<?xmlversion='1.0' encoding='utf-8'?>version="1.0" encoding="utf-8"?> <!DOCTYPE rfc [ <!ENTITY nbsp " "> <!ENTITY zwsp "​"> <!ENTITY nbhy "‑"> <!ENTITY wj "⁠"> ]><?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> <!-- generated by https://github.com/cabo/kramdown-rfc version 1.6.39 (Ruby 3.0.2) --><rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902"docName="draft-ietf-lake-edhoc-22"docName="draft-ietf-lake-edhoc-23" number="9528" submissionType="IETF" category="std" consensus="true"submissionType="IETF"tocDepth="2" tocInclude="true" sortRefs="true" symRefs="true" updates="" obsoletes="" xml:lang="en" version="3"> <!-- xml2rfc v2v3 conversion 3.18.0 --> <front> <title abbrev="EDHOC">Ephemeral Diffie-Hellman Over COSE (EDHOC)</title> <seriesInfoname="Internet-Draft" value="draft-ietf-lake-edhoc-22"/>name="RFC" value="9528"/> <author initials="G." surname="Selander" fullname="Göran Selander"> <organization abbrev="Ericsson">Ericsson AB</organization> <address> <postal><street>SE-164 80 Stockholm</street><code>164 80</code> <city>Stockholm</city> <country>Sweden</country> </postal> <email>goran.selander@ericsson.com</email> </address> </author> <author initials="J" surname="Preuß Mattsson" fullname="John Preuß Mattsson"> <organization abbrev="Ericsson">Ericsson AB</organization> <address> <postal><street>SE-164<code>164 80Stockholm</street></code> <city>Stockholm</city> <country>Sweden</country> </postal> <email>john.mattsson@ericsson.com</email> </address> </author> <author initials="F." surname="Palombini" fullname="Francesca Palombini"> <organization abbrev="Ericsson">Ericsson AB</organization> <address> <postal><street>SE-164<code>164 80Stockholm</street></code> <city>Stockholm</city> <country>Sweden</country> </postal> <email>francesca.palombini@ericsson.com</email> </address> </author> <dateyear="2023" month="August" day="25"/> <area>SEC</area> <workgroup>LAKE Working Group</workgroup>year="2024" month="March"/> <area>sec</area> <workgroup>lake</workgroup> <keyword>AKE</keyword> <keyword>LAKE</keyword> <keyword>COSE</keyword> <keyword>OSCORE</keyword> <keyword>lightweight authenticated key exchange</keyword> <keyword>constrained node networks</keyword> <keyword>IoT security</keyword> <abstract><?line 278?><t>This document specifies Ephemeral Diffie-Hellman Over COSE (EDHOC), a very compact and lightweight authenticated Diffie-Hellman (DH) key exchange with ephemeral keys. EDHOC provides mutual authentication, forward secrecy, and identity protection. EDHOC is intended for usage in constrainedscenariosscenarios, and a main use case is to establish anOSCOREObject Security for Constrained RESTful Environments (OSCORE) security context. By reusingCOSECBOR Object Signing and Encryption (COSE) for cryptography,CBORConcise Binary Object Representation (CBOR) for encoding, andCoAPConstrained Application Protocol (CoAP) for transport, the additional code size can be kept very low.</t> </abstract> </front> <middle> <?line 282?> <section anchor="introduction"> <name>Introduction</name> <section anchor="motivation"> <name>Motivation</name> <t>Many Internet of Things (IoT) deployments require technologieswhichthat are highly performant in constrained environments <xref target="RFC7228"/>. IoT devices may be constrained in various ways, including memory, storage, processing capacity, and power. The connectivity for these settings may also exhibitconstraintsconstraints, such as unreliable and lossy channels, highly restricted bandwidth, and dynamic topology. The IETF has acknowledged this problem by standardizing a range of lightweight protocols and enablers designed for the IoT, including theConstrained Application Protocol (CoAP,CoAP <xreftarget="RFC7252"/>), Concise Binary Object Representation (CBOR,target="RFC7252"/>, CBOR <xreftarget="RFC8949"/>),target="RFC8949"/>, and Static Context Header Compression(SCHC,(SCHC) <xreftarget="RFC8724"/>).</t>target="RFC8724"/>.</t> <t>The need for special protocols targeting constrained IoT deployments extends also to the security domain <xref target="I-D.ietf-lake-reqs"/>. Important characteristics in constrained environments are the number of round trips and protocol message sizes, whichif(if keptlowlow) can contribute to good performance by enabling transport over a small number of radio frames, reducing latency due tofragmentation orfragmentation, duty cycles, etc. Another important criterion is code size, which may be prohibitively large for certain deployments due to device capabilities or network load during firmwareupdate.updates. Some IoT deployments also need to support a variety of underlying transport technologies, potentially even with a single connection.</t> <t>Some security solutions for such settings exist already.CBOR Object Signing and Encryption (COSE,COSE <xreftarget="RFC9052"/>)target="RFC9052"/> specifies basic application-layer security services efficiently encoded in CBOR. Another example isObject Security for Constrained RESTful Environments (OSCORE,OSCORE <xreftarget="RFC8613"/>)target="RFC8613"/>, which is a lightweight communication security extension to CoAP using CBOR and COSE. In order to establish good quality cryptographic keys for security protocols such as COSE and OSCORE, the two endpoints may run an authenticated Diffie-Hellman key exchange protocol, from which shared secret keying material can be derived. Such a key exchange protocol should also belightweight;lightweight to prevent bad performance in case of repeated use, e.g., due to device rebooting or frequent rekeying for securityreasons;reasons or to avoid latencies in a network formation setting with many devices authenticating at the same time.</t> <t>This document specifies Ephemeral Diffie-Hellman Over COSE (EDHOC), a lightweight authenticated key exchange protocol providing good security properties including forward secrecy, identity protection, and cipher suite negotiation. Authentication can be based on raw public keys(RPK)(RPKs) or public key certificates and requires the application to provide input on how to verify that endpoints are trusted. This specification supports the referencing of credentials in order to reduce message overhead, but credentials may alternatively be embedded in the messages. EDHOC does not currently supportpre-shared keyPre-Shared Key (PSK) authentication as authentication with static Diffie-Hellman public keys by reference produces equally small message sizes but with much simpler key distribution and identity protection.</t> <t>EDHOC makes use of known protocol constructions, such asSIGMASIGn-and-MAc <xref target="SIGMA"/>, the Noise XX pattern <xref target="Noise"/>, and Extract-and-Expand <xref target="RFC5869"/>. EDHOC uses COSE for cryptography and identification of credentials (including COSE_Key, CBOR Web Token (CWT), CWT Claims Set (CCS), X.509, andCBOR encodedCBOR-encoded X.509 (C509)certificates,certificates; see <xref target="auth-cred"/>). COSE provides crypto agility and enables the use of future algorithms and credential types targeting IoT.</t> <t>EDHOC is designed for highly constrainedsettingssettings, making it especially suitable for low-power networks <xref target="RFC8376"/> such as Cellular IoT,6TiSCH,IPv6 over the TSCH mode of IEEE 802.15.4e (6TiSCH), and LoRaWAN. A main objective for EDHOC is to be a lightweight authenticated key exchange for OSCORE, i.e., to provide authentication and session key establishment for IoT use cases such as those built on CoAP <xref target="RFC7252"/> involving 'things' with embedded microcontrollers, sensors, and actuators. By reusing the same lightweight primitives as OSCORE (CBOR, COSE,CoAP)and CoAP), the additional code size can be kept very low. Note that while CBOR and COSE primitives are built into the protocol messages, EDHOC is not bound to a particular transport.</t> <t>A typical setting is when one of the endpoints is constrained or in a constrainednetwork,network and the other endpoint is a node on the Internet (such as a mobile phone). Thing-to-thing interactions over constrained networks are also relevant since both endpoints would then benefit from the lightweight properties of the protocol. EDHOC could, e.g., be run when a device connects for the firsttime,time or to establish fresh keyswhichthat are not revealed by a later compromise of the long-term keys.</t> </section> <section anchor="message-size-examples"> <name>Message Size Examples</name> <t>Examples of EDHOC message sizes are shown in <xreftarget="fig-sizes"/>, usingtarget="tab-sizes"/>, which use different kinds of authentication keys and COSE header parameters foridentification:identification, i.e., static Diffie-Hellman keys or signature keys, either inCBOR Web Token (CWT) / CWT Claims Set (CCS)CWT/CCS <xref target="RFC8392"/> identified by a key identifier using 'kid' <xreftarget="RFC9052"/>,target="RFC9052"/> or in X.509 certificates identified by a hash value using 'x5t' <xref target="RFC9360"/>. EDHOC always uses ephemeral-ephemeral key exchange. As a comparison, in the case of RPKauthentication,authentication and when transferred in CoAP, the EDHOC message sizewhen transferred in CoAPcan be less than 1/7 of the DTLS 1.3 handshake <xref target="RFC9147"/> withECDHEEphemeral Elliptic Curve Diffie-Hellman (ECDHE) and connectionID,ID; see <xref section="2" sectionFormat="of" target="I-D.ietf-iotops-security-protocol-comparison"/>.</t><figure anchor="fig-sizes"><table anchor="tab-sizes"> <name>Examples of EDHOCmessage sizesMessage Sizes inbytes.</name> <artset> <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="208" width="472" viewBox="0 0 472 208" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <path d="M 8,32 L 464,32" fill="none" stroke="black"/> <path d="M 168,64 L 288,64" fill="none" stroke="black"/> <path d="M 344,64 L 464,64" fill="none" stroke="black"/> <path d="M 8,96 L 464,96" fill="none" stroke="black"/> <path d="M 8,160 L 464,160" fill="none" stroke="black"/> <path d="M 8,192 L 464,192" fill="none" stroke="black"/> <g class="text"> <text x="196" y="52">Static</text> <text x="236" y="52">DH</text> <text x="268" y="52">Keys</text> <text x="384" y="52">Signature</text> <text x="444" y="52">Keys</text> <text x="184" y="84">kid</text> <text x="272" y="84">x5t</text> <text x="360" y="84">kid</text> <text x="448" y="84">x5t</text> <text x="48" y="116">message_1</text> <text x="188" y="116">37</text> <text x="276" y="116">37</text> <text x="364" y="116">37</text> <text x="452" y="116">37</text> <text x="48" y="132">message_2</text> <text x="188" y="132">45</text> <text x="276" y="132">58</text> <text x="360" y="132">102</text> <text x="448" y="132">115</text> <text x="48" y="148">message_3</text> <text x="188" y="148">19</text> <text x="276" y="148">33</text> <text x="364" y="148">77</text> <text x="452" y="148">90</text> <text x="32" y="180">Total</text> <text x="184" y="180">101</text> <text x="272" y="180">128</text> <text x="360" y="180">216</text> <text x="448" y="180">242</text> </g> </svg> </artwork> <artwork type="ascii-art" align="center"><![CDATA[ ---------------------------------------------------------- StaticBytes</name> <thead> <tr> <th></th> <th colspan="2">Static DHKeys Signature Keys ---------------- ---------------- kid x5t kid x5t ---------------------------------------------------------- message_1 37 37 37 37 message_2 45 58 102 115 message_3 19 33 77 90 ---------------------------------------------------------- Total 101 128 216 242 ---------------------------------------------------------- ]]></artwork> </artset> </figure>Keys</th> <th colspan="2">Signature Keys</th> </tr> <tr> <th></th> <th align="right">kid</th> <th align="right">x5t</th> <th align="right">kid</th> <th align="right">x5t</th> </tr> </thead> <tbody> <tr> <td>message_1</td> <td align="right">37</td> <td align="right">37</td> <td align="right">37</td> <td align="right">37</td> </tr> <tr> <td>message_2</td> <td align="right">45</td> <td align="right">58</td> <td align="right">102</td> <td align="right">115</td> </tr> <tr> <td>message_3</td> <td align="right">19</td> <td align="right">33</td> <td align="right">77</td> <td align="right">90</td> </tr> <tr> <td>Total</td> <td align="right">101</td> <td align="right">128</td> <td align="right">216</td> <td align="right">242</td> </tr> </tbody> </table> </section> <section anchor="document-structure"> <name>Document Structure</name> <t>The remainder of the document is organized as follows: <xref target="background"/> outlines EDHOC authenticated with signaturekeys,keys; <xref target="overview"/> describes the protocol elements of EDHOC, including formatting of the ephemeral publickeys,keys; <xref target="key-der"/> specifies the keyderivation,derivation; <xref target="asym"/> specifies message processing for EDHOC authenticated with signature keys or static Diffie-Hellmankeys,keys; <xref target="error"/> describes the errormessages,messages; <xref target="duplication"/> describes EDHOC support for transport that does not handle messageduplication,duplication; and <xref target="mti"/> lists compliance requirements. Note that normative text is also used in appendices, in particular <xref target="transfer"/>.</t> </section> <section anchor="term"> <name>Terminology and Requirements Language</name><t>The<t> The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY","<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here.<?line -6?></t> <t>Readers are expected to be familiar with the terms and concepts described in CBOR <xref target="RFC8949"/>, CBOR Sequences <xref target="RFC8742"/>, COSEstructuresStructures andprocessingProcessing <xref target="RFC9052"/>, COSEalgorithmsAlgorithms <xref target="RFC9053"/>, CWT andCWT Claims SetCCS <xref target="RFC8392"/>, and the Concise Data Definition Language(CDDL,(CDDL) <xreftarget="RFC8610"/>),target="RFC8610"/>, which is used to express CBOR data structures. Examples of CBOR and CDDL are provided in <xref target="CBOR"/>. When referring to CBOR, this specification always refers to Deterministically EncodedCBORCBOR, as specified in Sections4.2.1<xref target="RFC8949" section="4.2.1" sectionFormat="bare"/> and4.2.2<xref target="RFC8949" section="4.2.2" sectionFormat="bare"/> of <xref target="RFC8949"/>. The single output from authenticated encryption (including the authentication tag) is called "ciphertext", following <xref target="RFC5116"/>.</t> </section> </section> <section anchor="background"> <name>EDHOC Outline</name> <t>EDHOC specifies different authentication methods of the ephemeral-ephemeral Diffie-Hellman keyexchange:exchange, i.e., signature keys and static Diffie-Hellman keys. This section outlines thesignature key basedsignature-key-based method. Further details of protocol elements and other authentication methods are provided in the remainder of this document.</t><t>SIGMA (SIGn-and-MAc)<t>SIGn-and-MAc (SIGMA) is a family of theoretical protocols with alargenumber of variants <xref target="SIGMA"/>. Like inIKEv2Internet Key Exchange Protocol Version 2 (IKEv2) <xref target="RFC7296"/> and (D)TLS 1.3 <xreftarget="RFC8446"/><xreftarget="RFC8446"/> <xref target="RFC9147"/>, EDHOC authenticated with signature keys is built on a variant of the SIGMA protocol, SIGMA-I, which provides identity protection against active attacks on the party initiating the protocol. Also like IKEv2, EDHOC implements the MAC-then-Sign variant of the SIGMA-I protocol. The message flow (excluding an optional fourth message) is shown in <xref target="fig-sigma"/>.</t> <figure anchor="fig-sigma"> <name>MAC-then-SignvariantVariant of the SIGMA-Iprotocol usedProtocol Used by the EDHOCmethod 0.</name>Method 0</name> <artset> <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1"height="192" width="560"height="" width="" viewBox="0 0 560 192" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <path d="M 8,48 L 8,176" fill="none" stroke="black"/> <path d="M 552,48 L 552,176" fill="none" stroke="black"/> <path d="M 8,64 L 544,64" fill="none" stroke="black"/> <path d="M 16,112 L 552,112" fill="none" stroke="black"/> <path d="M 8,160 L 544,160" fill="none" stroke="black"/> <polygon class="arrowhead" points="552,160 540,154.4 540,165.6" fill="black" transform="rotate(0,544,160)"/> <polygon class="arrowhead" points="552,64 540,58.4 540,69.6" fill="black" transform="rotate(0,544,64)"/> <polygon class="arrowhead" points="24,112 12,106.4 12,117.6" fill="black" transform="rotate(180,16,112)"/> <g class="text"> <text x="40" y="36">Initiator</text> <text x="520" y="36">Responder</text> <text x="280" y="52">G_X</text> <text x="76" y="100">G_Y,</text> <text x="116" y="100">Enc(</text> <text x="180" y="100">ID_CRED_R,</text> <text x="244" y="100">Sig(</text> <text x="276" y="100">R;</text> <text x="308" y="100">MAC(</text> <text x="360" y="100">CRED_R,</text> <text x="412" y="100">G_X,</text> <text x="448" y="100">G_Y</text> <text x="472" y="100">)</text> <text x="488" y="100">)</text> <text x="504" y="100">)</text> <text x="96" y="148">AEAD(</text> <text x="164" y="148">ID_CRED_I,</text> <text x="228" y="148">Sig(</text> <text x="260" y="148">I;</text> <text x="292" y="148">MAC(</text> <text x="344" y="148">CRED_I,</text> <text x="396" y="148">G_Y,</text> <text x="432" y="148">G_X</text> <text x="456" y="148">)</text> <text x="472" y="148">)</text> <text x="488" y="148">)</text> </g> </svg> </artwork> <artwork type="ascii-art" align="center"><![CDATA[ Initiator Responder | G_X | +------------------------------------------------------------------>| | | | G_Y, Enc( ID_CRED_R, Sig( R; MAC( CRED_R, G_X, G_Y ) ) ) | |<------------------------------------------------------------------+ | | | AEAD( ID_CRED_I, Sig( I; MAC( CRED_I, G_Y, G_X ) ) ) | +------------------------------------------------------------------>| | | ]]></artwork> </artset> </figure> <t>The parties exchanging messages in an EDHOC session are called the Initiator (I) and the Responder (R), where the Initiator sends message_1 (see <xref target="overview"/>). They exchange ephemeral public keys, compute a shared secret session key PRK_out, and derive symmetric application keys used to protect application data.</t> <ul spacing="normal"> <li>G_X and G_Y are theECDHElliptic Curve Diffie-Hellman (ECDH) ephemeral public keys of I and R, respectively.</li> <li>CRED_I and CRED_R are the authentication credentials containing the public authentication keys of I and R, respectively.</li> <li>ID_CRED_I and ID_CRED_R are used to identify and optionally transport the credentials ofthe InitiatorI andthe Responder,R, respectively.</li> <li>Sig(I; . ) and Sig(R; . ) denote signatures made with the private authentication key of I and R, respectively.</li> <li>Enc(), AEAD(), and MAC()denotesdenote encryption,authenticated encryptionAuthenticated Encryption withadditional data,Associated Data, andmessage authentication code -Message Authentication Code -- crypto algorithms applied with keys derived from one or more shared secrets calculated during the protocol.</li> </ul> <t>In order to create a "full-fledged"protocolprotocol, some additional protocol elements are needed. EDHOC adds:</t> <ul spacing="normal"><li>Transcript<li>transcript hashes (hashes of messagedata)data), TH_2, TH_3,TH_4and TH_4, used for key derivation and as additional authenticateddata.</li> <li>Computationallydata,</li> <li>computationally independent keys derived from the ECDH shared secret and used for authenticated encryption of differentmessages.</li> <li>Anmessages,</li> <li>an optional fourth message giving key confirmation to I in deployments where no protected application data is sent from R toI.</li> <li>AI,</li> <li>a keying material exporter and a key update function with forwardsecrecy.</li> <li>Securesecrecy,</li> <li>secure negotiation of the ciphersuite.</li> <li>Methodsuite,</li> <li>method types, error handling, andpadding.</li> <li>Selectionpadding,</li> <li>a selection of connectionidentifiersidentifiers, C_I andC_RC_R, which may be used in EDHOC to identify the protocolstate.</li> <li>Transportstate, and</li> <li>transport of external authorization data.</li> </ul> <t>EDHOC is designed to encrypt and integrity protect as much information as possible. Symmetric keys and random material used in EDHOC are derived using EDHOC_KDF with as much previous information aspossible,possible; see <xref target="fig-edhoc-kdf"/>. EDHOC is furthermore designed to be as compact and lightweight as possible, in terms of message sizes, processing, and the ability to reuse already existing CBOR, COSE, and CoAP libraries. Like in (D)TLS, authentication is the responsibility of the application. EDHOC identifies (and optionally transports) authenticationcredentials,credentials and provides proof-of-possession of the private authentication key.</t> <t>To simplify for implementors, the use of CBOR and COSE in EDHOC is summarized in <xref target="CBORandCOSE"/>. Testvectorsvectors, including CBOR diagnosticnotationnotation, are provided in <xreftarget="I-D.ietf-lake-traces"/>.</t>target="RFC9529"/>.</t> </section> <section anchor="overview"> <name>Protocol Elements</name> <section anchor="general"> <name>General</name> <t>The EDHOC protocol consists of three mandatory messages (message_1, message_2, and message_3), an optional fourth message (message_4), and an error message, between an Initiator (I) and a Responder (R). The odd messages are sent by I, the even by R. Both I and R can send error messages. The roles have slightly different security propertieswhichthat should be considered when the roles areassigned,assigned; see <xref target="sec-prop"/>. All EDHOC messages are CBOR Sequences <xreftarget="RFC8742"/>,target="RFC8742"/> and are defined to be deterministicallyencoded.encoded CBOR as specified in <xref target="RFC8949" sectionFormat="of" section="4.2.1"/>. <xref target="fig-flow"/> illustrates an EDHOC message flow with the optional fourth message as well as the content of each message. The protocol elements in the figure are introduced in Sections <xreftarget="overview"/>target="overview" format="counter"/> and <xreftarget="asym"/>.target="asym" format="counter"/>. Message formatting and processing are specified in Sections <xreftarget="asym"/>target="asym" format="counter"/> and <xreftarget="error"/>.</t>target="error" format="counter"/>.</t> <t>Application data may be protected using the agreed application algorithms (AEAD, hash) in the selected cipher suite (see <xreftarget="cs"/>)target="cs"/>), and the application can make use of the established connection identifiers C_I and C_R (see <xref target="ci"/>). Media types that may be used for EDHOC are defined in <xref target="media-type"/>.</t> <t>The Initiator can derive symmetric application keys after creating EDHOCmessage_3,message_3; see <xref target="exporter"/>. Protected application data can therefore be sent in parallel or together with EDHOC message_3. EDHOC message_4 is typically not sent.</t> <figure anchor="fig-flow"> <name>EDHOCmessage flow includingMessage Flow Including theoptional fourth message.</name>Optional Fourth Message</name> <artset> <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1"height="288" width="560"height="" width="" viewBox="0 0 560 288" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <path d="M 8,48 L 8,272" fill="none" stroke="black"/> <path d="M 552,48 L 552,272" fill="none" stroke="black"/> <path d="M 8,64 L 544,64" fill="none" stroke="black"/> <path d="M 16,128 L 552,128" fill="none" stroke="black"/> <path d="M 8,192 L 544,192" fill="none" stroke="black"/> <polygon class="arrowhead" points="552,192 540,186.4 540,197.6" fill="black" transform="rotate(0,544,192)"/> <polygon class="arrowhead" points="552,64 540,58.4 540,69.6" fill="black" transform="rotate(0,544,64)"/> <polygon class="arrowhead" points="24,128 12,122.4 12,133.6" fill="black" transform="rotate(180,16,128)"/> <g class="text"> <text x="40" y="36">Initiator</text> <text x="520" y="36">Responder</text> <text x="176" y="52">METHOD,</text> <text x="248" y="52">SUITES_I,</text> <text x="308" y="52">G_X,</text> <text x="348" y="52">C_I,</text> <text x="392" y="52">EAD_1</text> <text x="280" y="84">message_1</text> <text x="84" y="116">G_Y,</text> <text x="124" y="116">Enc(</text> <text x="164" y="116">C_R,</text> <text x="228" y="116">ID_CRED_R,</text> <text x="352" y="116">Signature_or_MAC_2,</text> <text x="456" y="116">EAD_2</text> <text x="488" y="116">)</text> <text x="280" y="148">message_2</text> <text x="128" y="180">AEAD(</text> <text x="196" y="180">ID_CRED_I,</text> <text x="320" y="180">Signature_or_MAC_3,</text> <text x="424" y="180">EAD_3</text> <text x="456" y="180">)</text> <text x="280" y="212">message_3</text> <text x="248" y="244">AEAD(</text> <text x="296" y="244">EAD_4</text> <text x="328" y="244">)</text> <text x="20" y="260"><-</text> <text x="40" y="260">-</text> <text x="56" y="260">-</text> <text x="72" y="260">-</text> <text x="88" y="260">-</text> <text x="104" y="260">-</text> <text x="120" y="260">-</text> <text x="136" y="260">-</text> <text x="152" y="260">-</text> <text x="168" y="260">-</text> <text x="184" y="260">-</text> <text x="200" y="260">-</text> <text x="216" y="260">-</text> <text x="232" y="260">-</text> <text x="248" y="260">-</text> <text x="264" y="260">-</text> <text x="280" y="260">-</text> <text x="296" y="260">-</text> <text x="312" y="260">-</text> <text x="328" y="260">-</text> <text x="344" y="260">-</text> <text x="360" y="260">-</text> <text x="376" y="260">-</text> <text x="392" y="260">-</text> <text x="408" y="260">-</text> <text x="424" y="260">-</text> <text x="440" y="260">-</text> <text x="456" y="260">-</text> <text x="472" y="260">-</text> <text x="488" y="260">-</text> <text x="504" y="260">-</text> <text x="520" y="260">-</text> <text x="536" y="260">-</text> <text x="280" y="276">message_4</text> </g> </svg> </artwork> <artwork type="ascii-art" align="center"><![CDATA[ Initiator Responder | METHOD, SUITES_I, G_X, C_I, EAD_1 | +------------------------------------------------------------------>| | message_1 | | | | G_Y, Enc( C_R, ID_CRED_R, Signature_or_MAC_2, EAD_2 ) | |<------------------------------------------------------------------+ | message_2 | | | | AEAD( ID_CRED_I, Signature_or_MAC_3, EAD_3 ) | +------------------------------------------------------------------>| | message_3 | | | | AEAD( EAD_4 ) | |<- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + | message_4 | ]]></artwork> </artset> </figure> </section> <section anchor="method"> <name>Method</name> <t>The data item METHOD in message_1 (see <xreftarget="asym-msg1-form"/>),target="asym-msg1-form"/>) is an integer specifying the authentication method. EDHOC supports authentication with signature or static Diffie-Hellman keys, as defined in the four authentication methods: 0, 1, 2, and3,3; see <xreftarget="fig-method-types"/>.target="tab-method-types"/>. When using a static Diffie-Hellmankeykey, the authentication is provided by a Message Authentication Code (MAC) computed from an ephemeral-static ECDH shared secretwhichthat enables significant reductions in message sizes. Notethatthat, also in the staticDiffie-Hellman basedDiffie-Hellman-based authenticationmethodsmethods, there is an ephemeral-ephemeral Diffie-Hellman key exchange.</t> <t>The Initiator andtheResponder need to have agreed on a single method to be used forEDHOC,EDHOC; see <xref target="applicability"/>.</t><figure anchor="fig-method-types"><table anchor="tab-method-types"> <name>AuthenticationkeysKeys formethod types.</name> <artset> <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="176" width="464" viewBox="0 0 464 176" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <path d="M 8,32 L 8,160" fill="none" stroke="black"/> <path d="M 120,32 L 120,160" fill="none" stroke="black"/> <path d="M 288,32 L 288,160" fill="none" stroke="black"/> <path d="M 456,32 L 456,160" fill="none" stroke="black"/> <path d="M 8,32 L 456,32" fill="none" stroke="black"/> <path d="M 8,78 L 456,78" fill="none" stroke="black"/> <path d="M 8,82 L 456,82" fill="none" stroke="black"/> <path d="M 8,160 L 456,160" fill="none" stroke="black"/> <g class="text"> <text x="44" y="52">Method</text> <text x="92" y="52">Type</text> <text x="168" y="52">Initiator</text> <text x="336" y="52">Responder</text> <text x="88" y="68">Value</text> <text x="188" y="68">Authentication</text> <text x="264" y="68">Key</text> <text x="356" y="68">Authentication</text> <text x="432" y="68">Key</text> <text x="104" y="100">0</text> <text x="168" y="100">Signature</text> <text x="224" y="100">Key</text> <text x="336" y="100">Signature</text> <text x="392" y="100">Key</text> <text x="104" y="116">1</text> <text x="168" y="116">Signature</text> <text x="224" y="116">Key</text> <text x="324" y="116">Static</text> <text x="364" y="116">DH</text> <text x="392" y="116">Key</text> <text x="104" y="132">2</text> <text x="156" y="132">Static</text> <text x="196" y="132">DH</text> <text x="224" y="132">Key</text> <text x="336" y="132">Signature</text> <text x="392" y="132">Key</text> <text x="104" y="148">3</text> <text x="156" y="148">Static</text> <text x="196" y="148">DH</text> <text x="224" y="148">Key</text> <text x="324" y="148">Static</text> <text x="364" y="148">DH</text> <text x="392" y="148">Key</text> </g> </svg> </artwork> <artwork type="ascii-art" align="center"><![CDATA[ +-------------+--------------------+--------------------+ |Method Types</name> <thead> <tr> <th>Method Type| Initiator | Responder | | Value |Value</th> <th>Initiator AuthenticationKey |Key</th> <th>Responder AuthenticationKey | +=============+====================+====================+ | 0 | Signature Key | Signature Key | | 1 | Signature Key | StaticKey</th> </tr> </thead> <tbody> <tr> <td align="right">0</td> <td>Signature Key</td> <td>Signature Key</td> </tr> <tr> <td align="right">1</td> <td>Signature Key</td> <td>Static DHKey | | 2 | StaticKey</td> </tr> <tr> <td align="right">2</td> <td>Static DHKey | Signature Key | | 3 | StaticKey</td> <td>Signature Key</td> </tr> <tr> <td align="right">3</td> <td>Static DHKey | StaticKey</td> <td>Static DHKey | +-------------+--------------------+--------------------+ ]]></artwork> </artset> </figure>Key</td> </tr> <tr> <td align="right">23</td> <td>Reserved</td> <td>Reserved</td> </tr> </tbody> </table> <t>EDHOC does not have a dedicated message field to indicate the protocol version. Breaking changes to EDHOC can be introduced by specifying and registering new methods.</t> </section> <section anchor="ci"> <name>Connection Identifiers</name> <t>EDHOC includes the selection of connection identifiers(C_I,(C_I and C_R) identifying a connection for which keys are agreed.</t> <t>Connection identifiers may be used to correlate EDHOC messages and facilitate the retrieval of protocol state during an EDHOC session (see <xreftarget="transport"/>),target="transport"/>) or may be used in applications of EDHOC, e.g., in OSCORE (see <xref target="ci-oscore"/>). The connection identifiers do not have any cryptographic purpose in EDHOC and only facilitate the retrieval of security data associated with the protocol state.</t> <t>Connection identifiers in EDHOC are intrinsically byte strings. Most constrained devices only have a few connections for which short identifiers may be sufficient. In somecasescases, minimum length identifiers are necessary to comply with overhead requirements. However, CBOR byte strings--- with the exception of the empty byte stringh’’h'', which encodes as one byte (0x40)--- are encoded as two or more bytes. To enable one-byte encoding of certain byte strings while maintaining CBOR encoding, EDHOC represents certain identifiers as CBOR integers on thewire,wire; see <xref target="bstr-repr"/>.</t> <section anchor="selection-of-connection-identifiers"> <name>Selection of Connection Identifiers</name> <t>C_I and C_R are chosen by I and R, respectively. The Initiator selects C_I and sends it in message_1 for the Responder to use as a reference to the connection incommunicationcommunications with the Initiator. The Responder selects C_R and sends it in message_2 for the Initiator to use as a reference to the connection in communications with the Responder.</t> <t>If connection identifiers are used by an application protocol for which EDHOC establisheskeyskeys, then the selected connection identifiersSHALL<bcp14>SHALL</bcp14> adhere to the requirements for thatprotocol,protocol; see <xref target="ci-oscore"/> for an example.</t> </section> <section anchor="bstr-repr"> <name>Representation of Byte String Identifiers</name> <t>To allow identifiers with minimal overhead on the wire, certain byte strings used in connection identifiers and credential identifiers (see <xref target="id_cred"/>) are defined to have integer representations.</t> <t>The integers with one-byte CBOR encoding are -24, ...,23,23; see <xref target="fig-int-one-byte"/>.</t> <figure anchor="fig-int-one-byte"><name>One-byte CBOR encoded integers.</name><name>One-Byte CBOR-Encoded Integers</name> <artwork align="center"><![CDATA[ Integer: -24 -23 ... -11 ... -2 -1 0 1 ... 15 ... 23 Encoding: 37 36 ... 2A ... 21 20 00 01 ... 0F ... 17 ]]></artwork> </figure> <t>The byte stringswhichthat coincide with a one-byte CBOR encoding of an integerMUST<bcp14>MUST</bcp14> be represented by the CBOR encoding of that integer. Other byte strings are simply encoded as CBOR byte strings.</t> <t>For example:</t> <ul spacing="normal"> <li>0x21 is represented by 0x21 (CBOR encoding of the integer -2), not by 0x4121 (CBOR encoding of the byte string 0x21).</li> <li>0x0D is represented by 0x0D (CBOR encoding of the integer 13), not by 0x410D (CBOR encoding of the byte string 0x0D).</li> <li>0x18 is represented by 0x4118 (CBOR encoding of the byte string 0x18).</li> <li>0x38 is represented by 0x4138 (CBOR encoding of the byte string 0x38).</li> <li>0xABCD is represented by 0x42ABCD (CBOR encoding of the byte string 0xABCD).</li> </ul> <t>One may view this representation of byte strings as a transportencoding:encoding, i.e., a byte stringwhichthat parses as the one-byte CBOR encoding of an integer (i.e., integer in the interval -24, ..., 23) is just copied directly into the message, and a byte stringwhichthat does not is encoded as a CBOR byte string during transport.</t><t>Implementation<aside><t>Implementation Note: When implementing the byte string identifier representation,it canin some programminglanguageslanguages, it can help to define a newtype,type or other data structure, which (in itsuser facinguser-facing API) behaves like a bytestring,string but when serializing to CBOR produces a CBOR byte string or a CBOR integer depending on itsvalue.</t>value.</t></aside> </section> <section anchor="ci-oscore"> <name>Use of Connection Identifiers with OSCORE</name> <t>For OSCORE, the choice of connection identifier results in the endpoint selecting its RecipientID, see Section 3.1 ofID (see <xreftarget="RFC8613"/>,target="RFC8613" section="3.1" sectionFormat="of"/>) for which certain uniqueness requirementsapply, see Section 3.3 ofapply (see <xreftarget="RFC8613"/>.target="RFC8613" section="3.3" sectionFormat="of"/>). Therefore, the Initiator andtheResponderMUST NOT<bcp14>MUST NOT</bcp14> select connection identifiers such that it results in the same OSCORE Recipient ID. Since the connection identifier is a byte string, it is converted to an OSCORE Recipient ID equal to the byte string.</t> <t>Examples:</t> <ul spacing="normal"> <li>A connection identifier 0xFF (represented in the EDHOC message as0x41FF,0x41FF; see <xref target="bstr-repr"/>) is converted to the OSCORE Recipient ID 0xFF.</li> <li>A connection identifier 0x21 (represented in the EDHOC message as0x21,0x21; see <xref target="bstr-repr"/>) is converted to the OSCORE Recipient ID 0x21.</li> </ul> </section> </section> <section anchor="transport"> <name>Transport</name> <t>Cryptographically, EDHOC does not put requirements on the underlying layers. Received messages are processed as the expected next message according to the protocolstate,state; see <xref target="asym"/>. If processing fails for anyreason then, typically,reason, then typically an error message is attempted to be sent and the EDHOC session is aborted.</t> <t>EDHOC is not bound to a particular transport layer and can even be used in environments without IP. Ultimately, the application is free to choose how to transport EDHOC messages including errors. In order to avoid unnecessary message processing or protocol termination, it isRECOMMENDED<bcp14>RECOMMENDED</bcp14> to use reliable transport, such as CoAP in reliable mode, which is the defaulttransport,transport; see <xref target="coap"/>. In general, the transportSHOULD<bcp14>SHOULD</bcp14> handle:</t> <ul spacing="normal"> <li>message loss,</li> <li>messageduplication, seeduplication (see <xref target="duplication"/> for analternative,</li>alternative),</li> <li>flow control,</li> <li>congestion control,</li> <li>fragmentation and reassembly,</li> <li>demultiplexing EDHOC messages from other types of messages,</li> <li>denial-of-servicemitigation,</li>mitigation, and</li> <li>messagecorrelation, seecorrelation (see <xreftarget="ci-edhoc"/>.</li>target="ci-edhoc"/>).</li> </ul> <t>EDHOC does not requireerror freeerror-free transport since a change in message content is detected through the transcript hashes in a subsequent integrityverification,verification; see <xref target="asym"/>. The transport does not require additional means to handle message reordering because of the lockstep processing of EDHOC.</t> <t>EDHOC is designed to enable an authenticated key exchange with small messages, where the minimum message sizes are of the order illustrated in the first column of <xreftarget="fig-sizes"/>.target="tab-sizes"/>. There is no maximum message size specified by the protocol; for example, this isfor exampledependent on the size of the authentication credentials (if they are transported, see <xref target="auth-key-id"/>).</t> <t>The use of transport is specified in the application profile, which inparticularparticular, may specify limitations in messagesizes,sizes; see <xref target="applicability"/>.</t> <section anchor="ci-edhoc"> <name>EDHOC Message Correlation</name> <t>Correlation between EDHOC messages is needed to facilitate the retrieval of the protocol state and security context during an EDHOC session. It is also helpful for the Responder to get an indication that a received EDHOC message is the beginning of a new EDHOC session, such that no existing protocol state or security context needs to be retrieved.</t> <t>Correlation may be based on existing mechanisms in the transportprotocol,protocol; for example, the CoAP Token may be used to correlate EDHOC messages in a CoAP response and in an associated CoAP request. The connection identifiers may also be used to correlate EDHOC messages.</t> <t>If correlation between consecutive messages is not provided by othermeansmeans, then the transport bindingSHOULD<bcp14>SHOULD</bcp14> mandate prepending of an appropriate connection identifier (when available from the EDHOC protocol) to the EDHOC message. If message_1 indication is not provided by other means, then the transport bindingSHOULD<bcp14>SHOULD</bcp14> mandate prepending of message_1 with the CBOR simple value <tt>true</tt> (0xf5).</t> <t>Transport of EDHOC in CoAP payloads is described in <xref target="coap"/>, including how to use connection identifiers and message_1 indication with CoAP. A similar construction is possible for other client-server protocols. Protocols that do not provide any correlation at all can prescribe prepending of the peer's connection identifier to all messages.</t> <t>Note that correlation between EDHOC messages may be obtained without transport support or connection identifiers, forexampleexample, if the endpoints only accept a single instance of the protocol at atime,time and execute conditionally on a correct sequence of messages.</t> </section> </section> <section anchor="auth-key-id"> <name>Authentication Parameters</name> <t>EDHOC supports various settings for how the other endpoint's authentication (public) key may be transported, identified, and trusted.</t> <t>EDHOC performs the followingauthentication relatedauthentication-related operations:</t> <ul spacing="normal"> <li>EDHOC transports information about credentials in ID_CRED_I and ID_CRED_R (described in <xref target="id_cred"/>). Based on this information, the authentication credentials CRED_I and CRED_R (described in <xref target="auth-cred"/>) can be obtained. EDHOC may also transport certainauthentication relatedauthentication-related information asExternal Authorization Dataexternal authorization data (see <xref target="AD"/>).</li> <li> <t>EDHOC uses the authentication credentials in two ways (see Sections <xreftarget="asym-msg2-proc"/>target="asym-msg2-proc" format="counter"/> and <xreftarget="asym-msg3-proc"/>):target="asym-msg3-proc" format="counter"/>): </t> <ul spacing="normal"> <li>The authentication credential is input to the integrity verification using the MAC fields.</li> <li>The authentication key of the authentication credential is used with the Signature_or_MAC field to verify proof-of-possession of the private key.</li> </ul> </li> </ul> <t>Otherauthentication relatedauthentication-related verifications are out of scope forEDHOC,EDHOC andisare the responsibility of the application. In particular, the authentication credential needs to be validated in the context of the connection for which EDHOC isused,used; see <xref target="auth-validation"/>. EDHOCMUST<bcp14>MUST</bcp14> allow the application to read received information aboutcredential (ID_CRED_R, ID_CRED_I).credentials in ID_CRED_R and ID_CRED_I. EDHOCMUST<bcp14>MUST</bcp14> have access to the authentication key and the authentication credential.</t> <t>Note that the type of authentication key, the type of authentication credential, and the identification of the credential have a large impact on the message size. For example, the Signature_or_MAC field is much smaller with a static DH key than with a signature key. A CWT Claims Set (CCS) is much smaller than a self-signedcertificate/CWT,certificate / CWT, but if it is possible to reference the credential with a COSE header like 'kid', then that is in turn much smaller than a CCS.</t> <section anchor="auth-keys"> <name>Authentication Keys</name> <t>The authentication key (i.e., the public key used for authentication)MUST<bcp14>MUST</bcp14> be a signature key or a static Diffie-Hellman key. The Initiator andtheResponderMAY<bcp14>MAY</bcp14> use different types of authentication keys, e.g., one uses a signature key and the other uses a static Diffie-Hellman key.</t> <t>The authentication key algorithm needs to be compatible with the method and the selected cipher suite (see <xref target="cs"/>). The authentication key algorithm needs to be compatible with the EDHOC key exchange algorithm when static Diffie-Hellman authentication isused,used and compatible with the EDHOC signature algorithm when signature authentication is used.</t> <t>Note that for most signature algorithms, the signature is determined by the signature algorithm and the authentication key algorithm together. When using static Diffie-Hellmankeyskeys, the Initiator's and the Responder's private authentication keys are denoted as I and R, respectively, and the public authentication keys are denoted G_I and G_R, respectively.</t> <t>For X.509certificatescertificates, the authentication key is represented by a SubjectPublicKeyInfo field. For CWT and CCS (see <xreftarget="auth-cred"/>))target="auth-cred"/>), the authentication key is represented by a 'cnf' claim <xref target="RFC8747"/> containing a COSE_Key <xref target="RFC9052"/>. In EDHOC, a raw public key (RPK) is an authentication key encoded as a COSE_Key wrapped in a CCS.</t> </section> <section anchor="auth-cred"> <name>Authentication Credentials</name> <t>The authentication credentials, CRED_I and CRED_R,containscontain the public authentication key of the Initiator andtheResponder, respectively. We use the notation CRED_x to refer to CRED_I or CRED_R. Requirements on CRED_x applies both to CRED_I and to CRED_R. The authentication credential typically also contains other parameters that needs to be verified by theapplication, seeapplication (see <xreftarget="auth-validation"/>,target="auth-validation"/>) and in particular information about the identity ("subject") of the endpoint to prevent misbindingattacks, seeattacks (see <xreftarget="identities"/>.</t>target="identities"/>).</t> <t>EDHOC relies on COSE for identification of credentials (see <xref target="id_cred"/>), forexampleexample, X.509 certificates <xref target="RFC9360"/>, C509 certificates <xref target="I-D.ietf-cose-cbor-encoded-cert"/>, CWTs <xreftarget="RFC8392"/>target="RFC8392"/>, andCWT Claims Sets (CCS)CCSs <xref target="RFC8392"/>. When the identified credential is a chain or a bag, the authentication credential CRED_x is just the end entity X.509 or C509 certificate / CWT. In the choice between a chain orbaga bag, it isRECOMMENDED<bcp14>RECOMMENDED</bcp14> to use a chain, since the certificates in a bag are unordered and may contain self-signed and extraneous certificates, which can add complexity to the process of extracting the end entity certificate. The Initiator andtheResponderMAY<bcp14>MAY</bcp14> use different types of authentication credentials, e.g., one uses an RPK and the other uses a public key certificate.</t> <t>Since CRED_R is used in the integrityverification, seeverification (see <xreftarget="asym-msg2-proc"/>,target="asym-msg2-proc"/>), it needs to be specified such that it is identical when used by the Initiator or Responder. Similarly for CRED_I, see <xref target="asym-msg3-proc"/>. The Initiator and Responder are expected to agree on the specific encoding of the authenticationcredentials,credentials; see <xref target="applicability"/>. It isRECOMMENDED<bcp14>RECOMMENDED</bcp14> that the COSE 'kid' parameter, when used to identify the authentication credential, refers toasuch a specific encoding of the authentication credential. The Initiator and ResponderSHOULD<bcp14>SHOULD</bcp14> use an available authentication credential (transported in EDHOC or otherwise provisioned) without re-encoding. If for some reason re-encoding ofthean authentication credential passed by reference may occur, then a potential common encoding forCBOR basedCBOR-based credentials isbytewise lexicographic order of their deterministic encodingsdeterministically encoded CBOR, as specified inSection 4.2.1Sections <xref target="RFC8949" section="4.2.1" sectionFormat="bare"/> and <xref target="RFC8949" section="4.2.2" sectionFormat="bare"/> of <xreftarget="RFC8949"/>.</t>target="RFC8949"/>. Authentication credentials passed by value are used as is without re-encoding.</t> <ul spacing="normal"> <li>When the authentication credential is an X.509 certificate, CRED_xSHALL<bcp14>SHALL</bcp14> be theDER encodedDER-encoded certificate, encoded as a bstr <xref target="RFC9360"/>.</li> <li>When the authentication credential is a C509 certificate, CRED_xSHALL<bcp14>SHALL</bcp14> be theC509CertificateC509 certificate <xref target="I-D.ietf-cose-cbor-encoded-cert"/>.</li> <li>When the authentication credential is a CWT including a COSE_Key, CRED_xSHALL<bcp14>SHALL</bcp14> be the untagged CWT.</li> <li> <t>When the authentication credential includes a COSE_Key but is not in a CWT, CRED_xSHALL<bcp14>SHALL</bcp14> be an untaggedCWT Claims Set (CCS).CCS. This is how RPKs are encoded, see <xref target="fig-ccs"/> for an example. </t> <ul spacing="normal"> <li>Naked COSE_Keys are thus dressed as CCS when used inEDHOC,EDHOC in its simplest form by prefixing the COSE_Key with 0xA108A101 (a map with a 'cnf' claim). In thatcasecase, the resulting authentication credential contains no other identity than the public keyitself,itself; see <xref target="identities"/>.</li> </ul> </li> </ul> <t>An example of CRED_x is shown below:</t> <figure anchor="fig-ccs"><name>CWT Claims Set (CCS) containing<name>CCS Containing an X25519staticStatic Diffie-HellmankeyKey and an EUI-64identity.</name>Identity</name> <artwork><![CDATA[ { /CCS/ 2 : "42-50-31-FF-EF-37-32-39", /sub/ 8 : { /cnf/ 1 : { /COSE_Key/ 1 : 1, /kty/ 2 : h'00', /kid/ -1 : 4, /crv/ -2 : h'b1a3e89460e88d3a8d54211dc95f0b90 /x/ 3ff205eb71912d6db8f4af980d2db83a' } } } ]]></artwork> </figure> </section> <section anchor="id_cred"> <name>Identification of Credentials</name> <t>The ID_CRED fields, ID_CRED_R and ID_CRED_I, are transported in message_2 and message_3,respectively,respectively; see Sections <xreftarget="asym-msg2-proc"/>target="asym-msg2-proc" format="counter"/> and <xreftarget="asym-msg3-proc"/>.target="asym-msg3-proc" format="counter"/>. We use the notation ID_CRED_x to refer to ID_CRED_I or ID_CRED_R. Requirements on ID_CRED_x applies both to ID_CRED_I and to ID_CRED_R. The ID_CRED fields are used to identify and optionally transport credentials:</t> <ul spacing="normal"> <li>ID_CRED_R is intended to facilitate for the Initiator retrieving the authentication credential CRED_R and the authentication key of R.</li> <li>ID_CRED_I is intended to facilitate for the Responder retrieving the authentication credential CRED_I and the authentication key of I.</li> </ul> <t>ID_CRED_x may contain the authentication credential CRED_x, for x = I or R, but for manysettingssettings, it is not necessary to transport the authentication credential within EDHOC. For example, it may be pre-provisioned or acquired out-of-band over less constrained links. ID_CRED_I and ID_CRED_R do not have any cryptographic purpose in EDHOC since the authentication credentials are integrityprotected.</t>protected by the Signature_or_MAC field.</t> <t>EDHOC relies on COSE for identification of credentials and supports all credential types for which COSE header parameters aredefineddefined, including X.509 certificates(<xref target="RFC9360"/>),<xref target="RFC9360"/>, C509 certificates(<xref target="I-D.ietf-cose-cbor-encoded-cert"/>), CWT (see<xref target="I-D.ietf-cose-cbor-encoded-cert"/>, CWTs (<xref target="new-header-param"/>) andCWT Claims Set (see <xrefCCSs (<xref target="new-header-param"/>).</t> <t>ID_CRED_I and ID_CRED_R are of type COSE header_map, as defined inSection 3 of<xreftarget="RFC9052"/>,target="RFC9052" section="3" sectionFormat="of"/>, andcontainscontain one or more COSE header parameters. If a map contains several header parameters, the labels do not need to be sorted in bytewise lexicographic order. ID_CRED_I and ID_CRED_RMAY<bcp14>MAY</bcp14> contain different header parameters. The header parameters typically provide some information about the format of the credential.</t> <t>Example: X.509 certificates can be identified by a hash value using the 'x5t'parameter,parameter; seeSection 2 of<xreftarget="RFC9360"/>:</t>target="RFC9360" section="2" sectionFormat="of"/>:</t> <ul spacing="normal"> <li>ID_CRED_x = { 34 : COSE_CertHash }, for x = I orR,</li>R</li> </ul> <t>Example: CWT or CCS can be identified by a key identifier using the 'kid'parameter,parameter; seeSection 3.1 of<xreftarget="RFC9052"/>:</t>target="RFC9052" section="3.1" sectionFormat="of"/>:</t> <ul spacing="normal"> <li>ID_CRED_x = { 4 : kid_x }, where kid_x : kid, for x = I orR.</li>R</li> </ul> <t>Note that COSE header parameters in ID_CRED_x are used to identify the message sender's credential.ThereTherefore, there isthereforeno reason to use the "-sender" header parameters, such as x5t-sender, defined inSection 3 of<xreftarget="RFC9360"/>.target="RFC9360" section="3" sectionFormat="of"/>. Instead, the corresponding parameter without "-sender", such as x5t,SHOULD<bcp14>SHOULD</bcp14> be used.</t> <t>As stated inSection 3.1 of<xreftarget="RFC9052"/>,target="RFC9052" section="3.1" sectionFormat="of"/>, applicationsMUST NOT<bcp14>MUST NOT</bcp14> assume that 'kid' values are unique and several keys associated with a 'kid' may need to be checked before the correct one is found. Applications might use additional information such as 'kid context' or lower layers to determine which key to try first. Applications should strive to make ID_CRED_x as unique as possible, since the recipient may otherwise have to try several keys.</t> <t>See <xref target="COSE"/> for more examples.</t> <section anchor="new-header-param"> <name>COSE Header Parameters for CWT and CWT Claims Set</name> <t>This document registers two new COSE headerparametersparameters, 'kcwt' and'kccs''kccs', for use with CBOR Web Token(CWT,(CWT) <xreftarget="RFC8392"/>)target="RFC8392"/> and CWT Claims Set(CCS,(CCS) <xreftarget="RFC8392"/>),target="RFC8392"/>, respectively. The CWT/CCSMUST<bcp14>MUST</bcp14> contain a COSE_Key in a 'cnf' claim <xref target="RFC8747"/>. There may be any number of additional claims present in the CWT/CCS.</t> <t>CWTs sent in 'kcwt' are protected using a MAC or a signature and are similar to a certificate (when used with public key cryptography) or a Kerberos ticket (when used with symmetric key cryptography). CCSs sent in 'kccs' are not protected and are therefore similar to raw public keys or self-signed certificates.</t> <t>Security considerations for 'kcwt' and 'kccs' are made in <xref target="impl-cons"/>.</t> </section> <section anchor="compact-kid"> <name>Compact Encoding of ID_CRED Fields for 'kid'</name> <t>To comply with theLAKELightweight Authenticated Key Exchange (LAKE) message sizerequirements, seerequirements (see <xreftarget="I-D.ietf-lake-reqs"/>,target="I-D.ietf-lake-reqs"/>), two optimizations are made for the case when ID_CRED_x, for x = I or R, contains a single 'kid' parameter.</t> <ol spacing="normal" type="1"><li>The CBOR map { 4 : kid_x } is replaced by the byte string kid_x.</li> <li>The representation of identifiers specified in <xref target="bstr-repr"/> is applied to kid_x.</li> </ol> <t>These optimizationsMUST<bcp14>MUST</bcp14> be applied if and only if ID_CRED_x = { 4 : kid_x } and ID_CRED_x in PLAINTEXT_y of message_y, y = 2 or3,3; see Sections <xreftarget="asym-msg2-proc"/>target="asym-msg2-proc" format="counter"/> and <xreftarget="asym-msg3-proc"/>.target="asym-msg3-proc" format="counter"/>. Note that these optimizations are not applied to instances of ID_CRED_xwhichthat have no impact on message size, e.g., context_y, or the COSE protected header.Examples:</t>For example:</t> <ul spacing="normal"> <li>For ID_CRED_x = { 4 : h'FF' }, the encoding in PLAINTEXT_y is not the CBOR map 0xA10441FF but the CBOR byte string h'FF', i.e., 0x41FF.</li> <li>For ID_CRED_x = { 4 : h'21' }, the encoding in PLAINTEXT_y is neither the CBOR map0xA1044121,0xA1044121 nor the CBOR byte string h'21', i.e., 0x4121, but the CBOR integer 0x21.</li> </ul> </section> </section> </section> <section anchor="cs"> <name>Cipher Suites</name> <t>An EDHOC cipher suite consists of an ordered set of algorithms from the "COSE Algorithms" and "COSE Elliptic Curves" registries as well as the EDHOC MAC length. All algorithm names and definitions followfromCOSEalgorithmsAlgorithms <xref target="RFC9053"/>. Note that COSE sometimes uses peculiar names such as ES256 forECDSAElliptic Curve Digital Signature Algorithm (ECDSA) with SHA-256, A128 for AES-128, and Ed25519 for the curve edwards25519. Algorithms need to be specified with enough parameters to make them completely determined. The EDHOC MAC lengthMUST<bcp14>MUST</bcp14> be at least 8 bytes. Any cryptographic algorithm used in the COSE header parameters in ID_CRED fields is selected independently of the selected cipher suite. EDHOC is currently only specified for use with key exchange algorithms of type ECDH curves, but any Key EncapsulationMethodMechanism (KEM), including Post-Quantum Cryptography (PQC) KEMs, can be used in method0,0; see <xref target="pqc"/>. Use of other types of key exchange algorithms to replace static DH authentication(method 1,2,3)(methods 1, 2, and 3) would likely require a specification updating EDHOC with new methods.</t> <t>EDHOC supports all signature algorithms defined by COSE. Just like in (D)TLS 1.3 <xreftarget="RFC8446"/><xreftarget="RFC8446"/> <xref target="RFC9147"/> and IKEv2 <xref target="RFC7296"/>, a signature in COSE is determined by the signature algorithm and the authentication key algorithmtogether,together; see <xref target="auth-keys"/>. The exact details of the authentication key algorithm depend on the type of authentication credential. COSE supports different formats for storing the public authentication keys including COSE_Key and X.509, which use different names and ways to represent the authentication key and the authentication key algorithm.</t> <t>An EDHOC cipher suite consists of the following parameters:</t> <ul spacing="normal"> <li>EDHOC AEADalgorithm</li>algorithm,</li> <li>EDHOC hashalgorithm</li>algorithm,</li> <li>EDHOC MAC length in bytes (StaticDH)</li>DH),</li> <li>EDHOC key exchange algorithm (ECDHcurve)</li>curve),</li> <li>EDHOC signaturealgorithm</li> <li>Applicationalgorithm,</li> <li>application AEADalgorithm</li> <li>Applicationalgorithm, and</li> <li>application hashalgorithm</li>algorithm.</li> </ul> <t>Each cipher suite is identified with apre-definedpredefined integer label.</t> <t>EDHOC can be used with all algorithms and curves defined for COSE. Implementations can either use any combination of COSE algorithms and parameters to define their own private ciphersuite,suite or use one of thepre-definedpredefined cipher suites. Private cipher suites can be identified with any of the fourvaluesvalues: -24, -23, -22, and -21. Thepre-definedpredefined cipher suites are listed in the IANA registry (<xref target="suites-registry"/>) with the initial content outlined here:</t> <ul spacing="normal"> <li> <t>Cipher suites 0-3, based on AES-CCM, are intended for constrained IoT where a message overhead is a very important factor. Note that AES-CCM-16-64-128 and AES-CCM-16-128-128 are compatible with the IEEECCM*Counter with CBC-MAC (CCM)* mode. </t> <ul spacing="normal"> <li>Cipher suites 1 and 3 use a larger tag length(128-bit)(128 bits) in EDHOC than in theApplicationapplication AEAD algorithm(64-bit).</li>(64 bits).</li> </ul> </li> <li>Cipher suites 4 and 5, based on ChaCha20, are intended for less constrained applications and only use 128-bit tag lengths.</li> <li>Cipher suite 6, based on AES-GCM, is for general non-constrained applications. It consists ofhigh performancehigh-performance algorithms that are widely used in non-constrained applications.</li> <li>Cipher suites 24 and 25 are intended for high security applications such as government use and financial applications. These cipher suites do not share any algorithms. Cipher suite 24 consists of algorithms from theCNSACommercial National Security Algorithm (CNSA) 1.0 suite <xref target="CNSA"/>.</li> </ul> <t>The different methods (<xref target="method"/>) use the same cipher suites, but some algorithms are not used in some methods. The EDHOC signature algorithm is not used in methods without signature authentication.</t> <t>The Initiator needs to have a list of cipher suites it supports in order of preference. The Responder needs to have a list of cipher suites it supports. SUITES_I contains cipher suites supported by theInitiator,Initiator and formatted and processed as detailed in <xref target="asym-msg1-form"/> to secure the cipher suite negotiation. Examples of cipher suite negotiation are given in <xref target="ex-neg"/>.</t> </section> <section anchor="cose_key"> <name>Ephemeral Public Keys</name> <t>The ephemeral public keys in EDHOC (G_X and G_Y) use compact representation of elliptic curvepoints,points; see <xref target="comrep"/>. In COSE, compact representation is achieved by formatting the ECDH ephemeral public keys as COSE_Keys of type EC2 orOKPOctet Key Pair (OKP) according to Sections7.1<xref target="RFC9053" section="7.1" sectionFormat="bare"/> and7.2<xref target="RFC9053" section="7.2" sectionFormat="bare"/> of <xreftarget="RFC9053"/>,target="RFC9053"/> but only including the 'x' parameter in G_X and G_Y. For Elliptic Curve Keys of type EC2, compact representationMAY<bcp14>MAY</bcp14> be used also in the COSE_Key. COSE always uses compact output for Elliptic Curve Keys of type EC2. If the COSE implementation requires a 'y' parameter, the value y = false or a calculated y-coordinate can beused,used; see <xref target="comrep"/>.</t> </section> <section anchor="AD"> <name>External Authorization Data (EAD)</name> <t>In order to reduce round trips and the number ofmessages,messages or to simplify processing, external security applications may be integrated into EDHOC by transportingauthorization relatedauthorization-related data in the messages.</t> <t>EDHOC allows processing of external authorization data (EAD) to be defined in a separatespecification,specification and sent in dedicated fields of the four EDHOCmessages (EAD_1,messages: EAD_1, EAD_2, EAD_3,EAD_4).and EAD_4. EAD is opaque data to EDHOC.</t> <t>Each EAD field,EAD_xEAD_x, for x = 1, 2,33, or 4, is a CBOR sequence (see <xref target="CBOR"/>) consisting of one or more EAD items.AnEAD item ead is a CBOR sequence of an ead_label and an optionalead_value,ead_value; see <xref target="fig-ead-item"/> and <xref target="CDDL"/> for the CDDL definitions.</t> <figure anchor="fig-ead-item"> <name>EADitem.</name>Item</name> <sourcecode type="CDDL"><![CDATA[ ead = ( ead_label : int, ? ead_value : bstr, ) ]]></sourcecode> </figure> <t>A security application may register one or more EADlabels, seelabels (see <xreftarget="iana-ead"/>,target="iana-ead"/>) and specify the associated processing and security considerations. The IANA registry contains the absolute value of the ead_label, |ead_label|; the same ead_value applies independently of the sign of the ead_label.</t> <t>An EAD item can be either critical or non-critical, determined by the sign of the ead_label in the EAD item transported in the EAD field. A negative value indicates that the EAD item iscriticalcritical, and anon-negativenonnegative value indicates that the EAD item is non-critical.</t> <t>If an endpoint receives a critical EAD item it does notrecognize,recognize or a critical EAD item that contains information that it cannot process, then the endpointMUST<bcp14>MUST</bcp14> send an EDHOC error message back as defined in <xref target="error"/>, and the EDHOC sessionMUST<bcp14>MUST</bcp14> be aborted. The EAD item specification defines the error processing. A non-critical EAD item can be ignored.</t> <t>The security application registering a new EAD item needs to describe under what conditions the EAD item is critical or non-critical, and thus whether the ead_label is used with a negative or positive sign. ead_label = 0 is used forpadding,padding; see <xref target="padding"/>.</t> <t>The security application may define multiple uses of certain EAD items, e.g., the same EAD item may be used in different EDHOC messages. Multiple occurrences of an EAD item in one EAD field may also be specified, but the criticality of the repeated EAD item is expected to be the same.</t> <t>The EAD fields of EDHOCMUST<bcp14>MUST</bcp14> only be used with registered EADitems,items; see <xref target="iana-ead"/>. Examples of the use of EAD are provided in <xref target="ead-appendix"/>.</t> <section anchor="padding"> <name>Padding</name> <t>EDHOC message_1 and the plaintext of message_2,message_3message_3, and message_4 can be padded with the use of the corresponding EAD_x field, for x = 1, 2, 3, or 4. Padding in EAD_1 mitigates amplification attacks (see <xref target="dos"/>), and padding in EAD_2, EAD_3, and EAD_4 hides the true length of the plaintext (see <xref target="internet-threat"/>). PaddingMUST<bcp14>MUST</bcp14> be ignored and discarded by the receiving application.</t> <t>Padding is obtained by using an EAD item with ead_label = 0 and a(pseudo-)randomly(pseudo)randomly generated byte string of appropriate length as ead_value, noting that the ead_label and the CBOR encoding of ead_value also add bytes.Examples:</t>For example:</t> <ul spacing="normal"> <li><t>One byte<t>One-byte padding (optional ead_value omitted): </t><ul spacing="normal"> <li>EAD_x<t>EAD_x =0x00</li> </ul>0x00</t> </li> <li><t>Two bytes<t>Two-byte padding, using the empty byte string (0x40) as ead_value: </t><ul spacing="normal"> <li>EAD_x<t>EAD_x =0x0040</li> </ul>0x0040</t> </li> <li><t>Three bytes<t>Three-byte padding, constructed from the pseudorandomly generated ead_value 0xe9 encoded as byte string: </t><ul spacing="normal"> <li>EAD_x<t>EAD_x =0x0041e9</li> </ul>0x0041e9</t> </li> </ul> <t>Multiple occurrences of EAD items with ead_label = 0 are allowed. Certain padding lengths require the use of at least two such EAD items.</t> <t>Note that padding is non-critical because the intendedbehaviourbehavior when receiving is to ignore it.</t> </section> </section> <section anchor="applicability"> <name>Application Profile</name> <t>EDHOC requires certain parameters to be agreed upon between the Initiator and Responder. Some parameters can be negotiated through the protocol execution (specifically, ciphersuite,suite; see <xreftarget="cs"/>)target="cs"/>), but other parameters are only communicated and may not be negotiated (e.g., which authentication method isused,used; see <xref target="method"/>).YetYet, other parameters need to be known out-of-band to ensure successful completion, e.g., whether message_4 is used or not. The application decides which endpoint is the Initiator and which is the Responder.</t> <t>The purpose of an application profile is to describe the intended use of EDHOC to allow for the relevant processing and verifications to be made, including thingslike:</t>like the following:</t> <ol spacing="normal" type="1"><li> <t>How the endpoint detects that an EDHOC message is received. This includes how EDHOC messages are transported, forexampleexample, in the payload of a CoAP message with a certain Uri-Path or Content-Format; see <xref target="coap"/>. </t><ul spacing="normal"> <li>The<t>The method of transporting EDHOC messages may also describe data carried along with the messages that are needed for the transport to satisfy the requirements of <xref target="transport"/>, e.g., connection identifiers used with certainmessages,messages; see <xreftarget="coap"/>.</li> </ul>target="coap"/>.</t> </li> <li>Authentication method (METHOD; see <xref target="method"/>).</li> <li>Profile for authentication credentials(CRED_I,(CRED_I and CRED_R; see <xref target="auth-cred"/>), e.g., profile for certificate or CCS, including supported authentication key algorithms (subject public key algorithm in X.509 or C509 certificate).</li> <li>Type used to identify credentials(ID_CRED_I,(ID_CRED_I and ID_CRED_R; see <xref target="id_cred"/>).</li> <li>Use and type of external authorization data (EAD_1, EAD_2, EAD_3, and EAD_4; see <xref target="AD"/>).</li> <li>Identifier used as the identity of the endpoint; see <xref target="identities"/>.</li> <li>If message_4 shall be sent/expected, and if not, how to ensure a protected application message is sent from the Responder to the Initiator; see <xref target="m4"/>.</li> </ol> <t>The application profile may also contain information about supported cipher suites. The procedure for selecting and verifying a cipher suite is still performed as described in Sections <xreftarget="asym-msg1-form"/>target="asym-msg1-form" format="counter"/> and <xreftarget="wrong-selected"/>,target="wrong-selected" format="counter"/>, but it may become simplified by this knowledge. EDHOC messages can be processed without the application profile, i.e., the EDHOC messagesincludesinclude information about the type and length of all fields.</t> <t>An example of an application profile is shown in <xref target="appl-temp"/>.</t> <t>For some parameters, like METHOD, the type of the ID_CREDfieldfield, or EAD, the receiver of an EDHOC message is able to verify compliance with the applicationprofile, andprofile and, if it needs to fail because of the lack of compliance, to infer the reason why the EDHOC session failed.</t> <t>For other encodings, like the profiling of CRED_x in the case that it is not transported, it may not be possible to verify that the lack of compliance with the application profile was the reason forfailure: Integrityfailure, i.e., integrity verification in message_2 or message_3 may fail not only because of a wrong credential. For example, in case the Initiator uses a public key certificate by reference (i.e., not transported within theprotocol)protocol), then both endpoints need to use an identical data structure as CRED_I or else the integrity verification will fail.</t> <t>Note that it is not necessary for the endpoints to specify a single transport for the EDHOC messages. For example, a mix of CoAP and HTTP may be used along the path, and this may still allow correlation between messages.</t> <t>The application profile may be dependent on the identity of the otherendpoint,endpoint or other information carried in an EDHOC message, but it then applies only to the later phases of the protocol when such information is known. (The Initiator does not know the identity of the Responder before having verified message_2, and the Responder does not know the identity of the Initiator before having verified message_3.)</t> <t>Other conditions may be part of the application profile, such as what is the target application or use (if there is more than one application/use) to the extent that EDHOC can distinguish between them. In case multiple application profiles are used, the receiver needs to be able to determine which is applicable for a given EDHOC session, forexampleexample, based on the URI to which the EDHOC message is sent, or external authorization data type.</t> </section> </section> <section anchor="key-der"> <name>Key Derivation</name> <section anchor="keys-for-edhoc-message-processing"> <name>Keys for EDHOC Message Processing</name> <t>EDHOC uses Extract-and-Expand <xref target="RFC5869"/> with the EDHOC hash algorithm in the selected cipher suite to derive keys used in message processing. This section defines EDHOC_Extract (<xref target="extract"/>) and EDHOC_Expand (<xreftarget="expand"/>),target="expand"/>) and how to use them to derive PRK_out (<xreftarget="prkout"/>)target="prkout"/>), which is the shared secret session key resulting from a completed EDHOC session.</t> <t>EDHOC_Extract is used to derive fixed-length uniformly pseudorandom keys(PRK)(PRKs) from ECDH shared secrets. EDHOC_Expand is used to define EDHOC_KDF for generating MACs and for deriving output keying material (OKM) from PRKs.</t> <t>InEDHOCEDHOC, a specific message is protected with a certainpseudorandom key,PRK, but how the key is derived depends on the authentication method (<xreftarget="method"/>)target="method"/>), as detailed in <xref target="asym"/>.</t><!-- A diagram of the EDHOC key schedule can be found in Figure 2 of {{Vucinic22}}. TBD: Rewrite the diagram --><section anchor="extract"> <name>EDHOC_Extract</name> <t>The pseudorandom keys (PRKs) used for EDHOC message processing are derived using EDHOC_Extract:</t> <artwork><![CDATA[ PRK = EDHOC_Extract( salt, IKM ) ]]></artwork> <t>where the input keying material (IKM) and salt are defined for each PRK below.</t> <t>The definition of EDHOC_Extract depends on the EDHOC hash algorithm of the selected cipher suite:</t> <ul spacing="normal"><li>if<li>If the EDHOC hash algorithm is SHA-2, then EDHOC_Extract( salt, IKM ) = HKDF-Extract( salt, IKM ) <xreftarget="RFC5869"/></li> <li>iftarget="RFC5869"/>.</li> <li>If the EDHOC hash algorithm is SHAKE128, then EDHOC_Extract( salt, IKM ) = KMAC128( salt, IKM, 256, "")</li> <li>if).</li> <li>If the EDHOC hash algorithm is SHAKE256, then EDHOC_Extract( salt, IKM ) = KMAC256( salt, IKM, 512, "")</li>).</li> </ul> <t>where the Keccakmessage authentication codeMessage Authentication Code (KMAC) is specified in <xref target="SP800-185"/>.</t> <t>The rest of the section defines the pseudorandom keys PRK_2e,PRK_3e2mPRK_3e2m, and PRK_4e3m; their use is shown in <xref target="fig-edhoc-kdf"/>. The index of a PRK indicates its use or in what message protection operation it is involved. For example, PRK_3e2m is involved in the encryption of message 3 and in calculating the MAC of message 2.</t> <section anchor="prk2e"> <name>PRK_2e</name> <t>The pseudorandom key PRK_2e is derived with the following input:</t> <ul spacing="normal"> <li>The saltSHALL<bcp14>SHALL</bcp14> be TH_2.</li> <li>The IKMSHALL<bcp14>SHALL</bcp14> be the ephemeral-ephemeral ECDH shared secret G_XY (calculated from G_X and Y or G_Y and X) as defined in <xref section="6.3.1" sectionFormat="of" target="RFC9053"/>. The use of G_XY gives forwardsecrecy,secrecy in the sense that compromise of the private authentication keys does not compromise past session keys.</li> </ul> <t>Example: Assuming the use of curve25519, the ECDH shared secret G_XY is the output of the X25519 function <xref target="RFC7748"/>:</t> <artwork><![CDATA[ G_XY = X25519( Y, G_X ) = X25519( X, G_Y ) ]]></artwork> <t>Example: Assuming the use ofSHA-256SHA-256, the extract phase ofHKDFthe Key Derivation Function (HKDF) produces PRK_2e as follows:</t> <artwork><![CDATA[ PRK_2e = HMAC-SHA-256( TH_2, G_XY ) ]]></artwork> </section> <section anchor="prk3e2m"> <name>PRK_3e2m</name> <t>The pseudorandom key PRK_3e2m is derived as follows:</t> <t>If the Responder authenticates with a static Diffie-Hellman key, then PRK_3e2m = EDHOC_Extract( SALT_3e2m, G_RX ), where</t> <ul spacing="normal"> <li>SALT_3e2m is derived fromPRK_2e, seePRK_2e (see <xreftarget="expand"/>,target="expand"/>) and</li> <li>G_RX is the ECDH shared secret calculated from G_R and X, or G_X and R (the Responder's private authenticationkey,key; see <xref target="auth-keys"/>),</li> </ul> <t>else PRK_3e2m = PRK_2e.</t> </section> <section anchor="prk4e3m"> <name>PRK_4e3m</name> <t>The pseudorandom key PRK_4e3m is derived as follows:</t> <t>If the Initiator authenticates with a static Diffie-Hellman key, then PRK_4e3m = EDHOC_Extract( SALT_4e3m, G_IY ), where</t> <ul spacing="normal"> <li>SALT_4e3m is derived fromPRK_3e2m, seePRK_3e2m (see <xreftarget="expand"/>,target="expand"/>) and</li> <li>G_IY is the ECDH shared secret calculated from G_I and Y, or G_Y and I (the Initiator's private authenticationkey,key; see <xref target="auth-keys"/>),</li> </ul> <t>else PRK_4e3m = PRK_3e2m.</t> </section> </section> <section anchor="expand"> <name>EDHOC_Expand and EDHOC_KDF</name> <t>The output keying material (OKM)--- including keys,IVs,initialization vectors (IVs), and salts--- are derived from the PRKs using the EDHOC_KDF, which is defined through EDHOC_Expand:</t> <artwork><![CDATA[ OKM = EDHOC_KDF( PRK, info_label, context, length ) = EDHOC_Expand( PRK, info, length ) ]]></artwork> <t>where info is encoded as the CBORsequence</t>sequence:</t> <sourcecodetype="CDDL"><![CDATA[type="cbor"><![CDATA[ info = ( info_label : int, context : bstr, length : uint, ) ]]></sourcecode><t>where</t><t>where:</t> <ul spacing="normal"> <li>info_label is anint</li>int,</li> <li>context is abstr</li>bstr, and</li> <li>length is the length of OKM inbytes</li>bytes.</li> </ul> <t>When EDHOC_KDF is used to derive OKM for EDHOC message processing, then the context includes one of the transcripthasheshashes, TH_2, TH_3, orTH_4TH_4, defined in Sections <xref target="asym-msg2-proc" format="counter"/> and <xref target="asym-msg3-proc" format="counter"/>.</t> <t>The definition of EDHOC_Expand depends on the EDHOC hash algorithm of the selected cipher suite:</t> <ul spacing="normal"><li>if<li>If the EDHOC hash algorithm is SHA-2, then EDHOC_Expand( PRK, info, length ) = HKDF-Expand( PRK, info, length ) <xreftarget="RFC5869"/></li> <li>iftarget="RFC5869"/>.</li> <li>If the EDHOC hash algorithm is SHAKE128, then EDHOC_Expand( PRK, info, length ) = KMAC128( PRK, info, L, "")</li> <li>if).</li> <li>If the EDHOC hash algorithm is SHAKE256, then EDHOC_Expand( PRK, info, length ) = KMAC256( PRK, info, L, "")</li>).</li> </ul> <t>where L = 8<contact fullname="⋅"/>⋅ length, the output length in bits.</t> <t><xref target="fig-edhoc-kdf"/> lists derivations made with EDHOC_KDF,where</t>where:</t> <ul spacing="normal"> <li>hash_length-is the length of output size of the EDHOC hash algorithm of the selected ciphersuite</li>suite,</li> <li>key_length-is the length of the encryption key of the EDHOC AEAD algorithm of the selected ciphersuite</li>suite, and</li> <li>iv_length-is the length of the initialization vector of the EDHOC AEAD algorithm of the selected cipher suite</li> </ul> <t>Further details of the key derivation and how the output keying material is used are specified in <xref target="asym"/>.</t> <figure anchor="fig-edhoc-kdf"> <name>Keyderivations using EDHOC_KDF. h'' is CBOR diagnostic notation for the empty byte string, 0x40.</name>Derivations Using EDHOC_KDF</name> <artwork align="center"><![CDATA[ KEYSTREAM_2 = EDHOC_KDF( PRK_2e, 0, TH_2, plaintext_length ) SALT_3e2m = EDHOC_KDF( PRK_2e, 1, TH_2, hash_length ) MAC_2 = EDHOC_KDF( PRK_3e2m, 2, context_2, mac_length_2 ) K_3 = EDHOC_KDF( PRK_3e2m, 3, TH_3, key_length ) IV_3 = EDHOC_KDF( PRK_3e2m, 4, TH_3, iv_length ) SALT_4e3m = EDHOC_KDF( PRK_3e2m, 5, TH_3, hash_length ) MAC_3 = EDHOC_KDF( PRK_4e3m, 6, context_3, mac_length_3 ) PRK_out = EDHOC_KDF( PRK_4e3m, 7, TH_4, hash_length ) K_4 = EDHOC_KDF( PRK_4e3m, 8, TH_4, key_length ) IV_4 = EDHOC_KDF( PRK_4e3m, 9, TH_4, iv_length ) PRK_exporter = EDHOC_KDF( PRK_out, 10, h'', hash_length ) ]]></artwork> </figure> <t>h'' is CBOR diagnostic notation for the empty byte string, 0x40.</t> </section> <section anchor="prkout"> <name>PRK_out</name> <t>The pseudorandom key PRK_out, derived as shown in <xref target="fig-edhoc-kdf"/>, is the output session key of a completed EDHOC session.</t> <t>Keys for applications are derived using EDHOC_Exporter (see <xref target="exporter"/>) from PRK_exporter, which in turn is derived from PRK_out as shown in <xref target="fig-edhoc-kdf"/>. For the purpose of generating application keys, it is sufficient to store PRK_out or PRK_exporter. (Note that the word "store" used here does not imply that the application has access to the plaintext PRK_out since that may be reserved for code within a Trusted ExecutionEnvironment,Environment (TEE); see <xreftarget="impl-cons"/>).</t>target="impl-cons"/>.)</t> </section> </section> <section anchor="keys-for-edhoc-applications"> <name>Keys for EDHOC Applications</name> <t>This section defines EDHOC_Exporter in terms of EDHOC_KDF and PRK_exporter. A key update function is defined in <xref target="keyupdate"/>.</t> <section anchor="exporter"> <name>EDHOC_Exporter</name> <t>Keying material for the application can be derived using the EDHOC_Exporter interface defined as:</t> <artwork><![CDATA[ EDHOC_Exporter(exporter_label, context, length) = EDHOC_KDF(PRK_exporter, exporter_label, context, length) ]]></artwork><t>where</t><t>where:</t> <ul spacing="normal"> <li>exporter_label is a registered uint from theEDHOC_Exporter Label"EDHOC Exporter Labels" registry (<xreftarget="exporter-label"/>)</li>target="exporter-label"/>),</li> <li>context is a bstr defined by theapplication</li>application, and</li> <li>length is a uint defined by theapplication</li>application.</li> </ul> <t>The (exporter_label, context) pair used in EDHOC_Exporter must be unique, i.e., an (exporter_label, context)MUST NOT<bcp14>MUST NOT</bcp14> be used for two different purposes. However, an application can re-derive the same key several times as long as it is done securely. For example, in most encryptionalgorithmsalgorithms, the same key can be reused with different nonces. The contextcancan, forexampleexample, be the empty CBOR byte string.</t> <t>Examples of use of the EDHOC_Exporter are given in <xref target="transfer"/>.</t> </section> </section> </section> <section anchor="asym"> <name>Message Formatting and Processing</name> <t>This section specifies formatting of the messages and processing steps. Error messages are specified in <xref target="error"/>. Annotated traces of EDHOC sessions are provided in <xreftarget="I-D.ietf-lake-traces"/>.</t>target="RFC9529"/>.</t> <t>An EDHOC message is encoded as a sequence of CBOR data items (CBORSequence,Sequence <xref target="RFC8742"/>). Additional optimizations are made to reduce message overhead.</t> <t>While EDHOC uses the COSE_Key, COSE_Sign1, and COSE_Encrypt0 structures, only a subset of the parameters is included in the EDHOCmessages,messages; see <xref target="COSE"/>. In order to recreate the COSE object, the recipient endpoint may need to add parameters to the COSE headers not included in the EDHOC message, forexampleexample, the parameter 'alg' to COSE_Sign1 or COSE_Encrypt0.</t> <section anchor="proc-outline"> <name>EDHOC Message Processing Outline</name> <t>For each new/ongoing EDHOC session, the endpoints are assumed to keep an associated protocol state containing identifiers, keying material, etc. used for subsequent processing ofprotocol relatedprotocol-related data. The protocol state is assumed to be associated with an application profile (<xref target="applicability"/>)whichthat provides the context for how messages are transported, identified, and processed.</t> <t>EDHOC messagesSHALL<bcp14>SHALL</bcp14> be processed according to the current protocol state. The following steps are expected to be performed at reception of an EDHOC message:</t> <ol spacing="normal" type="1"><li>Detect that an EDHOC message has been received, forexampleexample, by means of a port number, URI, or media type (<xref target="applicability"/>).</li> <li>Retrieve the protocol state according to the messagecorrelation,correlation; see <xref target="ci-edhoc"/>. If there is no protocol state, in the case of message_1, a new protocol state is created. The Responder endpoint needs to make use of available denial-of-service mitigation (<xref target="dos"/>).</li> <li>If the message received is an error message, then process it according to <xref target="error"/>, else process it as the expected next message according to the protocol state.</li> </ol> <t>The message processing stepsSHALL<bcp14>SHALL</bcp14> be processed in order, unless otherwise stated. If the processing fails for somereason then, typically,reason, then typically an error message is sent, the EDHOC session is aborted, and the protocol state is erased. When the composition and sending of one message is completed and before the next message is received, error messagesSHALL NOT<bcp14>SHALL NOT</bcp14> be sent.</t> <t>After having successfully processed the last message (message_3 or message_4 depending on applicationprofile)profile), the EDHOC session iscompleted,completed; afterwhichwhich, no error messages are sent and EDHOC session outputMAY<bcp14>MAY</bcp14> be maintained even if error messages are received. Further details are provided in the following subsections and in <xref target="error"/>.</t> <t>Different instances of the same messageMUST NOT<bcp14>MUST NOT</bcp14> be processed in one EDHOC session. Note that processing will fail if the same message appears a second time for EDHOC processing in the same EDHOC session because the state of the protocol has moved on and now expects something else. Message deduplicationMUST<bcp14>MUST</bcp14> be done by the transport protocol (see <xref target="transport"/>) or, if not supported by the transport, as described in <xref target="duplication"/>.</t> </section> <section anchor="m1"> <name>EDHOC Message 1</name> <section anchor="asym-msg1-form"> <name>Formatting of Message 1</name> <t>message_1SHALL<bcp14>SHALL</bcp14> be a CBOR Sequence (see <xreftarget="CBOR"/>)target="CBOR"/>), as definedbelow</t>below.</t> <sourcecodetype="CDDL"><![CDATA[type="cbor"><![CDATA[ message_1 = ( METHOD : int, SUITES_I : suites, G_X : bstr, C_I : bstr / -24..23, ? EAD_1, ) suites = [ 2* int ] / int EAD_1 = 1* ead ]]></sourcecode> <t>where:</t> <ul spacing="normal"> <li>METHOD-is an authenticationmethod,method; see <xreftarget="method"/>.</li>target="method"/>,</li> <li>SUITES_I-is an array of cipher suiteswhichthat the Initiator supports constructed as specified in <xreftarget="init-proc-msg1"/>.</li>target="init-proc-msg1"/>,</li> <li>G_X-is the ephemeral public key of theInitiator</li>Initiator, and</li> <li>C_I- variable lengthis the variable-length connectionidentifier. Noteidentifier (note that connection identifiers are byte strings but certain values are represented as integers in themessage,message; see <xreftarget="bstr-repr"/>.</li>target="bstr-repr"/>), and</li> <li>EAD_1-is the external authorizationdata,data; see <xref target="AD"/>.</li> </ul> </section> <section anchor="init-proc-msg1"> <name>Initiator Composition of Message 1</name> <t>The processing steps are detailed below and in <xref target="wrong-selected"/>.</t> <t>The InitiatorSHALL<bcp14>SHALL</bcp14> compose message_1 as follows:</t> <ul spacing="normal"> <li> <t>Construct SUITES_I as an array of cipher suites supported by I in order of preference by I with the first cipher suite in the array being the most preferred byI,I and the last being the one selected by I for this EDHOC session. If the cipher suite most preferred by I isselectedselected, then SUITES_I contains only that cipher suite and is encoded as an int. All cipher suites, if any, preferred by I over the selected oneMUST<bcp14>MUST</bcp14> be included. (See also <xref target="wrong-selected"/>.) </t> <ul spacing="normal"> <li>The selected suite is based on what the Initiator can assume to be supported by the Responder; if the Initiator previously received from the Responder has an error message with error code 2 containing SUITES_R (see <xref target="wrong-selected"/>) indicating cipher suites supported by the Responder, then the InitiatorSHOULD<bcp14>SHOULD</bcp14> select its most preferred supported cipher suite among those (bearing in mind that error messages may be forged).</li> <li>The InitiatorMUST NOT<bcp14>MUST NOT</bcp14> change its order of preference for ciphersuites,suites andMUST NOT<bcp14>MUST NOT</bcp14> omit a cipher suite preferred to the selected one because of previous error messages received from the Responder.</li> </ul> </li> <li>Generate an ephemeral ECDH key pair using the curve in the selected cipher suite and format it as a COSE_Key. Let G_X be the 'x' parameter of the COSE_Key.</li> <li>Choose a connection identifier C_I and store it during the EDHOC session.</li> <li>Encode message_1 as a sequence ofCBOR encodedCBOR-encoded data items as specified in <xref target="asym-msg1-form"/></li> </ul> </section> <section anchor="resp-proc-msg1"> <name>Responder Processing of Message 1</name> <t>The ResponderSHALL<bcp14>SHALL</bcp14> process message_1 in the following order:</t><ul<ol spacing="normal"> <li>Decode message_1 (see <xref target="CBOR"/>).</li> <li>Processmessage_1, in particularmessage_1. In particular, verify that the selected cipher suite is supported and that no prior cipher suite as ordered in SUITES_I is supported.</li> <li>If all processing completed successfully, and if EAD_1 is present, then make it available to the application for EAD processing.</li></ul></ol> <t>If any processing step fails, then the ResponderMUST<bcp14>MUST</bcp14> send an EDHOC error message back as defined in <xref target="error"/>, and the EDHOC sessionMUST<bcp14>MUST</bcp14> be aborted.</t> </section> </section> <section anchor="m2"> <name>EDHOC Message 2</name> <section anchor="asym-msg2-form"> <name>Formatting of Message 2</name> <t>message_2SHALL<bcp14>SHALL</bcp14> be a CBOR Sequence (see <xreftarget="CBOR"/>)target="CBOR"/>), as definedbelow</t>below.</t> <sourcecodetype="CDDL"><![CDATA[type="cbor"><![CDATA[ message_2 = ( G_Y_CIPHERTEXT_2 : bstr, ) ]]></sourcecode> <t>where:</t> <ul spacing="normal"> <li>G_Y_CIPHERTEXT_2-is the concatenation of G_Y (i.e., the ephemeral public key of the Responder) and CIPHERTEXT_2.</li> </ul> </section> <section anchor="asym-msg2-proc"> <name>Responder Composition of Message 2</name> <t>The ResponderSHALL<bcp14>SHALL</bcp14> compose message_2 as follows:</t> <ul spacing="normal"> <li>Generate an ephemeral ECDH key pair using the curve in the selected cipher suite and format it as a COSE_Key. Let G_Y be the 'x' parameter of the COSE_Key.</li> <li>Choose a connection identifier C_R and store it for the length of the EDHOC session.</li> <li>Compute the transcript hash TH_2 = H( G_Y, H(message_1))), where H() is the EDHOC hash algorithm of the selected cipher suite. The input to the hash function is a CBOR Sequence. Note that H(message_1) can be computed and cached already in the processing of message_1.</li> <li> <t>Compute MAC_2 as in <xref target="expand"/> with context_2 = << C_R, ID_CRED_R, TH_2, CRED_R, ? EAD_2 >> (see <xref target="CBOR"/> fornotation)notation). </t> <ul spacing="normal"> <li>If the Responder authenticates with a static Diffie-Hellman key (method equals 1 or 3), then mac_length_2 is the EDHOC MAC length of the selected cipher suite. If the Responder authenticates with a signature key (method equals 0 or 2), then mac_length_2 is equal to hash_length.</li> <li>C_R is a variable-length connection identifier. Note that connection identifiers are byte strings but certain values are represented as integers in the message; see <xref target="bstr-repr"/>.</li> <li>ID_CRED_R-is the identifier to facilitate the retrieval ofCRED_R,CRED_R; see <xreftarget="id_cred"/></li>target="id_cred"/>.</li> <li>CRED_R-is the CBOR item containing the authentication credential of theResponder,Responder; see <xreftarget="auth-cred"/></li>target="auth-cred"/>.</li> <li>EAD_2-is the external authorizationdata,data; see <xreftarget="AD"/></li>target="AD"/>.</li> </ul> </li> <li> <t>If the Responder authenticates with a static Diffie-Hellman key (method equals 1 or 3), then Signature_or_MAC_2 is MAC_2. If the Responder authenticates with a signature key (method equals 0 or 2), then Signature_or_MAC_2 is the 'signature' field of a COSE_Sign1 object, computed as specified inSection 4.4 of<xreftarget="RFC9053"/>target="RFC9052" section="4.4" sectionFormat="of"/> and using the signature algorithm of the selected cipher suite, the private authentication key of the Responder, and the following parameters as input (see <xref target="COSE"/> for an overview of COSE and <xref target="CBOR"/> for notation): </t> <ul spacing="normal"> <li>protected = << ID_CRED_R >></li> <li>external_aad = << TH_2, CRED_R, ? EAD_2 >></li> <li>payload = MAC_2</li> </ul> </li> <li> <t>CIPHERTEXT_2 is calculated with a binary additive stream cipher, using a keystream generated withEDHOC_Expand,EDHOC_Expand and the following plaintext: </t> <ul spacing="normal"> <li> <t>PLAINTEXT_2 = ( C_R, ID_CRED_R / bstr / -24..23, Signature_or_MAC_2, ? EAD_2 ) </t> <ul spacing="normal"> <li>If ID_CRED_R contains a single 'kid' parameter, i.e., ID_CRED_R = { 4 : kid_R }, then the compact encoding isapplied,applied; see <xref target="compact-kid"/>.</li> <li>C_R- variable lengthis the variable-length connection identifier. Note that connection identifiers are bytestringsstrings, but certain values are represented as integers in themessage,message; see <xref target="bstr-repr"/>.</li> </ul> </li> <li>Compute KEYSTREAM_2 as in <xref target="expand"/>, where plaintext_length is the length of PLAINTEXT_2. For the case of plaintext_length exceeding the EDHOC_KDF output size, see <xref target="large-plaintext_2"/>.</li> <li>CIPHERTEXT_2 = PLAINTEXT_2 XOR KEYSTREAM_2</li> </ul> </li> <li>Encode message_2 as a sequence ofCBOR encodedCBOR-encoded data items as specified in <xref target="asym-msg2-form"/>.</li> </ul> </section> <section anchor="initiator-processing-of-message-2"> <name>Initiator Processing of Message 2</name> <t>The InitiatorSHALL<bcp14>SHALL</bcp14> process message_2 in the following order:</t><ul<ol spacing="normal"> <li>Decode message_2 (see <xref target="CBOR"/>).</li> <li>Retrieve the protocol state using available message correlation (e.g., the CoAP Token, the 5-tuple, or the prependedC_I,C_I; see <xref target="ci-edhoc"/>).</li> <li>DecryptCIPHERTEXT_2,CIPHERTEXT_2; see <xref target="asym-msg2-proc"/>.</li> <li>If all processing is completed successfully, then make ID_CRED_R and (if present) EAD_2 available to the application forauthentication-authentication and EAD processing. When and how to perform authentication is up to the application.</li> <li>Obtain the authentication credential (CRED_R) and the authentication key of R from the application (or by other means).</li> <li>Verify Signature_or_MAC_2 using the algorithm in the selected cipher suite. The verification process depends on themethod,method; see <xref target="asym-msg2-proc"/>. Make the result of the verification available to the application.</li></ul></ol> <t>If any processing step fails, then the InitiatorMUST<bcp14>MUST</bcp14> send an EDHOC error message back as defined in <xref target="error"/>, and the EDHOC sessionMUST<bcp14>MUST</bcp14> be aborted.</t> </section> </section> <section anchor="m3"> <name>EDHOC Message 3</name> <section anchor="asym-msg3-form"> <name>Formatting of Message 3</name> <t>message_3SHALL<bcp14>SHALL</bcp14> be a CBOR Sequence (see <xreftarget="CBOR"/>)target="CBOR"/>), as definedbelow</t>below.</t> <sourcecodetype="CDDL"><![CDATA[type="cbor"><![CDATA[ message_3 = ( CIPHERTEXT_3 : bstr, ) ]]></sourcecode> </section> <section anchor="asym-msg3-proc"> <name>Initiator Composition of Message 3</name> <t>The InitiatorSHALL<bcp14>SHALL</bcp14> compose message_3 as follows:</t> <ul spacing="normal"> <li>Compute the transcript hash TH_3 = H(TH_2, PLAINTEXT_2,CRED_R)CRED_R), where H() is the EDHOC hash algorithm of the selected cipher suite. The input to the hash function is a CBOR Sequence. Note that TH_3 can be computed and cached already in the processing of message_2.</li> <li> <t>Compute MAC_3 as in <xref target="expand"/>, with context_3 = << ID_CRED_I, TH_3, CRED_I, ? EAD_3 >> </t> <ul spacing="normal"> <li>If the Initiator authenticates with a static Diffie-Hellman key (method equals 2 or 3), then mac_length_3 is the EDHOC MAC length of the selected cipher suite. If the Initiator authenticates with a signature key (method equals 0 or 1), then mac_length_3 is equal to hash_length.</li> <li>ID_CRED_I-is the identifier to facilitate the retrieval ofCRED_I,CRED_I; see <xreftarget="id_cred"/></li>target="id_cred"/>.</li> <li>CRED_I-is the CBOR item containing the authentication credential of theInitiator,Initiator; see <xreftarget="auth-cred"/></li>target="auth-cred"/>.</li> <li>EAD_3-is the external authorizationdata,data; see <xreftarget="AD"/></li>target="AD"/>.</li> </ul> </li> <li> <t>If the Initiator authenticates with a static Diffie-Hellman key (method equals 2 or 3), then Signature_or_MAC_3 is MAC_3. If the Initiator authenticates with a signature key (method equals 0 or 1), then Signature_or_MAC_3 is the 'signature' field of a COSE_Sign1 object, computed as specified inSection 4.4 of<xreftarget="RFC9052"/>target="RFC9052" section="4.4" sectionFormat="of"/> and using the signature algorithm of the selected cipher suite, the private authentication key of the Initiator, and the following parameters as input (see <xref target="COSE"/>): </t> <ul spacing="normal"> <li>protected = << ID_CRED_I >></li> <li>external_aad = << TH_3, CRED_I, ? EAD_3 >></li> <li>payload = MAC_3</li> </ul> </li> <li> <t>Compute a COSE_Encrypt0 object as defined in Sections5.2<xref target="RFC9052" section="5.2" sectionFormat="bare"/> and5.3<xref target="RFC9052" section="5.3" sectionFormat="bare"/> of <xref target="RFC9052"/>, with the EDHOC AEAD algorithm of the selected cipher suite, using the encryption key K_3, the initialization vector IV_3 (if used by the AEAD algorithm), the plaintext PLAINTEXT_3, and the following parameters as input (see <xref target="COSE"/>): </t> <ul spacing="normal"> <li>protected = h''</li> <li>external_aad = TH_3</li> <li>K_3 and IV_3 are defined in <xref target="expand"/></li> <li> <t>PLAINTEXT_3 = ( ID_CRED_I / bstr / -24..23, Signature_or_MAC_3, ? EAD_3 ) </t> <ul spacing="normal"> <li>If ID_CRED_I contains a single 'kid' parameter, i.e., ID_CRED_I = { 4 : kid_I }, then the compact encoding isapplied,applied; see <xref target="compact-kid"/>.</li> </ul> </li> </ul> <t> CIPHERTEXT_3 is the 'ciphertext' of COSE_Encrypt0.</t> </li> <li>Compute the transcript hash TH_4 = H(TH_3, PLAINTEXT_3,CRED_I)CRED_I), where H() is the EDHOC hash algorithm of the selected cipher suite. The input to the hash function is a CBOR Sequence.</li> <li>Calculate PRK_out as defined in <xref target="fig-edhoc-kdf"/>. The Initiator can now derive application keys using the EDHOC_Exporterinterface,interface; see <xref target="exporter"/>.</li> <li>Encode message_3 as a CBOR data item as specified in <xref target="asym-msg3-form"/>.</li> <li>Make the connection identifiers(C_I,(C_I and C_R) and the application algorithms in the selected cipher suite available to the application.</li> </ul> <t>After creating message_3, the Initiator can computePRK_out, seePRK_out (see <xreftarget="prkout"/>,target="prkout"/>) and derive application keys using the EDHOC_Exporterinterface, seeinterface (see <xreftarget="exporter"/>.target="exporter"/>). The InitiatorSHOULD NOT<bcp14>SHOULD NOT</bcp14> persistently store PRK_out or application keys until the Initiator has verified message_4 or a message protected with a derived application key, such as an OSCORE message, from the Responder and the application has authenticated the Responder. This is similar to waiting for an acknowledgment (ACK) in a transport protocol. The InitiatorSHOULD NOT<bcp14>SHOULD NOT</bcp14> send protected application data until the application has authenticated the Responder.</t> </section> <section anchor="responder-processing-of-message-3"> <name>Responder Processing of Message 3</name> <t>The ResponderSHALL<bcp14>SHALL</bcp14> process message_3 in the following order:</t><ul<ol spacing="normal"> <li>Decode message_3 (see <xref target="CBOR"/>).</li> <li>Retrieve the protocol state using available message correlation (e.g., the CoAP Token, the 5-tuple, or the prependedC_R,C_R; see <xref target="ci-edhoc"/>).</li> <li>Decrypt and verify the COSE_Encrypt0 as defined in Sections5.2<xref target="RFC9052" section="5.2" sectionFormat="bare"/> and5.3<xref target="RFC9052" section="5.3" sectionFormat="bare"/> of <xref target="RFC9052"/>, with the EDHOC AEAD algorithm in the selected ciphersuite,suite and the parameters defined in <xref target="asym-msg3-proc"/>.</li> <li>If all processing completed successfully, then make ID_CRED_I and (if present) EAD_3 available to the application forauthentication-authentication and EAD processing. When and how to perform authentication is up to the application.</li> <li>Obtain the authentication credential (CRED_I) and the authentication key of I from the application (or by other means).</li> <li>Verify Signature_or_MAC_3 using the algorithm in the selected cipher suite. The verification process depends on themethod,method; see <xref target="asym-msg3-proc"/>. Make the result of the verification available to the application.</li> <li>Make the connection identifiers(C_I,(C_I and C_R) and the application algorithms in the selected cipher suite available to the application.</li></ul></ol> <t>After processing message_3, the Responder can computePRK_out, seePRK_out (see <xreftarget="prkout"/>,target="prkout"/>) and derive application keys using the EDHOC_Exporterinterface, seeinterface (see <xreftarget="exporter"/>.target="exporter"/>). The ResponderSHOULD NOT<bcp14>SHOULD NOT</bcp14> persistently store PRK_out or application keys until the application has authenticated the Initiator. The ResponderSHOULD NOT<bcp14>SHOULD NOT</bcp14> send protected application data until the application has authenticated the Initiator.</t> <t>If any processing step fails, then the ResponderMUST<bcp14>MUST</bcp14> send an EDHOC error message back as defined in <xref target="error"/>, and the EDHOC sessionMUST<bcp14>MUST</bcp14> be aborted.</t> </section> </section> <section anchor="m4"> <name>EDHOC Message 4</name> <t>This section specifiesmessage_4message_4, which isOPTIONAL<bcp14>OPTIONAL</bcp14> to support. Key confirmation is normally provided by sending an application message from the Responder to the Initiator protected with a key derived with the EDHOC_Exporter, e.g., using OSCORE (see <xref target="transfer"/>). In deployments where no protected application message is sent from the Responder to the Initiator, message_4MUST<bcp14>MUST</bcp14> be supported andMUST<bcp14>MUST</bcp14> be used. Two examples of such deployments are:</t> <ol spacing="normal"type="1"><li>Whentype="1"><li>when EDHOC is only used for authentication and no application data issent.</li> <li>Whensent and</li> <li>when application data is only sent from the Initiator to the Responder.</li> </ol> <t>Further considerations about when to use message_4 are provided in Sections <xreftarget="applicability"/>target="applicability" format="counter"/> and <xreftarget="sec-prop"/>.</t>target="sec-prop" format="counter"/>.</t> <section anchor="asym-msg4-form"> <name>Formatting of Message 4</name> <t>message_4SHALL<bcp14>SHALL</bcp14> be a CBOR Sequence (see <xreftarget="CBOR"/>)target="CBOR"/>), as definedbelow</t>below.</t> <sourcecodetype="CDDL"><![CDATA[type="cbor"><![CDATA[ message_4 = ( CIPHERTEXT_4 : bstr, ) ]]></sourcecode> </section> <section anchor="asym-msg4-proc"> <name>Responder Composition of Message 4</name> <t>The ResponderSHALL<bcp14>SHALL</bcp14> compose message_4 as follows:</t> <ul spacing="normal"> <li> <t>Compute a COSE_Encrypt0 as defined in Sections5.2<xref target="RFC9052" section="5.2" sectionFormat="bare"/> and5.3<xref target="RFC9052" section="5.3" sectionFormat="bare"/> of <xref target="RFC9052"/>, with the EDHOC AEAD algorithm of the selected cipher suite, using the encryption key K_4, the initialization vector IV_4 (if used by the AEAD algorithm), the plaintext PLAINTEXT_4, and the following parameters as input (see <xref target="COSE"/>): </t> <ul spacing="normal"> <li>protected = h''</li> <li>external_aad = TH_4</li> <li>K_4 and IV_4 are defined in <xref target="expand"/></li> <li> <t>PLAINTEXT_4 = ( ? EAD_4 ) </t> <ul spacing="normal"> <li>EAD_4-is the external authorizationdata,data; see <xref target="AD"/>.</li> </ul> </li> </ul> <t> CIPHERTEXT_4 is the 'ciphertext' of COSE_Encrypt0.</t> </li> <li>Encode message_4 as a CBOR data item as specified in <xref target="asym-msg4-form"/>.</li> </ul> </section> <section anchor="initiator-processing-of-message-4"> <name>Initiator Processing of Message 4</name> <t>The InitiatorSHALL<bcp14>SHALL</bcp14> process message_4 as follows:</t> <ul spacing="normal"> <li>Decode message_4 (see <xref target="CBOR"/>).</li> <li>Retrieve the protocol state using available message correlation (e.g., the CoAP Token, the 5-tuple, or the prependedC_I,C_I; see <xref target="ci-edhoc"/>).</li> <li>Decrypt and verify the COSE_Encrypt0 as defined in Sections5.2<xref target="RFC9052" section="5.2" sectionFormat="bare"/> and5.3<xref target="RFC9052" section="5.3" sectionFormat="bare"/> of <xref target="RFC9052"/>, with the EDHOC AEAD algorithm in the selected ciphersuite,suite and the parameters defined in <xref target="asym-msg4-proc"/>.</li> <li>Make (if present) EAD_4 available to the application for EAD processing.</li> </ul> <t>If any processing step fails, then the InitiatorMUST<bcp14>MUST</bcp14> send an EDHOC error message back as defined in <xref target="error"/>, and the EDHOC sessionMUST<bcp14>MUST</bcp14> be aborted.</t> <t>After verifying message_4, the Initiator is assured that the Responder has calculated the key PRK_out (key confirmation) and that no other party can derive the key.</t> </section> </section> </section> <section anchor="error"> <name>Error Handling</name> <t>This section defines the format for errormessages,messages and the processing associated with the currently defined error codes. Additional error codes may beregistered,registered; see <xref target="error-code-reg"/>.</t> <t>Many kinds of errorsthatcan occur during EDHOC processing. As in CoAP, an error can be triggered by errors in the received message or internal errors in the receiving endpoint. Except for processing and formatting errors, it is up to the application when to send an error message. Sending error messages is essential for debugging butMAY<bcp14>MAY</bcp14> be skipped if, for example, an EDHOC session cannot be found or due to denial-of-servicereasons,reasons; see <xref target="dos"/>. Error messages in EDHOC are always fatal. After sending an error message, the senderMUST<bcp14>MUST</bcp14> abort the EDHOC session. The receiverSHOULD<bcp14>SHOULD</bcp14> treat an error message as an indication that the other party likely has aborted the EDHOC session. But since error messages might be forged, the receiverMAY<bcp14>MAY</bcp14> try to continue the EDHOC session.</t> <t>An EDHOC error message can be sent by either endpoint as a reply to any non-error EDHOC message. How errors at the EDHOC layer are transported depends on lower layers, which need to enable error messages to be sent and processed as intended.</t> <t>errorSHALL<bcp14>SHALL</bcp14> be a CBOR Sequence (see <xreftarget="CBOR"/>)target="CBOR"/>), as definedbelow</t>below.</t> <figure anchor="fig-error-message"> <name>EDHOCerror message.</name>Error Message</name> <sourcecodetype="CDDL"><![CDATA[type="cbor"><![CDATA[ error = ( ERR_CODE : int, ERR_INFO : any, ) ]]></sourcecode> </figure> <t>where:</t> <ul spacing="normal"> <li>ERR_CODE-is an error code encoded as an integer. The value 0 is reserved for success and can only be usedinternally,internally; all other values (negative or positive) indicate errors.</li> <li>ERR_INFO-is the error information. Content and encoding depend on the error code.</li> </ul> <t>The remainder of this section specifies the currently defined errorcodes,codes; see <xreftarget="fig-error-codes"/>.target="tab-error-codes"/>. Additional error codes and corresponding error information may be specified.</t><figure anchor="fig-error-codes"><table anchor="tab-error-codes"> <name>EDHOCerror codesError Codes anderror information.</name> <artset> <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="208" width="560" viewBox="0 0 560 208" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <path d="M 8,32 L 8,192" fill="none" stroke="black"/> <path d="M 96,32 L 96,192" fill="none" stroke="black"/> <path d="M 224,32 L 224,192" fill="none" stroke="black"/> <path d="M 552,32 L 552,192" fill="none" stroke="black"/> <path d="M 8,32 L 552,32" fill="none" stroke="black"/> <path d="M 8,62 L 552,62" fill="none" stroke="black"/> <path d="M 8,66 L 552,66" fill="none" stroke="black"/> <path d="M 8,96 L 552,96" fill="none" stroke="black"/> <path d="M 8,128 L 552,128" fill="none" stroke="black"/> <path d="M 8,160 L 552,160" fill="none" stroke="black"/> <path d="M 8,192 L 552,192" fill="none" stroke="black"/> <g class="text"> <text x="52" y="52">ERR_CODE</text> <text x="140" y="52">ERR_INFO</text> <text x="196" y="52">Type</text> <text x="280" y="52">Description</text> <text x="80" y="84">0</text> <text x="252" y="84">This</text> <text x="296" y="84">value</text> <text x="332" y="84">is</text> <text x="380" y="84">reserved</text> <text x="80" y="116">1</text> <text x="124" y="116">tstr</text> <text x="280" y="116">Unspecified</text> <text x="352" y="116">error</text> <text x="80" y="148">2</text> <text x="132" y="148">suites</text> <text x="256" y="148">Wrong</text> <text x="316" y="148">selected</text> <text x="380" y="148">cipher</text> <text x="432" y="148">suite</text> <text x="80" y="180">3</text> <text x="124" y="180">true</text> <text x="264" y="180">Unknown</text> <text x="340" y="180">credential</text> <text x="428" y="180">referenced</text> </g> </svg> </artwork> <artwork type="ascii-art"><![CDATA[ +----------+---------------+----------------------------------------+ | ERR_CODE | ERR_INFO Type | Description | +==========+===============+========================================+ | 0 | | This value is reserved | +----------+---------------+----------------------------------------+ | 1 | tstr | Unspecified error | +----------+---------------+----------------------------------------+ | 2 | suites | WrongError Information</name> <thead> <tr> <th>ERR_CODE</th> <th>ERR_INFO Type</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td align="right">0</td> <td></td> <td>Reserved for success</td> </tr> <tr> <td align="right">1</td> <td>tstr</td> <td>Unspecified error</td> </tr> <tr> <td align="right">2</td> <td>suites</td> <td>Wrong selected ciphersuite | +----------+---------------+----------------------------------------+ | 3 | true | Unknownsuite</td> </tr> <tr> <td align="right">3</td> <td>true</td> <td>Unknown credentialreferenced | +----------+---------------+----------------------------------------+ ]]></artwork> </artset> </figure>referenced</td> </tr> <tr> <td align="right">23</td> <td></td> <td>Reserved</td> </tr> </tbody> </table> <section anchor="success"> <name>Success</name> <t>Error code 0MAY<bcp14>MAY</bcp14> be used internally in an application to indicate success, i.e., as a standard value in case of no error, e.g., in status reporting or log files. Error code 0MUST NOT<bcp14>MUST NOT</bcp14> be used as part of the EDHOC message exchange. If an endpoint receives an error message with error code 0, then itMUST<bcp14>MUST</bcp14> abort the EDHOC session andMUST NOT<bcp14>MUST NOT</bcp14> send an error message.</t> </section> <section anchor="unspecified-error"> <name>Unspecified Error</name> <t>Error code 1 is used for errors that do not have a specific error code defined. ERR_INFOMUST<bcp14>MUST</bcp14> be a text string containing a human-readable diagnostic messagewhich SHOULDthat <bcp14>SHOULD</bcp14> be written in English, forexampleexample, "Method not supported". The diagnostic text message is mainly intended for software engineersthatwho during debugging need to interpret it in the context of the EDHOC specification. The diagnostic messageSHOULD<bcp14>SHOULD</bcp14> be provided to the calling application where itSHOULD<bcp14>SHOULD</bcp14> be logged.</t> </section> <section anchor="wrong-selected"> <name>Wrong Selected Cipher Suite</name> <t>Error code 2MUST<bcp14>MUST</bcp14> only be used when replying to message_1 in case the cipher suite selected by the Initiator is not supported by theResponder,Responder or if the Responder supports a cipher suite more preferred by the Initiator than the selected ciphersuite,suite; see <xref target="resp-proc-msg1"/>. In this case, ERR_INFO = SUITES_R and is of typesuites,suites; see <xref target="asym-msg1-form"/>. If the Responder does not support the selected cipher suite, then SUITES_RMUST<bcp14>MUST</bcp14> include one or more supported cipher suites. If the Responder supports a cipher suite in SUITES_I other than the selected cipher suite (independently of if the selected cipher suite is supported ornot)not), then SUITES_RMUST<bcp14>MUST</bcp14> include the supported cipher suite inSUITES_ISUITES_I, which is most preferred by the Initiator. SUITES_RMAY<bcp14>MAY</bcp14> include a single ciphersuite,suite; in whichcasecase, it is encoded as an int. If the Responder does not support any cipher suite in SUITES_I, then itSHOULD<bcp14>SHOULD</bcp14> include all its supported cipher suites in SUITES_R.</t> <t>In contrast to SUITES_I, the order of the cipher suites in SUITES_R has no significance.</t> <section anchor="cipher-suite-negotiation"> <name>Cipher Suite Negotiation</name> <t>After receiving SUITES_R, the Initiator can determine which cipher suite to select (if any) for the next EDHOC run with the Responder.</t><t>If the<t>The Initiatorintendsneeds tocontact the Responder in the future, the Initiator SHOULDremember which selected cipher suite to use until the next message_1 has beensent, otherwisesent; otherwise, the Initiator and Responder willlikelyrun into an infinite loop where the Initiator selects its most preferred cipher suite and the Responder sends an error with supported cipher suites. After a completed EDHOC session, the InitiatorMAY<bcp14>MAY</bcp14> remember the selected cipher suite to use in future EDHOC sessions. Note that if the Initiator or Responder is updated with new cipher suite policies, any cached information may be outdated.</t> <t>Note that the Initiator's list of supported cipher suites and order of preference is fixed (see Sections <xreftarget="asym-msg1-form"/>target="asym-msg1-form" format="counter"/> and <xreftarget="init-proc-msg1"/>).target="init-proc-msg1" format="counter"/>). Furthermore, the ResponderSHALL<bcp14>SHALL</bcp14> only accept message_1 if the selected cipher suite is the first cipher suite in SUITES_I that the Responder also supports (see <xref target="resp-proc-msg1"/>). Following this procedure ensures that the selected cipher suite is the most preferred (by the Initiator) cipher suite supported by both parties. For examples, see <xref target="ex-neg"/>.</t> <t>If the selected cipher suite is not the first cipher suitewhichthat the Responder supports in SUITES_I received in message_1, then the ResponderMUST<bcp14>MUST</bcp14> abort the EDHOCsession,session; see <xref target="resp-proc-msg1"/>. If SUITES_I in message_1 is manipulated, then the integrity verification of message_2 containing the transcript hash TH_2 will fail and the Initiator will abort the EDHOC session.</t> </section> <section anchor="ex-neg"> <name>Examples</name> <t>Assume that the Initiator supports the five ciphersuitessuites, 5, 6, 7, 8, and99, in decreasing order of preference. Figures <xref target="fig-error1" format="counter"/> and <xref target="fig-error2" format="counter"/> show two examples of how the Initiator can format SUITES_I and how SUITES_R is used by Responders to give the Initiator information about the cipher suites that the Responder supports.</t> <t>In Example 1 (<xref target="fig-error1"/>), the Responder supports cipher suite 6 but not the initially selected cipher suite 5. The Responder rejects the first message_1 with an error indicating support for suite 6 in SUITES_R. The Initiator also supports suite6,6 and therefore selects suite 6 in the second message_1. The Initiator prepends in SUITES_I the selected suite 6 with the more preferred suites, in this case suite 5, to mitigate a potential attack on the cipher suite negotiation.</t> <figure anchor="fig-error1"> <name>Ciphersuite negotiation example 1.</name>Suite Negotiation Example 1</name> <artset> <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1"height="224" width="560"height="" width="" viewBox="0 0 560 224" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <path d="M 8,48 L 8,208" fill="none" stroke="black"/> <path d="M 552,48 L 552,208" fill="none" stroke="black"/> <path d="M 8,64 L 544,64" fill="none" stroke="black"/> <path d="M 16,128 L 552,128" fill="none" stroke="black"/> <path d="M 8,192 L 544,192" fill="none" stroke="black"/> <polygon class="arrowhead" points="552,192 540,186.4 540,197.6" fill="black" transform="rotate(0,544,192)"/> <polygon class="arrowhead" points="552,64 540,58.4 540,69.6" fill="black" transform="rotate(0,544,64)"/> <polygon class="arrowhead" points="24,128 12,122.4 12,133.6" fill="black" transform="rotate(180,16,128)"/> <g class="text"> <text x="40" y="36">Initiator</text> <text x="520" y="36">Responder</text> <text x="152" y="52">METHOD,</text> <text x="220" y="52">SUITES_I</text> <text x="264" y="52">=</text> <text x="284" y="52">5,</text> <text x="316" y="52">G_X,</text> <text x="356" y="52">C_I,</text> <text x="400" y="52">EAD_1</text> <text x="280" y="84">message_1</text> <text x="196" y="116">ERR_CODE</text> <text x="240" y="116">=</text> <text x="260" y="116">2,</text> <text x="308" y="116">SUITES_R</text> <text x="352" y="116">=</text> <text x="368" y="116">6</text> <text x="280" y="148">error</text> <text x="144" y="180">METHOD,</text> <text x="212" y="180">SUITES_I</text> <text x="256" y="180">=</text> <text x="280" y="180">[5,</text> <text x="312" y="180">6],</text> <text x="348" y="180">G_X,</text> <text x="388" y="180">C_I,</text> <text x="432" y="180">EAD_1</text> <text x="280" y="212">message_1</text> </g> </svg> </artwork> <artwork type="ascii-art" align="center"><![CDATA[ Initiator Responder | METHOD, SUITES_I = 5, G_X, C_I, EAD_1 | +------------------------------------------------------------------>| | message_1 | | | | ERR_CODE = 2, SUITES_R = 6 | |<------------------------------------------------------------------+ | error | | | | METHOD, SUITES_I = [5, 6], G_X, C_I, EAD_1 | +------------------------------------------------------------------>| | message_1 | ]]></artwork> </artset> </figure> <t>In Example 2 (<xref target="fig-error2"/>), the Responder supports cipher suites 8 and 9 but not the more preferred (by the Initiator) cipher suites 5, 6 or 7. To illustrate the negotiationmechanicsmechanics, we let the Initiator first make a guess that the Responder supports suite 6 but not suite 5. Since the Responder supports neither 5 nor 6, it rejects the first message_1 with an error indicating support for suites 8 and 9 in SUITES_R (in any order). The Initiator also supports suites 8 and 9, and prefers suite 8, so it selects suite 8 in the second message_1. The Initiator prepends in SUITES_I the selected suite 8 with the more preferred suites in order of preference, in thiscasecase, suites 5, 6 and 7, to mitigate a potential attack on the cipher suite negotiation.</t><t>Note 1. If<ol type="Note %d."> <li>If the Responder had supported suite 5, then the first message_1 would not have been accepted either, since the Responder observes that suite 5 is more preferred by the Initiator than the selected suite 6. In thatcasecase, the Responder would have included suite 5 in SUITES_R of the response, and it would then have become the selected and only suite in the secondmessage_1.</t> <t>Note 2. Formessage_1.</li> <li>For eachmessage_1message_1, the InitiatorMUST<bcp14>MUST</bcp14> generate a new ephemeral ECDH key pair matching the selected ciphersuite.</t>suite.</li> </ol> <figure anchor="fig-error2"> <name>Ciphersuite negotiation example 2.</name>Suite Negotiation Example 2</name> <artset> <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1"height="224" width="560"height="" width="" viewBox="0 0 560 224" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <path d="M 8,48 L 8,208" fill="none" stroke="black"/> <path d="M 552,48 L 552,208" fill="none" stroke="black"/> <path d="M 8,64 L 544,64" fill="none" stroke="black"/> <path d="M 16,128 L 552,128" fill="none" stroke="black"/> <path d="M 8,192 L 544,192" fill="none" stroke="black"/> <polygon class="arrowhead" points="552,192 540,186.4 540,197.6" fill="black" transform="rotate(0,544,192)"/> <polygon class="arrowhead" points="552,64 540,58.4 540,69.6" fill="black" transform="rotate(0,544,64)"/> <polygon class="arrowhead" points="24,128 12,122.4 12,133.6" fill="black" transform="rotate(180,16,128)"/> <g class="text"> <text x="40" y="36">Initiator</text> <text x="520" y="36">Responder</text> <text x="136" y="52">METHOD,</text> <text x="204" y="52">SUITES_I</text> <text x="248" y="52">=</text> <text x="272" y="52">[5,</text> <text x="304" y="52">6],</text> <text x="340" y="52">G_X,</text> <text x="380" y="52">C_I,</text> <text x="424" y="52">EAD_1</text> <text x="280" y="84">message_1</text> <text x="188" y="116">ERR_CODE</text> <text x="232" y="116">=</text> <text x="252" y="116">2,</text> <text x="300" y="116">SUITES_R</text> <text x="344" y="116">=</text> <text x="368" y="116">[9,</text> <text x="396" y="116">8]</text> <text x="280" y="148">error</text> <text x="128" y="180">METHOD,</text> <text x="196" y="180">SUITES_I</text> <text x="240" y="180">=</text> <text x="264" y="180">[5,</text> <text x="292" y="180">6,</text> <text x="316" y="180">7,</text> <text x="344" y="180">8],</text> <text x="380" y="180">G_X,</text> <text x="420" y="180">C_I,</text> <text x="464" y="180">EAD_1</text> <text x="280" y="212">message_1</text> </g> </svg> </artwork> <artwork type="ascii-art" align="center"><![CDATA[ Initiator Responder | METHOD, SUITES_I = [5, 6], G_X, C_I, EAD_1 | +------------------------------------------------------------------>| | message_1 | | | | ERR_CODE = 2, SUITES_R = [9, 8] | |<------------------------------------------------------------------+ | error | | | | METHOD, SUITES_I = [5, 6, 7, 8], G_X, C_I, EAD_1 | +------------------------------------------------------------------>| | message_1 | ]]></artwork> </artset> </figure> </section> </section> <section anchor="unknown-credential-referenced"> <name>Unknown Credential Referenced</name> <t>Error code 3 is used for errors due to a received credential identifier (ID_CRED_R in message_2 or ID_CRED_I message_3) containing a reference to a credentialwhichthat the receiving endpoint does not have access to. The intent with this error code is that the endpoint who sent the credential identifiershouldshould, for the next EDHOCsessionsession, try another credential identifier supported according to the application profile.</t> <t>For example, an application profile could list x5t and x5chain as supported credentialidentifiers,identifiers and state that x5t should be used if it can be assumed that the X.509 certificate is available at the receiving side. This error code thus enables the certificate chain to be sent only when needed, bearing in mind that error messages are not protected so an adversary can try to causeunnecessaryunnecessary, large credential identifiers.</t> <t>For the error code 3, the error informationSHALL<bcp14>SHALL</bcp14> be the CBOR simple value <tt>true</tt> (0xf5). Error code 3MUST NOT<bcp14>MUST NOT</bcp14> be used when the received credential identifier type is not supported.</t> </section> </section> <section anchor="duplication"> <name>EDHOC Message Deduplication</name><t>EDHOC by default<t>By default, EDHOC assumes that message duplication is handled by thetransport,transport (which is exemplified by CoAP in thissection exemplified with CoAP,section); see <xref target="coap"/>.</t> <t>Deduplication of CoAP messages is described inSection 4.5 of<xreftarget="RFC7252"/>.target="RFC7252" section="4.5" sectionFormat="of"/>. This handles the case when the same Confirmable (CON) message is received multiple times due to missing acknowledgment on the CoAP messaging layer. The recommended processing in <xref target="RFC7252"/> is that the duplicate message isacknowledged (ACK),acknowledged, but the received message is only processed once by the CoAP stack.</t> <t>Message deduplication is resource demanding and therefore not supported in all CoAP implementations. Since EDHOC is targeting constrained environments, it is desirable that EDHOC can optionally support transport layerswhichthat do not handle message duplication. Special care is needed to avoid issues with duplicatemessages,messages; see <xref target="proc-outline"/>.</t> <t>The guiding principle here is similar to the deduplication processing on the CoAP messaginglayer:layer, i.e., a received duplicate EDHOC messageSHALL NOT<bcp14>SHALL NOT</bcp14> result in another instance of the next EDHOC message. The resultMAY<bcp14>MAY</bcp14> be that a duplicate next EDHOC message is sent, provided it is still relevant with respect to the current protocol state. In any case, the received messageMUST NOT<bcp14>MUST NOT</bcp14> be processed more than once in the same EDHOC session. This is called "EDHOC message deduplication".</t> <t>An EDHOC implementationMAY<bcp14>MAY</bcp14> store the previously sent EDHOC message to be able to resend it.</t> <t>In principle, if the EDHOC implementation would deterministically regenerate the identical EDHOC message previously sent, it would be possible to instead store the protocol state to be able to recreate and resend the previously sent EDHOC message. However, even if the protocol state is fixed, the message generation may introduce differenceswhichthat compromise security. For example, in the generation of message_3, if I is performing a (non-deterministic) ECDSA signature (say, method 0 or1,1 and cipher suite 2 or3)3), then PLAINTEXT_3 is randomized, but K_3 and IV_3 are the same, leading to a key and nonce reuse.</t> <t>The EDHOC implementationMUST NOT<bcp14>MUST NOT</bcp14> store the previous protocol state and regenerate an EDHOC message if there is a risk that the same key and IV are used for two (or more) distinct messages.</t> <t>The previous message or protocol stateMUST NOT<bcp14>MUST NOT</bcp14> be kept longer than what is required for retransmission, for example, in the case of CoAP transport, no longer than the EXCHANGE_LIFETIME (seeSection 4.8.2 of<xreftarget="RFC7252"/>).</t>target="RFC7252" section="4.8.2" sectionFormat="of"/>).</t> </section> <section anchor="mti"> <name>Compliance Requirements</name> <t>In the absence of an application profile specifying otherwise:</t><t>An<ul spacing="normal"> <li>An implementationMAY<bcp14>MAY</bcp14> support only an Initiator or onlyResponder.</t> <t>Ana Responder.</li> <li>An implementationMAY<bcp14>MAY</bcp14> support only a single method. None of the methods aremandatory-to-implement.</t> <t>Implementations MUSTmandatory to implement.</li> <li>Implementations <bcp14>MUST</bcp14> support 'kid' parameters. None of the other COSE header parameters aremandatory-to-implement.</t> <t>Anmandatory to implement.</li> <li>An implementationMAY<bcp14>MAY</bcp14> support only a single credential type (CCS, CWT, X.509, or C509). None of the credential types aremandatory-to-implement.</t> <t>Implementations MUSTmandatory to implement.</li> <li>Implementations <bcp14>MUST</bcp14> support theEDHOC_Exporter.</t> <t>Implementations MAYEDHOC_Exporter.</li> <li>Implementations <bcp14>MAY</bcp14> support message_4. Error codes (ERR_CODE) 1 and 2MUST<bcp14>MUST</bcp14> besupported.</t> <t>Implementations MUSTsupported.</li> <li>Implementations <bcp14>MUST</bcp14> supportEAD.</t> <t>Implementations MUSTEAD.</li> <li>Implementations <bcp14>MUST</bcp14> support ciphersuitesuites 2 and 3. Cipher suites 2 (AES-CCM-16-64-128, SHA-256, 8, P-256, ES256, AES-CCM-16-64-128, SHA-256) and 3 (AES-CCM-16-128-128, SHA-256, 16, P-256, ES256, AES-CCM-16-64-128, SHA-256) only differ in the size of the MAC length, so supporting one or both of these is not significantly different. Implementations only need to implement the algorithms needed for their supportedmethods.</t>methods.</li> </ul> </section> <section anchor="security"> <name>Security Considerations</name> <section anchor="sec-prop"> <name>Security Properties</name> <t>EDHOC has similar security properties as can be expected from the theoretical SIGMA-I protocol <xref target="SIGMA"/> and the Noise XX pattern <xref target="Noise"/>, which are similar to methods 0 and 3, respectively. Proven security properties are detailed in the security analysis publications referenced at the end of this section.</t> <t>Using the terminology from <xref target="SIGMA"/>, EDHOC provides forward secrecy, mutual authentication with aliveness, consistency, and peer awareness. As described in <xref target="SIGMA"/>, message_3 provides peer awareness to theResponderResponder, while message_4 provides peer awareness to the Initiator. By including the authentication credentials in the transcript hash, EDHOC protects against an identity misbinding attack like the Duplicate Signature Key Selection(DSKS)-like identity mis-binding attack(DSKS) that the MAC-then-Sign variant of SIGMA-I is otherwise vulnerable to.</t> <t>As described in <xref target="SIGMA"/>, different levels of identity protection are provided to the Initiator andtheResponder. EDHOC provides identity protection of the Initiator against active attacks and identity protection of the Responder against passive attacks. An active attacker can get the credential identifier of the Responder by eavesdropping on the destination address used for transporting message_1 and then sending its own message_1 to the same address. The roles should be assigned to protect the most sensitive identity/identifier, typically that which is not possible to infer from routing information in the lower layers.</t> <t>EDHOC messages might change in transit due to a noisy channel or through modification by an attacker. Changes in message_1 and message_2 (except Signature_or_MAC_2 when the signature scheme is not strongly unforgeable) are detected when verifying Signature_or_MAC_2. Changes to not strongly unforgeableSignature_or_MAC_2,Signature_or_MAC_2 and message_3 are detected when verifying CIPHERTEXT_3. Changes to message_4 are detected when verifying CIPHERTEXT_4.</t> <t>Compared to <xref target="SIGMA"/>, EDHOC adds an explicit method type and expands the message authentication coverage to additional elements such as algorithms, external authorization data, and previous plaintext messages. This protects against an attacker replaying messages or injecting messages from another EDHOC session.</t> <t>EDHOC also adds a selection of connection identifiers anddowngradedowngrades protected negotiation of cryptographic parameters, i.e., an attacker cannot affect the negotiated parameters. A single session of EDHOC does not include negotiation of cipher suites, but it enables the Responder to verify that the selected cipher suite is the most preferred cipher suite by the Initiatorwhichthat is supported by both the Initiator andthe Responder,Responder and to abort the EDHOC session if not.</t> <t>As required by <xref target="RFC7258"/>, IETF protocols need to mitigate pervasive monitoring when possible. Therefore, EDHOCthereforeonly supports methods with ephemeral Diffie-Hellman and provides a key update function (see <xref target="keyupdate"/>) for lightweight application protocol rekeying. Either of these provides forward secrecy, in the sense that compromise of the private authentication keys does not compromise past session keys(PRK_out),(PRK_out) and compromise of a session key does not compromise past session keys. Frequently re-running EDHOC with ephemeral Diffie-Hellman forces attackers to perform dynamic key exfiltration where the attacker must have continuous interactions with the collaborator, which is a significant sustained attack.</t> <t>To limit the effect of breaches, it is important to limit the use of symmetric group keys for bootstrapping. Therefore, EDHOCthereforestrives to make the additional cost of using raw public keys and self-signed certificates as small as possible. Raw public keys and self-signed certificates are not a replacement for a public key infrastructure butSHOULD<bcp14>SHOULD</bcp14> be used instead of symmetric group keys for bootstrapping.</t> <t>Compromise of the long-term keys (private signature or static DH keys) does not compromise the security of completed EDHOC sessions. Compromising the private authentication keys of one party lets an active attacker impersonate that compromised party in EDHOC sessions with other parties but does not let the attacker impersonate other parties in EDHOC sessions with the compromised party. Compromise of the long-term keys does not enable a passive attacker to compromise future session keys (PRK_out). Compromise of theHDKFHKDF input parameters (ECDH shared secret) leads to compromise of all session keys derived from that compromised shared secret. Compromise of one session key does not compromise other session keys. Compromise of PRK_out leads to compromise of all keying material derived with the EDHOC_Exporter.</t> <t>Based on the cryptographicalgorithmsalgorithm requirements<xref target="sec_algs"/>,(<xref target="sec_algs"/>), EDHOC provides a minimum of 64-bit security against online brute force attacks and a minimum of 128-bit security against offline brute force attacks. To break 64-bit security against online bruteforceforce, an attacker would on average have to send 4.3 billion messages per second for 68 years, which is infeasible in constrained IoT radio technologies. A forgery against a 64-bit MAC in EDHOC breaks the security of all future application data, while a forgery against a 64-bit MAC in the subsequent application protocol (e.g., OSCORE <xref target="RFC8613"/>) typically only breaks the security of the data in the forged packet.</t> <t>As the EDHOC session is aborted when verification fails, the security against online attacks is given by the sum of the strength of the verified signatures and MACs (including MAC in AEAD). As an example, if EDHOC is used with method 3, cipher suite 2, and message_4, the Responder is authenticated with 128-bit security against online attacks (the sum of the 64-bit MACs in message_2 and message_4). The same principle applies for MACs in an application protocol keyed by EDHOC as long as EDHOC isrerunre-run when verification of the first MACs in the application protocol fails. As an example, if EDHOC with method 3 and cipher suite 2 is used as in Figure 2 of <xref target="I-D.ietf-core-oscore-edhoc"/>, 128-bit mutual authentication against online attacks can be achieved after completion of the first OSCORE request and response.</t> <t>After sending message_3, the Initiator is assured that no other party than the Responder can compute the key PRK_out. While the Initiator can securely send protected application data, the InitiatorSHOULD NOT<bcp14>SHOULD NOT</bcp14> persistently store the keying material PRK_out until the Initiator has verified message_4 or a message protected with a derived application key, such as an OSCORE message, from the Responder. After verifying message_3, the Responder is assured that an honest Initiator has computed the key PRK_out. The Responder can securely derive and store the keying materialPRK_out,PRK_out and send protected application data.</t> <t>External authorization data sent in message_1 (EAD_1) or message_2 (EAD_2) should be considered unprotected byEDHOC,EDHOC; see <xref target="unprot-data"/>. EAD_2 isencryptedencrypted, but the Responder has not yet authenticated the Initiator and the encryption does not provide confidentiality against active attacks.</t> <t>External authorization data sent in message_3 (EAD_3) or message_4 (EAD_4) is protected between the Initiator and Responder by the protocol, but note that EAD fields may be used by the application before the message verification iscompleted,completed; see <xref target="AD"/>. Designing a secure mechanism that uses EAD is not necessarily straightforward. This document only provides the EAD transport mechanism, but the problem of agreeing on the surrounding context and the meaning of the information passed to and from the application remains. Any new uses of EAD should be subject to careful review.</t><t>Key compromise impersonation (KCI): In<dl newline="false" spacing="normal"> <dt>Key Compromise Impersonation (KCI):</dt> <dd>In EDHOC authenticated with signature keys, EDHOC provides KCI protection against an attacker having access to the long-term key or the ephemeral secret key. With static Diffie-Hellman key authentication, KCI protection would be provided against an attacker having access to the long-term Diffie-Hellmankey,key but not to an attacker having access to the ephemeral secret key. Note that the term KCI has typically been used for compromise of long-termkeys,keys and that an attacker with access to the ephemeral secret key can only attack that specific EDHOCsession.</t> <t>Repudiation: Ifsession.</dd> <dt>Repudiation:</dt> <dd>If an endpoint authenticates with a signature, the other endpoint can prove that the endpoint performed a run of the protocol by presenting the data being signed as well as the signature itself. With static Diffie-Hellman key authentication, the authenticating endpoint can deny having participated in theprotocol.</t>protocol.</dd> </dl> <t>Earlier versions of EDHOC have been formally analyzed <xref target="Bruni18"/> <xref target="Norrman20"/> <xref target="CottierPointcheval22"/> <xref target="Jacomme23"/> <xreftarget="GuentherIlunga22"/>target="GuentherIlunga22"/>, and the specification has been updated based on the analysis.</t> </section> <section anchor="crypto"> <name>Cryptographic Considerations</name> <t>The SIGMA protocol requires that the encryption of message_3 provides confidentiality against active attackers and EDHOC message_4 relies on the use of authenticated encryption. Hence, the message authenticating functionality of the authenticated encryption in EDHOC iscritical:critical, i.e., authenticated encryptionMUST NOT<bcp14>MUST NOT</bcp14> be replaced by plain encryption only, even if authentication is provided at another level or through a different mechanism.</t> <t>To reduce messageoverheadoverhead, EDHOC does not use explicit nonces and instead relies on the ephemeral public keys to provide randomness to each EDHOC session. A good amount of randomness is important for the keygeneration,generation to provideliveness,liveness and to protect against interleaving attacks. For this reason, the ephemeral keysMUST NOT<bcp14>MUST NOT</bcp14> be used in more than one EDHOC message, and both partiesSHALL<bcp14>SHALL</bcp14> generatefreshfresh, random ephemeral key pairs. Note that an ephemeral key may be used to calculate several ECDH shared secrets. When static Diffie-Hellman authentication isusedused, the same ephemeral key is used in both ephemeral-ephemeral and ephemeral-static ECDH.</t> <t>As discussed in <xref target="SIGMA"/>, the encryption of message_2doesonlyneedneeds to protect against a passive attackerassince active attackers can always get the Responder's identity by sending their own message_1. EDHOC uses the EDHOC_Expand function (typically HKDF-Expand) as a binary additive stream cipherwhichthat is proven secure as long as the expand function is aPRF.Pseudorandom Function (PRF). HKDF-Expand is not often used as a stream cipher as it is slow on long messages, and most applications require both confidentiality with indistinguishability under adaptive chosen ciphertext(IND-CCA)attack (IND-CCA2) as well as integrity protection. For the encryption of message_2, any speed difference is negligible,IND-CCAIND-CCA2 does not increase security, and integrity is provided by the inner MAC (and signature depending on method).</t> <t>Requirements for how to securely generate, validate, and process theephemeralpublic keys depend on the elliptic curve. For X25519 and X448, the requirements are defined in <xref target="RFC7748"/>. For X25519 and X448, the check for all-zero output as specified in <xref target="RFC7748" sectionFormat="of" section="6"/> <bcp14>MUST</bcp14> be done. For secp256r1, secp384r1, and secp521r1, the requirements are defined in Section 5 of <xref target="SP-800-56A"/>. For secp256r1, secp384r1, and secp521r1, at least partialpublic-keypublic key validationMUST<bcp14>MUST</bcp14> be done.</t> <t>The same authentication credentialMAY<bcp14>MAY</bcp14> be used for both the Initiator and Responder roles. As noted inSection 12 of<xreftarget="RFC9052"/>target="RFC9052" section="12" sectionFormat="of"/>, the use of a single key for multiple algorithms is strongly discouraged unless proven secure by a dedicated cryptographic analysis. Inparticularparticular, this recommendation applies to using the same private key for static Diffie-Hellman authentication and digital signature authentication. A preliminary conjecture is that a minor change to EDHOC may be sufficient to fit the analysis of a secure shared signature and ECDH key usage in <xref target="Degabriele11"/> and <xreftarget="Thormarker21"/>.</t>target="Thormarker21"/>. Note that Section 5.6.3.2 of <xref target="SP-800-56A"/> allows a key agreement key pair to be used with a signature algorithm in certificate requests.</t> <t>The property that a completed EDHOC session implies that another identity has been active is upheld as long as the Initiator does not have its own identity in the set of Responder identities it is allowed to communicate with. InTrust on first usetrust-on-first-use (TOFU) usecases, seecases (see <xreftarget="tofu"/>,target="tofu"/>), the Initiator should verify that the Responder's identity is not equal to its own. Any future EDHOC methodsusingusing, e.g.,pre-shared keysPSKs might need to mitigate this in other ways. However, an active attacker can gain information about the set of identities an Initiator is willing to communicate with. If the Initiator is willing to communicate with all identities except itsownown, an attacker can determine that a guessed Initiator identity is correct. To not leak any long-term identifiers, using a freshly generated authentication key as an identity in each initial TOFU session isRECOMMENDED.</t><bcp14>RECOMMENDED</bcp14>.</t> <t>NIST SP 800-56A <xref target="SP-800-56A"/> forbids deriving secret and non-secret randomness from the sameKDFKey Derivation Function (KDF) instance, but this decision has been criticized by Krawczyk in <xref target="HKDFpaper"/> and doing so is common practice. In addition to IVs, other examples are the challenge inEAP-TTLS,Extensible Authentication Protocol Tunneled Transport Layer Security (EAP-TTLS), the RAND in 3GPPAKAs,Authentication and Key Agreement (AKA), and the Session-Id in EAP-TLS 1.3. Note that part of KEYSTREAM_2 is also non-secretrandomnessrandomness, as it is known or predictable to an attacker. The more recent NIST SP 800-108 <xref target="SP-800-108"/> aligns with <xref target="HKDFpaper"/> and statesthatthat, for a secure KDF, the revelation of one portion of the derived keying material must not degrade the security of any other portion of that keying material.</t> </section> <section anchor="sec_algs"> <name>Cipher Suites and Cryptographic Algorithms</name> <t>When using a private cipher suite or registering new cipher suites, the choice of the key length used in the different algorithms needs to beharmonized,harmonized so that a sufficient security level is maintained for authentication credentials, the EDHOC session, and the protection of application data. The Initiator andtheResponder should enforce a minimum security level.</t> <t>The output size of the EDHOC hash algorithmMUST<bcp14>MUST</bcp14> be at least256-bits,256 bits, i.e., the hash algorithms SHA-1 and SHA-256/64 (SHA-256 truncated to64-bits) SHALL NOT64 bits) <bcp14>SHALL NOT</bcp14> be supported for use in EDHOC except for certificate identification with x5t and c5t. For security considerations of SHA-1, see <xref target="RFC6194"/>. As EDHOC integrity protects all thewholeauthentication credentials, the choice of hash algorithm in x5t and c5t does not affectsecurity,security and using the same hash algorithm as in the cipher suite, but with as much truncation as possible, isRECOMMENDED.<bcp14>RECOMMENDED</bcp14>. That is, when the EDHOC hash algorithm is SHA-256, using SHA-256/64 in x5t and c5t isRECOMMENDED.<bcp14>RECOMMENDED</bcp14>. The EDHOC MAC lengthMUST<bcp14>MUST</bcp14> be at least 8 bytes and the tag length of the EDHOC AEAD algorithmMUST<bcp14>MUST</bcp14> be at least64-bits.64 bits. Note that secp256k1 is only defined for use with ECDSA and not for ECDH. Note that some COSE algorithms are marked as not recommended in the COSE IANA registry.</t> </section> <section anchor="pqc"> <name>Post-Quantum Considerations</name> <t>As of the publication of this specification, it is unclear when or even if a quantum computer of sufficient size and power to exploit public key cryptography will exist. Deployments that need to consider risks decades into the future should transition to Post-Quantum Cryptography (PQC) in the not-too-distant future. Many other systems should take a slower wait-and-see approach where PQC is phased in when the quantum threat is more imminent. Current PQC algorithms have limitations compared to Elliptic Curve Cryptography(ECC)(ECC), and the data sizes would be problematic in many constrained IoT systems.</t> <t>Symmetric algorithms used inEDHOCEDHOC, such as SHA-256 andAES-CCM-16-64-128AES-CCM-16-64-128, are practically secure against even large quantum computers. Two of NIST's security levels for quantum-resistantpublic-keypublic key cryptography are based on AES-128 and SHA-256.QuantumA quantum computer will likely beexpensive,expensive and slow due to heavy errorcorrection, and Grover’scorrection. Grover's algorithm, which is proven to be optimal, cannot effectively be parallelized.Grover’s algorithmIt will provide little or no advantage in attacking AES, and AES-128 will remain secure for decades to come <xref target="NISTPQC"/>.</t> <t>EDHOC supports all signature algorithms defined by COSE, including PQC signature algorithms such as HSS-LMS. EDHOC is currently only specified for use with key exchange algorithms of type ECDH curves, but any Key Encapsulation Method (KEM), including PQC KEMs, can be used in method 0. While the key exchange in method 0 is specified with the terms of the Diffie-Hellman protocol, the key exchange adheres to a KEM interface: G_X is then the public key of the Initiator, G_Y is the encapsulation, and G_XY is the shared secret. Use of PQC KEMs to replace static DH authentication would likely require a specification updating EDHOC with new methods.</t> </section> <section anchor="unprot-data"> <name>Unprotected Data and Privacy</name> <t>The Initiator andtheResponder must make sure that unprotected data and metadata do not reveal any sensitive information. This also applies for encrypted data sent to an unauthenticated party. In particular, it applies to EAD_1, ID_CRED_R, EAD_2, and error messages. Using the same EAD_1 in several EDHOC sessions allows passive eavesdroppers to correlate the different sessions. Note that even if ead_value is encrypted outside of EDHOC, the ead_labels in EAD_1 is revealed to passive attackers and the ead_labels in EAD_2 is revealed to active attackers. Another consideration is that the list of supported cipher suites may potentially be used to identify the application. The Initiator andtheResponder must also make sure that unauthenticated data does not trigger any harmful actions. In particular, this applies to EAD_1 and error messages.</t> <t>An attacker observing network traffic may use connection identifiers sent in clear in EDHOC or the subsequent application protocol to correlate packets sent on different paths or at different times. The attacker may use this information for traffic flow analysis or to track an endpoint. Application protocols using connection identifiers from EDHOCSHOULD<bcp14>SHOULD</bcp14> provide mechanisms to update the connection identifiers andMAY<bcp14>MAY</bcp14> provide mechanisms to issue several simultaneously active connection identifiers. See <xref target="RFC9000"/> for a non-constrained example of such mechanisms. Connection identifierscancan, e.g., be chosen randomly among the set of unused 1-byte connection identifiers. Connection identity privacy mechanisms are only useful when there are not fixedidentifiersidentifiers, such as IP address or MAC address in the lower layers.</t> </section> <section anchor="internet-threat"> <name>Updated Internet Threat Model Considerations</name> <t>Since the publication of <xreftarget="RFC3552"/>target="RFC3552"/>, there has been an increased awareness of the need to protect against endpoints that arecompromised, malicious,compromised or malicious or whose interests simply do not align with the interests of users <xref target="I-D.arkko-arch-internet-threat-model-guidance"/>. <xref target="RFC7624"/> describes an updated threat model for Internetconfidentiality,confidentiality; see <xref target="sec-prop"/>. <xref target="I-D.arkko-arch-internet-threat-model-guidance"/> further expands the threat model. Implementations and users should take these threat models into account and consider actions to reduce the risk of tracking by other endpoints. In particular, even data sent protected to the otherendpointendpoint, such as ID_CRED fields and EADfieldsfields, can be used fortracking,tracking; seeSection 2.7 of<xreftarget="I-D.arkko-arch-internet-threat-model-guidance"/>.</t>target="I-D.arkko-arch-internet-threat-model-guidance" section="2.7" sectionFormat="of"/>.</t> <t>The fields ID_CRED_I, ID_CRED_R, EAD_2, EAD_3, and EAD_4 have variable length, and information regarding the length may leak to an attacker. A passive attacker may, e.g., be able to differentiate endpoints using identifiers of different length. To mitigate this informationleakageleakage, an implementation may ensure that the fields have a fixed length or use padding. An implementation may, e.g., only use fixed length identifiers like 'kid' of length 1. Alternatively, padding may be used (see <xref target="padding"/>) to hide the true length of, e.g., certificates by value in 'x5chain' or 'c5c'.</t> </section> <section anchor="dos"><name>Denial-of-Service</name><name>Denial of Service</name> <t>EDHOC itself does not provide countermeasures against denial-of-service attacks. In particular, by sending a number of new or replayedmessage_1message_1, an attacker may cause the Responder to allocate the state, perform cryptographic operations, and amplify messages. To mitigate such attacks, an implementationSHOULD<bcp14>SHOULD</bcp14> make use of available lower layer mechanisms. For instance, when EDHOC istransferred astransferred as an exchange of CoAP messages, the CoAP server can use the Echo option defined in <xreftarget="RFC9175"/>target="RFC9175"/>, which forces the CoAP client to demonstrate reachability at its apparent network address. To avoid an additionalroundtripround trip, the Initiator can reduce the amplification factor by padding message_1, i.e., usingEAD_1,EAD_1; see <xref target="padding"/>. Note that while the Echo option mitigates some resource exhaustion aspects of spoofing, it does not protect against a distributed denial-of-service attack made by real, potentially compromised, clients. Similarly, limiting amplification only reduces the impact, which still may be significant because of a large number of clients engaged in the attack.</t> <t>An attacker can also send a faked message_2, message_3, message_4, or error in an attempt to trick the receiving party to send an error message and abort the EDHOC session. EDHOC implementationsMAY<bcp14>MAY</bcp14> evaluate if a received message is likely to have been forged by an attacker and ignore it without sending an error message or aborting the EDHOC session.</t> </section> <section anchor="impl-cons"> <name>Implementation Considerations</name> <t>The availability of a secure random number generator is essential for the security of EDHOC. If no true random number generator is available, a random seedMUST<bcp14>MUST</bcp14> be provided from an external source and used with a cryptographically secure pseudorandom number generator. As each pseudorandom number must only be used once, an implementation needs to get a unique input to the pseudorandom number generator afterreboot,reboot or continuously store state in nonvolatile memory.Appendix B.1.1 in<xreftarget="RFC8613"/>target="RFC8613" sectionFormat="of" section="B.1.1"/> describes issues and solution approaches for writing to nonvolatile memory. Intentionally or unintentionally weak or predictable pseudorandom number generators can be abused or exploited for malicious purposes. <xref target="RFC8937"/> describes a way for security protocol implementations to augment their (pseudo)random number generators using a long-term private key and a deterministic signature function. This improves randomness from broken or otherwise subverted random number generators. The same idea can be used with other secrets andfunctionsfunctions, such as a Diffie-Hellman function or a symmetricsecretsecret, and a PRF like HMAC or KMAC. It isRECOMMENDED<bcp14>RECOMMENDED</bcp14> to not trust a single source of randomness and to not put unaugmented random numbers on the wire.</t> <t>For many constrained IoTdevicesdevices, it is problematic to support several crypto primitives. Existing devices can be expected to support either ECDSA orEdDSA.Edwards-curve Digital Signature Algorithm (EdDSA). If ECDSA is supported, "deterministicECDSA"ECDSA", as specified in <xreftarget="RFC6979"/> MAYtarget="RFC6979"/>, <bcp14>MAY</bcp14> be used. Pure deterministic elliptic-curvesignaturessignatures, such as deterministic ECDSA andEdDSAEdDSA, have gained popularity over randomized ECDSA as their securitydodoes not depend on a source of high-quality randomness. Recent research has however found that implementations of these signature algorithms may be vulnerable to certain side-channel and fault injection attacks due to their determinism.See e.g., Section 1 ofFor example, see <xreftarget="I-D.irtf-cfrg-det-sigs-with-noise"/>target="I-D.irtf-cfrg-det-sigs-with-noise" section="1" sectionFormat="of"/> for a list of attack papers. As suggested inSection 2.1.1 of<xreftarget="RFC9053"/>target="RFC9053" section="2.1.1" sectionFormat="of"/>, this can be addressed by combining randomness and determinism.</t><t>Appendix D of <xref target="I-D.ietf-lwig-curve-representations"/><t><xref target="I-D.ietf-lwig-curve-representations" sectionFormat="of" section="D"/> describes how Montgomerycurvescurves, such as X25519 andX448X448, and (twisted) Edwardscurves as curvescurves, such as Ed25519 andEd448Ed448, can be mapped to and from short-Weierstrass form forimplementationimplementations on platforms that accelerate elliptic curve group operations in short-Weierstrass form.</t> <t>All private keys, symmetric keys, and IVsMUST<bcp14>MUST</bcp14> be secret. Only the ResponderSHALL<bcp14>SHALL</bcp14> have access to the Responder's private authenticationkeykey, and only the InitiatorSHALL<bcp14>SHALL</bcp14> have access to the Initiator's private authentication key. Implementations should provide countermeasures to side-channelattacksattacks, such as timing attacks. Intermediate computedvaluesvalues, such as ephemeral ECDH keys and ECDH sharedsecrets MUSTsecrets, <bcp14>MUST</bcp14> be deleted after key derivation is completed.</t> <t>The Initiator andtheResponder are responsible for verifying the integrity and validity of certificates. Verification of validity may require the use of a Real-Time Clock (RTC). The selection of trustedCAscertification authorities (CAs) should be done very carefully and certificate revocation should be supported. The choice of revocation mechanism is left to the application. For example, in case of X.509 certificates, Certificate Revocation Lists <xref target="RFC5280"/> orOCSPthe Online Certificate Status Protocol (OCSP) <xref target="RFC6960"/> may be used.</t> <t>Similar considerations as for certificates are needed for CWT/CCS. The endpoints are responsible for verifying the integrity and validity ofCWT/CCS,CWT/CCS and to handle revocation. The application needs to determine what trust anchors arerelevant,relevant and have a well-defined trust-establishment process. A self-signedcertificate/CWTcertificate / CWT or CCS appearing in the protocol cannot be a trigger to modify the set of trust anchors. One common way for a new trust anchor to be added to (or removed from) a device is by means firmware upgrade. See <xref target="RFC9360"/> for a longer discussion on trust and validation in constrained devices.</t> <t>Just like for certificates, the contents of the COSE header parameters 'kcwt' and 'kccs' defined in <xref target="cwt-header-param"/> must be processed as untrustedinput.inputs. Endpoints that intend to rely on the assertions made by a CWT/CCS obtained from any of these methods need to validate the contents. For 'kccs', which enables transport of raw public keys, the data structure used does not include any protection or verification data. 'kccs' may be used for unauthenticated operations,e.g.e.g., trust on first use, with the limitations and caveatsentailed,entailed; see <xref target="tofu"/>.</t> <t>The Initiator andtheResponder are allowed to selecttheconnectionidentifieridentifiers C_I and C_R, respectively, for the other party to use in the ongoing EDHOC session as well as in a subsequent application protocol (e.g., OSCORE <xref target="RFC8613"/>). The choice of the connection identifier is not security critical in EDHOC but intended to simplify the retrieval of the right security context in combination with using short identifiers. If the wrong connection identifier of the other party is used in a protocolmessagemessage, it will result in the receiving party not being able to retrieve a security context (which will abort the EDHOC session) or retrieve the wrong security context (which also aborts the EDHOC session as the message cannot be verified).</t> <t>If two nodes unintentionally initiate two simultaneous EDHOC sessions with eachotherother, even if they only want to complete a single EDHOC session, theyMAY<bcp14>MAY</bcp14> abort the EDHOC session with the lexicographically smallest G_X. Note that in cases where several EDHOC sessions with different parameter sets (method, COSE headers, etc.) are used, an attacker can affect which parameter set will be used by blocking some of the parameter sets.</t> <t>If supported by the device, it isRECOMMENDED<bcp14>RECOMMENDED</bcp14> that at least the long-term private keys are stored in a Trusted Execution Environment(TEE,(TEE) (for example, seefor example<xref target="RFC9397"/>) and that sensitive operations using these keys are performed inside the TEE. To achieve even highersecuritysecurity, it isRECOMMENDED<bcp14>RECOMMENDED</bcp14> that additional operations such as ephemeral key generation, all computations of shared secrets, and storage of the PRK keys can be done inside the TEE. The use of a TEE aims at preventing code within that environment to be tamperedwith,with and preventing data used by such code to be read or tampered with by code outside that environment.</t> <t>Note that HKDF-Expand has a relatively small maximum output length of 255<contact fullname="⋅"/>⋅ hash_length, where hash_length is the output size in bytes of the EDHOC hash algorithm of the selected cipher suite. This means that when SHA-256 is used as a hash algorithm, PLAINTEXT_2 cannot be longer than 8160 bytes. This is probably not a limitation for most intended applications, but to be able tosupportsupport, forexampleexample, long certificate chains or large external authorization data, there is a backwards compatible method specified in <xref target="large-plaintext_2"/>.</t> <t>The sequence of transcript hashes in EDHOC (TH_2, TH_3, and TH_4) does not make use of a so-called running hash. This is a designchoicechoice, as running hashes are often not supported on constrained platforms.</t> <t>When parsing a received EDHOC message, implementationsMUST<bcp14>MUST</bcp14> abort the EDHOC session if the message does not comply with the CDDL for that message. Implementations are not required to support non-deterministic encodings and <bcp14>MAY</bcp14> abort the EDHOC session if the received EDHOC message is not encoded using deterministic CBOR. Implementations <bcp14>MUST</bcp14> abort the EDHOC session if validation of a received public key fails or if any cryptographic field has the wrong length. It isRECOMMENDED<bcp14>RECOMMENDED</bcp14> to abort the EDHOC session if the received EDHOC message is not encoded using deterministic CBOR.</t> </section> </section> <section anchor="iana"> <name>IANA Considerations</name> <t>ThisSectionsection gives IANAConsiderationsconsiderations and, unless otherwise noted, conforms with <xref target="RFC8126"/>.</t> <section anchor="exporter-label"> <name>EDHOC Exporter Label Registry</name> <t>IANAis requested to createhas created a new registry under the new registry group "Ephemeral Diffie-Hellman Over COSE (EDHOC)" as follows:</t><t>Registry Name: EDHOC<dl newline="false" spacing="normal"> <dt>Registry Name:</dt> <dd>EDHOC ExporterLabel</t> <t>Reference: [[this document]]</t> <figure anchor="fig-exporter-label">Labels</dd> <dt>Reference:</dt> <dd>RFC 9528</dd> </dl> <table anchor="tab-exporter-label"> <name>EDHOCexporter label.</name> <artset> <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="288" width="536" viewBox="0 0 536 288" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <path d="M 8,32 L 8,256" fill="none" stroke="black"/> <path d="M 120,32 L 120,256" fill="none" stroke="black"/> <path d="M 368,32 L 368,256" fill="none" stroke="black"/> <path d="M 528,32 L 528,256" fill="none" stroke="black"/> <path d="M 8,32 L 528,32" fill="none" stroke="black"/> <path d="M 8,62 L 528,62" fill="none" stroke="black"/> <path d="M 8,66 L 528,66" fill="none" stroke="black"/> <path d="M 8,96 L 528,96" fill="none" stroke="black"/> <path d="M 8,128 L 528,128" fill="none" stroke="black"/> <path d="M 8,160 L 528,160" fill="none" stroke="black"/> <path d="M 8,192 L 528,192" fill="none" stroke="black"/> <path d="M 8,224 L 528,224" fill="none" stroke="black"/> <path d="M 8,256 L 528,256" fill="none" stroke="black"/> <g class="text"> <text x="40" y="52">Label</text> <text x="176" y="52">Description</text> <text x="416" y="52">Reference</text> <text x="24" y="84">0</text> <text x="160" y="84">Derived</text> <text x="220" y="84">OSCORE</text> <text x="276" y="84">Master</text> <text x="332" y="84">Secret</text> <text x="404" y="84">[[this</text> <text x="476" y="84">document]]</text> <text x="24" y="116">1</text> <text x="160" y="116">Derived</text> <text x="220" y="116">OSCORE</text> <text x="276" y="116">Master</text> <text x="324" y="116">Salt</text> <text x="404" y="116">[[this</text> <text x="476" y="116">document]]</text> <text x="36" y="148">2-22</text> <text x="172" y="148">Unassigned</text> <text x="28" y="180">23</text> <text x="164" y="180">Reserved</text> <text x="404" y="180">[[this</text> <text x="476" y="180">document]]</text> <text x="52" y="212">24-32767</text> <text x="172" y="212">Unassigned</text> <text x="64" y="244">32768-65535</text> <text x="160" y="244">Private</text> <text x="208" y="244">Use</text> </g> </svg> </artwork> <artwork type="ascii-art"><![CDATA[ +-------------+------------------------------+-------------------+ | Label | Description | Reference | +=============+==============================+===================+ | 0 | DerivedExporter Labels</name> <thead> <tr> <th>Label</th> <th>Description</th> <th>Reference</th> </tr> </thead> <tbody> <tr> <td>0</td> <td>Derived OSCORE MasterSecret | [[this document]] | +-------------+------------------------------+-------------------+ | 1 | DerivedSecret</td> <td>RFC 9528</td> </tr> <tr> <td>1</td> <td>Derived OSCORE MasterSalt | [[this document]] | +-------------+------------------------------+-------------------+ | 2-22 | Unassigned | | +-------------+------------------------------+-------------------+ | 23 | Reserved | [[this document]] | +-------------+------------------------------+-------------------+ | 24-32767 | Unassigned | | +-------------+------------------------------+-------------------+ | 32768-65535 |Salt</td> <td>RFC 9528</td> </tr><tr> <td>2-22</td> <td>Unassigned</td> <td></td> </tr> <tr> <td>23</td> <td>Reserved</td> <td>RFC 9528</td> </tr> <tr> <td>24-32767</td> <td>Unassigned</td> <td></td> </tr><tr> <td>32768-65535</td> <td>Reserved for PrivateUse | | +-------------+------------------------------+-------------------+ ]]></artwork> </artset> </figure> <artset> <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="160" width="432" viewBox="0 0 432 160" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <path d="M 8,32 L 8,128" fill="none" stroke="black"/> <path d="M 120,32 L 120,128" fill="none" stroke="black"/> <path d="M 424,32 L 424,128" fill="none" stroke="black"/> <path d="M 8,32 L 424,32" fill="none" stroke="black"/> <path d="M 8,62 L 424,62" fill="none" stroke="black"/> <path d="M 8,66 L 424,66" fill="none" stroke="black"/> <path d="M 8,96 L 424,96" fill="none" stroke="black"/> <path d="M 8,128 L 424,128" fill="none" stroke="black"/> <g class="text"> <text x="40" y="52">Range</text> <text x="180" y="52">Registration</text> <text x="276" y="52">Procedures</text> <text x="24" y="84">0</text> <text x="44" y="84">to</text> <text x="68" y="84">23</text> <text x="168" y="84">Standards</text> <text x="236" y="84">Action</text> <text x="28" y="116">24</text> <text x="52" y="116">to</text> <text x="88" y="116">32767</text> <text x="156" y="116">Expert</text> <text x="212" y="116">Review</text> </g> </svg> </artwork> <artwork type="ascii-art"><![CDATA[ +-------------+-------------------------------------+ | Range | RegistrationUse</td> <td></td> </tr> </tbody> </table> <t>This registry also has a "Change Controller" field. For registrations made by IETF documents, the IETF is listed.</t> <table> <name>Registration Procedures| +=============+=====================================+ | 0 to 23 | Standards Action | +-------------+-------------------------------------+ | 24 to 32767 | Expert Review | +-------------+-------------------------------------+ ]]></artwork> </artset>for EDHOC Exporter Labels</name> <thead> <tr> <th>Range</th> <th>Registration Procedures</th> </tr> </thead> <tbody> <tr> <td>0-23</td> <td>Standards Action</td> </tr> <tr> <td>24-32767</td> <td>Expert Review</td> </tr> <tr> <td>32768-65535</td> <td>Private Use</td> </tr> </tbody> </table> </section> <section anchor="suites-registry"> <name>EDHOC Cipher Suites Registry</name> <t>IANAis requested to createhas created a new registry under the new registry group "Ephemeral Diffie-Hellman Over COSE (EDHOC)" as follows:</t><t>Registry Name: EDHOC<dl newline="false" spacing="normal"> <dt>Registry Name:</dt> <dd>EDHOC CipherSuites</t> <t>Reference: [[this document]]</t>Suites</dd> <dt>Reference:</dt> <dd>RFC 9528</dd> </dl> <t>The columns of the registry are Value,Array andArray, Description, and Reference, where Value is an integer and the other columns are text strings. The initial contents of the registry are:</t><artwork><![CDATA[ Value: -24 Array: N/A Description: Private Use Reference: [[this document]] ]]></artwork> <artwork><![CDATA[ Value: -23 Array: N/A Description: Private Use Reference: [[this document]] ]]></artwork> <artwork><![CDATA[ Value: -22 Array: N/A Description: Private Use Reference: [[this document]] ]]></artwork> <artwork><![CDATA[ Value: -21 Array: N/A Description: Private Use Reference: [[this document]] ]]></artwork> <artwork><![CDATA[ Value: 0 Array: 10,<table> <name>EDHOC Cipher Suites</name> <thead> <tr> <th>Value</th> <th>Array</th> <th>Description</th> <th>Reference</th> </tr> </thead> <tbody> <tr> <td>-24</td> <td>N/A</td> <td>Private Use</td> <td>RFC 9528</td> </tr> <tr> <td>-23</td> <td>N/A</td> <td>Private Use</td> <td>RFC 9528</td> </tr> <tr> <td>-22</td> <td>N/A</td> <td>Private Use</td> <td>RFC 9528</td> </tr> <tr> <td>-21</td> <td>N/A</td> <td>Private Use</td> <td>RFC 9528</td> </tr> <tr> <td>0</td> <td>10, -16, 8, 4, -8, 10,-16 Description: AES-CCM-16-64-128,-16</td> <td>AES-CCM-16-64-128, SHA-256, 8, X25519, EdDSA,AES-CCM-16-64-128, SHA-256 Reference: [[this document]] ]]></artwork> <artwork><![CDATA[ Value: 1 Array: 30,AES&nbhy;CCM&nbhy;16&nbhy;64&nbhy;128, SHA-256</td> <td>RFC 9528</td> </tr> <tr> <td>1</td> <td>30, -16, 16, 4, -8, 10,-16 Description: AES-CCM-16-128-128, SHA-256,-16</td> <td>AES-CCM-16-128-128, SHA&nbhy;256, 16, X25519, EdDSA,AES-CCM-16-64-128, SHA-256 Reference: [[this document]] ]]></artwork> <artwork><![CDATA[ Value: 2 Array: 10,AES&nbhy;CCM&nbhy;16&nbhy;64&nbhy;128, SHA-256</td> <td>RFC 9528</td> </tr> <tr> <td>2</td> <td>10, -16, 8, 1, -7, 10,-16 Description: AES-CCM-16-64-128,-16</td> <td>AES-CCM-16-64-128, SHA-256, 8, P-256, ES256,AES-CCM-16-64-128, SHA-256 Reference: [[this document]] ]]></artwork> <artwork><![CDATA[ Value: 3 Array: 30,AES&nbhy;CCM&nbhy;16&nbhy;64&nbhy;128, SHA-256</td> <td>RFC 9528</td> </tr> <tr> <td>3</td> <td>30, -16, 16, 1, -7, 10,-16 Description: AES-CCM-16-128-128, SHA-256,-16</td> <td>AES-CCM-16-128-128, SHA&nbhy;256, 16, P-256, ES256,AES-CCM-16-64-128, SHA-256 Reference: [[this document]] ]]></artwork> <artwork><![CDATA[ Value: 4 Array: 24,AES&nbhy;CCM&nbhy;16&nbhy;64&nbhy;128, SHA-256</td> <td>RFC 9528</td> </tr> <tr> <td>4</td> <td>24, -16, 16, 4, -8, 24,-16 Description: ChaCha20/Poly1305,-16</td> <td>ChaCha20/Poly1305, SHA-256, 16, X25519, EdDSA, ChaCha20/Poly1305,SHA-256 Reference: [[this document]] ]]></artwork> <artwork><![CDATA[ Value: 5 Array: 24,SHA-256</td> <td>RFC 9528</td> </tr> <tr> <td>5</td> <td>24, -16, 16, 1, -7, 24,-16 Description: ChaCha20/Poly1305,-16</td> <td>ChaCha20/Poly1305, SHA-256, 16, P-256, ES256,ChaCha20/Poly1305, SHA-256 Reference: [[this document]] ]]></artwork> <artwork><![CDATA[ Value: 6 Array: 1,ChaCha20/&wj;Poly1305, SHA-256</td> <td>RFC 9528</td> </tr> <tr> <td>6</td> <td>1, -16, 16, 4, -7, 1,-16 Description: A128GCM,-16</td> <td>A128GCM, SHA-256, 16, X25519, ES256, A128GCM,SHA-256 Reference: [[this document]] ]]></artwork> <artwork><![CDATA[ Value: 23 Reserved Reference: [[this document]] ]]></artwork> <artwork><![CDATA[ Value: 24 Array: 3,SHA-256</td> <td>RFC 9528</td> </tr> <tr> <td>23</td> <td>Reserved</td> <td></td> <td>RFC 9528</td> </tr> <tr> <td>24</td> <td>3, -43, 16, 2, -35, 3,-43 Description: A256GCM,-43</td> <td>A256GCM, SHA-384, 16, P-384, ES384, A256GCM,SHA-384 Reference: [[this document]] ]]></artwork> <artwork><![CDATA[ Value: 25 Array: 24,SHA-384</td> <td>RFC 9528</td> </tr> <tr> <td>25</td> <td>24, -45, 16, 5, -8, 24,-45 Description: ChaCha20/Poly1305,-45</td> <td>ChaCha20/Poly1305, SHAKE256, 16, X448, EdDSA, ChaCha20/Poly1305,SHAKE256 Reference: [[this document]] ]]></artwork> <artset> <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="176" width="456" viewBox="0 0 456 176" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <path d="M 8,32 L 8,160" fill="none" stroke="black"/> <path d="M 144,32 L 144,160" fill="none" stroke="black"/> <path d="M 448,32 L 448,160" fill="none" stroke="black"/> <path d="M 8,32 L 448,32" fill="none" stroke="black"/> <path d="M 8,62 L 448,62" fill="none" stroke="black"/> <path d="M 8,66 L 448,66" fill="none" stroke="black"/> <path d="M 8,96 L 448,96" fill="none" stroke="black"/> <path d="M 8,128 L 448,128" fill="none" stroke="black"/> <path d="M 8,160 L 448,160" fill="none" stroke="black"/> <g class="text"> <text x="40" y="52">Range</text> <text x="204" y="52">Registration</text> <text x="300" y="52">Procedures</text> <text x="44" y="84">-65536</text> <text x="84" y="84">to</text> <text x="112" y="84">-25</text> <text x="208" y="84">Specification</text> <text x="300" y="84">Required</text> <text x="32" y="116">-20</text> <text x="60" y="116">to</text> <text x="84" y="116">23</text> <text x="192" y="116">Standards</text> <text x="260" y="116">Action</text> <text x="308" y="116">with</text> <text x="356" y="116">Expert</text> <text x="412" y="116">Review</text> <text x="28" y="148">24</text> <text x="52" y="148">to</text> <text x="88" y="148">65535</text> <text x="208" y="148">Specification</text> <text x="300" y="148">Required</text> </g> </svg> </artwork> <artwork type="ascii-art"><![CDATA[ +----------------+-------------------------------------+ | Range | RegistrationSHAKE256</td> <td>RFC 9528</td> </tr> </tbody> </table> <table> <name>Registration Procedures| +================+=====================================+ | -65536 to -25 | Specification Required | +----------------+-------------------------------------+ | -20for EDHOC Cipher Suites</name> <thead> <tr> <th>Range</th> <th>Registration Procedures</th> </tr> </thead> <tbody> <tr> <td>-65536 to -25</td> <td>Specification Required</td> </tr> <tr> <td>-24 to -21</td> <td>Private Use</td> </tr> <tr> <td>-20 to23 | Standards23</td> <td>Standards Action with ExpertReview | +----------------+-------------------------------------+ | 24 to 65535 | Specification Required | +----------------+-------------------------------------+ ]]></artwork> </artset>Review</td> </tr> <tr> <td>24 to 65535</td> <td>Specification Required</td> </tr> </tbody> </table> </section> <section anchor="method-types"> <name>EDHOC Method Type Registry</name> <t>IANAis requested to createhas created a new registry under the new registry group "Ephemeral Diffie-Hellman Over COSE (EDHOC)" as follows:</t><t>Registry Name: EDHOC<dl newline="false" spacing="normal"> <dt>Registry Name:</dt> <dd>EDHOC MethodType</t> <t>Reference: [[this document]]</t>Types</dd> <dt>Reference:</dt> <dd>RFC 9528</dd> </dl> <t>The columns of the registry are Value, Initiator Authentication Key,andResponder Authentication Key, and Reference, where Value is an integer and the key columns are text strings describing the authentication keys.</t> <t>The initial contents of the registry are shown in <xreftarget="fig-method-types"/>.target="tab-method-types"/>. Method 23 is Reserved.</t><artset> <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="176" width="456" viewBox="0 0 456 176" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <path d="M 8,32 L 8,160" fill="none" stroke="black"/> <path d="M 144,32 L 144,160" fill="none" stroke="black"/> <path d="M 448,32 L 448,160" fill="none" stroke="black"/> <path d="M 8,32 L 448,32" fill="none" stroke="black"/> <path d="M 8,62 L 448,62" fill="none" stroke="black"/> <path d="M 8,66 L 448,66" fill="none" stroke="black"/> <path d="M 8,96 L 448,96" fill="none" stroke="black"/> <path d="M 8,128 L 448,128" fill="none" stroke="black"/> <path d="M 8,160 L 448,160" fill="none" stroke="black"/> <g class="text"> <text x="40" y="52">Range</text> <text x="204" y="52">Registration</text> <text x="300" y="52">Procedures</text> <text x="44" y="84">-65536</text> <text x="84" y="84">to</text> <text x="112" y="84">-25</text> <text x="208" y="84">Specification</text> <text x="300" y="84">Required</text> <text x="32" y="116">-24</text> <text x="60" y="116">to</text> <text x="84" y="116">23</text> <text x="192" y="116">Standards</text> <text x="260" y="116">Action</text> <text x="308" y="116">with</text> <text x="356" y="116">Expert</text> <text x="412" y="116">Review</text> <text x="28" y="148">24</text> <text x="52" y="148">to</text> <text x="88" y="148">65535</text> <text x="208" y="148">Specification</text> <text x="300" y="148">Required</text> </g> </svg> </artwork> <artwork type="ascii-art"><![CDATA[ +----------------+-------------------------------------+ | Range | Registration<table> <name>Registration Procedures| +================+=====================================+ | -65536 to -25 | Specification Required | +----------------+-------------------------------------+ | -24for EDHOC Method Types</name> <thead> <tr> <th>Range</th> <th>Registration Procedures</th> </tr> </thead> <tbody> <tr> <td>-65536 to -25</td> <td>Specification Required</td> </tr> <tr> <td>-24 to23 | Standards23</td> <td>Standards Action with ExpertReview | +----------------+-------------------------------------+ | 24 to 65535 | Specification Required | +----------------+-------------------------------------+ ]]></artwork> </artset>Review</td> </tr> <tr> <td>24 to 65535</td> <td>Specification Required</td> </tr> </tbody> </table> </section> <section anchor="error-code-reg"> <name>EDHOC Error Codes Registry</name> <t>IANAis requested to createhas created a new registry under the new registry group "Ephemeral Diffie-Hellman Over COSE (EDHOC)" as follows:</t><t>Registry Name: EDHOC<dl newline="false" spacing="normal"> <dt>Registry Name:</dt> <dd>EDHOC ErrorCodes</t> <t>Reference: [[this document]]</t>Codes</dd> <dt>Reference:</dt> <dd>RFC 9528</dd> </dl> <t>The columns of the registry are ERR_CODE, ERR_INFO Type, Description, Change Controller, and Reference, where ERR_CODE is an integer, ERR_INFO is a CDDL defined type, and Description is a text string. The initial contents of the registry are shown in <xreftarget="fig-error-codes"/>.target="tab-error-codes"/>. Error code 23 isReserved.</t> <artset> <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="176" width="456" viewBox="0 0 456 176" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <path d="M 8,32 L 8,160" fill="none" stroke="black"/> <path d="M 144,32 L 144,160" fill="none" stroke="black"/> <path d="M 448,32 L 448,160" fill="none" stroke="black"/> <path d="M 8,32 L 448,32" fill="none" stroke="black"/> <path d="M 8,62 L 448,62" fill="none" stroke="black"/> <path d="M 8,66 L 448,66" fill="none" stroke="black"/> <path d="M 8,96 L 448,96" fill="none" stroke="black"/> <path d="M 8,128 L 448,128" fill="none" stroke="black"/> <path d="M 8,160 L 448,160" fill="none" stroke="black"/> <g class="text"> <text x="40" y="52">Range</text> <text x="204" y="52">Registration</text> <text x="300" y="52">Procedures</text> <text x="44" y="84">-65536</text> <text x="84" y="84">to</text> <text x="112" y="84">-25</text> <text x="180" y="84">Expert</text> <text x="236" y="84">Review</text> <text x="32" y="116">-24</text> <text x="60" y="116">to</text> <text x="84" y="116">23</text> <text x="192" y="116">Standards</text> <text x="260" y="116">Action</text> <text x="28" y="148">24</text> <text x="52" y="148">to</text> <text x="88" y="148">65535</text> <text x="180" y="148">Expert</text> <text x="236" y="148">Review</text> </g> </svg> </artwork> <artwork type="ascii-art"><![CDATA[ +----------------+-------------------------------------+ | Range | RegistrationReserved. This registry also has a "Change Controller" field. For registrations made by IETF documents, the IETF is listed.</t> <table> <name>Registration Procedures| +================+=====================================+ | -65536 to -25 | Expert Review | +----------------+-------------------------------------+ | -24 to 23 | Standards Action | +----------------+-------------------------------------+ | 24 to 65535 | Expert Review | +----------------+-------------------------------------+ ]]></artwork> </artset>for EDHOC Error Codes</name> <thead> <tr> <th>Range</th> <th>Registration Procedures</th> </tr> </thead> <tbody> <tr> <td>-65536 to -25</td> <td>Expert Review</td> </tr><tr> <td>-24 to 23</td> <td>Standards Action</td> </tr><tr> <td>24 to 65535</td> <td>Expert Review</td> </tr> </tbody> </table> </section> <section anchor="iana-ead"> <name>EDHOC External Authorization Data Registry</name> <t>IANAis requested to createhas created a new registry under the new registry group "Ephemeral Diffie-Hellman Over COSE (EDHOC)" as follows:</t><t>Registry Name: EDHOC<dl newline="false" spacing="normal"> <dt>Registry Name:</dt> <dd>EDHOC External AuthorizationData</t> <t>Reference: [[this document]]</t>Data</dd> <dt>Reference:</dt> <dd>RFC 9528</dd> </dl> <t>The columns of the registry are Name, Label, Description, and Reference, where Label is anon-negativenonnegative integer and the other columns are text strings. The initial contents of the registryisare shown in <xreftarget="fig-ead-labels"/>.target="tab-ead-labels"/>. EAD label 23 is Reserved.</t><figure anchor="fig-ead-labels"> <name>EAD labels.</name> <artset> <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="128" width="536" viewBox="0 0 536 128" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <path d="M 8,32 L 8,112" fill="none" stroke="black"/> <path d="M 104,32 L 104,112" fill="none" stroke="black"/> <path d="M 168,32 L 168,112" fill="none" stroke="black"/> <path d="M 368,32 L 368,112" fill="none" stroke="black"/> <path d="M 528,32 L 528,112" fill="none" stroke="black"/> <path d="M 8,32 L 528,32" fill="none" stroke="black"/> <path d="M 8,62 L 528,62" fill="none" stroke="black"/> <path d="M 8,66 L 528,66" fill="none" stroke="black"/> <path d="M 8,112 L 528,112" fill="none" stroke="black"/> <g class="text"> <text x="36" y="52">Name</text> <text x="136" y="52">Label</text> <text x="224" y="52">Description</text> <text x="416" y="52">Reference</text> <text x="48" y="84">Padding</text> <text x="136" y="84">0</text> <text x="212" y="84">Randomly</text> <text x="288" y="84">generated</text> <text x="404" y="84">[[this</text> <text x="476" y="84">document]]</text> <text x="196" y="100">CBOR</text> <text x="236" y="100">byte</text> <text x="284" y="100">string</text> <text x="408" y="100">Section</text> <text x="464" y="100">3.8.1</text> </g> </svg> </artwork> <artwork type="ascii-art"><![CDATA[ +-----------+-------+------------------------+-------------------+ | Name | Label | Description | Reference | +===========+=======+========================+===================+ | Padding | 0 | Randomly<table anchor="tab-ead-labels"> <name>EDHOC EAD Labels</name> <thead> <tr> <th>Name</th> <th>Label</th> <th>Description</th> <th>Reference</th> </tr> </thead> <tbody> <tr> <td>Padding</td> <td>0</td> <td>Randomly generated| [[this document]] | | | |CBOR bytestring | Section 3.8.1 | +-----------+-------+------------------------+-------------------+ ]]></artwork> </artset> </figure> <artset> <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="160" width="432" viewBox="0 0 432 160" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <path d="M 8,32 L 8,128" fill="none" stroke="black"/> <path d="M 120,32 L 120,128" fill="none" stroke="black"/> <path d="M 424,32 L 424,128" fill="none" stroke="black"/> <path d="M 8,32 L 424,32" fill="none" stroke="black"/> <path d="M 8,62 L 424,62" fill="none" stroke="black"/> <path d="M 8,66 L 424,66" fill="none" stroke="black"/> <path d="M 8,96 L 424,96" fill="none" stroke="black"/> <path d="M 8,128 L 424,128" fill="none" stroke="black"/> <g class="text"> <text x="40" y="52">Range</text> <text x="180" y="52">Registration</text> <text x="276" y="52">Procedures</text> <text x="24" y="84">0</text> <text x="44" y="84">to</text> <text x="68" y="84">23</text> <text x="168" y="84">Standards</text> <text x="236" y="84">Action</text> <text x="284" y="84">with</text> <text x="332" y="84">Expert</text> <text x="388" y="84">Review</text> <text x="28" y="116">24</text> <text x="52" y="116">to</text> <text x="88" y="116">65535</text> <text x="184" y="116">Specification</text> <text x="276" y="116">Required</text> </g> </svg> </artwork> <artwork type="ascii-art"><![CDATA[ +-------------+-------------------------------------+ | Range | Registration Procedures | +=============+=====================================+ | 0string</td> <td>RFC 9528, <xref target="padding"/></td> </tr> <tr> <td></td> <td>23</td> <td>Reserved</td> <td>RFC 9528</td> </tr> </tbody> </table> <table> <name>Registration procedures for EDHOC EAD Labels</name> <thead> <tr> <th>Range</th> <th>Registration Procedures</th> </tr> </thead> <tbody> <tr> <td>0 to23 | Standards23</td> <td>Standards Action with ExpertReview | +-------------+-------------------------------------+ | 24 to 65535 | Specification Required | +-------------+-------------------------------------+ ]]></artwork> </artset>Review</td> </tr><tr> <td>24 to 65535</td> <td>Specification Required</td> </tr> </tbody> </table> </section> <section anchor="cwt-header-param"> <name>COSE Header Parameters Registry</name> <t>IANAis requested to registerhas registered the following entries in the "COSE Header Parameters" registry under the registry group "CBOR Object Signing and Encryption (COSE)" (see <xreftarget="fig-header-params"/>):target="tab-header-params"/>). The value of the 'kcwt' header parameter is a COSE Web Token (CWT) <xref target="RFC8392"/>, and the value of the 'kccs' header parameter is a CWT Claims Set(CCS),(CCS); see <xref target="term"/>. The CWT/CCS must contain a COSE_Key in a 'cnf' claim <xref target="RFC8747"/>. The Value Registry column for this item is empty and omitted from the table below.</t><figure anchor="fig-header-params"><table anchor="tab-header-params"> <name>COSEheader parameter labels.</name> <artset> <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="256" width="560" viewBox="0 0 560 256" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <path d="M 8,32 L 8,240" fill="none" stroke="black"/> <path d="M 64,32 L 64,240" fill="none" stroke="black"/> <path d="M 128,32 L 128,240" fill="none" stroke="black"/> <path d="M 256,32 L 256,240" fill="none" stroke="black"/> <path d="M 552,32 L 552,240" fill="none" stroke="black"/> <path d="M 8,32 L 552,32" fill="none" stroke="black"/> <path d="M 8,62 L 552,62" fill="none" stroke="black"/> <path d="M 8,66 L 552,66" fill="none" stroke="black"/> <path d="M 8,160 L 552,160" fill="none" stroke="black"/> <path d="M 8,240 L 552,240" fill="none" stroke="black"/> <g class="text"> <text x="36" y="52">Name</text> <text x="96" y="52">Label</text> <text x="160" y="52">Value</text> <text x="204" y="52">Type</text> <text x="312" y="52">Description</text> <text x="36" y="84">kcwt</text> <text x="92" y="84">TBD1</text> <text x="192" y="84">COSE_Messages</text> <text x="272" y="84">A</text> <text x="300" y="84">CBOR</text> <text x="336" y="84">Web</text> <text x="376" y="84">Token</text> <text x="424" y="84">(CWT)</text> <text x="492" y="84">containing</text> <text x="272" y="100">a</text> <text x="316" y="100">COSE_Key</text> <text x="364" y="100">in</text> <text x="384" y="100">a</text> <text x="416" y="100">'cnf'</text> <text x="464" y="100">claim</text> <text x="504" y="100">and</text> <text x="300" y="116">possibly</text> <text x="360" y="116">other</text> <text x="416" y="116">claims.</text> <text x="464" y="116">CWT</text> <text x="492" y="116">is</text> <text x="296" y="132">defined</text> <text x="340" y="132">in</text> <text x="368" y="132">RFC</text> <text x="408" y="132">8392.</text> <text x="488" y="132">COSE_Messages</text> <text x="276" y="148">is</text> <text x="320" y="148">defined</text> <text x="364" y="148">in</text> <text x="392" y="148">RFC</text> <text x="432" y="148">9052.</text> <text x="36" y="180">kccs</text> <text x="92" y="180">TBD2</text> <text x="152" y="180">map</text> <text x="272" y="180">A</text> <text x="296" y="180">CWT</text> <text x="340" y="180">Claims</text> <text x="384" y="180">Set</text> <text x="424" y="180">(CCS)</text> <text x="492" y="180">containing</text> <text x="272" y="196">a</text> <text x="316" y="196">COSE_Key</text> <text x="364" y="196">in</text> <text x="384" y="196">a</text> <text x="416" y="196">'cnf'</text> <text x="464" y="196">claim</text> <text x="504" y="196">and</text> <text x="300" y="212">possibly</text> <text x="360" y="212">other</text> <text x="416" y="212">claims.</text> <text x="464" y="212">CCS</text> <text x="492" y="212">is</text> <text x="296" y="228">defined</text> <text x="340" y="228">in</text> <text x="368" y="228">RFC</text> <text x="408" y="228">8392.</text> </g> </svg> </artwork> <artwork type="ascii-art"><![CDATA[ +------+-------+---------------+------------------------------------+ | Name | Label | Value Type | Description | +======+=======+===============+====================================+ | kcwt | TBD1 | COSE_Messages | AHeader Parameter Labels</name> <thead> <tr> <th>Name</th> <th>Label</th> <th>Value Type</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>kcwt</td> <td>13</td> <td>COSE_Messages</td> <td>A CBOR Web Token (CWT) containing| | | | |a COSE_Key in a 'cnf' claim and| | | | |possibly other claims. CWT is| | | | |defined in RFC 8392. COSE_Messages| | | | |is defined in RFC9052. | +------+-------+---------------+------------------------------------+ | kccs | TBD2 | map | A9052.</td> </tr><tr> <td>kccs</td> <td>14</td> <td>map</td> <td>A CWT Claims Set (CCS) containing| | | | |a COSE_Key in a 'cnf' claim and| | | | |possibly other claims. CCS is| | | | |defined in RFC8392. | +------+-------+---------------+------------------------------------+ ]]></artwork> </artset> </figure>8392.</td> </tr> </tbody> </table> </section> <section anchor="well-known"><name>The Well-Known<name>Well-Known URI Registry</name> <t>IANAis requested to addhas added the well-known URI "edhoc" to the "Well-Known URIs" registry.</t><ul spacing="normal"> <li>URI suffix: edhoc</li> <li>Change controller: IETF</li> <li>Specification document(s): [[this document]]</li> <li>Related information: None</li> </ul><dl> <dt>URI Suffix:</dt><dd>edhoc</dd> <dt>Change Controller:</dt><dd>IETF</dd> <dt>Reference:</dt><dd>RFC 9528</dd> <dt>Related Information:</dt><dd> None</dd> </dl> </section> <section anchor="media-type"> <name>Media Types Registry</name> <t>IANAis requested to addhas added the media types "application/edhoc+cbor-seq" and "application/cid-edhoc+cbor-seq" to the "Media Types" registry.</t> <section anchor="applicationedhoccbor-seq-media-type-registration"> <name>application/edhoc+cbor-seq Media Type Registration</name><ul spacing="normal"> <li>Type name: application</li> <li>Subtype name: edhoc+cbor-seq</li> <li>Required parameters: N/A</li> <li>Optional parameters: N/A</li> <li>Encoding considerations: binary</li> <li>Security considerations: See Section 7<dl> <dt>Type name:</dt><dd> application</dd> <dt>Subtype name:</dt><dd> edhoc+cbor-seq</dd> <dt>Required parameters:</dt><dd> N/A</dd> <dt>Optional parameters:</dt><dd> N/A</dd> <dt>Encoding considerations:</dt><dd> binary</dd> <dt>Security considerations:</dt><dd>See <xref target="duplication"/> ofthis document.</li> <li>Interoperability considerations: N/A</li> <li>Published specification: [[this document]] (this document)</li> <li>ApplicationsRFC 9528.</dd> <dt>Interoperability considerations:</dt><dd> N/A</dd> <dt>Published specification:</dt><dd>RFC 9528</dd> <dt>Applications that use this mediatype:type:</dt><dd> To beidentified</li> <li>Fragmentidentified</dd> <dt>Fragment identifierconsiderations: N/A</li> <li> <t>Additionalconsiderations:</dt><dd> N/A</dd> <dt>Additional information:</t> <ul spacing="normal"> <li>Magic number(s): N/A</li> <li>File extension(s): N/A</li> <li>Macintosh</dt> <dd> <t><br/></t> <dl> <dt>Magic number(s):</dt><dd> N/A</dd> <dt>File extension(s):</dt><dd> N/A</dd> <dt>Macintosh file typecode(s): N/A</li> </ul> </li> <li>Personcode(s):</dt><dd> N/A</dd> </dl> </dd> <dt>Person & email address to contact for furtherinformation:information:</dt><dd> See "Authors' Addresses"section.</li> <li>Intended usage: COMMON</li> <li>Restrictions on usage: N/A</li> <li>Author:section in RFC 9528.</dd> <dt>Intended usage:</dt><dd> COMMON</dd> <dt>Restrictions on usage:</dt><dd> N/A</dd> <dt>Author:</dt><dd> See "Authors' Addresses"section.</li> <li>Change Controller: IESG</li> </ul>section.</dd> <dt>Change Controller:</dt><dd> IETF</dd> </dl> </section> <section anchor="applicationcid-edhoccbor-seq-media-type-registration"> <name>application/cid-edhoc+cbor-seq Media Type Registration</name><ul spacing="normal"> <li>Type name: application</li> <li>Subtype name: cid-edhoc+cbor-seq</li> <li>Required parameters: N/A</li> <li>Optional parameters: N/A</li> <li>Encoding considerations: binary</li> <li>Security considerations:<dl> <dt>Type name:</dt><dd> application</dd> <dt>Subtype name:</dt><dd> cid-edhoc+cbor-seq</dd> <dt>Required parameters:</dt><dd> N/A</dd> <dt>Optional parameters:</dt><dd> N/A</dd> <dt>Encoding considerations:</dt><dd> binary</dd> <dt>Security considerations:</dt><dd> SeeSection 7<xref target="duplication"/> ofthis document.</li> <li>Interoperability considerations: N/A</li> <li>Published specification: [[this document]] (this document)</li> <li>ApplicationsRFC 9528.</dd> <dt>Interoperability considerations:</dt><dd> N/A</dd> <dt>Published specification:</dt><dd>RFC 9528</dd> <dt>Applications that use this mediatype:type:</dt><dd> To beidentified</li> <li>Fragmentidentified</dd> <dt>Fragment identifierconsiderations: N/A</li> <li> <t>Additional information: </t> <ul spacing="normal"> <li>Magic number(s): N/A</li> <li>File extension(s): N/A</li> <li>Macintoshconsiderations:</dt><dd> N/A</dd> <dt>Additional information:</dt> <dd> <t><br/></t> <dl> <dt>Magic number(s):</dt><dd> N/A</dd> <dt>File extension(s):</dt><dd> N/A</dd> <dt>Macintosh file typecode(s): N/A</li> </ul> </li> <li>Personcode(s):</dt><dd> N/A</dd> </dl> </dd> <dt>Person & email address to contact for furtherinformation:information:</dt><dd> See "Authors' Addresses"section.</li> <li>Intended usage: COMMON</li> <li>Restrictions on usage: N/A</li> <li>Author:section in RFC 9528.</dd> <dt>Intended usage:</dt><dd> COMMON</dd> <dt>Restrictions on usage:</dt><dd> N/A</dd> <dt>Author:</dt><dd> See "Authors' Addresses"section.</li> <li>Change Controller: IESG</li> </ul>section.</dd> <dt>Change Controller:</dt><dd> IETF</dd> </dl> </section> </section> <section anchor="content-format"> <name>CoAP Content-Formats Registry</name> <t>IANAis requested to addhas added the media types "application/edhoc+cbor-seq" and "application/cid-edhoc+cbor-seq" to the "CoAP Content-Formats" registry under the registry group "Constrained RESTful Environments (CoRE) Parameters".</t><figure anchor="fig-format-ids"><table anchor="tab-format-ids"> <name>CoAP Content-Format IDs</name><artset> <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="128" width="584" viewBox="0 0 584 128" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <path d="M 8,32 L 8,112" fill="none" stroke="black"/> <path d="M 272,32 L 272,112" fill="none" stroke="black"/> <path d="M 360,32 L 360,112" fill="none" stroke="black"/> <path d="M 416,32 L 416,112" fill="none" stroke="black"/> <path d="M 576,32 L 576,112" fill="none" stroke="black"/> <path d="M 8,32 L 576,32" fill="none" stroke="black"/> <path d="M 8,62 L 576,62" fill="none" stroke="black"/> <path d="M 8,66 L 576,66" fill="none" stroke="black"/> <path d="M 8,112 L 576,112" fill="none" stroke="black"/> <g class="text"> <text x="40" y="52">Media</text> <text x="84" y="52">Type</text> <text x="316" y="52">Encoding</text> <text x="380" y="52">ID</text> <text x="464" y="52">Reference</text> <text x="124" y="84">application/edhoc+cbor-seq</text> <text x="288" y="84">-</text> <text x="388" y="84">TBD5</text> <text x="452" y="84">[[this</text> <text x="524" y="84">document]]</text> <text x="140" y="100">application/cid-edhoc+cbor-seq</text> <text x="288" y="100">-</text> <text x="388" y="100">TBD6</text> <text x="452" y="100">[[this</text> <text x="524" y="100">document]]</text> </g> </svg> </artwork> <artwork type="ascii-art"><![CDATA[ +--------------------------------+----------+------+-------------------+ | Media Type | Encoding | ID | Reference | +================================+==========+======+===================+ | application/edhoc+cbor-seq | - | TBD5 | [[this document]] | | application/cid-edhoc+cbor-seq | - | TBD6 | [[this document]] | +--------------------------------+----------+------+-------------------+ ]]></artwork> </artset> </figure><thead> <tr> <th>Content Type</th> <th>Content Coding</th> <th>ID</th> <th>Reference</th> </tr> </thead> <tbody> <tr> <td>application/edhoc+cbor-seq</td> <td>-</td> <td>64</td> <td>RFC 9528</td> </tr><tr> <td>application/cid-edhoc+cbor-seq</td> <td>-</td> <td>65</td> <td>RFC 9528</td> </tr> </tbody> </table> </section> <section anchor="rt"> <name>Resource Type (rt=) Link Target Attribute Values Registry</name> <t>IANAis requested to addhas added the resource type "core.edhoc" to the "Resource Type (rt=) Link Target Attribute Values" registry under the registry group "Constrained RESTful Environments (CoRE) Parameters".</t><ul spacing="normal"> <li>Value: "core.edhoc"</li> <li>Description: EDHOC resource.</li> <li>Reference: [[this document]]</li> </ul><dl> <dt>Value:</dt><dd>"core.edhoc"</dd> <dt>Description:</dt><dd>EDHOC resource.</dd> <dt>Reference:</dt><dd>RFC 9528</dd> </dl> </section> <section anchor="expert-review-instructions"> <name>Expert Review Instructions</name> <t>The IANARegistriesregistries established in this document are defined as "Expert Review", "SpecificationRequired"Required", or "Standards Action with Expert Review". This section gives some general guidelines for what the experts should be looking for, but they are being designated as experts for a reason so they should be given substantial latitude.</t> <t>Expert reviewers should take into consideration the following points:</t> <ul spacing="normal"><li>Clarity<li>The clarity and correctness of registrations. Experts are expected to check the clarity of purpose and use of the requested entries. Expert needs to make sure the values of algorithms are taken from the rightregistry,registry when that is required. Experts should consider requesting an opinion on the correctness of registered parameters from relevant IETF working groups. Encodings that do not meet theseobjectiveobjectives of clarity and completeness should not be registered.</li><li>Experts should take into account the<li>The expected usage of fields when approving code point assignment. The length of the encoded value should be weighed against how many code points of that length are left, the size of device it will be used on, and the number of code points left that encode to that size.</li><li>Even for<li>The fact that even "Expert Review" specifications are recommended. When specifications are not provided for a request where Expert Review is the assignment policy, the description provided needs to have sufficient information to verify the code points above.</li> </ul> </section> </section> </middle> <back> <displayreference target="I-D.ietf-rats-eat" to="EAT"/> <displayreference target="I-D.ietf-lake-reqs" to="LAKE-REQS"/> <displayreference target="I-D.ietf-core-oscore-edhoc" to="EDHOC-CoAP-OSCORE"/> <displayreference target="I-D.ietf-cose-cbor-encoded-cert" to="C509-CERTS"/> <displayreference target="I-D.ietf-core-oscore-key-update" to="KUDOS"/> <displayreference target="I-D.ietf-lwig-curve-representations" to="CURVE-REPR"/> <displayreference target="I-D.ietf-iotops-security-protocol-comparison" to="CoAP-SEC-PROT"/> <displayreference target="I-D.irtf-cfrg-det-sigs-with-noise" to="HEDGED-ECC-SIGS"/> <displayreference target="I-D.ietf-lake-authz" to="LAKE-AUTHZ"/> <displayreference target="I-D.arkko-arch-internet-threat-model-guidance" to="THREAT-MODEL-GUIDANCE"/> <references> <name>References</name> <references> <name>Normative References</name><reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"> <front> <title>Key words for use in RFCs<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3279.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3552.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5116.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5869.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6090.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6960.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6979.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7252.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7748.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7959.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8126.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8392.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8410.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8610.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8613.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8724.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8742.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8747.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8949.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9052.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9053.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9175.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9360.xml"/> </references> <references> <name>Informative References</name> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2986.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6194.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7228.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7258.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7296.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7624.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8366.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8376.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8937.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9000.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9147.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9176.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9397.xml"/> <!-- [I-D.ietf-rats-eat] Approved-announcement toIndicate Requirement Levels</title> <author fullname="S. Bradner" initials="S." surname="Bradner"/> <date month="March" year="1997"/> <abstract> <t>In many standards track documents several words arebe sent::AD Followup --> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-rats-eat.xml"/> <!-- [I-D.ietf-lake-reqs] IESG state Expired Long Way used tosignify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practicesto fix John Preuß Mattsson' last name--> <reference anchor="I-D.ietf-lake-reqs" target="https://datatracker.ietf.org/doc/html/draft-ietf-lake-reqs-04"> <front> <title>Requirements forthe Internet Community, and requests discussion and suggestionsa Lightweight AKE forimprovements.</t> </abstract>OSCORE</title> <author initials="M." surname="Vučinić" fullname="Mališa Vučinić"> <organization>Inria</organization> </author> <author initials="G." surname="Selander" fullname="Göran Selander"> <organization>Ericsson AB</organization> </author> <author initials="J." surname="Preuß Mattsson" fullname="John Preuß Mattsson"> <organization>Ericsson AB</organization> </author> <author initials="D." surname="Garcia-Carillo" fullname="Dan Garcia-Carillo"> <organization>Odin Solutions S.L.</organization> </author> <date month="June" day="8" year="2020"/> </front> <seriesInfoname="BCP" value="14"/>name="Internet-Draft" value="draft-ietf-lake-reqs-04"/> </reference> <!-- [I-D.ietf-lake-traces] companion doc RFC 9529 --> <reference anchor="RFC9529" target="https://www.rfc-editor.org/info/rfc9529"> <front> <title>Traces of Ephemeral Diffie-Hellman Over COSE (EDHOC)</title> <author initials="G." surname="Selander" fullname="Göran Selander"> <organization>Ericsson</organization> </author> <author initials="J." surname="Preuß Mattsson" fullname="John Preuß Mattsson"> <organization>Ericsson</organization> </author> <author initials="M." surname="Serafin" fullname="Marek Serafin"> <organization>ASSA ABLOY</organization> </author> <author initials="M." surname="Tiloca" fullname="Marco Tiloca"> <organization>RISE</organization> </author> <author initials="M." surname="Vučinić" fullname="Mališa Vučinić"> <organization>Inria</organization> </author> <date month="March" year="2024"/> </front> <seriesInfo name="RFC"value="2119"/>value="RFC9529"/> <seriesInfo name="DOI"value="10.17487/RFC2119"/>value="10.17487/RFC9529"/> </reference> <!-- [I-D.ietf-core-oscore-edhoc] Waiting for AD Go-Ahead --> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-core-oscore-edhoc.xml"/> <!-- [I-D.ietf-cose-cbor-encoded-cert] IESG state I-D Exists Long Way used to fix John Preuß Mattsson's last name--> <referenceanchor="RFC3279" target="https://www.rfc-editor.org/info/rfc3279" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3279.xml">anchor="I-D.ietf-cose-cbor-encoded-cert" target="https://datatracker.ietf.org/doc/html/draft-ietf-cose-cbor-encoded-cert-07"> <front><title>Algorithms and Identifiers for the Internet<title> CBOR Encoded X.509Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>Certificates (C509 Certificates) </title> <authorfullname="L. Bassham" initials="L." surname="Bassham"/>initials="J." surname="Preuß Mattsson" fullname="John Preuß Mattsson"> <organization>Ericsson AB</organization> </author> <author initials="G." surname="Selander" fullname="Göran Selander"> <organization>Ericsson AB</organization> </author> <authorfullname="W. Polk" initials="W." surname="Polk"/>initials="S." surname="Raza" fullname="Shahid Raza"> <organization>RISE AB</organization> </author> <authorfullname="R. Housley" initials="R." surname="Housley"/>initials="J." surname="Höglund" fullname="Joel Höglund"> <organization>RISE AB</organization> </author> <author initials="M." surname="Furuhed" fullname="Martin Furuhed"> <organization>Nexus Group</organization> </author> <datemonth="April" year="2002"/> <abstract> <t>This document specifies algorithm identifiers and ASN.1 encoding formats for digital signatures and subject public keys used in the Internet X.509 Public Key Infrastructure (PKI). Digital signatures aremonth="October" day="20" year="2023"/> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-cose-cbor-encoded-cert-07"/> </reference> <!-- [I-D.ietf-core-oscore-key-update] IESG state I-D Exists --> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-core-oscore-key-update.xml"/> <!-- [I-D.ietf-lwig-curve-representations] IESG state IESG Evaluation::Revised I-D Needed --> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-lwig-curve-representations.xml"/> <!-- [I-D.ietf-iotops-security-protocol-comparison] IESG state I-D Exists --> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-iotops-security-protocol-comparison.xml"/> <!-- [I-D.irtf-cfrg-det-sigs-with-noise] IESG state Expired Long Way used tosign certificatesfix John Preuß Mattsson's last name--> <reference anchor="I-D.irtf-cfrg-det-sigs-with-noise" target="https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-det-sigs-with-noise-00"> <front> <title> Deterministic ECDSA andcertificate revocation list (CRLs). Certificates include the public key of the named subject. [STANDARDS-TRACK]</t> </abstract>EdDSA Signatures with Additional Randomness </title> <author initials="J." surname="Preuß Mattsson" fullname="John Preuß Mattsson"> <organization>Ericsson</organization> </author> <author initials="E." surname="Thormarker" fullname="Erik Thormarker"> <organization>Ericsson</organization> </author> <author initials="S." surname="Ruohomaa" fullname="Sini Ruohomaa"> <organization>Ericsson</organization> </author> <date month="August" day="8" year="2022"/> </front> <seriesInfoname="RFC" value="3279"/> <seriesInfo name="DOI" value="10.17487/RFC3279"/>name="Internet-Draft" value="draft-irtf-cfrg-det-sigs-with-noise-00"/> </reference> <!-- [I-D.ietf-lake-authz.xml] IESG state I-D Exists --> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-lake-authz.xml"/> <!-- [I-D.arkko-arch-internet-threat-model-guidance] IESG state Expired --> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.arkko-arch-internet-threat-model-guidance.xml"/> <referenceanchor="RFC3552" target="https://www.rfc-editor.org/info/rfc3552" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3552.xml">anchor="SP-800-56A"> <front><title>Guidelines<title>Recommendation forWriting RFC Text on Security Considerations</title>Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography</title> <authorfullname="E. Rescorla"initials="E."surname="Rescorla"/>surname="Barker"> <organization/> </author> <authorfullname="B. Korver" initials="B." surname="Korver"/>initials="L." surname="Chen"> <organization/> </author> <author initials="A." surname="Roginsky"> <organization/> </author> <author initials="A." surname="Vassilev"> <organization/> </author> <author initials="R." surname="Davis"> <organization/> </author> <datemonth="July" year="2003"/> <abstract> <t>All RFCs are required to have a Security Considerations section. Historically, such sections have been relatively weak. This document provides guidelines to RFC authors on how to write a good Security Considerations section. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t> </abstract>year="2018" month="April"/> </front> <seriesInfoname="BCP" value="72"/> <seriesInfo name="RFC" value="3552"/>name="NIST" value="Special Publication 800-56A Revision 3"/> <seriesInfo name="DOI"value="10.17487/RFC3552"/>value="10.6028/NIST.SP.800-56Ar3"/> </reference> <referenceanchor="RFC5116" target="https://www.rfc-editor.org/info/rfc5116" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5116.xml">anchor="SP-800-108" target="https://doi.org/10.6028/NIST.SP.800-108r1-upd1"> <front><title>An Interface and Algorithms<title>Recommendation forAuthenticated Encryption</title>Key Derivation Using Pseudorandom Functions</title> <authorfullname="D. McGrew" initials="D." surname="McGrew"/>initials="L." surname="Chen"> <organization/> </author> <datemonth="January" year="2008"/> <abstract> <t>This document defines algorithms for Authenticated Encryption with Associated Data (AEAD), and defines a uniform interface and a registry for such algorithms. The interface and registry can be used as an application-independent set of cryptoalgorithm suites. This approach provides advantages in efficiency and security, and promotes the reuse of crypto implementations. [STANDARDS-TRACK]</t> </abstract>year="2022" month="August"/> </front> <seriesInfoname="RFC" value="5116"/>name="NIST" value="Special Publication 800-108 Revision 1"/> <seriesInfo name="DOI"value="10.17487/RFC5116"/>value="10.6028/NIST.SP.800-108r1-upd1"/> </reference> <referenceanchor="RFC5869" target="https://www.rfc-editor.org/info/rfc5869" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5869.xml">anchor="SP800-185" target="https://doi.org/10.6028/NIST.SP.800-185"> <front><title>HMAC-based Extract-and-Expand Key Derivation Function (HKDF)</title><title>SHA-3 Derived Functions cSHAKE, KMAC, TupleHash and ParallelHash</title> <authorfullname="H. Krawczyk" initials="H." surname="Krawczyk"/>initials="J" surname="Kelsey"> <organization/> </author> <authorfullname="P. Eronen" initials="P." surname="Eronen"/>initials="S" surname="Chang"> <organization/> </author> <author initials="R" surname="Perlner"> <organization/> </author> <datemonth="May" year="2010"/> <abstract> <t>This document specifies a simple Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF), which can be used as a building block in various protocols and applications. The key derivation function (KDF) is intended to support a wide range of applications and requirements, and is conservative in its use of cryptographic hash functions. This document is not an Internet Standards Track specification; it is published for informational purposes.</t> </abstract>year="2016" month="December"/> </front> <seriesInfoname="RFC" value="5869"/>name="NIST" value="Special Publication 800-185"/> <seriesInfo name="DOI"value="10.17487/RFC5869"/>value="10.6028/NIST.SP.800-185"/> </reference> <referenceanchor="RFC6090" target="https://www.rfc-editor.org/info/rfc6090" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6090.xml">anchor="Degabriele11" target="https://eprint.iacr.org/2011/615"> <front><title>Fundamental Elliptic Curve Cryptography Algorithms</title><title>On the Joint Security of Encryption and Signature in EMV</title> <authorfullname="D. McGrew" initials="D." surname="McGrew"/>initials="J." surname="Degabriele"> <organization/> </author> <author initials="A." surname="Lehmann"> <organization/> </author> <authorfullname="K. Igoe"initials="K."surname="Igoe"/>surname="Paterson"> <organization/> </author> <author initials="N." surname="Smart"> <organization/> </author> <authorfullname="M. Salter"initials="M."surname="Salter"/>surname="Strefler"> <organization/> </author> <datemonth="February" year="2011"/> <abstract> <t>This note describes the fundamental algorithms of Elliptic Curveyear="2011" month="December"/> </front> </reference> <reference anchor="NISTPQC" target="https://csrc.nist.gov/Projects/post-quantum-cryptography/faqs"> <front> <title>Post-Quantum Cryptography(ECC) as they were defined in some seminal references from 1994FAQs</title> <author> <organization>National Institute Standards andearlier. These descriptions may be useful for implementing the fundamental algorithms without using any of the specialized methods that were developed in following years. Only elliptic curves defined over fields of characteristic greater than three are in scope; these curves are those used in Suite B. This document is not an Internet Standards Track specification; it is published for informational purposes.</t> </abstract> </front> <seriesInfo name="RFC" value="6090"/> <seriesInfo name="DOI" value="10.17487/RFC6090"/> </reference> <reference anchor="RFC6960" target="https://www.rfc-editor.org/info/rfc6960" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6960.xml"> <front> <title>X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP</title> <author fullname="S. Santesson" initials="S." surname="Santesson"/> <author fullname="M. Myers" initials="M." surname="Myers"/> <author fullname="R. Ankney" initials="R." surname="Ankney"/> <author fullname="A. Malpani" initials="A." surname="Malpani"/> <author fullname="S. Galperin" initials="S." surname="Galperin"/> <author fullname="C. Adams" initials="C." surname="Adams"/> <date month="June" year="2013"/> <abstract> <t>This document specifies a protocol useful in determining the current status of a digital certificate without requiring Certificate Revocation Lists (CRLs). Additional mechanisms addressing PKIX operational requirements are specified in separate documents. This document obsoletes RFCs 2560 and 6277. It also updates RFC 5912.</t> </abstract> </front> <seriesInfo name="RFC" value="6960"/> <seriesInfo name="DOI" value="10.17487/RFC6960"/> </reference> <reference anchor="RFC6979" target="https://www.rfc-editor.org/info/rfc6979" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6979.xml"> <front> <title>Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)</title> <author fullname="T. Pornin" initials="T." surname="Pornin"/> <date month="August" year="2013"/> <abstract> <t>This document defines a deterministic digital signature generation procedure. Such signatures are compatible with standard Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA) digital signatures and can be processed with unmodified verifiers, which need not be aware of the procedure described therein. Deterministic signatures retain the cryptographic security features associated with digital signatures but can be more easily implemented in various environments, since they do not need access to a source of high-quality randomness.</t> </abstract> </front> <seriesInfo name="RFC" value="6979"/> <seriesInfo name="DOI" value="10.17487/RFC6979"/> </reference> <reference anchor="RFC7252" target="https://www.rfc-editor.org/info/rfc7252" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7252.xml"> <front> <title>The Constrained Application Protocol (CoAP)</title> <author fullname="Z. Shelby" initials="Z." surname="Shelby"/> <author fullname="K. Hartke" initials="K." surname="Hartke"/> <author fullname="C. Bormann" initials="C." surname="Bormann"/> <date month="June" year="2014"/> <abstract> <t>The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks. The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s. The protocol is designed for machine- to-machine (M2M) applications such as smart energy and building automation.</t> <t>CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts of the Web such as URIs and Internet media types. CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments.</t> </abstract> </front> <seriesInfo name="RFC" value="7252"/> <seriesInfo name="DOI" value="10.17487/RFC7252"/> </reference> <reference anchor="RFC7748" target="https://www.rfc-editor.org/info/rfc7748" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7748.xml"> <front> <title>Elliptic Curves for Security</title> <author fullname="A. Langley" initials="A." surname="Langley"/> <author fullname="M. Hamburg" initials="M." surname="Hamburg"/> <author fullname="S. Turner" initials="S." surname="Turner"/> <date month="January" year="2016"/> <abstract> <t>This memo specifies two elliptic curves over prime fields that offer a high level of practical security in cryptographic applications, including Transport Layer Security (TLS). These curves are intended to operate at the ~128-bit and ~224-bit security level, respectively, and are generated deterministically based on a list of required properties.</t> </abstract> </front> <seriesInfo name="RFC" value="7748"/> <seriesInfo name="DOI" value="10.17487/RFC7748"/> </reference> <reference anchor="RFC7959" target="https://www.rfc-editor.org/info/rfc7959" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7959.xml"> <front> <title>Block-Wise Transfers in the Constrained Application Protocol (CoAP)</title> <author fullname="C. Bormann" initials="C." surname="Bormann"/> <author fullname="Z. Shelby" initials="Z." role="editor" surname="Shelby"/> <date month="August" year="2016"/> <abstract> <t>The Constrained Application Protocol (CoAP) is a RESTful transfer protocol for constrained nodes and networks. Basic CoAP messages work well for small payloads from sensors and actuators; however, applications will need to transfer larger payloads occasionally -- for instance, for firmware updates. In contrast to HTTP, where TCP does the grunt work of segmenting and resequencing, CoAP is based on datagram transports such as UDP or Datagram Transport Layer Security (DTLS). These transports only offer fragmentation, which is even more problematic in constrained nodes and networks, limiting the maximum size of resource representations that can practically be transferred.</t> <t>Instead of relying on IP fragmentation, this specification extends basic CoAP with a pair of "Block" options for transferring multiple blocks of information from a resource representation in multiple request-response pairs. In many important cases, the Block options enable a server to be truly stateless: the server can handle each block transfer separately, with no need for a connection setup or other server-side memory of previous block transfers. Essentially, the Block options provide a minimal way to transfer larger representations in a block-wise fashion.</t> <t>A CoAP implementation that does not support these options generally is limited in the size of the representations that can be exchanged, so there is an expectation that the Block options will be widely used in CoAP implementations. Therefore, this specification updates RFC 7252.</t> </abstract> </front> <seriesInfo name="RFC" value="7959"/> <seriesInfo name="DOI" value="10.17487/RFC7959"/> </reference> <reference anchor="RFC8126" target="https://www.rfc-editor.org/info/rfc8126" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8126.xml"> <front> <title>Guidelines for Writing an IANA Considerations Section in RFCs</title> <author fullname="M. Cotton" initials="M." surname="Cotton"/> <author fullname="B. Leiba" initials="B." surname="Leiba"/> <author fullname="T. Narten" initials="T." surname="Narten"/> <date month="June" year="2017"/> <abstract> <t>Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA).</t> <t>To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry.</t> <t>This is the third edition of this document; it obsoletes RFC 5226.</t> </abstract> </front> <seriesInfo name="BCP" value="26"/> <seriesInfo name="RFC" value="8126"/> <seriesInfo name="DOI" value="10.17487/RFC8126"/> </reference> <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"> <front> <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title> <author fullname="B. Leiba" initials="B." surname="Leiba"/> <date month="May" year="2017"/> <abstract> <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t> </abstract> </front> <seriesInfo name="BCP" value="14"/> <seriesInfo name="RFC" value="8174"/> <seriesInfo name="DOI" value="10.17487/RFC8174"/> </reference> <reference anchor="RFC8392" target="https://www.rfc-editor.org/info/rfc8392" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8392.xml"> <front> <title>CBOR Web Token (CWT)</title> <author fullname="M. Jones" initials="M." surname="Jones"/> <author fullname="E. Wahlstroem" initials="E." surname="Wahlstroem"/> <author fullname="S. Erdtman" initials="S." surname="Erdtman"/> <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/> <date month="May" year="2018"/> <abstract> <t>CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR), and CBOR Object Signing and Encryption (COSE) is used for added application-layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value. CWT is derived from JSON Web Token (JWT) but uses CBOR rather than JSON.</t> </abstract> </front> <seriesInfo name="RFC" value="8392"/> <seriesInfo name="DOI" value="10.17487/RFC8392"/> </reference> <reference anchor="RFC8410" target="https://www.rfc-editor.org/info/rfc8410" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8410.xml"> <front> <title>Algorithm Identifiers for Ed25519, Ed448, X25519, and X448 for Use in the Internet X.509 Public Key Infrastructure</title> <author fullname="S. Josefsson" initials="S." surname="Josefsson"/> <author fullname="J. Schaad" initials="J." surname="Schaad"/> <date month="August" year="2018"/> <abstract> <t>This document specifies algorithm identifiers and ASN.1 encoding formats for elliptic curve constructs using the curve25519 and curve448 curves. The signature algorithms covered are Ed25519 and Ed448. The key agreement algorithms covered are X25519 and X448. The encoding for public key, private key, and Edwards-curve Digital Signature Algorithm (EdDSA) structures is provided.</t> </abstract> </front> <seriesInfo name="RFC" value="8410"/> <seriesInfo name="DOI" value="10.17487/RFC8410"/> </reference> <reference anchor="RFC8610" target="https://www.rfc-editor.org/info/rfc8610" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8610.xml"> <front> <title>Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures</title> <author fullname="H. Birkholz" initials="H." surname="Birkholz"/> <author fullname="C. Vigano" initials="C." surname="Vigano"/> <author fullname="C. Bormann" initials="C." surname="Bormann"/> <date month="June" year="2019"/> <abstract> <t>This document proposes a notational convention to express Concise Binary Object Representation (CBOR) data structures (RFC 7049). Its main goal is to provide an easy and unambiguous way to express structures for protocol messages and data formats that use CBOR or JSON.</t> </abstract> </front> <seriesInfo name="RFC" value="8610"/> <seriesInfo name="DOI" value="10.17487/RFC8610"/> </reference> <reference anchor="RFC8613" target="https://www.rfc-editor.org/info/rfc8613" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8613.xml"> <front> <title>Object Security for Constrained RESTful Environments (OSCORE)</title> <author fullname="G. Selander" initials="G." surname="Selander"/> <author fullname="J. Mattsson" initials="J." surname="Mattsson"/> <author fullname="F. Palombini" initials="F." surname="Palombini"/> <author fullname="L. Seitz" initials="L." surname="Seitz"/> <date month="July" year="2019"/> <abstract> <t>This document defines Object Security for Constrained RESTful Environments (OSCORE), a method for application-layer protection of the Constrained Application Protocol (CoAP), using CBOR Object Signing and Encryption (COSE). OSCORE provides end-to-end protection between endpoints communicating using CoAP or CoAP-mappable HTTP. OSCORE is designed for constrained nodes and networks supporting a range of proxy operations, including translation between different transport protocols.</t> <t>Although an optional functionality of CoAP, OSCORE alters CoAP options processing and IANA registration. Therefore, this document updates RFC 7252.</t> </abstract> </front> <seriesInfo name="RFC" value="8613"/> <seriesInfo name="DOI" value="10.17487/RFC8613"/> </reference> <reference anchor="RFC8724" target="https://www.rfc-editor.org/info/rfc8724" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8724.xml"> <front> <title>SCHC: Generic Framework for Static Context Header Compression and Fragmentation</title> <author fullname="A. Minaburo" initials="A." surname="Minaburo"/> <author fullname="L. Toutain" initials="L." surname="Toutain"/> <author fullname="C. Gomez" initials="C." surname="Gomez"/> <author fullname="D. Barthel" initials="D." surname="Barthel"/> <author fullname="JC. Zuniga" initials="JC." surname="Zuniga"/> <date month="April" year="2020"/> <abstract> <t>This document defines the Static Context Header Compression and fragmentation (SCHC) framework, which provides both a header compression mechanism and an optional fragmentation mechanism. SCHC has been designed with Low-Power Wide Area Networks (LPWANs) in mind.</t> <t>SCHC compression is based on a common static context stored both in the LPWAN device and in the network infrastructure side. This document defines a generic header compression mechanism and its application to compress IPv6/UDP headers.</t> <t>This document also specifies an optional fragmentation and reassembly mechanism. It can be used to support the IPv6 MTU requirement over the LPWAN technologies. Fragmentation is needed for IPv6 datagrams that, after SCHC compression or when such compression was not possible, still exceed the Layer 2 maximum payload size.</t> <t>The SCHC header compression and fragmentation mechanisms are independent of the specific LPWAN technology over which they are used. This document defines generic functionalities and offers flexibility with regard to parameter settings and mechanism choices. This document standardizes the exchange over the LPWAN between two SCHC entities. Settings and choices specific to a technology or a product are expected to be grouped into profiles, which are specified in other documents. Data models for the context and profiles are out of scope.</t> </abstract> </front> <seriesInfo name="RFC" value="8724"/> <seriesInfo name="DOI" value="10.17487/RFC8724"/> </reference> <reference anchor="RFC8742" target="https://www.rfc-editor.org/info/rfc8742" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8742.xml"> <front> <title>Concise Binary Object Representation (CBOR) Sequences</title> <author fullname="C. Bormann" initials="C." surname="Bormann"/> <date month="February" year="2020"/> <abstract> <t>This document describes the Concise Binary Object Representation (CBOR) Sequence format and associated media type "application/cbor-seq". A CBOR Sequence consists of any number of encoded CBOR data items, simply concatenated in sequence.</t> <t>Structured syntax suffixes for media types allow other media types to build on them and make it explicit that they are built on an existing media type as their foundation. This specification defines and registers "+cbor-seq" as a structured syntax suffix for CBOR Sequences.</t> </abstract> </front> <seriesInfo name="RFC" value="8742"/> <seriesInfo name="DOI" value="10.17487/RFC8742"/> </reference> <reference anchor="RFC8747" target="https://www.rfc-editor.org/info/rfc8747" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8747.xml"> <front> <title>Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)</title> <author fullname="M. Jones" initials="M." surname="Jones"/> <author fullname="L. Seitz" initials="L." surname="Seitz"/> <author fullname="G. Selander" initials="G." surname="Selander"/> <author fullname="S. Erdtman" initials="S." surname="Erdtman"/> <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/> <date month="March" year="2020"/> <abstract> <t>This specification describes how to declare in a CBOR Web Token (CWT) (which is defined by RFC 8392) that the presenter of the CWT possesses a particular proof-of-possession key. Being able to prove possession of a key is also sometimes described as being the holder-of-key. This specification provides equivalent functionality to "Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)" (RFC 7800) but using Concise Binary Object Representation (CBOR) and CWTs rather than JavaScript Object Notation (JSON) and JSON Web Tokens (JWTs).</t> </abstract> </front> <seriesInfo name="RFC" value="8747"/> <seriesInfo name="DOI" value="10.17487/RFC8747"/> </reference> <reference anchor="RFC8949" target="https://www.rfc-editor.org/info/rfc8949" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8949.xml"> <front> <title>Concise Binary Object Representation (CBOR)</title> <author fullname="C. Bormann" initials="C." surname="Bormann"/> <author fullname="P. Hoffman" initials="P." surname="Hoffman"/> <date month="December" year="2020"/> <abstract> <t>The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack.</t> <t>This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format.</t> </abstract> </front> <seriesInfo name="STD" value="94"/> <seriesInfo name="RFC" value="8949"/> <seriesInfo name="DOI" value="10.17487/RFC8949"/> </reference> <reference anchor="RFC9052" target="https://www.rfc-editor.org/info/rfc9052" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9052.xml"> <front> <title>CBOR Object Signing and Encryption (COSE): Structures and Process</title> <author fullname="J. Schaad" initials="J." surname="Schaad"/> <date month="August" year="2022"/> <abstract> <t>Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR.</t> <t>This document, along with RFC 9053, obsoletes RFC 8152.</t> </abstract> </front> <seriesInfo name="STD" value="96"/> <seriesInfo name="RFC" value="9052"/> <seriesInfo name="DOI" value="10.17487/RFC9052"/> </reference> <reference anchor="RFC9053" target="https://www.rfc-editor.org/info/rfc9053" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9053.xml"> <front> <title>CBOR Object Signing and Encryption (COSE): Initial Algorithms</title> <author fullname="J. Schaad" initials="J." surname="Schaad"/> <date month="August" year="2022"/> <abstract> <t>Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines a set of algorithms that can be used with the CBOR Object Signing and Encryption (COSE) protocol (RFC 9052).</t> <t>This document, along with RFC 9052, obsoletes RFC 8152.</t> </abstract> </front> <seriesInfo name="RFC" value="9053"/> <seriesInfo name="DOI" value="10.17487/RFC9053"/> </reference> <reference anchor="RFC9175" target="https://www.rfc-editor.org/info/rfc9175" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9175.xml"> <front> <title>Constrained Application Protocol (CoAP): Echo, Request-Tag, and Token Processing</title> <author fullname="C. Amsüss" initials="C." surname="Amsüss"/> <author fullname="J. Preuß Mattsson" initials="J." surname="Preuß Mattsson"/> <author fullname="G. Selander" initials="G." surname="Selander"/> <date month="February" year="2022"/> <abstract> <t>This document specifies enhancements to the Constrained Application Protocol (CoAP) that mitigate security issues in particular use cases. The Echo option enables a CoAP server to verify the freshness of a request or to force a client to demonstrate reachability at its claimed network address. The Request-Tag option allows the CoAP server to match block-wise message fragments belonging to the same request. This document updates RFC 7252 with respect to the following: processing requirements for client Tokens, forbidding non-secure reuse of Tokens to ensure response-to-request binding when CoAP is used with a security protocol, and amplification mitigation (where the use of the Echo option is now recommended).</t> </abstract> </front> <seriesInfo name="RFC" value="9175"/> <seriesInfo name="DOI" value="10.17487/RFC9175"/> </reference> <reference anchor="RFC9360" target="https://www.rfc-editor.org/info/rfc9360" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9360.xml"> <front> <title>CBOR Object Signing and Encryption (COSE): Header Parameters for Carrying and Referencing X.509 Certificates</title> <author fullname="J. Schaad" initials="J." surname="Schaad"/> <date month="February" year="2023"/> <abstract> <t>The CBOR Object Signing and Encryption (COSE) message structure uses references to keys in general. For some algorithms, additional properties are defined that carry parameters relating to keys as needed. The COSE Key structure is used for transporting keys outside of COSE messages. This document extends the way that keys can be identified and transported by providing attributes that refer to or contain X.509 certificates.</t> </abstract> </front> <seriesInfo name="RFC" value="9360"/> <seriesInfo name="DOI" value="10.17487/RFC9360"/> </reference> </references> <references> <name>Informative References</name> <reference anchor="RFC2986" target="https://www.rfc-editor.org/info/rfc2986" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2986.xml"> <front> <title>PKCS #10: Certification Request Syntax Specification Version 1.7</title> <author fullname="M. Nystrom" initials="M." surname="Nystrom"/> <author fullname="B. Kaliski" initials="B." surname="Kaliski"/> <date month="November" year="2000"/> <abstract> <t>This memo represents a republication of PKCS #10 v1.7 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, and change control is retained within the PKCS process. The body of this document, except for the security considerations section, is taken directly from the PKCS #9 v2.0 or the PKCS #10 v1.7 document. This memo provides information for the Internet community.</t> </abstract> </front> <seriesInfo name="RFC" value="2986"/> <seriesInfo name="DOI" value="10.17487/RFC2986"/> </reference> <reference anchor="RFC5280" target="https://www.rfc-editor.org/info/rfc5280" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml"> <front> <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title> <author fullname="D. Cooper" initials="D." surname="Cooper"/> <author fullname="S. Santesson" initials="S." surname="Santesson"/> <author fullname="S. Farrell" initials="S." surname="Farrell"/> <author fullname="S. Boeyen" initials="S." surname="Boeyen"/> <author fullname="R. Housley" initials="R." surname="Housley"/> <author fullname="W. Polk" initials="W." surname="Polk"/> <date month="May" year="2008"/> <abstract> <t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="5280"/> <seriesInfo name="DOI" value="10.17487/RFC5280"/> </reference> <reference anchor="RFC6194" target="https://www.rfc-editor.org/info/rfc6194" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6194.xml"> <front> <title>Security Considerations for the SHA-0 and SHA-1 Message-Digest Algorithms</title> <author fullname="T. Polk" initials="T." surname="Polk"/> <author fullname="L. Chen" initials="L." surname="Chen"/> <author fullname="S. Turner" initials="S." surname="Turner"/> <author fullname="P. Hoffman" initials="P." surname="Hoffman"/> <date month="March" year="2011"/> <abstract> <t>This document includes security considerations for the SHA-0 and SHA-1 message digest algorithm. This document is not an Internet Standards Track specification; it is published for informational purposes.</t> </abstract> </front> <seriesInfo name="RFC" value="6194"/> <seriesInfo name="DOI" value="10.17487/RFC6194"/> </reference> <reference anchor="RFC7228" target="https://www.rfc-editor.org/info/rfc7228" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7228.xml"> <front> <title>Terminology for Constrained-Node Networks</title> <author fullname="C. Bormann" initials="C." surname="Bormann"/> <author fullname="M. Ersue" initials="M." surname="Ersue"/> <author fullname="A. Keranen" initials="A." surname="Keranen"/> <date month="May" year="2014"/> <abstract> <t>The Internet Protocol Suite is increasingly used on small devices with severe constraints on power, memory, and processing resources, creating constrained-node networks. This document provides a number of basic terms that have been useful in the standardization work for constrained-node networks.</t> </abstract> </front> <seriesInfo name="RFC" value="7228"/> <seriesInfo name="DOI" value="10.17487/RFC7228"/> </reference> <reference anchor="RFC7258" target="https://www.rfc-editor.org/info/rfc7258" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7258.xml"> <front> <title>Pervasive Monitoring Is an Attack</title> <author fullname="S. Farrell" initials="S." surname="Farrell"/> <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/> <date month="May" year="2014"/> <abstract> <t>Pervasive monitoring is a technical attack that should be mitigated in the design of IETF protocols, where possible.</t> </abstract> </front> <seriesInfo name="BCP" value="188"/> <seriesInfo name="RFC" value="7258"/> <seriesInfo name="DOI" value="10.17487/RFC7258"/> </reference> <reference anchor="RFC7296" target="https://www.rfc-editor.org/info/rfc7296" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7296.xml"> <front> <title>Internet Key Exchange Protocol Version 2 (IKEv2)</title> <author fullname="C. Kaufman" initials="C." surname="Kaufman"/> <author fullname="P. Hoffman" initials="P." surname="Hoffman"/> <author fullname="Y. Nir" initials="Y." surname="Nir"/> <author fullname="P. Eronen" initials="P." surname="Eronen"/> <author fullname="T. Kivinen" initials="T." surname="Kivinen"/> <date month="October" year="2014"/> <abstract> <t>This document describes version 2 of the Internet Key Exchange (IKE) protocol. IKE is a component of IPsec used for performing mutual authentication and establishing and maintaining Security Associations (SAs). This document obsoletes RFC 5996, and includes all of the errata for it. It advances IKEv2 to be an Internet Standard.</t> </abstract> </front> <seriesInfo name="STD" value="79"/> <seriesInfo name="RFC" value="7296"/> <seriesInfo name="DOI" value="10.17487/RFC7296"/> </reference> <reference anchor="RFC7624" target="https://www.rfc-editor.org/info/rfc7624" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7624.xml"> <front> <title>Confidentiality in the Face of Pervasive Surveillance: A Threat Model and Problem Statement</title> <author fullname="R. Barnes" initials="R." surname="Barnes"/> <author fullname="B. Schneier" initials="B." surname="Schneier"/> <author fullname="C. Jennings" initials="C." surname="Jennings"/> <author fullname="T. Hardie" initials="T." surname="Hardie"/> <author fullname="B. Trammell" initials="B." surname="Trammell"/> <author fullname="C. Huitema" initials="C." surname="Huitema"/> <author fullname="D. Borkmann" initials="D." surname="Borkmann"/> <date month="August" year="2015"/> <abstract> <t>Since the initial revelations of pervasive surveillance in 2013, several classes of attacks on Internet communications have been discovered. In this document, we develop a threat model that describes these attacks on Internet confidentiality. We assume an attacker that is interested in undetected, indiscriminate eavesdropping. The threat model is based on published, verified attacks.</t> </abstract> </front> <seriesInfo name="RFC" value="7624"/> <seriesInfo name="DOI" value="10.17487/RFC7624"/> </reference> <reference anchor="RFC8366" target="https://www.rfc-editor.org/info/rfc8366" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8366.xml"> <front> <title>A Voucher Artifact for Bootstrapping Protocols</title> <author fullname="K. Watsen" initials="K." surname="Watsen"/> <author fullname="M. Richardson" initials="M." surname="Richardson"/> <author fullname="M. Pritikin" initials="M." surname="Pritikin"/> <author fullname="T. Eckert" initials="T." surname="Eckert"/> <date month="May" year="2018"/> <abstract> <t>This document defines a strategy to securely assign a pledge to an owner using an artifact signed, directly or indirectly, by the pledge's manufacturer. This artifact is known as a "voucher".</t> <t>This document defines an artifact format as a YANG-defined JSON document that has been signed using a Cryptographic Message Syntax (CMS) structure. Other YANG-derived formats are possible. The voucher artifact is normally generated by the pledge's manufacturer (i.e., the Manufacturer Authorized Signing Authority (MASA)).</t> <t>This document only defines the voucher artifact, leaving it to other documents to describe specialized protocols for accessing it.</t> </abstract> </front> <seriesInfo name="RFC" value="8366"/> <seriesInfo name="DOI" value="10.17487/RFC8366"/> </reference> <reference anchor="RFC8376" target="https://www.rfc-editor.org/info/rfc8376" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8376.xml"> <front> <title>Low-Power Wide Area Network (LPWAN) Overview</title> <author fullname="S. Farrell" initials="S." role="editor" surname="Farrell"/> <date month="May" year="2018"/> <abstract> <t>Low-Power Wide Area Networks (LPWANs) are wireless technologies with characteristics such as large coverage areas, low bandwidth, possibly very small packet and application-layer data sizes, and long battery life operation. This memo is an informational overview of the set of LPWAN technologies being considered in the IETF and of the gaps that exist between the needs of those technologies and the goal of running IP in LPWANs.</t> </abstract> </front> <seriesInfo name="RFC" value="8376"/> <seriesInfo name="DOI" value="10.17487/RFC8376"/> </reference> <reference anchor="RFC8446" target="https://www.rfc-editor.org/info/rfc8446" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml"> <front> <title>The Transport Layer Security (TLS) Protocol Version 1.3</title> <author fullname="E. Rescorla" initials="E." surname="Rescorla"/> <date month="August" year="2018"/> <abstract> <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t> <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t> </abstract> </front> <seriesInfo name="RFC" value="8446"/> <seriesInfo name="DOI" value="10.17487/RFC8446"/> </reference> <reference anchor="RFC8937" target="https://www.rfc-editor.org/info/rfc8937" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8937.xml"> <front> <title>Randomness Improvements for Security Protocols</title> <author fullname="C. Cremers" initials="C." surname="Cremers"/> <author fullname="L. Garratt" initials="L." surname="Garratt"/> <author fullname="S. Smyshlyaev" initials="S." surname="Smyshlyaev"/> <author fullname="N. Sullivan" initials="N." surname="Sullivan"/> <author fullname="C. Wood" initials="C." surname="Wood"/> <date month="October" year="2020"/> <abstract> <t>Randomness is a crucial ingredient for Transport Layer Security (TLS) and related security protocols. Weak or predictable "cryptographically secure" pseudorandom number generators (CSPRNGs) can be abused or exploited for malicious purposes. An initial entropy source that seeds a CSPRNG might be weak or broken as well, which can also lead to critical and systemic security problems. This document describes a way for security protocol implementations to augment their CSPRNGs using long-term private keys. This improves randomness from broken or otherwise subverted CSPRNGs.</t> <t>This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.</t> </abstract> </front> <seriesInfo name="RFC" value="8937"/> <seriesInfo name="DOI" value="10.17487/RFC8937"/> </reference> <reference anchor="RFC9000" target="https://www.rfc-editor.org/info/rfc9000" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9000.xml"> <front> <title>QUIC: A UDP-Based Multiplexed and Secure Transport</title> <author fullname="J. Iyengar" initials="J." role="editor" surname="Iyengar"/> <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/> <date month="May" year="2021"/> <abstract> <t>This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm.</t> </abstract> </front> <seriesInfo name="RFC" value="9000"/> <seriesInfo name="DOI" value="10.17487/RFC9000"/> </reference> <reference anchor="RFC9147" target="https://www.rfc-editor.org/info/rfc9147" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9147.xml"> <front> <title>The Datagram Transport Layer Security (DTLS) Protocol Version 1.3</title> <author fullname="E. Rescorla" initials="E." surname="Rescorla"/> <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/> <author fullname="N. Modadugu" initials="N." surname="Modadugu"/> <date month="April" year="2022"/> <abstract> <t>This document specifies version 1.3 of the Datagram Transport Layer Security (DTLS) protocol. DTLS 1.3 allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t> <t>The DTLS 1.3 protocol is based on the Transport Layer Security (TLS) 1.3 protocol and provides equivalent security guarantees with the exception of order protection / non-replayability. Datagram semantics of the underlying transport are preserved by the DTLS protocol.</t> <t>This document obsoletes RFC 6347.</t> </abstract> </front> <seriesInfo name="RFC" value="9147"/> <seriesInfo name="DOI" value="10.17487/RFC9147"/> </reference> <reference anchor="RFC9176" target="https://www.rfc-editor.org/info/rfc9176" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9176.xml"> <front> <title>Constrained RESTful Environments (CoRE) Resource Directory</title> <author fullname="C. Amsüss" initials="C." role="editor" surname="Amsüss"/> <author fullname="Z. Shelby" initials="Z." surname="Shelby"/> <author fullname="M. Koster" initials="M." surname="Koster"/> <author fullname="C. Bormann" initials="C." surname="Bormann"/> <author fullname="P. van der Stok" initials="P." surname="van der Stok"/> <date month="April" year="2022"/> <abstract> <t>In many Internet of Things (IoT) applications, direct discovery of resources is not practical due to sleeping nodes or networks where multicast traffic is inefficient. These problems can be solved by employing an entity called a Resource Directory (RD), which contains information about resources held on other servers, allowing lookups to be performed for those resources. The input to an RD is composed of links, and the output is composed of links constructed from the information stored in the RD. This document specifies the web interfaces that an RD supports for web servers to discover the RD and to register, maintain, look up, and remove information on resources. Furthermore, new target attributes useful in conjunction with an RD are defined.</t> </abstract> </front> <seriesInfo name="RFC" value="9176"/> <seriesInfo name="DOI" value="10.17487/RFC9176"/> </reference> <reference anchor="RFC9397" target="https://www.rfc-editor.org/info/rfc9397" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9397.xml"> <front> <title>Trusted Execution Environment Provisioning (TEEP) Architecture</title> <author fullname="M. Pei" initials="M." surname="Pei"/> <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/> <author fullname="D. Thaler" initials="D." surname="Thaler"/> <author fullname="D. Wheeler" initials="D." surname="Wheeler"/> <date month="July" year="2023"/> <abstract> <t>A Trusted Execution Environment (TEE) is an environment that enforces the following: any code within the environment cannot be tampered with, and any data used by such code cannot be read or tampered with by any code outside the environment. This architecture document discusses the motivation for designing and standardizing a protocol for managing the lifecycle of Trusted Applications running inside such a TEE.</t> </abstract> </front> <seriesInfo name="RFC" value="9397"/> <seriesInfo name="DOI" value="10.17487/RFC9397"/> </reference> <reference anchor="I-D.ietf-rats-eat" target="https://datatracker.ietf.org/doc/html/draft-ietf-rats-eat-21" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-rats-eat.xml"> <front> <title>The Entity Attestation Token (EAT)</title> <author fullname="Laurence Lundblade" initials="L." surname="Lundblade"> <organization>Security Theory LLC</organization> </author> <author fullname="Giridhar Mandyam" initials="G." surname="Mandyam"> <organization>Qualcomm Technologies Inc.</organization> </author> <author fullname="Jeremy O'Donoghue" initials="J." surname="O'Donoghue"> <organization>Qualcomm Technologies Inc.</organization> </author> <author fullname="Carl Wallace" initials="C." surname="Wallace"> <organization>Red Hound Software, Inc.</organization> </author> <date day="30" month="June" year="2023"/> <abstract> <t>An Entity Attestation Token (EAT) provides an attested claims set that describes state and characteristics of an entity, a device like a smartphone, IoT device, network equipment or such. This claims set is used by a relying party, server or service to determine how much it wishes to trust the entity. An EAT is either a CBOR Web Token (CWT) or JSON Web Token (JWT) with attestation-oriented claims.</t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-rats-eat-21"/> </reference> <reference anchor="I-D.ietf-lake-reqs" target="https://datatracker.ietf.org/doc/html/draft-ietf-lake-reqs-04" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-lake-reqs.xml"> <front> <title>Requirements for a Lightweight AKE for OSCORE</title> <author fullname="Mališa Vučinić" initials="M." surname="Vučinić"> <organization>Inria</organization> </author> <author fullname="Göran Selander" initials="G." surname="Selander"> <organization>Ericsson AB</organization> </author> <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson"> <organization>Ericsson AB</organization> </author> <author fullname="Dan Garcia-Carillo" initials="D." surname="Garcia-Carillo"> <organization>Odin Solutions S.L.</organization> </author> <date day="8" month="June" year="2020"/> <abstract> <t>This document compiles the requirements for a lightweight authenticated key exchange protocol for OSCORE. This draft has completed a working group last call (WGLC) in the LAKE working group. Post-WGLC, the requirements are considered sufficiently stable for the working group to proceed with its work. It is not currently planned to publish this draft as an RFC.</t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-lake-reqs-04"/> </reference> <reference anchor="I-D.ietf-lake-traces" target="https://datatracker.ietf.org/doc/html/draft-ietf-lake-traces-05" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-lake-traces.xml"> <front> <title>Traces of EDHOC</title> <author fullname="Göran Selander" initials="G." surname="Selander"> <organization>Ericsson</organization> </author> <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson"> <organization>Ericsson</organization> </author> <author fullname="Marek Serafin" initials="M." surname="Serafin"> <organization>ASSA ABLOY</organization> </author> <author fullname="Marco Tiloca" initials="M." surname="Tiloca"> <organization>RISE</organization> </author> <date day="28" month="April" year="2023"/> <abstract> <t>This document contains some example traces of Ephemeral Diffie- Hellman Over COSE (EDHOC).</t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-lake-traces-05"/> </reference> <reference anchor="I-D.ietf-core-oscore-edhoc" target="https://datatracker.ietf.org/doc/html/draft-ietf-core-oscore-edhoc-08" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-core-oscore-edhoc.xml"> <front> <title>Using EDHOC with CoAP and OSCORE</title> <author fullname="Francesca Palombini" initials="F." surname="Palombini"> <organization>Ericsson</organization> </author> <author fullname="Marco Tiloca" initials="M." surname="Tiloca"> <organization>RISE AB</organization> </author> <author fullname="Rikard Höglund" initials="R." surname="Höglund"> <organization>RISE AB</organization> </author> <author fullname="Stefan Hristozov" initials="S." surname="Hristozov"> <organization>Fraunhofer AISEC</organization> </author> <author fullname="Göran Selander" initials="G." surname="Selander"> <organization>Ericsson</organization> </author> <date day="8" month="August" year="2023"/> <abstract> <t>The lightweight authenticated key exchange protocol EDHOC can be run over CoAP and used by two peers to establish an OSCORE Security Context. This document details this use of the EDHOC protocol, by specifying a number of additional and optional mechanisms. These especially include an optimization approach for combining the execution of EDHOC with the first OSCORE transaction. This combination reduces the number of round trips required to set up an OSCORE Security Context and to complete an OSCORE transaction using that Security Context.</t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-core-oscore-edhoc-08"/> </reference> <reference anchor="I-D.ietf-cose-cbor-encoded-cert" target="https://datatracker.ietf.org/doc/html/draft-ietf-cose-cbor-encoded-cert-06" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-cose-cbor-encoded-cert.xml"> <front> <title>CBOR Encoded X.509 Certificates (C509 Certificates)</title> <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson"> <organization>Ericsson AB</organization> </author> <author fullname="Göran Selander" initials="G." surname="Selander"> <organization>Ericsson AB</organization>Technology (NIST)</organization> </author><author fullname="Shahid Raza" initials="S." surname="Raza"> <organization>RISE AB</organization> </author> <author fullname="Joel Höglund" initials="J." surname="Höglund"> <organization>RISE AB</organization> </author> <author fullname="Martin Furuhed" initials="M." surname="Furuhed"> <organization>Nexus Group</organization> </author> <date day="7" month="July" year="2023"/> <abstract> <t>This document specifies a CBOR encoding of X.509 certificates. The resulting certificates are called C509 Certificates. The CBOR encoding supports a large subset of RFC 5280 and all certificates compatible with the RFC 7925, IEEE 802.1AR (DevID), CNSA, RPKI, GSMA eUICC, and CA/Browser Forum Baseline Requirements profiles. When used to re-encode DER encoded X.509 certificates, the CBOR encoding can in many cases reduce the size of RFC 7925 profiled certificates with over 50%. The CBOR encoded structure can alternatively be signed directly ("natively signed"), which does not require re- encoding for the signature to be verified. The document also specifies C509 COSE headers, a C509 TLS certificate type, and a C509 file format.</t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-cose-cbor-encoded-cert-06"/> </reference> <reference anchor="I-D.ietf-core-oscore-key-update" target="https://datatracker.ietf.org/doc/html/draft-ietf-core-oscore-key-update-05" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-core-oscore-key-update.xml"> <front> <title>Key Update for OSCORE (KUDOS)</title> <author fullname="Rikard Höglund" initials="R." surname="Höglund"> <organization>RISE AB</organization> </author> <author fullname="Marco Tiloca" initials="M." surname="Tiloca"> <organization>RISE AB</organization> </author> <date day="10" month="July" year="2023"/> <abstract> <t>This document defines Key Update for OSCORE (KUDOS), a lightweight procedure that two CoAP endpoints can use to update their keying material by establishing a new OSCORE Security Context. Accordingly, it updates the use of the OSCORE flag bits in the CoAP OSCORE Option as well as the protection of CoAP response messages with OSCORE, and it deprecates the key update procedure specified in Appendix B.2 of RFC 8613. Thus, this document updates RFC 8613. Also, this document defines a procedure that two endpoints can use to update their OSCORE identifiers, run either stand-alone or during a KUDOS execution.</t> </abstract></front><seriesInfo name="Internet-Draft" value="draft-ietf-core-oscore-key-update-05"/></reference> <referenceanchor="I-D.ietf-lwig-curve-representations" target="https://datatracker.ietf.org/doc/html/draft-ietf-lwig-curve-representations-23" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-lwig-curve-representations.xml">anchor="SECG" target="https://www.secg.org/sec1-v2.pdf"> <front><title>Alternative<title>SEC 1: Elliptic CurveRepresentations</title> <author fullname="Rene Struik" initials="R." surname="Struik"> <organization>Struik Security Consultancy</organization> </author> <date day="21" month="January" year="2022"/> <abstract> <t>This document specifies how to represent Montgomery curves and (twisted) Edwards curves as curves in short-Weierstrass form and illustrates how this can be used to carry out elliptic curve computations leveraging existing implementations and specifications of, e.g., ECDSA and ECDH using NIST prime curves. We also provide extensive background material that may be useful for implementers of elliptic curve cryptography.</t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-lwig-curve-representations-23"/> </reference> <reference anchor="I-D.ietf-iotops-security-protocol-comparison" target="https://datatracker.ietf.org/doc/html/draft-ietf-iotops-security-protocol-comparison-02" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-iotops-security-protocol-comparison.xml"> <front> <title>Comparison of CoAP Security Protocols</title> <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson"> <organization>Ericsson AB</organization> </author> <author fullname="Francesca Palombini" initials="F." surname="Palombini"> <organization>Ericsson AB</organization> </author> <author fullname="Mališa Vučinić" initials="M." surname="Vučinić"> <organization>INRIA</organization> </author> <date day="11" month="April" year="2023"/> <abstract> <t>This document analyzes and compares the sizes of key exchange flights and the per-packet message size overheads when using different security protocols to secure CoAP. The described overheads are independent of the underlying transport. Small message sizes are very important for reducing energy consumption, latency, and time to completion in constrained radio network such as Low-Power Wide Area Networks (LPWANs). The analyzed security protocols are DTLS 1.2, DTLS 1.3, TLS 1.2, TLS 1.3, cTLS, EDHOC, OSCORE, and Group OSCORE. The DTLS and TLS record layers are analyzed with and without 6LoWPAN- GHC compression. DTLS is analyzed with and without Connection ID.</t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-iotops-security-protocol-comparison-02"/> </reference> <reference anchor="I-D.irtf-cfrg-det-sigs-with-noise" target="https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-det-sigs-with-noise-00" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.irtf-cfrg-det-sigs-with-noise.xml"> <front> <title>Deterministic ECDSA and EdDSA Signatures with Additional Randomness</title> <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson"> <organization>Ericsson</organization> </author> <author fullname="Erik Thormarker" initials="E." surname="Thormarker"> <organization>Ericsson</organization> </author> <author fullname="Sini Ruohomaa" initials="S." surname="Ruohomaa"> <organization>Ericsson</organization> </author> <date day="8" month="August" year="2022"/> <abstract> <t>Deterministic elliptic-curve signatures such as deterministic ECDSA and EdDSA have gained popularity over randomized ECDSA as their security do not depend on a source of high-quality randomness. Recent research has however found that implementations of these signature algorithms may be vulnerable to certain side-channel and fault injection attacks due to their determinism. One countermeasure to such attacks is to re-add randomness to the otherwise deterministic calculation of the per-message secret number. This document updates RFC 6979 and RFC 8032 to recommend constructions with additional randomness for deployments where side-channel attacks and fault injection attacks are a concern. The updates are invisible to the validator of the signature and compatible with existing ECDSA and EdDSA validators.</t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-det-sigs-with-noise-00"/> </reference> <reference anchor="I-D.selander-lake-authz" target="https://datatracker.ietf.org/doc/html/draft-selander-lake-authz-03" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.selander-lake-authz.xml"> <front> <title>Lightweight Authorization using Ephemeral Diffie-Hellman Over COSE</title> <author fullname="Göran Selander" initials="G." surname="Selander"> <organization>Ericsson AB</organization> </author> <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson"> <organization>Ericsson AB</organization> </author> <author fullname="Mališa Vučinić" initials="M." surname="Vučinić"> <organization>INRIA</organization> </author> <author fullname="Michael Richardson" initials="M." surname="Richardson"> <organization>Sandelman Software Works</organization> </author> <author fullname="Aurelio Schellenbaum" initials="A." surname="Schellenbaum"> <organization>Institute of Embedded Systems, ZHAW</organization> </author> <date day="7" month="July" year="2023"/> <abstract> <t>This document describes a procedure for authorizing enrollment of new devices using the lightweight authenticated key exchange protocol Ephemeral Diffie-Hellman Over COSE (EDHOC). The procedure is applicable to zero-touch onboarding of new devices to a constrained network leveraging trust anchors installed at manufacture time.</t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-selander-lake-authz-03"/> </reference> <reference anchor="I-D.arkko-arch-internet-threat-model-guidance" target="https://datatracker.ietf.org/doc/html/draft-arkko-arch-internet-threat-model-guidance-00" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.arkko-arch-internet-threat-model-guidance.xml"> <front> <title>Internet Threat Model Guidance</title> <author fullname="Jari Arkko" initials="J." surname="Arkko"> <organization>Ericsson</organization> </author> <author fullname="Stephen Farrell" initials="S." surname="Farrell"> <organization>Trinity College Dublin</organization> </author> <date day="12" month="July" year="2021"/> <abstract> <t>Communications security has been at the center of many security improvements in the Internet. The goal has been to ensure that communications are protected against outside observers and attackers. This memo suggests that the existing RFC 3552 threat model, while important and still valid, is no longer alone sufficient to cater for the pressing security and privacy issues seen on the Internet today. For instance, it is often also necessary to protect against endpoints that are compromised, malicious, or whose interests simply do not align with the interests of users. While such protection is difficult, there are some measures that can be taken and we argue that investigation of these issues is warranted. It is particularly important to ensure that as we continue to develop Internet technology, non-communications security related threats, and privacy issues, are properly understood.</t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-arkko-arch-internet-threat-model-guidance-00"/> </reference> <reference anchor="SP-800-56A" target="https://doi.org/10.6028/NIST.SP.800-56Ar3"> <front> <title>Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete LogarithmCryptography</title><author initials="E." surname="Barker"> <organization/> </author> <author initials="L." surname="Chen"> <organization/> </author> <author initials="A." surname="Roginsky"> <organization/> </author> <author initials="A." surname="Vassilev"> <organization/> </author> <author initials="R." surname="Davis"> <organization/> </author> <date year="2018" month="April"/> </front> <seriesInfo name="NIST" value="Special Publication 800-56A Revision 3"/> </reference> <reference anchor="SP-800-108" target="https://doi.org/10.6028/NIST.SP.800-108r1"> <front> <title>Recommendation for Key Derivation Using Pseudorandom Functions</title> <author initials="L." surname="Chen"> <organization/> </author> <date year="2022" month="August"/> </front> <seriesInfo name="NIST" value="Special Publication 800-108 Revision 1"/> </reference> <reference anchor="SP800-185" target="https://doi.org/10.6028/NIST.SP.800-185"> <front> <title>SHA-3 Derived Functions cSHAKE, KMAC, TupleHash and ParallelHash</title> <author initials="" surname="John Kelsey"> <organization/> </author> <author initials="" surname="Shu-jen Chang"> <organization/> </author> <author initials="" surname="Ray Perlner"> <organization/> </author> <date year="2016" month="December"/> </front> <seriesInfo name="NIST" value="Special Publication 800-185"/> </reference> <reference anchor="Degabriele11" target="https://eprint.iacr.org/2011/615"> <front> <title>On the Joint Security of Encryption and Signature in EMV</title> <author initials="J. P." surname="Degabriele"> <organization/> </author> <author initials="A." surname="Lehmann"> <organization/> </author> <author initials="K. G." surname="Paterson"> <organization/> </author> <author initials="N. P." surname="Smart"> <organization/> </author> <author initials="M." surname="Strefler"> <organization/> </author> <date year="2011" month="December"/> </front> </reference> <reference anchor="NISTPQC" target="https://csrc.nist.gov/Projects/post-quantum-cryptography/faqs"> <front> <title>Post-Quantum Cryptography FAQs</title> <author> <organization/> </author> <date year="2023" month="August"/> </front> </reference> <reference anchor="SECG" target="https://www.secg.org/sec1-v2.pdf"> <front> <title>Standards for Efficient Cryptography 1 (SEC 1)</title><author><organization/><organization>Certicom Research</organization> </author> <date year="2009" month="May"/> </front> <refcontent>Standards for Efficient Cryptography</refcontent> </reference> <reference anchor="SIGMA" target="https://www.iacr.org/cryptodb/archive/2003/CRYPTO/1495/1495.pdf"> <front><title>SIGMA - The<title>SIGMA: the 'SIGn-and-MAc' Approach to Authenticated Diffie-Hellman and Its Use in the IKE-Protocols</title> <author initials="H." surname="Krawczyk"> <organization/> </author> <date year="2003" month="June"/> </front> </reference> <reference anchor="HKDFpaper" target="https://eprint.iacr.org/2010/264.pdf"> <front> <title>Cryptographic Extraction and Key Derivation: The HKDF Scheme</title> <author initials="H." surname="Krawczyk"> <organization/> </author> <date year="2010" month="May"/> </front> </reference> <reference anchor="Thormarker21" target="https://eprint.iacr.org/2021/509.pdf"> <front> <title>On using the same key pair for Ed25519 and an X25519 based KEM</title> <author initials="E." surname="Thormarker"> <organization/> </author> <date year="2021" month="April"/> </front> </reference> <reference anchor="CNSA"target="https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite">target="https://en.wikipedia.org/w/index.php?title=Commercial_National_Security_Algorithm_Suite&oldid=1181333611"> <front> <title>Commercial National Security Algorithm Suite</title><author initials="" surname="NSA"> <organization/><author> <organization>Wikipedia</organization> </author> <dateyear="2015" month="August"/>year="2023" month="October"/> </front> </reference> <reference anchor="GuentherIlunga22" target="https://eprint.iacr.org/2022/1705"> <front> <title>Careful with MAc-then-SIGn: A Computational Analysis of the EDHOC Lightweight Authenticated Key Exchange Protocol</title> <author initials="F." surname="Günther"> <organization/> </author> <author initials="M."surname="Ilunga">surname="Mukendi"> <organization/> </author> <date year="2022" month="December"/> </front> </reference> <reference anchor="Jacomme23" target="https://hal.inria.fr/hal-03810102/"> <front> <title>A comprehensive, formal and automated analysis of the EDHOC protocol</title> <author initials="C." surname="Jacomme"> <organization/> </author> <author initials="E." surname="Klein"> <organization/> </author> <author initials="S." surname="Kremer"> <organization/> </author> <author initials="M." surname="Racouchot"> <organization/> </author> <date year="2022" month="October"/> </front> </reference> <reference anchor="CottierPointcheval22" target="https://arxiv.org/abs/2209.03599"> <front> <title>Security Analysis of the EDHOC protocol</title> <author initials="B." surname="Cottier"> <organization/> </author> <author initials="D." surname="Pointcheval"> <organization/> </author> <date year="2022" month="September"/> </front> </reference> <reference anchor="Norrman20" target="https://arxiv.org/abs/2007.11427"> <front> <title>Formal Analysis of EDHOC Key Establishment for Constrained IoT Devices</title> <author initials="K." surname="Norrman"> <organization/> </author> <author initials="V." surname="Sundararajan"> <organization/> </author> <author initials="A." surname="Bruni"> <organization/> </author> <date year="2020" month="September"/> </front> </reference> <reference anchor="Bruni18" target="https://www.springerprofessional.de/en/formal-verification-of-ephemeral-diffie-hellman-over-cose-edhoc/16284348"> <front> <title>Formal Verification of Ephemeral Diffie-Hellman Over COSE (EDHOC)</title> <author initials="A." surname="Bruni"> <organization/> </author> <author initials="T." surname="Sahl Jørgensen"> <organization/> </author> <author initials="T." surname="Grønbech Petersen"> <organization/> </author> <author initials="C." surname="Schürmann"> <organization/> </author> <date year="2018" month="November"/> </front> </reference> <reference anchor="CborMe" target="https://cbor.me/"> <front> <title>CBOR Playground</title> <author initials="C." surname="Bormann"> <organization/> </author><date year="2018" month="May"/></front> </reference> <reference anchor="Noise" target="https://noiseprotocol.org/noise.html"> <front> <title>The Noise ProtocolFramework, Revision 34</title>Framework</title> <author initials="T." surname="Perrin"> <organization/> </author> <date year="2018" month="July"/> </front> <refcontent>Revision 34</refcontent> </reference> </references> </references> <?line 1918?> <section anchor="transfer"> <name>Use with OSCORE and Transfer over CoAP</name> <t>This appendix describes how to derive an OSCORE security context when EDHOC is used to keyOSCORE,OSCORE and how to transfer EDHOC messages over CoAP. The use of CoAP or OSCORE with EDHOC is optional, but if you are using CoAP or OSCORE, then certain normative requirements apply as detailed in the subsections.</t> <section anchor="oscore-ctx-derivation"> <name>Deriving the OSCORE Security Context</name> <t>This section specifies how to use EDHOC output to derive the OSCORE security context.</t> <t>After successful processing of EDHOC message_3, the Client and Server deriveSecurity Contextsecurity context parameters for OSCORE as follows (seeSection 3.2 of<xreftarget="RFC8613"/>):</t>target="RFC8613" section="3.2" sectionFormat="of"/>):</t> <ul spacing="normal"> <li> <t>The Master Secret and Master SaltSHALL<bcp14>SHALL</bcp14> be derived by using the EDHOC_Exporterinterface, seeinterface (see <xreftarget="exporter"/>:target="exporter"/>): </t> <ul spacing="normal"> <li>The EDHOC Exporter Labels for deriving the OSCORE Master Secret andtheOSCORE MasterSalt,Salt are the uints 0 and 1, respectively.</li> <li>The context parameter is h'' (0x40), the empty CBOR byte string.</li> <li>By default, oscore_key_length is the key length (in bytes) of the application AEADAlgorithmalgorithm of the selected cipher suite for the EDHOC session. Also by default, oscore_salt_length has value 8. The Initiator and ResponderMAY<bcp14>MAY</bcp14> agree out-of-band on a longer oscore_key_length than thedefault,default and on shorter or longer than the default oscore_salt_length.</li> </ul> </li> </ul> <artwork><![CDATA[ Master Secret = EDHOC_Exporter( 0, h'', oscore_key_length ) Master Salt = EDHOC_Exporter( 1, h'', oscore_salt_length ) ]]></artwork> <ul spacing="normal"> <li>The AEADAlgorithm SHALLalgorithm <bcp14>SHALL</bcp14> be the application AEAD algorithm of the selected cipher suite for the EDHOC session.</li> <li>The HKDFAlgorithm SHALLalgorithm <bcp14>SHALL</bcp14> be the one based on the application hash algorithm of the selected cipher suite for the EDHOC session. For example, if SHA-256 is the application hash algorithm of the selected cipher suite, HKDF SHA-256 is used as the HKDFAlgorithmalgorithm in the OSCORESecurity Context.</li>security context.</li> <li>The relationship between identifiers in OSCORE and EDHOC is specified in <xref target="ci-oscore"/>. The OSCORE Sender ID and Recipient IDSHALL<bcp14>SHALL</bcp14> be determined bytheEDHOC connection identifiers C_R and C_I for the EDHOC session as shown in <xreftarget="fig-edhoc-oscore-id-mapping"/>.</li>target="tab-edhoc-oscore-id-mapping"/>.</li> </ul><figure anchor="fig-edhoc-oscore-id-mapping"><table anchor="tab-edhoc-oscore-id-mapping"> <name>Usage ofconnection identifiersConnection Identifiers inOSCORE.</name> <artset> <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="144" width="488" viewBox="0 0 488 144" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <path d="M 8,32 L 8,128" fill="none" stroke="black"/> <path d="M 152,32 L 152,128" fill="none" stroke="black"/> <path d="M 304,32 L 304,128" fill="none" stroke="black"/> <path d="M 480,32 L 480,128" fill="none" stroke="black"/> <path d="M 8,32 L 480,32" fill="none" stroke="black"/> <path d="M 8,62 L 480,62" fill="none" stroke="black"/> <path d="M 8,66 L 480,66" fill="none" stroke="black"/> <path d="M 8,96 L 480,96" fill="none" stroke="black"/> <path d="M 8,128 L 480,128" fill="none" stroke="black"/> <g class="text"> <text x="188" y="52">OSCORE</text> <text x="244" y="52">Sender</text> <text x="284" y="52">ID</text> <text x="340" y="52">OSCORE</text> <text x="408" y="52">Recipient</text> <text x="460" y="52">ID</text> <text x="40" y="84">EDHOC</text> <text x="104" y="84">Initiator</text> <text x="232" y="84">C_R</text> <text x="392" y="84">C_I</text> <text x="40" y="116">EDHOC</text> <text x="104" y="116">Responder</text> <text x="232" y="116">C_I</text> <text x="392" y="116">C_R</text> </g> </svg> </artwork> <artwork type="ascii-art" align="center"><![CDATA[ +-----------------+------------------+---------------------+ | | OSCOREOSCORE</name> <thead> <tr> <th></th> <th>OSCORE SenderID | OSCOREID</th> <th>OSCORE RecipientID | +=================+==================+=====================+ | EDHOC Initiator | C_R | C_I | +-----------------+------------------+---------------------+ | EDHOC Responder | C_I | C_R | +-----------------+------------------+---------------------+ ]]></artwork> </artset> </figure> <t>ClientID</th> </tr> </thead> <tbody> <tr> <td>EDHOC Initiator</td> <td align="center">C_R</td> <td align="center">C_I</td> </tr><tr> <td>EDHOC Responder</td> <td align="center">C_I</td> <td align="center">C_R</td> </tr> </tbody> </table> <t>The Client and ServerSHALL<bcp14>SHALL</bcp14> use the parameters above to establish an OSCORESecurity Context,security context, as perSection 3.2.1 of<xreftarget="RFC8613"/>.</t>target="RFC8613" section="3.2.1" sectionFormat="of"/>.</t> <t>From then on, the Client and Server retrieve the OSCORE protocol state using the RecipientID,ID and optionally other transport information such as the 5-tuple.</t> </section> <section anchor="coap"> <name>Transferring EDHOC over CoAP</name> <t>This section specifies how EDHOC can be transferred as an exchange of CoAP <xref target="RFC7252"/> messages. CoAP provides a reliable transport that can preserve packet ordering, provides flow and congestion control, and handles message duplication. CoAP can also perform fragmentation and mitigate certain denial-of-service attacks. The underlying CoAP transport should be used in reliable mode, inparticularparticular, when fragmentation is used, to avoid, e.g., situations with hanging endpoints waiting for each other.</t> <t>EDHOC may run with the Initiator either being a CoAP client or CoAP server. We denote the former by the "forward message flow" (see <xref target="forward"/>) and the latter by the "reverse message flow" (see <xref target="reverse"/>). By default, we assume the forward message flow, but the rolesSHOULD<bcp14>SHOULD</bcp14> be chosen to protect the most sensitiveidentity,identity; see <xref target="security"/>.</t> <t>According to this specification, EDHOC is transferred in POST requests to the Uri-Path: "/.well-known/edhoc" (see <xreftarget="well-known"/>),target="well-known"/>) and 2.04 (Changed) responses. An application may define its own path that can be discovered, e.g., using a resource directory <xref target="RFC9176"/>. Client applications can use the resource type "core.edhoc" to discover a server's EDHOC resource, i.e., where to send a request for executing the EDHOCprotocol,protocol; see <xref target="rt"/>. An alternative transfer of the forward message flow is specified in <xref target="I-D.ietf-core-oscore-edhoc"/>.</t> <t>In order for the server to correlate a message received from a client to a message previously sent in the same EDHOC session over CoAP, messages sent by the clientSHALL<bcp14>SHALL</bcp14> be prepended with the CBOR serialization of the connection identifierwhichthat the server hasselected,selected; see <xref target="ci-edhoc"/>. This applies both to the forward and the reverse message flows. To indicate a new EDHOC session in the forward message flow, message_1SHALL<bcp14>SHALL</bcp14> be prepended with the CBOR simple value <tt>true</tt> (0xf5). Even if CoAP is carried over a reliable transportprotocolprotocol, such as TCP, the prepending of identifiers specified hereSHALL<bcp14>SHALL</bcp14> be practiced to enable interoperability independent of how CoAP is transported.</t> <t>The prepended identifiers are encoded in CBOR and thus self-delimiting. The representation of identifiers described in <xref target="bstr-repr"/>SHALL<bcp14>SHALL</bcp14> be used. They are sent in front of the actual EDHOC message to keep track of messages in an EDHOC session, and only the part of the body following the identifier is used for EDHOC processing. In particular, the connection identifiers within the EDHOC messages are not impacted by the prepended identifiers.</t> <t>An EDHOC message has media typeapplication/edhoc+cbor-seq,"application/edhoc+cbor-seq", whereas an EDHOC message prepended by a connection identifier has media typeapplication/cid-edhoc+cbor-seq,"application/cid-edhoc+cbor-seq"; see <xref target="content-format"/>.</t> <t>To mitigate certain denial-of-service attacks, the CoAP serverMAY<bcp14>MAY</bcp14> respond to the first POST request with a 4.01 (Unauthorized) containing an Echo option <xref target="RFC9175"/>. This forces the Initiator to demonstrate reachability at its apparent network address. If message fragmentation is needed, the EDHOC messages may be fragmented using the CoAP Block-Wise Transfer mechanism <xref target="RFC7959"/>.</t> <t>EDHOC error messages need to be transported in response to a message that failed (see <xref target="error"/>). EDHOC error messages transported with CoAP are carried in the payload.</t> <t>Note that the transport over CoAP can serve as a blueprint for other client-server protocols:</t> <ul spacing="normal"> <li>The client prepends the connection identifier selected by the server (or, for message_1, the CBOR simple value <tt>true</tt>) to any request message it sends.</li> <li>The server does not send any such indicator, as responses are matched to request by the client-server protocol design.</li> </ul> <section anchor="forward"> <name>The Forward Message Flow</name> <t>In the forward messageflowflow, the CoAP client is the Initiator and the CoAP server is the Responder. This flow protects the client identity against active attackers and the server identity against passive attackers.</t> <t>In the forward message flow, the CoAP Token enables correlation on the Initiator (client) side, and the prepended C_R enables correlation on the Responder (server) side.</t> <ul spacing="normal"> <li>EDHOC message_1 is sent in the payload of a POST request from the client to the server's resource for EDHOC, prepended with the identifier <tt>true</tt>(0xf5)(0xf5), indicating a new EDHOC session.</li> <li>EDHOC message_2 or the EDHOC error message is sent from the server to the client in the payload of the response, in the former case with response code 2.04(Changed),(Changed) and in the latter with response code as specified in <xref target="edhoc-oscore-over-coap"/>.</li> <li>EDHOC message_3 or the EDHOC error message is sent from the client to the server's resource in the payload of a POST request, prepended withtheconnection identifier C_R.</li> <li>If EDHOC message_4 is used, or in case of an error message, it is sent from the server to the client in the payload of the response, with response codes analogously to message_2. In case of an error message sent in response to message_4, it is sent analogously to the error message sent in response to message_2.</li> </ul> <t>An example of a completed EDHOC session over CoAP in the forward message flow is shown in <xref target="fig-coap1"/>.</t> <figure anchor="fig-coap1"> <name>Example of theforward message flow.</name>Forward Message Flow</name> <artset> <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1"height="352" width="496"height="" width="" viewBox="0 0 496 352" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <path d="M 24,48 L 24,336" fill="none" stroke="black"/> <path d="M 112,48 L 112,336" fill="none" stroke="black"/> <path d="M 24,64 L 104,64" fill="none" stroke="black"/> <path d="M 32,144 L 112,144" fill="none" stroke="black"/> <path d="M 24,208 L 104,208" fill="none" stroke="black"/> <path d="M 32,288 L 112,288" fill="none" stroke="black"/> <polygon class="arrowhead" points="112,208 100,202.4 100,213.6" fill="black" transform="rotate(0,104,208)"/> <polygon class="arrowhead" points="112,64 100,58.4 100,69.6" fill="black" transform="rotate(0,104,64)"/> <polygon class="arrowhead" points="40,288 28,282.4 28,293.6" fill="black" transform="rotate(180,32,288)"/> <polygon class="arrowhead" points="40,144 28,138.4 28,149.6" fill="black" transform="rotate(180,32,144)"/> <g class="text"> <text x="28" y="36">Client</text> <text x="108" y="36">Server</text> <text x="152" y="68">Header:</text> <text x="204" y="68">POST</text> <text x="272" y="68">(Code=0.02)</text> <text x="68" y="84">POST</text> <text x="160" y="84">Uri-Path:</text> <text x="284" y="84">"/.well-known/edhoc"</text> <text x="184" y="100">Content-Format:</text> <text x="372" y="100">application/cid-edhoc+cbor-seq</text> <text x="156" y="116">Payload:</text> <text x="216" y="116">true,</text> <text x="264" y="116">EDHOC</text> <text x="328" y="116">message_1</text> <text x="152" y="148">Header:</text> <text x="204" y="148">2.04</text> <text x="256" y="148">Changed</text> <text x="68" y="164">2.04</text> <text x="184" y="164">Content-Format:</text> <text x="356" y="164">application/edhoc+cbor-seq</text> <text x="156" y="180">Payload:</text> <text x="216" y="180">EDHOC</text> <text x="280" y="180">message_2</text> <text x="152" y="212">Header:</text> <text x="204" y="212">POST</text> <text x="272" y="212">(Code=0.02)</text> <text x="68" y="228">POST</text> <text x="160" y="228">Uri-Path:</text> <text x="284" y="228">"/.well-known/edhoc"</text> <text x="184" y="244">Content-Format:</text> <text x="372" y="244">application/cid-edhoc+cbor-seq</text> <text x="156" y="260">Payload:</text> <text x="212" y="260">C_R,</text> <text x="256" y="260">EDHOC</text> <text x="320" y="260">message_3</text> <text x="152" y="292">Header:</text> <text x="204" y="292">2.04</text> <text x="256" y="292">Changed</text> <text x="68" y="308">2.04</text> <text x="184" y="308">Content-Format:</text> <text x="356" y="308">application/edhoc+cbor-seq</text> <text x="156" y="324">Payload:</text> <text x="216" y="324">EDHOC</text> <text x="280" y="324">message_4</text> </g> </svg> </artwork> <artwork type="ascii-art" align="center"><![CDATA[ Client Server | | +--------->| Header: POST (Code=0.02) | POST | Uri-Path: "/.well-known/edhoc" | | Content-Format: application/cid-edhoc+cbor-seq | | Payload: true, EDHOC message_1 | | |<---------+ Header: 2.04 Changed | 2.04 | Content-Format: application/edhoc+cbor-seq | | Payload: EDHOC message_2 | | +--------->| Header: POST (Code=0.02) | POST | Uri-Path: "/.well-known/edhoc" | | Content-Format: application/cid-edhoc+cbor-seq | | Payload: C_R, EDHOC message_3 | | |<---------+ Header: 2.04 Changed | 2.04 | Content-Format: application/edhoc+cbor-seq | | Payload: EDHOC message_4 | | ]]></artwork> </artset> </figure> <t>The forward message flow of EDHOC can be combined with an OSCORE exchange in a total of tworound-trips,round trips; see <xref target="I-D.ietf-core-oscore-edhoc"/>.</t> </section> <section anchor="reverse"> <name>The Reverse Message Flow</name> <t>In the reverse messageflowflow, the CoAP client is the Responder and the CoAP server is the Initiator. This flow protects the server identity against active attackers and the client identity against passive attackers.</t> <t>In the reverse message flow, the CoAP Token enables correlation on the Responder (client) side, and the prepended C_I enables correlation on the Initiator (server) side.</t> <ul spacing="normal"> <li>To trigger a new EDHOC session, the client makes an empty POST request to the server's resource for EDHOC.</li> <li>EDHOC message_1 is sent from the server to the client in the payload of the response with response code 2.04 (Changed).</li> <li>EDHOC message_2 or the EDHOC error message is sent from the client to the server's resource in the payload of a POST request, prepended withtheconnection identifier C_I.</li> <li>EDHOC message_3 or the EDHOC error message is sent from the server to the client in the payload of the response, in the former case with response code 2.04(Changed),(Changed) and in the latter with response code as specified in <xref target="edhoc-oscore-over-coap"/>.</li> <li>If EDHOC message_4 is used, or in case of an error message, it is sent from the client to the server's resource in the payload of a POST request, prepended withtheconnection identifier C_I. In case of an error message sent in response to message_4, it is sent analogously to an error message sent in response to message_2.</li> </ul> <t>An example of a completed EDHOC session over CoAP in the reverse message flow is shown in <xref target="fig-coap2"/>.</t> <figure anchor="fig-coap2"> <name>Example of thereverse message flow.</name>Reverse Message Flow</name> <artset> <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1"height="320" width="496"height="" width="" viewBox="0 0 496 320" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <path d="M 24,48 L 24,304" fill="none" stroke="black"/> <path d="M 112,48 L 112,304" fill="none" stroke="black"/> <path d="M 24,64 L 104,64" fill="none" stroke="black"/> <path d="M 32,112 L 112,112" fill="none" stroke="black"/> <path d="M 24,176 L 104,176" fill="none" stroke="black"/> <path d="M 32,256 L 112,256" fill="none" stroke="black"/> <polygon class="arrowhead" points="112,176 100,170.4 100,181.6" fill="black" transform="rotate(0,104,176)"/> <polygon class="arrowhead" points="112,64 100,58.4 100,69.6" fill="black" transform="rotate(0,104,64)"/> <polygon class="arrowhead" points="40,256 28,250.4 28,261.6" fill="black" transform="rotate(180,32,256)"/> <polygon class="arrowhead" points="40,112 28,106.4 28,117.6" fill="black" transform="rotate(180,32,112)"/> <g class="text"> <text x="28" y="36">Client</text> <text x="108" y="36">Server</text> <text x="152" y="68">Header:</text> <text x="204" y="68">POST</text> <text x="272" y="68">(Code=0.02)</text> <text x="68" y="84">POST</text> <text x="160" y="84">Uri-Path:</text> <text x="284" y="84">"/.well-known/edhoc"</text> <text x="152" y="116">Header:</text> <text x="204" y="116">2.04</text> <text x="256" y="116">Changed</text> <text x="68" y="132">2.04</text> <text x="184" y="132">Content-Format:</text> <text x="356" y="132">application/edhoc+cbor-seq</text> <text x="156" y="148">Payload:</text> <text x="216" y="148">EDHOC</text> <text x="280" y="148">message_1</text> <text x="152" y="180">Header:</text> <text x="204" y="180">POST</text> <text x="272" y="180">(Code=0.02)</text> <text x="68" y="196">POST</text> <text x="160" y="196">Uri-Path:</text> <text x="284" y="196">"/.well-known/edhoc"</text> <text x="184" y="212">Content-Format:</text> <text x="372" y="212">application/cid-edhoc+cbor-seq</text> <text x="156" y="228">Payload:</text> <text x="212" y="228">C_I,</text> <text x="256" y="228">EDHOC</text> <text x="320" y="228">message_2</text> <text x="152" y="260">Header:</text> <text x="204" y="260">2.04</text> <text x="256" y="260">Changed</text> <text x="68" y="276">2.04</text> <text x="184" y="276">Content-Format:</text> <text x="356" y="276">application/edhoc+cbor-seq</text> <text x="156" y="292">Payload:</text> <text x="216" y="292">EDHOC</text> <text x="280" y="292">message_3</text> </g> </svg> </artwork> <artwork type="ascii-art" align="center"><![CDATA[ Client Server | | +--------->| Header: POST (Code=0.02) | POST | Uri-Path: "/.well-known/edhoc" | | |<---------+ Header: 2.04 Changed | 2.04 | Content-Format: application/edhoc+cbor-seq | | Payload: EDHOC message_1 | | +--------->| Header: POST (Code=0.02) | POST | Uri-Path: "/.well-known/edhoc" | | Content-Format: application/cid-edhoc+cbor-seq | | Payload: C_I, EDHOC message_2 | | |<---------+ Header: 2.04 Changed | 2.04 | Content-Format: application/edhoc+cbor-seq | | Payload: EDHOC message_3 | | ]]></artwork> </artset> </figure> </section> <section anchor="edhoc-oscore-over-coap"> <name>Errors in EDHOC over CoAP</name> <t>When using EDHOC over CoAP, EDHOC error messages sent as CoAP responsesMUST<bcp14>MUST</bcp14> be sent in the payload of error responses, i.e., theyMUST<bcp14>MUST</bcp14> specify a CoAP error response code. In particular, it isRECOMMENDED<bcp14>RECOMMENDED</bcp14> that such error responses have response code either 4.00 (Bad Request) in case of client error (e.g., due to a malformed EDHOCmessage),message) or 5.00 (Internal Server Error) in case of server error (e.g., due to failure in deriving EDHOC keying material). The Content-Format of the error responseMUST<bcp14>MUST</bcp14> be set toapplication/edhoc+cbor-seq,"application/edhoc+cbor-seq"; see <xref target="content-format"/>.</t> </section> </section> </section> <section anchor="comrep"> <name>Compact Representation</name> <t>This section defines a format for compact representation based on the Elliptic-Curve-Point-to-Octet-String Conversion defined in Section 2.3.3 of <xref target="SECG"/>.</t> <t>As described inSection 4.2 of<xreftarget="RFC6090"/>target="RFC6090" section="4.2" sectionFormat="of"/>, the x-coordinate of an elliptic curve public key is a suitable representative for the entire point whenever scalar multiplication is used as a one-way function. One example is ECDH with compact output, where only the x-coordinate of the computed value is used as the shared secret.</t> <t>In EDHOC, compact representation is used for the ephemeral public keys (G_X andG_Y),G_Y); see <xref target="cose_key"/>. Using the notation from <xref target="SECG"/>, the output is an octet string of length ceil( (log2 q) / 8 ), where ceil(x) is the smallest integer not less than x. See <xref target="SECG"/> for a definition of q, M, X, xp, and ~yp. The steps in Section 2.3.3 of <xref target="SECG"/> are replacedby:</t>with the following steps:</t> <ol spacing="normal" type="1"><li>Convert the field element xp to an octet string X of length ceil( (log2 q) / 8 ) octets using the conversion routine specified in Section 2.3.5 of <xref target="SECG"/>.</li> <li>Output M =X</li>X.</li> </ol> <t>The encoding of the point at infinity is not supported.</t> <t>Compact representation does not change any requirements onvalidation,validation; see <xref target="crypto"/>. Using compact representation has some security benefits. An implementation does not need to check that the point is not the point at infinity (the identity element). Similarly, as not even the sign of the y-coordinate is encoded, compact representation trivially avoids so-called "benign malleability" attacks where an attacker changes thesign,sign; see <xref target="SECG"/>.</t> <t>The following may be needed for validation or compatibility with APIs that do not support compact representation or do not support the full <xref target="SECG"/> format:</t> <ul spacing="normal"> <li>If a compressed y-coordinate is required, then the value ~yp set to zero can be used.TheIn such a case, the compact representation described above canin such a casebe transformed into theSECG point compressedStandards for Efficient Cryptography Group (SECG) point-compressed format by prepending it with the single byte 0x02 (i.e., M = 0x02 || X).</li> <li>If an uncompressed y-coordinate is required, then a y-coordinate has to be calculated following Section 2.3.4 of <xref target="SECG"/> orAppendix C of<xreftarget="RFC6090"/>.target="RFC6090" sectionFormat="of" section="C"/>. Any of the square roots (see <xref target="SECG"/> or <xref target="RFC6090"/>) can be used. The uncompressed SECG format is M = 0x04 || X || Y.</li> </ul> <t>For example: The curve P-256 has the parameters (using the notation in <xreftarget="RFC6090"/>)</t>target="RFC6090"/>):</t> <ul spacing="normal"> <li>p = 2<sup>256</sup>−- 2<sup>224</sup> + 2<sup>192</sup> + 2<sup>96</sup>−- 1</li> <li>a = -3</li> <li>b = 410583637251521421293261297800472684091144410159937255 54835256314039467401291</li> </ul> <t>Given an example x:</t> <ul spacing="normal"> <li>x = 115792089183396302095546807154740558443406795108653336 398970697772788799766525</li> </ul><t>we<t>We can calculate y as the square root w = (x<sup>3</sup> + a<contact fullname="⋅"/>⋅ x + b)<sup>((p + 1)/4)</sup> (modp)</t>p).</t> <ul spacing="normal"> <li>y = 834387180070192806820075864918626005281451259964015754 16632522940595860276856</li> </ul> <t>Note that this does not guarantee that (x, y) is on the correct elliptic curve. A full validation according to Section 5.6.2.3.3 of <xref target="SP-800-56A"/>can be achievedis done by also checking that 0<contact fullname="≤"/>≤ x < p and that y<sup>2</sup><contact fullname="≡"/>≡ x<sup>3</sup> + a<contact fullname="⋅"/>⋅ x + b (mod p).</t> </section> <section anchor="CBORandCOSE"> <name>Use of CBOR, CDDL, and COSE in EDHOC</name> <t>ThisAppendixappendix is intended to help implementors not familiar with CBOR <xref target="RFC8949"/>, CDDL <xref target="RFC8610"/>, COSE <xref target="RFC9052"/>, and HKDF <xref target="RFC5869"/>.</t> <section anchor="CBOR"> <name>CBOR and CDDL</name> <t>The Concise Binary Object Representation (CBOR) <xref target="RFC8949"/> is a data format designed for small code size and small message size. CBOR builds on the JSON data model but extends itbyby, e.g., encoding binary data directly without base64 conversion. In addition to the binary CBOR encoding, CBOR also has a diagnostic notation that is readable and editable by humans. The Concise Data Definition Language (CDDL) <xref target="RFC8610"/> provides a way to express structures for protocol messages and APIs that use CBOR. <xref target="RFC8610"/> also extends the diagnostic notation.</t> <t>CBOR data items are encoded to or decoded from byte strings using a type-length-value encoding scheme, where the three highest order bits of the initial byte contain information about the major type. CBOR supports several types of data items,in addition tointegers (int, uint), simple values, byte strings (bstr), and text strings(tstr),(tstr). CBOR also supports arrays [] of data items, maps {} of pairs of data items, and sequences <xref target="RFC8742"/> of data items. Some examples are given below.</t> <t>The EDHOC specification sometimes use CDDL names in CBOR diagnostic notation asinin, e.g., << ID_CRED_R, ? EAD_2 >>. This means that EAD_2 is optional and that ID_CRED_R and EAD_2 should be substituted with their values before evaluation.I.e.,That is, if ID_CRED_R = { 4 : h'' } and EAD_2 isomittedomitted, then << ID_CRED_R, ? EAD_2 >> = << { 4 : h'' } >>, which encodes to 0x43a10440. We also make use of the occurrence symbol "*", likeinin, e.g., 2* int, meaning two or more CBOR integers.</t> <t>For a complete specification and more examples, see <xref target="RFC8949"/> and <xref target="RFC8610"/>. We recommend implementors get used to CBOR by using the CBOR playground <xref target="CborMe"/>.</t><figure anchor="fig-cbor-examples"><table anchor="tab-cbor-examples"> <name>Examples ofuseUse of CBOR andCDDL.</name> <artset> <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="304" width="480" viewBox="0 0 480 304" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <path d="M 8,48 L 472,48" fill="none" stroke="black"/> <path d="M 8,288 L 472,288" fill="none" stroke="black"/> <g class="text"> <text x="52" y="36">Diagnostic</text> <text x="200" y="36">Encoded</text> <text x="356" y="36">Type</text> <text x="16" y="68">1</text> <text x="188" y="68">0x01</text> <text x="372" y="68">unsigned</text> <text x="440" y="68">integer</text> <text x="20" y="84">24</text> <text x="196" y="84">0x1818</text> <text x="372" y="84">unsigned</text> <text x="440" y="84">integer</text> <text x="24" y="100">-24</text> <text x="188" y="100">0x37</text> <text x="372" y="100">negative</text> <text x="440" y="100">integer</text> <text x="24" y="116">-25</text> <text x="196" y="116">0x3818</text> <text x="372" y="116">negative</text> <text x="440" y="116">integer</text> <text x="28" y="132">true</text> <text x="188" y="132">0xf5</text> <text x="364" y="132">simple</text> <text x="416" y="132">value</text> <text x="24" y="148">h''</text> <text x="188" y="148">0x40</text> <text x="356" y="148">byte</text> <text x="404" y="148">string</text> <text x="40" y="164">h'12cd'</text> <text x="204" y="164">0x4212cd</text> <text x="356" y="164">byte</text> <text x="404" y="164">string</text> <text x="36" y="180">'12cd'</text> <text x="220" y="180">0x4431326364</text> <text x="356" y="180">byte</text> <text x="404" y="180">string</text> <text x="36" y="196">"12cd"</text> <text x="220" y="196">0x6431326364</text> <text x="356" y="196">text</text> <text x="404" y="196">string</text> <text x="16" y="212">{</text> <text x="32" y="212">4</text> <text x="48" y="212">:</text> <text x="80" y="212">h'cd'</text> <text x="112" y="212">}</text> <text x="212" y="212">0xa10441cd</text> <text x="352" y="212">map</text> <text x="20" y="228"><<</text> <text x="44" y="228">1,</text> <text x="68" y="228">2,</text> <text x="100" y="228">true</text> <text x="132" y="228">>></text> <text x="212" y="228">0x430102f5</text> <text x="356" y="228">byte</text> <text x="404" y="228">string</text> <text x="16" y="244">[</text> <text x="36" y="244">1,</text> <text x="60" y="244">2,</text> <text x="92" y="244">true</text> <text x="120" y="244">]</text> <text x="212" y="244">0x830102f5</text> <text x="360" y="244">array</text> <text x="16" y="260">(</text> <text x="36" y="260">1,</text> <text x="60" y="260">2,</text> <text x="92" y="260">true</text> <text x="120" y="260">)</text> <text x="204" y="260">0x0102f5</text> <text x="372" y="260">sequence</text> <text x="20" y="276">1,</text> <text x="44" y="276">2,</text> <text x="76" y="276">true</text> <text x="204" y="276">0x0102f5</text> <text x="372" y="276">sequence</text> </g> </svg> </artwork> <artwork type="ascii-art" align="center"><![CDATA[ Diagnostic Encoded Type ----------------------------------------------------------- 1 0x01 unsigned integer 24 0x1818 unsigned integer -24 0x37 negative integer -25 0x3818 negative integer true 0xf5 simple value h'' 0x40 byte string h'12cd' 0x4212cd byte string '12cd' 0x4431326364 byte string "12cd" 0x6431326364 text string {CDDL</name> <thead> <tr> <th>Diagnostic</th> <th>Encoded</th> <th>Type</th> </tr> </thead> <tbody> <tr> <td>1</td> <td>0x01</td> <td>unsigned integer</td> </tr><tr> <td>24</td> <td>0x1818</td> <td>unsigned integer</td> </tr><tr> <td>-24</td> <td>0x37</td> <td>negative integer</td> </tr><tr> <td>-25</td> <td>0x3818</td> <td>negative integer</td> </tr><tr> <td>true</td> <td>0xf5</td> <td>simple value</td> </tr><tr> <td>h''</td> <td>0x40</td> <td>byte string</td> </tr><tr> <td>h'12cd'</td> <td>0x4212cd</td> <td>byte string</td> </tr><tr> <td>'12cd'</td> <td>0x4431326364</td> <td>byte string</td> </tr><tr> <td>"12cd"</td> <td>0x6431326364</td> <td>text string</td> </tr><tr> <td>{ 4 : h'cd'} 0xa10441cd map <<}</td> <td>0xa10441cd</td> <td>map</td> </tr><tr> <td><< 1, 2, true>> 0x430102f5 byte string [>></td> <td>0x430102f5</td> <td>byte string</td> </tr><tr> <td>[ 1, 2, true] 0x830102f5 array (]</td> <td>0x830102f5</td> <td>array</td> </tr><tr> <td>( 1, 2, true) 0x0102f5 sequence)</td> <td>0x0102f5</td> <td>sequence</td> </tr><tr> <td> 1, 2,true 0x0102f5 sequence ----------------------------------------------------------- ]]></artwork> </artset> </figure>true</td> <td>0x0102f5</td> <td>sequence</td> </tr> </tbody> </table> </section> <section anchor="CDDL"> <name>CDDL Definitions</name> <t>This section compiles the CDDL definitions for ease of reference.</t> <sourcecode type="CDDL"><![CDATA[ suites = [ 2* int ] / int ead = ( ead_label : int, ? ead_value : bstr, ) EAD_1 = 1* ead EAD_2 = 1* ead EAD_3 = 1* ead EAD_4 = 1* ead message_1 = ( METHOD : int, SUITES_I : suites, G_X : bstr, C_I : bstr / -24..23, ? EAD_1, ) message_2 = ( G_Y_CIPHERTEXT_2 : bstr, ) PLAINTEXT_2 = ( C_R, ID_CRED_R : map / bstr / -24..23, Signature_or_MAC_2 : bstr, ? EAD_2, ) message_3 = ( CIPHERTEXT_3 : bstr, ) PLAINTEXT_3 = ( ID_CRED_I : map / bstr / -24..23, Signature_or_MAC_3 : bstr, ? EAD_3, ) message_4 = ( CIPHERTEXT_4 : bstr, ) PLAINTEXT_4 = ( ? EAD_4, ) error = ( ERR_CODE : int, ERR_INFO : any, ) info = ( info_label : int, context : bstr, length : uint, ) ]]></sourcecode> </section> <section anchor="COSE"> <name>COSE</name> <t>CBOR Object Signing and Encryption (COSE) <xref target="RFC9052"/> describes how to create and process signatures,message authentication codes,MACs, andencryptionencryptions using CBOR. COSE builds onJOSE,JSON Object Signing and Encryption (JOSE) but is adapted to allow more efficient processing in constrained devices. EDHOC makes use of COSE_Key, COSE_Encrypt0, and COSE_Sign1 objects in the message processing:</t> <ul spacing="normal"> <li>ECDH ephemeral public keys of type EC2 or OKP in message_1 and message_2 consist of the COSE_Key parameter named'x','x'; seeSection 7.1Sections <xref target="RFC9053" section="7.1" sectionFormat="bare"/> and7.2<xref target="RFC9053" section="7.2" sectionFormat="bare"/> of <xreftarget="RFC9053"/></li>target="RFC9053"/>.</li> <li> <t>The ciphertexts in message_3 and message_4 consist of a subset of the single recipient encrypted data object COSE_Encrypt0, which is described in Sections5.2-5.3<xref target="RFC9052" sectionFormat="bare" section="5.2"/> and <xref target="RFC9052" sectionFormat="bare" section="5.3"/> of <xref target="RFC9052"/>. The ciphertext is computed over the plaintext and associated data, using an encryption key and an initialization vector. The associated data is an Enc_structure consisting of protected headers and externally supplied data (external_aad). COSE constructs the input to the AEAD <xref target="RFC5116"/> for message_i (i = 3 or4,4; see Sections <xreftarget="m3"/>target="m3" format="counter"/> and <xreftarget="m4"/>,target="m4" format="counter"/>, respectively) as follows: </t> <ul spacing="normal"> <li>Secret key K = K_i</li> <li>Nonce N = IV_i</li> <li>Plaintext P for message_i</li> <li>Associated Data A = [ "Encrypt0", h'', TH_i ]</li> </ul> </li> <li> <t>Signatures in message_2 of method 0 and 2, and in message_3 of method 0 and 1, consist of a subset of the single signer data object COSE_Sign1, which is described in Sections4.2-4.4<xref target="RFC9052" sectionFormat="bare" section="4.2"/> and <xref target="RFC9052" sectionFormat="bare" section="4.4"/> of <xref target="RFC9052"/>. The signature is computed over a Sig_structure containing payload, protected headers and externally supplied data (external_aad) using a private signaturekeykey, and verified using the corresponding public signature key. For COSE_Sign1, the message to be signed is: </t> <artwork><![CDATA[ [ "Signature1", protected, external_aad, payload ] ]]></artwork> <t> where protected,external_aadexternal_aad, and payload are specified in Sections <xreftarget="m2"/>target="m2" format="counter"/> and <xreftarget="m3"/>.</t>target="m3" format="counter"/>.</t> </li> </ul> <t>Different header parameters to identify X.509 or C509 certificates by reference are defined in <xref target="RFC9360"/> and <xref target="I-D.ietf-cose-cbor-encoded-cert"/>:</t> <ul spacing="normal"> <li> <t>by a hash value with the 'x5t' or 'c5t' parameters, respectively: </t> <ul spacing="normal"> <li>ID_CRED_x = { 34 : COSE_CertHash }, for x = I orR,</li>R and</li> <li>ID_CRED_x = {TBD322 : COSE_CertHash }, for x = I orR;</li>R,</li> </ul> </li> <li> <t>or by a URI with the 'x5u' or 'c5u' parameters, respectively: </t> <ul spacing="normal"> <li>ID_CRED_x = { 35 : uri }, for x = I orR,</li>R, and</li> <li>ID_CRED_x = {TBD423 : uri }, for x = I or R.</li> </ul> </li> </ul> <t>When ID_CRED_x does not contain the actual credential, it may be very short, e.g., if the endpoints have agreed to use a key identifier parameter 'kid':</t> <ul spacing="normal"> <li>ID_CRED_x = { 4 : kid_x }, where kid_x : kid, for x = I or R. For further optimization, see <xref target="id_cred"/>.</li> </ul> <t>Note that ID_CRED_x can contain several header parameters, forexampleexample, { x5u, x5t } or { kid, kid_context }.</t> <t>ID_CRED_xMAY<bcp14>MAY</bcp14> also identify the credential by value. For example, a certificate chain can be transported in an ID_CRED field with COSE header parameter c5c or x5chain, as defined in <xref target="I-D.ietf-cose-cbor-encoded-cert"/> and <xreftarget="RFC9360"/> and credentialstarget="RFC9360"/>. Credentials of type CWT and CCS can be transported with the COSE header parameters registered in <xref target="cwt-header-param"/>.</t> </section> </section> <section anchor="auth-validation"><name>Authentication Related<name>Authentication-Related Verifications</name> <t>EDHOC performs certainauthentication related operations, seeauthentication-related operations (see <xreftarget="auth-key-id"/>,target="auth-key-id"/>), but ingeneralgeneral, it is necessary to make additional verifications beyond EDHOC message processing. Which verifications that are needed depend on the deployment, inparticularparticular, the trust model and the security policies, but mostcommonlycommonly, it can be expressed in terms of verifications of credential content.</t> <t>EDHOC assumes the existence of mechanisms (certification authority or other trusted third party, pre-provisioning, etc.) for generating and distributing authentication credentials and other credentials, as well as the existence of trust anchors (CA certificates, trusted public keys, etc.). For example, a public key certificate or CWT may rely on a trusted third party whose public key is pre-provisioned, whereas a CCS or a self-signedcertificate/CWTcertificate / CWT may be used when trust in the public key can be achieved by other means, or in the case ofTrusttrust on first use, see <xref target="tofu"/>.</t> <t>In thissectionsection, we provide some examples of such verifications. These verifications are the responsibility of the application but may be implemented as part of an EDHOC library.</t> <section anchor="validating-auth-credential"> <name>Validating the Authentication Credential</name><t>The authentication credential may contain, in<t>In addition to the authentication key, the authentication credential may contain other parameters thatneedsneed to be verified. For example:</t> <ul spacing="normal"> <li>In X.509 and C509 certificates, signature keys typically have key usage"digitalSignature""digitalSignature", and Diffie-Hellman public keys typically have key usage "keyAgreement" <xreftarget="RFC3279"/><xreftarget="RFC3279"/> <xref target="RFC8410"/>.</li> <li>In X.509 and C509certificatescertificates, validity is expressed using Not After and Not Before. In CWT and CCS, the“exp”"exp" and“nbf”"nbf" claims have similar meanings.</li> </ul> </section> <section anchor="identities"> <name>Identities</name> <t>The application must decide on allowing a connection ornotnot, depending on the intended endpoint, and in particular whether it is a specific identity or in a set of identities. To prevent misbinding attacks, the identity of the endpoint is included in a MAC verified through the protocol. More details and examples are provided in this section.</t> <t>Policies for what connections to allow are typically set based on the identity of the other endpoint, and endpoints typically only allow connections from a specific identity or a small restricted set of identities. For example, in the case of a device connecting to a network, the network may only allow connections from deviceswhichthat authenticate with certificates having a particular range of serial numbers and signed by a particular CA. Conversely, a device may only be allowed to connect to a networkwhichthat authenticates with a particular public key.</t> <ul spacing="normal"> <li>When a Public Key Infrastructure (PKI) is used with certificates, the identity is the subject whose unique name, e.g., a domain name, a Network Access Identifier (NAI), or an Extended Unique Identifier (EUI), is included in the endpoint's certificate.</li> <li>Similarly, when a PKI is used with CWTs, the identity is the subject identified by the relevant claim(s), such as 'sub' (subject).</li> <li>When PKI is not used (e.g., CCS, self-signedcertificate/CWT)certificate / CWT), the identity is typically directly associated with the authentication key of the other party. For example, if identities can be expressed in the form of unique subject names assigned to public keys, then a binding to identity is achieved by including both the public key and associated subject name in the authenticationcredential:credential. CRED_I or CRED_R may be a self-signedcertificate/CWTcertificate / CWT or CCS containing the authentication key and the subjectname,name; see <xref target="auth-cred"/>.EachThus, each endpointthusneeds to know the specific authenticationkey/uniquekey / unique associated subjectname,name or set of public authenticationkeys/uniquekeys / unique associated subject names, which it is allowed to communicate with.</li> </ul> <t>To prevent misbinding attacks in systems where an attacker can register public keys without proving knowledge of the private key, SIGMA <xref target="SIGMA"/> enforces a MAC to be calculated over the "identity". EDHOC follows SIGMA by calculating a MAC over the whole authentication credential, which in case of an X.509 or C509certificatecertificate, includes the "subject" and "subjectAltName"fields, andfields and, in the case of CWT orCCSCCS, includes the "sub" claim.</t> <t>(While the SIGMA paper only focuses on the identity, the same principle is true for other information such as policies associated with the public key.)</t> </section> <section anchor="cert-path"> <name>Certification Path and Trust Anchors</name> <t>When a Public Key Infrastructure (PKI) is used with certificates, the trust anchor is aCertification Authoritycertification authority (CA) certificate. Each party needs at least one CA public keycertificate,certificate or just the CA public key. The certification path contains proof that the subject of the certificate owns the public key in the certificate. Only validatedpublic-keypublic key certificates are to be accepted.</t> <t>Similarly, when a PKI is used with CWTs, each party needs to have at least one trustedthird partythird-party public key as a trust anchor to verify the end entity CWTs. The trustedthird partythird-party public key can, e.g., be stored in a self-signed CWT or in a CCS.</t> <t>The signature of the authentication credential needs to be verified with the public key of the issuer. X.509 and C509 certificates includes the“Issuer”"Issuer" field. In CWT and CCS, the“iss”"iss" claim has a similar meaning. The public key is either a trust anchor or the public key in another valid and trusted credential in a certification path from the trust anchor to the authentication credential.</t> <t>Similar verifications as made with the authentication credential (see <xref target="validating-auth-credential"/>) are also needed for the other credentials in the certification path.</t> <t>When PKI is not used(CCS,(CCS and self-signedcertificate/CWT),certificate / CWT), the trust anchor is the authentication key of the otherparty,party; in whichcasecase, there is no certification path.</t> </section> <section anchor="revocation"> <name>Revocation Status</name> <t>The application may need to verify that the credentials are notrevoked,revoked; see <xref target="impl-cons"/>. Some use cases may be served by short-lived credentials, for example, where the validity of the credential is on par with the interval between revocation checks. But, in general, credential lifetime and revocation checking are complementary measures to control credential status. Revocation information may be transported as ExternalAuthenticationAuthorization Data(EAD),(EAD); see <xref target="ead-appendix"/>.</t> </section> <section anchor="tofu"> <name>Unauthenticated Operation</name> <t>EDHOC might be used without authentication by allowing the Initiator or Responder to communicate with any identity except its own. Note that EDHOC without mutual authentication is vulnerable to active on-path attacks and therefore unsafe for general use. However, it is possible to later establish a trust relationship with an unknown or not-yet-trusted endpoint. Someexamples:</t>examples are listed below:</t> <ul spacing="normal"> <li>The EDHOC authentication credential can be verified out-of-band at a later stage.</li> <li>The EDHOC session key can be bound to an identity out-of-band at a later stage.</li> <li>Trust on first use (TOFU) can be used to verify that several EDHOC connections are made to the same identity. TOFU combined with proximity is a common IoT deployment modelwhichthat provides good security if done correctly. Note that secure proximity based on short range wireless technology requires very low signal strength or very low latency.</li> </ul> </section> </section> <section anchor="ead-appendix"> <name>Use of External Authorization Data</name> <t>In order to reduce the number of messages and round trips, or to simplify processing, external security applications may be integrated into EDHOC by transporting related external authorization data (EAD) in the messages.</t> <t>The EAD format is specified in <xreftarget="AD"/>, thistarget="AD"/>. This section contains examples and further details of how EAD may be used with an appropriate accompanying specification.</t> <ul spacing="normal"> <li>One example isthird party assistedthird-party-assisted authorization, requested with EAD_1, and an authorization artifact(“voucher”,("voucher", cf. <xref target="RFC8366"/>) returned inEAD_2,EAD_2; see <xreftarget="I-D.selander-lake-authz"/>.</li>target="I-D.ietf-lake-authz"/>.</li> <li>Another example is remote attestation, requested in EAD_2, and an Entity Attestation Token(EAT,(EAT) <xreftarget="I-D.ietf-rats-eat"/>)target="I-D.ietf-rats-eat"/> returned in EAD_3.</li> <li>A third example is certificateenrolment,enrollment, where a Certificate Signing Request(CSR,(CSR) <xreftarget="RFC2986"/>)target="RFC2986"/> is included in EAD_3, and the issued public key certificate (X.509 <xreftarget="RFC5280"/>,target="RFC5280"/> and C509 <xref target="I-D.ietf-cose-cbor-encoded-cert"/>) or a reference thereof is returned in EAD_4.</li> </ul> <t>External authorization data should be considered unprotected by EDHOC, and the protection of EAD is the responsibility of the security application(third party(third-party authorization, remote attestation, certificateenrolment,enrollment, etc.). The security properties of the EAD fields (after EDHOC processing) are discussed in <xref target="sec-prop"/>.</t> <t>The content of the EAD field may be used in the EDHOC processing of the message in which they are contained. For example,authentication related informationauthentication-related information, like assertions and revocation information, transported in EAD fields may provide input about trust anchors or validity of credentials relevant to the authentication processing. The EAD fields (like ID_CRED fields) are therefore made available to the application before the message isverified,verified; see details of message processing in <xref target="asym"/>. In the first example above, a voucher in EAD_2 made available to the application can enable the Initiator to verify the identity or the public key of the Responder before verifying the signature. An application allowing EAD fields containing authentication information thus may need to handleauthentication relatedauthentication-related verifications associated with EAD processing.</t> <t>Conversely, the security application may need to wait for EDHOC message verification to complete. In the third example above, the validation of a CSR carried in EAD_3 is not started by the Responder before EDHOC has successfully verified message_3 and proven the possession of the private key of the Initiator.</t> <t>The security application may reuse EDHOC protocol fieldswhichthat therefore need to be available to the application. For example, the security application may use the same crypto algorithms as in the EDHOC session and therefore needs access to the selected cipher suite (or the whole SUITES_I). The application may use the ephemeral public keys G_X andG_Y,G_Y as ephemeral keys or asnonces,nonces; see <xreftarget="I-D.selander-lake-authz"/>.</t>target="I-D.ietf-lake-authz"/>.</t> <t>The processing of the EAD item (ead_label, ? ead_value) by the security application needs to be described in the specification where the ead_label isregistered, seeregistered (see <xreftarget="iana-ead"/>,target="iana-ead"/>), including the optional ead_value for each message and actions in case of errors. An application may support multiple security applications that make use of EAD, which may result in multiple EAD items in one EADfield,field; see <xref target="AD"/>. Any dependencies on security applications with previously registered EAD itemsneedsneed to be documented, and the processing needs to consider their simultaneous use.</t> <t>Since data carried in EAD may not be protected, orbeprocessed by the application before the EDHOC message is verified, special considerations need to be made such that it does not violate security and privacy requirements of the servicewhichthat uses thisdata,data; see <xref target="unprot-data"/>. The content in an EAD item may impact the security properties provided by EDHOC. Security applications making use of the EAD items must perform the necessary security analysis.</t> </section> <section anchor="appl-temp"> <name>Application Profile Example</name> <t>This appendix contains a rudimentary example of an applicationprofile,profile; see <xref target="applicability"/>.</t> <t>For use of EDHOC with applicationXX, the following assumptions are made:</t> <ol spacing="normal" type="1"><li>Transfer in CoAP as specified in <xref target="coap"/> with requests expected by the CoAP server (= Responder) at /app1-edh, no Content-Format needed.</li> <li>METHOD = 1 (I uses signaturekey,key; R uses static DH key.)</li> <li> <t>CRED_I isanencoded with IEEE 802.1AR IDevIDencodedas a C509 certificate of type 0 <xref target="I-D.ietf-cose-cbor-encoded-cert"/>. </t> <ul spacing="normal"> <li>R acquires CRED_I out-of-band, indicated in EAD_1.</li> <li>ID_CRED_I = {4: h''} is a 'kid' with the value of the empty CBOR byte string.</li> </ul> </li> <li> <t>CRED_R is a CCS of type OKP as specified in <xref target="auth-cred"/>. </t> <ul spacing="normal"> <li>The CBOR map has parameters 1 (kty), -1 (crv), and -2 (x-coordinate).</li> <li>ID_CRED_R is{TBD2{14 :CCS}. Editor's note: TBD2 is the COSE header parameter value of 'kccs', see <xref target="cwt-header-param"/></li>CCS}.</li> </ul> </li> <li>External authorization data is defined and processed as specified in <xreftarget="I-D.selander-lake-authz"/>.</li>target="I-D.ietf-lake-authz"/>.</li> <li>EUI-64 is used as the identity of the endpoint (see an example in <xref target="auth-cred"/>).</li> <li>No use ofmessage_4: themessage_4. The application sends protected messages from R to I.</li> </ol> </section> <section anchor="large-plaintext_2"> <name>Long PLAINTEXT_2</name> <t>By the definition of encryption of PLAINTEXT_2 with KEYSTREAM_2, it is limited to lengths of PLAINTEXT_2 not exceeding the output ofEDHOC_KDF,EDHOC_KDF; see <xref target="expand"/>. If the EDHOC hash algorithm isSHA-2SHA-2, then HKDF-Expand is used, which limits the length of the EDHOC_KDF output to 255<contact fullname="⋅"/>⋅ hash_length, where hash_length is the length of the output of the EDHOC hash algorithm given by the cipher suite. For example, with SHA-256 as an EDHOC hash algorithm, the length of the hash output is 32 bytes and the maximum length of PLAINTEXT_2 is 255<contact fullname="⋅"/>⋅ 32 = 8160 bytes.</t> <t>While PLAINTEXT_2 is expected to be much shorter than 8 kB for the intended use cases, it seems nevertheless prudent to specify a solution for the event that this should turn out to be a limitation.</t> <t>A potential work-around is to use a cipher suite with a different hash function. In particular, the use of KMAC removes all practical limitations in this respect.</t> <t>This section specifies a solutionwhichthat works with any hashfunction,function by making use of multiple invocations of HKDF-Expand and negative values of info_label.</t> <t>Consider the PLAINTEXT_2 partitioned in parts P(i) of length equal to M = 255<contact fullname="⋅"/>⋅ hash_length, except possibly the last partP(last)P(last), which has 0 < length<contact fullname="≤"/>≤ M.</t> <artwork><![CDATA[ PLAINTEXT_2 = P(0) | P(1) | ... | P(last) ]]></artwork> <t>where|"|" indicates concatenation.</t> <t>The object is to define a matching KEYSTREAM_2 of the same length and perform the encryption in the same way as defined in <xref target="asym-msg2-proc"/>:</t> <artwork><![CDATA[ CIPHERTEXT_2 = PLAINTEXT_2 XOR KEYSTREAM_2 ]]></artwork> <t>Define the keystream as:</t> <artwork><![CDATA[ KEYSTREAM_2 = OKM(0) | OKM(1) | ... | OKM(last) ]]></artwork><t>where</t><t>where:</t> <artwork><![CDATA[ OKM(i) = EDHOC_KDF( PRK_2e, -i, TH_2, length(P(i)) ) ]]></artwork> <t>Note that if length(PLAINTEXT_2)<contact fullname="≤"/> M≤ M, then P(0) = PLAINTEXT_2 and the definition of KEYSTREAM_2 = OKM(0) coincides with <xref target="fig-edhoc-kdf"/>.</t> <t>This describes the processing of the Responder when sending message_2. The Initiator makes the same calculations when receivingmessage_2,message_2 but interchanging PLAINTEXT_2 and CIPHERTEXT_2.</t> <t>An application profile may specify if it supports or does not support the method described in this appendix.</t> </section> <section anchor="keyupdate"> <name>EDHOC_KeyUpdate</name> <t>To provide forward secrecy in an even more efficient way than re-running EDHOC, this section specifies the optional function EDHOC_KeyUpdate in terms of EDHOC_KDF and PRK_out.</t> <t>When EDHOC_KeyUpdate is called, a new PRK_out is calculated asa "hash" oftheold PRK_out usingoutput of the EDHOC_Expand functionas illustrated bywith thefollowing pseudocode.old PRK_out as input. The change of PRK_out causes a change toPRK_exporterPRK_exporter, which enables the derivation of new application keys superseding the old ones, usingEDHOC_Exporter,EDHOC_Exporter; see <xreftarget="exporter"/>.</t>target="exporter"/>. The process is illustrated by the following pseudocode.</t> <artwork><![CDATA[ EDHOC_KeyUpdate( context ): new PRK_out = EDHOC_KDF( old PRK_out, 11, context, hash_length ) new PRK_exporter = EDHOC_KDF( new PRK_out, 10, h'', hash_length ) ]]></artwork> <t>where hash_lengthdenotes thedenotes the output size in bytes of the EDHOC hash algorithm of the selected cipher suite.</t><t>The<t> The EDHOC_KeyUpdate takesathe context as input to enable binding of the updated PRK_out to some event that triggered the key update. The Initiator andtheResponder need to agree on the context, which can, e.g., be a counter, a pseudorandom number, or a hash. To provide forwardsecrecysecrecy, the old PRK_out and keys derived from it (old PRK_exporter and old application keys) must be deleted as soon as they are not needed. When to delete the old keys and how to verify that they are not needed is up to theapplication.</t>application. Note that the security properties depend on the type of context and the number of KeyUpdate iterations.</t> <t>An application using EDHOC_KeyUpdate needs to store PRK_out. Compromise of PRK_out leads to compromise of all keying material derived with the EDHOC_Exporter since the last invocation of the EDHOC_KeyUpdate function.</t> <t>While this key update method provides forwardsecrecysecrecy, it does not give as strong security properties as re-running EDHOC. EDHOC_KeyUpdate can be used to meet cryptographic limits and provide partial protection against key leakage, but it provides significantly weaker security properties than re-running EDHOC with ephemeral Diffie-Hellman. Even with frequent use of EDHOC_KeyUpdate, compromise of one session key compromises all future session keys, and an attacker therefore only needs to perform static key exfiltration <xref target="RFC7624"/>, which is less complicated and has a lower risk profile than the dynamiccase,case; see <xref target="sec-prop"/>.</t> <t>A similar method to do a key update for OSCORE isKUDOS,KUDOS; see <xref target="I-D.ietf-core-oscore-key-update"/>.</t> </section> <section anchor="example-protocol-state-machine"> <name>Example Protocol State Machine</name> <t>This appendix describes an example protocol state machine for the Initiator andfor theResponder. States are denoted in allcapitalscapitals, and parentheses denote actions taken only in some circumstances.</t> <t>Note that this state machine is just an example, and that details of processing areomitted, foromitted. For example:</t> <ul spacing="normal"><li>When<li>when error messages are being sent (with oneexception)</li> <li>Howexception);</li> <li>how credentials and EAD are processed by EDHOC and the application in the RCVDstate</li> <li>Whatstate; and</li> <li>what verifications are made, which includes not only MACs andsignatures</li>signatures.</li> </ul> <section anchor="initiator-state-machine"> <name>Initiator State Machine</name> <t>The Initiator sends message_1, triggering the state machine to transition from START to WAIT_M2, and waits for message_2.</t> <t>If the incoming message is an errormessagemessage, then the Initiator transitions from WAIT_M2 to ABORTED. In case of error code 2 (Wrong Selected Cipher Suite), the Initiator remembers the supported cipher suites for this particular Responder and transitions from ABORTED to START. The message_1 that the Initiator subsequently sends takes into account the cipher suites supported by the Responder.</t> <t>Upon receiving a non-error message, the Initiator transitions from WAIT_M2 to RCVD_M2 and processes the message. If a processing error occurs on message_2, then the Initiator transitions from RCVD_M2 to ABORTED. In case of successful processing of message_2, the Initiator transitions from RCVD_M2 to VRFD_M2.</t> <t>The Initiator prepares and processes message_3 for sending. If any processing error is encountered, the Initiator transitions from VRFD_M2 to ABORTED. If message_3 is successfully sent, the Initiator transitions from VRFD_M2 to COMPLETED.</t> <t>If the application profile includes message_4, then the Initiator waits for message_4. If the incoming message is an errormessagemessage, then the Initiator transitions from COMPLETED to ABORTED. Upon receiving a non-error message, the Initiator transitions from COMPLETED (="WAIT_M4") to RCVD_M4 and processes the message. If a processing error occurs on message_4, then the Initiator transitions from RCVD_M4 to ABORTED. In case of successful processing of message_4, the Initiator transitions from RCVD_M4 to PERSISTED (="VRFD_M4").</t> <t>If the application profile does not include message_4, then the Initiator waits for an incoming application message. If the decryption and verification of the application message is successful, then the Initiator transitions from COMPLETED to PERSISTED.</t> <figure> <name>Initiator State Machine</name> <artset> <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1"height="528" width="536"height="" width="" viewBox="0 0 536 528" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <path d="M 40,32 L 40,48" fill="none" stroke="black"/> <path d="M 40,128 L 40,432" fill="none" stroke="black"/> <path d="M 232,48 L 232,96" fill="none" stroke="black"/> <path d="M 232,128 L 232,176" fill="none" stroke="black"/> <path d="M 232,208 L 232,256" fill="none" stroke="black"/> <path d="M 232,288 L 232,336" fill="none" stroke="black"/> <path d="M 232,368 L 232,416" fill="none" stroke="black"/> <path d="M 232,448 L 232,496" fill="none" stroke="black"/> <path d="M 424,352 L 424,512" fill="none" stroke="black"/> <path d="M 72,112 L 200,112" fill="none" stroke="black"/> <path d="M 40,192 L 200,192" fill="none" stroke="black"/> <path d="M 40,272 L 200,272" fill="none" stroke="black"/> <path d="M 40,352 L 200,352" fill="none" stroke="black"/> <path d="M 296,352 L 424,352" fill="none" stroke="black"/> <path d="M 40,432 L 192,432" fill="none" stroke="black"/> <path d="M 296,512 L 424,512" fill="none" stroke="black"/> <polygon class="arrowhead" points="304,512 292,506.4 292,517.6" fill="black" transform="rotate(180,296,512)"/> <polygon class="arrowhead" points="240,496 228,490.4 228,501.6" fill="black" transform="rotate(90,232,496)"/> <polygon class="arrowhead" points="240,416 228,410.4 228,421.6" fill="black" transform="rotate(90,232,416)"/> <polygon class="arrowhead" points="240,336 228,330.4 228,341.6" fill="black" transform="rotate(90,232,336)"/> <polygon class="arrowhead" points="240,256 228,250.4 228,261.6" fill="black" transform="rotate(90,232,256)"/> <polygon class="arrowhead" points="240,176 228,170.4 228,181.6" fill="black" transform="rotate(90,232,176)"/> <polygon class="arrowhead" points="240,96 228,90.4 228,101.6" fill="black" transform="rotate(90,232,96)"/> <polygon class="arrowhead" points="80,112 68,106.4 68,117.6" fill="black" transform="rotate(180,72,112)"/> <polygon class="arrowhead" points="48,360 36,354.4 36,365.6" fill="black" transform="rotate(270,40,360)"/> <polygon class="arrowhead" points="48,280 36,274.4 36,285.6" fill="black" transform="rotate(270,40,280)"/> <polygon class="arrowhead" points="48,200 36,194.4 36,205.6" fill="black" transform="rotate(270,40,200)"/> <polygon class="arrowhead" points="48,128 36,122.4 36,133.6" fill="black" transform="rotate(270,40,128)"/> <g class="text"> <text x="48" y="36">-</text> <text x="64" y="36">-</text> <text x="80" y="36">-</text> <text x="96" y="36">-</text> <text x="112" y="36">-</text> <text x="128" y="36">-</text> <text x="144" y="36">-</text> <text x="160" y="36">-</text> <text x="176" y="36">-</text> <text x="196" y="36">-></text> <text x="232" y="36">START</text> <text x="260" y="68">Send</text> <text x="320" y="68">message_1</text> <text x="40" y="84">|</text> <text x="112" y="100">Receive</text> <text x="168" y="100">error</text> <text x="32" y="116">ABORTED</text> <text x="240" y="116">WAIT_M2</text> <text x="272" y="148">Receive</text> <text x="344" y="148">message_2</text> <text x="116" y="180">Processing</text> <text x="184" y="180">error</text> <text x="240" y="196">RCVD_M2</text> <text x="268" y="228">Verify</text> <text x="336" y="228">message_2</text> <text x="116" y="260">Processing</text> <text x="184" y="260">error</text> <text x="240" y="276">VRFD_M2</text> <text x="260" y="308">Send</text> <text x="320" y="308">message_3</text> <text x="108" y="340">(Receive</text> <text x="172" y="340">error)</text> <text x="248" y="356">COMPLETED</text> <text x="276" y="388">(Receive</text> <text x="356" y="388">message_4)</text> <text x="112" y="420">(Processing</text> <text x="188" y="420">error)</text> <text x="464" y="420">(Verify</text> <text x="240" y="436">(RCVD_M4)</text> <text x="488" y="436">application</text> <text x="476" y="452">message)</text> <text x="272" y="468">(Verify</text> <text x="348" y="468">message_4)</text> <text x="248" y="516">PERSISTED</text> </g> </svg> </artwork> <artwork type="ascii-art" align="center"><![CDATA[ +- - - - - - - - - -> START | | | Send message_1 | | Receive error v ABORTED <---------------- WAIT_M2 ^ | | | Receive message_2 | | | Processing error v +-------------------- RCVD_M2 ^ | | | Verify message_2 | | | Processing error v +-------------------- VRFD_M2 ^ | | | Send message_3 | | | (Receive error) v +-------------------- COMPLETED ----------------+ ^ | | | | (Receive message_4) | | | | | (Processing error) v | (Verify +------------------- (RCVD_M4) | application | | message) | (Verify message_4) | | | v | PERSISTED <---------------+ ]]></artwork> </artset> </figure> </section> <section anchor="responder-state-machine"> <name>Responder State Machine</name> <t>Upon receiving message_1, the Responder transitions from START to RCVD_M1.</t> <t>If a processing error occurs on message_1, the Responder transitions from RCVD_M1 to ABORTED. This includes sending an error message with error code 2 (Wrong Selected Cipher Suite) if the selected cipher suite in message_1 is not supported. In case of successful processing of message_1, the Responder transitions from RCVD_M1 to VRFD_M1.</t> <t>The Responder prepares and processes message_2 for sending. If any processing error is encountered, the Responder transitions from VRFD_M1 to ABORTED. If message_2 is successfully sent, the Initiator transitions from VRFD_M2 toWAIT_M3,WAIT_M3 and waits for message_3.</t> <t>If the incoming message is an errormessagemessage, then the Responder transitions from WAIT_M3 to ABORTED.</t> <t>Upon receiving message_3, the Responder transitions from WAIT_M3 to RCVD_M3. If a processing error occurs on message_3, the Responder transitions from RCVD_M3 to ABORTED. In case of successful processing of message_3, the Responder transitions from RCVD_M3 to COMPLETED (="VRFD_M3").</t> <t>If the application profile includes message_4, the Responder prepares and processes message_4 for sending. If any processing error is encountered, the Responder transitions from COMPLETED to ABORTED.</t> <t>If message_4 is successfully sent, or if the application profile does not include message_4, the Responder transitions from COMPLETED to PERSISTED.</t> <figure> <name>Responder State Machine</name> <artset> <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1"height="528" width="384"height="" width="" viewBox="0 0 384 528" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <path d="M 40,128 L 40,432" fill="none" stroke="black"/> <path d="M 232,48 L 232,96" fill="none" stroke="black"/> <path d="M 232,128 L 232,176" fill="none" stroke="black"/> <path d="M 232,208 L 232,256" fill="none" stroke="black"/> <path d="M 232,288 L 232,336" fill="none" stroke="black"/> <path d="M 232,368 L 232,416" fill="none" stroke="black"/> <path d="M 232,448 L 232,496" fill="none" stroke="black"/> <path d="M 72,112 L 200,112" fill="none" stroke="black"/> <path d="M 40,192 L 200,192" fill="none" stroke="black"/> <path d="M 40,272 L 200,272" fill="none" stroke="black"/> <path d="M 40,352 L 200,352" fill="none" stroke="black"/> <path d="M 40,432 L 192,432" fill="none" stroke="black"/> <polygon class="arrowhead" points="240,496 228,490.4 228,501.6" fill="black" transform="rotate(90,232,496)"/> <polygon class="arrowhead" points="240,416 228,410.4 228,421.6" fill="black" transform="rotate(90,232,416)"/> <polygon class="arrowhead" points="240,336 228,330.4 228,341.6" fill="black" transform="rotate(90,232,336)"/> <polygon class="arrowhead" points="240,256 228,250.4 228,261.6" fill="black" transform="rotate(90,232,256)"/> <polygon class="arrowhead" points="240,176 228,170.4 228,181.6" fill="black" transform="rotate(90,232,176)"/> <polygon class="arrowhead" points="240,96 228,90.4 228,101.6" fill="black" transform="rotate(90,232,96)"/> <polygon class="arrowhead" points="80,112 68,106.4 68,117.6" fill="black" transform="rotate(180,72,112)"/> <polygon class="arrowhead" points="48,360 36,354.4 36,365.6" fill="black" transform="rotate(270,40,360)"/> <polygon class="arrowhead" points="48,280 36,274.4 36,285.6" fill="black" transform="rotate(270,40,280)"/> <polygon class="arrowhead" points="48,200 36,194.4 36,205.6" fill="black" transform="rotate(270,40,200)"/> <polygon class="arrowhead" points="48,128 36,122.4 36,133.6" fill="black" transform="rotate(270,40,128)"/> <g class="text"> <text x="232" y="36">START</text> <text x="272" y="68">Receive</text> <text x="344" y="68">message_1</text> <text x="116" y="100">Processing</text> <text x="184" y="100">error</text> <text x="32" y="116">ABORTED</text> <text x="240" y="116">RCVD_M1</text> <text x="268" y="148">Verify</text> <text x="336" y="148">message_1</text> <text x="116" y="180">Processing</text> <text x="184" y="180">error</text> <text x="240" y="196">VRFD_M1</text> <text x="260" y="228">Send</text> <text x="320" y="228">message_2</text> <text x="112" y="260">Receive</text> <text x="168" y="260">error</text> <text x="240" y="276">WAIT_M3</text> <text x="272" y="308">Receive</text> <text x="344" y="308">message_3</text> <text x="116" y="340">Processing</text> <text x="184" y="340">error</text> <text x="240" y="356">RCVD_M3</text> <text x="268" y="388">Verify</text> <text x="336" y="388">message_3</text> <text x="112" y="420">(Processing</text> <text x="188" y="420">error)</text> <text x="240" y="436">COMPLETED</text> <text x="264" y="468">(Send</text> <text x="332" y="468">message_4)</text> <text x="240" y="516">PERSISTED</text> </g> </svg> </artwork> <artwork type="ascii-art" align="center"><![CDATA[ START | | Receive message_1 | Processing error v ABORTED <---------------- RCVD_M1 ^ | | | Verify message_1 | | | Processing error v +-------------------- VRFD_M1 ^ | | | Send message_2 | | | Receive error v +-------------------- WAIT_M3 ^ | | | Receive message_3 | | | Processing error v +-------------------- RCVD_M3 ^ | | | Verify message_3 | | | (Processing error) v +------------------- COMPLETED | | (Send message_4) | v PERSISTED ]]></artwork> </artset> </figure> </section> </section> <sectionanchor="change-log"> <name>Change Log</name> <t>RFC Editor: Please remove this appendix.</t> <ul spacing="normal"> <li> <t>From -21 to -22 </t> <ul spacing="normal"> <li>Normative text on transport capabilities.</li> </ul> </li> <li> <t>From -20 to -21 </t> <ul spacing="normal"> <li>Recommendation to use chain instead of bag</li> <li> <t>Improved text about </t> <ul spacing="normal"> <li>denial-of-service</li> <li>deriving secret and non-secret randomness from the same KDF instance</li> <li>practical security against quantum computers</li> </ul> </li> <li> <t>Clarifications, including </t> <ul spacing="normal"> <li>several updates section 3.4. Transport</li> <li>descriptions in COSE IANA registration</li> <li>encoding in Figure 5, reading of Figure 17</li> </ul> </li> <li>Removed term "dummy"</li> <li>Harmonizing captions</li> <li>Updated references</li> <li>Acknowledgments</li> </ul> </li> <li> <t>From -19 to -20 </t> <ul spacing="normal"> <li>C_R encrypted in message_2</li> <li>C_R removed from TH_2</li> <li>Error code for unknown referenced credential</li> <li>Error code 0 (success) explicitly reserved</li> <li>Message deduplication section moved from appendix to body</li> <li> <t>Terminology </t> <ul spacing="normal"> <li>discontinued -> aborted</li> <li>protocol run / exchange -> session</li> </ul> </li> <li> <t>Clarifications, in particular </t> <ul spacing="normal"> <li>when to derive application keys</li> <li>the role of the application for authentication</li> </ul> </li> <li>Security considerations for kccs and kcwt</li> <li>Updated references</li> </ul> </li> <li> <t>From -18 to -19 </t> <ul spacing="normal"> <li> <t>Clarifications: </t> <ul spacing="normal"> <li>Relation to SIGMA</li> <li>Role of Static DH</li> <li>Initiator and Responder roles</li> <li>Transport properties</li> <li>Construction of SUITES_I</li> <li>Message correlation, new subsection 3.4.1, replacing former appendix H</li> <li>Role of description about long PLAINTEXT_2</li> <li>ead_label and ead_value</li> <li>Message processing (Section 5)</li> <li>Padding</li> <li>Cipher suite negotiation example</li> </ul> </li> <li> <t>Other updates: </t> <ul spacing="normal"> <li>Improved and stricter normative text in Appendix A</li> <li>Naming and separate sections for the two message flows in Appendix A: Forward/Reverse message flow,</li> <li>Table index style captions</li> <li>Aligning with COSE terminology: header map -> header_map</li> <li>Aligning terminology, use of "_" instead of "-"</li> <li>Prefixing "EDHOC_" to functions</li> <li>Updated list of security analysis papers</li> <li>New appendix with example state machine</li> <li>Acknowledgements</li> <li>Language improvements by native English speakers</li> <li>Updated IANA section with registration procedures</li> <li>New and updated references</li> <li>Removed appendix H</li> </ul> </li> </ul> </li> <li> <t>From -17 to -18 </t> <ul spacing="normal"> <li>Padding realised as EAD with ead_label = 0, PAD fields removed</li> <li>Revised EAD syntax; ead is now EAD item; ead_value is now optional</li> <li> <t>Clarifications of </t> <ul spacing="normal"> <li>Identifier representation</li> <li>Authentication credentials</li> <li>RPK</li> <li>Encoding of ID_CRED with kid</li> <li>Representation of public keys, y-coordinate of ephemeral keys and validation</li> <li>Processing after completed protocol</li> <li>Making verifications available to the application</li> <li>Relation between EDHOC and OSCORE identifiers</li> </ul> </li> <li>Terminology alignment in particular session / protocol; discontinue / terminate</li> <li>Updated CDDL</li> <li>Additional unicode encodings</li> <li>Large number of nits from WGLC</li> </ul> </li> <li> <t>From -16 to -17 </t> <ul spacing="normal"> <li>EDHOC-KeyUpdate moved to appendix</li> <li>Updated peer awareness properties based on SIGMA</li> <li>Clarify use of random connection identifiers</li> <li>Editorials related to appendix about messages with long PLAINTEXT_2</li> <li>Updated acknowledgments (have we forgotten someone else? please send email)</li> </ul> </li> <li> <t>From -15 to -16 </t> <ul spacing="normal"> <li>TH_2 used as salt in the derivation of PRK_2e</li> <li>CRED_R/CRED_I included in TH_3/TH_4</li> <li>Distinguish label used in info, exporter or elsewhere</li> <li> <t>New appendix for optional handling arbitrarily large message_2 </t> <ul spacing="normal"> <li>info_label type changed to int to support this</li> </ul> </li> <li>Updated security considerations</li> <li>Implementation note about identifiers which are bstr/int</li> <li>Clarifications, especifically about compact representation</li> <li>Type bug fix in CDDL section</li> </ul> </li> <li> <t>From -14 to -15 </t> <ul spacing="normal"> <li> <t>Connection identifiers and key identifiers are now byte strings </t> <ul spacing="normal"> <li> <t>Represented as CBOR bstr in the EDHOC message </t> <ul spacing="normal"> <li>Unless they happen to encode a one-byte CBOR int</li> </ul> </li> <li>More examples</li> </ul> </li> <li> <t>EAD updates and details </t> <ul spacing="normal"> <li>Definition of EAD item</li> <li>Definition of critical / non-critical EAD item</li> </ul> </li> <li>New section in Appendix D: Unauthenticated Operation</li> <li> <t>Clarifications </t> <ul spacing="normal"> <li>Lengths used in EDHOC-KDF</li> <li> <t>Key derivation from PRK_out </t> <ul spacing="normal"> <li>EDHOC-KeyUpdate and EDHOC-Exporter</li> </ul> </li> <li>Padding</li> </ul> </li> <li> <t>Security considerations </t> <ul spacing="normal"> <li>When a change in a message is detected</li> <li>Confidentiality in case of active attacks</li> <li>Connection identifiers should be unpredictable</li> <li>Maximum length of message_2</li> </ul> </li> <li>Minor bugs</li> </ul> </li> <li> <t>From -13 to -14 </t> <ul spacing="normal"> <li>Merge of section 1.1 and 1.2</li> <li>Connection and key identifiers restricted to be byte strings</li> <li>Representation of byte strings as one-byte CBOR ints (-24..23)</li> <li>Simplified mapping between EDHOC and OSCORE identifiers</li> <li> <t>Rewrite of 3.5 </t> <ul spacing="normal"> <li>Clarification of authentication related operations performed by EDHOC</li> <li>Authentication related verifications, including old section 3.5.1, moved to new appendix D</li> </ul> </li> <li> <t>Rewrite of 3.8 </t> <ul spacing="normal"> <li>Move content about use of EAD to new appendix E</li> <li>ead_value changed to bstr</li> </ul> </li> <li> <t>EDHOC-KDF updated </t> <ul spacing="normal"> <li>transcript_hash argument removed</li> <li>TH included in context argument</li> <li>label argument is now type uint, all labels replaced</li> </ul> </li> <li> <t>Key schedule updated </t> <ul spacing="normal"> <li>New salts derived to avoid reuse of same key with expand and extract</li> <li>PRK_4x3m renamed PRK_4e3m</li> <li>K_4 and IV_4 derived from PRK_4e3m</li> <li>New PRK: PRK_out derived from PRK_4e3m and TH_4</li> <li>Clarified main output of EDHOC is the shared secret PRK_out</li> <li>Exporter defined by EDHOC-KDF and new PRK PRK_exporter derived from PRK_out</li> <li>Key update defined by Expand instead of Extract</li> </ul> </li> <li>All applications of EDHOC-KDF in one place</li> <li> <t>Update of processing </t> <ul spacing="normal"> <li>EAD and ID_CRED passed to application when available</li> <li>identity verification and credential retrieval omitted in protocol description</li> <li>Transcript hash defined by plaintext messages instead of ciphertext</li> <li>Changed order of input to TH_2</li> <li>Removed general G_X checking against selfie-attacks</li> </ul> </li> <li>Support for padding of plaintext</li> <li>Updated compliance requirements</li> <li> <t>Updated security considerations </t> <ul spacing="normal"> <li>Updated and more clear requirements on MAC length</li> <li>Clarification of key confirmation</li> <li>Forbid use of same key for signature and static DH</li> </ul> </li> <li>Updated appendix on message deduplication</li> <li> <t>Clarifications of </t> <ul spacing="normal"> <li>connection identifiers</li> <li>cipher suites, including negotiation</li> <li>EAD</li> <li>Error messages</li> </ul> </li> <li>Updated media types</li> <li>Applicability template renamed application profile</li> <li>Editorials</li> </ul> </li> <li> <t>From -12 to -13 </t> <ul spacing="normal"> <li>no changes</li> </ul> </li> <li> <t>From -12: </t> <ul spacing="normal"> <li>Shortened labels to derive OSCORE key and salt</li> <li>ead_value changed to bstr</li> <li>Removed general G_X checking against selfie-attacks</li> <li>Updated and more clear requirements on MAC length</li> <li>Clarifications from Kathleen, Stephen, Marco, Sean, Stefan,</li> <li>Authentication Related Verifications moved to appendix</li> <li>Updated MTI section and cipher suite</li> <li>Updated security considerations</li> </ul> </li> <li> <t>From -11 to -12: </t> <ul spacing="normal"> <li>Clarified applicability to KEMs</li> <li>Clarified use of COSE header parameters</li> <li>Updates on MTI</li> <li>Updated security considerations</li> <li>New section on PQC</li> <li>Removed duplicate definition of cipher suites</li> <li>Explanations of use of COSE moved to Appendix C.3</li> <li>Updated internal references</li> </ul> </li> <li> <t>From -10 to -11: </t> <ul spacing="normal"> <li>Restructured section on authentication parameters</li> <li>Changed UCCS to CCS</li> <li>Changed names and description of COSE header parameters for CWT/CCS</li> <li>Changed several of the KDF and Exporter labels</li> <li>Removed edhoc_aead_id from info (already in transcript_hash)</li> <li>Added MTI section</li> <li>EAD: changed CDDL names and added value type to registry</li> <li>Updated Figures 1, 2, and 3</li> <li>Some correction and clarifications</li> <li>Added core.edhoc to CoRE Resource Type registry</li> </ul> </li> <li> <t>From -09 to -10: </t> <ul spacing="normal"> <li>SUITES_I simplified to only contain the selected and more preferred suites</li> <li>Info is a CBOR sequence and context is a bstr</li> <li>Added kid to UCCS example</li> <li>Separate header parameters for CWT and UCCS</li> <li>CWT Confirmation Method kid extended to bstr / int</li> </ul> </li> <li> <t>From -08 to -09: </t> <ul spacing="normal"> <li>G_Y and CIPHERTEXT_2 are now included in one CBOR bstr</li> <li>MAC_2 and MAC_3 are now generated with EDHOC-KDF</li> <li>Info field “context” is now general and explicit in EDHOC-KDF</li> <li>Restructured Section 4, Key Derivation</li> <li>Added EDHOC MAC length to cipher suite for use with static DH</li> <li>More details on the use of CWT and UCCS</li> <li>Restructured and clarified Section 3.5, Authentication Parameters</li> <li>Replaced 'kid2' with extension of 'kid'</li> <li>EAD encoding now supports multiple ead types in one message</li> <li>Clarified EAD type</li> <li>Updated message sizes</li> <li>Replaced “perfect forward secrecy” with “forward secrecy”</li> <li>Updated security considerations</li> <li>Replaced prepended 'null' with 'true' in the CoAP transport of message_1</li> <li>Updated CDDL definitions</li> <li>Expanded on the use of COSE</li> </ul> </li> <li> <t>From -07 to -08: </t> <ul spacing="normal"> <li>Prepended C_x moved from the EDHOC protocol itself to the transport mapping</li> <li>METHOD_CORR renamed to METHOD, corr removed</li> <li>Removed bstr_identifier and use bstr / int instead; C_x can now be int without any implied bstr semantics</li> <li>Defined COSE header parameter 'kid2' with value type bstr / int for use with ID_CRED_x</li> <li>Updated message sizes</li> <li>New cipher suites with AES-GCM and ChaCha20 / Poly1305</li> <li>Changed from one- to two-byte identifier of CNSA compliant suite</li> <li>Separate sections on transport and connection id with further sub-structure</li> <li>Moved back key derivation for OSCORE from draft-ietf-core-oscore-edhoc</li> <li>OSCORE and CoAP specific processing moved to new appendix</li> <li>Message 4 section moved to message processing section</li> </ul> </li> <li> <t>From -06 to -07: </t> <ul spacing="normal"> <li>Changed transcript hash definition for TH_2 and TH_3</li> <li>Removed "EDHOC signature algorithm curve" from cipher suite</li> <li>New IANA registry "EDHOC Exporter Label"</li> <li>New application defined parameter "context" in EDHOC-Exporter</li> <li>Changed normative language for failure from MUST to SHOULD send error</li> <li>Made error codes non-negative and 0 for success</li> <li>Added detail on success error code</li> <li>Aligned terminology "protocol instance" -> "session"</li> <li>New appendix on compact EC point representation</li> <li>Added detail on use of ephemeral public keys</li> <li>Moved key derivation for OSCORE to draft-ietf-core-oscore-edhoc</li> <li>Additional security considerations</li> <li>Renamed "Auxililary Data" as "External Authorization Data"</li> <li>Added encrypted EAD_4 to message_4</li> </ul> </li> <li> <t>From -05 to -06: </t> <ul spacing="normal"> <li>New section 5.2 "Message Processing Outline"</li> <li>Optional inital byte C_1 = null in message_1</li> <li>New format of error messages, table of error codes, IANA registry</li> <li>Change of recommendation transport of error in CoAP</li> <li>Merge of content in 3.7 and appendix C into new section 3.7 "Applicability Statement"</li> <li>Requiring use of deterministic CBOR</li> <li>New section on message deduplication</li> <li>New appendix containin all CDDL definitions</li> <li>New appendix with change log</li> <li>Removed section "Other Documents Referencing EDHOC"</li> <li>Clarifications based on review comments</li> </ul> </li> <li> <t>From -04 to -05: </t> <ul spacing="normal"> <li>EDHOC-Rekey-FS -> EDHOC-KeyUpdate</li> <li>Clarification of cipher suite negotiation</li> <li>Updated security considerations</li> <li>Updated test vectors</li> <li>Updated applicability statement template</li> </ul> </li> <li> <t>From -03 to -04: </t> <ul spacing="normal"> <li>Restructure of section 1</li> <li>Added references to C509 Certificates</li> <li>Change in CIPHERTEXT_2 -> plaintext XOR KEYSTREAM_2 (test vector not updated)</li> <li>"K_2e", "IV_2e" -> KEYSTREAM_2</li> <li>Specified optional message 4</li> <li>EDHOC-Exporter-FS -> EDHOC-Rekey-FS</li> <li>Less constrained devices SHOULD implement both suite 0 and 2</li> <li>Clarification of error message</li> <li>Added exporter interface test vector</li> </ul> </li> <li> <t>From -02 to -03: </t> <ul spacing="normal"> <li>Rearrangements of section 3 and beginning of section 4</li> <li>Key derivation new section 4</li> <li>Cipher suites 4 and 5 added</li> <li>EDHOC-EXPORTER-FS - generate a new PRK_4x3m from an old one</li> <li>Change in CIPHERTEXT_2 -> COSE_Encrypt0 without tag (no change to test vector)</li> <li>Clarification of error message</li> <li>New appendix C applicability statement</li> </ul> </li> <li> <t>From -01 to -02: </t> <ul spacing="normal"> <li>New section 1.2 Use of EDHOC</li> <li>Clarification of identities</li> <li>New section 4.3 clarifying bstr_identifier</li> <li>Updated security considerations</li> <li>Updated text on cipher suite negotiation and key confirmation</li> <li>Test vector for static DH</li> </ul> </li> <li> <t>From -00 to -01: </t> <ul spacing="normal"> <li>Removed PSK method</li> <li>Removed references to certificate by value</li> </ul> </li> </ul> </section> <sectionnumbered="false" anchor="acknowledgments"> <name>Acknowledgments</name> <t>The authors want to thank <contact fullname="Christian Amsüss"/>, <contactfullname="Alessandro Bruni"/>, <contactfullname="Karthikeyan Bhargavan"/>, <contact fullname="Carsten Bormann"/>, <contact fullname="Alessandro Bruni"/>, <contact fullname="Timothy Claeys"/>, <contact fullname="Baptiste Cottier"/>, <contact fullname="Roman Danyliw"/>, <contact fullname="Martin Disch"/>, <contact fullname="Martin Duke"/>, <contact fullname="DonaldEastlake"/>,Eastlake 3rd"/>, <contact fullname="Lars Eggert"/>, <contact fullname="Stephen Farrell"/>, <contact fullname="Loïc Ferreira"/>, <contact fullname="Theis Grønbech Petersen"/>, <contact fullname="Felix Günther"/>, <contact fullname="Dan Harkins"/>, <contact fullname="Klaus Hartke"/>, <contact fullname="Russ Housley"/>, <contact fullname="Stefan Hristozov"/>, <contact fullname="Marc Ilunga"/>, <contact fullname="Charlie Jacomme"/>, <contact fullname="Elise Klein"/>, <contact fullname="Erik Kline"/>, <contact fullname="Steve Kremer"/>, <contact fullname="Alexandros Krontiris"/>, <contact fullname="Ilari Liusvaara"/>, <contact fullname="Rafa Marín-López"/>, <contact fullname="Kathleen Moriarty"/>, <contact fullname="David Navarro"/>, <contact fullname="Karl Norrman"/>, <contact fullname="Salvador Pérez"/>, <contact fullname="Radia Perlman"/>, <contact fullname="David Pointcheval"/>, <contact fullname="Maïwenn Racouchot"/>, <contact fullname="Eric Rescorla"/>, <contact fullname="Michael Richardson"/>, <contact fullname="Thorvald Sahl Jørgensen"/>, <contact fullname="Zaheduzzaman Sarker"/>, <contact fullname="Jim Schaad"/>, <contact fullname="Michael Scharf"/>, <contact fullname="Carsten Schürmann"/>, <contact fullname="John Scudder"/>, <contact fullname="Ludwig Seitz"/>, <contact fullname="Brian Sipos"/>, <contact fullname="Stanislav Smyshlyaev"/>, <contact fullname="Valery Smyslov"/>, <contact fullname="Peter van der Stok"/>, <contact fullname="Rene Struik"/>, <contact fullname="Vaishnavi Sundararajan"/>, <contact fullname="Erik Thormarker"/>, <contact fullname="Marco Tiloca"/>, <contact fullname="Sean Turner"/>, <contact fullname="Michel Veillette"/>, <contact fullname="Mališa Vučinić"/>, <contact fullname="Paul Wouters"/>, and <contact fullname="Lei Yan"/> for reviewing and commenting on intermediate draft versions ofthe draft.this document. We are especially indebted to the late <contact fullname="Jim Schaad"/> for his continuous reviewing and implementation of early draft versions of thisand other drafts.</t>document.</t> <t>Work on this document has in part been supported by the H2020 project SIFIS-Home (grant agreement 952652).</t> </section> </back><!-- ##markdown-source: H4sIAAAAAAAAA9y9y3Yb2ZUoOOdXxJUGAtMARACkRMlOVzNJKkVLSskk7cxc VbVUQSBAhgVEwBEBUrQye/WkR/0FPer+il53cEftP7lf0vt5zj7xAKl8uFzN cilJIOI89tlnvx+DwWCrSqtF8jw6Xl0ly6SIF9FROp+nyeBlslgs4yx6e50U 0eHbs+Ood3z08u3h9tYsn2bxEt6ZFfG8GqRJNR8s4g/JIJld5dPBeLwVX1wU yTUMii9sbaWr4nlUFeuyGu/sPNuB74skfh6dHR9u3eTFh8siX6+eR68PXh1H 38LfaXYZfY2fbU3j6nlUVrOtcn2xTMsyzbPqdgUznxyfv9ia5lmZZOW6pMGT LfhgBu8+j9awoP2tVfo8ehhNYQvrMonioohvo146j+LFIrpNyu0oL6KruLyK rpIi2YqiKp8+xy/g1zIvqiKZl+7v26X9E56cJavq6nk03tqK19VVXjzfGkQM lK///v8UMOdZsoizWVLg2+uCvzKf5QWs87hIp2WZZ9HBV/CRA5p8im/CKpIK ITUYPdmN9neiM5j7w1W+WMK303ydVcUtfH2TzBJ8PlnG6eJ5dJnDCoalzPa/ JDLgcJov3TL/kF9l0bsiWf/9/4rexFUlM6ZZWqXxArb6B7vy5oO/6gb+Aosb LmWy9vW/gC1Ok3IaR+/iRb68gIUHCzYf/qpLnes6hiudMlzwVpYXsJX0Onm+ Ba+dvjgcj0bPnvOvk/FT9+ve3lh+3RuNnuiv+0/0gSdwdfTXZ0/8r26Ep2M3 wtOnu/v667M9fWB/NH7ifn26q79Onulr+7sjHXf/if11or8+HbvXnu6O/a9P 9ddnuzrbsx23HPhVR3g2erqnv05wF1tpNm9A6Nm+A8B432119GzXbXW873ft f32mrz194hc6eeJ2PXnqft3ddb8+mzx1C93ZcQt1m4I1P3FrfkafngyOhkT4 irgqBwnQKfshUcMi+WvZ/LQqYkCX4PNpXiSDvKT/EAmtfVsmg+lFXgySDAhc MhtMk6LqHOBDcjtYr2ZxlYRz36SXg+m6uMZ1rYoECGcFIAcKGjyW5lW+Kgdl Ao+m1e1gVcAH03wBUyxXcZECUrvnC5x5XlwOZkk1KNPLcnCTVleDLE9LN7fS IN47ksq/6Vdx8eFDPoiL6dUgzaqkyGCU6goYQzVYwjYXg8t1OsO7BUgBr5y9 G+zv7Az2nhzgAECD4+ISr+tVVa3K548fz/J0CBf98Whn+GRnvP/4m5Oz8+HZ u6G8VEz4LWZ2pwnsZ5lkMwJBBPgHBCMtBt/C0qNXAMHjsoovFml5BQ9V0dkU eWMZ/alE1nSUltMiqZLodX4JIKmultFhcbuq8ssiXl3d0jwlkICkRMzm1UbR A1zQg+fRg7NVMgUKG71bwwRTXoAsEtZ1nSKTiyYP6DXlLTzEQP6LVBoI9PEw +gqASOyk5evXw+jwiihVy5cHw+g0v4RfP9x2PvDnGBjuIrluf+B0GB3FsFr6 lNAtOlgV6SIa74z2zYGNdvY//8DgpWJ0x4HBMUVHAOZr/ojP5l2ZrGfI/Wb5 MnqxzqaE4j/1SGAZ/khG9zgSC3OByfoSxB4ACkhFBBQad3/vJ8Bkf89C5Ozl wWDCAEhmfqvRFL54ddyPXr05OOxH5+vVInmJQg6ABHAc5LtFssAPfjJM9vfu AQiSLl4lizLpwK+zq/XgL0kG4Iqzyw4MA3ntXVIsMsFwBuhRMk2WFyCSAp49 QZAeJZfxBWxjkYxG7VAFegcUZpjG04KgC2+OHj8ZBeB8m0XVVQLrTvG+C/mL 8nl0nE3xcuP2EYRn6WUWV+sigTVGx2/+fA9QDKN3Q7PKzvv2OrkCebvjwr4a Rl/DQACCgsWVlme+oZnOlnFRtT/wBr5FuXbRCdERQhRR4N0fD9uBOS2L6TBL y2p4mV8/flfkf0mmVfl4lZfV4K/rOKvWy8HUkMPH8/ivpYX0O3zyj/xkQDij Fwd/LFuvzoSuzvHh1+1Lurm5AUYzvaTDhV9Gg+vxcDWbB9elgtOLi1lJtOMY NJxpiqQ9WMAo6sEs0WjbrOINYCFqLbSEk6/fdLAfXINDMN7/7OIxcje4n4Bx O5PHh6ffvzt/+3i0+2yP/mksEUePBtE54OEj+CMbwJIHbw6mj4CyAiOOp1eg eQBYAFGzCu8kXPyasoYoelIhpyIERZQ+eXU8eCdsvLwbXV8Oo1dFfDP92+0H A4U/rLMEwUAn8fLV0YtVvEqKe1+3ncfjJ7v1/T4wsE+n0fFHFI3cRQvJ+3OC Ck4szPgeNKh9J3yeox3cyPkVCp7IQsf3Jh3j0eO9nWeNvbxFLRM5EIK8BBUk AkEsWoFQwQg3G+/tjZ7RzuCYvuO/LuISjvDV8Zv7cXu/3BamO6are/jNWQeC JtnwJv2QrpJZGtNW8K/Hh8hVCyT0778hQMMvSv3eHyxAkUT55v3ZOq0Su1// XqTvearp3ov8exv3Botuu/dAoeHjr9eA7aCinyzW2WU8Ht/7oMaPR0939kKM i4H6rRcRCqoR3KwBXqUB3jWYFje1Wle6nQP457ZMS2QCeKhky4hep5dX1U2C /9ZuIiLs8ccp8rMk0gt3j4N9AZT97/+DtthJtXnv7TSbBYs/xCQgjSft4LmK F8M0K+Do5wX+MdiZ7I/gFowfW/gcRCjmFwnsqgSy1Y9IMVsw1q6rfEkbjVsB o5rC3Rs+HOpqOzH91SJJO5jcGd5qtFR1AusUBl9Pr/LKwOvttMotuA7zqkqT 4h2ye6An1/GiC7Hi4mN6TSgVX5SPx2O4+zuTvWfPAsrtMP9nguaroa6s/fsj 4PB+yWZ/Z8mqChHim7yAs8vGO/fa1s7O0+FotDt+arf1gk/fboo3RKgeaEhI 4w5B/AQSnmaAIyf5OeDodTpN7sFyQLaR1bZ//2cQW9bIveH//tL1EAhQXxVr sve0AoUIPj0x6lBISIxAMnKZFHBk84TsjXBxZglQz8d8FwbXwJPmIhAP8vkg UbvpYMas+IpZ8SCHJ1l5J53+8ejJeH93srvfAuE/mzEJyve3xd4J3AAujW/P AbTx1SL6w9//OwADzamdz31d/P2/ZxcJCCHvEpRCux6F6w0s+u//o3DCLJ/G NwAQFTNJQTy8yIs3SYeUCd8Nl0lAnQ6/ensavVvEt2gvzmb3IjRf5fVlCP/f 5zsipormAsiKoReX7gl9Mryqlgu7KBRLaBhH8tEyuUzQrt03+vzu3csFGIO6 U6R2tX9YL3S5g8EggrtKQtLW1vkVXMhZPl3T9StRWQNEKT8DdfpRHMFnt0Tz YUyi8gvD3uJNgiZKN4lyO2Kn7iLgd+XQ077rdAYLW66rNbISPyjAhTjMDYjl oIlOi2R626dVwAvwCNBTPICEZEIdD3aN1qJsBktCorMu40sSdaeG+pTTJIuL NC+Zc0VL+JicANMY5eISxehE6RfKY2/PDt+eHkdq9sLBquRjBfhzGxUJC3YE O5zSajd9xkr8mKxz8CBv4TA/eEcfw5qycpUXVZ84QjybpSJgoDEvKtO/JeSj uECJcVXxkSzymyGf+DKdzUBn3HoYnWRVkc/WBA34+2H0Jq9EOt7aehNnt/gE mdGQhAB+ZJdl1ANCvB3NktUiv0VMKWE7f12noL4CXK+yfJFfItbcgAAOgICP r+DoAeVAuCd6B7hVg22SXadFnvFgnz6JLfbHH4dE82dM8wHit7gj+yKMc42H sobp4tuyDx9MF2uEWLRMlnkBsCyrvIDj7OO5T5H8wnfTGJATzoTBuspvkmJI tw7GzhA3rvHACNJXCZxumQD/xK3jEuJFCSf98Sq9SCu/GFh4ucb9ltE6K5JF CoiQMPrnZQmnD1idJQtYokCjAGQp0ilegwt47CadVVe8ntltFi9BeanyFcLy lpeG3il0LUXx9EOW3yyS2SW8WuGVhZ3BZMvo4hZ2yypp+jfcZxwVdJfg7Owl VBLEqAxoDW8XcPOTMr3M5A6QlpefW4jiR5YfgwLprDiOUPUQSft6iHvjH38E ogBvTZGcfZXCFbqN3l6gfg+EzNqM4U3AenkTLf70JplH8IEpDoL3J3qZxDMk OyRVEjsFDfvw5aG++nS8C68OkZwlUZbIfkoxPfm9M3UmdKgJGRa1YUYgDCWf OlxxUsX0Ss9yogKfPjWN9IS8S7yjiO9w+khigSWXsJVyI/7jjcFZsjVxNjg7 Yk1w6dMVn5juAXC8JFKFFx4wi29cOudLD/ediADSnSK9WFcJrv8yz2f+Jk4T RBrCADphpSsRChqAPuUSHZtmJfEszdE9tcT5igRIB763AGqeTQEea5oDvr9c unMF4M/WSP9upwt8K6mmQ5D/clROotSDCCAK8IEXAKMdGdNNyd2HndO9A0UC rtACT5DJZwKDAFDtyclimHrQlb9IF/AqUBJ4A0gaslOAUgw3bo0SWjRPi+UN gp99HSBz5MukgRGECYRXMHq5XhG8YqJDCZv31uidWNyGELW0EYgR8KAMnaKw jeQ6yZjdAcDhpYWnQ8CjtrZoFQ7nynyxZqssoTXSHEeeko+AX7DAAq4IkA1i I3LZ0MZIJAHwx5gfe8iB5Oagbw1ujmH8F3EJFy/29xzw+xZOzS8mKZg2J2r8 wv2wSwmRHFfgDzv5GC9XC2KWuiodqC7rnx6fnaNSfWxvRo9Zql70J6MJLlew Hg4mIHKoDIKIKvTJrZjuMxENOD1iqMKJEVbEZAEgcHURb5HMBFydLs9fQeQg fh5YmlA+4RPRmTylUcZA3B7n0H3gNQc0BIjNVjnxEMRzkKxRfri/qKQzgeRT 5EsBSAkkJxEZqMLniSmirRfJoEgHMzb1oy6ES2wfFobK14sZIz68ZKD8W4QP kOFrFBgv4pCyIJFD2QjpRrJKaBsgMAEFGF4O+7X7WSQXeU7UGGA4R4EChywS WXgAWUDvEnDlt/gojBBf5+lMaBBiLcwbu/stbmBCAbolfNOWKNuoYGHlR7wi lTe4VekyGf5SknG3INwOd5ZzcUmEeBazAM4V71W5c0PobRF4mZ9O0xXexhLt aACnSwB7zOLwQSBIK5KwRRH+LuKbaEWuG0b33um7VxTx4j8kSsx6Z8LMSmTD kiVVIzIQ5pAgD7tYrSuc4Qp4FnxO+vAtvAFH4e8GMUYM+EGEpRORg9A7zrSY ZyqSeVIgQiBGzeGyJjMmuIQf7m4TC0scI0W2dwXEsx8BvwxeYskPZeFYuA9A BnXPmZA6nFSGKYdbrFjMctg3EL8IDq5g4qgMAy7NQK4ogq337gxAGSoySDJq nxDuliwP1TDOHszFrds/oRPuEWg0Ui5cAjH1QHag7fLFIIaSIp0uaGWztGTx QY3obYrUlmx4CeJPSVoRwBzF1MxjMws8rGsAB1SiyB6KT5/ovz/+yESRtd/v votWcYUwh+/pI/yeOBjb9cmZcfxxhR8RT8DIFpS8eDWwjrJdxTIbsTYSe+A9 f7VwiPevElXMvk0uovP8Q4Lc89tzFG+/PY8OF3G6hN0Are0dHp7Bp98N93ae ieKGrylbpM/hIfh3O7guAJMkgX3gmQ9wKSjG8vqdxsubiOLLlHiQl98Z6wXy 8zV5E2O1mfNN9LuLMODNSsAg47gzTGuagOgrgS7s9SEKrANFKBEBm1A8rUj7 wbdBCh2QgqUUWRQ8jJr58UfPGgGL1yDPsc7x5DwFiZ5h9zo/jb89+AaIE6vc OUkOcAXZB6JLrog13ZvG4rvKhdNhAuzIkKP6Ncxwx6xp0CANKyWKiGoK8Oy+ usrhs4t1uiDaRsKG0YuAaFzni2uE36OKNOtHYvRQqgJKIOisKL7nC9TQEEGy MsdfyAYxrdYxaLdlYFJwrCvU+NIlSc0lLkwsE6JwsQSIq9v+TGsCXFNUKpBK g8wBBx4IUcGkhQICKDkrUXUlBjblDhNJ5gUrPYDrQATgkkwJPZw8Deh6gGgM h7RwrD1FqwPcyzxL1Fru2QepFR6H4dhIULCfCYoyePFtkVtlDBYyMwRKLn5Q tY709NDjaJlfICxWV7CK7SEbTQZVPqAzJkOTuCRL1rJaFsAAI3mrSBbJNepH cLioreWIIG5PNySYIbbC6WTJHC4iiYC4tprGrxKDwMWZIQXqUxxJRTM4aRRC CZax06BYJymdeQDUJdA2UELqiyTmJWWQ4OBfYkbeDoTHirJivECjxy3eVpRH 2UGUL9PSndoiR5glxZLtfmyaEoZ1hvh4zKpECURLfvOehJCz4cQgwAInIk19 nl4O6AtkJXxj0MaOvBKk5BRVfRioRgFoHw6vr9gAAVgJ1wyt1gSRkJs87+DS NBLKsi7kAz8BuKesDmetLCZ63MpjlJI+I2oi8ytokVK5zwrZ6qMP6eyR1fb6 cg+YKQXCW31ACmu+jhfrRAf7uFfpYJMnO8h3D0q6URrW11fBSPUAEBgb1lrv 07IHx8hH1x0OpxB1EkmokCI4ciSx8Mfo8VPFm6Pz12fRaDiBxcJJXoE0Iusb 7T4FGBF5PT48eslqmNeyo5Mj5b5n8skYx/ycGEbY/9bW/9r+E8VxeX2Jxtef +OOs+sGPWMaOXqL3rHSfOtzCT1vfrA/f/mn7pIBC+isgQPunP2unggbvR3bW ydM7f/Vvju2bu3vu1719/W20454ZYdCWvjmxb46e+dH9F0/9nM92ftZGz/MK mFf4M9px2x6N3XLHoyfu193xz5m0A0G3Pj2PHjrayI6oLx/cRVvhSl7cAq0Y PgAyS5xrEAPbyb58ME2Qzz34kSj3kSrOZyT/A2aycbbAcHe0len1dRo2OoaL yziDWWbIVecgAOU35XO4nxfx9AM76+BC5+tqAYyzlNWFAh8rSzVC++kTMt3r NLmB10HOnYJuI8Kzk0iA5bLBSbfdD/VsTCIQvZJEDGcEMDoYzoRh07A7FHOd xQBfILXKhSHhk3F5uwweUzgbp4UXd+/cJnGYTv6DEwJJzYsGBOhTI5B9+jRb O4U9eJoXosps4JNigdCpvkiJF17DNgOymPXp07JKYWwQG6qSeMciJfORGA7o JKyo6VIfInIHpGKRXZfMI+LVCuQjtOsQ9zGy46dPyk6IVCNmnoOIkZJVlnWp UzNn9Bo0hTWu+dNDFEV+ZKTFwwNMBznhwZs/nZ0/6PN/o2/e0u+nx3/808np 8RH+fvby4PVr98uWPHH28u2fXh/53/ybh2/fvDn+5ohfhk+j4KOtB28Ovn/A QHvw9t35ydtvDl4/YA5rrVNkJiFtiGTNFYaV4yXa0tMjMH11+O7//b9HuwCU /ybZI3AG/AemcSCzBBzj2fIMtDr+E7DkdgtBHLP4vEBT4gr0PfRswUVlSQuT n4Zbv/sXvJvR4Mm//B6gfUpSE8tjyUdA9Iot6LDOebwEdRZGJFQmoyjAu1Qe PQWlo4yC1ZOQZDxFopmfkdkQbR3iCtolEYektlJpj/Oh6MUKxCG20XrFWb+c 0JcghJEYGApjRgzzqoP6vI7iKo6OQDTPSKvyWNU7PDp67W3ZO+TvcsZsQmcU qT+Sl4v3N8Ox/EaGkSXQXvmCcQnMos/OWPLF71FG+xYFKzIPkdMDzeCkB1ZN i1q8QK8qP0wq9hHKu3BjyI1Fyv6xWDV4djcATyqyVBntDsfDES0OfyPRypwe OzjF9QEkHY2BpMaEhC4xbovQK1kT16v4cpvUPQxMh8vCBk+kFg/6wkrcuWNa lJADIWpvmafArTesRo0jnkJ7raE2O+gEV/msbHAHH9WzyZj/vE7KyfrQScvV ECpCq+OHZAWwA4kVlxc3jF6sC1I4ZkkVpwtabJP90d2nxzq2WEeyqsnUDWVC VxYZ+3o2EHmbtWqiAbcCtBxoFin23oci/jF2+XmHJHrdYo4aEAPiMHqdfiDn w8mr4+uxWlyeobUJN9Q72lYlgVFwdxe+MlpC/95cNi29dSfWpei581a9a4b+ HpzoFXcWvRZzahRfAgjRk8eGLhA3ABNLNTogS7uVpMpKr4DX5w+QGy4QBgQA Z1ZBQsHnis+/OTiUQFXYU+vaBydm0HNv3Y7m6FnuAcLKDQRUzFdiMZrniFj6 KJ1tQ/m+XMZ1XUn0oxPeE0gTn/9zmoD0QYmwP9z16Nfvv7vrkR+2fvPThWz9 +f0Pd6/lHj9ulK/ff99HgtsDdfX9IQgZ74Fsw/n1otPf4oH2Iv0Qdoj/fB9t 0//JKL/7+Vv6zS+7oyg6OD448vs5kf2c2P2c9HnneGx+P/9sZ9SuTAGuqzL1 WTeO+f/FrVO7kOBGO0PQqGDwTmXrXMgDMijhKBwLxRI9iWyZCu9i0kYiLpzS 37/eybYIxHKrot4piSeJRKf4R0uKj/FKe4/tKF7NIiOoNb53KExTCpVHI37o u7a293enr94Dk5NAKfJeYyI9wKcIIxWYQqsUJbQ1eACFKaBCXxBe4XB4XzT4 Bo1E7esksxDDBiNgUCBghyCNxQjLYhjdRTdijYVaVxOa+IHgO1LOk7XZIDfO 7S4RZ+woiaAVKCDEqMfajlJt4LtWe0uCxQmC+vNWAdehRstS8BLDHR5G25rg 1jvlP2Fc1OQcJ0Uf0izxkv+K1OIGuPDsN24eySIgKJETiRtDCqITlkZ67HfL lSxleAcI4ggPpsyvfozoDBg4t5xxuCGmqdxAZyexFizZkocCVO2crNMG20lq RX0VVyZxSQF/39qysSlTzG3GK/Ngvl4sBnMOC3xgYjcweMjsqEXKKzhMDr3q IvnMZuVzBOo5YgVoXauKrL8AxZ78F87CafQAo+3o/OV7EDXg3wn9u8sYh4aB 0NrBnqvSLik8DXctg8yZBQo8swRVezLUNwDqLm1IO3A2t5LOY4fdeHHeO/Fh EQedsk10mZLvjoIe8gxjx1xcw0lUi0Vjupk5QoQKeY0UkahEDkXczikNw0to BO+ATgg3NSkkEhlXwBFr0VxSdhntaiEhfDPRgh2EfZDj24SE0GNvmOGQn7gv diGy5Lhg5BWeYHYpgy5UAZlbq7r3P4ACq2QRKFIQ06eGG8Y9S6M8ElexrOvc RyjOKZarUAyCi/e3gLA3vdmoTvOhs/8fuOZlYURvxEuKf3DVIzgIY5UDA7pY YECgYzVON5O8cHc44XbwcimesteEPn+PSYdMbGRKDKKiOOaOudU9gWIFl8T5 MJv7UAfY5pxVOiIpdsvoFi+7A/LtFKjCkeXFXG+JLfX2Em/i4IDKW46joXo4 HHnIcYgaVaceZhfBvkgvCgyWLL2qxkpZv05dU43lQU4Da+TphCOZC+SgoPgG hKqLwZWNMBvD7fpqG2LdDH7J55iQgyASKcT5T7v4FIaL5RxCg0hMvkHVvch3 bwI1Qoe5wxokBevlEoD0N2u9gQfxOTKYJCU64qc4ojFOs5UojS+zHC00aIAV TGqYg9oqiJBa9tAHcx8rj/j00IlzZDf9OslQLmKBM0xII3822XIJUgVg7RJj 0mGlt14Q7Tl5se+9Nv7XCbHwTtLr3t4VVg/PBrZrdGEDhick7jal2jiUa1m9 zWczvz7yGlNQ4210wkdGYbrw5ylmAMFiRBYhfyTKwDXr+ZBdHDla565iFFPp 2i1uDatpi+jT6E3y7Eu6A5wa8jR2ibpRKUag5Iuu5AFGRN/kCk/yYLEIvTb8 yiZLKQGH6EfdzifRS0MhQWgDQKfzYrHG4AUO9qv5iMhO4AS7rrMEAnSTwEpj vuuUJcN6UYLJ6fIYH1FTeBGjEyyJAp6ohAKntCieG3cPuxvY1zJ08QTGoVMz DBMSWHumc9TwSOJEwVCUOjP38erC7n1wTnxZJDX+b+TGHkqwfRK3tnV3JbHX pBa5KXrWtMQgaEeSzaiImBiQp8SGkFgjNJLZfRi1zpGSFvcG87w1dgxdMZaD G/cUIdBcE3Q+fVriewN8j4B1HqgTuMq7Fbl4ToEiKO06JuqphWK/CkZ4vO+6 JS2cElllMkdeeSE3nZ1FVMuEw1kuE7J9ctBAOOGw9sEusSqORoLLgn6vki2e /zgj15vj85dvAXXO/nRyfnzGVpPv+nic/QhwKnSni9HiH2FAaXXnt6zllzUs eVvZIRrEQoMZq57v8+I96IjIdxA+Y2NY+keYylqDFTbs6Of81EZpM7qFMJkw TCYOJjzKPxJfJhuf+lXgUvthMCEcdgM4tIzyu0H0c//vvviye8eO2gyRxIo1 qKPJpENvWgenvsv2yDF6pDZ+esgGS7FIsnpbJUuhUUhqG/ZC5KyDZXk5GiBD JmdoSkIFqWmJZPDNbzt8furYCgITOuLnnRfnjjCJuLR8jOQMgEiHM+x5tNOP QJodsxQ1sQobP0IcsHQuWJYI4u4VtG2Tsz1ZjKeoPJViaqkbh2iX6sFN3laz qthJUFJ2HkmZusVuwlKohpYjxMgrTCk5ki9cmmNkLdFGaVBMhsovrTtkh2SH Z5HYsyDAZ3pQGxJGw2DpsvdILhd5jHx44oMWczsrz6F044L0WahglbTDnRVS y1ba2f4hUAK5SeeAMtEPUYvM8IPZTws9+zMFav5QxwusstH+4dZvvrQ/4V8b Pwzo1g4MHwQg6mrbPgzeHHW+aaMc294cdzx095yTzjfb5vzp59lGky1RUNp8 0GLzn5NS6c1xd9HhWuoR4zgQspnYPR3lT5MF+wQy/ioMggO1qSTTylcgdFOW B18vigORmHGOxDUaF2agezLN6V+XoEQmZMfOkhu94BzSfWgCcI0G8ukhKBzO gEe8SUMa7mFo7JHEC1LftrMkMqE1zyNMmcSxdlEoGYB1HbYPa3UdNLznRZGg lb6hYsOm5/EU6YLCtEClBovrBGEWZNRUE3/DKydc0ZmtiCEiJoRGU6Pb2HBF DuNPXREKp8dJRVd1ynXBcJYb3Mnqua6rdbHKuRicaHwaJLZp4z5rHsWBuCzz aepDKwLcU3tvx1EE1lXEvjQrRfPCcFSMkMJ0GlBY87IK8is045MWKzdjDljp wVAa3Civ0NDcggTlWtOdKVOYfCyc+4M2k+V6GS2S7BJ2Zd9lPwvaFrAGAqHQ coWBdbh9TTysRT2+zG+Sa/SwkdHGbg4ERgc34HyJc2TQB8tVFcAiuvqf/9v/ Cf9zfB2NOZQLhI4oerC383F3ZxuGpQA9iepCo8xN7jxVHOwbneciGeDbA3pb C5XQvZRk/GC5nCCEoUHq6vRJcWRU5hN1dYRLN0wAQwmEE5nQhcTcAMiUM2M5 G6pHrFGeD0P/RDvRAWQzdg/yiWP6Fln82r2OUShlMGny5hN2i6dVKOxq7ozn 3VXOpeQxCMonbUqSlL2eWS2l3R2/WwMvyQ/tl3TauaSxr/bhtvJTl1T6NblF oL+yk1Q7zzSKsgEx87TAX0fGEG/BKpl4V2oV9Way9tkoCjeKZxzDkAuFMgG/ DIm4MlFbDbrJjsRMaxkMGcFqpUwAy75C5D/jyxfyNo+f5CiIF6SBmUc4DxcJ CRJOJQwBprdeMWt3U+FWladafW6Rkd01Yhqklzm4mTTsYLzbj4ZD4CnjQLGB AQb6Wl0I3jrh0Z9H+Dr+Axo9jBENRiP+BT4CuWowYrmRRED+fLQnv4wnW8eZ dmDgbI/JE/3uQH/BAcY4wA79o6PsvNDhnrYKYHbxKoC9bcIgmTk43Sf8pk71 AHGnOQgxqUY5xF2Axrwzr+5SUDkm4unJ8TWh0OL6a4S08uIwektmywZqkEfq 1pL2BlOBA3yRuzodFAKw8xHAm5b1ZdDHvZaFeJQbjEFioUxOfHx31PmC5VM4 7vaQ5t05ap0XPt4872gSztv5QjjvzpHMO9pvnXd3BF/cZ6DRvgw06Rpocr+B JjrQwVeH7bDYHdNX9xkMH8SiSIDgJMWgS4TDc4sG7QpRB7mADw9K3HWMgxkk qjUuSpYryJB0Hzzvcfq1/ikmA0pdQMHRUh4KJ/3LmmS6FbpkZkAMpxXFhgg9 d/6/ttU5nSgt7TWIGxfBBd6YbOMT9eEymNDS8ZwNOc67q6YpO5JJwQwB3UdG PCVAsAAJTAcE7OWSCypxkkAZXSWLFZdJQcJOhU1uSA8kbYCjs8O0AI0w7qHs VFEMXEGCOYx78O5kG4gKsoaSY4QDOHHZC3IzlhTNwGXEJEXAV5JogRhyxUA2 izhah77jhVDuqDDMP4n/u10BJDopqgsqg8p9mTzZ6jkgpGFucpc2iBLbeuH9 hC6TWxRJql1QYieAdEWluzUPVLNAJ8ORT1aggkN9I5EoGwYJCN2pmKcRCBQo 0NzWB5zUBiSpjX1R/btC7SJNNZINdIk6lI3OXKGqw4CKAwhw7caH0RmlmNeF PA9MCtQP0CWtJK3+GvMrOF0/axuci4+o1GXGGPoMbmrUEn1BFYPbpt/5+OJF 1LNEUHYUWrThRiORffGiRSHYbiwX329bL042vGs9yNLut57x6GeuZjzSlDVH ij899NYBUF+sio66sKpUjuphWk2AniJSmnJlVN4LNDyYPKGYpSByQFzjohde mTyuDDPx3IancFlnQjhCnd5ZT8UHfzIPMhwpFYUFbK3yROJ93/tW+41YD0LL qkKd1wU8kUNXb09oWMGnL9BLPLMxYveoOMHA4aQ0XAOFg3hLTFDDDwlYDuA+ eTeM/rSoUowOw7XXXfQYtoURMmgNuMrRpiIVkPysNfOSd9UQEMqwVBmXwlpn 3s7QkkiKBZv0VDjMwzMkWJBJOlRN0NWzNIVHXeUWDOlKM/8MNtoxiWy4ZWBe MZCg4HVWrPJ4RXiQRZccUiRF0dz2JUeSs0hJItUdYV3Nvvk7yCzl4cPsVdHc TBUnfJ0cYFJkBf+GXwHOEtzrPg1LGrJhM4arsLyAY4XvZ8kSNpgCGfvYiE8o JeSXeDWbe318XclvZ8BsMdBMCupFWDjlkvditqhGR7NFYI4UDkjaV+3Ca1lW vi6MaA6wXE8kFquu9eVoCA6FTkoMRXVV5OvLK384QVQwFVIp1xellG3zkZW2 snX98p8HB91YtYkQXibwFOu0QTJxkRDmI8Qvkmm8tgVEph/KKlkFeC/m0e7Y UKnZuqlwEHsQbQWt0qZFqP2vWYNEFsZX1cdNedciVVOBO7leZiwhmFIlIiMw pQL5/WNjEhOoJFqi3vHfspifMmXVGow+llq4AA3SLH0SlsSiPdxKJTY5OR98 RoWrMOk9nfkKrHoo7qDTWpJonSZimfR04UlIkMONqot4GEB+XaZiz2i4Irvd dCR+8vmr7/TQXysWN/lGof3Zf6EBhXV6XErwPBU+vb/dn+1xYWnoLmcA0Eef 544KAVbGbLUkXlLIu3p0KBqdnLGwFGHooWwi9PkiuUyzTHUzUjGCBfSNQJnl Pry3tidbo1G3hMDR6lwCD/GyeNCKVd3VGXTjLxO8dWm5dMKrRyNT9NKjdV9S r4Elcfmc+3ptiILRexJsnEiIOJED76uQR4DMldVGD4qrFH2P2dVG2kQ26kY6 XVMWaIByeRXEATBvETKp9lAPq4uUFTFhphyPixTCq2hzMcAW+arArXbIvD2u CXUNkhqXeHO5F0EQ8LYKs8FGSd7ztnCDpZu31P/Je/KTOcs06ahc4FCqGf0H Nnr9D3SAzPeIatkcA3VC8smv4lssGFwK6/AFCVSUsZVCRJSjwnAd9m+fWBTC g1aLM2LZO1hsirTPFlCkQBCJ26cLwOCaLlBjICki8VJeOXQh3RK4Kf49V/AO XXwG/Sh+g4vEonJD26xBljhMkhSPyg5MoXSohcVxHxzShuq1CykXN7+o2HOn ErURYKT4SF50gDegDFFarwdHPkDQVbCknYv8wLRrqj5SK5NGIJFaZ1R08SNe SzpYlVIwe50LyhVolYpKCbG2wh67vWte/ne+kNinh5aHuqIDGs2kte5d/UWq z4hodlWvVfeoEfvU47zCbZJnBLwBE/cFvyTFQ2qt6jKktm8pkVBaRqE2DVM4 zL0AcZ6YM0ntkt3jsjDCPJeLvFZuFdP3O9IZe7WLl87eu2KZXykLYZHHT9G/ KwezmbhZn8eW5dTQB0VPFw+sVN+jqdqIOsBUS/c51pSmgyCliYqIiBP/4IiE KwUpFTm9Y3PIPG9yapFQD7cbY7rANAiOx48n8vE29xX5glhd5wzcQQPtC0L2 2xUAEwT/5uCQA1DKYfcEkvS5cXOuVooj8PVYVh/oImWF75HVw2k87EjpODi7 MZHw18Qxyimgvg0YI0Hi3plMJ1bevQNtA+kKmFk6sxqFimAyS2v4i1OEEIaB HC/Dkeqs6E3WR3ZY1qV2ygGj+AURNDfd76hn4rHdPd8OpuHojOmUyvzlbXBA 9HB5D10gCvgOSRAYUdda4rGRfuZH8TlvzaLBBFu/NYkq4UIlKSfd5UF5aNJQ htGLutjagbipZAiS0qn5CD5s9KWEisamh4CpUoICRGvtyPqwNEKMduX5QHRi Uw7yMYzB3gHgo2wncuIHHb2LEgihIUuydTPJ7UCFKJ1cF1dMQSJYdda6LFiy eA6asYuWbZbihW1BFXE00TX39crbkoPhjW3nf63Bc2PMcD0mpMV+f/A9CYQ+ B8wZhFry/TWQC4N0iM7XFxPWqdVHOpfXCRuXgBRQFMoZreiMHXWVSESd+O7U pGEXZb//nEwVAjOMf5m9Va1bbsZOM5XjumJd83gI1yfxX7QOHJAaitrE8LOW 4SQH1H8jljY0xXr7Tds6OshdCE7NXArizDeUow18To/KsO7Ho3JDqqvGnGCF BXIKtEZKeeK5obKFHehrEcS+ft+s9IBUs6VYbQdQmk7zODpbUwVx7kEN5OME GBWTWqbJrsjb4ZkTlozot/05cz2aZvNHoJUB7XWJlliI1lT8iF15eVuIjuQA lR9qjRek7wIHx7csJHRt6+A3BZbtm4mlg8hpGz09NGKjkFXaeCvpCDKnGxJ0 X7dZbj78n1Bi5Fu2K+IzLsWZJv3ouBF5rXlJeKi0ouHWac3/JS9xtY6Sy2v7 F2P2B+nLm2Vgn/5HGoDbO9NmUy2azWhWciNR0t98I1d1imR9tU8Z42hT5PIS C0ibvQclo/6D7Xp1dNvGZZmWaluRwmO6CBkplURxjdgkyCEstdPCHY0VdDBV 20I9veVymxLTgGYtX7tcdmqNiX0eB3IJBviklG50nQeoXnazjmPZrKotJNQK fsmspn2QC4V6iqB3PL68S2YXlNNQFjmGSA6Jt48YW9sn1wAnulD5wAdnKNQl wAK6/Xiy1L44f2icoOR3xlvgwMyMfBUJM3vUbAWlAxmRjSGo7iZomQj7WUiU BJKpGbNc9I9xxQixrpB8z7U8qCy+6IcGImbIX1K+CmhXXczKuFJ5m3TV3usG axsSTMV4oFqpCWfa7BCzujh5Yi2B8P6SILAj1eqBWCrxhnk9UxEPIvifj8UF FYNMiQtpuCXZn+EqVPVvA7YHdL2MK6VPOF+SVBFtxKRtOoN2h424PgJkVlWO CA6XtHfktW8AYWvJbJy9b0qcxuLZ/gmb2AwxMVTTPbQm9G5K0TPmOZ/0oMbe G6wuSxZctGAks21nIy2Sga6ZTO7UPAtDzCSkwnx/t30FL34+na4L0dZi37uO or/RX6ODEVJRZBjZ4QITVElRP7RoJAJTl03CHlFeR1qEpSfc0GVXbVkpLVsr KIsWR0e5N9qO4pbeB32l0RwxfsGU8ujYBwQHDwfyFob3BD0R7r+SBslvXwc+ dWj4wj3Y32ctAnii92HEtvlRy2LWwBEusREp8qZ7zqIJXUY4JcOCxGZmvIjm fHEWTNcwaUgtXPgfmsSBgJc2l8WGrU9RM21E8pMZ8pv4QzJzC9NunMDZZoUL fULNwFOZ1AnqEnDJzqWSdEBqygqS1Tz9qKzNS+Sod+58PBjt7B9g2f8elg1Z qcnEqA7bwvXRcxKX6lvGoL4W+7uBtBNBs1x4mJMFyaxSM4XA2oGxdwh7Bw5Q FLfpZBiu7nqRLPKb52H4/6fOHPXWn8cAVWzNPY6eRw92x4O9ncFkNHjxYnD8 YjB5OpiMB5NnD/r1l0CixZf24aV7z/cYIMtNwEf3f+2xHttj6YqB747q62l9 80PlXsLNXT3a2Xl014uPgavJSwOcafdeM02La32JZ7oYxZMEaOKTnWR/fzaJ 92d7u+PRaDZ9tjffuXiG6RKPPz4O+nxM5vPxzl5y8XT0bDSePZld7M934/mz /Z3ZGH6fxI/o6R+38P9/bM2rgNul6RStlker/AL1He/tjZ5tyIKX+k7HfzoZ PNl1GDyUkgMPXeCw1zZCHVYVDUkLZ2uzOB/6tkym8TKBUFSLcQlzpqzjdlK3 dnyWg6Vdl9V1hOqs94hhzzFdeFOp9W/X9drQp2Y+EO02hM5nVg417P65rUd6 GjRYD8NkmslnEiTSUeahrkedbjKJYcOhWmXUu1fiBbbPW8nJHSvBYo7+YKw6 dR91kXXkj9GXER3+KdviyciIznvnEE4dHw1STcPyrt2TIe9RflbzUKSVL2qV DIzcSYrvlDBwhj4w9KxdEJJgDAK1abIpuIs0+4BRqx3e3c/MPPaK7Ab3p6QJ h8UejWP7s00YFLzlSoxgpES9taL3sHW0DAuLZKm41WL86BlhcrvN/NG7hwAo TSrF9JIlNwNe0YBWpAXE6tS682mDym3FhlGWRy+b2fp7kGzqBVVcSoST3rUJ hzT+EPuZKZXbDsxubEJzgF4zbxJoGQCJX/OQvElPI2VIjWq3s/FnTY+gz3B4 3na+WkThrm5rOCh3XDO6rs0s8V01GFkCGoyU41M02QWpgAQZVCBe4hQ/NiiL WS4iBKp0IO92LLO1yxwtta6Wd2XV8Jm3LBbXCoPAXz9qhC3/SR/Xlx04Xzru XBqwxjbeFnhpE/F/1BT8QsMmpX5clrtUhdxx8gcDfv1Bcxk+dB5OUx7r33Ev pL3eCZBR6k5MGIZxRsSrKBRTx3dWALeEYMK+2iEkLhFF+5LjN8PJG0fUD4tN uEykuCzXSwE8nzqhrUgPlBkl0a7XVLqH3T218g+xvIosRqvzoDfwKpmiPnbB oHbbJp96wjHN62w2jA7s0pZU2ZYMLT6G3F5ahQfOqWESjyLuVos8i7JgOOtO vHK+Wgiz01uO165NLFU7MbPpmvziVH7R4FzpABJU9nVMrHBJP2R2cWYeYocy sYUjmh2JSHNdWPE6kmmOc6rYaf6Qb8RLRsV3YePKrqZGDxuEv94HXWu7cJEI jBruuHiPPkxvAMA4C/w6LR/RxHhAHOjYbHnZt1b4du4EVCl8qq0+A7yEiiVj q3ICY3igvzq8dHrbRexBacQ3nrFdcnlR4vpTk6/MjKHO6HrQrxQURbM4aExR UeRGML5fqciqQaBkobRuAY7IJTha07Rpdr3NY75KClh7jroZ3KlKXvSxU6Wt bR0OMEQWEOwBz1Bbupqa5rJYTxzNsuvd47lmRluwCaO1DySn+rdyxRBxmugU 0zFRJ3k0XQDqD/A9F/D/kKrJYyjOsTF8qrbzgrUdHpoapD6UctmDDxSGeR4W a8HjfX3w6jhMwLCpdaoEhkWW4QlqO0slVUCDWkp4X+nXr1oI2XnogBz1aKoA TkRy4as1rgu7H8k9wCuG1qWAr4rPehFPvfPRJvXSY8OtMY/RTBQPUk7DQrkm zZHsitIOAfBABkV9s0xqcHBBN/J4Ove1hdJ5t4AQiH0fcQXvXh+cfHN+/N35 +1sbCA7q+S28PEYITj5XVY+CSLLG4vU+mL1qOHFp0A3Wx8yEiDpIDz5IzOKT OqWEPeHKBTe0I7xcOia3vhcciVIvjIXAQ+vq0YsXj1CcYheb3IQatER/rCzW kJVyF5NqSe903wUlhnBw7abOGbjDTUsZj+61FOmM3LoczKrN8qJrPTCDXQ8+ HaxeM9UluxapBEcxnWEUE9Uhw3iyA1U2gxgnW+Y8lhRMqp9IKoCp6OxSJB7Q wR24bx4QnvGnx4tFukID2OG6uE7gK+atWCW/XiFbYiSBVXCRKez4tbDRVHD3 WUWdua6D2kGVF7Ohx6HFcW6bCAoPhr2X7P+ES76mVo08iwpSx2fjvScc83p4 dHbAZPLs5cEAPu5HB9jJFr88OD4bwO+s4B3P2PLnSB7uPEpm2LKipK+GBlhW KvSkhuZJMkpNtHqbSF4w7FLczph/a4KsmKLVQenpTwWfxGUV7WvNq4OGLcJD 3Hp671Q91LZG7T4keM60NnE98NpD60y/B4BXIS8gefRACWSr9qi50unoVPuT QF/y7UAxByUjYJTxqlxLloaUo+y9On6zbXNc3uVlNfjjOs6qNeCVkRmi3rs/ Hm5H8Dx2doqDVGntZqX0d/VXoq5SE6KWJ9u1ATKMEusyobD1lAeZadQf9yfb 0Q1J5xh/urj1aaa1npfUScXn8BIQw8KF9RKzcPvagvycSgeMFbFiGP0B4z0W QcuLDX0ImafVexj2A+kwFZPVrxNAWM/r1ERU1C6AYZnekXcOyfit8QEdMdhW 0WbiozD2thtW4lhYK6vc90fqDi007TFU7EcwkC1GY1TCmBFPQillglFNxPuu rd4DsMP78BI2JWlyjSchJosG61L7Ud3HZDJqfmzIm/brjnquvum2e64jvrbn KYR/tgW1sFORyQdorNF+WVvp1jF2eggg4kJbPJmPyfDs7STMuxfxRbJwl9IS Gn7JskbpKEzEzt1OUoHpeoYVftgyJ9IHB22gMrK8kHIJ5GiqMVLui2TZkJTt 4dAG9JRqMK3dLUl2lCedmcQzv1f7LOXyNYdosyMyALJbj1XrQm0zVFZpgMXc BuMx/jPSDhsd05J0iz26Pas7OfjmQOWUWzRD85MD/QgVd1oDtypd+N4e3KV2 Rn2iCa8jlbxksp0BrMzlA6PYcHj4pu8M+eS+medF4Fg4yc/FTKhitKudR4EN 8MctytpAULCO9TyeUslEL+/INIPRk8GTXZRT6DzNp/ARf1y0x6mfHB8fg6b8 5t++oCIYQ/GrflHbHDdCnkhEHiWKFNizWG9pD+e5SKtt7+Ygd72AvfuWRT1Y N744bIPpLk27Z+B6eBXD/8Y7LYBtuG0C25/TyXALslqzg7Jl/uhJ7UC/xgOV ogRS+wNk+WzQNSlFgllCeZWi0Mc5iZSyaYUDynov8GxmyeLWSR4bJ2gD2pih Nt5rgojmd/nuAXxULL5EDKSSMEJB4E0gH9kUb0O4OdaGwysnvjCqzE4X2e9w GAIXlhnoIy3ax+E3IJePhjvyxqdP+IHrx2Lb33EF9h72baEi/nCN1axNtaOC RbLQyF0GDSEUVVjhTt+rBGVE7zYRRfTPUFj0JXW6sjAaZd9dAKVmZAF06r3u yGHqpIw088FoK5fSVK+q+tnjDl1LFm+xCR+WJ73o5nbR1/ZEYl0LSjCxAOby U2sNFHCJJXf7I/XK4otp/xc2ke96ik70MsWaRzRZ8nEA36p9LTp2hfk5rULT stAf+R4EC4zVIMGxtaOqI3M904p1WxLn2TjStD0lqjGz3shJ3b6u0BLekDQK bj/XMRKyhukVVaVA4JtmUKRrd7eBxTgwFyXmtSmyLL199S6sgnWmxaWfDpn6 Px2OrXuF6srhRWJLV9CO49FHY9FDWBkgsY8+NB5E9RV17h29oyot2X4Nuq+h CjgkBZP+ryPBTVxJAMIds1MEqtOM07CKoihhyJ4f3QbuQnyD3Z9or5vD8hI2 Y5v2qLdAywnGJA150a+BBYyjm1KrgY9uA74eHP0Y9lelbhfYcI1KgxXpqnSS vvcF+EJAXDzZ9f6zTRNds8p2liFOBg5TEGecK7R/YcJsNOTP70AzkrnNSpBq 6tVVytota+WQNjTQFJCwwcU4JzFDFI+pSkK9ua8VpslD4LsNiLXDiqC1Sg89 ak4lPZik7RD/Zxczgg+o9Gm+itFtRitTsAxFccBHaBp+66Ozk3M3lgmeym5f olup+odWZpAIB/yQkvqZhQpwbNwBraJKlmQIcn9FTrYMh2WLIHz5nrQTjWBz fXXwG8LtoKlnPBvgoKL447KOjl6LT4/uD/xpTXq1liP49RYu6MuoB4Knn/05 YlIfPvoXPzF8iAb6/tZ2awSfrsW1DJINU9AdViRpQWHCYPUINoBHS/GJRHEW 4yQa66EVnUiB9p5h24qvVi7JuIQk6j5QRoLEs/iizBdYrIO3rqlPCqB+9G8/ uD/+7YffekHHg0vj6BqGOpRGuFehDCA6vmKIUCVRI6ewfErWQPEERVH5u99h vWms1VWY1PFrEYr6naQzHiALj6l6EO9DW32UPonCDYUmRV0fN8nEJX7eAHZT XNUIL4ImmUltAEqZ0pn820EJuGl+mZEThGl+42kpIyOnbH37mhwDkBfnJOKQ KSHklkPGXurc6QpuhYUlL+Lph1rMkmv66JNaw/KSzoIsNSZZ2NVlh6ZGHldK adLMHuPp8Aw0GygF6AGXC+M3aIrWK2mbr0hZLx3FSbFa5YTLgIIGzYCdid+g E0UaKMzwWFOza+eyMZhr63Q4rMI952VKvyPGD80bX0Y77i0kgtJx2lmN+U9i 71E3DJAsiRVGSzSyKGM6VTjyrk43RwLc1mt9V7y+VCvlFb3RSShppkjU+xcb qoCKRmZualAtzBnyvbdKgWxqhmAxJiKS9nBsQtaF19hENXLT+U4xjK4kdAZm M0UcM34L8Q5VB5xNiv2RVaLRcRi5CuYgA259FKHsYfSOTxFkLz1PlVh8YSyX Pr7A9iFS0qSta3AQl72rNwUHtgViTJnIMIZKpAcWJWpCRD/aHbrFMsrAyqRM J5I0EvkU6SRxVgWMWV5SfIrpm65jeImHfGLUa/Aq1X5HWJlMzUJqGHRA0ERa LJWeJdUAmy3HFZVc0IUqNRJiwV7BtJzGxcxzGibLRCNMIZqtLbfb0pfhurjV YBWDzuyFC+4tM5DeqkzWs3ywzU3SAcvY0sOarikePg9Kz8mGgfIaSQmIOWtE wnZC8cr5dG1im+HfeLcwB1W8eYGv/K22wNGj6TUltSiHo4Zlcz2kLwRVvsS+ ATvYlv4mF8u6I1I+FLLZjUd67dgNtoy7SyNTB+3a2K4SXDLzBh6GdQuk/SZ2 PibPbLqaWVPb/KPk2dZWFz1zdKH1+Mmig9F0wAEPhcoqeMVI6Dxw5k46vyuG yJAVzUveNsBz5VEzYJJaBRaHdMY6qnefouZBATUe3VNigHw3YBIpzmZ4xzsu RYqFEIK0VB84Lurr1G3RGv8vXHPB9cpUuutIEB1GZ9QGwA8h9EvNMElYhtc3 w6ZadOTvdPIFVcoOfQy2XTSZGqpaXQIK3UZW4Jv6mORvqpAdLKbHvJIdaK19 HOuFpZxBcRh9n7SswPj4P2ToLbHpBFSht0RzFiAGSklYBVWc+6SA6nJY+gha MxNnI4lFqnYGPaGTKRFc7Y0l4iG8Fp6UK2ltmxuR00SyElwRzXotW8E0J2oF 6Kk8kw392hBItT5Q7pNr9FfUlKGw/BjDDCPI+oH1iHJC0OP8nCLBXkrhLrdH ru+s9vJ6A3eKDuNyXppbqbmbmGHZ0ls+qCcYVF+UbEOun8llZqmips4lLj69 SH8q0sG7GLlegU0i0G00eEEy/m/D0uFMts6vXGUiW2u4pRS3k7TcYUhL8KJI yQyWY7sQX+1IXnMOBSn2q8djEmuAYMFplHNlqjYnax628jOxXW1lQb0cpuDw FqZw83CmB60Xr8eddn/buHhbk6Eja82yV2GhDk2F42SK39poAFe6gzeyMiPa 4FROHrA46U3dmzzlKDlxrRIb1Gp8BFl3oQzYI4hq1Di1Ed8fbM8k+7mMEd2k KSq5tcehKUSDJHDhLsNZhz1LR5cSjk+GpuuJmGFZ7nN5urU6LX55Njn3aVBY dxcdRouFtkF4rEqBVIyZIxHsa3FaoaixDeK1ypOnBGTac8JGUHU68Fg4lNt1 zqU2iujuoQZlN5NqPKrUHODsqAZyOMO1z3PtdBfQRm36WYsqKKsUYCNuQ3Wj hHU+634Ujga9KYAyDDQoS+31LituirxbDL+ulA/Mh3xskcwuXeSWIymqnTiP jitx2w4yDWX0NodaU4ikraiqC7fBXXhNAhFE62/Wcru7WRjnejOQ4IkB9tyg Q36hBSZslgsFOjEZ6ruLEwTB4e2Fe9E3WogE17dwolhKDUoRT2L8Kfl9HbVu BZogva2ogn1GbMOABdp5qIWQjtnn4N15okyY8nturm5bLD5z8sEJFLQIr1St ECiIuAYLEs3ExylXGuxtirpQ+G1QmbeyIpgtvCjQoJeb29gImugmLu3u8B7h XuBOPY9O2gu4BknQ3lIGmjeuj+CKixSDggNwHNHtCQK8wuTSzFc28ELXxoo7 eMN82Ukp7liDnOazWnF5my2BlBHti0Gr5CnVWXxZnbC3Fnn9XAp2sjCqRgu0 bpDUIFAC3aUtRVfFCb8gFCfEKu6i+72woc/XjU8BUONomX7kLlsgaOE9eHl+ /i6wZLG4w5JZdaU2vJTFJCaVLI62Vew2PqZNVP6ipdlEnb+FtatNazNL0FRG 46L8wdYdMaazVWs9oaHwJ3SRga5xFZfeWuU0KC7vuKZuE34+od7ZMOqFkQXO To1ft+7Hs0fJXEMNFCDtKr0Z61WziNXd4/u13DH+ZLitdYyNUVcTuePC5au2 0k6NY7mRCq3ETDBeqQqel+g1aQ/C+ZFLzteL2dJpnn4Mj7r2AChHUUxlrIZU 5IozdsKt0/LKIRs8vSRvPtEJZ8ltWbYvW1BjLLailnKTeoKfpqpMYy2sH0vY Q60hhlVuXFzTn05PcFAeqnE/VYoi9N4kQSKzxMCKra2HFIp9lFDEH37/6SHW hgck+ZGMFa+0QXzY0OSd0xXVUkGk9JhrrA0A4wbHH1cs15y+ONzbf/IM5Jxa HdQwSFN5VXvBV4IkJT1SbISP3ak3nxI9shStRz0gNON7WR+GHkk5OM390+9p zfQ1/uZsqqbTAuKJWc6701fvUQyCd1bFB/iNghJtbyqKriLnYpFUjqkjs/El dkjsjV0mwSxEBvWxu/WrwcEvY55+TGYDEb/WWYpEBrPKjcmOIdeDBW/zfBR7 EqyuHIaACOYhDwd//erohQmrox28OTiU1vRIv3BRJIlwFAfMTN1WkERS3bG3 r97IImA5SN9dNVJbF82gtdceanp8fYdMqLVlgZRNZSDNhE24vnTtJqUgLq01 CIpE0t/9t8EgOgBSEmNTTaVyPtK5nF6B+rBwcSOUR4xjvEgvkdFLeM6f19M0 S6djqgV5/tXRcyDTN0UqDX509MHg96avkMODTw8VjcVO1Hrc5bZ3cYX0wpp8 qFwEg4kty8FUYekl+4P2EZgk+jJ8oReV8QIo0cmrN9F257tbvrEVl/dvYMoJ Ygo552G4oKgFEUgMz8DZqT6Uhhq6EAZn9nIQq2FAKyHalB5D9vx0voGKlZyW JP7gbpgAwF7CPRq0fmeo5r3me3VMWU93T/kK7ik8aj7uR5RC9eBBtH3Pqej5 +00FjwZT7Y3GMpU5+VfJdBp/8N0dawajfAacHwfbbnT2+vTp7N3+zs5gtL/n bAFFUlb+CEMuUPdi8B1BEj4GYQT/O0nGnMOCf+wmkyVFa6Qsf4QaKsWxYB+v wYfZXBNXMH7jI2skiJY+mkEa5SJnTjOWd8wtrGShrqeJVt/MrvMFWUcDwdut 1Dyi/BO0FcySEuzXOSZazVej22yfDPPcWPP5GSjtZEW+tJTVsXafWUIXmu4L uc7x+rpKe+cv34+H+hUiTFDzz8VDDnxkZJNZYZji91HPhOsRQ9Hgxe8R1F+/ /55TcbYbYRZah+LJUCpRmBTFc+8wokkuKagECA6mDvL009u+l1gyVa+RgcMi 0tKkWXTXNndiuHlthc4pIySUtrrLAVbC0JOTBVJ0KmUziuWmA1AijQhHltVJ bbT5OmNgcB7Y0919KpiygeLTkF/K+73o+z7Bfdt89F2foL+B9m/cluR2qhBP xJuUK/wSCadvFi3YGGsOankns8LHgfwC7g9knh6hZJ/3tWHN7m7g9dtwO/R2 6v0IFndS1+FsO8iy3n+jUbBOiK+bpsF5zw5en9NXuJ9TOBYpb4MXzn1nV6eS GJFBtq6qAEzyL7xHAwkOtaBY8xZy4bTv+nwN+U6eRr1g4xtr/7ckB273t7bI JmL2zsu2ZAvJ9oajwa/vOhrjl/upR0PTtB8NfoVHc/J982jqq3NHw+fZdTgn 33/W4XAZq+/7lkae8OHYRg0//XBk97rwoC2mahde78LrjLIs7YqPbqPmMDD+ Hm5jcvLnsu/ExBIesPKscyqgMGziJtzkppuw8gh1hNsVb6YrsDJ33jBmD2fr k71Hw0Cl0kJfzeTbWhfzy2Aa86Z59A4RGp+mCC0ffFFpyIrGDbfE89JrHNDr V+ojerXDk0bzRrqe59GaHgnDe7cEl6PoN3Y4roIMz/M3Omiq5Yz5Y00h5YV7 TwLCVfNKt7a+9XInYk1TE8bHN2k6ckXdItSzYVIjm/2HmTnAvxO6MvDLbktB rbKl1Men55Ly8eWDKWiAgMYPusp/tD26UaVZcQ2G/xyNphNTvWLT/cgvod9s WoBTc8zXr3+mknPXfCRFtMwnF/Q1PLYPG//0P/+P//3HH3+Ut/tWKDNJ1KAu wNE3lAzKBRPm4PI6ZuKGCciZ8BTc3XsZd2AulcyoPZl/Eubg+EB924avKSKm B0tbgvmds6TXXZNI5q9aN6+TKfUk+MlzvVgXZMuulR7ADXige5NgN6NSwkSl tUKd1ZmQukj6q+Pvz85Pjw/evB8b5qA8hYS0CItbMFWiHxe0+d4xDC/pRd2j jIJRLLZsbwFO0wKi9gFYIBn7AkIYKBtP5X14c3sLHjKFnztGmChhpR+DUNtb J3+2A3S8vxu871FFIECSyIbX94LXmxCYdM/PctwTD4FJAIEJjKDm4Y0jPKUl 7LYuAZ7ZBEIeYD8YoA7C3Tvffxa8b0GIz4Bchs7OouV12Fo/GgEqXj1yFcfD 9XfhuMsEUuKmqUCvgqtWBsZImHeIU+HtIskG7aNZTo0cXGlr5+qsR8VSkaYd TDGCyeOiusmLDwOgHZcZMNyE+a3EjMupfXooNn3JgWjVJwgGRpnoNhH1a0q4 9QWQyajb/u8dMWGefKfVVo6s5xQG+htN2k6j0A+d9CvtEdu0D4TGxr2xhaoK gxWNf8D60VhkZwtXuQYdakoVKdEjXaFXTyeEAe06h1Ev7LQJBziLHtA7D5ja Eqd1ZpWUKuq5x+0SrrCXRtD704e96/RaNTN2hakxt7W4dqUhhPFS0uI59zKO jl2s7HF2nRY5Jee7zAZfN3B72OZfs8U+pRhmlydLDhgPLSmWPuOCxGK1YHrQ HXAzyhX1MHf2nrRmFINn+BGXPlGbjrQ0RqWtrVc1nqc3zwJavB8hknrly+wD /p1jsSVdUFyz46CyFL7U07V0KFiiX1mqFeL9ne/b6Z1MFb7FaozJZ0HFqNa2 3m/zNb1ia5roaAMaDRADZmhoSLbUUw3C8LjXnGKefcPTpE50AW47WsVpEXYd 8WtfYnWpCy25q9FicL7dw7kavhoPQihyk5v0JiEXJQUPY+XZfj1ADFGIqsZw 0dsryZwiJ5uUquUCcnCnKdwk1jL1M1TquEQB1mutRwRR+0wjpgb1PcwsgsNF 4uNmTSmnHBMW2Gas54YvBP77xHCkeh1Bb+ClS2ySh2rwr1VIIC11jjQdr6pz zb/wBQaICngX36eHJHnW6IoKp6UtTSAL8KHXWZAsC5i+Ql+xTWYs20RdyWXE pGbiz6ipF7EmeFgeV7bkc4XFTflF7RXTCHwImiTZTGkWFCh1nbJJevTBmTyh FX6f7o6JKB/4srsdFVR90n69DNAQzRMYlVRrnG46HOFv2IZ5xNYq+vuYMXDH R4Fhoj+GFmGrsAsp+Eg8ytT7c0GZPi83iNVSnsOFmymyxRQdmGImV+JWF+UU C+3iWaRGtAvjt1WzMcspTENxo3BZQm2ztGF1YXhLsLXoEVzDR9QV0wErkhJa DlRScKEjJiV6y/WfSH4DAUXKQf3IEZTkM86Sm8dAKnIfwO8Cb6ogTI4SjagA OdeWTZIV0acgiZyDvKjGuW0+Y0Lu+3UFEZhPNR16okgHjSgZJGJQnRgZ3lZh cCHKdua0tCu9CDLdpVRXawxdr9EUTyNY5DoyFitxo9JE+c2GvAxfIqwf1pQZ 1lIvS+/3M3VnbF0TmpjrUNa2yyDw7kaiSY2ugTiyD8XmDHHnHK0H+XEOyxGl rETtGSsoN14kLsmrnoUCDHeZxBmRN4qj5BoefQzc6nM8K6gsHKzcAnaAz3gY nXJbGBfVa8+4ARxdmImfdDkcKQvodPtN5FyW10Z1nsyp+NdcZmxfsrqbmMYE ZFavXeQohouFozqpGqbrehIChsAlwNQrlKix0ahkulKWmSa0AjwmrryL7lQh L2blIKNeTHba9hOkgABgJrmePBX2OcmSV9zJENVdSEId6jVUZKmqJaqGkbIF ybUSVB+kKSqF5kvxc6sEt20z2pxMUvVmi7jjvu8k0m8AxYcFejqsqifFvcu1 dVnQ4WGDgIVX13feQy2VUurFEoYVDkxJEzOr12fxOdNjIYCuyQLrhytX0IkE iZtA7j9HNiEBqT5Vb3Fr4EsuBHSl6yQ9H0me29w9Np/T8lup43Y70NzOAGy0 HCaYcLWSFqEIqZfzdrlhxAogRZKWqH5yDnRCMt68bSifLle3VNbFpzAYg9jL 1BfXC6Szra0jJ84GBcWdFKxQtPJ8iMxZDUjDyBQ+NDjsQtbVCh+Mj9n7ccES HIYTk2Bv9GMzkAZfUBGFAK42R5dRuB6OjVR8mV9zTC2CA8Og+eqXXJAaExuJ RgydfAFwXXv00MR3UjFEz/Lh824msb+Y1DxsltCXLKlmXTb3YL8lccjM72pO BSLQCCSe5UiMWC8Ccd4+UktA2trylRB8L8woEJPrlYxMNA2F3rW4Fv2g7F/k TB3vW3Q1655rpb8tiisxzsZD+pYU4MdYUXQ4HE+40BCnwG1tb21Jhbsvo3+N xl/g2NG/w8PobOQKCl9Goy8webzFUUmuL1nWoD0atJ5YjC1I3cLRy1zEt83a fD4+2wcSuCKANre+3nMWiy2kFfkD6YB4QgTKIIyMsjkr9ZB9eOOQVncdg6SJ 3FYMBK3ZoLZAaUe6KJIWo7CWFGKrAbimF4+r/sY7kwq6Za1kmILUNHDATfJp DTbFreubmN0o5ikP30PDlWr4XoOplApssGk2pkqwL2G1J5X15LxGMUi+OMwa Ey9AhdElX2CqMR++x6KYxJgOTAoIxElHAUn+zofgYeOgWl6iBDzTJBeJ2uDI AMLjFDKFFwOIffpn2ZQiTjOakM19aVkn/CK4BAtomSkoUE9iW7OKJSfYEGra 0SQ23ar8FF/AnQpq5UOpxcdtvz47NQ8MPIG4Q1fPRLTXYdTD/keUSNqCBds+ O9wN4zJBXdbGjVqgPbpMWYekvlZclKfOCZxM/VvllP5t2ArWmyipyrxIwy2Z sw1BkAtp0EdkvR5bbVWgf6qkvr7ZbY1mxYfvKC/q1mDKYtm7Qg3CeGiKjK2h R3tibhQvOZkMb1jvAgQFkQOWKaEsALkmMYnZHhD1MpltUxknOS2/GCfSSGFy XE7bHSOTf4hZiIbudazfUk8H9jsSvSHANZO/qAda38CG06Xw2a+lBgsddRgr i5xBrLl6hbmQ6cY8G8ngWHIaYWx7aA+j1xxLqubMsG5o7otw0tNE7a7ynGpQ tzIW4lKkQFRcHyWarV25/boD7AturFQjrS2WPiUKxuLX5LL1FGxmJv7mvAtM MJaXYDWngJeE+i+zAdUr/VobAjmhGLGEo6S2r1DUor2/qw9IKjum16UY2VcE abrdp5vaqxrrpSF7QFpDbwSatpxJDWm2Q3DrW871NtzUa31WOXOJ0szoU9fP TEgE2QkQ55yNQO6MVcrmnNBt872kCOBtnZ+ztmzojz+kf0hdvhbxfIzi+Xij eD424vm4Lp6Pfw3xfCzi+dfvv39/ePLu5fEp9UYad1TwNJJz442B2gkxWNY3 McAA054vLbBJhnVnJB35zOjD+h3tEPhCCFJkXfslrctq47qs9p9BXL//BYnr aUhc1TsbBlA16SzCdS2+gVokJMUKYXxfD5fah/86grQdbUtzhJe9bReL/Lkh ZZpEg3YRuf70tnVY11Df6i/BesRrN+XtML2bxpiVB4spQCO8dUWDAmrvhgig wcFQpNWYAGwpoqMBUACa3/3O13rR2Cr9i9XWcfT734f3lY5G41dEpPyZOQKu MxFACWvRkAtlsu1orQnTCs7K9HLZfE73XJ+rpd+yph1c07hrTfQQV8F38UTc 8MI2fh9YlA/7rbMri0zp6Mybu2OoFeCRMd2A3LmNCqF64ZgYUWdX8zr1CqLj g1kYAe6t5QqD/fUw4UwP6H1evGccB9jTL7/CGbfPRuTOjfJIS7fMlTyKC1A8 lP4+16Q6TejaHe7WKt8bKt3WD2IToveFQHTlQbQcvYoHbT2WmIAgdetZ7ywH dmWkk16nyQ1hK1XGp0DxNirxXJQZnxj9ZRQQH6Ay8oji2vuYinfDQ11kSceU ImpfMiIQGbR8Hu3fPqVE0ADbFhW30rb2mmxFSbwUYGq1SurnLd/4+pEmepnD rFuBqPFZunPfx5FEGGR4ps5W9LhuN2zBPr/37S3XS+dkbka5swOqhsH4V2zn 0FNpQOkdJ5jH5rtRur6lpqOAawv7o+nvQ5Tpv5A9j49ImacNaK6zUG293ohg biSCmAP30Ybqsmy8nnycJsksUCcpNM5EvuvKqUPSwI8wNjuweP9lgHPfAZsw G2tRUce/hIoqWkDT4Nmuo47bDZN1jXT8GRrpuE0j3eSklrvuFLkWH7XW9iSp FqsHUWdu/ntvUK0pREsDSguu7jNDg0HTuc3rgTVjZEhwYF3tdz9Tb/Xqqb/k VCYknasOuy1k5E7lNeQgA63JHBQwIUerqToiAQx17oMZBquWeWh3b6me8h1i C9dfPN3e1FsQE6O99clup4fFgaSHPEc98En8mU0RLbzes+H7VX1hbSCoeKV4 XMt6Cp01jfOO3kizVim5olw7GHrT2d3fylAzLP76VoammWGCZobJRjPDxCjJ k7qZYfJrmBkmYmYw93PSZWK4n2cn3INR9O9yykyaTpmNGu+ENF6WmQwDUAHq n0DvpUX+XH133NB3J23M2iq8k1DhPdFUGv2LpasJSpaR1Wp/anp1XbsYd2m1 k5+o1d53gXeqPKOuRd1HrT35fLX2ZKNae/Kz1FrTK26TWjv5SWrtr4MKDeYz UbXWx5P9cmfcPtuvq9aO/yFqrTn6n6DW3qmkntyhpLaTkjYldWJpV1yLq2YY 11ity9neG465celwUgNwv16x7jNSSYP+DGEm7CvcV3XVlbxKSY8oW1JssDhU w5m35fx8ypJjS5Nf7qSuHj1qPRs8GHn8lbREoTXb4lwB12go7CQMGCy4h64+ 8SjgdPVQWT/5fGX9JFDWT36mso6rCsQbJQKMF3hQj9SyYyPZ7xRAdlUAmfTD k+ZN/GcJILRytQPZLMEACVrLZIWBEBh9J9k99TTBeySMmaIokuPY5i6eiL8l SAbZoHZPvNr9ReT1hw6LSo8008NAlzI7MYlFmx1Em1UQDnylyGtKJdCt9Wv8 DGEq/MRnqEpPK6lRyVTiFwV67WAlyANDI0CBxbaH3NOukeLZnB3AuqhtCSM2 G7Vnd7l5W62OmjdJuqTccAZfdhbg9Pbs8O3psclLaQujaZ4o5Y8asaFWYVe7 WZRYsT1FBz1WbY1TLvbJxl7Q/qR0O/Vv7h0cvqKG3HFLHOkG4JKG2V5cn/Dc Q/Nz1n+/gIjJ/cIfJp9hbJr8ExmbTu8yNvleAN4966SOX1zc2EQ6TPS+5/UB Ha5Xm/nZRrCTdiPY5L+kEezkLiPYyS9jBJv8w41gk1/SCPZPxgoN3taYoSdJ /4nM0NLFn88M7ybfjj9smP6XZBd+vn/eIKymeXQXzaO73WnQXrpwReHevjs/ efvNwWsqUcHRb0MqnA53YJ6acv4ZWlslE4kzcS5uXX5ULf1S93mPljdN0cYV JEpmNa7h8FNbJzH+ipxj81Eod3ybMoOBkizyW+4lxcqEJAn+Ih17+gamekJh HKJ+uqZMM2x2mJiUeBLX7BLjQnI1fTU4aiKJ0eIuo7ZGxznNp4nwso8hZl5+ 65o71J6gkcPt+sOR7VrhSZOzwkbS0jGHmkFINXkPmGb6ey07VIIBAGGRoq+c R7Ddwr9rrOO7dQv/7q9h4d9tWvh3uyz894rkC7fwGZF8u10G/rph6J/HIrR7 h0Vo96dbhHb/IRahXWcR2lWL0O4dFqHAJETYIyaeXVcZ8wv5+3PSgmoYeG8j TM1gsPuZBoPdz/PT797PT99A5Zq6tPtPpC7d6Zv/r6gu7Vp1iWTfhsaz++vF rP/DvcksV/v+dg7P6jYmKTZBuS2adODpMsqLJkQMvzTl0qLeh5rspLoCZyO4 tq0V194xlX8+UPDzQyk98xLeWnBpG95pR80spn0UeE3VGoIkmyDx3bXDqJXO IIWH61Asbh2MfSpVOYxM5RjzuS8dpgWinLaADw3woQF8SRj2BnHiQ5pxA3V6 QDqDIhioP7LmyNTzoWF+0qjwwpoSAOIUBnpweZlI7puMK/fDpRi5ajai2biN 1B6lzGgp84CNrrGgBoG11kDWlBPiYbTkW6vC7qQixfHgkIZAEFiIriVIoUe1 LEWV59YzF+vLS3zywufWlx/S1QrvxDwo19H3d0lvBMBLmuBxvxYccS3th+oV K7j+giu0QyUrGkWRUtfXhpxzNzHWewN2soADo7tmtINmKQv6VpUluqXNW8zK nmtCJboexlhWzQxATZWcKdjd5bWXDnsKApqT1sekoW3a6CtXJK+ed5deXlU+ 867WJgsPBYufVdybM83WScvwpspTuAVBaZLGEZvTyrZ2Y64NXIk7s+GFwgbe PERQy4W7FQuGxxawi/hWym3ZVn/G2oJ9xwt+rNTqiVoeKcmIEdQgIkmeWgjC VLvhuEpkoait8mu/oHTOA7Jkfnx6+v7w7dGxz8HHT06+efEWPsEc2ZqY7mp0 EqVS+EudzpajwdKaJj/ITTewOaeNpF2MKRUjF/eQ54IgptKiWCIloiXT7o9a p45pFWWYLRaCxxLF2ssSrClzTVSNdYzrxCWyyimVQ1ksQUIXaxr1DbVDNK3A OQQZIRAf/PZcExos5zHTzJ1WO8OdLEUJiz8C+pjKqbXzGgIQCnLEhz25tE0H hR85KTasQxzFcXl9ufWbgfsxv7b+3fnzm60fPAr84AFMjZN/AKGQvZy4pg0/ P2z95kv3Y35t/bvzB9ciPzvRD/Up2FnD2Gdxr2UtvxBc5GcEc1fo+TZr+VPm FQw+vS64/LJrGcPcks7t1vItNVVtN9D+mmuZIFyKtZkE4UK9Mq3p3iVnz375 tXTTQb5qLVTQ38EmBUHKSLbIM6ZlW1vHniTuqJxSI2gRNyK1UhJ1DRbiJWTR FeIsOV4qm2GTIsHmzAXIa2kiNQvCV6gRrhHftZU9LGiRX0bU5FIlGV1hvZIn TGfbe4Zl0pKPnE1PwVYohCh3FiGgWbmrUZtgR9QgkBk3ST9hEn678EiAt/eK dhYcwcgVbHcKgkjes5wq9VzF6BvwvQnNSoV0Dz2Jc3pVRLYYTrOwcXdxdLVe xtkAwzK5HpovZO0AQmKFiHMwGHYFrLj453F2uUjLq7D23IM3HKIW1BV6wJzV DF/VSm8hoyJUYyFEyovNqxsqpZeBKJ0kDhase3gZW4UewtkV9ppBEV8DaNgS FSaaCvyEr9bWpsvym3YWUa0FCPeiXk5aGqBU5jXA4kvNwWYidqZE7JCJ2BkR sU8Pa1UuAqQY80EG4gapKSReSjm4IMff9ZgOSKUtm9LQolvLQJl0Mnyqnofn agnF9SorhS060ZiO2uVuMIqwvFErccC1Q0mIwe31PZp/6WuGSEUWPGtk71oh I3RFarWFlsxCV7NbtrZplZWpFXPKRyTlWriJS8FwaC8iUrZM3gVOW/eAxcrN AIx6KPNJJ+oFuY3TDQbhsBwDJ/dtb9odjdReGsUu1bmtmkV3al5CPw3wH53F Bc+FUKeuhTgw4Thr8i0FeO4+WVTJutbuab7cZbcokOyxMkvHoZoxTtG6xv19 CqxgBFc0GN0Xd6nf02AUUn6BZ2JkLREsjnhD025AQb5JLnMEZ4q1tVmj92YS HawtQKveGLre7liq4/S4fNG2S9+n0olMTIt15q1T1v3UiHBm6l6qyh1P6wY7 DdBZY7BCfblyFqDUJFjNVBbc2agZ/VrejWxLPQKRdAVUpVF1pWUvwympW5xb HRUNFKMEbhq2kzPGUVskpPf5KvIdRU3VNVpk2VZkqFGaoUYUCGBOliA4d5IU PvjOBg51gOJ1c9Dspg8CSzgbPpdaxWybAdIoEQX/M6dbSuV/sWZiSdewUFG+ wCYMZAu91ayRFq0xX1c0DOBY2IrBdo3DHkXstm2/qzHZ1ZoVlmCV1MZarRx1 tiEO0HqFvG1XCxPJfj38g00pXE17SqZKw7DvIM50I1qLqTla22L7plphjqX0 2nkqLto544i3kklotiahC+3qZXR3MR+K+gmxulen8ts1WcSKGhdw/biKECKx KY9f+pCWQSbG6ZM7oIU0vgNivh5iC9O14PS1fTN/Tt3hIx06wQZBZm4qGWUW FVAQztIVOyzMjGSgAsn7NoyTsnlT9YSa1qIpvu6pkhp/V+m7LuuutOHQcAhs wEFHAtxG6sc1q8s52PJ5XNf53B51LXpKjYNwOc8QGDMqCl+66Mzwdg6lb3lp DVKjjf3t3GPjjsdKiu2rBXtoX62QW4r3xhdNlMhAx65VfQOsdkhC/O5SXUeW G3rCxiEZTVGg5WIrVFnAkBMBzbEXQmS7ToJ85U97J56Qg0IvjTj+Kcqk7X7t 1UO6iuQvxNj8jfPIrMXe1QzhqvapCMZGVV6FlZxqUcYhJZMXnLus4HLOymHN eEwmqH6vL6ZTG1scx2WNmjbqKD7xEk5Nu3H1HY1yotDqk2bGFcVRol3lldiM 4qpCR6mETAYwzrwo12oU9Yv//B93cFs16yOXn+17GHyJq//6/Xd99qhztbRN xr+f+vP7H+prqf14hNr0c9co9/tpH8WZj7/EPnPurn8JWNE1yu9+PmB+c+eO Nthl79jR5/7UR2lBl39Fav7vG3HmnwtfOk2rI7WqHnZcS2frGt3Vxc0Q6HFA oMf3JdBltC+80dLpGg26Q9piTouy+FOgf3kEfH5dVoWm8dqdLRO0mKbTMrrB mid1ji4kHuNP4uhyjd6wDRyqwWIcEzmTnmatb2XiS93DOFak9Gn1C/EZD0yr YvfIvn3L4sb2PbiPG0b7iuA56G5BlinzGjva/6XZ0f4d7KijQnMblxLkwI08 /QX4FeljoxYDzFVsC+p6BqkSbuNU8/Vi5m3epKyz6oQeKcKQvuuNZyfKL8hv JpgpE7Ed6nPNkoK/Ynmk+JeyPh2vk9boeg25SQ2WiaWHnaKlhH4BZvP7BAbZ 6DRfJuE6SFWl2F9bRruBTAJ9KUtEDYY8PGuqP+otl66yJKniXcUlQUSdXrkU 79bkkH+QnPLT2M4/Gd/51eSUTjHlX4FQ7f976yj/v5ZTutCFdc5upPnnwpdO OWV8bzllfHe3WefYPvSO7VPn2A78UZM2J6WEp8XedmI85KaKSM8XrzKWDyqb 4TP6XBbVduit9EY6msrM4E07zehAb/tn76n2W9VkcwqpEX6altalmhrxxo12 c5VzBBVxwtZNlldE1Fts5eouxsCzOGNvTscYPjOl3vappT/QUJrKmYjCth5r U1oXWUY/7nEc0cc9kPhQAgq8Gm1LkhDVUuq/xDyG7NWFDcyRqUlwnOsDp0D8 bri384xq/LENi7vFubBlecofIWatSBKzOZbqCkvUU4CbxC+ZAXk3JtCNGCf5 S9FNjFa1+9Tsjyn5qDJ5ByXZ+uPZNUACS0ziHjV+MGZnQ5YgauGXVMuvA4xy VoRU5lb1zSfWNOSi8PBrisMrU7rVHFvxHxih8h9Rb+fjfG87iJaYNKMlblTa uuOWkve07hWmNLZaFttR0I3o00PbG0i77F1QWFmMuZ6MEHKr1M1uR4A5rzCa OmlrRaTCqwaxJR8TAATHUtD95ahjrYoRc3JSuETMucBkAhu6G/Q38oVu9lyk /9MxRvoLIvL6BPFQHnRApSZQhxJPjvjcO3z7zXZbg7FoCdBIqekktYwV6rlM JW45zMkXqdusGx+iuE8XdZsvlxw4EfamMssPqJmCJOiT5qdFnRILAfRJdQsQ xjxPN8vHkObSA8attUSdAePJ9aCT2lGDMJyvC2q2vIw1/tha9cKoBKRSiwWP TVcAocM5bapSuiS8Ci9gJfEuqOxyWKNvhu3iwOH004KzJhA6PALFd644tpHk bgkHcCUROOpW+I4LzkHMaMNrWB5GnMAlm8bS/ZBoEfGx6zzFqIVyrVWfGodT +lRh00dUu/9crlMC3QqI2pSQSlssmqoPdOgB/G35tW4Ee25Zul9YGGfl2+NJ Tjdp1MzdtJObKkCGGboIaMZhelNC0LjtpZmw+ZrvJ+jzFbmXe4WOjAIUletY OTuqXdROc3Mvz5NMPI9l0m9H+/bWc0vuKEhBwVOvoDWawvmCHBhBBC8+CLcU nNADG3we4juBibO2cSLTiIdYXjiodGGVvCBKGUJQsf/AIU1f/ZCt87GWqsEC KYZJ0cUoEqdEkv9gxqmui9oSagvse8UXwZgDbGR1iC1JPAv2FiSO1TcjHYSR bMjO7gSIafGtLQ5bJlI3MOOBbkR2q75okAeLnJowayfuqeu7hk74Il9SL03s /Z1WLb2/cWwzpvHnTehAqNOJFJ1gGbiHeQTBQWyjvn52YKqv9cr4ti+FGKRI XD802kidOrY72IpYSJUBmLDuv5GoBOS/UV1LcRsb1McqmHIyOKc3Z1NpUy4U qh2FXbRkJYYZ7j1UbzVLJ3tpmmDUqIBpKQukKi0/GI+1tk7n5dPig/7vPYnS 2obzA1BmUyeVlENtzybLMnlJtRVakvABXfvY/V2jtKjpFrG6v67TQqbGwonA SIjdo5943oIVGjBLRNkIQVkejE839rvDlwfffH38/vXJi+PzkzeSX+8lmf3h uCbLbLMwhxnJi5TI8ykvkDPbPz1cVinbr0nhuCi1cnSHYsEBlRSM6GJpnhP5 aiNcwk1JfghiRegTG0J0jwFcoBjjO4ajZI7b8GfaNj2b4US3gyofuFGRDIay hCQ5yhy12m1lOD7zONN1PEhp3jTp5+zMCOncs/nw8KwfHX573meNCn6Hf7fD pdVe+jkwcGzBVXVoe8Ms3+VrWoWkjHpqotqORnQnx81CDHet5fjg6K5HapQO J5oMo8PAIzIGAff4bHB4+GYwejJ4sjsYjff7KMgMxntPKCLhHf92fEb/6X6Y k0YnwXjwfW3A0ZPPGZGOn1mKEyaAIOvR+kKy7GzgfbMkRxSKImr44dIrci6G sHKjJxQsWQMmze5iqvVLpgS+bo5IsGLkSK3FQm4dpcieCe+jnpOmCMWnh8oV 2f7knntX5KuEYoH4GS4zocokBu6pWKsDIBXSVyjjl4wProe2q5UB/w+0nuWT s5Ov3xwMTjwt//SJPpL4Lnz8mxx593ffwZWuMBcCHqGPuFkAsnjqquxlbCU2 O4wRfZU6QYBcAO+HjV1TxGHLqm3PT2/e5+di0EFuS5QDqFGVwM9knXgLVT3P C07gT67aA4sM+SK/vGWYuC33fR4vCtLU3PsG0zdKlK+mKEusq7VUPTDFTNjz toD9ZZQBQnVGsKjQVPqsrRKMRMMYfnyAkoNrzYTdCnzlNbeK8O1GgRM8hIWt QXDHiybi+KtbcdbcWX3YZR3XwqkMyCry9MWXWPOzio6cyuKqblGNHo78p7oG R2evzrYHGEgqAjMcMsgCg4tUdGB2tjkxBq77AJc3wBG5/UZGoY2KxKlt3H69 XqCsxBIyMppumDsaANQEcJQCn9yKZGcUnVQ0UyDCINngYIZ1dGobs17a1wEw pgsjQJA24d3vm4BHeX8Vg1TlBwCky8IxpRrXZbLJhNsYHnN84+uknMGtXRml GfYHlFeiuGazAhHOy5gqt9kiBiOFWOayrqnb542NBNROnSjByrCiJ+dofPJW V9ztZcbnIuARvzDAAsbnZFMHwsd+j32UC0SPI1xzEftk+Ay0MmRERDOKfF2x bclbKOWG2HTkodLrWjK2djfNGDTUbFOs+RnQ1lt6IEsWXNgDJru8gp3MfMTj xS2JoHKQwNVpwDIMo4yNWxQYfcLFAVpaQXjTnbur5RS9oI5nVpiYg/WcMkoi x2u1reRaSmHhGL5URXMWv8gq7xy0tS2Q3cdk46y24G8wX1jZ6R6v78LRoVoQ S7/YBpMAbOSA9I9I6NJK9UySTCntkKrrlIHeXKev2GJKbBOxSSJeiP7hKqM6 caO/ufSOxGGIBunKDzllju0uDWJtUImyqWJbbaTkGhQYeBJ8SvdAzVv1KFmB EQaNEKBKR/axqXZHIyQs+wfX/7IADcJ4HKwrD9/GCjU5PLSCe2r0DJd5mQUE DjEtBvou9EAHQxOxUWYOVMdQzxRMxHtwXjNNfqkvJ+xCjJaCtArcMkEptnu3 hnXEqyNHohG34chWM6j8DkYlQaR5Z1ZnigmrFTNRp8HD4KpJ7+O1ODk+f+Hk yNIJzi6OBoS865hY0jKHteTke6ILqDRWGaY3fEu0h0QdqWDJyakuTKPWjkAq OjDLZXMMp1v48tmSBgBf8TdYvQH51AKJ801CJLqm3rN0XCTwDtV3OebgLKdc dMuMTo7NStcIzJnEcjW6ddX+Lz0CmtdWMXE1Ph16qifVfLb7UnfAThHbZ+83 4DB6UVCdi4rMm4NinWW+0s3mEwAQoP1Pb2FpK8bObrN4KW1mk4/zdFEVNm+U hFC9vct1Kc5qqUyCVI2SW2OpR+WrAeWLBWIvFzh0VyG22h4gUlmxA4SnQNtW DoeOvcJJc2AyAQC7KDBsKHHOEdD+AANxjMq+IP3Cy9vlEot8TaNLYNUrPpA5 6Z85FhSISVJqYjdmIl8Lf9I6roYNTHPO3OEiYUV8Y1r0MrUE4jEfiNxjnL/c wAxLX1JeuLtdp581hPiduHxLPGXll0o52lbBIABhYl+xnpLYgOTPJ/5KBj3b su8PKOa84Q1BY98AVTdBd70xXmLB6EbpT0JRW+V2K6YHOiUxo9YksXIYuUWo drTplsJIaHSQij1JVXJR8VDeBjSC6wCHWzUowUxeTWs1kATHfT0g1JMRym5v Gp7aOkv4XsfgfIFqKzH77zoEtwSpshPXlA7meAb2kjjXTrjaJnx59OqF1EM0 BsUeBeaVVySbEZ2ttskGX9bmy7mgdjCf1mkVc0jtEIJB6yvCA76LkDLAQ0oa jqJl1zYsmJkMRhzCYoES3FFbFi7MVzG7nkWVsxKSsVUVgXEbi5e+h2/LFstH jCEh6XJNRTSf7IJOXhlLjIiNwJ0xY/aiwGqeRPQDdTUYA02B7YPM512jUJQ2 kuIPn7UEI/+xc40qabOgTdxE65rtDifRRbpYmEK65GXSkFKkTE/2o9sk9oWl kBmAGhizUphmgV/9JD8HOj1LQWlNpldkY6JcvgMuvVX4dce6I7RhumtJey0b JApRQq5OvRxuX6w/8Z0z0KDrC25/2SHeSKlJqU5M0t3+k9EExSOvI3MBhvaV kiWAynNqiwGsOAZ3F05D5McW6dLXNfP6mKvX6Gowdh6+4hyMg+llmYrG5dqX gK2KoOGYa17h2AejLMCqxEB4tYkJ7LCW5TaZ7eLMeKhURdA4QLqeogZO6p7G UI3drWc9pPWS3jRY960Jt96r7dcffWASGIdrkCB/Mq74qAluq8N8WQdoursY YYBQsSYg+l5JLAL/6yBTJJQY3zhYWSnHu+s8VTOsjyciNOg+gQDyLACHzg89 Im6hx8mTkXgDTwZHwzSp5oMpCGWDvKT/SMnUvjuCdtNvx3lo4N/0Ciu/wrTc K4ZFjcbu5b6RvF1W6sSn+HhXBFRNZJ1tZuolQGuVO52XtL0WP35jaoJi8e10 Uc/UxBcIExMOKNhUur6jakFHzX2ZPmB6yif/yRrQaHmBZlXWRrOD+pHA+Fcg Q8ARhztx3eYap3DeODAHf22QkM3uhqFErG4+MbTadNuWOIAkMC/2KFp8O/Lx omhlpNa728Yyq1XXYcp15qdXoqExXfzdAOeiwp3UwZermqA4g2+s2wrbovx1 CyLwhoYIzuJhCn072U1EHi6AKxZwS2lDO/xnAmnC8JgEQNrlD3epP5gBSFLd YHZPV9kN4WpKEvuaTqYBewdH3NTQFbm19cntYV+w9mntkgFlTkuvFAXVvLFK IKrTFIDDiKiZcqXI0jBnSUsRw7GGAqd01UFMuryqxEIixshZPl0vXYCyE0BJ TDg4MqGGbiYfjQlPgxRGXC++LJLE+CPg2hVYM1ZLfaEZVNEAO8NIAXD809rw UYGReMRs1t5khqtJkkPllhKGaM9oL4TlerQHWesvEmqHwY7zNVqPrtPkBlCI m1U4qd8rbGScenV4sv0cY/CEqTbFgqAbZtkQ3mGAwG3VYuUFOZgjbKfGMxio d1pT3Ft5WCmios/Rt7SMznagIZfs11fkY97Um/YT1tictu+TQ/O7R2rfWFhI hSbCxSOl8SIwZeE571aov4U6subnx+HWmCPduRxfX9X6Ql3Vu7rR/TRZgdhK IH9eL/W3uatq30TxuFdwcjwgAw/3nZjz8OSoBlBeCx68uNWq7Go8Ifp4kXA6 A5mbYsyuZRtV6HtKK7RKfTaS1R3YNveFazxlt4oKZBEBGTGufKSBa+8GND4u FikzebaTOHeAz8Kca3cZCkz4W4JFNr4CWKSj/R9/pCCJAh7Ixjv012FeVTDi O1zN9Aq7BY/H9MUfYgpaH0/or69ROYNTOFmss8uYHlGqFRTr85WbtJTQhbUA aKwE19w7DOwBjQAUNhdINw/yclmDN1kMggQgx0NtmKanPvdipOrvCbyjwBlB tEHdQ7bB9tWtkAL6BQyjl5zO2+Viw/Z+YvPntQiadg3oNXHkgaBw4X1/3v24 DXkUKylxXPK8BZDKsCCyhtk2u6Z5Olg5lxrFIlgHcGwCFRwzZBs2CFcYfeuC MwFvMQ6v7sJCeDp/JcWnSmCBmGhD6HuKZI3G7F///9p7k+ZIkixN7I5fYYIU YTgy3T18w1qV1YIEEJmo2NAAIjOLVUWMwd0AWIXDDeXmjqUio6UvFJJC4YW3 EZkRmRGZyxwoc+BlDn2aHP6R+iV8q+pTNXMAEZFZC9norgzA3UzXp0/f+j0S mThCVmNLKNE2CvPeTs4LUMnSS0SZwdU3rwRmdc0Rw3PtA4GbtjcfXyPeKnXz K4GRZ2CcCa9XExLnGJEiigDxzWhqNKdKghCKcCaWPQr05xFYuCYJ/XfhuWdw ZC5ksmFnlEscgIUhlw6esOIbSQ9a1LXEaG3NSw4slaVUS6pnljVV+kqRkUn3 D7vXr2ENaIru25Z/jvzb7nPpFYclgTZ5OZyXZSXQZjH/6DGRBiF38f5WjMuo ssVMBRm9APtrZIsToZ+YEBxTCWxGYXtB3In6aki0CwyuJBY6P6IXCb55vvus xd+vMPjvaT7BFDh26FyzDSq9VMOEsyZemXC4zFpQaLGiDsmldXD4rJ3YDlXY Ls5mKpcI/LDtEU0fnBgyLm4YN9+488U8hS4nI+w6kzGTQszaSYzAaC2M/Tmf 50CTXB8LND1SWC8KWOTEF/tJGvuvdls7O9sr9vb3qF5eRtSDu5BgGBwPLkVM yHFZB5xTdD7Oz9E+20yku8CLj4zAWxMFgcANwXJjUZ7yySQjW1jSID3aCSoM LypaB5ufVkgOM2Z25GxSNdPp7sonmpi8mI9SLYGj9YYWc1+Pck/PjMeI2T7E RJ7rjJfs+97qaneTmvt+MNjQ/B0zokodKHTirw82UMN7RiiNw6ve6tq026Rf +xsD/JUtCMOr1V532n24VY26l+zBo4PWRqfTWl3b/qBeUnKT0NmfUmgar0UL +ZQsnbuHgWWOgFVLwgJHjC2sM2ohvs80UrhqNDAIXwWhcG8TFYVT7PqsAq6F ZH3DLngdh4w9uZRHW3uz9MFQyDuLOTor0F4yRnIIWQSGfmGGlIgjkbNHBT/U H1nInVNYLt+Akh8ptksx9BKwpQO2EGMwOTp1zI+6Vih8B87dDFUYd0TCh1Ai uEIp45KZIzAUVJLnU59kTl4j1Ko4RA4GJ3evVEqYwxiGecau+DNxxLvYYHQy 8zLp/ehHguKmInrMOWkGqX83O09Pp3k2zrpdB2t5fIHS/RSulF7XZRhKpPKd DnSB65hixXOVmV0CoN48TnKXu4vgQC+y8Shm/p4Uw8x9jZJ0LboIExKxjP2R HyDPL3H+FDEuRaoASgBdhSJ0kY0TwRxP52TLFrs0knDj+PWzNyv0K6biuBTM WXE21yvdQB2y+SMOcqq9geXSAh6CqRmFTovtKgHEqsb9MJWyjwqoqCVbTIyR 4yorQUdE94gCRHuAYoFJe6vx0FNELArv9aiEssRmYdNJaINH9EhJBatZ4goS 8L0vMM6y70sCOHX/o0A3g2Es9EnIVOiW9P2ZxafSJMMZOVk5jiB9S3eqt2AE oAdSq45lW3OJjepqNKdlQJ6kGwiqYoIUZZ1/h3s7r1++3Hu1u4cpLa/2gZcf HSRyXUR3B7Kj03wkbnwyJrC1RDLuWvKn0TOcEY9YG0hNLhdXDYmU/TzMy0Cv ZvUP0/+Q4z6fpjfDP929heGg4HWVXmG5VglZpGEUYje9JLcV0tVQMmklogd3 eP/bsqlmFkXZ1FRCYHhjzGYhtrS3fdA6Pn5xJC6F7VcIvp30vz44SLafb5sq aUe8jq39kXvtxVHSbfetiqGlIZ7v/ebo+HBv+yWb1ik8s37RnLDIaCiMyQVX zkxTToPo4+MLAeDCPGHgzHYPu50Nv4fwB64a4q6IEaq6npRNKMyTw42Eo8Nz Kndca3FEDbvB2HLvVlNPT+wOoYAypPVRxkGmFU/7RKuHBy2ms7gpMawY7HHW pENTy7a/4imHh6MtlpZIV+PzpFdt4K+k3EiuUMd1HW7iMFMmmCLnbEQ8cZwI 5VQ3WgZnLojylbQCFvBPjMWkFNeyULZhrli3NmyMkAIVEkRXU9bXJIw0q57+ oLafSWCoeKJi7LkqHDjfM9lEQj5cpEk4YLm3gXtfUXE0nzrmsqguTI1KVyhE pU6QT9H360KL8c3wHdL8WxxqL2lrT9cGSUN+x7o5E/FIFeKVL1cMUEBQexkX VCDGpZKNL+cXgMUIW7bpR4pjM1ydOfmaVyKqeoz5MjhkvchBal3rbg6ojpVz 28cKGQskNxfF+L4coZgso+WFaZlReqFGorNDhSySSKOmUhctEJZFQH7ONydQ Knp1Zf3pFvehkM342gGCo/zkpk+FqKWQvPSpjDxCs+nR/KpdaKM+b7FKchtw 2ygzIQ9Eeq7PBqQblVettCO0Zm8B0bjedh1oieprSni0dJxFz/cp0x4ZdmxD iMxHyb7mHHBaLUjMJMfiqxaORXaLXtrffrUt/G16x4z0oChnrX+cp5MZnOGK gfrqj0MC2HZeBp8A6DP9rHXc1bacDGE1prypmFyuBtjkj9KXuN6njJDv+R6y CtLIKZkHrZu3V+MCWjWhr0bzumPU8OwW5oRuUl8cnWMxMhW6eWaUn09CR0p5 YRPxAWl8JHM3SQ0S0SFcItt14+Afd1Z0hWHhW7OiaKFNhgyr1GQ7eemvtvIO LpZLlzw1YxjTkvOWbtJ81oKZt5A7AGOeFii6cXA29EPmkYtULhl3WHQ5ZxdU 6FJRJvNLFEcxt3ZHkEawCUM0pM9QPLVs9tCk3OypdWMHrRvRnPd2dlbcIWHf O+xZGbgW0TdMiiuacwnQJIrVk5UAGjxykclmdHqXyiUmUSLK2rHzSvKy5AiS +CcA4mzXExsmUSCjYsUkiOGONwUSIopPT8roLmNLkrzUAhlcNthYRAKCxIE4 nxCOk0bnr6l28o/xGbCFPSRzeIIW1yabDCVF7SJLr+8cZBfpEO5u/xotFdM/ //O/NTlLzYqtk4UPxBW6TMdNTdLh6HtKEqb9S6coD49ROmnXNszj9e6B2Wyc ceEehCeDuYmKz3IqMmtYhqbbN1yPG4bIQaFGd4rL1vLBZJ0Mb0ncEqBdMgUo OWiZonFg7/Dk44qB3hHfa5pcWzwGte8okX1zdNR68fKobdxRrjglJ8W48mkB 8+a0CrGdmHa1FBQZQMhaKLlKeCwwHGEPrsmrci5itRQvazzfe7kSjxs+K5sa 4ea8JQKyYgPHgrGYZ5Lclm3nmGbQNh17j8xMPuCl0mg6Qr5UcuIkjItdQGfp MNtCUEtJo5qYS4MjGyI1HBEwf6M5V5ldCKHqk+/d11GA+BuJ6ZZ1YTAecgSa ZIQ4XVzQB7mAjtjX08i/S27dKOEG9QCDKYBglT58aBd5II72ADWK4R3cmzak Ki5wX5WpSTmiPBQMWZNwHtPBSDuAIaT0h+B9oTpGPqE7m2hrC7ZSoA8nA5rg Uh/Z5WOnWLOcT0KXqyQkBCZNuuONCZOC0ZoOPfOQwUwl7DZENcRtC6RLhj0l HiAetjBLguxmpXNA+QRoSW4iNjhW9CevdtXVBlIZJEtHJ67IqV8K0FVQRHAB B+I0g4fH6WnGefgy3FJWXrxlkXfMi5DVl3vxy7EbDY1wgspphbEAO++hwkJo sHXI2ePApSkKTCU07WHFj4iUKKlCqSHJCIGKiiEV14lGUenFaCzJIauQFYmT MWHVURGB1zgLHONts7pO8LIov6FASQtB9tP6tFeNGWRR1Ykb4v16KGQ/oD6O sy8V8NNQ4lU6u6BEXqwb6T4l1EVedJ90J6MVy6m3gkoiP03pDOUBb3RnaL0p RiiZmCMgopoRqxl3wWqQtY5XQEKG9YJ3IQ/sseCUTlIBF6cTo5un/n0CGnTn vczRLZNOMgZLk+NQ33A7OVLFebPT6bBNkhL3J60AZFFQh+mIEAa59k8VrOuG jJcqm7dPM3WeslEOB3VZOPBxzguc0HnqtlBjXDjYSlek1fMVYZYk1WxbaBNP h4r2eDVJJiCXAwtIV6SV/QOH+cBJA+7PekwEvLokbGmf6uvChI5ZdXhZjLJx VQXM5bEWaxhwnfnaCZE6SDvTX1VH3DQzHpeJ8/+ODDCKg2SsjztQelaHzjTI lmvCicGAGqAcKg96g9vGgkhWzkpGqb3Tu5JMnz6Pyz9GeZ64ppyPAIr026KV TocXrWjqrUtcoRaiXaING+027MFd6w1gxopxQp4JjQ0TtYzeJGp1qx559NUo 5PCGqPUPHBDonFMxcXsEBDuEKtQSW3yIpIxSOqPMavum6MoIBT2XAvBOp9ac 4JkLhyJbMSLh4QZPRQc4vYviHKs3AF3RXibxIpCo6VGcpDsFLHpoFDb5G31Q thWYhZXSgHjJ1Zfca6/7pJQPIQKW76QvByFeJw9RQHpTh3cyYCWc4HTQtq+A WhwV4dn/NDtPpw4oSExSeFmQ3yj2CGxXo3UuEYzRcTf1I7jLCDEZzFHjS8Iy G1gWC9SD/ZPvKvb1+SHjyCgksIIxh+Pmwn5enpG1o9VgVqd2N9avrtCRg2nc Vcg6MzXloWETdh4EeMRwehguzA90odkx5RWwBtzU7oJoMMEtkK8oLQ/08Vwc GVSj3dkKdUBBUvfpnS9F/kQgz5/gBJ8MV4dPmDPvZhNgBq3irHWEAs0Q6zKP itJBj3F0bl0CBVWSuwTuyvl0wj5Hrr1S2nOxedG5MzFZcJ3OqR4n1koHtadQ YBKT79MNPKC4TgxAHkqMSJkgvnON9hmF2igWQRg6gb59ZkdM/CmBat9Z8BRD bHzoeSLNGgoT4YWkVA0FcQDv5joMxIJnhQcKFlO0R3JGayADgfy3/5BKHpzo wTGaNysNDD6NRWDYP6xrsweShaA6V+KANrvrq8DB2WIjOA6ureFY4y5G2SVL OjP0xqVDF/eVsnsaRNWUzqnKwh67SZGe04nFOqBcDZDSryIHOY7bcHPeE58b OsRnMOBWD4uShnpsmI2IbhidnrapmnrjrBZ2dXS3SzZ5O5zu7PYCKE28Clfk HynOloDiijPi6PksOB6BNJESxipc0ZTxtehwAOGMKNQHVnfcDPSoQPbgLSHc b8LfQ85B9lQ6RMFqEWfiteQ9BYqFBVTzHMNFa5SNQc04zfhYUTATmy792ZT+ sTQ9RSxpDqfia2xHMQpcRgpD2M7St+Ys9wzynf91QBKV1gKQ455dXjGA9TSn jAhbKEFyHaULVwzLxYbjhwsqe9ai8zKcJ0brz8nxdmZhwA0AtxhzkBvb/IBz tv5ZNkXX6vmErOPsq8LYEsf24hGjZnEqwGnVMRO/DmWpGtEZvifFRGxAwoZy DYh3/nUJV5bNlfAODlLBOBIOnNNAbes1p0FRdMuk4FvonqYcF2ziWvJzJUre 6sJy0ZcCMOURr+T0ibDo8joDNm6N7ldlNh8VC8ZC7k6KS6l77JIDoYzZoiCe XGX0zp+O4cYpKGX5H+l+RY+zyIv3jkNyg6cZYqAQvXuwG5cfK1jcE1Qyrwu0 TRLi42UxvSMtG8nnNvmq3W13HSvnzH2jEAi2PsVYFOO5xgCSh0dMcjdT5hyE 0FbtaZ+KxORSDQDlokkefHSDsmAULHLv7H2q9Cmv8lQ9bSImO+UK1LzpFahW peg7G5v99VDfwfAuDlc00KJsJYlPNQoF83OFc82nSYNHubJwmBr95IOjbJAk w10EcOTGvq/h2wp7f0l+kLISpHQ6Ld6yo9LDWJbz0+uMrGuLhmaS+OHYpIGi YbBjJFEgsfHkBmGuguGkIeccgePcYybciiLRWZz9BnV+ePI5/AtkEju/FfFv RvGFLiRWznOYFiLJHXR1ztmuRxsVr4BLU7nJp1r3p9bJN8rwXtV4JusWnDnM YGcIYl6Ce3tJdmxY3b1bDm93DcXAuqYZKdnILnT0nI/gF+KM/JFFZ2smyyHB 0CPLhN3kvCN6mNc21zeB2k3Ycjs5mAuUoW9CA8Jb5OKx6Ba60TVdsiqII+Xb 65zX7qrA+tvM41GE9Hj4+loph8edNzFy+CD11OzxRX5+0cJgT3zSb3gbZHUK GsN0QdR1yVxzwTGacJznmj8Zn2EHvVbrSBNBJkCBJV2IXH1wUFoKsUkHIuVy HX/QlFnBcRCXJ0/TL90l2wBZwXJh4AZNYopoEmfTc6xQgOhaZQtPYmvCuMli MFQDukh8FAPHIebl/Byk+CjMvEfc3USa98nAlXsWyjI2yxwgJZ5yvbDobNlZ gHymd8duhIUxvsnPmYpaoHhxKicvfMB0MbPhJdxX5yAfYzw3eRYdsUW5CPRL Y3aDgW2jFSA5TAMv9aW0jF/fG/n390bYgMz0Eq6tKEu7vIBD1fouQxUbTn9J 99klrXR0YaMtGu41/FotesNhNubErTCjQmDKvGZIPqLannAtyRvtLgUMlXZs 0+cC739berR38SK+nozvIrWVQ8TCSm2VWOrFgGTUVaHNWhiOBc26R+5ttmq5 E3vdIiMA8sbgsMnB0i2e5ZdBtt4+vz0ia5DDxSCbhX+pWqGz9NH9YV6cTw3J OFKfpS1C78pomjHiQfthT2k6dQVMCQUKiczDgahd91xQy0ecqaJwc8Yc006+ jRBx3JPIvtQ1HGSTHII+2DrOMQBrXADXaBwe7yiOj8VYpasW5ruzbVGSMUEG h3qnmARjHqGNLpxm14WMyKIZaF0C6srH+JmnPRQEakTZmZN/Aw9fXPpFC3xU auLBedkxwzr0Hb3IS8IvAza42ttADwy0+Xrn6EDvyjX8zBjOMMBH8OmjaMi0 jKMrBfnQo/rvfHf8dGfniCfuDZSfQgTSpMtklYpZfi3FJ2fcZ07N8FH+VFNF RKoJ7MhUB8UVn7h1PuqUatdSYw+904ILBu7FvLy4FCP3kLHpF0FCPoVR40LD wHFkvnigBvSSpC3BPHgdOa8rJmQgePWd9V4FA0cWmGn0vIrxXI7XPqdlj0YC wN4gs+BloXh+KySEkxklJ2MnIn1gAaPp5Q0VvbmisG/rweuveQ+eFJSR7FW5 K7T/kU04i3DfRDIEMvs1PkwicUxWTfVVzshgIj6nBSVTnrwd3syeUK/w67B8 Ehrq4MsWv9Sil5DaseOgGFeK8Y/KBkgfBVk2dGWR8jZijwkFFvFxhdenfDzU CpUqySbFqUZ/s3Z+5+UwTdNRP5rmNgYTZwbAk1LTkwNLdlgvpBIEYKVNE+jn 0EZJx6kANOOgbID5NIS34QhzWVZrXadAqiiMwBqFUdwTcrApUk3vzrORjMRW 4fClZB3jmhZh8tQjbxqTtMUcfrHTG4v4choC+nts2Y2mM9wEoGCFxpvTN5Pz wkccaYJOkKdL2QEfiyEYXx31U1DEeRe+LjAMBiVxrpQrq5KLpZ5tgcB10GDn Ko1TYpiNhqdEZDrBKCKbGHrW8Um+C33okrd1gymaC4YdFEISKFcfQZr69XFW w5lGH2qpwDpTJvNSEpFcrTeaYKZ2OzupBp8naneBnXOFXSnShp/VorY4auuU Ih0rjWmmos7JM38FZ8N0aFy9G9QMMaQythhxUhgyiZsiCMOoRaole524X33N OgmJvBF8ZhXlvKEhykKhV1CVXoR37g90dpsPQ9MiYr4ghNvXJ9/bsC6RZEoJ lV4QSMZ1LU1UjnB8vBTLpMEctGlvBeQ7s2F7xRVtqwDca/4E71fQJFOCgQI7 RZmR09UuPfh4MAresABDnjgvXXEaWB/YdkiF0rwDjvaosZGxcELmTDkSx3I3 7d0C7dF52vN1SZPG8d4e80tTFk4v7c11dH46aCUfdmhUNZdBUpr+PW5RTnIg jRd6aifkmWK8RqYttFdkxrixaObeiWU6r6oqMbIJhg2zguPtGaHuonWmC0Ku lc06OHzOsxFVmCT6eC7HVmOAT5I0xxAfqiVwLZhMVBsZ6ZE4DwYmmsVnOWuW IjCZmBF9cQlpgO5iJSyaL1elLhgNJyVjbtAE2yVGmQtyjPvFanz+SFmEiwuy UVKYG0eIM7z5ZXrLAMOc4eUTZXqrq0Ar7/78v//P70E4wiyeEw1suNGYIP1I Q3ttmhiCn1Aezn35YgouW1fCQWy9LICKizGbuOQBg0caNto0ZSh7hqHaYocb 3bUOD88XUkW7JlwRd4LZ7iURtqIXpbkzLcCH5MAG5UTVmmkPHiWmVwqMU7wX +wTvrUsy86UpT4Fxid0Hcz1mpDxJaHhk96SGW66MyUmPZCaGdyARRMrphiWp LM554/gbdC3Cf/v034HBhA9c88AQW1KLVisdYFt+fVMqkHw+UfkFNs4+KGoj I7CE5ZqLUFdwtqe25IEC+xXfgvMsRmhDFZ8k2jTuqdVhr+QAo3x856+2nd3d FyIU+iLkC2z3D/RVP26X4D/BM68ZfaH9Geu4cwlOSgqr+i7TCYeuY+KdCF3n VDOh7nlgFE3FzPAeFMLroKJsbPKTtGOUS7u9NSKpz7SeuyKqJy8wXhoEcU5S g5Fk8k2LIqmxJigOQCqasq0WRQ8pw0uaq6a4CRgOhxiaj9m4uLy3qIzGazSA kyjQoNGtLLO5goLRtxBmRhp6Bdf3Vu0M8CFBxtlKfvvbmQXc/P3vl5b+yf8k aVpeny8tfdGyP+FflZ+6r79Y+kGWj39+QNhQOp64e5WfHxI3RP/Z0hdf2p/w r8pP3dc4ik7Qza4khYtm8jLF9GqkKvRn/VBdHRzFT7EW3ceMIgUVIPk5R9Fr 9Xp+FG8mrl5a3Y7UfPYTjaIfbjxFJ9WN4eddi0Gr31tfW//rrgUOYaO1trra X4VuDkRSxoSiv9woLANYereVfHaWn7dCVpfM8tk4+3JZM9KFvdB37WVghJ/M RMyaHFI4m6cPYnAsSBygYWtEToVoGT6EVQTcARi2EOQPyRGonSMSS7aH9Yzq g5fczKs3wM6Y6H5AHg2CFFq0c7gP6n8+tq9gR/3FFiJVmHuNk3Vaein97V5s wQweutfI0FSM55fOT+xHh3Lat+hQaibb02nK1nlzRamG8K0mZ1HWwCw7z7yF TnOjuAdCcEGbCcb1Tc4lIkPhbmKTrx3IVrBf9meJut9KWr3BEg1zK3n1dHvJ jHPL8oz712NRHw933v9rdt77a3be/et13tGuu51m0upyHe4B/Ar/yEfhiB4o 4c1u+CbHeDSXmMEsfufnmZRbz75OCv/3yFnVFxL/m5hXr26zuvDr+sdtVlAd /a80p37tXj1yUo8o+v5XmpbjpL1BlQTls3BaOxcp/H+v8/SgGN91+53Vx1Dg 4pd+nmmt1k5LduujplW3WX/pWa25cxXt1XpTPoooEOjn652XizYooLvo0Z+J MfSXVMH5mTpw9NyH9Rj0ecY9+L0Pm8OfRWsEk3UT728MdLfp170j/EeXKHry Z5pBSLqDVR7QqjmRg9XHkO7zPb/jBHr7iANJ73zkvB6j9XyQgmAVn4/WfT5I /SHNcw1lezgCpAEF+BOHWub3Xq3kg+bY6lmVq07nYvypQDv6pB5Z7WIVO/kL zDGkEad8CZrKMQKwGNWLjd4txGUp/3b1LjP4n0jr8gEP22GA4fNMwN98AMTi J2Qgj9HWCBtpga6msawatFVT21XiNB6jz2HwwM2EvRdoSgm2+H1bFxOOABrZ 5XZo/ys3+Yg5tvhw//+Fm3gXBeWH7VAwhfVP4Mct9LSgLedvl52Y4X8qO9k7 PDzZeb2716Tf9l89e01cqhkac2q5hb4aMgzTEHn8yEXmgiap6chWxM8ZfvJ4 00/MKvwGEqfYE3y1UVblFv+fYxYfYxD9oDk+zCx+6h4rzOJnnuMC0cMVK9wO vPIEFma4B/pZW1k6+hvmG4sn8ql8BLtpssvyMbyDfZt08BHyZ5Kdp4J49jPY iPOywifSETtmSimTya6YD+YSX0T/VmlqAWXjcukx4rVY6OF92Lf7RfRvlV8s 4CEHkvHPzrEOd6ZQSR6ankdR50n8IRin/osBCRRaI/vkvtDog357o92tOawf uZz22Dr/m9th53vTXS7J4/Yg//+7dLg9Qlz7OPb7cYLaRzvciLN9wyH9Bz6k 33DbSvj+Aq6rGPAMT0P8kYsaYvSuw9Zaru9wuY5PxzyayP01Fyo90tKumEnl ay41sHlg0YI9gwRqxw5caGWLeBkDywgDkwSGOLNB5Coc8HfZaXJM+c6Nne+O VyQip7/Zw6oiykPjNjFkf0Gb3x0nO2OKczzKZtDmztGKC7fPppfILHGUmsdA +RLIdlOKRcUhnSAOKv31ZDg5e5IMsTkZ1/pgXVtgTdNt55nWl8tnGWU+IT6F 5N9d5rNZZsrIckI8nOPippZBfxGSXkyCjyJJx6I9d+YRk/kheTAeJzrlixj0 o449jgUJAfo8/mq3SwwWF/ql4NTA39vMcmNqkJ0hDux4tWfT0WDv3UDcieRR rQg8vAKE0euIoAeklZe6Lg+2YjJ1gHISJOl2PO2HW8nLuCGsLdWu5VifTC94 sHiPetj3ZXoVjGW79nT9be0RHOlP3aPooZ9odetu+ICB6iVfmwpmr324W5D/ fIepfM+pLMubw317r1CSHxVsWXSjgNDEOR/uSWpjORtdFMNlzddcDrswVwlw rRa9QVj5t1sJvYgf7jASFdLEFG6qbLqV7O8dP8OvwttXhbBGCffG7377u1A0 +93vf/d7fOeQAE0DBLqt5FUxyWgZXmKCMDG0MjSowsdkbHto/vQkqfRlsmzC oZ/SfL4YnoIqXmZ/XCbCDB4Y5qNW/JAumxlWsGSfwZAXd2JmEwhguAz04YTU INMALer8dOa/DFvkBRQhx2cVcigDfPf6ShIWar7bw2hdwWc1sbVbUs6Suq6v LLJFWZUqJ6+7ygy6tUQ7lN9NeRICQBS3IcM4mFNqajYKYbEXUEzSCD5awRa2 bRVLrU3PI/K7v4VZH6e+oko2wlefTVPGhjH5XQvGue2zPyypLi0lyefJy/Q8 HwpcCZE7vYTfPENUHYyYn2Acdfjdy3SIIJflRXJGmGS4y2gH8k/B8lC9+OR/ SBC6fuzQVrnExCwdcuy+4nAGhwg3aZmVaBCmtgUzAgi2lMKbuk0TDtqGC2sr wWjw16+YrlAxEvQYxCnnB3Q5qN1HdiIsYydgGUdfV89L9cz9FGem2uq/npt/ PTd/3+eGcRp32JrUekajD1VP+Yon9te5JuvG+Dht1aTRHO4dHSNOtUkZLEEu LQ73VqwSfJ+adY/UVvl1kTHM8KG6nx88X/gh2d9NHpfuUKdJVX5dZBi7R9Dg EbX84EDgX11oHnuAA8cNrT0qYv8TFrtOkGYybmFBSJWiq8QFC1+K/HyoCJ60 Y43p7MuV5EU+eZscY6rZLNmeCTIn68zB0Zk+eFwcPijxnuVhMc3akWT9oQP4 Gc8FbJ+E4diR0udBxA3b33Vu/KIxuC8Q4ckFERjz9icM3IAcUJAPcDFlham+ qSKSKJCoaTWoL50COwoaX24myXK9lW8ZUxSXH2FtXJZkvzLIM6NEabYnjxPE 287GMARBS1To6IzasUA746KgPOszrC7DVUYzqcmUcRoco5bxZPR9hiFBfHoE 3yn4Jd8ojmhCAAxY+Qn9BpgOO5uPcFdkLlOaS4ykTqjpYSmP0KbIqCBw/36O er4DrZH6ToqSPzWiFiHj8bBxWhYNb3iRCTLrUAHkzhS+UdE7vadDD5KYNbVZ j3hjK31kigWFSZth8Tmc6MTb2hj3QY+KK+zH1ckEWmnk5yCr5Su08bgElLW4 yieKB0PepJplyUKpkUeiYDykDCcIhYwt0rnFmcrlIIKWwOddZtlM8tYLMs1S YvuZW0zeGMY4oCHI2CVT2I+mDbsZzc9Tg2LoK/3S5nFZbOhLwNBp0Qgj9Nrl jDPoPedMkXxKVomwRqHmfLL91lPwTYZJ9SMHhozwcQLaqC2XruSqNIl7i2hS jACjRTwV5ifCOLBFRg1KsWmdgak48VwT1hlEAFqmFbtm8N6YxYQStWItuRKH WPkKT2f1IQOSPnJHnKhLoxECPinZ6H6BYeRwEd8JAo6x3bpG3VEhtCdTx9Ci 4SMij9blzoIlSU+La2LsrRalZ1NC7hstKSaZiriqx4JBzoCQdNW++0yByTVP N1VIwRAlkKCrplQRYKJtVkBHQshzLReE8Vv8hmBacXPacZh2XPrBBUAINFrE CeOumf9rT4Vodsyr87PkrpgL4gbSffgubcTEgUlOeIWvM+UqfOei+HQniJsE /qP+GkbQkeJDgrgvtazxaxmfUxZ3ZGnefVaUeE+3hrPblseu01XXW0tT6N2i 4/SlohDjG/iNMN3FO4FwhoSUV84JJhBFCoGWwoEq6LMF7d5hdHgqMcig89JN ZSqWSfod8TEA7GvyHteeQ70UJCG6p3BvwyReqvhjEmoZ7PDU14M+vTN1ZWkC Jy5f2pWOU6+Rpjq+f7+FccSfmwKuYZJ1KTUDq5tYHV7NlzDSpisCPqcD2aFn uyGEU9uPYhgvJNLwxZMnSaNzO+isSM0w8kPFDm1p5Ssq/oqop82E6eoETlkE iGHKSjcUEGNFWbwFf6JitNuPwsVwOFQR+vo24gydVkdVwvLosBAEhG+UjbpK YT5qlLB9zqcZYXoguP5pqni0gqNRnTMhazCHlRHIO4QHha9MlywIh3m0Zqzt xbHvsP4hXXwZkWIj6TRxN+t2ZsW+zknj1de74et2CVcWx7QzaUVb6Y5Q7ZY/ DgplwZZrjwjzsqhHBLdxRUzjIXwAGssiqgvBKM8sPMsn9NbkOdVgvURzlRth Act3KzSVavflRX4FKzO7wfICtqRMPrG3tLvVIjiVYd5iilBPtuuXDs3+rpwi mApxcvjAcFBBnXSAUNzLgtprOyeHgkO3X7/0hHIdBTah/ikjBI2+hSC/Uqfj UTacGqtBve3hi6VqPv0P1cVwHwUrUmerqTHF1Bt0sGdeBs+53FhwzWJ/Ja5f xSH5sXPmnj2X/KHai+358KfquTbGqX6z1YrzRvWQBfTlCL69DFcnlZhpUWm1 L5cRSzybor2nKpAwOWsdHCOGkARMZb7VBGGk1PhcNqmUPPNvlVAMMjfLKIhI L6rohLSS6mgCFD7py8EEcsUHL61YIpSr6cqB6LEv3MNnWrHfIS1DI6ut2RxY HUudKsxPPeajFeuHRXp1v3ApHIBxyEx5omRBdSIuU9ejwny+qBJ9JZqMYHxx ITI/HVLPhlQKmMMbpdAlXMkodWHFHdeAVKYkTR4x1HOGX0JLuQLiItZu6QGS 5gacmMscaZ0arRN1Jn4NXlAqgatloFQJuKfIFekgeODGd06X8HPzurFiRboF wBpvBJHsa2SxghSOR66XJlkisbSSVv4q89lc1FDSdnA3OH5MQWCx2LtYqQy0 oitxTSDUcwOH6LmWFDpgY5YtDlVMbd0pUIrx7pgUggJL2HtTvUKW4U+EAnN7 gZvnI834Sw/0l6G5a2ZeRyy6aZnVvy5fEu6olXZvSLWeX7oBVUbgDHYJEE1W aikvX5LT1IgkLwmCq5nKx1Jl09RSJPZBPCHZHgLLG0mNFbJwBhaDZm3BLySC g9dHx2o3cKjtb6Z56yCdXWwly0/bPqjjqVidZSlMXMj7FT4FvXZnkDTYkzRa USDrjAr/BmIP0gCbXamwF97YWEvWn0kUDnLg49docVLSmztEMzF3j3I0mBVo SJcyY4i85Zii9TnaUmX3W9S1X4JCRXJ7UkbWai0DxnYWVxfK2V8Y4Y7gJ4MC S77muBDTDEeLS+OL9Hn7g8iCdbRUI4a5Egt098kVSJMiCtmfMFszlZbotggK /aauE4e9xnjMpkabfwZBG3MpJ8RWIW6YSl8HUpm7AJrenEKvyJGT1p1YCC1f scPT48qhwgljxoKif3LA9mxyqgPOZdhSM1HU8lSs1vUH0VVXKFEjE9VnPi2w 2yJYf+UWdeyBK9DlkxGDGHJCQwRqN7mHM/jagw+vAcH2icL6b7As1r9B/fxs FRjSnoDXEqukCh5wDaOWw9Rccwd6wUDu8+OdA9bzpX8xywTleR3hEfmbEWOt 1CEb1xh8m80fNsAA1ojnNSE4brzwdbRuVK5agl+DoALz1FuCYVVpVXhz5iWj zKM3hYvVtUXTsaVG4vmoQVEO0mk5m1JxEpAn3Ny4NM6xeluU3uF08DxIrRvC xTgOLVhsZ8yupIw1POkOAFeeizCEg/oaeEFr46fF6M44VvCjEN3aYY07ViNW tZpK5AuLWzvg1iy2fqrFmav7eX2tdovoRppEK4EH0Hv+73EoC19lcS9sw/dG 6PH1R/+ejqoOZ8cKwggGQlEvPkAgq9bGRGsRX4Cuwi+Du9srV4vNDdqdbtJ4 M1GUU7w9TSAsLoQpIGlqagrjMjU1vTT1SRU19888j4oFQy5j0ayjE0G+11cc QKdbna8QK7r1HUJoOru/L/HBwvzm6ibtgIDD2dKFvg7AaWY5Bou4LG6E1xSJ FGdsKxfJhVokEa62B9ss7Q8NnAp0C0PV8hTp3bhIkVt5eGEKyPcVB5zqg/IH axmEOXwK7Ptqii6vMy3MJtdgS+jHVbZ3Zmm5JuUQlPfcfs5+dHpn70CsbMGQ /aai6X03ywoXQ7pz5Gpg5lHmKdsyNOnAwcJKoUxBcJaLETtHgFuVCmlJ4bQN LzQxhTsJpIJ4OcTHLfGv2PczuVIlDj55hgLSu89U0CfZZ6Eg5ehSFjePD5Fe +/Zoy0PO5qGHEBsUEb60go3K7r5aK3tfFW+9dL1oB/ELcdlrYrH3zMuwI85/ 0GIYKuwZt7Ofa4PHu0LFlbzH03NdNN/c05I3AjV4ItwSWRxDx06XJFgjNcpR YtTkgEM617uXQf1KPSm9MO8uv2ad8GRORyA1KXFKeehYbqsZey8JTI9hZVWd lhu1l7MtQVQmLWoJHYymERYvCY1fnaaOw3EGd6BtubdEna15oVoDMDCYIbNq kYHmfc20+x807Yc266Ftr93DRdVJDmm4+7H3cOCNGFzpV4tCxfVwtf7AT7Bz 1VXHw52Oi3PWlDDwROmIJLNFY3Knw95qpoKxGXHU/uOb6XEpZQVjp01wFcsW 6XD3aTI1icVIT93Y2v5PVcu76Ozww3bMpSDB5gf40xuCf/WDJCZuMc00EPjh y06701uR1+hjguG915QRdRJF+G09IDvGbx8wUWxRseJmzPGqE/rhl96c7SZE h1rOtLxCHz00vEcOLWJlf8+rTNWIIh71t7jIg3hQi3yl6sWgI+OStP3hXHTq MI0L3l3osThedFpdvIVY3Lh0kXJc76pwNnfKsJsVM6mDdAMyG1ZSbc2m+VWp qtQDligntx2KISWS29TC6uS2OoPLIrnN1LhaLLc5gWeh3LZIDFsoty0S9O6T 2+rm9SFym5G2Hpbb9h8pAVbktuPCFdyrEY+advYYUck+GooRCaS4h6W2e6XE T7mUHxadPlnI+4tKO/ufLJz9HcukP7WQ9xfeuZ9H4vuglj5J6KvlxfVCX+/v ROj7m5ARaqTDvydBbD8WxGoEy7/+Ilekw8cIYr0FgljdSXhIECPRhyDYTDEp Gx2xgPVJSSe2pEZvNettmMwmSm7YW9x8ifBajs+NuMfVzzmjyob4KrNqqtyK DYfPE0OvuBsWFLgjw2DUHweah/eDhAQM2p1O0vgqHVEGDjDeFcvrhYtzc1Iq dDRXQ3A6luJ8ATms0IWxSu1SHixmjUoMDe1R0INcmXU9oG0Z00jIPSDRutzT 24xiM4B6yXEppUqjNDLNbQiX0m8Ue13v8ZYsdGBgvP1OQQ4bWLXABYaBOJdw ccWhOOyTRwM1t8P1hqWNyI0WRFDuSYX71g5WuG8dYCRIa1a0Xg9n2ax1xKhX MHM8NL4juvE13qnX7rf7HO90tLfzNU1hO3LP6bMDE7291tnEYss4ils4LxQH gf4OuWJlYMlwTiE+rvYvA/xgZCV5Ku3krn1kJ97eU81OwTAZPPZJOUwxbAbL iuY+qMFEZKYYY9qiktPzCefYUi1qvXXhUSorTyKDri9H0mtYgXMDxpNiCcPW sLc9kxhjCz6y818Mowu20voPadYOZM/USk4aX598T8rF1ye/WfF0V1IoMbqi 3jhXz6TQMoEoaOmGsrYgCQOMkVkgfSgqGkxOAoqHWT5uJA0QcnrJH1eSp8lG sqILQ9/drqg250qnKlIe+h+oWBsFVN9qWW4egmTKEPnl6g2GQ/SymXzfTG6v WHv6p7srPqvlLLsq7yVSSdi5GqdD8rdQsnm3LbQ+E79fNh4BJVIOB3QiMlsw 9+8fmD0/beqPopSppwm08BnG0gSStB3yanSu8JpNXvNGvEy+TL5nK0GmacVa w5WTsij0D9frztVR1jqE0NZOPU35EoFsO1A3kktlgWd87XNHTggQVnhiWkCw FM2BOZQuw+QUjuZZPuNQo7C0oR+K+g41lVD8dTxNmVr9vBvehwB/yVYCQz/K L3NgBVgKO5XChNeZBMJgXUdZyDt7hhHNi+MXFh7IGd4jFIRJsXelKSS5DDPF lonsxZ27rG5oOSJBLV9a/tINSVfa0QKbhzSyQBy47OKl02IK1OtlMMvFjUz8 a/tgP0w11EqfCyaHaS3hg3RI5uNxcExR6BOVjzWUKVegj9dSsy4lgQrbYq4I p1jvzz9l00KtXC6WY9H4/I3DAbxDwvKVEBmWCFxoqlb9FQUSRy/UY0Ysd+np nY2qyWdeYZSC0pRQ07nt9JIGC154NOnv3/3wux+S71fashwgC04evyJp+ACe HfafA0WhkEZgco4ALNsYBJwOodU1C28nun7x2N259IU/zokrFsWsVJ+7b8O8 tVLdk2BitJyyejAvWY6BLAf/8xuMifYJF4wayJc9FRzh+V4EgdmNefWmyifB yJDyrqC/3i+BSH8F7fzyKf6S/Pl//T/1s95APvtCPulu9qJPNu1rXWgyhSZb ffjlFH4ZdDurG/21/npvtbva6w563d5mv7cG/13f6HQG6721jUFns9sdDODJ 7urmJj65urQ62Oivwoj63UGnvzlYWx904JXu0tLXlMmdeuX+lg7QLXTV7a6u b/Y6G5vdjX5/c63f6XU2V1cHaxud9e7qAFpYXd0YDPqDztr65mq3s7G22u/3 15b6mxub6521zfX19d76xsb65ub62hr0vbR0w+fCkVBy56QPv/vJDXTduKWl 6LulSU0N5Vv4+3SFHmg0ruCP7srTwYo82rgsRskVbcUdNLTRH/Q31ruwNOsd WOqNztpGD35f3VgbwLTWemudzmpvoztY7fZgrdZgVVbXVwdL3bW1fm+119uE SW7Cwx2skLi6FgZtECaA3BLnMP4UhAn5snHbTO5I3AjztCPREk4A8zDDL1Mb lqsHa7W91rZixEELZtRaXduG5ZDjIBXDOcwJY8bpwmKShRF1aAH/t//EC/hL oFNXs/yOSVMWkB77j/TYQ3ugi93WLF2Mr//q9WGT8MpZLCIsOae4vvsMv4fP 8WNVJByDQOhKha3BFOJsfOWvZVSAcaXPUrg981QMgxSFwskOm4NNFBcJKl3T Hzr0CQ6B4586qw7UkxKg6FPY300tvusiA6kZGa/4Q0A8G2IM0leEo6RgpZGW 1MAXVuyQpGYz4lwLW+JwFLkquXw46a2UUU6V1rmkuFrmMB1c0ifnOSbDC1H9 +uj1K24YA/THFCxOkEQjxABFQmCl04lojADFr3ActNRhBlmQdLO1gRERSS3X ovJq7pQmaDTablOWDamOy6OP8vR8UlBhZccsPeJBOiL1CWeajUSXgsFezC/T SekUXlprggff9ZL3CxBM5rgoDdygFbvRNnUDtSh0a9/SrZAw3AcBCOOSu7gg H6oIQ/EiCcZ8Uz3ooHmani4vLkXNJFG0xaWgFUYY1jD0FIZE+bn8F+k5JiG2 dMHqGITYYsG+xXKJ28JyiGqWiyPHyLELTC+9QDiDUhJRYJc8grcie1NPijNr 83JAYpEsg8v0D6jNQe9CbyJsobJ/TbodIzAh6oGbIRnsLZmIUlViqi6opphI jKqfCRXDWu923g0MoJV8gKAkSmPGX3j6ciNKsVxTiaAvv0/iAV2moIG9e09g H2k+rQyYzpjUbS8dri5mAwUPgqiO+oLcjLyVjHyiwLnHzn0S5E6QnjHLgbyY lpCXINRb6YKP6w5ISl/zkf3lL5P93ZOdw71d9Fj/A6Krn/SSX/1K3I+XWaqY aPyNQQ7wjN21wMmY9KDP8iH0lnw2nxk3RD5VVJPTDAgE5o5/SkrSPsmX+Zlp 98vkXTJItijj+73pBYcjkMMkTi6aDjQAX9k2fvWrpgTi86EhubNzO+in3c5g 0KE0HiIEwmIx8C3FEK5URrMq7y5P4XQv/+7z5WYyzglnRNY16X2eEFXiCtLl eENn8hInSzuj1Csiond0RFtMyVe0REIeqiR5xo+PGA5CY3c4HeHNhohLCjIh ifI2ChY/uRqnd+fkO4dGd06L6cvsEe6SZNdTmvvZE34U/FBdpdrEycf9LAX1 xfUHZO/qx/OJXICy2EuIkl7zaneju/Hgq62adzu3/fXKh3F9hCUu+lF9tdpr 9VWM16m+elZtz/K9JSLy6muDTuVDwx/xrW5vOHoSv9XDTxe/VfMSvjXod0Fh 6K8N6t9axreW47fWqm8ZRr3kjjB2+N69RWe2G4wRWPMSnvku1QekVQQ2wCPr d7qdXrCEwch+a1/6vfaxUX2LroalpGGfX9HnK08n7ipYsi+Yyd/3yqccmAd9 SWivd7dP6FOiO23uZW4ntN6Xh4wCLt5FXqAqUcSFj2KjPjK9fCwmIF99SN7h LE3ufKoAbFFyPL60xDW9gcv/Vhgv7NtT/HdpCaRAVPSWEmhpdMKVQ7aIN8NH /0AfsuizlaB00FwCnQ6vjS5qpp/j90t8iwR/9sM/B/7PJR8hwt2+3Dv+5vWu 7/Pozf7x3tHJPnzCw8YP0XytA+D0dP4LZgF8p93u9Xm4NDIao48G4W6+PvnN yc7+wTd7h8d73x/Dx2Y+PhSDnzXP9eueG1SfG9jn2CHEz7jCUm6CrqTUFhpW 6QUUA+V5/DXeBkV38Ssg1uYtkuqwCUu3ruYE0BTrd4+u6mD1sypckxb9gTcl SSlh0DoU6V0qXFwxj8QHFvYy35/gKJF4T4P1OtWv4U/BXQJhb5ReKaoi2rnk sneAVgaDKKfEbgd8yIBgpWaKcIiTHlUBnmet9ETWoeN15RNcpq7ArbnKGj6Z STslKw35g+odLygVYSrT3g6FJb1+TvEY/gyQ+OJIlcDmSudYdPD4HtYHxddR 8uT2CYs5DiS4zU2tG+ca7GL//XuXgUJwJEhGpR1BPxjBwI4gZVwqNxqxdE4d 7oDsJi41yuq8VvGCshCZ1zsDy2S13Wutqj3FkV47GjJlRKrfjPznZBUcpzkf DJxDWpbFME91OC7leGKpDp2H9PBE9TFNSb2mbGTuOGpK/F0wpxOnwepCicdF QhApsRLDI1iVzaREFabZzik/VRps6DcnaTpakQPAtDvXQMZ8Ithc+AeB67CV pNtdE1+Y7loOGh5wDwokG6j4e9l3ku/lAI0tFjlqJayvlSAAlGAP4Qo9h9ae n+T8+asCZflX8NH+t/rZgVv5g3Ak/PW2Xz8yHGzDy7/7bbKsVLEscETH38DY ERv0c+JKzEcsdfY47ZJKZDIEVo+PaEDB8TPd5iPImMTXaZVy6dw/SLYDINuB 2tgjsnUssUq1Kc4zJCLNE5RQjuankZIzXVwRHJwdjJI+Qf7lQXYfWUUpIpVG wuwreJOBkewCWXbILglVCISi8Af23G1sd9nMrZnYYTddIMvv+VW2qix4mu8f eYFSesMgxMuep3zGXcFycxnlSsbVNEitlUC/u+T79mpnkwAr8F9MHGU9E/Xw Oy9hBciz6nvY7K91XL8mjrrMRH5kXa+FrSKAHPoRMBiHUKRYwnI+pSe3q7Mn OI4nQ/zFjzY8xXpyVaW/JTtAH0UR2qkd6OobbP49Zw7i9/vY7GGz9s3jr3b7 D7/7Cxx6MeXRY+UPO+y5Dnv+wcNeRWlmmn/AYAeL3mhL1JV/w3u0xfCG45Ws b2B7RAAI9pjP1IsKx+SOkd4UwiJXJFMFS6GQJ0KVGymuYsrhKT5y1N/cT97m oyfsFQ0mgrOAr+Cv92pO5D/p48rU6CAqHj3ami7lBlPGD+/ijIjwvZvE90mu H1kFNSdWjkVTgDDYF/UugZ1twn9mCbsBeWQ4TBVNCajC9UFwe2gdckeL2Ixb aCQeovkIcC21hw7d3xTGNalJGE7d7kqIBrshaivmDFeHOOrbVWqwGR7dB4+q Nx+ZI+6n4kU8LIlE4uPOUd2gPRZE3SBLixnM4GxxTTjOwIgLYGtdnG+JrStk yrvPUAhveX/We03JFgij0uXFR9L6VNoj5AdqTAmLWgTybuUjlCdIPp84JGyO FZxkKBejZ0JhmlNf1+E6GOJpdldMosC+APvgO7qCw5eIlgnQgIMcGJFCHTHw 17i4Q1tejJJEBvopVnhjF41P2pUYFELUzckiPp8xgA8aCCmSK3e4NuLIkDTy DJcRdj8cIsY0ekKX2D6M2+GZMtQQi3jZLe443igkwkgmfZk0/CkgEycjCyBq 9tQhe80Za/4inxLGNKILwdha5HxBrxH5g7LZsL1CR1kKYKriNyKE9VNGuYn1 NUPbBGpBPZpPKV4GI5TVbRzMg5c5nQyxZAWoldvBRdp0Qzdakgy0wgxMxJ/l C3hBw1kjMKoMwc4otam6IsBNEV88jBsMFglFC4dYQQe3YOyg8VlLxBnT8VPt VbG5GEGc5qsBuWbEVX8wryQ5DTTlgfiimHCOqSWMvCOwiXnpkGdnxdlcsYBm 1j50k6m7jWOqMmOVoqCXgDZJPi2ziGAVaVYCWDU+qAbVlY4Gz99ZzTl0UfFO HOzHOD+dplTrCq0R3wofEnkzYmE7/ri8++zaPdoihuPpTty/C6mVhiY3W8UZ Nqu++RbVf94SKw8ih3Hw2aeZk5cD6uR7fCISI3H9WGRshhJ0iZdEPiQJngQH pBFGV18e5ef5LB07UZnLp0RFkq1VYXFT8Os2SiS4Nct8bfV765vv37MDZEAO kIcHz5EQEjXouR6rDCBVJIwFje/iX1+Rl4oc1eYWZCXhz//876CBP//zv6eP 4a/J6Rn+xYX6BKCcQ/HUG1RyBPRnyT5H7SGu07vPcveHUoJFJcOjMwI9YJQR P9CQqABppuAI05GHR5qIqi3RDirbOSUzBNojWuGLLnVuKB9ayCc6TUTZ9OMl iCnE3KJUu7w8zbn7AIDGNxPKmRyOMRzPBTQpBelqx2txs4tpMT+/kKxBdqi3 k5cFqSiIM676o3GeOpj4PGQnsOwHcg/6chZ+/UpvhCOe4YgQJxyElMdz4VMW rq6Xo31DdN1yD7ZbQTKrXfFUojSmUk6Jgqcr6x/C+oZsN9XSAdolx/ykCqzD 26MoO8hk7humWB3FgGBYjuh3wSkD4hd13dPZVCEyGTJNihbwLsqdRKqXeWVn W4OW4ebCcFadkRssXkQ4Xomh5UEHs6wZcKkQR6Yrz4WIi3zHQYoH/CmaKvcn Z9PUWzgaB8/3V1yQemUFItLXuPA5G2T4/p5P8j/OuUabqmIwweKSoPbpwzR5 JZPYJmx64RukgDVebe9zvgjeTbdy0N9wm/a5vTf4XHTY7EF8Utqht9lq5UKI b2Qlnu+HswV++MAsfck0hc9xNUKIRzZKDNsQkLcn8NaTpCHvrvhNkI6Rv1Hn kuhCbPgeeWalOjR3Gl1okrGHOi2mepmGh50ksCqetj+U9TK1pKmSV433SJeJ Aze4CAaTcSBBSrisslZn1uFJWSmM95fisBAr0IhskRnZ9qyDWyh9bCWk+5KW LlEZIirdL0/i46gwekvggtV1KosZVaCaidaf7KUUtSG3B0HrOXkGUwq5FeWl 1Z6eysIvWAk6S8JiZe2qbZQPNFI6CyvfppY3XV7Cu45hMprb4suTwrvvSorx qomgTye+aLqVoDTaTgvZ4MKMs9G5i2NRAypJiUf7X7/cxoBP/Pf9e1hdQW3j y7gSku1cFMtKhMvqhtKKFtzk6Z17jS8CbM69DfxvfA/JuTUMEpMXGjGVsTH3 WZbtkFJ98tf2eIalwpel3I+Tg+x9aai20uIysyzYtAao72NWLHiqVykiZNNt dFYM55gzGEkLUs8HTxviqw1zSbeiOACPtVaHZa3qey2rMnfWCjtHA/Uak26l mA0Kkduiub77DNeuhdi2msX5yRed1Y2lSn0wlG2n6YPevBJcN3ysWa/l40wF kVLSGDMQARZoy3Rc/4Ddku3JPiZetmAEBOUrzAiV5UJrL1nWo5lsVie/mZSx Bqx0Y2fxGvdfdDxnBGhFYxadtGD9eZhdcbbSo2/bLF4qLYQULFmdxcBeBmW4 XWG1pIwkWLpesE9eygdaBGakAgy6S2bFVCV6e0HI8aLP4YxJdKPXJVUvX6gG 1ymvdYfBBaaW5RyB8O5TB4ODDjrcPr2DahwxioWaH7TtdD2JSY50PV650EYj icNpuAGS4BgSWDphpkAkxXekbIJZEVrLGjpnKIlokxcurKfA2ICC2JmjbKFs ZEYiGTX3GDkQ3HwqsZUmk8sLVtY8VzlhOjX1gFSkwgflwXpG9WiJj7Qrvpbo vpjRlUxDqB8mF+G8LuTToxlQeclYQvJZnbaf3rmEQHcohUkF5kuBvsXG3nrw aDRetdBFjOISxRaj7wbH61BQKWmcxEXyAbXGBKkdGEHPrGjr48Cd5US5pKFD uvKuNGlCTQ/Ta/SISBUXP2/OHAHW8tWc7dliam/aJsf5GUU4E+nH75JIMc0k dJaSKqd3ePBKcrRLkeNpYX1gVGdiDr2aTbE3rqyP9WwA/e+JfzY27ZH7v7G3 veuSjrN01NKCcAoqlTB6ruqdo+S1Oh+wmhzaPl0BAqrh6OyvIsRFlHl65+0/ uMYeIwk9aA56qUbYpExXnyp6i1ePoty3E+9N48Fo95dz8iNGo4DNvp6PcccI t7tQBKpiQjKFk19Frp9yoPd8UqZnmTHZj3Gq7eQbkI+B0hWT4aoAPUjaRZFz auuUyOkNigQpLNh8QqgiYgpr3WWzljJMVRmicHuHYSv+i4W8TfQ5d+XYSlvo tZGBwjjPs3bQpmLWGLP5KQVYc7K1N/c81GLFgJ40jl8/exPkKsY8Q32gcfki xbjVgpAimepg4N6CliPcNZCXbhG+XBAK2IOU7BfHxjUlHijmkS5X5rwoRt4b BYryCEUUSVcb31nio6cy05czvRGrEgPSTY5WBEylz4YXk2JcnLsc7pKd22i+ IrECz/xUqnVO/Xe4uJPhnc0qC445gl2bU/7us+Bom7oFhA88mg+ZP/oinEHa D0fUCxod38QUso375L2CPhLEL1ZQK0LdExgfPk1nmuDLm4vmFeVbyBzU1+na TINpjRzziuL/Sk052d41Ka5RGMr2LqMmBNG8Ild7ayzMWZ35aq4VbH1sPHA2 yQmm4qugH1Ek5pDyoCeEVRLkRZBhKIKtsGIp2lHo1AdTbprqu1wPk+JpNWQu XB40Cp5hDnYDBL3rAjQxkgjhejrTjK3+2hoKNNMMJFfxuFOwsMUbBGEkRX7c GqdvMxKH/iQuim2R7cwUptklngOEJCtnlSH75mXAe8w3tv3jgs0Hu3rctN5/ oJWylSH6SnW4fR6NrJ8ZjVWAsgnco+x6FjOE0e0yF3UrEDggiB0dNnmVepsb tErW9EjdejhAEtFHi/yhDZbcOTywt8HJlvzJg9ENK2xD97FNdBWh9bysrMOA ikovPio+p0mLJqPLaOID2uD8CZiJxzmk7wTMA0lehM16Z2TdmUd8B0PXMTlX 6WXBrokL+jiICqACGGStlBHQkedSyI2UfGBx0QaW37ESzVytmlTyB73OVw61 QeICKs0GRz6o5xAWWzXcyEvcMy1yIYwmclo2F8V6WPmO8rSAO+C06RIM5Urz aDOOyTFrg7NQxzQHskp2YxAcoAgVssNWcncm8HrfrY0TOY62hWYQBAeVK+rk FimLbvX0GtitCmcVVzc/GCxz6WQb5l+GYVfjV3jf0/IOA3cc3jvJJcpBCKIC vRfCPB3/esT4hqkCjEYibmimsJ6yqubvZWGZLr+pcrOzOVRqQDnx2qy7rXkR ScK25jSao636xtXXFlFmrGiHxj3s3VAC4tl4J9hCfmF7x3pnpvSKbqPtVvQE yj10GxleBbKRTvtztWrgDjg6tKUnODdGkXhAHTOVHiq7wWMivBxXcxmtZypg hzH8eNwEQwW1A4WBrFiz9SMPpSsWpkVrNc18xWiXsu3KwQvfkYNlKnzcR74R W7p3q7TyF0nfjDHkq66Wkq3r2aQrJxqoVWIxZe+gQwytqwvbKKztXZOR5GJY NLb63A+DuUUhU/4pTg2ZMu4QJj8/RiA6vshqLgG6M2fZZdJw+VtNm7e14guJ 1CywtRUGke7WR8SPeguHTxTLbdiis66kkxREKQoS9L42shNparTPKnOFBl3y EEpuooAZxwalVNUXo1MkIoF0q5+pBPbYbGVYOfWgMJmXWLkZMwu0IV1bGgnq Y47d6VxRyGf8HK2NRV4I1MVqByFaoqu+ZoI+fWfBphTDOYdZBUKTEoF7VCUu fCCfouoEk0gnGXRDBgS0XaJ4R4JayJCYIRYzLgTmQu4xxNv15bnUgksy5J/h VYlkxKGQNERZCsMq6LojVw6DU8x8vDYsFEHU+OUkVgfcbBhjkqmIyMWdeGPJ zcQQMZQTxLvGMmkLP3K5RiKPSWkvPVS4NFw3KzxDRjB0wTQq3bZ9fdhINSWD nMmV91tO4UtaXZS0ZBdIa2aeju9Aa5MwYLMPB9PiDJ1tinP67jPsuAUtO5RI 1cu9DgpCP5xMNQpaTOHwiF1x487VzF+xXM5VbYFS9Eg5u1jQxPfi13dBWRgD exUaWbaWlrptX1cKARqodFO1aDUhSisetVS/zG6vgqpJFjq+8aW/WlfQbvQU xtZFhNwmWqUjTE+2ubeXem3NTP0y6SaNfSalIKSvmRzKp6haDJPdb8TH2G9r MABnju3v7e0lG51eu7t9CJJpdr2/67BIOPI0dtVqTHnnMTpcm3JmPofRpEMx 8GgsgjeYIS8eiXlVBJGuvqiB+/uYkDAgCAiBy6GkBV5r5tfE/wkjXuARXGJ4 e2nQ1siH3IXTyjww77G6lTZsgXM88ChSw5fpFUk+JjITduHt7G6lmbTgt+H0 WoBKWr2kYXE2V9phugiN5t3xV7uY8gtjggOfJHugcxSIFo6FaLcS+lY0z/oc Ap49TOfJ2+GwfOIwDytB+kur7eQ+JZlSyjj/wOTRMiHU1AVdIAysQSdv9ltr DkJdQ7EXRhGS58nZLqLVhzVbRxOjnmOXD7pV4flUO8wkqTkjHjnTDpGj7zOH elHAUT94sb3/SjKu3302TqfnWcvlbZ70gD19xSc2hPU0KZvwl22EaPH53m+O jg/3tl+irYct4lQ2km8UTo4u4zcJ4fF2COfbySOMoqmM6+T57jPnpri9gnUn 1e3MXHCUreWkT+z36JttoEBUXgjKqrVHL3pke76HaHS8Q5K6XZhmsWMdDIy/ t7pqIL6wyxN+SU1L5iOl2rBVP7GFQxcAHcnMMRJwJJvTetMkV9fI01PTWLNm CPSEx4vt94hX+LIbl+ktyCiX5i27V/BGuAp9zOPf6K51uBnyb+KVF73k7gER LFCmIKs4SUbAijeSt185h6qL+3XuvyaXx2MpDEFgL9iIfgV3ZcbWCI+jXRbj OZGow96lGCUPSycGMbSiJQXvLcWDETWomXYb1LWZuFAYLoJN4Xnpk8oCDUWC Mkc+qRGX2oMV71drhsqxfo7RRWgSu84o5krrvpIfUYdUuqhgSdprL6z5bpaA yRzHX3pPWjAwxJqKZCAnaOcTNTDRqbUHCf/nYF8EFAnNkw4mgdV+J/wGFEHr MKNED43mLpODRr5iEHtBhEBArYIgKu85euINFM8bn5txSoViQPk4aODvK7IO eHN1kl9qFx7y72WIzrFkB/slNNJZQQz8Rhf/abfb9Ac1HAI8MBv43Q/uTifz C/4yUbLCm1TympmSpGZ3ymUbcRcMF3XSMyrZMmq6noxIaniyKoj4NGK8pWWY VIdmr9Zled5Do+eQ0l3t+AMcji+DHfse7n4zrnDauzwF7Bo16Nk0Sy+h76h1 O60vQfJ4yauKv8C6uoXFvxctbdggPgkk86Vn1o3k4PD5SQ/YYyunNHa4hnjV GkhdK0nUqHfe5WfuQT/rFUshfJcQKYRLo5wzvClrZzssMHxupBHcXNmDKxS8 HZ2JNcEkt5exXlkxEFLAVSlpE6YM3nFgfGSMDW+t0dBGUn0vKLoBi5MHbWgm IbBowjvOI6mBQooMwXANlBoNhY0Bwp0x1HjmUeok84PNuQQVEFk7jIrE0ovs dXb35gpD1UB4AZKb0+/vJSSVzdtanosg24cSlMRQ0hFUCaEhXlBEams6n0xc tYHITegZbGA0UUZaGZrNRfTyBK4bUilcPBoNVHkRg7ARmbopBaLkeflCo1lJ RVlGZrjsBIyxa9zgCHD7wrjdcNFCNx7PuZSx09C8NnhVZvNRwQUoSBW/0AwI 7WGYkpqV6lfAzfAruOz5ZlegOq6SxWeEDJ5yRnBqlmDI/Aa0gaZiLwyO0YeO IoAp1oGToT6MXEh/x5BvqHNEy9twuD0rWwKIYNc4YCdmPZtJlwEs8NVmIOut RM24BQjaMp1AWx3B2gjbqblN7AMg6wDHKv/bfzDCJKGi5hMR4+4TLZ0lpsa+ asEaDSXOuP6YWzGy6oo4LG4OjfuW1vkoeipEyYzCVowMxsXPspHeGPJSzLWU sXpup7YpSu732MGyJRreZqM5cejzCRFKKhQ9hXZBJeJ4B85AoZWSbLB67hEf LhwbkStRdCZopcDaGvqUIwLK1YUPY0pfYesSWXi5UhQh8PPJdC5DxdhHnyEx CxIZCHBRx0TjwF4EDiqKvIvbIR3oqs76X+Hg9sR5onDGTQqVdcyMCqPAKuRl wCTGoIaX6qzxX6OYGxVzcWvpovDCs44QMRKsQgKel04jrc2N1AnfqpYQP/cU p5eOC/epXBrG5Hmec6VxYJioQdfZHKkUd3iHtCuDimKeLrNsJv6T82l6BTSs Wql6j5AeSWJGP4Z3zGtBRJwOLPJbKshGd/bMTwgNY2S8mhCWMTxGtcyrQ6+9 AHknvH8kTH2FqeFtSs+ckclvMgssjn7SzWj30WgfRJe5b1kBOpuTMc88Uvpo F00i8W4kyl5wZKnCsZj/sP3sFiSRmcYuYkDG+lqP4JccoBDpk+RQFGscnSi6 YzEJZppM8/Ktk2louehGu5uklwhYnvq08CCqINk2odVEbXiCC0uFqKdKXVAY yPM3u6+P7q38iWAPIvIQLrczMB+oGxDDdbPkJaZXTbLY1OylS4Nr7zyIJb16 ya86FTrkyvqpKddOPZYCwYO3FIfQI3Z3eoVZ1ELPKarGmO1eynPOq4R3zYS3 MmeIYLihpsP5JYwIfXHtCrx8OFT44A8cxWACKxTr18QEGHEaRytAvEHc8JZL 34tqgOELpxlFdSGxN4j2CwrnQi0U5rECb36DCagRWgP6FCTH1ztuJHRT7jnL eUWTO9z5dpenSQOCiVQxAtBK71OOJB8AGRYt5cvtHZ+jykheksPtdrRCLHa7 2a7ogPGaenu7YIRgD/BSQVcBq0F0Jx4dbx8e4xffbe8fn7yUIDB08JcBRhkq EPsKyQ3n0CgjYq4PCzLOtDKJibFwXYvZU7rE3re/eg2Kym5QLpIb5CKbSeM7 YutHKh3tsHR0hNKRRN/7ntC5xem/tAZauicQqUo5JnlpE3WjcrrxiGWYVNwA F45lIo9L6MLpzQ4hjBoxX0r5Jvh1EtsowhJDEeeTWcWcWJpRx4EOsBNvrgqr FaboD29FxT8fv/hIxvirtayXiQniaXNJGnM0uS9CrSa/rdFLH7Pz2uOCnfeB G5F2HXbzyB6+PXyGv7bjs4OladJpVkbz9vEhZ3LAKF6KqtDcVddAahuRFCsF aO4blwwmnPmZ6TSP4lZKCrN7fKs7r18evNjDdt2BrdP6HSsy9VZrdq7KCAbO tv+T8QE35GBVfgIa9w03vlxmgh8sr3iSH/wUJF+/cAsIcvDRJD94JMlTDwd7 h0f7RzJxJg6Y+P0U4SRpIY1HUwahggopBFEmZiXZuuAsoR5RMdQQal4PD8Tj 1jogKLcWD6PNJ1iENqn836+Y2dP3ppxq8PPD0oIv+Fu4uAxgbPfRTR0S/Wux TPy5XtJL6JcxJLfydHr/f7q39YV9ux5tYduHxkrfHsRHBceKX3xRBx+uDPqT xvotq9I/91CFu37SUIP97z92oI1g/wkF/r6BerqPv/ri/sF/5KQaMbEMVh7x 1kN9NeLtgUavF4+BiWDhqsAgmS+u1I7FcJwHTvDCz7W87gPvNyJq5QE9xDcW fH7vWwsX6563/I0Rs5Uv7kP6v6/ysxGmIx0mutqt+hIYFCuM3WkrvKddvtEe dU0/3Li0GdzQpJo7WUk9OaGIw1aYRysriohaH0gbwJxXao9+kMTwQTNmHtcV Idm/84CQ3Pt4IfmecclgFgnJvU8Wkvmi7C9Sdvsfq+zeMyfp0s5p4UHoP7hC pjXexP7jBdaHW5cmP1pW/aAeAiGd96j/kKy6QHt5PN0Ofha6rVVkaCK+33rS xb4+WjR/9JA+TBSu//Gi8KKfh660WGjoPra1WrFtsTQs3O2nlDAfI7h/vIT5 aUMNJMxHi8K1GsbigQrf+Uk1jEdLwx+lYXzaWKP9f+xQa0XYxSKqO6SfdK4a AQUMHpBH75cgF3/reMhHioXJDkcjvCjOl5YOn+1IUPFWcjCmokwcaFeJLfk8 eYbsrNUjqaDV6yG8PZbZoBQ5fAEd4Ohz1uxK9GxwwH1O3gnXQodb6HILh1rS zqWtUVjjBdeZLGdY6QmuttP0nB7fv6SMMan0SOmZEg4+yiZ5OsbAcUmmcJ9P +XYvuVQIheYVk5b8yf7uCbq3GFhHw4AwGgUHkE5cUz7w0Kc3iJvxj/N0Mptf auWMaUmj3Rmnxh9hEoukQUVxYHeVj6XptweSVYAr6SaCjqkrF+1IId/726+2 JR9n6rWoz33JT3jwWX6O7sLVJlVPFVlBPuyuyy5cyqpOL5Pl0fzy8m6Zvvgm nV4Wk/xP+BZsKHVOX7yRSAaXg80fbw8Vk47yW/y2dzd52zu8MCeHphCPrZ3i vp7KkGhXMFiNvtnzcj5KEAoM4kZh0W7iFzqIQElX/wqG3CL22oyymRg2hx5/ KSLlKBvNbfg474sZkfMXYnhsMbqjt49h+XKGrdBNy0uMwMgnmAnf+hVSLGoS jqDErTidT5Kn6CbjwwkPinN3ARkZn4k0deOiH6bkiY/CKeQppO5pMc7qDH5k SwwSWpekwg6TepQJhY9jVgEHewxvZovIwpPABpFAd7NmUluaDSLwL+TiQQQ+ /VwGfaRJK5oEEnhevSCGk9RJu4NkPPry1Y5WLxIjqGZOytdKDYRoMpb8cYxU Iq+SP6tdPFpX43SIxwS96+jAUgL5JpqCOceSXz6Ocg70DLuMRUIe1uzDaGxG aG64it8r8tABook7drNjNd1Jdl7g0uHz4tilfXmNgQPKkXRbHNslXylDFmNw YsD9gSxdNW7dt1fppaL3l6gRSFacJyGkQiyjqrrcGeFMBk1tYWw/Bp48Pcwo UTp4uKm7TPFWOez+LYzwbpxZfkWsaSxoFr7oxsyf1y3NnsEcHjh//NcJVZwM XzcvNTWgY/lk2d5Wy61l3QA4CPktvrbMQR/LSNkaeaND01MzlupPlew5xqHU x19xZCAvD5s/JE4h8DfrwB1L5pxD+dgVw855bzkf8fQumfCW7k3OCZipvKKw mHiodPE4QH9Oa/O3EFPliPzpZsxABfO6e8NeQebcGNaxzqxjg4UGIWu8z2CM Aua1vStr4Y7Nl0mnmRz4ZH+5UuTGu6Y38bXybjJLb3+Bb7LN58YlOf7CZP3K VxraWsPFYO/0wHiM5mlQ4103ZWH1Cl2Og+fy255e5YUrnswTfZuP3NoFZeQ9 xi2HBt2ZRDPy7Icp3eQNcggAjnB9HAghhiiawMjdWsqIODsiCr24J48+ZvUK IufjPTTcxy1iGV+vCYm2l5L8aiIINCjqqRvmL+wlDJ/z+cWgEUvPVHGUdsaX fkGQNRQcVJjiUbzAdDADCDUh8xVZhb5+sWOJdo2Jdp2JlqbX8pFuInEVjuKD 8VxleIfcYEAQp/K4WDQHnKX3o1LhnXIjieE0NQTilWShXzFL0lk4ELmWXFwP UVvNJeVHm4ZiX9Ig4NIbEtLgmpllHLJEsUDjMvuH5Iq1jZIQSS+BVlbMuq3y uq1JCS0U/ly6YJmOXd2SMF6akxv4Fc6hfKr5rAYbHRrrP4X/DPjBXa6GOEdO x0xDMWwwVwfzZyS6EsOfYOScaFHlwgT0qzHvhA7CEVSnOXDEaQ5iJmURRgYC PgimeCqlnbIQSDuSS/aWgAWgVrYUsOGyXjpb0ltbABQZNoHiyWhrDT0ohD7G bgH7for1dZM6qTNzyApoN+N2CMhrOKvhcZ9TSfDkdA4CEawP6itYCFhuDLPZ A97s1SUVyGpoVgOKw88obvfGZvOWS7qmjiMy1XDaL5beDWA3ZDe8tg0LO2H8 OYwMvqDt5WhuYgQpRrO1qEMt9+56fGnLufNk8BJR1Y7qF3GY3ZK8sRukxOiN U/8tSIyseT4l5dX9ad9iktQ72YpQu1uLwSrrNlvH8EJyUvVMCAvbfaYPIKS0 OYXEBSW02RB4zPlSraDV0uBlbc/Iqws1D31WwK1FZSK0XOMkgLUm944+DYR1 lssdS2CFBn6cIS4F2tK8UEeJHi4M8RiyEUjCeM3pWy8rCaLBiYcH4AKb4rGw ilGfz8BAVNCpltLg7rtSJrfbFu3Yj6zuXJiaIpy6GR2QOnHBPoLnpULmwNKl ZPUKa4WMckiAPnBKqC7BY6/xw+xmmrMk0m+vuvW2FEjb8lCJNw1lNtGi2tj2 I4CZLM4LJgp4hW4VFTp3PU8sn9+tzmDD7T0azhSSg/mjB22ptLSnr3kB0zB+ 5FVWath9ppKzvkaGNlIkTziTZXpOmCtGypXbM7j/XK6KPK6PiaKpjYisS/fR nKvfjMf8UCm6rgjSyALK4QUI++MsHiPxI7iwfSIIShnXRT4SfCakcjS2IQ2L IuPyZ2GUaG9zrAHYyuC2fwlvcjlp+iDrO4YJf9F7+9/CL0HiSfzkK8412nJZ GLVPM7q+SAqGQonk80mch+8KpFyk02yk1saAGcJuqjihiadKuC1NfpM8qDBJ pjI+0+RzHylvG5WEfq+T7rnlRF12HKK86CRabPWkoG3aYyPlhdHhqpxg4DYu uigmV2lZOmHSmZYY+F5VAnnVgT4EkWhhnUpEc5zmGUJNSyQ6iftqNjOmFGvr oc84v8ssiS+87QRbszy+bLcaS+QwMhosJW9LapcYI63SqqjHCJ7lQazFNozA 5XnW8vcLsE8R6FBsvBJlFpdXhxgI15x2gXboADsoeOYeOdCK6eigQDllCOL3 NEIimlAZD764lgKK9zyZs1HgJhVkPHnuWQGC7iiJTzT5eB32DJuOvPnODEt5 ogk7DAyw96ja8MVCPYe/tWHdlucbA5g7ntu77tcgtSEYLjCfPCXWKDZvCy6U IH4RgT8pn6rxKEc6mJEEeiwJ9FlYQPh5IsPgkS0mIQKIQNoWruyNv3Lvav0d 5MBLD980H0vLH0Ncld0kzvY8nV2MQYRoJkcztFHALy/T6RDUsKMs5U/P4N+l mhu+vqDs/Sr2y+N9d+kT2zGU8qjD5feEvWK6Nf6iSEPSKJLney/L6Bk5NfUF ds04eBWP9x957kNtAPG2/nEn2Gc9X3FufnBgluTWGqcTf1XYEbsldsrGTrsf DJGS5CfEy2t8AuwN7Ha3ZGyuNs3Ijj0GUg3XR1n1GwRvwpCWnaPgcynCNRkF tveFa058a+e746dxO+quE+eJXtnuUueDGCwywRecpHjyck2DBXU/aaRjdMZx uZlQkltRM1RIokvCoLbc4SWF2s8tpTcE8ArlNkIwJ5vsXbAh7PorExByJd+I N4wA9AW83Z2JWC/UkWGqXZtmRyteAL+BzSvmU7ilSPN3Xbu97rALsNvZEv1O nC0KmZ4zIVFilq147iL1HIe5IlIiGlEqRXMHLiyDeKHWwmk/Q754VOylr4Xl ubm8zaljIh/vCiENVFwWC2mEGn/DhIKUAp/smPsRlDlKasQeMi3jJ0wXVHm0 H/jlYfdYZ1OW5+uT31RgJJzRw4r0VElJDRyiZW7vCAgF/tZ3r0lBZc0iDvR5 WUAGdP7zP/87WTKshCPagN4MLJ2zA7ViFogOsbqkBk2SVHedscBuAAvQ/oag hGjrrDoTtD4atRUi1PDiMhgnFjqoukHB2AyBm5GC/teMr5cDy3BYgyYNiKDm ek9Ud4ENVvxawqDzZiDnj8d1dAAfDkoIhVASKHQ/jWXK3hWkSMJzoRFQZSYE O4gHCBuJajIi6kTp27ixNG54pPrVB5gZXV8Y9Mck/mQyH49lWZ5gJbQnangj jEMfJGLjZcMuibv5m0lNaqTXZKN4o4GRG8t7h91FnQ05SgduYDsnt9aL702B TqfIZyjjqNvCj1TMHEJzBLJ4AmLWoZPzEIyJPm4SE7V6uL8P8IieeCmVXWJl ZhiCKiW/oLFiOjwZOQn3y9eOmRDC5ziXJmGDLlMkV1mmXVF76mEBLdGa+8KM IThvikl4+yDVocQRplFSA9t7R62vd14yN7tI4f97HejooBjfdfsdtfzKrUb7 gvYn2oKbgu1QZslwu18dbTu1aOYkNsuxnZM5iEmSq8CrC5KfL8Usyvlpy/EH 5S60bSDtkjxtjZ0+L51r6E7Ts1mrko5OdyS3JU/TMhDUp5azND78WrOTDEUW fBDFo8y899w05Czt/lSwP6qzvhWu+KxOZ87dHMn9IraQfkjNy4Je7XU8B6cC /OIaKzJiz5FgLYRiQ5futCknS71AWWrZP221KFXqPUUvy2W17K8ja1o2oqAL WRir/xvneAaXB46fhvvyzRElORx98/rNi13xUaE6KNuAuL8+34DAsFsO7A0X qsOaL8ca2XuObykCWuYvTTvy3FgKxRpX57LnTRKPtowRCsmy+DrDVXKatPpm 9oC5EZhmnZMmHpfw01pocHsgFp8FVEMfPAnGyfrA1cK8dXl7fgs61BhBf7Fu zzIaqZfvKeyzbKfnI82oIIg5MCcDczzY7dhZ2/LrqQdttd1LlvX8Gdf46/ls DKQovb1WByAeH6yORhb0k27yZYL3YZBc4vuQWjwu415tDs2EPAthKj58Gpwb S93k+o3CKe1FKzH1jFGsLEV8DQZJut9eZ33CKXScKz8x64HPLId2D8oxQm1/ WbcO9X+Dm4geGSRq9LgOSWCtrvM9BqCYwl3lBrJM10sL1UAZ8RbBuQo5mQ5g mcOfdgXAvIQHWGl1qC/LgUymlgbnlEeUdLwFaRcwANLTF3s6O6tCX8ymDjPE K3l2hCc68pPVdBTr57ER65ESmz6E9WWSa5h6MY2+CQ0Xpe6ts27ZebH3qjPY qojYgRfLnkhvCiDtEYGkTd2hMqBqJFirAsFCeVNuhLyYNMyUuIAkT2iFm1zG EIHlZrK8/y3+gm1Z3EYWIRyesXPoK00O7M7pBRNsnm4nP/iCUXMwxpAK20iF +1Kvllwd9FzUm7e0Q6evt2D3Ax4RMDm9OcnecpYiFpRfC7NdbGLs9N12pVMq vuYA6d0hp4GcAqdh0CPzlSxE5P61HEKe2AmkQXbQrLKpIljL7w8wjeSQ1tJp qQbfjzw/HHg7UdC7h6gEhd+TPeb9HSc6z9LzpOEMqyRk+mVaefyqB7xlZ9GB seeEjYSdXs390oX7RavVqR+zZhi+Dn21iUG7L8oswYZFisZHMQeO6F/Eb5zz OXYIYKCWP4QkCjmN3a8GG/463a2QER8cPRckqPDzkGNY1PnTO1ZiuMBAFH/+ bksitbLRl8uTYlnLspLAAOqJK9aUTt4uvXv3budiivcTENn2Zfnjv5Tl+/fv m/jFNoaFwIynRfLVdD7J9fPnKagOOSwDvPLVRTo9T6/TiX65k05LjH36Cq/4 ifv4OL+E436H+wtilX76FYarligxFDPY4ql+fljAuyDUTO7G+Y1++BIj3iYY vjS8iD+bv830o11kXyD2pOUModj14xcwrmQPgYpm+pFY3JNnKYY6j92TxY// ZZg8Q2NbPk3dBC6yvEy+nv74Xyen2fAiOSDTSOYm+Cwbw6H4+sd/QTArNxGY AuYTvM0nbs7Px+m8xA9nfnCHc2Ca32ClkezOjO4M38bNKf5UXJspD5P98Xxy 7sYG/GAKenHy65TuYP14DwNFk+fjLHej3Jvmb+ETYMymGxDhn6PXYmo2/pb2 vYQvMIoQxqDf7eN5S17k8/I6Tf3yHKZnKXoufvy/Jq0XP/7fV9mfPLWwhwON VjmWfvNrcw3K6CsgHuA0hrbGmGKDxOOGmI6v0xGcqYMf//PUN3yYok/qIJuO zbPc6AEK/8MLdKL6Zfvxv9xkk0lyCIs0H14UM7MmQ7zBQWAfu/m8zIFZZuPk EP+djsrCUzKcomuksKP0Ypz8+sf/CuLkxBDC/5hiYMCf/pQiCR/B3vt1/XV+ mRxBe1hyJ+wGP52exWcIPv3xX4Jj9OviAj+ew2XiWn0xH93kmPqdz9zafDXF 83yUXxWl3+gU5NBxep0cXd6VF+O7NHM09W06xmKi+MXYU9qBFFRA7RMT6ou3 bunhtoIPpvP8rW8iLy8msPrJ0RxE8Sn83x/SkO5w5S6DBSFXV3Kcj4uhW3n0 eyXHWM9walcJFunbLB+Ps9ks86+P8//nP6bJt/P//n+AFPzf/xc38nQ+Tr4r KCuJPgNqpqXK8uQ3NKqlMwLtQsFVg/VFfqVrf8IiBbk9Z1RmrFRPEEVhorbX Tr7LyMqcSeEcwqkbZacShsSwlIhIHO083Q+YbCYRulj6JxxKHkYx4m0M5+Iu GkfOThCuvUlDIrj9YvqWTYUYEiZCPeEWStQwiDcYmxqDfX3T6/Q6aE0hKPKj /Wf7R61v0D3SOJ/ilUEQq9TW5mpvbbWH+dKYSXg2np+dLf2/xGpO6kwMAwA= --></rfc>