaches to achieve and maintain synchronization with sender
sequence numbers of clients. sequence numbers of clients.
If this approach is used, it is important that all the group members Since requests including the Echo Option are sent over unicast, a
acting as non-silent servers understand the elective Echo Option. server can be a victim of the attack discussed in Section 10.7, when
This will ensure that those servers cannot be victim of the attack such requests are protected with the signature mode of Group OSCORE,
discussed in Section 10.7, in spite of the fact that the requests as described in Section 7.1.
including the Echo Option are sent over unicast and secured with
Group OSCORE. On the other hand, an internal on-path adversary would
not be able to mix up the Echo Option value of two different unicast
requests, sent by a same client to any two different servers in the
group. In fact, this would require the adversary to forge the
client's counter signature in both such requests. As a consequence,
each of the two servers remains able to selectively accept a request
with the Echo Option only if it is waiting for that exact integrity-
protected Echo Option value, and is thus the intended recipient.
This approach provides an assurance of absolute message freshness. Instead, protecting requests with the Echo Option by using the
However, it can result in an impact on performance which is pairwise mode of Group OSCORE as described in Appendix G.2 prevents
undesirable or unbearable, especially in large groups where many the attack in Section 10.7. In fact, only the exact server involved
endpoints at the same time might join as new members or lose in the Echo exchange is able to derive the correct pairwise key used
synchronization. by the client to protect the request including the Echo Option.
The use of pairwise keys (see Appendix G) for the unicast Echo In either case, an internal on-path adversary would not be able to
messages reduces the message overhead. mix up the Echo Option value of two different unicast requests, sent
by a same client to any two different servers in the group. In fact,
this would require the adversary to forge the client's counter
signature in both such requests. As a consequence, each of the two
servers remains able to selectively accept a request with the Echo
Option only if it is waiting for that exact integrity-protected Echo
Option value, and is thus the intended recipient.
Appendix F. No Verification of Signatures Appendix F. No Verification of Signatures
There are some application scenarios using group communication that There are some application scenarios using group communication that
have particularly strict requirements. One example of this is the have particularly strict requirements. One example of this is the
requirement of low message latency in non-emergency lighting requirement of low message latency in non-emergency lighting
applications [I-D.somaraju-ace-multicast]. For those applications applications [I-D.somaraju-ace-multicast]. For those applications
which have tight performance constraints and relaxed security which have tight performance constraints and relaxed security
requirements, it can be inconvenient for some endpoints to verify requirements, it can be inconvenient for some endpoints to verify
digital signatures in order to assert source authenticity of received digital signatures in order to assert source authenticity of received
skipping to change at page 52, line 35 skipping to change at page 57, line 14
Appendix G. Pairwise Mode Appendix G. Pairwise Mode
For use cases that do not require an intermediary performing For use cases that do not require an intermediary performing
signature verification and that use a compatible signature algorithm, signature verification and that use a compatible signature algorithm,
the pairwise mode defined in this section can be used for unicast the pairwise mode defined in this section can be used for unicast
communication. communication.
This mode uses the derivation process defined in Section 3, and This mode uses the derivation process defined in Section 3, and
allows two group members to protect requests and responses exchanged allows two group members to protect requests and responses exchanged
with each other using pairwise keying material. Senders MUST NOT use with each other using pairwise keying material.
the pairwise mode to protect a message addressed to multiple
recipients or to the whole group. Senders MUST NOT use the pairwise mode to protect a message addressed
to multiple recipients or to the whole group. This prevents a client
that wants to address one specific server from protecting a request
with the pairwise key associated to that server, and then send the
request over multicast.
The pairwise mode results in the same performance and security The pairwise mode results in the same performance and security
improvements displayed by optimized responses (see Section 9.2). improvements displayed by optimized responses (see Section 9.2).
G.1. Pre-Requirements G.1. Pre-Requirements
In order to protect an outgoing message in pairwise mode, a sender In order to protect an outgoing message in pairwise mode, a sender
needs to know the public key and the Recipient ID for the message needs to know the public key and the Recipient ID for the message
recipient, as stored in its own Recipient Context associated to that recipient, as stored in its own Recipient Context associated to that
recipient. recipient.
Furthermore, the sender needs to know the individual address of the Furthermore, the sender needs to know the individual address of the
message recipient. This information may not be known at any given message recipient. This information may not be known at any given
point in time. For instance, right after having joined the group, a point in time. For instance, right after having joined the group, a
client may know the public key and Recipient ID for a given server, client may know the public key and Recipient ID for a given server,
but not the addressing information required to reach it with an but not the addressing information required to reach it with an
individual, one-to-one request. individual, one-to-one request.
To make this information available, servers supporting the pairwise To make this information available, servers MAY provide a resource to
mode MAY provide the following service, enabling the discovery of which a client can send a request for a server identified by its
their own addressing information to the clients in the group. 'kid' value, or a set thereof. The specified set may be empty, hence
identifying all the servers in the group. Further details of such an
o The servers host a well-known address-discovery resource with a interface are out of scope for this document.
common URI path, which can be pre-configured or provided to new
group members by the Group Manager during the joining process.
o A client can send a POST request to the whole group, hence
protected as in Section 7.1 or Section 9.1.1, and addressed to the
address-discovery resource. The request payload includes a CBOR
map, specifying one Recipient ID for every specific server, from
which the client wishes to retrieve individual addressing
information.
o Each server recognizing its own Sender ID within the request
payload replies to the client. The response is protected as in
Section 7.3 or Section 9.2, and its payload includes a CBOR map
specifying the individual addressing information of that server.
G.2. Pairwise Protected Request G.2. Pairwise Protected Request
A request in pairwise mode is protected as defined in Section 7.1, A request in pairwise mode is protected as defined in Section 7.1,
with the following differences. with the following differences.
o The client MUST set to 1 the sixth least significant bit of the o The client MUST set to 1 the sixth least significant bit of the
OSCORE flag bits in the OSCORE option, i.e. the Pairwise Flag. OSCORE flag bits in the OSCORE option, i.e. the Pairwise Flag.
o The COSE_Encrypt0 object included in the request is encrypted o The COSE_Encrypt0 object included in the request is encrypted
skipping to change at page 54, line 21 skipping to change at page 58, line 38
G.3. Pairwise Protected Response G.3. Pairwise Protected Response
When using the pairwise mode, the processing of a response occurs as When using the pairwise mode, the processing of a response occurs as
described in Section 9.2 for an optimized response. described in Section 9.2 for an optimized response.
Appendix H. Document Updates Appendix H. Document Updates
RFC EDITOR: PLEASE REMOVE THIS SECTION. RFC EDITOR: PLEASE REMOVE THIS SECTION.
H.1. Version -06 to -07 H.1. Version -07 to -08
o Clarified relation between pairwise mode and group communication
(Section 1).
o Improved definition of "silent server" (Section 1.1).
o Clarified when a Recipient Context is needed (Section 2).
o Signature checkers as entities supported by the Group Manager
(Section 2.3).
o Clarified that the Group Manager is under exclusive control of Gid
and Sender ID values in a group, with Sender ID values under each
Gid value (Section 2.3).
o Mitigation policies in case of recycled 'kid' values
(Section 2.4).
o More generic exhaustion (not necessarily wrap-around) of sender
sequence numbers (Sections 2.5 and 10.11).
o Pairwise key considerations, as to group rekeying and Sender
Sequence Numbers (Section 3).
o Added reference to static-static Diffie-Hellman shared secret
(Section 3).
o Note for implementation about the external_aad for signing
(Sectino 4.3.2).
o Retransmission by the application for group requests over
multicast as Non-Confirmable (Section 7).
o A server MUST use its own Partial IV in a response, if protecting
it with a different context than the one used for the request
(Section 7.3).
o Security considerations: encryption of pairwise mode as
alternative to group-level security (Section 10.1).
o Security considerations: added approach to reduce the chance of
global collisions of Gid values from different Group Managers
(Section 10.5).
o Security considerations: added implications for block-wise
transfers when using the signature mode for requests over unicast
(Section 10.7).
o Security considerations: (multiple) supported signature algorithms
(Section 10.13).
o Security considerations: added privacy considerations on the
approach for reducing global collisions of Gid values
(Section 10.15).
o Updates to the methods for synchronizing with clients' sequence
number (Appendix E).
o Simplified text on discovery services supporting the pairwise mode
(Appendix G.1).
o Editorial improvements.
H.2. Version -06 to -07
o Updated abstract and introduction. o Updated abstract and introduction.
o Clarifications of what pertains a group rekeying. o Clarifications of what pertains a group rekeying.
o Derivation of pairwise keying material. o Derivation of pairwise keying material.
o Content re-organization for COSE Object and OSCORE header o Content re-organization for COSE Object and OSCORE header
compression. compression.
skipping to change at page 55, line 5 skipping to change at page 60, line 37
o Security considerations on Group OSCORE for unicast requests, also o Security considerations on Group OSCORE for unicast requests, also
as affecting the usage of the Echo option. as affecting the usage of the Echo option.
o Clarification on different types of groups considered o Clarification on different types of groups considered
(application/security/CoAP). (application/security/CoAP).
o New pairwise mode, using pairwise keying material for both o New pairwise mode, using pairwise keying material for both
requests and responses. requests and responses.
H.2. Version -05 to -06 H.3. Version -05 to -06
o Group IDs mandated to be unique under the same Group Manager. o Group IDs mandated to be unique under the same Group Manager.
o Clarifications on parameter update upon group rekeying. o Clarifications on parameter update upon group rekeying.
o Updated external_aad structures. o Updated external_aad structures.
o Dynamic derivation of Recipient Contexts made optional and o Dynamic derivation of Recipient Contexts made optional and
application specific. application specific.
skipping to change at page 55, line 33 skipping to change at page 61, line 16
rekeying. rekeying.
o Added Group Manager responsibility on validating public keys. o Added Group Manager responsibility on validating public keys.
o Updates IANA registries. o Updates IANA registries.
o Reference to RFC 8613. o Reference to RFC 8613.
o Editorial improvements. o Editorial improvements.
H.3. Version -04 to -05 H.4. Version -04 to -05
o Added references to draft-dijk-core-groupcomm-bis. o Added references to draft-dijk-core-groupcomm-bis.
o New parameter Counter Signature Key Parameters (Section 2). o New parameter Counter Signature Key Parameters (Section 2).
o Clarification about Recipient Contexts (Section 2). o Clarification about Recipient Contexts (Section 2).
o Two different external_aad for encrypting and signing o Two different external_aad for encrypting and signing
(Section 3.1). (Section 3.1).
o Updated response verification to handle Observe notifications o Updated response verification to handle Observe notifications
(Section 6.4). (Section 6.4).
o Extended Security Considerations (Section 8). o Extended Security Considerations (Section 8).
o New "Counter Signature Key Parameters" IANA Registry o New "Counter Signature Key Parameters" IANA Registry
(Section 9.2). (Section 9.2).
H.4. Version -03 to -04 H.5. Version -03 to -04
o Added the new "Counter Signature Parameters" in the Common Context o Added the new "Counter Signature Parameters" in the Common Context
(see Section 2). (see Section 2).
o Added recommendation on using "deterministic ECDSA" if ECDSA is o Added recommendation on using "deterministic ECDSA" if ECDSA is
used as counter signature algorithm (see Section 2). used as counter signature algorithm (see Section 2).
o Clarified possible asynchronous retrieval of keying material from o Clarified possible asynchronous retrieval of keying material from
the Group Manager, in order to process incoming messages (see the Group Manager, in order to process incoming messages (see
Section 2). Section 2).
skipping to change at page 57, line 5 skipping to change at page 62, line 32
o Handling of just created Recipient Contexts in case of o Handling of just created Recipient Contexts in case of
unsuccessful message verification (see Sections 6.2 and 6.4). unsuccessful message verification (see Sections 6.2 and 6.4).
o Handling of replied/repeated responses on the client (see o Handling of replied/repeated responses on the client (see
Section 6.4). Section 6.4).
o New IANA Registry "Counter Signature Parameters" (see o New IANA Registry "Counter Signature Parameters" (see
Section 9.1). Section 9.1).
H.5. Version -02 to -03 H.6. Version -02 to -03
o Revised structure and phrasing for improved readability and better o Revised structure and phrasing for improved readability and better
alignment with draft-ietf-core-object-security. alignment with draft-ietf-core-object-security.
o Added discussion on wrap-Around of Partial IVs (see Section 2.2). o Added discussion on wrap-Around of Partial IVs (see Section 2.2).
o Separate sections for the COSE Object (Section 3) and the OSCORE o Separate sections for the COSE Object (Section 3) and the OSCORE
Header Compression (Section 4). Header Compression (Section 4).
o The countersignature is now appended to the encrypted payload of o The countersignature is now appended to the encrypted payload of
skipping to change at page 57, line 39 skipping to change at page 63, line 19
Section 7. Section 7.
o Revised and extended security considerations in Section 8. o Revised and extended security considerations in Section 8.
o Added IANA considerations for the OSCORE Flag Bits Registry in o Added IANA considerations for the OSCORE Flag Bits Registry in
Section 9. Section 9.
o Revised Appendix D, now giving a short high-level description of a o Revised Appendix D, now giving a short high-level description of a
new endpoint set-up. new endpoint set-up.
H.6. Version -01 to -02 H.7. Version -01 to -02
o Terminology has been made more aligned with RFC7252 and draft- o Terminology has been made more aligned with RFC7252 and draft-
ietf-core-object-security: i) "client" and "server" replace the ietf-core-object-security: i) "client" and "server" replace the
old "multicaster" and "listener", respectively; ii) "silent old "multicaster" and "listener", respectively; ii) "silent
server" replaces the old "pure listener". server" replaces the old "pure listener".
o Section 2 has been updated to have the Group Identifier stored in o Section 2 has been updated to have the Group Identifier stored in
the 'ID Context' parameter defined in draft-ietf-core-object- the 'ID Context' parameter defined in draft-ietf-core-object-
security. security.
skipping to change at page 58, line 26 skipping to change at page 64, line 5
implications of possible collisions of group identifiers. implications of possible collisions of group identifiers.
o Updated Appendix D.2, adding a pointer to draft-palombini-ace-key- o Updated Appendix D.2, adding a pointer to draft-palombini-ace-key-
groupcomm about retrieval of nodes' public keys through the Group groupcomm about retrieval of nodes' public keys through the Group
Manager. Manager.
o Minor updates to Appendix E.3 about Challenge-Response o Minor updates to Appendix E.3 about Challenge-Response
synchronization of sequence numbers based on the Echo option from synchronization of sequence numbers based on the Echo option from
draft-ietf-core-echo-request-tag. draft-ietf-core-echo-request-tag.
H.7. Version -00 to -01 H.8. Version -00 to -01
o Section 1.1 has been updated with the definition of group as o Section 1.1 has been updated with the definition of group as
"security group". "security group".
o Section 2 has been updated with: o Section 2 has been updated with:
* Clarifications on etablishment/derivation of Security Contexts. * Clarifications on etablishment/derivation of Security Contexts.
* A table summarizing the the additional context elements * A table summarizing the the additional context elements
compared to OSCORE. compared to OSCORE.
skipping to change at page 59, line 14 skipping to change at page 64, line 41
o Appendix B has been updated with more details on the use cases. o Appendix B has been updated with more details on the use cases.
o Added Appendix C, providing an example of Group Identifier format. o Added Appendix C, providing an example of Group Identifier format.
o Appendix D has been updated to be aligned with draft-palombini- o Appendix D has been updated to be aligned with draft-palombini-
ace-key-groupcomm. ace-key-groupcomm.
Acknowledgments Acknowledgments
The authors sincerely thank Stefan Beck, Rolf Blom, Carsten Bormann, The authors sincerely thank Christian Amsuess, Stefan Beck, Rolf
Esko Dijk, Klaus Hartke, Rikard Hoeglund, Richard Kelsey, John Blom, Carsten Bormann, Esko Dijk, Klaus Hartke, Rikard Hoeglund,
Mattsson, Dave Robin, Jim Schaad, Ludwig Seitz, Peter van der Stok Richard Kelsey, John Mattsson, Dave Robin, Jim Schaad, Ludwig Seitz,
and Erik Thormarker for their feedback and comments. Peter van der Stok and Erik Thormarker for their feedback and
comments.
The work on this document has been partly supported by VINNOVA and The work on this document has been partly supported by VINNOVA and
the Celtic-Next project CRITISEC; and by the EIT-Digital High Impact the Celtic-Next project CRITISEC; and by the EIT-Digital High Impact
Initiative ACTIVE. Initiative ACTIVE.
Authors' Addresses Authors' Addresses
Marco Tiloca Marco Tiloca
RISE AB RISE AB
Isafjordsgatan 22 Isafjordsgatan 22
 End of changes. 87 change blocks. 
307 lines changed or deleted 526 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/