--- 1/draft-ietf-lwig-security-protocol-comparison-03.txt 2020-03-09 11:13:32.060036536 -0700 +++ 2/draft-ietf-lwig-security-protocol-comparison-04.txt 2020-03-09 11:13:32.120038059 -0700 @@ -1,18 +1,20 @@ LWIG Working Group J. Mattsson Internet-Draft F. Palombini Intended status: Informational Ericsson AB -Expires: September 12, 2019 March 11, 2019 +Expires: September 10, 2020 M. Vucinic + INRIA + March 09, 2020 Comparison of CoAP Security Protocols - draft-ietf-lwig-security-protocol-comparison-03 + draft-ietf-lwig-security-protocol-comparison-04 Abstract This document analyzes and compares the sizes of key exchange flights and the per-packet message size overheads when using different security protocols to secure CoAP. The analyzed security protocols are DTLS 1.2, DTLS 1.3, TLS 1.2, TLS 1.3, EDHOC, OSCORE, and Group OSCORE. The DTLS and TLS record layers are analyzed with and without 6LoWPAN-GHC compression. DTLS is analyzed with and without Connection ID. 
@@ -25,25 +27,25 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on September 12, 2019. + This Internet-Draft will expire on September 10, 2020. Copyright Notice - Copyright (c) 2019 IETF Trust and the persons identified as the + Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as 
@@ -61,63 +63,62 @@ 2.2.4. Cached Information . . . . . . . . . . . . . . . . . 12 2.2.5. Resumption . . . . . . . . . . . . . . . . . . . . . 13 2.2.6. Without Connection ID . . . . . . . . . . . . . . . . 14 2.2.7. DTLS Raw Public Keys . . . . . . . . . . . . . . . . 15 2.3. TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . . 16 2.3.1. Message Sizes RPK + ECDHE . . . . . . . . . . . . . . 16 2.3.2. Message Sizes PSK + ECDHE . . . . . . . . . . . . . . 22 2.3.3. Message Sizes PSK . . . . . . . . . . . . . . . . . . 23 2.4. EDHOC . . . . . . . . . . . . . . . . . . . . . . . . . . 24 2.4.1. Message Sizes RPK . . . . . . . . . . . . . . . . . . 24 - 2.4.2. Message Sizes Certificates . . . . . . . . . . . . . 26 - 2.4.3. Message Sizes PSK . . . . . . . . . . . . . . . . . . 26 - 2.4.4. message_1 . . . . . . . . . . . . . . . . . . . . . . 26 - 2.4.5. message_2 . . . . . . . . . . . . . . . . . . . . . . 26 - 2.4.6. message_3 . . . . . . . . . . . . . . . . . . . . . . 27 - 2.4.7. Summary . . . . . . . . . . . . . . . . . . . . . . . 27 - 2.5. Conclusion . . . . . . . . . . . . . . . . . . . . . . . 27 - 3. Overhead for Protection of Application Data . . . . . . . . . 28 - 3.1. Summary . . . . . . . . . . . . . . . . . . . . . . . . . 28 - 3.2. DTLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . . 30 - 3.2.1. DTLS 1.2 . . . . . . . . . . . . . . . . . . . . . . 30 - 3.2.2. DTLS 1.2 with 6LoWPAN-GHC . . . . . . . . . . . . . . 30 - 3.2.3. DTLS 1.2 with Connection ID . . . . . . . . . . . . . 31 - 3.2.4. DTLS 1.2 with Connection ID and 6LoWPAN-GHC . . . . . 32 - 3.3. DTLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . 32 - 3.3.1. DTLS 1.3 . . . . . . . . . . . . . . . . . . . . . . 32 - 3.3.2. DTLS 1.3 with 6LoWPAN-GHC . . . . . . . . . . . . . . 33 - 3.3.3. DTLS 1.3 with Connection ID . . . . . . . . . . . . . 33 - 3.3.4. DTLS 1.3 with Connection ID and 6LoWPAN-GHC . . . . . 34 - 3.4. TLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . . . 34 - 3.4.1. 
TLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . 34 - 3.4.2. TLS 1.2 with 6LoWPAN-GHC . . . . . . . . . . . . . . 35 - 3.5. TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . . 35 - 3.5.1. TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . 35 - 3.5.2. TLS 1.3 with 6LoWPAN-GHC . . . . . . . . . . . . . . 36 - 3.6. OSCORE . . . . . . . . . . . . . . . . . . . . . . . . . 36 - 3.7. Group OSCORE . . . . . . . . . . . . . . . . . . . . . . 38 - 3.8. Conclusion . . . . . . . . . . . . . . . . . . . . . . . 38 - 4. Security Considerations . . . . . . . . . . . . . . . . . . . 39 - 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 39 - 6. Informative References . . . . . . . . . . . . . . . . . . . 39 - Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 41 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 41 + 2.4.2. Message Sizes PSK . . . . . . . . . . . . . . . . . . 25 + 2.4.3. message_1 . . . . . . . . . . . . . . . . . . . . . . 25 + 2.4.4. message_2 . . . . . . . . . . . . . . . . . . . . . . 25 + 2.4.5. message_3 . . . . . . . . . . . . . . . . . . . . . . 26 + 2.4.6. Summary . . . . . . . . . . . . . . . . . . . . . . . 26 + 2.5. Conclusion . . . . . . . . . . . . . . . . . . . . . . . 26 + 3. Overhead for Protection of Application Data . . . . . . . . . 27 + 3.1. Summary . . . . . . . . . . . . . . . . . . . . . . . . . 27 + 3.2. DTLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . . 29 + 3.2.1. DTLS 1.2 . . . . . . . . . . . . . . . . . . . . . . 29 + 3.2.2. DTLS 1.2 with 6LoWPAN-GHC . . . . . . . . . . . . . . 29 + 3.2.3. DTLS 1.2 with Connection ID . . . . . . . . . . . . . 30 + 3.2.4. DTLS 1.2 with Connection ID and 6LoWPAN-GHC . . . . . 31 + 3.3. DTLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . 31 + 3.3.1. DTLS 1.3 . . . . . . . . . . . . . . . . . . . . . . 31 + 3.3.2. DTLS 1.3 with 6LoWPAN-GHC . . . . . . . . . . . . . . 32 + 3.3.3. DTLS 1.3 with Connection ID . . . . . . . . . . . . . 
32 + 3.3.4. DTLS 1.3 with Connection ID and 6LoWPAN-GHC . . . . . 33 + 3.4. TLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . . . 33 + 3.4.1. TLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . 33 + 3.4.2. TLS 1.2 with 6LoWPAN-GHC . . . . . . . . . . . . . . 34 + 3.5. TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . . 34 + 3.5.1. TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . 34 + 3.5.2. TLS 1.3 with 6LoWPAN-GHC . . . . . . . . . . . . . . 35 + + 3.6. OSCORE . . . . . . . . . . . . . . . . . . . . . . . . . 35 + 3.7. Group OSCORE . . . . . . . . . . . . . . . . . . . . . . 37 + 3.8. Conclusion . . . . . . . . . . . . . . . . . . . . . . . 37 + 4. Security Considerations . . . . . . . . . . . . . . . . . . . 38 + 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38 + 6. Informative References . . . . . . . . . . . . . . . . . . . 38 + Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 40 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 40 1. Introduction This document analyzes and compares the sizes of key exchange flights and the per-packet message size overheads when using different security protocols to secure CoAP over UPD [RFC7252] and TCP [RFC8323]. The analyzed security protocols are DTLS 1.2 [RFC6347], DTLS 1.3 [I-D.ietf-tls-dtls13], TLS 1.2 [RFC5246], TLS 1.3 [RFC8446], - EDHOC [I-D.selander-ace-cose-ecdhe], OSCORE - [I-D.ietf-core-object-security], and Group OSCORE + EDHOC [I-D.selander-lake-edhoc], OSCORE [RFC8613], and Group OSCORE [I-D.ietf-core-oscore-groupcomm]. The DTLS and TLS record layers are analyzed with and without 6LoWPAN- GHC compression. DTLS is anlyzed with and without Connection ID [I-D.ietf-tls-dtls-connection-id]. Readers are expected to be familiar with some of the terms described in RFC 7925 [RFC7925], such as ICV. Section 2 compares the overhead of key exchange, while Section 3 covers the overhead for protection of application data. 2. 
Overhead of Key Exchange Protocols @@ -156,33 +157,33 @@ following overheads apply for all Connection IDs of the same length, when Connection ID is used. The EDHOC overhead is dependent on the key identifiers included. The following overheads apply for Sender IDs of the same length. All the overhead are dependent on the tag length. The following overheads apply for tags of the same length. Figure 1 compares the message sizes of EDHOC - [I-D.selander-ace-cose-ecdhe] with the DTLS 1.3 [I-D.ietf-tls-dtls13] - and TLS 1.3 [RFC8446] handshakes with connection ID. + [I-D.selander-lake-edhoc] with the DTLS 1.3 [I-D.ietf-tls-dtls13] and + TLS 1.3 [RFC8446] handshakes with connection ID. ===================================================================== Flight #1 #2 #3 Total --------------------------------------------------------------------- DTLS 1.3 RPK + ECDHE 150 373 213 736 DTLS 1.3 Cached X.509/RPK + ECDHE 182 347 213 742 DTLS 1.3 PSK + ECDHE 184 190 57 431 DTLS 1.3 PSK 134 150 57 341 --------------------------------------------------------------------- - EDHOC RPK + ECDHE 39 114 80 233 - EDHOC PSK + ECDHE 41 45 11 97 + EDHOC RPK + ECDHE 37 46 20 103 + EDHOC PSK + ECDHE 38 44 10 92 ===================================================================== Figure 1: Comparison of message sizes in bytes with Connection ID Figure 2 compares of message sizes of DTLS 1.3 [I-D.ietf-tls-dtls13] and TLS 1.3 [RFC8446] handshakes without connection ID. ===================================================================== Flight #1 #2 #3 Total --------------------------------------------------------------------- 
@@ -684,21 +685,21 @@ Total of 59 bytes 2.3. TLS 1.3 In this section, the message sizes are calculated for TLS 1.3. The major changes compared to DTLS 1.3 are that the record header is smaller, the handshake headers is smaller, and that Connection ID is not supported. Recently, additional work has taken shape with the goal to further reduce overhead for TLS 1.3 (see - [I-D.schaad-ace-tls-cbor-handshake] ). + [I-D.rescorla-tls-ctls]). TLS Assumptions: o Minimum number of algorithms and cipher suites offered o Curve25519, ECDSA with P-256, AES-CCM_8, SHA-256 o Length of key identifiers: 1 bytes o TLS RPK with point compression (saves 32 bytes) 
@@ -1019,164 +1020,116 @@ 2.3.3.3. flight_3 There are no differences in overhead compared to Section 2.3.2.3. TLS 1.3 PSK flight_3 gives 57 bytes of overhead. 2.4. EDHOC This section gives an estimate of the message sizes of EDHOC with - different authentication methods. Note that the examples in this - section are not test vectors, the cryptographic parts are just - replaced with byte strings of the same length. All examples are - given in CBOR diagnostic notation and hexadecimal. + different authentication methods. All examples are given in CBOR + diagnostic notation and hexadecimal. 2.4.1. Message Sizes RPK 2.4.1.1. message_1 message_1 = ( - 1, + 13, 0, - h'000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d - 1e1f', - h'c3' + h'8D3EF56D1B750A4351D68AC250A0E883790EFC80A538A444EE9E2B57E244 + 1A7C', + -2 ) - message_1 (38 bytes): - 01 00 58 20 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F - 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 41 C3 + message_1 (37 bytes): + 0d 00 58 20 8d 3e f5 6d 1b 75 0a 43 51 d6 8a c2 50 a0 e8 83 + 79 0e fc 80 a5 38 a4 44 ee 9e 2b 57 e2 44 1a 7c 21 2.4.1.2. message_2 - plaintext = << - h'a1', - h'000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d - 1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b - 3c3d3e3f' - >> - - The header map { 4 : h'a1' } is encoded as the two bytes h'a1'. The - length of plaintext is 68 bytes so assuming a 64-bit MAC value the - length of ciphertext is 76 bytes. 
- message_2 = ( - h'000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d - 1e1f', - h'c4', - h'000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d - 1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b - 3c3d3e3f404142434445464748494a4b' + h'52FBA0BDC8D953DD86CE1AB2FD7C05A4658C7C30AFDBFC3301047069451B + AF35', + 8, + h'DCF6FE9C524C22454DEB' ) - message_2 (114 bytes): - 58 20 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 - 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 41 C4 58 51 00 01 - 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 - 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29 - 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D - 3E 3F 40 41 42 43 44 45 46 47 48 49 4A 4B + message_2 (46 bytes): + 58 20 52 fb a0 bd c8 d9 53 dd 86 ce 1a b2 fd 7c 05 a4 65 8c + 7c 30 af db fc 33 01 04 70 69 45 1b af 35 08 4a dc f6 fe 9c + 52 4c 22 45 4d eb 2.4.1.3. message_3 - The plaintext and ciphertext in message_3 are assumed to be of equal - sizes as in message_2. - message_3 = ( - h'c4', - h'000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d - 1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b - 3c3d3e3f404142434445464748494a4b' + 8, + h'53C3991999A5FFB86921E99B607C067770E0' ) - message_3 (80 bytes): - 41 C4 58 51 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F - 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 - 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 - 38 39 3A 3B 3C 3D 3E 3F 40 41 42 43 44 45 46 47 48 49 4A 4B - -2.4.2. Message Sizes Certificates - - When the certificates are distributed out-of-band and identified with - the x5t header parameter and a SHA256/64 hash value, the header map - will be 13 bytes (assuming labels in the range -24...23). - - { TDB1 : [ TDB6, h'0001020304050607' ] } - - When the certificates are identified with the x5chain header - parameter, the message sizes depends on the size of the (truncated) - certificate chains. 
The header map will be 3 bytes + the size of the - certificate chain (assuming a label in the range -24...23). - - { TDB3 : h'0001020304050607...' } + message_3 (20 bytes): + 08 52 53 c3 99 19 99 a5 ff b8 69 21 e9 9b 60 7c 06 77 70 e0 -2.4.3. Message Sizes PSK +2.4.2. Message Sizes PSK -2.4.4. message_1 +2.4.3. message_1 message_1 = ( - 4, + 17, 0, - h'000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d - 1e1f', - h'c3', - h'a2' + h'3662C4A71D624E8A4D9DFF879ABC6E2A0E745F82F497F7AFBEBFF3B01A8F + AB57', + 14, + -17 ) - message_1 (40 bytes): - 04 00 58 20 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F - 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 41 C3 41 A2 - -2.4.5. message_2 - - Assuming a 0 byte plaintext and a 64-bit MAC value the ciphertext is - 8 bytes + message_1 (38 bytes): + 11 00 58 20 36 62 c4 a7 1d 62 4e 8a 4d 9d ff 87 9a bc 6e 2a + 0e 74 5f 82 f4 97 f7 af be bf f3 b0 1a 8f ab 57 0e 30 +2.4.4. message_2 message_2 = ( - h'000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d - 1e1f', - h'c4', - h'0001020304050607' + h'A3967F6CF99B6DDC7E7C219D0D119A383F754001DF33515971EC6C842553 + B776', + -24, + h'4F355451E069226F' ) - message_2 (45 bytes): - 58 20 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 - 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 41 C4 48 61 62 63 - 64 65 66 67 68 - -2.4.6. message_3 + message_2 (44 bytes): + 58 20 a3 96 7f 6c f9 9b 6d dc 7e 7c 21 9d 0d 11 9a 38 3f 75 + 40 01 df 33 51 59 71 ec 6c 84 25 53 b7 76 37 48 4f 35 54 51 + e0 69 22 6f - The plaintext and ciphertext in message_3 are assumed to be of equal - sizes as in message_2. +2.4.5. message_3 message_3 = ( - h'c4', - h'0001020304050607' + -24, + h'763BD2F3C10F0D45' ) - message_3 (11 bytes): - 41 C4 48 00 01 02 03 04 05 06 07 + message_3 (10 bytes): + 37 48 76 3b d2 f3 c1 0f 0d 45 -2.4.7. Summary +2.4.6. Summary The previous examples of typical message sizes are summarized in Figure 5. 
===================================================================== PSK RPK x5t x5chain --------------------------------------------------------------------- - message_1 40 38 38 38 - message_2 45 114 126 116 + Certificate chain - message_3 11 80 91 81 + Certificate chain + message_1 38 37 37 37 + message_2 44 46 117 110 + Certificate chain + message_3 10 20 91 84 + Certificate chain --------------------------------------------------------------------- - Total 96 232 255 235 + Certificate chains + Total 92 103 245 231 + Certificate chains ===================================================================== Figure 5: Typical message sizes in bytes 2.5. Conclusion To do a fair comparison, one has to choose a specific deployment and look at the topology, the whole protocol stack, frame sizes (e.g. 51 or 128 bytes), how and where in the protocol stack fragmentation is done, and the expected packet loss. Note that the number of byte in @@ -1250,22 +1203,22 @@ ------------------------------------------------------------- DTLS 1.2 29 30 31 DTLS 1.3 11 12 13 ------------------------------------------------------------- DTLS 1.2 (GHC) 16 17 18 DTLS 1.3 (GHC) 12 13 14 ------------------------------------------------------------- OSCORE request 13 14 15 OSCORE response 11 11 11 - Figure 7: Overhead in bytes as a function of Connection/Sender ID - (Sequence Number = '05') + Figure 7: Overhead in bytes as a function of Connection/Sender + ID (Sequence Number = '05') Protocol Overhead Overhead (GHC) ------------------------------------------------------------- DTLS 1.2 21 8 DTLS 1.3 3 4 ------------------------------------------------------------- TLS 1.2 13 9 TLS 1.3 6 7 ------------------------------------------------------------- OSCORE request 5 
@@ -1584,22 +1537,21 @@ Ciphertext (including encrypted content type): ae a0 15 56 67 92 ec ICV: 4d ff 8a 24 e4 cb 35 b9 When compressed with 6LoWPAN-GHC, TLS 1.3 with the above parameters (epoch, sequence number, length) gives 15 bytes overhead. 3.6. OSCORE - This section analyzes the overhead of OSCORE - [I-D.ietf-core-object-security]. + This section analyzes the overhead of OSCORE [RFC8613]. The below calculation Option Delta = '9', Sender ID = '' (empty string), and Sequence Number = '05', and is only an example. Note that Sender ID = '' (empty string) can only be used by one client per server. OSCORE request (19 bytes, 13 bytes overhead): 92 09 05 ff ec ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9 
@@ -1702,51 +1654,46 @@ 4. Security Considerations This document is purely informational. 5. IANA Considerations This document has no actions for IANA. 6. Informative References - [I-D.ietf-core-object-security] - Selander, G., Mattsson, J., Palombini, F., and L. Seitz, - "Object Security for Constrained RESTful Environments - (OSCORE)", draft-ietf-core-object-security-15 (work in - progress), August 2018. - [I-D.ietf-core-oscore-groupcomm] Tiloca, M., Selander, G., Palombini, F., and J. Park, "Group OSCORE - Secure Group Communication for CoAP", - draft-ietf-core-oscore-groupcomm-03 (work in progress), - October 2018. + draft-ietf-core-oscore-groupcomm-06 (work in progress), + November 2019. [I-D.ietf-tls-dtls-connection-id] - Rescorla, E., Tschofenig, H., Fossati, T., and T. Gondrom, - "Connection Identifiers for DTLS 1.2", draft-ietf-tls- - dtls-connection-id-02 (work in progress), October 2018. + Rescorla, E., Tschofenig, H., and T. Fossati, "Connection + Identifiers for DTLS 1.2", draft-ietf-tls-dtls-connection- + id-07 (work in progress), October 2019. [I-D.ietf-tls-dtls13] Rescorla, E., Tschofenig, H., and N. Modadugu, "The Datagram Transport Layer Security (DTLS) Protocol Version - 1.3", draft-ietf-tls-dtls13-30 (work in progress), - November 2018. + 1.3", draft-ietf-tls-dtls13-34 (work in progress), + November 2019. - [I-D.schaad-ace-tls-cbor-handshake] - Schaad, J., "TLS Handshake in CBOR", draft-schaad-ace-tls- - cbor-handshake-00 (work in progress), March 2019. + [I-D.rescorla-tls-ctls] + Rescorla, E., Barnes, R., and H. Tschofenig, "Compact TLS + 1.3", draft-rescorla-tls-ctls-03 (work in progress), + November 2019. - [I-D.selander-ace-cose-ecdhe] + [I-D.selander-lake-edhoc] Selander, G., Mattsson, J., and F. Palombini, "Ephemeral - Diffie-Hellman Over COSE (EDHOC)", draft-selander-ace- - cose-ecdhe-12 (work in progress), February 2019. + Diffie-Hellman Over COSE (EDHOC)", draft-selander-lake- + edhoc-00 (work in progress), November 2019. 
[IoT-Cert] Forsby, F., "Digital Certificates for the Internet of Things", June 2017, . [OlegHahm-ghc] Hahm, O., "Generic Header Compression", July 2016, . @@ -1783,33 +1730,43 @@ [RFC8323] Bormann, C., Lemay, S., Tschofenig, H., Hartke, K., Silverajan, B., and B. Raymor, Ed., "CoAP (Constrained Application Protocol) over TCP, TLS, and WebSockets", RFC 8323, DOI 10.17487/RFC8323, February 2018, . [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, . + [RFC8613] Selander, G., Mattsson, J., Palombini, F., and L. Seitz, + "Object Security for Constrained RESTful Environments + (OSCORE)", RFC 8613, DOI 10.17487/RFC8613, July 2019, + . + [Ulfheim-TLS13] Driscoll, M., "Every Byte Explained The Illustrated TLS 1.3 Connection", March 2018, . Acknowledgments The authors want to thank Ari Keraenen, Carsten Bormann, Goeran Selander, and Hannes Tschofenig for comments and suggestions on previous versions of the draft. All 6LoWPAN-GHC compression was done with [OlegHahm-ghc]. Authors' Addresses - John Mattsson + John Preuss Mattsson Ericsson AB Email: john.mattsson@ericsson.com Francesca Palombini Ericsson AB Email: francesca.palombini@ericsson.com + + Malisa Vucinic + INRIA + + Email: malisa.vucinic@inria.fr
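Review bot: In the hunk at @@ -61,63 +63,62 @@, the Introduction paragraph is edited for the new EDHOC and OSCORE references but its unchanged lines still carry two typos, "CoAP over UPD [RFC7252]" and "DTLS is anlyzed"; correct them to "UDP" and "analyzed" while the paragraph is open. In the table of contents of the same hunk, the PSK messages are renumbered 2.4.3 to 2.4.5 as siblings of "2.4.2. Message Sizes PSK", whereas the body numbers the RPK messages 2.4.1.1 to 2.4.1.3 under 2.4.1; nesting the PSK ones as 2.4.2.1 to 2.4.2.3 would keep the two subsections parallel. There is also an empty added line just before "3.6. OSCORE" that splits the contents list.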
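Review bot: The sentence introducing Figure 1 in the hunk at @@ -156,33 +157,33 @@ is only rewrapped and still says the figure compares EDHOC with "the DTLS 1.3 [I-D.ietf-tls-dtls13] and TLS 1.3 [RFC8446] handshakes with connection ID", but the table has rows for DTLS 1.3 and EDHOC only, and Section 2.3 states that Connection ID is not supported in TLS 1.3. Drop TLS 1.3 from that sentence so the text matches the table. The unchanged line "Figure 2 compares of message sizes" in the same hunk also has a stray "of".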
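Review bot: Figure 5 at the end of the hunk at @@ -1019,164 +1020,116 @@ keeps its x5t and x5chain columns (totals now 245 and 231 + Certificate chains) although the section "Message Sizes Certificates", which explained the header maps behind those columns, is deleted; the numbers no longer have a derivation in the document, so either keep a short replacement for that section or drop the two columns. The same hunk removes the sentence saying the examples "are not test vectors" and every statement of the assumed plaintext and MAC lengths (for example "assuming a 64-bit MAC value"), while the RPK message_2 shrinks from 114 to 46 bytes and message_3 from 80 to 20 bytes. Please state whether the new hexadecimal values are real test vectors, and say what the 10-byte and 18-byte RPK ciphertexts and the 8-byte PSK ciphertexts consist of, so a reader can reproduce the sizes in Figure 1 and Figure 5.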
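Review bot: In the hunk at @@ -1584,22 +1537,21 @@, the unchanged sentence right after the updated OSCORE reference, "The below calculation Option Delta = '9', Sender ID = '' (empty string), and Sequence Number = '05', and is only an example", has no verb in its first clause. Since Section 3.6 is being edited anyway, reword it to something like "The calculation below uses Option Delta = '9', ... and is only an example", so the parameters behind the 13 bytes of overhead are stated unambiguously.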