idnits 2.17.1 draft-ietf-core-oscore-edhoc-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (July 12, 2021) is 1012 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-23) exists of draft-ietf-lake-edhoc-06 Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 CoRE Working Group F. Palombini 3 Internet-Draft Ericsson 4 Intended status: Standards Track M. Tiloca 5 Expires: January 13, 2022 R. Hoeglund 6 RISE AB 7 S. Hristozov 8 Fraunhofer AISEC 9 G. Selander 10 Ericsson 11 July 12, 2021 13 Combining EDHOC and OSCORE 14 draft-ietf-core-oscore-edhoc-01 16 Abstract 18 This document defines an optimization approach for combining the 19 lightweight authenticated key exchange protocol EDHOC run over CoAP 20 with the first subsequent OSCORE transaction. This combination 21 reduces the number of round trips required to set up an OSCORE 22 Security Context and to complete an OSCORE transaction using that 23 Security Context. 25 Status of This Memo 27 This Internet-Draft is submitted in full conformance with the 28 provisions of BCP 78 and BCP 79. 30 Internet-Drafts are working documents of the Internet Engineering 31 Task Force (IETF). Note that other groups may also distribute 32 working documents as Internet-Drafts. The list of current Internet- 33 Drafts is at https://datatracker.ietf.org/drafts/current/. 35 Internet-Drafts are draft documents valid for a maximum of six months 36 and may be updated, replaced, or obsoleted by other documents at any 37 time. It is inappropriate to use Internet-Drafts as reference 38 material or to cite them other than as "work in progress." 40 This Internet-Draft will expire on January 13, 2022. 42 Copyright Notice 44 Copyright (c) 2021 IETF Trust and the persons identified as the 45 document authors. All rights reserved. 47 This document is subject to BCP 78 and the IETF Trust's Legal 48 Provisions Relating to IETF Documents 49 (https://trustee.ietf.org/license-info) in effect on the date of 50 publication of this document. Please review these documents 51 carefully, as they describe your rights and restrictions with respect 52 to this document. Code Components extracted from this document must 53 include Simplified BSD License text as described in Section 4.e of 54 the Trust Legal Provisions and are provided without warranty as 55 described in the Simplified BSD License. 57 Table of Contents 59 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 60 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 61 2. EDHOC Overview . . . . . . . . . . . . . . . . . . . . . . . 3 62 3. EDHOC Combined with OSCORE . . . . . . . . . . . . . . . . . 5 63 3.1. EDHOC Option . . . . . . . . . . . . . . . . . . . . . . 7 64 3.2. Client Processing . . . . . . . . . . . . . . . . . . . . 8 65 3.3. Server Processing . . . . . . . . . . . . . . . . . . . . 9 66 3.4. Example of EDHOC + OSCORE Request . . . . . . . . . . . . 10 67 4. Security Considerations . . . . . . . . . . . . . . . . . . . 11 68 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 69 5.1. CoAP Option Numbers Registry . . . . . . . . . . . . . . 11 70 6. Normative References . . . . . . . . . . . . . . . . . . . . 12 71 Appendix A. Additional OSCORE/EDHOC-related Processing . . . . . 13 72 A.1. From OSCORE to EDHOC Identifier . . . . . . . . . . . . . 13 73 A.2. EDHOC Message Processing . . . . . . . . . . . . . . . . 14 74 A.2.1. Initiator Processing of Message 1 . . . . . . . . . . 14 75 A.2.2. Responder Processing of Message 1 . . . . . . . . . . 14 76 A.2.3. Responder Processing of Message 2 . . . . . . . . . . 15 77 A.2.4. Initiator Processing of Message 2 . . . . . . . . . . 15 78 A.3. Checking CBOR Encoding of Numeric Values . . . . . . . . 15 79 Appendix B. Document Updates . . . . . . . . . . . . . . . . . . 16 80 B.1. Version -00 to -01 . . . . . . . . . . . . . . . . . . . 16 81 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 16 82 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 84 1. Introduction 86 Ephemeral Diffie-Hellman Over COSE (EDHOC) [I-D.ietf-lake-edhoc] is a 87 lightweight authenticated key exchange protocol, especially intended 88 for use in constrained scenarios. In particular, EDHOC messages can 89 be transported over the Constrained Application Protocol (CoAP) 90 [RFC7252] and used for establishing a Security Context for Object 91 Security for Constrained RESTful Environments (OSCORE) [RFC8613]. 93 This document defines an optimization approach that combines EDHOC 94 run over CoAP with the first subsequent OSCORE transaction. This 95 allows for a minimum number of round trips necessary to setup the 96 OSCORE Security Context and complete an OSCORE transaction, for 97 example when an IoT device gets configured in a network for the first 98 time. 100 This optimization is desirable, since the number of protocol round 101 trips impacts on the minimum number of flights, which in turn can 102 have a substantial impact on the latency of conveying the first 103 OSCORE request, when using certain radio technologies. 105 Without this optimization, it is not possible, not even in theory, to 106 achieve the minimum number of flights. This optimization makes it 107 possible also in practice, since the last message of the EDHOC 108 protocol can be made relatively small (see Section 1 of 109 [I-D.ietf-lake-edhoc]), thus allowing additional OSCORE protected 110 CoAP data within target MTU sizes. 112 1.1. Terminology 114 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 115 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 116 "OPTIONAL" in this document are to be interpreted as described in 117 BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all 118 capitals, as shown here. 120 The reader is expected to be familiar with terms and concepts defined 121 in CoAP [RFC7252], CBOR [RFC8949], CBOR sequences [RFC8742], OSCORE 122 [RFC8613] and EDHOC [I-D.ietf-lake-edhoc]. 124 2. EDHOC Overview 126 The EDHOC protocol allows two peers to agree on a cryptographic 127 secret, in a mutually-authenticated way and by using Diffie-Hellman 128 ephemeral keys to achieve perfect forward secrecy. The two peers are 129 denoted as Initiator and Responder, as the one sending or receiving 130 the initial EDHOC message_1, respectively. 132 After successful processing of EDHOC message_3, both peers agree on a 133 cryptographic secret that can be used to derive further security 134 material, and especially to establish an OSCORE Security Context 135 [RFC8613]. The Responder can also send an optional EDHOC message_4 136 to achieve key confirmation, e.g., in deployments where no protected 137 application message is sent from the Responder to the Initiator. 139 Appendix A.3 of [I-D.ietf-lake-edhoc] specifies how to transport 140 EDHOC over CoAP. That is, the EDHOC data (referred to as "EDHOC 141 messages") are transported in the payload of CoAP requests and 142 responses. The default message flow consists in the CoAP Client 143 acting as Initiator and the CoAP Server acting as Responder. 145 Alternatively, the two roles can be reversed. In the rest of this 146 document, EDHOC messages are considered to be transported over CoAP. 148 Figure 1 shows a Client and Server running EDHOC as Initiator and 149 Responder, respectively. That is, the Client sends a POST request 150 with payload EDHOC message_1 to a reserved resource at the CoAP 151 Server, by default at Uri-Path "/.well-known/edhoc". This triggers 152 the EDHOC exchange at the Server, which replies with a 2.04 (Changed) 153 Response with payload EDHOC message_2. Finally, the Client sends a 154 CoAP POST request to the same resource used for EDHOC message_1, with 155 payload EDHOC message_3. The Content-Format of these CoAP messages 156 may be set to "application/edhoc". 158 After this exchange takes place, and after successful verifications 159 as specified in the EDHOC protocol, the Client and Server can derive 160 an OSCORE Security Context, as defined in Appendix A.2 of 161 [I-D.ietf-lake-edhoc]. After that, they can use OSCORE to protect 162 their communications. 164 CoAP Client CoAP Server 165 (EDHOC Initiator) (EDHOC Responder) 166 | ------------- EDHOC message_1 ------------> | 167 | Header: POST (Code=0.02) | 168 | Uri-Path: "/.well-known/edhoc" | 169 | Content-Format: application/edhoc | 170 | | 171 | <------------ EDHOC message_2 ------------- | 172 | Header: 2.04 Changed | 173 | Content-Format: application/edhoc | 174 | | 175 EDHOC verification | 176 | | 177 | ------------- EDHOC message_3 ------------> | 178 | Header: POST (Code=0.02) | 179 | Uri-Path: "/.well-known/edhoc" | 180 | Content-Format: application/edhoc | 181 | | 182 | EDHOC verification 183 | + 184 OSCORE Sec Ctx OSCORE Sec Ctx 185 Derivation Derivation 186 | | 187 | ------------- OSCORE Request -------------> | 188 | Header: POST (Code=0.02) | 189 | | 190 | <------------ OSCORE Response ------------- | 191 | Header: 2.04 Changed | 192 | | 194 Figure 1: EDHOC and OSCORE run sequentially 196 As shown in Figure 1, this purely-sequential way of first running 197 EDHOC and then using OSCORE takes three round trips to complete. 199 Section 3 defines an optimization for combining EDHOC with the first 200 subsequent OSCORE transaction. This reduces the number of round 201 trips required to set up an OSCORE Security Context and to complete 202 an OSCORE transaction using that Security Context. 204 3. EDHOC Combined with OSCORE 206 This section defines an optimization for combining the EDHOC exchange 207 with the first subsequent OSCORE transaction, thus minimizing the 208 number of round trips between the two peers. 210 This approach can be used only if the default EDHOC message flow is 211 used, i.e., when the Client acts as Initiator and the Server acts as 212 Responder, while it cannot be used in the case with reversed roles. 214 When running the purely-sequential flow of Section 2, the Client has 215 all the information to derive the OSCORE Security Context already 216 after receiving EDHOC message_2 and before sending EDHOC message_3. 218 Hence, the Client can potentially send both EDHOC message_3 and the 219 subsequent OSCORE Request at the same time. On a semantic level, 220 this requires sending two REST requests at once, as in Figure 2. 222 CoAP Client CoAP Server 223 (EDHOC Initiator) (EDHOC Responder) 224 | ------------- EDHOC message_1 ------------> | 225 | Header: POST (Code=0.02) | 226 | Uri-Path: "/.well-known/edhoc" | 227 | Content-Format: application/edhoc | 228 | | 229 | <------------ EDHOC message_2 ------------- | 230 | Header: 2.04 Changed | 231 | Content-Format: application/edhoc | 232 | | 233 EDHOC verification | 234 + | 235 OSCORE Sec Ctx | 236 Derivation | 237 | | 238 | ---- EDHOC message_3 + OSCORE Request ----> | 239 | Header: POST (Code=0.02) | 240 | | 241 | EDHOC verification 242 | + 243 | OSCORE Sec Ctx 244 | Derivation 245 | | 246 | <------------ OSCORE Response ------------- | 247 | Header: 2.04 Changed | 248 | | 250 Figure 2: EDHOC and OSCORE combined 252 To this end, the specific approach defined in this section consists 253 of sending EDHOC message_3 inside an OSCORE protected CoAP message. 255 The resulting EDHOC + OSCORE request is in practice the OSCORE 256 Request from Figure 1, as still sent to a protected resource and with 257 the correct CoAP method and options, but with the addition that it 258 also transports EDHOC message_3. 260 As EDHOC message_3 may be too large to be included in a CoAP Option, 261 e.g., if containing a large public key certificate chain, it has to 262 be transported in the CoAP payload of the EDHOC + OSCORE request. 264 The rest of this section specifies how to transport the data in the 265 EDHOC + OSCORE request and their processing order. In particular, 266 the use of this approach is explicitly signalled by including an 267 EDHOC Option (see Section 3.1) in the EDHOC + OSCORE request. The 268 processing of the EDHOC + OSCORE request is specified in Section 3.2 269 for the Client side and in Section 3.3 for the Server side. 271 3.1. EDHOC Option 273 This section defines the EDHOC Option. The option is used in a CoAP 274 request, to signal that the request payload conveys both an EDHOC 275 message_3 and OSCORE protected data, combined together. 277 The EDHOC Option has the properties summarized in Figure 3, which 278 extends Table 4 of [RFC7252]. The option is Critical, Safe-to- 279 Forward, and part of the Cache-Key. The option MUST occur at most 280 once and is always empty. If any value is sent, the value is simply 281 ignored. The option is intended only for CoAP requests and is of 282 Class U for OSCORE [RFC8613]. 284 +-------+---+---+---+---+-------+--------+--------+---------+ 285 | No. | C | U | N | R | Name | Format | Length | Default | 286 +-------+---+---+---+---+-------+--------+--------+---------+ 287 | TBD21 | x | | | | EDHOC | Empty | 0 | (none) | 288 +-------+---+---+---+---+-------+--------+--------+---------+ 289 C=Critical, U=Unsafe, N=NoCacheKey, R=Repeatable 291 Figure 3: The EDHOC Option. 293 The presence of this option means that the message payload contains 294 also EDHOC data, that must be extracted and processed as defined in 295 Section 3.3, before the rest of the message can be processed. 297 Figure 4 shows the format of a CoAP message containing both the EDHOC 298 data and the OSCORE ciphertext, using the newly defined EDHOC option 299 for signalling. 301 0 1 2 3 302 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 303 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 304 |Ver| T | TKL | Code | Message ID | 305 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 306 | Token (if any, TKL bytes) ... 307 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 308 | OSCORE option | EDHOC option | Other options (if any) ... 309 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 310 |1 1 1 1 1 1 1 1| Payload 311 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 313 Figure 4: CoAP message for EDHOC and OSCORE combined - signalled with 314 the EDHOC Option 316 3.2. Client Processing 318 The Client prepares an EDHOC + OSCORE request as follows. 320 1. Compose EDHOC message_3 as per Section 5.4.2 of 321 [I-D.ietf-lake-edhoc]. 323 Since the Client is the EDHOC Initiator, the EDHOC message_3 324 always includes the connection identifier C_R and CIPHERTEXT_3. 325 Note that C_R is the OSCORE Sender ID of the Client, encoded as 326 per Appendix A.1. 328 2. Encrypt the original CoAP request as per Section 8.1 of 329 [RFC8613], using the new OSCORE Security Context established 330 after receiving EDHOC message_2. 332 Note that the OSCORE ciphertext is not computed over EDHOC 333 message_3, which is not protected by OSCORE. That is, the result 334 of this step is the OSCORE Request as in Figure 1. 336 3. Build a CBOR sequence [RFC8742] composed of two CBOR byte strings 337 in the following order. 339 * The first CBOR byte string is the CIPHERTEXT_3 of the EDHOC 340 message_3 resulting from step 3. 342 * The second CBOR byte string has as value the OSCORE ciphertext 343 of the OSCORE protected CoAP request resulting from step 2. 345 4. Compose the EDHOC + OSCORE request, as the OSCORE protected CoAP 346 request resulting from step 2, where the payload is replaced with 347 the CBOR sequence built at step 3. 349 5. Signal the usage of this approach within the EDHOC + OSCORE 350 request, by including the new EDHOC Option defined in 351 Section 3.1. 353 3.3. Server Processing 355 When receiving a request containing the EDHOC option, i.e., an EDHOC 356 + OSCORE request, the Server MUST perform the following steps. 358 1. Check that the payload of the EDHOC + OSCORE request is a CBOR 359 sequence composed of two CBOR byte strings. If this is not the 360 case, the Server MUST stop processing the request and MUST 361 respond with a 4.00 (Bad Request) error message. 363 2. Extract CIPHERTEXT_3 from the payload of the EDHOC + OSCORE 364 request, as the first CBOR byte string in the CBOR sequence. 366 3. Rebuild EDHOC message_3, as a CBOR sequence composed of two CBOR 367 byte strings in the following order. 369 * The first CBOR byte string is the 'kid' of the Client 370 indicated in the OSCORE option of the EDHOC + OSCORE request 371 (i.e., the OSCORE Sender ID of the Client), encoded as per 372 Appendix A.1. 374 * The second CBOR byte string is the CIPHERTEXT_3 retrieved at 375 step 2. 377 4. Perform the EDHOC processing on the EDHOC message_3 rebuilt at 378 step 3, including verifications as per Section 5.4.3 of 379 [I-D.ietf-lake-edhoc] and the OSCORE Security Context derivation 380 as per Appendix A.2 of [I-D.ietf-lake-edhoc]. 382 If the applicability statement used in the EDHOC session 383 specifies that EDHOC message_4 shall be sent, the Server MUST 384 stop the EDHOC processing and consider it failed, as due to a 385 client error. 387 5. Extract the OSCORE ciphertext from the payload of the EDHOC + 388 OSCORE request, as the value of the second CBOR byte string in 389 the CBOR sequence. 391 6. Rebuild the OSCORE protected CoAP request as the EDHOC + OSCORE 392 request, where the payload is replaced with the OSCORE ciphertext 393 resulting from step 5. 395 7. Decrypt and verify the OSCORE protected CoAP request resulting 396 from step 6, as per Section 8.2 of [RFC8613], by using the new 397 OSCORE Security Context established at step 4. 399 8. Process the CoAP request resulting from step 7. 401 If steps 4 (EDHOC processing) and 7 (OSCORE processing) are both 402 successfully completed, the Server MUST reply with an OSCORE 403 protected response, in order for the Client to achieve key 404 confirmation (see Section 5.4.2 of [I-D.ietf-lake-edhoc]). The usage 405 of EDHOC message_4 as defined in Section 5.5 of [I-D.ietf-lake-edhoc] 406 is not applicable to the approach defined in this document. 408 If step 4 (EDHOC processing) fails, the server discontinues the 409 protocol as per Section 5.4.3 of [I-D.ietf-lake-edhoc] and responds 410 with an EDHOC error message, formatted as defined in Section 6.2 of 411 [I-D.ietf-lake-edhoc]. In particular, the CoAP response conveying 412 the EDHOC error message MUST have Content-Format set to application/ 413 edhoc defined in Section 8.9 of [I-D.ietf-lake-edhoc]. 415 If step 4 (EDHOC processing) is successfully completed but step 7 416 (OSCORE processing) fails, the same OSCORE error handling applies as 417 defined in Section 8.2 of [RFC8613]. 419 3.4. Example of EDHOC + OSCORE Request 421 Figure 5 shows an example of EDHOC + OSCORE Request, based on the 422 OSCORE test vector from Appendix C.4 of [RFC8613] and the EDHOC test 423 vector from Appendix D.2 of [I-D.ietf-lake-edhoc]. In particular, 424 the example assumes that: 426 o The used OSCORE Partial IV is 0, consistently with the first 427 request protected with the new OSCORE Security Context. 429 o The OSCORE Sender ID of the Client is 0x00. This corresponds to 430 the numeric EDHOC connection identifier C_R with value 0, which in 431 EDHOC message_3 is encoded as the CBOR integer 0, hence as 0x00. 433 o The EDHOC option is registered with CoAP option number 21. 435 o OSCORE option value: 0x090020 (3 bytes) 437 o EDHOC option value: - (0 bytes) 439 o C_R: 0x00 (1 byte) 441 o CIPHERTEXT_3: 0x52d5535f3147e85f1cfacd9e78abf9e0a81bbf 442 (19 bytes) 444 o EDHOC message_3: 0x00 52d5535f3147e85f1cfacd9e78abf9e0a81bbf 445 (20 bytes) 447 o OSCORE ciphertext: 0x612f1092f1776f1c1668b3825e (13 bytes) 449 From there: 451 o Protected CoAP request (OSCORE message): 453 0x44025d1f ; CoAP 4-byte header 454 00003974 ; Token 455 39 6c6f63616c686f7374 ; Uri-Host Option: "localhost" 456 63 090020 ; OSCORE Option 457 C0 ; EDHOC Option 458 ff 52d5535f3147e85f1cfacd9e78abf9e0a81bbf 459 4d612f1092f1776f1c1668b3825e 460 (57 bytes) 462 Figure 5: Example of CoAP message with EDHOC and OSCORE combined 464 4. Security Considerations 466 The same security considerations from OSCORE [RFC8613] and EDHOC 467 [I-D.ietf-lake-edhoc] hold for this document. 469 TODO (more considerations) 471 5. IANA Considerations 473 RFC Editor: Please replace "[[this document]]" with the RFC number of 474 this document and delete this paragraph. 476 This document has the following actions for IANA. 478 5.1. CoAP Option Numbers Registry 480 IANA is asked to enter the following option numbers to the "CoAP 481 Option Numbers" registry defined in [RFC7252] within the "CoRE 482 Parameters" registry. 484 [ 486 The CoAP option numbers 13 and 21 are both consistent with the 487 properties of the EDHOC Option defined in Section 3.1, and they both 488 allow the EDHOC Option to always result in an overall size of 1 byte. 489 This is because: 491 o The EDHOC option is always empty, i.e., with zero-length value; 492 and 494 o Since the OSCORE option with option number 9 is always present in 495 the CoAP request, the EDHOC option would be encoded with a maximum 496 delta of 4 or 12, depending on its option number being 13 or 21. 498 At the time of writing, the CoAP option numbers 13 and 21 are both 499 unassigned in the "CoAP Option Numbers" registry, as first available 500 and consistent option numbers for the EDHOC option. 502 This document suggests 21 (TBD21) as option number to be assigned to 503 the new EDHOC option, since both 13 and 21 are consistent for the use 504 case in question, but different use cases or protocols may make 505 better use of the option number 13. 507 ] 509 +--------+-------+-------------------+ 510 | Number | Name | Reference | 511 +--------+-------+-------------------+ 512 | TBD21 | EDHOC | [[this document]] | 513 +--------+-------+-------------------+ 515 6. Normative References 517 [I-D.ietf-lake-edhoc] 518 Selander, G., Mattsson, J. P., and F. Palombini, 519 "Ephemeral Diffie-Hellman Over COSE (EDHOC)", draft-ietf- 520 lake-edhoc-06 (work in progress), April 2021. 522 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 523 Requirement Levels", BCP 14, RFC 2119, 524 DOI 10.17487/RFC2119, March 1997, 525 . 527 [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained 528 Application Protocol (CoAP)", RFC 7252, 529 DOI 10.17487/RFC7252, June 2014, 530 . 532 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 533 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 534 May 2017, . 536 [RFC8613] Selander, G., Mattsson, J., Palombini, F., and L. Seitz, 537 "Object Security for Constrained RESTful Environments 538 (OSCORE)", RFC 8613, DOI 10.17487/RFC8613, July 2019, 539 . 541 [RFC8742] Bormann, C., "Concise Binary Object Representation (CBOR) 542 Sequences", RFC 8742, DOI 10.17487/RFC8742, February 2020, 543 . 545 [RFC8949] Bormann, C. and P. Hoffman, "Concise Binary Object 546 Representation (CBOR)", STD 94, RFC 8949, 547 DOI 10.17487/RFC8949, December 2020, 548 . 550 Appendix A. Additional OSCORE/EDHOC-related Processing 552 Appendix A.1 in [I-D.ietf-lake-edhoc] defines a rule for converting 553 from EDHOC connection identifier to OSCORE Sender/Recipient ID. 555 This appendix defines the rule for converting from OSCORE Sender/ 556 Recipient ID to EDHOC connection identifier, and related processing. 558 A.1. From OSCORE to EDHOC Identifier 560 The process defined in this section ensures that every OSCORE Sender/ 561 Recipient ID is converted to only one of the two corresponding, 562 equivalent EDHOC connection identifiers, see Appendix A.1 in 563 [I-D.ietf-lake-edhoc]. 565 An OSCORE Sender/Recipient ID, OSCORE_ID, is converted to an EDHOC 566 connection identifier, EDHOC_ID, as follows. 568 o If OSCORE_ID is 0 bytes in size, it is converted to the empty byte 569 string EDHOC_ID (0x40 in CBOR encoding). 571 o If OSCORE_ID is longer than 5 bytes in size, it is converted to a 572 byte-valued EDHOC_ID, i.e., a CBOR byte string with value 573 OSCORE_ID. 575 For example, the OSCORE_ID 0x001122334455 is converted to the 576 byte-valued EDHOC_ID 0x001122334455 (0x46001122334455 in CBOR 577 encoding). 579 o If OSCORE_ID is 1-5 bytes in size, the following applies. 581 * If OSCORE_ID is a valid CBOR encoding for an integer value 582 (i.e., it can be correctly decoded as a CBOR integer), then it 583 is converted to a numeric EDHOC_ID having OSCORE_ID as its CBOR 584 encoded form. 586 For example, the OSCORE_ID 0x01 is converted to the numeric 587 EDHOC_ID 1 (0x01 in CBOR encoding), while the OSCORE_ID 0x2B is 588 converted to the numeric EDHOC_ID -12 (0x2B in CBOR encoding). 590 * If OSCORE_ID is _not_ a valid CBOR encoding for an integer 591 value (i.e., it _cannot_ be correctly decoded as a CBOR 592 integer), then it is converted to a byte-valued EDHOC_ID having 593 OSCORE_ID as its value. 595 For example, the OSCORE_ID 0xFF is converted to the byte-valued 596 EDHOC_ID 0xFF (0x41FF in CBOR encoding). 598 Implementations can easily determine which case holds for a given 599 OSCORE_ID with no need to try to actually CBOR-decode it, e.g., by 600 using the approach in Appendix A.3. 602 A.2. EDHOC Message Processing 604 This section specifies additional EDHOC message processing in 605 addition to what is specified in Section 5 of [I-D.ietf-lake-edhoc]. 607 A.2.1. Initiator Processing of Message 1 609 The Initiator selects C_I as follows. 611 1. The Initiator initializes a set ID_SET as the empty set. 613 2. The Initiator selects an available OSCORE Recipient ID, ID*, 614 which is not included in ID_SET. 616 3. The Initiator converts ID* to the EDHOC connection identifier 617 C_I, as per Appendix A.1. 619 4. If the resulting C_I is already used, the Initiator adds ID* to 620 ID_SET and moves back to step 2. Otherwise, it uses C_I as its 621 EDHOC connection identifier. 623 A.2.2. Responder Processing of Message 1 625 The Responder MUST discontinue the protocol and reply with an EDHOC 626 error message, if C_I is a CBOR byte string and it has as value a 627 valid CBOR encoding of an integer value (e.g., C_I is CBOR encoded as 628 0x4100). 630 In fact, this would mean that the Initiator has not followed the 631 conversion rule in Appendix A.1 when converting its (to be) OSCORE 632 Recipient ID to C_I. 634 A.2.3. Responder Processing of Message 2 636 The Responder selects C_R as follows. 638 1. The Responder initializes a set ID_SET as the empty set. 640 2. The Responder selects an available OSCORE Recipient ID, ID*, 641 which is not included in ID_SET. 643 3. The Responder converts ID* to the EDHOC connection identifier 644 C_R, as per Appendix A.1. 646 4. If the resulting C_R is already used or it is equal byte-by-byte 647 to the C_I specified in EDHOC message_1, the Initiator adds ID* 648 to ID_SET and moves back to step 2. Otherwise, it uses C_R as 649 its EDHOC connection identifier. 651 A.2.4. Initiator Processing of Message 2 653 The Initiator MUST discontinue the protocol and reply with an EDHOC 654 error message, if any of the following conditions holds. 656 o C_R is equal byte-by-byte to the C_I that was specified in EDHOC 657 message_1. 659 o C_R is a CBOR byte string and it has as value a valid CBOR 660 encoding of an integer value (e.g., C_R is CBOR encoded as 661 0x4100). 663 In fact, this would mean that the Responder has not followed the 664 conversion rule in Appendix A.1 when converting its (to be) OSCORE 665 Recipient ID to C_R. 667 A.3. Checking CBOR Encoding of Numeric Values 669 Given a binary string of N bytes in size, it is a valid CBOR encoding 670 of an integer value if and only if, for that size N, its first byte 671 is equal to one of the byte values specified in the "First byte" 672 column of the table below. 674 +---+-----------------------+ 675 | N | First byte | 676 +---+-----------------------+ 677 | 1 | 0x00-0x17 , 0x20-0x37 | 678 +---+-----------------------+ 679 | 2 | 0x18 , 0x38 | 680 +---+-----------------------+ 681 | 3 | 0x19 , 0x39 | 682 +---+-----------------------+ 683 | 4 | 0x1A , 0x3A | 684 +---+-----------------------+ 685 | 5 | 0x1B , 0x3B | 686 +---+-----------------------+ 688 Appendix B. Document Updates 690 RFC Editor: Please remove this section. 692 B.1. Version -00 to -01 694 o Improved background overview of EDHOC. 696 o Added explicit rules for converting OSCORE Sender/Recipient IDs to 697 EDHOC connection identifiers following the removal of 698 bstr_identifier from EDHOC. 700 o Revised section organization. 702 o Recommended number for EDHOC option changed to 21. 704 o Editorial improvements. 706 Acknowledgments 708 The authors sincerely thank Christian Amsuess, Klaus Hartke, Jim 709 Schaad and Malisa Vucinic for their feedback and comments in the 710 discussion leading up to this draft. 712 The work on this document has been partly supported by VINNOVA and 713 the Celtic-Next project CRITISEC; and by the H2020 project SIFIS-Home 714 (Grant agreement 952652). 716 Authors' Addresses 718 Francesca Palombini 719 Ericsson 721 Email: francesca.palombini@ericsson.com 722 Marco Tiloca 723 RISE AB 724 Isafjordsgatan 22 725 Kista SE-16440 Stockholm 726 Sweden 728 Email: marco.tiloca@ri.se 730 Rikard Hoeglund 731 RISE AB 732 Isafjordsgatan 22 733 Kista SE-16440 Stockholm 734 Sweden 736 Email: rikard.hoglund@ri.se 738 Stefan Hristozov 739 Fraunhofer AISEC 741 Email: stefan.hristozov@aisec.fraunhofer.de 743 Goeran Selander 744 Ericsson 746 Email: goran.selander@ericsson.com