]> Ericsson

francesca.palombini@ericsson.com

RISE AB

Isafjordsgatan 22 Kista 16440 Stockholm Sweden marco.tiloca@ri.se

RISE AB

Isafjordsgatan 22 Kista 16440 Stockholm Sweden rikard.hoglund@ri.se

Fraunhofer AISEC

stefan.hristozov@eriptic.com

Ericsson

goran.selander@ericsson.com

Internet CoRE Working Group Internet-Draft The lightweight authenticated key exchange protocol EDHOC can be run over CoAP and used by two peers to establish an OSCORE Security Context. This document further profiles this use of the EDHOC protocol, by specifying a number of additional and optional mechanisms. These especially include an optimization approach for combining the execution of EDHOC with the first subsequent OSCORE transaction. This combination reduces the number of round trips required to set up an OSCORE Security Context and to complete an OSCORE transaction using that Security Context. Discussion Venues Discussion of this document takes place on the Constrained RESTful Environments Working Group mailing list (core@ietf.org), which is archived at . Source for this draft and an issue tracker can be found at .

Introduction Ephemeral Diffie-Hellman Over COSE (EDHOC) is a lightweight authenticated key exchange protocol, especially intended for use in constrained scenarios. In particular, EDHOC messages can be transported over the Constrained Application Protocol (CoAP) and used for establishing a Security Context for Object Security for Constrained RESTful Environments (OSCORE) . This document profiles this use of the EDHOC protocol, and specifies a number of additional and optional mechanisms. These especially include an optimization approach, that combines the EDHOC execution with the first subsequent OSCORE transaction (see ). This allows for a minimum number of round trips necessary to setup the OSCORE Security Context and complete an OSCORE transaction, e.g., when an IoT device gets configured in a network for the first time. This optimization is desirable, since the number of protocol round trips impacts on the minimum number of flights, which in turn can have a substantial impact on the latency of conveying the first OSCORE request, when using certain radio technologies. Without this optimization, it is not possible, not even in theory, to achieve the minimum number of flights. This optimization makes it possible also in practice, since the last message of the EDHOC protocol can be made relatively small (see ), thus allowing additional OSCORE-protected CoAP data within target MTU sizes. Furthermore, this document defines:

• A method for deterministically converting an OSCORE Sender/Recipient ID to a corresponding EDHOC connection identifier (see ). While this method is required to be used when using the optimization above, it is recommended in general, since it ensures that an OSCORE Sender/Recipient ID is always converted to the EDHOC identifier with the smallest size.
• A number of parameters corresponding to different information elements of an EDHOC applicability statement (see ). These can be specified as target attributes in the link to an EDHOC resource associated with that applicability statement, thus enabling an enhanced discovery of such resource for CoAP clients.

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. The reader is expected to be familiar with terms and concepts defined in CoAP , CBOR , CBOR sequences , OSCORE and EDHOC .

EDHOC Overview The EDHOC protocol allows two peers to agree on a cryptographic secret, in a mutually-authenticated way and by using Diffie-Hellman ephemeral keys to achieve forward secrecy. The two peers are denoted as Initiator and Responder, as the one sending or receiving the initial EDHOC message_1, respectively. After successful processing of EDHOC message_3, both peers agree on a cryptographic secret that can be used to derive further security material, and especially to establish an OSCORE Security Context . The Responder can also send an optional EDHOC message_4 to achieve key confirmation, e.g., in deployments where no protected application message is sent from the Responder to the Initiator. specifies how to transfer EDHOC over CoAP. That is, the EDHOC data (referred to as "EDHOC messages") are transported in the payload of CoAP requests and responses. The default message flow consists in the CoAP Client acting as Initiator and the CoAP Server acting as Responder. Alternatively, the two roles can be reversed. In the rest of this document, EDHOC messages are considered to be transferred over CoAP. shows a CoAP Client and Server running EDHOC as Initiator and Responder, respectively. That is, the Client sends a POST request to a reserved EDHOC resource at the Server, by default at the Uri-Path "/.well-known/edhoc". The request payload consists of the CBOR simple value "true" (0xf5) concatenated with EDHOC message_1, which also includes the EDHOC connection identifier C_I of the Client. This triggers the EDHOC exchange at the Server, which replies with a 2.04 (Changed) response. The response payload consists of EDHOC message_2, which also includes the EDHOC connection identifier C_R of the Server. The Content-Format of the response may be set to "application/edhoc". Finally, the Client sends a POST request to the same EDHOC resource used earlier to send EDHOC message_1. The request payload consists of the EDHOC connection identifier C_R, concatenated with EDHOC message_3. After this exchange takes place, and after successful verifications as specified in the EDHOC protocol, the Client and Server can derive an OSCORE Security Context, as defined in . After that, they can use OSCORE to protect their communications as per . The Client and Server are required to agree in advance on certain information and parameters describing how they should use EDHOC. These are specified in an applicability statement see , associated with the used EDHOC resource.

EDHOC and OSCORE run sequentially | | Header: 0.02 (POST) | | Uri-Path: "/.well-known/edhoc" | | Payload: true, EDHOC message_1 | | | | <---------------- EDHOC Response---------------- | | Header: 2.04 (Changed) | | Content-Format: application/edhoc | | Payload: EDHOC message_2 | | | EDHOC verification | | | | ----------------- EDHOC Request ---------------> | | Header: 0.02 (POST) | | Uri-Path: "/.well-known/edhoc" | | Payload: C_R, EDHOC message_3 | | | | EDHOC verification | + OSCORE Sec Ctx OSCORE Sec Ctx Derivation Derivation | | | ---------------- OSCORE Request ---------------> | | Header: 0.02 (POST) | | Payload: OSCORE-protected data | | | | <--------------- OSCORE Response --------------- | | Header: 2.04 (Changed) | | Payload: OSCORE-protected data | | | ]]>

As shown in , this purely-sequential flow where EDHOC is run first and then OSCORE is used takes three round trips to complete. defines an optimization for combining EDHOC with the first subsequent OSCORE transaction. This reduces the number of round trips required to set up an OSCORE Security Context and to complete an OSCORE transaction using that Security Context.

EDHOC Combined with OSCORE This section defines an optimization for combining the EDHOC exchange with the first subsequent OSCORE transaction, thus minimizing the number of round trips between the two peers. This approach can be used only if the default EDHOC message flow is used, i.e., when the Client acts as Initiator and the Server acts as Responder, while it cannot be used in the case with reversed roles. When running the purely-sequential flow of , the Client has all the information to derive the OSCORE Security Context already after receiving EDHOC message_2 and before sending EDHOC message_3. Hence, the Client can potentially send both EDHOC message_3 and the subsequent OSCORE Request at the same time. On a semantic level, this requires sending two REST requests at once, as in .

EDHOC and OSCORE combined | | Header: 0.02 (POST) | | Uri-Path: "/.well-known/edhoc" | | Payload: true, EDHOC message_1 | | | | <----------------- EDHOC Response------------------ | | Header: Changed (2.04) | | Content-Format: application/edhoc | | Payload: EDHOC message_2 | | | EDHOC verification | + | OSCORE Sec Ctx | Derivation | | | | ------------- EDHOC + OSCORE Request -------------> | | Header: 0.02 (POST) | | Payload: EDHOC message_3 + OSCORE-protected data | | | | EDHOC verification | + | OSCORE Sec Ctx | Derivation | | | <--------------- OSCORE Response ------------------ | | Header: 2.04 (Changed) | | Payload: OSCORE-protected data | | | ]]>

To this end, the specific approach defined in this section consists of sending a single EDHOC + OSCORE request, which conveys the pair (C_R, EDHOC message_3) within an OSCORE-protected CoAP message. That is, the EDHOC + OSCORE request is in practice the OSCORE Request from , as still sent to a protected resource and with the correct CoAP method and options intended for accessing that resource. At the same time, the EDHOC + OSCORE request also transports the pair (C_R, EDHOC message_3) required for completing the EDHOC exchange. Note that C_R is not transported precisely in the request payload. Since EDHOC message_3 may be too large to be included in a CoAP Option, e.g., if conveying a protected large public key certificate chain as ID_CRED_I (see ) or if conveying protected External Authorization Data as EAD_3 (see ), EDHOC message_3 has to be transported in the CoAP payload of the EDHOC + OSCORE request. The rest of this section specifies how to transport the data in the EDHOC + OSCORE request and their processing order. In particular, the use of this approach is explicitly signalled by including an EDHOC Option (see ) in the EDHOC + OSCORE request. The processing of the EDHOC + OSCORE request is specified in for the Client side and in for the Server side.

EDHOC Option This section defines the EDHOC Option. The option is used in a CoAP request, to signal that the request payload conveys both an EDHOC message_3 and OSCORE-protected data, combined together. The EDHOC Option has the properties summarized in , which extends Table 4 of . The option is Critical, Safe-to-Forward, and part of the Cache-Key. The option MUST occur at most once and is always empty. If any value is sent, the value is simply ignored. The option is intended only for CoAP requests and is of Class U for OSCORE .

The EDHOC Option.

The presence of this option means that the message payload contains also EDHOC data, that must be extracted and processed as defined in , before the rest of the message can be processed. shows the format of a CoAP message containing both the EDHOC data and the OSCORE ciphertext, using the newly defined EDHOC option for signalling.

CoAP message for EDHOC and OSCORE combined - signalled with the EDHOC Option

Client Processing The Client prepares an EDHOC + OSCORE request as follows.

1. Compose EDHOC message_3 as per .
2. Encrypt the original CoAP request as per , using the new OSCORE Security Context established after receiving EDHOC message_2. Note that the OSCORE ciphertext is not computed over EDHOC message_3, which is not protected by OSCORE. That is, the result of this step is the OSCORE Request as in .
3. Build a CBOR sequence composed of two CBOR byte strings in the following order.
   • The first CBOR byte string is the EDHOC message_3 resulting from step 1.
   • The second CBOR byte string has as value the OSCORE ciphertext of the OSCORE-protected CoAP request resulting from step 2.
4. Compose the EDHOC + OSCORE request, as the OSCORE-protected CoAP request resulting from step 2, where the payload is replaced with the CBOR sequence built at step 3. Note that the new payload includes EDHOC message_3, but it does not include the EDHOC connection identifier C_R. As the Client is the EDHOC Initiator, C_R encodes the OSCORE Sender ID of the Client, which is already specified as 'kid' in the OSCORE Option of the request from step 2, hence of the EDHOC + OSCORE request.
5. Signal the usage of this approach, by including the new EDHOC Option defined in into the EDHOC + OSCORE request.
6. Send the EDHOC + OSCORE request to the server.

With the same Server, the Client MUST NOT have more than one simultaneous outstanding interaction (see ) consisting of an EDHOC + OSCORE request and whose EDHOC data are intended to the EDHOC session with the same connection identifier C_R.

Supporting Block-wise If Block-wise is supported, the Client may fragment the original CoAP request before protecting it with OSCORE, as defined in . In such a case, the OSCORE processing in step 2 of is performed on each inner block of the original CoAP request, and the following also applies. The Client takes the additional following step between steps 2 and 3 of . A. If the OSCORE-protected request from step 2 conveys a non-first inner block of the original CoAP request (i.e., the Block1 Option processed at step 2 had NUM different than 0), then the Client skips the following steps and sends the OSCORE-protected request to the Server. In particular, the Client MUST NOT include the EDHOC Option in the OSCORE-protected request. The Client takes the additional following step between steps 3 and 4 of . B. If the size of the built CBOR sequence exceeds MAX_UNFRAGMENTED_SIZE (see ), the Client MUST stop processing the request and MUST abort the Block-wise tranfer. The Client can switch to the purely sequential workflow in , hence separately sending first EDHOC message_3 and then the OSCORE-protected CoAP request once the EDHOC execution is completed.

Server Processing In order to process a request containing the EDHOC option, i.e., an EDHOC + OSCORE request, the Server MUST perform the following steps.

1. Check that the EDHOC + OSCORE request includes the OSCORE option and that the request payload is a CBOR sequence composed of two CBOR byte strings. If this is not the case, the Server MUST stop processing the request and MUST reply with a 4.00 (Bad Request) error response.
2. Extract EDHOC message_3 from the payload of the EDHOC + OSCORE request, as the first CBOR byte string in the CBOR sequence.
3. Take the value of 'kid' from the OSCORE option of the EDHOC + OSCORE request (i.e., the OSCORE Sender ID of the Client), and use it to rebuild the EDHOC connection identifier C_R, as per .
4. Retrieve the correct EDHOC session by using the connection identifier C_R rebuilt at step 3. If the applicability statement used in the EDHOC session specifies that EDHOC message_4 shall be sent, the Server MUST stop the EDHOC processing and consider it failed, as due to a client error. Otherwise, perform the EDHOC processing on the EDHOC message_3 extracted at step 2 as per , based on the protocol state of the retrieved EDHOC session. The applicability statement used in the EDHOC session is the same one associated with the EDHOC resource where the server received the request conveying EDHOC message_1 that started the session. This is relevant in case the server provides multiple EDHOC resources, which may generally refer to different applicability statements.
5. Establish a new OSCORE Security Context associated with the client as per , using the EDHOC output from step 4.
6. Extract the OSCORE ciphertext from the payload of the EDHOC + OSCORE request, as the value of the second CBOR byte string in the CBOR sequence.
7. Rebuild the OSCORE-protected CoAP request, as the EDHOC + OSCORE request where the payload is replaced with the OSCORE ciphertext extracted at step 6. Then, remove the EDHOC option.
8. Decrypt and verify the OSCORE-protected CoAP request rebuilt at step 7, as per , by using the OSCORE Security Context established at step 5. If the decrypted request includes an EDHOC option but it does not include an OSCORE option, the Server MUST stop processing the request and MUST reply with a 4.00 (Bad Request) error response.
9. Deliver the CoAP request resulting from step 8 to the application.

If steps 4 (EDHOC processing) and 8 (OSCORE processing) are both successfully completed, the Server MUST reply with an OSCORE-protected response, in order for the Client to achieve key confirmation (see ). The usage of EDHOC message_4 as defined in is not applicable to the approach defined in this document. If step 4 (EDHOC processing) fails, the server discontinues the protocol as per and responds with an EDHOC error message with error code 1, formatted as defined in . In particular, the CoAP response conveying the EDHOC error message MUST have Content-Format set to application/edhoc defined in . If step 4 (EDHOC processing) is successfully completed but step 8 (OSCORE processing) fails, the same OSCORE error handling as defined in applies.

Supporting Block-wise If Block-wise is supported, the following applies, the Server takes the additional following step before any other in . A. If Block-wise is present in the request, then process the Outer Block options according to , until all blocks of the request have been received (see ).

Example of EDHOC + OSCORE Request shows an example of EDHOC + OSCORE Request. In particular, the example assumes that:

• The used OSCORE Partial IV is 0, consistently with the first request protected with the new OSCORE Security Context.
• The OSCORE Sender ID of the Client is 0x01. As per , this corresponds to the numeric EDHOC connection identifier C_R with value 1. When using the purely-sequential flow shown in , this would be prepended to EDHOC message_3 as the CBOR integer 1 (0x01 in CBOR encoding), in the payload of the second EDHOC request.
• The EDHOC option is registered with CoAP option number 21.

Example of CoAP message with EDHOC and OSCORE combined

Conversion from OSCORE to EDHOC Identifiers defines how an EDHOC connection identifier is converted to an OSCORE Sender/Recipient ID. In the following, defines a method for converting from OSCORE Sender/Recipient ID to EDHOC connection identifier. When running EDHOC through a certain EDHOC resource, the Client and Server MUST both use the conversion method defined in and MUST perform the additional message processing specified in , if at least one of the following conditions hold.

• The applicability statement associated with the EDHOC resource indicates that the server supports the EDHOC + OSCORE request defined in .
• The applicability statement associated with the EDHOC resource indicates that the conversion method defined in is the one to use.

Instead, if none of the above conditions hold, the Client and the Server can independently use any consistent conversion method, such as the one defined in or different ones defined in separate specifications. In particular, the Client and Server are not required to use the same conversion method. In fact, as per , it is sufficient that the two connection identifiers C_I and C_R exchanged during an EDHOC execution are different and not "equivalent", hence not convertible to the same OSCORE Sender/Recipient ID. Even in case none of the above conditions hold, it is RECOMMENDED for the Client and Server to use the conversion method defined in , since it ensures that an OSCORE Sender/Recipient ID is always converted to the EDHOC identifier with the smallest size among the two equivalent ones.

Conversion Method The process defined in this section ensures that every OSCORE Sender/Recipient ID is converted to only one of the two corresponding, equivalent EDHOC connection identifiers, see . An OSCORE Sender/Recipient ID, OSCORE_ID, is converted to an EDHOC connection identifier, EDHOC_ID, as follows.

• If OSCORE_ID is 0 bytes in size, it is converted to the empty byte string EDHOC_ID (0x40 in CBOR encoding).
• If OSCORE_ID has a size in bytes different than 0, 1, 2, 3, 5 or 9, it is converted to a byte-valued EDHOC_ID, i.e., a CBOR byte string with value OSCORE_ID. For example, the OSCORE_ID 0x001122334455 is converted to the byte-valued EDHOC_ID 0x001122334455 (0x46001122334455 in CBOR encoding).
• If OSCORE_ID has a size in bytes equal to 1, 2, 3, 5 or 9 the following applies.
  • If OSCORE_ID is a valid CBOR encoding for an integer value (i.e., it can be correctly decoded as a CBOR integer), then it is converted to a numeric EDHOC_ID having OSCORE_ID as its CBOR encoded form. For example, the OSCORE_ID 0x01 is converted to the numeric EDHOC_ID 1 (0x01 in CBOR encoding), while the OSCORE_ID 0x2B is converted to the numeric EDHOC_ID -12 (0x2B in CBOR encoding).
  • If OSCORE_ID is not a valid CBOR encoding for an integer value (i.e., it cannot be correctly decoded as a CBOR integer), then it is converted to a byte-valued EDHOC_ID having OSCORE_ID as its value. For example, the OSCORE_ID 0xFF is converted to the byte-valued EDHOC_ID 0xFF (0x41FF in CBOR encoding).
  Implementations can easily determine which case holds for a given OSCORE_ID with no need to try to actually CBOR-decode it, e.g., by using the approach in .

When performing the conversions above, the two peers MUST always refer to Deterministically Encoded CBOR as specified in , consistently with what is required by the EDHOC protocol .

Additional Processing of EDHOC Messages This section specifies additional EDHOC message processing compared to what is specified in .

Initiator Processing of Message 1 The Initiator selects C_I as follows.

1. The Initiator initializes a set ID_SET as the empty set.
2. The Initiator selects an available OSCORE Recipient ID, namely ID*, which is not included in ID_SET. Consistently with the requirements in , when selecting ID*:
   • The Initiator SHOULD select ID* only among the Recipient IDs which are currently not used in the sets of all its Recipient Contexts.
   • The Initiator MUST NOT select a Recipient ID as ID* if this is currently used in a Recipient Context within a Security Context where the ID Context has zero-length.
3. The Initiator converts ID* to the EDHOC connection identifier C_I, as per .
4. If the resulting C_I is already used, the Initiator adds ID* to ID_SET and moves back to step 2. Otherwise, it uses C_I as its EDHOC connection identifier.

Responder Processing of Message 1 The Responder MUST discontinue the protocol and reply with an EDHOC error message with error code 1, formatted as defined in , if C_I is a CBOR byte string and it has as value a valid CBOR encoding of an integer value (e.g., C_I is CBOR encoded as 0x4100). In fact, this would mean that the Initiator has not followed the conversion rule in when converting its (to be) OSCORE Recipient ID to C_I.

Responder Processing of Message 2 The Responder selects C_R as follows.

1. The Responder initializes a set ID_SET as the empty set.
2. The Responder selects an available OSCORE Recipient ID, ID*, which is not included in ID_SET. Consistently with the requirements in , when selecting ID*:
   • The Responder SHOULD select ID* only among the Recipient IDs which are currently not used in the sets of all its Recipient Contexts.
   • The Responder MUST NOT select a Recipient ID as ID* if this is currently used in a Recipient Context within a Security Context where the ID Context has zero-length.
3. The Responder converts ID* to the EDHOC connection identifier C_R, as per .
4. If the resulting C_R is already used or it is equal byte-by-byte to the C_I specified in EDHOC message_1, the Initiator adds ID* to ID_SET and moves back to step 2. Otherwise, it uses C_R as its EDHOC connection identifier.

Initiator Processing of Message 2 If any of the following conditions holds, the Initiator MUST discontinue the protocol and reply with an EDHOC error message with error code 1, formatted as defined in .

• C_R is equal byte-by-byte to the C_I that was specified in EDHOC message_1.
• C_R is a CBOR byte string and it has as value a valid CBOR encoding of an integer value (e.g., C_R is CBOR encoded as 0x4100). In fact, this would mean that the Responder has not followed the conversion rule in when converting its (to be) OSCORE Recipient ID to C_R.

Extension and Consistency of Applicability Statement The applicability statement referred by the Client and Server can include the information elements introduced below, in accordance with the specified consistency rules. If the Server supports the EDHOC + OSCORE request within an EDHOC execution started at a certain EDHOC resource, then the applicability statement associated with that resource:

• MUST NOT specify that EDHOC message_4 shall be sent.
• SHOULD explicitly specify support for the EDHOC + OSCORE request.
• SHOULD explicitly specify that the method to convert from EDHOC to OSCORE identifiers is the one defined in and MUST NOT specify any other method than that. If the support for the EDHOC + OSCORE request is explicitly specified and the method defined in is not explicitly specified, then the Client and Server MUST use it as conversion method.

If the Server does not support the EDHOC + OSCORE request within an EDHOC execution started at a certain EDHOC resource, then the applicability statement associated with that resource MAY specify a method to convert from EDHOC to OSCORE identifiers. In such a case, the Client and Server MUST use the specified conversion method, which MAY be the one defined in .

Web Linking registers the resource type "core.edhoc", which can be used as target attribute in a web link to an EDHOC resource, e.g., using a link-format document . This enables Clients to discover the presence of EDHOC resources at a Server, possibly using the resource type as filter criterion. At the same time, the applicability statement associated with an EDHOC resource provides a number of information describing how the EDHOC protocol can be used through that resource. While a Client may become aware of the applicability statement through several means, it would be convenient to obtain its information elements upon discovering the EDHOC resources at the Server. This might aim at discovering especially the EDHOC resources whose associated applicability statement denotes a way of using EDHOC which is most suitable to the Client, e.g., with EDHOC cipher suites or authentication methods that the Client also supports or prefers. That is, it would be convenient that a Client discovering an EDHOC resource contextually obtains relevant pieces of information from the applicability statement associated with that resource. The resource discovery can occur by means of a direct interaction with the Server, or instead by means of the CoRE Resource Directory , where the Server may have registered the links to its resources. In order to enable the above, this section defines a number of parameters, each of which can be optionally specified as a target attribute with the same name in the link to the respective EDHOC resource, or as filter criteria in a discovery request from the Client. When specifying these parameters in a link to an EDHOC resource, the target attribute rt="core.edhoc" MUST be included, and the same consistency rules defined in for the corresponding information elements of an applicability statement MUST be followed. The following parameters are defined.

• 'method', specifying an authentication method supported by the Server. This parameter MUST specify a single value, which is taken from the 'Value' column of the "EDHOC Method Type" registry defined in . This parameter MAY occur multiple times, with each occurrence specifying a different authentication method.
• 'csuite', specifying an EDHOC cipher suite supported by the Server. This parameter MUST specify a single value, which is taken from the 'Value' column of the "EDHOC Cipher Suites" registry defined in . This parameter MAY occur multiple times, with each occurrence specifying a different cipher suite.
• 'cred_t', specifying a type of authentication credential supported by the Server. This parameter MAY occur multiple times, with each occurrence specifying a different authentication credential type. Possible values are: "x509", for X.509 certificate ; "c509", for C509 certificate ; "cwt" for CWT ; "ccs" for CWT Claims Set (CCS) .
• 'idcred_t', specifying the type of identifiers supported by the Server for identifying authentication credentials. This parameter MUST specify a single value, which is taken from the 'Label' column of the "COSE Headers Parameters" registry . This parameter MAY occur multiple times, with each occurrence specifying a different type of identifier for authentication credentials. Note that the values in the 'Label' column of the "COSE Headers Parameters" registry are strongly typed. On the contrary, Link Format is weakly typed and thus does not distinguish between, for instance, the string value "-10" and the integer value -10. Thus, if responses in Link Format are returned, string values which look like an integer are not supported. Therefore, such values MUST NOT be used in the 'idcred_t' parameter.
• 'ead_1', 'ead_2', 'ead_3' and 'ead_4', specifying, if present, that the Server supports the use of External Authorization Data EAD_1, EAD_2, EAD_3 and EAD_4, respectively (see ). For each of these parameters, the following applies.
  • It MUST occur at most once, with its presence denoting support from the server for the respective external authorization data.
  • It MUST specify a single value, which is taken from the 'Label' column of the "EDHOC External Authorization Data" registry defined in .
• 'comb_req', specifying, if present, that the server supports the EDHOC + OSCORE request defined in . A value MUST NOT be given to this parameter and any present value MUST be ignored by parsers.
• 'osc_id_conv', specifying, if present, that the method to convert from OSCORE to EDHOC identifiers defined in is used. A value MUST NOT be given to this parameter and any present value MUST be ignored by parsers. The absence of this parameter does not mean that the method defined in is not used. Also, consistently with , the presence of the 'comb_req' parameter implies the use of the method defined in , and thus makes the additional presence of the 'osc_id_conv' parameter unnecessary.

The example in shows how a Client discovers two EDHOC resources at a Server, obtaining information elements from the respective applicability statements. The Link Format notation from is used.

The Web Link ;osc, ;if="sensor", ;rt="core.edhoc";csuite="0";csuite="2";method="0"; cred_t="c509";cred_t="ccs";idcred_t="4";comb_req, ;rt="core.edhoc";csuite="0";csuite="2";method="0"; method="3";cred_t="c509";cred_t="x509";idcred_t="34";osc_id_conv ]]>

Security Considerations The same security considerations from OSCORE and EDHOC hold for this document. TODO: more considerations

IANA Considerations RFC Editor: Please replace "[[this document]]" with the RFC number of this document and delete this paragraph. This document has the following actions for IANA.

CoAP Option Numbers Registry IANA is asked to enter the following option number to the "CoAP Option Numbers" registry within the "CoRE Parameters" registry group. [ The CoAP option numbers 13 and 21 are both consistent with the properties of the EDHOC Option defined in , and they both allow the EDHOC Option to always result in an overall size of 1 byte. This is because:

• The EDHOC option is always empty, i.e., with zero-length value; and
• Since the OSCORE option with option number 9 is always present in the CoAP request, the EDHOC option would be encoded with a maximum delta of 4 or 12, depending on its option number being 13 or 21.

At the time of writing, the CoAP option numbers 13 and 21 are both unassigned in the "CoAP Option Numbers" registry, as first available and consistent option numbers for the EDHOC option. This document suggests 21 (TBD21) as option number to be assigned to the new EDHOC option, since both 13 and 21 are consistent for the use case in question, but different use cases or protocols may make better use of the option number 13. ]

References Normative References In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. This specification defines Web Linking using a link format for use by constrained web servers to describe hosted resources, their attributes, and other relationships between links. Based on the HTTP Link Header field defined in RFC 5988, the Constrained RESTful Environments (CoRE) Link Format is carried as a payload and is assigned an Internet media type. "RESTful" refers to the Representational State Transfer (REST) architecture. A well-known URI is defined as a default entry point for requesting the links hosted by a server. [STANDARDS-TRACK] The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks. The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s. The protocol is designed for machine- to-machine (M2M) applications such as smart energy and building automation. CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts of the Web such as URIs and Internet media types. CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments. The Constrained Application Protocol (CoAP) is a RESTful transfer protocol for constrained nodes and networks. Basic CoAP messages work well for small payloads from sensors and actuators; however, applications will need to transfer larger payloads occasionally -- for instance, for firmware updates. In contrast to HTTP, where TCP does the grunt work of segmenting and resequencing, CoAP is based on datagram transports such as UDP or Datagram Transport Layer Security (DTLS). These transports only offer fragmentation, which is even more problematic in constrained nodes and networks, limiting the maximum size of resource representations that can practically be transferred. Instead of relying on IP fragmentation, this specification extends basic CoAP with a pair of "Block" options for transferring multiple blocks of information from a resource representation in multiple request-response pairs. In many important cases, the Block options enable a server to be truly stateless: the server can handle each block transfer separately, with no need for a connection setup or other server-side memory of previous block transfers. Essentially, the Block options provide a minimal way to transfer larger representations in a block-wise fashion. A CoAP implementation that does not support these options generally is limited in the size of the representations that can be exchanged, so there is an expectation that the Block options will be widely used in CoAP implementations. Therefore, this specification updates RFC 7252. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. This specification defines a model for the relationships between resources on the Web ("links") and the type of those relationships ("link relation types"). It also defines the serialisation of such links in HTTP headers with the Link header field. This document defines Object Security for Constrained RESTful Environments (OSCORE), a method for application-layer protection of the Constrained Application Protocol (CoAP), using CBOR Object Signing and Encryption (COSE). OSCORE provides end-to-end protection between endpoints communicating using CoAP or CoAP-mappable HTTP. OSCORE is designed for constrained nodes and networks supporting a range of proxy operations, including translation between different transport protocols. Although an optional functionality of CoAP, OSCORE alters CoAP options processing and IANA registration. Therefore, this document updates RFC 7252. This document describes the Concise Binary Object Representation (CBOR) Sequence format and associated media type "application/cbor-seq". A CBOR Sequence consists of any number of encoded CBOR data items, simply concatenated in sequence. Structured syntax suffixes for media types allow other media types to build on them and make it explicit that they are built on an existing media type as their foundation. This specification defines and registers "+cbor-seq" as a structured syntax suffix for CBOR Sequences. The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack. This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format. ARM SmartThings Universitaet Bremen TZI consultant In many IoT applications, direct discovery of resources is not practical due to sleeping nodes, or networks where multicast traffic is inefficient. These problems can be solved by employing an entity called a Resource Directory (RD), which contains information about resources held on other servers, allowing lookups to be performed for those resources. The input to an RD is composed of links and the output is composed of links constructed from the information stored in the RD. This document specifies the web interfaces that an RD supports for web servers to discover the RD and to register, maintain, lookup and remove information on resources. Furthermore, new target attributes useful in conjunction with an RD are defined. Ericsson AB Ericsson AB Ericsson AB This document specifies Ephemeral Diffie-Hellman Over COSE (EDHOC), a very compact and lightweight authenticated Diffie-Hellman key exchange with ephemeral keys. EDHOC provides mutual authentication, forward secrecy, and identity protection. EDHOC is intended for usage in constrained scenarios and a main use case is to establish an OSCORE security context. By reusing COSE for cryptography, CBOR for encoding, and CoAP for transport, the additional code size can be kept very low. IANA Informative References This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK] CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR), and CBOR Object Signing and Encryption (COSE) is used for added application-layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value. CWT is derived from JSON Web Token (JWT) but uses CBOR rather than JSON. Ericsson AB Ericsson AB RISE AB RISE AB Nexus Group This document specifies a CBOR encoding of X.509 certificates. The resulting certificates are called C509 Certificates. The CBOR encoding supports a large subset of RFC 5280 and all certificates compatible with the RFC 7925, IEEE 802.1AR (DevID), CNSA, RPKI, GSMA eUICC, and CA/Browser Forum Baseline Requirements profiles. When used to re-encode DER encoded X.509 certificates, the CBOR encoding can in many cases reduce the size of RFC 7925 profiled certificates with over 50%. The CBOR encoded structure can alternatively be signed directly ("natively signed"), which does not require re- encoding for the signature to be verified. The document also specifies C509 COSE headers, a C509 TLS certificate type, and a C509 file format.

Checking CBOR Encoding of Numeric Values A binary string of N bytes in size is a valid CBOR encoding of an integer value if and only if both the following conditions hold, with reference to the table below.

• The size N is one of the values specified in the "Size" column.
• The first byte of the binary string is equal to one of the byte values specified in the "First byte" column, exactly for the row having N as value of the "Size" column.

Document Updates RFC Editor: Please remove this section.

Version -02 to -03

• Clarifications on transporting EDHOC message_3 in the CoAP payload.
• At most one simultaneous outstanding interaction as an EDHOC + OSCORE request with the same server for the same session with connection identifier C_R.
• The EDHOC option is removed from the EDHOC + OSCORE request after processing the EDHOC data.
• Added explicit constraints when selecting a Recipient ID as C_X.
• Added processing steps for when Block-wise is used.
• Improved error handling on the Server.
• Improved section on Web Linking.
• Updated figures; editorial improvements.

Version -01 to -02

• New title, abstract and introduction.
• Restructured table of content.
• Alignment with latest format of EDHOC messages.
• Guideline on ID conversions based on applicability statement.
• Clarifications, extension and consistency on applicability statement.
• Section on web-linking.
• RFC8126 terminology in IANA considerations.
• Revised Appendix "Checking CBOR Encoding of Numeric Values".

Version -00 to -01

• Improved background overview of EDHOC.
• Added explicit rules for converting OSCORE Sender/Recipient IDs to EDHOC connection identifiers following the removal of bstr_identifier from EDHOC.
• Revised section organization.
• Recommended number for EDHOC option changed to 21.
• Editorial improvements.

Acknowledgments The authors sincerely thank Christian Amsuess, Esko Dijk, Klaus Hartke, Jim Schaad and Malisa Vucinic for their feedback and comments. The work on this document has been partly supported by VINNOVA and the Celtic-Next project CRITISEC; and by the H2020 project SIFIS-Home (Grant agreement 952652).