Cacheable OSCOREAustriachristian@amsuess.comRISE ABIsafjordsgatan 22Kista16440 StockholmSwedenmarco.tiloca@ri.seCoRE Working GroupCoAP, OSCORE, multicast, caching, proxyGroup communication with the Constrained Application Protocol (CoAP) can be secured end-to-end using Group Object Security for Constrained RESTful Environments (Group OSCORE), also across untrusted intermediary proxies. However, this sidesteps the proxies' abilities to cache responses from the origin server(s). This specification restores cacheability of protected responses at proxies, by introducing consensus requests which any client in a group can send to one server or multiple servers in the same group.Discussion VenuesDiscussion of this document takes place on the
CORE Working Group mailing list (core@ietf.org),
which is archived at .Source for this draft and an issue tracker can be found at
.IntroductionThe Constrained Application Protocol (CoAP) supports also group communication, for instance over UDP and IP multicast . In a group communication environment, exchanged messages can be secured end-to-end by using Group Object Security for Constrained RESTful Environments (Group OSCORE) .Requests and responses protected with the group mode of Group OSCORE can be read by all group members, i.e. not only by the intended recipient(s), thus achieving group-level confidentiality.This allows a trusted intermediary proxy which is also a member of the OSCORE group to populate its cache with responses from origin servers. Later on, the proxy can possibly reply to a request in the group with a response from its cache, if recognized as an eligible server by the client.However, an untrusted proxy which is not member of the OSCORE group only sees protected responses as opaque, uncacheable ciphertext. In particular, different clients in the group that originate a same plain CoAP request would send different protected requests, as a result of their Group OSCORE processing. Such protected requests cannot yield a cache hit at the proxy, which makes the whole caching of protected responses pointless.This document addresses this complication and enables cacheability of protected responses, also for proxies that are not members of the OSCORE group and are unaware of OSCORE in general. To this end, it builds on the concept of "consensus request" initially considered in , and defines "deterministic request" as a convenient incarnation of such concept.All clients wishing to send a particular GET or FETCH request are able to deterministically compute the same protected request, using a variation on the pairwise mode of Group OSCORE. It follows that cache hits become possible at the proxy, which can thus serve clients in the group from its cache. Like in , this requires that clients and servers are already members of a suitable OSCORE group.Cacheability of protected responses is useful also in applications where several clients wish to retrieve the same object from a single server.
Some security properties of OSCORE are dispensed with to gain other desirable properties.In order to clearly handle the protocol's security properties,
and to broaden applicability to group situations outside the deterministic case,
the technical implementation is split in two halves:
maintaining request-response bindings in absence of request source authentication, and
building and processing of deterministic requests
(which have no source authentication, and thus require the former).
Use casesWhen firmware updates are delivered using CoAP,
many similar devices fetch large representations at the same time.
Collecting them at a proxy not only keeps the traffic low,
but also lets the clients ride single file to hide their numbers and identities.When relying on intermediaries to fan out the delivery of multicast data protected end-to-end as in , deterministic requests allow for a more efficient setup, by reducing the amount of message exchanges and enabling early population of cache entries (see ).TerminologyThe key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.Readers are expected to be familiar with terms and concepts of CoAP and its method FETCH , group communication for CoAP , COSE , OSCORE , and Group OSCORE .This document introduces the following new terms.
Consensus Request: a CoAP request protected with Group OSCORE that can be used repeatedly to access a particular resource, hosted at one or more servers in the OSCORE group.
A Consensus Request has all the properties relevant to caching, but its transport dependent properties (e.g. Token or Message ID) are not defined. Thus, different requests on the wire can be said to "be the same Consensus Request" even if they have different Tokens or source addresses.
The Consensus Request is the reference for request-response binding.
In general, a client processing a response to a consensus request did not generate (and thus sign) the consensus request.
The client not only needs to decrypt the Consensus Request to understand a response to it (for example to tell which path was requested),
it also needs to verify that this is the only Consensus Request that could elicit this response.
Deterministic Client: a fictitious member of an OSCORE group, having no Sender Sequence Number, no asymmetric key pair, and no Recipient Context.
The Group Manager sets up the Deterministic Client, and assigns it a unique Sender ID as for other group members. Furthermore, the Deterministic Client has only the minimum common set of privileges shared by all group members.
Deterministic Request: a Consensus Request generated by the Deterministic Client. The use of Deterministic Requests is defined in .
Ticket Request: a Consensus Request generated by the server itself.
This term is not used in the main document, but is useful in comparison with other applications of consensus requests
that are generated in a different way than as a Deterministic Request.
The prototypical Ticket Request is the Phantom Request defined in .
In , the term is used to bridge the gap to that draft.
OSCORE processing without source authenticationThe request-response binding of OSCORE is achieved by the request_kid / request_pid items
(and, in group OSCORE, request_kid_context)
present in the response's AAD.
It security depends on the server obtaining source authentication for the request:
Without, a malicious group member could alter a request to the server (without altering the request_ details above),
and the client would still accept the response as if it were a response to its request.Source authentication is thus a precondition to secure use of OSCORE.
However, it is hard to provide when:
Requests are built exclusively using shared key material (as in a deterministic client).
Requests are sent without source authentication, or where the source authentication is not checked. (This was part of in revisions before -12).
This document does not [ yet? ] give full guidance on how to restore request-response binding for the general case,
but currently only offers suggestions:
The response can contain the full request. An option that allows doing that was presented in .
The response can contain a cryptographic hash of the full request. This is used in .
The above details can be transported in a Class E option (encrypted) or a a Class I option (unencrypted but part of the AAD).
The latter has the advantage that it can be removed in transit and reconstructed at the receiver.
Alternatively, the agreed-on request data can be placed in a different position in the AAD,
or be part of the security context derivation.
In the latter case, care needs to be taken to never initialize a security context twice with the same input,
as that would lead to nonce reuse.
[ Suggestion for any OSCORE v2: avoid request details in the request's AAD as individual elements. Rather than having 'request_kid', 'request_piv' and (in Group OSCORE) 'request_kid_context' as separate fields, they can better be something more pluggable.
This would avoid the need to make up an option before processing, and would allow just plugging in the hash or request in there replacing the request_ items. ]Additional care has to be taken that details not expressed in the request itself
(like the security context from which it is assumed to have originated) are captured.Processing of requests without source authentication has to be done assuming only the minimal possible privilege of the requester
[ which currently described as the authorization of the deterministic client, and may be moved up here in later versions of this document ].
If a response is built to such a request that contains data more sensitive than that
(which might be justified if the response is protected for an authorized group member in pairwise response mode),
special consideration for any side channels like response size or timing is required.Deterministic RequestsThis section defines a method for clients starting from a same plain CoAP request to independently arrive at a same Deterministic Request protected with Group OSCORE.Deterministic Unprotected RequestClients build the unprotected Deterministic Request in a way which is as much reproducible as possible.
This document does not set out full guidelines for minimizing the variation,
but considered starting points are:
Set the inner Observe option to 0,
even if no observation is intended (and no outer Observe is set).
Thus, both observing and non-observing requests can be aggregated into a single request,
that is upstreamed as an observation at the latest when any observing request reaches the proxy.
Avoid setting the ETag option in requests on a whim.
Only set it when there was a recent response with that ETag.
When obtaining later blocks, do not send the known-stale ETag.
In block-wise transfer, maximally sized large inner blocks (szx=6) should be selected.
This serves not only to align the clients on consistent cache entries,
but also helps amortize the additional data transferred in the per-message signatures.
Outer block-wise transfer can then be used if these messages excede a hop's efficiently usable MTU size.(If BERT is usable with OSCORE, its use is fine as well;
in that case, the server picks a consistent block size for all clients anyway).
If padding (see ) is used to limit an adversary's ability to deduce requests' content from their length, the requests are padded to reach a total length that should be agreed on among all users of a security context.
These only serve to ensure that cache entries are utilized; failure to follow them has no more severe consequences than decreasing the utility and effectiveness of a cache.Design ConsiderationsThe hard part is arriving at a consensus pair (key, nonce) to be used with the AEAD cipher for encrypting the Deterministic Request, while also avoiding reuse of the same (key, nonce) pair across different requests.Diversity can conceptually be enforced by applying a cryptographic hash function to the complete input of the encryption operation over the plain CoAP request (i.e., the AAD and the plaintext of the COSE object), and then using the result as source of uniqueness.
Any non-malleable cryptographically secure hash of sufficient length to make collisions sufficiently unlikely is suitable for this purpose.A tempting possibility is to use a fixed (group) key, and use the hash as a deterministic AEAD nonce for each Deterministic Request throught the Partial IV component (see ). However, the 40 bit available for the Partial IV are by far insufficient to ensure that the deterministic nonce is not reused across different Deterministic Requests. Even if the full deterministic AEAD nonce could be set, the sizes used by common algorithms would still be too small.As a consequence, the proposed method takes the opposite approach, by considering a fixed deterministic AEAD nonce, while generating a different deterministic encryption key for each Deterministic Request. That is, the hash computed over the plain CoAP request is taken as input to the key generation. As an advantage, this approach does not require to transport the computed hash in the OSCORE option.[ Note: This has a further positive side effect arising with version -11 of Group OSCORE. That is, since the full encoded OSCORE option is part of the AAD, it avoids a circular dependency from feeding the AAD into the hash computation, which in turn needs crude workarounds like building the full AAD twice, or zeroing out the hash-to-be. ]Request-HashIn order to transport the hash of the plain CoAP request, a new CoAP option is defined, which MUST be supported by clients and servers that support Deterministic Requests.The option is called Request-Hash. As summarized in , the Request-Hash option is elective, safe to forward, part of the cache key and repeatable.The Request-Hash option is identical in all its properties to the Request-Tag option defined in , with the following exceptions:
It may be arbitrarily long.
Implementations can limit its length to that of the longest output of the supported hash functions.
A proxy MAY use any fresh cached response from the selected server to respond to a request with the same Request-Hash (or possibly even if the new request's Request-Hash is a prefix of the cached one).
This is a potential future optimization which is not mentioned anywhere else yet, and allows clients to elide all other options and payload if it has reason to believe that it can produce a cache hit with the abbreviated request alone.
It may be present in responses (TBD: Does this affect any other properties?).
When used with a Deterministic Request, this option is created at message protection time by the sender, and used before message unprotection by the recipient. Therefore, in this use case, it is treated as Class U for OSCORE in requests. In the same application, for responses, it is treated as Class I, and often elided from sending (but reconstructed at the receiver). Other uses of this option can put it into different classes for the OSCORE processing.
This option achieves request-response binding described in .Use of Deterministic RequestsThis section defines how a Deterministic Request is built on the client side and then processed on the server side.Pre-ConditionsThe use of Deterministic Requests in an OSCORE group requires that the interested group members are aware of the Deterministic Client in the group. In particular, they need to know:
The Sender ID of the Deterministic Client, to be used as 'kid' parameter for the Deterministic Requests. This allows all group members to compute the Sender Key of the Deterministic Client.
The Sender ID of the Deterministic Client is immutable throughout the lifetime of the OSCORE group. That is, it is not relinquished and it does not change upon changes of the group keying material following a group rekeying performed by the Group Manager.
The hash algorithm to use for computing the hash of a plain CoAP request, when producing the associated Deterministic Request.
Group members have to obtain this information from the Group Manager. A group member can do that, for instance, when obtaining the group keying material upon joining the OSCORE group, or later on as an active member by sending a request to a dedicated resource at the Group Manager.The joining process based on the Group Manager defined in can be easily extended to support the provisioning of information about the Deterministic Client. Such an extension is defined in of this document.Client Processing of Deterministic RequestIn order to build a Deterministic Request, the client protects the plain CoAP request using the pairwise mode of Group OSCORE (see ), with the following alterations.
When preparing the OSCORE option, the external_aad and the AEAD nonce:
The used Sender ID is the Deterministic Client's Sender ID.
The used Partial IV is 0.
When preparing the external_aad, the element 'sender_public_key' in the aad_array takes the empty CBOR byte string.
The client uses the hash function indicated for the Deterministic Client, and computes a hash H over the following input: the Sender Key of the Deterministic Client, concatenated with the external_aad from step 1, concatenated with the COSE plaintext.
Note that the payload of the plain CoAP request (if any) is not self-delimiting, and thus hash functions are limited to non-malleable ones.
The client derives the deterministic Pairwise Sender Key K as defined in , with the following differences:
The Sender Key of the Deterministic Client is used as first argument of the HKDF.
The hash H from step 2 is used as second argument of the HKDF, i.e. as a pseudo IKM-Sender computable by all the group members.
Note that an actual IKM-Sender cannot be obtained, since there is no public key associated with the deterministic client, to be used as Sender Public Key and for computing an actual Diffie-Hellman Shared Secret.
The Sender ID of the Deterministic Client is used as value for the 'id' element of the 'info' parameter used as third argument of the HKDF.
The client includes a Request-Hash option in the request to protect, with value set to the hash H from Step 2.
The client protects the request using the pairwise mode of Group OSCORE as defined in , using the AEAD nonce from step 1, the deterministic Pairwise Sender Key K from step 3 as AEAD encryption key, and the finalized AAD.
The client sets FETCH as the outer code of the protected request to make it usable for a proxy's cache, even if no observation is requested .
The result is the Deterministic Request to be sent.Since the encryption key K is derived using material from the whole plain CoAP request, this (key, nonce) pair is only used for this very message, which is deterministically encrypted unless there is a hash collision between two Deterministic Requests.The deterministic encryption requires the used AEAD algorithm to be deterministic in itself. This is the case for all the AEAD algorithms currently registered with COSE in . For future algorithms, a flag in the COSE registry is to be added.Note that, while the process defined above is based on the pairwise mode of Group OSCORE, no information about the server takes part to the key derivation or is included in the AAD. This is intentional, since it allows for sending a deterministic request to multiple servers at once (see ). On the other hand, it requires later checks at the client when verifying a response to a Deterministic Request (see ).Server Processing of Deterministic RequestUpon receiving a Deterministic Request, a server performs the following actions.A server that does not support Deterministic Requests would not be able to create the necessary Recipient Context, and thus will fail decrypting the request.
If not already available, the server retrieves the information about the Deterministic Client from the Group Manager, and derives the Sender Key of the Deterministic Client.
The server actually recognizes the request to be a Deterministic Request, due to the presence of the Request-Hash option and to the 'kid' parameter of the OSCORE option set to the Sender ID of the Deterministic Client.
If the 'kid' parameter of the OSCORE option specifies a different Sender ID than the one of the Deterministic Client, the server MUST NOT take the following steps, and instead processes the request as per .
The server retrieves the hash H from the Request-Hash option.
The server derives a Recipient Context for processing the Deterministic Request. In particular:
The Recipient ID is the Sender ID of the Deterministic Client.
The Recipient Key is derived as the key K in step 3 of , with the hash H retrieved at the previous step.
The server verifies the request using the pairwise mode of Group OSCORE, as defined in , using the Recipient Context from step 4, with the following differences.
The server does not perform replay checks against a Replay Window (see below).
In case of successful verification, the server MUST also perform the following actions, before possibly delivering the request to the application.
Starting from the recovered plain CoAP request, the server MUST recompute the same hash that the client computed at step 2 of .
If the recomputed hash value differs from the value retrieved from the Request-Hash option at step 3, the server MUST treat the request as invalid and MAY reply with an unprotected 4.00 (Bad Request) error response. The server MAY set an Outer Max-Age option with value zero. The diagnostic payload MAY contain the string "Decryption failed".
This prevents an attacker that guessed a valid authentication tag for a given Request-Hash value to poison caches with incorrect responses.
The server MUST verify that the unprotected request is safe to be processed in the REST sense, i.e. that it has no side effects. If verification fails, the server MUST discard the message and SHOULD reply with a protected 4.01 (Unauthorized) error response.
Note that some CoAP implementations may not be able to prevent that an application produces side effects from a safe request. This may incur checking whether the particular resource handler is explicitly marked as eligible for processing deterministic requests. An implementation may also have a configured list of requests that are known to be side effect free, or even a pre-built list of valid hashes for all sensible requests for them, and reject any other request.
These checks replace the otherwise present requirement that the server needs to check the Replay Window of the Recipient Context (see step 5 above), which is inapplicable with the Recipient Context derived at step 4 from the value of the Request-Hash option. The reasoning is analogous to the one in to treat the potential replay as answerable, if the handled request is side effect free.
Response to a Deterministic RequestWhen treating a response to a deterministic request, the Request-Hash option is treated as a Class I option. This creates the request-response binding ensuring that no mismatched responses can be successfully unprotected (see ).
The option does not actually need to be present in the message as transported (the server SHOULD elide it for compactness).
The client MUST reject responses with a Request-Hash not matching the one it sent in the request.When preparing the response, the server performs the following actions.
The server sets a non-zero Max-Age option, thus making the Deterministic Request usable for the proxy cache.
The server preliminarily sets the Request-Hash option with the full request hash.
The server MUST protect the response using the group mode of Group OSCORE, as defined in . This is required to ensure that the client can verify source authentication of the response, since the "pairwise" key used for the Deterministic Request is actually shared among all the group members.
Note that the Request-Hash option is treated as Class I here.
The server MUST use its own Sender Sequence Number as Partial IV to protect the response, and include it as Partial IV in the OSCORE option of the response. This is required since the server does not perform replay protection on the Deterministic Request (see ).
The server uses 2.05 (Content) as outer code even though it is not necessarily an Observe notification , in order to make the response cacheable.
The server SHOULD remove the Request-Hash option from the message before sending.
Upon receiving the response, the client performs the following actions.
In case the response includes a 'kid' in the OSCORE option and unless responses from multiple servers are expected (see ), the client MUST verify it to be exactly the 'kid' of the server to which the Deterministic Request was sent.
The client sets the Request-Hash option with the full request hash on the reponse.
If an option of a different value is already present, it rejects the response.
The client verifies the response using the group mode of Group OSCORE, as defined in . In particular, the client verifies the counter signature in the response, based on the 'kid' of the server it sent the request to. When verifying the response, the Request-Hash option is treated as a Class I option.
Deterministic Requests to Multiple ServersA Deterministic Request can be sent to a CoAP group, e.g. over UDP and IP multicast , thus targeting multiple servers at once.To simplify key derivation, such a Deterministic Request is still created in the same way as a one-to-one request and still protected with the pairwise mode of Group OSCORE, as defined in .[ Note: If it was protected with the group mode, the request hash would need to be fed into the group key derivation just for this corner case. Furthermore, there would need to be a signature from the absent public key. ]When a server receives a request from the Deterministic Client as addressed to a CoAP group, the server proceeds as defined in , with the difference that it MUST include its own Sender ID in the response, as 'kid' parameter of the OSCORE option.Although it is normally optional for the server to include its Sender ID when replying to a request protected in pairwise mode, it is required in this case for allowing the client to retrieve the Recipient Context associated to the server originating the response.Obtaining Information about the Deterministic ClientThis section extends the Joining Process defined in , and based on the ACE framework for Authentication and Authorization . Upon joining the OSCORE group, this enables a new group member to obtain from the Group Manager the required information about the Deterministic Client (see ).With reference to the 'key' parameter of the Joining Response defined in , the Group_OSCORE_Input_Material object specified as its value contains also the two additional parameters 'det_senderId' and 'det_hash_alg'. These are defined in of this document. In particular:
The 'det_senderId' parameter, if present, has as value the OSCORE Sender ID assigned to the Deterministic Client by the Group Manager. This parameter MUST be present if the OSCORE group uses deterministic requests as defined in this document. Otherwise, this parameter MUST NOT be present.
The 'det_hash_alg' parameter, if present, has as value the hash algorithm to use for computing the hash of a plain CoAP request, when producing the associated Deterministic Request. This parameter takes values from the "Value" column of the "COSE Algorithms" Registry . This parameter MUST be present if the OSCORE group uses deterministic requests as defined in this document. Otherwise, this parameter MUST NOT be present.
The same extension above applies also to the 'key' parameter when included in a Key Distribution Response (see Sections and of ) and in a Signature Verification Data Response (see ).Security ConsiderationsThe same security considerations from hold for this document.Compared to Group OSCORE,
deterministic requests dispense with some of OSCORE's security properties
by just so much as to make caching possible:
Receiving a response to a deterministic request does not mean that the response was generated after the request was sent.
It still contains two freshness statements, though:
It is more recent than any other response from the same group member that has a smaller sequence number.
It is more recent than the original creation of the deterministic security context's key material.
Request privacy is limited.
An intermediary can determine that two requests from different clients
are identical, and associate the different responses generated for them.
A server producing responses of varying size to a request
can use the Padding option to hide when the response is changing.
Source authentication for requests is lost.
Instead, the server must verify that the request (precisely: its handler) is side effect free.
The distinct semantics of the CoAP request codes can help the server make that assessment.
[ More on the verification of the Deterministic Request ]IANA ConsiderationsThis document has the following actions for IANA.CoAP Option Numbers RegistryIANA is asked to enter the following option numbers to the "CoAP Option Numbers" registry defined in within the "CoRE Parameters" registry.[For the Request-Hash option, the number suggested to IANA is 548.For the Padding option, the option number is picked to be the highest number in the Experts Review range; the high option number allows it to follow practically all other options, and thus to be set when the final unpadded message length including all options is known. Therefore, the number suggested to IANA is 64988.Applications that make use of the "Experimental use" range and want to preserve that property are invited to pick the largest suitable experimental number (65532)Note that unless other high options are used, this means that padding a message adds an overhead of at least 3 bytes, i.e. 1 byte for option delta/length and two more bytes of extended option delta. This is considered acceptable overhead, given that the application has already chosen to prefer the privacy gains of padding over wire transfer length.]OSCORE Security Context Parameters RegistryIANA is asked to register the following entries in the "OSCORE Security Context Parameters" Registry defined in .
Name: det_senderId
CBOR Label: TBD3
CBOR Type: bstr
Registry: -
Description: OSCORE Sender ID assigned to the Deterministic Client of an OSCORE group
Reference: [[this document]] ()
Name: det_hash_alg
CBOR Label: TBD4
CBOR Type: int / tstr
Registry: -
Description: Hash algorithm to use in an OSCORE group when producing a Deterministic Request
Reference: [[this document]] ()
ReferencesNormative ReferencesGroup Communication for the Constrained Application Protocol (CoAP)IoTconsultancy.nlInterDigitalRISE AB This document specifies the use of the Constrained Application
Protocol (CoAP) for group communication, including the use of UDP/IP
multicast as the default underlying data transport. Both unsecured
and secured CoAP group communication are specified. Security is
achieved by use of the Group Object Security for Constrained RESTful
Environments (Group OSCORE) protocol. The target application area of
this specification is any group communication use cases that involve
resource-constrained devices or networks that support CoAP. This
document replaces RFC 7390, while it updates RFC 7252 and RFC 7641.
Group OSCORE - Secure Group Communication for CoAPRISE ABEricsson ABEricsson ABEricsson ABUniversitaet Duisburg-Essen This document defines Group Object Security for Constrained RESTful
Environments (Group OSCORE), providing end-to-end security of CoAP
messages exchanged between members of a group, e.g., sent over IP
multicast. In particular, the described approach defines how OSCORE
is used in a group communication setting to provide source
authentication for CoAP group requests, sent by a client to multiple
servers, and for protection of the corresponding CoAP responses.
Group OSCORE also defines a pairwise mode where each member of the
group can efficiently derive a symmetric pairwise key with any other
member of the group for pairwise OSCORE communication.
CBOR Object Signing and Encryption (COSE): Structures and ProcessAugust Cellars Concise Binary Object Representation (CBOR) is a data format designed
for small code size and small message size. There is a need for the
ability to have basic security services defined for this data format.
This document defines the CBOR Object Signing and Encryption (COSE)
protocol. This specification describes how to create and process
signatures, message authentication codes, and encryption using CBOR
for serialization. This specification additionally describes how to
represent cryptographic keys using CBOR.
This document along with [I-D.ietf-cose-rfc8152bis-algs] obsoletes
RFC8152.
CBOR Object Signing and Encryption (COSE): Initial AlgorithmsAugust Cellars Concise Binary Object Representation (CBOR) is a data format designed
for small code size and small message size. There is a need for the
ability to have basic security services defined for this data format.
THis document defines a set of algorithms that can be used with the
CBOR Object Signing and Encryption (COSE) protocol RFC XXXX.
Key words for use in RFCs to Indicate Requirement LevelsIn many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.The Constrained Application Protocol (CoAP)The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks. The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s. The protocol is designed for machine- to-machine (M2M) applications such as smart energy and building automation.CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts of the Web such as URIs and Internet media types. CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments.PATCH and FETCH Methods for the Constrained Application Protocol (CoAP)The methods defined in RFC 7252 for the Constrained Application Protocol (CoAP) only allow access to a complete resource, not to parts of a resource. In case of resources with larger or complex data, or in situations where resource continuity is required, replacing or requesting the whole resource is undesirable. Several applications using CoAP need to access parts of the resources.This specification defines the new CoAP methods, FETCH, PATCH, and iPATCH, which are used to access and update parts of a resource.Ambiguity of Uppercase vs Lowercase in RFC 2119 Key WordsRFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.Object Security for Constrained RESTful Environments (OSCORE)This document defines Object Security for Constrained RESTful Environments (OSCORE), a method for application-layer protection of the Constrained Application Protocol (CoAP), using CBOR Object Signing and Encryption (COSE). OSCORE provides end-to-end protection between endpoints communicating using CoAP or CoAP-mappable HTTP. OSCORE is designed for constrained nodes and networks supporting a range of proxy operations, including translation between different transport protocols.Although an optional functionality of CoAP, OSCORE alters CoAP options processing and IANA registration. Therefore, this document updates RFC 7252.COSE AlgorithmsIANAInformative ReferencesObserving Resources in the Constrained Application Protocol (CoAP)The Constrained Application Protocol (CoAP) is a RESTful application protocol for constrained nodes and networks. The state of a resource on a CoAP server can change over time. This document specifies a simple protocol extension for CoAP that enables CoAP clients to "observe" resources, i.e., to retrieve a representation of a resource and keep this representation updated by the server over a period of time. The protocol follows a best-effort approach for sending new representations to clients and provides eventual consistency between the state observed by each client and the actual resource state at the server.CoAP: Echo, Request-Tag, and Token ProcessingEricsson ABEricsson AB This document specifies enhancements to the Constrained Application
Protocol (CoAP) that mitigate security issues in particular use
cases. The Echo option enables a CoAP server to verify the freshness
of a request or to force a client to demonstrate reachability at its
claimed network address. The Request-Tag option allows the CoAP
server to match block-wise message fragments belonging to the same
request. This document updates RFC 7252 with respect to the client
Token processing requirements, forbidding non-secure reuse of Tokens
to ensure binding of response to request when CoAP is used with a
security protocol, and with respect to amplification mitigation,
where the use of Echo is now recommended.
Key Management for OSCORE Groups in ACERISE ABUniversitaet Duisburg-EssenEricsson AB This document defines an application profile of the ACE framework for
Authentication and Authorization, to request and provision keying
material in group communication scenarios that are based on CoAP and
secured with Group Object Security for Constrained RESTful
Environments (OSCORE). This application profile delegates the
authentication and authorization of Clients that join an OSCORE group
through a Resource Server acting as Group Manager for that group.
This application profile leverages protocol-specific transport
profiles of ACE to achieve communication security, server
authentication and proof-of-possession for a key owned by the Client
and bound to an OAuth 2.0 Access Token.
OSCORE Implementation Guidance Object Security for Constrained RESTful Environments (OSCORE) is a
means of end-to-end protection of short request/response exchanges
for tiny devices, typically transported using the Constrained
Application Protocol (CoAP). This document aims to assist
implementers in leveraging the optimizations catered for by the
combination of CoAP and OSCORE, and by generally providing experience
from earlier implementations.
Observe Notifications as CoAP Multicast ResponsesRISE ABRISE ABEricsson AB The Constrained Application Protocol (CoAP) allows clients to
"observe" resources at a server, and receive notifications as unicast
responses upon changes of the resource state. In some use cases,
such as based on publish-subscribe, it would be convenient for the
server to send a single notification addressed to all the clients
observing a same target resource. This document updates RFC7252 and
RFC7641, and defines how a server sends observe notifications as
response messages over multicast, synchronizing all the observers of
a same resource on a same shared Token value. Besides, this document
defines how Group OSCORE can be used to protect multicast
notifications end-to-end between the server and the observer clients.
Authentication and Authorization for Constrained Environments (ACE) using the OAuth 2.0 Framework (ACE-OAuth)CombitechEricssonSpotify ABArm Ltd. This specification defines a framework for authentication and
authorization in Internet of Things (IoT) environments called ACE-
OAuth. The framework is based on a set of building blocks including
OAuth 2.0 and the Constrained Application Protocol (CoAP), thus
transforming a well-known and widely used authorization solution into
a form suitable for IoT devices. Existing specifications are used
where possible, but extensions are added and profiles are defined to
better serve the IoT use cases.
OSCORE Profile of the Authentication and Authorization for Constrained Environments FrameworkEricsson ABCombitechEricsson ABRISE This document specifies a profile for the Authentication and
Authorization for Constrained Environments (ACE) framework. It
utilizes Object Security for Constrained RESTful Environments
(OSCORE) to provide communication security and proof-of-possession
for a key owned by the client and bound to an OAuth 2.0 access token.
Star WarsCoAP: Non-traditional response formsUniversitaet Bremen TZI In CoAP as defined by RFC 7252, responses are always unicast back to
a client that posed a request. The present memo describes two forms
of responses that go beyond that model. These descriptions are not
intended as advocacy for adopting these approaches immediately, they
are provided to point out potential avenues for development that
would have to be carefully evaluated.
CoAP (Constrained Application Protocol) over TCP, TLS, and WebSocketsThe Constrained Application Protocol (CoAP), although inspired by HTTP, was designed to use UDP instead of TCP. The message layer of CoAP over UDP includes support for reliable delivery, simple congestion control, and flow control.Some environments benefit from the availability of CoAP carried over reliable transports such as TCP or Transport Layer Security (TLS). This document outlines the changes required to use CoAP over TCP, TLS, and WebSockets transports. It also formally updates RFC 7641 for use with these transports and RFC 7959 to enable the use of larger messages over a reliable transport.Change logSince -02:
Separate parts needed to respond to unauthenticated requests from the remaining deterministic response part.
(Currently this is mainly an addition; the document will undergo further refactoring if that split proves helpful).
Inner Observe is set unconditionally in deterministic requests.
Clarifications around padding and security considerations.
Since -01:
Not meddling with request_kid any more.
Instead, Request-Hash in responses is treated as Class I, but typically elided.
In requests, this removes the need to compute the external_aad twice.
Derivation of the hash now uses the external_aad, rather than the full AAD. This is good enough because AAD is a function only of the external_aad, and the external_aad is easier to get your hands on if COSE manages all the rest.
The Sender ID of the Deterministic Client is immutable throughout the group lifetime. Hence, no need for any related expiration/creation time and mechanisms to perform its update in the group.
Extension to the ACE Group Manager of ace-key-groupcomm-oscore to provide required info about the Deterministic Client to new group members when joining the group.
Alignment with changes in core-oscore-groupcomm-12.
Editorial improvements.
Since -00:
More precise specification of the hashing (guided by first implementations)
Focus shifted to deterministic requests (where it should have been in the first place; all the build-up of Token Requests was moved to a motivating appendix)
Aligned with draft-tiloca-core-observe-responses-multicast-05 (not submitted at the time of submission)
List the security properties lost compared to OSCORE
PaddingAs discussed in , information can be leaked by the length of a response or, in different contexts, of a request.In order to hide such information and mitigate the impact on privacy, the following Padding option is defined, to allow increasing a message's length without changing its meaning.The option can be used with any CoAP transport, but is especially useful with OSCORE as that does not provide any padding of its own.Before choosing to pad a message by using the Padding option, application designers should consider whether they can arrange for common message variants to have the same length by picking a suitable content representation; the canonical example here is expressing "yes" and "no" with "y" and "n", respectively.Definition of the Padding OptionAs summarized in , the Padding option is elective, safe to forward and not part of the cache key; these follow from the usage instructions. The option may be repeated, as that may be the only way to achieve a certain total length for the padded message.When used with OSCORE, the Padding option is of Class E,
this makes it indistinguishable from other Class E options or the payload to third parties.Using and processing the Padding optionWhen a server produces different responses of different length for a given class of requests
but wishes to produce responses of consistent length
(typically to hide the variation from anyone but the intended recipient),
the server can pick a length that all possible responses can be padded to,
and set the Padding option with a suitable all-zero option value in all responses to that class of requests.Likewise, a client can decide on a class of requests that it pads to consistent length.
(This is of little applicability to Deterministic Requests;
there, the observer can group requests even if they are of the same length, and padding would hinder convergence on a single consensus request).Any party receiving a Padding option MUST ignore it.
In particular, a server MUST NOT make its choice of padding dependent on any padding present in the request.
(An option to coordinate response padding driven by the client is out of scope for this document).Proxies that see a padding option MAY discard it.Simple Cacheability using Ticket RequestsBuilding on the concept of Phantom Requests and Informative Responses defined in ,
basic caching is already possible without building a Deterministic Request.The approach discussed in this appendix is not provided for application. In fact, it is efficient only when dealing with very large representations and no OSCORE inner Block-Wise mode (which is inefficient for other reasons), or when dealing with observe notifications (which are already well covered in ).Rather, it is more provided as a "mental exercise" for the authors and interested readers to bridge the gap between this document and .That is, instead of replying to a client with a regular response, a server can send an Informative Response, defined as a protected 5.03 (Service Unavailable) error message. The payload of the Informative Response contains the Phantom Request, which is a Ticket Request in this document's broader terminology.Unlike a Deterministic Request, a Phantom Request is protected in Group Mode.
Instead of verifying a hash, the client can see from the signature that this was indeed the request the server is answering.
The client also verifies that the request URI is identical between the original request and the Ticket Request.The remaining exchange largely plays out like in 's "Example with a Proxy and Group OSCORE":
The client sends the Phantom Request to the proxy (but, lacking a tp_info, without a Listen-To-Multicast-Responses option),
which forwards it to the server for lack of the option.The server then produces a regular response and includes a non-zero Max-Age option as an outer CoAP option. Note that there is no point in including an inner Max-Age option, as the client could not pin it in time.When a second, different client later asks for the same resource at the same server, its new request uses a different 'kid' and 'Partial IV' than the first client's. Thus, the new request produces a cache miss at the proxy and is forwarded to the server, which responds with the same Ticket Request provided to the first client. After that, when the second client sends the Ticket Request, a cache hit at the proxy will be produced, and the Ticket Request can be served from the proxy's cache.When multiple proxies are in use, or the response has expired from the proxy's cache, the server receives the Ticket Request multiple times. It is a matter of perspective whether the server treats that as an acceptable replay (given that this whole mechansim only makes sense on requests free of side effects), or whether it is conceptualized as having an internal proxy where the request produces a cache hit.Application for More Efficient End-to-End Protected Multicast Notifications defines how a CoAP server can serve all clients observing a same resource at once, by sending notifications over multicast. The approach supports the possible presence of intermediaries such as proxies, also if Group OSCORE is used to protect notifications end-to-end.However, comparing the "Example with a Proxy" in and the "Example with a Proxy and Group OSCORE" in shows that, when using Group OSCORE, more requests need to hit the server. This is because every client originally protects its Observation request individually, and thus needs a custom response served to obtain the Phantom Request as a Ticket Request.If the clients send their requests as the same deterministic request, the server can use these requests as Ticket Requests as well. Thus, there is no need for the server to provide a same Phantom Request to each client.Instead, the server can send a single unprotected Informative Response - very much like in the example without Group OSCORE - hence setting the proxy up and optionally providing also the latest notification along the way.The proxy can thus be configured by the server following the first request from the clients, after which it has an active observation and a fresh cache entry in time for the second client to arrive.Open questions
Is "deterministic encryption" something worthwhile to consider in COSE?
COSE would probably specify something more elaborate for the KDF
(the current KDF round is the pairwise mode's;
COSE would probably run through KDF with a KDF context structure).
COSE would give a header parameter name to the Request-Hash
(which for the purpose of OSCORE deterministic requests would put back into Request-Hash by extending the option compression function across the two options).
Conceptually, they should align well, and the implementation changes are likely limited to how the KDF is run.
An unprotection failure from a mismatched hash will not be part of the ideally constant-time code paths that otherwise lead to AEAD unprotect failures. Is that a problem?
After all, it does tell the attacker that they did succeed in producing a valid MAC (it's just not doing it any good, because this key is only used for deterministic requests and thus also needs to pass the Request-Hash check).
Unsorted further ideas
All or none of the deterministic requests should have an inner observe option.
Preferably none -- that makes messages shorter, and clients need to ignore that option either way when checking whether a Consensus Request matches their intended request.
AcknowledgmentsThe authors sincerely thank Michael Richardson, Jim Schaad and Goeran Selander for their comments and feedback.The work on this document has been partly supported by VINNOVA and the Celtic-Next project CRITISEC; and by the H2020 project SIFIS-Home (Grant agreement 952652).