idnits 2.17.1

draft-palombini-core-oscore-edhoc-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (2 November 2020) is 1271 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Possible downref: Normative reference to a draft: ref.
     'I-D.ietf-cbor-7049bis'

  == Outdated reference: A later version (-23) exists of
     draft-ietf-lake-edhoc-01

     Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

CoRE Working Group                                          F. Palombini
Internet-Draft                                                  Ericsson
Intended status: Standards Track                               M. Tiloca
Expires: 6 May 2021                                          R. Hoeglund
                                                                 RISE AB
                                                            S. Hristozov
                                                        Fraunhofer AISEC
                                                             G. Selander
                                                                Ericsson
                                                         2 November 2020

                       Combining EDHOC and OSCORE
                  draft-palombini-core-oscore-edhoc-01

Abstract

   This document defines possible optimization approaches for combining
   the lightweight authenticated key exchange protocol EDHOC run over
   CoAP with the first subsequent OSCORE transaction. This combination
   reduces the number of round trips required to set up an OSCORE
   Security Context and complete an OSCORE transaction using that
   context.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Source for this draft and an issue tracker can be found at
   https://github.com/EricssonResearch/oscore-edhoc.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 6 May 2021.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document.
   Code Components extracted from this document must include Simplified
   BSD License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
   2.  Background
   3.  EDHOC in OSCORE
     3.1.  Signalling in a New EDHOC Option
     3.2.  Signalling in the OSCORE Option
   4.  Security Considerations
   5.  IANA Considerations
   6.  Normative References
   Acknowledgments
   Authors' Addresses

1.  Introduction

   This document presents possible optimization approaches to combine
   the lightweight authenticated key exchange protocol EDHOC
   [I-D.ietf-lake-edhoc], when running over CoAP [RFC7252], with the
   first subsequent OSCORE [RFC8613] transaction.

   This allows for a minimum number of round trips necessary to set up
   the OSCORE Security Context and complete an OSCORE transaction, for
   example when an IoT device gets configured in a network for the first
   time.

   The number of protocol round trips impacts the minimum number of
   flights, which can have a substantial impact on performance with
   certain radio technologies.

   Without this optimization, it is not possible, not even in theory, to
   achieve the minimum number of flights.
   This optimization makes it possible also in practice, since the last
   message of the EDHOC protocol can be made relatively small (see
   Section 1 of [I-D.ietf-lake-edhoc]), thus allowing additional OSCORE
   protected CoAP data within target MTU sizes.

   The goal of this document is to provide details on different
   alternatives for transporting and processing the necessary data,
   gather opinions on the different approaches, and select only one of
   those.

1.1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   The reader is expected to be familiar with terms and concepts defined
   in CoAP [RFC7252], CBOR [I-D.ietf-cbor-7049bis], OSCORE [RFC8613] and
   EDHOC [I-D.ietf-lake-edhoc].

2.  Background

   EDHOC is a 3-message key exchange protocol. Section 7.1 of
   [I-D.ietf-lake-edhoc] specifies how to transport EDHOC over CoAP: the
   EDHOC data (referred to as "EDHOC messages") are transported in the
   payload of CoAP requests and responses.

   This draft deals with the case of the Initiator acting as CoAP Client
   and the Responder acting as CoAP Server. (The case of the Initiator
   acting as CoAP server cannot be optimized in this way.) That is, the
   CoAP Client sends a POST request containing the EDHOC message 1 to a
   reserved resource at the CoAP Server. This triggers the EDHOC
   exchange on the CoAP Server, which replies with a 2.04 (Changed)
   Response containing the EDHOC message 2. Finally, the EDHOC message
   3 is sent by the CoAP Client in a CoAP POST request to the same
   resource used for the EDHOC message 1. The Content-Format of these
   CoAP messages is set to "application/edhoc".

   After this exchange takes place, and after successful verifications
   specified in the EDHOC protocol, the Client and Server derive the
   OSCORE Security Context, as specified in Section 7.1.1 of
   [I-D.ietf-lake-edhoc]. Then, they are ready to use OSCORE.

   This sequential way of running EDHOC and then OSCORE is specified in
   Figure 1. As shown in the figure, this mechanism is executed in 3
   round trips.

   CoAP Client                                   CoAP Server
        | ------------- EDHOC message_1 ------------> |
        |                                             |
        | <------------ EDHOC message_2 ------------- |
        |                                             |
   EDHOC verification                                 |
        |                                             |
        | ------------- EDHOC message_3 ------------> |
        |                                             |
        |                                    EDHOC verification
        |                                             |
   OSCORE Sec Ctx                              OSCORE Sec Ctx
     Derivation                                  Derivation
        |                                             |
        | -------------- OSCORE Request ------------> |
        |                                             |
        | <------------ OSCORE Response ------------- |
        |                                             |

              Figure 1: EDHOC and OSCORE run sequentially

   The number of round trips can be minimized: after receiving the EDHOC
   message 2, the CoAP Client has all the information needed to derive
   the OSCORE Security Context before sending the EDHOC message 3.

   This means that the Client can potentially send at the same time both
   the EDHOC message 3 and the subsequent OSCORE Request. On a semantic
   level, this approach in practice requires sending two separate REST
   requests at the same time.

   The high level message flow of running EDHOC and OSCORE combined is
   shown in Figure 2.

   Defining the specific details of how to transport the data and of
   their processing order is the goal of this specification.

   CoAP Client                                   CoAP Server
        | ------------- EDHOC message_1 ------------> |
        |                                             |
        | <------------ EDHOC message_2 ------------- |
        |                                             |
   EDHOC verification +                               |
     OSCORE Sec Ctx                                   |
       Derivation                                     |
        |                                             |
        | ------------- EDHOC message_3 ------------> |
        |               + OSCORE Request              |
        |                                             |
        |                                    EDHOC verification +
        |                                      OSCORE Sec Ctx
        |                                        Derivation
        |                                             |
        | <------------ OSCORE Response ------------- |
        |                                             |

                  Figure 2: EDHOC and OSCORE combined

3.  EDHOC in OSCORE

   This approach consists of sending the EDHOC message 3 inside an
   OSCORE message (i.e., an OSCORE protected CoAP message).

   The resulting OSCORE + EDHOC request is in practice the OSCORE
   Request from Figure 1, sent to a protected resource and with the
   correct CoAP method and options, with the addition that it also
   transports the EDHOC message 3.

   As the EDHOC message 3 may be too large to be included in a CoAP
   Option, e.g. if containing a large public key certificate chain, it
   would have to be transported in the CoAP payload.

   In particular, the payload of the OSCORE + EDHOC request is formatted
   as a CBOR sequence of two CBOR byte strings: the EDHOC message 3 and
   the OSCORE ciphertext of the original OSCORE Request, in this order.

   Note that the OSCORE ciphertext is not computed over the EDHOC
   message 3, which is not protected by OSCORE. That is, the client
   first prepares the OSCORE Request as in Figure 1. Then, it reformats
   the payload to include also the EDHOC message 3, as defined above.
   The result is the OSCORE + EDHOC request to send.

   The usage of this approach is indicated by signalling information
   in the OSCORE + EDHOC request, which can be either a new EDHOC Option
   (see Section 3.1) or the OSCORE Option with a particular Flag Bit set
   (see Section 3.2).

   When receiving such a request, the Server needs to perform the
   following processing, in addition to the EDHOC, OSCORE and CoAP
   processing:

   1.  Check the signalling information to identify that this is an
       OSCORE + EDHOC request.

   2.  Extract the EDHOC message 3 from the payload of the OSCORE +
       EDHOC request, as the value of the first CBOR byte string in the
       CBOR sequence.

   3.  Execute the EDHOC processing on the EDHOC message 3, including
       verifications and the OSCORE Security Context derivation.

   4.  Extract the OSCORE ciphertext from the payload of the OSCORE +
       EDHOC request, as the value of the second CBOR byte string in the
       CBOR sequence. Then, set the CoAP payload of the request to the
       extracted ciphertext.

   5.  Decrypt and verify the OSCORE protected CoAP request resulting
       from step 4, as defined by OSCORE.

   6.  Process the CoAP request resulting from step 5.

   The following sections expand on the two ways of signalling that the
   EDHOC message is transported in the OSCORE message.

3.1.  Signalling in a New EDHOC Option

   One way to signal that the Server has to extract and process the
   EDHOC message 3 before processing the OSCORE protected CoAP request
   is to define a new CoAP Option, called the EDHOC Option.

   The presence of this option means that the message contains EDHOC
   data in the payload, which must be extracted and processed before the
   rest of the message can be processed.

   In particular, the EDHOC message 3 has to be extracted from the CoAP
   payload, as the first element of a CBOR sequence wrapped in a CBOR
   byte string.

   The Option is critical, Safe-to-Forward, and part of the Cache-Key.

   The Option value is always empty. If any value is sent, the value is
   simply ignored.

   The Option MUST occur at most once.

   The Option is of Class U for OSCORE.
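
   The flag check and payload split from steps 1, 2 and 4 of Section 3,
   as an added Python example that is not part of the draft. Function
   names are illustrative; the byte values are those given in Figures 4
   and 7, and only definite-length byte strings are accepted because the
   EDHOC message 3 is parsed before any OSCORE verification has run.

```python
# Added example (not from the draft): server-side steps 1, 2 and 4 of Section 3.
EDHOC_FLAG = 0x40  # bit position 1 of the first OSCORE option byte (Figure 5)

# Values copied from Figures 4 and 7 of the draft.
EDHOC_MSG3 = bytes.fromhex("085253c3991999a5ffb86921e99b607c067770e0")
CIPHERTEXT = bytes.fromhex("612f1092f1776f1c1668b3825e")
PAYLOAD = bytes.fromhex(
    "54085253C3991999A5FFB86921E99B607C067770E0"  # bstr(20): EDHOC message 3
    "4d612f1092f1776f1c1668b3825e"                # bstr(13): OSCORE ciphertext
)


class PayloadError(ValueError):
    """The payload is not a CBOR sequence of exactly two byte strings."""


def has_edhoc_bit(option_value):
    """Step 1 with Section 3.2 signalling: test flag bit 1 of the OSCORE option."""
    return len(option_value) > 0 and bool(option_value[0] & EDHOC_FLAG)


def read_bstr(buf, pos):
    """Decode one definite-length CBOR byte string at pos; return (value, next)."""
    if pos >= len(buf):
        raise PayloadError("truncated: expected a CBOR byte string")
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if major != 2:
        raise PayloadError("item is not a CBOR byte string (major type 2)")
    if info < 24:
        length = info                      # length carried in the initial byte
    elif info <= 27:
        width = 1 << (info - 24)           # 1, 2, 4 or 8 length bytes follow
        if width > len(buf) - pos:
            raise PayloadError("truncated length field")
        length = int.from_bytes(buf[pos:pos + width], "big")
        pos += width
    else:
        raise PayloadError("indefinite-length or reserved encoding rejected")
    if length > len(buf) - pos:            # never read past the CoAP payload
        raise PayloadError("declared length exceeds remaining payload")
    return buf[pos:pos + length], pos + length


def split_oscore_edhoc_payload(payload):
    """Steps 2 and 4: return (EDHOC message 3, OSCORE ciphertext)."""
    msg3, pos = read_bstr(payload, 0)
    ciphertext, pos = read_bstr(payload, pos)
    if pos != len(payload):
        raise PayloadError("trailing bytes after the second byte string")
    return msg3, ciphertext


if __name__ == "__main__":
    print(has_edhoc_bit(bytes.fromhex("4914")))
    msg3, ct = split_oscore_edhoc_payload(PAYLOAD)
    print(msg3.hex(), ct.hex())
```

   The ciphertext returned by the split becomes the CoAP payload handed
   to OSCORE in step 5; a PayloadError should end processing before any
   EDHOC state is touched.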

   Figure 3 shows the format for a CoAP message containing both the
   OSCORE ciphertext and EDHOC message 3, using the newly defined EDHOC
   option for signaling.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Ver| T |  TKL  |      Code     |          Message ID           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Token (if any, TKL bytes) ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | OSCORE option | EDHOC option  | other options (if any) ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |1 1 1 1 1 1 1 1| Payload
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

     Figure 3: CoAP message for EDHOC and OSCORE combined - signaled
                         with the EDHOC Option

   An example based on the OSCORE test vector from Appendix C.4 of
   [RFC8613] and the EDHOC test vector from Appendix B.2 of
   [I-D.ietf-lake-edhoc] is given in Figure 4. The example assumes that
   the EDHOC option is registered with CoAP option number 13.

   o  OSCORE option value: 0x0914 (2 bytes)

   o  ciphertext: 0x612f1092f1776f1c1668b3825e (13 bytes)

   o  EDHOC option value: - (0 bytes)

   o  EDHOC message 3: 085253c3991999a5ffb86921e99b607c067770e0
      (20 bytes)

   From there:

   o  Protected CoAP request (OSCORE message): 0x44025d1f0000397439
      6c6f63616c686f737462 0914 04 ff 54085253C3991999A5FFB86921E99
      B607C067770E0 4d612f1092f1776f1c1668b3825e (58 bytes)

     Figure 4: CoAP message for EDHOC and OSCORE combined - signaled
                         with the EDHOC Option

3.2.  Signalling in the OSCORE Option

   Another way to signal that the EDHOC message 3 is to be extracted
   from the CoAP payload as the first element of a CBOR sequence wrapped
   in a CBOR byte string, and that the processing defined in Section 3
   is to be executed, is to use one of the OSCORE Flag Bits of the
   OSCORE Option.

   Bit Position: 1

   Name: EDHOC

   Description: Set to 1 if the payload is a sequence of EDHOC message 3
   and OSCORE ciphertext.

   Reference: this document

   The OSCORE Option value with the EDHOC bit set is given in Figure 5.

    0 1 2 3 4 5 6 7 <------------- n bytes -------------->
   +-+-+-+-+-+-+-+-+--------------------------------------
   |0|1|0|h|k|  n  |       Partial IV (if any) ...
   +-+-+-+-+-+-+-+-+--------------------------------------

    <- 1 byte -> <----- s bytes ------>
   +------------+----------------------+------------------+
   | s (if any) | kid context (if any) | kid (if any) ... |
   +------------+----------------------+------------------+

        Figure 5: The OSCORE Option Value with the EDHOC bit set

   Figure 6 shows the format for a CoAP message containing both the
   OSCORE ciphertext and EDHOC message 3, using the Flag Bit 1 in the
   OSCORE Option for signaling.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Ver| T |  TKL  |      Code     |          Message ID           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Token (if any, TKL bytes) ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | OSCORE opt (with EDHOC bit set) | other options (if any) ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |1 1 1 1 1 1 1 1| Payload
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

     Figure 6: CoAP message for EDHOC and OSCORE combined - signaled
                        within the OSCORE option

   An example based on the OSCORE test vector from Appendix C.4 of
   [RFC8613] and the EDHOC test vector from Appendix B.2 of
   [I-D.ietf-lake-edhoc] is given in Figure 7.

   o  OSCORE option value without EDHOC bit set: 0x0914 (2 bytes)

   o  OSCORE option value with EDHOC bit set: 0x4914 (2 bytes)

   o  ciphertext: 0x612f1092f1776f1c1668b3825e (13 bytes)

   o  EDHOC message 3: 085253c3991999a5ffb86921e99b607c067770e0
      (20 bytes)

   From there:

   o  Protected CoAP request (OSCORE message): 0x44025d1f000039743
      96c6f63616c686f737462 4914 ff 54085253C3991999A5FFB86921E99B
      607C067770E0 4d612f1092f1776f1c1668b3825e (58 bytes)

     Figure 7: CoAP message for EDHOC and OSCORE combined - signaled
                        within the OSCORE Option

4.  Security Considerations

   The same security considerations from OSCORE [RFC8613] and EDHOC
   [I-D.ietf-lake-edhoc] hold for this document.

   TODO (more considerations)

5.  IANA Considerations

   Depending on the option chosen, this document will either register a
   new CoAP Option number to the CoAP Option Number registry, or a new
   bit to the OSCORE Flag Bits registry.

6.  Normative References

   [I-D.ietf-cbor-7049bis]
              Bormann, C. and P. Hoffman, "Concise Binary Object
              Representation (CBOR)", Work in Progress, Internet-Draft,
              draft-ietf-cbor-7049bis-16, 30 September 2020.

   [I-D.ietf-lake-edhoc]
              Selander, G., Mattsson, J., and F. Palombini, "Ephemeral
              Diffie-Hellman Over COSE (EDHOC)", Work in Progress,
              Internet-Draft, draft-ietf-lake-edhoc-01, 2 August 2020.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC7252]  Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
              Application Protocol (CoAP)", RFC 7252,
              DOI 10.17487/RFC7252, June 2014.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8613]  Selander, G., Mattsson, J., Palombini, F., and L.
              Seitz, "Object Security for Constrained RESTful
              Environments (OSCORE)", RFC 8613, DOI 10.17487/RFC8613,
              July 2019.

Acknowledgments

   The authors sincerely thank Christian Amsuess, Klaus Hartke, Jim
   Schaad and Malisa Vucinic for their feedback and comments in the
   discussion leading up to this draft.

   The work on this document has been partly supported by VINNOVA and
   the Celtic-Next project CRITISEC; and by the H2020 project SIFIS-Home
   (Grant agreement 952652).

Authors' Addresses

   Francesca Palombini
   Ericsson

   Email: francesca.palombini@ericsson.com

   Marco Tiloca
   RISE AB
   Isafjordsgatan 22
   SE-16440 Stockholm Kista
   Sweden

   Email: marco.tiloca@ri.se

   Rikard Hoeglund
   RISE AB
   Isafjordsgatan 22
   SE-16440 Stockholm Kista
   Sweden

   Email: rikard.hoglund@ri.se

   Stefan Hristozov
   Fraunhofer AISEC

   Email: stefan.hristozov@aisec.fraunhofer.de

   Goeran Selander
   Ericsson

   Email: goran.selander@ericsson.com