idnits 2.17.1 draft-ietf-core-oscore-edhoc-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (1 April 2021) is 1093 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-23) exists of draft-ietf-lake-edhoc-05 Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 CoRE Working Group F. Palombini 3 Internet-Draft Ericsson 4 Intended status: Standards Track M. Tiloca 5 Expires: 3 October 2021 R. Hoeglund 6 RISE AB 7 S. Hristozov 8 Fraunhofer AISEC 9 G. Selander 10 Ericsson 11 1 April 2021 13 Combining EDHOC and OSCORE 14 draft-ietf-core-oscore-edhoc-00 16 Abstract 18 This document defines an optimization approach for combining the 19 lightweight authenticated key exchange protocol EDHOC run over CoAP 20 with the first subsequent OSCORE transaction. This combination 21 reduces the number of round trips required to set up an OSCORE 22 Security Context and to complete an OSCORE transaction using that 23 Security Context. 25 Status of This Memo 27 This Internet-Draft is submitted in full conformance with the 28 provisions of BCP 78 and BCP 79. 30 Internet-Drafts are working documents of the Internet Engineering 31 Task Force (IETF). Note that other groups may also distribute 32 working documents as Internet-Drafts. The list of current Internet- 33 Drafts is at https://datatracker.ietf.org/drafts/current/. 35 Internet-Drafts are draft documents valid for a maximum of six months 36 and may be updated, replaced, or obsoleted by other documents at any 37 time. It is inappropriate to use Internet-Drafts as reference 38 material or to cite them other than as "work in progress." 40 This Internet-Draft will expire on 3 October 2021. 42 Copyright Notice 44 Copyright (c) 2021 IETF Trust and the persons identified as the 45 document authors. All rights reserved. 47 This document is subject to BCP 78 and the IETF Trust's Legal 48 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 49 license-info) in effect on the date of publication of this document. 50 Please review these documents carefully, as they describe your rights 51 and restrictions with respect to this document. Code Components 52 extracted from this document must include Simplified BSD License text 53 as described in Section 4.e of the Trust Legal Provisions and are 54 provided without warranty as described in the Simplified BSD License. 56 Table of Contents 58 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 59 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 60 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3 61 3. EDHOC Option . . . . . . . . . . . . . . . . . . . . . . . . 5 62 4. EDHOC Combined with OSCORE . . . . . . . . . . . . . . . . . 6 63 4.1. Client Processing . . . . . . . . . . . . . . . . . . . . 6 64 4.2. Server Processing . . . . . . . . . . . . . . . . . . . . 7 65 5. Example of EDHOC + OSCORE Request . . . . . . . . . . . . . . 9 66 6. Security Considerations . . . . . . . . . . . . . . . . . . . 10 67 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 68 7.1. CoAP Option Numbers Registry . . . . . . . . . . . . . . 10 69 8. Normative References . . . . . . . . . . . . . . . . . . . . 10 70 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 11 71 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 73 1. Introduction 75 This document defines an optimization approach to combine the 76 lightweight authenticated key exchange protocol EDHOC 77 [I-D.ietf-lake-edhoc], when running over CoAP [RFC7252], with the 78 first subsequent OSCORE [RFC8613] transaction. 80 This allows for a minimum number of round trips necessary to setup 81 the OSCORE Security Context and complete an OSCORE transaction, for 82 example when an IoT device gets configured in a network for the first 83 time. 85 This optimization is desirable, since the number of protocol round 86 trips impacts the minimum number of flights, which in turn can have a 87 substantial impact on the latency of conveying the first OSCORE 88 request, when using certain radio technologies. 90 Without this optimization, it is not possible, not even in theory, to 91 achieve the minimum number of flights. This optimization makes it 92 possible also in practice, since the last message of the EDHOC 93 protocol can be made relatively small (see Section 1 of 94 [I-D.ietf-lake-edhoc]), thus allowing additional OSCORE protected 95 CoAP data within target MTU sizes. 97 1.1. Terminology 99 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 100 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 101 "OPTIONAL" in this document are to be interpreted as described in 102 BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all 103 capitals, as shown here. 105 The reader is expected to be familiar with terms and concepts defined 106 in CoAP [RFC7252], CBOR [RFC8949], CBOR sequences [RFC8742], OSCORE 107 [RFC8613] and EDHOC [I-D.ietf-lake-edhoc]. 109 2. Background 111 EDHOC is a 3-message key exchange protocol. Section 7.2 of 112 [I-D.ietf-lake-edhoc] specifies how to transport EDHOC over CoAP: the 113 EDHOC data (referred to as "EDHOC messages") are transported in the 114 payload of CoAP requests and responses. 116 This draft deals with the case of the Initiator acting as CoAP Client 117 and the Responder acting as CoAP Server; instead, the case of the 118 Initiator acting as CoAP Server cannot be optimized by using this 119 approach. 121 That is, the CoAP Client sends a POST request containing EDHOC 122 message_1 to a reserved resource at the CoAP Server. This triggers 123 the EDHOC exchange on the CoAP Server, which replies with a 2.04 124 (Changed) Response containing EDHOC message_2. Finally, the CoAP 125 Client sends EDHOC message_3, as a CoAP POST request to the same 126 resource used for EDHOC message_1. The Content-Format of these CoAP 127 messages may be set to "application/edhoc". 129 After this exchange takes place, and after successful verifications 130 specified in the EDHOC protocol, the Client and Server derive the 131 OSCORE Security Context, as specified in Section 7.2.1 of 132 [I-D.ietf-lake-edhoc]. Then, they are ready to use OSCORE. 134 This sequential way of running EDHOC and then OSCORE is specified in 135 Figure 1. As shown in the figure, this mechanism takes 3 round trips 136 to complete. 138 CoAP Client CoAP Server 139 | ------------- EDHOC message_1 ------------> | 140 | | 141 | <------------ EDHOC message_2 ------------- | 142 | | 143 EDHOC verification | 144 | | 145 | ------------- EDHOC message_3 ------------> | 146 | | 147 | EDHOC verification 148 | + 149 OSCORE Sec Ctx OSCORE Sec Ctx 150 Derivation Derivation 151 | | 152 | ------------- OSCORE Request -------------> | 153 | | 154 | <------------ OSCORE Response ------------- | 155 | | 157 Figure 1: EDHOC and OSCORE run sequentially 159 The number of roundtrips can be minimized as follows. Already after 160 receiving EDHOC message_2 and before sending EDHOC message_3, the 161 CoAP Client has all the information needed to derive the OSCORE 162 Security Context. 164 This means that the Client can potentially send at the same time both 165 EDHOC message_3 and the subsequent OSCORE Request. On a semantic 166 level, this approach practically requires to send two separate REST 167 requests at the same time. 169 The high level message flow of running EDHOC and OSCORE combined is 170 shown in Figure 2. 172 Defining the specific details of how to transport the data and of 173 their processing order is the goal of this specification, as defined 174 in Section 4. 176 CoAP Client CoAP Server 177 | ------------- EDHOC message_1 ------------> | 178 | | 179 | <------------ EDHOC message_2 ------------- | 180 | | 181 EDHOC verification | 182 + | 183 OSCORE Sec Ctx | 184 Derivation | 185 | | 186 | ---- EDHOC message_3 + OSCORE Request ----> | 187 | | 188 | EDHOC verification 189 | + 190 | OSCORE Sec Ctx 191 | Derivation 192 | | 193 | <------------ OSCORE Response ------------- | 194 | | 196 Figure 2: EDHOC and OSCORE combined 198 3. EDHOC Option 200 This section defines the EDHOC Option, used in a CoAP request to 201 signal that the request combines EDHOC message_3 and OSCORE protected 202 data. 204 The EDHOC Option has the properties summarized in Figure 3, which 205 extends Table 4 of [RFC7252]. The option is Critical, Safe-to- 206 Forward, and part of the Cache-Key. The option MUST occur at most 207 once and is always empty. If any value is sent, the value is simply 208 ignored. The option is intended only for CoAP requests and is of 209 Class U for OSCORE [RFC8613]. 211 +-------+---+---+---+---+-------+--------+--------+---------+ 212 | No. | C | U | N | R | Name | Format | Length | Default | 213 +-------+---+---+---+---+-------+--------+--------+---------+ 214 | TBD13 | x | | | | EDHOC | Empty | 0 | (none) | 215 +-------+---+---+---+---+-------+--------+--------+---------+ 216 C=Critical, U=Unsafe, N=NoCacheKey, R=Repeatable 218 Figure 3: The EDHOC Option. 220 The presence of this option means that the message payload contains 221 also EDHOC data, that must be extracted and processed as defined in 222 Section 4.2, before the rest of the message can be processed. 224 Figure 4 shows the format of a CoAP message containing both the EDHOC 225 data and the OSCORE ciphertext, using the newly defined EDHOC option 226 for signalling. 228 0 1 2 3 229 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 230 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 231 |Ver| T | TKL | Code | Message ID | 232 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 233 | Token (if any, TKL bytes) ... 234 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 235 | OSCORE option | EDHOC option | other options (if any) ... 236 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 237 |1 1 1 1 1 1 1 1| Payload 238 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 240 Figure 4: CoAP message for EDHOC and OSCORE combined - signalled 241 with the EDHOC Option 243 4. EDHOC Combined with OSCORE 245 The approach defined in this specification consists of sending EDHOC 246 message_3 inside an OSCORE protected CoAP message. 248 The resulting EDHOC + OSCORE request is in practice the OSCORE 249 Request from Figure 1, sent to a protected resource and with the 250 correct CoAP method and options, with the addition that it also 251 transports EDHOC message_3. 253 Since EDHOC message_3 may be too large to be included in a CoAP 254 Option, e.g. if containing a large public key certificate chain, it 255 has to be transported through the CoAP payload. 257 The use of this approach is explicitly signalled by including an 258 EDHOC Option (see Section 3) in the EDHOC + OSCORE request. 260 4.1. Client Processing 262 The Client prepares an EDHOC + OSCORE request as follows. 264 1. Compose EDHOC message_3 as per Section 5.4.2 of 265 [I-D.ietf-lake-edhoc]. 267 Since the Client is the EDHOC Initiator and the used Correlation 268 Method is 1 (see Section 3.2.4 of [I-D.ietf-lake-edhoc]), the 269 EDHOC message_3 always includes the Connection Identifier C_R and 270 CIPHERTEXT_3. Note that C_R is the OSCORE Sender ID of the 271 Client, encoded as a bstr_identifier (see Section 5.1 of 272 [I-D.ietf-lake-edhoc]). 274 2. Encrypt the original CoAP request as per Section 8.1 of 275 [RFC8613], using the new OSCORE Security Context established 276 after receiving EDHOC message_2. 278 Note that the OSCORE ciphertext is not computed over EDHOC 279 message_3, which is not protected by OSCORE. That is, the result 280 of this step is the OSCORE Request as in Figure 1. 282 3. Build a CBOR sequence [RFC8742] composed of two CBOR byte strings 283 in the following order. 285 * The first CBOR byte string is the CIPHERTEXT_3 of the EDHOC 286 message_3 resulting from step 3. 288 * The second CBOR byte string has as value the OSCORE ciphertext 289 of the OSCORE protected CoAP request resulting from step 2. 291 4. Compose the EDHOC + OSCORE request, as the OSCORE protected CoAP 292 request resulting from step 2, where the payload is replaced with 293 the CBOR sequence built at step 3. 295 5. Signal the usage of this approach within the EDHOC + OSCORE 296 request, by including the new EDHOC Option defined in Section 3. 298 4.2. Server Processing 300 When receiving an EDHOC + OSCORE request, the Server performs the 301 following steps. 303 1. Check the presence of the EDHOC option defined in Section 3, to 304 determine that the received request is an EDHOC + OSCORE request. 305 If this is the case, the Server continues with the steps defined 306 below. 308 2. Extract CIPHERTEXT_3 from the payload of the EDHOC + OSCORE 309 request, as the first CBOR byte string in the CBOR sequence. 311 3. Rebuild EDHOC message_3, as a CBOR sequence composed of two CBOR 312 byte strings in the following order. 314 * The first CBOR byte string is the 'kid' of the Client 315 indicated in the OSCORE option of the EDHOC + OSCORE request, 316 encoded as a bstr_identifier (see Section 5.1 of 317 [I-D.ietf-lake-edhoc]). 319 * The second CBOR byte string is the CIPHERTEXT_3 retrieved at 320 step 2. 322 4. Perform the EDHOC processing on the EDHOC message_3 rebuilt at 323 step 3, including verifications, and the OSCORE Security Context 324 derivation, as per Section 5.4.3 and Section 7.2.1 of 325 [I-D.ietf-lake-edhoc], respectively. 327 5. Extract the OSCORE ciphertext from the payload of the EDHOC + 328 OSCORE request, as the value of the second CBOR byte string in 329 the CBOR sequence. 331 6. Rebuild the OSCORE protected CoAP request as the EDHOC + OSCORE 332 request, where the payload is replaced with the OSCORE ciphertext 333 resulting from step 5. 335 7. Decrypt and verify the OSCORE protected CoAP request resulting 336 from step 6, as per Section 8.2 of [RFC8613], by using the new 337 OSCORE Security Context established at step 4. 339 8. Process the CoAP request resulting from step 7. 341 If steps 4 (EDHOC processing) and 7 (OSCORE processing) are both 342 successfully completed, the Server MUST reply with an OSCORE 343 protected response, in order for the Client to achieve key 344 confirmation (see Section 5.4.2 of [I-D.ietf-lake-edhoc]). The usage 345 of EDHOC message_4 as defined in Section 7.1 of [I-D.ietf-lake-edhoc] 346 is not applicable to the approach defined in this specification. 348 If step 4 (EDHOC processing) fails, the server discontinues the 349 protocol as per Section 5.4.3 of [I-D.ietf-lake-edhoc] and sends an 350 EDHOC error message, formatted as defined in Section 6.1 of 351 [I-D.ietf-lake-edhoc]. In particular, the CoAP response conveying 352 the EDHOC error message: 354 * MUST have Content-Format set to application/edhoc defined in 355 Section 9.5 of [I-D.ietf-lake-edhoc]. 357 * MUST specify a CoAP error response code, i.e. 4.00 (Bad Request) 358 in case of client error (e.g. due to a malformed EDHOC message_3), 359 or 5.00 (Internal Server Error) in case of server error (e.g. due 360 to failure in deriving EDHOC key material). 362 If step 4 (EDHOC processing) is successfully completed but step 7 363 (OSCORE processing) fails, the same OSCORE error handling applies as 364 defined in Section 8.2 of [RFC8613]. 366 5. Example of EDHOC + OSCORE Request 368 An example based on the OSCORE test vector from Appendix C.4 of 369 [RFC8613] and the EDHOC test vector from Appendix B.2 of 370 [I-D.ietf-lake-edhoc] is given in Figure 5. In particular, the 371 example assumes that: 373 * The used OSCORE Partial IV is 0, consistently with the first 374 request protected with the new OSCORE Security Context. 376 * The OSCORE Sender ID of the Client is 0x20. This corresponds to 377 the EDHOC Connection Identifier C_R, which is encoded as the 378 bstr_identifier 0x08 in EDHOC message_3. 380 * The EDHOC option is registered with CoAP option number 13. 382 o OSCORE option value: 0x090020 (3 bytes) 384 o EDHOC option value: - (0 bytes) 386 o C_R: 0x20 (1 byte) 388 o CIPHERTEXT_3: 0x5253c3991999a5ffb86921e99b607c067770e0 389 (19 bytes) 391 o EDHOC message_3: 0x08 5253c3991999a5ffb86921e99b607c067770e0 392 (20 bytes) 394 o OSCORE ciphertext: 0x612f1092f1776f1c1668b3825e (13 bytes) 396 From there: 398 o Protected CoAP request (OSCORE message): 400 0x44025d1f ; CoAP 4-byte header 401 00003974 ; Token 402 39 6c6f63616c686f7374 ; Uri-Host Option: "localhost" 403 63 090020 ; OSCORE Option 404 40 ; EDHOC Option 405 ff 5253c3991999a5ffb86921e99b607c067770e0 406 4d612f1092f1776f1c1668b3825e 407 (57 bytes) 409 Figure 5: Example of CoAP message with EDHOC and OSCORE combined 411 6. Security Considerations 413 The same security considerations from OSCORE [RFC8613] and EDHOC 414 [I-D.ietf-lake-edhoc] hold for this document. 416 TODO (more considerations) 418 7. IANA Considerations 420 This document has the following actions for IANA. 422 7.1. CoAP Option Numbers Registry 424 IANA is asked to enter the following option numbers to the "CoAP 425 Option Numbers" registry defined in [RFC7252] within the "CoRE 426 Parameters" registry. 428 [ 430 The CoAP option numbers 13 and 21 are both consistent with the 431 properties of the EDHOC Option defined in Section 3, and they both 432 allow the EDHOC Option to always result in an overall size of 1 byte. 433 This is because: 435 * The EDHOC option is always empty, i.e. with zero-length value; and 437 * Since the OSCORE option with option number 9 is always present in 438 the CoAP request, the EDHOC option would be encoded with a maximum 439 delta of 4 or 12, depending on its option number being 13 or 21. 441 At the time of writing, the CoAP option numbers 13 and 21 are both 442 unassigned in the "CoAP Option Numbers" registry, as first available 443 and consistent option numbers for the EDHOC option. 445 ] 447 +--------+-------+-------------------+ 448 | Number | Name | Reference | 449 +--------+-------+-------------------+ 450 | TBD13 | EDHOC | [[this document]] | 451 +--------+-------+-------------------+ 453 8. Normative References 455 [I-D.ietf-lake-edhoc] 456 Selander, G., Mattsson, J. P., and F. Palombini, 457 "Ephemeral Diffie-Hellman Over COSE (EDHOC)", Work in 458 Progress, Internet-Draft, draft-ietf-lake-edhoc-05, 22 459 February 2021, . 462 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 463 Requirement Levels", BCP 14, RFC 2119, 464 DOI 10.17487/RFC2119, March 1997, 465 . 467 [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained 468 Application Protocol (CoAP)", RFC 7252, 469 DOI 10.17487/RFC7252, June 2014, 470 . 472 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 473 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 474 May 2017, . 476 [RFC8613] Selander, G., Mattsson, J., Palombini, F., and L. Seitz, 477 "Object Security for Constrained RESTful Environments 478 (OSCORE)", RFC 8613, DOI 10.17487/RFC8613, July 2019, 479 . 481 [RFC8742] Bormann, C., "Concise Binary Object Representation (CBOR) 482 Sequences", RFC 8742, DOI 10.17487/RFC8742, February 2020, 483 . 485 [RFC8949] Bormann, C. and P. Hoffman, "Concise Binary Object 486 Representation (CBOR)", STD 94, RFC 8949, 487 DOI 10.17487/RFC8949, December 2020, 488 . 490 Acknowledgments 492 The authors sincerely thank Christian Amsuess, Klaus Hartke, Jim 493 Schaad and Malisa Vucinic for their feedback and comments in the 494 discussion leading up to this draft. 496 The work on this document has been partly supported by VINNOVA and 497 the Celtic-Next project CRITISEC; and by the H2020 project SIFIS-Home 498 (Grant agreement 952652). 500 Authors' Addresses 501 Francesca Palombini 502 Ericsson 504 Email: francesca.palombini@ericsson.com 506 Marco Tiloca 507 RISE AB 508 Isafjordsgatan 22 509 SE-16440 Stockholm Kista 510 Sweden 512 Email: marco.tiloca@ri.se 514 Rikard Hoeglund 515 RISE AB 516 Isafjordsgatan 22 517 SE-16440 Stockholm Kista 518 Sweden 520 Email: rikard.hoglund@ri.se 522 Stefan Hristozov 523 Fraunhofer AISEC 525 Email: stefan.hristozov@aisec.fraunhofer.de 527 Goeran Selander 528 Ericsson 530 Email: goran.selander@ericsson.com