Using Ephemeral Diffie-Hellman Over COSE (EDHOC) with the Constrained Application Protocol (CoAP) and Object Security for Constrained RESTful Environments (OSCORE) Ericsson AB
Torshamnsgatan 23 Kista 164 40 Sweden francesca.palombini@ericsson.com
RISE AB
Isafjordsgatan 22 Kista 164 40 Sweden marco.tiloca@ri.se
RISE AB
Isafjordsgatan 22 Kista 164 40 Sweden rikard.hoglund@ri.se
Eriptic
stefan.hristozov@eriptic.com
Ericsson
goran.selander@ericsson.com
WIT core Security Key agreement; Secure communication Constrained enviornments AKE lightweight authenticated key exchange IoT security The lightweight authenticated key exchange protocol Ephemeral Diffie-Hellman Over COSE (EDHOC) can be run over the Constrained Application Protocol (CoAP) and used by two peers to establish a Security Context for the security protocol Object Security for Constrained RESTful Environments (OSCORE). This document details this use of the EDHOC protocol by specifying a number of additional and optional mechanisms, including an optimization approach for combining the execution of EDHOC with the first OSCORE transaction. This combination reduces the number of round trips required to set up an OSCORE Security Context and to complete an OSCORE transaction using that Security Context.
Status of This Memo This is an Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at .
Copyright Notice Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents () in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
Table of Contents
  • .  Introduction
    • .  Terminology
  • .  EDHOC Overview
  • .  EDHOC Combined with OSCORE
    • .  EDHOC Option
    • .  Client Processing
      • .  Processing of the EDHOC + OSCORE Request
      • .  Supporting Block-Wise Transfers
    • .  Server Processing
      • .  Processing of the EDHOC + OSCORE Request
      • .  Supporting Block-Wise Transfers
    • .  Example of the EDHOC + OSCORE Request
  • .  Use of EDHOC Connection Identifiers with OSCORE
    • .  Additional Processing of EDHOC Messages
      • .  Initiator Processing of Message 1
      • .  Responder Processing of Message 2
      • .  Initiator Processing of Message 2
  • .  Extension and Consistency of Application Profiles
  • .  Web Linking
  • .  Security Considerations
  • .  IANA Considerations
    • .  CoAP Option Numbers Registry
    • .  Target Attributes Registry
    • .  EDHOC Authentication Credential Types Registry
    • .  Expert Review Instructions
  • .  References
    • .  Normative References
    • .  Informative References
  • Acknowledgments
  • Authors' Addresses
Introduction Ephemeral Diffie-Hellman Over COSE (EDHOC) is a lightweight authenticated key exchange protocol that is specifically intended for use in constrained scenarios. In particular, EDHOC messages can be transported over the Constrained Application Protocol (CoAP) and used for establishing a Security Context for Object Security for Constrained RESTful Environments (OSCORE) . This document details the use of the EDHOC protocol with CoAP and OSCORE and specifies a number of additional and optional mechanisms. These include an optimization approach that combines the EDHOC execution with the first OSCORE transaction (see ). This allows for a minimum number of two round trips necessary to set up the OSCORE Security Context and complete an OSCORE transaction, e.g., when an Internet of Things (IoT) device gets configured in a network for the first time. This optimization is desirable since the number of message exchanges can have a substantial impact on the latency of conveying the first OSCORE request when using certain radio technologies. Without this optimization, it is not possible to achieve the minimum number of two round trips. This optimization makes it possible since the message_3 of the EDHOC protocol can be made relatively small (see ), thus allowing additional OSCORE-protected CoAP data within target MTU sizes. The minimum number of two round trips can be achieved only if the default forward message flow of EDHOC is used, i.e., when a CoAP client acts as EDHOC Initiator and a CoAP server acts as EDHOC Responder. The performance advantage of using this optimization can be lost when used in combination with Block-wise transfers that rely on specific parameter values and block sizes. Furthermore, this document defines a number of parameters corresponding to different information elements of an EDHOC application profile (see ). These parameters can be specified as target attributes in the link to an EDHOC resource associated with that application profile, thus enabling an enhanced discovery of such a resource for CoAP clients.
Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. The reader is expected to be familiar with terms and concepts defined in CoAP , Concise Binary Object Representation (CBOR) , OSCORE , and EDHOC .
EDHOC Overview This section is not normative and summarizes what is specified in (specifically ). Thus, it provides a baseline for the enhancements in the subsequent sections. The EDHOC protocol specified in allows two peers to agree on a cryptographic secret in a mutually-authenticated way and achieves forward secrecy by using Diffie-Hellman ephemeral keys. The two peers are denoted as the "Initiator" and "Responder", as the one sending or receiving the initial EDHOC message_1, respectively. After successful processing of EDHOC message_3, both peers agree on a cryptographic secret that can be used to derive further security material and establish an OSCORE Security Context . The Responder can also send an optional EDHOC message_4 in order for the Initiator to achieve key confirmation, e.g., in deployments where no protected application message is sent from the Responder to the Initiator. specifies how to transfer EDHOC over CoAP. That is, the EDHOC data (i.e., the EDHOC message possibly with a prepended connection identifier) is transported in the payload of CoAP requests and responses. The default forward message flow of EDHOC consists in the CoAP client acting as Initiator and the CoAP server acting as Responder (see ). Alternatively, the two roles can be reversed as per the reverse message flow of EDHOC (see ). In the rest of this document, EDHOC messages are considered to be transferred over CoAP. shows a successful execution of EDHOC, with a CoAP client and a CoAP server running EDHOC as Initiator and Responder, respectively. In particular, it extends Figure 10 from by highlighting when the two peers perform EDHOC verification and establish the OSCORE Security Context, and by adding an exchange of OSCORE-protected CoAP messages after completing the EDHOC execution. That is, the client sends a POST request to a reserved EDHOC resource at the server, by default at the Uri-Path "/.well-known/edhoc". The request payload consists of the CBOR simple value true (0xf5) concatenated with EDHOC message_1, which also includes the EDHOC connection identifier C_I of the client encoded as per . The request has Content-Format application/cid-edhoc+cbor-seq. This triggers the EDHOC execution at the server, which replies with a 2.04 (Changed) response. The response payload consists of EDHOC message_2, which also includes the EDHOC connection identifier C_R of the server encoded as per . The response has Content-Format application/edhoc+cbor-seq. Finally, the client sends a POST request to the same EDHOC resource used earlier when it sent EDHOC message_1. The request payload consists of the EDHOC connection identifier C_R encoded as per concatenated with EDHOC message_3. The request has Content-Format application/cid-edhoc+cbor-seq. After this exchange takes place, and after successful verifications as specified in the EDHOC protocol, the client and server can derive an OSCORE Security Context as defined in . After that, the client and server can use OSCORE to protect their communications as per . Note that the EDHOC connection identifier C_R is used as the OSCORE Sender ID of the client (see ). Therefore, C_R is transported in the 'kid' field of the OSCORE option of the OSCORE Request (see ). The client and server are required to agree in advance on certain information and parameters describing how they should use EDHOC. These are specified in an application profile associated with the EDHOC resource addressed (see ).
Sequential Flow of EDHOC and OSCORE with the Optional message_4 Included CoAP client CoAP server (EDHOC Initiator) (EDHOC Responder) EDHOC Request Header: 0.02 (POST) Uri-Path: "/.well-known/edhoc" Content-Format: application/cid-edhoc+cbor-seq Payload: true, EDHOC message_1 EDHOC Response Header: 2.04 (Changed) Content-Format: application/edhoc+cbor-seq Payload: EDHOC message_2 EDHOC verification EDHOC Request Header: 0.02 (POST) Uri-Path: "/.well-known/edhoc" Content-Format: application/cid-edhoc+cbor-seq Payload: C_R, EDHOC message_3 EDHOC verification + OSCORE Sec Ctx Derivation EDHOC Response Header: 2.04 (Changed) Content-Format: application/edhoc+cbor-seq Payload: EDHOC message_4 OSCORE Sec Ctx Derivation OSCORE Request Header: 0.02 (POST) OSCORE: { ... ; kid: C_R } Payload: OSCORE-protected data OSCORE Response Header: 2.04 (Changed) OSCORE: { ... } Payload: OSCORE-protected data CoAP client CoAP server (EDHOC Initiator) (EDHOC Responder) | | | | | ----------------- EDHOC Request -----------------> | | Header: 0.02 (POST) | | Uri-Path: "/.well-known/edhoc" | | Content-Format: application/cid-edhoc+cbor-seq | | Payload: true, EDHOC message_1 | | | | <---------------- EDHOC Response------------------ | | Header: 2.04 (Changed) | | Content-Format: application/edhoc+cbor-seq | | Payload: EDHOC message_2 | | | EDHOC verification | | | | ----------------- EDHOC Request -----------------> | | Header: 0.02 (POST) | | Uri-Path: "/.well-known/edhoc" | | Content-Format: application/cid-edhoc+cbor-seq | | Payload: C_R, EDHOC message_3 | | | | EDHOC verification | + | OSCORE Sec Ctx | Derivation | | | <---------------- EDHOC Response------------------ | | Header: 2.04 (Changed) | | Content-Format: application/edhoc+cbor-seq | | Payload: EDHOC message_4 | | | OSCORE Sec Ctx | Derivation | | | | ---------------- OSCORE Request -----------------> | | Header: 0.02 (POST) | | OSCORE: { ... ; kid: C_R } | | Payload: OSCORE-protected data | | | | <--------------- OSCORE Response ----------------- | | Header: 2.04 (Changed) | | OSCORE: { ... } | | Payload: OSCORE-protected data | | |
The sequential flow of EDHOC and OSCORE (where EDHOC runs first and OSCORE is used after) takes three round trips to complete, as shown in . defines an optimization for combining EDHOC with the first OSCORE transaction. This reduces the number of round trips required to set up an OSCORE Security Context and complete an OSCORE transaction using that Security Context.
EDHOC Combined with OSCORE This section defines an optimization for combining the EDHOC message exchange with the first OSCORE transaction, thus minimizing the number of round trips between the two peers to the absolute possible minimum of two round trips. To this end, this approach can be used only if the default forward message flow of EDHOC is used, i.e., when the client acts as Initiator and the server acts as Responder. The same is not possible in the case with reversed roles as per the reverse message flow of EDHOC. When running the sequential flow of , the client has all the information to derive the OSCORE Security Context already after receiving EDHOC message_2 and before sending EDHOC message_3. Hence, the client can potentially send both EDHOC message_3 and the subsequent OSCORE Request at the same time. On a semantic level, this requires sending two REST requests at once as shown in .
EDHOC and OSCORE Combined CoAP client CoAP server (EDHOC Initiator) (EDHOC Responder) EDHOC Request Header: 0.02 (POST) Uri-Path: "/.well-known/edhoc" Content-Format: application/cid-edhoc+cbor-seq Payload: true, EDHOC message_1 EDHOC Response Header: 2.04 (Changed) Content-Format: application/edhoc+cbor-seq Payload: EDHOC message_2 EDHOC verification + OSCORE Sec Ctx Derivation EDHOC + OSCORE Request Header: 0.02 (POST) OSCORE: { ... ; kid: C_R } Payload: EDHOC message_3 + OSCORE-protected data EDHOC verification + OSCORE Sec Ctx Derivation OSCORE Response Header: 2.04 (Changed) OSCORE: { ... } Payload: OSCORE-protected data CoAP client CoAP server (EDHOC Initiator) (EDHOC Responder) | | | ------------------ EDHOC Request -----------------> | | Header: 0.02 (POST) | | Uri-Path: "/.well-known/edhoc" | | Content-Format: application/cid-edhoc+cbor-seq | | Payload: true, EDHOC message_1 | | | | <----------------- EDHOC Response------------------ | | Header: 2.04 (Changed) | | Content-Format: application/edhoc+cbor-seq | | Payload: EDHOC message_2 | | | EDHOC verification | + | OSCORE Sec Ctx | Derivation | | | | -------------- EDHOC + OSCORE Request ------------> | | Header: 0.02 (POST) | | OSCORE: { ... ; kid: C_R } | | Payload: EDHOC message_3 + OSCORE-protected data | | | | EDHOC verification | + | OSCORE Sec Ctx | Derivation | | | <--------------- OSCORE Response ------------------ | | Header: 2.04 (Changed) | | OSCORE: { ... } | | Payload: OSCORE-protected data | | |
To this end, the specific approach defined in this section consists of sending a single EDHOC + OSCORE request, which conveys the pair (C_R, EDHOC message_3) within an OSCORE-protected CoAP message. That is, the EDHOC + OSCORE request is composed of the following two parts combined together in a single CoAP message. The steps for processing the EDHOC + OSCORE request and the two parts combined in the request itself are defined in Sections and .
  • The OSCORE Request from , which, in this case, is also sent to a protected resource with the correct CoAP method and options intended for accessing that resource.
  • EDHOC data consisting of the pair (C_R, EDHOC message_3) required for completing the EDHOC session transported as follows:
    • C_R is the OSCORE Sender ID of the client; hence, it is transported in the 'kid' field of the OSCORE option (see ). Unlike the sequential workflow shown in , C_R is not transported in the payload of the EDHOC + OSCORE request.
    • EDHOC message_3 is transported in the payload of the EDHOC + OSCORE request and prepended to the payload of the OSCORE Request. This is because EDHOC message_3 may be too large to be included in a CoAP option, e.g., when conveying a large public key certificate chain in the ID_CRED_I field (see ), or when conveying large External Authorization Data in the EAD_3 field (see ).
The rest of this section specifies how to transport the data in the EDHOC + OSCORE request and their processing order. In particular, the use of this approach is explicitly signalled by including an EDHOC option () in the EDHOC + OSCORE request. The processing of the EDHOC + OSCORE request is specified in for the client side and in for the server side.
EDHOC Option This section defines the EDHOC option. This option is used in a CoAP request to signal that the request payload conveys both an EDHOC message_3 and OSCORE-protected data combined together. The EDHOC option has the properties summarized in , which extends Table 4 of . The option is Critical, Safe-to-Forward, and part of the Cache-Key. The option MUST occur at most once and MUST be empty. If any value is sent, the recipient MUST ignore it. (Future documents may update the definition of the option by expanding its semantics and specifying admitted values.) The option is intended only for CoAP requests and is of Class U for OSCORE . The EDHOC Option. C=Critical, U=Unsafe, N=NoCacheKey, R=Repeatable
No. C U N R Name Format Length Default
21 x EDHOC Empty 0 (none)
The presence of this option means that the message payload also contains EDHOC data that must be extracted and processed as defined in before the rest of the message can be processed. shows an example of a CoAP message that is transported over UDP and that contains both the EDHOC data and the OSCORE ciphertext using the newly defined EDHOC option for signalling.
Example of a CoAP Message Containing the Combined EDHOC and OSCORE Data, Signalled by the EDHOC Option and Transported over UDP 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Ver| T | TKL | Code | Message ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Token (if any, TKL bytes) ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Observe Option| OSCORE Option ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | EDHOC Option | Other Options (if any) ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1 1 1 1 1 1 1 1| Payload ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Client Processing This section describes the processing on the client side.
Processing of the EDHOC + OSCORE Request The client prepares an EDHOC + OSCORE request as follows.
  1. Compose EDHOC message_3 into EDHOC_MSG_3 as per .
  2. Establish the new OSCORE Security Context and use it to encrypt the original CoAP request as per . Note that the OSCORE ciphertext is not computed over EDHOC message_3, which is not protected by OSCORE. That is, the result of this step is the OSCORE Request as in .
  3. Build COMB_PAYLOAD as the concatenation of EDHOC_MSG_3 and OSCORE_PAYLOAD in the order of COMB_PAYLOAD = EDHOC_MSG_3 | OSCORE_PAYLOAD, where | denotes byte string concatenation and:
    • EDHOC_MSG_3 is the binary encoding of EDHOC message_3 resulting from Step 1. As per , EDHOC message_3 consists of one CBOR data item CIPHERTEXT_3, which is a CBOR byte string. Therefore, EDHOC_MSG_3 is the binary encoding of CIPHERTEXT_3.
    • OSCORE_PAYLOAD is the OSCORE ciphertext of the OSCORE-protected CoAP request resulting from Step 2.
  4. Compose the EDHOC + OSCORE request, as the OSCORE-protected CoAP request resulting from Step 2, where the payload is replaced with COMB_PAYLOAD built at Step 3. Note that the new payload includes EDHOC message_3, but it does not include the EDHOC connection identifier C_R. As the client is the EDHOC Initiator, C_R is the OSCORE Sender ID of the client, which is already specified as the value of the 'kid' field in the OSCORE option of the request from Step 2; hence, C_R is specified as the value of the 'kid' field of the EDHOC + OSCORE request.
  5. Include the new EDHOC option defined in into the EDHOC + OSCORE request. The application/cid-edhoc+cbor-seq media type does not apply to this message, whose media type is unnamed.
  6. Send the EDHOC + OSCORE request to the server.
With the same server, the client SHOULD NOT have multiple simultaneous outstanding interactions (see ), such that they consist of an EDHOC + OSCORE request and their EDHOC data pertains to the EDHOC session with the same connection identifier C_R. An exception might apply for clients that operate under particular time constraints over particularly unreliable networks, thus raising the chances to promptly complete the EDHOC execution with the server through multiple simultaneous EDHOC + OSCORE requests. As discussed in , this does not have any impact in terms of security.
Supporting Block-Wise Transfers If Block-wise transfers are supported, the client may fragment the first CoAP application request before protecting it as an original message with OSCORE as defined in . In such a case, the OSCORE processing in Step 2 of is performed on each inner block of the first CoAP application request. The following also applies.
  • The client takes the following additional step between Steps 2 and 3 of .
    1. If the OSCORE-protected request from Step 2 conveys a non-first inner block of the first CoAP application request (i.e., the Block1 option processed at Step 2 had NUM different than 0), then the client skips the following steps and sends the OSCORE-protected request to the server. In particular, the client MUST NOT include the EDHOC option in the OSCORE-protected request.
  • The client takes the following additional step between Steps 3 and 4 of .
    1. If the size of COMB_PAYLOAD exceeds MAX_UNFRAGMENTED_SIZE (see ), the client MUST stop processing the request and MUST abandon the Block-wise transfer. Then, the client can continue by switching to the sequential workflow shown in . That is, the client first sends EDHOC message_3 prepended by the EDHOC connection identifier C_R encoded as per . Then, the client sends the OSCORE-protected CoAP request once the EDHOC execution is completed.
The performance advantage of using the EDHOC + OSCORE request can be lost when used in combination with Block-wise transfers that rely on specific parameter values and block sizes. Application policies at the CoAP client can define when and how to detect whether the performance advantage is lost. If that is the case, they can also define whether to appropriately adjust the parameter values and block sizes or to fall back on the sequential workflow of EDHOC.
Server Processing This section describes the processing on the server side.
Processing of the EDHOC + OSCORE Request In order to process a request containing the EDHOC option, i.e., an EDHOC + OSCORE request, the server MUST perform the following steps.
  1. Check that the EDHOC + OSCORE request includes the OSCORE option and that the request payload has the format defined at Step 3 of for COMB_PAYLOAD. If this is not the case, the server MUST stop processing the request and MUST reply with a 4.00 (Bad Request) error response.
  2. Extract EDHOC message_3 from the payload COMB_PAYLOAD of the EDHOC + OSCORE request as the first element EDHOC_MSG_3 (see Step 3 of ).
  3. Take the value of the 'kid' field from the OSCORE option of the EDHOC + OSCORE request (i.e., the OSCORE Sender ID of the client), and use it as the EDHOC connection identifier C_R.
  4. Retrieve the correct EDHOC session by using the connection identifier C_R from Step 3. If the application profile used in the EDHOC session specifies that EDHOC message_4 shall be sent, the server MUST stop the EDHOC processing and consider it failed due to a client error. Otherwise, perform the EDHOC processing on the EDHOC message_3 extracted at Step 2 as per based on the protocol state of the retrieved EDHOC session. The application profile used in the EDHOC session is the same one associated with the EDHOC resource where the server received the request conveying EDHOC message_1 that started the session. This is relevant in case the server provides multiple EDHOC resources that may generally refer to different application profiles.
  5. Establish a new OSCORE Security Context associated with the client as per using the EDHOC output from Step 4.
  6. Extract the OSCORE ciphertext from the payload COMB_PAYLOAD of the EDHOC + OSCORE request as the second element OSCORE_PAYLOAD (see Step 3 of ).
  7. Rebuild the OSCORE-protected CoAP request as the EDHOC + OSCORE request, where the payload is replaced with the OSCORE ciphertext extracted at Step 6. Then, remove the EDHOC option.
  8. Decrypt and verify the OSCORE-protected CoAP request rebuilt at Step 7 as per by using the OSCORE Security Context established at Step 5. When the decrypted request is checked for any critical CoAP options (as it is during regular CoAP processing), the presence of an EDHOC option MUST be regarded as an unprocessed critical option unless it is processed by some further mechanism.
  9. Deliver the CoAP request resulting from Step 8 to the application.
If Steps 4 (EDHOC processing) and 8 (OSCORE processing) are both successfully completed, the server MUST reply with an OSCORE-protected response (see ). The usage of EDHOC message_4 as defined in is not applicable to the approach defined in this document. If Step 4 (EDHOC processing) fails, the server aborts the session as per and responds with an EDHOC error message with error code 1, which is formatted as defined in . The server MUST NOT establish a new OSCORE Security Context from the present EDHOC session with the client. The CoAP response conveying the EDHOC error message is not protected with OSCORE. As per , the server has to make sure that the error message does not reveal sensitive information. The CoAP response conveying the EDHOC error message MUST have Content-Format set to application/edhoc+cbor-seq registered in . If Step 4 (EDHOC processing) is successfully completed but Step 8 (OSCORE processing) fails, the same OSCORE error handling as defined in applies.
Supporting Block-Wise Transfers If Block-wise transfers are supported, the server takes the additional following step before any other in .
  1. If a Block option is present in the request, then process the Outer Block options according to until all blocks of the request have been received (see ).
Example of the EDHOC + OSCORE Request shows an example of an EDHOC + OSCORE request transported over UDP. In particular, the example assumes that:
  • The OSCORE Partial IV in use is 0 consistently with the first request protected with the new OSCORE Security Context.
  • The OSCORE Sender ID of the client is 0x01. As per , this straightforwardly corresponds to the EDHOC connection identifier C_R 0x01. As per , when using the sequential flow shown in , the same C_R with a value of 0x01 would be encoded on the wire as the CBOR integer 1 (0x01 in CBOR encoding) and prepended to EDHOC message_3 in the payload of the second EDHOC request.
This results in the following components shown in :
OSCORE option value:
0x090001 (3 bytes)
EDHOC option value:
- (0 bytes)
EDHOC message_3:
0x52d5535f3147e85f1cfacd9e78abf9e0a81bbf (19 bytes)
OSCORE ciphertext:
0x612f1092f1776f1c1668b3825e (13 bytes)
Example of a Protected CoAP Request Combining EDHOC and OSCORE Data 0x44025d1f ; CoAP 4-byte Header 00003974 ; Token 93 090001 ; OSCORE Option c0 ; EDHOC Option ff 52d5535f3147e85f1cfacd9e78abf9e0a81bbf 612f1092f1776f1c1668b3825e (46 bytes)
Use of EDHOC Connection Identifiers with OSCORE The OSCORE Sender/Recipient IDs are the EDHOC connection identifiers (see ). This applies also to the optimized workflow defined in of this document. Note that the value of the 'kid' field in the OSCORE option of the EDHOC + OSCORE request is both the server's Recipient ID (i.e., the client's Sender ID) and the EDHOC connection identifier C_R of the server at Step 3 of .
Additional Processing of EDHOC Messages When using EDHOC to establish an OSCORE Security Context, the client and server MUST perform the following additional steps during an EDHOC execution, thus extending .
Initiator Processing of Message 1 The Initiator selects an EDHOC connection identifier C_I as follows. The Initiator MUST choose a C_I that is neither used in any current EDHOC session as this peer's EDHOC connection identifier nor the Recipient ID in a current OSCORE Security Context where the ID Context is not present. The chosen C_I SHOULD NOT be the Recipient ID of any current OSCORE Security Context. Note that, unless the two peers concurrently use alternative methods to establish OSCORE Security Contexts, this allows the Responder to always omit the 'kid context' in the OSCORE option of its messages sent to the Initiator when protecting those with an OSCORE Security Context where C_I is the Responder's OSCORE Sender ID (see ).
Responder Processing of Message 2 The Responder selects an EDHOC connection identifier C_R as follows. The Responder MUST choose a C_R that is none of the following:
  • used in any current EDHOC session as this peer's EDHOC connection identifier,
  • equal to the EDHOC connection identifier C_I specified in the EDHOC message_1 of the present EDHOC session, or
  • the Recipient ID in a current OSCORE Security Context where the ID Context is not present.
The chosen C_R SHOULD NOT be the Recipient ID of any current OSCORE Security Context. Note that, for a reason analogous to the one given in with C_I, this allows the Initiator to always omit the 'kid context' in the OSCORE option of its messages sent to the Responder when protecting those with an OSCORE Security Context where C_R is the Initiator's OSCORE Sender ID (see ).
Initiator Processing of Message 2 If the EDHOC connection identifier C_I is equal to the EDHOC connection identifier C_R specified in EDHOC message_2, then the Initiator MUST abort the session and reply with an EDHOC error message with error code 1 formatted as defined in .
Extension and Consistency of Application Profiles It is possible to include the information below in the application profile referred by the client and server according to the specified consistency rules. If the server supports the EDHOC + OSCORE request within an EDHOC execution started at a certain EDHOC resource, then the application profile associated with that resource SHOULD explicitly specify support for the EDHOC + OSCORE request. In the case where the application profile indicates that the server supports the optional EDHOC message_4 (see ), it is still possible to use the optimized workflow based on the EDHOC + OSCORE request. However, this means that the server is not going to send EDHOC message_4 since it is not applicable to the optimized workflow (see ). Also, in the case where the application profile indicates that the server shall send EDHOC message_4, the application profile MUST NOT specify support for the EDHOC + OSCORE request. There is no point for the client to use the optimized workflow that is bound to fail (see ).
Web Linking registers the resource type "core.edhoc", which can be used as target attribute in a web link to an EDHOC resource, e.g., using a link-format document . This enables clients to discover the presence of EDHOC resources at a server, possibly using the resource type as a filter criterion. At the same time, the application profile associated with an EDHOC resource provides information describing how the EDHOC protocol can be used through that resource. A client may become aware of the application profile, e.g., by obtaining its information elements upon discovering the EDHOC resources at the server. This allows the client to discover the EDHOC resources whose associated application profile denotes a way of using EDHOC that is most suitable to the client, e.g., with EDHOC cipher suites or authentication methods that the client also supports or prefers. That is, while discovering an EDHOC resource, a client can contextually obtain relevant pieces of information from the application profile associated with that resource. The resource discovery can occur by means of a direct interaction with the server or by means of the CoRE Resource Directory where the server may have registered the links to its resources. In order to enable the above, this section defines a number of parameters, each of which can be optionally specified as a target attribute with the same name in the link to the respective EDHOC resource or as filter criterion in a discovery request from the client. When specifying these parameters in a link to an EDHOC resource, the target attribute rt="core.edhoc" MUST be included and the same consistency rules defined in for the corresponding information elements of an application profile MUST be followed. The following parameters are defined.
'ed-i':
If present, specifies that the server supports the EDHOC Initiator role, hence the reverse message flow of EDHOC. A value MUST NOT be given to this parameter and any present value MUST be ignored by the recipient.
'ed-r':
If present, specifies that the server supports the EDHOC Responder role, hence the forward message flow of EDHOC. A value MUST NOT be given to this parameter and any present value MUST be ignored by the recipient.
'ed-method':
Specifies an authentication method supported by the server. This parameter MUST specify a single value, which is taken from the 'Value' column of the "EDHOC Method Type" registry defined in . This parameter MAY occur multiple times, with each occurrence specifying an authentication method.
'ed-csuite':
Specifies an EDHOC cipher suite supported by the server. This parameter MUST specify a single value, which is taken from the 'Value' column of the "EDHOC Cipher Suites" registry defined in . This parameter MAY occur multiple times, with each occurrence specifying a cipher suite.
'ed-cred-t':
Specifies a type of authentication credential supported by the server. This parameter MUST specify a single value, which is taken from the 'Value' column of the "EDHOC Authentication Credential Types" Registry defined in of this document. This parameter MAY occur multiple times, with each occurrence specifying a type of authentication credential.
'ed-idcred-t':
Specifies a type of identifier supported by the server for identifying authentication credentials. This parameter MUST specify a single value, which is taken from the 'Label' column of the "COSE Header Parameters" registry . This parameter MAY occur multiple times, with each occurrence specifying a type of identifier for authentication credentials. Note that the values in the 'Label' column of the "COSE Header Parameters" registry are strongly typed. On the contrary, CoRE Link Format is weakly typed; thus, it does not distinguish between, for instance, the string value "-10" and the integer value -10. Therefore, if responses in CoRE Link Format are returned, string values that look like an integer are not supported. Thus, such values MUST NOT be used in the 'ed-idcred-t' parameter.
'ed-ead':
Specifies the support of the server for an External Authorization Data (EAD) item (see ). This parameter MUST specify a single value, which is taken from the 'Label' column of the "EDHOC External Authorization Data" registry defined in . This parameter MAY occur multiple times, with each occurrence specifying the ead_label of an EAD item that the server supports.
'ed-comb-req':
If present, specifies that the server supports the EDHOC + OSCORE request defined in . A value MUST NOT be given to this parameter and any present value MUST be ignored by the recipient.
Future documents may update the definition of the parameters 'ed-i', 'ed-r', and 'ed-comb-req' by expanding their semantics and specifying what they can take as value. The example in shows how a client discovers one EDHOC resource at a server and obtains information elements from the respective application profile. The CoRE Link Format notation from is used.
The Web Link REQ: GET /.well-known/core RES: 2.05 Content </sensors/temp>;osc, </sensors/light>;if=sensor, </.well-known/edhoc>;rt=core.edhoc;ed-csuite=0;ed-csuite=2; ed-method=0;ed-cred-t=0;ed-cred-t=1;ed-idcred-t=4; ed-i;ed-r;ed-comb-req
Security Considerations The same security considerations from OSCORE and EDHOC hold for this document. In addition, the following considerations apply. specifies that a client SHOULD NOT have multiple outstanding EDHOC + OSCORE requests pertaining to the same EDHOC session. Even if a client did not fulfill this requirement, it would not have any impact in terms of security. That is, the server would still not process different instances of the same EDHOC message_3 more than once in the same EDHOC session (see ) and would still enforce replay protection of the OSCORE-protected request (see Sections and of ). When using the optimized workflow in , a minimum of 128-bit security against online brute-force attacks is achieved after the client receives and successfully verifies the first OSCORE-protected response (see Sections and of ). As an example, if EDHOC is used with method 3 (see ) and cipher suite 2 (see ), then the following holds:
  • The Initiator is authenticated with 128-bit security against online attacks. As per , this results from the combination of the strength of the 64-bit Message Authentication Code (MAC) in EDHOC message_3 and of the 64-bit MAC in the Authenticated Encryption with Associated Data (AEAD) of the first OSCORE-protected CoAP request as rebuilt at Step 7 of .
  • The Responder is authenticated with 128-bit security against online attacks. As per , this results from the combination of the strength of the 64-bit MAC in EDHOC message_2 and of the 64-bit MAC in the AEAD of the first OSCORE-protected CoAP response.
With reference to the sequential workflow in , the OSCORE request might have to undergo access-control checks at the server before being actually executed for accessing the target protected resource. The same MUST hold when the optimized workflow in is used, i.e., when using the EDHOC + OSCORE request. That is, the rebuilt OSCORE-protected application request from Step 7 in MUST undergo the same access-control checks that would be performed on a traditional OSCORE-protected application request sent individually as shown in . To this end, validated information to perform access-control checks (e.g., an access token issued by a trusted party) has to be available at the server before starting to process the rebuilt OSCORE-protected application request. Such information may have been provided to the server separately before starting the EDHOC execution altogether, or instead as External Authorization Data during the EDHOC execution (see ). Thus, a successful completion of the EDHOC protocol and the following derivation of the OSCORE Security Context at the server do not play a role in determining whether the rebuilt OSCORE-protected request is authorized to access the target protected resource at the server.
IANA Considerations This document has the following actions for IANA.
CoAP Option Numbers Registry IANA has registered the following option number in the "CoAP Option Numbers" registry within the "Constrained RESTful Environments (CoRE) Parameters" registry group. Registration in the "CoAP Option Numbers" Registry
Number Name Reference
21 EDHOC RFC 9668
Target Attributes Registry IANA has registered the following entries in the "Target Attributes" registry within the "Constrained RESTful Environments (CoRE) Parameters" registry group as per . For all entries, the Change Controller is IETF and the reference is RFC 9668. Registrations in the "Target Attributes" Registry
Attribute Name Brief Description
ed-i Hint: support for the EDHOC Initiator role
ed-r Hint: support for the EDHOC Responder role
ed-method A supported authentication method for EDHOC
ed-csuite A supported cipher suite for EDHOC
ed-cred-t A supported type of authentication credential for EDHOC
ed-idcred-t A supported type of authentication credential identifier for EDHOC
ed-ead A supported External Authorization Data (EAD) item for EDHOC
ed-comb-req Hint: support for the EDHOC + OSCORE request
EDHOC Authentication Credential Types Registry IANA has created the "EDHOC Authentication Credential Types" registry within the "Ephemeral Diffie-Hellman Over COSE (EDHOC)" registry group defined in . The registration policy is either "Private Use", "Standards Action with Expert Review", or "Specification Required" per . "Expert Review" guidelines are provided in . All assignments according to "Standards Action with Expert Review" are made on a "Standards Action" basis per with "Expert Review" additionally required per . The procedure for early IANA allocation of "standards track code points" defined in also applies. When such a procedure is used, IANA will ask the designated expert(s) to approve the early allocation before registration. In addition, working group chairs are encouraged to consult the expert(s) early during the process outlined in . The columns of this registry are:
Value:
This field contains the value used to identify the type of authentication credential. These values MUST be unique. The value can be an unsigned integer or a negative integer. Different ranges of values use different registration policies:
  • Integer values from -24 to 23 are designated as "Standards Action With Expert Review".
  • Integer values from -65536 to -25 and from 24 to 65535 are designated as "Specification Required".
  • Integer values smaller than -65536 and greater than 65535 are marked as "Private Use".
Description:
This field contains a short description of the type of authentication credential.
Reference:
This field contains a pointer to the public specification for the type of authentication credential.
Initial Entries in the "EDHOC Authentication Credential Types" Registry
Value Description Reference
0 CBOR Web Token (CWT) containing a COSE_Key in a 'cnf' claim and possibly other claims. CWT is defined in RFC 8392.
1 CWT Claims Set (CCS) containing a COSE_Key in a 'cnf' claim and possibly other claims. CCS is defined in RFC 8392.
2 X.509 certificate
Expert Review Instructions "Standards Action with Expert Review" and "Specification Required" are two of the registration policies defined for the IANA registry established in . This section gives some general guidelines for what the experts should be looking for; however, they are being designated as experts for a reason, so they should be given substantial latitude. Expert reviewers should take into consideration the following points:
  • Clarity and correctness of registrations. Experts are expected to check the clarity of purpose and use of the requested entries. Experts need to make sure that registered identifiers indicate a type of authentication credential whose format and encoding is clearly defined in the corresponding specification. Identifiers of types of authentication credentials that do not meet these objectives of clarity and completeness must not be registered.
  • Point squatting should be discouraged. Reviewers are encouraged to get sufficient information for registration requests to ensure that the usage is not going to duplicate one that is already registered and that the point is likely to be used in deployments. The zones tagged as "Private Use" are intended for testing purposes and closed environments. Code points in other ranges should not be assigned for testing.
  • Specifications are required for the "Standards Action With Expert Review" range of point assignment. Specifications should exist for "Specification Required" ranges, but early assignment before a specification is available is considered to be permissible. When specifications are not provided, the description provided needs to have sufficient information to identify what the point is being used for.
  • Experts should take into account the expected usage of fields when approving point assignment. Documents published via Standards Action can also register points outside the Standards Action range. The length of the encoded value should be weighed against how many code points of that length are left, the size of device it will be used on, and the number of code points left that encode to that size.
 References Normative References Target Attributes IANA COSE Header Parameters IANA Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK] Constrained RESTful Environments (CoRE) Link Format This specification defines Web Linking using a link format for use by constrained web servers to describe hosted resources, their attributes, and other relationships between links. Based on the HTTP Link Header field defined in RFC 5988, the Constrained RESTful Environments (CoRE) Link Format is carried as a payload and is assigned an Internet media type. "RESTful" refers to the Representational State Transfer (REST) architecture. A well-known URI is defined as a default entry point for requesting the links hosted by a server. [STANDARDS-TRACK] Early IANA Allocation of Standards Track Code Points This memo describes the process for early allocation of code points by IANA from registries for which "Specification Required", "RFC Required", "IETF Review", or "Standards Action" policies apply. This process can be used to alleviate the problem where code point allocation is needed to facilitate desired or required implementation and deployment experience prior to publication of an RFC, which would normally trigger code point allocation. The procedures in this document are intended to apply only to IETF Stream documents. The Constrained Application Protocol (CoAP) The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks. The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s. The protocol is designed for machine- to-machine (M2M) applications such as smart energy and building automation. CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts of the Web such as URIs and Internet media types. CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments. Block-Wise Transfers in the Constrained Application Protocol (CoAP) The Constrained Application Protocol (CoAP) is a RESTful transfer protocol for constrained nodes and networks. Basic CoAP messages work well for small payloads from sensors and actuators; however, applications will need to transfer larger payloads occasionally -- for instance, for firmware updates. In contrast to HTTP, where TCP does the grunt work of segmenting and resequencing, CoAP is based on datagram transports such as UDP or Datagram Transport Layer Security (DTLS). These transports only offer fragmentation, which is even more problematic in constrained nodes and networks, limiting the maximum size of resource representations that can practically be transferred. Instead of relying on IP fragmentation, this specification extends basic CoAP with a pair of "Block" options for transferring multiple blocks of information from a resource representation in multiple request-response pairs. In many important cases, the Block options enable a server to be truly stateless: the server can handle each block transfer separately, with no need for a connection setup or other server-side memory of previous block transfers. Essentially, the Block options provide a minimal way to transfer larger representations in a block-wise fashion. A CoAP implementation that does not support these options generally is limited in the size of the representations that can be exchanged, so there is an expectation that the Block options will be widely used in CoAP implementations. Therefore, this specification updates RFC 7252. Guidelines for Writing an IANA Considerations Section in RFCs Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA). To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry. This is the third edition of this document; it obsoletes RFC 5226. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Web Linking This specification defines a model for the relationships between resources on the Web ("links") and the type of those relationships ("link relation types"). It also defines the serialisation of such links in HTTP headers with the Link header field. CBOR Web Token (CWT) CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR), and CBOR Object Signing and Encryption (COSE) is used for added application-layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value. CWT is derived from JSON Web Token (JWT) but uses CBOR rather than JSON. Object Security for Constrained RESTful Environments (OSCORE) This document defines Object Security for Constrained RESTful Environments (OSCORE), a method for application-layer protection of the Constrained Application Protocol (CoAP), using CBOR Object Signing and Encryption (COSE). OSCORE provides end-to-end protection between endpoints communicating using CoAP or CoAP-mappable HTTP. OSCORE is designed for constrained nodes and networks supporting a range of proxy operations, including translation between different transport protocols. Although an optional functionality of CoAP, OSCORE alters CoAP options processing and IANA registration. Therefore, this document updates RFC 7252. Concise Binary Object Representation (CBOR) The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack. This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format. Constrained RESTful Environments (CoRE) Resource Directory In many Internet of Things (IoT) applications, direct discovery of resources is not practical due to sleeping nodes or networks where multicast traffic is inefficient. These problems can be solved by employing an entity called a Resource Directory (RD), which contains information about resources held on other servers, allowing lookups to be performed for those resources. The input to an RD is composed of links, and the output is composed of links constructed from the information stored in the RD. This document specifies the web interfaces that an RD supports for web servers to discover the RD and to register, maintain, look up, and remove information on resources. Furthermore, new target attributes useful in conjunction with an RD are defined. Ephemeral Diffie-Hellman Over COSE (EDHOC) This document specifies Ephemeral Diffie-Hellman Over COSE (EDHOC), a very compact and lightweight authenticated Diffie-Hellman key exchange with ephemeral keys. EDHOC provides mutual authentication, forward secrecy, and identity protection. EDHOC is intended for usage in constrained scenarios, and a main use case is to establish an Object Security for Constrained RESTful Environments (OSCORE) security context. By reusing CBOR Object Signing and Encryption (COSE) for cryptography, Concise Binary Object Representation (CBOR) for encoding, and Constrained Application Protocol (CoAP) for transport, the additional code size can be kept very low. Informative References Constrained RESTful Environments (CoRE) Target Attributes Registry The Constrained RESTful Environments (CoRE) specifications apply web technologies to constrained environments. One such important technology is Web Linking (RFC 8288), which CoRE specifications use as the basis for a number of discovery protocols, such as the Link Format (RFC 6690) in the Constrained Application Protocol's (CoAP's) resource discovery process (Section 7.2 of RFC 7252) and the Resource Directory (RD) (RFC 9176). Web Links can have target attributes, the names of which are not generally coordinated by the Web Linking specification (Section 2.2 of RFC 8288). This document introduces an IANA registry for coordinating names of target attributes when used in CoRE. It updates the "RD Parameters" IANA registry created by RFC 9176 to coordinate with this registry.
Acknowledgments The authors sincerely thank , , , , , , , , , , , , , , , , , and for their feedback and comments. The work on this document has been partly supported by the Sweden's Innovation Agency VINNOVA and the Celtic-Next project CRITISEC, and by the H2020 project SIFIS-Home (Grant agreement 952652).
Authors' Addresses Ericsson AB
Torshamnsgatan 23 Kista 164 40 Sweden francesca.palombini@ericsson.com
RISE AB
Isafjordsgatan 22 Kista 164 40 Sweden marco.tiloca@ri.se
RISE AB
Isafjordsgatan 22 Kista 164 40 Sweden rikard.hoglund@ri.se
Eriptic
stefan.hristozov@eriptic.com
Ericsson
goran.selander@ericsson.com