Internet-Draft | Cacheable OSCORE | July 2023 |
Amsüss & Tiloca | Expires 11 January 2024 | [Page] |
Group communication with the Constrained Application Protocol (CoAP) can be secured end-to-end using Group Object Security for Constrained RESTful Environments (Group OSCORE), also across untrusted intermediary proxies. However, this sidesteps the proxies' abilities to cache responses from the origin server(s). This specification restores cacheability of protected responses at proxies, by introducing consensus requests which any client in a group can send to one server or multiple servers in the same group.¶
This note is to be removed before publishing as an RFC.¶
Discussion of this document takes place on the CORE Working Group mailing list (core@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/core/.¶
Source for this draft and an issue tracker can be found at https://gitlab.com/chrysn/core-cachable-oscore/.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 11 January 2024.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The Constrained Application Protocol (CoAP) [RFC7252] supports also group communication, for instance over UDP and IP multicast [I-D.ietf-core-groupcomm-bis]. In a group communication environment, exchanged messages can be secured end-to-end by using Group Object Security for Constrained RESTful Environments (Group OSCORE) [I-D.ietf-core-oscore-groupcomm].¶
Requests and responses protected with the group mode of Group OSCORE can be read by all group members, i.e., not only by the intended recipient(s), thus achieving group-level confidentiality.¶
This allows a trusted intermediary proxy which is also a member of the OSCORE group to populate its cache with responses from origin servers. Later on, the proxy can possibly reply to a request in the group with a response from its cache, if recognized as an eligible server by the client.¶
However, an untrusted proxy which is not member of the OSCORE group only sees protected responses as opaque, uncacheable ciphertext. In particular, different clients in the group that originate a same plain CoAP request would send different protected requests, as a result of their Group OSCORE processing. Such protected requests cannot yield a cache hit at the proxy, which makes the whole caching of protected responses pointless.¶
This document addresses this complication and enables cacheability of protected responses, also for proxies that are not members of the OSCORE group and are unaware of OSCORE in general. To this end, it builds on the concept of "consensus request" initially considered in [I-D.ietf-core-observe-multicast-notifications], and defines "Deterministic Request" as a convenient incarnation of such concept.¶
All clients wishing to send a particular GET or FETCH request are able to deterministically compute the same protected request, using a variation on the pairwise mode of Group OSCORE. It follows that cache hits become possible at the proxy, which can thus serve clients in the group from its cache. Like in [I-D.ietf-core-observe-multicast-notifications], this requires that clients and servers are already members of a suitable OSCORE group.¶
Cacheability of protected responses is useful also in applications where several clients wish to retrieve the same object from a single server. Some security properties of OSCORE are dispensed with, in order to gain other desirable properties.¶
In order to clearly handle the protocol's security properties, and to broaden applicability to group situations outside the deterministic case, the technical implementation is split into two halves:¶
When firmware updates are delivered using CoAP, many similar devices fetch the same large data at the same time. Collecting such large data at a proxy from its cache not only keeps the traffic low, but also lets the clients ride single file to hide their numbers [SW-EPIV] and identities. By using protected Deterministic Requests as defined in this document, it is possible to efficiently perform data collection at a proxy also when the firmware updates are protected end-to-end.¶
When relying on intermediaries to fan out the delivery of multicast data protected end-to-end as in [I-D.ietf-core-observe-multicast-notifications], the use of protected Deterministic Requests as defined in this document allows for a more efficient setup, by reducing the amount of message exchanges and enabling early population of cache entries (see Appendix D).¶
When relying on Information-Centric Networking (ICN) for multiparty dissemination of cacheable content, CoAP and CoAP proxies can be used to enable asynchronous group communication. This leverages CoAP proxies performing request aggregation, as well as response replication and cacheability [ICN-paper]. By restoring cacheability of OSCORE-protected responses, the Deterministic Requests defined in this document make it possible to attain dissemination of cacheable content in ICN-based deployments, also when the content is protected end-to-end.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
Readers are expected to be familiar with terms and concepts of CoAP [RFC7252] and its method FETCH [RFC8132], group communication for CoAP [I-D.ietf-core-groupcomm-bis], COSE [RFC9052][RFC9053], OSCORE [RFC8613], and Group OSCORE [I-D.ietf-core-oscore-groupcomm].¶
This document also introduces the following new terms.¶
Consensus Request: a CoAP request that multiple clients use to repeatedly access a particular resource. In this document, it exclusively refers to requests protected with Group OSCORE to a resource hosted at one or more servers in the OSCORE group.¶
A Consensus Request has all the properties relevant to caching, but its transport dependent properties (e.g., Token or Message ID) are not defined. Thus, different requests on the wire can be said to "be the same Consensus Request" even if they have different Tokens or source addresses.¶
The Consensus Request is the reference for request-response binding. In general, a client processing a response to a Consensus Request did not generate (and thus sign) the consensus request. The client not only needs to decrypt the Consensus Request to understand a response to it (for example to tell which path was requested), but it also needs to verify that this is the only Consensus Request that could elicit this response.¶
Deterministic Client: a fictitious member of an OSCORE group, having no Sender Sequence Number, no asymmetric key pair, and no Recipient Context.¶
The Group Manager sets up the Deterministic Client, and assigns it a unique Sender ID as for other group members. Furthermore, the Deterministic Client has only the minimum common set of privileges shared by all group members.¶
Ticket Request: a Consensus Request generated by the server itself.¶
This term is not used in the main document, but is useful in comparison with other applications of Consensus Requests that are generated in a different way than as Deterministic Requests. The prototypical Ticket Request is the Phantom Request defined in [I-D.ietf-core-observe-multicast-notifications].¶
In Appendix C, the term is used to bridge the gap with that document.¶
The request-response binding of OSCORE is achieved by the items request_kid / request_piv (and, in group OSCORE, request_kid_context) that are present in both the request's and the response's AAD, and are hereafter referred to as "request_ details".¶
The security of such binding depends on the server obtaining source authentication for the request: if this precondition is not fulfilled, a malicious group member could alter a request to the server (without altering the request_ details above), and the client would still accept the response as if it were a response to its request.¶
Source authentication is thus a precondition for the secure use of OSCORE and Group OSCORE. However, it is hard to provide when:¶
This document does not [ yet? ] give full guidance on how to restore request-response binding for the general case, but currently only offers suggestions:¶
[ Suggestion for any OSCORE v2: avoid request_ details in the request's AAD as individual elements. Rather than having 'request_kid', 'request_piv' (and, in Group OSCORE, 'request_kid_context') as separate fields, they can better be something more pluggable. This would avoid the need to make up an option before processing, and would allow just plugging in the hash or request in there as replacing the elements for the request_ details. ]¶
Additional care has to be taken in ensuring that request_ details that are not expressed in the request itself are captured. For instance, these include an indication of the Security Context from which the request is assumed to have been originated.¶
Requests without source authentication have to be processed assuming only the minimal possible privilege of the requester [ which is currently described as the authorization of the Deterministic Client, and may be moved up here in later versions of this document ]. If a response is built to such a request and contains data more sensitive than that (which might be justified if the response is protected for an authorized group member in pairwise mode), special consideration for any side channels like response size or timing is required.¶
This section defines a method for clients starting from a same plain CoAP request to independently build the same, corresponding Deterministic Request protected with Group OSCORE.¶
Clients build the unprotected Deterministic Request in a way which is as much reproducible as possible. This document does not set out full guidelines for minimizing the variation, but considered starting points are:¶
Set the inner Observe option to 0 even if no observation is intended (and hence no outer Observe is set). Thus, both observing and non-observing requests can be aggregated into a single request, which is upstreamed as an observation at the latest when any observing request reaches a caching proxy.¶
In this case, following a Deterministic Request that includes only an inner Observe option, servers include an inner Observe option (but no outer Observe option) in a successful response sent as reply. Also, when receiving a response to such a Deterministic Request previously sent, clients have to silently ignore the inner Observe option in that response.¶
Outer block-wise transfer can then be used if these messages exceed a hop's efficiently usable MTU size.¶
(If BERT [RFC8323] is usable with OSCORE, its use is fine as well; in that case, the server picks a consistent block size for all clients anyway).¶
Clients should not send any inner Echo options [RFC9175] in Deterministic Requests.¶
This limits the use of the Echo option in combination with Deterministic Requests to unprotected (outer) options, and thus is limited to testing the reachability of the client. This is not practically limiting, as the use as an inner option would be to prove freshness, which is something Deterministic Requests simply cannot provide anyway.¶
These only serve to ensure that cache entries are utilized; failure to follow them has no more severe consequences than decreasing the utility and effectiveness of a cache.¶
The hard part is determining a consensus pair (key, nonce) to be used with the AEAD cipher for encrypting the plain CoAP request and obtaining the Deterministic Request as a result, while also avoiding the reuse of the same (key, nonce) pair across different requests.¶
Diversity can conceptually be enforced by applying a cryptographic hash function to the complete input of the encryption operation over the plain CoAP request (i.e., the AAD and the plaintext of the COSE object), and then using the result as source of uniqueness. Any non-malleable cryptographically secure hash of sufficient length to make collisions sufficiently unlikely is suitable for this purpose.¶
A tempting possibility is to use a fixed (group) key, and use the hash as a deterministic AEAD nonce for each Deterministic Request through the Partial IV component (see Section 5.2 of [RFC8613]). However, the 40 bit available for the Partial IV are by far insufficient to ensure that the deterministic nonce is not reused across different Deterministic Requests. Even if the full deterministic AEAD nonce could be set, the sizes used by common algorithms would still be too small.¶
As a consequence, the proposed method takes the opposite approach, by considering a fixed deterministic AEAD nonce, while deriving a different deterministic encryption key for each Deterministic Request. That is, the hash computed over the plain CoAP request is taken as input to the key derivation. As an advantage, this approach does not require to transport the computed hash in the OSCORE option.¶
[ Note: This has a further positive side effect arising with version -11 of Group OSCORE. That is, since the full encoded OSCORE option is part of the AAD, it avoids a circular dependency from feeding the AAD into the hash computation, which in turn needs crude workarounds like building the full AAD twice, or zeroing out the hash-to-be. ]¶
In order to transport the hash of the plain CoAP request, a new CoAP option is defined, which MUST be supported by clients and servers that support Deterministic Requests.¶
The option is called Request-Hash. As summarized in Figure 1, the Request-Hash option is elective, safe to forward, part of the cache key, and repeatable.¶
The Request-Hash option is identical in all its properties to the Request-Tag option defined in [RFC9175], with the following exceptions:¶
It may be arbitrarily long.¶
Implementations can limit its length to that of the longest output of the supported hash functions.¶
It may be present in responses (TBD: Does this affect any other properties?).¶
A response's Request-Hash option is, as a matter of default value, equal to the request's Request-Hash option. The response is only valid if the value of its Request-Hash option is equal to the value of the Request-Hash option in the corresponding request.¶
Servers (including proxies) thus generally SHOULD NOT need to include the Request-Hash option explicitly in responses, especially as a matter of bandwidth efficiency.¶
A reason (and, currently, the only known) to actually include a Request-Hash option in a response is the possible use of non-traditional responses as described in [I-D.bormann-core-responses], which in terms of that document are non-matching to the request (and thus easily usable). The Request-Hash option in the response allows populating caches (see below) and enables the decryption of a response sent as a reply to a Deterministic Request. In the context of non-traditional responses, the Request-Hash value of the request corresponding to a response can be inferred from the value of the Request-Hash option in the response.¶
A proxy MAY use any fresh cached response from the selected server to respond to a request with the same Request-Hash; this may save it some memory.¶
A proxy can add or remove the request's Request-Tag value to / from a response.¶
This option achieves request-response binding described in Section 2.¶
This section defines how a Deterministic Request is built on the client side and then processed on the server side.¶
The use of Deterministic Requests in an OSCORE group requires that the interested group members are aware of the Deterministic Client in the group. In particular, they need to know:¶
The Sender ID of the Deterministic Client, to be used as 'kid' parameter for the Deterministic Requests. This allows all group members to compute the Sender Key of the Deterministic Client.¶
The Sender ID of the Deterministic Client is immutable throughout the lifetime of the OSCORE group. That is, it is not relinquished and it does not change upon changes of the group keying material following a group rekeying performed by the Group Manager.¶
Group members have to obtain this information from the Group Manager. A group member can do that, for instance, when obtaining the group keying material upon joining the OSCORE group, or later on as an active member by sending a request to a dedicated resource at the Group Manager.¶
The joining process based on the Group Manager defined in [I-D.ietf-ace-key-groupcomm-oscore] can be easily extended to support the provisioning of information about the Deterministic Client. Such an extension is defined in Section 4 of this document.¶
In order to build a Deterministic Request, the client protects the plain CoAP request using the pairwise mode of Group OSCORE (see Section 9 of [I-D.ietf-core-oscore-groupcomm]), with the following alterations.¶
When preparing the OSCORE option, the external_aad, and the AEAD nonce:¶
When preparing the external_aad, the element 'sender_public_key' in the aad_array takes the empty CBOR byte string.¶
The client uses the hash function indicated for the Deterministic Client, and computes a hash H over the following input: the Sender Key of the Deterministic Client, concatenated with the external_aad from step 1, concatenated with the COSE plaintext.¶
Note that the payload of the plain CoAP request (if any) is not self-delimiting, and thus hash functions are limited to non-malleable ones.¶
The client derives the deterministic Pairwise Sender Key K as defined in Section 2.5.1 of [I-D.ietf-core-oscore-groupcomm], with the following differences:¶
The hash H from step 2 is used as second argument of the HKDF, i.e., as a pseudo IKM-Sender computable by all the group members.¶
Note that an actual IKM-Sender cannot be obtained, since there is no authentication credential (and public key included therein) associated with the Deterministic Client, to be used as Sender Authentication Credential and for computing an actual Diffie-Hellman Shared Secret.¶
The result is the Deterministic Request to be sent.¶
Since the encryption key K is derived using material from the whole plain CoAP request, this (key, nonce) pair is only used for this very message, which is deterministically encrypted unless there is a hash collision between two Deterministic Requests.¶
The deterministic encryption requires the used AEAD algorithm to be deterministic in itself. This is the case for all the AEAD algorithms currently registered with COSE in [COSE.Algorithms]. For future algorithms, a flag in the COSE registry is to be added.¶
Note that, while the process defined above is based on the pairwise mode of Group OSCORE, no information about the server takes part to the key derivation or is included in the AAD. This is intentional, since it allows for sending a Deterministic Request to multiple servers at once (see Section 3.4.5). On the other hand, it requires later checks at the client when verifying a response to a Deterministic Request (see Section 3.4.4).¶
Upon receiving a Deterministic Request, a server performs the following actions.¶
A server that does not support Deterministic Requests would not be able to create the necessary Recipient Context, and thus will fail decrypting the request.¶
The server actually recognizes the request to be a Deterministic Request, due to the presence of the Request-Hash option and to the 'kid' parameter of the OSCORE option set to the Sender ID of the Deterministic Client.¶
If the 'kid' parameter of the OSCORE option specifies a different Sender ID than the one of the Deterministic Client, the server MUST NOT take the following steps, and instead processes the request as per Section 9.4 of [I-D.ietf-core-oscore-groupcomm].¶
The server derives a Recipient Context for processing the Deterministic Request. In particular:¶
In case of successful verification, the server MUST also perform the following actions, before possibly delivering the request to the application.¶
Starting from the recovered plain CoAP request, the server MUST recompute the same hash that the client computed at step 2 of Section 3.4.2.¶
If the recomputed hash value differs from the value retrieved from the Request-Hash option at step 3, the server MUST treat the request as invalid and MAY reply with an unprotected 4.00 (Bad Request) error response. The server MAY set an Outer Max-Age option with value zero. The diagnostic payload MAY contain the string "Decryption failed".¶
This prevents an attacker that guessed a valid authentication tag for a given Request-Hash value to poison caches with incorrect responses.¶
The server MUST verify that the unprotected request is safe to be processed in the REST sense, i.e., that it has no side effects. If verification fails, the server MUST discard the message and SHOULD reply with a protected 4.01 (Unauthorized) error response.¶
Note that some CoAP implementations may not be able to prevent that an application produces side effects from a safe request. This may incur checking whether the particular resource handler is explicitly marked as eligible for processing Deterministic Requests. An implementation may also have a configured list of requests that are known to be side effect free, or even a pre-built list of valid hashes for all sensible requests for them, and reject any other request.¶
These checks replace the otherwise present requirement that the server needs to check the Replay Window of the Recipient Context (see step 5 above), which is inapplicable with the Recipient Context derived at step 4 from the value of the Request-Hash option. The reasoning is analogous to the one in [I-D.amsuess-lwig-oscore] to treat the potential replay as answerable, if the handled request is side effect free.¶
When preparing a response to a Deterministic Request, the server treats the Request-Hash option as a Class I option. The value of the Request-Hash option MUST be equal to the value of the Request-Hash option that was specified in the corresponding Deterministic Request. Since the client is aware of the Request-Hash value to expect in the response, the server usually elides the Request-Hash option from the actually transmitted response.¶
Treating the Request-Hash option as a Class I option creates the request-response binding, thus ensuring that no mismatched responses can be successfully unprotected and verified by the client (see Section 2).¶
The client MUST reject a response to a Deterministic Request, if the Request-Hash value of the response is not equal to the value that was specified in the Request-Hash option of that Deterministic Request.¶
When preparing the response, the server performs the following actions.¶
The server MUST protect the response using the group mode of Group OSCORE, as defined in Section 8.3 of [I-D.ietf-core-oscore-groupcomm]. This is required to ensure that the client can verify the source authentication of the response, since the "pairwise" key used for producing the Deterministic Request is actually shared among all the group members.¶
Note that the Request-Hash option is treated as Class I here.¶
Upon receiving the response, the client performs the following actions.¶
In case the response does not include the Request-Hash option, the client adds the Request-Hash option to the response, setting its value to the same value of the Request-Hash option that was specified in the Deterministic Request.¶
Otherwise, the client MUST reject the response if the value of the Request-Hash option is different from the value of the Request-Hash option that was specified in the Deterministic Request.¶
[ Note: This deviates from Section 4.1.3.5.2 of RFC 8613, but it is limited to a very specific situation, where the client and server both know exactly what happens. This does not affect the use of OSCORE in other situations. ]¶
A Deterministic Request can be sent to a CoAP group, e.g., over UDP and IP multicast [I-D.ietf-core-groupcomm-bis], thus targeting multiple servers at once.¶
To simplify key derivation, such a Deterministic Request is still created in the same way as a one-to-one request and still protected with the pairwise mode of Group OSCORE, as defined in Section 3.4.2.¶
Note that this deviates from Section 8 of [I-D.ietf-core-oscore-groupcomm], since the Deterministic Request in this case is indeed intended to multiple recipients, but yet it is protected with the pairwise mode. However, this is limited to a very specific situation, where the client and servers both know exactly what happens. This does not affect the use of Group OSCORE in other situations.¶
[ Note: If it was protected with the group mode, the request hash would need to be fed into a group key derivation just for this corner case. Furthermore, there would need to be a signature in spite of no authentication credential (and public key included therein) associated with the Deterministic Client. ]¶
When a server receives a request from the Deterministic Client as addressed to a CoAP group, the server proceeds as defined in Section 3.4.3, with the difference that it MUST include its own Sender ID in the response, as 'kid' parameter of the OSCORE option.¶
Although it is normally optional for the server to include its Sender ID when replying to a request protected in pairwise mode, it is required in this case for allowing the client to retrieve the Recipient Context associated with the server originating the response.¶
If a server is member of a CoAP group, and it fails to successfully decrypt and verify an incoming Deterministic Request, then it is RECOMMENDED for that server to not send back any error message, in case the server asserts that the Deterministic Request was sent to the CoAP group (e.g., to the associated IP multicast address) or in case the server is not able to assert that altogether.¶
This section extends the Joining Process defined in [I-D.ietf-ace-key-groupcomm-oscore], and based on the ACE framework for Authentication and Authorization [RFC9200]. Upon joining the OSCORE group, this enables a new group member to obtain from the Group Manager the required information about the Deterministic Client (see Section 3.4.1).¶
With reference to the 'key' parameter of the Join Response defined in Section 6.3 of [I-D.ietf-ace-key-groupcomm-oscore], the Group_OSCORE_Input_Material object specified as its value contains also the two additional parameters 'det_senderId' and 'det_hash_alg'. These are defined in Section 6.2 of this document. In particular:¶
The same extension above applies also to the 'key' parameter when included in a Key Distribution Response (see Sections 9.1.1 and 9.1.2 of [I-D.ietf-ace-key-groupcomm-oscore]) and in a Signature Verification Data Response (see Section 9.6 of [I-D.ietf-ace-key-groupcomm-oscore]).¶
The same security considerations from [RFC7252][I-D.ietf-core-groupcomm-bis][RFC8613][I-D.ietf-core-oscore-groupcomm] hold for this document.¶
The following elaborates on how, compared to Group OSCORE, Deterministic Requests dispense with some of the OSCORE security properties, by just so much as to make caching possible.¶
A Deterministic Request is intrinsically designed to be replayed, as intended to be identically sent multiple times by multiple clients to the same server(s).¶
Consistently, as per the processing defined in Section 3.4.3, a server receiving a Deterministic Request does not perform replay checks against an OSCORE Replay Window.¶
This builds on the following considerations.¶
For a given request, the level of tolerance to replay risk is specific to the resource it operates upon (and therefore only known to the origin server). In general, if processing a request does not have state-changing side effects, the consequences of replay are not significant.¶
Just like for what concerns the lack of source authentication (see below), the server must verify that the received Deterministic Request (more precisely, its handler) is side effect free. The distinct semantics of the CoAP request codes can help the server make that assessment.¶
Receiving a response to a Deterministic Request does not mean that the response was generated after the Deterministic Request was sent.¶
However, a valid response to a Deterministic Request still contains two freshness statements.¶
Source authentication of Deterministic Requests is lost.¶
Instead, the server must verify that the Deterministic Request (more precisely, its handler) is side effect free. The distinct semantics of the CoAP request codes can help the server make that assessment.¶
Just like for what concerns the acceptance of replayed Deterministic Requests (see above), the server can choose whether it will process a Deterministic Request on a per-resource basis.¶
The privacy of Deterministic Requests is limited.¶
An intermediary can determine that two Deterministic Requests from different clients are identical, and associate the different responses generated for them. A server producing responses of varying size to a Deterministic Request can use the Padding option to hide when the response is changing.¶
[ More on the verification of the Deterministic Request ]¶
Note to RFC Editor: Please replace "[RFC-XXXX]" with the RFC number of this document and delete this paragraph.¶
This document has the following actions for IANA.¶
IANA is asked to enter the following option numbers to the "CoAP Option Numbers" registry within the "Constrained RESTful Environments (CoRE) Parameters" registry group.¶
[¶
For the Request-Hash option, the number suggested to IANA is 548.¶
For the Padding option, the option number is picked to be the highest number in the Experts Review range; the high option number allows it to follow practically all other options, and thus to be set when the final unpadded message length including all options is known. Therefore, the number suggested to IANA is 64988.¶
Applications that make use of the "Experimental use" range and want to preserve that property are invited to pick the largest suitable experimental number (65532)¶
Note that unless other high options are used, this means that padding a message adds an overhead of at least 3 bytes, i.e., 1 byte for option delta/length and two more bytes of extended option delta. This is considered acceptable overhead, given that the application has already chosen to prefer the privacy gains of padding over wire transfer length.¶
]¶
IANA is asked to register the following entries in the "OSCORE Security Context Parameters" registry within the "Authentication and Authorization for Constrained Environments (ACE)" registry group.¶
Since -06:¶
Since -05:¶
Since -04:¶
Since -03:¶
Since -02:¶
Since -01:¶
Not meddling with request_kid any more.¶
Instead, Request-Hash in responses is treated as Class I, but typically elided.¶
In requests, this removes the need to compute the external_aad twice.¶
Since -00:¶
As discussed in Section 5, information can be leaked by the length of a response or, in different contexts, of a request.¶
In order to hide such information and mitigate the impact on privacy, the new CoAP option with name Padding is defined, in order to allow increasing a message's length without changing its meaning.¶
The option can be used with any CoAP transport, but is especially useful with OSCORE as that does not provide any padding of its own.¶
Before choosing to pad a message by using the Padding option, application designers should consider whether they can arrange for common message variants to have the same length by picking a suitable content representation; the canonical example here is expressing "yes" and "no" with "y" and "n", respectively.¶
As summarized in Figure 3, the Padding option is elective, safe to forward and not part of the cache key; these follow from the usage instructions. The option may be repeated, as that may be the only way to achieve a certain total length for the padded message.¶
When used with OSCORE, the Padding option is of Class E, which makes it indistinguishable from other Class E options or the payload to third parties.¶
When a server produces different responses of different length for a given class of requests but wishes to produce responses of consistent length (typically to hide the variation from anyone but the intended recipient), the server can pick a length that all possible responses can be padded to, and set the Padding option with a suitable all-zero option value in all responses to that class of requests.¶
Likewise, a client can decide on a class of requests that it pads to reach a consistent length. This has considerably less efficacy and applicability when applied to Deterministic Requests. That is: an external observer can group together different requests even if they are of the same length; and padding would hinder convergence on a single Consensus Request, thus requiring all users of the same Group OSCORE Security Context to agree on the same total length in advance.¶
Any party receiving a Padding option MUST ignore it. In particular, a server MUST NOT make its choice of padding a response dependent on any padding present in the corresponding request. A means driven by the client for coordinating response padding is out of scope for this document.¶
Proxies that see a Padding option MAY discard it.¶
Building on the concept of Phantom Requests and Informative Responses defined in [I-D.ietf-core-observe-multicast-notifications], basic caching is already possible without building a Deterministic Request.¶
The approach discussed in this appendix is not provided for application. In fact, it is efficient only when dealing with very large representations and no OSCORE inner Block-Wise mode (which is inefficient for other reasons), or when dealing with observe notifications (which are already well covered in [I-D.ietf-core-observe-multicast-notifications]).¶
Rather, it is more provided as a "mental exercise" for the authors and interested readers to bridge the gap between this document and [I-D.ietf-core-observe-multicast-notifications].¶
That is, instead of replying to a client with a regular response, a server can send an Informative Response, defined as a protected 5.03 (Service Unavailable) error message. The payload of the Informative Response contains the Phantom Request, which is a Ticket Request in the broader terminology used by this document.¶
Unlike a Deterministic Request, a Phantom Request is protected with the Group Mode of Group OSCORE. Instead of verifying a hash, the client can see from the countersignature that this was indeed the request the server is answering. The client also verifies that the request URI is identical between the original request and the Ticket Request.¶
The remaining exchange largely plays out like in [I-D.ietf-core-observe-multicast-notifications]'s "Example with a Proxy and Group OSCORE":
The client sends the Phantom Request to the proxy (but, lacking a tp_info
, without a Listen-To-Multicast-Responses option),
which forwards it to the server for lack of the option.¶
The server then produces a regular response and includes a non-zero Max-Age option as an outer CoAP option. Note that there is no point in including an inner Max-Age option, as the client could not pin it in time.¶
When a second, different client later asks for the same resource at the same server, its new request uses a different 'kid' and 'Partial IV' than the first client's. Thus, the new request produces a cache miss at the proxy and is forwarded to the server, which responds with the same Ticket Request provided to the first client. After that, when the second client sends the Ticket Request, a cache hit at the proxy will be produced, and the Ticket Request can be served from the proxy's cache.¶
When multiple proxies are in use, or the response has expired from the proxy's cache, the server receives the Ticket Request multiple times. It is a matter of perspective whether the server treats that as an acceptable replay (given that this whole mechanism only makes sense on requests free of side effects), or whether it is conceptualized as having an internal proxy where the request produces a cache hit.¶
[I-D.ietf-core-observe-multicast-notifications] defines how a CoAP server can serve all clients observing a same resource at once, by sending notifications over multicast. The approach supports the possible presence of intermediaries such as proxies, also if Group OSCORE is used to protect notifications end-to-end.¶
However, comparing the "Example with a Proxy" in Appendix E of [I-D.ietf-core-observe-multicast-notifications] and the "Example with a Proxy and Group OSCORE" in Appendix F of [I-D.ietf-core-observe-multicast-notifications] shows that, when using Group OSCORE, more requests need to hit the server. This is because every client originally protects its Observation request individually, and thus needs a custom response served to obtain the Phantom Request as a Ticket Request.¶
If the clients send their requests as the same Deterministic Request, then the server can use these requests as Ticket Requests as well. Thus, there is no need for the server to provide a same Phantom Request to each client.¶
Instead, the server can send a single, unprotected Informative Response - very much like in the example without Group OSCORE - hence setting the proxy up and optionally providing also the latest notification along the way.¶
The proxy can thus be configured by the server following the first request from the clients, after which it has an active observation and a fresh cache entry in time for the second client to arrive.¶
Is "deterministic encryption" something worthwhile to consider in COSE?¶
COSE would probably specify something more elaborate for the KDF (the current KDF round is the pairwise mode's; COSE would probably run through KDF with a KDF context structure).¶
COSE would give a header parameter name to the Request-Hash (which for the purpose of OSCORE Deterministic Requests would put back into Request-Hash by extending the option compression function across the two options).¶
Conceptually, they should align well, and the implementation changes are likely limited to how the KDF is run.¶
An unprotection failure from a mismatched hash will not be part of the ideally constant-time code paths that otherwise lead to AEAD unprotect failures. Is that a problem?¶
After all, it does tell the attacker that they did succeed in producing a valid MAC (it's just not doing it any good, because this key is only used for Deterministic Requests and thus also needs to pass the Request-Hash check).¶
We could allows clients to elide all other options than Request-Hash, and elide the payload, if it has reason to believe that it can produce a cache hit with the abbreviated request alone.¶
This may prove troublesome in terms of cache invalidation (the server would have to use short-lived responses to indicate that it does need the full request, or we'd need special handling for error responses, or criteria by which proxies don't even forward these if they don't have a response at hand).¶
That may be more trouble than it's worth without a strong use case (say, of complex but converging FETCH requests).¶
Hashes could also be used in truncated form for that.¶
The authors sincerely thank Michael Richardson, Jim Schaad, and Göran Selander for their comments and feedback.¶
The work on this document has been partly supported by VINNOVA and the Celtic-Next project CRITISEC; and by the H2020 project SIFIS-Home (Grant agreement 952652).¶