| Internet-Draft | BP SAFE | June 2025 |
| Sipos | Expires 6 December 2025 | [Page] |
This document defines a protocol for negotiating scoped security associations between Bundle Protocol version 7 (BPv7) agents within a delay-tolerant network (DTN). Security associations are used to amortize the costs of asymmetric-keyed security operations and allow for efficient and high-throughput BPv7 security within a public key infrastructure.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 6 December 2025.¶
Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The combination of Bundle Protocol version 7 (BPv7) [RFC9171] and Bundle Protocol Security (BPSec) [RFC9172] enables security to be applied at a fine-grained level to individual blocks of a bundle.¶
When operating within a Public Key Infrastructure Using X.509 (PKIX) [RFC5280] environment, in the absence of any kind of online protocol between the security source and expected acceptor(s) there are two extreme alternatives for the use of public keys for integrity and/or confidentiality:¶
The security source can use a public key of the security source directly for signing each target or use a public key of the security acceptor directly for each target (for either key agreement or key encapsulation).¶
This is the strategy taken by the email security of S/MIME [RFC8551] and asymmetric algorithms of CBOR Object Signing and Encryption (COSE) [RFC9052]. While it ensures that each security operation can be processed independently it also introduces a large overhead because asymmetric-keyed algorithms are likely to be orders of magnitude more resource intensive than symmetric-keyed ones.¶
For key types which support key exchange, such as elliptic curve (EC) keys, the security source can use a public key from both the security source and acceptor to perform a one-time key derivation of a shared secret, and from that secret a pseudorandom function (PRF) can be used to derive symmetric keys known to both entities.¶
This allows the cost of one-time key exchange and PRF operations to be amortized across all of the cryptographic operations using the derived symmetric keys. But without any additional scoping added to the derived keys (e.g., valid time of use or volume of data processed, restriction to specific ciphersuites or algorithms, etc.), the keys themselves will be vulnerable to overuse or cross-use vulnerabilities.¶
This technique alone also provides confidentiality of the derived symmetric keys but does not intrinsically provide any authentication of the peer entity (via some identity binding to the associated private key). It also does not allow for forward secrecy because the original asymmetric keys need to be long-lived enough to handle all communications between the entities.¶
In order to both amortize the costs of asymmetric-keyed algorithms and to provide a separate means of mutually authenticating a peer BP node, including a proof-of-possession for the private key associated with a known public key, this document defines the Security Associations with Few Exchanges (SAFE) protocol.¶
The SAFE protocol operation is explained in detail in Section 2. It operates as an "in-band" application over BPv7 as depicted in Figure 1. This is similar to how the Internet Key Exchange Version 2 (IKEv2) protocol of [RFC7296] operates as an application over UDP/IP.¶
+-----------------------+ | Security Associations | -\ | (SAFE) | | +-----------------------| | | BPv7 + BPSec | -> Application Layer +-----------------------+ | | CL + opt. security | -/ +-----------------------+ | TCP/UDP/etc. | ---> Transport Layer +-----------------------+ | IPv4/IPv6 | ---> Network Layer +-----------------------+ | Link-Layer Protocol | ---> Link Layer +-----------------------+
This document describes the format of the protocol data units passed between BP nodes for security association negotiation and defines behavior at message source and destination nodes. It also defines how each participating node acts on those security associations to process BPSec security operations.¶
This document does not address:¶
Based on terminology from Section 3.1 of [RFC9171], the four data plane interaction points between a BP Agent (BPA) and other entities are shown for two agents in Figure 2. For simplicity that diagram shows a situation where there is reachability between the nodes in one direction, but typically reachability between nodes would be in both directions (via similar or dissimilar convergence layer types and/or hop counts).¶
Two of the interaction points are with application(s) registered as endpoints in the BPA (transmit and deliver) and two are with underlying convergence layer(s) used to transport bundles between BPAs (forward and receive) for each hop. Within a BPA there is logic about how and when to deliver, forward, retain, delete, discard, or some combination of those actions which are defined in Section 5 of [RFC9171]. This logic is indicated in later diagrams by the "(Decide)" label inside a BPA block.¶
+---------------+ +---------------+
| Registered | | Registered |
| Application(s)| | Application(s)|
+---------------+ +---------------+
| ^ | ^
Transmit| |Deliver Transmit| |Deliver
v | v |
+----------------+----+ +----------------+----+
| | | |
| BP Agent | | BP Agent |
| | | |
+----------------+----+ +----------------+----+
^ | ^ |
Receive| |Forward Receive| |Forward
| v | v
~---------+ +-----------~ ~---------+-+ +--------~
| | Forwarding Hop(s) | |
~---------+ +-----------~ ~-----------+ +--------~
This document considers two principal use cases to narrow the scope of discussion, each described in the following subsections. More complex use cases can be achieved by this protocol, either by more complex interaction with a BPSec entity or the use of techniques such as BIBE of [I-D.ietf-dtn-bibect] to perform secure tunneling between pairs of security gateway nodes.¶
The end-to-end use case is where the SAFE entities negotiate secondary SAs which match endpoints on the participating nodes themselves.
This use case corresponds to the end-to-end mode of Security Mode Selector (SMS).¶
For this mode the bundle flows and security processing will look like what is depicted in Figure 3. The negotiated security service is sourced immediately upon bundle creation (after the corresponding ADU is transmitted by the source endpoint), has a lifetime equal to the bundle itself, and is accepted immediately before bundle delivery (of the ADU to the destination endpoint).¶
| ^
Transmit| |Deliver
v |
+----+----------------+ +----------------+----+
| Source | | Accept |
| \ | | / |
| (Decide) | | (Decide) |
| \ | | / |
| \ | | / |
+----------------+----+ +----+----------------+
| ^
|Forward Receive|
v |
+-----------~ ~---------+-+
| Forwarding Hop(s) |
+-----------~ ~-----------+
The purpose of this mode is to ensure that specific traffic has integrity or confidentiality protection for its entire lifetime, applied as close to the endpoints as possible. This protection also includes any possible storage at the source and destination nodes.¶
The one-hop use case is where the SAFE entities negotiate secondary SAs which match arbitrary endpoints but apply to bundles traversing a single hop with a neighbor node.
This use case corresponds to the one-hop mode of Security Mode Selector (SMS).¶
For this mode the bundle flows and security processing will look like what is depicted in Figure 4. The negotiated security service is sourced immediately before forwarding (specifically to the peer node of the SA), has a lifetime of just a single bundle hop, and is accepted immediately upon reception at that peer node.¶
| ^
Transmit| |Deliver
v |
+----+----------------+ +----------------+----+
| \ | | / |
| \ | | / |
| (Decide) | | (Decide) |
| / \ | | / \ |
| / Source | | Accept \ |
+----+-----------+----+ +----+-----------+----+
^ | ^ |
Receive| |Forward Receive| |Forward
| v | v
+--------------------+-+
| Forwarding Hop |
+----------------------+
The purpose of this mode is to supplement security mechanisms (if any) provided by the forwarding convergence layer adapter (CLA). This allows the receiving node to authenticate data from the previous node during reception, by transitively linking the one-hop security back to the mutual authentication and proof-of-possession from the Initial Authentication (IA) activity.¶
This document defines CBOR structure using the Concise Data Definition Language (CDDL) of [RFC8610]. The entire CDDL structure can be extracted from the XML version of this document using the following XPath expression:¶
'//sourcecode[@type="cddl"]'¶
The following initial fragment defines the top-level symbols of this document's CDDL, including the PDU data structure with its parameter/result sockets.¶
start = safe-pdu-seq / safe-msg / safe-msg-bstr¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
Terminology used within the SAFE protocol includes the following:¶
The service of this protocol is the establishment and management of one or more secondary security association (SA) between two participating peer BP nodes (that may or may not be BP neighbors) which are used to inform a BPSec entity on each node how to secure specific traffic.¶
The initial confidential channel with forward secrecy, mutual authentication, and proof-of-possession is provided by an Ephemeral Diffie-Hellman Over COSE (EDHOC) session [RFC9528]. The EDHOC session also allows using external authorization data (EAD) items to confidentially transport SAND messages.¶
A side effect of the EDHOC session is the establishment of a primary SA between the two peers. The primary SA provides message confidentiality after the initial authentication EDHOC session. After a primary SA is established, this protocol allows creating secondary SAs through a single 1.5 round-trip activity without re-authenticating. It also allows managing established SAs, including symmetric key decommissioning and roll-over, in order to bound keys over time and over volume of processed data.¶
The concepts and procedures of SAFE are similar in both form and function to the IP-level IKEv2 of [RFC7296] and MAC-level Port-Based Network Access Control (BPNAC) of [802.1X]. These earlier protocols assume a low enough latency that chaining two-way exchanges over time is not a resource burden or source of major delay, and that if retransmissions are needed they can easily be performed at the exchange initiator side. Because SAFE is expected to operate in environments where one-way latency can be significant (see [RFC4838]), its structure in Section 4 is organized to avoid a sequence-of-exchanges pattern.¶
Instead of a two-way request--response pattern where all retransmission occurs from the requesting entity, the SAFE pattern is an activity sequence where the final message is purely acknowledgement that the activity has finished. SAFE separates its messaging sub-layer from its packetization sub-layer (see Section 4) to allow messages from multiple simultaneous activities to be aggregated together into a single protocol data unit (PDU). For an individual activity sequence this is results in more messages than two-way exchanges, but it enables pipelining of messages and retransmission from either side of an activity conversation.¶
This protocol embeds EDHOC as the messaging structure and behavior of the Initial Authentication (IA) activity type. Because the IA activity is the very beginning of a conversation between two SAFE entities, the packetization behavior during the IA activity is a special case containing a single EDHOC message in each PDU. This also means that during the IA activity EDHOC is responsible for confidentiality of SAFE data. After the IA has finished and a primary SA is established, confidentiality is provided by an application-layer use of COSE encryption (see Section 4.4).¶
The reason for establishing SAs in the first place is to be able to provide symmetric session keys to be used by BPSec for security operations on individual target blocks within specific bundles as described in Section 1.2. Part of the scoping of each SA includes a BPSec security context identifier and its options for which each derived symmetric key is authorized to be used.¶
A secondary SA is scoped by the following aspects which inform BPSec policy on each peer node.¶
In the typical use of IKEv2 [RFC7296], TLS [RFC8446], or DTLS [RFC9147] the full credentials (and in the case of PKIX certificates, full certificate chains) are carried in the protocol exchanges. Because the original target for EDHOC was constrained networks, the credentials themselves are purposefully omitted from the EDHOC messages and instead only credential identifiers are exchanged Section 3.5.3 of [RFC9528].¶
Part of the configuration for each SAFE entity is a set of peer information (see Section 3.1), each of which contains a set of validated credentials and their root-of-trust for that peer. It is still possible for SAFE entities to provide actual credential data, which itself is kept confidential as part of the secure channel established by EDHOC.¶
The protocol defined in this document defines a basic set of modes and data types which are expected to be suitable for many bundle security use cases. But the protocol uses extensible IANA registries (see Section 12.3) which allow future specifications to define additional well-known code points. And each registry has a reserved block to allow private networks to make use of private code points tailored to their specific needs.¶
BP SAFE operates by using an activity sequence of messages (see Section 5) to establish and maintain security associations between pairs of participating nodes.¶
There are two logical tiers of SA, primary and secondary, which are treated here as two separate information tables. How these are mapped to an actual internal data model is an implementation detail, as well as whether an entity treats all SAs together into one pool or separates primary and secondary SA data as indicated in this section.¶
All private asymmetric key material and all derived PRK and symmetric key material is expected to be maintained outside of the SAFE entity in some form of trusted execution environment (TEE). The key material is included in these information bases as a logical placeholder and to show its association with the other fields.¶
In order to set appropriate retransmission timers, the local entity needs to know expected timing information for each participating peer node.¶
| Name | Description |
|---|---|
| Peer EID | The transport EID for the SAFE entity on the peer node. |
| Round-Trip Time | The expected full round-trip time between a sent message and an acknowledgement. This value includes actual one-way-light time (OWLT) of links as well as expected queuing and processing delays. |
| Acceptable EDHOC Cipher Suites | A priority list of code points from the "EDHOC Cipher Suites" registry of [IANA-EDHOC] which are acceptable to use for EDHOC sessions with this peer. This value is sent in Message 1 when acting as an EDHOC initiator and validated when acting as an EDHOC responder. |
| TX Credential Types | A priority list of acceptable COSE credential types for EDHOC authentication of this node to the peer. Details on this complex field are described below. |
| Acceptable RX Credential Types | A priority list of acceptable COSE credential types for EDHOC authentication of the peer node. Details on this complex field are described below. |
For the two stores of credential types in the Participating Peers information base, the detailed information present consists of an ordered list of entries, each containing the following.¶
One of the "COSE Header Parameters" registry values from [IANA-COSE] which identifies a credential type:¶
Each SAFE entity maintains a table of in-progress activities and their associated metadata, with logical columns as indicated in Table 2.¶
| Name | Description |
|---|---|
| Initiator | The transport EID for the initiator of the activity. This may be a local endpoint or remote. |
| Responder | The transport EID for the responder of the activity. This will be the opposite site of conversation from the initiator endpoint. |
| Activity Index | The index, unique to the initiator, for the activity. |
| Last Step Transmitted (LTX) | The step of the activity which is associated with the last message sent to the peer. |
| Last Step Received (LRX) | The step of the activity which is associated with the last message received from the peer. This value is optional for activities initiated by the local entity. |
While the last received step is less than the last sent step, it means that the local entity is waiting for an acknowledging message. After the final message of an activity is received, the associated table row is removed as there is no need to maintain long-term bookkeeping of finished activities. TBD about row removal timer and ignoring late duplicate messages.¶
Each primary SA allows SAFE entities to provide PDU-level confidentiality and is used as the source of a shared secret from which secondary SAs can be derived. The state of each primary SA known to the local entity has logical columns as indicated in Table 3. The key information of a primary SA will contain exactly one key for each direction TBD. The primary SA has no specific endpoint selectors because each is used for security between the SAFE entities themselves rather than any other traffic.¶
| Name | Description |
|---|---|
| Local SAI | The locally-generated SA identifier for this entry. |
| Peer EID | The transport EID for the SAFE entity on the peer node. |
| Peer SAI | The peer-generated SA identifier for this entry. |
| AEAD Algorithm | The "application AEAD algorithm" from the EDHOC cipher suite negotiated as part of the IA activity. This applies to SAFE confidential PDU processing defined in Section 9.1. |
| Hash Algorithm |
The "application hash algorithm" from the EDHOC cipher suite negotiated as part of the IA activity.
This applies to the SAFE_KDF function defined in Section 8.3.
|
| TX Key Information | The primary SA has a single symmetric key for outgoing PDUs to the Peer EID, as a COSE key with contents as defined in Section 8.1. The associated key material is derived from the shared secret created during an Initial Authentication (IA) activity. |
| RX Key Information | The primary SA has a single symmetric key for incoming PDUs from the Peer EID, as a COSE key with contents as defined in Section 8.1. The associated key material is derived from the shared secret created during an Initial Authentication (IA) activity. |
| Primary pseudo-random key (PRK) |
Internal key material derived from the EDHOC session for this SA, as the byte string PRK_SA1 defined in Section 8.1.
This is used to derive further values for secondary SAs as defined in Section 8.3 and context-specific key derivations.
|
Each secondary SA allows SAFE entities to provide key material and associated policy configuration to a BPSec entity on the same BP node. The state of each secondary SA known to the local entity has logical columns as indicated in Table 4.¶
| Name | Description |
|---|---|
| Parent SA | The primary SA (Table 3) from which this secondary SA was derived, which includes the Peer EID of the other SAFE entity. |
| Local SAI | The locally-generated SA identifier for this entry, as defined in Section 6.5. |
| Peer SAI | The peer-generated SA identifier for this entry, as defined in Section 6.5. |
| Security Mode Selector | This is a mode selector for this SA, as defined in Section 6.8. |
| Validity Time Interval | An optional interval of time during which the SA is valid. The logic is consistent with the node time interval (NTI) of Section 6.9. If absent, the SA is valid for all time. |
| Local Endpoint Selectors | This is an unordered set of endpoint selector items for the local side of the SA, as described below and in Section 6.10. |
| Peer Endpoint Selectors | This is an unordered set of endpoint selector items for the local side of the SA, as described below and in Section 6.10. |
| Security Operation Selector | This is a combination of information derived from the negotiated Security Operation Selectors (SOS) during the Section 5.3 activity. |
| BPSec Context ID | This is a single code point from the "BPSec Security Context Identifiers" registry at [IANA-BUNDLE], which restricts the scope in which the key can be used and provides context for the Key Use Selector details below. |
| Key Use Options | This field represents a set of context-specific options which determine exactly how the SA and its keys are to be used by the BPSec entity on this node. The options are negotiated during SA Creation (SC) as defined in Section 6.12 and per-context specifications (see Section 9). |
| Key Information | This field represent a set of context-specific key material and derived options for each direction between the two peers. The key material are derived from the shared secret created during SA Creation (SC) as defined in Section 8.3 and per-context specifications (see Section 9). |
Each endpoint selector item functions as a filter for the BP Agent to determine to which bundles the SA applies. The order in which endpoint selectors and other filters are applied to filter bundles for security processing is an implementation matter and can be optimized to, for example, process the less expensive checks first to reduce the average expense of matching. An implementation is also free to perform additional indexing of endpoint selectors across multiple SAs to reduce total processing expense.¶
Each key use option contains fields necessary to restrict when and how the key can be used for BPSec security operations. The fields of each item roughly correspond with a COSE Key from Section 7 of [RFC9052] and an implementation can choose to use a COSE Key representation if that is convenient.¶
The SAFE protocol operates with three distinct sub-layers, each with a different structure and purpose. They are described as follows, starting from the topmost sub-layer and working down toward the BP transport.¶
+-------------------------------------------+
| Data Item 1 | ... | Data Item N | <- Activity
+-------------------------------------------+ Data
\__________________________________ |
\ |
+-------------------------------------------+
| Act. Idx. | Act. Step | Act. Type | Data |
+-------------------------------------------+
| SAFE Message | <- Messaging
+-------------------------------------------+ and Retransmission
\__ ____________________________/
\ /
+-------------------------------------+
| Msg. 1 bstr |...| Msg. N bstr | pad | <- Message Aggregation
+-------------------------------------+
| Plaintext |
+ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ +
| Ciphertext + tag | <- Message Security
+-------------------------------------------+
\____________________ |
\ |
+-------------------------------------------+
| Version | PIV | SAI | EDHOC / Ciphertext |
+-------------------------------------------+
| SAFE PDU | <- Packetization
+-------------------------------------------+
\___________________________ /
\ /
+-------------------------------------------+
| Bundle | Payload Block | <- Transport
+-------------------------------------------+ and Security
The contents of a SAFE message allow it to be correlated to a specific activity sequence and an individual step within that sequence (see Section 4.2 for details). All steps are numbered starting with zero at the initiator of an activity. The sending of a step number greater than zero is also used to acknowledge receipt and processing of the message with its preceding step number. The final acknowledgement of an activity is sent without a corresponding data payload in order to indicate that it is the end of the sequence.¶
Because SAFE allows messages to be aggregated into an PDU, this also enables explicit pipelining of multiple activities over a sequence of PDUs. It is an implementation matter to determine when to aggregate messages but the patterns defined in Section 7 make use of aggregation.¶
An example of this pipelining is shown in Figure 6, which depicts a series of PDUs sent in opposite direction between two peers "A" and "B". A Initial Authentication (IA) is the first activity, followed by a Capability Indication (CI) initiated in the opposite direction, and finally a pair of SA Creation (SC) activities initiated opposite that.¶
Node A A A A A
| ^ | ^ |
v | v | v
Node B B B B B
PDU #1 #2 #3 #4 #5
| | | | |
(IA 0 --- 1 --- 2 --- 3) |
| (CI 0 --- 1 --- 2) |
| | (SC 0 --- 1 --- 2)
| | (SC 0 --- 1 --- 2)
=----- time ----->
Each encoded SAFE message SHOULD use CBOR core deterministic encoding requirements from Section 4.2.1 of [RFC8949]. Each SAFE message SHALL consist of a CBOR sequence containing the following items.¶
The combination of Activity Index and Activity Step SHALL uniquely identify a message in an activity sequence independently of the type of activity being performed.¶
The activity index SHALL be unique per initiator and transport conversation (e.g., unordered pair of source and destination EID). The first activity index for a conversation SHALL be zero, and each subsequent activity initiated by a peer SHALL increment the activity index by one.¶
The first step of an activity SHALL be zero, and each subsequent step SHALL increment by one. This means that the initiator of an activity can be identified implicitly because it will only send messages with an even step number and will only receive messages with an odd step number.¶
The last message of an activity sequence SHALL NOT contain either an activity type or a data payload. That last message is purely to acknowledge the message from the previous step and conclude the activity.¶
This structure is indicated by the following CDDL for the general SAFE message structure and its data item payload.¶
safe-msg-bstr = bstr .cborseq safe-msg
safe-msg = $safe-msg .within safe-msg-struct
safe-msg-struct = [
msg-ident,
? (
act-type: int16,
data-map
)
]
; Unique identifier for a single message (one step of one activity)
msg-ident = (
act-idx: uint,
act-step: uint,
)
; activity-type-specific data
; non-negative labels are well-known
; negative labels are private use
data-map = {
* label => value,
}
; Generic map label
label = int16
; Generic map value
value = any
; Signed integer that fits in 16-bit two's complement form
int16 = (-32768 .. 32767) .within int
¶
As described in Section 3.2, the state kept by each entity about an activity includes the step of the message last sent by the entity (LTX) and the step last received from the peer entity (LRX). Based on these two step states, each entity can determine how to make progress¶
An example of this logic is shown in Figure 7.
The state notation of {LTX,LRX} indicates the LTX and LRX steps respectively and negative values are used as a placeholder for an invalid/absent step number.
If a transition has a specific trigger, it is indicated by square bracket text.¶
Initiator Responder
+-----------------+ +-----------------+
| | | |
| {-1,-1} Start | | {-1,-1} Start |
| | Step 0 | |
+--------+--------+ Message +--------+--------+
Re-TX | ident+data [RX 0]|
+--------+ | TX 0 ~~~~~~~~~~~~~~> |
| v v v
| +-----------------+ +-----------------+
| | | | |
+--+ { 0,-1} Wait | | {-1, 0} Process |
[timer]| | Step 1 | |
+--------+--------+ Message +--------+--------+
|[RX 1] ident+data | Re-TX
| <~~~~~~~~~~~~~~ TX 1 | +--------+
v v v |
+-----------------+ +-----------------+ |
| | | | |
| { 0, 1} Process | | { 1, 0} Wait +--+
| | Step 2 | |[timer]
+--------+--------+ Message +--------+--------+
| ident [RX 2]|
| TX 2 ~~~~~~~~~~~~~~> |
v v
+-----------------+ +-----------------+
| | | |
| { 2, 1} Finished| | { 1, 2} Finished|
| | | |
+--------+--------+ +--------+--------+
|[timer] [timer]|
v v
+-----------------+ +-----------------+
| | | |
| {-1,-1} Removed | | {-1,-1} Removed |
| | | |
+-----------------+ +-----------------+
Based on an existing activity state (Section 3.2) when the last LTX step is less than the LRX step, or when the initiator starts the activity, or an associated retransmission timer expires, the entity SHALL perform the following:¶
If the next step is within the number of steps for this activity type, generate type-specific data items based on the activity type and next step.¶
Otherwise, only the message identity is present and no activity type or data items are needed.¶
If either the LTX or LRX step are beyond the number of steps for this activity type, the activity is in the finished state.¶
Otherwise, begin a retransmission timer correlated to the activity index with a duration taken from the expected round-trip time between the peer node plus some optional additional margin. It is an implementation matter to determine the specific margin added to the expected round-trip duration.¶
Upon receiving a SAFE message from a peer, an entity SHALL perform the following:¶
Because SAFE is used to provide BPSec key material, the security properties of a SAFE bundle are more complex than other BP flows might be. For example, the bundles carrying Initialization messages need to be transported as plaintext payload (with intrinsic EDHOC protections) while other SAFE bundles need to be protected by the keys from a primary SA (negotiated as part of the EDHOC sequence).¶
The structure of a SAFE PDU is a CBOR sequence of the SAFE version number followed by header items and then payload items. The protocol in this document SHALL be identified by version number 1. The version specific header defined in this document SHALL be the following:¶
null value¶
true value¶
When the Partial IV is null, the payload SHALL be one of the EDHOC messages defined in [RFC9528] and handled in accordance with Section 5.1.
When the Receiver SAI is true, the payload SHALL be a Message 1 as defined in Section 5.2 of [RFC9528].
All other Receiver SAI values SHALL be treated as a connection identifier, encoded in accordance with Section 3.3.2 of [RFC9528], used to correlate with an existing EDHOC session.¶
When the Partial IV is a byte string, the payload SHALL be a SAFE ciphertext and handled in accordance with Section 9.1.2. In this case, Receiver SAI values SHALL be decoded as and treated as a Security Association Identifier (SAI) used to correlate with the Local SAI of a Primary SA (see Table 3) on the receiving entity.¶
This is indicated by the following CDDL for the SAFE bundle PDU sequence.¶
; Encoded to PDU as CBOR sequence
safe-pdu-seq = [
version: 1,
; PDU variants follow the same structure with unique prefix items
safe-pdu-edhoc // safe-pdu-confidential,
]
safe-pdu-edhoc //= (
partial-iv: null,
rx-sai: true,
; Group message_1 from RFC 9528
message_1
)
safe-pdu-edhoc //= (
partial-iv: null,
rx-sai: safe-sai,
edhoc_234 // error
)
; Equivalent to (message_2 // message_3 // message_4) from RFC 9528
; Encoded SAFE messages can be present in EAD items
edhoc_234 = bstr
safe-pdu-confidential //= (
partial-iv: bstr,
rx-sai: safe-sai,
; Ciphertext data corresponding to safe-pdu-plaintext below
ciphertext: bstr
)
; A sequence of encoded-message bstr with optional tagged padding
safe-pdu-plaintext = (+ safe-msg-bstr, ? safe-padding)
safe-padding = #6.55799(bstr)
safe-pdu-aad = (
rx-sai: safe-sai
)
Within restrictions defined for each message type, multiple messages MAY be combined into a single PDU (as either EDHOC EAD or SAFE plaintext). Due to the logic of the Initial Authentication (IA) sequencing, only one EDHOC session can make progress between two endpoints at any time so there is no concept of an EDHOC message embedded within an EAD item.¶
Each SAFE PDU is handled an application data unit (ADU) of a BPv7 bundle, referred to as a "SAFE bundle" in this document. Additional constraints, controllability, and visibility on transport parameters are defined in the following subsection.¶
Both the source and destination EID, defined in Section 4.3.1 of [RFC9171], for a SAFE bundle SHALL be singleton. The source EID for SAND bundles SHALL NOT be a null EID. Each endpoint for SAND messaging needs to be an identified singleton. The bundle source and destination EID for received bundles SHALL be exposed to the SAND application in order to support message exchange sequencing.¶
When using the IPN scheme, the EIDs used as source and/or destination SHOULD use the well-known service number defined in Section 12.1. SAFE applications can use other schemes and service numbers, but such configuration is an implementation and deployment matter.¶
The bundle creation timestamp (both DTN time and sequence number), defined in Timestamp Section 4.3.1 of [RFC9171], for received bundles SHALL be exposed to the SAND application to allow it to order received SAND bundles.¶
This section defines the initial types of activity which make use of SAFE message (Section 4.2) sequencing to exchange data.¶
Any current or future activity type SHALL define how many steps comprise a single sequence of messages and what is the required data payload of each step.¶
This activity is used to establish an initial shared secret between two SAFE endpoints which don't already have a usable SA, or when re-authentication is deemed necessary by either side of an existing SA.¶
Because this is the initializing activity for all other SAFE interactions, and occurs outside of any pre-existing SA, it does not follow the same message structure as other SAFE activities but it does use the same local progress bookkeeping and retransmission logic (from Section 4.3). The retransmission logic and the BP transport of Section 4 satisfies the EDHOC requirements of Section 3.4 of [RFC9528].¶
Even though the Initial Authentication (IA) activity does not follow the same messaging structure, it does have an activity identifier allocated to it in Table 22 to allow its state to be tracked in accordance with Section 3.2. The IA activity SHALL be identified by activity type 0.¶
Only one instance of this activity SHOULD be in progress at any time. The data of each PDU for the PI activity SHALL contain an EDHOC message as defined in Section 5 of [RFC9528].¶
The sequence of steps and their data for this activity are the following:¶
During transport, PI PDUs SHALL NOT be the target of a BPSec confidentiality operation between the participating (source and destination) nodes. The use of application-level confidentiality ensures the security of information exchanged via this PDU. There is no restriction on any intermediate security handling of SAFE PDUs between the participating nodes.¶
The CDDL corresponding to this activity type are the first two variations of safe-pdu-data from Section 4.4.
Additionally, the EAD payload of the EDHOC messages are extended to be able to carry encoded SAFE messages during the IA activity based on the safe-msg-bstr rule defined in Section 4.2.¶
After receiving the ID_CRED_x values from a peer, each SAFE entity SHALL¶
When the Message 2 payload is received by the initiator, both peers have established an EDHOC shared secret but only the responder has sent an identity to authenticate with the initiator. When the Message 3 payload is received by the responder, both peers have authenticated each other and established an application AEAD symmetric key and exporter state.¶
Upon the first reception or transmission of IA step 2 (i.e., EDHOC message_3), the entity SHALL create a primary SA based on the data derived in Section 8.1.¶
TBD based on Section 4 of [I-D.ietf-dtn-bpsec-cose]¶
This activity allows each entity to indicate its SAFE-related capabilities to its peer. The Capability Indication (CI) activity SHALL be identified by activity type 2.¶
The sequence of steps and their data for this activity are the following:¶
| Label | Type |
|---|---|
| 1 | A Concurrent Activity Support (CAS) limit |
| 2 | An EID Scheme Support (ESS) list |
| 3 | A BPSec Context Support (BCS) list |
ci-data = { * $$ci-data } .within data-map
$$ci-data //= (1: concur-act-limit)
$$ci-data //= (2: eid-scheme-list)
$$ci-data //= (3: bpsec-ctxid-list)
¶
This activity is used to create a new SA from within the context of an existing primary SA. The SA Creation (SC) activity SHALL be identified by activity type 3.¶
The sequence of steps and their data for this activity are the following:¶
The responder items with proposals SHALL be a logical subset of the initiator-provided proposals. The Secondary SA SHALL be configured to use a logical intersection between the items provided by the initiator and by the responder. For some cases of EID patterns, the intersection can be derived as a single pattern generated from the initiator and responder options. But for more complex cases, the intersection needs to be represented as a logical AND between the two separate patterns.¶
| Label | Type |
|---|---|
| 0 | Error indications per Section 6.1 for messages after step 0 |
| 1 | The local SAI per Section 6.5 for the SA which does not yet exist |
| Options for key material derivation | |
| 2 | An Additional Key Exchange (AKE) public key value |
| 3 | An Additional Random Nonce (ARN) value |
| Options for when to use the SA | |
| 9 | A Security Mode Selector (SMS) value |
| 6 | One or more Endpoint Selectors (ESx) proposals for the initiator side |
| 7 | One or more Endpoint Selectors (ESx) proposals for the responder side |
| 8 | A Node Time Interval (NTI) used as the SA validity time interval |
| Options for how to use the SA | |
| 4 | A Security Operation Selectors (SOS) with conditions for sourcing and accepting BPSec security |
| 5 | A Key Use Selectors (KUS) for a specific BPSec context, which contains one or more set of key use options as defined in Section 9 |
sc-data = {* $$sc-data } .within data-map
; Error codes from the responder
$$sc-data //= (0: safe-ete)
; SAI for the sender
$$sc-data //= (1: safe-sai)
; Optional PRF parameters
$$sc-data //= (2: safe-ake)
$$sc-data //= (3: safe-arn)
; Initiator side endpoint selectors
$$sc-data //= (6: safe-esx)
; Responder side endpoint selectors
$$sc-data //= (7: safe-esx)
; Time limit for the SA
$$sc-data //= (8: safe-nti)
; BPSec Context and its options for how to use the keys
$$sc-data //= (4: safe-kus)
¶
Upon the first reception or transmission of SC step 1, the entity SHALL create a secondary SA based on the data derived in Section 8.3.¶
This activity is used to establish a new set of derived key (and possibly other) material within an existing SA without changing the other parameters of the SA (e.g., algorithm choice or endpoint selectors). The SA Rekey (SR) activity SHALL be identified by activity type 4.¶
The sequence of steps and their data for this activity are the following:¶
| Label | Type |
|---|---|
| 1 | The local SAI per Section 6.5 |
| 2 | A key exchange public key per Section 6.6 |
| 3 | A random nonce per Section 6.7 |
sr-data = {* $$sr-data } .within data-map
; Error codes from the responder
$$sr-data //= (0: safe-ete)
; SAI for the sender
$$sr-data //= (1: safe-sai)
; Optional PRF parameters
$$sr-data //= (2: safe-ake)
$$sr-data //= (3: safe-arn)
¶
Upon the first reception or transmission of SR step 1, the entity SHALL correlate the Local SAI of a Primary SA or Secondary SA and rekey it based on the data derived in Section 8.2 or Section 8.4 respectively.¶
This activity is used to negotiate removal of an established SA from both entities. The SA Teardown (ST) activity SHALL be identified by activity type 5.¶
The sequence of steps and their data for this activity are the following:¶
| Label | Type |
|---|---|
| 1 | The local SAI per Section 6.5 |
st-data = {* $$st-data } .within data-map
; Error codes from the responder
$$st-data //= (0: safe-ete)
; SAI for the sender
$$st-data //= (1: safe-sai / true)
¶
TBD This activity is used by the initiator to inform the peer entity of an event. The Event Notification (EN) activity SHALL be identified by activity type 7.¶
en-data = {* $$en-data } .within data-map
$$en-data //= (1: en-cause)
en-cause = [msg-ident]
¶
This section defines the initial set of data items which can be present as the data payload of a SAFE message (Section 4.2).¶
Some types of data item allow the activity initiator to provide multiple independent proposals, from which the responder can either choose one proposal or create a new single proposal which narrows down from one provided by the initiator. It is the responsibility for each data item type to define detailed logic of acceptable responder proposals. Each proposal SHALL take the form of a CBOR map. When multiple proposals are present, they SHALL take the form of a CBOR array of proposal maps.¶
safe-proposals = [data-map] / [+ data-map]¶
The Error Type Enumeration (ETE) data item is used by its sender to signal a failure to process a message or make progress in an activity. The ETE value SHALL be an integer limited to the inclusive range -32768 to 32767.¶
These values are used in many activities to indicate a failure in decoding, processing, or consistency of received message contents. Well-known error values are non-negative and registered in Section 12.3. Private and experimental use error values are negative and not registered.¶
safe-ete = [+ safe-error] safe-error = int16¶
This data item indicates how many concurrent (pipelined) SAFE activities the sender of the item supports. The minimum number of concurrent activities supported SHALL be 2. This is necessary in order to enable the processing of Capability Indication (CI) containing this data item during the Initial Authentication (IA) messaging. The maximum number of concurrent activities supported SHALL be 1024. This is an arbitrary upper bound not expected to be encountered during normal operations.¶
An attempt by a peer to send messages associated with more than this limit¶
concur-act-limit = 2 .. 1024¶
This data item indicates which EID schemes the sender of the item supports. Schemes are identified by the code points from the "Bundle Protocol URI Scheme Types" registry at [IANA-BUNDLE], which includes a block reserved for private-use. Expressing support for an EID scheme indicates that the node can handle EIDs of that scheme and EID Patterns with scheme-specific parts.¶
eid-scheme-list = [+ eid-scheme] ; Unrestricted per RFC 9171 eid-scheme = uint¶
This data item indicates which BPSec contexts the sender of the data item supports. Schemes are identified by the code points from the "BPSec Security Context Identifiers" registry at [IANA-BUNDLE], which includes a block of negative values reserved for private-use. Expressing support for a security context indicates that the node can handle sourcing, verifying, and accepting security blocks using that context.¶
bpsec-ctxid-list = [+ bpsec-ctxid] ; Restricted domain per RFC 9172 bpsec-ctxid = -32768 .. 32767¶
The Security Association Identifier (SAI) data item is used by both sides of an SA to uniquely identify the SA within each entity. This means that a single SA has two SAIs used to identify it, one from each entity.¶
An SAI SHALL be treated as an opaque byte string as its internal representation and comparison logic. An SAI SHALL have the same compressed encoding rules as EDHOC connection identifiers as defined in Section 3.3.2 of [RFC9528].¶
safe-sai = bstr / -24..23¶
This data item indicates the public key of the sender for an additional ECDH exchange to add forward secrecy to a secondary SA. When sent by the activity initiator this is a request for additional key exchange, and when sent by the responder this is the confirmation that a key exchange is supported and desired. The algorithm and parameters related to key exchange are taken from the cipher suite negotiated by the primary SA.¶
; The compressed public key for the same algorithm as the primary SA safe-ake = bstr¶
This data item provides a random nonce value from the sender to add entropy into the PRF used during SA Creation (Section 5.3) and SA Rekey (Section 5.4) to generate SA data. The data value SHALL be a byte string with a size in the inclusive range 1 to 256 bytes.¶
safe-arn = bstr .size (1..256)¶
This data item controls how the secondary SA is used in the BP data plane by the BPSec entity in each participating node. This data value SHALL be an integer limited to the inclusive range -32768 to 32767.¶
Based on the discussion in Section 1.2 this document defines two modes: end-to-end (1) and one-hop (2). The behavior of these modes is defined in Section 9.2. Future specifications can add additional mode code points with different behavior.¶
safe-sms = secondary-sa-mode .within int16
secondary-sa-mode = &(
end-to-end: 1,
one-hop: 2,
)
¶
This data item filters on the current DTN time of the node hosting the SAFE entity. The type is used to limit the validity time of the associated SA, but requires synchronization of time between the two peers to perform properly. The start time can be the current time to allow immediate use of the SA or can be in the future to pre-establish an SA meant to be used later on. An entity can use NTI in multiple SCs, possibly using concurrent SC activities, to establish a chain of SAs each spanning a small time interval that together spans a large time interval.¶
The NTI value SHALL consist of a start time and an end time. The SA established with an NTI value SHALL be valid at an after the start time (inclusive), and only before the end time (exclusive).¶
relocate this to secondary SA info section? Multiple SAs between the same two peers with the same mode and endpoint selectors MAY have validity NTIs which overlap in time. In that case, it is an implementation matter to choose which SA to use for securing traffic. prefer lexicographic lower SAI?¶
; Using DTN time as reported by the local BP node
safe-nti = [
begin: dtn-time,
end: dtn-time
]
¶
This data item is used to determine which individual bundles will correlate with a secondary SA by comparing their source and destination EIDs to patterns. There is a separate endpoint selector applied to the initiator and responder side of a secondary SA, where each side selects on the source EID for traffic being forwarded from that node and destination EID for traffic being received by that node.¶
This selector filters on the Source or Destination of the bundle contained in its primary block (see Section 4.3.1 of [RFC9171]). The pattern can, but doesn't need to, include the EIDs from the node to which it applies (see Section 1.2).¶
The value of this data item consists of one or more EID Pattern in accordance with [I-D.ietf-dtn-eid-pattern], as indicated by the following CDDL. When multiple patterns are present they each represent an alternate proposal provided by the initiator and chosen by the responder of an activity.¶
safe-esx = eid-selectors .within safe-proposals eid-selectors = embed-eid-pattern / [+ embed-eid-pattern]¶
This data item controls how the node of each SAFE endpoint applies BPSec security operations to traffic selected for handling by the secondary SA.¶
The SOS value SHALL be an array with the following items.¶
safe-sos = [
target-block-types: [+ bpv7-block-type],
service: bpsec-service,
]
; Type consistent with RFC 9171
bpv7-block-type = uint
; Services available in RFC 9172
bpsec-service = &(
integrity: 1,
confidentiality: 2,
)
¶
This data item is used to negotiate the purpose(s) for which an SA-derived symmetric key can be used by each side of the SA.¶
The KUS value is an array with the following items.¶
safe-kus = $safe-kus .within safe-kus-struct
safe-kus-struct = [
ctxid: bpsec-ctxid,
options: data-map / [+ data-map] .within safe-proposals
]
¶
Some examples of what KUS options can be defined by each Context binding are: a specific algorithm identifier or an choice of additional authenticated data (AAD) outside the security target block.¶
The packetization form defined in Section 4 allows multiple messages to be combined into a single ADU but this behavior is limited by support for the receiving entity, as defined and communicated in the Concurrent Activity Support (CAS) data item. Two examples of how this parameter affects activity sequencing is shown in Figure 9 for a large CAS limit and Figure 10 for a constraining limit of two.¶
PDU #1 #2 #3 #4 #5
| | | | |
(IA 0 --- 1 --- 2 --- 3) |
| (CI 0 --- 1 --- 2) |
| | (SC 0 --- 1 --- 2)
| | (SC 0 --- 1 --- 2)
| | (SC 0 --- 1 --- 2)
=----- time ----->
PDU #1 #2 #3 #4 #5 #6 #7 #8 #9 #10
| | | | | | | | | |
(IA 0 --- 1 --- 2 --- 3)(SC 0 --- 1 --- 2)(SC 0 --- 1 --- 2)
| (CI 0 --- 1 --- 2)(SC 0 --- 1 --- 2)
=----- time ----->
Regardless of how activities are aggregated into specific ADUs, the following requirements apply to ordering of activities related to a single primary SA.¶
When no primary SA exists between two SAFE application endpoints, the first messaging between those applications SHALL be Initial Authentication (IA) used to progress the activity state and establish a primary SA. After a primary SA exists, either side of the SA MAY choose to initialize a new primary SA and re-authenticate with its peer.¶
Only after the first step of the IA activity has been received, the responder for the IA activity SHALL begin a Capability Indication (CI) activity. This CI activity MAY begin immediately upon sending of the second IA step, or MAY wait until after the IA activity has completed and a primary SA is established.¶
Only after the first step of the CI activity has been received, the initiator for the IA activity SHOULD begin any number of needed SA Creation (SC) activities. Only after the second step of the CI activity has been received, the responder for the IA activity SHOULD begin any number of needed SA Creation (SC) activities. The number of concurrent SC activities allowed to be started at each step is limited by the CAS limit for the receiving peer.¶
+-----------+
| Start |
+-----+-----+
IA step 0 |
|
+-------v--------+
| |
| Initializing <---.
| | |
+-------+---+----+ | IA step 1-2
IA step 3 | | |
| '--------`
|
+-------v--------+
| |
| Established <---.
| | | SA Rekey
+-------+------+-+ | (optional)
ST step 0 | | |
| '-----`
+-----v-----+
| Half Down |
+-----------+
ST step 1 |
+-----v-----+
| Removed |
+-----------+
Within the Initial Authentication (IA) activity, a shared secret is established and internal pseudo-random keys (PRKs) for EDHOC processing are derived.
One of the final PRKs, the PRK_exporter, is used for "EDHOC application" purposes which in this case means SAFE entity use.¶
The primary SA is used to manage derived data for two independent purposes: key parameters for message security between the SAFE endpoints themselves, and as the PRK shared secret used to derive secondary SAs between the two SAFE entities.¶
The primary SA key uses take the form of COSE key objects as defined in Section 7 of [RFC9052]. Because the acceptable algorithms are limited to AEAD encryption, the acceptable operations for each key in each entity are one of: encrypt (3), or decrypt (4).¶
When the COSE algorithm is one of the AEAD algorithms, the COSE key SHALL contain the following parameters.
Notably, these keys do not contain a kid parameter because they are not intended to be referenced from outside of the SAFE entity managing the primary SA.¶
kty (1):alg (3):key_ops (4):Base IV (5):BIV_IR (from Figure 12) if the key is for traffic from the initiator side, or BIV_RI otherwise¶
k (-1):K_IR (from Figure 12) if the key is for traffic from the initiator side, or K_RI otherwise¶
Pseudocode used to explain this is shown in Figure 12, where the named parameters are:¶
key_length:iv_length:hash_length:K_IR = EDHOC_Exporter(TBA4, 'key_ir', key_length) BIV_IR = EDHOC_Exporter(TBA4, 'biv_ir', iv_length) K_RI = EDHOC_Exporter(TBA4, 'key_ri', key_length) BIV_RI = EDHOC_Exporter(TBA4, 'biv_ri', iv_length) PRK_SA1 = EDHOC_Exporter(TBA4, 'prk_sa1', hash_length)
The "_ir" derived values apply to SAFE traffic from the initiator to the responder of the IA activity, and the "_ri" derived values apply to SAFE traffic in the other direction.¶
This procedure is based on the example from Appendix H of [RFC9528].¶
context_rekey = ARN(i) | ARN(r) | G_XY PRK_out, PRK_exporter = EDHOC_KeyUpdate(context_rekey)
An application-level derivation function SAFE_KDF is defined with the same logic as the EDHOC_KDF in Section 4.1.2 of [RFC9528] except using the "application hash algorithm" of the EDHOC cipher suite.
This KDF is used once per secondary SA to derive a seed PRK for the entire SA.¶
Pseudocode used to explain this is shown in Figure 14, where the named parameters are:¶
SAI(i) and SAI(r):ARN(i) and ARN(r):G_XY:context_sa2 = SAI(i) | SAI(r) | ARN(i) | ARN(r) | G_XY PRK_SA2 = SAFE_KDF(PRK_SA1, 0, context_sa2, hash_length)
Additional output key material (OKM) specific to the BPSec security context being used is then derived from the PRK_SA2 value with integer labels for different purposes.
It is part of the obligation of each BPSec key use to define what label values apply to key material needed by that context.
An IANA registry for recording these labels is defined in Section 12.3.¶
Pseudocode used to explain this is shown in Figure 15, where the named parameters are:¶
ctxid:context:length:SAFE_OKM(ctxid, context, length) = SAFE_KDF(PRK_SA2, ctxid, context, length)
The ultimate point of establishing a SA is to make use of the derived symmetric keys for BPSec security operations as defined in [RFC9172].¶
When BPSec contexts make use of SAs defined by this document they will require an explicit mapping from the algorithm and operation selectors from Section 3.4 onto the algorithm and operation identifiers specific to that context. For example the default security contexts correspond to a subset of the AES-GCM algorithms of specific key lengths (see Section 9.4) and the HMAC-SHA2 algorithms of specific key lengths (see Section 9.3).¶
All current and future BPSec context bindings SHALL define the following aspects:¶
SAFE_SA2 PRK from the secondary SA.¶
Part of the purpose of establishing a primary SA with a peer is to derive an encryption key (with associated base IV) to enable SAFE message confidentiality in each direction. Similar to how EDHOC cryptographic functions make use of COSE primitives but not COSE message encodings, SAFE reuses COSE primitives for its own end-to-end security.¶
These conditions apply even if there is an existing Primary SA which is being superseded by a new IA activity.¶
While an IA activity is in progress, outgoing SAFE messages SHALL be embedded as EAD items within an associated EDHOC message. Each encoded message byte string SHALL be placed in a separate EAD value with corresponding EAD label TBA5 in accordance with Section 3.8 of [RFC9528].¶
While an IA activity is in progress, incoming SAFE messages SHALL be extracted from the EAD of an associated EDHOC message. These messages are not processed any differently than other received SAFE messages.¶
After the IA activity has completed (initiator has sent, responder has received) step 3, a SAFE entity SHALL encrypt aggregated outgoing messages according to the following.¶
Internally generate and encrypt a COSE_Encrypt0 object as defined in Section 5.3 of [RFC9052] using the following inputs:¶
h''¶
A map containing the following pairs:¶
K_IR or K_RI of Section 8.1 from the Primary SA for the initiator or responder respectively, which will include a Base IV key parameter.¶
external_aad:safe-pdu-aad (as defined in Figure 8, and using the same encoding as the PDU) No binding to transport source EID??¶
Use the result to construct the following PDU fields, named as in Section 4.4:¶
partial-iv:rx-sai:ciphertext:Because this encoding does not use AAD to bind it to specific transport parameters, the entire PDU can be retained and retransmitted if necessary (see Section 4.3).¶
Upon receiving an PDU containing a non-null partial-iv value, the SAFE entity SHALL decrypt the aggregated messages according to the following.¶
Use the provided rx-sai to match with the Local SAI of one Primary SA.¶
If no match is found then TBD.¶
Internally generate and decrypt a COSE_Encrypt0 object as defined in Section 5.3 of [RFC9052] using the following parameters:¶
h''¶
A map containing the following pairs:¶
K_IR or K_RI of Section 8.3 from the Secondary SA for the initiator or responder respectively.¶
ciphertext field of the PDU payload¶
external_aad:safe-pdu-aad (as defined in Figure 8, and using the same encoding as the PDU)¶
If decryption fails then TBD.¶
For both encryption and decryption, the Base IV (defined in Section 8.1) present in the keys of the Primary SA is combined with the Partial IV byte string in accordance with Section 3.1 of [RFC9052].¶
This section contains logic related to how the Security Mode Selector (SMS), Validity Time Interval, Endpoint Selectors, and Security Operation Selector (SOS) of the Secondary SA (as described in Section 3.4) inform the BPSec entity on both the Initiator and Responder nodes.¶
The SMS value determines at which of the BP Agent interaction points (see Figure 2) the SA is applicable with logic as follows.¶
When the SMS value is end-to-end (1), the node SHALL apply the SA policy at bundle transmission (from endpoint application) as source and at bundle delivery (to endpoint application) as acceptor.¶
When the SMS value is one-hop (2), the node SHALL apply the SA policy at bundle forwarding (to CLA) as source and at bundle reception (from CLA) as acceptor.¶
At the source interaction point, the node SHALL only apply the SA policy when the current DTN time of the node is within the Validity Time Interval of the SA.¶
At the acceptor interaction point, the node SHALL only apply the SA policy when the DTN time from the Timestamp of the Primary Block (see Section 4.3.1 of [RFC9171]) is within the Validity Time Interval of the SA.¶
At each interaction point, the node SHALL compare the Source and Destination EID of the Primary Block (as defined in Section 4.3.1 of [RFC9171]) of each bundle against one of the following.¶
At the source interaction point, the Source EID is compared to the Local Endpoint Selectors field and the Destination EID is compared to the Peer Endpoint Selectors field.¶
At the acceptor interaction point, the Source EID is compared to the Peer Endpoint Selectors field and the Destination EID is compared to the Local Endpoint Selectors field.¶
This section defines how a secondary SA can be negotiated for and used by the integrity context of [RFC9173] with context identifier code point 1.¶
For the BIB-HMAC-SHA2 context the "Key Use Options" field of Section 3.4 is augmented to include the following information.¶
| Name | Description |
|---|---|
| SHA Variant | One of the code points defined in Section 3.3.1 of [RFC9173]. |
| Integrity Scope Flags | A value with bit flags defined in Section 3.3.3 of [RFC9173]. |
For the BIB-HMAC-SHA2 context the "Key Information" field of Section 3.4 is augmented to include the following information.¶
| Name | Description |
|---|---|
| TX Key | A byte string for the security source role. |
| RX Keys | One or more byte strings for the security acceptor role. |
The BIB-HMAC-SHA2 context uses existing code points to identify key use options.¶
$safe-kus /= [
ctxid: 1,
options: kus-options-ctxid1 .within safe-proposals
]
kus-options-ctxid1 = kus-map-ctxid1 / [+ kus-map-ctxid1]
kus-map-ctxid1 = {
; SHA Variant values from Section 3.3.1 of RFC 9173
1: uint,
; Integrity Scope flags from Section 3.3.3 of RFC 9173
2: uint,
}
¶
The secondary SA key uses for context 1 take the form of raw symmetric key data. Because the acceptable algorithms are limited to HMAC, there are no other options beyond the symmetric key.¶
The raw symmetric key SHALL be either CTX1_KEY_IR (from Figure 16) if the key is for traffic from the initiator side, or CTX1_KEY_RI otherwise.¶
CTX1_KEY_IR = SAFE_OKM(1, 'key_ir', key_length) CTX1_KEY_RI = SAFE_OKM(1, 'key_ri', key_length)
When each security operation for context 1 needs to be applied, as defined in Section 9.2, as the security source the node SHALL perform the following:¶
When each security operation for context 1 needs to be applied, as defined in Section 9.2, as the security acceptor the node SHALL perform the following:¶
This section defines how a secondary SA can be negotiated for and used by the confidentiality context of [RFC9173] with context identifier code point 2.¶
For the BCB-AES-GCM context the "Key Use Options" field of Section 3.4 is augmented to include the following information.¶
| Name | Description |
|---|---|
| AES Variant | One of the code points defined in Section 4.3.2 of [RFC9173]. |
| AAD Scope Flags | A value with bit flags defined in Section 4.3.4 of [RFC9173]. |
| IV Counter | An integer counter which initializes to 0 at SA creation. |
For the BCB-AES-GCM context the "Key Information" field of Section 3.4 is augmented to include the following information.¶
| Name | Description |
|---|---|
| TX Key | A byte string for the security source role. |
| TX IV Counter | An integer counter which initializes to 0 at SA creation. |
| RX Keys | One or more byte strings for the security acceptor role. |
The BCB-AES-GCM context uses existing code points to identify key use options.¶
$safe-kus /= [
ctxid: 2,
options: kus-options-ctxid2 .within safe-proposals
]
kus-options-ctxid2 = kus-map-ctxid2 / [+ kus-map-ctxid2]
kus-map-ctxid2 = {
; AES Variant values from Section 4.3.2 of RFC 9173
1: uint,
; AAD Scope flags from Section 4.3.4 of RFC 9173
2: uint,
}
¶
The secondary SA key uses for context 2 take the form of raw symmetric key data. Because the acceptable algorithms are limited to AEAD, there are no other options beyond the symmetric key.¶
The raw symmetric key SHALL be either CTX2_KEY_IR (from Figure 17) if the key is for traffic from the initiator side, or CTX2_KEY_RI otherwise.¶
CTX2_KEY_IR = SAFE_OKM(2, 'key_ir', key_length) CTX2_KEY_RI = SAFE_OKM(2, 'key_ri', key_length)
When each security operation for context 2 needs to be applied, as defined in Section 9.2, as the security source the node SHALL perform the following:¶
When each security operation for context 2 needs to be applied, as defined in Section 9.2, as the security acceptor the node SHALL perform the following:¶
This section defines how a secondary SA can be negotiated for and used by the COSE context of [I-D.ietf-dtn-bpsec-cose] with context identifier code point 3. The derived keys are suitable for use with COSE encryption or MAC operations between the nodes hosting the SAFE entities.¶
For the COSE context the "Key Use Options" field of Section 3.4 is augmented to include the following information.¶
| Name | Description |
|---|---|
| COSE Algorithm | One of the code points defined in the "COSE Algorithms" registry of [IANA-COSE] for either AEAD encryption or MAC operation. |
| AAD Scope | A map structure defined in Section 2.2.2 of [I-D.ietf-dtn-bpsec-cose]. |
For the COSE context the "Key Information" field of Section 3.4 is augmented to include the following information.¶
| Name | Description |
|---|---|
| TX COSE Key | A COSE Key object for the security source role. |
| TX Partial IV Counter | An integer counter which initializes to 0 at SA creation. This field is used only for confidentiality services. |
| RX COSE Keys | One or more COSE Key objects for the security acceptor role. |
The COSE key structure is defined in Section 7 of [RFC9052].¶
The BPSec COSE context uses existing COSE code points to identify key use options.¶
| Label | Description |
|---|---|
| 3 | One of the code points defined in the "COSE Algorithms" registry of [IANA-COSE] for either AEAD encryption or MAC operation. |
$safe-kus /= [
ctxid: 3,
options: kus-options-ctxid3 .within safe-proposals
]
kus-options-ctxid3 = kus-map-ctxid3 / [+ kus-map-ctxid3]
kus-map-ctxid3 = {
; COSE alg header values
3: tstr / int,
}
¶
The secondary SA key uses for context 3 take the form of COSE key objects. Because the acceptable algorithms are limited to AEAD encryption and MAC, the acceptable operations for each key in each entity are one of: encrypt (3), decrypt (4), MAC create (9), or MAC verify (10).¶
When the COSE algorithm is one of the MAC algorithms, the COSE key SHALL contain the following parameters.¶
kty (1):kid (2):alg (3):key_ops (4):k (-1):CTX3_KEY_IR (from Figure 18) if the key is for traffic from the initiator side, or CTX3_KEY_RI otherwise¶
When the COSE algorithm is one of the AEAD algorithms, the COSE key SHALL contain the following parameters.¶
kty (1):kid (2):alg (3):key_ops (4):Base IV (5):CTX3_BIV_IR (from Figure 18) if the key is for traffic from the initiator side, or CTX3_BIV_RI otherwise¶
k (-1):CTX3_KEY_IR (from Figure 18) if the key is for traffic from the initiator side, or CTX3_KEY_RI otherwise¶
CTX3_KEY_IR = SAFE_OKM(3, 'key_ir', key_length) CTX3_BIV_IR = SAFE_OKM(3, 'biv_ir', iv_length) CTX3_KEY_RI = SAFE_OKM(3, 'key_ri', key_length) CTX3_BIV_RI = SAFE_OKM(3, 'biv_ri', iv_length)
When each security operation for context 3 needs to be applied, as defined in Section 9.2, as the security source and the COSE algorithm is one of the MAC algorithms, the node SHALL perform the following:¶
A BIB result for COSE_Mac0 (17) SHALL be constructed in accordance with Section 2.3.1 of [I-D.ietf-dtn-bpsec-cose] containing the following parameters.¶
An encoded map containing the following pairs:¶
A map containing the following pairs:¶
external_aad:When each security operation for context 3 needs to be applied, as defined in Section 9.2, as the security acceptor and the COSE algorithm is one of the MAC algorithms, the node SHALL perform the following:¶
A BIB result for COSE_Mac0 (17) SHALL be extracted in accordance with Section 2.3.1 of [I-D.ietf-dtn-bpsec-cose] and verified to have the following minimum parameters.¶
An encoded map containing the following pairs:¶
A map containing the following pairs:¶
kid parameter from one of the COSE Key of the TX Key Information of the SA¶
If the required header parameters are missing or invalid, the procedure is considered failed.¶
The extracted COSE_Mac0 is then verified using the following parameters:¶
external_aad:If the verification fails, the procedure is considered failed.¶
When each security operation for context 3 needs to be applied, as defined in Section 9.2, as the security source and the COSE algorithm is one of the AEAD algorithms, the node SHALL perform the following:¶
A BCB result for COSE_Encrypt0 (16) SHALL be constructed in accordance with Section 2.3.2 of [I-D.ietf-dtn-bpsec-cose] containing the following parameters.¶
An encoded map containing the following pairs:¶
A map containing the following pairs:¶
external_aad:When each security operation for context 3 needs to be applied, as defined in Section 9.2, as the security acceptor and the COSE algorithm is one of the AEAD algorithms, the node SHALL perform the following:¶
A BCB result for COSE_Encrypt0 (16) SHALL be extracted in accordance with Section 2.3.2 of [I-D.ietf-dtn-bpsec-cose] and verified to have the following minimum parameters.¶
An encoded map containing the following pairs:¶
A map containing the following pairs:¶
If the required header parameters are missing or invalid, the procedure is considered failed.¶
The extracted COSE_Encrypt0 is then processed to decrypt using the following parameters:¶
external_aad:The decryption modifies the target block in place as a detached payload. If the authenticated decryption fails, the procedure is considered failed.¶
The parameters of the derived COSE keys already intrinsically restrict their use based on the requirements of [I-D.ietf-dtn-bpsec-cose] and [RFC9053], so no additional checks are specified in this document.¶
TBD with a new extended key use for this protocol. Profile of [RFC5280] allowing C509 [I-D.ietf-cose-cbor-encoded-cert].¶
This section separates security considerations into threat categories based on guidance of BCP 72 [RFC3552].¶
Because the SAFE protocol uses EDHOC for its initial authentication activity and messaging and uses primary SA data for confidentiality afterward, the only information which is exposed in plaintext are the Security Association Identifier (SAI) values (which are also EDHOC connection identifiers) and SAFE confidentiality partial IV (Section 4.4) values.¶
Both of these values are used strictly for uniqueness and can either be generated by a SAFE entity deterministically or randomly. Neither value contains data derived from or correlated to any outside information, so visibility to a passive attacker is not useful to degrade SAFE security. Their visibility could be used by a passive attacker for SAFE traffic analysis.¶
The sizes of ciphertext values in all forms of SAFE PDU can be used by a passive attacker to estimate the types of SAFE activities being performed. To mitigate this threat, it is possible for a SAFE entity to use EDHOC padding EAD (see Section 3.8.1 of [RFC9528]) during the IA activity or SAFE confidential PDU plaintext padding item (see Section 4.4).¶
The SAI values are necessary to correlate EDHOC messages and to decrypt SAFE PDUs, so must be in plaintext and any on-path attacker modification of these values will cause either the EDHOC negotiation to fail or the SAFE decryption to fail.¶
The IV values are already part of what would be sent with the associated ciphertext, and any modification will cause the SAFE decryption to fail.¶
Both of these conditions are detectable by the receiver being attacked so there is no possibility of the attacker causing undetectable changes.¶
The behaviors described in this section all amount to a potential denial-of-service to a participating node. The denial-of-service could be limited to an individual node, or could affect all entities on a host or network segment.¶
TBD¶
Registration procedures referred to in this section are defined in [RFC8126].¶
Within the registry group of [IANA-URI], the registry titled "'ipn' Scheme URI Well-known Service Numbers for BPv7" has been updated to include the following entry.¶
| Value | Description | Reference |
|---|---|---|
| TBA3 | BPv7 SAFE Messaging | [This specification] |
Within the registry group of [IANA-EDHOC], the registry titled "EDHOC Exporter Labels" has been updated to include the following entry.¶
| Label | Description | Reference |
|---|---|---|
| TBA4 | Derived BPv7 SAFE Secret | [This specification] |
Within the registry group of [IANA-EDHOC], the registry titled "EDHOC External Authorization Data" has been updated to include the following entry.¶
| Name | Label | Description | Reference |
|---|---|---|---|
| BPv7 SAFE | TBA5 | Set of Create messages for BPv7 SAFE | [This specification] |
A new registry group "Bundle Protocol (BP) Security Associations with Few Exchanges (SAFE)" has been created at [IANA-SAFE].¶
Within the registry group of [IANA-SAFE], the registry titled "SAFE Security Modes" has been created with registration procedures from Table 19 and initial contents of Table 20.¶
| Range | Registration Procedures |
|---|---|
| -32768 to -32641 | Experimental use |
| -32640 to -1 | Private use |
| 0 to 255 | RFC Required |
| 256 to 32767 | Specification Required |
| Value | Name | Reference |
|---|---|---|
| -32768 to -32641 | Reserved for experimental use | [This specification] |
| -32640 to -1 | Reserved for private use | [This specification] |
| 0 | reserved | [This specification] |
| 1 | end-to-end | [This specification] |
| 2 | one-hop | [This specification] |
| 3 to 32767 | Unassigned |
Within the registry group of [IANA-SAFE], the registry titled "SAFE Activity Types" has been created with registration procedures from Table 21 and initial contents of Table 22.¶
| Range | Registration Procedures |
|---|---|
| -32768 to -32641 | Experimental use |
| -32640 to -1 | Private use |
| 0 to 255 | RFC Required |
| 256 to 32767 | Specification Required |
| Value | Description | Notation | Reference |
|---|---|---|---|
| -32768 to -32641 | Reserved for experimental use | [This specification] | |
| -32640 to -1 | Reserved for private use | [This specification] | |
| 0 | Reserved for Initial Authentication | IA | Section 5.1 of [This specification] |
| 1 | Capability Indication | CI | Section 5.2 of [This specification] |
| 2 | SA Creation | SC | Section 5.3 of [This specification] |
| 3 | SA Rekey | SR | Section 5.4 of [This specification] |
| 4 | SA Teardown | ST | Section 5.5 of [This specification] |
| 5 | Event Notification | EN | Section 5.6 of [This specification] |
| 6 to 32767 | Unassigned |
Within the registry group of [IANA-SAFE], the registry titled "SAFE Message Data Items" has been created with the following initial contents. Each entry in the table indicates which messages are valid for containing the associated data item and the map label by which the item is identified. The registration procedure for this registry is identical to the corresponding "SAFE Activity Types" entry from the first column.¶
This registry includes only well-known data item types; private use labels can be used to include any other data items in a message.¶
| Activity Type Notation | Label | Description | Notation | Reference |
|---|---|---|---|---|
| all types | -32768 to -1 | Reserved for private use | [This specification] | |
| all types | 0 | Error Type Enumeration | ETE | Section 6.1 of [This specification] |
| IA | this activity does not use data item labels | |||
| CI | 1 | Concurrent Activity Support | CAS | Section 6.2 of [This specification] |
| CI | 2 | EID Scheme Support | ESS | Section 6.3 of [This specification] |
| CI | 3 | BPSec Context Support | BCS | Section 6.4 of [This specification] |
| SC | 1 | Security Association Identifier | SAI | Section 6.5 of [This specification] |
| SC | 2 | Additional Key Exchange | AKE | Section 6.6 of [This specification] |
| SC | 3 | Additional Random Nonce | ARN | Section 6.7 of [This specification] |
| SC | 9 | Security Mode Selector | SMS | Section 6.8 of [This specification] |
| SC | 6 | Endpoint Selector at Initiator | ESI | Section 6.10 of [This specification] |
| SC | 7 | Endpoint Selector at Responder | ESR | Section 6.10 of [This specification] |
| SC | 8 | Validity Node Time Interval | NTI | Section 6.9 of [This specification] |
| SC | 4 | Security Operation Selector | SOS | Section 6.11 of [This specification] |
| SC | 5 | Key Use Selector | KUS | Section 6.12 of [This specification] |
Within the registry group of [IANA-SAFE], the registry titled "SAFE Error Type Enumerations" has been created with the following initial contents. These entries are distinct and separate from the "EDHOC Error Codes" registry of [IANA-EDHOC].¶
| Activity Type Notation | Value | Description | Reference |
|---|---|---|---|
| all types | -32768 to -32641 | Reserved for experimental use | [This specification] |
| all types | -32640 to -1 | Reserved for private use | [This specification] |
| all types | 1 | Invalid data item label | [This specification] |
| all types | 2 | Unknown data item label | [This specification] |
| all types | 3 | Invalid data item value | [This specification] |
| SR,ST | 256 | Unknown security association | [This specification] |
This section contains a minimal example of two nodes initializing a primary SA and two secondary SAs with overlapping activities using pipelined messaging. The EDHOC messages in the IA activity are taken from the example in Section 2 of [RFC9529] to avoid duplicating EDHOC example logic here. This example does not include any PDU losses so no retransmission is needed.¶
PDU #1 #2 #3 #4 #5
| | | | |
(IA 0 --- 1 --- 2 --- 3) |
| (CI 0 --- 1 --- 2) |
| | (SC 0 --- 1 --- 2)
=----- time ----->
The encoded PDU #1 (initiator-to-responder) is the following byte string:¶
01f6f50006582031f82c7b5b9cbbf0f194d913cc12ef1532d328ef32632a4881a1c0 701e237f042d¶
The contents of that PDU are following CBOR sequence:¶
1, / version / null, / partial-iv / true, / rx-sai / / message_1: / 0, / method / 6, / suites / h'31f82c7b5b9cbbf0f194d913cc12ef1532d328ef32632a48 81a1c0701e237f04', / G_X / -14 / C_I /¶
The encoded PDU #2 (responder-to-initiator) is following byte string:¶
01f62d5880dc88d2d51da5ed67fc4616356bc8ca74ef9ebe8b387e623a360ba480b9 b29d1c9e2115f057ff0687a41a21a1d7fc4553061357fe93dbef391c83e18a27b29c e24e44a45916fdebe9c5a505abdec132750551154966a67eed27236c093e2774814f 11c5affadf8c0cd96e31fef7deda3398136d3e79419efd86efe646e1606b77¶
That PDU has the following decoded header, eliding the ciphertext message.¶
1, / version / null, / partial-iv / -14 / rx-sai from C_I / / message_2: h'dc88...6b77' /¶
Derived from the shared secrets, the PLAINTEXT_2 contents are the following:¶
4118A11822822E4879F2A41B510C1F9B58407934E54041AE5ACB7C68DE7ED477D947 E4214E84659D99FCD49C4B25033DD92AF50DE0570BC27B72039CEB2F4A4F8F05082F F9739A823C25634FE42BB306F296364F010001A30119040002820102038103¶
That plaintext has the following decoded items.¶
h'18', / C_R /
{34: [-15, h'79F2A41B510C1F9B']}, / ID_CRED_R with following sig. /
h'A9CAAE6BB615B3C50D774AFA0B6297AA3CCDBED1A03A34614DEE8A62216F685DC9
ED1C8DE7291E2C571E1E9DAD39B350869CC7B2658514EB7881E8B03D5C9D89',
-23, / EAD label with following value /
h'010001A30119040002820102038103'
¶
The embedded EAD_2 contains the following SAFE message:¶
1, / act. index /
0, / act. step /
1, / act. type: CI /
{
1: 1024, / CAS: max 1024 /
2: [1, 2], / ESS: dtn and ipn schemes /
3: [3] / BCS: COSE Context /
}
¶
The encoded PDU #3 is following byte string:¶
01f6411858c1e418256972ed10356c2cadc3e72dd86c16e830590972a7fa238c92b3 0c7cb6a030397061de4327b02b5aae7c0e1c6de2d67bd7627b33b8cb8e9bb8303aca 53143aacd8713413becc1a3ad2ad7ac3bee1b56cb576637738787106a415c41ab3c4 b70fe87782994bb93d25c2a7565255948267637511364b2236ae8ddbbfb4321246fc 38ba317216893f9afe59b85a4301e871944d8e3afb7de0278bf2cf7c161ce6fe2ff6 b2e6d8f5666d5ae4c555f07ee534293f4dc85d282bdd35e2676b126eee¶
That PDU has the following decoded header, eliding the ciphertext message.¶
1, / version / null, / partial-iv / h'18' / rx-sai from C_I / / message_3: h'e418...6eee' /¶
Derived from the shared secrets, the PLAINTEXT_3 contents are the following:¶
A11822822E48C24AB2FD7643C79F5840A6F33C8F1FED68F30F83261652D193DC1B29 A5B40A53AA6D695466F8E473B74548914C293F8EB127C71813993338E6573F90A60A BB6F3484FE4172056B645A0A36584D010002A80146235A91D189EA035056B44D9A0F 87538A24CA8EBE49D4FD51040305A10101090106F607F602582031F82C7B5B9CBBF0 F194D913CC12EF1532D328EF32632A4881A1C0701E237F04364F010101A301190400 02820102038103¶
That plaintext has the following decoded items.¶
{34: [-15, h'C24AB2FD7643C79F']}, / ID_CRED_I with following sig. /
h'A6F33C8F1FED68F30F83261652D193DC1B29A5B40A53AA6D695466F8E473B74548
914C293F8EB127C71813993338E6573F90A60ABB6F3484FE4172056B645A0A',
-23, / EAD label with following value /
h'010002A80146235A91D189EA035056B44D9A0F87538A24CA8EBE49D4FD51040305
A10101090106F607F602582031F82C7B5B9CBBF0F194D913CC12EF1532D328EF32
632A4881A1C0701E237F04',
-23, / EAD label with following value /
h'010101A30119040002820102038103'
¶
The embedded EAD_3 contains the following SAFE messages:¶
1, / act. index /
0, / act. step /
2, / act. type: SC /
{
1: h'235A91D189EA', / local SAI bytes /
3: h'56B44D9A0F87538A24CA8EBE49D4FD51', / ARN bytes /
4: 3, / CTX: COSE (3) /
5: { / KUS: /
1: 1 / alg: A128GCM (1) /
},
9: 1, / SMS: end-to-end (1) /
6: null, / TSI: still TBD /
7: null, / TSR: still TBD /
2: h'31F82C7B5B9CBBF0F194D913CC12EF1532D328EF32632A4881A1C0701E2
37F04' / AKE bytes /
}
¶
1, / act. index /
1, / act. step /
1, / act. type: CI /
{
1: 1024, / CAS: max 1024 /
2: [1, 2], / ESS: dtn and ipn schemes /
3: [3] / BCS: COSE Context /
}
¶
The encoded PDU #4 is following byte string:¶
01F62D586492459A97A617FE0176E1040FB1E98A640FBDF104E4839EB576F32EF07C F283B9C8FF4AC2B5B3DC72F15A5CAEC383A366A8310D97E369E1696D4D43BC9BAA99 E63E750D29344A95D9C703B21B7AE796F36F82FDF8798F5428AD8057C2D197B7F6DE 7ADEB6¶
That PDU has the following decoded header, eliding the ciphertext message.¶
1, / version / null, / partial-iv / -14 / rx-sai from C_I / / message_3: h'9245...DEB6' /¶
Derived from the shared secrets, the PLAINTEXT_4 contents are the following:¶
3642010236584d010102a80146a8c046494ebd035043184c4d9f379d2eb35fd2f2f1 1ae27b040305a10101090106f607f6025820dc88d2d51da5ed67fc4616356bc8ca74 ef9ebe8b387e623a360ba480b9b29d1c¶
That plaintext has the following decoded items.¶
-23, / EAD label with following value / h'0102', -23, / EAD label with following value / h'010102A80146A8C046494EBD035043184C4D9F379D2EB35FD2F2F11AE27B040305 A10101090106F607F6025820DC88D2D51DA5ED67FC4616356BC8CA74EF9EBE8B38 7E623A360BA480B9B29D1C'¶
The embedded EAD_4 contains the following SAFE messages:¶
1, / act. index / 2 / act. step /¶
1, / act. index /
1, / act. step /
2, / act. type: SC /
{
1: h'A8C046494EBD', / local SAI bytes /
3: h'43184C4D9F379D2EB35FD2F2F11AE27B', / ARN bytes /
4: 3, / CTX: COSE (3) /
5: { / KUS: /
1: 1 / alg: A128GCM (1) /
},
9: 1, / SMS: end-to-end (1) /
6: null, / TSI: still TBD /
7: null, / TSR: still TBD /
2: h'DC88D2D51DA5ED67FC4616356BC8CA74EF9EBE8B387E623A360BA480B9B
29D1C' / AKE bytes /
}
¶
The encoded PDU #5 is following byte string:¶
01410141185306684BF319BBE5B2237EF71606DB2714E0F992¶
That PDU has the following decoded header, eliding the ciphertext message.¶
1, / version / h'01', / partial-iv / h'18' / rx-sai from C_R / / message_3: h'0668...F992' /¶
Derived from the shared secrets, the PLAINTEXT contents are the following:¶
420102¶
That plaintext has the following decoded items.¶
h'0102'¶
The embedded byte strings contain the following SAFE messages:¶
1, / act. index / 2 / act. step /¶
Thanks go to Leonardo Babun and Cherita Corbett of JHU/APL for pre-draft review and editing of this document.¶