idnits 2.17.1

draft-urien-uta-tls-dtls-security-module-06.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (June 2018) is 2114 days in the past.  Is this
     intentional?

  Checking references for intended status: Experimental
  ----------------------------------------------------------------------------

  == Outdated reference: A later version (-38) exists of
     draft-urien-eap-smartcard-30

     Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

UTA Working Group                                              P. Urien
Internet Draft                                        Telecom ParisTech
Intended status: Experimental
                                                              June 2018
Expires: December 2018

                     TLS and DTLS Security Modules
            draft-urien-uta-tls-dtls-security-module-06.txt

Abstract

   Security and trust are very critical topics in the context of the
   anywhere, anytime, anything internet connectivity. TLS and DTLS are
   two major IETF protocols widely used to secure IP exchanges.
   According to CoAP, DTLS is the protocol used by constrained nodes in
   the Internet of Things (IoT) context.

   In this draft we specify an ISO7816 interface for TLS and DTLS
   secure modules based on ISO7816 secure chips, which are today
   manufactured by the billions every year.

   Secure elements are cheap secure microcontrollers whose size is
   about 25mm2 and whose security is ranked by evaluations typically
   according to Common Criteria (CC) standards.

   The support of TLS and DTLS is based on the EAP-TLS protocol, and
   the IETF draft "EAP Support in smartcard" describing EAP-TLS support
   for secure elements. A first implementation demonstrates that such
   low cost security modules are realistic, with a setup time for
   handshake completion under one second.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.
   Please review these documents carefully, as they describe your
   rights and restrictions with respect to this document. Code
   Components extracted from this document must include Simplified BSD
   License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Simplified BSD License.

Table of Contents

   Abstract
   Requirements Language
   Status of this Memo
   Copyright Notice
   1 Overview
   2 The EAP-TLS Smartcard
      2.1 The EAP-TLS protocol
      2.2 The EAP-TLS Smartcard
   4 The TLS Security Module
      4.1 EAP-TLS for TLS Security Module
      4.2 The TLS / EAP-TLS Software Bridge
      4.3 The TLS Security Module Encryption and Decryption procedures
   5 The DTLS Security Module
      5.1 EAP-TLS for DTLS Security Module
      5.2 The DTLS / EAP-TLS Software Bridge
      5.3 The DTLS Security Module Encryption and Decryption procedures
   6 Example of TLS processing by the TLS security module
   7 Example of DTLS processing by the DTLS security module
   8 Security Considerations
   9 IANA Considerations
   10 References
      10.1 Normative References
      10.2 Informative References
   11 Authors' Addresses

1 Overview

   Security and trust are very critical topics in the context of the
   anywhere, anytime, anything internet connectivity. TLS [TLS 1.0]
   [TLS 1.1], [TLS 1.2] and DTLS [DTLS 1.0] [DTLS 1.2] are two major
   IETF protocols widely used to secure IP exchanges. According to
   [COAP], DTLS is the protocol used by constrained nodes in the
   Internet of Things (IoT) context. In this draft we specify an
   interface for TLS and DTLS secure modules based on [ISO7816] secure
   chips, which are today manufactured by the billions every year.
   Secure elements are cheap secure microcontrollers whose size is
   about 25mm2 and whose security is ranked by evaluations typically
   according to Common Criteria (CC) standards. The support of TLS and
   DTLS is based on the EAP-TLS [EAP-TLS] protocol, and the IETF draft
   [EAP SC] "EAP Support for Smartcards" describing EAP-TLS support for
   secure elements. A first implementation demonstrates that such low
   cost security modules are realistic, with a setup time for handshake
   completion under one second.

2 The EAP-TLS Smartcard

2.1 The EAP-TLS protocol

   The EAP-TLS [EAP-TLS] protocol (as illustrated by figure 1) defines
   a transparent transport of the TLS protocol up to the exchange of
   the finished messages (for both server and client). According to
   EAP-TLS, and similarly to DTLS [DTLS 1.0] [DTLS 1.2], messages are
   grouped into a series of flights (four for the TLS full mode, and
   three for the TLS Session Resumption).

   The EAP-TLS protocol supports segmentation and reassembly operations
   managed via the "Flags" byte, which is detailed below:

    0 1 2 3 4 5 6 7
   +-+-+-+-+-+-+-+-+
   |L M S R R R R R|
   +-+-+-+-+-+-+-+-+

   L = Length included
   M = More fragments
   S = Start bit
   R = Reserved

   - The L bit (length included) is set to indicate the presence of the
     four-octet TLS Message Length field, and MUST be set for the first
     fragment of a fragmented TLS message or set of messages.
   - The M bit (more fragments) is set on all but the last fragment.
   - The S bit (EAP-TLS start) is set in an EAP-TLS Start message.

   When an EAP-TLS peer receives an EAP-Request packet with the M bit
   set, it MUST respond with an EAP-Response with EAP-Type=EAP-TLS and
   no data. This serves as a fragment ACK.

   Authenticating Peer          Authenticator
   EAP-TLS Smartcard (SC)       SC User
   -------------------          -------------
                                <- EAP-Request/
                                   Identity
   EAP-Response/
   Identity (MyID) ->
                                <- EAP-Request/
                                   EAP-Type=EAP-TLS
                                   Flags
                                   (TLS Start)
   EAP-Response/
   EAP-Type=EAP-TLS
   Flags
   (TLS client-hello)->                                         Flight 1
                                <- EAP-Request/
                                   EAP-Type=EAP-TLS
                                   Flags
                                   (TLS server-hello,           Flight 2
                                   TLS certificate,
                                   [TLS server-key-exchange,]
                                   TLS certificate-request,
                                   TLS server-hello-done)
   EAP-Response/
   EAP-Type=EAP-TLS
   Flags
   (TLS certificate,                                            Flight 3
   TLS client-key-exchange,
   TLS certificate-verify,
   TLS change-cipher-spec,
   TLS finished) ->
                                <- EAP-Request/
                                   EAP-Type=EAP-TLS
                                   Flags
                                   (TLS change-cipher-spec,     Flight 4
                                   TLS finished)
   EAP-Response/
   EAP-Type=EAP-TLS
   Flags ->

                                <- EAP-Success

   Figure 1. The EAP-TLS protocol

2.2 The EAP-TLS Smartcard

   The "EAP Support in Smartcard" draft [EAP SC] specifies an ISO7816
   interface for a secure element (named EAP-TLS smartcard, in figure
   1) that fully processes the EAP-TLS protocol until the reception of
   the EAP-Success message.

   The two main commands are detailed in figure 2:
   - Reset-State, which resets the EAP-TLS state machine,
   - Process-EAP, which transports TLS flights encapsulated in EAP-TLS
     messages.

   +------------------------+-----+-----+----+----+----+----+
   |        Command         |Class| INS | P1 | P2 | Lc | Le |
   +------------------------+-----+-----+----+----+----+----+
   | Process-EAP            | A0  |80-88| 00 | 00 | xx | yy |
   +------------------------+-----+-----+----+----+----+----+
   | Reset-State            | A0  | 19  | 10 | 00 | 00 | 01 |
   +------------------------+-----+-----+----+----+----+----+

   Figure 2

4 The TLS Security Module

4.1 EAP-TLS for the TLS Security Module

   TLS security modules are based on EAP-TLS devices, performing, as
   illustrated by figure 3, a transparent encapsulation of TLS packets.

   The EAP-Request-Identity message and EAP-Success message are not
   used by the TLS secure modules.
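
The Flags handling of section 2.1 and the Process-EAP wrapping of figure 2 can be exercised with the following Python code, which is an added example and not part of the draft or its author's implementation. All function and class names are hypothetical; INS 80, the 138-byte EAP packet size and the "next identifier" used when the SM user ACKs a response are taken from the traces later in this draft, and the 64 KiB buffer cap is an assumption.

```python
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_TLS = 1, 2, 0x0D
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20  # bit 0 of the Flags figure is the MSB
MAX_EAP = 0x8A  # assumption: largest EAP packet seen in the draft's traces


def build_eap_tls(code, ident, flags, data=b"", total_len=0):
    """Build one EAP-TLS packet; TLS Message Length follows Flags when L is set."""
    body = bytes([EAP_TYPE_TLS, flags])
    if flags & FLAG_L:
        body += struct.pack(">I", total_len)
    body += data
    return struct.pack(">BBH", code, ident & 0xFF, 4 + len(body)) + body


def parse_eap_tls(pkt):
    """Parse one EAP-TLS packet and reject inconsistent length fields."""
    if len(pkt) < 6:
        raise ValueError("truncated EAP-TLS header")
    code, ident, length = struct.unpack(">BBH", pkt[:4])
    if pkt[4] != EAP_TYPE_TLS:
        raise ValueError("EAP-Type is not EAP-TLS")
    if not 6 <= length <= len(pkt):
        raise ValueError("EAP Length disagrees with the bytes received")
    flags, start, total = pkt[5], 6, None
    if flags & FLAG_L:
        if length < 10:
            raise ValueError("L bit set without a TLS Message Length field")
        total = struct.unpack(">I", pkt[6:10])[0]
        start = 10
    # "trailer" holds bytes after the EAP Length, e.g. the time bytes that
    # the draft's traces append to the EAP-TLS Start command.
    return {"code": code, "id": ident, "flags": flags, "total_len": total,
            "data": pkt[start:length], "trailer": pkt[length:]}


def process_eap_apdu(eap_packet):
    """Wrap an EAP packet as Process-EAP: A0 80 00 00 Lc <packet> (figure 2)."""
    if len(eap_packet) > 255:
        raise ValueError("packet exceeds a short APDU; fragment it first")
    return bytes([0xA0, 0x80, 0x00, 0x00, len(eap_packet)]) + eap_packet


def fragment(code, first_id, message, max_eap=MAX_EAP):
    """Split one TLS flight into EAP-TLS packets, setting L and M per fragment."""
    packets, pos, ident = [], 0, first_id
    while True:
        room = max_eap - (10 if pos == 0 else 6)  # first fragment carries the length
        flags = FLAG_L if pos == 0 else 0
        chunk = message[pos:pos + room]
        pos += len(chunk)
        if pos < len(message):
            flags |= FLAG_M
        packets.append(build_eap_tls(code, ident, flags, chunk, len(message)))
        if not flags & FLAG_M:
            return packets
        ident += 1  # each fragment travels in its own request/response round


class Reassembler:
    """Rebuild a flight from fragments, producing the empty ACK after each M."""

    def __init__(self, limit=1 << 16):  # assumption: cap on buffered bytes
        self.buf, self.expected, self.limit = bytearray(), None, limit

    def feed(self, pkt):
        """Return (message, None) when complete, else (None, ack_packet)."""
        p = parse_eap_tls(pkt)
        if not self.buf and p["total_len"] is not None:
            self.expected = p["total_len"]
        self.buf += p["data"]
        cap = self.limit if self.expected is None else min(self.limit, self.expected)
        if len(self.buf) > cap:
            raise ValueError("fragments exceed the announced TLS Message Length")
        if p["flags"] & FLAG_M:
            if p["code"] == EAP_REQUEST:  # module side: ACK reuses the identifier
                return None, build_eap_tls(EAP_RESPONSE, p["id"], 0)
            # SM user side: the ACK is a new request with the next identifier
            return None, build_eap_tls(EAP_REQUEST, p["id"] + 1, 0)
        if self.expected is not None and len(self.buf) != self.expected:
            raise ValueError("flight shorter than the announced TLS Message Length")
        message, self.buf, self.expected = bytes(self.buf), bytearray(), None
        return message, None
```

With a constructed 722-byte flight, `fragment()` yields the same six packet headers as the first DTLS Flight 4 exchange in section 7, and a fragment whose data overruns or falls short of the announced TLS Message Length is rejected instead of being passed on.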

   Security Module (SM)         SM User
   -------------------          -------------

                                <- EAP-Request/
                                   EAP-Type=EAP-TLS
                                   Flags
                                   (TLS Start)
   EAP-Response/
   EAP-Type=EAP-TLS
   Flags
   (TLS client-hello)->
                                <- EAP-Request/
                                   EAP-Type=EAP-TLS
                                   Flags
                                   (TLS server-hello,
                                   TLS certificate,
                                   [TLS server-key-exchange,]
                                   TLS certificate-request,
                                   TLS server-hello-done)
   EAP-Response/
   EAP-Type=EAP-TLS
   Flags
   (TLS certificate,
   TLS client-key-exchange,
   TLS certificate-verify,
   TLS change-cipher-spec,
   TLS finished) ->
                                <- EAP-Request/
                                   EAP-Type=EAP-TLS
                                   Flags
                                   (TLS change-cipher-spec,
                                   TLS finished)
   EAP-Response/
   EAP-Type=EAP-TLS
   Flags ->

   =======================================================
             Four ways TLS Handshake Completion
   =======================================================

   Figure 2. The TLS Handshake Completion with the Security Module

4.2 The TLS / EAP-TLS Software Bridge

   A software bridge, illustrated by figure 3, extracts TLS flights
   from TLS packets, and manages EAP-TLS messages exchanged with the
   Security Module.

               +----------+            +-----------+
     TLS       |   TLS    |  EAP-TLS   |   TLS     |
     packet    |  EAP-TLS |  Packet    | Security  |
   <=======>   |  Bridge  | <========> |  Module   |
               +----------+            +-----------+

   Figure 3. The TLS / EAP-TLS Software Bridge

4.3 The TLS Security Module Encryption and Decryption procedures

   After the completion of the TLS four-way or three-way handshake
   (notified by the delivery of the EAP-Success message in EAP-TLS),
   the Security Module supports two procedures, Process-EAP-Encrypt and
   Process-EAP-Decrypt, in order to respectively compute TLS encrypted
   packets (see figure 4) or to check and decrypt the payload of TLS
   ciphered packets (see figure 5).

   Process-EAP-Encrypt(Type)
                                <- EAP-Request/
                                   EAP-Type=EAP-TLS
                                   Flags
                                   (Payload= Clear Text)
   EAP-Response/
   EAP-Type=EAP-TLS
   Flags
   (Payload= TLS Encrypted
    Record Layer Message)->

   Figure 4. Generation of TLS encrypted packet by TLS Security module

   Process-EAP-Decrypt
                                <- EAP-Request/
                                   EAP-Type=EAP-TLS
                                   Flags
                                   (Payload= TLS Encrypted
                                    Record Layer Message)->
   EAP-Response/
   EAP-Type=EAP-TLS
   Flags
   (Payload= TLS Clear
    Record Layer payload)->

   Figure 5. Generation of TLS decrypted packets

   In the case of the Process-EAP-Encrypt(Type) procedure, the payload
   of the EAP-TLS packet (see figure 4) is the clear text to be
   encrypted in the TLS Record Layer packet. The SM adds the Type field
   indicated in the Process-EAP-Encrypt command, and performs all
   needed operations in order to compute the TLS encrypted packet
   (including HMAC and optional padding bytes, see figure 6),
   encapsulated in the EAP-Response message (depicted in figure 4).

   In the case of the Process-EAP-Decrypt() procedure, the payload of
   the EAP-TLS packet (see figure 5) is the received TLS Record Layer
   encrypted packet, as shown by figure 6. The Security Module checks
   the HMAC, and upon success deciphers the encrypted payload; the
   resulting data is returned encapsulated in the EAP-Response message.

   +------+---------+--------+----------------------------+
   | Type | Version | Length |          Encrypted         |
   +------+---------+--------+          Payload           |
   +                                                      |
   +           +------+-----+------------+----------------+
   +           | HMAC | Pad | Pad Length |
   +-----------+------+-----+------------+

   Figure 6. A TLS (Record Layer) encrypted packet.

   Figure 7 details the structure of the Security Module commands
   needed for the encryption and decryption of TLS packets.

   +-------------+-----+-----+----+------------+----+----+---------+
   |   Command   |Class| INS | P1 |     P2     | Lc | Le |   SW    |
   +-------------+-----+-----+----+------------+----+----+---------+
   | Process-EAP | A0  |80-88| 00 | 80 || Type | xx | yy | 9000 OK |
   | Encrypt     |     |     |    |            |    |    | 6985 ERR|
   +-------------+-----+-----+----+------------+----+----+---------+
   | Process-EAP | A0  |80-88| 00 |     00     | xx | yy | 9000 OK |
   | Decrypt     |     |     |    |            |    |    | 6985 ERR|
   +-------------+-----+-----+----+------------+----+----+---------+

   Figure 7. The Security Module ISO7816 commands

5 The DTLS Security Module

5.1 EAP-TLS for the DTLS Security Module

   Security Module (SM)         SM User
   -------------------          -------------
                                <- EAP-Request/
                                   EAP-Type=EAP-TLS
                                   Flags
                                   (TLS Start)
   EAP-Response/
   EAP-Type=EAP-TLS
   Flags
   (DTLS client-hello) ->                                       Flight 1
                                <- EAP-Request/
                                   DTLS Hello-Verify-Request    Flight 2
                                   (contains cookie)
   EAP-Response/
   EAP-Type=EAP-TLS
   Flags
   (DTLS client-hello
   with cookie) ->                                              Flight 3
                                <- EAP-Request/
                                   EAP-Type=EAP-TLS
                                   Flags
                                   (DTLS server-hello,
                                   DTLS certificate,            Flight 4
                                   [DTLS server-key-exchange,]
                                   DTLS certificate-request,
                                   DTLS server-hello-done)
   EAP-Response/
   EAP-Type=EAP-TLS
   Flags
   (DTLS certificate,
   DTLS client-key-exchange,
   DTLS certificate-verify,                                     Flight 5
   DTLS change-cipher-spec,
   DTLS finished) ->
                                <- EAP-Request/
                                   Flags
                                   EAP-Type=EAP-TLS
                                   (DTLS change-cipher-spec,    Flight 6
                                   DTLS finished)
   EAP-Response/
   EAP-Type=EAP-TLS
   Flags ->
   =======================================================
             Four ways DTLS Handshake Completion
   =======================================================

   Figure 8. The DTLS handshake completion with the Security Module

   In a way similar to TLS (see figure 8), DTLS messages are
   encapsulated in EAP-TLS messages.

5.2 The DTLS / EAP-TLS Software Bridge

   A software bridge, illustrated by figure 9, extracts DTLS flights
   from DTLS packets, and manages EAP-TLS exchanges with the Security
   Module.

               +----------+            +-----------+
     DTLS      |   DTLS   |  EAP-TLS   |   DTLS    |
     packets   |  EAP-TLS |  Packets   | Security  |
   <=======>   |  Bridge  | <========> |  Module   |
               +----------+            +-----------+

   Figure 9. DTLS / EAP-TLS software bridge

   The DTLS security module doesn't manage handshake message
   fragmentation and reassembly. These operations are handled by the
   software bridge during the DTLS three-way or four-way handshake.
   Timeout and retransmission are also managed by the bridge entity.

   According to [DTLS 1.0], finished messages have no sensitivity to
   fragmentation. They are computed as if each handshake message had
   been sent as a single fragment. The security module (see figure 10)
   deals with handshake messages whose fragment-offset field is set to
   zero and whose fragment-length is equal to length. Because the
   handshake sequence is not used in cryptographic calculations, it is
   fully managed by the bridge. The security module does not take into
   account the sequence numbers of received messages, and numbers the
   handshake messages it produces starting from zero (at the generation
   of the first DTLS hello message), incrementing for every message.

      HandshakeType msgtype;
      uint24 length;
      uint16 message-sequence;
      uint24 fragment-offset;
      uint24 fragment-length;
      [Handshake Message]

   Figure 10. Structure of the DTLS Handshake message.

   It should also be noted that, according to the DTLS protocol [DTLS
   1.0], in cases where the cookie exchange is used, the initial
   ClientHello and HelloVerifyRequest are NOT included in the Finished
   MAC.

   When the Security Module builds the client finished message it sets
   the EPOCH field to one and resets the sequence number used by the
   record layer.
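
The bridge's fragmentation duty described in this section, reduced to the figure 10 header: the following Python code is an added example, not part of the draft or its author's bridge. It rebuilds the single-fragment form the module consumes (fragment-offset zero, fragment-length equal to length) and cuts module output back into fragments. Function names, the 64 KiB cap and the rejection of disagreeing overlaps are assumptions of this example; timeout and retransmission handling are left out.

```python
import struct

HDR = 12  # msgtype(1) length(3) message-sequence(2) fragment-offset(3) fragment-length(3)
MAX_MSG = 1 << 16  # assumption: cap on a buffered handshake message


def _u24(n):
    return n.to_bytes(3, "big")


def build_fragment(mtype, length, seq, offset, body):
    """Serialise one handshake fragment with the figure 10 header."""
    return (bytes([mtype]) + _u24(length) + struct.pack(">H", seq)
            + _u24(offset) + _u24(len(body)) + body)


def parse_fragment(buf):
    """Decode one DTLS handshake fragment and check it fits its message."""
    if len(buf) < HDR:
        raise ValueError("truncated handshake header")
    frag = {
        "type": buf[0],
        "length": int.from_bytes(buf[1:4], "big"),
        "seq": int.from_bytes(buf[4:6], "big"),
        "offset": int.from_bytes(buf[6:9], "big"),
        "body": buf[HDR:],
    }
    frag_len = int.from_bytes(buf[9:12], "big")
    if frag_len != len(frag["body"]) or frag["offset"] + frag_len > frag["length"]:
        raise ValueError("fragment does not fit the announced message")
    return frag


def reassemble(fragments):
    """Merge the fragments of ONE message into the single-fragment form."""
    key = msg = seen = None
    for raw in fragments:
        f = parse_fragment(raw)
        ident = (f["type"], f["length"], f["seq"])
        if key is None:
            if f["length"] > MAX_MSG:
                raise ValueError("handshake message too large to buffer")
            key = ident
            msg, seen = bytearray(f["length"]), bytearray(f["length"])
        elif ident != key:
            raise ValueError("fragments belong to different messages")
        lo, hi = f["offset"], f["offset"] + len(f["body"])
        # A retransmitted or overlapping fragment must agree with stored bytes.
        for i in range(lo, hi):
            if seen[i] and msg[i] != f["body"][i - lo]:
                raise ValueError("overlapping fragments disagree")
        msg[lo:hi] = f["body"]
        seen[lo:hi] = b"\x01" * (hi - lo)
    if key is None or 0 in seen:
        raise ValueError("message incomplete")
    return build_fragment(key[0], key[1], key[2], 0, bytes(msg))


def split(message, max_body):
    """Cut a single-fragment message from the module into smaller fragments."""
    f = parse_fragment(message)
    if f["offset"] != 0 or len(f["body"]) != f["length"]:
        raise ValueError("module output must be a single fragment")
    if max_body < 1:
        raise ValueError("max_body must be positive")
    body = f["body"]
    if not body:
        return [message]  # e.g. ServerHelloDone has an empty body
    return [build_fragment(f["type"], f["length"], f["seq"], off,
                           body[off:off + max_body])
            for off in range(0, len(body), max_body)]
```

The per-byte coverage map means duplicates from retransmission are harmless, while a gap or a conflicting overlap stops the message before it reaches the module.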
   The record layer packet structure is detailed by figure 11.

      struct {
        ContentType type;
        ProtocolVersion version;
        uint16 epoch;
        uint48 sequence-number;
        uint16 length;
        opaque fragment[DTLSPlaintext.length];
      } DTLSPlaintext;

   Figure 11. DTLS Record Layer packet structure

   According to [DTLS 1.0] the DTLS MAC is the same as that of TLS 1.1.
   However, rather than using TLS's implicit sequence number, the
   sequence number used to compute the MAC is the 64-bit value formed
   by concatenating the epoch and the sequence number in the order they
   appear on the wire. TLS MAC calculation is parameterized on the
   protocol version number, which, in the case of DTLS, is the
   on-the-wire version, i.e., {254,255} for DTLS 1.0.

5.3 The DTLS Security Module Encryption and Decryption procedures

   Upon the completion of the DTLS handshake, i.e. after the generation
   of finished messages (on both the client and server sides), the
   record layer is fully handled by the security module, which checks
   and decrypts all incoming packets (see figure 13), and produces
   encrypted and HMACed packets (see figure 12).

   Process-EAP-Encrypt(Type)
                                <- EAP-Request/
                                   EAP-Type=EAP-TLS
                                   Flags
                                   (Payload= Clear Text)
   EAP-Response/
   EAP-Type=EAP-TLS
   Flags
   (Payload= DTLS Encrypted
    Record Layer Message)->

   Figure 12. Generation of DTLS encrypted packet by the DTLS Security
   module

   Process-EAP-Decrypt
                                <- EAP-Request/
                                   EAP-Type=EAP-TLS
                                   Flags
                                   (Payload= DTLS Encrypted
                                    Record Layer Message)->
   EAP-Response/
   EAP-Type=EAP-TLS
   Flags
   (Payload= DTLS Clear
    Record Layer payload)->

   Figure 13. Generation of TLS decrypted packets

6 Example of TLS processing by the TLS security module

   The following choreography illustrates the processing of a TLS (1.0)
   resume session by the TLS security module. The CipherSuite is
   AES-SHA1.
516 // RESET the Security Module 517 >> A0 19 10 00 00 518 << 90 00 520 // Send EAP-TLS-Start in EAP-Request 521 // last four bytes represent the time 522 >> A0 80 00 00 0A 01 14 00 06 0D 20 55 82 E9 D1 524 // Flight 1 525 // Client Hello in EAP-Response 526 << 02 14 00 5C 0D 80 00 00 00 52 16 03 01 00 4D 01 00 00 49 03 527 01 55 82 E9 D1 BE 21 DF 71 68 C3 14 BB DC 09 57 24 DA 77 F1 528 EA C1 9F 54 AF 0F E4 61 C9 5A 3F 06 93 20 34 1A 3F 0A E5 6C 529 C0 39 F1 E2 9A F7 D3 D6 6E C0 91 CC EB 77 61 7D 88 FF C7 00 530 F9 C3 6D 1F 1F 8C 00 02 00 2F 01 00 531 90 00 533 // Flight 2 534 // Server Hello + CCS + Finished in EAP-Request 535 // 1st fragment 537 >> A0 80 00 00 8A 01 0D 00 8A 0D C0 00 00 00 8A 16 03 01 00 4A 538 02 00 00 46 03 01 55 82 EA 66 4D ED 28 C0 E2 4F 22 12 01 35 539 49 82 61 5A FC 29 64 3B 20 1D 3A D4 00 39 91 27 07 06 20 34 540 1A 3F 0A E5 6C C0 39 F1 E2 9A F7 D3 D6 6E C0 91 CC EB 77 61 541 7D 88 FF C7 00 F9 C3 6D 1F 1F 8C 00 2F 00 14 03 01 00 01 01 542 16 03 01 00 30 85 D5 76 49 D3 58 C9 93 D8 03 B1 91 19 78 3F 543 16 A1 3A DF 03 54 53 63 B6 42 A5 5A 8A 23 C2 C5 AD 84 75 30 544 85 BE 75 546 // EAP-TLS ACK 547 << 02 0D 00 06 0D 00 548 90 00 550 // 2nd fragment 551 >> A0 80 00 00 10 01 0E 00 10 0D 00 26 92 99 2A 9E 7F FF 2E 552 BC CB 554 // Flight 3 555 // Client CCS + Finished in EAP-Response 556 << 02 0E 00 45 0D 80 00 00 00 3B 14 03 01 00 01 01 16 03 01 00 557 30 86 8A 10 A2 85 5F DA D8 52 16 D6 57 12 75 A6 57 A2 20 1B 558 A5 5B F0 0A E5 34 62 FF 92 28 BC DD 72 5E D7 6E C0 D4 A5 52 559 1F AA F5 6D 7C 8A 37 02 54 560 90 00 561 // TLS handshake completion 563 // Process-EAP-Decrypt 564 >> A0 80 00 00 2B 01 0F 00 2B 0D 00 17 03 01 00 20 75 1A 28 2D 565 F3 E1 12 D5 19 7C 3E 38 CB 49 D6 43 CF B0 F3 E5 A3 1A BF A1 566 E0 75 AE A8 07 89 B0 45 568 // Empty Record Layer Payload 569 << 02 0F 00 0A 0D 80 00 00 00 00 570 90 00 572 //Process-EAP-Decrypt 574 >> A0 80 00 00 2B 01 10 00 2B 0D 00 17 03 01 00 20 A0 65 57 15 575 17 D2 DA 92 FF A3 7F 07 F4 95 53 86 4C 55 
F3 2C 87 6B A8 CB 576 2F 36 F3 71 D2 AD A3 F7 578 // Record Layer Clear Payload = 31 32 33 34 0D OA 579 << 02 10 00 10 0D 80 00 00 00 06 31 32 33 34 0D 0A 580 90 00 582 // Process-EAP-Encrypt type=17h, payload = 31 32 33 34 0D 0A 583 >> A0 80 00 97 0C 01 11 00 0C 0D 00 31 32 33 34 0D 0A 585 // Encrypted TLS Record Layer packet in EAP-Response 586 << 02 11 00 2F 0D 80 00 00 00 25 17 03 01 00 20 15 06 B7 7D 1F 587 1E F3 51 4A 8E 70 3C AE B2 EF EF D0 45 A7 1E 3F 68 92 AF 0C 588 09 C7 91 97 F7 C2 E6 589 90 00 590 7 Example of DTLS processing by the DTLS security module 592 The following choreography illustrates the processing of a DTLS full 593 session the DTLS security module. The CipherSuite is AES-SHA1. 595 // RESET the Security Module 596 >> A0 19 10 00 00 597 << 90 00 599 // Send EAP-TLS-Start in EAP-Request 600 // The last four bytes represent the time 602 >> A0 80 00 00 0A 01 14 00 06 0D 20 55 83 BF CA 604 // Flight 1 605 // DTLS ClientHello (no cookie) in EAP-Response 606 // RL-seq=0, RL-epoch=0, Handshake-seq=0 607 << 02 14 00 4D 0D 80 00 00 00 43 16 FE FF 00 00 00 00 00 00 00 608 00 00 36 01 00 00 2A 00 00 00 00 00 00 00 2A FE FF 55 83 BF 609 CA DD 4C 24 32 85 D1 A5 21 EB EE F3 33 50 88 17 6B 48 6A CB 610 24 E6 28 8B FE 3C 85 F3 F1 00 00 00 02 00 2F 01 00 611 90 00 613 DTLS Bridge sends 67 bytes 614 DTLS Bridge receives RL-Seq=0, RL-epoch=0, Handshake-seq=0 616 // Flight 2 DTLS HelloVerifyRequest (contains cookie) 617 // DTLS HelloVerifyRequest in EAP-Response 619 >> A0 80 00 00 36 01 01 00 36 0D 00 16 FE FF 00 00 00 00 00 00 620 00 00 00 23 03 00 00 17 00 00 00 00 00 00 00 17 FE FF 14 C2 621 38 AC 8C F8 F5 CE CA 9B 9E F1 2F 8A D1 9E 2F 84 27 F2 FF 623 // Flight 3 DTLS HelloClient (contains cookie) 624 // DTLS ClientHello in EAP-Response 625 // RL-seq=1, RL-epoch=0, Handshake-seq=1 627 << 02 01 00 61 0D 80 00 00 00 57 16 FE FF 00 00 00 00 00 00 00 628 01 00 4A 01 00 00 3E 00 01 00 00 00 00 00 3E FE FF 55 83 BF 629 CA DD 4C 24 32 85 D1 A5 21 EB EE F3 33 50 88 
17 6B 48 6A CB 630 24 E6 28 8B FE 3C 85 F3 F1 00 14 C2 38 AC 8C F8 F5 CE CA 9B 631 9E F1 2F 8A D1 9E 2F 84 27 F2 FF 00 02 00 2F 01 00 632 90 00 634 DTLS Bridges sends 87 bytes 635 DTLS Bridges receives 636 RL-seq=1 RL-epoch=0 Handshake-seq=1 637 RL-seq=2 RL-epoch=0 Handshake-seq=2 638 RL-seq=3 RL-epoch=0 Handshake-seq=3 639 RL-seq=4 RL-epoch=0 Handshake-seq=4 641 // Flight 4 642 // DTLS ServerHello, Certificate, CertificateRequest 643 // ServerHelloDone in EAP-Request 644 // 4 record layer messages 646 // EAP-TLS message 1st fragment 647 >> A0 80 00 00 8A 01 02 00 8A 0D C0 00 00 02 D2 16 FE FF 00 00 648 00 00 00 00 00 01 00 32 02 00 00 26 00 01 00 00 00 00 00 26 649 FE FF 55 83 BF CF F6 1B 78 8E 10 05 FC F7 4C 0C 0D 9D 98 4E 650 90 DA 71 EC BC 83 45 97 4A 71 D9 89 19 C1 00 00 2F 00 16 FE 651 FF 00 00 00 00 00 00 00 02 02 4E 0B 00 02 42 00 02 00 00 00 652 00 02 42 00 02 3F 00 02 3C 30 82 02 38 30 82 01 A1 A0 03 02 653 01 02 02 02 00 8B 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 654 00 30 57 656 // EAP-TLS Ack 657 << 02 02 00 06 0D 00 658 90 00 660 // 2nd fragment 661 >> A0 80 00 00 8A 01 03 00 8A 0D 40 31 0B 30 09 06 03 55 04 06 662 13 02 55 53 31 11 30 0F 06 03 55 04 08 13 08 56 69 72 67 69 663 6E 69 61 31 10 30 0E 06 03 55 04 07 13 07 46 61 69 72 66 61 664 78 31 11 30 0F 06 03 55 04 0A 13 08 5A 6F 72 6B 2E 6F 72 67 665 31 10 30 0E 06 03 55 04 03 13 07 52 6F 6F 74 20 43 41 30 1E 666 17 0D 31 34 30 37 31 33 32 32 34 39 30 37 5A 17 0D 32 32 30 667 39 32 39 32 32 34 39 30 37 5A 30 5D 31 0B 30 09 06 03 55 04 668 06 13 02 670 // EAP-TLS Ack 671 << 02 03 00 06 0D 00 672 90 00 674 // 3rd fragment 675 >> A0 80 00 00 8A 01 04 00 8A 0D 40 46 52 31 14 30 12 06 03 55 676 04 08 13 0B 49 6C 65 44 65 46 72 61 6E 63 65 31 0E 30 0C 06 677 03 55 04 07 13 05 50 61 72 69 73 31 17 30 15 06 03 55 04 0A 678 13 0E 65 74 68 65 72 74 72 75 73 74 2E 63 6F 6D 31 0F 30 0D 679 06 03 55 04 03 13 06 63 6C 69 65 6E 74 30 81 9F 30 0D 06 09 680 2A 86 48 86 F7 0D 01 01 01 05 00 03 81 8D 00 30 81 89 02 
81 681 81 00 E3 83 38 A1 60 FE 8B 24 6F 39 E6 A8 A9 81 8F BE 9C E2 682 E3 7F 45 684 // EAP-TLS ack 685 << 02 04 00 06 0D 00 686 90 00 688 // 4th fragment 689 >> A0 80 00 00 8A 01 05 00 8A 0D 40 2F 9B C7 41 09 B2 10 52 38 690 3F 74 46 89 C4 A1 4E 28 9D F7 22 8B AF 90 D1 3C 3C 03 4A 2F 691 FC AA 03 26 3E 21 6C 19 DB 87 D7 F6 19 D6 F4 57 A4 BA 08 14 692 CB B3 1C 1F 01 76 6B 08 5A 4B 40 09 8B AB C8 6E 31 25 17 78 693 04 78 84 0F CB 0E B1 B9 D0 27 73 30 0D AE C1 7D BB 8E 1B 65 694 0A 17 51 23 9F C9 89 62 44 38 5C E6 63 A0 72 E2 99 67 02 03 695 01 00 01 A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00 30 0D 696 06 09 2A 698 // EAP-TLS Ack 699 << 02 05 00 06 0D 00 700 90 00 702 // 5th fragment 704 >> A0 80 00 00 8A 01 06 00 8A 0D 40 86 48 86 F7 0D 01 01 05 05 705 00 03 81 81 00 7C 95 33 F9 17 27 BE CB 2A 85 6C A9 9E B8 4B 706 07 9B 09 69 ED D1 8A 38 A5 CA 1B C6 44 06 F9 A3 BD E4 66 58 707 C4 BE 92 32 C9 9E 43 42 26 9E EF 67 1D 6E A3 2C CE 59 DE 3E 708 0F 07 3A 10 66 72 5E A1 E5 06 76 76 CC 8D C0 47 54 42 AB FA 709 36 1C F1 8B 57 C0 A7 2B 65 52 4F 2E 36 75 D5 15 34 18 38 61 710 3A 18 18 5D D5 E3 9E 8D 1C DD 3D D3 A6 93 3D 19 0C 9C FA 98 711 C0 B0 5B 713 // EAP-TLS Ack 714 << 02 06 00 06 0D 00 715 90 00 717 // 6th and last fragment 719 >> A0 80 00 00 48 01 07 00 48 0D 00 4F 35 CF B2 88 51 6D 9F 75 720 FD 16 FE FF 00 00 00 00 00 00 00 03 00 12 0D 00 00 06 00 03 721 00 00 00 00 00 06 03 01 02 40 00 00 16 FE FF 00 00 00 00 00 722 00 00 04 00 0C 0E 00 00 00 00 04 00 00 00 00 00 00 724 // Flight 5 725 // Certificate, KeyExchange, CertificateVerify, ChangeCipherSpec 726 // Finished, in EAP-Response, 2 record layer messages 727 // RL-seq=2, RL-epoch=0, Handshake-seq=2,3,4,5 728 // RL-seq=0, RL-epoch=0, Handshake-seq=0 730 // EAP-TLS message, 1st EAP fragment 731 << 02 07 00 8A 0D C0 00 00 04 0F 16 FE FF 00 00 00 00 00 00 00 732 02 03 A7 0B 00 02 7F 00 02 00 00 00 00 02 7F 00 02 7C 00 02 733 79 30 82 02 75 30 82 01 DE A0 03 02 01 02 02 01 0C 30 0D 06 734 09 2A 86 48 86 F7 0D 01 01 05 
05 00 30 81 94 31 0B 30 09 06 735 03 55 04 06 13 02 46 52 31 0F 30 0D 06 03 55 04 08 13 06 46 736 72 61 6E 63 65 31 0E 30 0C 06 03 55 04 07 13 05 50 61 72 69 737 73 31 13 30 11 06 03 55 04 0A 13 0A 45 74 68 65 72 54 90 00 738 // EAP-TLS ack 739 >> A0 80 00 00 06 01 08 00 06 0D 00 741 // 2nd EAP fragment 742 << 02 08 00 86 0D 40 72 75 73 74 31 0D 30 0B 06 03 55 04 0B 13 743 04 54 65 73 74 31 14 30 12 06 03 55 04 03 13 0B 50 61 73 63 744 61 6C 55 72 69 65 6E 31 2A 30 28 06 09 2A 86 48 86 F7 0D 01 745 09 01 16 1B 70 61 73 63 61 6C 2E 75 72 69 65 6E 40 65 74 68 746 65 72 74 72 75 73 74 2E 63 6F 6D 30 1E 17 0D 31 34 30 37 31 747 34 30 38 30 33 31 37 5A 17 0D 32 32 30 39 33 30 30 38 30 33 748 31 37 5A 30 5D 31 0B 30 09 06 03 55 04 06 749 90 00 751 // EAP-TLS Ack 752 >> A0 80 00 00 06 01 09 00 06 0D 00 754 // 3rd EAP fragment 755 << 02 09 00 86 0D 40 13 02 46 52 31 14 30 12 06 03 55 04 08 13 756 0B 49 6C 65 44 65 46 72 61 6E 63 65 31 0E 30 0C 06 03 55 04 757 07 13 05 50 61 72 69 73 31 17 30 15 06 03 55 04 0A 13 0E 65 758 74 68 65 72 74 72 75 73 74 2E 63 6F 6D 31 0F 30 0D 06 03 55 759 04 03 13 06 53 65 72 76 65 72 30 81 9F 30 0D 06 09 2A 86 48 760 86 F7 0D 01 01 01 05 00 03 81 8D 00 30 81 89 02 81 81 00 D5 761 E3 52 F5 55 2B 10 1D 7D E9 3F 1A 49 23 59 762 90 00 764 // EAP-TLS Ack 765 >> A0 80 00 00 06 01 0A 00 06 0D 00 767 // 4th EAP fragment 768 << 02 0A 00 86 0D 40 8D F4 B2 E7 5C FE 4A 5B 0D D1 EA AB F2 A1 769 6D 79 36 EA CC 06 E2 2B 4F C9 6C EB 7C 69 DB 22 BE B2 72 26 770 26 A5 53 75 32 D4 80 7E CF AD 85 C1 B0 89 D4 35 FF B1 71 6B 771 65 74 46 23 BD 52 B5 1B 90 D2 78 4B AF 1F EE C5 94 8D 9B 93 772 55 70 4B 1B 5F E6 42 31 2D EA 48 BC C2 4E B4 CD C2 9F FF C2 773 BE F2 D8 2B E2 99 AD 98 2E 22 EB 97 81 12 70 8E AF 37 29 02 774 03 01 00 01 A3 0D 30 0B 30 09 06 03 55 1D 775 90 00 777 // EAP-TLS Ack 778 >> A0 80 00 00 06 01 0B 00 06 0D 00 780 // 5th EAP fragment 781 << 02 0B 00 86 0D 40 13 04 02 30 00 30 0D 06 09 2A 86 48 86 F7 782 0D 01 01 05 05 00 03 81 81 00 05 C2 17 66 F6 
50 B5 BC EB 77
   CB 57 20 5A 46 9A FB FE 0B 53 1B E7 39 9F B4 8D FE A5 B8 5A
   5A 70 18 32 9C EE 0F 67 E8 F3 A2 61 94 5D A7 ED 89 F0 42 A3
   8C 85 CA 42 A9 94 49 C3 52 2C EF 9A 2E 64 DA BA B5 AE E9 29
   C4 F6 5D 7F E9 4D BF CF 7A D9 6D DE 22 3F E2 57 DF 50 B0 E3
   6E AD 69 4E 05 C8 B5 F7 DC FC 26 0D F8 B7
   90 00

// EAP-TLS Ack
>> A0 80 00 00 06 01 0C 00 06 0D 00

// 6th EAP fragment
<< 02 0C 00 86 0D 40 9A 9E B1 C3 9D 4C 4A C7 17 AB 72 18 80 84
   3F 71 4F CA 14 29 78 40 37 FF 10 00 00 82 00 03 00 00 00 00
   00 82 00 80 75 0B 3B E0 EC 77 E9 5E A0 4B A9 EE AE 1A B2 50
   37 13 3C 5A 93 8B A9 DD C1 9D 0F 50 21 9E 12 34 60 AA 74 BC
   AA 36 C7 41 D9 EA DE 25 6C A5 C7 43 F6 87 7A 4D 31 A0 50 D6
   B4 B9 F9 4E 6A FF D1 25 9A 62 18 43 54 3F 00 B6 31 21 C1 09
   28 9A BB 7B EE F0 62 92 5D E0 A3 9A CA E2
   90 00

// EAP-TLS Ack
>> A0 80 00 00 06 01 0D 00 06 0D 00

// 7th EAP fragment
<< 02 0D 00 86 0D 40 51 EE 0A 87 85 36 BD 02 7A 40 B2 86 16 0E
   5E CE B5 E8 62 C0 3D F8 BC 2E F9 68 53 75 87 B7 AA 68 C8 EC
   65 AD 50 AD 0F 00 00 82 00 04 00 00 00 00 00 82 00 80 5A 35
   9C 84 56 48 04 91 2D EE 13 0D CB B1 C0 26 FE A9 37 40 B8 78
   A8 C5 06 27 94 2B 5D 04 65 2F 85 22 FB D7 56 04 72 C5 7B B4
   2D 41 E9 A9 4E 1D 14 1F F0 8C 83 40 FD 6A 84 39 49 E4 EF D6
   D1 8C 4E 7E 22 BD 96 5B 9B 2E 65 04 91 28
   90 00

// EAP-TLS Ack
>> A0 80 00 00 06 01 0E 00 06 0D 00

// 8th EAP fragment
<< 02 0E 00 3A 0D 40 FE 91 4E 1A 1A 36 91 F1 05 12 C5 9D 78 11
   24 E6 65 44 E9 A2 80 4D F4 61 0C 79 5C 93 D5 B4 F0 29 47 DE
   50 91 77 6D 99 62 D8 3E 02 12 2C E0 75 BE A4 4F 1C B9
   90 00

// EAP-TLS ack
>> A0 80 00 00 06 01 0F 00 06 0D 00

// 9th and last fragment
<< 02 0F 00 61 0D 00 14 FE FF 00 00 00 00 00 00 00 03 00 01 01
   16 FE FF 00 01 00 00 00 00 00 00 00 40 75 D7 8B EB FD 23 6F
   F7 63 65 D0 4C 40 1E F2 D5 9F 4D F0 D2 EA DF 6E F0 A8 89 7D
   15 86 B4 96 AB 93 61 9B 17 8D 01 50 64 C6 7C 76 BA 90 F7 22
   B3 D9 1A E3 B3 DA F4 43 1E 2C 3D 8B 49 02 D7 F6 6F
   90 00

DTLS Bridge sends 664 bytes
DTLS Bridge sends 155 bytes
DTLS Bridge sends 155 bytes
DTLS Bridge sends 14 bytes
DTLS Bridge sends 77 bytes

DTLS Bridge receives
RL-Seq=9, RL-epoch=0
RL-Seq=0, RL-epoch=1

// Flight 6
// ChangeCipherSpec, Finished, in EAP-TLS Request
>> A0 80 00 00 61 01 10 00 61 0D 00 14 FE FF 00 00 00 00 00 00
   00 09 00 01 01 16 FE FF 00 01 00 00 00 00 00 00 00 40 3F 2C
   D4 FE 86 92 89 66 C7 97 59 F1 C4 B8 15 C4 20 EC 39 FB B5 D5
   37 D9 86 72 37 95 DF 88 3A 22 A8 54 98 F0 BD 99 AF AC 37 62
   38 0C 86 4A 47 1B C0 63 08 CF 57 1B 5C DC 8C 7B C9 DB FE C0
   64 11

// EAP-TLS Ack
<< 02 10 00 06 0D 00
   90 00

TLS handshake completion

// Process-EAP-Encrypt type=17h, payload = 16x AA

>> A0 80 00 97 16 01 11 00 16 0D 00 AA AA AA AA AA AA AA AA AA
   AA AA AA AA AA AA AA

// Encrypted DTLS Record Layer packet in EAP-Response
<< 02 11 00 57 0D 80 00 00 00 4D 17 FE FF 00 01 00 00 00 00 00
   01 00 40 2C E9 45 8E A9 44 FA 2B 13 75 A3 A3 63 01 F5 29 91
   8B 20 B1 9B E2 7D 30 2D 91 D1 32 9A 6F 2E 3E D1 7B 64 F0 2A
   06 3E C3 5E 34 81 A0 2D 6D C5 30 70 41 83 4A 1C 09 E6 93 66
   76 23 45 63 14 3E BB
   90 00

Bridge sends 77 bytes
Bridge receives RL-seq=1, RL-epoch=1

//Process-EAP-Decrypt
>> A0 80 00 00 53 01 12 00 53 0D 00 17 FE FF 00 01 00 00 00 00
   00 01 00 40 0F 0E EE 3C F7 F4 FF 87 03 22 53 93 53 0D 83 E8
   86 A5 F4 36 FB 94 B3 58 B3 A8 86 1A 29 B5 A8 BB 6A EA 8B ED
   B9 81 62 A4 96 57 7B 39 8E 55 E5 D1 0E DC 74 49 42 16 27 60
   C3 32 ED DA CC D3 42 4A

// DTLS Record Layer Clear Payload = 16x AA
<< 02 12 00 1A 0D 80 00 00 00 10 AA AA AA AA AA AA AA AA AA AA
   AA AA AA AA AA AA
   90 00

// Process-EAP-Encrypt type=15h (Alert), payload = 0100
>> A0 80 00 95 08 01 13 00 08 0D 00 01 00

// Encrypted DTLS Record Layer packet in EAP-Response
<< 02 13 00 47 0D 80 00 00 00 3D 15 FE FF 00 01 00 00 00 00 00
   02 00 30 76 A5 73 71 9A 69 A3 8F DE 2F 0D 3D 15 49 D5 C1 01
   23 AE 0A 0B BB 14 F4 EC 8E 2E 84 A0 76 20 BF 3B 56 E7 C2 B9
   A4 0B 13 C2 71 BD AE C4 7F 95 32
   90 00

Bridge sends 61 bytes
Bridges receives RL-seq=2, RL-epoch=1

//Process-EAP-Decrypt
>> A0 80 00 00 43 01 14 00 43 0D 00 15 FE FF 00 01 00 00 00 00
   00 02 00 30 6B 4A 48 86 92 88 95 3C D9 0D 7B CD 9E 94 7B 93
   02 5C 75 FE C1 25 3E 5B 0D 99 8D 13 06 A3 3D 36 12 CD F9 1B
   23 0B CE 6E 55 E1 B1 9F 39 18 FA 10

// DTLS Record Layer Clear Payload = 0100
<< 02 14 00 0C 0D 80 00 00 00 02 01 00
   90 00

8 Security Considerations

9 IANA Considerations

10 References

10.1 Normative References

[TLS 1.0] Dierks, T., C. Allen, "The TLS Protocol Version 1.0", RFC
2246, January 1999

[TLS 1.1] Dierks, T., Rescorla, E., "The Transport Layer Security
(TLS) Protocol Version 1.1", RFC 4346, April 2006

[DTLS 1.0] E. Rescorla, N. Modadugu, "Datagram Transport Layer
Security", RFC 4347, April 2006

[EAP-TLS] D. Simon, B. Aboba, R. Hurst, "The EAP-TLS Authentication
Protocol", RFC 5216, March 2008

[TLS 1.2] Dierks, T., Rescorla, E., "The Transport Layer Security
(TLS) Protocol Version 1.1", RFC 5746, August 2008

[DTLS 1.2] E. Rescorla, N. Modadugu, "Datagram Transport Layer
Security Version 1.2", RFC 6347, January 2012

[COAP] Z. Shelby, K. Hartke, C. Bormann, "The Constrained
Application Protocol (CoAP)", RFC 7252, June 2014

[ISO7816] ISO 7816, "Cards Identification - Integrated Circuit Cards
with Contacts", The International Organization for Standardization
(ISO)

10.2 Informative References

[EAP SC] Urien, P., "EAP Support in Smartcard",
draft-urien-eap-smartcard-30.txt, December 2016

11 Authors' Addresses

Pascal Urien
Telecom ParisTech
23 avenue d'Italie
75013 Paris               Phone: NA
France                    Email: Pascal.Urien@telecom-paristech.fr
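
Added example, not part of the draft: a Python decoder for the three layers visible in the trace above (ISO7816 command APDU, EAP-TLS packet, DTLS records), useful for checking a captured exchange against what the bridge reports. The function names are hypothetical; the L flag is the RFC 5216 bit, the 13-byte record header is the RFC 4347 layout, and treating each command as a short APDU with Lc and no Le is an assumption read off the trace.

```python
import struct

# Flight 6 command APDU, bytes copied from the trace above.
FLIGHT6 = bytes.fromhex(
    "A0 80 00 00 61 01 10 00 61 0D 00 14 FE FF 00 00 00 00 00 00 "
    "00 09 00 01 01 16 FE FF 00 01 00 00 00 00 00 00 00 40 3F 2C "
    "D4 FE 86 92 89 66 C7 97 59 F1 C4 B8 15 C4 20 EC 39 FB B5 D5 "
    "37 D9 86 72 37 95 DF 88 3A 22 A8 54 98 F0 BD 99 AF AC 37 62 "
    "38 0C 86 4A 47 1B C0 63 08 CF 57 1B 5C DC 8C 7B C9 DB FE C0 "
    "64 11")
# Last response in the trace, status word 90 00 already removed.
LAST_RESPONSE = bytes.fromhex("02 14 00 0C 0D 80 00 00 00 02 01 00")

EAP_TYPE_TLS = 0x0D
FLAG_L = 0x80  # RFC 5216: TLS message length field present

def parse_command_apdu(apdu):
    """Short command APDU with Lc and no Le (assumed from the trace)."""
    if len(apdu) < 5 or apdu[4] != len(apdu) - 5:
        raise ValueError("Lc does not match the command body")
    return tuple(apdu[:4]), apdu[5:]

def parse_eap_tls(pkt):
    """Return (code, identifier, flags, tls_message_length, data)."""
    if len(pkt) < 6:
        raise ValueError("short EAP-TLS packet")
    code, ident, length, etype, flags = struct.unpack("!BBHBB", pkt[:6])
    if length != len(pkt) or etype != EAP_TYPE_TLS:
        raise ValueError("EAP length or type mismatch")
    if not flags & FLAG_L:
        return code, ident, flags, None, pkt[6:]
    if len(pkt) < 10:
        raise ValueError("L flag set but length field missing")
    return code, ident, flags, struct.unpack("!I", pkt[6:10])[0], pkt[10:]

def parse_dtls_records(buf):
    """Split buf into (type, version, epoch, sequence, fragment) tuples."""
    records, off = [], 0
    while off < len(buf):
        if len(buf) - off < 13:
            raise ValueError("truncated DTLS record header")
        ctype, version, epoch = struct.unpack("!BHH", buf[off:off + 5])
        seq = int.from_bytes(buf[off + 5:off + 11], "big")
        end = off + 13 + int.from_bytes(buf[off + 11:off + 13], "big")
        if end > len(buf):
            raise ValueError("DTLS record longer than the buffer")
        records.append((ctype, version, epoch, seq, buf[off + 13:end]))
        off = end
    return records
```

Run over the Flight 6 command, the two decoded records carry epoch 0, sequence 9 and epoch 1, sequence 0, which are the RL-Seq and RL-epoch values the bridge logs just before that command.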