The security protocol Object Security for Constrained RESTful Environments (OSCORE) defined in [RFC8613] provides end-to-end security for CoAP messages at the application level, by using CBOR Object Signing and Encryption (COSE) [RFC9052]. In order to protect their communications, two peers need to have already established an OSCORE Security Context.¶
-As an example, Appendix B.2 of [RFC8613] provides a key update procedure, which two OSCORE peers can run for establishing a new shared OSCORE Security Context that replaces their old one. The recent key update protocol KUDOS [I-D.ietf-core-oscore-key-update] specifies how two OSCORE peers can establish a new shared OSCORE Security Context that replaces their old one, with a number of advantages compared to the method defined in Appendix B.2 of [RFC8613].¶
+Appendix B.2 of [RFC8613] provides an example for a key update procedure, which two OSCORE peers can run for establishing a new shared OSCORE Security Context that replaces their old one. The recent key update protocol KUDOS [I-D.ietf-core-oscore-key-update] specifies how two OSCORE peers can establish a new shared OSCORE Security Context that replaces their old one, with a number of advantages compared to the method defined in Appendix B.2 of [RFC8613].¶
The security protocol Group Object Security for Constrained RESTful Environments (Group OSCORE) defined in [I-D.ietf-core-oscore-groupcomm] builds on OSCORE and protects group communication for CoAP [I-D.ietf-core-groupcomm-bis]. The management of the group keying material is entrusted to a Group Manager (see Section 3 of [I-D.ietf-core-oscore-groupcomm]), which provides the latest group keying material to a new group member upon its group joining, and can update the group keying material by performing a group rekeying.¶
-The following discusses how OSCORE, KUDOS, and Group OSCORE position themselves with respect to the match boxing, the used transport underlying CoAP, and the renewal of the keying material.¶
+The following discusses how OSCORE, KUDOS, and Group OSCORE position themselves with respect to the match boxing, the transport used underlying CoAP, and the renewal of the keying material.¶
The security processing of (Group) OSCORE is agnostic of the value assumed by the CoAP Token and Message ID. Also, (Group) OSCORE can be seamlessly used in the presence of (cross-)proxies that will change the value of the CoAP Token and Message ID on the different communication legs. This does not affect the security processing at the (Group) OSCORE endpoints.¶
Before any security processing is performed, the only use that (Group) OSCORE makes of the Token value is on the CoAP client upon receiving a response, in order to retrieve the right Security Context to use for decrypting and verifying the response.¶
Even in case the Token value in a CoAP response is manipulated to induce a Request-Response matching at the client, there is no risk for the client to successfully decrypt the response instead of failing as expected. This is because, per Section 12.3 of [RFC8613], the OSCORE Master Secret of each OSCORE Security Context is required not only to be secret, but also to have a good amount of randomness.¶
-Building on that, an HKDF is used to derive the actual encryption keys from the Master Secret and, optionally, from an additional Master Salt. Furthermore, for each OSCORE Security Context, the quartet (Master Secret, Master Salt, ID Context, Sender ID) must be unique. As per Section 3.3 of [RFC8613], this is a hard requirement and guarantees unique (key, nonce) pairs for the used AEAD algorithm.¶
+Building on that, an HKDF is used to derive the actual encryption keys +from the Master Secret and, optionally, from an additional Master +Salt. Furthermore, for each OSCORE Security Context, the quartet +(Master Secret, Master Salt, ID Context, Sender ID) must be unique. As +per Section 3.3 of [RFC8613], this is a hard requirement and +guarantees unique (key, nonce) pairs for the AEAD algorithm used.¶
In Group OSCORE, the Security Context extends that of OSCORE, and the same as above holds (see Sections 2, 2.2, and 13.11 of [I-D.ietf-core-oscore-groupcomm]).¶
Finally, (Group) OSCORE performs a separate secure match boxing under its own control, by cryptographically binding each protected request with all the corresponding protected responses. This is achieved by means of the COSE external_aad involved during the security processing of protected messages (see Section 5.4 of [RFC8613] and Section 4.4 of [I-D.ietf-core-oscore-groupcomm]).¶
The security protocol (Group) OSCORE does not have any requirement on binding the used Security Context to specific addressing information used by the transport protocol underlying CoAP. What occurs below (Group) OSCORE with transport-specific addressing information is transparent to (Group) OSCORE, but it needs to work well enough to ensure that received data is delivered to (Group) OSCORE for security processing.¶
+The security protocol (Group) OSCORE does not have any requirement on +binding the Security Context in use to specific addressing information used by the transport protocol underlying CoAP. What occurs below (Group) OSCORE with transport-specific addressing information is transparent to (Group) OSCORE, but it needs to work well enough to ensure that received data is delivered to (Group) OSCORE for security processing.¶
Consistent with the above, (Group) OSCORE does not interfere with any low-layer, transport specific information. Instead, it entrusts data to a Request-Response exchange mechanism that can rely on different means to enforce the Request-Response matching at the transport level (e.g., the 5-tuple, the CoAP Message ID, a file handle). Also, (Group) OSCORE does not alter the fact that a CoAP response needs to come from where the corresponding CoAP request was sent, which simply follows from using transports where that is a requirement.¶
Furthermore, two peers can seamlessly use (Group) OSCORE also in the presence of cross-proxies that change transport across different communication legs. This does not affect the security processing at the (Group) OSCORE endpoints.¶
Practically, (Group) OSCORE relies on the underlying CoAP implementation for obtaining received CoAP messages on which to perform the expected security processing.¶
Upon receiving a protected message, the recipient endpoint retrieves the OSCORE Security Context to use for decryption based on key identifier information specified in the CoAP OSCORE Option of protected requests, and on the value of the CoAP Token of protected responses.¶
-In OSCORE, the key identifier information in request messages is typically limited to a "kid", with value the OSCORE Sender ID associated with the message sender. In case Sender IDs are not unique among different OSCORE Security Contexts stored by the same peer, it is possible to disambiguate by additionally using a "kid context" identifying the OSCORE Security Context as a whole. Instead, response messages are not required to convey key identifier information, as the client can rely on the Token conveyed in the response for retrieving the Security Context to use (see above).¶
+In OSCORE, the key identifier information in request messages is +typically limited to a "kid", with a value the OSCORE Sender ID associated with the message sender. In case Sender IDs are not unique among different OSCORE Security Contexts stored by the same peer, it is possible to disambiguate by additionally using a "kid context" identifying the OSCORE Security Context as a whole. Instead, response messages are not required to convey key identifier information, as the client can rely on the Token conveyed in the response for retrieving the Security Context to use (see above).¶
In Group OSCORE, the key identifier information in request messages always includes also a "kid context", whose value is used as identifier of the OSCORE group associated with the Security Context to use for security processing of the exchanged message. Response messages are also required to convey a "kid" as key identifier information (i.e., the OSCORE Sender ID associated with the message sender), if the corresponding request was protected with the group mode of Group OSCORE (see Section 8 of [I-D.ietf-core-oscore-groupcomm]) .¶
Some particular uses of (Group) OSCORE enable to build OSCORE-based tunneling [I-D.ietf-core-oscore-capable-proxies]. In such a case, a CoAP server might have to enforce that some OSCORE Security Contexts are not just looked up by a "kid" and similar key identifier information from the CoAP OSCORE Option in the incoming request to decrypt. Such a lookup should also rely on the alleged client's address, or on an alternative identifier of the tunnel from which the request came from.¶
@@ -1630,21 +1637,23 @@The following provides more details about key update, separately for OSCORE, KUDOS, and Group OSCORE.¶
OSCORE - [RFC8613] tacitly assumes that two peers terminate any ongoing CoAP Observation that they still have ongoing, upon installing a new OSCORE Security Context, irrespective of the method used to perform the key update.¶
+OSCORE: [RFC8613] tacitly assumes that two peers terminate any ongoing CoAP Observation that they still have ongoing, upon installing a new OSCORE Security Context, irrespective of the method used to perform the key update.¶
-On these premises, a belated response protected with the old OSCORE Security Context will fail decryption, due to that Security Context not available anymore on the receiving client.¶
+On these premises, a belated response protected with the old OSCORE +Security Context will fail decryption, as that Security Context is not available anymore on the receiving client.¶KUDOS - The key update protocol KUDOS allows the two OSCORE peers to negotiate about preserving their ongoing CoAP Observations across the performed key update. If and only if both peers agree to do that during an execution of KUDOS, their Observations will remain active after installing the new OSCORE Security Context, which the two peers will use from then on to protect their exchanged Observe notifications.¶
+KUDOS: The key update protocol KUDOS allows the two OSCORE peers to negotiate about preserving their ongoing CoAP Observations across the performed key update. If and only if both peers agree to do that during an execution of KUDOS, their Observations will remain active after installing the new OSCORE Security Context, which the two peers will use from then on to protect their exchanged Observe notifications.¶
Furthermore, irrespective of the method used to perform a key update, Section 3 of [I-D.ietf-core-oscore-key-update] updates the security protocol OSCORE [RFC8613] in order to prevent security issues that can arise from misbinding a request and a response, when those are protected with two different OSCORE Security Contexts.¶
Such an update to the OSCORE protocol requires a server to include its own Sender Sequence Number as Partial IV of an outgoing response, when protecting it with a Security Context different from the one used to protect the corresponding request. An exception safely applies to the response messages that are sent when running the key update procedure defined in Appendix B.2 of [RFC8613].¶
Group OSCORE - The Group Manager can distribute new group keying material to the members of an OSCORE group, by performing a group rekeying. When receiving updated group keying material from the Group Manager, either upon joining the group or by participating in a group rekeying, a group member uses that material to install a new, commonly shared Group OSCORE Security Context, which replaces the old one (if any is stored).¶
+Group OSCORE: The Group Manager can distribute new group keying material to the members of an OSCORE group, by performing a group rekeying. When receiving updated group keying material from the Group Manager, either upon joining the group or by participating in a group rekeying, a group member uses that material to install a new, commonly shared Group OSCORE Security Context, which replaces the old one (if any is stored).¶
-Also, Group OSCORE makes it possible for group members to safely preserve their ongoing long exchanges (e.g., CoAP Observations), also across the establishment of new Group OSCORE Security Contexts. This is achieved by virtue of how the Group Manager assigns and maintains the identifiers of OSCORE groups (see Section 3.2.1.1 of [I-D.ietf-core-oscore-groupcomm]).¶
+Also, Group OSCORE makes it possible for group members to safely +preserve their ongoing active requests (e.g., CoAP Observations), also across the establishment of new Group OSCORE Security Contexts. This is achieved by virtue of how the Group Manager assigns and maintains the identifiers of OSCORE groups (see Section 3.2.1.1 of [I-D.ietf-core-oscore-groupcomm]).¶Furthermore, analogous to the update that [I-D.ietf-core-oscore-key-update] makes on the OSCORE protocol with respect to protecting responses, Group OSCORE prevents security issues that can arise from misbinding a request and a response, when those are protected with two different Group OSCORE Security Contexts.¶
diff --git a/address-9-oscore/draft-bormann-core-corr-clar.txt b/address-9-oscore/draft-bormann-core-corr-clar.txt index 2c0e711..9ae46d8 100644 --- a/address-9-oscore/draft-bormann-core-corr-clar.txt +++ b/address-9-oscore/draft-bormann-core-corr-clar.txt @@ -494,7 +494,7 @@ Internet-Draft Corrections and Clarifications to CoAP September 2024 their communications, two peers need to have already established an OSCORE Security Context. - As an example, Appendix B.2 of [RFC8613] provides a key update + Appendix B.2 of [RFC8613] provides an example for a key update procedure, which two OSCORE peers can run for establishing a new shared OSCORE Security Context that replaces their old one. The recent key update protocol KUDOS [I-D.ietf-core-oscore-key-update] @@ -522,7 +522,7 @@ Internet-Draft Corrections and Clarifications to CoAP September 2024 group rekeying. The following discusses how OSCORE, KUDOS, and Group OSCORE position - themselves with respect to the match boxing, the used transport + themselves with respect to the match boxing, the transport used underlying CoAP, and the renewal of the keying material. 2.5.1.1. Match Boxing @@ -551,7 +551,7 @@ Internet-Draft Corrections and Clarifications to CoAP September 2024 Master Salt. Furthermore, for each OSCORE Security Context, the quartet (Master Secret, Master Salt, ID Context, Sender ID) must be unique. As per Section 3.3 of [RFC8613], this is a hard requirement - and guarantees unique (key, nonce) pairs for the used AEAD algorithm. + and guarantees unique (key, nonce) pairs for the AEAD algorithm used. @@ -576,12 +576,12 @@ Internet-Draft Corrections and Clarifications to CoAP September 2024 2.5.1.2. Underlying Transport The security protocol (Group) OSCORE does not have any requirement on - binding the used Security Context to specific addressing information - used by the transport protocol underlying CoAP. What occurs below - (Group) OSCORE with transport-specific addressing information is - transparent to (Group) OSCORE, but it needs to work well enough to - ensure that received data is delivered to (Group) OSCORE for security - processing. + binding the Security Context in use to specific addressing + information used by the transport protocol underlying CoAP. What + occurs below (Group) OSCORE with transport-specific addressing + information is transparent to (Group) OSCORE, but it needs to work + well enough to ensure that received data is delivered to (Group) + OSCORE for security processing. Consistent with the above, (Group) OSCORE does not interfere with any low-layer, transport specific information. Instead, it entrusts data @@ -608,7 +608,7 @@ Internet-Draft Corrections and Clarifications to CoAP September 2024 responses. In OSCORE, the key identifier information in request messages is - typically limited to a "kid", with value the OSCORE Sender ID + typically limited to a "kid", with a value the OSCORE Sender ID associated with the message sender. In case Sender IDs are not @@ -656,14 +656,14 @@ Internet-Draft Corrections and Clarifications to CoAP September 2024 The following provides more details about key update, separately for OSCORE, KUDOS, and Group OSCORE. - * OSCORE - [RFC8613] tacitly assumes that two peers terminate any + * OSCORE: [RFC8613] tacitly assumes that two peers terminate any ongoing CoAP Observation that they still have ongoing, upon installing a new OSCORE Security Context, irrespective of the method used to perform the key update. On these premises, a belated response protected with the old - OSCORE Security Context will fail decryption, due to that Security - Context not available anymore on the receiving client. + OSCORE Security Context will fail decryption, as that Security + Context is not available anymore on the receiving client. @@ -674,7 +674,7 @@ Bormann Expires 28 March 2025 [Page 12] Internet-Draft Corrections and Clarifications to CoAP September 2024 - * KUDOS - The key update protocol KUDOS allows the two OSCORE peers + * KUDOS: The key update protocol KUDOS allows the two OSCORE peers to negotiate about preserving their ongoing CoAP Observations across the performed key update. If and only if both peers agree to do that during an execution of KUDOS, their Observations will @@ -697,7 +697,7 @@ Internet-Draft Corrections and Clarifications to CoAP September 2024 when running the key update procedure defined in Appendix B.2 of [RFC8613]. - * Group OSCORE - The Group Manager can distribute new group keying + * Group OSCORE: The Group Manager can distribute new group keying material to the members of an OSCORE group, by performing a group rekeying. When receiving updated group keying material from the Group Manager, either upon joining the group or by participating @@ -706,7 +706,7 @@ Internet-Draft Corrections and Clarifications to CoAP September 2024 replaces the old one (if any is stored). Also, Group OSCORE makes it possible for group members to safely - preserve their ongoing long exchanges (e.g., CoAP Observations), + preserve their ongoing active requests (e.g., CoAP Observations), also across the establishment of new Group OSCORE Security Contexts. This is achieved by virtue of how the Group Manager assigns and maintains the identifiers of OSCORE groups (see