draft-ietf-core-oscore-groupcomm-08.txt   draft-ietf-core-oscore-groupcomm-09.txt 
CoRE Working Group M. Tiloca CoRE Working Group M. Tiloca
Internet-Draft RISE AB Internet-Draft RISE AB
Intended status: Standards Track G. Selander Intended status: Standards Track G. Selander
Expires: October 8, 2020 F. Palombini Expires: December 25, 2020 F. Palombini
Ericsson AB Ericsson AB
J. Park J. Park
Universitaet Duisburg-Essen Universitaet Duisburg-Essen
April 06, 2020 June 23, 2020
Group OSCORE - Secure Group Communication for CoAP Group OSCORE - Secure Group Communication for CoAP
draft-ietf-core-oscore-groupcomm-08 draft-ietf-core-oscore-groupcomm-09
Abstract Abstract
This document defines Group Object Security for Constrained RESTful This document defines Group Object Security for Constrained RESTful
Environments (Group OSCORE), providing end-to-end security of CoAP Environments (Group OSCORE), providing end-to-end security of CoAP
messages exchanged between members of a group, e.g. using IP messages exchanged between members of a group, e.g. sent over IP
multicast. In particular, the described approach defines how OSCORE multicast. In particular, the described approach defines how OSCORE
should be used in a group communication setting to provide source is used in a group communication setting to provide source
authentication for CoAP group requests, sent by a client to multiple authentication for CoAP group requests, sent by a client to multiple
servers, and the corresponding CoAP responses. servers, and for protection of the corresponding CoAP responses.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 8, 2020. This Internet-Draft will expire on December 25, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6
2. Security Context . . . . . . . . . . . . . . . . . . . . . . 7 2. Security Context . . . . . . . . . . . . . . . . . . . . . . 7
2.1. Common Context . . . . . . . . . . . . . . . . . . . . . 7 2.1. Common Context . . . . . . . . . . . . . . . . . . . . . 8
2.2. Sender Context and Recipient Context . . . . . . . . . . 8 2.1.1. ID Context . . . . . . . . . . . . . . . . . . . . . 8
2.3. The Group Manager . . . . . . . . . . . . . . . . . . . . 9 2.1.2. Counter Signature Algorithm . . . . . . . . . . . . . 9
2.4. Management of Group Keying Material . . . . . . . . . . . 10 2.1.3. Counter Signature Parameters . . . . . . . . . . . . 9
2.5. Exhaustion of Partial IV Values . . . . . . . . . . . . . 11 2.1.4. Counter Signature Key Parameters . . . . . . . . . . 10
3. Pairwise Keys . . . . . . . . . . . . . . . . . . . . . . . . 12 2.2. Sender Context and Recipient Context . . . . . . . . . . 10
3.1. Key Derivation . . . . . . . . . . . . . . . . . . . . . 12 2.3. Pairwise Keys . . . . . . . . . . . . . . . . . . . . . . 11
3.2. Usage of Sequence Numbers . . . . . . . . . . . . . . . . 13 2.3.1. Derivation of Pairwise Keys . . . . . . . . . . . . . 11
3.3. Note on Implementation . . . . . . . . . . . . . . . . . 13 2.3.2. Usage of Sequence Numbers . . . . . . . . . . . . . . 12
4. The COSE Object . . . . . . . . . . . . . . . . . . . . . . . 14 2.3.3. Security Context for Pairwise Mode . . . . . . . . . 12
4.1. Counter Signature . . . . . . . . . . . . . . . . . . . . 14 2.4. Update of Security Context . . . . . . . . . . . . . . . 13
4.2. The 'kid' and 'kid context' parameters . . . . . . . . . 14 2.4.1. Loss of Mutable Security Context . . . . . . . . . . 13
4.3. external_aad . . . . . . . . . . . . . . . . . . . . . . 15 2.4.2. Exhaustion of Sender Sequence Numbers . . . . . . . . 13
4.3.1. external_aad for Encryption . . . . . . . . . . . . . 15 2.4.3. Retrieving New Security Context Parameters . . . . . 14
4.3.2. external_aad for Signing . . . . . . . . . . . . . . 16 3. The Group Manager . . . . . . . . . . . . . . . . . . . . . . 15
5. OSCORE Header Compression . . . . . . . . . . . . . . . . . . 17 3.1. Management of Group Keying Material . . . . . . . . . . . 16
5.1. Examples of Compressed COSE Objects . . . . . . . . . . . 17 3.2. Responsibilities of the Group Manager . . . . . . . . . . 17
4. The COSE Object . . . . . . . . . . . . . . . . . . . . . . . 18
4.1. Counter Signature . . . . . . . . . . . . . . . . . . . . 18
4.2. The 'kid' and 'kid context' parameters . . . . . . . . . 19
4.3. external_aad . . . . . . . . . . . . . . . . . . . . . . 19
4.3.1. external_aad for Encryption . . . . . . . . . . . . . 19
4.3.2. external_aad for Signing . . . . . . . . . . . . . . 20
5. OSCORE Header Compression . . . . . . . . . . . . . . . . . . 21
5.1. Examples of Compressed COSE Objects . . . . . . . . . . . 21
5.1.1. Examples in Group Mode . . . . . . . . . . . . . . . 22
5.1.2. Examples in Pairwise Mode . . . . . . . . . . . . . . 23
6. Message Binding, Sequence Numbers, Freshness and Replay 6. Message Binding, Sequence Numbers, Freshness and Replay
Protection . . . . . . . . . . . . . . . . . . . . . . . . . 19 Protection . . . . . . . . . . . . . . . . . . . . . . . . . 24
6.1. Synchronization of Sender Sequence Numbers . . . . . . . 19 6.1. Update of Replay Window . . . . . . . . . . . . . . . . . 24
7. Message Processing . . . . . . . . . . . . . . . . . . . . . 19 7. Message Reception . . . . . . . . . . . . . . . . . . . . . . 24
7.1. Protecting the Request . . . . . . . . . . . . . . . . . 20 8. Message Processing in Group Mode . . . . . . . . . . . . . . 25
7.1.1. Supporting Observe . . . . . . . . . . . . . . . . . 21 8.1. Protecting the Request . . . . . . . . . . . . . . . . . 26
7.2. Verifying the Request . . . . . . . . . . . . . . . . . . 21 8.1.1. Supporting Observe . . . . . . . . . . . . . . . . . 26
7.2.1. Supporting Observe . . . . . . . . . . . . . . . . . 22 8.2. Verifying the Request . . . . . . . . . . . . . . . . . . 26
7.3. Protecting the Response . . . . . . . . . . . . . . . . . 22 8.2.1. Supporting Observe . . . . . . . . . . . . . . . . . 27
7.3.1. Supporting Observe . . . . . . . . . . . . . . . . . 23
7.4. Verifying the Response . . . . . . . . . . . . . . . . . 23 8.3. Protecting the Response . . . . . . . . . . . . . . . . . 28
7.4.1. Supporting Observe . . . . . . . . . . . . . . . . . 24 8.3.1. Supporting Observe . . . . . . . . . . . . . . . . . 28
8. Responsibilities of the Group Manager . . . . . . . . . . . . 24 8.4. Verifying the Response . . . . . . . . . . . . . . . . . 29
9. Optimized Mode . . . . . . . . . . . . . . . . . . . . . . . 25 8.4.1. Supporting Observe . . . . . . . . . . . . . . . . . 30
9.1. Optimized Request . . . . . . . . . . . . . . . . . . . . 25 9. Message Processing in Pairwise Mode . . . . . . . . . . . . . 30
9.1.1. Optimized Compressed Request . . . . . . . . . . . . 25 9.1. Pre-Conditions . . . . . . . . . . . . . . . . . . . . . 31
9.2. Optimized Response . . . . . . . . . . . . . . . . . . . 26 9.2. Protecting the Request . . . . . . . . . . . . . . . . . 31
9.2.1. Optimized Compressed Response . . . . . . . . . . . . 26 9.3. Verifying the Request . . . . . . . . . . . . . . . . . . 32
10. Security Considerations . . . . . . . . . . . . . . . . . . . 26 9.4. Protecting the Response . . . . . . . . . . . . . . . . . 32
10.1. Group-level Security . . . . . . . . . . . . . . . . . . 27 9.5. Verifying the Response . . . . . . . . . . . . . . . . . 33
10.2. Uniqueness of (key, nonce) . . . . . . . . . . . . . . . 28 10. Security Considerations . . . . . . . . . . . . . . . . . . . 33
10.3. Management of Group Keying Material . . . . . . . . . . 28 10.1. Group-level Security . . . . . . . . . . . . . . . . . . 34
10.4. Update of Security Context and Key Rotation . . . . . . 29 10.2. Uniqueness of (key, nonce) . . . . . . . . . . . . . . . 35
10.4.1. Late Update on the Sender . . . . . . . . . . . . . 29 10.3. Management of Group Keying Material . . . . . . . . . . 35
10.4.2. Late Update on the Recipient . . . . . . . . . . . . 30 10.4. Update of Security Context and Key Rotation . . . . . . 36
10.5. Collision of Group Identifiers . . . . . . . . . . . . . 30 10.4.1. Late Update on the Sender . . . . . . . . . . . . . 36
10.6. Cross-group Message Injection . . . . . . . . . . . . . 30 10.4.2. Late Update on the Recipient . . . . . . . . . . . . 37
10.7. Group OSCORE for Unicast Requests . . . . . . . . . . . 32 10.5. Collision of Group Identifiers . . . . . . . . . . . . . 37
10.8. End-to-end Protection . . . . . . . . . . . . . . . . . 33 10.6. Cross-group Message Injection . . . . . . . . . . . . . 38
10.9. Security Context Establishment . . . . . . . . . . . . . 33 10.6.1. Attack Description . . . . . . . . . . . . . . . . . 38
10.10. Master Secret . . . . . . . . . . . . . . . . . . . . . 34 10.6.2. Attack Prevention in Group Mode . . . . . . . . . . 39
10.11. Replay Protection . . . . . . . . . . . . . . . . . . . 34 10.7. Group OSCORE for Unicast Requests . . . . . . . . . . . 40
10.12. Client Aliveness . . . . . . . . . . . . . . . . . . . . 35 10.8. End-to-end Protection . . . . . . . . . . . . . . . . . 41
10.13. Cryptographic Considerations . . . . . . . . . . . . . . 35 10.9. Master Secret . . . . . . . . . . . . . . . . . . . . . 41
10.14. Message Segmentation . . . . . . . . . . . . . . . . . . 36 10.10. Replay Protection . . . . . . . . . . . . . . . . . . . 42
10.15. Privacy Considerations . . . . . . . . . . . . . . . . . 36 10.11. Client Aliveness . . . . . . . . . . . . . . . . . . . . 43
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 37 10.12. Cryptographic Considerations . . . . . . . . . . . . . . 43
11.1. Counter Signature Parameters Registry . . . . . . . . . 37 10.13. Message Segmentation . . . . . . . . . . . . . . . . . . 44
11.2. Counter Signature Key Parameters Registry . . . . . . . 40 10.14. Privacy Considerations . . . . . . . . . . . . . . . . . 44
11.3. OSCORE Flag Bits Registry . . . . . . . . . . . . . . . 42 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 45
11.4. Expert Review Instructions . . . . . . . . . . . . . . . 42 11.1. OSCORE Flag Bits Registry . . . . . . . . . . . . . . . 45
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 43 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 45
12.1. Normative References . . . . . . . . . . . . . . . . . . 43 12.1. Normative References . . . . . . . . . . . . . . . . . . 45
12.2. Informative References . . . . . . . . . . . . . . . . . 44 12.2. Informative References . . . . . . . . . . . . . . . . . 47
Appendix A. Assumptions and Security Objectives . . . . . . . . 46 Appendix A. Assumptions and Security Objectives . . . . . . . . 49
A.1. Assumptions . . . . . . . . . . . . . . . . . . . . . . . 47 A.1. Assumptions . . . . . . . . . . . . . . . . . . . . . . . 49
A.2. Security Objectives . . . . . . . . . . . . . . . . . . . 48 A.2. Security Objectives . . . . . . . . . . . . . . . . . . . 51
Appendix B. List of Use Cases . . . . . . . . . . . . . . . . . 49 Appendix B. List of Use Cases . . . . . . . . . . . . . . . . . 52
Appendix C. Example of Group Identifier Format . . . . . . . . . 51 Appendix C. Example of Group Identifier Format . . . . . . . . . 54
Appendix D. Set-up of New Endpoints . . . . . . . . . . . . . . 52 Appendix D. Set-up of New Endpoints . . . . . . . . . . . . . . 55
Appendix E. Examples of Synchronization Approaches . . . . . . . 53 Appendix E. Examples of Synchronization Approaches . . . . . . . 56
E.1. Best-Effort Synchronization . . . . . . . . . . . . . . . 53 E.1. Best-Effort Synchronization . . . . . . . . . . . . . . . 56
E.2. Baseline Synchronization . . . . . . . . . . . . . . . . 53 E.2. Baseline Synchronization . . . . . . . . . . . . . . . . 56
E.3. Challenge-Response Synchronization . . . . . . . . . . . 54 E.3. Challenge-Response Synchronization . . . . . . . . . . . 57
Appendix F. No Verification of Signatures . . . . . . . . . . . 56 Appendix F. No Verification of Signatures in Group Mode . . . . 60
Appendix G. Pairwise Mode . . . . . . . . . . . . . . . . . . . 57 Appendix G. Optimized Request . . . . . . . . . . . . . . . . . 60
G.1. Pre-Requirements . . . . . . . . . . . . . . . . . . . . 57 Appendix H. Example Values of Parameters for Countersignatures . 61
G.2. Pairwise Protected Request . . . . . . . . . . . . . . . 57 Appendix I. Document Updates . . . . . . . . . . . . . . . . . . 61
G.3. Pairwise Protected Response . . . . . . . . . . . . . . . 58 I.1. Version -08 to -09 . . . . . . . . . . . . . . . . . . . 62
Appendix H. Document Updates . . . . . . . . . . . . . . . . . . 58 I.2. Version -07 to -08 . . . . . . . . . . . . . . . . . . . 62
H.1. Version -07 to -08 . . . . . . . . . . . . . . . . . . . 58 I.3. Version -06 to -07 . . . . . . . . . . . . . . . . . . . 64
H.2. Version -06 to -07 . . . . . . . . . . . . . . . . . . . 60 I.4. Version -05 to -06 . . . . . . . . . . . . . . . . . . . 64
H.3. Version -05 to -06 . . . . . . . . . . . . . . . . . . . 60 I.5. Version -04 to -05 . . . . . . . . . . . . . . . . . . . 65
H.4. Version -04 to -05 . . . . . . . . . . . . . . . . . . . 61 I.6. Version -03 to -04 . . . . . . . . . . . . . . . . . . . 65
H.5. Version -03 to -04 . . . . . . . . . . . . . . . . . . . 61 I.7. Version -02 to -03 . . . . . . . . . . . . . . . . . . . 66
H.6. Version -02 to -03 . . . . . . . . . . . . . . . . . . . 62 I.8. Version -01 to -02 . . . . . . . . . . . . . . . . . . . 67
H.7. Version -01 to -02 . . . . . . . . . . . . . . . . . . . 63 I.9. Version -00 to -01 . . . . . . . . . . . . . . . . . . . 68
H.8. Version -00 to -01 . . . . . . . . . . . . . . . . . . . 64 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 69
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 64 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 69
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 65
1. Introduction 1. Introduction
The Constrained Application Protocol (CoAP) [RFC7252] is a web The Constrained Application Protocol (CoAP) [RFC7252] is a web
transfer protocol specifically designed for constrained devices and transfer protocol specifically designed for constrained devices and
networks [RFC7228]. Group communication for CoAP networks [RFC7228]. Group communication for CoAP
[I-D.ietf-core-groupcomm-bis] addresses use cases where deployed [I-D.ietf-core-groupcomm-bis] addresses use cases where deployed
devices benefit from a group communication model, for example to devices benefit from a group communication model, for example to
reduce latencies, improve performance and reduce bandwidth reduce latencies, improve performance and reduce bandwidth
utilization. Use cases include lighting control, integrated building utilization. Use cases include lighting control, integrated building
control, software and firmware updates, parameter and configuration control, software and firmware updates, parameter and configuration
updates, commissioning of constrained networks, and emergency updates, commissioning of constrained networks, and emergency
multicast (see Appendix B). This specification defines the security multicast (see Appendix B). This specification defines the security
protocol for Group communication for CoAP protocol for Group communication for CoAP
[I-D.ietf-core-groupcomm-bis]. [I-D.ietf-core-groupcomm-bis].
Object Security for Constrained RESTful Environments (OSCORE) Object Security for Constrained RESTful Environments (OSCORE)
[RFC8613] describes a security protocol based on the exchange of [RFC8613] describes a security protocol based on the exchange of
protected CoAP messages. OSCORE builds on CBOR Object Signing and protected CoAP messages. OSCORE builds on CBOR Object Signing and
Encryption (COSE) [RFC8152] and provides end-to-end encryption, Encryption (COSE)
integrity, replay protection and binding of response to request [I-D.ietf-cose-rfc8152bis-struct][I-D.ietf-cose-rfc8152bis-algs] and
between a sender and a recipient, independent of transport also in provides end-to-end encryption, integrity, replay protection and
the presence of intermediaries. To this end, a CoAP message is binding of response to request between a sender and a recipient,
protected by including its payload (if any), certain options, and independent of transport also in the presence of intermediaries. To
header fields in a COSE object, which replaces the authenticated and this end, a CoAP message is protected by including its payload (if
encrypted fields in the protected message. any), certain options, and header fields in a COSE object, which
replaces the authenticated and encrypted fields in the protected
message.
This document defines Group OSCORE, providing the same end-to-end This document defines Group OSCORE, providing the same end-to-end
security properties as OSCORE in the case where CoAP requests have security properties as OSCORE in the case where CoAP requests have
multiple recipients. In particular, the described approach defines multiple recipients. In particular, the described approach defines
how OSCORE should be used in a group communication setting to provide how OSCORE is used in a group communication setting to provide source
source authentication for CoAP group requests, sent by a client to authentication for CoAP group requests, sent by a client to multiple
multiple servers, and the corresponding CoAP responses. servers, and for protection of the corresponding CoAP responses.
Group OSCORE provides source authentication of CoAP messages, by
means of two possible methods. The first method relies on a digital
signature produced with the private key of the sender and embedded in
the protected CoAP message. The second method relies on a symmetric
key, which is derived from a pairwise shared secred computed from the
asymmetric keys of the message sender and recipient.
The second method is intended for one-to-one messages sent in the
group. These include all responses, as individually sent by servers,
as well as requests addressed to an individual server. For instance,
such requests are sent as part of an exchange using the CoAP Echo
option [I-D.ietf-core-echo-request-tag], or as part of a block-wise
transfer [RFC7959] in the group, after the first block-wise request
possibly targeting all servers in the group and including the CoAP
Block2 option (see Section 2.3.6 of [I-D.ietf-core-groupcomm-bis]).
Just like OSCORE, Group OSCORE is independent of transport layer and Just like OSCORE, Group OSCORE is independent of transport layer and
works wherever CoAP does. Group communication for CoAP works wherever CoAP does. Group communication for CoAP
[I-D.ietf-core-groupcomm-bis] uses UDP/IP multicast as the underlying [I-D.ietf-core-groupcomm-bis] uses UDP/IP multicast as the underlying
data transport. data transport.
As with OSCORE, it is possible to combine Group OSCORE with As with OSCORE, it is possible to combine Group OSCORE with
communication security on other layers. One example is the use of communication security on other layers. One example is the use of
transport layer security, such as DTLS [RFC6347], between one client transport layer security, such as DTLS [RFC6347], between one client
and one proxy (and vice versa), or between one proxy and one server and one proxy (and vice versa), or between one proxy and one server
(and vice versa), in order to protect the routing information of (and vice versa), in order to protect the routing information of
packets from observers. Note that DTLS cannot be used to secure packets from observers. Note that DTLS [RFC6347] does not define how
messages sent over IP multicast. to secure messages sent over IP multicast.
Group OSCORE defines different modes of operation: Group OSCORE defines two modes of operation:
o In the signature mode, Group OSCORE requests and responses are o In the group mode, Group OSCORE requests and responses are
digitally signed. The signature mode supports all COSE algorithms digitally signed with the private key of the sender and the
as well as signature verification by intermediaries. signature is embedded in the protected CoAP message. The group
mode supports all COSE algorithms as well as signature
verification by intermediaries. This mode is defined in Section 8
and MUST be supported.
o The pairwise mode allows two group members to exchange unicast o In the pairwise mode, two group members exchange Group OSCORE
OSCORE requests and responses protected with symmetric keys. requests and responses over unicast, and the messages are
These symmetric keys are derived from Diffie-Hellman shared protected with symmetric keys. These symmetric keys are derived
secrets, calculated with the asymmetric keys of the two group from Diffie-Hellman shared secrets, calculated with the asymmetric
members. This allows for shorter integrity tags and therefore keys of the sender and recipient, allowing for shorter integrity
lower message overhead. tags and therefore lower message overhead. This mode is OPTIONAL
to support as defined in Section 9.
o In the (hybrid) optimized mode, the CoAP requests are digitally Both modes provide source authentication of CoAP messages. The
signed as in the signature mode, and the CoAP responses are application decides what mode to use, potentially on a per-message
integrity protected with the symmetric key of the pairwise mode. basis. Such decision can be based, for instance, on pre-configured
policies or dynamic assessing of the target recipient and/or
resource, among other things. One important case is when requests
are protected with the group mode, and responses with the pairwise
mode, since this significantly reduces the overhead in case of many
responses to one request.
The signature and optimized modes are detailed in the body of this A special deployment of Group OSCORE is to use pairwise mode only.
document. The pairwise mode is detailed in Appendix G. Unless For example, consider the case of a constrained-node network
otherwise stated, this specification refers to the signature mode. [RFC7228] with a large number of CoAP endpoints and the objective to
establish secure communication between any pair of endpoints with a
small provisioning effort and message overhead. Since the total
number of security associations that needs to be established grows
with the square of the number of nodes, it is desirable to restrict
the provisioned keying material. Moreover, a key establishment
protocol would need to be executed for each security association.
One solution to this is to deploy Group OSCORE with the endpoints
being part of a group and use the pairwise mode. This solution
assumes a trusted third party called Group Manager (see Section 3),
but has the benefit of restricting the symmetric keying material
while distributing only the public key of each group member. After
that, a CoAP endpoint can locally derive the OSCORE Security Context
for the other endpoint and protect the CoAP communication with very
low overhead [I-D.ietf-lwig-security-protocol-comparison].
1.1. Terminology 1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
Readers are expected to be familiar with the terms and concepts Readers are expected to be familiar with the terms and concepts
described in CoAP [RFC7252] including "endpoint", "client", "server", described in CoAP [RFC7252] including "endpoint", "client", "server",
"sender" and "recipient"; group communication for CoAP "sender" and "recipient"; group communication for CoAP
[I-D.ietf-core-groupcomm-bis]; COSE and counter signatures [RFC8152]. [I-D.ietf-core-groupcomm-bis]; COSE and counter signatures
[I-D.ietf-cose-rfc8152bis-struct][I-D.ietf-cose-rfc8152bis-algs].
Readers are also expected to be familiar with the terms and concepts Readers are also expected to be familiar with the terms and concepts
for protection and processing of CoAP messages through OSCORE, such for protection and processing of CoAP messages through OSCORE, such
as "Security Context" and "Master Secret", defined in [RFC8613]. as "Security Context" and "Master Secret", defined in [RFC8613].
Terminology for constrained environments, such as "constrained Terminology for constrained environments, such as "constrained
device", "constrained-node network", is defined in [RFC7228]. device" and "constrained-node network", is defined in [RFC7228].
This document refers also to the following terminology. This document refers also to the following terminology.
o Keying material: data that is necessary to establish and maintain o Keying material: data that is necessary to establish and maintain
secure communication among endpoints. This includes, for secure communication among endpoints. This includes, for
instance, keys and IVs [RFC4949]. instance, keys and IVs [RFC4949].
o Group: a set of endpoints that share group keying material and o Group: a set of endpoints that share group keying material and
security parameters (Common Context, see Section 2). Unless security parameters (Common Context, see Section 2). Unless
specified otherwise, the term group used in this specification specified otherwise, the term group used in this specification
refers thus to a "security group", not to be confused with refers thus to a "security group" (see Section 2.1 of
CoAP/network/multicast group or application group. [I-D.ietf-core-groupcomm-bis]), not to be confused with "CoAP
group" or "application group".
o Group Manager: entity responsible for a group. Each endpoint in a o Group Manager: entity responsible for a group. Each endpoint in a
group communicates securely with the respective Group Manager, group communicates securely with the respective Group Manager,
which is neither required to be an actual group member nor to take which is neither required to be an actual group member nor to take
part in the group communication. The full list of part in the group communication. The full list of
responsibilities of the Group Manager is provided in Section 8. responsibilities of the Group Manager is provided in Section 3.2.
o Silent server: member of a group that never responds to requests. o Silent server: member of a group that never sends protected
Given that, for CoAP group communications, messages are normally responses in reply to requests. For CoAP group communications,
sent without requesting a confirmation, the idea of a server requests are normally sent without necessarily expecting a
silently acting on a message is not unreasonable. Note that an response. A silent server may send unprotected responses, as
endpoint can implement both a silent server and a client, the two error responses reporting an OSCORE error. Note that an endpoint
roles are independent. An endpoint implementing only a silent can implement both a silent server and a client, i.e. the two
server processes only incoming requests, and, in case it supports roles are independent. An endpoint acting only as a silent server
only the signature mode, it maintains less keying material and performs only Group OSCORE processing on incoming requests.
especially does not have a Sender Context for the group. Silent servers maintain less keying material and in particular do
not have a Sender Context for the group. Since silent servers do
not have a Sender ID they cannot support pairwise mode.
o Group Identifier (Gid): identifier assigned to the group. Group o Group Identifier (Gid): identifier assigned to the group, unique
Identifiers must be unique within the set of groups of a given within the set of groups of a given Group Manager.
Group Manager.
o Group request: CoAP request message sent by a client in the group o Group request: CoAP request message sent by a client in the group
to all servers in that group. to all servers in that group.
o Source authentication: evidence that a received message in the o Source authentication: evidence that a received message in the
group originated from a specific identified group member. This group originated from a specific identified group member. This
also provides assurance that the message was not tampered with by also provides assurance that the message was not tampered with by
anyone, be it a different legitimate group member or an endpoint anyone, be it a different legitimate group member or an endpoint
which is not a group member. which is not a group member.
2. Security Context 2. Security Context
Each endpoint registered as member of a group maintains a Security This specification refers to a group as a set of endpoints sharing
Context as defined in Section 3 of [RFC8613], extended as follows keying material and security parameters for executing the Group
(see Figure 1): OSCORE protocol (see Section 1.1). Each endpoint which is member of
a group maintains a Security Context as defined in Section 3 of
[RFC8613], extended as follows (see Figure 1):
o One Common Context, shared by all the endpoints in the group. o One Common Context, shared by all the endpoints in the group.
Three new parameters are included in the Common Context: Counter Three new parameters are included in the Common Context: Counter
Signature Algorithm, Counter Signature Parameters and Counter Signature Algorithm, Counter Signature Parameters and Counter
Signature Key Parameters. Signature Key Parameters, which all relate to the signature of the
message included in group mode (see Section 8).
o One Sender Context, extended with the endpoint's private key. The o One Sender Context, extended with the endpoint's private key. The
Sender Context is omitted if the endpoint is configured private key is used to sign the message in group mode, and for
exclusively as silent server. calculating the pairwise keys in pairwise mode (see Section 2.3).
If the pairwise mode is supported, the Sender Context is also
extended with the Pairwise Sender Keys associated to the other
endpoints (see Section 2.3). The Sender Context is omitted if the
endpoint is configured exclusively as silent server.
o One Recipient Context for each endpoint from which messages are o One Recipient Context for each endpoint from which messages are
received. No Recipient Contexts are maintained as associated to received. It is not necessary to maintain Recipient Contexts
endpoints from which messages are not (expected to be) received. associated to endpoints from which messages are not (expected to
The Recipient Context is extended with the public key of the be) received. The Recipient Context is extended with the public
associated endpoint. key of the associated endpoint, used to verify the signature in
group mode and for calculating the pairwise keys in pairwise mode
(see Section 2.3). If the pairwise mode is supported, then the
Recipient Context is also extended with the Pairwise Recipient Key
associated to the other endpoint (see Section 2.3).
+---------------------------+----------------------------------+ +-------------------+-----------------------------------------------+
| Context Component | New Information Elements | | Context Component | New Information Elements |
+---------------------------+----------------------------------+ +-------------------+-----------------------------------------------+
| | Counter Signature Algorithm | | | Counter Signature Algorithm |
| Common Context | Counter Signature Parameters | | Common Context | Counter Signature Parameters |
| | Counter Signature Key Parameters | | | Counter Signature Key Parameters |
+---------------------------+----------------------------------+ +-------------------+-----------------------------------------------+
| Sender Context | Endpoint's own private key | | Sender Context | Endpoint's own private key |
+---------------------------+----------------------------------+ | | *Pairwise Sender Keys for the other endpoints |
| Each Recipient Context | Public key of the other endpoint | +-------------------+-----------------------------------------------+
+---------------------------+----------------------------------+ | Each | Public key of the other endpoint |
| Recipient Context | *Pairwise Recipient Key of the other endpoint |
+-------------------+-----------------------------------------------+
Figure 1: Additions to the OSCORE Security Context Figure 1: Additions to the OSCORE Security Context. Optional
additions are labeled with an asterisk.
Further details about the Security Context of Group OSCORE are
provided in the remainder of this section. How the Security Context
is established by the group members is out of scope for this
specification, but if there is more than one Security Context
applicable to a message, then the endpoints MUST be able to tell
which Security Context was latest established.
The default setting for how to manage information about the group is
described in terms of a Group Manager (see Section 3).
2.1. Common Context 2.1. Common Context
The Common Context may be acquired from the Group Manager (see
Section 3). The following sections define how the Common Context is
extended, compared to [RFC8613].
2.1.1. ID Context
The ID Context parameter (see Sections 3.3 and 5.1 of [RFC8613]) in The ID Context parameter (see Sections 3.3 and 5.1 of [RFC8613]) in
the Common Context SHALL contain the Group Identifier (Gid) of the the Common Context SHALL contain the Group Identifier (Gid) of the
group. The choice of the Gid is application specific. An example of group. The choice of the Gid format is application specific. An
specific formatting of the Gid is given in Appendix C. The example of specific formatting of the Gid is given in Appendix C.
application needs to specify how to handle possible collisions
between Gids, see Section 10.5.
The Counter Signature Algorithm identifies the digital signature The application needs to specify how to handle potential collisions
between Gids (see Section 10.5).
2.1.2. Counter Signature Algorithm
Counter Signature Algorithm identifies the digital signature
algorithm used to compute a counter signature on the COSE object (see algorithm used to compute a counter signature on the COSE object (see
Section 4.5 of [RFC8152]). Its value is immutable once the Common Section 5.2 of [I-D.ietf-cose-rfc8152bis-struct]).
Context is established. The used Counter Signature Algorithm MUST be
selected among the signing ones defined in the COSE Algorithms
Registry (see section 16.4 of [RFC8152]). The EdDSA signature
algorithm Ed25519 [RFC8032] is mandatory to implement. If Elliptic
Curve Digital Signature Algorithm (ECDSA) is used, it is RECOMMENDED
that implementations implement "deterministic ECDSA" as specified in
[RFC6979].
The Counter Signature Parameters identifies the parameters associated This parameter is immutable once the Common Context is established.
to the digital signature algorithm specified in the Counter Signature Counter Signature Algorithm MUST take value from the "Value" column
Algorithm. This parameter MAY be empty and is immutable once the of the "COSE Algorithms" Registry [COSE.Algorithms]. The value is
Common Context is established. The exact structure of this parameter associated to a COSE key type, specified in the "Capabilities" column
depends on the value of Counter Signature Algorithm, and is defined of the Registry. COSE capabilities for algorithms are defined in
in the Counter Signature Parameters Registry (see Section 11.1), Section 8 of [I-D.ietf-cose-rfc8152bis-algs].
where each entry indicates a specified structure of the Counter
Signature Parameters.
The Counter Signature Key Parameters identifies the parameters The EdDSA signature algorithm Ed25519 [RFC8032] is mandatory to
associated to the keys used with the digital signature algorithm implement. For endpoints that support the pairwise mode of Group
specified in the Counter Signature Algorithm. This parameter MAY be OSCORE, the X25519 function [RFC7748] is also mandatory to implement.
empty and is immutable once the Common Context is established. The If elliptic curve signatures are used, it is RECOMMENDED to implement
exact structure of this parameter depends on the value of Counter deterministic signatures with additional randomness as specified in
Signature Algorithm, and is defined in the Counter Signature Key [I-D.mattsson-cfrg-det-sigs-with-noise].
Parameters Registry (see Section 11.2), where each entry indicates a
specified structure of the Counter Signature Key Parameters. 2.1.3. Counter Signature Parameters
Counter Signature Parameters identifies the parameters associated to
the digital signature algorithm specified in Counter Signature
Algorithm. This parameter is immutable once the Common Context is
established.
This parameter is a CBOR array including the following two elements,
whose exact structure and value depend on the value of Counter
Signature Algorithm:
o The first element is the array of COSE capabilities for Counter
Signature Algorithm, as specified for that algorithm in the
"Capabilities" column of the "COSE Algorithms" Registry
[COSE.Algorithms] (see Section 8.2 of
[I-D.ietf-cose-rfc8152bis-algs]).
o The second element is the array of COSE capabilities for the COSE
key type associated to Counter Signature Algorithm, as specified
for that key type in the "Capabilities" column of the "COSE Key
Types" Registry [COSE.Key.Types] (see Section 8.1 of
[I-D.ietf-cose-rfc8152bis-algs]).
Examples of Counter Signature Parameters are in Appendix H.
2.1.4. Counter Signature Key Parameters
Counter Signature Key Parameters identifies the parameters associated
to the keys used with the digital signature algorithm specified in
Counter Signature Algorithm. This parameter is immutable once the
Common Context is established.
The exact structure and value of this parameter depends on the value
of Counter Signature Algorithm. In particular, this parameter takes
the same structure and value of the array of COSE capabilities for
the COSE key type associated to Counter Signature Algorithm, as
specified for that key type in the "Capabilities" column of the "COSE
Key Types" Registry [COSE.Key.Types] (see Section 8.1 of
[I-D.ietf-cose-rfc8152bis-algs]).
Examples of Counter Signature Key Parameters are in Appendix H.
2.2. Sender Context and Recipient Context 2.2. Sender Context and Recipient Context
OSCORE specifies the derivation of Sender Context and Recipient OSCORE specifies the derivation of Sender Context and Recipient
Context, specifically Sender/Recipient Keys and Common IV, from a set Context, specifically of Sender/Recipient Keys and Common IV, from a
of input parameters (see Section 3.2 of [RFC8613]). This derivation set of input parameters (see Section 3.2 of [RFC8613]). This
applies also to Group OSCORE, and the mandatory-to-implement HKDF and derivation applies also to Group OSCORE, and the mandatory-to-
AEAD algorithms are the same as in [RFC8613]. However, for Group implement HKDF and AEAD algorithms are the same as in [RFC8613]. The
OSCORE the Sender Context and Recipient Context additionally contain Sender ID SHALL be unique for each endpoint in a group with a fixed
asymmetric keys. Master Secret, Master Salt and Group Identifier (see Section 3.3 of
[RFC8613]).
The Sender Context needs to be configured with the private key of the
endpoint. The private key is used to generate a signature (see
Section 4) included in the sent OSCORE message. How the private key
is established is out of scope for this specification.
Each Recipient Context needs to be configured with the public key of For Group OSCORE the Sender Context and Recipient Context
the associated endpoint. The public key is used to verify a additionally contain asymmetric keys, as described previously in
signature (see Section 4) included in the received OSCORE message. Section 2. The private/public key pair of the sender can, for
example, be generated by the endpoint or provisioned during
manufacturing.
The input parameters for deriving the Recipient Context parameters With the exception of the public key of the sending endpoint, a
and the public key of the associated endpoint may be provided to the receiving endpoint can derive a complete security context from a
recipient endpoint upon joining the group. These parameters may received Group OSCORE message and the Common Context. The public
alternatively be acquired at a later time, for example the first time keys in the Recipient Contexts can be accessed from the Group Manager
a message is received from this particular endpoint in the group (see (see Section 3) upon joining the group. A public key can
Section 7.2 and Section 7.4). The received message together with the alternatively be acquired from the Group Manager at a later time, for
Common Context contains the necessary information to derive a example the first time a message is received from a particular
security context for verifying a message, except for the public key endpoint in the group (see Section 8.2 and Section 8.4).
of the associated endpoint.
For severely constrained devices, it may be not feasible to For severely constrained devices, it may be not feasible to
simultaneously handle the ongoing processing of a recently received simultaneously handle the ongoing processing of a recently received
message in parallel with the retrieval of the associated endpoint's message in parallel with the retrieval of the associated endpoint's
public key. Such devices can be configured to drop a received public key. Such devices can be configured to drop a received
message for which there is no Recipient Context, and retrieve the message for which there is no (complete) Recipient Context, and
public key in order to have it available to verify subsequent retrieve the public key in order to have it available to verify
messages from that endpoint. subsequent messages from that endpoint.
2.3. The Group Manager 2.3. Pairwise Keys
Endpoints communicating with Group OSCORE need, in addition to the Certain signature schemes, such as EdDSA and ECDSA, support a secure
OSCORE input parameters, also to be provisioned with information combined signature and encryption scheme. This section specifies the
about the group(s) and other endpoints in the group(s). derivation of "pairwise keys", for use in the pairwise mode of Group
OSCORE defined in Section 9.
The Group Manager is an entity responsible for the group, including 2.3.1. Derivation of Pairwise Keys
the Group Identifier (Gid) used as ID Context, as well as the Sender
ID and Recipient ID of the group members (see Section 8).
The Group Manager is exclusively in control of the Gid values Using the Group OSCORE Security Context (see Section 2), a group
uniquely assigned to the different groups under its control, as well member can derive AEAD keys to protect point-to-point communication
as of the Sender ID and Recipient ID values uniquely assigned to the between itself and any other endpoint in the group. The same AEAD
members of each of those groups. According to a hierarchical algorithm as in the group mode is used. The key derivation of these
approach, the Gid value assigned to a group is associated to a so-called pairwise keys follows the same construction as in
dedicated space for the values of Sender ID and Recipient ID of the Section 3.2.1 of [RFC8613]:
members of that group. In addition, the Group Manager records the
public keys of endpoints joining a group, and provides information
about the group and its members to other members.
An endpoint receives the Group Identifier and OSCORE input Pairwise Recipient Key = HKDF(Recipient Key, Shared Secret, info, L)
parameters, including its own Sender ID, from the Group Manager upon Pairwise Sender Key = HKDF(Sender Key, Shared Secret, info, L)
joining the group. That Sender ID is valid only within that group,
and is unique within the group. Endpoints which are configured only
as silent servers do not have a Sender ID.
A group member can retrieve from the Group Manager the public key and where:
other information associated to another group member, with which it
can generate the corresponding Recipient Context. An application can
configure a group member to asynchronously retrieve information about
Recipient Contexts, e.g. by Observing [RFC7641] the Group Manager to
get updates on the group membership.
According to this specification, it is RECOMMENDED to use a Group o The Pairwise Recipient Key is the AEAD key for receiving from
Manager as described in [I-D.ietf-ace-key-groupcomm-oscore], where endpoint X.
the join process is based on the ACE framework for authentication and
authorization in constrained environments [I-D.ietf-ace-oauth-authz].
Further details about how public keys can be handled and retrieved in
the group is out of the scope of this document.
The Group Manager may serve additional entities acting as signature o The Pairwise Sender Key is the AEAD key for sending to endpoint X.
checkers, e.g. intermediary gateways. These entities do not join a
group as members, but can retrieve public keys of group members from
the Group Manager, in order to verify counter signatures of group
messages. A signature checker is required to be authorized for
retrieving public keys of members in a specific group from the Group
Manager. To this end, the same method mentioned above and based on
the ACE framework can be used.
2.4. Management of Group Keying Material o The Shared Secret is computed as a static-static Diffie-Hellman
shared secret [NIST-800-56A], where the endpoint uses its private
key and the public key of the other endpoint X.
In order to establish a new Security Context in a group, a new Group o The Recipient Key and the public key are from the Recipient
Identifier (Gid) for that group and a new value for the Master Secret Context associated to endpoint X.
parameter MUST be distributed. An example of Gid format supporting
this operation is provided in Appendix C. When distributing the new
Gid and Master Secret, the Group Manager MAY distribute also a new
value for the Master Salt parameter, and SHOULD preserve the current
value of the Sender ID of each group member.
Then, each group member re-derives the keying material stored in its o The Sender Key and private key are from the Sender Context.
own Sender Context and Recipient Contexts as described in Section 2,
using the updated Gid and Master Secret parameter. The Master Salt
used for the re-derivations is the updated Master Salt parameter if
provided by the Group Manager, or the empty byte string otherwise.
From then on, each group member MUST use its latest installed Sender
Context to protect outgoing messages.
After a new Gid has been distributed, a same Recipient ID ('kid') o info and L are defined as in Section 3.2.1 of [RFC8613].
should not be considered as a persistent and reliable indicator of
the same group member. Such an indication can be actually achieved If EdDSA asymmetric keys are used, the Edward coordinates are mapped
only by using that members's public key. This occurs when verifying to Montgomery coordinates using the maps defined in Sections 4.1 and
countersignatures of received messages (in signature mode), or when 4.2 of [RFC7748], before using the X25519 and X448 functions defined
in Section 5 of [RFC7748].
After establishing a partially or completely new Security Context
(see Section 3.1 and Section 2.4), the old pairwise keys MUST be
deleted. Since new Sender/Recipient Keys are derived from the new
group keying material (see Section 2.2), every group member MUST use
the new Sender/Recipient Keys when deriving new pairwise keys.
As long as any two group members preserve the same asymmetric keys,
their Diffie-Hellman shared secret does not change across updates of
the group keying material.
2.3.2. Usage of Sequence Numbers
When using any of its Pairwise Sender Keys, a sender endpoint
including the 'Partial IV' parameter in the protected message MUST
use the current fresh value of the Sender Sequence Number from its
Sender Context (see Section 2.2). That is, the same Sender Sequence
Number space is used for all outgoing messages protected with Group
OSCORE, thus limiting both storage and complexity.
On the other hand, when combining group and pairwise communication
modes, this may result in the Partial IV values moving forward more
often. This can happen when a client engages in frequent or long
sequences of one-to-one exchanges with servers in the group, by
sending requests over unicast.
As a consequence, replay checks may be invoked more often on the
recipient side, where larger replay windows should be considered.
2.3.3. Security Context for Pairwise Mode
If the pairwise mode is supported, the pairwise keys are added to the
Security Context, as described at the beginning of Section 2.
The pairwise keys as well as the shared secrets used in their
derivation (see Section 2.3.1) may be stored in memory or recomputed
each time they are needed. The shared secret changes only when a
public/private key pair used for its derivation changes, which
results in the pairwise keys also changing. Additionally, the
pairwise keys change if the Sender ID changes or if a new Security
Context is established for the group (see Section 2.4.3). In order
to optimize protocol performance, an endpoint may store the derived
pairwise keys for easy retrieval.
In the pairwise mode, the Sender Context includes the Pairwise Sender
Keys for the other endpoints (see Figure 1). In order to identify
the right key to use, the Pairwise Sender Key for endpoint X may be
associated to the Recipient ID of endpoint X, as defined in the
Recipient Context (i.e. the Sender ID from the point of view of
endpoint X). In this way, the Recipient ID can be used to lookup for
the right Pairwise Sender Key. This association may be implemented in
different ways, e.g. by storing the pair (Recipient ID, Pairwise
Sender Key), or linking a Pairwise Sender Key to a Recipient Context.
2.4. Update of Security Context
The mutable parts of the Security Context are updated by the endpoint
when executing the security protocol, but may nevertheless become
outdated, e.g. due to loss of the mutable Security Context (see
Section 2.4.1) or exhaustion of Sender Sequence Numbers (see
Section 2.4.2). The endpoint MUST be able to detect a loss of
mutable security context (see Section 2.4.1). If an endpoint detects
a loss of mutable Sender Security Context, it MUST NOT protect
further messages using this Security Context to avoid reusing a nonce
with the same AEAD key.
It is RECOMMENDED that the immutable part of the Security Context is
stored in non-volatile memory, or that it can otherwise be reliably
accessed throughout the operation of the group, e.g. after device
reboot. However, also immutable parts of the Security Context may
need to be updated, for example due to scheduled key renewal, new or
re-joining members in the group, or the fact that the endpoint
changes Sender ID (see Section 2.4.3).
2.4.1. Loss of Mutable Security Context
An endpoint losing its mutable Security Context, e.g., due to reboot,
needs to prevent the re-use of Sender Sequence Numbers, and to handle
incoming replayed messages. Appendix B.1 of [RFC8613] describes
secure procedures for handling the loss of Sender Sequence Number and
the update of Replay Window. The procedure in Appendix B.1.1 of
[RFC8613] applies also to servers in Group OSCORE and is RECOMMENDED
to use. A variant of Appendix B.1.2 of [RFC8613] applicable to Group
OSCORE is specified in Appendix E.3 of this specification.
If an endpoint is not able to establish an updated Sender Security
Context, e.g. because of lack of connectivity with the Group Manager,
it MUST NOT protect further messages using this Security Context.
The endpoint SHOULD inform the Group Manager and retrieve new
Security Context parameters from the Group Manager (see
Section 2.4.3).
2.4.2. Exhaustion of Sender Sequence Numbers
An endpoint can eventually exhaust the Sender Sequence Numbers, which
are incremented for each new outgoing message including a Partial IV.
This is the case for group requests, Observe notifications [RFC7641]
and, optionally, any other response.
If an implementation's integers support wrapping addition, when a
wrap-around is detected the implementation MUST treat Sender Sequence
Numbers as exhausted.
Upon exhausting the Sender Sequence Numbers, the endpoint MUST NOT
protect further messages using this Security Context. The endpoint
SHOULD inform the Group Manager and retrieve new Security Context
parameters from the Group Manager (see Section 2.4.3).
2.4.3. Retrieving New Security Context Parameters
The Group Manager can assist an endpoint with an incomplete Sender
Security Context to retrieve missing data of the Security Context and
thereby become fully operational in the group again. The two main
options are described in this section: i) assignment of a new Sender
ID (see Section 2.4.3.1); and ii) establishment of a new Security
Context for the group (see Section 2.4.3.2). Update of Replay Window
in Recipient Contexts is discussed in Section 6.1.
As group membership changes, or as group members get new Sender IDs
(see Section 2.4.3.1) so do the relevant Recipient IDs that the other
endpoints need to keep track of. As a consequence, group members may
end up retaining stale Recipient Contexts, that are no longer useful
to verify incoming secure messages.
The Recipient ID ('kid') SHOULD NOT be considered as a persistent and
reliable indicator of a group member. Such an indication can be
achieved only by using that member's public key, when verifying
countersignatures of received messages (in group mode), or when
verifying messages integrity-protected with pairwise keying material verifying messages integrity-protected with pairwise keying material
derived from asymmetric keys (in pairwise mode). As a consequence, derived from asymmetric keys (in pairwise mode).
group members may end up retaining stale Recipient Contexts, that are
no longer useful to verify incoming secure messages.
In order to alleviate this issue, the Group Manager SHOULD NOT Furthermore, applications MAY define policies to: i) delete
recycle 'kid' values within a same group, especially in the short
term. Furthermore, applications may define policies to: i) delete
(long-)unused Recipient Contexts and reduce the impact on storage (long-)unused Recipient Contexts and reduce the impact on storage
space; as well as ii) check with the Group Manager that an owned space; as well as ii) check with the Group Manager that a public key
public key is currently the one associated to a 'kid' value, after a is currently the one associated to a 'kid' value, after a number of
number of consecutive failed verifications. consecutive failed verifications.
The distribution of a new Gid and Master Secret may result in
temporarily misaligned Security Contexts among group members. In
particular, this may result in a group member not able to process
messages received right after a new Gid and Master Secret have been
distributed. A discussion on practical consequences and possible
ways to address them is provided in Section 10.4.
If required by the application (see Appendix A.1), it is RECOMMENDED 2.4.3.1. New Sender ID for the Endpoint
to adopt a group key management scheme, and securely distribute a new
value for the Gid and for the Master Secret parameter of the group's
Security Context, before a new joining endpoint is added to the group
or after a currently present endpoint leaves the group. This is
necessary to preserve backward security and forward security in the
group, if the application requires it.
The specific approach used to distribute the new Gid and Master The Group Manager may assign the endpoint a new Sender ID, leaving
Secret parameter to the group is out of the scope of this document. the Gid, Master Secret and Master Salt unchanged. In this case the
However, it is RECOMMENDED that the Group Manager supports the Group Manager MUST assign an unused Sender ID. Having retrieved the
distribution of the new Gid and Master Secret parameter to the group new Sender ID, and potentially other missing data of the immutable
according to the Group Rekeying Process described in Security Context, the endpoint can derive a new Sender Context (see
[I-D.ietf-ace-key-groupcomm-oscore]. Section 2.2). The Sender Sequence Number is initialized to 0.
2.5. Exhaustion of Partial IV Values The assignment of a new Sender ID may be the result of different
processes. The endpoint may request a new Sender ID, e.g. because of
exhaustion of Sender Sequence Numbers (see Section 2.4.2). An
endpoint may request to re-join the group, e.g. because of losing its
mutable Security Context (see Section 2.4.1), and receive as response
a new Sender ID together with the latest immutable Security Context.
An endpoint can eventually exhaust its own Sender Sequence Number, The Recipient Context of the other group members corresponding to the
which is incremented after sending each new message including a old Sender ID becomes stale (see Section 3.1).
Partial IV. This is the case for all group requests, all Observe
notifications [RFC7641] and, optionally, any other response.
If an implementation's integers only support wrapping addition, the 2.4.3.2. New Security Context for the Group
implementation MUST detect a wrap-around of the Sender Sequence
Number value and treat that as exhausted instead.
Upon exhausting its own Sender Sequence Number, the endpoint MUST NOT The Group Manager may establish a new Security Context for the group
transmit further messages for that group until it has derived a new (see Section 3.1). The Group Manager does not necessarily establish
Sender Context, in order to avoid reusing nonces with the same keys. a new Security Context for the group if one member has an outdated
Security Context (see Section 2.4.3.1), unless that was already
planned or required for other reasons. All endpoints in the group
need to acquire new Security Context parameters from the Group
Manager.
Furthermore, the endpoint SHOULD inform the Group Manager, that can Having acquired new Security Context parameters, each member can re-
take one of the following actions: derive the keying material stored in its Sender Context and Recipient
Contexts (see Section 2.2). The Master Salt used for the re-
derivations is the updated Master Salt parameter if provided by the
Group Manager, or the empty byte string otherwise. Unless otherwise
specified by the application, a group member does not reset the
Sender Sequence Number in its Sender Context, and does not reset the
Replay Windows in its Recipient Contexts. From then on, each group
member MUST use its latest installed Sender Context to protect
outgoing messages.
o The Group Manager renews the Security Context in the group (see The distribution of a new Gid and Master Secret may result in
Section 2.4). temporarily misaligned Security Contexts among group members. In
particular, this may result in a group member not being able to
process messages received right after a new Gid and Master Secret
have been distributed. A discussion on practical consequences and
possible ways to address them, as well as on how to handle the old
Security Context, is provided in Section 10.4.
o The Group Manager provides a new Sender ID value to the endpoint 3. The Group Manager
that has experienced the exhaustion. Then, the endpoint derives a
new Sender Context using the new Sender ID, as described in
Section 3.2 of [RFC8613].
In either case, same considerations from Section 2.4 hold about As with OSCORE, endpoints communicating with Group OSCORE need to
possible retaining of stale Recipient Contexts. establish the relevant Security Context. Group OSCORE endpoints need
to acquire OSCORE input parameters, information about the group(s)
and about other endpoints in the group(s). This specification is
based on the existence of an entity called Group Manager which is
responsible for the group, but does not mandate how the Group Manager
interacts with the group members. The responsibilities of the Group
Manager are compiled in Section 3.2.
3. Pairwise Keys It is RECOMMENDED to use a Group Manager as described in
[I-D.ietf-ace-key-groupcomm-oscore], where the join process is based
on the ACE framework for authentication and authorization in
constrained environments [I-D.ietf-ace-oauth-authz].
Certain signature schemes, such as EdDSA and ECDSA, support a secure The Group Manager assigns unique Group Identifiers (Gids) to
combined signature and encryption scheme. This section specifies the different groups under its control, as well as unique Sender IDs (and
derivation of pairwise encryption keys for use in the pairwise and thereby Recipient IDs) to the members of those groups. According to
optimized modes of Group OSCORE. a hierarchical approach, the Gid value assigned to a group is
associated to a dedicated space for the values of Sender ID and
Recipient ID of the members of that group. In addition, the Group
Manager maintains records of the public keys of endpoints in a group,
and provides information about the group and its members to other
members and selected roles. Upon nodes' joining, the Group Manager
collects such public keys and MUST verify proof-of-possession of the
respective private key.
3.1. Key Derivation An endpoint acquires group data such as the Gid and OSCORE input
parameters including its own Sender ID from the Group Manager, and
provides information about its public key to the Group Manager, for
example upon joining the group.
Two group members can derive a symmetric pairwise key, from their A group member can retrieve from the Group Manager the public key and
Sender/Recipient Key and a static-static Diffe-Hellman shared secret other information associated to another group member, with which it
[NIST-800-56A]. The key derivation is as follows, and uses the same can generate the corresponding Recipient Context. An application can
construction used in Section 3.2.1 of [RFC8613]. configure a group member to asynchronously retrieve information about
Recipient Contexts, e.g. by Observing [RFC7641] the Group Manager to
get updates on the group membership.
Pairwise key = HKDF(Sender/Recipient Key, Shared Secret, info, L) The Group Manager MAY serve additional entities acting as signature
checkers, e.g. intermediary gateways. These entities do not join a
group as members, but can retrieve public keys of group members from
the Group Manager, in order to verify counter signatures of group
messages. A signature checker MUST be authorized for retrieving
public keys of members in a specific group from the Group Manager.
To this end, the same method mentioned above based on the ACE
framework [I-D.ietf-ace-oauth-authz] can be used.
where: 3.1. Management of Group Keying Material
o The Sender/Recipient key is the Sender Key of the sender, i.e. the In order to establish a new Security Context for a group, a new Group
Recipient Key that the recipient stores in its own Recipient Identifier (Gid) for that group and a new value for the Master Secret
Context corresponding to the sender. parameter MUST be generated. An example of Gid format supporting
this operation is provided in Appendix C. When distributing the new
Gid and Master Secret, the Group Manager MAY distribute also a new
value for the Master Salt parameter, and SHOULD preserve the current
value of the Sender ID of each group member.
o The Shared Secret is computed as a static-static Diffie-Hellman The Group Manager MUST NOT reassign a previously used Sender ID
shared secret [NIST-800-56A], where the sender uses its own ('kid') with the same Gid, Master Secret and Master Salt. Even if
private key and the recipient's public key, while the recipient Gid and Master Secret are renewed as described in this section, the
uses its own private key and the senders's public key. The Shared Group Manager SHOULD NOT reassign an endpoint's Sender ID ('kid')
Secret may be stored in memory, rather than recomputed each time within a same group, especially in the short term.
it is needed.
o info and L are defined as in Section 3.2.1 of [RFC8613]. If required by the application (see Appendix A.1), it is RECOMMENDED
to adopt a group key management scheme, and securely distribute a new
value for the Gid and for the Master Secret parameter of the group's
Security Context, before a new joining endpoint is added to the group
or after a currently present endpoint leaves the group. This is
necessary to preserve backward security and forward security in the
group, if the application requires it.
The security of using the same key pair for Diffie-Hellman and for The specific approach used to distribute new group data is out of the
signing is proven in [Degabriele]. The derivation of pairwise keys scope of this document. However, it is RECOMMENDED that the Group
defined above is compatible with ECDSA and EdDSA asymmetric keys, but Manager supports the distribution of the new Gid and Master Secret
is not compatible with RSA asymmetric keys. parameter to the group according to the Group Rekeying Process
described in [I-D.ietf-ace-key-groupcomm-oscore].
If EdDSA asymmetric keys are used, the Edward coordinates are mapped 3.2. Responsibilities of the Group Manager
to Montgomery coordinates using the maps defined in Sections 4.1 and
4.2 of [RFC7748], before using the X25519 and X448 functions defined
in Section 5 of [RFC7748].
After completing the establishment of a new Security Context (see The Group Manager is responsible for performing the following tasks:
Section 2.4), every group member MUST delete all its pairwise keys.
Since new Sender/Recipient keys are derived from the new group keying
material (see Section 2.2), every group member MUST use such new
Sender/Recipient keys when possibly deriving new pairwise keys.
As long as any two group members preserve the same asymmetric keys, 1. Creating and managing OSCORE groups. This includes the
the Diffie-Hellman shared secret does not change across updates of assignment of a Gid to every newly created group, as well as
the group keying material. ensuring uniqueness of Gids within the set of its OSCORE groups.
3.2. Usage of Sequence Numbers 2. Defining policies for authorizing the joining of its OSCORE
groups.
When using any of its pairwise keys, a sender endpoint MUST use the 3. Handling the join process to add new endpoints as group members.
current fresh value of its own Sender Sequence Number, from its own
Sender Context (see Section 2.2). That is, the same Sender Sequence
Number space is used for all outgoing messages sent to the group and
protected with Group OSCORE, thus limiting both storage and
complexity.
On the other hand, when combining one-to-many and one-to-one 4. Establishing the Common Context part of the Security Context,
communication in the group, this may result in the Partial IV values and providing it to authorized group members during the join
moving forward more often. Fundamentally, this is due to the fact process, together with the corresponding Sender Context.
that not all the recipients receive all messages from a given sender.
For instance, requests sent over multicast (in signature mode) are
addressed to the whole group, while requests sent over unicast (in
signature mode or pairwise mode) are not.
As a consequence, replay checks may be invoked more often on the 5. Generating and managing Sender IDs within its OSCORE groups, as
recipient side, where larger replay windows should be considered. well as assigning and providing them to new endpoints during the
join process. This includes ensuring uniqueness of Sender IDs
within each of its OSCORE groups.
3.3. Note on Implementation 6. Defining communication policies for each of its OSCORE groups,
and signalling them to new endpoints during the join process.
In order to optimize performance, an endpoint A may derive a pairwise 7. Renewing the Security Context of an OSCORE group upon membership
key used with an endpoint B in the OSCORE group only once, and then change, by revoking and renewing common security parameters and
store it in its own Security Context for future retrieval. This can keying material (rekeying).
work as follows.
Endpoint A can have a Pairwise Sender Context associated to B, within 8. Providing the management keying material that a new endpoint
its own Sender Context. This Pairwise Sender Context includes: requires to participate in the rekeying process, consistent with
the key management scheme used in the group joined by the new
endpoint.
o The Recipient ID of B for A, i.e. the Sender ID of B. 9. Updating the Gid of its OSCORE groups, upon renewing the
respective Security Context.
o The Pairwise Key derived as defined in Section 3, with A acting as 10. Acting as key repository, in order to handle the public keys of
sender and B acting as recipient. the members of its OSCORE groups, and providing such public keys
to other members of the same group upon request. The actual
storage of public keys may be entrusted to a separate secure
storage device.
More generally, A has one of such Paiwise Sender Contexts within its 11. Validating that the format and parameters of public keys of
own Sender Context, for each different intended recipient. group members are consistent with the countersignature algorithm
and related parameters used in the respective OSCORE group.
Furthermore, A can additionally store in its own Recipient Context The Group Manager described in [I-D.ietf-ace-key-groupcomm-oscore]
associated to B the Pairwise Key to use for incoming traffic from B. provides these functionalities.
That is, this Pairwise Key is derived as defined in Section 3, with A
acting as recipient and B acting as sender.
4. The COSE Object 4. The COSE Object
Building on Section 5 of [RFC8613], this section defines how to use Building on Section 5 of [RFC8613], this section defines how to use
COSE [RFC8152] to wrap and protect data in the original message. COSE [I-D.ietf-cose-rfc8152bis-struct] to wrap and protect data in
OSCORE uses the untagged COSE_Encrypt0 structure with an the original message. OSCORE uses the untagged COSE_Encrypt0
Authenticated Encryption with Associated Data (AEAD) algorithm. For structure with an Authenticated Encryption with Associated Data
the signature mode of Group OSCORE the following modifications apply. (AEAD) algorithm. Unless otherwise specified, the following
modifications apply for both the group mode and the pairwise mode of
Group OSCORE.
4.1. Counter Signature 4.1. Counter Signature
The 'unprotected' field MUST additionally include the following For the group mode only, the 'unprotected' field MUST additionally
parameter: include the following parameter:
o CounterSignature0 : its value is set to the counter signature of o CounterSignature0: its value is set to the counter signature of
the COSE object, computed by the sender as described in the COSE object, computed by the sender as described in
Appendix A.2 of [RFC8152], by using its own private key and Section 5.2 of [I-D.ietf-cose-rfc8152bis-struct], by using the
according to the Counter Signature Algorithm and Counter Signature private key and according to the Counter Signature Algorithm and
Parameters in the Security Context. In particular, the Counter Signature Parameters in the Security Context. In
Sig_structure contains the external_aad as defined in particular, the Sig_structure contains the external_aad as defined
Section 4.3.2 and the ciphertext of the COSE_Encrypt0 object as in Section 4.3.2 and the ciphertext of the COSE_Encrypt0 object as
payload. payload.
4.2. The 'kid' and 'kid context' parameters 4.2. The 'kid' and 'kid context' parameters
The value of the 'kid' parameter in the 'unprotected' field of The value of the 'kid' parameter in the 'unprotected' field of
response messages MUST be set to the Sender ID of the endpoint response messages MUST be set to the Sender ID of the endpoint
transmitting the message. That is, unlike in [RFC8613], the 'kid' transmitting the message. That is, unlike in [RFC8613], the 'kid'
parameter is always present in all messages, i.e. both requests and parameter is always present in all messages, both requests and
responses. responses.
The value of the 'kid context' parameter in the 'unprotected' field The value of the 'kid context' parameter in the 'unprotected' field
of requests messages MUST be set to the ID Context, i.e. the Group of requests messages MUST be set to the ID Context, i.e. the Group
Identifier value (Gid) of the group's Security Context. That is, Identifier value (Gid) of the group. That is, unlike in [RFC8613],
unlike in [RFC8613], the 'kid context' parameter is always present in the 'kid context' parameter is always present in requests.
requests.
4.3. external_aad 4.3. external_aad
The external_aad of the Additional Authenticated Data (AAD) is built The external_aad of the Additional Authenticated Data (AAD) is
differently. In particular, it has one structure used for the different compared to OSCORE. In particular, there is one
encryption process producing the ciphertext, and a second structure external_aad used for encryption (both in group mode and pairwise
used for the signing process producing the counter signature. mode), and another external_aad used for signing (only in group
mode).
4.3.1. external_aad for Encryption 4.3.1. external_aad for Encryption
The first external_aad structure used for the encryption process The external_aad for encryption (see Section 6.3 of
producing the ciphertext (see Section 5.3 of [RFC8152]) includes also [I-D.ietf-cose-rfc8152bis-struct]), used both in group mode and
the counter signature algorithm and related parameters used to sign pairwise mode, includes also the counter signature algorithm and
messages. In particular, compared with Section 5.4 of [RFC8613], the related signature parameters, see Figure 2.
'algorithms' array in the aad_array MUST also include:
o 'alg_countersign', which contains the Counter Signature Algorithm external_aad = bstr .cbor aad_array
from the Common Context (see Section 2). This parameter has the
value specified in the "Value" field of the Counter Signature
Parameters Registry (see Section 11.1) for this counter signature
algorithm.
o 'par_countersign', which contains the Counter Signature Parameters aad_array = [
from the Common Context (see Section 2). This parameter contains oscore_version : uint,
the counter signature parameters encoded as specified in the algorithms : [alg_aead : int / tstr,
"Parameters" field of the Counter Signature Parameters Registry alg_countersign : int / tstr,
(see Section 11.1), for the used counter signature algorithm. If par_countersign : [countersign_alg_capab,
the Counter Signature Parameters in the Common Context is empty, countersign_key_type_capab],
'par_countersign' MUST be encoding the CBOR simple value Null. par_countersign_key : countersign_key_type_capab],
request_kid : bstr,
request_piv : bstr,
options : bstr
]
o 'par_countersign_key', which contains the Counter Signature Key Figure 2: external_aad for Encryption
Parameters from the Common Context (see Section 2). This
parameter contains the counter signature key parameters encoded as
specified in the "Parameters" field of the Counter Signature Key
Parameters Registry (see Section 11.2), for the used counter
signature algorithm. If the Counter Signature Key Parameters in
the Common Context is empty, 'par_countersign_key' MUST be
encoding the CBOR simple value Null.
Thus, the following external_aad structure is used for the encryption Compared with Section 5.4 of [RFC8613], the 'algorithms' array in the
process producing the ciphertext (see Section 5.3 of [RFC8152]). aad_array additionally includes:
external_aad = bstr .cbor aad_array o 'alg_countersign', which specifies Counter Signature Algorithm
from the Common Context (see Section 2.1.2). This parameter MUST
encode the value of Counter Signature Algorithm as a CBOR integer
or text string, consistently with the "Value" field in the "COSE
Algorithms" Registry for this counter signature algorithm.
aad_array = [ o 'par_countersign', which specifies the CBOR array Counter
oscore_version : uint, Signature Parameters from the Common Context (see Section 2.1.3).
algorithms : [alg_aead : int / tstr, In particular:
alg_countersign : int / tstr,
par_countersign : any / nil, * 'countersign_alg_capab' is the array of COSE capabilities for
par_countersign_key : any / nil], the countersignature algorithm indicated in 'alg_countersign'.
request_kid : bstr,
request_piv : bstr, * 'countersign_key_type_capab' is the array of COSE capabilities
options : bstr for the COSE key type used by the countersignature algorithm
] indicated in 'alg_countersign'.
o 'par_countersign_key', which specifies Counter Signature Key
Parameters from the Common Context (see Section 2.1.4). In
particular, 'countersign_key_type_capab' is the array of COSE
capabilities for the COSE key type used by the countersignature
algorithm indicated in 'alg_countersign'.
4.3.2. external_aad for Signing 4.3.2. external_aad for Signing
The second external_aad structure used for the signing process The external_aad for signing (see Section 4.4 of
producing the counter signature as defined below includes also: [I-D.ietf-cose-rfc8152bis-struct]) used in group mode is identical to
the external_aad for encryption (see Section 4.3.1) with the addition
of the OSCORE option, see Figure 3.
o the counter signature algorithm and related parameters used to external_aad = bstr .cbor aad_array
sign messages, encoded as in the external_aad structure defined in
Section 4.3.1;
o the value of the OSCORE Option included in the OSCORE message, aad_array = [
encoded as a binary string. oscore_version : uint,
algorithms : [alg_aead : int / tstr,
alg_countersign : int / tstr,
par_countersign : [countersign_alg_capab,
countersign_key_type_capab],
par_countersign_key : countersign_key_type_capab],
request_kid : bstr,
request_piv : bstr,
options : bstr,
OSCORE_option: bstr
]
Thus, the following external_aad structure is used for the signing Figure 3: external_aad for Signing
process producing the counter signature, as defined below.
external_aad = bstr .cbor aad_array Compared with Section 5.4 of [RFC8613] the aad_array additionally
includes:
aad_array = [ o the 'algorithms' array as defined in the external_aad for
oscore_version : uint, encryption, see Section 4.3.1;
algorithms : [alg_aead : int / tstr,
alg_countersign : int / tstr,
par_countersign : any / nil,
par_countersign_key : any / nil],
request_kid : bstr,
request_piv : bstr,
options : bstr,
OSCORE_option: bstr
]
Note for implementation: this requires the value of the OSCORE option o the value of the OSCORE Option encoded as a binary string.
to be fully ready, before starting the signing process. Also, this
requires that the aad_array is long enough to contain the longest Note for implementation: this construction requires the OSCORE option
of the message to be generated before calculating the signature.
Also, the aad_array needs to be large enough to contain the largest
possible OSCORE option. possible OSCORE option.
5. OSCORE Header Compression 5. OSCORE Header Compression
The OSCORE header compression defined in Section 6 of [RFC8613] is The OSCORE header compression defined in Section 6 of [RFC8613] is
used, with the following differences. used, with the following differences.
o The payload of the OSCORE message SHALL encode the ciphertext of o The payload of the OSCORE message SHALL encode the ciphertext of
the COSE object. In the signature mode as well as in the the COSE object. In the group mode, the ciphertext above is
optimized compressed requests of the optimized mode (see concatenated with the value of the CounterSignature0 of the COSE
Section 9.1.1), the ciphertext above is concatenated with the object, computed as described in Section 4.1.
value of the CounterSignature0 of the COSE object, computed as
described in Section 4.1.
o This specification defines the usage of the sixth least o This specification defines the usage of the sixth least
significant bit, namely the Pairwise Flag bit, in the first byte significant bit, called the "Group Flag", in the first byte of the
of the OSCORE option containing the OSCORE flag bits. This flag OSCORE option containing the OSCORE flag bits. This flag bit is
bit is registered in Section 11.3 of this specification. specified in Section 11.1.
o The Pairwise Flag bit is set to 1 if the OSCORE message is
protected using pairwise keying material, which is shared with a
single group member as single intended recipient and derived as
defined in Section 3. This is used, for instance, to send
responses with the optimized mode defined in Section 9. In any
other case, especially when the OSCORE message is protected as per
Section 7.1 and Section 7.3, this bit MUST be set to 0.
If any of the following conditions holds, a recipient MUST discard
an incoming OSCORE message with the Pairwise Flag bit set to 1:
* The recipient does not support this feature, i.e. it is not o The Group Flag MUST be set to 1 if the OSCORE message is protected
capable or willing to process OSCORE messages protected using using the group mode (see Section 8).
pairwise keying material.
* The recipient can not retrieve a Security Context which is both o The Group Flag MUST be set to 0 if the OSCORE message is protected
valid to process the message and also associated to an OSCORE using the pairwise mode (see Section 9). The Group Flag MUST also
group. be set to 0 for ordinary OSCORE messages processed according to
[RFC8613].
5.1. Examples of Compressed COSE Objects 5.1. Examples of Compressed COSE Objects
This section covers a list of OSCORE Header Compression examples for This section covers a list of OSCORE Header Compression examples of
group requests and responses, with Group OSCORE used in signature Group OSCORE used in group mode (see Section 5.1.1) or in pairwise
mode. mode (see Section 5.1.2).
The examples assume that the COSE_Encrypt0 object is set (which means The examples assume that the COSE_Encrypt0 object is set (which means
the CoAP message and cryptographic material is known). Note that the the CoAP message and cryptographic material is known). Note that the
examples do not include the full CoAP unprotected message or the full examples do not include the full CoAP unprotected message or the full
Security Context, but only the input necessary to the compression Security Context, but only the input necessary to the compression
mechanism, i.e. the COSE_Encrypt0 object. The output is the mechanism, i.e. the COSE_Encrypt0 object. The output is the
compressed COSE object as defined in Section 5 and divided into two compressed COSE object as defined in Section 5 and divided into two
parts, since the object is transported in two CoAP fields: OSCORE parts, since the object is transported in two CoAP fields: OSCORE
option and payload. option and payload.
The examples assume that the label for the new kid context defined in The examples assume that the plaintext (see Section 5.3 of [RFC8613])
[RFC8613] has value 10. The examples also assume that the plaintext is 6 bytes long, and that the AEAD tag is 8 bytes long, hence
(see Section 5.3 of [RFC8613]) is 6 bytes long, and that the AEAD tag resulting in a ciphertext which is 14 bytes long. When using the
is 8 bytes long, hence resulting in a ciphertext which is 14 bytes group mode, COUNTERSIGN denotes the CounterSignature0 byte string as
long. Finally, COUNTERSIGN is the CounterSignature0 byte string as described in Section 4, and is 64 bytes long.
described in Section 4 and is 64 bytes long.
1. Request with ciphertext = 0xaea0155667924dff8a24e4cb35b9, kid = 5.1.1. Examples in Group Mode
0x25, Partial IV = 5 and kid context = 0x44616c
o Request with ciphertext = 0xaea0155667924dff8a24e4cb35b9, kid =
0x25, Partial IV = 5 and kid context = 0x44616c
Before compression (96 bytes): Before compression (96 bytes):
[ [
h'', h'',
{ 4:h'25', 6:h'05', 10:h'44616c', 9:COUNTERSIGN }, { 4:h'25', 6:h'05', 10:h'44616c', 9:COUNTERSIGN },
h'aea0155667924dff8a24e4cb35b9' h'aea0155667924dff8a24e4cb35b9'
] ]
After compression (85 bytes): After compression (85 bytes):
Flag byte: 0b00011001 = 0x19 Flag byte: 0b00111001 = 0x39
Option Value: 19 05 03 44 61 6c 25 (7 bytes) Option Value: 39 05 03 44 61 6c 25 (7 bytes)
Payload: ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9 COUNTERSIGN Payload: ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9 COUNTERSIGN
(14 bytes + size of COUNTERSIGN) (14 bytes + size of COUNTERSIGN)
1. Response with ciphertext = 0x60b035059d9ef5667c5a0710823b, kid = o Response with ciphertext = 0x60b035059d9ef5667c5a0710823b, kid =
0x52 and no Partial IV. 0x52 and no Partial IV.
Before compression (88 bytes): Before compression (88 bytes):
[ [
h'', h'',
{ 4:h'52', 9:COUNTERSIGN }, { 4:h'52', 9:COUNTERSIGN },
h'60b035059d9ef5667c5a0710823b' h'60b035059d9ef5667c5a0710823b'
] ]
After compression (80 bytes): After compression (80 bytes):
Flag byte: 0b00001000 = 0x08 Flag byte: 0b00101000 = 0x28
Option Value: 08 52 (2 bytes) Option Value: 28 52 (2 bytes)
Payload: 60 b0 35 05 9d 9e f5 66 7c 5a 07 10 82 3b COUNTERSIGN Payload: 60 b0 35 05 9d 9e f5 66 7c 5a 07 10 82 3b COUNTERSIGN
(14 bytes + size of COUNTERSIGN) (14 bytes + size of COUNTERSIGN)
5.1.2. Examples in Pairwise Mode
o Request with ciphertext = 0xaea0155667924dff8a24e4cb35b9, kid =
0x25, Partial IV = 5 and kid context = 0x44616c
Before compression (32 bytes):
[
h'',
{ 4:h'25', 6:h'05', 10:h'44616c' },
h'aea0155667924dff8a24e4cb35b9'
]
After compression (21 bytes):
Flag byte: 0b00011001 = 0x19
Option Value: 19 05 03 44 61 6c 25 (7 bytes)
Payload: ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9 (14 bytes)
o Response with ciphertext = 0x60b035059d9ef5667c5a0710823b, kid =
0x52 and no Partial IV.
Before compression (24 bytes):
[
h'',
{ 4:h'52'},
h'60b035059d9ef5667c5a0710823b'
]
After compression (16 bytes):
Flag byte: 0b00001000 = 0x08
Option Value: 08 52 (2 bytes)
Payload: 60 b0 35 05 9d 9e f5 66 7c 5a 07 10 82 3b (14 bytes)
6. Message Binding, Sequence Numbers, Freshness and Replay Protection 6. Message Binding, Sequence Numbers, Freshness and Replay Protection
The requirements and properties described in Section 7 of [RFC8613] The requirements and properties described in Section 7 of [RFC8613]
also apply to OSCORE used in group communication. In particular, also apply to OSCORE used in group communication. In particular,
group OSCORE provides message binding of responses to requests, which Group OSCORE provides message binding of responses to requests, which
provides relative freshness of responses, and replay protection of enables absolute freshness of responses that are not notifications,
requests. relative freshness of requests and notification responses, and replay
protection of requests.
6.1. Synchronization of Sender Sequence Numbers 6.1. Update of Replay Window
Upon joining the group, new servers are not aware of the Sender A new server joining a group may not be aware of the current Partial
Sequence Number values currently used by different clients to IVs (Sender Sequence Numbers of the clients). The first time the new
transmit group requests. This means that, when such servers receive server receives a request from a particular client, it is not able to
a secure group request from a given client for the first time, they verify if that request is a replay. The same holds when a server
are not able to verify if that request is fresh and has not been loses its mutable Security Context (see Section 2.4.1), for instance
replayed or (purposely) delayed. The same holds when a server loses
synchronization with Sender Sequence Numbers of clients, for instance
after a device reboot. after a device reboot.
The exact way to address this issue is application specific, and The exact way to address this issue is application specific, and
depends on the particular use case and its synchronization depends on the particular use case and its replay requirements. The
requirements. The list of methods to handle synchronization of list of methods to handle the update of a Replay Window is part of
Sender Sequence Numbers is part of the group communication policy, the group communication policy, and different servers can use
and different servers can use different methods. different methods.
Appendix E describes three possible approaches that can be considered Appendix E describes three possible approaches that can be considered
for synchronization of sequence numbers. to update a Replay Window.
7. Message Processing 7. Message Reception
Each request message and response message is protected and processed Upon receiving a protected message, a recipient endpoint retrieves a
as specified in [RFC8613], with the modifications described in the Security Context as in [RFC8613]. An endpoint MUST be able to
following sections. In particular, the following sections refer to distinguish between a Security Context to process OSCORE messages as
the signature mode of Group OSCORE, while the optimized mode and the in [RFC8613] and a Security Context to process Group OSCORE messages
pairwise mode are described in Section 9 and Appendix G, as defined in this specification.
respectively.
The following security objectives are fulfilled, as further discussed To this end, an endpoint can take into account the different
in Appendix A.2: data replay protection, group-level data structure of the Security Context defined in Section 2, for example
confidentiality, source authentication and message integrity. based on the presence of Counter Signature Algorithm in the Common
Context. Alternatively implementations can use an additional
parameter in the Security Context, to explicitly signal that it is
intended for processing Group OSCORE messages.
If any of the following two conditions holds, a recipient endpoint
MUST discard the incoming protected message:
o The Group Flag is set to 1, and the recipient endpoint can not
retrieve a Security Context which is both valid to process the
message and also associated to an OSCORE group.
o The Group Flag is set to 0, and the recipient endpoint retrieves a
Security Context which is both valid to process the message and
also associated to an OSCORE group, but the endpoint does not
support the pairwise mode.
Otherwise, if a Security Context associated to an OSCORE group and
valid to process the message is retrieved, the recipient endpoint
processes the message with Group OSCORE, using the group mode (see
Section 8) if the Group Flag is set to 1, or the pairwise mode (see
Section 9) if the Group Flag is set to 0.
Note that, if the Group Flag is set to 0, and the recipient endpoint
retrieves a Security Context which is valid to process the message
but is not associated to an OSCORE group, then the message is
processed according to [RFC8613].
8. Message Processing in Group Mode
When using the group mode, messages are protected and processed as
specified in [RFC8613], with the modifications described in this
section. The security objectives of the group mode are discussed in
Appendix A.2. The group mode MUST be supported.
The group mode MUST be used to protect group requests intended for
multiple recipients or for the whole group. This includes both
requests directly addressed to multiple recipients, e.g. sent by the
client over multicast, as well as requests sent by the client over
unicast to a proxy, that forwards them to the intended recipients
over multicast [I-D.ietf-core-groupcomm-bis].
As per [RFC7252][I-D.ietf-core-groupcomm-bis], group requests sent As per [RFC7252][I-D.ietf-core-groupcomm-bis], group requests sent
over multicast MUST be Non-Confirmable, and thus cannot be over multicast MUST be Non-Confirmable, and thus cannot be
retransmitted by the CoAP messaging layer. Instead, applications retransmitted by the CoAP messaging layer. Instead, applications
should store such outgoing messages for a pre-defined, sufficient should store such outgoing messages for a pre-defined, sufficient
amount of time, in order to correctly perform possible amount of time, in order to correctly perform possible
retransmissions at the application layer. However, this does not retransmissions at the application layer. According to Section 5.2.3
prevent the acknowledgment of Confirmable group requests in non- of [RFC7252], responses to Non-Confirmable group requests SHOULD also
multicast environments. Besides, according to Section 5.2.3 of be Non-Confirmable, but endpoints MUST be prepared to receive
[RFC7252], responses to Non-Confirmable group requests SHOULD be also
Non-Confirmable. However, endpoints MUST be prepared to receive
Confirmable responses in reply to a Non-Confirmable group request. Confirmable responses in reply to a Non-Confirmable group request.
Confirmable group requests are acknowledged in non-multicast
environments, as specified in [RFC7252].
Furthermore, endpoints in the group locally perform error handling Furthermore, endpoints in the group locally perform error handling
and processing of invalid messages according to the same principles and processing of invalid messages according to the same principles
adopted in [RFC8613]. However, a recipient MUST stop processing and adopted in [RFC8613]. However, a recipient MUST stop processing and
silently reject any message which is malformed and does not follow silently reject any message which is malformed and does not follow
the format specified in Section 4, or which is not cryptographically the format specified in Section 4, or which is not cryptographically
validated in a successful way. In either case, it is RECOMMENDED validated in a successful way. In either case, it is RECOMMENDED
that the recipient does not send back any error message. This that the recipient does not send back any error message. This
prevents servers from replying with multiple error messages to a prevents servers from replying with multiple error messages to a
client sending a group request, so avoiding the risk of flooding and client sending a group request, so avoiding the risk of flooding and
possibly congesting the group. possibly congesting the network.
7.1. Protecting the Request 8.1. Protecting the Request
A client transmits a secure group request as described in Section 8.1 A client transmits a secure group request as described in Section 8.1
of [RFC8613], with the following modifications. of [RFC8613], with the following modifications.
o In step 2, the 'algorithms' array in the Additional Authenticated o In step 2, the Additional Authenticated Data is modified as
Data is modified as described in Section 4 of this specification. described in Section 4.
o In step 4, the encryption of the COSE object is modified as o In step 4, the encryption of the COSE object is modified as
described in Section 4 of this specification. The encoding of the described in Section 4. The encoding of the compressed COSE
compressed COSE object is modified as described in Section 5 of object is modified as described in Section 5. In particular, the
this specification. Group Flag MUST be set to 1.
o In step 5, the counter signature is computed and the format of the o In step 5, the counter signature is computed and the format of the
OSCORE message is modified as described in Section 4 and Section 5 OSCORE message is modified as described in Section 4 and
of this specification. In particular, the payload of the OSCORE Section 5. In particular, the payload of the OSCORE message
message includes also the counter signature. includes also the counter signature.
7.1.1. Supporting Observe 8.1.1. Supporting Observe
If Observe [RFC7641] is supported, for each newly started If Observe [RFC7641] is supported, for each newly started
observation, the client MUST store the value of the 'kid' parameter observation, the client MUST store the value of the 'kid' parameter
from the original Observe request. from the original Observe request.
The client MUST NOT update the stored value, even in case it is The client MUST NOT update the stored value, even in case it is
individually rekeyed and receives a new Sender ID from the Group individually rekeyed and receives a new Sender ID from the Group
Manager (see Section 2.5). Manager (see Section 2.4.3.1).
7.2. Verifying the Request 8.2. Verifying the Request
Upon receiving a secure group request, a server proceeds as described Upon receiving a secure group request with the Group Flag set to 1,
following the procedure in Section 7, a server proceeds as described
in Section 8.2 of [RFC8613], with the following modifications. in Section 8.2 of [RFC8613], with the following modifications.
o In step 2, the decoding of the compressed COSE object follows o In step 2, the decoding of the compressed COSE object follows
Section 5 of this specification. In particular: Section 5. In particular:
* If the Pairwise Flag bit is set to 1, and the server discards * If the server discards the request due to not retrieving a
the request due to not supporting this feature or not Security Context associated to the OSCORE group, the server MAY
retrieving a Security Context associated to the OSCORE group, respond with a 4.02 (Bad Option) error. When doing so, the
the server MAY respond with a 4.02 (Bad Option) error. When server MAY set an Outer Max-Age option with value zero, and MAY
doing so, the server MAY set an Outer Max-Age option with value include a descriptive string as diagnostic payload.
zero, and MAY include a descriptive string as diagnostic
payload.
* If the received Recipient ID ('kid') does not match with any * If the received 'kid context' matches an existing ID Context
Recipient Context for the retrieved Gid ('kid context'), then (Gid) but the received 'kid' does not match any Recipient ID in
the server MAY create a new Recipient Context and initializes this Security Context, then the server MAY create a new
it according to Section 3 of [RFC8613], also retrieving the Recipient Context for this Recipient ID and initialize it
client's public key. Such a configuration is application according to Section 3 of [RFC8613], and also retrieve the
associated public key. Such a configuration is application
specific. If the application does not specify dynamic specific. If the application does not specify dynamic
derivation of new Recipient Contexts, then the server SHALL derivation of new Recipient Contexts, then the server SHALL
stop processing the request. stop processing the request.
o In step 4, the 'algorithms' array in the Additional Authenticated o In step 4, the Additional Authenticated Data is modified as
Data is modified as described in Section 4 of this specification. described in Section 4.
o In step 6, the server also verifies the counter signature using o In step 6, the server also verifies the counter signature using
the public key of the client from the associated Recipient the public key of the client from the associated Recipient
Context. If the signature verification fails, the server MAY Context. If the signature verification fails, the server SHALL
reply with a 4.00 (Bad Request) response. stop processing the request and MAY respond with a 4.00 (Bad
Request) response. If the verification fails, the same steps are
taken as if the decryption had failed. In particular, the Replay
Window is only updated if both the signature verification and the
decryption succeed.
o Additionally, if the used Recipient Context was created upon o Additionally, if the used Recipient Context was created upon
receiving this group request and the message is not verified receiving this group request and the message is not verified
successfully, the server MAY delete that Recipient Context. Such successfully, the server MAY delete that Recipient Context. Such
a configuration, which is specified by the application, would a configuration, which is specified by the application, mitigates
prevent attackers from overloading the server's storage and attacks that aim at overloading the server's storage.
creating processing overhead on the server.
A server SHOULD NOT process a request if the received Recipient ID A server SHOULD NOT process a request if the received Recipient ID
('kid') is equal to its own Sender ID in its own Sender Context. ('kid') is equal to its own Sender ID in its own Sender Context. For
an example where this is not fulfilled, see Section 5.2.1 in
[I-D.tiloca-core-observe-multicast-notifications].
7.2.1. Supporting Observe 8.2.1. Supporting Observe
If Observe [RFC7641] is supported, for each newly started If Observe [RFC7641] is supported, for each newly started
observation, the server MUST store the value of the 'kid' parameter observation, the server MUST store the value of the 'kid' parameter
from the original Observe request. from the original Observe request.
The server MUST NOT update the stored value, even in case the The server MUST NOT update the stored value of a 'kid' parameter
observer client is individually rekeyed and starts using a new Sender associated to a particular Observe request, even in case the observer
ID received from the Group Manager (see Section 2.5). client is individually rekeyed and starts using a new Sender ID
received from the Group Manager (see Section 2.4.3.1).
7.3. Protecting the Response
A server that has received a secure group request may reply with a
secure response, which is protected as described in Section 8.3 of
[RFC8613], with the following modifications.
o In step 2, the 'algorithms' array in the Additional Authenticated
Data is modified as described in Section 4 of this specification.
o In step 4, the encryption of the COSE object is modified as 8.3. Protecting the Response
described in Section 4 of this specification. The encoding of the
compressed COSE object is modified as described in Section 5 of
this specification.
o In step 5, the counter signature is computed and the format of the If a server generates a CoAP message in response to a Group OSCORE
OSCORE mesage is modified as described in Section 5 of this request, then the server SHALL follow the description in Section 8.3
specification. In particular, the payload of the OSCORE message of [RFC8613], with the modifications described in this section.
includes also the counter signature.
Note that the server MUST always protect a response by using its own Note that the server always protects a response with the Sender
Sender Context from the latest owned Security Context. Context from its latest Security Context, and that a new Security
Context does not reset the Sender Sequence Number unless otherwise
specified by the application (see Section 3.1).
Consistently, upon the establishment of a new Security Context, the o In step 2, the Additional Authenticated Data is modified as
server may end up protecting a response by using a Security Context described in Section 4.
different from the one used to protect the group request (see
Section 10.4). In such a case:
o The server MUST encode the Partial IV (Sender Sequence Number in o In step 3, if the server is using a different Security Context for
network byte order), which is set to the Sender Sequence Number of the response compared to what was used to verify the request (see
the server; increment the Sender Sequence Number by one; compute Section 3.1), then the AEAD nonce from the request MUST NOT be
the AEAD nonce from the Sender ID, Common IV, and Partial IV. used.
o The server MUST include in the response the 'Partial IV' o In step 4, the encryption of the COSE object is modified as
parameter, which is set to the encoded Partial IV value above. described in Section 4. The encoding of the compressed COSE
object is modified as described in Section 5. In particular, the
Group Flag MUST be set to 1. If the server is using a different
ID Context (Gid) for the response compared to what was used to
verify the request (see Section 3.1), then the new ID Context MUST
be included in the 'kid context' parameter of the response.
o The server SHOULD include in the response the 'kid context' o In step 5, the counter signature is computed and the format of the
parameter, which is set to the ID Context of the new Security OSCORE message is modified as described in Section 5. In
Context, i.e. the new Group Identifier (Gid). particular, the payload of the OSCORE message includes also the
counter signature.
7.3.1. Supporting Observe 8.3.1. Supporting Observe
If Observe [RFC7641] is supported, the server may have ongoing If Observe [RFC7641] is supported, the server may have ongoing
observations, started by Observe requests protected with an old observations, started by Observe requests protected with an old
Security Context. Security Context.
After completing the establishment of a new Security Context, the After completing the establishment of a new Security Context, the
server MUST protect the following notifications with its own Sender server MUST protect the following notifications with the Sender
Context from the new Security Context. Context of the new Security Context.
For each ongoing observation, the server SHOULD include in the first For each ongoing observation, the server MUST include in the first
notification protected with the new Security Context also the 'kid notification protected with the new Security Context also the 'kid
context' parameter, which is set to the ID Context of the new context' parameter, which is set to the ID Context (Gid) of the new
Security Context, i.e. the new Group Identifier (Gid). It is Security Context. It is OPTIONAL for the server to include the ID
OPTIONAL for the server to include the 'kid context' parameter, as Context (Gid) in the 'kid context' parameter also in further
set to the new Gid, also in further following notifications for those following notifications for those observations.
observations.
Furthermore, for each ongoing observation, the server MUST use the Furthermore, for each ongoing observation, the server MUST use the
stored value of the 'kid' parameter from the original Observe stored value of the 'kid' parameter from the original Observe
request, as value for the 'request_kid' parameter in the two request, as value for the 'request_kid' parameter in the two
external_aad structures (see Section 4.3.1 and Section 4.3.2), when external_aad structures (see Section 4.3.1 and Section 4.3.2), when
protecting notifications for that observation. protecting notifications for that observation.
7.4. Verifying the Response 8.4. Verifying the Response
Upon receiving a secure response message, the client proceeds as Upon receiving a secure response message with the Group Flag set to
1, following the procedure in Section 7, the client proceeds as
described in Section 8.4 of [RFC8613], with the following described in Section 8.4 of [RFC8613], with the following
modifications. modifications.
Note that a client may receive a response protected with a Security
Context different from the one used to protect the corresponding
group request, and that, upon the establishment of a new Security
Context, the client does not reset its own replay windows in its
Recipient Contexts, unless otherwise specified by the application
(see Section 3.1).
o In step 2, the decoding of the compressed COSE object is modified o In step 2, the decoding of the compressed COSE object is modified
as described in Section 4 of this specification. If the received as described in Section 5. If the received 'kid context' matches
Recipient ID ('kid') does not match with any Recipient Context for an existing ID Context (Gid) but the received 'kid' does not match
the retrieved Gid ('kid context'), then the client MAY create a any Recipient ID in this Security Context, then the client MAY
new Recipient Context and initializes it according to Section 3 of create a new Recipient Context for this Recipient ID and
[RFC8613], also retrieving the server's public key. If the initialize it according to Section 3 of [RFC8613], and also
application does not specify dynamic derivation of new Recipient retrieve the associated public key. If the application does not
Contexts, then the client SHALL stop processing the response. specify dynamic derivation of new Recipient Contexts, then the
client SHALL stop processing the response.
o In step 3, the 'algorithms' array in the Additional Authenticated o In step 3, the Additional Authenticated Data is modified as
Data is modified as described in Section 4 of this specification. described in Section 4.
o In step 5, the client also verifies the counter signature using o In step 5, the client also verifies the counter signature using
the public key of the server from the associated Recipient the public key of the server from the associated Recipient
Context. Context. If the verification fails, the same steps are taken as
if the decryption had failed.
o Additionally, if the used Recipient Context was created upon o Additionally, if the used Recipient Context was created upon
receiving this response and the message is not verified receiving this response and the message is not verified
successfully, the client MAY delete that Recipient Context. Such successfully, the client MAY delete that Recipient Context. Such
a configuration, which is specified by the application, would a configuration, which is specified by the application, mitigates
prevent attackers from overloading the client's storage and attacks that aim at overloading the client's storage.
creating processing overhead on the client.
Note that, as discussed in Section 10.4, a client may receive a
response protected with a Security Context different from the one
used to protect the corresponding group request.
7.4.1. Supporting Observe 8.4.1. Supporting Observe
If Observe [RFC7641] is supported, for each ongoing observation, the If Observe [RFC7641] is supported, for each ongoing observation, the
client MUST use the stored value of the 'kid' parameter from the client MUST use the stored value of the 'kid' parameter from the
original Observe request, as value for the 'request_kid' parameter in original Observe request, as value for the 'request_kid' parameter in
the two external_aad structures (see Section 4.3.1 and the two external_aad structures (see Section 4.3.1 and
Section 4.3.2), when verifying notifications for that observation. Section 4.3.2), when verifying notifications for that observation.
This ensures that the client can correctly verify notifications, even This ensures that the client can correctly verify notifications, even
in case it is individually rekeyed and starts using a new Sender ID in case it is individually rekeyed and starts using a new Sender ID
received from the Group Manager (see Section 2.5). received from the Group Manager (see Section 2.4.3.1).
8. Responsibilities of the Group Manager 9. Message Processing in Pairwise Mode
The Group Manager is responsible for performing the following tasks: When using the pairwise mode of Group OSCORE, messages are protected
and processed as in Section 8, with the modifications described in
this section. The security objectives of the pairwise mode are
discussed in Appendix A.2.
1. Creating and managing OSCORE groups. This includes the The pairwise mode takes advantage of an existing Security Context for
assignment of a Gid to every newly created group, as well as the group mode to establish a Security Context shared exclusively
ensuring uniqueness of Gids within the set of its OSCORE groups. with any other member. In order to use the pairwise mode, the
signature scheme of the group mode MUST support a combined signature
and encryption scheme. This can be, for example, signature using
ECDSA, and encryption using AES-CCM with a key derived with ECDH.
The pairwise mode does not support intermediary verification of
source authentication or integrity.
2. Defining policies for authorizing the joining of its OSCORE The pairwise mode MAY be supported. The pairwise mode MUST be
groups. supported by endpoints that use the CoAP Echo Option
[I-D.ietf-core-echo-request-tag] and/or block-wise transfers
[RFC7959], for instance for responses after the first block-wise
request, possibly targeting all servers in the group and including
the CoAP Block2 option (see Section 2.3.6 of
[I-D.ietf-core-groupcomm-bis]). An endpoint implementing only a
silent server does not support the pairwise mode.
3. Handling the join process to add new endpoints as group members. The pairwise mode protects messages between two members of a group,
essentially following [RFC8613], but with the following notable
differences:
4. Establishing the Common Context part of the Security Context, o The 'kid' and 'kid context' parameters of the COSE object are used
and providing it to authorized group members during the join as defined in Section 4.2.
process, together with the corresponding Sender Context.
5. Generating and managing Sender IDs within its OSCORE groups, as o The external_aad defined in Section 4.3.1 is used for the
well as assigning and providing them to new endpoints during the encryption process.
join process. This includes ensuring uniqueness of Sender IDs
within each of its OSCORE groups.
6. Defining a communication policy for each of its OSCORE groups, o The Sender/Recipient Keys used in the pairwise mode are derived as
and signalling it to new endpoints during the join process. defined in Section 2.3.
7. Renewing the Security Context of an OSCORE group upon membership Senders MUST NOT use the pairwise mode to protect a message intended
change, by revoking and renewing common security parameters and for multiple recipients. The pairwise mode is defined only between
keying material (rekeying). two endpoints and the keying material is thus only available to one
recipient.
8. Providing the management keying material that a new endpoint The Group Manager MAY indicate that the group uses also the pairwise
requires to participate in the rekeying process, consistent with mode, as part of the group communication policies signalled to
the key management scheme used in the group joined by the new candidate group members when joining the group.
endpoint.
9. Updating the Gid of its OSCORE groups, upon renewing the 9.1. Pre-Conditions
respective Security Context.
10. Acting as key repository, in order to handle the public keys of In order to protect an outgoing message in pairwise mode, the sender
the members of its OSCORE groups, and providing such public keys needs to know the public key and the Recipient ID for the recipient
to other members of the same group upon request. The actual endpoint, as stored in the Recipient Context associated to that
storage of public keys may be entrusted to a separate secure endpoint (see Pairwise Sender Context of Section 2.3.3).
storage device.
11. Validating that the format and parameters of public keys of Furthermore, the sender needs to know the individual address of the
group members are consistent with the countersignature algorithm recipient endpoint. This information may not be known at any given
and related parameters used in the respective OSCORE group. point in time. For instance, right after having joined the group, a
client may know the public key and Recipient ID for a given server,
but not the addressing information required to reach it with an
individual, one-to-one request.
9. Optimized Mode To make addressing information of individual endpoints available,
servers in the group MAY expose a resource to which a client can send
a group request targeting a server or a set of servers, identified by
their 'kid' value(s). The specified set may be empty, hence
identifying all the servers in the group. Further details of such an
interface are out of scope for this document.
For use cases that do not require an intermediary performing 9.2. Protecting the Request
signature verification and that use a compatible signature algorithm,
the optimized mode defined in this section provides significant
smaller message sizes and increases the security by making responses
confidential to other group members than the intended recipient.
9.1. Optimized Request When using the pairwise mode, the request is protected as defined in
Section 8.1, with the following differences.
No changes. o The Group Flag MUST be set to 0.
9.1.1. Optimized Compressed Request o The Sender Key used is the Pairwise Sender Key (see Section 2.3).
The OSCORE header compression defined in Section 5 is used, with the o The counter signature is not computed and therefore not included
following difference: the payload of the OSCORE message SHALL encode in the message. The payload of the protected request thus
the ciphertext without the tag, concatenated with the value of the terminates with the encoded ciphertext of the COSE object, just as
CounterSignature0 of the COSE object computed as described in in [RFC8613].
Section 4.1.
The optimized compressed request is compatible with all AEAD Note that, just as in the group mode, the external_aad for encryption
algorithms defined in [RFC8152], but would not be compatible with is generated as in Section 4.3.1, and the Partial IV is the current
AEAD algorithms that do not have a well-defined tag. fresh value of the Sender Sequence Number (see Section 2.3.2).
9.2. Optimized Response 9.3. Verifying the Request
An optimized response is protected as defined in Section 7.3, with Upon receiving a request with the Group Flag set to 0, following the
the following differences. procedure in Section 7, the server MUST process it as defined in
Section 8.2, with the following differences.
o The server MUST set to 1 the sixth least significant bit of the o If the server discards the request due to not retrieving a
OSCORE flag bits in the OSCORE option, i.e. the Pairwise Flag. Security Context associated to the OSCORE group or to not
supporting the pairwise mode, the server MAY respond with a 4.02
(Bad Option) error. When doing so, the server MAY set an Outer
Max-Age option with value zero, and MAY include a descriptive
string as diagnostic payload.
o The COSE_Encrypt0 object included in the optimized response is o If a new Recipient Context is created for this Recipient ID, new
encrypted using a symmetric pairwise key K, that the server Pairwise Sender/Recipient Keys are also derived (see
derives as defined in Section 3. In particular, the Sender/ Section 2.3.1). The new Pairwise Sender/Recipient Keys are
Recipient Key is the Sender Key of the server from its own Sender deleted if the Recipient Context is deleted as a result of the
Context, i.e. the Recipient Key that the client stores in its own message not being successfully verified.
Recipient Context corresponding to the server.
o The Counter Signature is not computed. That is, unlike defined in o The Recipient Key used is the Pairwise Recipient Key (see
Section 5, the payload of the OSCORE message terminates with the Section 2.3).
encoded ciphertext of the COSE object.
Note that no changes are made to the AEAD nonce and AAD. o No verification of counter signature occurs, as there is none
included in the message.
Upon receiving a response with the Pairwise Flag set to 1, the client 9.4. Protecting the Response
MUST process it as defined in Section 7.4, with the following
differences.
o No countersignature to verify is included. When using the pairwise mode, a response is protected as defined in
Section 8.3, with the following differences.
o The COSE_Encrypt0 object included in the optimized response is o The Group Flag MUST be set to 0.
decrypted and verified using the same symmetric pairwise key K,
that the client derives as described above for the server side and
as defined in Section 3.
9.2.1. Optimized Compressed Response o The Sender Key used is the Pairwise Sender Key (see Section 2.3).
No changes. o The counter signature is not computed and therefore not included
in the message. The payload of the protected response thus
terminates with the encoded ciphertext of the COSE object, just as
in [RFC8613].
9.5. Verifying the Response
Upon receiving a response with the Group Flag set to 0, following the
procedure in Section 7, the client MUST process it as defined in
Section 8.4, with the following differences.
o If a new Recipient Context is created for this Recipient ID, new
Pairwise Sender/Recipient Keys are also derived (see
Section 2.3.1). The new Pairwise Sender/Recipient Keys are
deleted if the Recipient Context is deleted as a result of the
message not being successfully verified.
o The Recipient Key used is the Pairwise Recipient Key (see
Section 2.3).
o No verification of counter signature occurs, as there is none
included in the message.
10. Security Considerations 10. Security Considerations
The same threat model discussed for OSCORE in Appendix D.1 of The same threat model discussed for OSCORE in Appendix D.1 of
[RFC8613] holds for Group OSCORE. In addition, source authentication [RFC8613] holds for Group OSCORE. In addition, when using the group
of messages is explicitly ensured by means of counter signatures, as mode, source authentication of messages is explicitly ensured by
discussed in Section 10.1. means of counter signatures, as discussed in Section 10.1.
The same considerations on supporting Proxy operations discussed for The same considerations on supporting Proxy operations discussed for
OSCORE in Appendix D.2 of [RFC8613] hold for Group OSCORE. OSCORE in Appendix D.2 of [RFC8613] hold for Group OSCORE.
The same considerations on protected message fields for OSCORE The same considerations on protected message fields for OSCORE
discussed in Appendix D.3 of [RFC8613] hold for Group OSCORE. discussed in Appendix D.3 of [RFC8613] hold for Group OSCORE.
The same considerations on uniqueness of (key, nonce) pairs for The same considerations on uniqueness of (key, nonce) pairs for
OSCORE discussed in Appendix D.4 of [RFC8613] hold for Group OSCORE. OSCORE discussed in Appendix D.4 of [RFC8613] hold for Group OSCORE.
This is further discussed in Section 10.2. This is further discussed in Section 10.2.
The same considerations on unprotected message fields for OSCORE The same considerations on unprotected message fields for OSCORE
discussed in Appendix D.5 of [RFC8613] hold for Group OSCORE, with discussed in Appendix D.5 of [RFC8613] hold for Group OSCORE, with
the following difference. The countersignature included in a Group the following difference. The counter signature included in a Group
OSCORE message is computed also over the value of the OSCORE option, OSCORE message protected in group mode is computed also over the
which is part of the Additional Authenticated Data used in the value of the OSCORE option, which is part of the Additional
signing process. This is further discussed in Section 10.6. Authenticated Data used in the signing process. This is further
discussed in Section 10.6.
As discussed in Section 6.2.3 of [I-D.ietf-core-groupcomm-bis], Group As discussed in Section 6.2.3 of [I-D.ietf-core-groupcomm-bis], Group
OSCORE addresses security attacks against CoAP listed in Sections OSCORE addresses security attacks against CoAP listed in Sections
11.2-11.6 of [RFC7252], especially when mounted over IP multicast. 11.2-11.6 of [RFC7252], especially when run over IP multicast.
The rest of this section first discusses security aspects to be taken The rest of this section first discusses security aspects to be taken
into account when using Group OSCORE. Then it goes through aspects into account when using Group OSCORE. Then it goes through aspects
covered in the security considerations of OSCORE (Section 12 of covered in the security considerations of OSCORE (Section 12 of
[RFC8613]), and discusses how they hold when Group OSCORE is used. [RFC8613]), and discusses how they hold when Group OSCORE is used.
10.1. Group-level Security 10.1. Group-level Security
The signature mode described in Section 7 relies on commonly shared The group mode described in Section 8 relies on commonly shared group
group keying material to protect communication within a group. This keying material to protect communication within a group. This has
has the following implications. the following implications.
o Messages are encrypted at a group level (group-level data o Messages are encrypted at a group level (group-level data
confidentiality), i.e. they can be decrypted by any member of the confidentiality), i.e. they can be decrypted by any member of the
group, but not by an external adversary or other external group, but not by an external adversary or other external
entities. entities.
o The AEAD algorithm provides only group authentication, i.e. it o The AEAD algorithm provides only group authentication, i.e. it
ensures that a message sent to a group has been sent by a member ensures that a message sent to a group has been sent by a member
of that group, but not by the alleged sender. This is why source of that group, but not by the alleged sender. This is why source
authentication of messages sent to a group is ensured through a authentication of messages sent to a group is ensured through a
counter signature, which is computed by the sender using its own counter signature, which is computed by the sender using its own
private key and then appended to the message payload. private key and then appended to the message payload.
Instead, the pairwise mode described in Appendix G protects messages Instead, the pairwise mode described in Section 9 protects messages
by using pairwise symmetric keys, derived from the static-static by using pairwise symmetric keys, derived from the static-static
Diffie-Hellman shared secret computed from the asymmetric keys of the Diffie-Hellman shared secret computed from the asymmetric keys of the
sender and recipient endpoint (see Section 3). Therefore, in the sender and recipient endpoint (see Section 2.3). Therefore, in the
parwise mode, the AEAD algorithm provides both pairwise data- parwise mode, the AEAD algorithm provides both pairwise data-
confidentiality and source authentication of messages, without using confidentiality and source authentication of messages, without using
counter signatures. counter signatures.
The long-term storing of the Diffie-Hellman shared secret is a
potential security issue. In fact, if the shared secret of two group
members is leaked, a third group member can exploit it to impersonate
any of those two group members, by deriving and using their pairwise
key. The possibility of such leakage should be contemplated, as more
likely to happen than the leakage of a private key, which could be
rather protected at a significantly higher level than generic memory,
e.g. by using a Trusted Platform Module. Therefore, there is a
trade-off between the maximum amount of time a same shared secret is
stored and the frequency of its re-computing.
Note that, even if an endpoint is authorized to be a group member and Note that, even if an endpoint is authorized to be a group member and
to take part in group communications, there is a risk that it behaves to take part in group communications, there is a risk that it behaves
inappropriately. For instance, it can forward the content of inappropriately. For instance, it can forward the content of
messages in the group to unauthorized entities. However, in many use messages in the group to unauthorized entities. However, in many use
cases, the devices in the group belong to a common authority and are cases, the devices in the group belong to a common authority and are
configured by a commissioner (see Appendix B), which results in a configured by a commissioner (see Appendix B), which results in a
practically limited risk and enables a prompt detection/reaction in practically limited risk and enables a prompt detection/reaction in
case of misbehaving. case of misbehaving.
10.2. Uniqueness of (key, nonce) 10.2. Uniqueness of (key, nonce)
skipping to change at page 28, line 44 skipping to change at page 35, line 40
nonce) pair. nonce) pair.
10.3. Management of Group Keying Material 10.3. Management of Group Keying Material
The approach described in this specification should take into account The approach described in this specification should take into account
the risk of compromise of group members. In particular, this the risk of compromise of group members. In particular, this
document specifies that a key management scheme for secure revocation document specifies that a key management scheme for secure revocation
and renewal of Security Contexts and group keying material should be and renewal of Security Contexts and group keying material should be
adopted. adopted.
Especially in dynamic, large-scale, groups where endpoints can join [I-D.ietf-ace-key-groupcomm-oscore] provides a simple rekeying scheme
and leave at any time, it is important that the considered group key for renewing the Security Context in a group.
management scheme is efficient and highly scalable with the group
size, in order to limit the impact on performance due to the Security Alternative rekeying schemes which are more scalable with the group
Context and keying material update. size may be needed in dynamic, large-scale, groups where endpoints
can join and leave at any time, in order to limit the impact on
performance due to the Security Context and keying material update.
10.4. Update of Security Context and Key Rotation 10.4. Update of Security Context and Key Rotation
A group member can receive a message shortly after the group has been A group member can receive a message shortly after the group has been
rekeyed, and new security parameters and keying material have been rekeyed, and new security parameters and keying material have been
distributed by the Group Manager. distributed by the Group Manager.
This may result in a client using an old Security Context to protect This may result in a client using an old Security Context to protect
a group request, and a server using a different new Security Context a group request, and a server using a different new Security Context
to protect a corresponding response. That is, clients may receive a to protect a corresponding response. As a consequence, clients may
response protected with a Security Context different from the one receive a response protected with a Security Context different from
used to protect the corresponding group request. the one used to protect the corresponding group request.
In particular, a server may first get a group request protected with In particular, a server may first get a group request protected with
the old Security Context, then install the new Security Context, and the old Security Context, then install the new Security Context, and
only after that produce a response to send back to the client. Since only after that produce a response to send back to the client. In
a sender always protects an outgoing message using the latest owned such a case, as specified in Section 8.3, the server MUST protect the
Security Context, the server discussed above protects the possible potential response using the new Security Context. Specifically, the
response using the new Security Context. Then, the client will server MUST use its own Sender Sequence Number as Partial IV to
process that response using the new Security Context, provided that protect that response, and not the Partial IV from the request, in
it has installed the new security parameters and keying material order to prevent reuse of AEAD nonces in the new Security Context.
before the message reception.
The client will process that response using the new Security Context,
provided that it has installed the new security parameters and keying
material before the message reception.
In case block-wise transfer [RFC7959] is used, the same In case block-wise transfer [RFC7959] is used, the same
considerations from Section 7.2 of [I-D.ietf-ace-key-groupcomm] hold. considerations from Section 7.2 of [I-D.ietf-ace-key-groupcomm] hold.
Furthermore, as described below, a group rekeying may temporarily Furthermore, as described below, a group rekeying may temporarily
result in misaligned Security Contexts between the sender and result in misaligned Security Contexts between the sender and
recipient of a same message. recipient of a same message.
10.4.1. Late Update on the Sender 10.4.1. Late Update on the Sender
skipping to change at page 30, line 48 skipping to change at page 38, line 7
groups. groups.
The entity assigning an IP multicast address may help limiting the The entity assigning an IP multicast address may help limiting the
chances to experience such collisions of Group Identifiers. In chances to experience such collisions of Group Identifiers. In
particular, it may allow the Group Managers of groups using the same particular, it may allow the Group Managers of groups using the same
IP multicast address to share their respective list of assigned Group IP multicast address to share their respective list of assigned Group
Identifiers currently in use. Identifiers currently in use.
10.6. Cross-group Message Injection 10.6. Cross-group Message Injection
A same endpoint is allowed to and would likely use the same signature A same endpoint is allowed to and would likely use the same public/
key in multiple OSCORE groups, possibly administered by different private key pair in multiple OSCORE groups, possibly administered by
Group Managers. Also, the same endpoint can register several times different Group Managers.
in the same group, getting multiple unique Sender IDs. This requires
that, when a sender endpoint sends a message to an OSCORE group using
a Sender ID, the countersignature included in the message is
explicitly bound also to that group and to the used Sender ID.
To this end, the countersignature of each message protected with When a sender endpoint sends a message protected in pairwise mode to
Group OSCORE is computed also over the value of the OSCORE option, a recipient endpoint in an OSCORE group, a malicious group member may
which is part of the Additional Authenticated Data used in the attempt to inject the message to a different OSCORE group also
signing process (see Section 4.3.2). That is, the countersignature including the same endpoints (see Section 10.6.1).
is computed also over: the ID Context (Group ID) and the Partial IV,
which are always present in group requests; as well as the Sender ID
of the message originator, which is always present in all group
requests and responses.
Since the signing process takes as input also the ciphertext of the This practically relies on altering the content of the OSCORE option,
COSE_Encrypt0 object, the countersignature is bound not only to the and having the same MAC in the ciphertext still correctly validating,
intended OSCORE group, hence to the triplet (Master Secret, Master which has a success probability depending on the size of the MAC.
Salt, ID Context), but also to a specific Sender ID in that group and
to its specific symmetric key used for AEAD encryption, hence to the
quartet (Master Secret, Master Salt, ID Context, Sender ID).
This makes it practically infeasible to perform the attack described As discussed in Section 10.6.2, the attack is practically infeasible
below, where a malicious group member injects forged messages to a if the message is protected in group mode, since the counter
different OSCORE group than the originally intended one. Let us signature is bound also to the OSCORE option, through the Additional
consider: Authenticated Data used in the signing process (see Section 4.3.2).
10.6.1. Attack Description
Let us consider:
o Two OSCORE groups G1 and G2, with ID Context (Group ID) Gid1 and o Two OSCORE groups G1 and G2, with ID Context (Group ID) Gid1 and
Gid2, respectively. Both G1 and G2 use the AEAD cipher AES-CCM- Gid2, respectively. Both G1 and G2 use the AEAD cipher AES-CCM-
16-64-128, i.e. the MAC of the ciphertext is 8 bytes in size. 16-64-128, i.e. the MAC of the ciphertext is 8 bytes in size.
o A victim endpoint V which is member of both G1 and G2, and uses o A sender endpoint X which is member of both G1 and G2, and uses
the same signature key in both groups. The endpoint V has Sender the same public/private key pair in both groups. The endpoint X
ID Sid1 in G1 and Sender ID Sid2 in G2. The pairs (Sid1, Gid1) has Sender ID Sid1 in G1 and Sender ID Sid2 in G2. The pairs
and (Sid2, Gid2) identify the same public key of V in G1 and G2, (Sid1, Gid1) and (Sid2, Gid2) identify the same public key of X in
respectively. G1 and G2, respectively.
o A recipient endpoint Y which is member of both G1 and G2, and uses
the same public/private key pair in both groups. The endpoint Y
has Sender ID Sid3 in G1 and Sender ID Sid4 in G2. The pairs
(Sid3, Gid1) and (Sid4, Gid2) identify the same public key of Y in
G1 and G2, respectively.
o A malicious endpoint Z is also member of both G1 and G2. Hence, Z o A malicious endpoint Z is also member of both G1 and G2. Hence, Z
is able to derive the symmetric keys associated to V in G1 and G2. is able to derive the symmetric keys associated to X in G1 and G2.
If countersignatures were not computed also over the value of the When X sends a message M1 addressed to Y in G1 and protected in
OSCORE option as discussed above, Z can intercept a group message M1 pairwise mode, Z can intercept M1, and forge a valid message M2 to be
sent by V to G1, and forge a valid signed message M2 to be injected injected in G2, making it appear as still sent by X to Y and valid to
in G2, making it appear as sent by V and valid to be accepted. be accepted.
More in detail, Z first intercepts a message M1 sent by V in G1, and More in detail, Z intercepts and stops message M1, and forges a
tries to forge a message M2, by changing the value of the OSCORE message M2 by changing the value of the OSCORE option from M1 as
option from M1 as follows: the 'kid context' is changed from G1 to follows: the 'kid context' is changed from G1 to G2; and the 'kid' is
G2; and the 'kid' is changed from Sid1 to Sid2. changed from Sid1 to Sid2. Then, Z injects message M2 as addressed
to Y in G2.
If M2 is used as a request message, there is a probability equal to Upon receiving M2, there is a probability equal to 2^-64 that Y
2^-64 that the same unchanged MAC is successfully verified by using successfully verifies the same unchanged MAC by using Sid2 as
Sid2 as 'request_kid' and the symmetric key associated to V in G2. 'request_kid' and using the Pairwise Recipient Key associated to X in
In such a case, the same unchanged signature would be also valid. G2.
Note that Z can check offline if a performed forgery is actually
valid before sending the forged message to G2. That is, this attack
has a complexity of 2^64 offline calculations.
If M2 is used as a response, Z can also change the response Partial Note that Z does not know the pairwise keys of X and Y, since it does
IV, until the same unchanged MAC is successfully verified by using not know and is not able to compute their shared Diffie-Hellman
Sid2 as 'request_kid' and the symmetric key associated to V in G2. secret. Therefore, Z is not able to check offline if a performed
In such a case, the same unchanged signature would be also valid. forgery is actually valid, before sending the forged message to G2.
Since the Partial IV is 5 bytes in size, this requires 2^40
operations to test all the Partial IVs, which can be done in real-
time. Also, the probability that a single given message M1 can be
used to forge a response M2 for a given request is equal to 2^-24,
since there are more MAC values (8 bytes in size) than Partial IV
values (5 bytes in size).
Note that, by changing the Partial IV as discussed above, any member 10.6.2. Attack Prevention in Group Mode
of G1 would also be able to forge a valid signed response message M2
to be injected in G1. When a Group OSCORE message is protected with the group mode, the
counter signature is computed also over the value of the OSCORE
option, which is part of the Additional Authenticated Data used in
the signing process (see Section 4.3.2).
That is, the countersignature is computed also over: the ID Context
(Group ID) and the Partial IV, which are always present in group
requests; as well as the Sender ID of the message originator, which
is always present in all group requests and responses.
Since the signing process takes as input also the ciphertext of the
COSE_Encrypt0 object, the countersignature is bound not only to the
intended OSCORE group, hence to the triplet (Master Secret, Master
Salt, ID Context), but also to a specific Sender ID in that group and
to its specific symmetric key used for AEAD encryption, hence to the
quartet (Master Secret, Master Salt, ID Context, Sender ID).
This makes it practically infeasible to perform the attack described
in Section 10.6.1, since it would require the adversary to
additionally forge a valid countersignature that replaces the
original one in the forged message M2.
If the countersignature did not cover the OSCORE option, the attack
would be possible also in group mode, since the same unchanged
countersignature from messsage M1 would be also valid in message M2.
Also, the following attack simplifications would hold, since Z is
able to derive the Sender/Recipient Keys of X and Y in G1 and G2.
o If M2 is used as a request, Z can check offline if a performed
forgery is actually valid before sending the forged message to G2.
That is, this attack would have a complexity of 2^64 offline
calculations.
o If M2 is used as a response, Z can also change the response
Partial IV, until the same unchanged MAC is successfully verified
by using Sid2 as 'request_kid' and the symmetric key associated to
X in G2. Since the Partial IV is 5 bytes in size, this requires
2^40 operations to test all the Partial IVs, which can be done in
real-time. Also, the probability that a single given message M1
can be used to forge a response M2 for a given request would be
equal to 2^-24, since there are more MAC values (8 bytes in size)
than Partial IV values (5 bytes in size).
Note that, by changing the Partial IV as discussed above, any
member of G1 would also be able to forge a valid signed response
message M2 to be injected in G1.
10.7. Group OSCORE for Unicast Requests 10.7. Group OSCORE for Unicast Requests
With reference to the processing defined in Section 7.1 for the With reference to the processing defined in Section 8.1 for the group
signature mode and in Section 9.1.1 for the optimized mode, it is NOT mode and in Appendix G for the optimized request, it is NOT
RECOMMENDED for a client to use Group OSCORE for securing a request RECOMMENDED for a client to use the group mode for securing a request
sent to a single group member over unicast. intended for a single group member and sent over unicast.
If the client uses its own Sender Key to protect a unicast request to This does not include the case where the client sends a request over
a group member, an on-path adversary can, right then or later on, unicast to a proxy, to be forwarded to multiple intended recipients
redirect that request to one/many different group member(s) over over multicast [I-D.ietf-core-groupcomm-bis]. In this case, the
unicast, or to the whole OSCORE group over multicast. By doing so, client MUST protect the request with the group mode, even though it
the adversary can induce the target group member(s) to perform is sent to the proxy over unicast (see Section 8).
actions intended to one group member only. Note that the adversary
can be external, i.e. (s)he does not need to also be a member of the If the client uses the group mode with its own Sender Key to protect
OSCORE group. a unicast request to a group member, an on-path adversary can, right
then or later on, redirect that request to one/many different group
member(s) over unicast, or to the whole OSCORE group over multicast.
By doing so, the adversary can induce the target group member(s) to
perform actions intended for one group member only. Note that the
adversary can be external, i.e. (s)he does not need to also be a
member of the OSCORE group.
This is due to the fact that the client is not able to indicate the This is due to the fact that the client is not able to indicate the
single intended recipient in a way which is secure and possible to single intended recipient in a way which is secure and possible to
process for Group OSCORE on the server side. In particular, Group process for Group OSCORE on the server side. In particular, Group
OSCORE does not protect network addressing information such as the IP OSCORE does not protect network addressing information such as the IP
address of the intended recipient server. It follows that the address of the intended recipient server. It follows that the
server(s) receiving the redirected request cannot assert whether that server(s) receiving the redirected request cannot assert whether that
was the original intention of the client, and would thus simply was the original intention of the client, and would thus simply
assume so. assume so.
With particular reference to block-wise transfers [RFC7959],
Section 2.3.6 of [I-D.ietf-core-groupcomm-bis] points out that, while
an initial request including the CoAP Block2 option can be sent over
multicast, any other request in a transfer has to occur over unicast,
individually addressing the servers in the group.
Additional considerations are discussed in Appendix E.3, with respect
to requests including an Echo Option [I-D.ietf-core-echo-request-tag]
that has to be sent over unicast, as a challenge-response method for
servers to achieve synchronization of client Sender Sequence Numbers.
The impact of such an attack depends especially on the REST method of The impact of such an attack depends especially on the REST method of
the request, i.e. the Inner CoAP Code of the OSCORE request message. the request, i.e. the Inner CoAP Code of the OSCORE request message.
In particular, safe methods such as GET and FETCH would trigger In particular, safe methods such as GET and FETCH would trigger
(several) unintended responses from the targeted server(s), while not (several) unintended responses from the targeted server(s), while not
resulting in destructive behavior. On the other hand, non safe resulting in destructive behavior. On the other hand, non safe
methods such as PUT, POST and PATCH/iPATCH would result in the target methods such as PUT, POST and PATCH/iPATCH would result in the target
server(s) taking active actions on their resources and possible server(s) taking active actions on their resources and possible
cyber-physical environment, with the risk of destructive consequences cyber-physical environment, with the risk of destructive consequences
and possible implications for safety. and possible implications for safety.
A client may instead use the pairwise mode defined in Appendix G.2, A client can instead use the pairwise mode defined in Section 9.2, in
in order to protect a request sent to a single group member by using order to protect a request sent to a single group member by using
pairwise keying material (see Section 3). This prevents the attack pairwise keying material (see Section 2.3). This prevents the attack
discussed above by construction, as only the intended server is able discussed above by construction, as only the intended server is able
to derive the pairwise keying material used by the client to protect to derive the pairwise keying material used by the client to protect
the request. A client supporting the pairwise mode SHOULD use it to the request. A client supporting the pairwise mode SHOULD use it to
protect requests sent to a single group member over unicast, instead protect requests sent to a single group member over unicast, instead
of using the signature mode. of using the group mode. For an example where this is not fulfilled,
see Section 5.2.1 in
[I-D.tiloca-core-observe-multicast-notifications].
With particular reference to block-wise transfers [RFC7959],
Section 2.3.6 of [I-D.ietf-core-groupcomm-bis] points out that, while
an initial request including the CoAP Block2 option can be sent over
multicast, any other request in a transfer has to occur over unicast,
individually addressing the servers in the group.
Additional considerations are discussed in Appendix E.3, with respect
to requests including a CoAP Echo Option
[I-D.ietf-core-echo-request-tag] that has to be sent over unicast, as
a challenge-response method for servers to achieve synchronization of
client Sender Sequence Numbers.
10.8. End-to-end Protection 10.8. End-to-end Protection
The same considerations from Section 12.1 of [RFC8613] hold for Group The same considerations from Section 12.1 of [RFC8613] hold for Group
OSCORE. OSCORE.
Additionally, (D)TLS and Group OSCORE can be combined for protecting Additionally, (D)TLS and Group OSCORE can be combined for protecting
message exchanges occurring over unicast. Instead, it is not message exchanges occurring over unicast. However, it is not
possible to combine DTLS and Group OSCORE for protecting message possible to combine DTLS and Group OSCORE for protecting message
exchanges where messages are (also) sent over multicast. exchanges where messages are (also) sent over multicast.
10.9. Security Context Establishment 10.9. Master Secret
The use of COSE_Encrypt0 and AEAD to protect messages as specified in
this document requires an endpoint to be a member of an OSCORE group.
That is, upon joining the group, the endpoint securely receives from
the Group Manager the necessary input parameters, which are used to
derive the Common Context and the Sender Context (see Section 2).
The Group Manager ensures uniqueness of Sender IDs in the same group.
Each different Recipient Context for decrypting messages from a
particular sender can be derived at runtime, at the latest upon
receiving a message from that sender for the first time.
Countersignatures of group messages are verified by means of the
public key of the respective sender endpoint. Upon nodes' joining,
the Group Manager collects such public keys and MUST verify proof-of-
possession of the respective private key. Later on, a group member
can request from the Group Manager the public keys of other group
members.
The joining process can occur, for instance, as defined in
[I-D.ietf-ace-key-groupcomm-oscore].
10.10. Master Secret
Group OSCORE derives the Security Context using the same construction Group OSCORE derives the Security Context using the same construction
as OSCORE, and by using the Group Identifier of a group as the as OSCORE, and by using the Group Identifier of a group as the
related ID Context. Hence, the same required properties of the related ID Context. Hence, the same required properties of the
Security Context parameters discussed in Section 3.3 of [RFC8613] Security Context parameters discussed in Section 3.3 of [RFC8613]
hold for this document. hold for this document.
With particular reference to the OSCORE Master Secret, it has to be With particular reference to the OSCORE Master Secret, it has to be
kept secret among the members of the respective OSCORE group and the kept secret among the members of the respective OSCORE group and the
Group Manager responsible for that group. Also, the Master Secret Group Manager responsible for that group. Also, the Master Secret
must have a good amount of randomness, and the Group Manager can must have a good amount of randomness, and the Group Manager can
generate it offline using a good random number generator. This generate it offline using a good random number generator. This
includes the case where the Group Manager rekeys the group by includes the case where the Group Manager rekeys the group by
generating and distributing a new Master Secret. Randomness generating and distributing a new Master Secret. Randomness
requirements for security are described in [RFC4086]. requirements for security are described in [RFC4086].
10.11. Replay Protection 10.10. Replay Protection
As in OSCORE, also Group OSCORE relies on sender sequence numbers As in OSCORE, also Group OSCORE relies on sender sequence numbers
included in the COSE message field 'Partial IV' and used to build included in the COSE message field 'Partial IV' and used to build
AEAD nonces. AEAD nonces.
Note that the Partial IV of an endpoint does not necessarily grow Note that the Partial IV of an endpoint does not necessarily grow
monotonically. For instance, upon exhaustion of the endpoint Sender monotonically. For instance, upon exhaustion of the endpoint Sender
Sequence Number, the Partial IV also gets exhausted. As discussed in Sequence Number, the Partial IV also gets exhausted. As discussed in
Section 2.5, this results either in the endpoint being individually Section 2.4.3, this results either in the endpoint being individually
rekeyed and getting a new Sender ID, or in the establishment of a new rekeyed and getting a new Sender ID, or in the establishment of a new
Security Context in the group. Therefore, uniqueness of (key, nonce) Security Context in the group. Therefore, uniqueness of (key, nonce)
pairs (see Section 10.2) is preserved also when a new Security pairs (see Section 10.2) is preserved also when a new Security
Context is established. Context is established.
As discussed in Section 6.1, an endpoint that has just joined a group As discussed in Section 6.1, an endpoint that has just joined a group
is exposed to replay attack, as it is not aware of the sender is exposed to replay attack, as it is not aware of the sender
sequence numbers currently used by other group members. Appendix E sequence numbers currently used by other group members. Appendix E
describes how endpoints can synchronize with senders' sequence describes how endpoints can synchronize with senders' sequence
numbers. numbers.
Unless exchanges in a group rely only on unicast messages, Group Unless exchanges in a group rely only on unicast messages, Group
OSCORE cannot be used with reliable transport. Thus, unless only OSCORE cannot be used with reliable transport. Thus, unless only
unicast messages are sent in the group, it cannot be defined that unicast messages are sent in the group, it cannot be defined that
only messages with sequence numbers that are equal to the previous only messages with sequence numbers that are equal to the previous
sequence number + 1 are accepted. sequence number + 1 are accepted.
The processing of response messages described in Section 7.4 also The processing of response messages described in Section 2.3.1 of
ensures that a client accepts a single valid response to a given [I-D.ietf-core-groupcomm-bis] also ensures that a client accepts a
request from each replying server, unless CoAP observation is used. single valid response to a given request from each replying server,
unless CoAP observation is used.
10.12. Client Aliveness 10.11. Client Aliveness
As discussed in Section 12.5 of [RFC8613], a server may use the Echo As discussed in Section 12.5 of [RFC8613], a server may use the CoAP
option [I-D.ietf-core-echo-request-tag] to verify the aliveness of Echo Option [I-D.ietf-core-echo-request-tag] to verify the aliveness
the client that originated a received request. This would also allow of the client that originated a received request. This would also
the server to (re-)synchronize with the client's sequence number, as allow the server to (re-)synchronize with the client's sequence
well as to ensure that the request is fresh and has not been replayed number, as well as to ensure that the request is fresh and has not
or (purposely) delayed, if it is the first one received from that been replayed or (purposely) delayed, if it is the first one received
client after having joined the group or rebooted (see Appendix E.3). from that client after having joined the group or rebooted (see
Appendix E.3).
10.13. Cryptographic Considerations 10.12. Cryptographic Considerations
The same considerations from Section 12.6 of [RFC8613] about the The same considerations from Section 12.6 of [RFC8613] about the
maximum Sender Sequence Number hold for Group OSCORE. maximum Sender Sequence Number hold for Group OSCORE.
As discussed in Section 2.5, an endpoint that experiences a As discussed in Section 2.4.2, an endpoint that experiences an
exhaustion of its own Sender Sequence Number MUST NOT transmit exhaustion of its own Sender Sequence Number MUST NOT transmit
further messages including a Partial IV, until it has derived a new further messages including a Partial IV, until it has derived a new
Sender Context. This prevents the endpoint to reuse the same AEAD Sender Context. This prevents the endpoint to reuse the same AEAD
nonces with the same Sender key. nonces with the same Sender Key.
In order to renew its own Sender Context, the endpoint SHOULD inform In order to renew its own Sender Context, the endpoint SHOULD inform
the Group Manager, which can either renew the whole Security Context the Group Manager, which can either renew the whole Security Context
by means of group rekeying, or provide only that endpoint with a new by means of group rekeying, or provide only that endpoint with a new
Sender ID value. In either case, the endpoint derives a new Sender Sender ID value. In either case, the endpoint derives a new Sender
Context, and in particular a new Sender Key. Context, and in particular a new Sender Key.
Additionally, the same considerations from Section 12.6 of [RFC8613] Additionally, the same considerations from Section 12.6 of [RFC8613]
hold for Group OSCORE, about building the AEAD nonce and the secrecy hold for Group OSCORE, about building the AEAD nonce and the secrecy
of the Security Context parameters. of the Security Context parameters.
The EdDSA signature algorithm Ed25519 [RFC8032] is mandatory to The EdDSA signature algorithm Ed25519 [RFC8032] is mandatory to
implement. For many constrained IoT devices, it is problematic to implement. For endpoints that support the pairwise mode of Group
support more than one signature algorithm or multiple whole cipher OSCORE, the X25519 function [RFC7748] is also mandatory to implement.
suites. This means that some deployments using, for instance, ECDSA Montgomery curves and (twisted) Edwards curves [RFC7748] can be
with NIST P-256 may not support the mandatory signature algorithm. alternatively represented in short-Weierstrass form as described in
However, this is not a problem for local deployments. [I-D.ietf-lwig-curve-representations].
10.14. Message Segmentation For many constrained IoT devices, it is problematic to support more
than one signature algorithm or multiple whole cipher suites. As a
consequence, some deployments using, for instance, ECDSA with NIST
P-256 may not support the mandatory signature algorithm but that
should not be an issue for local deployments.
The derivation of pairwise keys defined in Section 2.3.1 is
compatible with ECDSA and EdDSA asymmetric keys, but is not
compatible with RSA asymmetric keys. The security of using the same
key pair for Diffie-Hellman and for signing is demonstrated in
[Degabriele].
10.13. Message Segmentation
The same considerations from Section 12.7 of [RFC8613] hold for Group The same considerations from Section 12.7 of [RFC8613] hold for Group
OSCORE. OSCORE.
10.15. Privacy Considerations 10.14. Privacy Considerations
Group OSCORE ensures end-to-end integrity protection and encryption Group OSCORE ensures end-to-end integrity protection and encryption
of the message payload and all options that are not used for proxy of the message payload and all options that are not used for proxy
operations. In particular, options are processed according to the operations. In particular, options are processed according to the
same class U/I/E that they have for OSCORE. Therefore, the same same class U/I/E that they have for OSCORE. Therefore, the same
privacy considerations from Section 12.8 of [RFC8613] hold for Group privacy considerations from Section 12.8 of [RFC8613] hold for Group
OSCORE. OSCORE.
Furthermore, the following privacy considerations hold, about the Furthermore, the following privacy considerations hold, about the
OSCORE option that may reveal information on the communicating OSCORE option that may reveal information on the communicating
skipping to change at page 36, line 43 skipping to change at page 44, line 38
responses always include the 'kid' parameter, this may reveal responses always include the 'kid' parameter, this may reveal
information about both a client sending a group request and all information about both a client sending a group request and all
the possibly replying servers sending their own individual the possibly replying servers sending their own individual
response. response.
o The 'kid context' parameter, which is intended to help a recipient o The 'kid context' parameter, which is intended to help a recipient
endpoint to find the right Recipient Context, reveals information endpoint to find the right Recipient Context, reveals information
about the sender endpoint. In particular, it reveals that the about the sender endpoint. In particular, it reveals that the
sender endpoint is a member of a particular OSCORE group, whose sender endpoint is a member of a particular OSCORE group, whose
current Group ID is indicated in the 'kid context' parameter. current Group ID is indicated in the 'kid context' parameter.
Moreover, this parameter explicitly relates two or more
communicating endpoints, as members of the same OSCORE group.
Also, using the mechanisms described in Appendix E.3 to achieve When receiving a group request, each of the recipient endpoints can
sequence number synchronization with a client may reveal when a reply with a response that includes its Sender ID as 'kid' parameter.
server device goes through a reboot. This can be mitigated by the All these responses will be matchable with the request through the
Token. Thus, even if these responses do not include a 'kid context'
parameter, it becomes possible to understand that the responder
endpoints are in the same group of the requester endpoint.
Furthermore, using the mechanisms described in Appendix E.3 to
achieve sequence number synchronization with a client may reveal when
a server device goes through a reboot. This can be mitigated by the
server device storing the precise state of the replay window of each server device storing the precise state of the replay window of each
known client on a clean shutdown. known client on a clean shutdown.
Finally, the mechanism described in Section 10.5 to prevent Finally, the mechanism described in Section 10.5 to prevent
collisions of Group Identifiers from different Group Managers may collisions of Group Identifiers from different Group Managers may
reveal information about events in the respective OSCORE groups. In reveal information about events in the respective OSCORE groups. In
particular, a Group Idenfier changes when the corresponding group is particular, a Group Identifier changes when the corresponding group
rekeyed. Thus, changes in the shared list of Group Identifiers may is rekeyed. Thus, Group Managers might use the shared list of Group
be used to infer about the rate and patterns of group membership Identifiers to infer the rate and patterns of group membership
changes triggering a group rekeying, e.g. due to newly joined members changes triggering a group rekeying, e.g. due to newly joined members
or evicted (compromised) members. In order to alleviate such privacy or evicted (compromised) members. In order to alleviate this privacy
concerns, it should be hidden from the Group Managers which exact concern, it should be hidden from the Group Managers which exact
Group Manager has currently assigned which Group Identifiers in its Group Manager has currently assigned which Group Identifiers in its
OSCORE groups. OSCORE groups.
11. IANA Considerations 11. IANA Considerations
Note to RFC Editor: Please replace all occurrences of "[This Note to RFC Editor: Please replace all occurrences of "[This
Document]" with the RFC number of this specification and delete this Document]" with the RFC number of this specification and delete this
paragraph. paragraph.
This document has the following actions for IANA. This document has the following actions for IANA.
11.1. Counter Signature Parameters Registry 11.1. OSCORE Flag Bits Registry
This specification establishes the IANA "Counter Signature
Parameters" Registry. The Registry has been created to use the
"Expert Review Required" registration procedure [RFC8126]. Expert
review guidelines are provided in Section 11.4.
This registry specifies the parameters of each admitted
countersignature algorithm, as well as the possible structure they
are organized into. This information is used to populate the
parameter Counter Signature Parameters of the Common Context (see
Section 2).
The columns of this table are:
o Name: A value that can be used to identify an algorithm in
documents for easier comprehension. Its value is taken from the
'Name' column of the "COSE Algorithms" Registry.
o Value: The value to be used to identify this algorithm. Its
content is taken from the 'Value' column of the "COSE Algorithms"
Registry. The value MUST be the same one used in the "COSE
Algorithms" Registry for the entry with the same 'Name' field.
o Parameters: This indicates the CBOR encoding of the parameters (if
any) for the counter signature algorithm indicated by the 'Value'
field.
o Description: A short description of the parameters encoded in the
'Parameters' field (if any).
o Reference: This contains a pointer to the public specification for
the field, if one exists.
Initial entries in the registry are as follows.
+-------------+-------+--------------+-----------------+-----------+
| Name | Value | Parameters | Description | Reference |
+-------------+-------+--------------+-----------------+-----------+
| | | | | |
| EdDSA | -8 | crv : int | crv value taken | [This |
| | | | from the COSE | Document] |
| | | | Elliptic Curve | |
| | | | Registry | |
| | | | | |
+-------------+-------+--------------+-----------------+-----------+
| | | | | |
| ES256 | -7 | crv : int | crv value taken | [This |
| | | | from the COSE | Document] |
| | | | Elliptic Curve | |
| | | | Registry | |
| | | | | |
+-------------+-------+--------------+-----------------+-----------+
| | | | | |
| ES384 | -35 | crv : int | crv value taken | [This |
| | | | from the COSE | Document] |
| | | | Elliptic Curve | |
| | | | Registry | |
| | | | | |
+-------------+-------+--------------+-----------------+-----------+
| | | | | |
| ES512 | -36 | crv : int | crv value taken | [This |
| | | | from the COSE | Document] |
| | | | Elliptic Curve | |
| | | | Registry | |
| | | | | |
+-------------+-------+--------------+-----------------+-----------+
| | | | | |
| PS256 | -37 | | Parameters not | [This |
| | | | present | Document] |
| | | | | |
+-------------+-------+--------------+-----------------+-----------+
| | | | | |
| PS384 | -38 | | Parameters not | [This |
| | | | present | Document] |
| | | | | |
+-------------+-------+--------------+-----------------+-----------+
| | | | | |
| PS512 | -39 | | Parameters not | [This |
| | | | present | Document] |
| | | | | |
+-------------+-------+--------------+-----------------+-----------+
11.2. Counter Signature Key Parameters Registry
This specification establishes the IANA "Counter Signature Key
Parameters" Registry. The Registry has been created to use the
"Expert Review Required" registration procedure [RFC8126]. Expert
review guidelines are provided in Section 11.4.
This registry specifies the parameters of countersignature keys for
each admitted countersignature algorithm, as well as the possible
structure they are organized into. This information is used to
populate the parameter Counter Signature Key Parameters of the Common
Context (see Section 2).
The columns of this table are:
o Name: A value that can be used to identify an algorithm in
documents for easier comprehension. Its value is taken from the
'Name' column of the "COSE Algorithms" Registry.
o Value: The value to be used to identify this algorithm. Its
content is taken from the 'Value' column of the "COSE Algorithms"
Registry. The value MUST be the same one used in the "COSE
Algorithms" Registry for the entry with the same 'Name' field.
o Parameters: This indicates the CBOR encoding of the key parameters
(if any) for the counter signature algorithm indicated by the
'Value' field.
o Description: A short description of the parameters encoded in the
'Parameters' field (if any).
o Reference: This contains a pointer to the public specification for
the field, if one exists.
Initial entries in the registry are as follows.
+-------------+-------+--------------+-------------------+-----------+
| Name | Value | Parameters | Description | Reference |
+-------------+-------+--------------+-------------------+-----------+
| | | | | |
| EdDSA | -8 | [kty : int , | kty value is 1, | [This |
| | | | as Key Type "OKP" | Document] |
| | | | from the COSE Key | |
| | | | Types Registry | |
| | | | | |
| | | | | |
| | | crv : int] | crv value taken | |
| | | | from the COSE | |
| | | | Elliptic Curve | |
| | | | Registry | |
| | | | | |
+-------------+-------+--------------+-------------------+-----------+
| | | | | |
| ES256 | -7 | [kty : int , | kty value is 2, | [This |
| | | | as Key Type "EC2" | Document] |
| | | | from the COSE Key | |
| | | | Types Registry | |
| | | | | |
| | | | | |
| | | crv : int] | crv value taken | |
| | | | from the COSE | |
| | | | Elliptic Curve | |
| | | | Registry | |
| | | | | |
+-------------+-------+--------------+-------------------+-----------+
| | | | | |
| ES384 | -35 | [kty : int , | kty value is 2, | [This |
| | | | as Key Type "EC2" | Document] |
| | | | from the COSE Key | |
| | | | Types Registry | |
| | | | | |
| | | crv : int] | crv value taken | |
| | | | from the COSE | |
| | | | Elliptic Curve | |
| | | | Registry | |
| | | | | |
+-------------+-------+--------------+-------------------+-----------+
| | | | | |
| ES512 | -36 | [kty : int , | kty value is 2, | [This |
| | | | as Key Type "EC2" | Document] |
| | | | from the COSE Key | |
| | | | Types Registry | |
| | | | | |
| | | crv : int] | crv value taken | |
| | | | from the COSE | |
| | | | Elliptic Curve | |
| | | | Registry | |
| | | | | |
+-------------+-------+--------------+-------------------+-----------+
| | | | | |
| PS256 | -37 | kty : int | kty value is 3, | [This |
| | | | as Key Type "RSA" | Document] |
| | | | from the COSE Key | |
| | | | Types Registry | |
| | | | | |
+-------------+-------+--------------+-------------------+-----------+
| | | | | |
| PS384 | -38 | kty : int | kty value is 3, | [This |
| | | | as Key Type "RSA" | Document] |
| | | | from the COSE Key | |
| | | | Types Registry | |
| | | | | |
+-------------+-------+--------------+-------------------+-----------+
| | | | | |
| PS512 | -39 | kty : int | kty value is 3, | [This |
| | | | as Key Type "RSA" | Document] |
| | | | from the COSE Key | |
| | | | Types Registry | |
| | | | | |
+-------------+-------+--------------+-------------------+-----------+
11.3. OSCORE Flag Bits Registry
IANA is asked to add the following value entry to the "OSCORE Flag IANA is asked to add the following value entry to the "OSCORE Flag
Bits" subregistry defined in Section 13.7 of [RFC8613] as part of the Bits" subregistry defined in Section 13.7 of [RFC8613] as part of the
"CoRE Parameters" registry. "CoRE Parameters" registry.
+--------------+-------------+--------------------------+-----------+ +--------------+------------+-------------------------------+-----------+
| Bit Position | Name | Description | Reference | | Bit Position | Name | Description | Reference |
+--------------+-------------+--------------------------+-----------+ +--------------+------------+-------------------------------+-----------+
| 2 | Pairwise | Set to 1 if the message | [This | | 2 | Group Flag | Set to 1 if the message is | [This |
| | Protection | is protected with | Document] | | | | protected with the group mode | Document] |
| | Flag | pairwise keying material | | | | | of Group OSCORE | |
+--------------+-------------+--------------------------+-----------+ +--------------+------------+-------------------------------+-----------+
11.4. Expert Review Instructions
The IANA Registries established in this document are defined as
"Expert Review". This section gives some general guidelines for what
the experts should be looking for, but they are being designated as
experts for a reason so they should be given substantial latitude.
Expert reviewers should take into consideration the following points:
o Clarity and correctness of registrations. Experts are expected to
check the clarity of purpose and use of the requested entries.
Experts should inspect the entry for the algorithm considered, to
verify the conformity of the encoding proposed against the
theoretical algorithm, including completeness of the 'Parameters'
column. Expert needs to make sure values are taken from the right
registry, when that's required. Expert should consider requesting
an opinion on the correctness of registered parameters from the
CBOR Object Signing and Encryption Working Group (COSE).
Encodings that do not meet these objective of clarity and
completeness should not be registered.
o Duplicated registration and point squatting should be discouraged.
Reviewers are encouraged to get sufficient information for
registration requests to ensure that the usage is not going to
duplicate one that is already registered and that the point is
likely to be used in deployments.
o Experts should take into account the expected usage of fields when
approving point assignment. The length of the 'Parameters'
encoding should be weighed against the usage of the entry,
considering the size of device it will be used on. Additionally,
the length of the encoded value should be weighed against how many
code points of that length are left, the size of device it will be
used on, and the number of code points left that encode to that
size.
o Specifications are recommended. When specifications are not
provided, the description provided needs to have sufficient
information to verify the points above.
12. References 12. References
12.1. Normative References 12.1. Normative References
[COSE.Algorithms]
IANA, "COSE Algorithms",
<https://www.iana.org/assignments/cose/
cose.xhtml#algorithms>.
[COSE.Key.Types]
IANA, "COSE Key Types",
<https://www.iana.org/assignments/cose/
cose.xhtml#key-type>.
[I-D.ietf-core-groupcomm-bis] [I-D.ietf-core-groupcomm-bis]
Dijk, E., Wang, C., and M. Tiloca, "Group Communication Dijk, E., Wang, C., and M. Tiloca, "Group Communication
for the Constrained Application Protocol (CoAP)", draft- for the Constrained Application Protocol (CoAP)", draft-
ietf-core-groupcomm-bis-00 (work in progress), March 2020. ietf-core-groupcomm-bis-00 (work in progress), March 2020.
[I-D.ietf-cose-rfc8152bis-algs]
Schaad, J., "CBOR Object Signing and Encryption (COSE):
Initial Algorithms", draft-ietf-cose-rfc8152bis-algs-09
(work in progress), June 2020.
[I-D.ietf-cose-rfc8152bis-struct]
Schaad, J., "CBOR Object Signing and Encryption (COSE):
Structures and Process", draft-ietf-cose-rfc8152bis-
struct-10 (work in progress), June 2020.
[NIST-800-56A] [NIST-800-56A]
Barker, E., Chen, L., Roginsky, A., Vassilev, A., and R. Barker, E., Chen, L., Roginsky, A., Vassilev, A., and R.
Davis, "Recommendation for Pair-Wise Key-Establishment Davis, "Recommendation for Pair-Wise Key-Establishment
Schemes Using Discrete Logarithm Cryptography - NIST Schemes Using Discrete Logarithm Cryptography - NIST
Special Publication 800-56A, Revision 3", April 2018, Special Publication 800-56A, Revision 3", April 2018,
<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/ <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/
NIST.SP.800-56Ar3.pdf>. NIST.SP.800-56Ar3.pdf>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker,
"Randomness Requirements for Security", BCP 106, RFC 4086, "Randomness Requirements for Security", BCP 106, RFC 4086,
DOI 10.17487/RFC4086, June 2005, DOI 10.17487/RFC4086, June 2005,
<https://www.rfc-editor.org/info/rfc4086>. <https://www.rfc-editor.org/info/rfc4086>.
[RFC6979] Pornin, T., "Deterministic Usage of the Digital Signature
Algorithm (DSA) and Elliptic Curve Digital Signature
Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August
2013, <https://www.rfc-editor.org/info/rfc6979>.
[RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
Application Protocol (CoAP)", RFC 7252, Application Protocol (CoAP)", RFC 7252,
DOI 10.17487/RFC7252, June 2014, DOI 10.17487/RFC7252, June 2014,
<https://www.rfc-editor.org/info/rfc7252>. <https://www.rfc-editor.org/info/rfc7252>.
[RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves [RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
for Security", RFC 7748, DOI 10.17487/RFC7748, January for Security", RFC 7748, DOI 10.17487/RFC7748, January
2016, <https://www.rfc-editor.org/info/rfc7748>. 2016, <https://www.rfc-editor.org/info/rfc7748>.
[RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital [RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital
Signature Algorithm (EdDSA)", RFC 8032, Signature Algorithm (EdDSA)", RFC 8032,
DOI 10.17487/RFC8032, January 2017, DOI 10.17487/RFC8032, January 2017,
<https://www.rfc-editor.org/info/rfc8032>. <https://www.rfc-editor.org/info/rfc8032>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>.
[RFC8152] Schaad, J., "CBOR Object Signing and Encryption (COSE)",
RFC 8152, DOI 10.17487/RFC8152, July 2017,
<https://www.rfc-editor.org/info/rfc8152>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8613] Selander, G., Mattsson, J., Palombini, F., and L. Seitz, [RFC8613] Selander, G., Mattsson, J., Palombini, F., and L. Seitz,
"Object Security for Constrained RESTful Environments "Object Security for Constrained RESTful Environments
(OSCORE)", RFC 8613, DOI 10.17487/RFC8613, July 2019, (OSCORE)", RFC 8613, DOI 10.17487/RFC8613, July 2019,
<https://www.rfc-editor.org/info/rfc8613>. <https://www.rfc-editor.org/info/rfc8613>.
12.2. Informative References 12.2. Informative References
[Degabriele] [Degabriele]
Degabriele, J., Lehmann, A., Paterson, K., Smart, N., and Degabriele, J., Lehmann, A., Paterson, K., Smart, N., and
M. Strefler, "On the Joint Security of Encryption and M. Strefler, "On the Joint Security of Encryption and
Signature in EMV", December 2011, Signature in EMV", December 2011,
<https://eprint.iacr.org/2011/615>. <https://eprint.iacr.org/2011/615>.
[I-D.ietf-ace-key-groupcomm] [I-D.ietf-ace-key-groupcomm]
Palombini, F. and M. Tiloca, "Key Provisioning for Group Palombini, F. and M. Tiloca, "Key Provisioning for Group
Communication using ACE", draft-ietf-ace-key-groupcomm-05 Communication using ACE", draft-ietf-ace-key-groupcomm-07
(work in progress), March 2020. (work in progress), June 2020.
[I-D.ietf-ace-key-groupcomm-oscore] [I-D.ietf-ace-key-groupcomm-oscore]
Tiloca, M., Park, J., and F. Palombini, "Key Management Tiloca, M., Park, J., and F. Palombini, "Key Management
for OSCORE Groups in ACE", draft-ietf-ace-key-groupcomm- for OSCORE Groups in ACE", draft-ietf-ace-key-groupcomm-
oscore-05 (work in progress), March 2020. oscore-07 (work in progress), June 2020.
[I-D.ietf-ace-oauth-authz] [I-D.ietf-ace-oauth-authz]
Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., and Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., and
H. Tschofenig, "Authentication and Authorization for H. Tschofenig, "Authentication and Authorization for
Constrained Environments (ACE) using the OAuth 2.0 Constrained Environments (ACE) using the OAuth 2.0
Framework (ACE-OAuth)", draft-ietf-ace-oauth-authz-33 Framework (ACE-OAuth)", draft-ietf-ace-oauth-authz-34
(work in progress), February 2020. (work in progress), June 2020.
[I-D.ietf-core-echo-request-tag] [I-D.ietf-core-echo-request-tag]
Amsuess, C., Mattsson, J., and G. Selander, "CoAP: Echo, Amsuess, C., Mattsson, J., and G. Selander, "CoAP: Echo,
Request-Tag, and Token Processing", draft-ietf-core-echo- Request-Tag, and Token Processing", draft-ietf-core-echo-
request-tag-09 (work in progress), March 2020. request-tag-09 (work in progress), March 2020.
[I-D.ietf-lwig-curve-representations]
Struik, R., "Alternative Elliptic Curve Representations",
draft-ietf-lwig-curve-representations-10 (work in
progress), April 2020.
[I-D.ietf-lwig-security-protocol-comparison]
Mattsson, J., Palombini, F., and M. Vucinic, "Comparison
of CoAP Security Protocols", draft-ietf-lwig-security-
protocol-comparison-04 (work in progress), March 2020.
[I-D.mattsson-cfrg-det-sigs-with-noise]
Mattsson, J., Thormarker, E., and S. Ruohomaa,
"Deterministic ECDSA and EdDSA Signatures with Additional
Randomness", draft-mattsson-cfrg-det-sigs-with-noise-02
(work in progress), March 2020.
[I-D.somaraju-ace-multicast] [I-D.somaraju-ace-multicast]
Somaraju, A., Kumar, S., Tschofenig, H., and W. Werner, Somaraju, A., Kumar, S., Tschofenig, H., and W. Werner,
"Security for Low-Latency Group Communication", draft- "Security for Low-Latency Group Communication", draft-
somaraju-ace-multicast-02 (work in progress), October somaraju-ace-multicast-02 (work in progress), October
2016. 2016.
[I-D.tiloca-core-observe-multicast-notifications]
Tiloca, M., Hoeglund, R., Amsuess, C., and F. Palombini,
"Observe Notifications as CoAP Multicast Responses",
draft-tiloca-core-observe-multicast-notifications-02 (work
in progress), March 2020.
[RFC4944] Montenegro, G., Kushalnagar, N., Hui, J., and D. Culler, [RFC4944] Montenegro, G., Kushalnagar, N., Hui, J., and D. Culler,
"Transmission of IPv6 Packets over IEEE 802.15.4 "Transmission of IPv6 Packets over IEEE 802.15.4
Networks", RFC 4944, DOI 10.17487/RFC4944, September 2007, Networks", RFC 4944, DOI 10.17487/RFC4944, September 2007,
<https://www.rfc-editor.org/info/rfc4944>. <https://www.rfc-editor.org/info/rfc4944>.
[RFC4949] Shirey, R., "Internet Security Glossary, Version 2", [RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
<https://www.rfc-editor.org/info/rfc4949>. <https://www.rfc-editor.org/info/rfc4949>.
[RFC6282] Hui, J., Ed. and P. Thubert, "Compression Format for IPv6 [RFC6282] Hui, J., Ed. and P. Thubert, "Compression Format for IPv6
skipping to change at page 46, line 31 skipping to change at page 49, line 21
This section presents a set of assumptions and security objectives This section presents a set of assumptions and security objectives
for the approach described in this document. The rest of this for the approach described in this document. The rest of this
section refers to three types of groups: section refers to three types of groups:
o Application group, i.e. a set of CoAP endpoints that share a o Application group, i.e. a set of CoAP endpoints that share a
common pool of resources. common pool of resources.
o Security group, as defined in Section 1.1 of this specification. o Security group, as defined in Section 1.1 of this specification.
There can be a one-to-one or a one-to-many relation between There can be a one-to-one or a one-to-many relation between
security groups and application groups. Any two application security groups and application groups, and vice versa. Any two
groups associated to the same security group do not share any same application groups associated to the same security group do not
resource. share any same resource.
o CoAP group, as defined in [I-D.ietf-core-groupcomm-bis] i.e. a set o CoAP group, as defined in [I-D.ietf-core-groupcomm-bis] i.e. a set
of CoAP endpoints, where each endpoint is configured to receive of CoAP endpoints, where each endpoint is configured to receive
CoAP multicast requests that are sent to the group's associated IP CoAP multicast requests that are sent to the group's associated IP
multicast address and UDP port. An endpoint may be a member of multicast address and UDP port. An endpoint may be a member of
multiple CoAP groups. There can be a one-to-one or a one-to-many multiple CoAP groups. There can be a one-to-one or a one-to-many
relation between CoAP groups and application groups. Note that a relation between application groups and CoAP groups. Note that a
device sending a CoAP request to a CoAP group is not necessarily device sending a CoAP request to a CoAP group is not necessarily
itself a member of that group: it is a member only if it also has itself a member of that group: it is a member only if it also has
a CoAP server endpoint listening to requests for this CoAP group, a CoAP server endpoint listening to requests for this CoAP group,
sent to the associated IP multicast address and port. In order to sent to the associated IP multicast address and port. In order to
provide secure group communication, all members of a CoAP group as provide secure group communication, all members of a CoAP group as
well as all further endpoints configured only as clients sending well as all further endpoints configured only as clients sending
CoAP (multicast) requests to the CoAP group have to be member of a CoAP (multicast) requests to the CoAP group have to be member of a
security group. security group. There can be a one-to-one or a one-to-many
relation between security groups and CoAP groups, and vice versa.
A.1. Assumptions A.1. Assumptions
The following assumptions are assumed to be already addressed and are The following assumptions are assumed to be already addressed and are
out of the scope of this document. out of the scope of this document.
o Multicast communication topology: this document considers both o Multicast communication topology: this document considers both
1-to-N (one sender and multiple recipients) and M-to-N (multiple 1-to-N (one sender and multiple recipients) and M-to-N (multiple
senders and multiple recipients) communication topologies. The senders and multiple recipients) communication topologies. The
1-to-N communication topology is the simplest group communication 1-to-N communication topology is the simplest group communication
skipping to change at page 47, line 49 skipping to change at page 50, line 36
divided into smaller independent groups. divided into smaller independent groups.
o Communication with the Group Manager: an endpoint must use a o Communication with the Group Manager: an endpoint must use a
secure dedicated channel when communicating with the Group secure dedicated channel when communicating with the Group
Manager, also when not registered as a member of the security Manager, also when not registered as a member of the security
group. group.
o Provisioning and management of Security Contexts: a Security o Provisioning and management of Security Contexts: a Security
Context must be established among the members of the security Context must be established among the members of the security
group. A secure mechanism must be used to generate, revoke and group. A secure mechanism must be used to generate, revoke and
(re-)distribute keying material, multicast security policies and (re-)distribute keying material, communication policies and
security parameters in the security group. The actual security parameters in the security group. The actual
provisioning and management of the Security Context is out of the provisioning and management of the Security Context is out of the
scope of this document. scope of this document.
o Multicast data security ciphersuite: all members of a security o Multicast data security ciphersuite: all members of a security
group must agree on a ciphersuite to provide authenticity, group must agree on a ciphersuite to provide authenticity,
integrity and confidentiality of messages in the group. The integrity and confidentiality of messages in the group. The
ciphersuite is specified as part of the Security Context. ciphersuite is specified as part of the Security Context.
o Backward security: a new device joining the security group should o Backward security: a new device joining the security group should
skipping to change at page 48, line 27 skipping to change at page 51, line 14
Context and renew the group keying material in the security group Context and renew the group keying material in the security group
upon a new member's joining has to be defined as part of the group upon a new member's joining has to be defined as part of the group
key management scheme. key management scheme.
o Forward security: entities that leave the security group should o Forward security: entities that leave the security group should
not have access to any future Security Contexts or message not have access to any future Security Contexts or message
exchanged within the security group after their leaving. This exchanged within the security group after their leaving. This
ensures that a former member of the security group is not able to ensures that a former member of the security group is not able to
decrypt confidential data sent within the security group anymore. decrypt confidential data sent within the security group anymore.
Also, it ensures that a former member is not able to send Also, it ensures that a former member is not able to send
encrypted and/or integrity protected messages to the security protected messages to the security group anymore. The actual
group anymore. The actual mechanism to update the Security mechanism to update the Security Context and renew the group
Context and renew the group keying material in the security group keying material in the security group upon a member's leaving has
upon a member's leaving has to be defined as part of the group key to be defined as part of the group key management scheme.
management scheme.
A.2. Security Objectives A.2. Security Objectives
The approach described in this document aims at fulfilling the The approach described in this document aims at fulfilling the
following security objectives: following security objectives:
o Data replay protection: group request messages or response o Data replay protection: group request messages or response
messages replayed within the security group must be detected. messages replayed within the security group must be detected.
o Group-level data confidentiality: messages sent within the o Data confidentiality: messages sent within the security group
security group shall be encrypted if privacy sensitive data is shall be encrypted.
exchanged within the security group. This document considers
group-level data confidentiality since messages are encrypted at a
group level, i.e. in such a way that they can be decrypted by any
member of the security group, but not by an external adversary or
other external entities.
o Source authentication: messages sent within the security group o Group-level data confidentiality: the group mode provides group-
shall be authenticated. That is, it is essential to ensure that a level data confidentiality since messages are encrypted at a group
message is originated by a member of the security group in the level, i.e. in such a way that they can be decrypted by any member
first place, and in particular by a specific member of the of the security group, but not by an external adversary or other
security group. external entities.
o Pairwise data confidentiality: the pairwise mode especially
provides pairwise data confidentiality, since messages are
encrypted using pairwise keying material shared between any two
group members, hence they can be decrypted only by the intended
single recipient.
o Source message authentication: messages sent within the security
group shall be authenticated. That is, it is essential to ensure
that a message is originated by a member of the security group in
the first place, and in particular by a specific, identifiable
member of the security group.
o Message integrity: messages sent within the security group shall o Message integrity: messages sent within the security group shall
be integrity protected. That is, it is essential to ensure that a be integrity protected. That is, it is essential to ensure that a
message has not been tampered with by an external adversary or message has not been tampered with, either by a group member, or
other external entities which are not members of the security by an external adversary or other external entities which are not
group. members of the security group.
o Message ordering: it must be possible to determine the ordering of o Message ordering: it must be possible to determine the ordering of
messages coming from a single sender. In accordance with OSCORE messages coming from a single sender. In accordance with OSCORE
[RFC8613], this results in providing relative freshness of group [RFC8613], this results in providing absolute freshness of
requests and absolute freshness of responses. It is not required responses that are not notifications, as well as relative
to determine ordering of messages from different senders. freshness of group requests and notification responses. It is not
required to determine ordering of messages from different senders.
Appendix B. List of Use Cases Appendix B. List of Use Cases
Group Communication for CoAP [I-D.ietf-core-groupcomm-bis] provides Group Communication for CoAP [I-D.ietf-core-groupcomm-bis] provides
the necessary background for multicast-based CoAP communication, with the necessary background for multicast-based CoAP communication, with
particular reference to low-power and lossy networks (LLNs) and particular reference to low-power and lossy networks (LLNs) and
resource constrained environments. The interested reader is resource constrained environments. The interested reader is
encouraged to first read [I-D.ietf-core-groupcomm-bis] to understand encouraged to first read [I-D.ietf-core-groupcomm-bis] to understand
the non-security related details. This section discusses a number of the non-security related details. This section discusses a number of
use cases that benefit from secure group communication, and refers to use cases that benefit from secure group communication, and refers to
skipping to change at page 51, line 51 skipping to change at page 54, line 45
two parts, namely a Group Prefix and a Group Epoch. two parts, namely a Group Prefix and a Group Epoch.
For each group, the Group Prefix is constant over time and is For each group, the Group Prefix is constant over time and is
uniquely defined in the set of all the groups associated to the same uniquely defined in the set of all the groups associated to the same
Group Manager. The choice of the Group Prefix for a given group's Group Manager. The choice of the Group Prefix for a given group's
Security Context is application specific. The size of the Group Security Context is application specific. The size of the Group
Prefix directly impact on the maximum number of distinct groups under Prefix directly impact on the maximum number of distinct groups under
the same Group Manager. the same Group Manager.
The Group Epoch is set to 0 upon the group's initialization, and is The Group Epoch is set to 0 upon the group's initialization, and is
incremented by 1 upon completing each renewal of the Security Context incremented by 1 each time new keying material, including a new Gid,
and keying material in the group (see Section 2.4). In particular, is distributed to the group in order to establish a new Security
once a new Master Secret has been distributed to the group, all the Context (see Section 3.1).
group members increment by 1 the Group Epoch in the Group Identifier
of that group.
As an example, a 3-byte Group Identifier can be composed of: i) a As an example, a 3-byte Gid can be composed of: i) a 1-byte Group
1-byte Group Prefix '0xb1' interpreted as a raw byte string; and ii) Prefix '0xb1' interpreted as a raw byte string; and ii) a 2-byte
a 2-byte Group Epoch interpreted as an unsigned integer ranging from Group Epoch interpreted as an unsigned integer ranging from 0 to
0 to 65535. Then, after having established the Common Context 61532 65535. Then, after having established the Common Context 61532 times
times in the group, its Group Identifier will assume value in the group, its Gid will assume value '0xb1f05c'.
'0xb1f05c'.
Using an immutable Group Prefix for a group assumes that enough time Using an immutable Group Prefix for a group assumes that enough time
elapses between two consecutive usages of the same Group Epoch value elapses between two consecutive usages of the same Group Epoch value
in that group. This ensures that the Gid value is temporally unique in that group. This ensures that the Gid value is temporally unique
during the lifetime of a given message. Thus, the expected highest during the lifetime of a given message. Thus, the expected highest
rate for addition/removal of group members and consequent group rate for addition/removal of group members and consequent group
rekeying should be taken into account for a proper dimensioning of rekeying should be taken into account for a proper dimensioning of
the Group Epoch size. the Group Epoch size.
As discussed in Section 10.5, if endpoints are deployed in multiple As discussed in Section 10.5, if endpoints are deployed in multiple
skipping to change at page 53, line 21 skipping to change at page 56, line 13
endpoint is out of the scope of this document. endpoint is out of the scope of this document.
It is RECOMMENDED that the join process adopts the approach described It is RECOMMENDED that the join process adopts the approach described
in [I-D.ietf-ace-key-groupcomm-oscore] and based on the ACE framework in [I-D.ietf-ace-key-groupcomm-oscore] and based on the ACE framework
for Authentication and Authorization in constrained environments for Authentication and Authorization in constrained environments
[I-D.ietf-ace-oauth-authz]. [I-D.ietf-ace-oauth-authz].
Appendix E. Examples of Synchronization Approaches Appendix E. Examples of Synchronization Approaches
This section describes three possible approaches that can be This section describes three possible approaches that can be
considered by server endpoints to synchronize with sender sequence considered by server endpoints to synchronize with Sender Sequence
numbers of client endpoints sending group requests. Numbers of client endpoints sending group requests.
The Group Manager MAY indicate which of such approaches are used in
the group, as part of the group communication policies signalled to
candidate group members upon their group joining.
E.1. Best-Effort Synchronization E.1. Best-Effort Synchronization
Upon receiving a group request from a client, a server does not take Upon receiving a group request from a client, a server does not take
any action to synchonize with the sender sequence number of that any action to synchronize with the sender sequence number of that
client. This provides no assurance at all as to message freshness, client. This provides no assurance at all as to message freshness,
which can be acceptable in non-critical use cases. which can be acceptable in non-critical use cases.
With the notable exception of Observe notifications and responses With the notable exception of Observe notifications and responses
following a group rekeying, it is optional for the server to use its following a group rekeying, it is optional for the server to use the
own sender sequence number as Partial IV. Instead, for efficiency sender sequence number as Partial IV. Instead, for efficiency
reasons, the server may rather use the request's Partial IV when reasons, the server may rather use the request's Partial IV when
protecting a response. protecting a response.
Since it provides no assurance as to freshness of requests, it is
thus RECOMMENDED that a server using this synchronization approach
always uses its own sender sequence number as Partial IV when
protecting a response.
E.2. Baseline Synchronization E.2. Baseline Synchronization
Upon receiving a group request from a given client for the first Upon receiving a group request from a given client for the first
time, a server initializes its last-seen sender sequence number in time, a server initializes its last-seen Sender Sequence Number in
its Recipient Context associated to that client. This provides a its Recipient Context associated to that client. The server may also
reference point to identify if future group requests from the same drop the group request without delivering it to the application.
client are fresher than the last one received. This method provides a reference point to identify if future group
requests from the same client are fresher than the last one received.
A replay time interval exists, between when a possibly replayed or A replay time interval exists, between when a possibly replayed or
delayed message is originally transmitted by a given client and the delayed message is originally transmitted by a given client and the
first authentic fresh message from that same client is received. first authentic fresh message from that same client is received.
This can be acceptable for use cases where servers admit such a This can be acceptable for use cases where servers admit such a
trade-off between performance and assurance of message freshness. trade-off between performance and assurance of message freshness.
With the notable exception of Observe notifications and responses With the notable exception of Observe notifications and responses
following a group rekeying, it is optional for the server to use its following a group rekeying, it is optional for the server to use its
own sender sequence number as Partial IV. Instead, for efficiency own Sender Sequence Number as Partial IV. Instead, for efficiency
reasons, the server may rather use the request's Partial IV when reasons, the server may rather use the request's Partial IV when
protecting a response. protecting a response.
In case the baseline synchronization state related to a client is
lost, it is RECOMMENDED that the server uses its own sender sequence
number as Partial IV when protecting a response to that client, until
a new baseline synchronization state for that client is established.
E.3. Challenge-Response Synchronization E.3. Challenge-Response Synchronization
A server performs a challenge-response exchange with a client, by A server performs a challenge-response exchange with a client, by
using the Echo Option for CoAP described in Section 2 of using the Echo Option for CoAP described in Section 2 of
[I-D.ietf-core-echo-request-tag] and according to Appendix B.1.2 of [I-D.ietf-core-echo-request-tag] and according to Appendix B.1.2 of
[RFC8613]. [RFC8613].
That is, upon receiving a group request from a particular client for That is, upon receiving a group request from a particular client for
the first time, the server processes the message as described in this the first time, the server processes the message as described in this
specification, but, even if valid, does not deliver it to the specification, but, even if valid, does not deliver it to the
application. Instead, the server replies to the client with an application. Instead, the server replies to the client with an
OSCORE protected 4.01 (Unauthorized) response message, including only OSCORE protected 4.01 (Unauthorized) response message, including only
the Echo Option and no diagnostic payload. The server stores the the Echo Option and no diagnostic payload. Since this response is
option value included therein. protected with the Security Context used in the group, the client
will consider the response valid upon successfully decrypting and
verifying it.
The server stores the Echo Option value included therein, together
with the pair (gid,kid), where 'gid' is the Group Identifier of the
OSCORE group and 'kid' is the Sender ID of the client in the group,
as specified in the 'kid context' and 'kid' fields of the OSCORE
Option of the group request, respectively. After a group rekeying
has been completed and a new Security Context has been established in
the group, which results also in a new Group Identifier (see
Section 3.1), the server MUST delete all the stored Echo values
associated to members of that group.
Upon receiving a 4.01 (Unauthorized) response that includes an Echo Upon receiving a 4.01 (Unauthorized) response that includes an Echo
Option and originates from a verified group member, a client sends a Option and originates from a verified group member, a client sends a
request as a unicast message addressed to the same server, echoing request as a unicast message addressed to the same server, echoing
the Echo Option value. In particular, the client does not the Echo Option value. The client MUST NOT send the request
necessarily resend the same group request, but can instead send a including the Echo Option over multicast.
more recent one, if the application permits it. This makes it
possible for the client to not retain previously sent group requests In particular, the client does not necessarily resend the same group
for full retransmission, unless the application explicitly requires request, but can instead send a more recent one, if the application
otherwise. In either case, the client uses the sender sequence permits it. This makes it possible for the client to not retain
number value currently stored in its own Sender Context. If the previously sent group requests for full retransmission, unless the
client stores group requests for possible retransmission with the application explicitly requires otherwise. In either case, the
Echo Option, it should not store a given request for longer than a client uses the Sender Sequence Number value currently stored in its
pre-configured time interval. Note that the unicast request echoing own Sender Context. If the client stores group requests for possible
the Echo Option is correctly treated and processed as a message, retransmission with the Echo Option, it should not store a given
since the 'kid context' field including the Group Identifier of the request for longer than a pre-configured time interval. Note that
OSCORE group is still present in the OSCORE Option as part of the the unicast request echoing the Echo Option is correctly treated and
COSE object (see Section 4). processed as a message, since the 'kid context' field including the
Group Identifier of the OSCORE group is still present in the OSCORE
Option as part of the COSE object (see Section 4).
Upon receiving the unicast request including the Echo Option, the Upon receiving the unicast request including the Echo Option, the
server verifies that the option value equals the stored and server performs the following verifications.
previously sent value. If not, the server MUST NOT process the
o If the server does not store an Echo Option value for the pair
(gid,kid), it considers: i) the time t1 when it has established
the Security Context used to protect the received request; and ii)
the time t2 when the request has been received. Since a valid
request cannot be older than the Security Context used to protect
it, the server verifies that (t2 - t1) is less than the largest
amount of time acceptable to consider the request fresh.
o If the server stores an Echo Option value for the pair (gid,kid)
associated to that same client in the same group, the server
verifies that the option value equals that same stored value
previously sent by that client.
If the verifications above fail, the server MUST NOT process the
request further and MAY send a 4.01 (Unauthorized) response including request further and MAY send a 4.01 (Unauthorized) response including
an Echo option. an Echo Option.
In case of positive verification, the request is further processed In case of positive verification, the request is further processed
and verified. Finally, the server updates the Recipient Context and verified. Finally, the server updates the Recipient Context
associated to that client, by setting the Replay Window according to associated to that client, by setting the Replay Window according to
the Sequence Number from the unicast request conveying the Echo the Sequence Number from the unicast request conveying the Echo
Option. The server either delivers the request to the application if Option. The server either delivers the request to the application if
it is an actual retransmission of the original one, or discards it it is an actual retransmission of the original one, or discards it
otherwise. Mechanisms to signal whether the resent request is a full otherwise. Mechanisms to signal whether the resent request is a full
retransmission of the original one are out of the scope of this retransmission of the original one are out of the scope of this
specification. specification.
A server should not deliver group requests from a given client to the A server should not deliver group requests from a given client to the
application until one valid request from that same client has been application until one valid request from that same client has been
verified as fresh, as conveying an echoed Echo Option verified as fresh, as conveying an echoed Echo Option
[I-D.ietf-core-echo-request-tag]. Also, a server may perform the [I-D.ietf-core-echo-request-tag]. Also, a server may perform the
challenge-response described above at any time, if synchronization challenge-response described above at any time, if synchronization
with sender sequence numbers of clients is (believed to be) lost, for with Sender Sequence Numbers of clients is (believed to be) lost, for
instance after a device reboot. It is the role of the application to instance after a device reboot. A client has to be always ready to
define under what circumstances sender sequence numbers lose perform the challenge-response based on the Echo Option in case a
synchronization. This can include a minimum gap between the sender server starts it.
sequence number of the latest accepted group request from a client
and the sender sequence number of a group request just received from
the same client. A client has to be always ready to perform the
challenge-response based on the Echo Option in case a server starts
it.
This approach provides an assurance of absolute message freshness. It is the role of the server application to define under what
However, it can result in an impact on performance which is circumstances Sender Sequence Numbers lose synchronization. This can
undesirable or unbearable, especially in large groups where many include experiencing a "large enough" gap D = (SN2 - SN1), between
endpoints at the same time might join as new members or lose the Sender Sequence Number SN1 of the latest accepted group request
synchronization. from a client and the Sender Sequence Number SN2 of a group request
just received from that client. However, a client may send several
unicast requests to different group members as protected with the
pairwise mode (see Section 9.2), which may consume the gap D at the
server relatively fast. This would induce the server to perform more
challenge-response exchanges than actually needed.
To ameliorate this, the server may rather rely on a trade-off between
the Sender Sequence Number gap D and a time gap T = (t2 - t1), where
t1 is the time when the latest group request from a client was
accepted and t2 is the time when the latest group request from that
client has been received, respectively. Then, the server can start a
challenge-response when experiencing a time gap T larger than a
given, pre-configured threshold. Also, the server can start a
challenge-response when experiencing a Sender Sequence Number gap D
greater than a different threshold, computed as a monotonically
increasing function of the currently experienced time gap T.
The challenge-response approach described in this appendix provides
an assurance of absolute message freshness. However, it can result
in an impact on performance which is undesirable or unbearable,
especially in large groups where many endpoints at the same time
might join as new members or lose synchronization.
Note that endpoints configured as silent servers are not able to Note that endpoints configured as silent servers are not able to
perform the challenge-response described above, as they do not store perform the challenge-response described above, as they do not store
a Sender Context to secure the 4.01 (Unauthorized) response to the a Sender Context to secure the 4.01 (Unauthorized) response to the
client. Therefore, silent servers should adopt alternative client. Therefore, silent servers should adopt alternative
approaches to achieve and maintain synchronization with sender approaches to achieve and maintain synchronization with sender
sequence numbers of clients. sequence numbers of clients.
Since requests including the Echo Option are sent over unicast, a Since requests including the Echo Option are sent over unicast, a
server can be a victim of the attack discussed in Section 10.7, when server can be a victim of the attack discussed in Section 10.7, when
such requests are protected with the signature mode of Group OSCORE, such requests are protected with the group mode of Group OSCORE, as
as described in Section 7.1. described in Section 8.1.
Instead, protecting requests with the Echo Option by using the Instead, protecting requests with the Echo Option by using the
pairwise mode of Group OSCORE as described in Appendix G.2 prevents pairwise mode of Group OSCORE as described in Section 9.2 prevents
the attack in Section 10.7. In fact, only the exact server involved the attack in Section 10.7. In fact, only the exact server involved
in the Echo exchange is able to derive the correct pairwise key used in the Echo exchange is able to derive the correct pairwise key used
by the client to protect the request including the Echo Option. by the client to protect the request including the Echo Option.
In either case, an internal on-path adversary would not be able to In either case, an internal on-path adversary would not be able to
mix up the Echo Option value of two different unicast requests, sent mix up the Echo Option value of two different unicast requests, sent
by a same client to any two different servers in the group. In fact, by a same client to any two different servers in the group. In fact,
this would require the adversary to forge the client's counter if the group mode was used, this would require the adversary to forge
signature in both such requests. As a consequence, each of the two the client's counter signature in both such requests. As a
servers remains able to selectively accept a request with the Echo consequence, each of the two servers remains able to selectively
Option only if it is waiting for that exact integrity-protected Echo accept a request with the Echo Option only if it is waiting for that
Option value, and is thus the intended recipient. exact integrity-protected Echo Option value, and is thus the intended
recipient.
Appendix F. No Verification of Signatures Appendix F. No Verification of Signatures in Group Mode
There are some application scenarios using group communication that There are some application scenarios using group communication that
have particularly strict requirements. One example of this is the have particularly strict requirements. One example of this is the
requirement of low message latency in non-emergency lighting requirement of low message latency in non-emergency lighting
applications [I-D.somaraju-ace-multicast]. For those applications applications [I-D.somaraju-ace-multicast]. For those applications
which have tight performance constraints and relaxed security which have tight performance constraints and relaxed security
requirements, it can be inconvenient for some endpoints to verify requirements, it can be inconvenient for some endpoints to verify
digital signatures in order to assert source authenticity of received digital signatures in order to assert source authenticity of received
messages. In other cases, the signature verification can be deferred messages protected with the group mode. In other cases, the
or only checked for specific actions. For instance, a command to signature verification can be deferred or only checked for specific
turn a bulb on where the bulb is already on does not need the actions. For instance, a command to turn a bulb on where the bulb is
signature to be checked. In such situations, the counter signature already on does not need the signature to be checked. In such
needs to be included anyway as part of the message, so that an situations, the counter signature needs to be included anyway as part
endpoint that needs to validate the signature for any reason has the of a message protected with the group mode, so that an endpoint that
ability to do so. needs to validate the signature for any reason has the ability to do
so.
In this specification, it is NOT RECOMMENDED that endpoints do not In this specification, it is NOT RECOMMENDED that endpoints do not
verify the counter signature of received messages. However, it is verify the counter signature of received messages protected with the
recognized that there may be situations where it is not always group mode. However, it is recognized that there may be situations
required. The consequence of not doing the signature validation is where it is not always required. The consequence of not doing the
signature validation in messages protected with the group mode is
that security in the group is based only on the group-authenticity of that security in the group is based only on the group-authenticity of
the shared keying material used for encryption. That is, endpoints the shared keying material used for encryption. That is, endpoints
in the group have evidence that a received message has been in the group would have evidence that the received message has been
originated by a group member, although not specifically identifiable originated by a group member, although not specifically identifiable
in a secure way. This can violate a number of security requirements, in a secure way. This can violate a number of security requirements,
as the compromise of any element in the group means that the attacker as the compromise of any element in the group means that the attacker
has the ability to control the entire group. Even worse, the group has the ability to control the entire group. Even worse, the group
may not be limited in scope, and hence the same keying material might may not be limited in scope, and hence the same keying material might
be used not only for light bulbs but for locks as well. Therefore, be used not only for light bulbs but for locks as well. Therefore,
extreme care must be taken in situations where the security extreme care must be taken in situations where the security
requirements are relaxed, so that deployment of the system will requirements are relaxed, so that deployment of the system will
always be done safely. always be done safely.
Appendix G. Pairwise Mode Appendix G. Optimized Request
For use cases that do not require an intermediary performing An optimized request is processed as a request in group mode
signature verification and that use a compatible signature algorithm, (Section 8.1) and uses the OSCORE header compression defined in
the pairwise mode defined in this section can be used for unicast Section 5 for the group mode, with the following difference: the
communication. payload of the OSCORE message SHALL encode the ciphertext without the
tag, concatenated with the value of the CounterSignature0 of the COSE
object computed as described in Section 4.1.
This mode uses the derivation process defined in Section 3, and The optimized request is compatible with all AEAD algorithms defined
allows two group members to protect requests and responses exchanged in [I-D.ietf-cose-rfc8152bis-algs], but would not be compatible with
with each other using pairwise keying material. AEAD algorithms that do not have a well-defined tag.
Senders MUST NOT use the pairwise mode to protect a message addressed Appendix H. Example Values of Parameters for Countersignatures
to multiple recipients or to the whole group. This prevents a client
that wants to address one specific server from protecting a request
with the pairwise key associated to that server, and then send the
request over multicast.
The pairwise mode results in the same performance and security The table below provides examples of values for Counter Signature
improvements displayed by optimized responses (see Section 9.2). Parameters in the Common Context (see Section 2.1.3), for different
values of Counter Signature Algorithm.
G.1. Pre-Requirements +-------------------+---------------------------------------------+
| Counter Signature | Example Values for Counter |
| Algorithm | Signature Parameters |
+-------------------+---------------------------------------------+
| (-8) // EdDSA | [1], [1, 6] // 1: OKP ; 1: OKP, 6: Ed25519 |
| (-7) // ES256 | [2], [2, 1] // 2: EC2 ; 2: EC2, 1: P-256 |
| (-35) // ES384 | [2], [2, 2] // 2: EC2 ; 2: EC2, 2: P-384 |
| (-36) // ES512 | [2], [2, 3] // 2: EC2 ; 2: EC2, 3: P-512 |
| (-37) // PS256 | [], [3] // empty ; 3: RSA |
| (-38) // PS384 | [], [3] // empty ; 3: RSA |
| (-39) // PS512 | [], [3] // empty ; 3: RSA |
+-------------------+---------------------------------------------+
In order to protect an outgoing message in pairwise mode, a sender Figure 4: Examples of Counter Signature Parameters
needs to know the public key and the Recipient ID for the message
recipient, as stored in its own Recipient Context associated to that
recipient.
Furthermore, the sender needs to know the individual address of the The table below provides examples of values for Counter Signature Key
message recipient. This information may not be known at any given Parameters in the Common Context (see Section 2.1.4), for different
point in time. For instance, right after having joined the group, a values of Counter Signature Algorithm.
client may know the public key and Recipient ID for a given server,
but not the addressing information required to reach it with an
individual, one-to-one request.
To make this information available, servers MAY provide a resource to +-------------------+---------------------------------+
which a client can send a request for a server identified by its | Counter Signature | Example Values for Counter |
'kid' value, or a set thereof. The specified set may be empty, hence | Algorithm | Signature Key Parameters |
identifying all the servers in the group. Further details of such an +-------------------+---------------------------------+
interface are out of scope for this document. | (-8) // EdDSA | [1, 6] // 1: OKP , 6: Ed25519 |
| (-7) // ES256 | [2, 1] // 2: EC2 , 1: P-256 |
| (-35) // ES384 | [2, 2] // 2: EC2 , 2: P-384 |
| (-36) // ES512 | [2, 3] // 2: EC2 , 3: P-512 |
| (-37) // PS256 | [3] // 3: RSA |
| (-38) // PS384 | [3] // 3: RSA |
| (-39) // PS512 | [3] // 3: RSA |
+-------------------+---------------------------------+
G.2. Pairwise Protected Request Figure 5: Examples of Counter Signature Key Parameters
A request in pairwise mode is protected as defined in Section 7.1, Appendix I. Document Updates
with the following differences.
o The client MUST set to 1 the sixth least significant bit of the RFC EDITOR: PLEASE REMOVE THIS SECTION.
OSCORE flag bits in the OSCORE option, i.e. the Pairwise Flag.
o The COSE_Encrypt0 object included in the request is encrypted I.1. Version -08 to -09
using a symmetric pairwise key K, that the client derives as
defined in Section 3. In particular, the Sender/Recipient Key is
the Sender Key of the client from its own Sender Context, i.e. the
Recipient Key that the server stores in its own Recipient Context
corresponding to the client.
o The Counter Signature is not computed. That is, unlike defined in o Pairwise keys are discarded after group rekeying.
Section 5, the payload of the OSCORE message terminates with the
encoded ciphertext of the COSE object.
Note that no changes are made to the AEAD nonce and AAD. o Signature mode renamed to group mode.
Upon receiving a request with the Pairwise Flag set to 1, the server o The parameters for countersignatures use the updated COSE
MUST process it as defined in Section 7.2, with the following registries. Newly defined IANA registries have been removed.
differences.
o No countersignature to verify is included. o Pairwise Flag bit renamed as Group Flag bit, set to 1 in group
mode and set to 0 in pairwise mode.
o The COSE_Encrypt0 object included in the request is decrypted and o Dedicated section on updating the Security Context.
verified using the same symmetric pairwise key K, that the server
derives as described above for the client side and as defined in
Section 3.
G.3. Pairwise Protected Response o By default, sender sequence numbers and replay windows are not
reset upon group rekeying.
When using the pairwise mode, the processing of a response occurs as o An endpoint implementing only a silent server does not support the
described in Section 9.2 for an optimized response. pairwise mode.
Appendix H. Document Updates o Separate section on general message reception.
RFC EDITOR: PLEASE REMOVE THIS SECTION. o Pairwise mode moved to the document body.
H.1. Version -07 to -08 o Considerations on using the pairwise mode in non-multicast
settings.
o Optimized requests are moved as an appendix.
o Normative support for the signature and pairwise mode.
o Revised methods for synchronization with clients' sender sequence
number.
o Appendix with example values of parameters for countersignatures.
o Clarifications and editorial improvements.
I.2. Version -07 to -08
o Clarified relation between pairwise mode and group communication o Clarified relation between pairwise mode and group communication
(Section 1). (Section 1).
o Improved definition of "silent server" (Section 1.1). o Improved definition of "silent server" (Section 1.1).
o Clarified when a Recipient Context is needed (Section 2). o Clarified when a Recipient Context is needed (Section 2).
o Signature checkers as entities supported by the Group Manager o Signature checkers as entities supported by the Group Manager
(Section 2.3). (Section 2.3).
skipping to change at page 60, line 5 skipping to change at page 64, line 13
(Section 10.15). (Section 10.15).
o Updates to the methods for synchronizing with clients' sequence o Updates to the methods for synchronizing with clients' sequence
number (Appendix E). number (Appendix E).
o Simplified text on discovery services supporting the pairwise mode o Simplified text on discovery services supporting the pairwise mode
(Appendix G.1). (Appendix G.1).
o Editorial improvements. o Editorial improvements.
H.2. Version -06 to -07 I.3. Version -06 to -07
o Updated abstract and introduction. o Updated abstract and introduction.
o Clarifications of what pertains a group rekeying. o Clarifications of what pertains a group rekeying.
o Derivation of pairwise keying material. o Derivation of pairwise keying material.
o Content re-organization for COSE Object and OSCORE header o Content re-organization for COSE Object and OSCORE header
compression. compression.
skipping to change at page 60, line 37 skipping to change at page 64, line 45
o Security considerations on Group OSCORE for unicast requests, also o Security considerations on Group OSCORE for unicast requests, also
as affecting the usage of the Echo option. as affecting the usage of the Echo option.
o Clarification on different types of groups considered o Clarification on different types of groups considered
(application/security/CoAP). (application/security/CoAP).
o New pairwise mode, using pairwise keying material for both o New pairwise mode, using pairwise keying material for both
requests and responses. requests and responses.
H.3. Version -05 to -06 I.4. Version -05 to -06
o Group IDs mandated to be unique under the same Group Manager. o Group IDs mandated to be unique under the same Group Manager.
o Clarifications on parameter update upon group rekeying. o Clarifications on parameter update upon group rekeying.
o Updated external_aad structures. o Updated external_aad structures.
o Dynamic derivation of Recipient Contexts made optional and o Dynamic derivation of Recipient Contexts made optional and
application specific. application specific.
skipping to change at page 61, line 16 skipping to change at page 65, line 25
rekeying. rekeying.
o Added Group Manager responsibility on validating public keys. o Added Group Manager responsibility on validating public keys.
o Updates IANA registries. o Updates IANA registries.
o Reference to RFC 8613. o Reference to RFC 8613.
o Editorial improvements. o Editorial improvements.
H.4. Version -04 to -05 I.5. Version -04 to -05
o Added references to draft-dijk-core-groupcomm-bis. o Added references to draft-dijk-core-groupcomm-bis.
o New parameter Counter Signature Key Parameters (Section 2). o New parameter Counter Signature Key Parameters (Section 2).
o Clarification about Recipient Contexts (Section 2). o Clarification about Recipient Contexts (Section 2).
o Two different external_aad for encrypting and signing o Two different external_aad for encrypting and signing
(Section 3.1). (Section 3.1).
o Updated response verification to handle Observe notifications o Updated response verification to handle Observe notifications
(Section 6.4). (Section 6.4).
o Extended Security Considerations (Section 8). o Extended Security Considerations (Section 8).
o New "Counter Signature Key Parameters" IANA Registry o New "Counter Signature Key Parameters" IANA Registry
(Section 9.2). (Section 9.2).
H.5. Version -03 to -04 I.6. Version -03 to -04
o Added the new "Counter Signature Parameters" in the Common Context o Added the new "Counter Signature Parameters" in the Common Context
(see Section 2). (see Section 2).
o Added recommendation on using "deterministic ECDSA" if ECDSA is o Added recommendation on using "deterministic ECDSA" if ECDSA is
used as counter signature algorithm (see Section 2). used as counter signature algorithm (see Section 2).
o Clarified possible asynchronous retrieval of keying material from o Clarified possible asynchronous retrieval of keying material from
the Group Manager, in order to process incoming messages (see the Group Manager, in order to process incoming messages (see
Section 2). Section 2).
skipping to change at page 62, line 32 skipping to change at page 66, line 41
o Handling of just created Recipient Contexts in case of o Handling of just created Recipient Contexts in case of
unsuccessful message verification (see Sections 6.2 and 6.4). unsuccessful message verification (see Sections 6.2 and 6.4).
o Handling of replied/repeated responses on the client (see o Handling of replied/repeated responses on the client (see
Section 6.4). Section 6.4).
o New IANA Registry "Counter Signature Parameters" (see o New IANA Registry "Counter Signature Parameters" (see
Section 9.1). Section 9.1).
H.6. Version -02 to -03 I.7. Version -02 to -03
o Revised structure and phrasing for improved readability and better o Revised structure and phrasing for improved readability and better
alignment with draft-ietf-core-object-security. alignment with draft-ietf-core-object-security.
o Added discussion on wrap-Around of Partial IVs (see Section 2.2). o Added discussion on wrap-Around of Partial IVs (see Section 2.2).
o Separate sections for the COSE Object (Section 3) and the OSCORE o Separate sections for the COSE Object (Section 3) and the OSCORE
Header Compression (Section 4). Header Compression (Section 4).
o The countersignature is now appended to the encrypted payload of o The countersignature is now appended to the encrypted payload of
skipping to change at page 63, line 19 skipping to change at page 67, line 29
Section 7. Section 7.
o Revised and extended security considerations in Section 8. o Revised and extended security considerations in Section 8.
o Added IANA considerations for the OSCORE Flag Bits Registry in o Added IANA considerations for the OSCORE Flag Bits Registry in
Section 9. Section 9.
o Revised Appendix D, now giving a short high-level description of a o Revised Appendix D, now giving a short high-level description of a
new endpoint set-up. new endpoint set-up.
H.7. Version -01 to -02 I.8. Version -01 to -02
o Terminology has been made more aligned with RFC7252 and draft- o Terminology has been made more aligned with RFC7252 and draft-
ietf-core-object-security: i) "client" and "server" replace the ietf-core-object-security: i) "client" and "server" replace the
old "multicaster" and "listener", respectively; ii) "silent old "multicaster" and "listener", respectively; ii) "silent
server" replaces the old "pure listener". server" replaces the old "pure listener".
o Section 2 has been updated to have the Group Identifier stored in o Section 2 has been updated to have the Group Identifier stored in
the 'ID Context' parameter defined in draft-ietf-core-object- the 'ID Context' parameter defined in draft-ietf-core-object-
security. security.
skipping to change at page 64, line 5 skipping to change at page 68, line 16
implications of possible collisions of group identifiers. implications of possible collisions of group identifiers.
o Updated Appendix D.2, adding a pointer to draft-palombini-ace-key- o Updated Appendix D.2, adding a pointer to draft-palombini-ace-key-
groupcomm about retrieval of nodes' public keys through the Group groupcomm about retrieval of nodes' public keys through the Group
Manager. Manager.
o Minor updates to Appendix E.3 about Challenge-Response o Minor updates to Appendix E.3 about Challenge-Response
synchronization of sequence numbers based on the Echo option from synchronization of sequence numbers based on the Echo option from
draft-ietf-core-echo-request-tag. draft-ietf-core-echo-request-tag.
H.8. Version -00 to -01 I.9. Version -00 to -01
o Section 1.1 has been updated with the definition of group as o Section 1.1 has been updated with the definition of group as
"security group". "security group".
o Section 2 has been updated with: o Section 2 has been updated with:
* Clarifications on etablishment/derivation of Security Contexts. * Clarifications on etablishment/derivation of Security Contexts.
* A table summarizing the the additional context elements * A table summarizing the the additional context elements
compared to OSCORE. compared to OSCORE.
skipping to change at page 64, line 48 skipping to change at page 69, line 14
Acknowledgments Acknowledgments
The authors sincerely thank Christian Amsuess, Stefan Beck, Rolf The authors sincerely thank Christian Amsuess, Stefan Beck, Rolf
Blom, Carsten Bormann, Esko Dijk, Klaus Hartke, Rikard Hoeglund, Blom, Carsten Bormann, Esko Dijk, Klaus Hartke, Rikard Hoeglund,
Richard Kelsey, John Mattsson, Dave Robin, Jim Schaad, Ludwig Seitz, Richard Kelsey, John Mattsson, Dave Robin, Jim Schaad, Ludwig Seitz,
Peter van der Stok and Erik Thormarker for their feedback and Peter van der Stok and Erik Thormarker for their feedback and
comments. comments.
The work on this document has been partly supported by VINNOVA and The work on this document has been partly supported by VINNOVA and
the Celtic-Next project CRITISEC; and by the EIT-Digital High Impact the Celtic-Next project CRITISEC; the SSF project SEC4Factory under
Initiative ACTIVE. the grant RIT17-0032; and the EIT-Digital High Impact Initiative
ACTIVE.
Authors' Addresses Authors' Addresses
Marco Tiloca Marco Tiloca
RISE AB RISE AB
Isafjordsgatan 22 Isafjordsgatan 22
Kista SE-16440 Stockholm Kista SE-16440 Stockholm
Sweden Sweden
Email: marco.tiloca@ri.se Email: marco.tiloca@ri.se
 End of changes. 319 change blocks. 
1363 lines changed or deleted 1595 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/