idnits 2.17.1

draft-urien-uta-tls-dtls-security-module-05.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (December 2017) is 2321 days in the past.  Is this
     intentional?

  Checking references for intended status: Experimental
  ----------------------------------------------------------------------------

  == Outdated reference: A later version (-38) exists of
     draft-urien-eap-smartcard-30

     Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

UTA Working Group                                              P. Urien
Internet Draft                                        Telecom ParisTech
Intended status: Experimental
                                                          December 2017
Expires: June 2018

                     TLS and DTLS Security Modules
            draft-urien-uta-tls-dtls-security-module-05.txt

Abstract

   Security and trust are critical topics in the context of anywhere,
   anytime, anything Internet connectivity. TLS and DTLS are two major
   IETF protocols widely used to secure IP exchanges. According to
   CoAP, DTLS is the protocol used by constrained nodes in the
   Internet of Things (IoT) context.

   In this draft we specify an ISO7816 interface for TLS and DTLS
   secure modules based on ISO7816 secure chips, which are today
   manufactured by the billions every year.

   Secure elements are cheap secure microcontrollers whose size is
   about 25 mm2 and whose security is ranked by evaluations, typically
   according to Common Criteria (CC) standards.

   The support of TLS and DTLS is based on the EAP-TLS protocol and on
   the IETF draft "EAP Support in smartcard", which describes EAP-TLS
   support for secure elements. A first implementation demonstrates
   that such low-cost security modules are realistic, with a setup
   time for handshake completion under one second.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119.

TLS and DTLS Security Modules                             December 2017

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on June 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document. Code Components extracted from this
   document must include Simplified BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Simplified BSD License.

Table of Contents

   Abstract
   Requirements Language
   Status of this Memo
   Copyright Notice
   1 Overview
   2 The EAP-TLS Smartcard
      2.1 The EAP-TLS protocol
      2.2 The EAP-TLS Smartcard
   4 The TLS Security Module
      4.1 EAP-TLS for TLS Security Module
      4.2 The TLS / EAP-TLS Software Bridge
      4.3 The TLS Security Module Encryption and Decryption procedures
   5 The DTLS Security Module
      5.1 EAP-TLS for DTLS Security Module
      5.2 The DTLS / EAP-TLS Software Bridge
      5.3 The DTLS Security Module Encryption and Decryption procedures
   6 Example of TLS processing by the TLS security module
   7 Example of DTLS processing by the DTLS security module
   8 Security Considerations
   9 IANA Considerations
   10 References
      10.1 Normative References
      10.2 Informative References
   11 Authors' Addresses

1 Overview

   Security and trust are critical topics in the context of anywhere,
   anytime, anything Internet connectivity. TLS [TLS 1.0] [TLS 1.1],
   [TLS 1.2] and DTLS [DTLS 1.0] [DTLS 1.2] are two major IETF
   protocols widely used to secure IP exchanges. According to [COAP],
   DTLS is the protocol used by constrained nodes in the Internet of
   Things (IoT) context. In this draft we specify an interface for TLS
   and DTLS secure modules based on [ISO7816] secure chips, which are
   today manufactured by the billions every year. Secure elements are
   cheap secure microcontrollers whose size is about 25 mm2 and whose
   security is ranked by evaluations, typically according to Common
   Criteria (CC) standards. The support of TLS and DTLS is based on the
   EAP-TLS [EAP-TLS] protocol and on the IETF draft [EAP SC] "EAP
   Support for Smartcards", which describes EAP-TLS support for secure
   elements. A first implementation demonstrates that such low-cost
   security modules are realistic, with a setup time for handshake
   completion under one second.

2 The EAP-TLS Smartcard

2.1 The EAP-TLS protocol

   The EAP-TLS [EAP-TLS] protocol (as illustrated by figure 1) defines
   a transparent transport of the TLS protocol until the exchange of
   the finished messages (by both server and client). According to
   EAP-TLS, and similarly to DTLS [DTLS 1.0] [DTLS 1.2], messages are
   grouped into a series of flights (four for the TLS full mode, and
   three for TLS session resumption).

   The EAP-TLS protocol supports segmentation and reassembly operations
   managed via the "Flags" byte, which is detailed below:

       0 1 2 3 4 5 6 7
      +-+-+-+-+-+-+-+-+
      |L M S R R R R R|
      +-+-+-+-+-+-+-+-+

      L = Length included
      M = More fragments
      S = Start bit
      R = Reserved

   - The L bit (length included) is set to indicate the presence of the
     four-octet TLS Message Length field, and MUST be set for the first
     fragment of a fragmented TLS message or set of messages.
   - The M bit (more fragments) is set on all but the last fragment.
   - The S bit (EAP-TLS start) is set in an EAP-TLS Start message.

   When an EAP-TLS peer receives an EAP-Request packet with the M bit
   set, it MUST respond with an EAP-Response with EAP-Type=EAP-TLS and
   no data. This serves as a fragment ACK.

   Authenticating Peer        Authenticator
   EAP-TLS Smartcard (SC)     SC User
   -------------------        -------------
                              <- EAP-Request/
                              Identity
   EAP-Response/
   Identity (MyID) ->
                              <- EAP-Request/
                              EAP-Type=EAP-TLS
                              Flags
                              (TLS Start)
   EAP-Response/
   EAP-Type=EAP-TLS
   Flags
   (TLS client-hello)->                                   Flight 1
                              <- EAP-Request/
                              EAP-Type=EAP-TLS
                              Flags
                              (TLS server-hello,          Flight 2
                               TLS certificate,
                               [TLS server-key-exchange,]
                               TLS certificate-request,
                               TLS server-hello-done)
   EAP-Response/
   EAP-Type=EAP-TLS
   Flags
   (TLS certificate,                                      Flight 3
    TLS client-key-exchange,
    TLS certificate-verify,
    TLS change-cipher-spec,
    TLS finished) ->
                              <- EAP-Request/
                              EAP-Type=EAP-TLS
                              Flags
                              (TLS change-cipher-spec,    Flight 4
                               TLS finished)
   EAP-Response/
   EAP-Type=EAP-TLS
   Flags ->

                              <- EAP-Success

   Figure 1. The EAP-TLS protocol

2.2 The EAP-TLS Smartcard

   The "EAP Support in Smartcard" draft [EAP SC] specifies an ISO7816
   interface for a secure element (named EAP-TLS smartcard, in figure
   1) that fully processes the EAP-TLS protocol until the reception of
   the EAP-Success message.

   The two main commands are detailed in figure 2:
   - Reset-State, which resets the EAP-TLS state machine,
   - Process-EAP that transports TLS flights encapsulated in EAP-TLS
     messages.

   +------------------------+-----+-----+----+----+----+----+
   | Command                |Class| INS | P1 | P2 | Lc | Le |
   +------------------------+-----+-----+----+----+----+----+
   | Process-EAP            | A0  |80-88| 00 | 00 | xx | yy |
   +------------------------+-----+-----+----+----+----+----+
   | Reset-State            | A0  | 19  | 10 | 00 | 00 | 01 |
   +------------------------+-----+-----+----+----+----+----+
   Figure 2

4 The TLS Security Module

4.1 EAP-TLS for the TLS Security Module

   TLS security modules are based on EAP-TLS devices, performing, as
   illustrated by figure 3, a transparent encapsulation of TLS packets.

   The EAP-Request-Identity message and EAP-Success message are not
   used by the TLS secure modules.

   Security Module (SM)       SM User
   -------------------        -------------

                              <- EAP-Request/
                              EAP-Type=EAP-TLS
                              Flags
                              (TLS Start)
   EAP-Response/
   EAP-Type=EAP-TLS
   Flags
   (TLS client-hello)->
                              <- EAP-Request/
                              EAP-Type=EAP-TLS
                              Flags
                              (TLS server-hello,
                               TLS certificate,
                               [TLS server-key-exchange,]
                               TLS certificate-request,
                               TLS server-hello-done)
   EAP-Response/
   EAP-Type=EAP-TLS
   Flags
   (TLS certificate,
    TLS client-key-exchange,
    TLS certificate-verify,
    TLS change-cipher-spec,
    TLS finished) ->
                              <- EAP-Request/
                              EAP-Type=EAP-TLS
                              Flags
                              (TLS change-cipher-spec,
                               TLS finished)
   EAP-Response/
   EAP-Type=EAP-TLS
   Flags ->

   =======================================================
            Four ways TLS Handshake Completion
   =======================================================

   Figure 2. The TLS Handshake Completion with the Security Module

4.2 The TLS / EAP-TLS Software Bridge

   A software bridge, illustrated by figure 3, extracts TLS flights
   from TLS packets, and manages EAP-TLS messages exchanged with the
   Security Module.

             +----------+            +-----------+
      TLS    |   TLS    |  EAP-TLS   |   TLS     |
     packet  | EAP-TLS  |   Packet   | Security  |
   <=======> |  Bridge  | <========> |  Module   |
             +----------+            +-----------+

   Figure 3. The TLS / EAP-TLS Software Bridge

4.3 The TLS Security Module Encryption and Decryption procedures

   After the completion of the TLS four-way or three-way handshake
   (notified by the delivery of the EAP-Success message in EAP-TLS),
   the Security Module supports two procedures, Process-EAP-Encrypt and
   Process-EAP-Decrypt, in order to respectively compute TLS encrypted
   packets (see figure 4) or to check and decrypt the payload of TLS
   ciphered packets (see figure 5).

   Process-EAP-Encrypt(Type)
                              <- EAP-Request/
                              EAP-Type=EAP-TLS
                              Flags
                              (Payload= Clear Text)
   EAP-Response/
   EAP-Type=EAP-TLS
   Flags
   (Payload= TLS Encrypted
    Record Layer Message)->

   Figure 4. Generation of TLS encrypted packet by TLS Security module

   Process-EAP-Decrypt
                              <- EAP-Request/
                              EAP-Type=EAP-TLS
                              Flags
                              (Payload= TLS Encrypted
                               Record Layer Message)->
   EAP-Response/
   EAP-Type=EAP-TLS
   Flags
   (Payload= TLS Clear
    Record Layer payload)->

   Figure 5. Generation of TLS decrypted packets

   In the case of the Process-EAP-Encrypt(Type) procedure, the payload
   of the EAP-TLS packet (see figure 4) is the clear text to be
   encrypted in the TLS Record Layer packet. The SM adds the Type field
   indicated in the Process-EAP-Encrypt command, and performs all
   needed operations in order to compute the TLS encrypted packet
   (including HMAC and optional padding bytes, see figure 6),
   encapsulated in the EAP-Response message (depicted in figure 4).

   In the case of the Process-EAP-Decrypt() procedure, the payload of
   the EAP-TLS packet (see figure 5) is the received TLS Record Layer
   encrypted packet, as shown by figure 6. The Security Module checks
   the HMAC, and upon success deciphers the encrypted payload; the
   resulting data is returned encapsulated in the EAP-Response message.

   +------+---------+--------+----------------------------+
   | Type | Version | Length | Encrypted                  |
   +------+---------+--------+ Payload                    |
   +                                                      |
   +           +------+-----+------------+----------------+
   +           | HMAC | Pad | Pad Length |
   +-----------+------+-----+------------+

   Figure 6. A TLS (Record Layer) encrypted packet.

   Figure 7 details the structure of the Security Module command
   needed for the encryption and decryption of TLS packets.

   +-------------+-----+-----+----+------------+----+----+---------+
   | Command     |Class| INS | P1 | P2         | Lc | Le | SW      |
   +-------------+-----+-----+----+------------+----+----+---------+
   | Process-EAP | A0  |80-88| 00 | 80 || Type | xx | yy | 9000 OK |
   | Encrypt     |     |     |    |            |    |    | 6985 ERR|
   +-------------+-----+-----+----+------------+----+----+---------+
   | Process-EAP | A0  |80-88| 00 | 00         | xx | yy | 9000 OK |
   | Decrypt     |     |     |    |            |    |    | 6985 ERR|
   +-------------+-----+-----+----+------------+----+----+---------+

   Figure 7. The Security Module ISO7816 commands

5 The DTLS Security Module

5.1 EAP-TLS for the DTLS Security Module

   Security Module (SM)       SM User
   -------------------        -------------
                              <- EAP-Request/
                              EAP-Type=EAP-TLS
                              Flags
                              (TLS Start)
   EAP-Response/
   EAP-Type=EAP-TLS
   Flags
   (DTLS client-hello) ->                                 Flight 1
                              <- EAP-Request/
                              DTLS Hello-Verify-Request   Flight 2
                              (contains cookie)
   EAP-Response/
   EAP-Type=EAP-TLS
   Flags
   (DTLS client-hello
    with cookie) ->                                       Flight 3
                              <- EAP-Request/
                              EAP-Type=EAP-TLS
                              Flags
                              (DTLS server-hello,
                               DTLS certificate,          Flight 4
                               [DTLS server-key-exchange,]
                               DTLS certificate-request,
                               DTLS server-hello-done)
   EAP-Response/
   EAP-Type=EAP-TLS
   Flags
   (DTLS certificate,
    DTLS client-key-exchange,
    DTLS certificate-verify,                              Flight 5
    DTLS change-cipher-spec,
    DTLS finished) ->
                              <- EAP-Request/
                              Flags
                              EAP-Type=EAP-TLS
                              (DTLS change-cipher-spec,   Flight 6
                               DTLS finished)
   EAP-Response/
   EAP-Type=EAP-TLS
   Flags ->
   =======================================================
            Four ways DTLS Handshake Completion
   =======================================================

   Figure 8. The DTLS handshake completion with the Security Module

   In a way similar to TLS (see figure 8), DTLS messages are
   encapsulated in EAP-TLS messages.

5.2 The DTLS / EAP-TLS Software Bridge

   A software bridge, illustrated by figure 9, extracts DTLS flights
   from DTLS packets, and manages EAP-TLS exchanges with the Security
   Module.

             +----------+            +-----------+
      DTLS   |   DTLS   |  EAP-TLS   |   DTLS    |
     packets | EAP-TLS  |  Packets   | Security  |
   <=======> |  Bridge  | <========> |  Module   |
             +----------+            +-----------+

   Figure 9. DTLS / EAP-TLS software bridge

   The DTLS security module doesn't manage the fragmentation and
   reassembly of handshake messages. These operations are handled by
   the software bridge during the DTLS three-way or four-way handshake.
   Timeout and retransmission are also managed by the bridge entity.

   According to [DTLS 1.0], finished messages have no sensitivity to
   fragmentation. They are computed as if each handshake message had
   been sent as a single fragment. The security module (see figure 10)
   deals with handshake messages whose fragment-offset field is set to
   zero and whose fragment-length is equal to length. Because the
   handshake sequence is not used in cryptographic calculations, it is
   fully managed by the bridge. The security module does not take into
   account the sequence numbers of received messages, and numbers the
   handshake messages it produces starting from zero (at the generation
   of the first DTLS hello message), incrementing for every message.

      HandshakeType msgtype;
      uint24 length;
      uint16 message-sequence;
      uint24 fragment-offset;
      uint24 fragment-length;
      [Handshake Message]

   Figure 10. Structure of the DTLS Handshake message.
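
   The reassembly that section 5.2 leaves to the software bridge can be
   sketched as follows. This is an added example, not code from the
   draft or from its implementation; all function names are
   hypothetical, and the CertificateRequest body is the one visible in
   the section 7 trace, split here into two constructed fragments.

```python
"""Bridge-side reassembly of DTLS handshake fragments (added example)."""

# Header of figure 10: msgtype(1) length(3) message-sequence(2)
# fragment-offset(3) fragment-length(3)
HDR_LEN = 12


class ReassemblyError(ValueError):
    """Fragments are malformed, inconsistent, or do not cover the message."""


def make_fragment(msg_type, length, msg_seq, offset, body):
    """Encode one handshake fragment with the header of figure 10."""
    return (bytes([msg_type]) + length.to_bytes(3, "big")
            + msg_seq.to_bytes(2, "big") + offset.to_bytes(3, "big")
            + len(body).to_bytes(3, "big") + bytes(body))


def parse_fragment(frag):
    """Return (msg_type, length, msg_seq, offset, body) after bounds checks."""
    if len(frag) < HDR_LEN:
        raise ReassemblyError("fragment shorter than the 12-byte header")
    msg_type = frag[0]
    length = int.from_bytes(frag[1:4], "big")
    msg_seq = int.from_bytes(frag[4:6], "big")
    offset = int.from_bytes(frag[6:9], "big")
    frag_len = int.from_bytes(frag[9:12], "big")
    body = frag[HDR_LEN:]
    if len(body) != frag_len:
        raise ReassemblyError("fragment-length does not match the body size")
    if offset + frag_len > length:
        raise ReassemblyError("fragment runs past the declared message length")
    return msg_type, length, msg_seq, offset, body


def reassemble(fragments):
    """Build the single-fragment form the security module expects:
    fragment-offset = 0 and fragment-length = length."""
    if not fragments:
        raise ReassemblyError("no fragments")
    first_type, first_len, first_seq, _, _ = parse_fragment(fragments[0])
    buf = bytearray(first_len)
    seen = bytearray(first_len)  # 1 where a byte has already been received
    for frag in fragments:
        msg_type, length, msg_seq, offset, body = parse_fragment(frag)
        if (msg_type, length, msg_seq) != (first_type, first_len, first_seq):
            raise ReassemblyError("fragment belongs to another message")
        for i, byte in enumerate(body):
            pos = offset + i
            # Retransmitted or overlapping bytes must be identical.
            if seen[pos] and buf[pos] != byte:
                raise ReassemblyError("overlapping fragments disagree")
            buf[pos] = byte
            seen[pos] = 1
    if not all(seen):
        raise ReassemblyError("message is incomplete")
    return make_fragment(first_type, first_len, first_seq, 0, buf)


if __name__ == "__main__":
    # CertificateRequest body taken from the section 7 trace; the split
    # into two out-of-order fragments is constructed for this example.
    body = bytes.fromhex("03 01 02 40 00 00")
    frags = [make_fragment(0x0D, 6, 3, 4, body[4:]),
             make_fragment(0x0D, 6, 3, 0, body[:4])]
    print(reassemble(frags).hex(" "))
```

   The bridge should discard a flight for which reassemble() raises,
   rather than hand a partial message to the security module.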

   It should also be noted that, according to the DTLS protocol [DTLS
   1.0], in cases where the cookie exchange is used, the initial
   ClientHello and HelloVerifyRequest are NOT included in the Finished
   MAC.

   When the Security Module builds the client finished message it sets
   the EPOCH field to one and resets the sequence number used by the
   record layer. The record layer packet structure is detailed by
   figure 11.

      struct {
        ContentType type;
        ProtocolVersion version;
        uint16 epoch;
        uint48 sequence-number;
        uint16 length;
        opaque fragment[DTLSPlaintext.length];
      } DTLSPlaintext;

   Figure 11. DTLS Record Layer packet structure

   According to [DTLS 1.0] the DTLS MAC is the same as that of TLS 1.1.
   However, rather than using TLS's implicit sequence number, the
   sequence number used to compute the MAC is the 64-bit value formed
   by concatenating the epoch and the sequence number in the order they
   appear on the wire. TLS MAC calculation is parameterized on the
   protocol version number, which, in the case of DTLS, is the
   on-the-wire version, i.e., {254,255} for DTLS 1.0.

5.3 The DTLS Security Module Encryption and Decryption procedures

   Upon the completion of the DTLS handshake, i.e. after the generation
   of finished messages (on both the client and server side), the
   record layer is fully handled by the security module, which checks
   and decrypts all incoming packets (see figure 13), and produces
   encrypted and HMACed packets (see figure 12).

   Process-EAP-Encrypt(Type)
                              <- EAP-Request/
                              EAP-Type=EAP-TLS
                              Flags
                              (Payload= Clear Text)
   EAP-Response/
   EAP-Type=EAP-TLS
   Flags
   (Payload= DTLS Encrypted
    Record Layer Message)->

   Figure 12. Generation of DTLS encrypted packet by the DTLS Security
   module

   Process-EAP-Decrypt
                              <- EAP-Request/
                              EAP-Type=EAP-TLS
                              Flags
                              (Payload= DTLS Encrypted
                               Record Layer Message)->
   EAP-Response/
   EAP-Type=EAP-TLS
   Flags
   (Payload= DTLS Clear
    Record Layer payload)->

   Figure 13. Generation of TLS decrypted packets

6 Example of TLS processing by the TLS security module

   The following choreography illustrates the processing of a TLS (1.0)
   resumed session by the TLS security module. The CipherSuite is
   AES-SHA1.

   // RESET the Security Module
   >> A0 19 10 00 00
   << 90 00

   // Send EAP-TLS-Start in EAP-Request
   // last four bytes represent the time
   >> A0 80 00 00 0A 01 14 00 06 0D 20 55 82 E9 D1

   // Flight 1
   // Client Hello in EAP-Response
   << 02 14 00 5C 0D 80 00 00 00 52 16 03 01 00 4D 01 00 00 49 03
      01 55 82 E9 D1 BE 21 DF 71 68 C3 14 BB DC 09 57 24 DA 77 F1
      EA C1 9F 54 AF 0F E4 61 C9 5A 3F 06 93 20 34 1A 3F 0A E5 6C
      C0 39 F1 E2 9A F7 D3 D6 6E C0 91 CC EB 77 61 7D 88 FF C7 00
      F9 C3 6D 1F 1F 8C 00 02 00 2F 01 00
      90 00

   // Flight 2
   // Server Hello + CCS + Finished in EAP-Request
   // 1st fragment

   >> A0 80 00 00 8A 01 0D 00 8A 0D C0 00 00 00 8A 16 03 01 00 4A
      02 00 00 46 03 01 55 82 EA 66 4D ED 28 C0 E2 4F 22 12 01 35
      49 82 61 5A FC 29 64 3B 20 1D 3A D4 00 39 91 27 07 06 20 34
      1A 3F 0A E5 6C C0 39 F1 E2 9A F7 D3 D6 6E C0 91 CC EB 77 61
      7D 88 FF C7 00 F9 C3 6D 1F 1F 8C 00 2F 00 14 03 01 00 01 01
      16 03 01 00 30 85 D5 76 49 D3 58 C9 93 D8 03 B1 91 19 78 3F
      16 A1 3A DF 03 54 53 63 B6 42 A5 5A 8A 23 C2 C5 AD 84 75 30
      85 BE 75

   // EAP-TLS ACK
   << 02 0D 00 06 0D 00
      90 00

   // 2nd fragment
   >> A0 80 00 00 10 01 0E 00 10 0D 00 26 92 99 2A 9E 7F FF 2E
      BC CB

   // Flight 3
   // Client CCS + Finished in EAP-Response
   << 02 0E 00 45 0D 80 00 00 00 3B 14 03 01 00 01 01 16 03 01 00
      30 86 8A 10 A2 85 5F DA D8 52 16 D6 57 12 75 A6 57 A2 20 1B
      A5 5B F0 0A E5 34 62 FF 92 28 BC DD 72 5E D7 6E C0 D4 A5 52
      1F AA F5 6D 7C 8A 37 02 54
      90 00

   // TLS handshake completion

   // Process-EAP-Decrypt
   >> A0 80 00 00 2B 01 0F 00 2B 0D 00 17 03 01 00 20 75 1A 28 2D
      F3 E1 12 D5 19 7C 3E 38 CB 49 D6 43 CF B0 F3 E5 A3 1A BF A1
      E0 75 AE A8 07 89 B0 45

   // Empty Record Layer Payload
   << 02 0F 00 0A 0D 80 00 00 00 00
      90 00

   // Process-EAP-Decrypt

   >> A0 80 00 00 2B 01 10 00 2B 0D 00 17 03 01 00 20 A0 65 57 15
      17 D2 DA 92 FF A3 7F 07 F4 95 53 86 4C 55 F3 2C 87 6B A8 CB
      2F 36 F3 71 D2 AD A3 F7

   // Record Layer Clear Payload = 31 32 33 34 0D 0A
   << 02 10 00 10 0D 80 00 00 00 06 31 32 33 34 0D 0A
      90 00

   // Process-EAP-Encrypt type=17h, payload = 31 32 33 34 0D 0A
   >> A0 80 00 97 0C 01 11 00 0C 0D 00 31 32 33 34 0D 0A

   // Encrypted TLS Record Layer packet in EAP-Response
   << 02 11 00 2F 0D 80 00 00 00 25 17 03 01 00 20 15 06 B7 7D 1F
      1E F3 51 4A 8E 70 3C AE B2 EF EF D0 45 A7 1E 3F 68 92 AF 0C
      09 C7 91 97 F7 C2 E6
      90 00

7 Example of DTLS processing by the DTLS security module

   The following choreography illustrates the processing of a DTLS full
   session by the DTLS security module. The CipherSuite is AES-SHA1.

   // RESET the Security Module
   >> A0 19 10 00 00
   << 90 00

   // Send EAP-TLS-Start in EAP-Request
   // The last four bytes represent the time

   >> A0 80 00 00 0A 01 14 00 06 0D 20 55 83 BF CA

   // Flight 1
   // DTLS ClientHello (no cookie) in EAP-Response
   // RL-seq=0, RL-epoch=0, Handshake-seq=0
   << 02 14 00 4D 0D 80 00 00 00 43 16 FE FF 00 00 00 00 00 00 00
      00 00 36 01 00 00 2A 00 00 00 00 00 00 00 2A FE FF 55 83 BF
      CA DD 4C 24 32 85 D1 A5 21 EB EE F3 33 50 88 17 6B 48 6A CB
      24 E6 28 8B FE 3C 85 F3 F1 00 00 00 02 00 2F 01 00
      90 00

   DTLS Bridge sends 67 bytes
   DTLS Bridge receives RL-Seq=0, RL-epoch=0, Handshake-seq=0

   // Flight 2 DTLS HelloVerifyRequest (contains cookie)
   // DTLS HelloVerifyRequest in EAP-Response

   >> A0 80 00 00 36 01 01 00 36 0D 00 16 FE FF 00 00 00 00 00 00
      00 00 00 23 03 00 00 17 00 00 00 00 00 00 00 17 FE FF 14 C2
      38 AC 8C F8 F5 CE CA 9B 9E F1 2F 8A D1 9E 2F 84 27 F2 FF

   // Flight 3 DTLS HelloClient (contains cookie)
   // DTLS ClientHello in EAP-Response
   // RL-seq=1, RL-epoch=0, Handshake-seq=1

   << 02 01 00 61 0D 80 00 00 00 57 16 FE FF 00 00 00 00 00 00 00
      01 00 4A 01 00 00 3E 00 01 00 00 00 00 00 3E FE FF 55 83 BF
      CA DD 4C 24 32 85 D1 A5 21 EB EE F3 33 50 88 17 6B 48 6A CB
      24 E6 28 8B FE 3C 85 F3 F1 00 14 C2 38 AC 8C F8 F5 CE CA 9B
      9E F1 2F 8A D1 9E 2F 84 27 F2 FF 00 02 00 2F 01 00
      90 00

   DTLS Bridge sends 87 bytes
   DTLS Bridge receives
   RL-seq=1 RL-epoch=0 Handshake-seq=1
   RL-seq=2 RL-epoch=0 Handshake-seq=2
   RL-seq=3 RL-epoch=0 Handshake-seq=3
   RL-seq=4 RL-epoch=0 Handshake-seq=4

   // Flight 4
   // DTLS ServerHello, Certificate, CertificateRequest
   // ServerHelloDone in EAP-Request
   // 4 record layer messages

   // EAP-TLS message 1st fragment
   >> A0 80 00 00 8A 01 02 00 8A 0D C0 00 00 02 D2 16 FE FF 00 00
      00 00 00 00 00 01 00 32 02 00 00 26 00 01 00 00 00 00 00 26
      FE FF 55 83 BF CF F6 1B 78 8E 10 05 FC F7 4C 0C 0D 9D 98 4E
      90 DA 71 EC BC 83 45 97 4A 71 D9 89 19 C1 00 00 2F 00 16 FE
      FF 00 00 00 00 00 00 00 02 02 4E 0B 00 02 42 00 02 00 00 00
      00 02 42 00 02 3F 00 02 3C 30 82 02 38 30 82 01 A1 A0 03 02
      01 02 02 02 00 8B 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05
      00 30 57

   // EAP-TLS Ack
   << 02 02 00 06 0D 00
      90 00

   // 2nd fragment
   >> A0 80 00 00 8A 01 03 00 8A 0D 40 31 0B 30 09 06 03 55 04 06
      13 02 55 53 31 11 30 0F 06 03 55 04 08 13 08 56 69 72 67 69
      6E 69 61 31 10 30 0E 06 03 55 04 07 13 07 46 61 69 72 66 61
      78 31 11 30 0F 06 03 55 04 0A 13 08 5A 6F 72 6B 2E 6F 72 67
      31 10 30 0E 06 03 55 04 03 13 07 52 6F 6F 74 20 43 41 30 1E
      17 0D 31 34 30 37 31 33 32 32 34 39 30 37 5A 17 0D 32 32 30
      39 32 39 32 32 34 39 30 37 5A 30 5D 31 0B 30 09 06 03 55 04
      06 13 02

   // EAP-TLS Ack
   << 02 03 00 06 0D 00
      90 00

   // 3rd fragment
   >> A0 80 00 00 8A 01 04 00 8A 0D 40 46 52 31 14 30 12 06 03 55
      04 08 13 0B 49 6C 65 44 65 46 72 61 6E 63 65 31 0E 30 0C 06
      03 55 04 07 13 05 50 61 72 69 73 31 17 30 15 06 03 55 04 0A
      13 0E 65 74 68 65 72 74 72 75 73 74 2E 63 6F 6D 31 0F 30 0D
      06 03 55 04 03 13 06 63 6C 69 65 6E 74 30 81 9F 30 0D 06 09
      2A 86 48 86 F7 0D 01 01 01 05 00 03 81 8D 00 30 81 89 02 81
      81 00 E3 83 38 A1 60 FE 8B 24 6F 39 E6 A8 A9 81 8F BE 9C E2
      E3 7F 45

   // EAP-TLS ack
   << 02 04 00 06 0D 00
      90 00

   // 4th fragment
   >> A0 80 00 00 8A 01 05 00 8A 0D 40 2F 9B C7 41 09 B2 10 52 38
      3F 74 46 89 C4 A1 4E 28 9D F7 22 8B AF 90 D1 3C 3C 03 4A 2F
      FC AA 03 26 3E 21 6C 19 DB 87 D7 F6 19 D6 F4 57 A4 BA 08 14
      CB B3 1C 1F 01 76 6B 08 5A 4B 40 09 8B AB C8 6E 31 25 17 78
      04 78 84 0F CB 0E B1 B9 D0 27 73 30 0D AE C1 7D BB 8E 1B 65
      0A 17 51 23 9F C9 89 62 44 38 5C E6 63 A0 72 E2 99 67 02 03
      01 00 01 A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00 30 0D
      06 09 2A

   // EAP-TLS Ack
   << 02 05 00 06 0D 00
      90 00

   // 5th fragment

   >> A0 80 00 00 8A 01 06 00 8A 0D 40 86 48 86 F7 0D 01 01 05 05
      00 03 81 81 00 7C 95 33 F9 17 27 BE CB 2A 85 6C A9 9E B8 4B
      07 9B 09 69 ED D1 8A 38 A5 CA 1B C6 44 06 F9 A3 BD E4 66 58
      C4 BE 92 32 C9 9E 43 42 26 9E EF 67 1D 6E A3 2C CE 59 DE 3E
      0F 07 3A 10 66 72 5E A1 E5 06 76 76 CC 8D C0 47 54 42 AB FA
      36 1C F1 8B 57 C0 A7 2B 65 52 4F 2E 36 75 D5 15 34 18 38 61
      3A 18 18 5D D5 E3 9E 8D 1C DD 3D D3 A6 93 3D 19 0C 9C FA 98
      C0 B0 5B

   // EAP-TLS Ack
   << 02 06 00 06 0D 00
      90 00

   // 6th and last fragment

   >> A0 80 00 00 48 01 07 00 48 0D 00 4F 35 CF B2 88 51 6D 9F 75
      FD 16 FE FF 00 00 00 00 00 00 00 03 00 12 0D 00 00 06 00 03
      00 00 00 00 00 06 03 01 02 40 00 00 16 FE FF 00 00 00 00 00
      00 00 04 00 0C 0E 00 00 00 00 04 00 00 00 00 00 00

   // Flight 5
   // Certificate, KeyExchange, CertificateVerify, ChangeCipherSpec
   // Finished, in EAP-Response, 2 record layer messages
   // RL-seq=2, RL-epoch=0, Handshake-seq=2,3,4,5
   // RL-seq=0, RL-epoch=0, Handshake-seq=0

   // EAP-TLS message, 1st EAP fragment
   << 02 07 00 8A 0D C0 00 00 04 0F 16 FE FF 00 00 00 00 00 00 00
      02 03 A7 0B 00 02 7F 00 02 00 00 00 00 02 7F 00 02 7C 00 02
      79 30 82 02 75 30 82 01 DE A0 03 02 01 02 02 01 0C 30 0D 06
      09 2A 86 48 86 F7 0D 01 01 05 05 00 30 81 94 31 0B 30 09 06
      03 55 04 06 13 02 46 52 31 0F 30 0D 06 03 55 04 08 13 06 46
      72 61 6E 63 65 31 0E 30 0C 06 03 55 04 07 13 05 50 61 72 69
      73 31 13 30 11 06 03 55 04 0A 13 0A 45 74 68 65 72 54 90 00

   // EAP-TLS ack
   >> A0 80 00 00 06 01 08 00 06 0D 00

   // 2nd EAP fragment
   << 02 08 00 86 0D 40 72 75 73 74 31 0D 30 0B 06 03 55 04 0B 13
      04 54 65 73 74 31 14 30 12 06 03 55 04 03 13 0B 50 61 73 63
      61 6C 55 72 69 65 6E 31 2A 30 28 06 09 2A 86 48 86 F7 0D 01
      09 01 16 1B 70 61 73 63 61 6C 2E 75 72 69 65 6E 40 65 74 68
      65 72 74 72 75 73 74 2E 63 6F 6D 30 1E 17 0D 31 34 30 37 31
      34 30 38 30 33 31 37 5A 17 0D 32 32 30 39 33 30 30 38 30 33
      31 37 5A 30 5D 31 0B 30 09 06 03 55 04 06
      90 00

   // EAP-TLS Ack
   >> A0 80 00 00 06 01 09 00 06 0D 00

   // 3rd EAP fragment
   << 02 09 00 86 0D 40 13 02 46 52 31 14 30 12 06 03 55 04 08 13
      0B 49 6C 65 44 65 46 72 61 6E 63 65 31 0E 30 0C 06 03 55 04
      07 13 05 50 61 72 69 73 31 17 30 15 06 03 55 04 0A 13 0E 65
      74 68 65 72 74 72 75 73 74 2E 63 6F 6D 31 0F 30 0D 06 03 55
      04 03 13 06 53 65 72 76 65 72 30 81 9F 30 0D 06 09 2A 86 48
      86 F7 0D 01 01 01 05 00 03 81 8D 00 30 81 89 02 81 81 00 D5
      E3 52 F5 55 2B 10 1D 7D E9 3F 1A 49 23 59
      90 00

   // EAP-TLS Ack
   >> A0 80 00 00 06 01 0A 00 06 0D 00

   // 4th EAP fragment
   << 02 0A 00 86 0D 40 8D F4 B2 E7 5C FE 4A 5B 0D D1 EA AB F2 A1
      6D 79 36 EA CC 06 E2 2B 4F C9 6C EB 7C 69 DB 22 BE B2 72 26
      26 A5 53 75 32 D4 80 7E CF AD 85 C1 B0 89 D4 35 FF B1 71 6B
      65 74 46 23 BD 52 B5 1B 90 D2 78 4B AF 1F EE C5 94 8D 9B 93
      55 70 4B 1B 5F E6 42 31 2D EA 48 BC C2 4E B4 CD C2 9F FF C2
      BE F2 D8 2B E2 99 AD 98 2E 22 EB 97 81 12 70 8E AF 37 29 02
      03 01 00 01 A3 0D 30 0B 30 09 06 03 55 1D
      90 00

   // EAP-TLS Ack
   >> A0 80 00 00 06 01 0B 00 06 0D 00

   // 5th EAP fragment
   << 02 0B 00 86 0D 40 13 04 02 30 00 30 0D 06 09 2A 86 48 86 F7
      0D 01 01 05 05 00 03 81 81 00 05 C2 17 66 F6 50 B5 BC EB 77
      CB 57 20 5A 46 9A FB FE 0B 53 1B E7 39 9F B4 8D FE A5 B8 5A
      5A 70 18 32 9C EE 0F 67 E8 F3 A2 61 94 5D A7 ED 89 F0 42 A3
      8C 85 CA 42 A9 94 49 C3 52 2C EF 9A 2E 64 DA BA B5 AE E9 29
      C4 F6 5D 7F E9 4D BF CF 7A D9 6D DE 22 3F E2 57 DF 50 B0 E3
      6E AD 69 4E 05 C8 B5 F7 DC FC 26 0D F8 B7
      90 00

   // EAP-TLS Ack
   >> A0 80 00 00 06 01 0C 00 06 0D 00

   // 6th EAP fragment
   << 02 0C 00 86 0D 40 9A 9E B1 C3 9D 4C 4A C7 17 AB 72 18 80 84
      3F 71 4F CA 14 29 78 40 37 FF 10 00 00 82 00 03 00 00 00 00
      00 82 00 80 75 0B 3B E0 EC 77 E9 5E A0 4B A9 EE AE 1A B2 50
      37 13 3C 5A 93 8B A9 DD C1 9D 0F 50 21 9E 12 34 60 AA 74 BC
      AA 36 C7 41 D9 EA DE 25 6C A5 C7 43 F6 87 7A 4D 31 A0 50 D6
      B4 B9 F9 4E 6A FF D1 25 9A 62 18 43 54 3F 00 B6 31 21 C1 09
      28 9A BB 7B EE F0 62 92 5D E0 A3 9A CA E2
      90 00

   // EAP-TLS Ack
   >> A0 80 00 00 06 01 0D 00 06 0D 00

   // 7th EAP fragment
   << 02 0D 00 86 0D 40 51 EE 0A 87 85 36 BD 02 7A 40 B2 86 16 0E
      5E CE B5 E8 62 C0 3D F8 BC 2E F9 68 53 75 87 B7 AA 68 C8 EC
      65 AD 50 AD 0F 00 00 82 00 04 00 00 00 00 00 82 00 80 5A 35
      9C 84 56 48 04 91 2D EE 13 0D CB B1 C0 26 FE A9 37 40 B8 78
      A8 C5 06 27 94 2B 5D 04 65 2F 85 22 FB D7 56 04 72 C5 7B B4
      2D 41 E9 A9 4E 1D 14 1F F0 8C 83 40 FD 6A 84 39 49 E4 EF D6
      D1 8C 4E 7E 22 BD 96 5B 9B 2E 65 04 91 28
      90 00

   // EAP-TLS Ack
   >> A0 80 00 00 06 01 0E 00 06 0D 00

   // 8th EAP fragment
   << 02 0E 00 3A 0D 40 FE 91 4E 1A 1A 36 91 F1 05 12 C5 9D 78 11
      24 E6 65 44 E9 A2 80 4D F4 61 0C 79 5C 93 D5 B4 F0 29 47 DE
      50 91 77 6D 99 62 D8 3E 02 12 2C E0 75 BE A4 4F 1C B9
      90 00

   // EAP-TLS ack
   >> A0 80 00 00 06 01 0F 00 06 0D 00

   // 9th and last fragment
   << 02 0F 00 61 0D 00 14 FE FF 00 00 00 00 00 00 00 03 00 01 01
      16 FE FF 00 01 00 00 00 00 00 00 00 40 75 D7 8B EB FD 23 6F
      F7 63 65 D0 4C 40 1E F2 D5 9F 4D F0 D2 EA DF 6E F0 A8 89 7D
      15 86 B4 96 AB 93 61 9B 17 8D 01 50 64 C6 7C 76 BA 90 F7 22
      B3 D9 1A E3 B3 DA F4 43 1E 2C 3D 8B 49 02 D7 F6 6F
      90 00

   DTLS Bridge sends 664 bytes
   DTLS Bridge sends 155 bytes
   DTLS Bridge sends 155 bytes
   DTLS Bridge sends 14 bytes
   DTLS Bridge sends 77 bytes

   DTLS Bridge receives
   RL-Seq=9, RL-epoch=0
   RL-Seq=0, RL-epoch=1

   // Flight 6
   // ChangeCipherSpec, Finished, in EAP-TLS Request
   >> A0 80 00 00 61 01 10 00 61 0D 00 14 FE FF 00 00 00 00 00 00
      00 09 00 01 01 16 FE FF 00 01 00 00 00 00 00 00 00 40 3F 2C
      D4 FE 86 92 89 66 C7 97 59 F1 C4 B8 15 C4 20 EC 39 FB B5 D5
      37 D9 86 72 37 95 DF 88 3A 22 A8 54 98 F0 BD 99 AF AC 37 62
      38 0C 86 4A 47 1B C0 63 08 CF 57 1B 5C DC 8C 7B C9 DB FE C0
      64 11

   // EAP-TLS Ack
   << 02 10 00 06 0D 00
      90 00

   TLS handshake completion

   // Process-EAP-Encrypt type=17h, payload = 16x AA

   >> A0 80 00 97 16 01 11 00 16 0D 00 AA AA AA AA AA AA AA AA AA
      AA AA AA AA AA AA AA

   // Encrypted DTLS Record Layer packet in EAP-Response
   << 02 11 00 57 0D 80 00 00 00 4D 17 FE FF 00 01 00 00 00 00 00
      01 00 40 2C E9 45 8E A9 44 FA 2B 13 75 A3 A3 63 01 F5 29 91
      8B 20 B1 9B E2 7D 30 2D 91 D1 32 9A 6F 2E 3E D1 7B 64 F0 2A
      06 3E C3 5E 34 81 A0 2D 6D C5 30 70 41 83 4A 1C 09 E6 93 66
      76 23 45 63 14 3E BB
      90 00

   Bridge sends 77 bytes
   Bridge receives RL-seq=1, RL-epoch=1

   // Process-EAP-Decrypt
   >> A0 80 00 00 53 01 12 00 53 0D 00 17 FE FF 00 01 00 00 00 00
      00 01 00 40 0F 0E EE 3C F7 F4 FF 87 03 22 53 93 53 0D 83 E8
      86 A5 F4 36 FB 94 B3 58 B3 A8 86 1A 29 B5 A8 BB 6A EA 8B ED
      B9 81 62 A4 96 57 7B 39 8E 55 E5 D1 0E DC 74 49 42 16 27 60
      C3 32 ED DA CC D3 42 4A

   // DTLS Record Layer Clear Payload = 16x AA
   << 02 12 00 1A 0D 80 00 00 00 10 AA AA AA AA AA AA AA AA AA AA
      AA AA AA AA AA AA
      90 00

   // Process-EAP-Encrypt type=15h (Alert), payload = 0100
   >> A0 80 00 95 08 01 13 00 08 0D 00 01 00

   // Encrypted DTLS Record Layer packet in EAP-Response
   << 02 13 00 47 0D 80 00 00 00 3D 15 FE FF 00 01 00 00 00 00 00
      02 00 30 76 A5 73 71 9A 69 A3 8F DE 2F 0D 3D 15 49 D5 C1 01
      23 AE 0A 0B BB 14 F4 EC 8E 2E 84 A0 76 20 BF 3B 56 E7 C2 B9
      A4 0B 13 C2 71 BD AE C4 7F 95 32
      90 00

   Bridge sends 61 bytes
   Bridge receives RL-seq=2, RL-epoch=1

   // Process-EAP-Decrypt
   >> A0 80 00 00 43 01 14 00 43 0D 00 15 FE FF 00 01 00 00 00 00
      00 02 00 30 6B 4A 48 86 92 88 95 3C D9 0D 7B CD 9E 94 7B 93
      02 5C 75 FE C1 25 3E 5B 0D 99 8D 13 06 A3 3D 36 12 CD F9 1B
      23 0B CE 6E 55 E1 B1 9F 39 18 FA 10

   // DTLS Record Layer Clear Payload = 0100
   << 02 14 00 0C 0D 80 00 00 00 02 01 00
      90 00

8 Security Considerations

9 IANA Considerations

10 References

10.1 Normative References

   [TLS 1.0] Dierks, T., C. Allen, "The TLS Protocol Version 1.0", RFC
   2246, January 1999

   [TLS 1.1] Dierks, T., Rescorla, E., "The Transport Layer Security
   (TLS) Protocol Version 1.1", RFC 4346, April 2006

   [DTLS 1.0] E. Rescorla, N. Modadugu, "Datagram Transport Layer
   Security", RFC 4347, April 2006

   [EAP-TLS] D. Simon, B. Aboba, R. Hurst, "The EAP-TLS Authentication
   Protocol", RFC 5216, March 2008

   [TLS 1.2] Dierks, T., Rescorla, E., "The Transport Layer Security
   (TLS) Protocol Version 1.1", RFC 5746, August 2008

   [DTLS 1.2] E. Rescorla, N. Modadugu, "Datagram Transport Layer
   Security Version 1.2", RFC 6347, January 2012

   [COAP] Z. Shelby, K. Hartke, C. Bormann, "The Constrained
   Application Protocol (CoAP)", RFC 7252, June 2014

   [ISO7816] ISO 7816, "Cards Identification - Integrated Circuit Cards
   with Contacts", The International Organization for Standardization
   (ISO)

10.2 Informative References

   [EAP SC] Urien, P., "EAP Support in Smartcard", draft-urien-eap-
   smartcard-30.txt, December 2016

11 Authors' Addresses

   Pascal Urien
   Telecom ParisTech
   23 avenue d'Italie
   75013 Paris               Phone: NA
   France                    Email: Pascal.Urien@telecom-paristech.fr