draft-ietf-drip-auth-00.txt   draft-ietf-drip-auth-01.txt 
DRIP Working Group A. Wiethuechter DRIP Working Group A. Wiethuechter
Internet-Draft S. Card Internet-Draft S. Card
Intended status: Standards Track AX Enterprize, LLC Intended status: Standards Track AX Enterprize, LLC
Expires: 21 June 2021 R. Moskowitz Expires: 20 December 2021 R. Moskowitz
HTT Consulting HTT Consulting
18 December 2020 18 June 2021
DRIP Authentication Formats DRIP Authentication Formats
draft-ietf-drip-auth-00 draft-ietf-drip-auth-01
Abstract Abstract
This document describes how to include trust into the ASTM Remote ID This document describes how to include trust into the ASTM Remote ID
specification defined in ASTM F3411-19 under a Broadcast Remote ID specification defined in ASTM F3411-19 under a Broadcast Remote ID
(RID) scenario. It defines a few different message schemes (based on (RID) scenario. It defines a few different message schemes (based on
the Authentication Message) that can be used to assure past messages the Authentication Message) that can be used to assure past messages
sent by a UA and also act as an assurance for UA trustworthiness in sent by a UA and also act as an assurance for UA trustworthiness in
the absence of Internet connectivity at the receiving node. the absence of Internet connectivity at the receiving node.
skipping to change at page 1, line -342 skipping to change at page 1, line -1223
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 21 June 2021. This Internet-Draft will expire on 20 December 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text extracted from this document must include Simplified BSD License text
as described in Section 4.e of the Trust Legal Provisions and are as described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License. provided without warranty as described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. DRIP Requirements Addressed . . . . . . . . . . . . . . . 3 1.1. DRIP Requirements Addressed . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Required Terminology . . . . . . . . . . . . . . . . . . 3 2.1. Required Terminology . . . . . . . . . . . . . . . . . . 4
2.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 3 2.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 4
3. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Background . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.1. Problem Space and Focus . . . . . . . . . . . . . . . . . 4 3.1. Problem Space and Focus . . . . . . . . . . . . . . . . . 4
3.2. ASTM Authentication Message . . . . . . . . . . . . . . . 4 3.2. Reasoning for IETF DRIP Authentication . . . . . . . . . 4
4. DRIP Authentication Framing Formats . . . . . . . . . . . . . 6 3.3. ASTM Authentication Message . . . . . . . . . . . . . . . 5
4.1. DRIP General Frame . . . . . . . . . . . . . . . . . . . 6 4. DRIP Authentication Formats . . . . . . . . . . . . . . . . . 6
4.1.1. DRIP Header . . . . . . . . . . . . . . . . . . . . . 8 4.1. UAS ID Signature . . . . . . . . . . . . . . . . . . . . 6
4.1.2. DRIP Authentication Data . . . . . . . . . . . . . . 8 4.2. Operator ID Signature . . . . . . . . . . . . . . . . . . 7
4.1.3. Forward Error Correction . . . . . . . . . . . . . . 9 4.3. Message Set Signature . . . . . . . . . . . . . . . . . . 8
4.2. DRIP Wrapper Frame . . . . . . . . . . . . . . . . . . . 10 4.4. Specific Method . . . . . . . . . . . . . . . . . . . . . 9
4.2.1. UA Hierarchical Host Identity Tag . . . . . . . . . . 11 4.4.1. DRIP Frame Format . . . . . . . . . . . . . . . . . . 9
4.2.2. Trust Timestamp . . . . . . . . . . . . . . . . . . . 11 4.4.2. DRIP Wrapper Format . . . . . . . . . . . . . . . . . 11
4.2.3. Wrapped Authentication Data . . . . . . . . . . . . . 12 4.4.3. DRIP Manifest Format . . . . . . . . . . . . . . . . 11
4.2.4. Wrapper Signature . . . . . . . . . . . . . . . . . . 16 4.4.4. DRIP Link Format . . . . . . . . . . . . . . . . . . 13
4.3. DRIP Attestation Frame . . . . . . . . . . . . . . . . . 16 5. Transport Methods & Recommendations . . . . . . . . . . . . . 13
4.3.1. Attestation Data . . . . . . . . . . . . . . . . . . 17 5.1. Legacy Advertisements (Bluetooth 4.X) . . . . . . . . . . 13
4.3.2. Expiration Timestamp . . . . . . . . . . . . . . . . 18 5.2. Extended Advertisements (Bluetooth 5.X, WiFi NaN, WiFi
4.3.3. Attestation Signature . . . . . . . . . . . . . . . . 18 Beacon) . . . . . . . . . . . . . . . . . . . . . . . . . 14
5. Transport Methods & Recommendations . . . . . . . . . . . . . 18 5.3. DRIP Recommendations . . . . . . . . . . . . . . . . . . 14
5.1. Legacy Advertisements (Bluetooth 4.X) . . . . . . . . . . 18 6. ICAO Considerations . . . . . . . . . . . . . . . . . . . . . 14
5.2. Extended Advertisements (Bluetooth 5.X and Wifi NaN) . . 19 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14
6. ASTM Considerations . . . . . . . . . . . . . . . . . . . . . 19 8. Security Considerations . . . . . . . . . . . . . . . . . . . 14
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 8.1. Manifest Hash Length . . . . . . . . . . . . . . . . . . 15
8. Security Considerations . . . . . . . . . . . . . . . . . . . 20 8.2. Replay Attacks . . . . . . . . . . . . . . . . . . . . . 15
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 20 8.3. Trust Timestamp Offsets . . . . . . . . . . . . . . . . . 16
10. Appendix A: Thoughts on ASTM Authentication Message . . . . . 20 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 16
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 21 10. Appendix A: Thoughts on ASTM Authentication Message . . . . . 16
11.1. Normative References . . . . . . . . . . . . . . . . . . 21 11. Appendix B: DRIP Attestations . . . . . . . . . . . . . . . . 17
11.2. Informative References . . . . . . . . . . . . . . . . . 21 11.1. Self-Attestation (Axx) . . . . . . . . . . . . . . . . . 17
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 11.2. Attestation (Axy) . . . . . . . . . . . . . . . . . . . 18
11.3. Concise Attestation (C-Axy) . . . . . . . . . . . . . . 19
11.4. Mutual Attestation (M-Axy) . . . . . . . . . . . . . . . 20
11.5. Link Attestation (L-Axy) . . . . . . . . . . . . . . . . 21
11.6. Broadcast Attestation (B-Axy) . . . . . . . . . . . . . 22
11.7. Link Certificate (L-Cxy) . . . . . . . . . . . . . . . . 24
11.8. Mutual Certificate (M-Cxy) . . . . . . . . . . . . . . . 24
11.9. Example Registration with Attestation . . . . . . . . . 25
12. Appendix C: DRIP Broadcast Attestation Structure . . . . . . 26
12.1. Attestor Hierarchical Host Identity Tag . . . . . . . . 27
12.2. Attestation Data . . . . . . . . . . . . . . . . . . . . 27
12.3. Trust Timestamp . . . . . . . . . . . . . . . . . . . . 27
12.4. Signing Timestamp . . . . . . . . . . . . . . . . . . . 27
12.5. Attestor Signature . . . . . . . . . . . . . . . . . . . 28
13. Appendix D: Forward Error Correction . . . . . . . . . . . . 28
13.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 28
13.1.1. Single Page FEC . . . . . . . . . . . . . . . . . . 28
13.1.2. Multi Page FEC . . . . . . . . . . . . . . . . . . . 29
13.2. Decoding . . . . . . . . . . . . . . . . . . . . . . . . 29
13.2.1. Single Page FEC . . . . . . . . . . . . . . . . . . 29
13.2.2. Multi Page FEC . . . . . . . . . . . . . . . . . . . 29
13.3. FEC Limitations . . . . . . . . . . . . . . . . . . . . 29
14. References . . . . . . . . . . . . . . . . . . . . . . . . . 29
14.1. Normative References . . . . . . . . . . . . . . . . . . 29
14.2. Informative References . . . . . . . . . . . . . . . . . 30
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 30
1. Introduction 1. Introduction
UA Systems (UAS) are usually in a volatile environment when it comes UA Systems (UAS) are usually in a volatile environment when it comes
to communication. UA are generally small with little computational to communication. UA are generally small with little computational
(or flying) horsepower to carry standard communication equipment. (or flying) horsepower to carry standard communication equipment.
This limits the mediums of communication to few viable options. This limits the mediums of communication to few viable options.
Observer systems (e.g. smartphones and tablets) place further Observer systems (e.g. smartphones and tablets) place further
constraints on the communication options. The Remote ID Broadcast constraints on the communication options. The Remote ID Broadcast
skipping to change at page 3, line 20 skipping to change at page 3, line 49
The ASTM standard [F3411-19] focuses on two ways of communicating to The ASTM standard [F3411-19] focuses on two ways of communicating to
a UAS for RID: Broadcast and Network. a UAS for RID: Broadcast and Network.
This document will focus on adding trust to Broadcast RID in the This document will focus on adding trust to Broadcast RID in the
current (and an expanded) Authentication Message format. current (and an expanded) Authentication Message format.
1.1. DRIP Requirements Addressed 1.1. DRIP Requirements Addressed
The following [drip-requirements] will be addressed: The following [drip-requirements] will be addressed:
GEN 1: Provable Ownership This will be addressed using the GEN 1: Provable Ownership This will be addressed using the DRIP
Certificate Message type (Section 4.3.1.1). Link.
GEN 2: Provable Binding This requirement is addressed using the GEN 2: Provable Binding This requirement is addressed using the DRIP
Wrapped ASTM Message (Section 4.2.3.1.2), Manifest Message Link, Manifest.
(Section 4.2.3.2) and Message Pack Signature (Section 4.2.3.1.1)
types.
GEN 3: Provable Registration This requirement is addressed using the GEN 3: Provable Registration This requirement is addressed using the
Certificate Message type (Section 4.3.1.1). DRIP Link.
2. Terminology 2. Terminology
2.1. Required Terminology 2.1. Required Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
skipping to change at page 4, line 16 skipping to change at page 4, line 42
The current standard for Remote ID (RID) does not, in any meaningful The current standard for Remote ID (RID) does not, in any meaningful
capacity, address the concerns of trust in the UA space with capacity, address the concerns of trust in the UA space with
communication in the Broadcast RID environment. This is a communication in the Broadcast RID environment. This is a
requirement that will need to be addressed eventually for various requirement that will need to be addressed eventually for various
different parties that have a stake in the UA industry. different parties that have a stake in the UA industry.
The following subsections will provide a high level reference to the The following subsections will provide a high level reference to the
ASTM standard for Authentication Messages and how their current ASTM standard for Authentication Messages and how their current
limitations effect trust in the Broadcast RID environment. limitations effect trust in the Broadcast RID environment.
3.2. ASTM Authentication Message 3.2. Reasoning for IETF DRIP Authentication
The ASTM Authentication Message has provisions in [F3411-19] to allow
for other organizations to define (and standardize) Authentication
formats. The standardization of special formats to support the DRIP
requirements in UAS RID for trustworthy communications over Broadcast
RID is an important part of the chain of trust for a UAS ID. No
existing formats (defined by ASTM or others) was flexible enough to
satisfy this goal resulting in the work reflected in this document.
3.3. ASTM Authentication Message
Page 0: Page 0:
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+-----------------------------------------------+ +---------------+-----------------------------------------------+
| Auth Header | | | Auth Header | |
+---------------+ ASTM Authentication Headers +---------------+ +---------------+ ASTM Authentication Headers +---------------+
| | | | | |
+-----------------------------------------------+ | +-----------------------------------------------+ |
| | | |
| | | |
| | | |
| Authentication Data / Signature | | Authentication Data / Signature |
| | | |
| | | |
| | | |
+---------------------------------------------------------------+ +---------------------------------------------------------------+
Page 1 - 4: Page 1 - 15:
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+-----------------------------------------------+ +---------------+-----------------------------------------------+
| Auth Header | | | Auth Header | |
+---------------+ | +---------------+ |
| | | |
| | | |
| | | |
| | | |
| Authentication Data / Signature | | Authentication Data / Signature |
| | | |
| | | |
| | | |
| | | |
+---------------------------------------------------------------+ +---------------------------------------------------------------+
Auth Header (1 byte): Auth Header (1 byte):
Contains Authentication Type (AuthType) and Page Number. For Contains Authentication Type (AuthType) and Page Number.
DRIP Authentication AuthType is a value of 0x5.
ASTM Authentication Headers: (6 bytes) ASTM Authentication Headers: (6 bytes)
Contains other header information for the Authentication Contains other header information for the Authentication
Message from ASTM UAS RID Standard. Message from ASTM UAS RID Standard.
Authentication Data / Signature: (109 bytes: 17+23*4) Authentication Data / Signature: (0 to 255 bytes)
Opaque authentication data. Opaque authentication data.
Figure 1: Standard ASTM Authentication Message format Figure 1: Standard ASTM Authentication Message format
The above diagram is the format defined by ASTM [F3411-19] that is The above diagram is the format defined by ASTM [F3411-19] that is
the frame which everything this document fits into. The specific the frame which everything this document fits into. The specific
details of the ASTM headers are abstracted away as they are not details of the ASTM headers are abstracted away as they are not
necessarily required for this document. necessarily required for this document.
There is a 25th byte exclude in the diagrams that comes before the There is a 25th byte exclude in the diagrams that comes before the
Auth Header. This is the ASTM Header and consists of the Protocol Auth Header. This is the ASTM Header and consists of the Protocol
Version and Message Type of the given message frame/page. Version and Message Type of the given message frame/page.
4. DRIP Authentication Framing Formats 4. DRIP Authentication Formats
Currently the ASTM AuthType of 0x5 should be used to denote DRIP
based Authentication. The max page count of the Authentication
Message is increased to 10, instead of being capped at 5.
To keep consistent formatting across the different mediums (Bluetooth To keep consistent formatting across the different mediums (Bluetooth
4, Bluetooth 5 and Wifi NaN) and their independent restrictions the 4, Bluetooth 5 and WiFi NaN) and their independent restrictions the
authentication data being sent is REQUIRED to fit within the first 9 authentication data being sent is REQUIRED to fit within the first 9
pages of the Authentication Message. The final (10th) page of the pages (Page 0 through Page 8) of the Authentication Message (giving a
message is reserved exclusively for Forward Error Correction bytes max of 201 bytes). The rest of the pages of the message is reserved
and is only present on Bluetooth 4. exclusively for Forward Error Correction bytes and is only present on
Bluetooth 4.
4.1. DRIP General Frame 4.1. UAS ID Signature
The existing ASTM [F3411-19] Authentication Type 0x1 can be used to
send a fresh Self-Attestation of the UA over 7 pages.
Page 0:
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+-----------------------------------------------+ +---------------+---------------+---------------+---------------+
| Auth Header | |
+---------------+ ASTM Authentication Headers +---------------+
| | DRIP Header |
+-----------------------------------------------+---------------+
| | | |
| UA Hierarchical |
| Host Identity Tag |
| | | |
+---------------+---------------+---------------+---------------+
| | | |
| DRIP Authentication Data |
| | | |
| | | |
| UA Host Identity |
| | | |
+---------------------------------------------------------------+
Page 1 - Page N-1:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+-----------------------------------------------+
| Auth Header | |
+---------------+ |
| | | |
| | | |
| | | |
| DRIP Authentication Data | +---------------+---------------+---------------+---------------+
| Trust Timestamp |
+---------------+---------------+---------------+---------------+
| Signing Timestamp |
+---------------+---------------+---------------+---------------+
| | | |
| | | |
| | | |
| | | |
| | | |
+---------------------------------------------------------------+
Page N:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+-----------------------------------------------+
| Auth Header | |
+---------------+ |
| | | |
| | | |
| UA Signature |
| | | |
| Forward Error Correction |
| | | |
| | | |
| | | |
| | | |
| | | |
+---------------------------------------------------------------+ | |
| |
DRIP Header (1 byte): +---------------+---------------+---------------+---------------+
7 6 5 4 3 2 1 0
+-----+-----+-----+-----+-----+-----+-----+-----+
| FEC | DRIP AuthType |
+-----+-----+-----+-----+-----+-----+-----+-----+
FEC (1 bit):
Enabled [1] or Disabled [0]. Signals if Page N is
filled with XOR FEC.
DRIP AuthType (7 bits):
DRIP AuthType Values
------------- ------
0 Wrapped ASTM Message(s) 0
1 Wrapped ASTM Message(s) 1
2 Wrapped ASTM Message(s) 2
3 Wrapped ASTM Message(s) 3
4 Wrapped ASTM Message(s) 4
5 Wrapped ASTM Message(s) 5
8 Byte Manifest 6
4 Byte Manifest 7
Reserved (Wrapped Messages) 8-15
Certificate: Registry on Aircraft 16
Reserved (Certificates) 17-31
Private Use 32-63
Reserved 64-111
Experimental Use 112-127
DRIP Authentication Data (200 bytes):
DRIP Authentication data. 0 to 200 bytes.
Forward Error Correction (23 bytes):
Optional and signaled using DRIP Header. Always last
Authentication page.
Figure 2: DRIP General Frame Format
4.1.1. DRIP Header
The DRIP Header is used to signal what kind of Authentication under
DRIP that the message is using and consists of two fields.
4.1.1.1. Forward Error Correction (Bit 8)
The Most Significant Bit is used to signal if FEC is present in the
final page of the Authentication Message. It MUST be set to 1 if FEC
is being used. This is only enabled under Bluetooth 4 and MUST be
set to 0 on Bluetooth 5 or Wifi NaN.
4.1.1.2. DRIP AuthType (Bits 1-7)
The lower 7 bits are used as the DRIP AuthType field denoting what
Authentication type is being used. There are 5 major areas carved
out of the DRIP AuthType defined by the following bitmaps:
000 xxxx (0x00-0x0F): Wrapped Messages (16)
001 xxxx (0x10-0x1F): Certificates (16)
01x xxxx (0x20-0x3F): Private Use (32)
1xx xxxx (0x40-0x6F): Reserved (48)
111 xxxx (0x70-0x7F): Experimental Use (16)
Figure 3: DRIP Header Bitmasks
4.1.2. DRIP Authentication Data
This field has a maximum size of 200 bytes. If the data is less than
the max and a page is only partially filled then the rest of the
partially filled page must be null padded.
This section is generally filled with either the Wrapper Frame
(Section 4.2) or the Attestation Frame (Section 4.3).
4.1.3. Forward Error Correction
To help Bluetooth (specifically Bluetooth 4) achieve the goal of
reliable receipt of paged messages a Forward Error Correction (FEC)
scheme is introduced and MUST be used for Legacy Advertising
(Bluetooth 4) and MUST NOT be used for Extended Advertising
(Bluetooth 5, Wifi NaN) under DRIP.
4.1.3.1. Encoding
A compliant implementation of this standard MUST use XOR for the FEC.
When generating the parity the first byte of every Authentication
Page MUST be exclude from the XOR operation. For pages 1 through N
this leaves the data portion of the page while page 0 will include a
number of headers along with 17 bytes of data.
To generate the parity a simple XOR operation using the previous and
current page is used. For page 0, a 23 byte null pad is used for the
previous page. The resulting 23 bytes of parity is appended in one
full page (always the last) allowing for recovery when any single
page is lost in transmission.
4.1.3.2. Decoding
Due to the nature of Bluetooth 4 and the existing ASTM paging
structure an optimization can be used. If a Bluetooth frame fails
its CRC check, then the frame is dropped without notification to the
upper protocol layers. From the Remote ID perspective this means the
loss of a complete frame/message/page. In Authentication Messages,
each page is already numbered so the loss of a page allows the
receiving application to build a "dummy" page filling the
Authentication Data field (and ASTM Authentication Headers fields if
page 0) with nulls.
Using the same methods as encoding, an XOR operation is used between Figure 2: DRIP UAS ID Signature
is the current page). The resulting 23 bytes is the data of the
missing page.
If page 0 is being reconstructed an additional check of the Page 4.2. Operator ID Signature
Count, to check against how many pages are actually present, MUST be
performed for sanity. An additional check on the Data Length field
can also be performed, but is not required.
4.1.3.3. Limitations & Recommendations The existing ASTM [F3411-19] Authentication Type 0x2 can be used to
send a static Self-Attestation of the Operator over 7 pages.
If more than one page is lost (>1/5 for 5 page messages, >1/10 for 10 0 1 2 3
page messages) than the error rate of the link is already beyond 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
saving and the application has more issues to deal with. +---------------+---------------+---------------+---------------+
| |
| Operator Hierarchical |
| Host Identity Tag |
| |
+---------------+---------------+---------------+---------------+
| |
| |
| |
| Operator Host Identity |
| |
| |
| |
| |
+---------------+---------------+---------------+---------------+
| Trust Timestamp |
+---------------+---------------+---------------+---------------+
| Signing Timestamp |
+---------------+---------------+---------------+---------------+
| |
| |
| |
| |
| |
| |
| |
| Operator Signature |
| |
| |
| |
| |
| |
| |
| |
| |
+---------------+---------------+---------------+---------------+
In theory under Bluetooth 4 up to 15 pages Authentication could be Figure 3: DRIP Operator ID Signature
sent (9 pages reserved to Authentication and 6 pages reserved for
Forward Error Correction). It is currently recommended however for a
max of 10 pages total.
4.2. DRIP Wrapper Frame 4.3. Message Set Signature
This format MUST be encapsulated by the General Frame (Section 4.1) When running under Extended Advertisements, the existing ASTM
and reside in its data field (Section 4.1.2). [F3411-19] Authentication Type 0x3 can be used to sign over the
adjacent ASTM Messages in the Message Pack (0xF).
Typically the DRIP Header is set in the range of 0x00 through 0x0F The concatenation of all messages in the Message Pack (excluding
(FEC disabled) or 0x80 through 0x8F (FEC enabled). Authentication) before signing MUST be in Message Type order and be
placed between the UA HHIT and Signing Timestamp field.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+---------------+---------------+ +---------------+---------------+---------------+---------------+
| | | |
| UA Hierarchical | | UA Hierarchical |
| Host Identity Tag | | Host Identity Tag |
| | | |
+---------------+---------------+---------------+---------------+ +---------------+---------------+---------------+---------------+
| Trust Timestamp | | Trust Timestamp |
+---------------+---------------+---------------+---------------+ +---------------+---------------+---------------+---------------+
| | | Signing Timestamp |
. .
. Authentication Data .
. .
| |
+---------------+---------------+---------------+---------------+ +---------------+---------------+---------------+---------------+
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| Signature | | UA Signature |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
+---------------+---------------+---------------+---------------+ +---------------+---------------+---------------+---------------+
UA Hierarchial Host Identity Tag (16 bytes): Figure 4: DRIP Message Set Signature
The UAs HHIT in byte form. Hashed from the EdDSA25519
public key.
Trust Timestamp (4 bytes):
Timestamp denoting current time plus an offset to trust
message to.
Authentication Data (116 bytes):
Opaque authentication data using DRIP format specified in
the DRIP Header. 0 to 116 bytes.
Signature (64 bytes):
Signature over preceding fields using the EdDSA25519
keypair of the UA.
Figure 4: DRIP Wrapper Frame Format
4.2.1. UA Hierarchical Host Identity Tag
To avoid needing the UAs HHIT via the ASTM Basic ID in a detached
fashion the 16 byte HHIT of the UA is included in the wrapper frame.
The HHIT for the UA (and other entities in the RID and greater UTM
system under DRIP) is an enhancement of the Host Identity Tag (HIT)
[RFC7401] introducing hierarchy (and how they are used in UAS RID) as
defined in [drip-rid].
4.2.2. Trust Timestamp 4.4. Specific Method
The Trust Timestamp is of the format defined in [F3411-19]. That is Under Specific Method (Authentication Type 0x5) is where the main set
a UNIX timestamp offset by 01/01/2019 00:00:00. An additional offset of DRIP Authentication Formats are defined. These formats unlike the
is then added to push the timestamp a short time into the future to previous ones are more well defined and can include Forward Error
avoid replay attacks. Correction data.
When wrapping a Vector (Position/Location) Message the payload WILL 4.4.1. DRIP Frame Format
contain (by ASTM rules) constantly changing data, this includes its
own timestamp. This timestamp is only 2 bytes, which is easily
attacked and only expresses the 1/10th of seconds since the last
hour.
Other ASTM message types, such as Basic ID and Self-ID are static This is specified when the SAM ID is DRIP Frame. It is encapsulated
messages with no changing data. To protect a replay of these signed by the ASTM Authentication Message (Section 3.3) and fills the
messages the Trust Timestamp is the field during signing to be Authentication Data / Signature field in Figure 1.
guaranteed to change.
The offset used against the UNIX timestamp is not defined in this 0 1 2 3
document. Best practices to identify a acceptable offset should be 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
used taking into consideration the UA environment, and propagation +---------------+---------------+---------------+---------------+
characteristics of the messages being sent. | SAM ID | |
+---------------+ |
. .
. DRIP Authentication Data .
. .
| |
+---------------+---------------+---------------+---------------+
| |
. .
. Forward Error Correction .
. .
| |
+---------------+---------------+---------------+---------------+
4.2.3. Wrapped Authentication Data SAM ID (1 byte):
The SAM ID (Specific Authentication Method ID) is
defined by ASTM under AuthType 0x5 and values allocated
by ICAO.
This field has a maximum of 116 bytes in length. For DRIP there are four SAM IDs allocated:
4.2.3.1. Wrapped ASTM Message Formats SAM ID | Value
-----------------------------+-------
DRIP Frame | 0
DRIP Wrapper | 1
DRIP Manifest | 2
DRIP Link | 3
When wrapping any ASTM Messages and filling the Wrapped DRIP Authentication Data (0 to 200 bytes):
Authentication Data field under DRIP the messages MUST be in Message DRIP Authentication data.
Type order as defined by ASTM. All message types except
Authentication (0x2) and Message Pack (0xF) are allowed.
4.2.3.1.1. 0 Wrapped ASTM Message(s) Forward Error Correction (0 to 161 bytes):
Forward Error Correction data.
This payload type MUST only be used under Extended Advertisement Figure 5: DRIP Frame Format
(Bluetooth 5.X and Wifi NaN).
The Wrapped Authentication Data is the concatenation of all messages 4.4.1.1. Specific Authentication Method ID (SAM ID)
in the Message Pack (excluding Authentication) in Message Type order.
No actual data payload is present in this format as the data is found
outside the Authentication Message in the same Message Pack.
The DRIP Header is set to 0x00 (0). Defined by ASTM (only under AuthType 0x5), values are allocated by
ICAO. For DRIP there are four SAM IDs: DRIP Frame, DRIP Wrapper,
DRIP Manifest and DRIP Link.
4.2.3.1.2. 1 to 4 Wrapped ASTM Message(s) 4.4.1.2. DRIP Authentication Data
This payload type can be used on either Legacy or Extended This field has a maximum size of 200 bytes. If the data is less than
Advertisements. the max and a page is only partially filled then the rest of the
partially filled page must be null padded. Note that the Length
field in the Authentication Message is set to the length of the DRIP
Authentication Data and MUST NOT include the Forward Error
Correction.
The DRIP Header is set to 0x81-0x84 (129-134) when using Legacy When possible the DRIP Broadcast Attestation Structure (Section 12)
Advertisements (FEC is enabled) and 0x01-0x04 (1-4) when using should be used in this space.
Extended Advertisements (FEC is disabled).
4.2.3.1.3. 5 Wrapped ASTM Message(s) 4.4.1.3. Forward Error Correction
Editors Note: This payload type does not currently fit in the 116 This field has a maximum size of 161 bytes and SHOULD be page aligned
byte limit of the Wrapper Frame. If the ASTM relaxes the Max Page at start. The number of pages present after the data indicate the
Count limit for Legacy Advertisements to use all 15 pages then this FEC scheme. When a single page of FEC is present an XOR operation
is possible. MUST be used. When there are multiple pages of FEC (2 or more) a
Reed Solomon method MUST be used.
This payload type MUST only be used on Legacy Advertisements See Section 13 for more.
(Bluetooth 4.X). It requires 11 pages to complete.
The DRIP Header is set to 0x85 (133). 4.4.2. DRIP Wrapper Format
This payload type allows in Legacy Advertisements to have a pseudo- This is specified when the SAM ID is DRIP Wrapper. It is
Message Pack like what is found in Extended Advertisements. encapsulated by the DRIP Frame (Section 4.4.1) and Broadcast
Attestation Structure (Section 12); filling the Attestation Data
(Section 12.2) field with full (25-byte) ASTM Messages. The minimum
number of ASTM Messages being 1 (Editors Note: Is this minimum 1 or
0?) and the max being 4. The encapsulated ASTM Messages MUST be in
Message Type order as defined by ASTM. All message types except
Authentication (0x2) and Message Pack (0xF) are allowed.
4.2.3.1.4. Limitations To determine the number of messages wrapped the receiver can check
that the length of the Attestation Data (Section 12.2) field of the
DRIP Broadcast Attestation (Section 12) is a multiple of 25-bytes.
When wrapping a single ASTM Message the 25 byte payload actually 4.4.2.1. Wrapper Limitations
causes an inefficiency in the framing format, create a whole page
unused except for a single byte. This can be optimized by removing a
single byte out of the wrapped message but creates an issue on the
receiver of knowing which byte was removed.
When sending a Location Message (Message Type 0x1) a single byte can TODO
be removed at the end of the message as it is currently unused. Many
other messages in the ASTM Message set however do not have this
ability. The first byte can not be removed as it is the key to know
how to decode the message.
4.2.3.2. Manifests 4.4.3. DRIP Manifest Format
Manifests fill the Wrapped Authentication Data field with hashes of This format is specified when SAM ID is set to DRIP Manifest. It is
previously send messages. encapsulated by the DRIP Frame (Section 4.4.1) and Broadcast
Attestation Structure (Section 12); filling the Attestation Data
(Section 12.2) field with 8-byte hashes of previous ASTM Messages.
By hashing previously sent messages and signing them we gain trust in By hashing previously sent messages and signing them we gain trust in
UAs previous reports. An observer who has been listening for any UAs previous reports. An observer who has been listening for any
considerable length of time can hash received messages and cross considerable length of time can hash received messages and cross
check against listed hashes. check against listed hashes. This is a way to evade the limitation
of a maximum of 4 messages in the Wrapper Format and reduce overhead.
4.2.3.2.1. Hash Algorithm and Operation (Editors Note: Manifests MUST NOT be of a length multiple of 25-bytes
or 48-bytes.)
4.4.3.1. Hash Algorithms and Operation
The hash algorithm used for the Manifest Message is the same hash The hash algorithm used for the Manifest Message is the same hash
algorithm used in creation of the HHIT that is signing the Manifest. algorithm used in creation of the HHIT that is signing the Manifest.
A standard HHIT would be using cSHAKE128 from [NIST.SP.800-185]. A standard HHIT would be using cSHAKE128 from [NIST.SP.800-185].
With cSHAKE128, the hash is computed as follows: With cSHAKE128, the hash is computed as follows:
cSHAKE128(MAC Address|Message, 8*H-Len, "", "RemoteID Auth Hash") cSHAKE128(Message, 128, "", "Remote ID Auth Hash")
The message MAC Address of the transmitter is prepended to the
message, as the MAC Address is the only information that links UA
messages from a specific UA.
Editors Note: It should be noted that for Bluetooth mediums this is
valid - however Wifi NaN does not give the receiver device the
transmitters MAC Address - making this impossible. Either MAC
Address should be removed entirely or something different be used in
its place to link to a given UA. Thanks Soren Friis for pointing
this out.
4.2.3.2.2. 8 Byte
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+---------------+---------------+
| Hash of Previous Manifest |
| |
+---------------+---------------+---------------+---------------+
| Hash of Current Manifest |
| |
+---------------+---------------+---------------+---------------+
| Message Hash 1 |
| |
+---------------+---------------+---------------+---------------+
| Message Hash 2 |
| |
+---------------+---------------+---------------+---------------+
. .
. .
. .
+---------------+---------------+---------------+---------------+
| Message Hash 12 |
| |
+---------------+---------------+---------------+---------------+
DRIP Header:
With FEC: 0x87 [135] (RECOMMENDED)
Without FEC: 0x07 [7]
Hash of Previous Manifest: (8 bytes)
A hash of the previously sent Authentication message.
Hash of Current Manifest: (8 bytes)
A hash of the current Authentication message.
Message Hash: (8 bytes)
A hash of a previously sent message. 12 max.
Figure 5: 4 Byte Manifest
4.2.3.2.3. 4 Byte
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+---------------+---------------+
| Hash of Previous Manifest |
+---------------+---------------+---------------+---------------+
| Hash of Current Manifest |
+---------------+---------------+---------------+---------------+
| Message Hash 1 |
+---------------+---------------+---------------+---------------+
| Message Hash 2 |
+---------------+---------------+---------------+---------------+
. .
. .
. .
+---------------+---------------+---------------+---------------+
| Message Hash 27 |
+---------------+---------------+---------------+---------------+
DRIP Header:
With FEC: 0x86 [132] (RECOMMENDED)
Without FEC: 0x06 [6]
Hash of Previous Manifest: (4 bytes)
A hash of the previously sent Authentication message.
Hash of Current Manifest: (4 bytes)
A hash of the current Authentication message.
Message Hash: (4 bytes)
A hash of a previously sent message. 27 max.
Figure 6: 4 Byte Manifest
4.2.3.2.4. Pseudo-Blockchain Hashes 4.4.3.2. Pseudo-Blockchain Hashes
Two special hashes are included in all Manifest messages; a previous Two special hashes are included in all Manifest messages; a previous
manifest hash, which links to the previous manifest message, as well manifest hash, which links to the previous manifest message, as well
as a current manifest hash. This gives a pseudo-blockchain as a current manifest hash. This gives a pseudo-blockchain
provenance to the manifest message that could be traced back if the provenance to the manifest message that could be traced back if the
observer was present for extended periods of time. observer was present for extended periods of time.
Creation: During creation and signing of this message format this Creation: During creation and signing of this message format this
field MUST be set to 0. So the signature will be based on this field MUST be set to 0. So the signature will be based on this
field being 0, as well as its own hash. It is an open question of field being 0, as well as its own hash. It is an open question of
if we compute the hash, then sign or sign then compute. if we compute the hash, then sign or sign then compute.
Cycling: There a few different ways to cycle this message. We can Cycling: There a few different ways to cycle this message. We can
"roll up" the hash of 'current' to 'previous' when needed or to "roll up" the hash of 'current' to 'previous' when needed or to
completely recompute the hash. This mostly depends on the completely recompute the hash. This mostly depends on the
previous note. previous note.
4.2.3.2.5. Manifest Limitation 4.4.3.3. Manifest Limitations
A potential limitation to this format is dwell time of the UA. If A potential limitation to this format is dwell time of the UA. If
the UA is not sticking to a general area then most likely the the UA is not sticking to a general area then most likely the
Observer will not obtain many (if not all) of the messages in the Observer will not obtain many (if not all) of the messages in the
manifest. Without the original messages received no verification can manifest. Without the original messages received no verification can
be done. Examples of such scenarios include delivery or survey UA. be done. Examples of such scenarios include delivery or survey UA.
4.2.4. Wrapper Signature Another limitation is the length of hash, which is discussed in
Section 8.
The wrapper signature is generated using the private key half of the
the UAs Host Identity (HI) and is done over all preceding data.
ASTM/DRIP Headers are exclude from this operation only information
within the Wrapper Fame (Section 4.2) is signed.
4.3. DRIP Attestation Frame
This format MUST be encapsulated by the General Frame (Section 4.1)
and reside in its data field (Section 4.1.2).
This format is typically used to form a complete certificate using
attestation data from a Registry defined in [identity-claims]. The
DRIP Header is normally in the range of 0x10 through 0x1F (FEC
disable) or 0x90 through 0x9F (FEC enabled).
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+---------------+---------------+
| |
. .
. Attestation Data .
. .
| |
+---------------+---------------+---------------+---------------+
| Expiration Timestamp |
+---------------+---------------+---------------+---------------+
| |
| |
| |
| |
| |
| |
| |
| Signature |
| |
| |
| |
| |
| |
| |
| |
| |
+---------------+---------------+---------------+---------------+
Attestation Data: (up to 132 bytes):
Data the UA asserts claim to.
Up to 132 bytes in length.
Expiration Timestamp (4 bytes):
Generated by the UA to protect against replay attacks.
Signature (64 bytes):
Signature over preceding fields using the EdDSA25519
keypair of the UA.
Figure 7: DRIP Attestation Format
4.3.1. Attestation Data
Any data up to 132 bytes in length that the UA wishes to assert truth
to.
4.3.1.1. DRIP Certificate
This payload type can be used in either Legacy or Extended
Advertising. It is used to grant the ability to authenticate UA
Remote ID when the receiving device of the observer (e.g. a
smartphone with a dedicated RID application) has no Internet service
(e.g. LTE signal).
The DRIP Header is set to 0x90 (144) when used for Legacy
Advertisements and 0x10 (16) for Extended Advertisements.
The Attestation Data field is filled with the Attestation: Registry
on Aircraft (Section 3.2.2 Attestation: X on Y (Offline Form) from
[identity-claims]). This is binding claim between the Registry and
the Aircraft, asserting the relationship between the two entities.
It also provides the UA Host Identity to allow signature verification
of messages signed by the UA. Also included in its structure is the
HHIT of the Registry to check the local shortlist of Registries that
the Observer device trusts (mapping HHITs to HIs).
More details about this Attestation and other certificates and the
provisioning process can be found in [identity-claims].
4.3.2. Expiration Timestamp 4.4.4. DRIP Link Format
Generated by the UA during the creation of the Authentication This format is specified when SAM ID is set to DRIP Link. It is
message. It is set a short time into the future to protect against encapsulated by the DRIP Frame (Section 4.4.1) and Broadcast
replay attacks of this DRIP format. Attestation Structure (Section 12) but the attestation has already
taken place, thus the UA need not dynamically sign the structure.
It shares the same format as the Trust Timestamp (Section 4.2.2). See Broadcast Attestation as defined in [drip-rid] and Section 11.6.
4.3.3. Attestation Signature 4.4.4.1. Link Limitations
Performed by the UA using the onboard keypair which matches the HHIT TODO
in the Basic ID Message (0x0).
5. Transport Methods & Recommendations 5. Transport Methods & Recommendations
5.1. Legacy Advertisements (Bluetooth 4.X) 5.1. Legacy Advertisements (Bluetooth 4.X)
With Legacy Advertisements the goal is to attempt to bring reliable With Legacy Advertisements the goal is to attempt to bring reliable
receipt of the paged Authentication Message. Forward Error receipt of the paged Authentication Message. Forward Error
Correction (Section 4.1.3) MUST be enabled when using Legacy Correction (Section 4.4.1.3) MUST be enabled when using Legacy
Advertising methods (such as Bluetooth 4.X). Advertising methods (such as Bluetooth 4.X).
Under ASTM Bluetooth 4.X rules, transmission of dynamic messages are Under ASTM Bluetooth 4.X rules, transmission of dynamic messages are
at least every 1 second while static messages (which is what at least every 1 second while static messages (which is what
Authentication is classified under) are sent at least every 3 Authentication is classified under) are sent at least every 3
seconds. seconds.
Under DRIP the Certificate Message MUST be transmitted to properly Under DRIP the Certificate Message MUST be transmitted to properly
meet the GEN 1 and GEN 3 requirement. meet the GEN 1 and GEN 3 requirement.
skipping to change at page 19, line 27 skipping to change at page 14, line 5
data being transmitted over Bluetooth. data being transmitted over Bluetooth.
In comparison the Message Wrapper sends 6 pages (each a single frame) In comparison the Message Wrapper sends 6 pages (each a single frame)
for each wrapped message. For backwards compatibility the for each wrapped message. For backwards compatibility the
implementation should also send the standard ASTM message that was implementation should also send the standard ASTM message that was
wrapped for non-DRIP compliant receivers to obtain. This method wrapped for non-DRIP compliant receivers to obtain. This method
results in 84 total Bluetooth frames (12 + (12 * 6)) sent. results in 84 total Bluetooth frames (12 + (12 * 6)) sent.
The question of which is better suited is up to the implementation. The question of which is better suited is up to the implementation.
5.2. Extended Advertisements (Bluetooth 5.X and Wifi NaN) 5.2. Extended Advertisements (Bluetooth 5.X, WiFi NaN, WiFi Beacon)
Under the ASTM specification, Bluetooth 5 or Wifi NaN transport of Under the ASTM specification, Bluetooth 5 or WiFi NaN transport of
Remote ID is to use the Message Pack (Type 0xF) format for all Remote ID is to use the Message Pack (Type 0xF) format for all
transmissions. Under Message Pack all messages are sent together (in transmissions. Under Message Pack all messages are sent together (in
Message Type order) in a single Bluetooth frame (up to 9 single frame Message Type order) in a single Bluetooth frame (up to 9 single frame
equivalent messages). Message Packs are required by ASTM to be sent equivalent messages). Message Packs are required by ASTM to be sent
at a rate of 1 per second (like dynamic messages). at a rate of 1 per second (like dynamic messages).
Without any fragmentation or loss of pages with transmission Forward Without any fragmentation or loss of pages with transmission Forward
Error Correction (Section 4.1.3) MUST NOT be used as it is Error Correction (Section 4.4.1.3) MUST NOT be used as it is
impractical. impractical.
6. ASTM Considerations 5.3. DRIP Recommendations
* Increase Authentication Max Page Count from 5 to 10. Legacy For DRIP it is RECOMMENDED the following Authentication Formats are
Advertising can use all 10 while Extended Advertising has a sent:
maximum of 9 due to Bluetooth 5 limitations.
* Allocate Authentication Type 0x5 for DRIP from ASTM AuthType 1. DRIP Link using the Broadcast Attestation of HID Root and the CAA
field.
2. DRIP Link using the Broadcast Attestation of CAA and the USS
3. DRIP Link using the Broadcast Attestation of USS and the UA
4. Any other DRIP Authentication Format where the UA is dynamically
signing data
6. ICAO Considerations
DRIP requests the following SAM IDs to be allocated:
1. DRIP Frame
2. DRIP Wrapper
3. DRIP Manifest
4. DRIP Link
7. IANA Considerations 7. IANA Considerations
This document does not require any actions by IANA. This document does not require any actions by IANA.
8. Security Considerations 8. Security Considerations
8.1. Manifest Hash Length
TODO For DRIP Manifest an 8-byte hash length has been selected by the
authors for a number of reasons.
(Ed. Note: Hash lengths (length vs strength/collision rate); replay 1. Hash lengths smaller than 8-bytes (for example 4-bytes) were
attacks with timestamps; static Cra (issue but nulled if UA signing originally contemplated but ruled out by comments by various
other stuff dynamically meaning signatures will fail as HI won't cryptographers. The main concern raised in this forum was that
match - this is probably a deeper discussion topic for provisioning the length of hash would not provide strong resistance against
security considerations when we get to there)) collision rate. The authors also after further review agreed
with this and also realized operationally it was not necessarily
viable. While 4-byte hashes would allow more messages to be
filled into a single DRIP Manifest payload (up to 22 individual
hashes) the length of time for the UA to stay in a single place
where the Observer would receive all the originally messages to
rehash to verify such a message was impractical.
2. Hash lengths larger than 8-bytes (for example 16-bytes) were also
considered by the authors. These got the approval of the
cryptographers but the number of hashes to send became much lower
(only 5 individual hashes). While this lower number is a more
reasonable number of original messages the Observer would have to
capture it would also mean that potentially more DRIP Manifests
would need to be sent. Overall the increase length of the hash
did not operationally justify the cost.
3. Simplifying the current design and locking it into using the same
hash as the HHIT instead of allowing for agility in either hash
algorithm or length seemed more realistic to the authors today.
8.2. Replay Attacks
The astute reader may note that the DRIP Link messages, which are
recommended to be sent under DRIP, are static in nature and contain
various timestamps. These Attestation Link message can easily be
replayed by an attacker who has copied them from previous broadcasts.
There are two things to mitigate this in DRIP:
1. If an attacker (who is smart and spoofs more than just the UAS
ID/data payloads) willing replays an Attestation Link message
they have in principle actually helped by ensuring the message is
sent more frequently and be received by potential Observers.
2. Under DRIP it is RECOMMENDED to send more than just DRIP Link
messages, specifically those that sign over changing data using
the current session keypair, and those messages are sent more
frequently. An aircraft beaconing these messages then actually
signing other messages using the keypair validates the data
receiver by an Observer. An UA who does not either run DRIP
themselves or does not have possession of the same private key,
would be clearly exposed upon signature verification.
8.3. Trust Timestamp Offsets
Note the discussion of Trust Timestamp Offsets here is in context of
the DRIP Wrapper (Section 4.4.2) and DRIP Manifest (Section 4.4.3)
messages. For DRIP Link (Section 4.4.4) messages these offsets are
set by the Attestor (typically a registry) and have their own set of
considerations as seen in (TODO: link to registry draft security
considerations here).
The offset of the Trust Timestamp (defined as a very short Expiration
Timestamp) is one that needs careful consideration for any
implementation. The offset should be shorter than any given flight
duration (typically less than an hour) but be long enough to be
received and processed by Observers (larger than a few seconds). It
recommended that 3-5 minutes should be sufficient to serve this
purpose in any scenario, but is not limited by design.
9. Acknowledgments 9. Acknowledgments
Ryan Quigley and James Mussi of AX Enterprize, LLC for early Ryan Quigley and James Mussi of AX Enterprize, LLC for early
prototyping to find holes in the draft specifications. prototyping to find holes in the draft specifications.
Soren Friis for pointing out that WiFi protocols would not give
access to the MAC Address, originally used in calculation of the
hashes for DRIP Manifest. Also for confirming that Message Packs
(0xF) can only carry up to 9 ASTM frames worth of data (9
Authentication pages) - this drove the requirement for max page
length of Authentication Data itself.
10. Appendix A: Thoughts on ASTM Authentication Message 10. Appendix A: Thoughts on ASTM Authentication Message
(Editor Note: is this valid anymore to keep?)
The format standardized by the ASTM is designed with a few major The format standardized by the ASTM is designed with a few major
considerations in mind, which the authors of this document feel put considerations in mind, which the authors of this document feel put
significant limitations on the expansion of the standard. significant limitations on the expansion of the standard.
The primary consideration (in this context) is the use of the The primary consideration (in this context) is the use of the
Bluetooth 5.X Extended Frame format. This method allows for a 255 Bluetooth 5.X Extended Frame format. This method allows for a 255
byte payload to be sent in what the ASTM refers to as a "Message byte payload to be sent in what the ASTM refers to as a "Message
Pack". Pack".
The idea is to include up to five standard ASTM Broadcast RID The idea is to include up to five standard ASTM Broadcast RID
skipping to change at page 21, line 20 skipping to change at page 17, line 38
All these problems are further amplified by the speed at which UA fly All these problems are further amplified by the speed at which UA fly
and the Observer's position to receive transmissions. There is no and the Observer's position to receive transmissions. There is no
guarantee that the Observer will receive all the pages of even a 5 guarantee that the Observer will receive all the pages of even a 5
page Authentication Message in the time it takes a UA to traverse page Authentication Message in the time it takes a UA to traverse
across their line of sight. Worse still is that is not including across their line of sight. Worse still is that is not including
other UA in the area, which congests the spectrum and could cause other UA in the area, which congests the spectrum and could cause
further confusion attempting to collate messages from various UA. further confusion attempting to collate messages from various UA.
This specific problem is out of scope for this document and our This specific problem is out of scope for this document and our
solutions in general, but should be noted as a design consideration. solutions in general, but should be noted as a design consideration.
11. References 11. Appendix B: DRIP Attestations
11.1. Normative References 11.1. Self-Attestation (Axx)
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+---------------+---------------+
| |
| Hierarchical |
| Host Identity Tag |
| |
+---------------+---------------+---------------+---------------+
| |
| |
| |
| Host Identity |
| |
| |
| |
| |
+---------------+---------------+---------------+---------------+
| Trust Timestamp |
+---------------+---------------+---------------+---------------+
| Signing Timestamp |
+---------------+---------------+---------------+---------------+
| |
| |
| |
| |
| |
| |
| |
| Signature |
| |
| |
| |
| |
| |
| |
| |
| |
+---------------+---------------+---------------+---------------+
Length = 120-bytes
Figure 6: DRIP Self-Attestation
11.2. Attestation (Axy)
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+---------------+---------------+
| |
. .
. Axx .
. .
| |
+---------------+---------------+---------------+---------------+
| |
. .
. Ayy .
. .
| |
+---------------+---------------+---------------+---------------+
| Trust Timestamp by X |
+---------------+---------------+---------------+---------------+
| Signing Timestamp by X |
+---------------+---------------+---------------+---------------+
| |
| |
| |
| |
| |
| |
| |
| Signature by X |
| |
| |
| |
| |
| |
| |
| |
| |
+---------------+---------------+---------------+---------------+
Length = 312-bytes
Figure 7: DRIP Attestation
11.3. Concise Attestation (C-Axy)
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+---------------+---------------+
| |
| Hierarchical |
| Host Identity Tag of X |
| |
+---------------+---------------+---------------+---------------+
| |
| Hierarchical |
| Host Identity Tag of Y |
| |
+---------------+---------------+---------------+---------------+
| Trust Timestamp by X |
+---------------+---------------+---------------+---------------+
| Signing Timestamp by X |
+---------------+---------------+---------------+---------------+
| |
| |
| |
| |
| |
| |
| |
| Signature by X |
| |
| |
| |
| |
| |
| |
| |
| |
+---------------+---------------+---------------+---------------+
Length = 104-bytes
Figure 8: DRIP Concise Attestation
11.4. Mutual Attestation (M-Axy)
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+---------------+---------------+
| |
. .
. Axy .
. .
| |
+---------------+---------------+---------------+---------------+
| Trust Timestamp by Y |
+---------------+---------------+---------------+---------------+
| Signing Timestamp by Y |
+---------------+---------------+---------------+---------------+
| |
| |
| |
| |
| |
| |
| |
| Signature by Y |
| |
| |
| |
| |
| |
| |
| |
| |
+---------------+---------------+---------------+---------------+
Length = 384-bytes
Figure 9: DRIP Mutual Attestation
11.5. Link Attestation (L-Axy)
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+---------------+---------------+
| |
. .
. C-Axy .
. .
| |
+---------------+---------------+---------------+---------------+
| Trust Timestamp by Y |
+---------------+---------------+---------------+---------------+
| Signing Timestamp by Y |
+---------------+---------------+---------------+---------------+
| |
| |
| |
| |
| |
| |
| |
| Signature by Y |
| |
| |
| |
| |
| |
| |
| |
| |
+---------------+---------------+---------------+---------------+
Length = 176-bytes
Figure 10: DRIP Link Attestation
11.6. Broadcast Attestation (B-Axy)
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+---------------+---------------+
| |
| Hierarchical |
| Host Identity Tag of X |
| |
+---------------+---------------+---------------+---------------+
| |
| Hierarchical |
| Host Identity Tag of Y |
| |
+---------------+---------------+---------------+---------------+
| |
| |
| |
| Host Identity of Y |
| |
| |
| |
| |
+---------------+---------------+---------------+---------------+
| Trust Timestamp by X |
+---------------+---------------+---------------+---------------+
| Signing Timestamp by X |
+---------------+---------------+---------------+---------------+
| |
| |
| |
| |
| |
| |
| |
| Signature by X |
| |
| |
| |
| |
| |
| |
| |
| |
+---------------+---------------+---------------+---------------+
Length = 136-bytes
Figure 11: DRIP Broadcast Attestation
11.7. Link Certificate (L-Cxy)
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+---------------+---------------+
| |
| Hierarchical |
| Host Identity Tag of Z |
| |
+---------------+---------------+---------------+---------------+
| |
. .
. L-Axy .
. .
| |
+---------------+---------------+---------------+---------------+
| Trust Timestamp by Z |
+---------------+---------------+---------------+---------------+
| Signing Timestamp by Z |
+---------------+---------------+---------------+---------------+
| |
| |
| |
| |
| |
| |
| |
| Signature by Z |
| |
| |
| |
| |
| |
| |
| |
| |
+---------------+---------------+---------------+---------------+
Length = 264-bytes
Figure 12: DRIP Link Certificate
11.8. Mutual Certificate (M-Cxy)
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+---------------+---------------+
| |
. .
. Azz .
. .
| |
+---------------+---------------+---------------+---------------+
| |
. .
. M-Axy .
. .
| |
+---------------+---------------+---------------+---------------+
| Trust Timestamp by Z |
+---------------+---------------+---------------+---------------+
| Signing Timestamp by Z |
+---------------+---------------+---------------+---------------+
| |
| |
| |
| |
| |
| |
| |
| Signature by Z |
| |
| |
| |
| |
| |
| |
| |
| |
+---------------+---------------+---------------+---------------+
Length = 264-bytes
Figure 13: DRIP Mutual Certificate
11.9. Example Registration with Attestation
1. X generates Axx and Y generates Ayy
2. Y sends Ayy to X
3. X verified Ayy; composes Axy, C-Axy, B-Axy; sends Axy, C-Axy,
B-Axy and B-Axy's from parents
4. Y composes M-Axy and L-Axy
5. Y broadcasts B-Axy's
12. Appendix C: DRIP Broadcast Attestation Structure
When possible the following format should be used in the DRIP
Authentication Data (Section 4.4.1.2) field.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+---------------+---------------+
| |
| Attestor Hierarchical |
| Host Identity Tag |
| |
+---------------+---------------+---------------+---------------+
| |
. .
. Attestation Data .
. .
| |
+---------------+---------------+---------------+---------------+
| Trust Timestamp |
+---------------+---------------+---------------+---------------+
| Signing Timestamp |
+---------------+---------------+---------------+---------------+
| |
| |
| |
| |
| |
| |
| |
| Attestor Signature |
| |
| |
| |
| |
| |
| |
| |
| |
+---------------+---------------+---------------+---------------+
Attestor Hierarchial Host Identity Tag (16 bytes):
The Attestors HHIT in byte form (network byte order).
Attestation Data (0 to 112 bytes):
Opaque attestation data.
Trust Timestamp (4 bytes):
Timestamp denoting recommended time to trust data to.
Signing Timestamp (4 bytes):
Current time at signing.
Attestor Signature (64 bytes):
Signature over preceding fields using the keypair of
the Attestor.
Figure 14: DRIP Broadcast Attestation Data Structure
12.1. Attestor Hierarchical Host Identity Tag
The HHIT is an enhancement of the Host Identity Tag (HIT) [RFC7401]
introducing hierarchy and how they are used in UAS RID as defined in
[drip-rid].
12.2. Attestation Data
This field has a maximum of 112 bytes in length. It is nominally
filled with data as defined by the SAM ID being set or other sub-
multiplexer in the authentication payload.
12.3. Trust Timestamp
The Trust Timestamp is of the format defined in [F3411-19]. That is
a UNIX timestamp offset by 01/01/2019 00:00:00. An additional offset
is then added to push the timestamp a short time into the future to
avoid replay attacks.
The offset used against the UNIX timestamp is not defined in this
document. Best practices to identify a acceptable offset should be
used taking into consideration the UA environment, and propagation
characteristics of the messages being sent.
12.4. Signing Timestamp
Follows the format defined in [F3411-19]. That is a UNIX timestamp
offset by 01/01/2019 00:00:00.
12.5. Attestor Signature
The signature is generated over all the preceding data. ASTM/DRIP
Headers are exclude from this operation only information within the
Broadcast Attestation Structure (Section 12) is signed.
13. Appendix D: Forward Error Correction
(Editors Note: move specifics of FEC (everything below) into its own
draft for titled Integrity Protection)
Remote ID data can be sent across many different broadcast link
media, all with different characteristics. To enable robustness in
Remote ID transmission media that has Forward Error Correction
capability SHOULD be used.
In cases where FEC is not available below the equivalent of the
transport layer (known as Legacy Advertisements) DRIP Authentication
REQUIRES that an application level FEC scheme is used. In cases
where FEC is available below the equivalent of the transport layer
(known as Extended Advertisements) DRIP MUST NOT use any application
level FEC and instead SHALL rely on the lower layers FEC
functionality.
For current Remote ID the media options are the following:
Legacy Advertisements: Bluetooth 4.X
Extended Advertisements: WiFi NAN, WiFi Beacon, Bluetooth 5.X
(Editors Note: add in self-protecting and more-than-self-protecting
options, with their justifications)
13.1. Encoding
13.1.1. Single Page FEC
When generating the parity the first byte of every Authentication
Page MUST be exclude from the XOR operation. For pages 1 through N
this leaves the data portion of the page while page 0 will include a
number of headers along with 17 bytes of data.
To generate the parity a simple XOR operation using the previous and
current page is used. For page 0, a 23 byte null pad is used for the
previous page. The resulting 23 bytes of parity is appended in one
full page (always the last) allowing for recovery when any single
page is lost in transmission.
13.1.2. Multi Page FEC
TODO (Reed Solomon)
13.2. Decoding
Due to the nature of Bluetooth 4 and the existing ASTM paging
structure an optimization can be used. If a Bluetooth frame fails
its CRC check, then the frame is dropped without notification to the
upper protocol layers. From the Remote ID perspective this means the
loss of a complete frame/message/page. In Authentication Messages,
each page is already numbered so the loss of a page allows the
receiving application to build a "dummy" page filling the
Authentication Data field (and ASTM Authentication Headers fields if
page 0) with nulls.
If page 0 is being reconstructed an additional check of the Page
Count, to check against how many pages are actually present, MUST be
performed for sanity. An additional check on the Data Length field
SHOULD also be performed.
13.2.1. Single Page FEC
Using the same methods as encoding, an XOR operation is used between
is the current page). The resulting 23 bytes is the data of the
missing page.
13.2.2. Multi Page FEC
TODO (Reed Solomon)
13.3. FEC Limitations
If more than one page is lost (>1/5 for 5 page messages, >1/10 for 10
page messages) than the error rate of the link is already beyond
saving and the application has more issues to deal with.
(Editors Note: Is this valid anymore, for XOR yes but for multi-page
FEC?)
14. References
14.1. Normative References
[F3411-19] "Standard Specification for Remote ID and Tracking", [F3411-19] "Standard Specification for Remote ID and Tracking",
February 2020. February 2020.
[NIST.SP.800-185] [NIST.SP.800-185]
Kelsey, J., Change, S., and R. Perlner, "SHA-3 Derived Kelsey, J., Change, S., and R. Perlner, "SHA-3 Derived
Functions: cSHAKE, KMAC, TupleHash and ParallelHash", Functions: cSHAKE, KMAC, TupleHash and ParallelHash", NIST
DOI 10.6028/nist.sp.800-185, NIST Special Publication SP Special Publication SP 800-185,
800-185, December 2016, DOI 10.6028/nist.sp.800-185, December 2016,
<http://nvlpubs.nist.gov/nistpubs/SpecialPublications/ <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/
NIST.SP.800-185.pdf>. NIST.SP.800-185.pdf>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
11.2. Informative References 14.2. Informative References
[drip-requirements] [drip-requirements]
Card, S., Wiethuechter, A., Moskowitz, R., and A. Gurtov, Card, S. W., Wiethuechter, A., Moskowitz, R., and A.
"Drone Remote Identification Protocol (DRIP) Gurtov, "Drone Remote Identification Protocol (DRIP)
Requirements", Work in Progress, Internet-Draft, draft- Requirements", Work in Progress, Internet-Draft, draft-
ietf-drip-reqs-06, 1 November 2020, <http://www.ietf.org/ ietf-drip-reqs-13, 14 June 2021,
internet-drafts/draft-ietf-drip-reqs-06.txt>. <https://www.ietf.org/archive/id/draft-ietf-drip-reqs-
13.txt>.
[drip-rid] Moskowitz, R., Card, S., Wiethuechter, A., and A. Gurtov, [drip-rid] Moskowitz, R., Card, S. W., Wiethuechter, A., and A.
"UAS Remote ID", Work in Progress, Internet-Draft, draft- Gurtov, "UAS Remote ID", Work in Progress, Internet-Draft,
ietf-drip-uas-rid-01, 9 September 2020, draft-ietf-drip-uas-rid-01, 9 September 2020,
<http://www.ietf.org/internet-drafts/draft-ietf-drip-uas- <https://www.ietf.org/archive/id/draft-ietf-drip-uas-rid-
rid-01.txt>. 01.txt>.
[identity-claims] [identity-claims]
Wiethuechter, A., Card, S., and R. Moskowitz, "DRIP Wiethuechter, A., Card, S., and R. Moskowitz, "DRIP
Identity Claims", Work in Progress, Internet-Draft, draft- Identity Claims", Work in Progress, Internet-Draft, draft-
wiethuechter-drip-identity-claims-03, 2 November 2020, wiethuechter-drip-identity-claims-03, 2 November 2020,
<http://www.ietf.org/internet-drafts/draft-wiethuechter- <https://www.ietf.org/archive/id/draft-wiethuechter-drip-
drip-identity-claims-03.txt>. identity-claims-03.txt>.
[RFC7401] Moskowitz, R., Ed., Heer, T., Jokela, P., and T. [RFC7401] Moskowitz, R., Ed., Heer, T., Jokela, P., and T.
Henderson, "Host Identity Protocol Version 2 (HIPv2)", Henderson, "Host Identity Protocol Version 2 (HIPv2)",
RFC 7401, DOI 10.17487/RFC7401, April 2015, RFC 7401, DOI 10.17487/RFC7401, April 2015,
<https://www.rfc-editor.org/info/rfc7401>. <https://www.rfc-editor.org/info/rfc7401>.
Authors' Addresses Authors' Addresses
Adam Wiethuechter Adam Wiethuechter
AX Enterprize, LLC AX Enterprize, LLC
4947 Commercial Drive 4947 Commercial Drive
Yorkville, NY 13495 Yorkville, NY 13495
United States of America United States of America
Email: adam.wiethuechter@axenterprize.com Email: adam.wiethuechter@axenterprize.com
Stuart Card Stuart Card
AX Enterprize, LLC AX Enterprize, LLC
 End of changes. 100 change blocks. 
525 lines changed or deleted 898 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/