rfc9528.original.xml | rfc9528.xml | |||
---|---|---|---|---|
<?xml version='1.0' encoding='utf-8'?> | <?xml version="1.0" encoding="utf-8"?> | |||
<!DOCTYPE rfc [ | <!DOCTYPE rfc [ | |||
<!ENTITY nbsp " "> | <!ENTITY nbsp " "> | |||
<!ENTITY zwsp "​"> | <!ENTITY zwsp "​"> | |||
<!ENTITY nbhy "‑"> | <!ENTITY nbhy "‑"> | |||
<!ENTITY wj "⁠"> | <!ENTITY wj "⁠"> | |||
]> | ]> | |||
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> | ||||
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.6.39 (Ruby 3.0. | <rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft | |||
2) --> | -ietf-lake-edhoc-23" number="9528" submissionType="IETF" category="std" consensu | |||
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft | s="true" tocDepth="2" tocInclude="true" sortRefs="true" symRefs="true" updates=" | |||
-ietf-lake-edhoc-22" category="std" consensus="true" submissionType="IETF" tocDe | " obsoletes="" xml:lang="en" version="3"> | |||
pth="2" tocInclude="true" sortRefs="true" symRefs="true" version="3"> | ||||
<!-- xml2rfc v2v3 conversion 3.18.0 --> | <!-- xml2rfc v2v3 conversion 3.18.0 --> | |||
<front> | <front> | |||
<title abbrev="EDHOC">Ephemeral Diffie-Hellman Over COSE (EDHOC)</title> | <title abbrev="EDHOC">Ephemeral Diffie-Hellman Over COSE (EDHOC)</title> | |||
<seriesInfo name="Internet-Draft" value="draft-ietf-lake-edhoc-22"/> | <seriesInfo name="RFC" value="9528"/> | |||
<author initials="G." surname="Selander" fullname="Göran Selander"> | <author initials="G." surname="Selander" fullname="Göran Selander"> | |||
<organization abbrev="Ericsson">Ericsson AB</organization> | <organization abbrev="Ericsson">Ericsson AB</organization> | |||
<address> | <address> | |||
<postal> | <postal> | |||
<street>SE-164 80 Stockholm</street> | <code>164 80</code> | |||
<city>Stockholm</city> | ||||
<country>Sweden</country> | <country>Sweden</country> | |||
</postal> | </postal> | |||
<email>goran.selander@ericsson.com</email> | <email>goran.selander@ericsson.com</email> | |||
</address> | </address> | |||
</author> | </author> | |||
<author initials="J" surname="Preuß Mattsson" fullname="John Preuß Mattsson" > | <author initials="J" surname="Preuß Mattsson" fullname="John Preuß Mattsson" > | |||
<organization abbrev="Ericsson">Ericsson AB</organization> | <organization abbrev="Ericsson">Ericsson AB</organization> | |||
<address> | <address> | |||
<postal> | <postal> | |||
<street>SE-164 80 Stockholm</street> | <code>164 80 </code> | |||
<city>Stockholm</city> | ||||
<country>Sweden</country> | <country>Sweden</country> | |||
</postal> | </postal> | |||
<email>john.mattsson@ericsson.com</email> | <email>john.mattsson@ericsson.com</email> | |||
</address> | </address> | |||
</author> | </author> | |||
<author initials="F." surname="Palombini" fullname="Francesca Palombini"> | <author initials="F." surname="Palombini" fullname="Francesca Palombini"> | |||
<organization abbrev="Ericsson">Ericsson AB</organization> | <organization abbrev="Ericsson">Ericsson AB</organization> | |||
<address> | <address> | |||
<postal> | <postal> | |||
<street>SE-164 80 Stockholm</street> | <code>164 80 </code> | |||
<city>Stockholm</city> | ||||
<country>Sweden</country> | <country>Sweden</country> | |||
</postal> | </postal> | |||
<email>francesca.palombini@ericsson.com</email> | <email>francesca.palombini@ericsson.com</email> | |||
</address> | </address> | |||
</author> | </author> | |||
<date year="2023" month="August" day="25"/> | <date year="2024" month="March"/> | |||
<area>SEC</area> | <area>sec</area> | |||
<workgroup>LAKE Working Group</workgroup> | <workgroup>lake</workgroup> | |||
<keyword>AKE</keyword> | ||||
<keyword>LAKE</keyword> | ||||
<keyword>COSE</keyword> | ||||
<keyword>OSCORE</keyword> | ||||
<keyword>lightweight authenticated key exchange</keyword> | ||||
<keyword>constrained node networks</keyword> | ||||
<keyword>IoT security</keyword> | ||||
<abstract> | <abstract> | |||
<?line 278?> | ||||
<t>This document specifies Ephemeral Diffie-Hellman Over COSE (EDHOC), a very co mpact and lightweight authenticated Diffie-Hellman key exchange with ephemeral k eys. EDHOC provides mutual authentication, forward secrecy, and identity protect ion. EDHOC is intended for usage in constrained scenarios and a main use case is to establish an OSCORE security context. By reusing COSE for cryptography, CBOR for encoding, and CoAP for transport, the additional code size can be kept very low.</t> | <t>This document specifies Ephemeral Diffie-Hellman Over COSE (EDHOC), a very co mpact and lightweight authenticated Diffie-Hellman (DH) key exchange with epheme ral keys. EDHOC provides mutual authentication, forward secrecy, and identity pr otection. EDHOC is intended for usage in constrained scenarios, and a main use c ase is to establish an Object Security for Constrained RESTful Environments (OSC ORE) security context. By reusing CBOR Object Signing and Encryption (COSE) for cryptography, Concise Binary Object Representation (CBOR) for encoding, and Cons trained Application Protocol (CoAP) for transport, the additional code size can be kept very low.</t> | |||
</abstract> | </abstract> | |||
</front> | </front> | |||
<middle> | <middle> | |||
<?line 282?> | <?line 282?> | |||
<section anchor="introduction"> | <section anchor="introduction"> | |||
<name>Introduction</name> | <name>Introduction</name> | |||
<section anchor="motivation"> | <section anchor="motivation"> | |||
<name>Motivation</name> | <name>Motivation</name> | |||
<t>Many Internet of Things (IoT) deployments require technologies which | <t>Many Internet of Things (IoT) deployments require technologies that a | |||
are highly performant in constrained environments <xref target="RFC7228"/>. IoT | re highly performant in constrained environments <xref target="RFC7228"/>. IoT d | |||
devices may be constrained in various ways, including memory, storage, processin | evices may be constrained in various ways, including memory, storage, processing | |||
g capacity, and power. The connectivity for these settings may also exhibit cons | capacity, and power. The connectivity for these settings may also exhibit const | |||
traints such as unreliable and lossy channels, highly restricted bandwidth, and | raints, such as unreliable and lossy channels, highly restricted bandwidth, and | |||
dynamic topology. The IETF has acknowledged this problem by standardizing a rang | dynamic topology. The IETF has acknowledged this problem by standardizing a rang | |||
e of lightweight protocols and enablers designed for the IoT, including the Cons | e of lightweight protocols and enablers designed for the IoT, including the CoAP | |||
trained Application Protocol (CoAP, <xref target="RFC7252"/>), Concise Binary Ob | <xref target="RFC7252"/>, CBOR <xref target="RFC8949"/>, and Static Context Hea | |||
ject Representation (CBOR, <xref target="RFC8949"/>), and Static Context Header | der Compression (SCHC) <xref target="RFC8724"/>.</t> | |||
Compression (SCHC, <xref target="RFC8724"/>).</t> | <t>The need for special protocols targeting constrained IoT deployments | |||
<t>The need for special protocols targeting constrained IoT deployments | extends also to the security domain <xref target="I-D.ietf-lake-reqs"/>. Importa | |||
extends also to the security domain <xref target="I-D.ietf-lake-reqs"/>. Importa | nt characteristics in constrained environments are the number of round trips and | |||
nt characteristics in constrained environments are the number of round trips and | protocol message sizes, which (if kept low) can contribute to good performance | |||
protocol message sizes, which if kept low can contribute to good performance by | by enabling transport over a small number of radio frames, reducing latency due | |||
enabling transport over a small number of radio frames, reducing latency due to | to fragmentation, duty cycles, etc. Another important criterion is code size, wh | |||
fragmentation or duty cycles, etc. Another important criterion is code size, wh | ich may be prohibitively large for certain deployments due to device capabilitie | |||
ich may be prohibitively large for certain deployments due to device capabilitie | s or network load during firmware updates. Some IoT deployments also need to sup | |||
s or network load during firmware update. Some IoT deployments also need to supp | port a variety of underlying transport technologies, potentially even with a sin | |||
ort a variety of underlying transport technologies, potentially even with a sing | gle connection.</t> | |||
le connection.</t> | <t>Some security solutions for such settings exist already. COSE <xref t | |||
<t>Some security solutions for such settings exist already. CBOR Object | arget="RFC9052"/> specifies basic application-layer security services efficientl | |||
Signing and Encryption (COSE, <xref target="RFC9052"/>) specifies basic applicat | y encoded in CBOR. Another example is OSCORE <xref target="RFC8613"/>, which is | |||
ion-layer security services efficiently encoded in CBOR. Another example is Obje | a lightweight communication security extension to CoAP using CBOR and COSE. In | |||
ct Security for Constrained RESTful Environments (OSCORE, <xref target="RFC8613" | order to establish good quality cryptographic keys for security protocols such a | |||
/>) which is a lightweight communication security extension to CoAP using CBOR a | s COSE and OSCORE, the two endpoints may run an authenticated Diffie-Hellman key | |||
nd COSE. In order to establish good quality cryptographic keys for security prot | exchange protocol, from which shared secret keying material can be derived. Suc | |||
ocols such as COSE and OSCORE, the two endpoints may run an authenticated Diffie | h a key exchange protocol should also be lightweight to prevent bad performance | |||
-Hellman key exchange protocol, from which shared secret keying material can be | in case of repeated use, e.g., due to device rebooting or frequent rekeying for | |||
derived. Such a key exchange protocol should also be lightweight; to prevent bad | security reasons or to avoid latencies in a network formation setting with many | |||
performance in case of repeated use, e.g., due to device rebooting or frequent | devices authenticating at the same time.</t> | |||
rekeying for security reasons; or to avoid latencies in a network formation sett | <t>This document specifies Ephemeral Diffie-Hellman Over COSE (EDHOC), a | |||
ing with many devices authenticating at the same time.</t> | lightweight authenticated key exchange protocol providing good security propert | |||
<t>This document specifies Ephemeral Diffie-Hellman Over COSE (EDHOC), a | ies including forward secrecy, identity protection, and cipher suite negotiation | |||
lightweight authenticated key exchange protocol providing good security propert | . Authentication can be based on raw public keys (RPKs) or public key certificat | |||
ies including forward secrecy, identity protection, and cipher suite negotiation | es and requires the application to provide input on how to verify that endpoints | |||
. Authentication can be based on raw public keys (RPK) or public key certificate | are trusted. This specification supports the referencing of credentials in orde | |||
s and requires the application to provide input on how to verify that endpoints | r to reduce message overhead, but credentials may alternatively be embedded in t | |||
are trusted. This specification supports the referencing of credentials in order | he messages. | |||
to reduce message overhead, but credentials may alternatively be embedded in th | EDHOC does not currently support Pre-Shared Key (PSK) authentication as authenti | |||
e messages. | cation with static Diffie-Hellman public keys by reference produces equally smal | |||
EDHOC does not currently support pre-shared key (PSK) authentication as authenti | l message sizes but with much simpler key distribution and identity protection.< | |||
cation with static Diffie-Hellman public keys by reference produces equally smal | /t> | |||
l message sizes but with much simpler key distribution and identity protection.< | <t>EDHOC makes use of known protocol constructions, such as SIGn-and-MAc | |||
/t> | <xref target="SIGMA"/>, the Noise XX pattern <xref target="Noise"/>, and Extrac | |||
<t>EDHOC makes use of known protocol constructions, such as SIGMA <xref | t-and-Expand <xref target="RFC5869"/>. EDHOC uses COSE for cryptography and iden | |||
target="SIGMA"/>, the Noise XX pattern <xref target="Noise"/>, and Extract-and-E | tification of credentials (including COSE_Key, CBOR Web Token (CWT), CWT Claims | |||
xpand <xref target="RFC5869"/>. EDHOC uses COSE for cryptography and identificat | Set (CCS), X.509, and CBOR-encoded X.509 (C509) certificates; see <xref target=" | |||
ion of credentials (including COSE_Key, CBOR Web Token (CWT), CWT Claims Set (CC | auth-cred"/>). COSE provides crypto agility and enables the use of future algori | |||
S), X.509, and CBOR encoded X.509 (C509) certificates, see <xref target="auth-cr | thms and credential types targeting IoT.</t> | |||
ed"/>). COSE provides crypto agility and enables the use of future algorithms an | <t>EDHOC is designed for highly constrained settings, making it especial | |||
d credential types targeting IoT.</t> | ly suitable for low-power networks <xref target="RFC8376"/> such as Cellular IoT | |||
<t>EDHOC is designed for highly constrained settings making it especiall | , IPv6 over the TSCH mode of IEEE 802.15.4e (6TiSCH), and LoRaWAN. A main object | |||
y suitable for low-power networks <xref target="RFC8376"/> such as Cellular IoT, | ive for EDHOC is to be a lightweight authenticated key exchange for OSCORE, i.e. | |||
6TiSCH, and LoRaWAN. A main objective for EDHOC is to be a lightweight authenti | , to provide authentication and session key establishment for IoT use cases such | |||
cated key exchange for OSCORE, i.e., to provide authentication and session key e | as those built on CoAP <xref target="RFC7252"/> involving 'things' with embedde | |||
stablishment for IoT use cases such as those built on CoAP <xref target="RFC7252 | d microcontrollers, sensors, and actuators. By reusing the same lightweight prim | |||
"/> involving 'things' with embedded microcontrollers, sensors, and actuators. B | itives as OSCORE (CBOR, COSE, and CoAP), the additional code size can be kept ve | |||
y reusing the same lightweight primitives as OSCORE (CBOR, COSE, CoAP) the addit | ry low. Note that while CBOR and COSE primitives are built into the protocol mes | |||
ional code size can be kept very low. Note that while CBOR and COSE primitives a | sages, EDHOC is not bound to a particular transport.</t> | |||
re built into the protocol messages, EDHOC is not bound to a particular transpor | <t>A typical setting is when one of the endpoints is constrained or in a | |||
t.</t> | constrained network and the other endpoint is a node on the Internet (such as a | |||
<t>A typical setting is when one of the endpoints is constrained or in a | mobile phone). Thing-to-thing interactions over constrained networks are also r | |||
constrained network, and the other endpoint is a node on the Internet (such as | elevant since both endpoints would then benefit from the lightweight properties | |||
a mobile phone). Thing-to-thing interactions over constrained networks are also | of the protocol. EDHOC could, e.g., be run when a device connects for the first | |||
relevant since both endpoints would then benefit from the lightweight properties | time or to establish fresh keys that are not revealed by a later compromise of t | |||
of the protocol. EDHOC could, e.g., be run when a device connects for the first | he long-term keys.</t> | |||
time, or to establish fresh keys which are not revealed by a later compromise o | ||||
f the long-term keys.</t> | ||||
</section> | </section> | |||
<section anchor="message-size-examples"> | <section anchor="message-size-examples"> | |||
<name>Message Size Examples</name> | <name>Message Size Examples</name> | |||
<t>Examples of EDHOC message sizes are shown in <xref target="fig-sizes" | <t>Examples of EDHOC message sizes are shown in <xref target="tab-sizes" | |||
/>, using different kinds of authentication keys and COSE header parameters for | />, which use different kinds of authentication keys and COSE header parameters | |||
identification: static Diffie-Hellman keys or signature keys, either in CBOR Web | for identification, i.e., static Diffie-Hellman keys or signature keys, either i | |||
Token (CWT) / CWT Claims Set (CCS) <xref target="RFC8392"/> identified by a key | n CWT/CCS <xref target="RFC8392"/> identified by a key identifier using 'kid' <x | |||
identifier using 'kid' <xref target="RFC9052"/>, or in X.509 certificates ident | ref target="RFC9052"/> or in X.509 certificates identified by a hash value using | |||
ified by a hash value using 'x5t' <xref target="RFC9360"/>. As a comparison, in | 'x5t' <xref target="RFC9360"/>. EDHOC always uses ephemeral-ephemeral key excha | |||
the case of RPK authentication, the EDHOC message size when transferred in CoAP | nge. As a comparison, in the case of RPK authentication and when transferred in | |||
can be less than 1/7 of the DTLS 1.3 handshake <xref target="RFC9147"/> with ECD | CoAP, the EDHOC message size can be less than 1/7 of the DTLS 1.3 handshake <xre | |||
HE and connection ID, see <xref section="2" sectionFormat="of" target="I-D.ietf- | f target="RFC9147"/> with Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) and co | |||
iotops-security-protocol-comparison"/>.</t> | nnection ID; see <xref section="2" sectionFormat="of" target="I-D.ietf-iotops-se | |||
<figure anchor="fig-sizes"> | curity-protocol-comparison"/>.</t> | |||
<name>Examples of EDHOC message sizes in bytes.</name> | <table anchor="tab-sizes"> | |||
<artset> | <name>Examples of EDHOC Message Sizes in Bytes</name> | |||
<artwork type="svg" align="center"><svg xmlns="http://www.w3.org/200 | <thead> | |||
0/svg" version="1.1" height="208" width="472" viewBox="0 0 472 208" class="diagr | <tr> | |||
am" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap | <th></th> | |||
="round"> | <th colspan="2">Static DH Keys</th> | |||
<path d="M 8,32 L 464,32" fill="none" stroke="black"/> | <th colspan="2">Signature Keys</th> | |||
<path d="M 168,64 L 288,64" fill="none" stroke="black"/> | </tr> | |||
<path d="M 344,64 L 464,64" fill="none" stroke="black"/> | <tr> | |||
<path d="M 8,96 L 464,96" fill="none" stroke="black"/> | <th></th> | |||
<path d="M 8,160 L 464,160" fill="none" stroke="black"/> | <th align="right">kid</th> | |||
<path d="M 8,192 L 464,192" fill="none" stroke="black"/> | <th align="right">x5t</th> | |||
<g class="text"> | <th align="right">kid</th> | |||
<text x="196" y="52">Static</text> | <th align="right">x5t</th> | |||
<text x="236" y="52">DH</text> | ||||
<text x="268" y="52">Keys</text> | </tr> | |||
<text x="384" y="52">Signature</text> | </thead> | |||
<text x="444" y="52">Keys</text> | <tbody> | |||
<text x="184" y="84">kid</text> | <tr> | |||
<text x="272" y="84">x5t</text> | <td>message_1</td> | |||
<text x="360" y="84">kid</text> | <td align="right">37</td> | |||
<text x="448" y="84">x5t</text> | <td align="right">37</td> | |||
<text x="48" y="116">message_1</text> | <td align="right">37</td> | |||
<text x="188" y="116">37</text> | <td align="right">37</td> | |||
<text x="276" y="116">37</text> | </tr> | |||
<text x="364" y="116">37</text> | <tr> | |||
<text x="452" y="116">37</text> | <td>message_2</td> | |||
<text x="48" y="132">message_2</text> | <td align="right">45</td> | |||
<text x="188" y="132">45</text> | <td align="right">58</td> | |||
<text x="276" y="132">58</text> | <td align="right">102</td> | |||
<text x="360" y="132">102</text> | <td align="right">115</td> | |||
<text x="448" y="132">115</text> | </tr> | |||
<text x="48" y="148">message_3</text> | <tr> | |||
<text x="188" y="148">19</text> | <td>message_3</td> | |||
<text x="276" y="148">33</text> | <td align="right">19</td> | |||
<text x="364" y="148">77</text> | <td align="right">33</td> | |||
<text x="452" y="148">90</text> | <td align="right">77</td> | |||
<text x="32" y="180">Total</text> | <td align="right">90</td> | |||
<text x="184" y="180">101</text> | </tr> | |||
<text x="272" y="180">128</text> | <tr> | |||
<text x="360" y="180">216</text> | <td>Total</td> | |||
<text x="448" y="180">242</text> | <td align="right">101</td> | |||
</g> | <td align="right">128</td> | |||
</svg> | <td align="right">216</td> | |||
</artwork> | <td align="right">242</td> | |||
<artwork type="ascii-art" align="center"><![CDATA[ | </tr> | |||
Static DH Keys Signature Keys | </tbody> | |||
---------------- ---------------- | </table> | |||
kid x5t kid x5t | ||||
message_1 37 37 37 37 | ||||
message_2 45 58 102 115 | ||||
message_3 19 33 77 90 | ||||
Total 101 128 216 242 | ||||
]]></artwork> | ||||
</artset> | ||||
</figure> | ||||
</section> | </section> | |||
<section anchor="document-structure"> | <section anchor="document-structure"> | |||
<name>Document Structure</name> | <name>Document Structure</name> | |||
<t>The remainder of the document is organized as follows: <xref target=" background"/> outlines EDHOC authenticated with signature keys, <xref target="ov erview"/> describes the protocol elements of EDHOC, including formatting of the ephemeral public keys, <xref target="key-der"/> specifies the key derivation, <x ref target="asym"/> specifies message processing for EDHOC authenticated with si gnature keys or static Diffie-Hellman keys, <xref target="error"/> describes the error messages, <xref target="duplication"/> describes EDHOC support for transp ort that does not handle message duplication, and <xref target="mti"/> lists com pliance requirements. Note that normative text is also used in appendices, in pa rticular <xref target="transfer"/>.</t> | <t>The remainder of the document is organized as follows: <xref target=" background"/> outlines EDHOC authenticated with signature keys; <xref target="ov erview"/> describes the protocol elements of EDHOC, including formatting of the ephemeral public keys; <xref target="key-der"/> specifies the key derivation; <x ref target="asym"/> specifies message processing for EDHOC authenticated with si gnature keys or static Diffie-Hellman keys; <xref target="error"/> describes the error messages; <xref target="duplication"/> describes EDHOC support for transp ort that does not handle message duplication; and <xref target="mti"/> lists com pliance requirements. Note that normative text is also used in appendices, in pa rticular <xref target="transfer"/>.</t> | |||
</section> | </section> | |||
<section anchor="term"> | <section anchor="term"> | |||
<name>Terminology and Requirements Language</name> | <name>Terminology and Requirements Language</name> | |||
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL | <t> | |||
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", | The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQU | |||
"MAY", and "OPTIONAL" in this document are to be interpreted as | IRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL | |||
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and | NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14> | |||
only when, they | RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", | |||
appear in all capitals, as shown here. | "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to | |||
<?line -6?> | be interpreted as | |||
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> | ||||
when, and only when, they appear in all capitals, as shown here. | ||||
</t> | </t> | |||
<t>Readers are expected to be familiar with the terms and concepts descr | <t>Readers are expected to be familiar with the terms and | |||
ibed in CBOR <xref target="RFC8949"/>, CBOR Sequences <xref target="RFC8742"/>, | concepts described in CBOR <xref target="RFC8949"/>, CBOR | |||
COSE structures and processing <xref target="RFC9052"/>, COSE algorithms <xref t | Sequences <xref target="RFC8742"/>, COSE Structures and | |||
arget="RFC9053"/>, CWT and CWT Claims Set <xref target="RFC8392"/>, and the Conc | Processing <xref target="RFC9052"/>, COSE Algorithms <xref | |||
ise Data Definition Language (CDDL, <xref target="RFC8610"/>), which is used to | target="RFC9053"/>, CWT and CCS <xref | |||
express CBOR data structures. Examples of CBOR and CDDL are provided in <xref ta | target="RFC8392"/>, and the Concise Data Definition Language | |||
rget="CBOR"/>. When referring to CBOR, this specification always refers to Deter | (CDDL) <xref target="RFC8610"/>, which is used to express | |||
ministically Encoded CBOR as specified in Sections 4.2.1 and 4.2.2 of <xref targ | CBOR data structures. Examples of CBOR and CDDL are provided | |||
et="RFC8949"/>. The single output from authenticated encryption (including the a | in <xref target="CBOR"/>. When referring to CBOR, this | |||
uthentication tag) is called "ciphertext", following <xref target="RFC5116"/>.</ | specification always refers to Deterministically Encoded CBOR, | |||
t> | as specified in Sections <xref target="RFC8949" section="4.2.1" sectionF | |||
ormat="bare"/> and <xref target="RFC8949" section="4.2.2" sectionFormat="bare"/> | ||||
of <xref | ||||
target="RFC8949"/>. The single output from authenticated | ||||
encryption (including the authentication tag) is called | ||||
"ciphertext", following <xref target="RFC5116"/>.</t> | ||||
</section> | </section> | |||
</section> | </section> | |||
<section anchor="background"> | <section anchor="background"> | |||
<name>EDHOC Outline</name> | <name>EDHOC Outline</name> | |||
<t>EDHOC specifies different authentication methods of the ephemeral-ephem | <t>EDHOC specifies different authentication methods of the ephemeral-ephem | |||
eral Diffie-Hellman key exchange: signature keys and static Diffie-Hellman keys. | eral Diffie-Hellman key exchange, i.e., signature keys and static Diffie-Hellman | |||
This section outlines the signature key based method. Further details of protoc | keys. This section outlines the signature-key-based method. Further details of | |||
ol elements and other authentication methods are provided in the remainder of th | protocol elements and other authentication methods are provided in the remainder | |||
is document.</t> | of this document.</t> | |||
<t>SIGMA (SIGn-and-MAc) is a family of theoretical protocols with a large | <t>SIGn-and-MAc (SIGMA) is a family of theoretical protocols with a number | |||
number of variants <xref target="SIGMA"/>. Like in IKEv2 <xref target="RFC7296"/ | of variants <xref target="SIGMA"/>. Like in Internet Key Exchange Protocol Vers | |||
> and (D)TLS 1.3 <xref target="RFC8446"/><xref target="RFC9147"/>, EDHOC authent | ion 2 (IKEv2) <xref target="RFC7296"/> and (D)TLS 1.3 <xref target="RFC8446"/> < | |||
icated with signature keys is built on a variant of the SIGMA protocol, SIGMA-I, | xref target="RFC9147"/>, EDHOC authenticated with signature keys is built on a v | |||
which provides identity protection against active attacks on the party initiati | ariant of the SIGMA protocol, SIGMA-I, which provides identity protection agains | |||
ng the protocol. Also like IKEv2, EDHOC implements the MAC-then-Sign variant of | t active attacks on the party initiating the protocol. Also like IKEv2, EDHOC im | |||
the SIGMA-I protocol. The message flow (excluding an optional fourth message) is | plements the MAC-then-Sign variant of the SIGMA-I protocol. The message flow (ex | |||
shown in <xref target="fig-sigma"/>.</t> | cluding an optional fourth message) is shown in <xref target="fig-sigma"/>.</t> | |||
<figure anchor="fig-sigma"> | <figure anchor="fig-sigma"> | |||
<name>MAC-then-Sign variant of the SIGMA-I protocol used by EDHOC method 0.</name> | <name>MAC-then-Sign Variant of the SIGMA-I Protocol Used by the EDHOC Me thod 0</name> | |||
<artset> | <artset> | |||
<artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/ svg" version="1.1" height="192" width="560" viewBox="0 0 560 192" class="diagram " text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap=" round"> | <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/ svg" version="1.1" height="" width="" viewBox="0 0 560 192" class="diagram" text -anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round" > | |||
<path d="M 8,48 L 8,176" fill="none" stroke="black"/> | <path d="M 8,48 L 8,176" fill="none" stroke="black"/> | |||
<path d="M 552,48 L 552,176" fill="none" stroke="black"/> | <path d="M 552,48 L 552,176" fill="none" stroke="black"/> | |||
<path d="M 8,64 L 544,64" fill="none" stroke="black"/> | <path d="M 8,64 L 544,64" fill="none" stroke="black"/> | |||
<path d="M 16,112 L 552,112" fill="none" stroke="black"/> | <path d="M 16,112 L 552,112" fill="none" stroke="black"/> | |||
<path d="M 8,160 L 544,160" fill="none" stroke="black"/> | <path d="M 8,160 L 544,160" fill="none" stroke="black"/> | |||
<polygon class="arrowhead" points="552,160 540,154.4 540,165.6" fi ll="black" transform="rotate(0,544,160)"/> | <polygon class="arrowhead" points="552,160 540,154.4 540,165.6" fi ll="black" transform="rotate(0,544,160)"/> | |||
<polygon class="arrowhead" points="552,64 540,58.4 540,69.6" fill= "black" transform="rotate(0,544,64)"/> | <polygon class="arrowhead" points="552,64 540,58.4 540,69.6" fill= "black" transform="rotate(0,544,64)"/> | |||
<polygon class="arrowhead" points="24,112 12,106.4 12,117.6" fill= "black" transform="rotate(180,16,112)"/> | <polygon class="arrowhead" points="24,112 12,106.4 12,117.6" fill= "black" transform="rotate(180,16,112)"/> | |||
<g class="text"> | <g class="text"> | |||
<text x="40" y="36">Initiator</text> | <text x="40" y="36">Initiator</text> | |||
skipping to change at line 208 ¶ | skipping to change at line 221 ¶ | |||
| | | | | | |||
| G_Y, Enc( ID_CRED_R, Sig( R; MAC( CRED_R, G_X, G_Y ) ) ) | | | G_Y, Enc( ID_CRED_R, Sig( R; MAC( CRED_R, G_X, G_Y ) ) ) | | |||
|<------------------------------------------------------------------+ | |<------------------------------------------------------------------+ | |||
| | | | | | |||
| AEAD( ID_CRED_I, Sig( I; MAC( CRED_I, G_Y, G_X ) ) ) | | | AEAD( ID_CRED_I, Sig( I; MAC( CRED_I, G_Y, G_X ) ) ) | | |||
+------------------------------------------------------------------>| | +------------------------------------------------------------------>| | |||
| | | | | | |||
]]></artwork> | ]]></artwork> | |||
</artset> | </artset> | |||
</figure> | </figure> | |||
<t>The parties exchanging messages in an EDHOC session are called Initiato r (I) and Responder (R), where the Initiator sends message_1 (see <xref target=" overview"/>). They exchange ephemeral public keys, compute a shared secret sessi on key PRK_out, and derive symmetric application keys used to protect applicatio n data.</t> | <t>The parties exchanging messages in an EDHOC session are called the Init iator (I) and the Responder (R), where the Initiator sends message_1 (see <xref target="overview"/>). They exchange ephemeral public keys, compute a shared secr et session key PRK_out, and derive symmetric application keys used to protect ap plication data.</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>G_X and G_Y are the ECDH ephemeral public keys of I and R, respectiv ely.</li> | <li>G_X and G_Y are the Elliptic Curve Diffie-Hellman (ECDH) ephemeral p ublic keys of I and R, respectively.</li> | |||
<li>CRED_I and CRED_R are the authentication credentials containing the public authentication keys of I and R, respectively.</li> | <li>CRED_I and CRED_R are the authentication credentials containing the public authentication keys of I and R, respectively.</li> | |||
<li>ID_CRED_I and ID_CRED_R are used to identify and optionally transpor t the credentials of the Initiator and the Responder, respectively.</li> | <li>ID_CRED_I and ID_CRED_R are used to identify and optionally transpor t the credentials of I and R, respectively.</li> | |||
<li>Sig(I; . ) and Sig(R; . ) denote signatures made with the private au thentication key of I and R, respectively.</li> | <li>Sig(I; . ) and Sig(R; . ) denote signatures made with the private au thentication key of I and R, respectively.</li> | |||
<li>Enc(), AEAD(), and MAC() denotes encryption, authenticated encryptio n with additional data, and message authentication code - crypto algorithms appl ied with keys derived from one or more shared secrets calculated during the prot ocol.</li> | <li>Enc(), AEAD(), and MAC() denote encryption, Authenticated Encryption with Associated Data, and Message Authentication Code -- crypto algorithms appl ied with keys derived from one or more shared secrets calculated during the prot ocol.</li> | |||
</ul> | </ul> | |||
<t>In order to create a "full-fledged" protocol some additional protocol e lements are needed. EDHOC adds:</t> | <t>In order to create a "full-fledged" protocol, some additional protocol elements are needed. EDHOC adds:</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>Transcript hashes (hashes of message data) TH_2, TH_3, TH_4 used for | <li>transcript hashes (hashes of message data), TH_2, TH_3, and TH_4, us | |||
key derivation and as additional authenticated data.</li> | ed for key derivation and as additional authenticated data,</li> | |||
<li>Computationally independent keys derived from the ECDH shared secret | <li>computationally independent keys derived from the ECDH shared secret | |||
and used for authenticated encryption of different messages.</li> | and used for authenticated encryption of different messages,</li> | |||
<li>An optional fourth message giving key confirmation to I in deploymen | <li>an optional fourth message giving key confirmation to I in deploymen | |||
ts where no protected application data is sent from R to I.</li> | ts where no protected application data is sent from R to I,</li> | |||
<li>A keying material exporter and a key update function with forward se | <li>a keying material exporter and a key update function with forward se | |||
crecy.</li> | crecy,</li> | |||
<li>Secure negotiation of cipher suite.</li> | <li>secure negotiation of the cipher suite,</li> | |||
<li>Method types, error handling, and padding.</li> | <li>method types, error handling, and padding,</li> | |||
<li>Selection of connection identifiers C_I and C_R which may be used in | <li>a selection of connection identifiers, C_I and C_R, which may be use | |||
EDHOC to identify protocol state.</li> | d in EDHOC to identify the protocol state, and</li> | |||
<li>Transport of external authorization data.</li> | <li>transport of external authorization data.</li> | |||
</ul> | </ul> | |||
<t>EDHOC is designed to encrypt and integrity protect as much information | <t>EDHOC is designed to encrypt and integrity protect as much information | |||
as possible. Symmetric keys and random material used in EDHOC are derived using | as possible. Symmetric keys and random material used in EDHOC are derived using | |||
EDHOC_KDF with as much previous information as possible, see <xref target="fig-e | EDHOC_KDF with as much previous information as possible; see <xref target="fig-e | |||
dhoc-kdf"/>. EDHOC is furthermore designed to be as compact and lightweight as p | dhoc-kdf"/>. EDHOC is furthermore designed to be as compact and lightweight as p | |||
ossible, in terms of message sizes, processing, and the ability to reuse already | ossible, in terms of message sizes, processing, and the ability to reuse already | |||
existing CBOR, COSE, and CoAP libraries. Like in (D)TLS, authentication is the | existing CBOR, COSE, and CoAP libraries. Like in (D)TLS, authentication is the | |||
responsibility of the application. EDHOC identifies (and optionally transports) | responsibility of the application. EDHOC identifies (and optionally transports) | |||
authentication credentials, and provides proof-of-possession of the private auth | authentication credentials and provides proof-of-possession of the private authe | |||
entication key.</t> | ntication key.</t> | |||
<t>To simplify for implementors, the use of CBOR and COSE in EDHOC is summ | <t>To simplify for implementors, the use of CBOR and COSE in EDHOC is summ | |||
arized in <xref target="CBORandCOSE"/>. Test vectors including CBOR diagnostic n | arized in <xref target="CBORandCOSE"/>. Test vectors, including CBOR diagnostic | |||
otation are provided in <xref target="I-D.ietf-lake-traces"/>.</t> | notation, are provided in <xref target="RFC9529"/>.</t> | |||
</section> | </section> | |||
<section anchor="overview"> | <section anchor="overview"> | |||
<name>Protocol Elements</name> | <name>Protocol Elements</name> | |||
<section anchor="general"> | <section anchor="general"> | |||
<name>General</name> | <name>General</name> | |||
<t>The EDHOC protocol consists of three mandatory messages (message_1, m | <t>The EDHOC protocol consists of three mandatory messages (message_1, m | |||
essage_2, message_3), an optional fourth message (message_4), and an error messa | essage_2, and message_3), an optional fourth message (message_4), and an error m | |||
ge, between an Initiator (I) and a Responder (R). The odd messages are sent by I | essage, between an Initiator (I) and a Responder (R). The odd messages are sent | |||
, the even by R. Both I and R can send error messages. | by I, the even by R. Both I and R can send error messages. | |||
The roles have slightly different security properties which should be considered | The roles have slightly different security properties that should be considered | |||
when the roles are assigned, see <xref target="sec-prop"/>. | when the roles are assigned; see <xref target="sec-prop"/>. | |||
All EDHOC messages are CBOR Sequences <xref target="RFC8742"/>, and are determin | All EDHOC messages are CBOR Sequences <xref target="RFC8742"/> and are defined t | |||
istically encoded. <xref target="fig-flow"/> illustrates an EDHOC message flow w | o be deterministically encoded CBOR as specified in <xref target="RFC8949" secti | |||
ith the optional fourth message as well as the content of each message. The prot | onFormat="of" section="4.2.1"/>. <xref target="fig-flow"/> illustrates an EDHOC | |||
ocol elements in the figure are introduced in <xref target="overview"/> and <xre | message flow with the optional fourth message as well as the content of each mes | |||
f target="asym"/>. Message formatting and processing are specified in <xref targ | sage. The protocol elements in the figure are introduced in Sections <xref targe | |||
et="asym"/> and <xref target="error"/>.</t> | t="overview" format="counter"/> and <xref target="asym" format="counter"/>. Mess | |||
<t>Application data may be protected using the agreed application algori | age formatting and processing are specified in Sections <xref target="asym" form | |||
thms (AEAD, hash) in the selected cipher suite (see <xref target="cs"/>) and the | at="counter"/> and <xref target="error" format="counter"/>.</t> | |||
application can make use of the established connection identifiers C_I and C_R | <t>Application data may be protected using the agreed application algori | |||
(see <xref target="ci"/>). Media types that may be used for EDHOC are defined in | thms (AEAD, hash) in the selected cipher suite (see <xref target="cs"/>), and th | |||
<xref target="media-type"/>.</t> | e application can make use of the established connection identifiers C_I and C_R | |||
<t>The Initiator can derive symmetric application keys after creating ED | (see <xref target="ci"/>). Media types that may be used for EDHOC are defined i | |||
HOC message_3, see <xref target="exporter"/>. Protected application data can the | n <xref target="media-type"/>.</t> | |||
refore be sent in parallel or together with EDHOC message_3. EDHOC message_4 is | <t>The Initiator can derive symmetric application keys after creating ED | |||
typically not sent.</t> | HOC message_3; see <xref target="exporter"/>. Protected application data can the | |||
refore be sent in parallel or together with EDHOC message_3. EDHOC message_4 is | ||||
typically not sent.</t> | ||||
<figure anchor="fig-flow"> | <figure anchor="fig-flow"> | |||
<name>EDHOC message flow including the optional fourth message.</name> | <name>EDHOC Message Flow Including the Optional Fourth Message</name> | |||
<artset> | <artset> | |||
<artwork type="svg" align="center"><svg xmlns="http://www.w3.org/200 0/svg" version="1.1" height="288" width="560" viewBox="0 0 560 288" class="diagr am" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap ="round"> | <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/200 0/svg" version="1.1" height="" width="" viewBox="0 0 560 288" class="diagram" te xt-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="roun d"> | |||
<path d="M 8,48 L 8,272" fill="none" stroke="black"/> | <path d="M 8,48 L 8,272" fill="none" stroke="black"/> | |||
<path d="M 552,48 L 552,272" fill="none" stroke="black"/> | <path d="M 552,48 L 552,272" fill="none" stroke="black"/> | |||
<path d="M 8,64 L 544,64" fill="none" stroke="black"/> | <path d="M 8,64 L 544,64" fill="none" stroke="black"/> | |||
<path d="M 16,128 L 552,128" fill="none" stroke="black"/> | <path d="M 16,128 L 552,128" fill="none" stroke="black"/> | |||
<path d="M 8,192 L 544,192" fill="none" stroke="black"/> | <path d="M 8,192 L 544,192" fill="none" stroke="black"/> | |||
<polygon class="arrowhead" points="552,192 540,186.4 540,197.6" fill="black" transform="rotate(0,544,192)"/> | <polygon class="arrowhead" points="552,192 540,186.4 540,197.6" fill="black" transform="rotate(0,544,192)"/> | |||
<polygon class="arrowhead" points="552,64 540,58.4 540,69.6" fil l="black" transform="rotate(0,544,64)"/> | <polygon class="arrowhead" points="552,64 540,58.4 540,69.6" fil l="black" transform="rotate(0,544,64)"/> | |||
<polygon class="arrowhead" points="24,128 12,122.4 12,133.6" fil l="black" transform="rotate(180,16,128)"/> | <polygon class="arrowhead" points="24,128 12,122.4 12,133.6" fil l="black" transform="rotate(180,16,128)"/> | |||
<g class="text"> | <g class="text"> | |||
<text x="40" y="36">Initiator</text> | <text x="40" y="36">Initiator</text> | |||
skipping to change at line 337 ¶ | skipping to change at line 350 ¶ | |||
| | | | | | |||
| AEAD( EAD_4 ) | | | AEAD( EAD_4 ) | | |||
|<- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + | |<- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + | |||
| message_4 | | | message_4 | | |||
]]></artwork> | ]]></artwork> | |||
</artset> | </artset> | |||
</figure> | </figure> | |||
</section> | </section> | |||
<section anchor="method"> | <section anchor="method"> | |||
<name>Method</name> | <name>Method</name> | |||
<t>The data item METHOD in message_1 (see <xref target="asym-msg1-form"/ | <t>The data item METHOD in message_1 (see <xref target="asym-msg1-form"/ | |||
>), is an integer specifying the authentication method. EDHOC supports authentic | >) is an integer specifying the authentication method. EDHOC supports authentica | |||
ation with signature or static Diffie-Hellman keys, as defined in the four authe | tion with signature or static Diffie-Hellman keys, as defined in the four authen | |||
ntication methods: 0, 1, 2, and 3, see <xref target="fig-method-types"/>. When u | tication methods: 0, 1, 2, and 3; see <xref target="tab-method-types"/>. When us | |||
sing a static Diffie-Hellman key the authentication is provided by a Message Aut | ing a static Diffie-Hellman key, the authentication is provided by a Message Aut | |||
hentication Code (MAC) computed from an ephemeral-static ECDH shared secret whic | hentication Code (MAC) computed from an ephemeral-static ECDH shared secret that | |||
h enables significant reductions in message sizes. Note that also in the static | enables significant reductions in message sizes. Note that, also in the static | |||
Diffie-Hellman based authentication methods there is an ephemeral-ephemeral Diff | Diffie-Hellman-based authentication methods, there is an ephemeral-ephemeral Dif | |||
ie-Hellman key exchange.</t> | fie-Hellman key exchange.</t> | |||
<t>The Initiator and the Responder need to have agreed on a single metho | <t>The Initiator and Responder need to have agreed on a single method to | |||
d to be used for EDHOC, see <xref target="applicability"/>.</t> | be used for EDHOC; see <xref target="applicability"/>.</t> | |||
<figure anchor="fig-method-types"> | ||||
<name>Authentication keys for method types.</name> | <table anchor="tab-method-types"> | |||
<artset> | <name>Authentication Keys for Method Types</name> | |||
<artwork type="svg" align="center"><svg xmlns="http://www.w3.org/200 | <thead> | |||
0/svg" version="1.1" height="176" width="464" viewBox="0 0 464 176" class="diagr | <tr> | |||
am" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap | <th>Method Type Value</th> | |||
="round"> | <th>Initiator Authentication Key</th> | |||
<path d="M 8,32 L 8,160" fill="none" stroke="black"/> | <th>Responder Authentication Key</th> | |||
<path d="M 120,32 L 120,160" fill="none" stroke="black"/> | </tr> | |||
<path d="M 288,32 L 288,160" fill="none" stroke="black"/> | </thead> | |||
<path d="M 456,32 L 456,160" fill="none" stroke="black"/> | <tbody> | |||
<path d="M 8,32 L 456,32" fill="none" stroke="black"/> | ||||
<path d="M 8,78 L 456,78" fill="none" stroke="black"/> | <tr> | |||
<path d="M 8,82 L 456,82" fill="none" stroke="black"/> | <td align="right">0</td> | |||
<path d="M 8,160 L 456,160" fill="none" stroke="black"/> | <td>Signature Key</td> | |||
<g class="text"> | <td>Signature Key</td> | |||
<text x="44" y="52">Method</text> | </tr> | |||
<text x="92" y="52">Type</text> | <tr> | |||
<text x="168" y="52">Initiator</text> | <td align="right">1</td> | |||
<text x="336" y="52">Responder</text> | <td>Signature Key</td> | |||
<text x="88" y="68">Value</text> | <td>Static DH Key</td> | |||
<text x="188" y="68">Authentication</text> | </tr> | |||
<text x="264" y="68">Key</text> | <tr> | |||
<text x="356" y="68">Authentication</text> | <td align="right">2</td> | |||
<text x="432" y="68">Key</text> | <td>Static DH Key</td> | |||
<text x="104" y="100">0</text> | <td>Signature Key</td> | |||
<text x="168" y="100">Signature</text> | </tr> | |||
<text x="224" y="100">Key</text> | <tr> | |||
<text x="336" y="100">Signature</text> | <td align="right">3</td> | |||
<text x="392" y="100">Key</text> | <td>Static DH Key</td> | |||
<text x="104" y="116">1</text> | <td>Static DH Key</td> | |||
<text x="168" y="116">Signature</text> | </tr> | |||
<text x="224" y="116">Key</text> | <tr> | |||
<text x="324" y="116">Static</text> | <td align="right">23</td> | |||
<text x="364" y="116">DH</text> | <td>Reserved</td> | |||
<text x="392" y="116">Key</text> | <td>Reserved</td> | |||
<text x="104" y="132">2</text> | </tr> | |||
<text x="156" y="132">Static</text> | </tbody> | |||
<text x="196" y="132">DH</text> | </table> | |||
<text x="224" y="132">Key</text> | ||||
<text x="336" y="132">Signature</text> | <t>EDHOC does not have a dedicated message field to indicate the prot | |||
<text x="392" y="132">Key</text> | ocol version. Breaking changes to EDHOC can be introduced by specifying and regi | |||
<text x="104" y="148">3</text> | stering new methods.</t> | |||
<text x="156" y="148">Static</text> | ||||
<text x="196" y="148">DH</text> | ||||
<text x="224" y="148">Key</text> | ||||
<text x="324" y="148">Static</text> | ||||
<text x="364" y="148">DH</text> | ||||
<text x="392" y="148">Key</text> | ||||
</g> | ||||
</svg> | ||||
</artwork> | ||||
<artwork type="ascii-art" align="center"><![CDATA[ | ||||
+-------------+--------------------+--------------------+ | ||||
| Method Type | Initiator | Responder | | ||||
| Value | Authentication Key | Authentication Key | | ||||
+=============+====================+====================+ | ||||
| 0 | Signature Key | Signature Key | | ||||
| 1 | Signature Key | Static DH Key | | ||||
| 2 | Static DH Key | Signature Key | | ||||
| 3 | Static DH Key | Static DH Key | | ||||
+-------------+--------------------+--------------------+ | ||||
]]></artwork> | ||||
</artset> | ||||
</figure> | ||||
<t>EDHOC does not have a dedicated message field to indicate the protoco | ||||
l version. Breaking changes to EDHOC can be introduced by specifying and registe | ||||
ring new methods.</t> | ||||
</section> | </section> | |||
<section anchor="ci"> | <section anchor="ci"> | |||
<name>Connection Identifiers</name> | <name>Connection Identifiers</name> | |||
<t>EDHOC includes the selection of connection identifiers (C_I, C_R) ide | <t>EDHOC includes the selection of connection identifiers (C_I and C_R) | |||
ntifying a connection for which keys are agreed.</t> | identifying a connection for which keys are agreed.</t> | |||
<t>Connection identifiers may be used to correlate EDHOC messages and fa | <t>Connection identifiers may be used to correlate EDHOC messages and fa | |||
cilitate the retrieval of protocol state during an EDHOC session (see <xref targ | cilitate the retrieval of protocol state during an EDHOC session (see <xref targ | |||
et="transport"/>), or may be used in applications of EDHOC, e.g., in OSCORE (see | et="transport"/>) or may be used in applications of EDHOC, e.g., in OSCORE (see | |||
<xref target="ci-oscore"/>). The connection identifiers do not have any cryptog | <xref target="ci-oscore"/>). The connection identifiers do not have any cryptogr | |||
raphic purpose in EDHOC and only facilitate the retrieval of security data assoc | aphic purpose in EDHOC and only facilitate the retrieval of security data associ | |||
iated with the protocol state.</t> | ated with the protocol state.</t> | |||
<t>Connection identifiers in EDHOC are intrinsically byte strings. Most | <t>Connection identifiers in EDHOC are intrinsically byte strings. Most | |||
constrained devices only have a few connections for which short identifiers may | constrained devices only have a few connections for which short identifiers may | |||
be sufficient. In some cases minimum length identifiers are necessary to comply | be sufficient. In some cases, minimum length identifiers are necessary to comply | |||
with overhead requirements. However, CBOR byte strings - with the exception of t | with overhead requirements. However, CBOR byte strings -- with the exception of | |||
he empty byte string h’’ which encodes as one byte (0x40) - are encoded as two o | the empty byte string h'', which encodes as one byte (0x40) -- are encoded as t | |||
r more bytes. To enable one-byte encoding of certain byte strings while maintain | wo or more bytes. To enable one-byte encoding of certain byte strings while main | |||
ing CBOR encoding, EDHOC represents certain identifiers as CBOR integers on the | taining CBOR encoding, EDHOC represents certain identifiers as CBOR integers on | |||
wire, see <xref target="bstr-repr"/>.</t> | the wire; see <xref target="bstr-repr"/>.</t> | |||
<section anchor="selection-of-connection-identifiers"> | <section anchor="selection-of-connection-identifiers"> | |||
<name>Selection of Connection Identifiers</name> | <name>Selection of Connection Identifiers</name> | |||
<t>C_I and C_R are chosen by I and R, respectively. The Initiator sele | <t>C_I and C_R are chosen by I and R, respectively. The Initiator sele | |||
cts C_I and sends it in message_1 for the Responder to use as a reference to the | cts C_I and sends it in message_1 for the Responder to use as a reference to the | |||
connection in communication with the Initiator. The Responder selects C_R and s | connection in communications with the Initiator. The Responder selects C_R and | |||
ends it in message_2 for the Initiator to use as a reference to the connection i | sends it in message_2 for the Initiator to use as a reference to the connection | |||
n communications with the Responder.</t> | in communications with the Responder.</t> | |||
<t>If connection identifiers are used by an application protocol for w | <t>If connection identifiers are used by an application protocol for w | |||
hich EDHOC establishes keys then the selected connection identifiers SHALL adher | hich EDHOC establishes keys, then the selected connection identifiers <bcp14>SHA | |||
e to the requirements for that protocol, see <xref target="ci-oscore"/> for an e | LL</bcp14> adhere to the requirements for that protocol; see <xref target="ci-os | |||
xample.</t> | core"/> for an example.</t> | |||
</section> | </section> | |||
<section anchor="bstr-repr"> | <section anchor="bstr-repr"> | |||
<name>Representation of Byte String Identifiers</name> | <name>Representation of Byte String Identifiers</name> | |||
<t>To allow identifiers with minimal overhead on the wire, certain byt | <t>To allow identifiers with minimal overhead on the wire, certain byt | |||
e strings are defined to have integer representations.</t> | e strings used in connection identifiers and credential identifiers (see <xref t | |||
<t>The integers with one-byte CBOR encoding are -24, ..., 23, see <xre | arget="id_cred"/>) are defined to have integer representations.</t> | |||
f target="fig-int-one-byte"/>.</t> | <t>The integers with one-byte CBOR encoding are -24, ..., 23; see <xre | |||
f target="fig-int-one-byte"/>.</t> | ||||
<figure anchor="fig-int-one-byte"> | <figure anchor="fig-int-one-byte"> | |||
<name>One-byte CBOR encoded integers.</name> | <name>One-Byte CBOR-Encoded Integers</name> | |||
<artwork align="center"><![CDATA[ | <artwork align="center"><![CDATA[ | |||
Integer: -24 -23 ... -11 ... -2 -1 0 1 ... 15 ... 23 | Integer: -24 -23 ... -11 ... -2 -1 0 1 ... 15 ... 23 | |||
Encoding: 37 36 ... 2A ... 21 20 00 01 ... 0F ... 17 | Encoding: 37 36 ... 2A ... 21 20 00 01 ... 0F ... 17 | |||
]]></artwork> | ]]></artwork> | |||
</figure> | </figure> | |||
<t>The byte strings which coincide with a one-byte CBOR encoding of an integer MUST be represented by the CBOR encoding of that integer. Other byte st rings are simply encoded as CBOR byte strings.</t> | <t>The byte strings that coincide with a one-byte CBOR encoding of an integer <bcp14>MUST</bcp14> be represented by the CBOR encoding of that integer. Other byte strings are simply encoded as CBOR byte strings.</t> | |||
<t>For example:</t> | <t>For example:</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>0x21 is represented by 0x21 (CBOR encoding of the integer -2), n ot by 0x4121 (CBOR encoding of the byte string 0x21).</li> | <li>0x21 is represented by 0x21 (CBOR encoding of the integer -2), n ot by 0x4121 (CBOR encoding of the byte string 0x21).</li> | |||
<li>0x0D is represented by 0x0D (CBOR encoding of the integer 13), n ot by 0x410D (CBOR encoding of the byte string 0x0D).</li> | <li>0x0D is represented by 0x0D (CBOR encoding of the integer 13), n ot by 0x410D (CBOR encoding of the byte string 0x0D).</li> | |||
<li>0x18 is represented by 0x4118 (CBOR encoding of the byte string 0x18).</li> | <li>0x18 is represented by 0x4118 (CBOR encoding of the byte string 0x18).</li> | |||
<li>0x38 is represented by 0x4138 (CBOR encoding of the byte string 0x38).</li> | <li>0x38 is represented by 0x4138 (CBOR encoding of the byte string 0x38).</li> | |||
<li>0xABCD is represented by 0x42ABCD (CBOR encoding of the byte str ing 0xABCD).</li> | <li>0xABCD is represented by 0x42ABCD (CBOR encoding of the byte str ing 0xABCD).</li> | |||
</ul> | </ul> | |||
<t>One may view this representation of byte strings as a transport enc | <t>One may view this representation of byte strings as a transport enc | |||
oding: a byte string which parses as the one-byte CBOR encoding of an integer (i | oding, i.e., a byte string that parses as the one-byte CBOR encoding of an integ | |||
.e., integer in the interval -24, ..., 23) is just copied directly into the mess | er (i.e., integer in the interval -24, ..., 23) is just copied directly into the | |||
age, a byte string which does not is encoded as a CBOR byte string during transp | message, and a byte string that does not is encoded as a CBOR byte string durin | |||
ort.</t> | g transport.</t> | |||
<t>Implementation Note: When implementing the byte string identifier r | <aside><t>Implementation Note: When implementing the byte string ident | |||
epresentation, it can in some programming languages help to define a new type, o | ifier representation, in some programming languages, it can help to define a new | |||
r other data structure, which (in its user facing API) behaves like a byte strin | type or other data structure, which (in its user-facing API) behaves like a byt | |||
g, but when serializing to CBOR produces a CBOR byte string or a CBOR integer de | e string but when serializing to CBOR produces a CBOR byte string or a CBOR inte | |||
pending on its value.</t> | ger depending on its value.</t></aside> | |||
</section> | </section> | |||
<section anchor="ci-oscore"> | <section anchor="ci-oscore"> | |||
<name>Use of Connection Identifiers with OSCORE</name> | <name>Use of Connection Identifiers with OSCORE</name> | |||
<t>For OSCORE, the choice of connection identifier results in the endp oint selecting its Recipient ID, see Section 3.1 of <xref target="RFC8613"/>, fo r which certain uniqueness requirements apply, see Section 3.3 of <xref target=" RFC8613"/>. Therefore, the Initiator and the Responder MUST NOT select connectio n identifiers such that it results in the same OSCORE Recipient ID. Since the co nnection identifier is a byte string, it is converted to an OSCORE Recipient ID equal to the byte string.</t> | <t>For OSCORE, the choice of connection identifier results in the endp oint selecting its Recipient ID (see <xref target="RFC8613" section="3.1" sectio nFormat="of"/>) for which certain uniqueness requirements apply (see <xref targe t="RFC8613" section="3.3" sectionFormat="of"/>). Therefore, the Initiator and Re sponder <bcp14>MUST NOT</bcp14> select connection identifiers such that it resul ts in the same OSCORE Recipient ID. Since the connection identifier is a byte st ring, it is converted to an OSCORE Recipient ID equal to the byte string.</t> | |||
<t>Examples:</t> | <t>Examples:</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>A connection identifier 0xFF (represented in the EDHOC message a | <li>A connection identifier 0xFF (represented in the EDHOC message a | |||
s 0x41FF, see <xref target="bstr-repr"/>) is converted to the OSCORE Recipient I | s 0x41FF; see <xref target="bstr-repr"/>) is converted to the OSCORE Recipient I | |||
D 0xFF.</li> | D 0xFF.</li> | |||
<li>A connection identifier 0x21 (represented in the EDHOC message a | <li>A connection identifier 0x21 (represented in the EDHOC message a | |||
s 0x21, see <xref target="bstr-repr"/>) is converted to the OSCORE Recipient ID | s 0x21; see <xref target="bstr-repr"/>) is converted to the OSCORE Recipient ID | |||
0x21.</li> | 0x21.</li> | |||
</ul> | </ul> | |||
</section> | </section> | |||
</section> | </section> | |||
<section anchor="transport"> | <section anchor="transport"> | |||
<name>Transport</name> | <name>Transport</name> | |||
<t>Cryptographically, EDHOC does not put requirements on the underlying | <t>Cryptographically, EDHOC does not put requirements on the underlying | |||
layers. Received messages are processed as the expected next message according t | layers. Received messages are processed as the expected next message according t | |||
o protocol state, see <xref target="asym"/>. If processing fails for any reason | o the protocol state; see <xref target="asym"/>. If processing fails for any rea | |||
then, typically, an error message is attempted to be sent and the EDHOC session | son, then typically an error message is attempted to be sent and the EDHOC sessi | |||
is aborted.</t> | on is aborted.</t> | |||
<t>EDHOC is not bound to a particular transport layer and can even be us | <t>EDHOC is not bound to a particular transport layer and can even be us | |||
ed in environments without IP. Ultimately, the application is free to choose how | ed in environments without IP. Ultimately, the application is free to choose how | |||
to transport EDHOC messages including errors. In order to avoid unnecessary mes | to transport EDHOC messages including errors. In order to avoid unnecessary mes | |||
sage processing or protocol termination, it is RECOMMENDED to use reliable trans | sage processing or protocol termination, it is <bcp14>RECOMMENDED</bcp14> to use | |||
port, such as CoAP in reliable mode, which is the default transport, see <xref t | reliable transport, such as CoAP in reliable mode, which is the default transpo | |||
arget="coap"/>. In general, the transport SHOULD handle:</t> | rt; see <xref target="coap"/>. In general, the transport <bcp14>SHOULD</bcp14> h | |||
andle:</t> | ||||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>message loss,</li> | <li>message loss,</li> | |||
<li>message duplication, see <xref target="duplication"/> for an alter native,</li> | <li>message duplication (see <xref target="duplication"/> for an alter native),</li> | |||
<li>flow control,</li> | <li>flow control,</li> | |||
<li>congestion control,</li> | <li>congestion control,</li> | |||
<li>fragmentation and reassembly,</li> | <li>fragmentation and reassembly,</li> | |||
<li>demultiplexing EDHOC messages from other types of messages,</li> | <li>demultiplexing EDHOC messages from other types of messages,</li> | |||
<li>denial-of-service mitigation,</li> | <li>denial-of-service mitigation, and</li> | |||
<li>message correlation, see <xref target="ci-edhoc"/>.</li> | <li>message correlation (see <xref target="ci-edhoc"/>).</li> | |||
</ul> | </ul> | |||
<t>EDHOC does not require error free transport since a change in message | <t>EDHOC does not require error-free transport since a change in message | |||
content is detected through the transcript hashes in a subsequent integrity ver | content is detected through the transcript hashes in a subsequent integrity ver | |||
ification, see <xref target="asym"/>. The transport does not require additional | ification; see <xref target="asym"/>. The transport does not require additional | |||
means to handle message reordering because of the lockstep processing of EDHOC.< | means to handle message reordering because of the lockstep processing of EDHOC.< | |||
/t> | /t> | |||
<t>EDHOC is designed to enable an authenticated key exchange with small | <t>EDHOC is designed to enable an authenticated key exchange with small | |||
messages, where the minimum message sizes are of the order illustrated in the fi | messages, where the minimum message sizes are of the order illustrated in the fi | |||
rst column of <xref target="fig-sizes"/>. There is no maximum message size speci | rst column of <xref target="tab-sizes"/>. There is no maximum message size speci | |||
fied by the protocol; this is for example dependent on the size of authenticatio | fied by the protocol; for example, this is dependent on the size of the authenti | |||
n credentials (if they are transported, see <xref target="auth-key-id"/>).</t> | cation credentials (if they are transported, see <xref target="auth-key-id"/>).< | |||
<t>The use of transport is specified in the application profile, which i | /t> | |||
n particular may specify limitations in message sizes, see <xref target="applica | <t>The use of transport is specified in the application profile, which i | |||
bility"/>.</t> | n particular, may specify limitations in message sizes; see <xref target="applic | |||
ability"/>.</t> | ||||
<section anchor="ci-edhoc"> | <section anchor="ci-edhoc"> | |||
<name>EDHOC Message Correlation</name> | <name>EDHOC Message Correlation</name> | |||
<t>Correlation between EDHOC messages is needed to facilitate the retr | <t>Correlation between EDHOC messages is needed to facilitate the retr | |||
ieval of protocol state and security context during an EDHOC session. It is also | ieval of the protocol state and security context during an EDHOC session. It is | |||
helpful for the Responder to get an indication that a received EDHOC message is | also helpful for the Responder to get an indication that a received EDHOC messag | |||
the beginning of a new EDHOC session, such that no existing protocol state or s | e is the beginning of a new EDHOC session, such that no existing protocol state | |||
ecurity context needs to be retrieved.</t> | or security context needs to be retrieved.</t> | |||
<t>Correlation may be based on existing mechanisms in the transport pr | <t>Correlation may be based on existing mechanisms in the transport pr | |||
otocol, for example, the CoAP Token may be used to correlate EDHOC messages in a | otocol; for example, the CoAP Token may be used to correlate EDHOC messages in a | |||
CoAP response and in an associated CoAP request. The connection identifiers may | CoAP response and in an associated CoAP request. The connection identifiers may | |||
also be used to correlate EDHOC messages.</t> | also be used to correlate EDHOC messages.</t> | |||
<t>If correlation between consecutive messages is not provided by othe | <t>If correlation between consecutive messages is not provided by othe | |||
r means then the transport binding SHOULD mandate prepending of an appropriate c | r means, then the transport binding <bcp14>SHOULD</bcp14> mandate prepending of | |||
onnection identifier (when available from the EDHOC protocol) to the EDHOC messa | an appropriate connection identifier (when available from the EDHOC protocol) to | |||
ge. If message_1 indication is not provided by other means, then the transport b | the EDHOC message. If message_1 indication is not provided by other means, then | |||
inding SHOULD mandate prepending of message_1 with the CBOR simple value <tt>tru | the transport binding <bcp14>SHOULD</bcp14> mandate prepending of message_1 wit | |||
e</tt> (0xf5).</t> | h the CBOR simple value <tt>true</tt> (0xf5).</t> | |||
<t>Transport of EDHOC in CoAP payloads is described in <xref target="c oap"/>, including how to use connection identifiers and message_1 indication wit h CoAP. A similar construction is possible for other client-server protocols. Pr otocols that do not provide any correlation at all can prescribe prepending of t he peer's connection identifier to all messages.</t> | <t>Transport of EDHOC in CoAP payloads is described in <xref target="c oap"/>, including how to use connection identifiers and message_1 indication wit h CoAP. A similar construction is possible for other client-server protocols. Pr otocols that do not provide any correlation at all can prescribe prepending of t he peer's connection identifier to all messages.</t> | |||
<t>Note that correlation between EDHOC messages may be obtained withou t transport support or connection identifiers, for example if the endpoints only accept a single instance of the protocol at a time, and execute conditionally o n a correct sequence of messages.</t> | <t>Note that correlation between EDHOC messages may be obtained withou t transport support or connection identifiers, for example, if the endpoints onl y accept a single instance of the protocol at a time and execute conditionally o n a correct sequence of messages.</t> | |||
</section> | </section> | |||
</section> | </section> | |||
<section anchor="auth-key-id"> | <section anchor="auth-key-id"> | |||
<name>Authentication Parameters</name> | <name>Authentication Parameters</name> | |||
<t>EDHOC supports various settings for how the other endpoint's authenti cation (public) key may be transported, identified, and trusted.</t> | <t>EDHOC supports various settings for how the other endpoint's authenti cation (public) key may be transported, identified, and trusted.</t> | |||
<t>EDHOC performs the following authentication related operations:</t> | <t>EDHOC performs the following authentication-related operations:</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>EDHOC transports information about credentials in ID_CRED_I and ID _CRED_R (described in <xref target="id_cred"/>). Based on this information, the authentication credentials CRED_I and CRED_R (described in <xref target="auth-cr ed"/>) can be obtained. EDHOC may also transport certain authentication related information as External Authorization Data (see <xref target="AD"/>).</li> | <li>EDHOC transports information about credentials in ID_CRED_I and ID _CRED_R (described in <xref target="id_cred"/>). Based on this information, the authentication credentials CRED_I and CRED_R (described in <xref target="auth-cr ed"/>) can be obtained. EDHOC may also transport certain authentication-related information as external authorization data (see <xref target="AD"/>).</li> | |||
<li> | <li> | |||
<t>EDHOC uses the authentication credentials in two ways (see <xref target="asym-msg2-proc"/> and <xref target="asym-msg3-proc"/>): | <t>EDHOC uses the authentication credentials in two ways (see Sectio ns <xref target="asym-msg2-proc" format="counter"/> and <xref target="asym-msg3- proc" format="counter"/>): | |||
</t> | </t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>The authentication credential is input to the integrity verifi cation using the MAC fields.</li> | <li>The authentication credential is input to the integrity verifi cation using the MAC fields.</li> | |||
<li>The authentication key of the authentication credential is use d with the Signature_or_MAC field to verify proof-of-possession of the private k ey.</li> | <li>The authentication key of the authentication credential is use d with the Signature_or_MAC field to verify proof-of-possession of the private k ey.</li> | |||
</ul> | </ul> | |||
</li> | </li> | |||
</ul> | </ul> | |||
<t>Other authentication related verifications are out of scope for EDHOC | <t>Other authentication-related verifications are out of scope for EDHOC | |||
, and is the responsibility of the application. In particular, the authenticatio | and are the responsibility of the application. In particular, the authenticatio | |||
n credential needs to be validated in the context of the connection for which ED | n credential needs to be validated in the context of the connection for which ED | |||
HOC is used, see <xref target="auth-validation"/>. EDHOC MUST allow the applicat | HOC is used; see <xref target="auth-validation"/>. EDHOC <bcp14>MUST</bcp14> all | |||
ion to read received information about credential (ID_CRED_R, ID_CRED_I). EDHOC | ow the application to read received information about credentials in ID_CRED_R a | |||
MUST have access to the authentication key and the authentication credential.</t | nd ID_CRED_I. EDHOC <bcp14>MUST</bcp14> have access to the authentication key an | |||
> | d the authentication credential.</t> | |||
<t>Note that the type of authentication key, authentication credential, | <t>Note that the type of authentication key, the type of authentication | |||
and the identification of the credential have a large impact on the message size | credential, and the identification of the credential have a large impact on the | |||
. For example, the Signature_or_MAC field is much smaller with a static DH key t | message size. For example, the Signature_or_MAC field is much smaller with a sta | |||
han with a signature key. A CWT Claims Set (CCS) is much smaller than a self-sig | tic DH key than with a signature key. A CWT Claims Set (CCS) is much smaller tha | |||
ned certificate/CWT, but if it is possible to reference the credential with a CO | n a self-signed certificate / CWT, but if it is possible to reference the creden | |||
SE header like 'kid', then that is in turn much smaller than a CCS.</t> | tial with a COSE header like 'kid', then that is in turn much smaller than a CCS | |||
.</t> | ||||
<section anchor="auth-keys"> | <section anchor="auth-keys"> | |||
<name>Authentication Keys</name> | <name>Authentication Keys</name> | |||
<t>The authentication key (i.e., the public key used for authenticatio | <t>The authentication key (i.e., the public key used for authenticatio | |||
n) MUST be a signature key or static Diffie-Hellman key. The Initiator and the R | n) <bcp14>MUST</bcp14> be a signature key or a static Diffie-Hellman key. The In | |||
esponder MAY use different types of authentication keys, e.g., one uses a signat | itiator and Responder <bcp14>MAY</bcp14> use different types of authentication k | |||
ure key and the other uses a static Diffie-Hellman key.</t> | eys, e.g., one uses a signature key and the other uses a static Diffie-Hellman k | |||
<t>The authentication key algorithm needs to be compatible with the me | ey.</t> | |||
thod and the selected cipher suite (see <xref target="cs"/>). The authentication | <t>The authentication key algorithm needs to be compatible with the me | |||
key algorithm needs to be compatible with the EDHOC key exchange algorithm when | thod and the selected cipher suite (see <xref target="cs"/>). The authentication | |||
static Diffie-Hellman authentication is used, and compatible with the EDHOC sig | key algorithm needs to be compatible with the EDHOC key exchange algorithm when | |||
nature algorithm when signature authentication is used.</t> | static Diffie-Hellman authentication is used and compatible with the EDHOC sign | |||
<t>Note that for most signature algorithms, the signature is determine | ature algorithm when signature authentication is used.</t> | |||
d by the signature algorithm and the authentication key algorithm together. When | <t>Note that for most signature algorithms, the signature is determine | |||
using static Diffie-Hellman keys the Initiator's and Responder's private authen | d by the signature algorithm and the authentication key algorithm together. When | |||
tication keys are denoted as I and R, respectively, and the public authenticatio | using static Diffie-Hellman keys, the Initiator's and the Responder's private a | |||
n keys are denoted G_I and G_R, respectively.</t> | uthentication keys are denoted as I and R, respectively, and the public authenti | |||
<t>For X.509 certificates the authentication key is represented by a S | cation keys are denoted G_I and G_R, respectively.</t> | |||
ubjectPublicKeyInfo field. For CWT and CCS (see <xref target="auth-cred"/>)) the | <t>For X.509 certificates, the authentication key is represented by a | |||
authentication key is represented by a 'cnf' claim <xref target="RFC8747"/> con | SubjectPublicKeyInfo field. For CWT and CCS (see <xref target="auth-cred"/>), th | |||
taining a COSE_Key <xref target="RFC9052"/>. In EDHOC, a raw public key (RPK) is | e authentication key is represented by a 'cnf' claim <xref target="RFC8747"/> co | |||
an authentication key encoded as a COSE_Key wrapped in a CCS.</t> | ntaining a COSE_Key <xref target="RFC9052"/>. In EDHOC, a raw public key (RPK) i | |||
s an authentication key encoded as a COSE_Key wrapped in a CCS.</t> | ||||
</section> | </section> | |||
<section anchor="auth-cred"> | <section anchor="auth-cred"> | |||
<name>Authentication Credentials</name> | <name>Authentication Credentials</name> | |||
<t>The authentication credentials, CRED_I and CRED_R, contains the pub lic authentication key of the Initiator and the Responder, respectively. | <t>The authentication credentials, CRED_I and CRED_R, contain the publ ic authentication key of the Initiator and Responder, respectively. | |||
We use the notation CRED_x to refer to CRED_I or CRED_R. | We use the notation CRED_x to refer to CRED_I or CRED_R. | |||
Requirements on CRED_x applies both to CRED_I and to CRED_R. | Requirements on CRED_x applies both to CRED_I and to CRED_R. | |||
The authentication credential typically also contains other parameters that need | The authentication credential typically also contains other parameters that need | |||
s to be verified by the application, see <xref target="auth-validation"/>, and i | s to be verified by the application (see <xref target="auth-validation"/>) and i | |||
n particular information about the identity ("subject") of the endpoint to preve | n particular information about the identity ("subject") of the endpoint to preve | |||
nt misbinding attacks, see <xref target="identities"/>.</t> | nt misbinding attacks (see <xref target="identities"/>).</t> | |||
<t>EDHOC relies on COSE for identification of credentials (see <xref t | <t>EDHOC relies on COSE for identification of credentials (see <xref t | |||
arget="id_cred"/>), for example X.509 certificates <xref target="RFC9360"/>, C50 | arget="id_cred"/>), for example, X.509 certificates <xref target="RFC9360"/>, C5 | |||
9 certificates <xref target="I-D.ietf-cose-cbor-encoded-cert"/>, CWTs <xref targ | 09 certificates <xref target="I-D.ietf-cose-cbor-encoded-cert"/>, CWTs <xref tar | |||
et="RFC8392"/> and CWT Claims Sets (CCS) <xref target="RFC8392"/>. When the iden | get="RFC8392"/>, and CCSs <xref target="RFC8392"/>. When the identified credenti | |||
tified credential is a chain or a bag, the authentication credential CRED_x is j | al is a chain or a bag, the authentication credential CRED_x is just the end ent | |||
ust the end entity X.509 or C509 certificate / CWT. In the choice between chain | ity X.509 or C509 certificate / CWT. In the choice between a chain or a bag, it | |||
or bag it is RECOMMENDED to use a chain, since the certificates in a bag are uno | is <bcp14>RECOMMENDED</bcp14> to use a chain, since the certificates in a bag ar | |||
rdered and may contain self-signed and extraneous certificates, which can add co | e unordered and may contain self-signed and extraneous certificates, which can a | |||
mplexity to the process of extracting the end entity certificate. The Initiator | dd complexity to the process of extracting the end entity certificate. The Initi | |||
and the Responder MAY use different types of authentication credentials, e.g., o | ator and Responder <bcp14>MAY</bcp14> use different types of authentication cred | |||
ne uses an RPK and the other uses a public key certificate.</t> | entials, e.g., one uses an RPK and the other uses a public key certificate.</t> | |||
<t>Since CRED_R is used in the integrity verification, see <xref targe | <t>Since CRED_R is used in the integrity verification (see <xref targe | |||
t="asym-msg2-proc"/>, it needs to be specified such that it is identical when us | t="asym-msg2-proc"/>), it needs to be specified such that it is identical when u | |||
ed by Initiator or Responder. Similarly for CRED_I, see <xref target="asym-msg3- | sed by the Initiator or Responder. Similarly for CRED_I, see <xref target="asym- | |||
proc"/>. The Initiator and Responder are expected to agree on the specific encod | msg3-proc"/>. The Initiator and Responder are expected to agree on the specific | |||
ing of the authentication credentials, see <xref target="applicability"/>. It is | encoding of the authentication credentials; see <xref target="applicability"/>. | |||
RECOMMENDED that the COSE 'kid' parameter, when used to identify the authentica | It is <bcp14>RECOMMENDED</bcp14> that the COSE 'kid' parameter, when used to ide | |||
tion credential, refers to a such a specific encoding of the authentication cred | ntify the authentication credential, refers to such a specific encoding of the a | |||
ential. The Initiator and Responder SHOULD use an available authentication crede | uthentication credential. The Initiator and Responder <bcp14>SHOULD</bcp14> use | |||
ntial (transported in EDHOC or otherwise provisioned) without re-encoding. If fo | an available authentication credential (transported in EDHOC or otherwise provis | |||
r some reason re-encoding of the authentication credential may occur, then a pot | ioned) without re-encoding. If for some reason re-encoding of an authentication | |||
ential common encoding for CBOR based credentials is bytewise lexicographic orde | credential passed by reference may occur, then a potential common encoding for C | |||
r of their deterministic encodings as specified in Section 4.2.1 of <xref target | BOR-based credentials is deterministically encoded CBOR, as specified in Section | |||
="RFC8949"/>.</t> | s <xref target="RFC8949" section="4.2.1" sectionFormat="bare"/> and <xref target | |||
="RFC8949" section="4.2.2" sectionFormat="bare"/> of <xref target="RFC8949"/>. A | ||||
uthentication credentials passed by value are used as is without re-encoding.</t | ||||
> | ||||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>When the authentication credential is an X.509 certificate, CRED | <li>When the authentication credential is an X.509 certificate, CRED | |||
_x SHALL be the DER encoded certificate, encoded as a bstr <xref target="RFC9360 | _x <bcp14>SHALL</bcp14> be the DER-encoded certificate, encoded as a bstr <xref | |||
"/>.</li> | target="RFC9360"/>.</li> | |||
<li>When the authentication credential is a C509 certificate, CRED_x | <li>When the authentication credential is a C509 certificate, CRED_x | |||
SHALL be the C509Certificate <xref target="I-D.ietf-cose-cbor-encoded-cert"/>.< | <bcp14>SHALL</bcp14> be the C509 certificate <xref target="I-D.ietf-cose-cbor-e | |||
/li> | ncoded-cert"/>.</li> | |||
<li>When the authentication credential is a CWT including a COSE_Key | <li>When the authentication credential is a CWT including a COSE_Key | |||
, CRED_x SHALL be the untagged CWT.</li> | , CRED_x <bcp14>SHALL</bcp14> be the untagged CWT.</li> | |||
<li> | <li> | |||
<t>When the authentication credential includes a COSE_Key but is n ot in a CWT, CRED_x SHALL be an untagged CWT Claims Set (CCS). This is how RPKs are encoded, see <xref target="fig-ccs"/> for an example. | <t>When the authentication credential includes a COSE_Key but is n ot in a CWT, CRED_x <bcp14>SHALL</bcp14> be an untagged CCS. This is how RPKs ar e encoded, see <xref target="fig-ccs"/> for an example. | |||
</t> | </t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>Naked COSE_Keys are thus dressed as CCS when used in EDHOC, in its simplest form by prefixing the COSE_Key with 0xA108A101 (a map with a 'cn f' claim). In that case the resulting authentication credential contains no othe r identity than the public key itself, see <xref target="identities"/>.</li> | <li>Naked COSE_Keys are thus dressed as CCS when used in EDHOC i n its simplest form by prefixing the COSE_Key with 0xA108A101 (a map with a 'cnf ' claim). In that case, the resulting authentication credential contains no othe r identity than the public key itself; see <xref target="identities"/>.</li> | |||
</ul> | </ul> | |||
</li> | </li> | |||
</ul> | </ul> | |||
<t>An example of CRED_x is shown below:</t> | <t>An example of CRED_x is shown below:</t> | |||
<figure anchor="fig-ccs"> | <figure anchor="fig-ccs"> | |||
<name>CWT Claims Set (CCS) containing an X25519 static Diffie-Hellma n key and an EUI-64 identity.</name> | <name>CCS Containing an X25519 Static Diffie-Hellman Key and an EUI- 64 Identity</name> | |||
<artwork><![CDATA[ | <artwork><![CDATA[ | |||
{ /CCS/ | { /CCS/ | |||
2 : "42-50-31-FF-EF-37-32-39", /sub/ | 2 : "42-50-31-FF-EF-37-32-39", /sub/ | |||
8 : { /cnf/ | 8 : { /cnf/ | |||
1 : { /COSE_Key/ | 1 : { /COSE_Key/ | |||
1 : 1, /kty/ | 1 : 1, /kty/ | |||
2 : h'00', /kid/ | 2 : h'00', /kid/ | |||
-1 : 4, /crv/ | -1 : 4, /crv/ | |||
-2 : h'b1a3e89460e88d3a8d54211dc95f0b90 /x/ | -2 : h'b1a3e89460e88d3a8d54211dc95f0b90 /x/ | |||
3ff205eb71912d6db8f4af980d2db83a' | 3ff205eb71912d6db8f4af980d2db83a' | |||
} | } | |||
} | } | |||
} | } | |||
]]></artwork> | ]]></artwork> | |||
</figure> | </figure> | |||
</section> | </section> | |||
<section anchor="id_cred"> | <section anchor="id_cred"> | |||
<name>Identification of Credentials</name> | <name>Identification of Credentials</name> | |||
<t>The ID_CRED fields, ID_CRED_R and ID_CRED_I, are transported in mes sage_2 and message_3, respectively, see <xref target="asym-msg2-proc"/> and <xre f target="asym-msg3-proc"/>. | <t>The ID_CRED fields, ID_CRED_R and ID_CRED_I, are transported in mes sage_2 and message_3, respectively; see Sections <xref target="asym-msg2-proc" f ormat="counter"/> and <xref target="asym-msg3-proc" format="counter"/>. | |||
We use the notation ID_CRED_x to refer to ID_CRED_I or ID_CRED_R. | We use the notation ID_CRED_x to refer to ID_CRED_I or ID_CRED_R. | |||
Requirements on ID_CRED_x applies both to ID_CRED_I and to ID_CRED_R. | Requirements on ID_CRED_x applies both to ID_CRED_I and to ID_CRED_R. | |||
The ID_CRED fields are used to identify and optionally transport credentials:</t > | The ID_CRED fields are used to identify and optionally transport credentials:</t > | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>ID_CRED_R is intended to facilitate for the Initiator retrieving the authentication credential CRED_R and the authentication key of R.</li> | <li>ID_CRED_R is intended to facilitate for the Initiator retrieving the authentication credential CRED_R and the authentication key of R.</li> | |||
<li>ID_CRED_I is intended to facilitate for the Responder retrieving the authentication credential CRED_I and the authentication key of I.</li> | <li>ID_CRED_I is intended to facilitate for the Responder retrieving the authentication credential CRED_I and the authentication key of I.</li> | |||
</ul> | </ul> | |||
<t>ID_CRED_x may contain the authentication credential CRED_x, for x = | <t>ID_CRED_x may contain the authentication credential CRED_x, for x = | |||
I or R, but for many settings it is not necessary to transport the authenticati | I or R, but for many settings, it is not necessary to transport the authenticat | |||
on credential within EDHOC. For example, it may be pre-provisioned or acquired o | ion credential within EDHOC. For example, it may be pre-provisioned or acquired | |||
ut-of-band over less constrained links. ID_CRED_I and ID_CRED_R do not have any | out-of-band over less constrained links. ID_CRED_I and ID_CRED_R do not have any | |||
cryptographic purpose in EDHOC since the authentication credentials are integrit | cryptographic purpose in EDHOC since the authentication credentials are integri | |||
y protected.</t> | ty protected by the Signature_or_MAC field.</t> | |||
<t>EDHOC relies on COSE for identification of credentials and supports | <t>EDHOC relies on COSE for identification of credentials and supports | |||
all credential types for which COSE header parameters are defined including X.5 | all credential types for which COSE header parameters are defined, including X. | |||
09 certificates (<xref target="RFC9360"/>), C509 certificates (<xref target="I-D | 509 certificates <xref target="RFC9360"/>, C509 certificates <xref target="I-D.i | |||
.ietf-cose-cbor-encoded-cert"/>), CWT (see <xref target="new-header-param"/>) an | etf-cose-cbor-encoded-cert"/>, CWTs (<xref target="new-header-param"/>) and CCSs | |||
d CWT Claims Set (see <xref target="new-header-param"/>).</t> | (<xref target="new-header-param"/>).</t> | |||
<t>ID_CRED_I and ID_CRED_R are of type COSE header_map, as defined in | <t>ID_CRED_I and ID_CRED_R are of type COSE header_map, as defined in | |||
Section 3 of <xref target="RFC9052"/>, and contains one or more COSE header para | <xref target="RFC9052" section="3" sectionFormat="of"/>, and contain one or more | |||
meters. ID_CRED_I and ID_CRED_R MAY contain different header parameters. The hea | COSE header parameters. If a map contains several header parameters, the labels | |||
der parameters typically provide some information about the format of the creden | do not need to be sorted in bytewise lexicographic order. ID_CRED_I and ID_CRED | |||
tial.</t> | _R <bcp14>MAY</bcp14> contain different header parameters. The header parameters | |||
<t>Example: X.509 certificates can be identified by a hash value using | typically provide some information about the format of the credential.</t> | |||
the 'x5t' parameter, see Section 2 of <xref target="RFC9360"/>:</t> | <t>Example: X.509 certificates can be identified by a hash value using | |||
the 'x5t' parameter; see <xref target="RFC9360" section="2" sectionFormat="of"/ | ||||
>:</t> | ||||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>ID_CRED_x = { 34 : COSE_CertHash }, for x = I or R,</li> | <li>ID_CRED_x = { 34 : COSE_CertHash }, for x = I or R</li> | |||
</ul> | </ul> | |||
<t>Example: CWT or CCS can be identified by a key identifier using the 'kid' parameter, see Section 3.1 of <xref target="RFC9052"/>:</t> | <t>Example: CWT or CCS can be identified by a key identifier using the 'kid' parameter; see <xref target="RFC9052" section="3.1" sectionFormat="of"/>: </t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>ID_CRED_x = { 4 : kid_x }, where kid_x : kid, for x = I or R.</l i> | <li>ID_CRED_x = { 4 : kid_x }, where kid_x : kid, for x = I or R</li > | |||
</ul> | </ul> | |||
<t>Note that COSE header parameters in ID_CRED_x are used to identify | <t>Note that COSE header parameters in ID_CRED_x are used to identify | |||
the message sender's credential. There is therefore no reason to use the "-sende | the message sender's credential. Therefore, there is no reason to use the "-send | |||
r" header parameters, such as x5t-sender, defined in Section 3 of <xref target=" | er" header parameters, such as x5t-sender, defined in <xref target="RFC9360" sec | |||
RFC9360"/>. Instead, the corresponding parameter without "-sender", such as x5t, | tion="3" sectionFormat="of"/>. Instead, the corresponding parameter without "-se | |||
SHOULD be used.</t> | nder", such as x5t, <bcp14>SHOULD</bcp14> be used.</t> | |||
<t>As stated in Section 3.1 of <xref target="RFC9052"/>, applications | <t>As stated in <xref target="RFC9052" section="3.1" sectionFormat="of | |||
MUST NOT assume that 'kid' values are unique and several keys associated with a | "/>, applications <bcp14>MUST NOT</bcp14> assume that 'kid' values are unique an | |||
'kid' may need to be checked before the correct one is found. Applications might | d several keys associated with a 'kid' may need to be checked before the correct | |||
use additional information such as 'kid context' or lower layers to determine w | one is found. Applications might use additional information such as 'kid contex | |||
hich key to try first. Applications should strive to make ID_CRED_x as unique as | t' or lower layers to determine which key to try first. Applications should stri | |||
possible, since the recipient may otherwise have to try several keys.</t> | ve to make ID_CRED_x as unique as possible, since the recipient may otherwise ha | |||
ve to try several keys.</t> | ||||
<t>See <xref target="COSE"/> for more examples.</t> | <t>See <xref target="COSE"/> for more examples.</t> | |||
<section anchor="new-header-param"> | <section anchor="new-header-param"> | |||
<name>COSE Header Parameters for CWT and CWT Claims Set</name> | <name>COSE Header Parameters for CWT and CWT Claims Set</name> | |||
<t>This document registers two new COSE header parameters 'kcwt' and | <t>This document registers two new COSE header parameters, 'kcwt' an | |||
'kccs' for use with CBOR Web Token (CWT, <xref target="RFC8392"/>) and CWT Clai | d 'kccs', for use with CBOR Web Token (CWT) <xref target="RFC8392"/> and CWT Cla | |||
ms Set (CCS, <xref target="RFC8392"/>), respectively. The CWT/CCS MUST contain a | ims Set (CCS) <xref target="RFC8392"/>, respectively. The CWT/CCS <bcp14>MUST</b | |||
COSE_Key in a 'cnf' claim <xref target="RFC8747"/>. There may be any number of | cp14> contain a COSE_Key in a 'cnf' claim <xref target="RFC8747"/>. There may be | |||
additional claims present in the CWT/CCS.</t> | any number of additional claims present in the CWT/CCS.</t> | |||
<t>CWTs sent in 'kcwt' are protected using a MAC or a signature and | <t>CWTs sent in 'kcwt' are protected using a MAC or a signature and | |||
are similar to a certificate (when with public key cryptography) or a Kerberos t | are similar to a certificate (when used with public key cryptography) or a Kerbe | |||
icket (when used with symmetric key cryptography). CCSs sent in 'kccs' are not p | ros ticket (when used with symmetric key cryptography). CCSs sent in 'kccs' are | |||
rotected and are therefore similar to raw public keys or self-signed certificate | not protected and are therefore similar to raw public keys or self-signed certif | |||
s.</t> | icates.</t> | |||
<t>Security considerations for 'kcwt' and 'kccs' are made in <xref t arget="impl-cons"/>.</t> | <t>Security considerations for 'kcwt' and 'kccs' are made in <xref t arget="impl-cons"/>.</t> | |||
</section> | </section> | |||
<section anchor="compact-kid"> | <section anchor="compact-kid"> | |||
<name>Compact Encoding of ID_CRED Fields for 'kid'</name> | <name>Compact Encoding of ID_CRED Fields for 'kid'</name> | |||
<t>To comply with the LAKE message size requirements, see <xref targ et="I-D.ietf-lake-reqs"/>, two optimizations are made for the case when ID_CRED_ x, for x = I or R, contains a single 'kid' parameter.</t> | <t>To comply with the Lightweight Authenticated Key Exchange (LAKE) message size requirements (see <xref target="I-D.ietf-lake-reqs"/>), two optimiz ations are made for the case when ID_CRED_x, for x = I or R, contains a single ' kid' parameter.</t> | |||
<ol spacing="normal" type="1"><li>The CBOR map { 4 : kid_x } is repl aced by the byte string kid_x.</li> | <ol spacing="normal" type="1"><li>The CBOR map { 4 : kid_x } is repl aced by the byte string kid_x.</li> | |||
<li>The representation of identifiers specified in <xref target="b str-repr"/> is applied to kid_x.</li> | <li>The representation of identifiers specified in <xref target="b str-repr"/> is applied to kid_x.</li> | |||
</ol> | </ol> | |||
<t>These optimizations MUST be applied if and only if ID_CRED_x = { 4 : kid_x } and ID_CRED_x in PLAINTEXT_y of message_y, y = 2 or 3, see <xref tar get="asym-msg2-proc"/> and <xref target="asym-msg3-proc"/>. Note that these opti mizations are not applied to instances of ID_CRED_x which have no impact on mess age size, e.g., context_y, or the COSE protected header. Examples:</t> | <t>These optimizations <bcp14>MUST</bcp14> be applied if and only if ID_CRED_x = { 4 : kid_x } and ID_CRED_x in PLAINTEXT_y of message_y, y = 2 or 3 ; see Sections <xref target="asym-msg2-proc" format="counter"/> and <xref target ="asym-msg3-proc" format="counter"/>. Note that these optimizations are not appl ied to instances of ID_CRED_x that have no impact on message size, e.g., context _y, or the COSE protected header. For example:</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>For ID_CRED_x = { 4 : h'FF' }, the encoding in PLAINTEXT_y is not the CBOR map 0xA10441FF but the CBOR byte string h'FF', i.e., 0x41FF.</li> | <li>For ID_CRED_x = { 4 : h'FF' }, the encoding in PLAINTEXT_y is not the CBOR map 0xA10441FF but the CBOR byte string h'FF', i.e., 0x41FF.</li> | |||
<li>For ID_CRED_x = { 4 : h'21' }, the encoding in PLAINTEXT_y is neither the CBOR map 0xA1044121, nor the CBOR byte string h'21', i.e., 0x4121, b ut the CBOR integer 0x21.</li> | <li>For ID_CRED_x = { 4 : h'21' }, the encoding in PLAINTEXT_y is neither the CBOR map 0xA1044121 nor the CBOR byte string h'21', i.e., 0x4121, bu t the CBOR integer 0x21.</li> | |||
</ul> | </ul> | |||
</section> | </section> | |||
</section> | </section> | |||
</section> | </section> | |||
<section anchor="cs"> | <section anchor="cs"> | |||
<name>Cipher Suites</name> | <name>Cipher Suites</name> | |||
<t>An EDHOC cipher suite consists of an ordered set of algorithms from t | <t>An EDHOC cipher suite consists of an ordered set of algorithms from t | |||
he "COSE Algorithms" and "COSE Elliptic Curves" registries as well as the EDHOC | he "COSE Algorithms" and "COSE Elliptic Curves" registries as well as the EDHOC | |||
MAC length. All algorithm names and definitions follow from COSE algorithms <xre | MAC length. All algorithm names and definitions follow COSE Algorithms <xref tar | |||
f target="RFC9053"/>. Note that COSE sometimes uses peculiar names such as ES256 | get="RFC9053"/>. Note that COSE sometimes uses peculiar names such as ES256 for | |||
for ECDSA with SHA-256, A128 for AES-128, and Ed25519 for the curve edwards2551 | Elliptic Curve Digital Signature Algorithm (ECDSA) with SHA-256, A128 for AES-12 | |||
9. Algorithms need to be specified with enough parameters to make them completel | 8, and Ed25519 for the curve edwards25519. Algorithms need to be specified with | |||
y determined. The EDHOC MAC length MUST be at least 8 bytes. Any cryptographic a | enough parameters to make them completely determined. The EDHOC MAC length <bcp1 | |||
lgorithm used in the COSE header parameters in ID_CRED fields is selected indepe | 4>MUST</bcp14> be at least 8 bytes. Any cryptographic algorithm used in the COSE | |||
ndently of the selected cipher suite. EDHOC is currently only specified for use | header parameters in ID_CRED fields is selected independently of the selected c | |||
with key exchange algorithms of type ECDH curves, but any Key Encapsulation Meth | ipher suite. EDHOC is currently only specified for use with key exchange algorit | |||
od (KEM), including Post-Quantum Cryptography (PQC) KEMs, can be used in method | hms of type ECDH curves, but any Key Encapsulation Mechanism (KEM), including Po | |||
0, see <xref target="pqc"/>. Use of other types of key exchange algorithms to re | st-Quantum Cryptography (PQC) KEMs, can be used in method 0; see <xref target="p | |||
place static DH authentication (method 1,2,3) would likely require a specificati | qc"/>. Use of other types of key exchange algorithms to replace static DH authen | |||
on updating EDHOC with new methods.</t> | tication (methods 1, 2, and 3) would likely require a specification updating EDH | |||
<t>EDHOC supports all signature algorithms defined by COSE. Just like in | OC with new methods.</t> | |||
(D)TLS 1.3 <xref target="RFC8446"/><xref target="RFC9147"/> and IKEv2 <xref tar | <t>EDHOC supports all signature algorithms defined by COSE. Just like in | |||
get="RFC7296"/>, a signature in COSE is determined by the signature algorithm an | (D)TLS 1.3 <xref target="RFC8446"/> <xref target="RFC9147"/> and IKEv2 <xref ta | |||
d the authentication key algorithm together, see <xref target="auth-keys"/>. The | rget="RFC7296"/>, a signature in COSE is determined by the signature algorithm a | |||
exact details of the authentication key algorithm depend on the type of authent | nd the authentication key algorithm together; see <xref target="auth-keys"/>. Th | |||
ication credential. COSE supports different formats for storing the public authe | e exact details of the authentication key algorithm depend on the type of authen | |||
ntication keys including COSE_Key and X.509, which use different names and ways | tication credential. COSE supports different formats for storing the public auth | |||
to represent the authentication key and the authentication key algorithm.</t> | entication keys including COSE_Key and X.509, which use different names and ways | |||
to represent the authentication key and the authentication key algorithm.</t> | ||||
<t>An EDHOC cipher suite consists of the following parameters:</t> | <t>An EDHOC cipher suite consists of the following parameters:</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>EDHOC AEAD algorithm</li> | <li>EDHOC AEAD algorithm,</li> | |||
<li>EDHOC hash algorithm</li> | <li>EDHOC hash algorithm,</li> | |||
<li>EDHOC MAC length in bytes (Static DH)</li> | <li>EDHOC MAC length in bytes (Static DH),</li> | |||
<li>EDHOC key exchange algorithm (ECDH curve)</li> | <li>EDHOC key exchange algorithm (ECDH curve),</li> | |||
<li>EDHOC signature algorithm</li> | <li>EDHOC signature algorithm,</li> | |||
<li>Application AEAD algorithm</li> | <li>application AEAD algorithm, and</li> | |||
<li>Application hash algorithm</li> | <li>application hash algorithm.</li> | |||
</ul> | </ul> | |||
<t>Each cipher suite is identified with a pre-defined integer label.</t> | <t>Each cipher suite is identified with a predefined integer label.</t> | |||
<t>EDHOC can be used with all algorithms and curves defined for COSE. Im | <t>EDHOC can be used with all algorithms and curves defined for COSE. Im | |||
plementations can either use any combination of COSE algorithms and parameters t | plementations can either use any combination of COSE algorithms and parameters t | |||
o define their own private cipher suite, or use one of the pre-defined cipher su | o define their own private cipher suite or use one of the predefined cipher suit | |||
ites. Private cipher suites can be identified with any of the four values -24, - | es. Private cipher suites can be identified with any of the four values: -24, -2 | |||
23, -22, -21. The pre-defined cipher suites are listed in the IANA registry (<xr | 3, -22, and -21. The predefined cipher suites are listed in the IANA registry (< | |||
ef target="suites-registry"/>) with initial content outlined here:</t> | xref target="suites-registry"/>) with the initial content outlined here:</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li> | <li> | |||
<t>Cipher suites 0-3, based on AES-CCM, are intended for constrained IoT where message overhead is a very important factor. Note that AES-CCM-16-64- 128 and AES-CCM-16-128-128 are compatible with the IEEE CCM* mode. | <t>Cipher suites 0-3, based on AES-CCM, are intended for constrained IoT where a message overhead is a very important factor. Note that AES-CCM-16-6 4-128 and AES-CCM-16-128-128 are compatible with the IEEE Counter with CBC-MAC ( CCM)* mode. | |||
</t> | </t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>Cipher suites 1 and 3 use a larger tag length (128-bit) in EDH OC than in the Application AEAD algorithm (64-bit).</li> | <li>Cipher suites 1 and 3 use a larger tag length (128 bits) in ED HOC than in the application AEAD algorithm (64 bits).</li> | |||
</ul> | </ul> | |||
</li> | </li> | |||
<li>Cipher suites 4 and 5, based on ChaCha20, are intended for less co nstrained applications and only use 128-bit tag lengths.</li> | <li>Cipher suites 4 and 5, based on ChaCha20, are intended for less co nstrained applications and only use 128-bit tag lengths.</li> | |||
<li>Cipher suite 6, based on AES-GCM, is for general non-constrained a | <li>Cipher suite 6, based on AES-GCM, is for general non-constrained a | |||
pplications. It consists of high performance algorithms that are widely used in | pplications. It consists of high-performance algorithms that are widely used in | |||
non-constrained applications.</li> | non-constrained applications.</li> | |||
<li>Cipher suites 24 and 25 are intended for high security application | <li>Cipher suites 24 and 25 are intended for high security application | |||
s such as government use and financial applications. These cipher suites do not | s such as government use and financial applications. These cipher suites do not | |||
share any algorithms. Cipher suite 24 consists of algorithms from the CNSA 1.0 s | share any algorithms. Cipher suite 24 consists of algorithms from the Commercial | |||
uite <xref target="CNSA"/>.</li> | National Security Algorithm (CNSA) 1.0 suite <xref target="CNSA"/>.</li> | |||
</ul> | </ul> | |||
<t>The different methods (<xref target="method"/>) use the same cipher s uites, but some algorithms are not used in some methods. The EDHOC signature alg orithm is not used in methods without signature authentication.</t> | <t>The different methods (<xref target="method"/>) use the same cipher s uites, but some algorithms are not used in some methods. The EDHOC signature alg orithm is not used in methods without signature authentication.</t> | |||
<t>The Initiator needs to have a list of cipher suites it supports in or der of preference. The Responder needs to have a list of cipher suites it suppor ts. SUITES_I contains cipher suites supported by the Initiator, formatted and pr ocessed as detailed in <xref target="asym-msg1-form"/> to secure the cipher suit e negotiation. Examples of cipher suite negotiation are given in <xref target="e x-neg"/>.</t> | <t>The Initiator needs to have a list of cipher suites it supports in or der of preference. The Responder needs to have a list of cipher suites it suppor ts. SUITES_I contains cipher suites supported by the Initiator and formatted and processed as detailed in <xref target="asym-msg1-form"/> to secure the cipher s uite negotiation. Examples of cipher suite negotiation are given in <xref target ="ex-neg"/>.</t> | |||
</section> | </section> | |||
<section anchor="cose_key"> | <section anchor="cose_key"> | |||
<name>Ephemeral Public Keys</name> | <name>Ephemeral Public Keys</name> | |||
<t>The ephemeral public keys in EDHOC (G_X and G_Y) use compact represen tation of elliptic curve points, see <xref target="comrep"/>. In COSE, compact r epresentation is achieved by formatting the ECDH ephemeral public keys as COSE_K eys of type EC2 or OKP according to Sections 7.1 and 7.2 of <xref target="RFC905 3"/>, but only including the 'x' parameter in G_X and G_Y. For Elliptic Curve Ke ys of type EC2, compact representation MAY be used also in the COSE_Key. COSE al ways uses compact output for Elliptic Curve Keys of type EC2. If the COSE implem entation requires a 'y' parameter, the value y = false or a calculated y-coordin ate can be used, see <xref target="comrep"/>.</t> | <t>The ephemeral public keys in EDHOC (G_X and G_Y) use compact represen tation of elliptic curve points; see <xref target="comrep"/>. In COSE, compact r epresentation is achieved by formatting the ECDH ephemeral public keys as COSE_K eys of type EC2 or Octet Key Pair (OKP) according to Sections <xref target="RFC9 053" section="7.1" sectionFormat="bare"/> and <xref target="RFC9053" section="7. 2" sectionFormat="bare"/> of <xref target="RFC9053"/> but only including the 'x' parameter in G_X and G_Y. For Elliptic Curve Keys of type EC2, compact represen tation <bcp14>MAY</bcp14> be used also in the COSE_Key. COSE always uses compact output for Elliptic Curve Keys of type EC2. If the COSE implementation requires a 'y' parameter, the value y = false or a calculated y-coordinate can be used; see <xref target="comrep"/>.</t> | |||
</section> | </section> | |||
<section anchor="AD"> | <section anchor="AD"> | |||
<name>External Authorization Data (EAD)</name> | <name>External Authorization Data (EAD)</name> | |||
<t>In order to reduce round trips and the number of messages, or to simp | <t>In order to reduce round trips and the number of messages or to simpl | |||
lify processing, external security applications may be integrated into EDHOC by | ify processing, external security applications may be integrated into EDHOC by t | |||
transporting authorization related data in the messages.</t> | ransporting authorization-related data in the messages.</t> | |||
<t>EDHOC allows processing of external authorization data (EAD) to be de | <t>EDHOC allows processing of external authorization data (EAD) to be de | |||
fined in a separate specification, and sent in dedicated fields of the four EDHO | fined in a separate specification and sent in dedicated fields of the four EDHOC | |||
C messages (EAD_1, EAD_2, EAD_3, EAD_4). EAD is opaque data to EDHOC.</t> | messages: EAD_1, EAD_2, EAD_3, and EAD_4. EAD is opaque data to EDHOC.</t> | |||
<t>Each EAD field, EAD_x for x = 1, 2, 3 or 4, is a CBOR sequence (see < | <t>Each EAD field, EAD_x, for x = 1, 2, 3, or 4, is a CBOR sequence (see | |||
xref target="CBOR"/>) consisting of one or more EAD items. An EAD item ead is a | <xref target="CBOR"/>) consisting of one or more EAD items. EAD item ead is a C | |||
CBOR sequence of an ead_label and an optional ead_value, see <xref target="fig-e | BOR sequence of an ead_label and an optional ead_value; see <xref target="fig-ea | |||
ad-item"/> and <xref target="CDDL"/> for the CDDL definitions.</t> | d-item"/> and <xref target="CDDL"/> for the CDDL definitions.</t> | |||
<figure anchor="fig-ead-item"> | <figure anchor="fig-ead-item"> | |||
<name>EAD item.</name> | <name>EAD Item</name> | |||
<sourcecode type="CDDL"><![CDATA[ | <sourcecode type="CDDL"><![CDATA[ | |||
ead = ( | ead = ( | |||
ead_label : int, | ead_label : int, | |||
? ead_value : bstr, | ? ead_value : bstr, | |||
) | ) | |||
]]></sourcecode> | ]]></sourcecode> | |||
</figure> | </figure> | |||
<t>A security application may register one or more EAD labels, see <xref | <t>A security application may register one or more EAD labels (see <xref | |||
target="iana-ead"/>, and specify the associated processing and security conside | target="iana-ead"/>) and specify the associated processing and security conside | |||
rations. The IANA registry contains the absolute value of the ead_label, |ead_la | rations. The IANA registry contains the absolute value of the ead_label, |ead_la | |||
bel|; the same ead_value applies independently of sign of ead_label.</t> | bel|; the same ead_value applies independently of the sign of the ead_label.</t> | |||
<t>An EAD item can be either critical or non-critical, determined by the | <t>An EAD item can be either critical or non-critical, determined by the | |||
sign of the ead_label in the EAD item transported in the EAD field. A negative | sign of the ead_label in the EAD item transported in the EAD field. A negative | |||
value indicates that the EAD item is critical and a non-negative value indicates | value indicates that the EAD item is critical, and a nonnegative value indicates | |||
that the EAD item is non-critical.</t> | that the EAD item is non-critical.</t> | |||
<t>If an endpoint receives a critical EAD item it does not recognize, or | <t>If an endpoint receives a critical EAD item it does not recognize or | |||
a critical EAD item that contains information that it cannot process, then the | a critical EAD item that contains information that it cannot process, then the e | |||
endpoint MUST send an EDHOC error message back as defined in <xref target="error | ndpoint <bcp14>MUST</bcp14> send an EDHOC error message back as defined in <xref | |||
"/>, and the EDHOC session MUST be aborted. The EAD item specification defines t | target="error"/>, and the EDHOC session <bcp14>MUST</bcp14> be aborted. The EAD | |||
he error processing. A non-critical EAD item can be ignored.</t> | item specification defines the error processing. A non-critical EAD item can be | |||
<t>The security application registering a new EAD item needs to describe | ignored.</t> | |||
under what conditions the EAD item is critical or non-critical, and thus whethe | <t>The security application registering a new EAD item needs to describe | |||
r the ead_label is used with negative or positive sign. ead_label = 0 is used fo | under what conditions the EAD item is critical or non-critical, and thus whethe | |||
r padding, see <xref target="padding"/>.</t> | r the ead_label is used with a negative or positive sign. ead_label = 0 is used | |||
for padding; see <xref target="padding"/>.</t> | ||||
<t>The security application may define multiple uses of certain EAD item s, e.g., the same EAD item may be used in different EDHOC messages. Multiple occ urrences of an EAD item in one EAD field may also be specified, but the critical ity of the repeated EAD item is expected to be the same.</t> | <t>The security application may define multiple uses of certain EAD item s, e.g., the same EAD item may be used in different EDHOC messages. Multiple occ urrences of an EAD item in one EAD field may also be specified, but the critical ity of the repeated EAD item is expected to be the same.</t> | |||
<t>The EAD fields of EDHOC MUST only be used with registered EAD items, see <xref target="iana-ead"/>. Examples of the use of EAD are provided in <xref target="ead-appendix"/>.</t> | <t>The EAD fields of EDHOC <bcp14>MUST</bcp14> only be used with registe red EAD items; see <xref target="iana-ead"/>. Examples of the use of EAD are pro vided in <xref target="ead-appendix"/>.</t> | |||
<section anchor="padding"> | <section anchor="padding"> | |||
<name>Padding</name> | <name>Padding</name> | |||
<t>EDHOC message_1 and the plaintext of message_2, message_3 and messa | <t>EDHOC message_1 and the plaintext of message_2, message_3, and mess | |||
ge_4 can be padded with the use of the corresponding EAD_x field, for x = 1, 2, | age_4 can be padded with the use of the corresponding EAD_x field, for x = 1, 2, | |||
3, 4. Padding in EAD_1 mitigates amplification attacks (see <xref target="dos"/> | 3, or 4. Padding in EAD_1 mitigates amplification attacks (see <xref target="do | |||
), and padding in EAD_2, EAD_3, and EAD_4 hides the true length of the plaintext | s"/>), and padding in EAD_2, EAD_3, and EAD_4 hides the true length of the plain | |||
(see <xref target="internet-threat"/>). Padding MUST be ignored and discarded b | text (see <xref target="internet-threat"/>). Padding <bcp14>MUST</bcp14> be igno | |||
y the receiving application.</t> | red and discarded by the receiving application.</t> | |||
<t>Padding is obtained by using an EAD item with ead_label = 0 and a ( | <t>Padding is obtained by using an EAD item with ead_label = 0 and a ( | |||
pseudo-)randomly generated byte string of appropriate length as ead_value, notin | pseudo)randomly generated byte string of appropriate length as ead_value, noting | |||
g that the ead_label and the CBOR encoding of ead_value also add bytes. Examples | that the ead_label and the CBOR encoding of ead_value also add bytes. For examp | |||
:</t> | le:</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li> | <li> | |||
<t>One byte padding (optional ead_value omitted): | <t>One-byte padding (optional ead_value omitted): | |||
</t> | </t> | |||
<ul spacing="normal"> | <t>EAD_x = 0x00</t> | |||
<li>EAD_x = 0x00</li> | ||||
</ul> | ||||
</li> | </li> | |||
<li> | <li> | |||
<t>Two bytes padding, using the empty byte string (0x40) as ead_va lue: | <t>Two-byte padding, using the empty byte string (0x40) as ead_val ue: | |||
</t> | </t> | |||
<ul spacing="normal"> | <t>EAD_x = 0x0040</t> | |||
<li>EAD_x = 0x0040</li> | ||||
</ul> | ||||
</li> | </li> | |||
<li> | <li> | |||
<t>Three bytes padding, constructed from the pseudorandomly genera ted ead_value 0xe9 encoded as byte string: | <t>Three-byte padding, constructed from the pseudorandomly generat ed ead_value 0xe9 encoded as byte string: | |||
</t> | </t> | |||
<ul spacing="normal"> | <t>EAD_x = 0x0041e9</t> | |||
<li>EAD_x = 0x0041e9</li> | ||||
</ul> | ||||
</li> | </li> | |||
</ul> | </ul> | |||
<t>Multiple occurrences of EAD items with ead_label = 0 are allowed. C ertain padding lengths require the use of at least two such EAD items.</t> | <t>Multiple occurrences of EAD items with ead_label = 0 are allowed. C ertain padding lengths require the use of at least two such EAD items.</t> | |||
<t>Note that padding is non-critical because the intended behaviour wh en receiving is to ignore it.</t> | <t>Note that padding is non-critical because the intended behavior whe n receiving is to ignore it.</t> | |||
</section> | </section> | |||
</section> | </section> | |||
<section anchor="applicability"> | <section anchor="applicability"> | |||
<name>Application Profile</name> | <name>Application Profile</name> | |||
<t>EDHOC requires certain parameters to be agreed upon between Initiator | <t>EDHOC requires certain parameters to be agreed upon between the Initi | |||
and Responder. Some parameters can be negotiated through the protocol execution | ator and Responder. Some parameters can be negotiated through the protocol execu | |||
(specifically, cipher suite, see <xref target="cs"/>) but other parameters are | tion (specifically, cipher suite; see <xref target="cs"/>), but other parameters | |||
only communicated and may not be negotiated (e.g., which authentication method i | are only communicated and may not be negotiated (e.g., which authentication met | |||
s used, see <xref target="method"/>). Yet other parameters need to be known out- | hod is used; see <xref target="method"/>). Yet, other parameters need to be know | |||
of-band to ensure successful completion, e.g., whether message_4 is used or not. | n out-of-band to ensure successful completion, e.g., whether message_4 is used o | |||
The application decides which endpoint is Initiator and which is Responder.</t> | r not. The application decides which endpoint is the Initiator and which is the | |||
<t>The purpose of an application profile is to describe the intended use | Responder.</t> | |||
of EDHOC to allow for the relevant processing and verifications to be made, inc | <t>The purpose of an application profile is to describe the intended use | |||
luding things like:</t> | of EDHOC to allow for the relevant processing and verifications to be made, inc | |||
luding things like the following:</t> | ||||
<ol spacing="normal" type="1"><li> | <ol spacing="normal" type="1"><li> | |||
<t>How the endpoint detects that an EDHOC message is received. This includes how EDHOC messages are transported, for example in the payload of a CoA P message with a certain Uri-Path or Content-Format; see <xref target="coap"/>. | <t>How the endpoint detects that an EDHOC message is received. This includes how EDHOC messages are transported, for example, in the payload of a Co AP message with a certain Uri-Path or Content-Format; see <xref target="coap"/>. | |||
</t> | </t> | |||
<ul spacing="normal"> | <t>The method of transporting EDHOC messages may also describe dat | |||
<li>The method of transporting EDHOC messages may also describe da | a carried along with the messages that are needed for the transport to satisfy t | |||
ta carried along with the messages that are needed for the transport to satisfy | he requirements of <xref target="transport"/>, e.g., connection identifiers used | |||
the requirements of <xref target="transport"/>, e.g., connection identifiers use | with certain messages; see <xref target="coap"/>.</t> | |||
d with certain messages, see <xref target="coap"/>.</li> | ||||
</ul> | ||||
</li> | </li> | |||
<li>Authentication method (METHOD; see <xref target="method"/>).</li> | <li>Authentication method (METHOD; see <xref target="method"/>).</li> | |||
<li>Profile for authentication credentials (CRED_I, CRED_R; see <xref | <li>Profile for authentication credentials (CRED_I and CRED_R; see <xr | |||
target="auth-cred"/>), e.g., profile for certificate or CCS, including supported | ef target="auth-cred"/>), e.g., profile for certificate or CCS, including suppor | |||
authentication key algorithms (subject public key algorithm in X.509 or C509 ce | ted authentication key algorithms (subject public key algorithm in X.509 or C509 | |||
rtificate).</li> | certificate).</li> | |||
<li>Type used to identify credentials (ID_CRED_I, ID_CRED_R; see <xref | <li>Type used to identify credentials (ID_CRED_I and ID_CRED_R; see <x | |||
target="id_cred"/>).</li> | ref target="id_cred"/>).</li> | |||
<li>Use and type of external authorization data (EAD_1, EAD_2, EAD_3, | <li>Use and type of external authorization data (EAD_1, EAD_2, EAD_3, | |||
EAD_4; see <xref target="AD"/>).</li> | and EAD_4; see <xref target="AD"/>).</li> | |||
<li>Identifier used as the identity of the endpoint; see <xref target= "identities"/>.</li> | <li>Identifier used as the identity of the endpoint; see <xref target= "identities"/>.</li> | |||
<li>If message_4 shall be sent/expected, and if not, how to ensure a p rotected application message is sent from the Responder to the Initiator; see <x ref target="m4"/>.</li> | <li>If message_4 shall be sent/expected, and if not, how to ensure a p rotected application message is sent from the Responder to the Initiator; see <x ref target="m4"/>.</li> | |||
</ol> | </ol> | |||
<t>The application profile may also contain information about supported cipher suites. The procedure for selecting and verifying a cipher suite is still performed as described in <xref target="asym-msg1-form"/> and <xref target="wro ng-selected"/>, but it may become simplified by this knowledge. EDHOC messages c an be processed without the application profile, i.e., the EDHOC messages includ es information about the type and length of all fields.</t> | <t>The application profile may also contain information about supported cipher suites. The procedure for selecting and verifying a cipher suite is still performed as described in Sections <xref target="asym-msg1-form" format="counte r"/> and <xref target="wrong-selected" format="counter"/>, but it may become sim plified by this knowledge. EDHOC messages can be processed without the applicati on profile, i.e., the EDHOC messages include information about the type and leng th of all fields.</t> | |||
<t>An example of an application profile is shown in <xref target="appl-t emp"/>.</t> | <t>An example of an application profile is shown in <xref target="appl-t emp"/>.</t> | |||
<t>For some parameters, like METHOD, type of ID_CRED field or EAD, the r | <t>For some parameters, like METHOD, the type of the ID_CRED field, or E | |||
eceiver of an EDHOC message is able to verify compliance with the application pr | AD, the receiver of an EDHOC message is able to verify compliance with the appli | |||
ofile, and if it needs to fail because of lack of compliance, to infer the reaso | cation profile and, if it needs to fail because of the lack of compliance, to in | |||
n why the EDHOC session failed.</t> | fer the reason why the EDHOC session failed.</t> | |||
<t>For other encodings, like the profiling of CRED_x in the case that it | <t>For other encodings, like the profiling of CRED_x in the case that it | |||
is not transported, it may not be possible to verify that lack of compliance wi | is not transported, it may not be possible to verify that the lack of complianc | |||
th the application profile was the reason for failure: Integrity verification in | e with the application profile was the reason for failure, i.e., integrity verif | |||
message_2 or message_3 may fail not only because of a wrong credential. For exa | ication in message_2 or message_3 may fail not only because of a wrong credentia | |||
mple, in case the Initiator uses a public key certificate by reference (i.e., no | l. For example, in case the Initiator uses a public key certificate by reference | |||
t transported within the protocol) then both endpoints need to use an identical | (i.e., not transported within the protocol), then both endpoints need to use an | |||
data structure as CRED_I or else the integrity verification will fail.</t> | identical data structure as CRED_I or else the integrity verification will fail | |||
.</t> | ||||
<t>Note that it is not necessary for the endpoints to specify a single t ransport for the EDHOC messages. For example, a mix of CoAP and HTTP may be used along the path, and this may still allow correlation between messages.</t> | <t>Note that it is not necessary for the endpoints to specify a single t ransport for the EDHOC messages. For example, a mix of CoAP and HTTP may be used along the path, and this may still allow correlation between messages.</t> | |||
<t>The application profile may be dependent on the identity of the other | <t>The application profile may be dependent on the identity of the other | |||
endpoint, or other information carried in an EDHOC message, but it then applies | endpoint or other information carried in an EDHOC message, but it then applies | |||
only to the later phases of the protocol when such information is known. (The I | only to the later phases of the protocol when such information is known. (The In | |||
nitiator does not know the identity of the Responder before having verified mess | itiator does not know the identity of the Responder before having verified messa | |||
age_2, and the Responder does not know the identity of the Initiator before havi | ge_2, and the Responder does not know the identity of the Initiator before havin | |||
ng verified message_3.)</t> | g verified message_3.)</t> | |||
<t>Other conditions may be part of the application profile, such as what | <t>Other conditions may be part of the application profile, such as what | |||
is the target application or use (if there is more than one application/use) to | is the target application or use (if there is more than one application/use) to | |||
the extent that EDHOC can distinguish between them. In case multiple applicatio | the extent that EDHOC can distinguish between them. In case multiple applicatio | |||
n profiles are used, the receiver needs to be able to determine which is applica | n profiles are used, the receiver needs to be able to determine which is applica | |||
ble for a given EDHOC session, for example based on URI to which the EDHOC messa | ble for a given EDHOC session, for example, based on the URI to which the EDHOC | |||
ge is sent, or external authorization data type.</t> | message is sent, or external authorization data type.</t> | |||
</section> | </section> | |||
</section> | </section> | |||
<section anchor="key-der"> | <section anchor="key-der"> | |||
<name>Key Derivation</name> | <name>Key Derivation</name> | |||
<section anchor="keys-for-edhoc-message-processing"> | <section anchor="keys-for-edhoc-message-processing"> | |||
<name>Keys for EDHOC Message Processing</name> | <name>Keys for EDHOC Message Processing</name> | |||
<t>EDHOC uses Extract-and-Expand <xref target="RFC5869"/> with the EDHOC | <t>EDHOC uses Extract-and-Expand <xref target="RFC5869"/> with the EDHOC | |||
hash algorithm in the selected cipher suite to derive keys used in message proc | hash algorithm in the selected cipher suite to derive keys used in message proc | |||
essing. This section defines EDHOC_Extract (<xref target="extract"/>) and EDHOC_ | essing. This section defines EDHOC_Extract (<xref target="extract"/>) and EDHOC_ | |||
Expand (<xref target="expand"/>), and how to use them to derive PRK_out (<xref t | Expand (<xref target="expand"/>) and how to use them to derive PRK_out (<xref ta | |||
arget="prkout"/>) which is the shared secret session key resulting from a comple | rget="prkout"/>), which is the shared secret session key resulting from a comple | |||
ted EDHOC session.</t> | ted EDHOC session.</t> | |||
<t>EDHOC_Extract is used to derive fixed-length uniformly pseudorandom k | <t>EDHOC_Extract is used to derive fixed-length uniformly pseudorandom k | |||
eys (PRK) from ECDH shared secrets. EDHOC_Expand is used to define EDHOC_KDF for | eys (PRKs) from ECDH shared secrets. EDHOC_Expand is used to define EDHOC_KDF fo | |||
generating MACs and for deriving output keying material (OKM) from PRKs.</t> | r generating MACs and for deriving output keying material (OKM) from PRKs.</t> | |||
<t>In EDHOC a specific message is protected with a certain pseudorandom | <t>In EDHOC, a specific message is protected with a certain PRK, but how | |||
key, but how the key is derived depends on the authentication method (<xref targ | the key is derived depends on the authentication method (<xref target="method"/ | |||
et="method"/>) as detailed in <xref target="asym"/>.</t> | >), as detailed in <xref target="asym"/>.</t> | |||
<!-- A diagram of the EDHOC key schedule can be found in Figure 2 of {{V | ||||
ucinic22}}. TBD: Rewrite the diagram --> | ||||
<section anchor="extract"> | <section anchor="extract"> | |||
<name>EDHOC_Extract</name> | <name>EDHOC_Extract</name> | |||
<t>The pseudorandom keys (PRKs) used for EDHOC message processing are derived using EDHOC_Extract:</t> | <t>The pseudorandom keys (PRKs) used for EDHOC message processing are derived using EDHOC_Extract:</t> | |||
<artwork><![CDATA[ | <artwork><![CDATA[ | |||
PRK = EDHOC_Extract( salt, IKM ) | PRK = EDHOC_Extract( salt, IKM ) | |||
]]></artwork> | ]]></artwork> | |||
<t>where the input keying material (IKM) and salt are defined for each PRK below.</t> | <t>where the input keying material (IKM) and salt are defined for each PRK below.</t> | |||
<t>The definition of EDHOC_Extract depends on the EDHOC hash algorithm of the selected cipher suite:</t> | <t>The definition of EDHOC_Extract depends on the EDHOC hash algorithm of the selected cipher suite:</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>if the EDHOC hash algorithm is SHA-2, then EDHOC_Extract( salt, | <li>If the EDHOC hash algorithm is SHA-2, then EDHOC_Extract( salt, | |||
IKM ) = HKDF-Extract( salt, IKM ) <xref target="RFC5869"/></li> | IKM ) = HKDF-Extract( salt, IKM ) <xref target="RFC5869"/>.</li> | |||
<li>if the EDHOC hash algorithm is SHAKE128, then EDHOC_Extract( sal | <li>If the EDHOC hash algorithm is SHAKE128, then EDHOC_Extract( sal | |||
t, IKM ) = KMAC128( salt, IKM, 256, "" )</li> | t, IKM ) = KMAC128( salt, IKM, 256, "" ).</li> | |||
<li>if the EDHOC hash algorithm is SHAKE256, then EDHOC_Extract( sal | <li>If the EDHOC hash algorithm is SHAKE256, then EDHOC_Extract( sal | |||
t, IKM ) = KMAC256( salt, IKM, 512, "" )</li> | t, IKM ) = KMAC256( salt, IKM, 512, "" ).</li> | |||
</ul> | </ul> | |||
<t>where the Keccak message authentication code (KMAC) is specified in | <t>where the Keccak Message Authentication Code (KMAC) is specified in | |||
<xref target="SP800-185"/>.</t> | <xref target="SP800-185"/>.</t> | |||
<t>The rest of the section defines the pseudorandom keys PRK_2e, PRK_3 | <t>The rest of the section defines the pseudorandom keys PRK_2e, PRK_3 | |||
e2m and PRK_4e3m; their use is shown in <xref target="fig-edhoc-kdf"/>. The inde | e2m, and PRK_4e3m; their use is shown in <xref target="fig-edhoc-kdf"/>. The ind | |||
x of a PRK indicates its use or in what message protection operation it is invol | ex of a PRK indicates its use or in what message protection operation it is invo | |||
ved. For example, PRK_3e2m is involved in the encryption of message 3 and in cal | lved. For example, PRK_3e2m is involved in the encryption of message 3 and in c | |||
culating the MAC of message 2.</t> | alculating the MAC of message 2.</t> | |||
<section anchor="prk2e"> | <section anchor="prk2e"> | |||
<name>PRK_2e</name> | <name>PRK_2e</name> | |||
<t>The pseudorandom key PRK_2e is derived with the following input:< /t> | <t>The pseudorandom key PRK_2e is derived with the following input:< /t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>The salt SHALL be TH_2.</li> | <li>The salt <bcp14>SHALL</bcp14> be TH_2.</li> | |||
<li>The IKM SHALL be the ephemeral-ephemeral ECDH shared secret G_ | <li>The IKM <bcp14>SHALL</bcp14> be the ephemeral-ephemeral ECDH s | |||
XY (calculated from G_X and Y or G_Y and X) as defined in <xref section="6.3.1" | hared secret G_XY (calculated from G_X and Y or G_Y and X) as defined in <xref s | |||
sectionFormat="of" target="RFC9053"/>. The use of G_XY gives forward secrecy, in | ection="6.3.1" sectionFormat="of" target="RFC9053"/>. The use of G_XY gives forw | |||
the sense that compromise of the private authentication keys does not compromis | ard secrecy in the sense that compromise of the private authentication keys does | |||
e past session keys.</li> | not compromise past session keys.</li> | |||
</ul> | </ul> | |||
<t>Example: Assuming the use of curve25519, the ECDH shared secret G _XY is the output of the X25519 function <xref target="RFC7748"/>:</t> | <t>Example: Assuming the use of curve25519, the ECDH shared secret G _XY is the output of the X25519 function <xref target="RFC7748"/>:</t> | |||
<artwork><![CDATA[ | <artwork><![CDATA[ | |||
G_XY = X25519( Y, G_X ) = X25519( X, G_Y ) | G_XY = X25519( Y, G_X ) = X25519( X, G_Y ) | |||
]]></artwork> | ]]></artwork> | |||
<t>Example: Assuming the use of SHA-256 the extract phase of HKDF pr oduces PRK_2e as follows:</t> | <t>Example: Assuming the use of SHA-256, the extract phase of the Ke y Derivation Function (HKDF) produces PRK_2e as follows:</t> | |||
<artwork><![CDATA[ | <artwork><![CDATA[ | |||
PRK_2e = HMAC-SHA-256( TH_2, G_XY ) | PRK_2e = HMAC-SHA-256( TH_2, G_XY ) | |||
]]></artwork> | ]]></artwork> | |||
</section> | </section> | |||
<section anchor="prk3e2m"> | <section anchor="prk3e2m"> | |||
<name>PRK_3e2m</name> | <name>PRK_3e2m</name> | |||
<t>The pseudorandom key PRK_3e2m is derived as follows:</t> | <t>The pseudorandom key PRK_3e2m is derived as follows:</t> | |||
<t>If the Responder authenticates with a static Diffie-Hellman key, then PRK_3e2m = EDHOC_Extract( SALT_3e2m, G_RX ), where</t> | <t>If the Responder authenticates with a static Diffie-Hellman key, then PRK_3e2m = EDHOC_Extract( SALT_3e2m, G_RX ), where</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>SALT_3e2m is derived from PRK_2e, see <xref target="expand"/>, | <li>SALT_3e2m is derived from PRK_2e (see <xref target="expand"/>) | |||
and</li> | and</li> | |||
<li>G_RX is the ECDH shared secret calculated from G_R and X, or G | <li>G_RX is the ECDH shared secret calculated from G_R and X, or G | |||
_X and R (the Responder's private authentication key, see <xref target="auth-key | _X and R (the Responder's private authentication key; see <xref target="auth-key | |||
s"/>),</li> | s"/>),</li> | |||
</ul> | </ul> | |||
<t>else PRK_3e2m = PRK_2e.</t> | <t>else PRK_3e2m = PRK_2e.</t> | |||
</section> | </section> | |||
<section anchor="prk4e3m"> | <section anchor="prk4e3m"> | |||
<name>PRK_4e3m</name> | <name>PRK_4e3m</name> | |||
<t>The pseudorandom key PRK_4e3m is derived as follows:</t> | <t>The pseudorandom key PRK_4e3m is derived as follows:</t> | |||
<t>If the Initiator authenticates with a static Diffie-Hellman key, then PRK_4e3m = EDHOC_Extract( SALT_4e3m, G_IY ), where</t> | <t>If the Initiator authenticates with a static Diffie-Hellman key, then PRK_4e3m = EDHOC_Extract( SALT_4e3m, G_IY ), where</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>SALT_4e3m is derived from PRK_3e2m, see <xref target="expand"/ | <li>SALT_4e3m is derived from PRK_3e2m (see <xref target="expand"/ | |||
>, and</li> | >) and</li> | |||
<li>G_IY is the ECDH shared secret calculated from G_I and Y, or G | <li>G_IY is the ECDH shared secret calculated from G_I and Y, or G | |||
_Y and I (the Initiator's private authentication key, see <xref target="auth-key | _Y and I (the Initiator's private authentication key; see <xref target="auth-key | |||
s"/>),</li> | s"/>),</li> | |||
</ul> | </ul> | |||
<t>else PRK_4e3m = PRK_3e2m.</t> | <t>else PRK_4e3m = PRK_3e2m.</t> | |||
</section> | </section> | |||
</section> | </section> | |||
<section anchor="expand"> | <section anchor="expand"> | |||
<name>EDHOC_Expand and EDHOC_KDF</name> | <name>EDHOC_Expand and EDHOC_KDF</name> | |||
<t>The output keying material (OKM) - including keys, IVs, and salts - are derived from the PRKs using the EDHOC_KDF, which is defined through EDHOC_E xpand:</t> | <t>The output keying material (OKM) -- including keys, initialization vectors (IVs), and salts -- are derived from the PRKs using the EDHOC_KDF, which is defined through EDHOC_Expand:</t> | |||
<artwork><![CDATA[ | <artwork><![CDATA[ | |||
OKM = EDHOC_KDF( PRK, info_label, context, length ) | OKM = EDHOC_KDF( PRK, info_label, context, length ) | |||
= EDHOC_Expand( PRK, info, length ) | = EDHOC_Expand( PRK, info, length ) | |||
]]></artwork> | ]]></artwork> | |||
<t>where info is encoded as the CBOR sequence</t> | <t>where info is encoded as the CBOR sequence:</t> | |||
<sourcecode type="CDDL"><![CDATA[ | <sourcecode type="cbor"><![CDATA[ | |||
info = ( | info = ( | |||
info_label : int, | info_label : int, | |||
context : bstr, | context : bstr, | |||
length : uint, | length : uint, | |||
) | ) | |||
]]></sourcecode> | ]]></sourcecode> | |||
<t>where</t> | <t>where:</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>info_label is an int</li> | <li>info_label is an int,</li> | |||
<li>context is a bstr</li> | <li>context is a bstr, and</li> | |||
<li>length is the length of OKM in bytes</li> | <li>length is the length of OKM in bytes.</li> | |||
</ul> | </ul> | |||
<t>When EDHOC_KDF is used to derive OKM for EDHOC message processing, then context includes one of the transcript hashes TH_2, TH_3, or TH_4 defined i n Sections <xref target="asym-msg2-proc" format="counter"/> and <xref target="as ym-msg3-proc" format="counter"/>.</t> | <t>When EDHOC_KDF is used to derive OKM for EDHOC message processing, then the context includes one of the transcript hashes, TH_2, TH_3, or TH_4, def ined in Sections <xref target="asym-msg2-proc" format="counter"/> and <xref targ et="asym-msg3-proc" format="counter"/>.</t> | |||
<t>The definition of EDHOC_Expand depends on the EDHOC hash algorithm of the selected cipher suite:</t> | <t>The definition of EDHOC_Expand depends on the EDHOC hash algorithm of the selected cipher suite:</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>if the EDHOC hash algorithm is SHA-2, then EDHOC_Expand( PRK, in | <li>If the EDHOC hash algorithm is SHA-2, then EDHOC_Expand( PRK, in | |||
fo, length ) = HKDF-Expand( PRK, info, length ) <xref target="RFC5869"/></li> | fo, length ) = HKDF-Expand( PRK, info, length ) <xref target="RFC5869"/>.</li> | |||
<li>if the EDHOC hash algorithm is SHAKE128, then EDHOC_Expand( PRK, | <li>If the EDHOC hash algorithm is SHAKE128, then EDHOC_Expand( PRK, | |||
info, length ) = KMAC128( PRK, info, L, "" )</li> | info, length ) = KMAC128( PRK, info, L, "" ).</li> | |||
<li>if the EDHOC hash algorithm is SHAKE256, then EDHOC_Expand( PRK, | <li>If the EDHOC hash algorithm is SHAKE256, then EDHOC_Expand( PRK, | |||
info, length ) = KMAC256( PRK, info, L, "" )</li> | info, length ) = KMAC256( PRK, info, L, "" ).</li> | |||
</ul> | </ul> | |||
<t>where L = 8 <contact fullname="⋅"/> length, the output length in bi | <t>where L = 8 ⋅ length, the output length in bits.</t> | |||
ts.</t> | <t><xref target="fig-edhoc-kdf"/> lists derivations made with EDHOC_KD | |||
<t><xref target="fig-edhoc-kdf"/> lists derivations made with EDHOC_KD | F, where:</t> | |||
F, where</t> | ||||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>hash_length - length of output size of the EDHOC hash algorithm | <li>hash_length is the length of output size of the EDHOC hash algor | |||
of the selected cipher suite</li> | ithm of the selected cipher suite,</li> | |||
<li>key_length - length of the encryption key of the EDHOC AEAD algo | <li>key_length is the length of the encryption key of the EDHOC AEAD | |||
rithm of the selected cipher suite</li> | algorithm of the selected cipher suite, and</li> | |||
<li>iv_length - length of the initialization vector of the EDHOC AEA | <li>iv_length is the length of the initialization vector of the EDHO | |||
D algorithm of the selected cipher suite</li> | C AEAD algorithm of the selected cipher suite</li> | |||
</ul> | </ul> | |||
<t>Further details of the key derivation and how the output keying mat erial is used are specified in <xref target="asym"/>.</t> | <t>Further details of the key derivation and how the output keying mat erial is used are specified in <xref target="asym"/>.</t> | |||
<figure anchor="fig-edhoc-kdf"> | <figure anchor="fig-edhoc-kdf"> | |||
<name>Key derivations using EDHOC_KDF. h'' is CBOR diagnostic notati on for the empty byte string, 0x40.</name> | <name>Key Derivations Using EDHOC_KDF</name> | |||
<artwork align="center"><![CDATA[ | <artwork align="center"><![CDATA[ | |||
KEYSTREAM_2 = EDHOC_KDF( PRK_2e, 0, TH_2, plaintext_length ) | KEYSTREAM_2 = EDHOC_KDF( PRK_2e, 0, TH_2, plaintext_length ) | |||
SALT_3e2m = EDHOC_KDF( PRK_2e, 1, TH_2, hash_length ) | SALT_3e2m = EDHOC_KDF( PRK_2e, 1, TH_2, hash_length ) | |||
MAC_2 = EDHOC_KDF( PRK_3e2m, 2, context_2, mac_length_2 ) | MAC_2 = EDHOC_KDF( PRK_3e2m, 2, context_2, mac_length_2 ) | |||
K_3 = EDHOC_KDF( PRK_3e2m, 3, TH_3, key_length ) | K_3 = EDHOC_KDF( PRK_3e2m, 3, TH_3, key_length ) | |||
IV_3 = EDHOC_KDF( PRK_3e2m, 4, TH_3, iv_length ) | IV_3 = EDHOC_KDF( PRK_3e2m, 4, TH_3, iv_length ) | |||
SALT_4e3m = EDHOC_KDF( PRK_3e2m, 5, TH_3, hash_length ) | SALT_4e3m = EDHOC_KDF( PRK_3e2m, 5, TH_3, hash_length ) | |||
MAC_3 = EDHOC_KDF( PRK_4e3m, 6, context_3, mac_length_3 ) | MAC_3 = EDHOC_KDF( PRK_4e3m, 6, context_3, mac_length_3 ) | |||
PRK_out = EDHOC_KDF( PRK_4e3m, 7, TH_4, hash_length ) | PRK_out = EDHOC_KDF( PRK_4e3m, 7, TH_4, hash_length ) | |||
K_4 = EDHOC_KDF( PRK_4e3m, 8, TH_4, key_length ) | K_4 = EDHOC_KDF( PRK_4e3m, 8, TH_4, key_length ) | |||
IV_4 = EDHOC_KDF( PRK_4e3m, 9, TH_4, iv_length ) | IV_4 = EDHOC_KDF( PRK_4e3m, 9, TH_4, iv_length ) | |||
PRK_exporter = EDHOC_KDF( PRK_out, 10, h'', hash_length ) | PRK_exporter = EDHOC_KDF( PRK_out, 10, h'', hash_length ) | |||
]]></artwork> | ]]></artwork> | |||
</figure> | </figure> | |||
<t>h'' is CBOR diagnostic notation for the empty byte string, 0x40.</t> | ||||
</section> | </section> | |||
<section anchor="prkout"> | <section anchor="prkout"> | |||
<name>PRK_out</name> | <name>PRK_out</name> | |||
<t>The pseudorandom key PRK_out, derived as shown in <xref target="fig -edhoc-kdf"/>, is the output session key of a completed EDHOC session.</t> | <t>The pseudorandom key PRK_out, derived as shown in <xref target="fig -edhoc-kdf"/>, is the output session key of a completed EDHOC session.</t> | |||
<t>Keys for applications are derived using EDHOC_Exporter (see <xref t arget="exporter"/>) from PRK_exporter, which in turn is derived from PRK_out as shown in <xref target="fig-edhoc-kdf"/>. For the purpose of generating applicati on keys, it is sufficient to store PRK_out or PRK_exporter. (Note that the word "store" used here does not imply that the application has access to the plaintex t PRK_out since that may be reserved for code within a Trusted Execution Environ ment, see <xref target="impl-cons"/>).</t> | <t>Keys for applications are derived using EDHOC_Exporter (see <xref t arget="exporter"/>) from PRK_exporter, which in turn is derived from PRK_out as shown in <xref target="fig-edhoc-kdf"/>. For the purpose of generating applicati on keys, it is sufficient to store PRK_out or PRK_exporter. (Note that the word "store" used here does not imply that the application has access to the plaintex t PRK_out since that may be reserved for code within a Trusted Execution Environ ment (TEE); see <xref target="impl-cons"/>.)</t> | |||
</section> | </section> | |||
</section> | </section> | |||
<section anchor="keys-for-edhoc-applications"> | <section anchor="keys-for-edhoc-applications"> | |||
<name>Keys for EDHOC Applications</name> | <name>Keys for EDHOC Applications</name> | |||
<t>This section defines EDHOC_Exporter in terms of EDHOC_KDF and PRK_exp orter. A key update function is defined in <xref target="keyupdate"/>.</t> | <t>This section defines EDHOC_Exporter in terms of EDHOC_KDF and PRK_exp orter. A key update function is defined in <xref target="keyupdate"/>.</t> | |||
<section anchor="exporter"> | <section anchor="exporter"> | |||
<name>EDHOC_Exporter</name> | <name>EDHOC_Exporter</name> | |||
<t>Keying material for the application can be derived using the EDHOC_ Exporter interface defined as:</t> | <t>Keying material for the application can be derived using the EDHOC_ Exporter interface defined as:</t> | |||
<artwork><![CDATA[ | <artwork><![CDATA[ | |||
EDHOC_Exporter(exporter_label, context, length) | EDHOC_Exporter(exporter_label, context, length) | |||
= EDHOC_KDF(PRK_exporter, exporter_label, context, length) | = EDHOC_KDF(PRK_exporter, exporter_label, context, length) | |||
]]></artwork> | ]]></artwork> | |||
<t>where</t> | <t>where:</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>exporter_label is a registered uint from the EDHOC_Exporter Labe | <li>exporter_label is a registered uint from the "EDHOC Exporter Lab | |||
l registry (<xref target="exporter-label"/>)</li> | els" registry (<xref target="exporter-label"/>),</li> | |||
<li>context is a bstr defined by the application</li> | <li>context is a bstr defined by the application, and</li> | |||
<li>length is a uint defined by the application</li> | <li>length is a uint defined by the application.</li> | |||
</ul> | </ul> | |||
<t>The (exporter_label, context) pair used in EDHOC_Exporter must be u nique, i.e., an (exporter_label, context) MUST NOT be used for two different pur poses. However, an application can re-derive the same key several times as long as it is done securely. For example, in most encryption algorithms the same key can be reused with different nonces. The context can for example be the empty CB OR byte string.</t> | <t>The (exporter_label, context) pair used in EDHOC_Exporter must be u nique, i.e., an (exporter_label, context) <bcp14>MUST NOT</bcp14> be used for tw o different purposes. However, an application can re-derive the same key several times as long as it is done securely. For example, in most encryption algorithm s, the same key can be reused with different nonces. The context can, for exampl e, be the empty CBOR byte string.</t> | |||
<t>Examples of use of the EDHOC_Exporter are given in <xref target="tr ansfer"/>.</t> | <t>Examples of use of the EDHOC_Exporter are given in <xref target="tr ansfer"/>.</t> | |||
</section> | </section> | |||
</section> | </section> | |||
</section> | </section> | |||
<section anchor="asym"> | <section anchor="asym"> | |||
<name>Message Formatting and Processing</name> | <name>Message Formatting and Processing</name> | |||
<t>This section specifies formatting of the messages and processing steps. | <t>This section specifies formatting of the messages and processing steps. | |||
Error messages are specified in <xref target="error"/>. Annotated traces of EDH | Error messages are specified in <xref target="error"/>. Annotated traces of EDH | |||
OC sessions are provided in <xref target="I-D.ietf-lake-traces"/>.</t> | OC sessions are provided in <xref target="RFC9529"/>.</t> | |||
<t>An EDHOC message is encoded as a sequence of CBOR data items (CBOR Sequ | <t>An EDHOC message is encoded as a sequence of CBOR data items (CBOR Sequ | |||
ence, <xref target="RFC8742"/>). | ence <xref target="RFC8742"/>). | |||
Additional optimizations are made to reduce message overhead.</t> | Additional optimizations are made to reduce message overhead.</t> | |||
<t>While EDHOC uses the COSE_Key, COSE_Sign1, and COSE_Encrypt0 structures , only a subset of the parameters is included in the EDHOC messages, see <xref t arget="COSE"/>. In order to recreate the COSE object, the recipient endpoint may need to add parameters to the COSE headers not included in the EDHOC message, f or example the parameter 'alg' to COSE_Sign1 or COSE_Encrypt0.</t> | <t>While EDHOC uses the COSE_Key, COSE_Sign1, and COSE_Encrypt0 structures , only a subset of the parameters is included in the EDHOC messages; see <xref t arget="COSE"/>. In order to recreate the COSE object, the recipient endpoint may need to add parameters to the COSE headers not included in the EDHOC message, f or example, the parameter 'alg' to COSE_Sign1 or COSE_Encrypt0.</t> | |||
<section anchor="proc-outline"> | <section anchor="proc-outline"> | |||
<name>EDHOC Message Processing Outline</name> | <name>EDHOC Message Processing Outline</name> | |||
<t>For each new/ongoing EDHOC session, the endpoints are assumed to keep | <t>For each new/ongoing EDHOC session, the endpoints are assumed to keep | |||
an associated protocol state containing identifiers, keying material, etc. used | an associated protocol state containing identifiers, keying material, etc. used | |||
for subsequent processing of protocol related data. The protocol state is assum | for subsequent processing of protocol-related data. The protocol state is assum | |||
ed to be associated with an application profile (<xref target="applicability"/>) | ed to be associated with an application profile (<xref target="applicability"/>) | |||
which provides the context for how messages are transported, identified, and pr | that provides the context for how messages are transported, identified, and pro | |||
ocessed.</t> | cessed.</t> | |||
<t>EDHOC messages SHALL be processed according to the current protocol s | <t>EDHOC messages <bcp14>SHALL</bcp14> be processed according to the cur | |||
tate. The following steps are expected to be performed at reception of an EDHOC | rent protocol state. The following steps are expected to be performed at recepti | |||
message:</t> | on of an EDHOC message:</t> | |||
<ol spacing="normal" type="1"><li>Detect that an EDHOC message has been | <ol spacing="normal" type="1"><li>Detect that an EDHOC message has been | |||
received, for example by means of port number, URI, or media type (<xref target= | received, for example, by means of a port number, URI, or media type (<xref targ | |||
"applicability"/>).</li> | et="applicability"/>).</li> | |||
<li>Retrieve the protocol state according to the message correlation, | <li>Retrieve the protocol state according to the message correlation; | |||
see <xref target="ci-edhoc"/>. If there is no protocol state, in the case of mes | see <xref target="ci-edhoc"/>. If there is no protocol state, in the case of mes | |||
sage_1, a new protocol state is created. The Responder endpoint needs to make us | sage_1, a new protocol state is created. The Responder endpoint needs to make us | |||
e of available denial-of-service mitigation (<xref target="dos"/>).</li> | e of available denial-of-service mitigation (<xref target="dos"/>).</li> | |||
<li>If the message received is an error message, then process it accor ding to <xref target="error"/>, else process it as the expected next message acc ording to the protocol state.</li> | <li>If the message received is an error message, then process it accor ding to <xref target="error"/>, else process it as the expected next message acc ording to the protocol state.</li> | |||
</ol> | </ol> | |||
<t>The message processing steps SHALL be processed in order, unless othe | <t>The message processing steps <bcp14>SHALL</bcp14> be processed in ord | |||
rwise stated. If the processing fails for some reason then, typically, an error | er, unless otherwise stated. If the processing fails for some reason, then typic | |||
message is sent, the EDHOC session is aborted, and the protocol state erased. Wh | ally an error message is sent, the EDHOC session is aborted, and the protocol st | |||
en the composition and sending of one message is completed and before the next m | ate is erased. When the composition and sending of one message is completed and | |||
essage is received, error messages SHALL NOT be sent.</t> | before the next message is received, error messages <bcp14>SHALL NOT</bcp14> be | |||
<t>After having successfully processed the last message (message_3 or me | sent.</t> | |||
ssage_4 depending on application profile) the EDHOC session is completed, after | <t>After having successfully processed the last message (message_3 or me | |||
which no error messages are sent and EDHOC session output MAY be maintained even | ssage_4 depending on application profile), the EDHOC session is completed; after | |||
if error messages are received. Further details are provided in the following s | which, no error messages are sent and EDHOC session output <bcp14>MAY</bcp14> b | |||
ubsections and in <xref target="error"/>.</t> | e maintained even if error messages are received. Further details are provided i | |||
<t>Different instances of the same message MUST NOT be processed in one | n the following subsections and in <xref target="error"/>.</t> | |||
EDHOC session. Note that processing will fail if the same message appears a sec | <t>Different instances of the same message <bcp14>MUST NOT</bcp14> be pr | |||
ond time for EDHOC processing in the same EDHOC session because the state of the | ocessed in one EDHOC session. Note that processing will fail if the same messag | |||
protocol has moved on and now expects something else. Message deduplication MUS | e appears a second time for EDHOC processing in the same EDHOC session because t | |||
T be done by the transport protocol (see <xref target="transport"/>) or, if not | he state of the protocol has moved on and now expects something else. Message de | |||
supported by the transport, as described in <xref target="duplication"/>.</t> | duplication <bcp14>MUST</bcp14> be done by the transport protocol (see <xref tar | |||
get="transport"/>) or, if not supported by the transport, as described in <xref | ||||
target="duplication"/>.</t> | ||||
</section> | </section> | |||
<section anchor="m1"> | <section anchor="m1"> | |||
<name>EDHOC Message 1</name> | <name>EDHOC Message 1</name> | |||
<section anchor="asym-msg1-form"> | <section anchor="asym-msg1-form"> | |||
<name>Formatting of Message 1</name> | <name>Formatting of Message 1</name> | |||
<t>message_1 SHALL be a CBOR Sequence (see <xref target="CBOR"/>) as d | <t>message_1 <bcp14>SHALL</bcp14> be a CBOR Sequence (see <xref target | |||
efined below</t> | ="CBOR"/>), as defined below.</t> | |||
<sourcecode type="CDDL"><![CDATA[ | <sourcecode type="cbor"><![CDATA[ | |||
message_1 = ( | message_1 = ( | |||
METHOD : int, | METHOD : int, | |||
SUITES_I : suites, | SUITES_I : suites, | |||
G_X : bstr, | G_X : bstr, | |||
C_I : bstr / -24..23, | C_I : bstr / -24..23, | |||
? EAD_1, | ? EAD_1, | |||
) | ) | |||
suites = [ 2* int ] / int | suites = [ 2* int ] / int | |||
EAD_1 = 1* ead | EAD_1 = 1* ead | |||
]]></sourcecode> | ]]></sourcecode> | |||
<t>where:</t> | <t>where:</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>METHOD - authentication method, see <xref target="method"/>.</li | <li>METHOD is an authentication method; see <xref target="method"/>, | |||
> | </li> | |||
<li>SUITES_I - array of cipher suites which the Initiator supports c | <li>SUITES_I is an array of cipher suites that the Initiator support | |||
onstructed as specified in <xref target="init-proc-msg1"/>.</li> | s constructed as specified in <xref target="init-proc-msg1"/>,</li> | |||
<li>G_X - the ephemeral public key of the Initiator</li> | <li>G_X is the ephemeral public key of the Initiator, and</li> | |||
<li>C_I - variable length connection identifier. Note that connectio | <li>C_I is the variable-length connection identifier (note that conn | |||
n identifiers are byte strings but certain values are represented as integers in | ection identifiers are byte strings but certain values are represented as intege | |||
the message, see <xref target="bstr-repr"/>.</li> | rs in the message; see <xref target="bstr-repr"/>), and</li> | |||
<li>EAD_1 - external authorization data, see <xref target="AD"/>.</l | <li>EAD_1 is the external authorization data; see <xref target="AD"/ | |||
i> | >.</li> | |||
</ul> | </ul> | |||
</section> | </section> | |||
<section anchor="init-proc-msg1"> | <section anchor="init-proc-msg1"> | |||
<name>Initiator Composition of Message 1</name> | <name>Initiator Composition of Message 1</name> | |||
<t>The processing steps are detailed below and in <xref target="wrong- selected"/>.</t> | <t>The processing steps are detailed below and in <xref target="wrong- selected"/>.</t> | |||
<t>The Initiator SHALL compose message_1 as follows:</t> | <t>The Initiator <bcp14>SHALL</bcp14> compose message_1 as follows:</t > | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li> | <li> | |||
<t>Construct SUITES_I as an array of cipher suites supported by I in order of preference by I with the first cipher suite in the array being the m ost preferred by I, and the last being the one selected by I for this EDHOC sess ion. If the cipher suite most preferred by I is selected then SUITES_I contains only that cipher suite and is encoded as an int. All cipher suites, if any, pref erred by I over the selected one MUST be included. (See also <xref target="wrong -selected"/>.) | <t>Construct SUITES_I as an array of cipher suites supported by I in order of preference by I with the first cipher suite in the array being the m ost preferred by I and the last being the one selected by I for this EDHOC sessi on. If the cipher suite most preferred by I is selected, then SUITES_I contains only that cipher suite and is encoded as an int. All cipher suites, if any, pref erred by I over the selected one <bcp14>MUST</bcp14> be included. (See also <xre f target="wrong-selected"/>.) | |||
</t> | </t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>The selected suite is based on what the Initiator can assume | <li>The selected suite is based on what the Initiator can assume | |||
to be supported by the Responder; if the Initiator previously received from the | to be supported by the Responder; if the Initiator previously received from the | |||
Responder an error message with error code 2 containing SUITES_R (see <xref tar | Responder has an error message with error code 2 containing SUITES_R (see <xref | |||
get="wrong-selected"/>) indicating cipher suites supported by the Responder, the | target="wrong-selected"/>) indicating cipher suites supported by the Responder, | |||
n the Initiator SHOULD select its most preferred supported cipher suite among th | then the Initiator <bcp14>SHOULD</bcp14> select its most preferred supported ci | |||
ose (bearing in mind that error messages may be forged).</li> | pher suite among those (bearing in mind that error messages may be forged).</li> | |||
<li>The Initiator MUST NOT change its order of preference for ci | <li>The Initiator <bcp14>MUST NOT</bcp14> change its order of pr | |||
pher suites, and MUST NOT omit a cipher suite preferred to the selected one beca | eference for cipher suites and <bcp14>MUST NOT</bcp14> omit a cipher suite prefe | |||
use of previous error messages received from the Responder.</li> | rred to the selected one because of previous error messages received from the Re | |||
sponder.</li> | ||||
</ul> | </ul> | |||
</li> | </li> | |||
<li>Generate an ephemeral ECDH key pair using the curve in the selec ted cipher suite and format it as a COSE_Key. Let G_X be the 'x' parameter of th e COSE_Key.</li> | <li>Generate an ephemeral ECDH key pair using the curve in the selec ted cipher suite and format it as a COSE_Key. Let G_X be the 'x' parameter of th e COSE_Key.</li> | |||
<li>Choose a connection identifier C_I and store it during the EDHOC session.</li> | <li>Choose a connection identifier C_I and store it during the EDHOC session.</li> | |||
<li>Encode message_1 as a sequence of CBOR encoded data items as spe cified in <xref target="asym-msg1-form"/></li> | <li>Encode message_1 as a sequence of CBOR-encoded data items as spe cified in <xref target="asym-msg1-form"/></li> | |||
</ul> | </ul> | |||
</section> | </section> | |||
<section anchor="resp-proc-msg1"> | <section anchor="resp-proc-msg1"> | |||
<name>Responder Processing of Message 1</name> | <name>Responder Processing of Message 1</name> | |||
<t>The Responder SHALL process message_1 in the following order:</t> | <t>The Responder <bcp14>SHALL</bcp14> process message_1 in the followi | |||
<ul spacing="normal"> | ng order:</t> | |||
<ol spacing="normal"> | ||||
<li>Decode message_1 (see <xref target="CBOR"/>).</li> | <li>Decode message_1 (see <xref target="CBOR"/>).</li> | |||
<li>Process message_1, in particular verify that the selected cipher suite is supported and that no prior cipher suite as ordered in SUITES_I is sup ported.</li> | <li>Process message_1. In particular, verify that the selected ciphe r suite is supported and that no prior cipher suite as ordered in SUITES_I is su pported.</li> | |||
<li>If all processing completed successfully, and if EAD_1 is presen t, then make it available to the application for EAD processing.</li> | <li>If all processing completed successfully, and if EAD_1 is presen t, then make it available to the application for EAD processing.</li> | |||
</ul> | </ol> | |||
<t>If any processing step fails, then the Responder MUST send an EDHOC | <t>If any processing step fails, then the Responder <bcp14>MUST</bcp14 | |||
error message back as defined in <xref target="error"/>, and the EDHOC session | > send an EDHOC error message back as defined in <xref target="error"/>, and the | |||
MUST be aborted.</t> | EDHOC session <bcp14>MUST</bcp14> be aborted.</t> | |||
</section> | </section> | |||
</section> | </section> | |||
<section anchor="m2"> | <section anchor="m2"> | |||
<name>EDHOC Message 2</name> | <name>EDHOC Message 2</name> | |||
<section anchor="asym-msg2-form"> | <section anchor="asym-msg2-form"> | |||
<name>Formatting of Message 2</name> | <name>Formatting of Message 2</name> | |||
<t>message_2 SHALL be a CBOR Sequence (see <xref target="CBOR"/>) as d | <t>message_2 <bcp14>SHALL</bcp14> be a CBOR Sequence (see <xref target | |||
efined below</t> | ="CBOR"/>), as defined below.</t> | |||
<sourcecode type="CDDL"><![CDATA[ | <sourcecode type="cbor"><![CDATA[ | |||
message_2 = ( | message_2 = ( | |||
G_Y_CIPHERTEXT_2 : bstr, | G_Y_CIPHERTEXT_2 : bstr, | |||
) | ) | |||
]]></sourcecode> | ]]></sourcecode> | |||
<t>where:</t> | <t>where:</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>G_Y_CIPHERTEXT_2 - the concatenation of G_Y (i.e., the ephemeral public key of the Responder) and CIPHERTEXT_2.</li> | <li>G_Y_CIPHERTEXT_2 is the concatenation of G_Y (i.e., the ephemera l public key of the Responder) and CIPHERTEXT_2.</li> | |||
</ul> | </ul> | |||
</section> | </section> | |||
<section anchor="asym-msg2-proc"> | <section anchor="asym-msg2-proc"> | |||
<name>Responder Composition of Message 2</name> | <name>Responder Composition of Message 2</name> | |||
<t>The Responder SHALL compose message_2 as follows:</t> | <t>The Responder <bcp14>SHALL</bcp14> compose message_2 as follows:</t > | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>Generate an ephemeral ECDH key pair using the curve in the selec ted cipher suite and format it as a COSE_Key. Let G_Y be the 'x' parameter of th e COSE_Key.</li> | <li>Generate an ephemeral ECDH key pair using the curve in the selec ted cipher suite and format it as a COSE_Key. Let G_Y be the 'x' parameter of th e COSE_Key.</li> | |||
<li>Choose a connection identifier C_R and store it for the length o f the EDHOC session.</li> | <li>Choose a connection identifier C_R and store it for the length o f the EDHOC session.</li> | |||
<li>Compute the transcript hash TH_2 = H( G_Y, H(message_1) ) where H() is the EDHOC hash algorithm of the selected cipher suite. The input to the h ash function is a CBOR Sequence. Note that H(message_1) can be computed and cach ed already in the processing of message_1.</li> | <li>Compute the transcript hash TH_2 = H( G_Y, H(message_1) ), where H() is the EDHOC hash algorithm of the selected cipher suite. The input to the hash function is a CBOR Sequence. Note that H(message_1) can be computed and cac hed already in the processing of message_1.</li> | |||
<li> | <li> | |||
<t>Compute MAC_2 as in <xref target="expand"/> with context_2 = &l t;< ID_CRED_R, TH_2, CRED_R, ? EAD_2 >> (see <xref target="CBOR"/> for notation) | <t>Compute MAC_2 as in <xref target="expand"/> with context_2 = &l t;< C_R, ID_CRED_R, TH_2, CRED_R, ? EAD_2 >> (see <xref target="CBOR"/> for notation). | |||
</t> | </t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>If the Responder authenticates with a static Diffie-Hellman key (method equals 1 or 3), then mac_length_2 is the EDHOC MAC length of the sel ected cipher suite. If the Responder authenticates with a signature key (method equals 0 or 2), then mac_length_2 is equal to hash_length.</li> | <li>If the Responder authenticates with a static Diffie-Hellman key (method equals 1 or 3), then mac_length_2 is the EDHOC MAC length of the sel ected cipher suite. If the Responder authenticates with a signature key (method equals 0 or 2), then mac_length_2 is equal to hash_length.</li> | |||
<li>ID_CRED_R - identifier to facilitate the retrieval of CRED_R | <li>C_R is a variable-length connection identifier. Note that co | |||
, see <xref target="id_cred"/></li> | nnection identifiers are byte strings but certain values are represented as inte | |||
<li>CRED_R - CBOR item containing the authentication credential | gers in the message; see <xref target="bstr-repr"/>.</li> | |||
of the Responder, see <xref target="auth-cred"/></li> | <li>ID_CRED_R is the identifier to facilitate the retrieval of C | |||
<li>EAD_2 - external authorization data, see <xref target="AD"/> | RED_R; see <xref target="id_cred"/>.</li> | |||
</li> | <li>CRED_R is the CBOR item containing the authentication creden | |||
tial of the Responder; see <xref target="auth-cred"/>.</li> | ||||
<li>EAD_2 is the external authorization data; see <xref target=" | ||||
AD"/>.</li> | ||||
</ul> | </ul> | |||
</li> | </li> | |||
<li> | <li> | |||
<t>If the Responder authenticates with a static Diffie-Hellman key (method equals 1 or 3), then Signature_or_MAC_2 is MAC_2. If the Responder auth enticates with a signature key (method equals 0 or 2), then Signature_or_MAC_2 i s the 'signature' field of a COSE_Sign1 object, computed as specified in Section 4.4 of <xref target="RFC9053"/> using the signature algorithm of the selected c ipher suite, the private authentication key of the Responder, and the following parameters as input (see <xref target="COSE"/> for an overview of COSE and <xref target="CBOR"/> for notation): </t> | <t>If the Responder authenticates with a static Diffie-Hellman key (method equals 1 or 3), then Signature_or_MAC_2 is MAC_2. If the Responder auth enticates with a signature key (method equals 0 or 2), then Signature_or_MAC_2 i s the 'signature' field of a COSE_Sign1 object, computed as specified in <xref t arget="RFC9052" section="4.4" sectionFormat="of"/> and using the signature algor ithm of the selected cipher suite, the private authentication key of the Respond er, and the following parameters as input (see <xref target="COSE"/> for an over view of COSE and <xref target="CBOR"/> for notation): </t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>protected = << ID_CRED_R >></li> | <li>protected = << ID_CRED_R >></li> | |||
<li>external_aad = << TH_2, CRED_R, ? EAD_2 >></li> | <li>external_aad = << TH_2, CRED_R, ? EAD_2 >></li> | |||
<li>payload = MAC_2</li> | <li>payload = MAC_2</li> | |||
</ul> | </ul> | |||
</li> | </li> | |||
<li> | <li> | |||
<t>CIPHERTEXT_2 is calculated with a binary additive stream cipher , using a keystream generated with EDHOC_Expand, and the following plaintext: < /t> | <t>CIPHERTEXT_2 is calculated with a binary additive stream cipher , using a keystream generated with EDHOC_Expand and the following plaintext: </ t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li> | <li> | |||
<t>PLAINTEXT_2 = ( C_R, ID_CRED_R / bstr / -24..23, Signature_ or_MAC_2, ? EAD_2 ) </t> | <t>PLAINTEXT_2 = ( C_R, ID_CRED_R / bstr / -24..23, Signature_ or_MAC_2, ? EAD_2 ) </t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>If ID_CRED_R contains a single 'kid' parameter, i.e., ID | <li>If ID_CRED_R contains a single 'kid' parameter, i.e., ID | |||
_CRED_R = { 4 : kid_R }, then the compact encoding is applied, see <xref target= | _CRED_R = { 4 : kid_R }, then the compact encoding is applied; see <xref target= | |||
"compact-kid"/>.</li> | "compact-kid"/>.</li> | |||
<li>C_R - variable length connection identifier. Note that c | <li>C_R is the variable-length connection identifier. Note t | |||
onnection identifiers are byte strings but certain values are represented as int | hat connection identifiers are byte strings, but certain values are represented | |||
egers in the message, see <xref target="bstr-repr"/>.</li> | as integers in the message; see <xref target="bstr-repr"/>.</li> | |||
</ul> | </ul> | |||
</li> | </li> | |||
<li>Compute KEYSTREAM_2 as in <xref target="expand"/>, where pla intext_length is the length of PLAINTEXT_2. For the case of plaintext_length exc eeding the EDHOC_KDF output size, see <xref target="large-plaintext_2"/>.</li> | <li>Compute KEYSTREAM_2 as in <xref target="expand"/>, where pla intext_length is the length of PLAINTEXT_2. For the case of plaintext_length exc eeding the EDHOC_KDF output size, see <xref target="large-plaintext_2"/>.</li> | |||
<li>CIPHERTEXT_2 = PLAINTEXT_2 XOR KEYSTREAM_2</li> | <li>CIPHERTEXT_2 = PLAINTEXT_2 XOR KEYSTREAM_2</li> | |||
</ul> | </ul> | |||
</li> | </li> | |||
<li>Encode message_2 as a sequence of CBOR encoded data items as spe cified in <xref target="asym-msg2-form"/>.</li> | <li>Encode message_2 as a sequence of CBOR-encoded data items as spe cified in <xref target="asym-msg2-form"/>.</li> | |||
</ul> | </ul> | |||
</section> | </section> | |||
<section anchor="initiator-processing-of-message-2"> | <section anchor="initiator-processing-of-message-2"> | |||
<name>Initiator Processing of Message 2</name> | <name>Initiator Processing of Message 2</name> | |||
<t>The Initiator SHALL process message_2 in the following order:</t> | <t>The Initiator <bcp14>SHALL</bcp14> process message_2 in the followi | |||
<ul spacing="normal"> | ng order:</t> | |||
<ol spacing="normal"> | ||||
<li>Decode message_2 (see <xref target="CBOR"/>).</li> | <li>Decode message_2 (see <xref target="CBOR"/>).</li> | |||
<li>Retrieve the protocol state using available message correlation | <li>Retrieve the protocol state using available message correlation | |||
(e.g., the CoAP Token, the 5-tuple, or the prepended C_I, see <xref target="ci-e | (e.g., the CoAP Token, the 5-tuple, or the prepended C_I; see <xref target="ci-e | |||
dhoc"/>).</li> | dhoc"/>).</li> | |||
<li>Decrypt CIPHERTEXT_2, see <xref target="asym-msg2-proc"/>.</li> | <li>Decrypt CIPHERTEXT_2; see <xref target="asym-msg2-proc"/>.</li> | |||
<li>If all processing completed successfully, then make ID_CRED_R an | <li>If all processing is completed successfully, then make ID_CRED_R | |||
d (if present) EAD_2 available to the application for authentication- and EAD pr | and (if present) EAD_2 available to the application for authentication and EAD | |||
ocessing. When and how to perform authentication is up to the application.</li> | processing. When and how to perform authentication is up to the application.</li | |||
> | ||||
<li>Obtain the authentication credential (CRED_R) and the authentica tion key of R from the application (or by other means).</li> | <li>Obtain the authentication credential (CRED_R) and the authentica tion key of R from the application (or by other means).</li> | |||
<li>Verify Signature_or_MAC_2 using the algorithm in the selected ci | <li>Verify Signature_or_MAC_2 using the algorithm in the selected ci | |||
pher suite. The verification process depends on the method, see <xref target="as | pher suite. The verification process depends on the method; see <xref target="as | |||
ym-msg2-proc"/>. Make the result of the verification available to the applicatio | ym-msg2-proc"/>. Make the result of the verification available to the applicatio | |||
n.</li> | n.</li> | |||
</ul> | </ol> | |||
<t>If any processing step fails, then the Initiator MUST send an EDHOC | <t>If any processing step fails, then the Initiator <bcp14>MUST</bcp14 | |||
error message back as defined in <xref target="error"/>, and the EDHOC session | > send an EDHOC error message back as defined in <xref target="error"/>, and the | |||
MUST be aborted.</t> | EDHOC session <bcp14>MUST</bcp14> be aborted.</t> | |||
</section> | </section> | |||
</section> | </section> | |||
<section anchor="m3"> | <section anchor="m3"> | |||
<name>EDHOC Message 3</name> | <name>EDHOC Message 3</name> | |||
<section anchor="asym-msg3-form"> | <section anchor="asym-msg3-form"> | |||
<name>Formatting of Message 3</name> | <name>Formatting of Message 3</name> | |||
<t>message_3 SHALL be a CBOR Sequence (see <xref target="CBOR"/>) as d | <t>message_3 <bcp14>SHALL</bcp14> be a CBOR Sequence (see <xref target | |||
efined below</t> | ="CBOR"/>), as defined below.</t> | |||
<sourcecode type="CDDL"><![CDATA[ | <sourcecode type="cbor"><![CDATA[ | |||
message_3 = ( | message_3 = ( | |||
CIPHERTEXT_3 : bstr, | CIPHERTEXT_3 : bstr, | |||
) | ) | |||
]]></sourcecode> | ]]></sourcecode> | |||
</section> | </section> | |||
<section anchor="asym-msg3-proc"> | <section anchor="asym-msg3-proc"> | |||
<name>Initiator Composition of Message 3</name> | <name>Initiator Composition of Message 3</name> | |||
<t>The Initiator SHALL compose message_3 as follows:</t> | <t>The Initiator <bcp14>SHALL</bcp14> compose message_3 as follows:</t > | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>Compute the transcript hash TH_3 = H(TH_2, PLAINTEXT_2, CRED_R) where H() is the EDHOC hash algorithm of the selected cipher suite. The input to the hash function is a CBOR Sequence. Note that TH_3 can be computed and cached already in the processing of message_2.</li> | <li>Compute the transcript hash TH_3 = H(TH_2, PLAINTEXT_2, CRED_R), where H() is the EDHOC hash algorithm of the selected cipher suite. The input t o the hash function is a CBOR Sequence. Note that TH_3 can be computed and cache d already in the processing of message_2.</li> | |||
<li> | <li> | |||
<t>Compute MAC_3 as in <xref target="expand"/>, with context_3 = & lt;< ID_CRED_I, TH_3, CRED_I, ? EAD_3 >> | <t>Compute MAC_3 as in <xref target="expand"/>, with context_3 = & lt;< ID_CRED_I, TH_3, CRED_I, ? EAD_3 >> | |||
</t> | </t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>If the Initiator authenticates with a static Diffie-Hellman key (method equals 2 or 3), then mac_length_3 is the EDHOC MAC length of the sel ected cipher suite. If the Initiator authenticates with a signature key (method equals 0 or 1), then mac_length_3 is equal to hash_length.</li> | <li>If the Initiator authenticates with a static Diffie-Hellman key (method equals 2 or 3), then mac_length_3 is the EDHOC MAC length of the sel ected cipher suite. If the Initiator authenticates with a signature key (method equals 0 or 1), then mac_length_3 is equal to hash_length.</li> | |||
<li>ID_CRED_I - identifier to facilitate the retrieval of CRED_I | <li>ID_CRED_I is the identifier to facilitate the retrieval of C | |||
, see <xref target="id_cred"/></li> | RED_I; see <xref target="id_cred"/>.</li> | |||
<li>CRED_I - CBOR item containing the authentication credential | <li>CRED_I is the CBOR item containing the authentication creden | |||
of the Initiator, see <xref target="auth-cred"/></li> | tial of the Initiator; see <xref target="auth-cred"/>.</li> | |||
<li>EAD_3 - external authorization data, see <xref target="AD"/> | <li>EAD_3 is the external authorization data; see <xref target=" | |||
</li> | AD"/>.</li> | |||
</ul> | </ul> | |||
</li> | </li> | |||
<li> | <li> | |||
<t>If the Initiator authenticates with a static Diffie-Hellman key (method equals 2 or 3), then Signature_or_MAC_3 is MAC_3. If the Initiator auth enticates with a signature key (method equals 0 or 1), then Signature_or_MAC_3 i s the 'signature' field of a COSE_Sign1 object, computed as specified in Section 4.4 of <xref target="RFC9052"/> using the signature algorithm of the selected c ipher suite, the private authentication key of the Initiator, and the following parameters as input (see <xref target="COSE"/>): </t> | <t>If the Initiator authenticates with a static Diffie-Hellman key (method equals 2 or 3), then Signature_or_MAC_3 is MAC_3. If the Initiator auth enticates with a signature key (method equals 0 or 1), then Signature_or_MAC_3 i s the 'signature' field of a COSE_Sign1 object, computed as specified in <xref t arget="RFC9052" section="4.4" sectionFormat="of"/> and using the signature algor ithm of the selected cipher suite, the private authentication key of the Initiat or, and the following parameters as input (see <xref target="COSE"/>): </t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>protected = << ID_CRED_I >></li> | <li>protected = << ID_CRED_I >></li> | |||
<li>external_aad = << TH_3, CRED_I, ? EAD_3 >></li> | <li>external_aad = << TH_3, CRED_I, ? EAD_3 >></li> | |||
<li>payload = MAC_3</li> | <li>payload = MAC_3</li> | |||
</ul> | </ul> | |||
</li> | </li> | |||
<li> | <li> | |||
<t>Compute a COSE_Encrypt0 object as defined in Sections 5.2 and 5 .3 of <xref target="RFC9052"/>, with the EDHOC AEAD algorithm of the selected ci pher suite, using the encryption key K_3, the initialization vector IV_3 (if use d by the AEAD algorithm), the plaintext PLAINTEXT_3, and the following parameter s as input (see <xref target="COSE"/>): </t> | <t>Compute a COSE_Encrypt0 object as defined in Sections <xref tar get="RFC9052" section="5.2" sectionFormat="bare"/> and <xref target="RFC9052" se ction="5.3" sectionFormat="bare"/> of <xref target="RFC9052"/>, with the EDHOC A EAD algorithm of the selected cipher suite, using the encryption key K_3, the in itialization vector IV_3 (if used by the AEAD algorithm), the plaintext PLAINTEX T_3, and the following parameters as input (see <xref target="COSE"/>): </t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>protected = h''</li> | <li>protected = h''</li> | |||
<li>external_aad = TH_3</li> | <li>external_aad = TH_3</li> | |||
<li>K_3 and IV_3 are defined in <xref target="expand"/></li> | <li>K_3 and IV_3 are defined in <xref target="expand"/></li> | |||
<li> | <li> | |||
<t>PLAINTEXT_3 = ( ID_CRED_I / bstr / -24..23, Signature_or_MA C_3, ? EAD_3 ) </t> | <t>PLAINTEXT_3 = ( ID_CRED_I / bstr / -24..23, Signature_or_MA C_3, ? EAD_3 ) </t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>If ID_CRED_I contains a single 'kid' parameter, i.e., ID _CRED_I = { 4 : kid_I }, then the compact encoding is applied, see <xref target= "compact-kid"/>.</li> | <li>If ID_CRED_I contains a single 'kid' parameter, i.e., ID _CRED_I = { 4 : kid_I }, then the compact encoding is applied; see <xref target= "compact-kid"/>.</li> | |||
</ul> | </ul> | |||
</li> | </li> | |||
</ul> | </ul> | |||
<t> | <t> | |||
CIPHERTEXT_3 is the 'ciphertext' of COSE_Encrypt0.</t> | CIPHERTEXT_3 is the 'ciphertext' of COSE_Encrypt0.</t> | |||
</li> | </li> | |||
<li>Compute the transcript hash TH_4 = H(TH_3, PLAINTEXT_3, CRED_I) | <li>Compute the transcript hash TH_4 = H(TH_3, PLAINTEXT_3, CRED_I), | |||
where H() is the EDHOC hash algorithm of the selected cipher suite. The input to | where H() is the EDHOC hash algorithm of the selected cipher suite. The input t | |||
the hash function is a CBOR Sequence.</li> | o the hash function is a CBOR Sequence.</li> | |||
<li>Calculate PRK_out as defined in <xref target="fig-edhoc-kdf"/>. | <li>Calculate PRK_out as defined in <xref target="fig-edhoc-kdf"/>. | |||
The Initiator can now derive application keys using the EDHOC_Exporter interface | The Initiator can now derive application keys using the EDHOC_Exporter interface | |||
, see <xref target="exporter"/>.</li> | ; see <xref target="exporter"/>.</li> | |||
<li>Encode message_3 as a CBOR data item as specified in <xref targe t="asym-msg3-form"/>.</li> | <li>Encode message_3 as a CBOR data item as specified in <xref targe t="asym-msg3-form"/>.</li> | |||
<li>Make the connection identifiers (C_I, C_R) and the application a lgorithms in the selected cipher suite available to the application.</li> | <li>Make the connection identifiers (C_I and C_R) and the applicatio n algorithms in the selected cipher suite available to the application.</li> | |||
</ul> | </ul> | |||
<t>After creating message_3, the Initiator can compute PRK_out, see <x ref target="prkout"/>, and derive application keys using the EDHOC_Exporter inte rface, see <xref target="exporter"/>. The Initiator SHOULD NOT persistently stor e PRK_out or application keys until the Initiator has verified message_4 or a me ssage protected with a derived application key, such as an OSCORE message, from the Responder and the application has authenticated the Responder. This is simil ar to waiting for an acknowledgment (ACK) in a transport protocol. The Initiator SHOULD NOT send protected application data until the application has authentica ted the Responder.</t> | <t>After creating message_3, the Initiator can compute PRK_out (see <x ref target="prkout"/>) and derive application keys using the EDHOC_Exporter inte rface (see <xref target="exporter"/>). The Initiator <bcp14>SHOULD NOT</bcp14> p ersistently store PRK_out or application keys until the Initiator has verified m essage_4 or a message protected with a derived application key, such as an OSCOR E message, from the Responder and the application has authenticated the Responde r. This is similar to waiting for an acknowledgment (ACK) in a transport protoco l. The Initiator <bcp14>SHOULD NOT</bcp14> send protected application data until the application has authenticated the Responder.</t> | |||
</section> | </section> | |||
<section anchor="responder-processing-of-message-3"> | <section anchor="responder-processing-of-message-3"> | |||
<name>Responder Processing of Message 3</name> | <name>Responder Processing of Message 3</name> | |||
<t>The Responder SHALL process message_3 in the following order:</t> | <t>The Responder <bcp14>SHALL</bcp14> process message_3 in the followi | |||
<ul spacing="normal"> | ng order:</t> | |||
<ol spacing="normal"> | ||||
<li>Decode message_3 (see <xref target="CBOR"/>).</li> | <li>Decode message_3 (see <xref target="CBOR"/>).</li> | |||
<li>Retrieve the protocol state using available message correlation | <li>Retrieve the protocol state using available message correlation | |||
(e.g., the CoAP Token, the 5-tuple, or the prepended C_R, see <xref target="ci-e | (e.g., the CoAP Token, the 5-tuple, or the prepended C_R; see <xref target="ci-e | |||
dhoc"/>).</li> | dhoc"/>).</li> | |||
<li>Decrypt and verify the COSE_Encrypt0 as defined in Sections 5.2 | <li>Decrypt and verify the COSE_Encrypt0 as defined in Sections <xre | |||
and 5.3 of <xref target="RFC9052"/>, with the EDHOC AEAD algorithm in the select | f target="RFC9052" section="5.2" sectionFormat="bare"/> and <xref target="RFC905 | |||
ed cipher suite, and the parameters defined in <xref target="asym-msg3-proc"/>.< | 2" section="5.3" sectionFormat="bare"/> of <xref target="RFC9052"/>, with the ED | |||
/li> | HOC AEAD algorithm in the selected cipher suite and the parameters defined in <x | |||
<li>If all processing completed successfully, then make ID_CRED_I an | ref target="asym-msg3-proc"/>.</li> | |||
d (if present) EAD_3 available to the application for authentication- and EAD pr | <li>If all processing completed successfully, then make ID_CRED_I an | |||
ocessing. When and how to perform authentication is up to the application.</li> | d (if present) EAD_3 available to the application for authentication and EAD pro | |||
cessing. When and how to perform authentication is up to the application.</li> | ||||
<li>Obtain the authentication credential (CRED_I) and the authentica tion key of I from the application (or by other means).</li> | <li>Obtain the authentication credential (CRED_I) and the authentica tion key of I from the application (or by other means).</li> | |||
<li>Verify Signature_or_MAC_3 using the algorithm in the selected ci | <li>Verify Signature_or_MAC_3 using the algorithm in the selected ci | |||
pher suite. The verification process depends on the method, see <xref target="as | pher suite. The verification process depends on the method; see <xref target="as | |||
ym-msg3-proc"/>. Make the result of the verification available to the applicatio | ym-msg3-proc"/>. Make the result of the verification available to the applicatio | |||
n.</li> | n.</li> | |||
<li>Make the connection identifiers (C_I, C_R) and the application a | <li>Make the connection identifiers (C_I and C_R) and the applicatio | |||
lgorithms in the selected cipher suite available to the application.</li> | n algorithms in the selected cipher suite available to the application.</li> | |||
</ul> | </ol> | |||
<t>After processing message_3, the Responder can compute PRK_out, see | <t>After processing message_3, the Responder can compute PRK_out (see | |||
<xref target="prkout"/>, and derive application keys using the EDHOC_Exporter in | <xref target="prkout"/>) and derive application keys using the EDHOC_Exporter in | |||
terface, see <xref target="exporter"/>. The Responder SHOULD NOT persistently st | terface (see <xref target="exporter"/>). The Responder <bcp14>SHOULD NOT</bcp14> | |||
ore PRK_out or application keys until the application has authenticated the Init | persistently store PRK_out or application keys until the application has authen | |||
iator. The Responder SHOULD NOT send protected application data until the applic | ticated the Initiator. The Responder <bcp14>SHOULD NOT</bcp14> send protected ap | |||
ation has authenticated the Initiator.</t> | plication data until the application has authenticated the Initiator.</t> | |||
<t>If any processing step fails, then the Responder MUST send an EDHOC | <t>If any processing step fails, then the Responder <bcp14>MUST</bcp14 | |||
error message back as defined in <xref target="error"/>, and the EDHOC session | > send an EDHOC error message back as defined in <xref target="error"/>, and the | |||
MUST be aborted.</t> | EDHOC session <bcp14>MUST</bcp14> be aborted.</t> | |||
</section> | </section> | |||
</section> | </section> | |||
<section anchor="m4"> | <section anchor="m4"> | |||
<name>EDHOC Message 4</name> | <name>EDHOC Message 4</name> | |||
<t>This section specifies message_4 which is OPTIONAL to support. Key co | <t>This section specifies message_4, which is <bcp14>OPTIONAL</bcp14> to | |||
nfirmation is normally provided by sending an application message from the Respo | support. Key confirmation is normally provided by sending an application messag | |||
nder to the Initiator protected with a key derived with the EDHOC_Exporter, e.g. | e from the Responder to the Initiator protected with a key derived with the EDHO | |||
, using OSCORE (see <xref target="transfer"/>). In deployments where no protecte | C_Exporter, e.g., using OSCORE (see <xref target="transfer"/>). In deployments w | |||
d application message is sent from the Responder to the Initiator, message_4 MUS | here no protected application message is sent from the Responder to the Initiato | |||
T be supported and MUST be used. Two examples of such deployments are:</t> | r, message_4 <bcp14>MUST</bcp14> be supported and <bcp14>MUST</bcp14> be used. T | |||
<ol spacing="normal" type="1"><li>When EDHOC is only used for authentica | wo examples of such deployments are:</t> | |||
tion and no application data is sent.</li> | <ol spacing="normal" type="1"><li>when EDHOC is only used for authentica | |||
<li>When application data is only sent from the Initiator to the Respo | tion and no application data is sent and</li> | |||
nder.</li> | <li>when application data is only sent from the Initiator to the Respo | |||
nder.</li> | ||||
</ol> | </ol> | |||
<t>Further considerations about when to use message_4 are provided in <x ref target="applicability"/> and <xref target="sec-prop"/>.</t> | <t>Further considerations about when to use message_4 are provided in Se ctions <xref target="applicability" format="counter"/> and <xref target="sec-pro p" format="counter"/>.</t> | |||
<section anchor="asym-msg4-form"> | <section anchor="asym-msg4-form"> | |||
<name>Formatting of Message 4</name> | <name>Formatting of Message 4</name> | |||
<t>message_4 SHALL be a CBOR Sequence (see <xref target="CBOR"/>) as d | <t>message_4 <bcp14>SHALL</bcp14> be a CBOR Sequence (see <xref target | |||
efined below</t> | ="CBOR"/>), as defined below.</t> | |||
<sourcecode type="CDDL"><![CDATA[ | <sourcecode type="cbor"><![CDATA[ | |||
message_4 = ( | message_4 = ( | |||
CIPHERTEXT_4 : bstr, | CIPHERTEXT_4 : bstr, | |||
) | ) | |||
]]></sourcecode> | ]]></sourcecode> | |||
</section> | </section> | |||
<section anchor="asym-msg4-proc"> | <section anchor="asym-msg4-proc"> | |||
<name>Responder Composition of Message 4</name> | <name>Responder Composition of Message 4</name> | |||
<t>The Responder SHALL compose message_4 as follows:</t> | <t>The Responder <bcp14>SHALL</bcp14> compose message_4 as follows:</t > | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li> | <li> | |||
<t>Compute a COSE_Encrypt0 as defined in Sections 5.2 and 5.3 of < xref target="RFC9052"/>, with the EDHOC AEAD algorithm of the selected cipher su ite, using the encryption key K_4, the initialization vector IV_4 (if used by th e AEAD algorithm), the plaintext PLAINTEXT_4, and the following parameters as in put (see <xref target="COSE"/>): </t> | <t>Compute a COSE_Encrypt0 as defined in Sections <xref target="RF C9052" section="5.2" sectionFormat="bare"/> and <xref target="RFC9052" section=" 5.3" sectionFormat="bare"/> of <xref target="RFC9052"/>, with the EDHOC AEAD alg orithm of the selected cipher suite, using the encryption key K_4, the initializ ation vector IV_4 (if used by the AEAD algorithm), the plaintext PLAINTEXT_4, an d the following parameters as input (see <xref target="COSE"/>): </t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>protected = h''</li> | <li>protected = h''</li> | |||
<li>external_aad = TH_4</li> | <li>external_aad = TH_4</li> | |||
<li>K_4 and IV_4 are defined in <xref target="expand"/></li> | <li>K_4 and IV_4 are defined in <xref target="expand"/></li> | |||
<li> | <li> | |||
<t>PLAINTEXT_4 = ( ? EAD_4 ) | <t>PLAINTEXT_4 = ( ? EAD_4 ) | |||
</t> | </t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>EAD_4 - external authorization data, see <xref target="A D"/>.</li> | <li>EAD_4 is the external authorization data; see <xref targ et="AD"/>.</li> | |||
</ul> | </ul> | |||
</li> | </li> | |||
</ul> | </ul> | |||
<t> | <t> | |||
CIPHERTEXT_4 is the 'ciphertext' of COSE_Encrypt0.</t> | CIPHERTEXT_4 is the 'ciphertext' of COSE_Encrypt0.</t> | |||
</li> | </li> | |||
<li>Encode message_4 as a CBOR data item as specified in <xref targe t="asym-msg4-form"/>.</li> | <li>Encode message_4 as a CBOR data item as specified in <xref targe t="asym-msg4-form"/>.</li> | |||
</ul> | </ul> | |||
</section> | </section> | |||
<section anchor="initiator-processing-of-message-4"> | <section anchor="initiator-processing-of-message-4"> | |||
<name>Initiator Processing of Message 4</name> | <name>Initiator Processing of Message 4</name> | |||
<t>The Initiator SHALL process message_4 as follows:</t> | <t>The Initiator <bcp14>SHALL</bcp14> process message_4 as follows:</t > | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>Decode message_4 (see <xref target="CBOR"/>).</li> | <li>Decode message_4 (see <xref target="CBOR"/>).</li> | |||
<li>Retrieve the protocol state using available message correlation | <li>Retrieve the protocol state using available message correlation | |||
(e.g., the CoAP Token, the 5-tuple, or the prepended C_I, see <xref target="ci-e | (e.g., the CoAP Token, the 5-tuple, or the prepended C_I; see <xref target="ci-e | |||
dhoc"/>).</li> | dhoc"/>).</li> | |||
<li>Decrypt and verify the COSE_Encrypt0 as defined in Sections 5.2 | <li>Decrypt and verify the COSE_Encrypt0 as defined in Sections <xre | |||
and 5.3 of <xref target="RFC9052"/>, with the EDHOC AEAD algorithm in the select | f target="RFC9052" section="5.2" sectionFormat="bare"/> and <xref target="RFC905 | |||
ed cipher suite, and the parameters defined in <xref target="asym-msg4-proc"/>.< | 2" section="5.3" sectionFormat="bare"/> of <xref target="RFC9052"/>, with the ED | |||
/li> | HOC AEAD algorithm in the selected cipher suite and the parameters defined in <x | |||
ref target="asym-msg4-proc"/>.</li> | ||||
<li>Make (if present) EAD_4 available to the application for EAD pro cessing.</li> | <li>Make (if present) EAD_4 available to the application for EAD pro cessing.</li> | |||
</ul> | </ul> | |||
<t>If any processing step fails, then the Initiator MUST send an EDHOC error message back as defined in <xref target="error"/>, and the EDHOC session MUST be aborted.</t> | <t>If any processing step fails, then the Initiator <bcp14>MUST</bcp14 > send an EDHOC error message back as defined in <xref target="error"/>, and the EDHOC session <bcp14>MUST</bcp14> be aborted.</t> | |||
<t>After verifying message_4, the Initiator is assured that the Respon der has calculated the key PRK_out (key confirmation) and that no other party ca n derive the key.</t> | <t>After verifying message_4, the Initiator is assured that the Respon der has calculated the key PRK_out (key confirmation) and that no other party ca n derive the key.</t> | |||
</section> | </section> | |||
</section> | </section> | |||
</section> | </section> | |||
<section anchor="error"> | <section anchor="error"> | |||
<name>Error Handling</name> | <name>Error Handling</name> | |||
<t>This section defines the format for error messages, and the processing | <t>This section defines the format for error messages and the processing a | |||
associated with the currently defined error codes. Additional error codes may be | ssociated with the currently defined error codes. Additional error codes may be | |||
registered, see <xref target="error-code-reg"/>.</t> | registered; see <xref target="error-code-reg"/>.</t> | |||
<t>Many kinds of errors that can occur during EDHOC processing. As in CoAP | <t>Many kinds of errors can occur during EDHOC processing. As in CoAP, an | |||
, an error can be triggered by errors in the received message or internal errors | error can be triggered by errors in the received message or internal errors in t | |||
in the receiving endpoint. Except for processing and formatting errors, it is u | he receiving endpoint. Except for processing and formatting errors, it is up to | |||
p to the application when to send an error message. Sending error messages is es | the application when to send an error message. Sending error messages is essenti | |||
sential for debugging but MAY be skipped if, for example, an EDHOC session canno | al for debugging but <bcp14>MAY</bcp14> be skipped if, for example, an EDHOC ses | |||
t be found or due to denial-of-service reasons, see <xref target="dos"/>. Error | sion cannot be found or due to denial-of-service reasons; see <xref target="dos" | |||
messages in EDHOC are always fatal. After sending an error message, the sender M | />. Error messages in EDHOC are always fatal. After sending an error message, th | |||
UST abort the EDHOC session. The receiver SHOULD treat an error message as an in | e sender <bcp14>MUST</bcp14> abort the EDHOC session. The receiver <bcp14>SHOULD | |||
dication that the other party likely has aborted the EDHOC session. But since e | </bcp14> treat an error message as an indication that the other party likely has | |||
rror messages might be forged, the receiver MAY try to continue the EDHOC sessio | aborted the EDHOC session. But since error messages might be forged, the recei | |||
n.</t> | ver <bcp14>MAY</bcp14> try to continue the EDHOC session.</t> | |||
<t>An EDHOC error message can be sent by either endpoint as a reply to any non-error EDHOC message. How errors at the EDHOC layer are transported depends on lower layers, which need to enable error messages to be sent and processed as intended.</t> | <t>An EDHOC error message can be sent by either endpoint as a reply to any non-error EDHOC message. How errors at the EDHOC layer are transported depends on lower layers, which need to enable error messages to be sent and processed as intended.</t> | |||
<t>error SHALL be a CBOR Sequence (see <xref target="CBOR"/>) as defined b elow</t> | <t>error <bcp14>SHALL</bcp14> be a CBOR Sequence (see <xref target="CBOR"/ >), as defined below.</t> | |||
<figure anchor="fig-error-message"> | <figure anchor="fig-error-message"> | |||
<name>EDHOC error message.</name> | <name>EDHOC Error Message</name> | |||
<sourcecode type="CDDL"><![CDATA[ | <sourcecode type="cbor"><![CDATA[ | |||
error = ( | error = ( | |||
ERR_CODE : int, | ERR_CODE : int, | |||
ERR_INFO : any, | ERR_INFO : any, | |||
) | ) | |||
]]></sourcecode> | ]]></sourcecode> | |||
</figure> | </figure> | |||
<t>where:</t> | <t>where:</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>ERR_CODE - error code encoded as an integer. The value 0 is reserved | <li>ERR_CODE is an error code encoded as an integer. The value 0 is rese | |||
for success and can only be used internally, all other values (negative or posi | rved for success and can only be used internally; all other values (negative or | |||
tive) indicate errors.</li> | positive) indicate errors.</li> | |||
<li>ERR_INFO - error information. Content and encoding depend on error c | <li>ERR_INFO is the error information. Content and encoding depend on th | |||
ode.</li> | e error code.</li> | |||
</ul> | </ul> | |||
<t>The remainder of this section specifies the currently defined error cod | <t>The remainder of this section specifies the currently defined error cod | |||
es, see <xref target="fig-error-codes"/>. Additional error codes and correspondi | es; see <xref target="tab-error-codes"/>. Additional error codes and correspondi | |||
ng error information may be specified.</t> | ng error information may be specified.</t> | |||
<figure anchor="fig-error-codes"> | ||||
<name>EDHOC error codes and error information.</name> | <table anchor="tab-error-codes"> | |||
<artset> | <name>EDHOC Error Codes and Error Information</name> | |||
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1 | <thead> | |||
.1" height="208" width="560" viewBox="0 0 560 208" class="diagram" text-anchor=" | <tr> | |||
middle" font-family="monospace" font-size="13px" stroke-linecap="round"> | <th>ERR_CODE</th> | |||
<path d="M 8,32 L 8,192" fill="none" stroke="black"/> | <th>ERR_INFO Type</th> | |||
<path d="M 96,32 L 96,192" fill="none" stroke="black"/> | <th>Description</th> | |||
<path d="M 224,32 L 224,192" fill="none" stroke="black"/> | </tr> | |||
<path d="M 552,32 L 552,192" fill="none" stroke="black"/> | </thead> | |||
<path d="M 8,32 L 552,32" fill="none" stroke="black"/> | <tbody> | |||
<path d="M 8,62 L 552,62" fill="none" stroke="black"/> | <tr> | |||
<path d="M 8,66 L 552,66" fill="none" stroke="black"/> | <td align="right">0</td> | |||
<path d="M 8,96 L 552,96" fill="none" stroke="black"/> | <td></td> | |||
<path d="M 8,128 L 552,128" fill="none" stroke="black"/> | <td>Reserved for success</td> | |||
<path d="M 8,160 L 552,160" fill="none" stroke="black"/> | </tr> | |||
<path d="M 8,192 L 552,192" fill="none" stroke="black"/> | <tr> | |||
<g class="text"> | <td align="right">1</td> | |||
<text x="52" y="52">ERR_CODE</text> | <td>tstr</td> | |||
<text x="140" y="52">ERR_INFO</text> | <td>Unspecified error</td> | |||
<text x="196" y="52">Type</text> | </tr> | |||
<text x="280" y="52">Description</text> | <tr> | |||
<text x="80" y="84">0</text> | <td align="right">2</td> | |||
<text x="252" y="84">This</text> | <td>suites</td> | |||
<text x="296" y="84">value</text> | <td>Wrong selected cipher suite</td> | |||
<text x="332" y="84">is</text> | </tr> | |||
<text x="380" y="84">reserved</text> | <tr> | |||
<text x="80" y="116">1</text> | <td align="right">3</td> | |||
<text x="124" y="116">tstr</text> | <td>true</td> | |||
<text x="280" y="116">Unspecified</text> | <td>Unknown credential referenced</td> | |||
<text x="352" y="116">error</text> | </tr> | |||
<text x="80" y="148">2</text> | <tr> | |||
<text x="132" y="148">suites</text> | <td align="right">23</td> | |||
<text x="256" y="148">Wrong</text> | <td></td> | |||
<text x="316" y="148">selected</text> | <td>Reserved</td> | |||
<text x="380" y="148">cipher</text> | </tr> | |||
<text x="432" y="148">suite</text> | </tbody> | |||
<text x="80" y="180">3</text> | </table> | |||
<text x="124" y="180">true</text> | ||||
<text x="264" y="180">Unknown</text> | ||||
<text x="340" y="180">credential</text> | ||||
<text x="428" y="180">referenced</text> | ||||
</g> | ||||
</svg> | ||||
</artwork> | ||||
<artwork type="ascii-art"><![CDATA[ | ||||
+----------+---------------+----------------------------------------+ | ||||
| ERR_CODE | ERR_INFO Type | Description | | ||||
+==========+===============+========================================+ | ||||
| 0 | | This value is reserved | | ||||
+----------+---------------+----------------------------------------+ | ||||
| 1 | tstr | Unspecified error | | ||||
+----------+---------------+----------------------------------------+ | ||||
| 2 | suites | Wrong selected cipher suite | | ||||
+----------+---------------+----------------------------------------+ | ||||
| 3 | true | Unknown credential referenced | | ||||
+----------+---------------+----------------------------------------+ | ||||
]]></artwork> | ||||
</artset> | ||||
</figure> | ||||
<section anchor="success"> | <section anchor="success"> | |||
<name>Success</name> | <name>Success</name> | |||
<t>Error code 0 MAY be used internally in an application to indicate suc cess, i.e., as a standard value in case of no error, e.g., in status reporting o r log files. Error code 0 MUST NOT be used as part of the EDHOC message exchange . If an endpoint receives an error message with error code 0, then it MUST abort the EDHOC session and MUST NOT send an error message.</t> | <t>Error code 0 <bcp14>MAY</bcp14> be used internally in an application to indicate success, i.e., as a standard value in case of no error, e.g., in sta tus reporting or log files. Error code 0 <bcp14>MUST NOT</bcp14> be used as part of the EDHOC message exchange. If an endpoint receives an error message with er ror code 0, then it <bcp14>MUST</bcp14> abort the EDHOC session and <bcp14>MUST NOT</bcp14> send an error message.</t> | |||
</section> | </section> | |||
<section anchor="unspecified-error"> | <section anchor="unspecified-error"> | |||
<name>Unspecified Error</name> | <name>Unspecified Error</name> | |||
<t>Error code 1 is used for errors that do not have a specific error cod e defined. ERR_INFO MUST be a text string containing a human-readable diagnostic message which SHOULD be written in English, for example "Method not supported". The diagnostic text message is mainly intended for software engineers that duri ng debugging need to interpret it in the context of the EDHOC specification. The diagnostic message SHOULD be provided to the calling application where it SHOUL D be logged.</t> | <t>Error code 1 is used for errors that do not have a specific error cod e defined. ERR_INFO <bcp14>MUST</bcp14> be a text string containing a human-read able diagnostic message that <bcp14>SHOULD</bcp14> be written in English, for ex ample, "Method not supported". The diagnostic text message is mainly intended fo r software engineers who during debugging need to interpret it in the context of the EDHOC specification. The diagnostic message <bcp14>SHOULD</bcp14> be provid ed to the calling application where it <bcp14>SHOULD</bcp14> be logged.</t> | |||
</section> | </section> | |||
<section anchor="wrong-selected"> | <section anchor="wrong-selected"> | |||
<name>Wrong Selected Cipher Suite</name> | <name>Wrong Selected Cipher Suite</name> | |||
<t>Error code 2 MUST only be used when replying to message_1 in case the cipher suite selected by the Initiator is not supported by the Responder, or if the Responder supports a cipher suite more preferred by the Initiator than the selected cipher suite, see <xref target="resp-proc-msg1"/>. In this case, ERR_IN FO = SUITES_R and is of type suites, see <xref target="asym-msg1-form"/>. If the Responder does not support the selected cipher suite, then SUITES_R MUST includ e one or more supported cipher suites. If the Responder supports a cipher suite in SUITES_I other than the selected cipher suite (independently of if the select ed cipher suite is supported or not) then SUITES_R MUST include the supported ci pher suite in SUITES_I which is most preferred by the Initiator. SUITES_R MAY in clude a single cipher suite, in which case it is encoded as an int. If the Respo nder does not support any cipher suite in SUITES_I, then it SHOULD include all i ts supported cipher suites in SUITES_R.</t> | <t>Error code 2 <bcp14>MUST</bcp14> only be used when replying to messag e_1 in case the cipher suite selected by the Initiator is not supported by the R esponder or if the Responder supports a cipher suite more preferred by the Initi ator than the selected cipher suite; see <xref target="resp-proc-msg1"/>. In thi s case, ERR_INFO = SUITES_R and is of type suites; see <xref target="asym-msg1-f orm"/>. If the Responder does not support the selected cipher suite, then SUITES _R <bcp14>MUST</bcp14> include one or more supported cipher suites. If the Respo nder supports a cipher suite in SUITES_I other than the selected cipher suite (i ndependently of if the selected cipher suite is supported or not), then SUITES_R <bcp14>MUST</bcp14> include the supported cipher suite in SUITES_I, which is mo st preferred by the Initiator. SUITES_R <bcp14>MAY</bcp14> include a single ciph er suite; in which case, it is encoded as an int. If the Responder does not supp ort any cipher suite in SUITES_I, then it <bcp14>SHOULD</bcp14> include all its supported cipher suites in SUITES_R.</t> | |||
<t>In contrast to SUITES_I, the order of the cipher suites in SUITES_R h as no significance.</t> | <t>In contrast to SUITES_I, the order of the cipher suites in SUITES_R h as no significance.</t> | |||
<section anchor="cipher-suite-negotiation"> | <section anchor="cipher-suite-negotiation"> | |||
<name>Cipher Suite Negotiation</name> | <name>Cipher Suite Negotiation</name> | |||
<t>After receiving SUITES_R, the Initiator can determine which cipher suite to select (if any) for the next EDHOC run with the Responder.</t> | <t>After receiving SUITES_R, the Initiator can determine which cipher suite to select (if any) for the next EDHOC run with the Responder.</t> | |||
<t>If the Initiator intends to contact the Responder in the future, th | <t>The Initiator needs to remember which selected cipher suite to use | |||
e Initiator SHOULD remember which selected cipher suite to use until the next me | until the next message_1 has been sent; otherwise, the Initiator and Responder w | |||
ssage_1 has been sent, otherwise the Initiator and Responder will likely run int | ill run into an infinite loop where the Initiator selects its most preferred cip | |||
o an infinite loop where the Initiator selects its most preferred cipher suite a | her suite and the Responder sends an error with supported cipher suites. After | |||
nd the Responder sends an error with supported cipher suites. After a completed | a completed EDHOC session, the Initiator <bcp14>MAY</bcp14> remember the selecte | |||
EDHOC session, the Initiator MAY remember the selected cipher suite to use in fu | d cipher suite to use in future EDHOC sessions. Note that if the Initiator or Re | |||
ture EDHOC sessions. Note that if the Initiator or Responder is updated with new | sponder is updated with new cipher suite policies, any cached information may be | |||
cipher suite policies, any cached information may be outdated.</t> | outdated.</t> | |||
<t>Note that the Initiator's list of supported cipher suites and order | <t>Note that the Initiator's list of supported cipher suites and order | |||
of preference is fixed (see <xref target="asym-msg1-form"/> and <xref target="i | of preference is fixed (see Sections <xref target="asym-msg1-form" format="coun | |||
nit-proc-msg1"/>). Furthermore, the Responder SHALL only accept message_1 if the | ter"/> and <xref target="init-proc-msg1" format="counter"/>). Furthermore, the R | |||
selected cipher suite is the first cipher suite in SUITES_I that the Responder | esponder <bcp14>SHALL</bcp14> only accept message_1 if the selected cipher suite | |||
also supports (see <xref target="resp-proc-msg1"/>). Following this procedure en | is the first cipher suite in SUITES_I that the Responder also supports (see <xr | |||
sures that the selected cipher suite is the most preferred (by the Initiator) ci | ef target="resp-proc-msg1"/>). Following this procedure ensures that the selecte | |||
pher suite supported by both parties. For examples, see <xref target="ex-neg"/>. | d cipher suite is the most preferred (by the Initiator) cipher suite supported b | |||
</t> | y both parties. For examples, see <xref target="ex-neg"/>.</t> | |||
<t>If the selected cipher suite is not the first cipher suite which th | <t>If the selected cipher suite is not the first cipher suite that the | |||
e Responder supports in SUITES_I received in message_1, then the Responder MUST | Responder supports in SUITES_I received in message_1, then the Responder <bcp14 | |||
abort the EDHOC session, see <xref target="resp-proc-msg1"/>. If SUITES_I in mes | >MUST</bcp14> abort the EDHOC session; see <xref target="resp-proc-msg1"/>. If S | |||
sage_1 is manipulated, then the integrity verification of message_2 containing t | UITES_I in message_1 is manipulated, then the integrity verification of message_ | |||
he transcript hash TH_2 will fail and the Initiator will abort the EDHOC session | 2 containing the transcript hash TH_2 will fail and the Initiator will abort the | |||
.</t> | EDHOC session.</t> | |||
</section> | </section> | |||
<section anchor="ex-neg"> | <section anchor="ex-neg"> | |||
<name>Examples</name> | <name>Examples</name> | |||
<t>Assume that the Initiator supports the five cipher suites 5, 6, 7, | <t>Assume that the Initiator supports the five cipher suites, 5, 6, 7, | |||
8, and 9 in decreasing order of preference. Figures <xref target="fig-error1" fo | 8, and 9, in decreasing order of preference. Figures <xref target="fig-error1" | |||
rmat="counter"/> and <xref target="fig-error2" format="counter"/> show two examp | format="counter"/> and <xref target="fig-error2" format="counter"/> show two exa | |||
les of how the Initiator can format SUITES_I and how SUITES_R is used by Respond | mples of how the Initiator can format SUITES_I and how SUITES_R is used by Respo | |||
ers to give the Initiator information about the cipher suites that the Responder | nders to give the Initiator information about the cipher suites that the Respond | |||
supports.</t> | er supports.</t> | |||
<t>In Example 1 (<xref target="fig-error1"/>), the Responder supports | <t>In Example 1 (<xref target="fig-error1"/>), the Responder supports | |||
cipher suite 6 but not the initially selected cipher suite 5. The Responder reje | cipher suite 6 but not the initially selected cipher suite 5. The Responder reje | |||
cts the first message_1 with an error indicating support for suite 6 in SUITES_R | cts the first message_1 with an error indicating support for suite 6 in SUITES_R | |||
. The Initiator also supports suite 6, and therefore selects suite 6 in the seco | . The Initiator also supports suite 6 and therefore selects suite 6 in the secon | |||
nd message_1. The Initiator prepends in SUITES_I the selected suite 6 with the m | d message_1. The Initiator prepends in SUITES_I the selected suite 6 with the mo | |||
ore preferred suites, in this case suite 5, to mitigate a potential attack on th | re preferred suites, in this case suite 5, to mitigate a potential attack on the | |||
e cipher suite negotiation.</t> | cipher suite negotiation.</t> | |||
<figure anchor="fig-error1"> | <figure anchor="fig-error1"> | |||
<name>Cipher suite negotiation example 1.</name> | <name>Cipher Suite Negotiation Example 1</name> | |||
<artset> | <artset> | |||
<artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2 000/svg" version="1.1" height="224" width="560" viewBox="0 0 560 224" class="dia gram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linec ap="round"> | <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2 000/svg" version="1.1" height="" width="" viewBox="0 0 560 224" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="ro und"> | |||
<path d="M 8,48 L 8,208" fill="none" stroke="black"/> | <path d="M 8,48 L 8,208" fill="none" stroke="black"/> | |||
<path d="M 552,48 L 552,208" fill="none" stroke="black"/> | <path d="M 552,48 L 552,208" fill="none" stroke="black"/> | |||
<path d="M 8,64 L 544,64" fill="none" stroke="black"/> | <path d="M 8,64 L 544,64" fill="none" stroke="black"/> | |||
<path d="M 16,128 L 552,128" fill="none" stroke="black"/> | <path d="M 16,128 L 552,128" fill="none" stroke="black"/> | |||
<path d="M 8,192 L 544,192" fill="none" stroke="black"/> | <path d="M 8,192 L 544,192" fill="none" stroke="black"/> | |||
<polygon class="arrowhead" points="552,192 540,186.4 540,197.6 " fill="black" transform="rotate(0,544,192)"/> | <polygon class="arrowhead" points="552,192 540,186.4 540,197.6 " fill="black" transform="rotate(0,544,192)"/> | |||
<polygon class="arrowhead" points="552,64 540,58.4 540,69.6" f ill="black" transform="rotate(0,544,64)"/> | <polygon class="arrowhead" points="552,64 540,58.4 540,69.6" f ill="black" transform="rotate(0,544,64)"/> | |||
<polygon class="arrowhead" points="24,128 12,122.4 12,133.6" f ill="black" transform="rotate(180,16,128)"/> | <polygon class="arrowhead" points="24,128 12,122.4 12,133.6" f ill="black" transform="rotate(180,16,128)"/> | |||
<g class="text"> | <g class="text"> | |||
<text x="40" y="36">Initiator</text> | <text x="40" y="36">Initiator</text> | |||
skipping to change at line 1264 ¶ | skipping to change at line 1229 ¶ | |||
| ERR_CODE = 2, SUITES_R = 6 | | | ERR_CODE = 2, SUITES_R = 6 | | |||
|<------------------------------------------------------------------+ | |<------------------------------------------------------------------+ | |||
| error | | | error | | |||
| | | | | | |||
| METHOD, SUITES_I = [5, 6], G_X, C_I, EAD_1 | | | METHOD, SUITES_I = [5, 6], G_X, C_I, EAD_1 | | |||
+------------------------------------------------------------------>| | +------------------------------------------------------------------>| | |||
| message_1 | | | message_1 | | |||
]]></artwork> | ]]></artwork> | |||
</artset> | </artset> | |||
</figure> | </figure> | |||
<t>In Example 2 (<xref target="fig-error2"/>), the Responder supports | <t>In Example 2 (<xref target="fig-error2"/>), the Responder supports | |||
cipher suites 8 and 9 but not the more preferred (by the Initiator) cipher suite | cipher suites 8 and 9 but not the more preferred (by the Initiator) cipher suite | |||
s 5, 6 or 7. To illustrate the negotiation mechanics we let the Initiator first | s 5, 6 or 7. To illustrate the negotiation mechanics, we let the Initiator first | |||
make a guess that the Responder supports suite 6 but not suite 5. Since the Resp | make a guess that the Responder supports suite 6 but not suite 5. Since the Res | |||
onder supports neither 5 nor 6, it rejects the first message_1 with an error ind | ponder supports neither 5 nor 6, it rejects the first message_1 with an error in | |||
icating support for suites 8 and 9 in SUITES_R (in any order). The Initiator als | dicating support for suites 8 and 9 in SUITES_R (in any order). The Initiator al | |||
o supports suites 8 and 9, and prefers suite 8, so selects suite 8 in the second | so supports suites 8 and 9, and prefers suite 8, so it selects suite 8 in the s | |||
message_1. The Initiator prepends in SUITES_I the selected suite 8 with the mor | econd message_1. The Initiator prepends in SUITES_I the selected suite 8 with th | |||
e preferred suites in order of preference, in this case suites 5, 6 and 7, to mi | e more preferred suites in order of preference, in this case, suites 5, 6 and 7, | |||
tigate a potential attack on the cipher suite negotiation.</t> | to mitigate a potential attack on the cipher suite negotiation.</t> | |||
<t>Note 1. If the Responder had supported suite 5, then the first mess | <ol type="Note %d."> | |||
age_1 would not have been accepted either, since the Responder observes that sui | <li>If the Responder had supported suite 5, then the first message_1 w | |||
te 5 is more preferred by the Initiator than the selected suite 6. In that case | ould not have been accepted either, since the Responder observes that suite 5 is | |||
the Responder would have included suite 5 in SUITES_R of the response, and it wo | more preferred by the Initiator than the selected suite 6. In that case, the Re | |||
uld then have become the selected and only suite in the second message_1.</t> | sponder would have included suite 5 in SUITES_R of the response, and it would th | |||
<t>Note 2. For each message_1 the Initiator MUST generate a new epheme | en have become the selected and only suite in the second message_1.</li> | |||
ral ECDH key pair matching the selected cipher suite.</t> | <li>For each message_1, the Initiator <bcp14>MUST</bcp14> generate a n | |||
ew ephemeral ECDH key pair matching the selected cipher suite.</li> | ||||
</ol> | ||||
<figure anchor="fig-error2"> | <figure anchor="fig-error2"> | |||
<name>Cipher suite negotiation example 2.</name> | <name>Cipher Suite Negotiation Example 2</name> | |||
<artset> | <artset> | |||
<artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2 000/svg" version="1.1" height="224" width="560" viewBox="0 0 560 224" class="dia gram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linec ap="round"> | <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2 000/svg" version="1.1" height="" width="" viewBox="0 0 560 224" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="ro und"> | |||
<path d="M 8,48 L 8,208" fill="none" stroke="black"/> | <path d="M 8,48 L 8,208" fill="none" stroke="black"/> | |||
<path d="M 552,48 L 552,208" fill="none" stroke="black"/> | <path d="M 552,48 L 552,208" fill="none" stroke="black"/> | |||
<path d="M 8,64 L 544,64" fill="none" stroke="black"/> | <path d="M 8,64 L 544,64" fill="none" stroke="black"/> | |||
<path d="M 16,128 L 552,128" fill="none" stroke="black"/> | <path d="M 16,128 L 552,128" fill="none" stroke="black"/> | |||
<path d="M 8,192 L 544,192" fill="none" stroke="black"/> | <path d="M 8,192 L 544,192" fill="none" stroke="black"/> | |||
<polygon class="arrowhead" points="552,192 540,186.4 540,197.6 " fill="black" transform="rotate(0,544,192)"/> | <polygon class="arrowhead" points="552,192 540,186.4 540,197.6 " fill="black" transform="rotate(0,544,192)"/> | |||
<polygon class="arrowhead" points="552,64 540,58.4 540,69.6" f ill="black" transform="rotate(0,544,64)"/> | <polygon class="arrowhead" points="552,64 540,58.4 540,69.6" f ill="black" transform="rotate(0,544,64)"/> | |||
<polygon class="arrowhead" points="24,128 12,122.4 12,133.6" f ill="black" transform="rotate(180,16,128)"/> | <polygon class="arrowhead" points="24,128 12,122.4 12,133.6" f ill="black" transform="rotate(180,16,128)"/> | |||
<g class="text"> | <g class="text"> | |||
<text x="40" y="36">Initiator</text> | <text x="40" y="36">Initiator</text> | |||
skipping to change at line 1333 ¶ | skipping to change at line 1300 ¶ | |||
| METHOD, SUITES_I = [5, 6, 7, 8], G_X, C_I, EAD_1 | | | METHOD, SUITES_I = [5, 6, 7, 8], G_X, C_I, EAD_1 | | |||
+------------------------------------------------------------------>| | +------------------------------------------------------------------>| | |||
| message_1 | | | message_1 | | |||
]]></artwork> | ]]></artwork> | |||
</artset> | </artset> | |||
</figure> | </figure> | |||
</section> | </section> | |||
</section> | </section> | |||
<section anchor="unknown-credential-referenced"> | <section anchor="unknown-credential-referenced"> | |||
<name>Unknown Credential Referenced</name> | <name>Unknown Credential Referenced</name> | |||
<t>Error code 3 is used for errors due to a received credential identifi | <t>Error code 3 is used for errors due to a received credential identifi | |||
er (ID_CRED_R in message_2 or ID_CRED_I message_3) containing a reference to a c | er (ID_CRED_R in message_2 or ID_CRED_I message_3) containing a reference to a c | |||
redential which the receiving endpoint does not have access to. The intent with | redential that the receiving endpoint does not have access to. The intent with t | |||
this error code is that the endpoint who sent the credential identifier should f | his error code is that the endpoint who sent the credential identifier should, f | |||
or the next EDHOC session try another credential identifier supported according | or the next EDHOC session, try another credential identifier supported according | |||
to the application profile.</t> | to the application profile.</t> | |||
<t>For example, an application profile could list x5t and x5chain as sup | <t>For example, an application profile could list x5t and x5chain as sup | |||
ported credential identifiers, and state that x5t should be used if it can be as | ported credential identifiers and state that x5t should be used if it can be ass | |||
sumed that the X.509 certificate is available at the receiving side. This error | umed that the X.509 certificate is available at the receiving side. This error c | |||
code thus enables the certificate chain to be sent only when needed, bearing in | ode thus enables the certificate chain to be sent only when needed, bearing in m | |||
mind that error messages are not protected so an adversary can try to cause unne | ind that error messages are not protected so an adversary can try to cause unnec | |||
cessary large credential identifiers.</t> | essary, large credential identifiers.</t> | |||
<t>For the error code 3, the error information SHALL be the CBOR simple | <t>For the error code 3, the error information <bcp14>SHALL</bcp14> be t | |||
value <tt>true</tt> (0xf5). Error code 3 MUST NOT be used when the received cred | he CBOR simple value <tt>true</tt> (0xf5). Error code 3 <bcp14>MUST NOT</bcp14> | |||
ential identifier type is not supported.</t> | be used when the received credential identifier type is not supported.</t> | |||
</section> | </section> | |||
</section> | </section> | |||
<section anchor="duplication"> | <section anchor="duplication"> | |||
<name>EDHOC Message Deduplication</name> | <name>EDHOC Message Deduplication</name> | |||
<t>EDHOC by default assumes that message duplication is handled by the tra | <t>By default, EDHOC assumes that message duplication is handled by the tr | |||
nsport, in this section exemplified with CoAP, see <xref target="coap"/>.</t> | ansport (which is exemplified by CoAP in this section); see <xref target="coap"/ | |||
<t>Deduplication of CoAP messages is described in Section 4.5 of <xref tar | >.</t> | |||
get="RFC7252"/>. This handles the case when the same Confirmable (CON) message i | <t>Deduplication of CoAP messages is described in <xref target="RFC7252" s | |||
s received multiple times due to missing acknowledgment on the CoAP messaging la | ection="4.5" sectionFormat="of"/>. This handles the case when the same Confirmab | |||
yer. The recommended processing in <xref target="RFC7252"/> is that the duplicat | le (CON) message is received multiple times due to missing acknowledgment on the | |||
e message is acknowledged (ACK), but the received message is only processed once | CoAP messaging layer. The recommended processing in <xref target="RFC7252"/> is | |||
by the CoAP stack.</t> | that the duplicate message is acknowledged, but the received message is only pr | |||
<t>Message deduplication is resource demanding and therefore not supported | ocessed once by the CoAP stack.</t> | |||
in all CoAP implementations. Since EDHOC is targeting constrained environments, | <t>Message deduplication is resource demanding and therefore not supported | |||
it is desirable that EDHOC can optionally support transport layers which do not | in all CoAP implementations. Since EDHOC is targeting constrained environments, | |||
handle message duplication. Special care is needed to avoid issues with duplica | it is desirable that EDHOC can optionally support transport layers that do not | |||
te messages, see <xref target="proc-outline"/>.</t> | handle message duplication. Special care is needed to avoid issues with duplicat | |||
<t>The guiding principle here is similar to the deduplication processing o | e messages; see <xref target="proc-outline"/>.</t> | |||
n the CoAP messaging layer: a received duplicate EDHOC message SHALL NOT result | <t>The guiding principle here is similar to the deduplication processing o | |||
in another instance of the next EDHOC message. The result MAY be that a duplicat | n the CoAP messaging layer, i.e., a received duplicate EDHOC message <bcp14>SHAL | |||
e next EDHOC message is sent, provided it is still relevant with respect to the | L NOT</bcp14> result in another instance of the next EDHOC message. The result < | |||
current protocol state. In any case, the received message MUST NOT be processed | bcp14>MAY</bcp14> be that a duplicate next EDHOC message is sent, provided it is | |||
more than once in the same EDHOC session. This is called "EDHOC message deduplic | still relevant with respect to the current protocol state. In any case, the rec | |||
ation".</t> | eived message <bcp14>MUST NOT</bcp14> be processed more than once in the same ED | |||
<t>An EDHOC implementation MAY store the previously sent EDHOC message to | HOC session. This is called "EDHOC message deduplication".</t> | |||
be able to resend it.</t> | <t>An EDHOC implementation <bcp14>MAY</bcp14> store the previously sent ED | |||
<t>In principle, if the EDHOC implementation would deterministically regen | HOC message to be able to resend it.</t> | |||
erate the identical EDHOC message previously sent, it would be possible to inste | <t>In principle, if the EDHOC implementation would deterministically regen | |||
ad store the protocol state to be able to recreate and resend the previously sen | erate the identical EDHOC message previously sent, it would be possible to inste | |||
t EDHOC message. However, even if the protocol state is fixed, the message gener | ad store the protocol state to be able to recreate and resend the previously sen | |||
ation may introduce differences which compromise security. For example, in the g | t EDHOC message. However, even if the protocol state is fixed, the message gener | |||
eneration of message_3, if I is performing a (non-deterministic) ECDSA signature | ation may introduce differences that compromise security. For example, in the ge | |||
(say, method 0 or 1, cipher suite 2 or 3) then PLAINTEXT_3 is randomized, but K | neration of message_3, if I is performing a (non-deterministic) ECDSA signature | |||
_3 and IV_3 are the same, leading to a key and nonce reuse.</t> | (say, method 0 or 1 and cipher suite 2 or 3), then PLAINTEXT_3 is randomized, bu | |||
<t>The EDHOC implementation MUST NOT store previous protocol state and reg | t K_3 and IV_3 are the same, leading to a key and nonce reuse.</t> | |||
enerate an EDHOC message if there is a risk that the same key and IV are used fo | <t>The EDHOC implementation <bcp14>MUST NOT</bcp14> store the previous pro | |||
r two (or more) distinct messages.</t> | tocol state and regenerate an EDHOC message if there is a risk that the same key | |||
<t>The previous message or protocol state MUST NOT be kept longer than wha | and IV are used for two (or more) distinct messages.</t> | |||
t is required for retransmission, for example, in the case of CoAP transport, no | <t>The previous message or protocol state <bcp14>MUST NOT</bcp14> be kept | |||
longer than the EXCHANGE_LIFETIME (see Section 4.8.2 of <xref target="RFC7252"/ | longer than what is required for retransmission, for example, in the case of CoA | |||
>).</t> | P transport, no longer than the EXCHANGE_LIFETIME (see <xref target="RFC7252" se | |||
ction="4.8.2" sectionFormat="of"/>).</t> | ||||
</section> | </section> | |||
<section anchor="mti"> | <section anchor="mti"> | |||
<name>Compliance Requirements</name> | <name>Compliance Requirements</name> | |||
<t>In the absence of an application profile specifying otherwise:</t> | <t>In the absence of an application profile specifying otherwise:</t> | |||
<t>An implementation MAY support only Initiator or only Responder.</t> | <ul spacing="normal"> | |||
<t>An implementation MAY support only a single method. None of the methods | <li>An implementation <bcp14>MAY</bcp14> support only an Initiator or only | |||
are mandatory-to-implement.</t> | a Responder.</li> | |||
<t>Implementations MUST support 'kid' parameters. None of the other COSE h | <li>An implementation <bcp14>MAY</bcp14> support only a single method. Non | |||
eader parameters are mandatory-to-implement.</t> | e of the methods are mandatory to implement.</li> | |||
<t>An implementation MAY support only a single credential type (CCS, CWT, | <li>Implementations <bcp14>MUST</bcp14> support 'kid' parameters. None of | |||
X.509, C509). None of the credential types are mandatory-to-implement.</t> | the other COSE header parameters are mandatory to implement.</li> | |||
<t>Implementations MUST support the EDHOC_Exporter.</t> | <li>An implementation <bcp14>MAY</bcp14> support only a single credential | |||
<t>Implementations MAY support message_4. Error codes (ERR_CODE) 1 and 2 M | type (CCS, CWT, X.509, or C509). None of the credential types are mandatory to i | |||
UST be supported.</t> | mplement.</li> | |||
<t>Implementations MUST support EAD.</t> | <li>Implementations <bcp14>MUST</bcp14> support the EDHOC_Exporter.</li> | |||
<t>Implementations MUST support cipher suite 2 and 3. Cipher suites 2 (AES | <li>Implementations <bcp14>MAY</bcp14> support message_4. Error codes (ERR | |||
-CCM-16-64-128, SHA-256, 8, P-256, ES256, AES-CCM-16-64-128, SHA-256) and 3 (AES | _CODE) 1 and 2 <bcp14>MUST</bcp14> be supported.</li> | |||
-CCM-16-128-128, SHA-256, 16, P-256, ES256, AES-CCM-16-64-128, SHA-256) only dif | <li>Implementations <bcp14>MUST</bcp14> support EAD.</li> | |||
fer in the size of the MAC length, so supporting one or both of these is not sig | <li>Implementations <bcp14>MUST</bcp14> support cipher suites 2 and 3. Cip | |||
nificantly different. Implementations only need to implement the algorithms need | her suites 2 (AES-CCM-16-64-128, SHA-256, 8, P-256, ES256, AES-CCM-16-64-128, SH | |||
ed for their supported methods.</t> | A-256) and 3 (AES-CCM-16-128-128, SHA-256, 16, P-256, ES256, AES-CCM-16-64-128, | |||
SHA-256) only differ in the size of the MAC length, so supporting one or both of | ||||
these is not significantly different. Implementations only need to implement th | ||||
e algorithms needed for their supported methods.</li> | ||||
</ul> | ||||
</section> | </section> | |||
<section anchor="security"> | <section anchor="security"> | |||
<name>Security Considerations</name> | <name>Security Considerations</name> | |||
<section anchor="sec-prop"> | <section anchor="sec-prop"> | |||
<name>Security Properties</name> | <name>Security Properties</name> | |||
<t>EDHOC has similar security properties as can be expected from the the oretical SIGMA-I protocol <xref target="SIGMA"/> and the Noise XX pattern <xref target="Noise"/>, which are similar to methods 0 and 3, respectively. Proven sec urity properties are detailed in the security analysis publications referenced a t the end of this section.</t> | <t>EDHOC has similar security properties as can be expected from the the oretical SIGMA-I protocol <xref target="SIGMA"/> and the Noise XX pattern <xref target="Noise"/>, which are similar to methods 0 and 3, respectively. Proven sec urity properties are detailed in the security analysis publications referenced a t the end of this section.</t> | |||
<t>Using the terminology from <xref target="SIGMA"/>, EDHOC provides for | <t>Using the terminology from <xref target="SIGMA"/>, EDHOC provides for | |||
ward secrecy, mutual authentication with aliveness, consistency, and peer awaren | ward secrecy, mutual authentication with aliveness, consistency, and peer awaren | |||
ess. As described in <xref target="SIGMA"/>, message_3 provides peer awareness t | ess. As described in <xref target="SIGMA"/>, message_3 provides peer awareness t | |||
o the Responder while message_4 provides peer awareness to the Initiator. By inc | o the Responder, while message_4 provides peer awareness to the Initiator. B | |||
luding the authentication credentials in the transcript hash, EDHOC protects aga | y including the authentication credentials in the transcript hash, EDHOC protect | |||
inst Duplicate Signature Key Selection (DSKS)-like identity mis-binding attack t | s against an identity misbinding attack like the Duplicate Signature Key Selecti | |||
hat the MAC-then-Sign variant of SIGMA-I is otherwise vulnerable to.</t> | on (DSKS) that the MAC-then-Sign variant of SIGMA-I is otherwise vulnerable to.< | |||
<t>As described in <xref target="SIGMA"/>, different levels of identity | /t> | |||
protection are provided to the Initiator and the Responder. EDHOC provides ident | <t>As described in <xref target="SIGMA"/>, different levels of identity | |||
ity protection of the Initiator against active attacks and identity protection o | protection are provided to the Initiator and Responder. EDHOC provides identity | |||
f the Responder against passive attacks. An active attacker can get the credenti | protection of the Initiator against active attacks and identity protection of th | |||
al identifier of the Responder by eavesdropping on the destination address used | e Responder against passive attacks. An active attacker can get the credential i | |||
for transporting message_1 and then sending its own message_1 to the same addres | dentifier of the Responder by eavesdropping on the destination address used for | |||
s. The roles should be assigned to protect the most sensitive identity/identifie | transporting message_1 and then sending its own message_1 to the same address. T | |||
r, typically that which is not possible to infer from routing information in the | he roles should be assigned to protect the most sensitive identity/identifier, t | |||
lower layers.</t> | ypically that which is not possible to infer from routing information in the low | |||
<t>EDHOC messages might change in transit due to a noisy channel or thro | er layers.</t> | |||
ugh modification by an attacker. Changes in message_1 and message_2 (except Sign | <t>EDHOC messages might change in transit due to a noisy channel or thro | |||
ature_or_MAC_2 when the signature scheme is not strongly unforgeable) are detect | ugh modification by an attacker. Changes in message_1 and message_2 (except Sign | |||
ed when verifying Signature_or_MAC_2. Changes to not strongly unforgeable Signat | ature_or_MAC_2 when the signature scheme is not strongly unforgeable) are detect | |||
ure_or_MAC_2, and message_3 are detected when verifying CIPHERTEXT_3. Changes to | ed when verifying Signature_or_MAC_2. Changes to not strongly unforgeable Signat | |||
message_4 are detected when verifying CIPHERTEXT_4.</t> | ure_or_MAC_2 and message_3 are detected when verifying CIPHERTEXT_3. Changes to | |||
message_4 are detected when verifying CIPHERTEXT_4.</t> | ||||
<t>Compared to <xref target="SIGMA"/>, EDHOC adds an explicit method typ e and expands the message authentication coverage to additional elements such as algorithms, external authorization data, and previous plaintext messages. This protects against an attacker replaying messages or injecting messages from anoth er EDHOC session.</t> | <t>Compared to <xref target="SIGMA"/>, EDHOC adds an explicit method typ e and expands the message authentication coverage to additional elements such as algorithms, external authorization data, and previous plaintext messages. This protects against an attacker replaying messages or injecting messages from anoth er EDHOC session.</t> | |||
<t>EDHOC also adds selection of connection identifiers and downgrade pro | <t>EDHOC also adds a selection of connection identifiers and downgrades | |||
tected negotiation of cryptographic parameters, i.e., an attacker cannot affect | protected negotiation of cryptographic parameters, i.e., an attacker cannot affe | |||
the negotiated parameters. A single session of EDHOC does not include negotiatio | ct the negotiated parameters. A single session of EDHOC does not include negotia | |||
n of cipher suites, but it enables the Responder to verify that the selected cip | tion of cipher suites, but it enables the Responder to verify that the selected | |||
her suite is the most preferred cipher suite by the Initiator which is supported | cipher suite is the most preferred cipher suite by the Initiator that is support | |||
by both the Initiator and the Responder, and to abort the EDHOC session if not. | ed by both the Initiator and Responder and to abort the EDHOC session if not.</t | |||
</t> | > | |||
<t>As required by <xref target="RFC7258"/>, IETF protocols need to mitig | <t>As required by <xref target="RFC7258"/>, IETF protocols need to mitig | |||
ate pervasive monitoring when possible. EDHOC therefore only supports methods wi | ate pervasive monitoring when possible. Therefore, EDHOC only supports methods w | |||
th ephemeral Diffie-Hellman and provides a key update function (see <xref target | ith ephemeral Diffie-Hellman and provides a key update function (see <xref targe | |||
="keyupdate"/>) for lightweight application protocol rekeying. Either of these p | t="keyupdate"/>) for lightweight application protocol rekeying. Either of these | |||
rovides forward secrecy, in the sense that compromise of the private authenticat | provides forward secrecy, in the sense that compromise of the private authentica | |||
ion keys does not compromise past session keys (PRK_out), and compromise of a se | tion keys does not compromise past session keys (PRK_out) and compromise of a se | |||
ssion key does not compromise past session keys. Frequently re-running EDHOC wit | ssion key does not compromise past session keys. Frequently re-running EDHOC wit | |||
h ephemeral Diffie-Hellman forces attackers to perform dynamic key exfiltration | h ephemeral Diffie-Hellman forces attackers to perform dynamic key exfiltration | |||
where the attacker must have continuous interactions with the collaborator, whic | where the attacker must have continuous interactions with the collaborator, whic | |||
h is a significant sustained attack.</t> | h is a significant sustained attack.</t> | |||
<t>To limit the effect of breaches, it is important to limit the use of | <t>To limit the effect of breaches, it is important to limit the use of | |||
symmetric group keys for bootstrapping. EDHOC therefore strives to make the addi | symmetric group keys for bootstrapping. Therefore, EDHOC strives to make the add | |||
tional cost of using raw public keys and self-signed certificates as small as po | itional cost of using raw public keys and self-signed certificates as small as p | |||
ssible. Raw public keys and self-signed certificates are not a replacement for a | ossible. Raw public keys and self-signed certificates are not a replacement for | |||
public key infrastructure but SHOULD be used instead of symmetric group keys fo | a public key infrastructure but <bcp14>SHOULD</bcp14> be used instead of symmetr | |||
r bootstrapping.</t> | ic group keys for bootstrapping.</t> | |||
<t>Compromise of the long-term keys (private signature or static DH keys | <t>Compromise of the long-term keys (private signature or static DH keys | |||
) does not compromise the security of completed EDHOC sessions. Compromising the | ) does not compromise the security of completed EDHOC sessions. Compromising the | |||
private authentication keys of one party lets an active attacker impersonate th | private authentication keys of one party lets an active attacker impersonate th | |||
at compromised party in EDHOC sessions with other parties but does not let the a | at compromised party in EDHOC sessions with other parties but does not let the a | |||
ttacker impersonate other parties in EDHOC sessions with the compromised party. | ttacker impersonate other parties in EDHOC sessions with the compromised party. | |||
Compromise of the long-term keys does not enable a passive attacker to compromis | Compromise of the long-term keys does not enable a passive attacker to compromis | |||
e future session keys (PRK_out). Compromise of the HDKF input parameters (ECDH s | e future session keys (PRK_out). Compromise of the HKDF input parameters (ECDH s | |||
hared secret) leads to compromise of all session keys derived from that compromi | hared secret) leads to compromise of all session keys derived from that compromi | |||
sed shared secret. Compromise of one session key does not compromise other sessi | sed shared secret. Compromise of one session key does not compromise other sessi | |||
on keys. Compromise of PRK_out leads to compromise of all keying material derive | on keys. Compromise of PRK_out leads to compromise of all keying material derive | |||
d with the EDHOC_Exporter.</t> | d with the EDHOC_Exporter.</t> | |||
<t>Based on the cryptographic algorithms requirements <xref target="sec_ | <t>Based on the cryptographic algorithm requirements (<xref target="sec_ | |||
algs"/>, EDHOC provides a minimum of 64-bit security against online brute force | algs"/>), EDHOC provides a minimum of 64-bit security against online brute force | |||
attacks and a minimum of 128-bit security against offline brute force attacks. T | attacks and a minimum of 128-bit security against offline brute force attacks. | |||
o break 64-bit security against online brute force an attacker would on average | To break 64-bit security against online brute force, an attacker would on averag | |||
have to send 4.3 billion messages per second for 68 years, which is infeasible i | e have to send 4.3 billion messages per second for 68 years, which is infeasible | |||
n constrained IoT radio technologies. A forgery against a 64-bit MAC in EDHOC br | in constrained IoT radio technologies. A forgery against a 64-bit MAC in EDHOC | |||
eaks the security of all future application data, while a forgery against a 64-b | breaks the security of all future application data, while a forgery against a 64 | |||
it MAC in the subsequent application protocol (e.g., OSCORE <xref target="RFC861 | -bit MAC in the subsequent application protocol (e.g., OSCORE <xref target="RFC8 | |||
3"/>) typically only breaks the security of the data in the forged packet.</t> | 613"/>) typically only breaks the security of the data in the forged packet.</t> | |||
<t>As the EDHOC session is aborted when verification fails, the security | <t>As the EDHOC session is aborted when verification fails, the security | |||
against online attacks is given by the sum of the strength of the verified sign | against online attacks is given by the sum of the strength of the verified sign | |||
atures and MACs (including MAC in AEAD). As an example, if EDHOC is used with me | atures and MACs (including MAC in AEAD). As an example, if EDHOC is used with me | |||
thod 3, cipher suite 2, and message_4, the Responder is authenticated with 128-b | thod 3, cipher suite 2, and message_4, the Responder is authenticated with 128-b | |||
it security against online attacks (the sum of the 64-bit MACs in message_2 and | it security against online attacks (the sum of the 64-bit MACs in message_2 and | |||
message_4). The same principle applies for MACs in an application protocol keyed | message_4). The same principle applies for MACs in an application protocol keyed | |||
by EDHOC as long as EDHOC is rerun when verification of the first MACs in the a | by EDHOC as long as EDHOC is re-run when verification of the first MACs in the | |||
pplication protocol fails. As an example, if EDHOC with method 3 and cipher suit | application protocol fails. As an example, if EDHOC with method 3 and cipher sui | |||
e 2 is used as in Figure 2 of <xref target="I-D.ietf-core-oscore-edhoc"/>, 128-b | te 2 is used as in Figure 2 of <xref target="I-D.ietf-core-oscore-edhoc"/>, 128- | |||
it mutual authentication against online attacks can be achieved after completion | bit mutual authentication against online attacks can be achieved after completio | |||
of the first OSCORE request and response.</t> | n of the first OSCORE request and response.</t> | |||
<t>After sending message_3, the Initiator is assured that no other party | <t>After sending message_3, the Initiator is assured that no other party | |||
than the Responder can compute the key PRK_out. While the Initiator can securel | than the Responder can compute the key PRK_out. While the Initiator can securel | |||
y send protected application data, the Initiator SHOULD NOT persistently store t | y send protected application data, the Initiator <bcp14>SHOULD NOT</bcp14> persi | |||
he keying material PRK_out until the Initiator has verified message_4 or a messa | stently store the keying material PRK_out until the Initiator has verified messa | |||
ge protected with a derived application key, such as an OSCORE message, from the | ge_4 or a message protected with a derived application key, such as an OSCORE me | |||
Responder. After verifying message_3, the Responder is assured that an honest I | ssage, from the Responder. After verifying message_3, the Responder is assured t | |||
nitiator has computed the key PRK_out. The Responder can securely derive and sto | hat an honest Initiator has computed the key PRK_out. The Responder can securely | |||
re the keying material PRK_out, and send protected application data.</t> | derive and store the keying material PRK_out and send protected application dat | |||
<t>External authorization data sent in message_1 (EAD_1) or message_2 (E | a.</t> | |||
AD_2) should be considered unprotected by EDHOC, see <xref target="unprot-data"/ | <t>External authorization data sent in message_1 (EAD_1) or message_2 (E | |||
>. EAD_2 is encrypted but the Responder has not yet authenticated the Initiator | AD_2) should be considered unprotected by EDHOC; see <xref target="unprot-data"/ | |||
and the encryption does not provide confidentiality against active attacks.</t> | >. EAD_2 is encrypted, but the Responder has not yet authenticated the Initiator | |||
<t>External authorization data sent in message_3 (EAD_3) or message_4 (E | and the encryption does not provide confidentiality against active attacks.</t> | |||
AD_4) is protected between Initiator and Responder by the protocol, but note tha | <t>External authorization data sent in message_3 (EAD_3) or message_4 (E | |||
t EAD fields may be used by the application before the message verification is c | AD_4) is protected between the Initiator and Responder by the protocol, but note | |||
ompleted, see <xref target="AD"/>. Designing a secure mechanism that uses EAD is | that EAD fields may be used by the application before the message verification | |||
not necessarily straightforward. This document only provides the EAD transport | is completed; see <xref target="AD"/>. Designing a secure mechanism that uses EA | |||
mechanism, but the problem of agreeing on the surrounding context and the meanin | D is not necessarily straightforward. This document only provides the EAD transp | |||
g of the information passed to and from the application remains. Any new uses of | ort mechanism, but the problem of agreeing on the surrounding context and the me | |||
EAD should be subject to careful review.</t> | aning of the information passed to and from the application remains. Any new use | |||
<t>Key compromise impersonation (KCI): In EDHOC authenticated with signa | s of EAD should be subject to careful review.</t> | |||
ture keys, EDHOC provides KCI protection against an attacker having access to th | <dl newline="false" spacing="normal"> | |||
e long-term key or the ephemeral secret key. With static Diffie-Hellman key auth | <dt>Key Compromise Impersonation (KCI):</dt> <dd>In EDHOC authenticate | |||
entication, KCI protection would be provided against an attacker having access t | d with signature keys, EDHOC provides KCI protection against an attacker having | |||
o the long-term Diffie-Hellman key, but not to an attacker having access to the | access to the long-term key or the ephemeral secret key. With static Diffie-Hell | |||
ephemeral secret key. Note that the term KCI has typically been used for comprom | man key authentication, KCI protection would be provided against an attacker hav | |||
ise of long-term keys, and that an attacker with access to the ephemeral secret | ing access to the long-term Diffie-Hellman key but not to an attacker having acc | |||
key can only attack that specific EDHOC session.</t> | ess to the ephemeral secret key. Note that the term KCI has typically been used | |||
<t>Repudiation: If an endpoint authenticates with a signature, the other | for compromise of long-term keys and that an attacker with access to the ephemer | |||
endpoint can prove that the endpoint performed a run of the protocol by present | al secret key can only attack that specific EDHOC session.</dd> | |||
ing the data being signed as well as the signature itself. With static Diffie-He | <dt>Repudiation:</dt> <dd>If an endpoint authenticates with a signatur | |||
llman key authentication, the authenticating endpoint can deny having participat | e, the other endpoint can prove that the endpoint performed a run of the protoco | |||
ed in the protocol.</t> | l by presenting the data being signed as well as the signature itself. With stat | |||
<t>Earlier versions of EDHOC have been formally analyzed <xref target="B | ic Diffie-Hellman key authentication, the authenticating endpoint can deny havin | |||
runi18"/> <xref target="Norrman20"/> <xref target="CottierPointcheval22"/> <xref | g participated in the protocol.</dd> | |||
target="Jacomme23"/> <xref target="GuentherIlunga22"/> and the specification ha | </dl> | |||
s been updated based on the analysis.</t> | <t>Earlier versions of EDHOC have been formally analyzed <xref target="B | |||
runi18"/> <xref target="Norrman20"/> <xref target="CottierPointcheval22"/> <xref | ||||
target="Jacomme23"/> <xref target="GuentherIlunga22"/>, and the specification h | ||||
as been updated based on the analysis.</t> | ||||
</section> | </section> | |||
<section anchor="crypto"> | <section anchor="crypto"> | |||
<name>Cryptographic Considerations</name> | <name>Cryptographic Considerations</name> | |||
<t>The SIGMA protocol requires that the encryption of message_3 provides confidentiality against active attackers and EDHOC message_4 relies on the use of | <t>The SIGMA protocol requires that the encryption of message_3 provides confidentiality against active attackers and EDHOC message_4 relies on the use of | |||
authenticated encryption. Hence, the message authenticating functionality of the | authenticated encryption. Hence, the message authenticating functionality of the | |||
authenticated encryption in EDHOC is critical: authenticated encryption MUST NO | authenticated encryption in EDHOC is critical, i.e., authenticated encryption < | |||
T be replaced by plain encryption only, even if authentication is provided at an | bcp14>MUST NOT</bcp14> be replaced by plain encryption only, even if authenticat | |||
other level or through a different mechanism.</t> | ion is provided at another level or through a different mechanism.</t> | |||
<t>To reduce message overhead EDHOC does not use explicit nonces and ins | <t>To reduce message overhead, EDHOC does not use explicit nonces and in | |||
tead relies on the ephemeral public keys to provide randomness to each EDHOC ses | stead relies on the ephemeral public keys to provide randomness to each EDHOC se | |||
sion. A good amount of randomness is important for the key generation, to provid | ssion. A good amount of randomness is important for the key generation to provid | |||
e liveness, and to protect against interleaving attacks. For this reason, the ep | e liveness and to protect against interleaving attacks. For this reason, the eph | |||
hemeral keys MUST NOT be used in more than one EDHOC message, and both parties S | emeral keys <bcp14>MUST NOT</bcp14> be used in more than one EDHOC message, and | |||
HALL generate fresh random ephemeral key pairs. Note that an ephemeral key may b | both parties <bcp14>SHALL</bcp14> generate fresh, random ephemeral key pairs. No | |||
e used to calculate several ECDH shared secrets. When static Diffie-Hellman auth | te that an ephemeral key may be used to calculate several ECDH shared secrets. W | |||
entication is used the same ephemeral key is used in both ephemeral-ephemeral an | hen static Diffie-Hellman authentication is used, the same ephemeral key is used | |||
d ephemeral-static ECDH.</t> | in both ephemeral-ephemeral and ephemeral-static ECDH.</t> | |||
<t>As discussed in <xref target="SIGMA"/>, the encryption of message_2 d | <t>As discussed in <xref target="SIGMA"/>, the encryption of message_2 o | |||
oes only need to protect against passive attacker as active attackers can always | nly needs to protect against a passive attacker since active attackers can alway | |||
get the Responder's identity by sending their own message_1. EDHOC uses the EDH | s get the Responder's identity by sending their own message_1. EDHOC uses the ED | |||
OC_Expand function (typically HKDF-Expand) as a binary additive stream cipher wh | HOC_Expand function (typically HKDF-Expand) as a binary additive stream cipher t | |||
ich is proven secure as long as the expand function is a PRF. HKDF-Expand is no | hat is proven secure as long as the expand function is a Pseudorandom Function ( | |||
t often used as a stream cipher as it is slow on long messages, and most applica | PRF). HKDF-Expand is not often used as a stream cipher as it is slow on long mes | |||
tions require both confidentiality with indistinguishability under chosen cipher | sages, and most applications require both confidentiality with indistinguishabil | |||
text (IND-CCA) as well as integrity protection. For the encryption of message_2, | ity under adaptive chosen ciphertext attack (IND-CCA2) as well as integrity prot | |||
any speed difference is negligible, IND-CCA does not increase security, and int | ection. For the encryption of message_2, any speed difference is negligible, IND | |||
egrity is provided by the inner MAC (and signature depending on method).</t> | -CCA2 does not increase security, and integrity is provided by the inner MAC (an | |||
<t>Requirements for how to securely generate, validate, and process the | d signature depending on method).</t> | |||
ephemeral public keys depend on the elliptic curve. For X25519 and X448, the req | <t>Requirements for how to securely generate, validate, and process the | |||
uirements are defined in <xref target="RFC7748"/>. For secp256r1, secp384r1, and | public keys depend on the elliptic curve. For X25519 and X448, the requirements | |||
secp521r1, the requirements are defined in Section 5 of <xref target="SP-800-56 | are defined in <xref target="RFC7748"/>. For X25519 and X448, the check for all- | |||
A"/>. For secp256r1, secp384r1, and secp521r1, at least partial public-key valid | zero output as specified in <xref target="RFC7748" sectionFormat="of" section="6 | |||
ation MUST be done.</t> | "/> <bcp14>MUST</bcp14> be done. For secp256r1, secp384r1, and secp521r1, the re | |||
<t>The same authentication credential MAY be used for both the Initiator | quirements are defined in Section 5 of <xref target="SP-800-56A"/>. For secp256r | |||
and Responder roles. As noted in Section 12 of <xref target="RFC9052"/> the use | 1, secp384r1, and secp521r1, at least partial public key validation <bcp14>MUST< | |||
of a single key for multiple algorithms is strongly discouraged unless proven s | /bcp14> be done.</t> | |||
ecure by a dedicated cryptographic analysis. In particular this recommendation a | <t>The same authentication credential <bcp14>MAY</bcp14> be used for bot | |||
pplies to using the same private key for static Diffie-Hellman authentication an | h the Initiator | |||
d digital signature authentication. A preliminary conjecture is that a minor cha | and Responder roles. As noted in <xref target="RFC9052" section="12" section | |||
nge to EDHOC may be sufficient to fit the analysis of secure shared signature an | Format="of"/>, the use of a single key for multiple algorithms is strongly disco | |||
d ECDH key usage in <xref target="Degabriele11"/> and <xref target="Thormarker21 | uraged unless proven secure by a dedicated cryptographic analysis. In particula | |||
"/>.</t> | r, this recommendation applies to using the same private key for static Diffie-H | |||
<t>The property that a completed EDHOC session implies that another iden | ellman authentication and digital signature authentication. A preliminary conjec | |||
tity has been active is upheld as long as the Initiator does not have its own id | ture is that a minor change to EDHOC may be sufficient to fit the analysis of a | |||
entity in the set of Responder identities it is allowed to communicate with. In | secure shared signature and ECDH key usage in <xref target="Degabriele11"/> and | |||
Trust on first use (TOFU) use cases, see <xref target="tofu"/>, the Initiator sh | <xref target="Thormarker21"/>. Note that Section 5.6.3.2 of <xref target="SP-800 | |||
ould verify that the Responder's identity is not equal to its own. Any future ED | -56A"/> allows a key agreement key pair to be used with a signature algorithm in | |||
HOC methods using e.g., pre-shared keys might need to mitigate this in other way | certificate requests.</t> | |||
s. However, an active attacker can gain information about the set of identities | <t>The property that a completed EDHOC session implies that another iden | |||
an Initiator is willing to communicate with. If the Initiator is willing to comm | tity has been active is upheld as long as the Initiator does not have its own id | |||
unicate with all identities except its own an attacker can determine that a gues | entity in the set of Responder identities it is allowed to communicate with. In | |||
sed Initiator identity is correct. To not leak any long-term identifiers, using | trust-on-first-use (TOFU) use cases (see <xref target="tofu"/>), the Initiator s | |||
a freshly generated authentication key as identity in each initial TOFU session | hould verify that the Responder's identity is not equal to its own. Any future E | |||
is RECOMMENDED.</t> | DHOC methods using, e.g., PSKs might need to mitigate this in other ways. Howeve | |||
<t>NIST SP 800-56A <xref target="SP-800-56A"/> forbids deriving secret a | r, an active attacker can gain information about the set of identities an Initia | |||
nd non-secret randomness from the same KDF instance, but this decision has been | tor is willing to communicate with. If the Initiator is willing to communicate w | |||
criticized by Krawczyk <xref target="HKDFpaper"/> and doing so is common practic | ith all identities except its own, an attacker can determine that a guessed Init | |||
e. In addition to IVs, other examples are the challenge in EAP-TTLS, the RAND in | iator identity is correct. To not leak any long-term identifiers, using a freshl | |||
3GPP AKAs, and the Session-Id in EAP-TLS 1.3. Note that part of KEYSTREAM_2 is | y generated authentication key as an identity in each initial TOFU session is <b | |||
also non-secret randomness as it is known or predictable to an attacker. The mor | cp14>RECOMMENDED</bcp14>.</t> | |||
e recent NIST SP 800-108 <xref target="SP-800-108"/> aligns with <xref target="H | <t>NIST SP 800-56A <xref target="SP-800-56A"/> forbids deriving secret a | |||
KDFpaper"/> and states that for a secure KDF, the revelation of one portion of t | nd non-secret randomness from the same Key Derivation Function (KDF) instance, b | |||
he derived keying material must not degrade the security of any other portion of | ut this decision has been criticized by Krawczyk in <xref target="HKDFpaper"/> a | |||
that keying material.</t> | nd doing so is common practice. In addition to IVs, other examples are the chall | |||
enge in Extensible Authentication Protocol Tunneled Transport Layer Security (EA | ||||
P-TTLS), the RAND in 3GPP Authentication and Key Agreement (AKA), and the Sessio | ||||
n-Id in EAP-TLS 1.3. Note that part of KEYSTREAM_2 is also non-secret randomness | ||||
, as it is known or predictable to an attacker. The more recent NIST SP 800-108 | ||||
<xref target="SP-800-108"/> aligns with <xref target="HKDFpaper"/> and states th | ||||
at, for a secure KDF, the revelation of one portion of the derived keying materi | ||||
al must not degrade the security of any other portion of that keying material.</ | ||||
t> | ||||
</section> | </section> | |||
<section anchor="sec_algs"> | <section anchor="sec_algs"> | |||
<name>Cipher Suites and Cryptographic Algorithms</name> | <name>Cipher Suites and Cryptographic Algorithms</name> | |||
<t>When using private cipher suite or registering new cipher suites, the | <t>When using a private cipher suite or registering new cipher suites, t | |||
choice of key length used in the different algorithms needs to be harmonized, s | he choice of the key length used in the different algorithms needs to be harmoni | |||
o that a sufficient security level is maintained for authentication credentials, | zed so that a sufficient security level is maintained for authentication credent | |||
the EDHOC session, and the protection of application data. The Initiator and th | ials, the EDHOC session, and the protection of application data. The Initiator a | |||
e Responder should enforce a minimum security level.</t> | nd Responder should enforce a minimum security level.</t> | |||
<t>The output size of the EDHOC hash algorithm MUST be at least 256-bits | <t>The output size of the EDHOC hash algorithm <bcp14>MUST</bcp14> be at | |||
, i.e., the hash algorithms SHA-1 and SHA-256/64 (SHA-256 truncated to 64-bits) | least 256 bits, i.e., the hash algorithms SHA-1 and SHA-256/64 (SHA-256 truncat | |||
SHALL NOT be supported for use in EDHOC except for certificate identification wi | ed to 64 bits) <bcp14>SHALL NOT</bcp14> be supported for use in EDHOC except for | |||
th x5t and c5t. For security considerations of SHA-1, see <xref target="RFC6194" | certificate identification with x5t and c5t. For security considerations of SHA | |||
/>. As EDHOC integrity protects the whole authentication credentials, the choice | -1, see <xref target="RFC6194"/>. As EDHOC integrity protects all the authentica | |||
of hash algorithm in x5t and c5t does not affect security, and using the same h | tion credentials, the choice of hash algorithm in x5t and c5t does not affect se | |||
ash algorithm as in the cipher suite, but with as much truncation as possible, i | curity and using the same hash algorithm as in the cipher suite, but with as muc | |||
s RECOMMENDED. That is, when the EDHOC hash algorithm is SHA-256, using SHA-256/ | h truncation as possible, is <bcp14>RECOMMENDED</bcp14>. That is, when the EDHOC | |||
64 in x5t and c5t is RECOMMENDED. The EDHOC MAC length MUST be at least 8 bytes | hash algorithm is SHA-256, using SHA-256/64 in x5t and c5t is <bcp14>RECOMMENDE | |||
and the tag length of the EDHOC AEAD algorithm MUST be at least 64-bits. Note th | D</bcp14>. The EDHOC MAC length <bcp14>MUST</bcp14> be at least 8 bytes and the | |||
at secp256k1 is only defined for use with ECDSA and not for ECDH. Note that some | tag length of the EDHOC AEAD algorithm <bcp14>MUST</bcp14> be at least 64 bits. | |||
COSE algorithms are marked as not recommended in the COSE IANA registry.</t> | Note that secp256k1 is only defined for use with ECDSA and not for ECDH. Note th | |||
at some COSE algorithms are marked as not recommended in the COSE IANA registry. | ||||
</t> | ||||
</section> | </section> | |||
<section anchor="pqc"> | <section anchor="pqc"> | |||
<name>Post-Quantum Considerations</name> | <name>Post-Quantum Considerations</name> | |||
<t>As of the publication of this specification, it is unclear when or ev | <t>As of the publication of this specification, it is unclear when or ev | |||
en if a quantum computer of sufficient size and power to exploit public key cryp | en if a quantum computer of sufficient size and power to exploit public key cryp | |||
tography will exist. Deployments that need to consider risks decades into the fu | tography will exist. Deployments that need to consider risks decades into the fu | |||
ture should transition to Post-Quantum Cryptography (PQC) in the not-too-distant | ture should transition to Post-Quantum Cryptography (PQC) in the not-too-distant | |||
future. Many other systems should take a slower wait-and-see approach where PQC | future. Many other systems should take a slower wait-and-see approach where PQC | |||
is phased in when the quantum threat is more imminent. Current PQC algorithms h | is phased in when the quantum threat is more imminent. Current PQC algorithms h | |||
ave limitations compared to Elliptic Curve Cryptography (ECC) and the data sizes | ave limitations compared to Elliptic Curve Cryptography (ECC), and the data size | |||
would be problematic in many constrained IoT systems.</t> | s would be problematic in many constrained IoT systems.</t> | |||
<t>Symmetric algorithms used in EDHOC such as SHA-256 and AES-CCM-16-64- | <t>Symmetric algorithms used in EDHOC, such as SHA-256 and AES-CCM-16-64 | |||
128 are practically secure against even large quantum computers. Two of NIST's s | -128, are practically secure against even large quantum computers. Two of NIST's | |||
ecurity levels for quantum-resistant public-key cryptography are based on AES-12 | security levels for quantum-resistant public key cryptography are based on AES- | |||
8 and SHA-256. Quantum computer will likely be expensive, slow due to heavy erro | 128 and SHA-256. A quantum computer will likely be expensive and slow due to hea | |||
r correction, and Grover’s algorithm, which is proven to be optimal, cannot effe | vy error correction. Grover's algorithm, which is proven to be optimal, cannot e | |||
ctively be parallelized. Grover’s algorithm will provide little or no advantage | ffectively be parallelized. It will provide little or no advantage in attacking | |||
in attacking AES, and AES-128 will remain secure for decades to come <xref targe | AES, and AES-128 will remain secure for decades to come <xref target="NISTPQC"/> | |||
t="NISTPQC"/>.</t> | .</t> | |||
<t>EDHOC supports all signature algorithms defined by COSE, including PQ | <t>EDHOC supports all signature algorithms defined by COSE, including PQ | |||
C signature algorithms such as HSS-LMS. EDHOC is currently only specified for us | C signature algorithms such as HSS-LMS. EDHOC is currently only specified for us | |||
e with key exchange algorithms of type ECDH curves, but any Key Encapsulation Me | e with key exchange algorithms of type ECDH curves, but any Key Encapsulation Me | |||
thod (KEM), including PQC KEMs, can be used in method 0. While the key exchange | thod (KEM), including PQC KEMs, can be used in method 0. While the key exchange | |||
in method 0 is specified with terms of the Diffie-Hellman protocol, the key exch | in method 0 is specified with the terms of the Diffie-Hellman protocol, the key | |||
ange adheres to a KEM interface: G_X is then the public key of the Initiator, G_ | exchange adheres to a KEM interface: G_X is then the public key of the Initiator | |||
Y is the encapsulation, and G_XY is the shared secret. Use of PQC KEMs to replac | , G_Y is the encapsulation, and G_XY is the shared secret. Use of PQC KEMs to re | |||
e static DH authentication would likely require a specification updating EDHOC w | place static DH authentication would likely require a specification updating EDH | |||
ith new methods.</t> | OC with new methods.</t> | |||
</section> | </section> | |||
<section anchor="unprot-data"> | <section anchor="unprot-data"> | |||
<name>Unprotected Data and Privacy</name> | <name>Unprotected Data and Privacy</name> | |||
<t>The Initiator and the Responder must make sure that unprotected data | <t>The Initiator and Responder must make sure that unprotected data and | |||
and metadata do not reveal any sensitive information. This also applies for encr | metadata do not reveal any sensitive information. This also applies for encrypte | |||
ypted data sent to an unauthenticated party. In particular, it applies to EAD_1, | d data sent to an unauthenticated party. In particular, it applies to EAD_1, ID_ | |||
ID_CRED_R, EAD_2, and error messages. Using the same EAD_1 in several EDHOC ses | CRED_R, EAD_2, and error messages. Using the same EAD_1 in several EDHOC session | |||
sions allows passive eavesdroppers to correlate the different sessions. Note tha | s allows passive eavesdroppers to correlate the different sessions. Note that ev | |||
t even if ead_value is encrypted outside of EDHOC, the ead_labels in EAD_1 is re | en if ead_value is encrypted outside of EDHOC, the ead_labels in EAD_1 is reveal | |||
vealed to passive attackers and the ead_labels in EAD_2 is revealed to active at | ed to passive attackers and the ead_labels in EAD_2 is revealed to active attack | |||
tackers. Another consideration is that the list of supported cipher suites may p | ers. Another consideration is that the list of supported cipher suites may poten | |||
otentially be used to identify the application. The Initiator and the Responder | tially be used to identify the application. The Initiator and Responder must als | |||
must also make sure that unauthenticated data does not trigger any harmful actio | o make sure that unauthenticated data does not trigger any harmful actions. In p | |||
ns. In particular, this applies to EAD_1 and error messages.</t> | articular, this applies to EAD_1 and error messages.</t> | |||
<t>An attacker observing network traffic may use connection identifiers | <t>An attacker observing network traffic may use connection identifiers | |||
sent in clear in EDHOC or the subsequent application protocol to correlate packe | sent in clear in EDHOC or the subsequent application protocol to correlate packe | |||
ts sent on different paths or at different times. The attacker may use this info | ts sent on different paths or at different times. The attacker may use this info | |||
rmation for traffic flow analysis or to track an endpoint. Application protocols | rmation for traffic flow analysis or to track an endpoint. Application protocols | |||
using connection identifiers from EDHOC SHOULD provide mechanisms to update the | using connection identifiers from EDHOC <bcp14>SHOULD</bcp14> provide mechanism | |||
connection identifiers and MAY provide mechanisms to issue several simultaneous | s to update the connection identifiers and <bcp14>MAY</bcp14> provide mechanisms | |||
ly active connection identifiers. See <xref target="RFC9000"/> for a non-constra | to issue several simultaneously active connection identifiers. See <xref target | |||
ined example of such mechanisms. Connection identifiers can e.g., be chosen rand | ="RFC9000"/> for a non-constrained example of such mechanisms. Connection identi | |||
omly among the set of unused 1-byte connection identifiers. Connection identity | fiers can, e.g., be chosen randomly among the set of unused 1-byte connection id | |||
privacy mechanisms are only useful when there are not fixed identifiers such as | entifiers. Connection identity privacy mechanisms are only useful when there are | |||
IP address or MAC address in the lower layers.</t> | not fixed identifiers, such as IP address or MAC address in the lower layers.</ | |||
t> | ||||
</section> | </section> | |||
<section anchor="internet-threat"> | <section anchor="internet-threat"> | |||
<name>Updated Internet Threat Model Considerations</name> | <name>Updated Internet Threat Model Considerations</name> | |||
<t>Since the publication of <xref target="RFC3552"/> there has been an i | <t>Since the publication of <xref target="RFC3552"/>, there has been an | |||
ncreased awareness of the need to protect against endpoints that are compromised | increased awareness of the need to protect against endpoints that are compromise | |||
, malicious, or whose interests simply do not align with the interests of users | d or malicious or whose interests simply do not align with the interests of user | |||
<xref target="I-D.arkko-arch-internet-threat-model-guidance"/>. <xref target="RF | s <xref target="I-D.arkko-arch-internet-threat-model-guidance"/>. <xref target=" | |||
C7624"/> describes an updated threat model for Internet confidentiality, see <xr | RFC7624"/> describes an updated threat model for Internet confidentiality; see < | |||
ef target="sec-prop"/>. <xref target="I-D.arkko-arch-internet-threat-model-guida | xref target="sec-prop"/>. <xref target="I-D.arkko-arch-internet-threat-model-gui | |||
nce"/> further expands the threat model. Implementations and users should take t | dance"/> further expands the threat model. Implementations and users should take | |||
hese threat models into account and consider actions to reduce the risk of track | these threat models into account and consider actions to reduce the risk of tra | |||
ing by other endpoints. In particular, even data sent protected to the other end | cking by other endpoints. In particular, even data sent protected to the other e | |||
point such as ID_CRED fields and EAD fields can be used for tracking, see Sectio | ndpoint, such as ID_CRED fields and EAD fields, can be used for tracking; see <x | |||
n 2.7 of <xref target="I-D.arkko-arch-internet-threat-model-guidance"/>.</t> | ref target="I-D.arkko-arch-internet-threat-model-guidance" section="2.7" section | |||
<t>The fields ID_CRED_I, ID_CRED_R, EAD_2, EAD_3, and EAD_4 have variabl | Format="of"/>.</t> | |||
e length, and information regarding the length may leak to an attacker. A passiv | <t>The fields ID_CRED_I, ID_CRED_R, EAD_2, EAD_3, and EAD_4 have variabl | |||
e attacker may, e.g., be able to differentiate endpoints using identifiers of di | e length, and information regarding the length may leak to an attacker. A passiv | |||
fferent length. To mitigate this information leakage an implementation may ensur | e attacker may, e.g., be able to differentiate endpoints using identifiers of di | |||
e that the fields have fixed length or use padding. An implementation may, e.g., | fferent length. To mitigate this information leakage, an implementation may ensu | |||
only use fixed length identifiers like 'kid' of length 1. Alternatively, paddin | re that the fields have a fixed length or use padding. An implementation may, e. | |||
g may be used (see <xref target="padding"/>) to hide the true length of, e.g., c | g., only use fixed length identifiers like 'kid' of length 1. Alternatively, pad | |||
ertificates by value in 'x5chain' or 'c5c'.</t> | ding may be used (see <xref target="padding"/>) to hide the true length of, e.g. | |||
, certificates by value in 'x5chain' or 'c5c'.</t> | ||||
</section> | </section> | |||
<section anchor="dos"> | <section anchor="dos"> | |||
<name>Denial-of-Service</name> | <name>Denial of Service</name> | |||
<t>EDHOC itself does not provide countermeasures against denial-of-servi | <t>EDHOC itself does not provide countermeasures against denial-of-servi | |||
ce attacks. In particular, by sending a number of new or replayed message_1 an a | ce attacks. In particular, by sending a number of new or replayed message_1, an | |||
ttacker may cause the Responder to allocate state, perform cryptographic operati | attacker may cause the Responder to allocate the state, perform cryptographic op | |||
ons, and amplify messages. To mitigate such attacks, an implementation SHOULD ma | erations, and amplify messages. To mitigate such attacks, an implementation <bcp | |||
ke use of available lower layer mechanisms. For instance, when EDHOC is transfer | 14>SHOULD</bcp14> make use of available lower layer mechanisms. For instance, wh | |||
red as an exchange of CoAP messages, the CoAP server can use the Echo option def | en EDHOC is transferred as an exchange of CoAP messages, the CoAP server can use | |||
ined in <xref target="RFC9175"/> which forces the CoAP client to demonstrate rea | the Echo option defined in <xref target="RFC9175"/>, which forces the CoAP clie | |||
chability at its apparent network address. To avoid an additional roundtrip the | nt to demonstrate reachability at its apparent network address. To avoid an addi | |||
Initiator can reduce the amplification factor by padding message_1, i.e., using | tional round trip, the Initiator can reduce the amplification factor by padding | |||
EAD_1, see <xref target="padding"/>. | message_1, i.e., using EAD_1; see <xref target="padding"/>. | |||
Note that while the Echo option mitigates some resource exhaustion aspects of | Note that while the Echo option mitigates some resource exhaustion aspects of | |||
spoofing, it does not protect against a distributed denial-of-service attack mad e by real, potentially compromised, clients. Similarly, limiting amplification o nly reduces the impact, which still may be significant because of a large number of clients engaged in the attack.</t> | spoofing, it does not protect against a distributed denial-of-service attack mad e by real, potentially compromised, clients. Similarly, limiting amplification o nly reduces the impact, which still may be significant because of a large number of clients engaged in the attack.</t> | |||
<t>An attacker can also send faked message_2, message_3, message_4, or e rror in an attempt to trick the receiving party to send an error message and abo rt the EDHOC session. EDHOC implementations MAY evaluate if a received message i s likely to have been forged by an attacker and ignore it without sending an err or message or aborting the EDHOC session.</t> | <t>An attacker can also send a faked message_2, message_3, message_4, or error in an attempt to trick the receiving party to send an error message and a bort the EDHOC session. EDHOC implementations <bcp14>MAY</bcp14> evaluate if a r eceived message is likely to have been forged by an attacker and ignore it witho ut sending an error message or aborting the EDHOC session.</t> | |||
</section> | </section> | |||
<section anchor="impl-cons"> | <section anchor="impl-cons"> | |||
<name>Implementation Considerations</name> | <name>Implementation Considerations</name> | |||
<t>The availability of a secure random number generator is essential for | <t>The availability of a secure random number generator is essential for | |||
the security of EDHOC. If no true random number generator is available, a rando | the security of EDHOC. If no true random number generator is available, a rando | |||
m seed MUST be provided from an external source and used with a cryptographicall | m seed <bcp14>MUST</bcp14> be provided from an external source and used with a c | |||
y secure pseudorandom number generator. As each pseudorandom number must only be | ryptographically secure pseudorandom number generator. As each pseudorandom numb | |||
used once, an implementation needs to get a unique input to the pseudorandom nu | er must only be used once, an implementation needs to get a unique input to the | |||
mber generator after reboot, or continuously store state in nonvolatile memory. | pseudorandom number generator after reboot or continuously store state in nonvol | |||
Appendix B.1.1 in <xref target="RFC8613"/> describes issues and solution approac | atile memory. <xref target="RFC8613" sectionFormat="of" section="B.1.1"/> descri | |||
hes for writing to nonvolatile memory. Intentionally or unintentionally weak or | bes issues and solution approaches for writing to nonvolatile memory. Intentiona | |||
predictable pseudorandom number generators can be abused or exploited for malici | lly or unintentionally weak or predictable pseudorandom number generators can be | |||
ous purposes. <xref target="RFC8937"/> describes a way for security protocol imp | abused or exploited for malicious purposes. <xref target="RFC8937"/> describes | |||
lementations to augment their (pseudo)random number generators using a long-term | a way for security protocol implementations to augment their (pseudo)random numb | |||
private key and a deterministic signature function. This improves randomness fr | er generators using a long-term private key and a deterministic signature functi | |||
om broken or otherwise subverted random number generators. The same idea can be | on. This improves randomness from broken or otherwise subverted random number ge | |||
used with other secrets and functions such as a Diffie-Hellman function or a sym | nerators. The same idea can be used with other secrets and functions, such as a | |||
metric secret and a PRF like HMAC or KMAC. It is RECOMMENDED to not trust a sing | Diffie-Hellman function or a symmetric secret, and a PRF like HMAC or KMAC. It i | |||
le source of randomness and to not put unaugmented random numbers on the wire.</ | s <bcp14>RECOMMENDED</bcp14> to not trust a single source of randomness and to n | |||
t> | ot put unaugmented random numbers on the wire.</t> | |||
<t>For many constrained IoT devices it is problematic to support several | <t>For many constrained IoT devices, it is problematic to support severa | |||
crypto primitives. Existing devices can be expected to support either ECDSA or | l crypto primitives. Existing devices can be expected to support either ECDSA or | |||
EdDSA. If ECDSA is supported, "deterministic ECDSA" as specified in <xref target | Edwards-curve Digital Signature Algorithm (EdDSA). If ECDSA is supported, "dete | |||
="RFC6979"/> MAY be used. Pure deterministic elliptic-curve signatures such as d | rministic ECDSA", as specified in <xref target="RFC6979"/>, <bcp14>MAY</bcp14> b | |||
eterministic ECDSA and EdDSA have gained popularity over randomized ECDSA as the | e used. Pure deterministic elliptic-curve signatures, such as deterministic ECDS | |||
ir security do not depend on a source of high-quality randomness. Recent researc | A and EdDSA, have gained popularity over randomized ECDSA as their security does | |||
h has however found that implementations of these signature algorithms may be vu | not depend on a source of high-quality randomness. Recent research has however | |||
lnerable to certain side-channel and fault injection attacks due to their determ | found that implementations of these signature algorithms may be vulnerable to ce | |||
inism. See e.g., Section 1 of <xref target="I-D.irtf-cfrg-det-sigs-with-noise"/> | rtain side-channel and fault injection attacks due to their determinism. For exa | |||
for a list of attack papers. As suggested in Section 2.1.1 of <xref target="RFC | mple, see <xref target="I-D.irtf-cfrg-det-sigs-with-noise" section="1" sectionFo | |||
9053"/> this can be addressed by combining randomness and determinism.</t> | rmat="of"/> for a list of attack papers. As suggested in <xref target="RFC9053" | |||
<t>Appendix D of <xref target="I-D.ietf-lwig-curve-representations"/> de | section="2.1.1" sectionFormat="of"/>, this can be addressed by combining randomn | |||
scribes how Montgomery curves such as X25519 and X448 and (twisted) Edwards curv | ess and determinism.</t> | |||
es as curves such as Ed25519 and Ed448 can be mapped to and from short-Weierstra | <t><xref target="I-D.ietf-lwig-curve-representations" sectionFormat="of" | |||
ss form for implementation on platforms that accelerate elliptic curve group ope | section="D"/> describes how Montgomery curves, such as X25519 and X448, and (tw | |||
rations in short-Weierstrass form.</t> | isted) Edwards curves, such as Ed25519 and Ed448, can be mapped to and from shor | |||
<t>All private keys, symmetric keys, and IVs MUST be secret. Only the Re | t-Weierstrass form for implementations on platforms that accelerate elliptic cur | |||
sponder SHALL have access to the Responder's private authentication key and only | ve group operations in short-Weierstrass form.</t> | |||
the Initiator SHALL have access to the Initiator's private authentication key. | <t>All private keys, symmetric keys, and IVs <bcp14>MUST</bcp14> be secr | |||
Implementations should provide countermeasures to side-channel attacks such as t | et. Only the Responder <bcp14>SHALL</bcp14> have access to the Responder's priva | |||
iming attacks. Intermediate computed values such as ephemeral ECDH keys and ECDH | te authentication key, and only the Initiator <bcp14>SHALL</bcp14> have access t | |||
shared secrets MUST be deleted after key derivation is completed.</t> | o the Initiator's private authentication key. Implementations should provide cou | |||
<t>The Initiator and the Responder are responsible for verifying the int | ntermeasures to side-channel attacks, such as timing attacks. Intermediate compu | |||
egrity and validity of certificates. Verification of validity may require the us | ted values, such as ephemeral ECDH keys and ECDH shared secrets, <bcp14>MUST</bc | |||
e of a Real-Time Clock (RTC). The selection of trusted CAs should be done very c | p14> be deleted after key derivation is completed.</t> | |||
arefully and certificate revocation should be supported. The choice of revocatio | <t>The Initiator and Responder are responsible for verifying the integri | |||
n mechanism is left to the application. For example, in case of X.509 certificat | ty and validity of certificates. Verification of validity may require the use of | |||
es, Certificate Revocation Lists <xref target="RFC5280"/> or OCSP <xref target=" | a Real-Time Clock (RTC). The selection of trusted certification authorities (CA | |||
RFC6960"/> may be used.</t> | s) should be done very carefully and certificate revocation should be supported. | |||
<t>Similar considerations as for certificates are needed for CWT/CCS. Th | The choice of revocation mechanism is left to the application. For example, in | |||
e endpoints are responsible for verifying the integrity and validity of CWT/CCS, | case of X.509 certificates, Certificate Revocation Lists <xref target="RFC5280"/ | |||
and to handle revocation. The application needs to determine what trust anchors | > or the Online Certificate Status Protocol (OCSP) <xref target="RFC6960"/> may | |||
are relevant, and have a well-defined trust-establishment process. A self-signe | be used.</t> | |||
d certificate/CWT or CCS appearing in the protocol cannot be a trigger to modify | <t>Similar considerations as for certificates are needed for CWT/CCS. Th | |||
the set of trust anchors. One common way for a new trust anchor to be added to | e endpoints are responsible for verifying the integrity and validity of CWT/CCS | |||
(or removed from) a device is by means firmware upgrade. See <xref target="RFC93 | and to handle revocation. The application needs to determine what trust anchors | |||
60"/> for a longer discussion on trust and validation in constrained devices.</t | are relevant and have a well-defined trust-establishment process. A self-signed | |||
> | certificate / CWT or CCS appearing in the protocol cannot be a trigger to modify | |||
<t>Just like for certificates, the contents of the COSE header parameter | the set of trust anchors. One common way for a new trust anchor to be added to | |||
s 'kcwt' and 'kccs' defined in <xref target="cwt-header-param"/> must be process | (or removed from) a device is by means firmware upgrade. See <xref target="RFC93 | |||
ed as untrusted input. Endpoints that intend to rely on the assertions made by a | 60"/> for a longer discussion on trust and validation in constrained devices.</t | |||
CWT/CCS obtained from any of these methods need to validate the contents. For ' | > | |||
kccs', which enables transport of raw public keys, the data structure used does | <t>Just like for certificates, the contents of the COSE header parameter | |||
not include any protection or verification data. 'kccs' may be used for unauthen | s 'kcwt' and 'kccs' defined in <xref target="cwt-header-param"/> must be process | |||
ticated operations, e.g. trust on first use, with the limitations and caveats en | ed as untrusted inputs. Endpoints that intend to rely on the assertions made by | |||
tailed, see <xref target="tofu"/>.</t> | a CWT/CCS obtained from any of these methods need to validate the contents. For | |||
<t>The Initiator and the Responder are allowed to select the connection | 'kccs', which enables transport of raw public keys, the data structure used does | |||
identifier C_I and C_R, respectively, for the other party to use in the ongoing | not include any protection or verification data. 'kccs' may be used for unauthe | |||
EDHOC session as well as in a subsequent application protocol (e.g., OSCORE <xre | nticated operations, e.g., trust on first use, with the limitations and caveats | |||
f target="RFC8613"/>). The choice of connection identifier is not security criti | entailed; see <xref target="tofu"/>.</t> | |||
cal in EDHOC but intended to simplify the retrieval of the right security contex | <t>The Initiator and Responder are allowed to select connection identifi | |||
t in combination with using short identifiers. If the wrong connection identifie | ers C_I and C_R, respectively, for the other party to use in the ongoing EDHOC s | |||
r of the other party is used in a protocol message it will result in the receivi | ession as well as in a subsequent application protocol (e.g., OSCORE <xref targe | |||
ng party not being able to retrieve a security context (which will abort the EDH | t="RFC8613"/>). The choice of the connection identifier is not security critical | |||
OC session) or retrieve the wrong security context (which also aborts the EDHOC | in EDHOC but intended to simplify the retrieval of the right security context i | |||
session as the message cannot be verified).</t> | n combination with using short identifiers. If the wrong connection identifier o | |||
<t>If two nodes unintentionally initiate two simultaneous EDHOC sessions | f the other party is used in a protocol message, it will result in the receiving | |||
with each other even if they only want to complete a single EDHOC session, they | party not being able to retrieve a security context (which will abort the EDHOC | |||
MAY abort the EDHOC session with the lexicographically smallest G_X. Note that | session) or retrieve the wrong security context (which also aborts the EDHOC se | |||
in cases where several EDHOC sessions with different parameter sets (method, COS | ssion as the message cannot be verified).</t> | |||
E headers, etc.) are used, an attacker can affect which parameter set will be us | <t>If two nodes unintentionally initiate two simultaneous EDHOC sessions | |||
ed by blocking some of the parameter sets.</t> | with each other, even if they only want to complete a single EDHOC session, the | |||
<t>If supported by the device, it is RECOMMENDED that at least the long- | y <bcp14>MAY</bcp14> abort the EDHOC session with the lexicographically smallest | |||
term private keys are stored in a Trusted Execution Environment (TEE, see for ex | G_X. Note that in cases where several EDHOC sessions with different parameter s | |||
ample <xref target="RFC9397"/>) and that sensitive operations using these keys a | ets (method, COSE headers, etc.) are used, an attacker can affect which paramete | |||
re performed inside the TEE. To achieve even higher security it is RECOMMENDED | r set will be used by blocking some of the parameter sets.</t> | |||
that additional operations such as ephemeral key generation, all computations of | <t>If supported by the device, it is <bcp14>RECOMMENDED</bcp14> that at | |||
shared secrets, and storage of the PRK keys can be done inside the TEE. The use | least the long-term private keys are stored in a Trusted Execution Environment ( | |||
of a TEE aims at preventing code within that environment to be tampered with, a | TEE) (for example, see <xref target="RFC9397"/>) and that sensitive operations u | |||
nd preventing data used by such code to be read or tampered with by code outside | sing these keys are performed inside the TEE. To achieve even higher security, | |||
that environment.</t> | it is <bcp14>RECOMMENDED</bcp14> that additional operations such as ephemeral ke | |||
<t>Note that HKDF-Expand has a relatively small maximum output length of | y generation, all computations of shared secrets, and storage of the PRK keys ca | |||
255 <contact fullname="⋅"/> hash_length, where hash_length is the output size i | n be done inside the TEE. The use of a TEE aims at preventing code within that e | |||
n bytes of the EDHOC hash algorithm of the selected cipher suite. This means tha | nvironment to be tampered with and preventing data used by such code to be read | |||
t when SHA-256 is used as hash algorithm, PLAINTEXT_2 cannot be longer than 8160 | or tampered with by code outside that environment.</t> | |||
bytes. This is probably not a limitation for most intended applications, but to | <t>Note that HKDF-Expand has a relatively small maximum output length of | |||
be able to support for example long certificate chains or large external author | 255 ⋅ hash_length, where hash_length is the output size in bytes of the EDHOC h | |||
ization data, there is a backwards compatible method specified in <xref target=" | ash algorithm of the selected cipher suite. This means that when SHA-256 is used | |||
large-plaintext_2"/>.</t> | as a hash algorithm, PLAINTEXT_2 cannot be longer than 8160 bytes. This is prob | |||
<t>The sequence of transcript hashes in EDHOC (TH_2, TH_3, TH_4) does no | ably not a limitation for most intended applications, but to be able to support, | |||
t make use of a so-called running hash. This is a design choice as running hashe | for example, long certificate chains or large external authorization data, ther | |||
s are often not supported on constrained platforms.</t> | e is a backwards compatible method specified in <xref target="large-plaintext_2" | |||
<t>When parsing a received EDHOC message, implementations MUST abort the | />.</t> | |||
EDHOC session if the message does not comply with the CDDL for that message. It | <t>The sequence of transcript hashes in EDHOC (TH_2, TH_3, and TH_4) doe | |||
is RECOMMENDED to abort the EDHOC session if the received EDHOC message is not | s not make use of a so-called running hash. This is a design choice, as running | |||
encoded using deterministic CBOR.</t> | hashes are often not supported on constrained platforms.</t> | |||
<t>When parsing a received EDHOC message, implementations <bcp14>MUST</b | ||||
cp14> abort the EDHOC session if the message does not comply with the CDDL for t | ||||
hat message. Implementations are not required to support non-deterministic encod | ||||
ings and <bcp14>MAY</bcp14> abort the EDHOC session if the received EDHOC messag | ||||
e is not encoded using deterministic CBOR. Implementations <bcp14>MUST</bcp14> a | ||||
bort the EDHOC session if validation of a received public key fails or if any cr | ||||
yptographic field has the wrong length. It is <bcp14>RECOMMENDED</bcp14> to abor | ||||
t the EDHOC session if the received EDHOC message is not encoded using determini | ||||
stic CBOR.</t> | ||||
</section> | </section> | |||
</section> | </section> | |||
<section anchor="iana"> | <section anchor="iana"> | |||
<name>IANA Considerations</name> | <name>IANA Considerations</name> | |||
<t>This Section gives IANA Considerations and, unless otherwise noted, con forms with <xref target="RFC8126"/>.</t> | <t>This section gives IANA considerations and, unless otherwise noted, con forms with <xref target="RFC8126"/>.</t> | |||
<section anchor="exporter-label"> | <section anchor="exporter-label"> | |||
<name>EDHOC Exporter Label Registry</name> | <name>EDHOC Exporter Label Registry</name> | |||
<t>IANA is requested to create a new registry under the new registry gro | <t>IANA has created a new registry under the new registry group "Ephemer | |||
up "Ephemeral Diffie-Hellman Over COSE (EDHOC)" as follows:</t> | al Diffie-Hellman Over COSE (EDHOC)" as follows:</t> | |||
<t>Registry Name: EDHOC Exporter Label</t> | <dl newline="false" spacing="normal"> | |||
<t>Reference: [[this document]]</t> | <dt>Registry Name:</dt> <dd>EDHOC Exporter Labels</dd> | |||
<figure anchor="fig-exporter-label"> | <dt>Reference:</dt> <dd>RFC 9528</dd> | |||
<name>EDHOC exporter label.</name> | </dl> | |||
<artset> | ||||
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version= | ||||
"1.1" height="288" width="536" viewBox="0 0 536 288" class="diagram" text-anchor | ||||
="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> | ||||
<path d="M 8,32 L 8,256" fill="none" stroke="black"/> | ||||
<path d="M 120,32 L 120,256" fill="none" stroke="black"/> | ||||
<path d="M 368,32 L 368,256" fill="none" stroke="black"/> | ||||
<path d="M 528,32 L 528,256" fill="none" stroke="black"/> | ||||
<path d="M 8,32 L 528,32" fill="none" stroke="black"/> | ||||
<path d="M 8,62 L 528,62" fill="none" stroke="black"/> | ||||
<path d="M 8,66 L 528,66" fill="none" stroke="black"/> | ||||
<path d="M 8,96 L 528,96" fill="none" stroke="black"/> | ||||
<path d="M 8,128 L 528,128" fill="none" stroke="black"/> | ||||
<path d="M 8,160 L 528,160" fill="none" stroke="black"/> | ||||
<path d="M 8,192 L 528,192" fill="none" stroke="black"/> | ||||
<path d="M 8,224 L 528,224" fill="none" stroke="black"/> | ||||
<path d="M 8,256 L 528,256" fill="none" stroke="black"/> | ||||
<g class="text"> | ||||
<text x="40" y="52">Label</text> | ||||
<text x="176" y="52">Description</text> | ||||
<text x="416" y="52">Reference</text> | ||||
<text x="24" y="84">0</text> | ||||
<text x="160" y="84">Derived</text> | ||||
<text x="220" y="84">OSCORE</text> | ||||
<text x="276" y="84">Master</text> | ||||
<text x="332" y="84">Secret</text> | ||||
<text x="404" y="84">[[this</text> | ||||
<text x="476" y="84">document]]</text> | ||||
<text x="24" y="116">1</text> | ||||
<text x="160" y="116">Derived</text> | ||||
<text x="220" y="116">OSCORE</text> | ||||
<text x="276" y="116">Master</text> | ||||
<text x="324" y="116">Salt</text> | ||||
<text x="404" y="116">[[this</text> | ||||
<text x="476" y="116">document]]</text> | ||||
<text x="36" y="148">2-22</text> | ||||
<text x="172" y="148">Unassigned</text> | ||||
<text x="28" y="180">23</text> | ||||
<text x="164" y="180">Reserved</text> | ||||
<text x="404" y="180">[[this</text> | ||||
<text x="476" y="180">document]]</text> | ||||
<text x="52" y="212">24-32767</text> | ||||
<text x="172" y="212">Unassigned</text> | ||||
<text x="64" y="244">32768-65535</text> | ||||
<text x="160" y="244">Private</text> | ||||
<text x="208" y="244">Use</text> | ||||
</g> | ||||
</svg> | ||||
</artwork> | ||||
<artwork type="ascii-art"><![CDATA[ | ||||
+-------------+------------------------------+-------------------+ | ||||
| Label | Description | Reference | | ||||
+=============+==============================+===================+ | ||||
| 0 | Derived OSCORE Master Secret | [[this document]] | | ||||
+-------------+------------------------------+-------------------+ | ||||
| 1 | Derived OSCORE Master Salt | [[this document]] | | ||||
+-------------+------------------------------+-------------------+ | ||||
| 2-22 | Unassigned | | | ||||
+-------------+------------------------------+-------------------+ | ||||
| 23 | Reserved | [[this document]] | | ||||
+-------------+------------------------------+-------------------+ | ||||
| 24-32767 | Unassigned | | | ||||
+-------------+------------------------------+-------------------+ | ||||
| 32768-65535 | Private Use | | | ||||
+-------------+------------------------------+-------------------+ | ||||
]]></artwork> | <table anchor="tab-exporter-label"> | |||
</artset> | <name>EDHOC Exporter Labels</name> | |||
</figure> | <thead> | |||
<artset> | <tr> | |||
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1 | <th>Label</th> | |||
.1" height="160" width="432" viewBox="0 0 432 160" class="diagram" text-anchor=" | <th>Description</th> | |||
middle" font-family="monospace" font-size="13px" stroke-linecap="round"> | <th>Reference</th> | |||
<path d="M 8,32 L 8,128" fill="none" stroke="black"/> | </tr> | |||
<path d="M 120,32 L 120,128" fill="none" stroke="black"/> | </thead> | |||
<path d="M 424,32 L 424,128" fill="none" stroke="black"/> | <tbody> | |||
<path d="M 8,32 L 424,32" fill="none" stroke="black"/> | <tr> | |||
<path d="M 8,62 L 424,62" fill="none" stroke="black"/> | <td>0</td> | |||
<path d="M 8,66 L 424,66" fill="none" stroke="black"/> | <td>Derived OSCORE Master Secret</td> | |||
<path d="M 8,96 L 424,96" fill="none" stroke="black"/> | <td>RFC 9528</td> | |||
<path d="M 8,128 L 424,128" fill="none" stroke="black"/> | </tr> <tr> | |||
<g class="text"> | <td>1</td> | |||
<text x="40" y="52">Range</text> | <td>Derived OSCORE Master Salt</td> | |||
<text x="180" y="52">Registration</text> | <td>RFC 9528</td> | |||
<text x="276" y="52">Procedures</text> | </tr><tr> | |||
<text x="24" y="84">0</text> | <td>2-22</td> | |||
<text x="44" y="84">to</text> | <td>Unassigned</td> | |||
<text x="68" y="84">23</text> | <td></td> | |||
<text x="168" y="84">Standards</text> | </tr> | |||
<text x="236" y="84">Action</text> | <tr> | |||
<text x="28" y="116">24</text> | <td>23</td> | |||
<text x="52" y="116">to</text> | <td>Reserved</td> | |||
<text x="88" y="116">32767</text> | <td>RFC 9528</td> | |||
<text x="156" y="116">Expert</text> | </tr> <tr> | |||
<text x="212" y="116">Review</text> | <td>24-32767</td> | |||
</g> | <td>Unassigned</td> | |||
</svg> | <td></td> | |||
</artwork> | </tr><tr> | |||
<artwork type="ascii-art"><![CDATA[ | <td>32768-65535</td> | |||
+-------------+-------------------------------------+ | <td>Reserved for Private Use</td> | |||
| Range | Registration Procedures | | <td></td> | |||
+=============+=====================================+ | </tr> | |||
| 0 to 23 | Standards Action | | </tbody> | |||
+-------------+-------------------------------------+ | </table> | |||
| 24 to 32767 | Expert Review | | ||||
+-------------+-------------------------------------+ | <t>This registry also has a "Change Controller" field. For registrations made by | |||
IETF documents, the IETF is listed.</t> | ||||
<table> | ||||
<name>Registration Procedures for EDHOC Exporter Labels</name> | ||||
<thead> | ||||
<tr> | ||||
<th>Range</th> | ||||
<th>Registration Procedures</th> | ||||
</tr> | ||||
</thead> | ||||
<tbody> | ||||
<tr> | ||||
<td>0-23</td> | ||||
<td>Standards Action</td> | ||||
</tr> | ||||
<tr> | ||||
<td>24-32767</td> | ||||
<td>Expert Review</td> | ||||
</tr> | ||||
<tr> | ||||
<td>32768-65535</td> | ||||
<td>Private Use</td> | ||||
</tr> | ||||
</tbody> | ||||
</table> | ||||
]]></artwork> | ||||
</artset> | ||||
</section> | </section> | |||
<section anchor="suites-registry"> | <section anchor="suites-registry"> | |||
<name>EDHOC Cipher Suites Registry</name> | <name>EDHOC Cipher Suites Registry</name> | |||
<t>IANA is requested to create a new registry under the new registry gro | <t>IANA has created a new registry under the new registry group "Ephemer | |||
up "Ephemeral Diffie-Hellman Over COSE (EDHOC)" as follows:</t> | al Diffie-Hellman Over COSE (EDHOC)" as follows:</t> | |||
<t>Registry Name: EDHOC Cipher Suites</t> | <dl newline="false" spacing="normal"> | |||
<t>Reference: [[this document]]</t> | <dt>Registry Name:</dt> <dd>EDHOC Cipher Suites</dd> | |||
<t>The columns of the registry are Value, Array and Description, where V | <dt>Reference:</dt> <dd>RFC 9528</dd> | |||
alue is an integer and the other columns are text strings. The initial contents | </dl> | |||
of the registry are:</t> | <t>The columns of the registry are Value, Array, Description, and Refere | |||
<artwork><![CDATA[ | nce, where Value is an integer and the other columns are text strings. The initi | |||
Value: -24 | al contents of the registry are:</t> | |||
Array: N/A | ||||
Description: Private Use | <table> | |||
Reference: [[this document]] | <name>EDHOC Cipher Suites</name> | |||
]]></artwork> | <thead> | |||
<artwork><![CDATA[ | <tr> | |||
Value: -23 | <th>Value</th> | |||
Array: N/A | <th>Array</th> | |||
Description: Private Use | <th>Description</th> | |||
Reference: [[this document]] | <th>Reference</th> | |||
]]></artwork> | </tr> | |||
<artwork><![CDATA[ | </thead> | |||
Value: -22 | <tbody> | |||
Array: N/A | <tr> | |||
Description: Private Use | <td>-24</td> | |||
Reference: [[this document]] | <td>N/A</td> | |||
]]></artwork> | <td>Private Use</td> | |||
<artwork><![CDATA[ | <td>RFC 9528</td> | |||
Value: -21 | </tr> | |||
Array: N/A | <tr> | |||
Description: Private Use | <td>-23</td> | |||
Reference: [[this document]] | <td>N/A</td> | |||
]]></artwork> | <td>Private Use</td> | |||
<artwork><![CDATA[ | <td>RFC 9528</td> | |||
Value: 0 | </tr> | |||
Array: 10, -16, 8, 4, -8, 10, -16 | <tr> | |||
Description: AES-CCM-16-64-128, SHA-256, 8, X25519, EdDSA, | <td>-22</td> | |||
AES-CCM-16-64-128, SHA-256 | <td>N/A</td> | |||
Reference: [[this document]] | <td>Private Use</td> | |||
]]></artwork> | <td>RFC 9528</td> | |||
<artwork><![CDATA[ | </tr> | |||
Value: 1 | <tr> | |||
Array: 30, -16, 16, 4, -8, 10, -16 | <td>-21</td> | |||
Description: AES-CCM-16-128-128, SHA-256, 16, X25519, EdDSA, | <td>N/A</td> | |||
AES-CCM-16-64-128, SHA-256 | <td>Private Use</td> | |||
Reference: [[this document]] | <td>RFC 9528</td> | |||
]]></artwork> | </tr> | |||
<artwork><![CDATA[ | <tr> | |||
Value: 2 | <td>0</td> | |||
Array: 10, -16, 8, 1, -7, 10, -16 | <td>10, -16, 8, 4, -8, 10, -16</td> | |||
Description: AES-CCM-16-64-128, SHA-256, 8, P-256, ES256, | <td>AES-CCM-16-64-128, SHA-256, 8, X25519, EdDSA, AES&nbhy;CCM&nbhy;16&nbh | |||
AES-CCM-16-64-128, SHA-256 | y;64&nbhy;128, SHA-256</td> | |||
Reference: [[this document]] | <td>RFC 9528</td> | |||
]]></artwork> | </tr> | |||
<artwork><![CDATA[ | <tr> | |||
Value: 3 | <td>1</td> | |||
Array: 30, -16, 16, 1, -7, 10, -16 | <td>30, -16, 16, 4, -8, 10, -16</td> | |||
Description: AES-CCM-16-128-128, SHA-256, 16, P-256, ES256, | <td>AES-CCM-16-128-128, SHA&nbhy;256, 16, X25519, EdDSA, AES&nbhy;CCM&nbhy | |||
AES-CCM-16-64-128, SHA-256 | ;16&nbhy;64&nbhy;128, SHA-256</td> | |||
Reference: [[this document]] | <td>RFC 9528</td> | |||
]]></artwork> | </tr> | |||
<artwork><![CDATA[ | <tr> | |||
Value: 4 | <td>2</td> | |||
Array: 24, -16, 16, 4, -8, 24, -16 | <td>10, -16, 8, 1, -7, 10, -16</td> | |||
Description: ChaCha20/Poly1305, SHA-256, 16, X25519, EdDSA, | <td>AES-CCM-16-64-128, SHA-256, 8, P-256, ES256, AES&nbhy;CCM&nbhy;16&nbhy | |||
ChaCha20/Poly1305, SHA-256 | ;64&nbhy;128, SHA-256</td> | |||
Reference: [[this document]] | <td>RFC 9528</td> | |||
]]></artwork> | </tr> | |||
<artwork><![CDATA[ | <tr> | |||
Value: 5 | <td>3</td> | |||
Array: 24, -16, 16, 1, -7, 24, -16 | <td>30, -16, 16, 1, -7, 10, -16</td> | |||
Description: ChaCha20/Poly1305, SHA-256, 16, P-256, ES256, | <td>AES-CCM-16-128-128, SHA&nbhy;256, 16, P-256, ES256, AES&nbhy;CCM&nbhy; | |||
ChaCha20/Poly1305, SHA-256 | 16&nbhy;64&nbhy;128, SHA-256</td> | |||
Reference: [[this document]] | <td>RFC 9528</td> | |||
]]></artwork> | </tr> | |||
<artwork><![CDATA[ | <tr> | |||
Value: 6 | <td>4</td> | |||
Array: 1, -16, 16, 4, -7, 1, -16 | <td>24, -16, 16, 4, -8, 24, -16</td> | |||
Description: A128GCM, SHA-256, 16, X25519, ES256, | <td>ChaCha20/Poly1305, SHA-256, 16, X25519, EdDSA, ChaCha20/Poly1305, SHA- | |||
A128GCM, SHA-256 | 256</td> | |||
Reference: [[this document]] | <td>RFC 9528</td> | |||
]]></artwork> | </tr> | |||
<artwork><![CDATA[ | <tr> | |||
Value: 23 | <td>5</td> | |||
Reserved | <td>24, -16, 16, 1, -7, 24, -16</td> | |||
Reference: [[this document]] | <td>ChaCha20/Poly1305, SHA-256, 16, P-256, ES256, ChaCha20/&wj;Poly1305, S | |||
]]></artwork> | HA-256</td> | |||
<artwork><![CDATA[ | <td>RFC 9528</td> | |||
Value: 24 | </tr> | |||
Array: 3, -43, 16, 2, -35, 3, -43 | <tr> | |||
Description: A256GCM, SHA-384, 16, P-384, ES384, | <td>6</td> | |||
A256GCM, SHA-384 | <td>1, -16, 16, 4, -7, 1, -16</td> | |||
Reference: [[this document]] | <td>A128GCM, SHA-256, 16, X25519, ES256, A128GCM, SHA-256</td> | |||
]]></artwork> | <td>RFC 9528</td> | |||
<artwork><![CDATA[ | </tr> | |||
Value: 25 | <tr> | |||
Array: 24, -45, 16, 5, -8, 24, -45 | ||||
Description: ChaCha20/Poly1305, SHAKE256, 16, X448, EdDSA, | <td>23</td> | |||
ChaCha20/Poly1305, SHAKE256 | <td>Reserved</td> | |||
Reference: [[this document]] | <td></td> | |||
]]></artwork> | <td>RFC 9528</td> | |||
<artset> | </tr> | |||
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1 | <tr> | |||
.1" height="176" width="456" viewBox="0 0 456 176" class="diagram" text-anchor=" | ||||
middle" font-family="monospace" font-size="13px" stroke-linecap="round"> | <td>24</td> | |||
<path d="M 8,32 L 8,160" fill="none" stroke="black"/> | <td>3, -43, 16, 2, -35, 3, -43</td> | |||
<path d="M 144,32 L 144,160" fill="none" stroke="black"/> | <td>A256GCM, SHA-384, 16, P-384, ES384, | |||
<path d="M 448,32 L 448,160" fill="none" stroke="black"/> | A256GCM, SHA-384</td> | |||
<path d="M 8,32 L 448,32" fill="none" stroke="black"/> | <td>RFC 9528</td> | |||
<path d="M 8,62 L 448,62" fill="none" stroke="black"/> | </tr> | |||
<path d="M 8,66 L 448,66" fill="none" stroke="black"/> | <tr> | |||
<path d="M 8,96 L 448,96" fill="none" stroke="black"/> | <td>25</td> | |||
<path d="M 8,128 L 448,128" fill="none" stroke="black"/> | <td>24, -45, 16, 5, -8, 24, -45</td> | |||
<path d="M 8,160 L 448,160" fill="none" stroke="black"/> | <td>ChaCha20/Poly1305, SHAKE256, 16, X448, EdDSA, | |||
<g class="text"> | ChaCha20/Poly1305, SHAKE256</td> | |||
<text x="40" y="52">Range</text> | <td>RFC 9528</td> | |||
<text x="204" y="52">Registration</text> | </tr> | |||
<text x="300" y="52">Procedures</text> | </tbody> | |||
<text x="44" y="84">-65536</text> | </table> | |||
<text x="84" y="84">to</text> | ||||
<text x="112" y="84">-25</text> | <table> | |||
<text x="208" y="84">Specification</text> | <name>Registration Procedures for EDHOC Cipher Suites</name> | |||
<text x="300" y="84">Required</text> | <thead> | |||
<text x="32" y="116">-20</text> | <tr> | |||
<text x="60" y="116">to</text> | <th>Range</th> | |||
<text x="84" y="116">23</text> | <th>Registration Procedures</th> | |||
<text x="192" y="116">Standards</text> | </tr> | |||
<text x="260" y="116">Action</text> | </thead> | |||
<text x="308" y="116">with</text> | <tbody> | |||
<text x="356" y="116">Expert</text> | <tr> | |||
<text x="412" y="116">Review</text> | <td>-65536 to -25</td> | |||
<text x="28" y="148">24</text> | <td>Specification Required</td> | |||
<text x="52" y="148">to</text> | </tr> | |||
<text x="88" y="148">65535</text> | <tr> | |||
<text x="208" y="148">Specification</text> | <td>-24 to -21</td> | |||
<text x="300" y="148">Required</text> | <td>Private Use</td> | |||
</g> | </tr> | |||
</svg> | <tr> | |||
</artwork> | <td>-20 to 23</td> | |||
<artwork type="ascii-art"><![CDATA[ | <td>Standards Action with Expert Review</td> | |||
+----------------+-------------------------------------+ | </tr> | |||
| Range | Registration Procedures | | <tr> | |||
+================+=====================================+ | <td>24 to 65535</td> | |||
| -65536 to -25 | Specification Required | | <td>Specification Required</td> | |||
+----------------+-------------------------------------+ | </tr> | |||
| -20 to 23 | Standards Action with Expert Review | | </tbody> | |||
+----------------+-------------------------------------+ | </table> | |||
| 24 to 65535 | Specification Required | | ||||
+----------------+-------------------------------------+ | ||||
]]></artwork> | ||||
</artset> | ||||
</section> | </section> | |||
<section anchor="method-types"> | <section anchor="method-types"> | |||
<name>EDHOC Method Type Registry</name> | <name>EDHOC Method Type Registry</name> | |||
<t>IANA is requested to create a new registry under the new registry gro | <t>IANA has created a new registry under the new registry group "Ephemer | |||
up "Ephemeral Diffie-Hellman Over COSE (EDHOC)" as follows:</t> | al Diffie-Hellman Over COSE (EDHOC)" as follows:</t> | |||
<t>Registry Name: EDHOC Method Type</t> | <dl newline="false" spacing="normal"> | |||
<t>Reference: [[this document]]</t> | <dt>Registry Name:</dt> <dd>EDHOC Method Types</dd> | |||
<t>The columns of the registry are Value, Initiator Authentication Key, | <dt>Reference:</dt> <dd>RFC 9528</dd> | |||
and Responder Authentication Key, and Reference, where Value is an integer and t | </dl> | |||
he key columns are text strings describing the authentication keys.</t> | <t>The columns of the registry are Value, Initiator Authentication Key, | |||
<t>The initial contents of the registry are shown in <xref target="fig-m | Responder Authentication Key, and Reference, where Value is an integer and the k | |||
ethod-types"/>. Method 23 is Reserved.</t> | ey columns are text strings describing the authentication keys.</t> | |||
<artset> | <t>The initial contents of the registry are shown in <xref target="tab-m | |||
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1 | ethod-types"/>. Method 23 is Reserved.</t> | |||
.1" height="176" width="456" viewBox="0 0 456 176" class="diagram" text-anchor=" | ||||
middle" font-family="monospace" font-size="13px" stroke-linecap="round"> | <table> | |||
<path d="M 8,32 L 8,160" fill="none" stroke="black"/> | <name>Registration Procedures for EDHOC Method Types</name> | |||
<path d="M 144,32 L 144,160" fill="none" stroke="black"/> | <thead> | |||
<path d="M 448,32 L 448,160" fill="none" stroke="black"/> | <tr> | |||
<path d="M 8,32 L 448,32" fill="none" stroke="black"/> | <th>Range</th> | |||
<path d="M 8,62 L 448,62" fill="none" stroke="black"/> | <th>Registration Procedures</th> | |||
<path d="M 8,66 L 448,66" fill="none" stroke="black"/> | </tr> | |||
<path d="M 8,96 L 448,96" fill="none" stroke="black"/> | </thead> | |||
<path d="M 8,128 L 448,128" fill="none" stroke="black"/> | <tbody> | |||
<path d="M 8,160 L 448,160" fill="none" stroke="black"/> | <tr> | |||
<g class="text"> | <td>-65536 to -25</td> | |||
<text x="40" y="52">Range</text> | <td>Specification Required</td> | |||
<text x="204" y="52">Registration</text> | </tr> | |||
<text x="300" y="52">Procedures</text> | <tr> | |||
<text x="44" y="84">-65536</text> | <td>-24 to 23</td> | |||
<text x="84" y="84">to</text> | <td>Standards Action with Expert Review</td> | |||
<text x="112" y="84">-25</text> | </tr> | |||
<text x="208" y="84">Specification</text> | <tr> | |||
<text x="300" y="84">Required</text> | <td>24 to 65535</td> | |||
<text x="32" y="116">-24</text> | <td>Specification Required</td> | |||
<text x="60" y="116">to</text> | </tr> | |||
<text x="84" y="116">23</text> | </tbody> | |||
<text x="192" y="116">Standards</text> | </table> | |||
<text x="260" y="116">Action</text> | ||||
<text x="308" y="116">with</text> | ||||
<text x="356" y="116">Expert</text> | ||||
<text x="412" y="116">Review</text> | ||||
<text x="28" y="148">24</text> | ||||
<text x="52" y="148">to</text> | ||||
<text x="88" y="148">65535</text> | ||||
<text x="208" y="148">Specification</text> | ||||
<text x="300" y="148">Required</text> | ||||
</g> | ||||
</svg> | ||||
</artwork> | ||||
<artwork type="ascii-art"><![CDATA[ | ||||
+----------------+-------------------------------------+ | ||||
| Range | Registration Procedures | | ||||
+================+=====================================+ | ||||
| -65536 to -25 | Specification Required | | ||||
+----------------+-------------------------------------+ | ||||
| -24 to 23 | Standards Action with Expert Review | | ||||
+----------------+-------------------------------------+ | ||||
| 24 to 65535 | Specification Required | | ||||
+----------------+-------------------------------------+ | ||||
]]></artwork> | ||||
</artset> | ||||
</section> | </section> | |||
<section anchor="error-code-reg"> | <section anchor="error-code-reg"> | |||
<name>EDHOC Error Codes Registry</name> | <name>EDHOC Error Codes Registry</name> | |||
<t>IANA is requested to create a new registry under the new registry gro | <t>IANA has created a new registry under the new registry group "Ephemer | |||
up "Ephemeral Diffie-Hellman Over COSE (EDHOC)" as follows:</t> | al Diffie-Hellman Over COSE (EDHOC)" as follows:</t> | |||
<t>Registry Name: EDHOC Error Codes</t> | <dl newline="false" spacing="normal"> | |||
<t>Reference: [[this document]]</t> | <dt>Registry Name:</dt> <dd>EDHOC Error Codes</dd> | |||
<t>The columns of the registry are ERR_CODE, ERR_INFO Type, Description, | <dt>Reference:</dt> <dd>RFC 9528</dd> | |||
and Reference, where ERR_CODE is an integer, ERR_INFO is a CDDL defined type, a | </dl> | |||
nd Description is a text string. The initial contents of the registry are shown | <t>The columns of the registry are ERR_CODE, ERR_INFO Type, Description, | |||
in <xref target="fig-error-codes"/>. Error code 23 is Reserved.</t> | Change Controller, and Reference, where ERR_CODE is an integer, ERR_INFO is a C | |||
<artset> | DDL defined type, and Description is a text string. The initial contents of the | |||
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1 | registry are shown in <xref target="tab-error-codes"/>. Error code 23 is Reserve | |||
.1" height="176" width="456" viewBox="0 0 456 176" class="diagram" text-anchor=" | d. This registry also has a "Change Controller" field. For registrations made by | |||
middle" font-family="monospace" font-size="13px" stroke-linecap="round"> | IETF documents, the IETF is listed.</t> | |||
<path d="M 8,32 L 8,160" fill="none" stroke="black"/> | ||||
<path d="M 144,32 L 144,160" fill="none" stroke="black"/> | <table> | |||
<path d="M 448,32 L 448,160" fill="none" stroke="black"/> | <name>Registration Procedures for EDHOC Error Codes</name> | |||
<path d="M 8,32 L 448,32" fill="none" stroke="black"/> | <thead> | |||
<path d="M 8,62 L 448,62" fill="none" stroke="black"/> | <tr> | |||
<path d="M 8,66 L 448,66" fill="none" stroke="black"/> | <th>Range</th> | |||
<path d="M 8,96 L 448,96" fill="none" stroke="black"/> | <th>Registration Procedures</th> | |||
<path d="M 8,128 L 448,128" fill="none" stroke="black"/> | </tr> | |||
<path d="M 8,160 L 448,160" fill="none" stroke="black"/> | </thead> | |||
<g class="text"> | <tbody> | |||
<text x="40" y="52">Range</text> | <tr> | |||
<text x="204" y="52">Registration</text> | <td>-65536 to -25</td> | |||
<text x="300" y="52">Procedures</text> | <td>Expert Review</td> | |||
<text x="44" y="84">-65536</text> | </tr><tr> | |||
<text x="84" y="84">to</text> | <td>-24 to 23</td> | |||
<text x="112" y="84">-25</text> | <td>Standards Action</td> | |||
<text x="180" y="84">Expert</text> | </tr><tr> | |||
<text x="236" y="84">Review</text> | <td>24 to 65535</td> | |||
<text x="32" y="116">-24</text> | <td>Expert Review</td> | |||
<text x="60" y="116">to</text> | </tr> | |||
<text x="84" y="116">23</text> | </tbody> | |||
<text x="192" y="116">Standards</text> | </table> | |||
<text x="260" y="116">Action</text> | ||||
<text x="28" y="148">24</text> | ||||
<text x="52" y="148">to</text> | ||||
<text x="88" y="148">65535</text> | ||||
<text x="180" y="148">Expert</text> | ||||
<text x="236" y="148">Review</text> | ||||
</g> | ||||
</svg> | ||||
</artwork> | ||||
<artwork type="ascii-art"><![CDATA[ | ||||
+----------------+-------------------------------------+ | ||||
| Range | Registration Procedures | | ||||
+================+=====================================+ | ||||
| -65536 to -25 | Expert Review | | ||||
+----------------+-------------------------------------+ | ||||
| -24 to 23 | Standards Action | | ||||
+----------------+-------------------------------------+ | ||||
| 24 to 65535 | Expert Review | | ||||
+----------------+-------------------------------------+ | ||||
]]></artwork> | ||||
</artset> | ||||
</section> | </section> | |||
<section anchor="iana-ead"> | <section anchor="iana-ead"> | |||
<name>EDHOC External Authorization Data Registry</name> | <name>EDHOC External Authorization Data Registry</name> | |||
<t>IANA is requested to create a new registry under the new registry gro | <t>IANA has created a new registry under the new registry group "Ephemer | |||
up "Ephemeral Diffie-Hellman Over COSE (EDHOC)" as follows:</t> | al Diffie-Hellman Over COSE (EDHOC)" as follows:</t> | |||
<t>Registry Name: EDHOC External Authorization Data</t> | <dl newline="false" spacing="normal"> | |||
<t>Reference: [[this document]]</t> | <dt>Registry Name:</dt> <dd>EDHOC External Authorization Data</dd> | |||
<t>The columns of the registry are Name, Label, Description, and Referen | <dt>Reference:</dt> <dd>RFC 9528</dd> | |||
ce, where Label is a non-negative integer and the other columns are text strings | </dl> | |||
. The initial contents of the registry is shown in <xref target="fig-ead-labels" | <t>The columns of the registry are Name, Label, Description, and Referen | |||
/>. EAD label 23 is Reserved.</t> | ce, where Label is a nonnegative integer and the other columns are text strings. | |||
<figure anchor="fig-ead-labels"> | The initial contents of the registry are shown in <xref target="tab-ead-labels" | |||
<name>EAD labels.</name> | />. EAD label 23 is Reserved.</t> | |||
<artset> | ||||
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version= | <table anchor="tab-ead-labels"> | |||
"1.1" height="128" width="536" viewBox="0 0 536 128" class="diagram" text-anchor | <name>EDHOC EAD Labels</name> | |||
="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> | <thead> | |||
<path d="M 8,32 L 8,112" fill="none" stroke="black"/> | <tr> | |||
<path d="M 104,32 L 104,112" fill="none" stroke="black"/> | <th>Name</th> | |||
<path d="M 168,32 L 168,112" fill="none" stroke="black"/> | <th>Label</th> | |||
<path d="M 368,32 L 368,112" fill="none" stroke="black"/> | <th>Description</th> | |||
<path d="M 528,32 L 528,112" fill="none" stroke="black"/> | <th>Reference</th> | |||
<path d="M 8,32 L 528,32" fill="none" stroke="black"/> | </tr> | |||
<path d="M 8,62 L 528,62" fill="none" stroke="black"/> | </thead> | |||
<path d="M 8,66 L 528,66" fill="none" stroke="black"/> | <tbody> | |||
<path d="M 8,112 L 528,112" fill="none" stroke="black"/> | <tr> | |||
<g class="text"> | <td>Padding</td> | |||
<text x="36" y="52">Name</text> | <td>0</td> | |||
<text x="136" y="52">Label</text> | <td>Randomly generated CBOR byte string</td> | |||
<text x="224" y="52">Description</text> | <td>RFC 9528, <xref target="padding"/></td> | |||
<text x="416" y="52">Reference</text> | </tr> | |||
<text x="48" y="84">Padding</text> | <tr> | |||
<text x="136" y="84">0</text> | <td></td> | |||
<text x="212" y="84">Randomly</text> | <td>23</td> | |||
<text x="288" y="84">generated</text> | <td>Reserved</td> | |||
<text x="404" y="84">[[this</text> | <td>RFC 9528</td> | |||
<text x="476" y="84">document]]</text> | </tr> | |||
<text x="196" y="100">CBOR</text> | </tbody> | |||
<text x="236" y="100">byte</text> | </table> | |||
<text x="284" y="100">string</text> | ||||
<text x="408" y="100">Section</text> | <table> | |||
<text x="464" y="100">3.8.1</text> | <name>Registration procedures for EDHOC EAD Labels</name> | |||
</g> | <thead> | |||
</svg> | <tr> | |||
</artwork> | <th>Range</th> | |||
<artwork type="ascii-art"><![CDATA[ | <th>Registration Procedures</th> | |||
+-----------+-------+------------------------+-------------------+ | </tr> | |||
| Name | Label | Description | Reference | | </thead> | |||
+===========+=======+========================+===================+ | <tbody> | |||
| Padding | 0 | Randomly generated | [[this document]] | | <tr> | |||
| | | CBOR byte string | Section 3.8.1 | | <td>0 to 23</td> | |||
+-----------+-------+------------------------+-------------------+ | <td>Standards Action with Expert Review</td> | |||
]]></artwork> | </tr><tr> | |||
</artset> | <td>24 to 65535</td> | |||
</figure> | <td>Specification Required</td> | |||
<artset> | </tr> | |||
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1 | </tbody> | |||
.1" height="160" width="432" viewBox="0 0 432 160" class="diagram" text-anchor=" | </table> | |||
middle" font-family="monospace" font-size="13px" stroke-linecap="round"> | ||||
<path d="M 8,32 L 8,128" fill="none" stroke="black"/> | ||||
<path d="M 120,32 L 120,128" fill="none" stroke="black"/> | ||||
<path d="M 424,32 L 424,128" fill="none" stroke="black"/> | ||||
<path d="M 8,32 L 424,32" fill="none" stroke="black"/> | ||||
<path d="M 8,62 L 424,62" fill="none" stroke="black"/> | ||||
<path d="M 8,66 L 424,66" fill="none" stroke="black"/> | ||||
<path d="M 8,96 L 424,96" fill="none" stroke="black"/> | ||||
<path d="M 8,128 L 424,128" fill="none" stroke="black"/> | ||||
<g class="text"> | ||||
<text x="40" y="52">Range</text> | ||||
<text x="180" y="52">Registration</text> | ||||
<text x="276" y="52">Procedures</text> | ||||
<text x="24" y="84">0</text> | ||||
<text x="44" y="84">to</text> | ||||
<text x="68" y="84">23</text> | ||||
<text x="168" y="84">Standards</text> | ||||
<text x="236" y="84">Action</text> | ||||
<text x="284" y="84">with</text> | ||||
<text x="332" y="84">Expert</text> | ||||
<text x="388" y="84">Review</text> | ||||
<text x="28" y="116">24</text> | ||||
<text x="52" y="116">to</text> | ||||
<text x="88" y="116">65535</text> | ||||
<text x="184" y="116">Specification</text> | ||||
<text x="276" y="116">Required</text> | ||||
</g> | ||||
</svg> | ||||
</artwork> | ||||
<artwork type="ascii-art"><![CDATA[ | ||||
+-------------+-------------------------------------+ | ||||
| Range | Registration Procedures | | ||||
+=============+=====================================+ | ||||
| 0 to 23 | Standards Action with Expert Review | | ||||
+-------------+-------------------------------------+ | ||||
| 24 to 65535 | Specification Required | | ||||
+-------------+-------------------------------------+ | ||||
]]></artwork> | ||||
</artset> | ||||
</section> | </section> | |||
<section anchor="cwt-header-param"> | <section anchor="cwt-header-param"> | |||
<name>COSE Header Parameters Registry</name> | <name>COSE Header Parameters Registry</name> | |||
<t>IANA is requested to register the following entries in the "COSE Head | <t>IANA has registered the following entries in the "COSE Header Paramet | |||
er Parameters" registry under the registry group "CBOR Object Signing and Encryp | ers" registry under the registry group "CBOR Object Signing and Encryption (COSE | |||
tion (COSE)" (see <xref target="fig-header-params"/>): The value of the 'kcwt' h | )" (see <xref target="tab-header-params"/>). The value of the 'kcwt' header para | |||
eader parameter is a COSE Web Token (CWT) <xref target="RFC8392"/>, and the valu | meter is a COSE Web Token (CWT) <xref target="RFC8392"/>, and the value of the ' | |||
e of the 'kccs' header parameter is a CWT Claims Set (CCS), see <xref target="te | kccs' header parameter is a CWT Claims Set (CCS); see <xref target="term"/>. The | |||
rm"/>. The CWT/CCS must contain a COSE_Key in a 'cnf' claim <xref target="RFC874 | CWT/CCS must contain a COSE_Key in a 'cnf' claim <xref target="RFC8747"/>. The | |||
7"/>. The Value Registry for this item is empty and omitted from the table below | Value Registry column for this item is empty and omitted from the table below.</ | |||
.</t> | t> | |||
<figure anchor="fig-header-params"> | ||||
<name>COSE header parameter labels.</name> | <table anchor="tab-header-params"> | |||
<artset> | <name>COSE Header Parameter Labels</name> | |||
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version= | ||||
"1.1" height="256" width="560" viewBox="0 0 560 256" class="diagram" text-anchor | <thead> | |||
="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> | <tr> | |||
<path d="M 8,32 L 8,240" fill="none" stroke="black"/> | <th>Name</th> | |||
<path d="M 64,32 L 64,240" fill="none" stroke="black"/> | <th>Label</th> | |||
<path d="M 128,32 L 128,240" fill="none" stroke="black"/> | <th>Value Type</th> | |||
<path d="M 256,32 L 256,240" fill="none" stroke="black"/> | <th>Description</th> | |||
<path d="M 552,32 L 552,240" fill="none" stroke="black"/> | </tr> | |||
<path d="M 8,32 L 552,32" fill="none" stroke="black"/> | </thead> | |||
<path d="M 8,62 L 552,62" fill="none" stroke="black"/> | <tbody> | |||
<path d="M 8,66 L 552,66" fill="none" stroke="black"/> | <tr> | |||
<path d="M 8,160 L 552,160" fill="none" stroke="black"/> | <td>kcwt</td> | |||
<path d="M 8,240 L 552,240" fill="none" stroke="black"/> | <td>13</td> | |||
<g class="text"> | <td>COSE_Messages</td> | |||
<text x="36" y="52">Name</text> | <td>A CBOR Web Token (CWT) containing | |||
<text x="96" y="52">Label</text> | a COSE_Key in a 'cnf' claim and | |||
<text x="160" y="52">Value</text> | possibly other claims. CWT is | |||
<text x="204" y="52">Type</text> | defined in RFC 8392. COSE_Messages | |||
<text x="312" y="52">Description</text> | is defined in RFC 9052.</td> | |||
<text x="36" y="84">kcwt</text> | </tr><tr> | |||
<text x="92" y="84">TBD1</text> | <td>kccs</td> | |||
<text x="192" y="84">COSE_Messages</text> | <td>14</td> | |||
<text x="272" y="84">A</text> | <td>map</td> | |||
<text x="300" y="84">CBOR</text> | <td>A CWT Claims Set (CCS) containing | |||
<text x="336" y="84">Web</text> | a COSE_Key in a 'cnf' claim and | |||
<text x="376" y="84">Token</text> | possibly other claims. CCS is | |||
<text x="424" y="84">(CWT)</text> | defined in RFC 8392.</td> | |||
<text x="492" y="84">containing</text> | </tr> | |||
<text x="272" y="100">a</text> | </tbody> | |||
<text x="316" y="100">COSE_Key</text> | </table> | |||
<text x="364" y="100">in</text> | ||||
<text x="384" y="100">a</text> | ||||
<text x="416" y="100">'cnf'</text> | ||||
<text x="464" y="100">claim</text> | ||||
<text x="504" y="100">and</text> | ||||
<text x="300" y="116">possibly</text> | ||||
<text x="360" y="116">other</text> | ||||
<text x="416" y="116">claims.</text> | ||||
<text x="464" y="116">CWT</text> | ||||
<text x="492" y="116">is</text> | ||||
<text x="296" y="132">defined</text> | ||||
<text x="340" y="132">in</text> | ||||
<text x="368" y="132">RFC</text> | ||||
<text x="408" y="132">8392.</text> | ||||
<text x="488" y="132">COSE_Messages</text> | ||||
<text x="276" y="148">is</text> | ||||
<text x="320" y="148">defined</text> | ||||
<text x="364" y="148">in</text> | ||||
<text x="392" y="148">RFC</text> | ||||
<text x="432" y="148">9052.</text> | ||||
<text x="36" y="180">kccs</text> | ||||
<text x="92" y="180">TBD2</text> | ||||
<text x="152" y="180">map</text> | ||||
<text x="272" y="180">A</text> | ||||
<text x="296" y="180">CWT</text> | ||||
<text x="340" y="180">Claims</text> | ||||
<text x="384" y="180">Set</text> | ||||
<text x="424" y="180">(CCS)</text> | ||||
<text x="492" y="180">containing</text> | ||||
<text x="272" y="196">a</text> | ||||
<text x="316" y="196">COSE_Key</text> | ||||
<text x="364" y="196">in</text> | ||||
<text x="384" y="196">a</text> | ||||
<text x="416" y="196">'cnf'</text> | ||||
<text x="464" y="196">claim</text> | ||||
<text x="504" y="196">and</text> | ||||
<text x="300" y="212">possibly</text> | ||||
<text x="360" y="212">other</text> | ||||
<text x="416" y="212">claims.</text> | ||||
<text x="464" y="212">CCS</text> | ||||
<text x="492" y="212">is</text> | ||||
<text x="296" y="228">defined</text> | ||||
<text x="340" y="228">in</text> | ||||
<text x="368" y="228">RFC</text> | ||||
<text x="408" y="228">8392.</text> | ||||
</g> | ||||
</svg> | ||||
</artwork> | ||||
<artwork type="ascii-art"><![CDATA[ | ||||
+------+-------+---------------+------------------------------------+ | ||||
| Name | Label | Value Type | Description | | ||||
+======+=======+===============+====================================+ | ||||
| kcwt | TBD1 | COSE_Messages | A CBOR Web Token (CWT) containing | | ||||
| | | | a COSE_Key in a 'cnf' claim and | | ||||
| | | | possibly other claims. CWT is | | ||||
| | | | defined in RFC 8392. COSE_Messages | | ||||
| | | | is defined in RFC 9052. | | ||||
+------+-------+---------------+------------------------------------+ | ||||
| kccs | TBD2 | map | A CWT Claims Set (CCS) containing | | ||||
| | | | a COSE_Key in a 'cnf' claim and | | ||||
| | | | possibly other claims. CCS is | | ||||
| | | | defined in RFC 8392. | | ||||
+------+-------+---------------+------------------------------------+ | ||||
]]></artwork> | ||||
</artset> | ||||
</figure> | ||||
</section> | </section> | |||
<section anchor="well-known"> | <section anchor="well-known"> | |||
<name>The Well-Known URI Registry</name> | <name>Well-Known URI Registry</name> | |||
<t>IANA is requested to add the well-known URI "edhoc" to the "Well-Know | <t>IANA has added the well-known URI "edhoc" to the "Well-Known URIs" re | |||
n URIs" registry.</t> | gistry.</t> | |||
<ul spacing="normal"> | <dl> | |||
<li>URI suffix: edhoc</li> | <dt>URI Suffix:</dt><dd>edhoc</dd> | |||
<li>Change controller: IETF</li> | <dt>Change Controller:</dt><dd>IETF</dd> | |||
<li>Specification document(s): [[this document]]</li> | <dt>Reference:</dt><dd>RFC 9528</dd> | |||
<li>Related information: None</li> | <dt>Related Information:</dt><dd> None</dd> | |||
</ul> | </dl> | |||
</section> | </section> | |||
<section anchor="media-type"> | <section anchor="media-type"> | |||
<name>Media Types Registry</name> | <name>Media Types Registry</name> | |||
<t>IANA is requested to add the media types "application/edhoc+cbor-seq" and "application/cid-edhoc+cbor-seq" to the "Media Types" registry.</t> | <t>IANA has added the media types "application/edhoc+cbor-seq" and "appl ication/cid-edhoc+cbor-seq" to the "Media Types" registry.</t> | |||
<section anchor="applicationedhoccbor-seq-media-type-registration"> | <section anchor="applicationedhoccbor-seq-media-type-registration"> | |||
<name>application/edhoc+cbor-seq Media Type Registration</name> | <name>application/edhoc+cbor-seq Media Type Registration</name> | |||
<ul spacing="normal"> | <dl> | |||
<li>Type name: application</li> | <dt>Type name:</dt><dd> application</dd> | |||
<li>Subtype name: edhoc+cbor-seq</li> | <dt>Subtype name:</dt><dd> edhoc+cbor-seq</dd> | |||
<li>Required parameters: N/A</li> | <dt>Required parameters:</dt><dd> N/A</dd> | |||
<li>Optional parameters: N/A</li> | <dt>Optional parameters:</dt><dd> N/A</dd> | |||
<li>Encoding considerations: binary</li> | <dt>Encoding considerations:</dt><dd> binary</dd> | |||
<li>Security considerations: See Section 7 of this document.</li> | <dt>Security considerations:</dt><dd>See <xref target="duplication"/ | |||
<li>Interoperability considerations: N/A</li> | > of RFC 9528.</dd> | |||
<li>Published specification: [[this document]] (this document)</li> | <dt>Interoperability considerations:</dt><dd> N/A</dd> | |||
<li>Applications that use this media type: To be identified</li> | <dt>Published specification:</dt><dd>RFC 9528</dd> | |||
<li>Fragment identifier considerations: N/A</li> | <dt>Applications that use this media type:</dt><dd> To be identified | |||
<li> | </dd> | |||
<t>Additional information: </t> | <dt>Fragment identifier considerations:</dt><dd> N/A</dd> | |||
<ul spacing="normal"> | ||||
<li>Magic number(s): N/A</li> | <dt>Additional information: </dt> | |||
<li>File extension(s): N/A</li> | <dd> | |||
<li>Macintosh file type code(s): N/A</li> | <t><br/></t> | |||
</ul> | <dl> | |||
</li> | <dt>Magic number(s):</dt><dd> N/A</dd> | |||
<li>Person & email address to contact for further information: S | <dt>File extension(s):</dt><dd> N/A</dd> | |||
ee "Authors' Addresses" section.</li> | <dt>Macintosh file type code(s):</dt><dd> N/A</dd> | |||
<li>Intended usage: COMMON</li> | </dl> | |||
<li>Restrictions on usage: N/A</li> | </dd> | |||
<li>Author: See "Authors' Addresses" section.</li> | ||||
<li>Change Controller: IESG</li> | <dt>Person & email address to contact for further information:</ | |||
</ul> | dt><dd> See "Authors' Addresses" section in RFC 9528.</dd> | |||
</section> | <dt>Intended usage:</dt><dd> COMMON</dd> | |||
<dt>Restrictions on usage:</dt><dd> N/A</dd> | ||||
<dt>Author:</dt><dd> See "Authors' Addresses" section.</dd> | ||||
<dt>Change Controller:</dt><dd> IETF</dd> | ||||
</dl> | ||||
</section> | ||||
<section anchor="applicationcid-edhoccbor-seq-media-type-registration"> | <section anchor="applicationcid-edhoccbor-seq-media-type-registration"> | |||
<name>application/cid-edhoc+cbor-seq Media Type Registration</name> | <name>application/cid-edhoc+cbor-seq Media Type Registration</name> | |||
<ul spacing="normal"> | <dl> | |||
<li>Type name: application</li> | <dt>Type name:</dt><dd> application</dd> | |||
<li>Subtype name: cid-edhoc+cbor-seq</li> | <dt>Subtype name:</dt><dd> cid-edhoc+cbor-seq</dd> | |||
<li>Required parameters: N/A</li> | <dt>Required parameters:</dt><dd> N/A</dd> | |||
<li>Optional parameters: N/A</li> | <dt>Optional parameters:</dt><dd> N/A</dd> | |||
<li>Encoding considerations: binary</li> | <dt>Encoding considerations:</dt><dd> binary</dd> | |||
<li>Security considerations: See Section 7 of this document.</li> | <dt>Security considerations:</dt><dd> See <xref target="duplication" | |||
<li>Interoperability considerations: N/A</li> | /> of RFC 9528.</dd> | |||
<li>Published specification: [[this document]] (this document)</li> | <dt>Interoperability considerations:</dt><dd> N/A</dd> | |||
<li>Applications that use this media type: To be identified</li> | <dt>Published specification:</dt><dd>RFC 9528</dd> | |||
<li>Fragment identifier considerations: N/A</li> | <dt>Applications that use this media type:</dt><dd> To be identified | |||
<li> | </dd> | |||
<t>Additional information: </t> | <dt>Fragment identifier considerations:</dt><dd> N/A</dd> | |||
<ul spacing="normal"> | ||||
<li>Magic number(s): N/A</li> | <dt>Additional information:</dt> | |||
<li>File extension(s): N/A</li> | <dd> | |||
<li>Macintosh file type code(s): N/A</li> | <t><br/></t> | |||
</ul> | <dl> | |||
</li> | <dt>Magic number(s):</dt><dd> N/A</dd> | |||
<li>Person & email address to contact for further information: S | <dt>File extension(s):</dt><dd> N/A</dd> | |||
ee "Authors' Addresses" section.</li> | <dt>Macintosh file type code(s):</dt><dd> N/A</dd> | |||
<li>Intended usage: COMMON</li> | </dl> | |||
<li>Restrictions on usage: N/A</li> | </dd> | |||
<li>Author: See "Authors' Addresses" section.</li> | ||||
<li>Change Controller: IESG</li> | <dt>Person & email address to contact for further information:</ | |||
</ul> | dt><dd> See "Authors' Addresses" section in RFC 9528.</dd> | |||
<dt>Intended usage:</dt><dd> COMMON</dd> | ||||
<dt>Restrictions on usage:</dt><dd> N/A</dd> | ||||
<dt>Author:</dt><dd> See "Authors' Addresses" section.</dd> | ||||
<dt>Change Controller:</dt><dd> IETF</dd> | ||||
</dl> | ||||
</section> | </section> | |||
</section> | </section> | |||
<section anchor="content-format"> | <section anchor="content-format"> | |||
<name>CoAP Content-Formats Registry</name> | <name>CoAP Content-Formats Registry</name> | |||
<t>IANA is requested to add the media types "application/edhoc+cbor-seq" | <t>IANA has added the media types "application/edhoc+cbor-seq" and "appl | |||
and "application/cid-edhoc+cbor-seq" to the "CoAP Content-Formats" registry und | ication/cid-edhoc+cbor-seq" to the "CoAP Content-Formats" registry under the reg | |||
er the registry group "Constrained RESTful Environments (CoRE) Parameters".</t> | istry group "Constrained RESTful Environments (CoRE) Parameters".</t> | |||
<figure anchor="fig-format-ids"> | ||||
<name>CoAP Content-Format IDs</name> | <table anchor="tab-format-ids"> | |||
<artset> | <name>CoAP Content-Format IDs</name> | |||
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version= | <thead> | |||
"1.1" height="128" width="584" viewBox="0 0 584 128" class="diagram" text-anchor | <tr> | |||
="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> | <th>Content Type</th> | |||
<path d="M 8,32 L 8,112" fill="none" stroke="black"/> | <th>Content Coding</th> | |||
<path d="M 272,32 L 272,112" fill="none" stroke="black"/> | <th>ID</th> | |||
<path d="M 360,32 L 360,112" fill="none" stroke="black"/> | <th>Reference</th> | |||
<path d="M 416,32 L 416,112" fill="none" stroke="black"/> | </tr> | |||
<path d="M 576,32 L 576,112" fill="none" stroke="black"/> | </thead> | |||
<path d="M 8,32 L 576,32" fill="none" stroke="black"/> | <tbody> | |||
<path d="M 8,62 L 576,62" fill="none" stroke="black"/> | <tr> | |||
<path d="M 8,66 L 576,66" fill="none" stroke="black"/> | <td>application/edhoc+cbor-seq</td> | |||
<path d="M 8,112 L 576,112" fill="none" stroke="black"/> | <td>-</td> | |||
<g class="text"> | <td>64</td> | |||
<text x="40" y="52">Media</text> | <td>RFC 9528</td> | |||
<text x="84" y="52">Type</text> | </tr><tr> | |||
<text x="316" y="52">Encoding</text> | <td>application/cid-edhoc+cbor-seq</td> | |||
<text x="380" y="52">ID</text> | <td>-</td> | |||
<text x="464" y="52">Reference</text> | <td>65</td> | |||
<text x="124" y="84">application/edhoc+cbor-seq</text> | <td>RFC 9528</td> | |||
<text x="288" y="84">-</text> | </tr> | |||
<text x="388" y="84">TBD5</text> | </tbody> | |||
<text x="452" y="84">[[this</text> | </table> | |||
<text x="524" y="84">document]]</text> | ||||
<text x="140" y="100">application/cid-edhoc+cbor-seq</text> | ||||
<text x="288" y="100">-</text> | ||||
<text x="388" y="100">TBD6</text> | ||||
<text x="452" y="100">[[this</text> | ||||
<text x="524" y="100">document]]</text> | ||||
</g> | ||||
</svg> | ||||
</artwork> | ||||
<artwork type="ascii-art"><![CDATA[ | ||||
+--------------------------------+----------+------+-------------------+ | ||||
| Media Type | Encoding | ID | Reference | | ||||
+================================+==========+======+===================+ | ||||
| application/edhoc+cbor-seq | - | TBD5 | [[this document]] | | ||||
| application/cid-edhoc+cbor-seq | - | TBD6 | [[this document]] | | ||||
+--------------------------------+----------+------+-------------------+ | ||||
]]></artwork> | ||||
</artset> | ||||
</figure> | ||||
</section> | </section> | |||
<section anchor="rt"> | <section anchor="rt"> | |||
<name>Resource Type (rt=) Link Target Attribute Values Registry</name> | <name>Resource Type (rt=) Link Target Attribute Values Registry</name> | |||
<t>IANA is requested to add the resource type "core.edhoc" to the "Resou | <t>IANA has added the resource type "core.edhoc" to the "Resource Type ( | |||
rce Type (rt=) Link Target Attribute Values" registry under the registry group " | rt=) Link Target Attribute Values" registry under the registry group "Constraine | |||
Constrained RESTful Environments (CoRE) Parameters".</t> | d RESTful Environments (CoRE) Parameters".</t> | |||
<ul spacing="normal"> | <dl> | |||
<li>Value: "core.edhoc"</li> | <dt>Value:</dt><dd>"core.edhoc"</dd> | |||
<li>Description: EDHOC resource.</li> | <dt>Description:</dt><dd>EDHOC resource.</dd> | |||
<li>Reference: [[this document]]</li> | <dt>Reference:</dt><dd>RFC 9528</dd> | |||
</ul> | </dl> | |||
</section> | </section> | |||
<section anchor="expert-review-instructions"> | <section anchor="expert-review-instructions"> | |||
<name>Expert Review Instructions</name> | <name>Expert Review Instructions</name> | |||
<t>The IANA Registries established in this document are defined as "Expe rt Review", "Specification Required" or "Standards Action with Expert Review". This section gives some general guidelines for what the experts should be lookin g for, but they are being designated as experts for a reason so they should be g iven substantial latitude.</t> | <t>The IANA registries established in this document are defined as "Expe rt Review", "Specification Required", or "Standards Action with Expert Review". This section gives some general guidelines for what the experts should be looki ng for, but they are being designated as experts for a reason so they should be given substantial latitude.</t> | |||
<t>Expert reviewers should take into consideration the following points: </t> | <t>Expert reviewers should take into consideration the following points: </t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>Clarity and correctness of registrations. Experts are expected to | <li>The clarity and correctness of registrations. Experts are expected | |||
check the clarity of purpose and use of the requested entries. Expert needs to m | to check the clarity of purpose and use of the requested entries. Expert needs | |||
ake sure the values of algorithms are taken from the right registry, when that i | to make sure the values of algorithms are taken from the right registry when tha | |||
s required. Experts should consider requesting an opinion on the correctness of | t is required. Experts should consider requesting an opinion on the correctness | |||
registered parameters from relevant IETF working groups. Encodings that do not m | of registered parameters from relevant IETF working groups. Encodings that do no | |||
eet these objective of clarity and completeness should not be registered.</li> | t meet these objectives of clarity and completeness should not be registered.</l | |||
<li>Experts should take into account the expected usage of fields when | i> | |||
approving code point assignment. The length of the encoded value should be weig | <li>The expected usage of fields when approving code point assignment. | |||
hed against how many code points of that length are left, the size of device it | The length of the encoded value should be weighed against how many code points | |||
will be used on, and the number of code points left that encode to that size.</l | of that length are left, the size of device it will be used on, and the number o | |||
i> | f code points left that encode to that size.</li> | |||
<li>Even for "Expert Review" specifications are recommended. When spec | <li>The fact that even "Expert Review" specifications are recommended. | |||
ifications are not provided for a request where Expert Review is the assignment | When specifications are not provided for a request where Expert Review is the a | |||
policy, the description provided needs to have sufficient information to verify | ssignment policy, the description provided needs to have sufficient information | |||
the code points above.</li> | to verify the code points above.</li> | |||
</ul> | </ul> | |||
</section> | </section> | |||
</section> | </section> | |||
</middle> | </middle> | |||
<back> | <back> | |||
<displayreference target="I-D.ietf-rats-eat" to="EAT"/> | ||||
<displayreference target="I-D.ietf-lake-reqs" to="LAKE-REQS"/> | ||||
<displayreference target="I-D.ietf-core-oscore-edhoc" to="EDHOC-CoAP-OSCORE"/> | ||||
<displayreference target="I-D.ietf-cose-cbor-encoded-cert" to="C509-CERTS"/> | ||||
<displayreference target="I-D.ietf-core-oscore-key-update" to="KUDOS"/> | ||||
<displayreference target="I-D.ietf-lwig-curve-representations" to="CURVE-REPR"/> | ||||
<displayreference target="I-D.ietf-iotops-security-protocol-comparison" to="CoAP | ||||
-SEC-PROT"/> | ||||
<displayreference target="I-D.irtf-cfrg-det-sigs-with-noise" to="HEDGED-ECC-SIGS | ||||
"/> | ||||
<displayreference target="I-D.ietf-lake-authz" to="LAKE-AUTHZ"/> | ||||
<displayreference target="I-D.arkko-arch-internet-threat-model-guidance" to="THR | ||||
EAT-MODEL-GUIDANCE"/> | ||||
<references> | <references> | |||
<name>References</name> | <name>References</name> | |||
<references> | <references> | |||
<name>Normative References</name> | <name>Normative References</name> | |||
<reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2 | ||||
119" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml" | |||
<front> | /> | |||
<title>Key words for use in RFCs to Indicate Requirement Levels</tit | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3279.xml" | |||
le> | /> | |||
<author fullname="S. Bradner" initials="S." surname="Bradner"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3552.xml" | |||
<date month="March" year="1997"/> | /> | |||
<abstract> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5116.xml" | |||
<t>In many standards track documents several words are used to sig | /> | |||
nify the requirements in the specification. These words are often capitalized. T | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5869.xml" | |||
his document defines these words as they should be interpreted in IETF documents | /> | |||
. This document specifies an Internet Best Current Practices for the Internet Co | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6090.xml" | |||
mmunity, and requests discussion and suggestions for improvements.</t> | /> | |||
</abstract> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6960.xml" | |||
</front> | /> | |||
<seriesInfo name="BCP" value="14"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6979.xml" | |||
<seriesInfo name="RFC" value="2119"/> | /> | |||
<seriesInfo name="DOI" value="10.17487/RFC2119"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7252.xml" | |||
</reference> | /> | |||
<reference anchor="RFC3279" target="https://www.rfc-editor.org/info/rfc3 | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7748.xml" | |||
279" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3279.xml"> | /> | |||
<front> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7959.xml" | |||
<title>Algorithms and Identifiers for the Internet X.509 Public Key | /> | |||
Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8126.xml" | |||
<author fullname="L. Bassham" initials="L." surname="Bassham"/> | /> | |||
<author fullname="W. Polk" initials="W." surname="Polk"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml" | |||
<author fullname="R. Housley" initials="R." surname="Housley"/> | /> | |||
<date month="April" year="2002"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8392.xml" | |||
<abstract> | /> | |||
<t>This document specifies algorithm identifiers and ASN.1 encodin | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8410.xml" | |||
g formats for digital signatures and subject public keys used in the Internet X. | /> | |||
509 Public Key Infrastructure (PKI). Digital signatures are used to sign certifi | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8610.xml" | |||
cates and certificate revocation list (CRLs). Certificates include the public ke | /> | |||
y of the named subject. [STANDARDS-TRACK]</t> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8613.xml" | |||
</abstract> | /> | |||
</front> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8724.xml" | |||
<seriesInfo name="RFC" value="3279"/> | /> | |||
<seriesInfo name="DOI" value="10.17487/RFC3279"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8742.xml" | |||
</reference> | /> | |||
<reference anchor="RFC3552" target="https://www.rfc-editor.org/info/rfc3 | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8747.xml" | |||
552" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3552.xml"> | /> | |||
<front> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8949.xml" | |||
<title>Guidelines for Writing RFC Text on Security Considerations</t | /> | |||
itle> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9052.xml" | |||
<author fullname="E. Rescorla" initials="E." surname="Rescorla"/> | /> | |||
<author fullname="B. Korver" initials="B." surname="Korver"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9053.xml" | |||
<date month="July" year="2003"/> | /> | |||
<abstract> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9175.xml" | |||
<t>All RFCs are required to have a Security Considerations section | /> | |||
. Historically, such sections have been relatively weak. This document provides | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9360.xml" | |||
guidelines to RFC authors on how to write a good Security Considerations section | /> | |||
. This document specifies an Internet Best Current Practices for the Internet Co | ||||
mmunity, and requests discussion and suggestions for improvements.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="BCP" value="72"/> | ||||
<seriesInfo name="RFC" value="3552"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC3552"/> | ||||
</reference> | ||||
<reference anchor="RFC5116" target="https://www.rfc-editor.org/info/rfc5 | ||||
116" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5116.xml"> | ||||
<front> | ||||
<title>An Interface and Algorithms for Authenticated Encryption</tit | ||||
le> | ||||
<author fullname="D. McGrew" initials="D." surname="McGrew"/> | ||||
<date month="January" year="2008"/> | ||||
<abstract> | ||||
<t>This document defines algorithms for Authenticated Encryption w | ||||
ith Associated Data (AEAD), and defines a uniform interface and a registry for s | ||||
uch algorithms. The interface and registry can be used as an application-indepen | ||||
dent set of cryptoalgorithm suites. This approach provides advantages in efficie | ||||
ncy and security, and promotes the reuse of crypto implementations. [STANDARDS-T | ||||
RACK]</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="5116"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC5116"/> | ||||
</reference> | ||||
<reference anchor="RFC5869" target="https://www.rfc-editor.org/info/rfc5 | ||||
869" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5869.xml"> | ||||
<front> | ||||
<title>HMAC-based Extract-and-Expand Key Derivation Function (HKDF)< | ||||
/title> | ||||
<author fullname="H. Krawczyk" initials="H." surname="Krawczyk"/> | ||||
<author fullname="P. Eronen" initials="P." surname="Eronen"/> | ||||
<date month="May" year="2010"/> | ||||
<abstract> | ||||
<t>This document specifies a simple Hashed Message Authentication | ||||
Code (HMAC)-based key derivation function (HKDF), which can be used as a buildin | ||||
g block in various protocols and applications. The key derivation function (KDF) | ||||
is intended to support a wide range of applications and requirements, and is co | ||||
nservative in its use of cryptographic hash functions. This document is not an I | ||||
nternet Standards Track specification; it is published for informational purpose | ||||
s.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="5869"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC5869"/> | ||||
</reference> | ||||
<reference anchor="RFC6090" target="https://www.rfc-editor.org/info/rfc6 | ||||
090" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6090.xml"> | ||||
<front> | ||||
<title>Fundamental Elliptic Curve Cryptography Algorithms</title> | ||||
<author fullname="D. McGrew" initials="D." surname="McGrew"/> | ||||
<author fullname="K. Igoe" initials="K." surname="Igoe"/> | ||||
<author fullname="M. Salter" initials="M." surname="Salter"/> | ||||
<date month="February" year="2011"/> | ||||
<abstract> | ||||
<t>This note describes the fundamental algorithms of Elliptic Curv | ||||
e Cryptography (ECC) as they were defined in some seminal references from 1994 a | ||||
nd earlier. These descriptions may be useful for implementing the fundamental al | ||||
gorithms without using any of the specialized methods that were developed in fol | ||||
lowing years. Only elliptic curves defined over fields of characteristic greater | ||||
than three are in scope; these curves are those used in Suite B. This document | ||||
is not an Internet Standards Track specification; it is published for informatio | ||||
nal purposes.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="6090"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC6090"/> | ||||
</reference> | ||||
<reference anchor="RFC6960" target="https://www.rfc-editor.org/info/rfc6 | ||||
960" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6960.xml"> | ||||
<front> | ||||
<title>X.509 Internet Public Key Infrastructure Online Certificate S | ||||
tatus Protocol - OCSP</title> | ||||
<author fullname="S. Santesson" initials="S." surname="Santesson"/> | ||||
<author fullname="M. Myers" initials="M." surname="Myers"/> | ||||
<author fullname="R. Ankney" initials="R." surname="Ankney"/> | ||||
<author fullname="A. Malpani" initials="A." surname="Malpani"/> | ||||
<author fullname="S. Galperin" initials="S." surname="Galperin"/> | ||||
<author fullname="C. Adams" initials="C." surname="Adams"/> | ||||
<date month="June" year="2013"/> | ||||
<abstract> | ||||
<t>This document specifies a protocol useful in determining the cu | ||||
rrent status of a digital certificate without requiring Certificate Revocation L | ||||
ists (CRLs). Additional mechanisms addressing PKIX operational requirements are | ||||
specified in separate documents. This document obsoletes RFCs 2560 and 6277. It | ||||
also updates RFC 5912.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="6960"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC6960"/> | ||||
</reference> | ||||
<reference anchor="RFC6979" target="https://www.rfc-editor.org/info/rfc6 | ||||
979" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6979.xml"> | ||||
<front> | ||||
<title>Deterministic Usage of the Digital Signature Algorithm (DSA) | ||||
and Elliptic Curve Digital Signature Algorithm (ECDSA)</title> | ||||
<author fullname="T. Pornin" initials="T." surname="Pornin"/> | ||||
<date month="August" year="2013"/> | ||||
<abstract> | ||||
<t>This document defines a deterministic digital signature generat | ||||
ion procedure. Such signatures are compatible with standard Digital Signature Al | ||||
gorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA) digital sig | ||||
natures and can be processed with unmodified verifiers, which need not be aware | ||||
of the procedure described therein. Deterministic signatures retain the cryptogr | ||||
aphic security features associated with digital signatures but can be more easil | ||||
y implemented in various environments, since they do not need access to a source | ||||
of high-quality randomness.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="6979"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC6979"/> | ||||
</reference> | ||||
<reference anchor="RFC7252" target="https://www.rfc-editor.org/info/rfc7 | ||||
252" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7252.xml"> | ||||
<front> | ||||
<title>The Constrained Application Protocol (CoAP)</title> | ||||
<author fullname="Z. Shelby" initials="Z." surname="Shelby"/> | ||||
<author fullname="K. Hartke" initials="K." surname="Hartke"/> | ||||
<author fullname="C. Bormann" initials="C." surname="Bormann"/> | ||||
<date month="June" year="2014"/> | ||||
<abstract> | ||||
<t>The Constrained Application Protocol (CoAP) is a specialized we | ||||
b transfer protocol for use with constrained nodes and constrained (e.g., low-po | ||||
wer, lossy) networks. The nodes often have 8-bit microcontrollers with small amo | ||||
unts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wire | ||||
less Personal Area Networks (6LoWPANs) often have high packet error rates and a | ||||
typical throughput of 10s of kbit/s. The protocol is designed for machine- to-ma | ||||
chine (M2M) applications such as smart energy and building automation.</t> | ||||
<t>CoAP provides a request/response interaction model between appl | ||||
ication endpoints, supports built-in discovery of services and resources, and in | ||||
cludes key concepts of the Web such as URIs and Internet media types. CoAP is de | ||||
signed to easily interface with HTTP for integration with the Web while meeting | ||||
specialized requirements such as multicast support, very low overhead, and simpl | ||||
icity for constrained environments.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="7252"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC7252"/> | ||||
</reference> | ||||
<reference anchor="RFC7748" target="https://www.rfc-editor.org/info/rfc7 | ||||
748" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7748.xml"> | ||||
<front> | ||||
<title>Elliptic Curves for Security</title> | ||||
<author fullname="A. Langley" initials="A." surname="Langley"/> | ||||
<author fullname="M. Hamburg" initials="M." surname="Hamburg"/> | ||||
<author fullname="S. Turner" initials="S." surname="Turner"/> | ||||
<date month="January" year="2016"/> | ||||
<abstract> | ||||
<t>This memo specifies two elliptic curves over prime fields that | ||||
offer a high level of practical security in cryptographic applications, includin | ||||
g Transport Layer Security (TLS). These curves are intended to operate at the ~1 | ||||
28-bit and ~224-bit security level, respectively, and are generated deterministi | ||||
cally based on a list of required properties.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="7748"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC7748"/> | ||||
</reference> | ||||
<reference anchor="RFC7959" target="https://www.rfc-editor.org/info/rfc7 | ||||
959" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7959.xml"> | ||||
<front> | ||||
<title>Block-Wise Transfers in the Constrained Application Protocol | ||||
(CoAP)</title> | ||||
<author fullname="C. Bormann" initials="C." surname="Bormann"/> | ||||
<author fullname="Z. Shelby" initials="Z." role="editor" surname="Sh | ||||
elby"/> | ||||
<date month="August" year="2016"/> | ||||
<abstract> | ||||
<t>The Constrained Application Protocol (CoAP) is a RESTful transf | ||||
er protocol for constrained nodes and networks. Basic CoAP messages work well fo | ||||
r small payloads from sensors and actuators; however, applications will need to | ||||
transfer larger payloads occasionally -- for instance, for firmware updates. In | ||||
contrast to HTTP, where TCP does the grunt work of segmenting and resequencing, | ||||
CoAP is based on datagram transports such as UDP or Datagram Transport Layer Sec | ||||
urity (DTLS). These transports only offer fragmentation, which is even more prob | ||||
lematic in constrained nodes and networks, limiting the maximum size of resource | ||||
representations that can practically be transferred.</t> | ||||
<t>Instead of relying on IP fragmentation, this specification exte | ||||
nds basic CoAP with a pair of "Block" options for transferring multiple blocks o | ||||
f information from a resource representation in multiple request-response pairs. | ||||
In many important cases, the Block options enable a server to be truly stateles | ||||
s: the server can handle each block transfer separately, with no need for a conn | ||||
ection setup or other server-side memory of previous block transfers. Essentiall | ||||
y, the Block options provide a minimal way to transfer larger representations in | ||||
a block-wise fashion.</t> | ||||
<t>A CoAP implementation that does not support these options gener | ||||
ally is limited in the size of the representations that can be exchanged, so the | ||||
re is an expectation that the Block options will be widely used in CoAP implemen | ||||
tations. Therefore, this specification updates RFC 7252.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="7959"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC7959"/> | ||||
</reference> | ||||
<reference anchor="RFC8126" target="https://www.rfc-editor.org/info/rfc8 | ||||
126" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8126.xml"> | ||||
<front> | ||||
<title>Guidelines for Writing an IANA Considerations Section in RFCs | ||||
</title> | ||||
<author fullname="M. Cotton" initials="M." surname="Cotton"/> | ||||
<author fullname="B. Leiba" initials="B." surname="Leiba"/> | ||||
<author fullname="T. Narten" initials="T." surname="Narten"/> | ||||
<date month="June" year="2017"/> | ||||
<abstract> | ||||
<t>Many protocols make use of points of extensibility that use con | ||||
stants to identify various protocol parameters. To ensure that the values in the | ||||
se fields do not have conflicting uses and to promote interoperability, their al | ||||
locations are often coordinated by a central record keeper. For IETF protocols, | ||||
that role is filled by the Internet Assigned Numbers Authority (IANA).</t> | ||||
<t>To make assignments in a given registry prudently, guidance des | ||||
cribing the conditions under which new values should be assigned, as well as whe | ||||
n and how modifications to existing values can be made, is needed. This document | ||||
defines a framework for the documentation of these guidelines by specification | ||||
authors, in order to assure that the provided guidance for the IANA Consideratio | ||||
ns is clear and addresses the various issues that are likely in the operation of | ||||
a registry.</t> | ||||
<t>This is the third edition of this document; it obsoletes RFC 52 | ||||
26.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="BCP" value="26"/> | ||||
<seriesInfo name="RFC" value="8126"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8126"/> | ||||
</reference> | ||||
<reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8 | ||||
174" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"> | ||||
<front> | ||||
<title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</ti | ||||
tle> | ||||
<author fullname="B. Leiba" initials="B." surname="Leiba"/> | ||||
<date month="May" year="2017"/> | ||||
<abstract> | ||||
<t>RFC 2119 specifies common key words that may be used in protoco | ||||
l specifications. This document aims to reduce the ambiguity by clarifying that | ||||
only UPPERCASE usage of the key words have the defined special meanings.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="BCP" value="14"/> | ||||
<seriesInfo name="RFC" value="8174"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8174"/> | ||||
</reference> | ||||
<reference anchor="RFC8392" target="https://www.rfc-editor.org/info/rfc8 | ||||
392" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8392.xml"> | ||||
<front> | ||||
<title>CBOR Web Token (CWT)</title> | ||||
<author fullname="M. Jones" initials="M." surname="Jones"/> | ||||
<author fullname="E. Wahlstroem" initials="E." surname="Wahlstroem"/ | ||||
> | ||||
<author fullname="S. Erdtman" initials="S." surname="Erdtman"/> | ||||
<author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/ | ||||
> | ||||
<date month="May" year="2018"/> | ||||
<abstract> | ||||
<t>CBOR Web Token (CWT) is a compact means of representing claims | ||||
to be transferred between two parties. The claims in a CWT are encoded in the Co | ||||
ncise Binary Object Representation (CBOR), and CBOR Object Signing and Encryptio | ||||
n (COSE) is used for added application-layer security protection. A claim is a p | ||||
iece of information asserted about a subject and is represented as a name/value | ||||
pair consisting of a claim name and a claim value. CWT is derived from JSON Web | ||||
Token (JWT) but uses CBOR rather than JSON.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="8392"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8392"/> | ||||
</reference> | ||||
<reference anchor="RFC8410" target="https://www.rfc-editor.org/info/rfc8 | ||||
410" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8410.xml"> | ||||
<front> | ||||
<title>Algorithm Identifiers for Ed25519, Ed448, X25519, and X448 fo | ||||
r Use in the Internet X.509 Public Key Infrastructure</title> | ||||
<author fullname="S. Josefsson" initials="S." surname="Josefsson"/> | ||||
<author fullname="J. Schaad" initials="J." surname="Schaad"/> | ||||
<date month="August" year="2018"/> | ||||
<abstract> | ||||
<t>This document specifies algorithm identifiers and ASN.1 encodin | ||||
g formats for elliptic curve constructs using the curve25519 and curve448 curves | ||||
. The signature algorithms covered are Ed25519 and Ed448. The key agreement algo | ||||
rithms covered are X25519 and X448. The encoding for public key, private key, an | ||||
d Edwards-curve Digital Signature Algorithm (EdDSA) structures is provided.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="8410"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8410"/> | ||||
</reference> | ||||
<reference anchor="RFC8610" target="https://www.rfc-editor.org/info/rfc8 | ||||
610" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8610.xml"> | ||||
<front> | ||||
<title>Concise Data Definition Language (CDDL): A Notational Convent | ||||
ion to Express Concise Binary Object Representation (CBOR) and JSON Data Structu | ||||
res</title> | ||||
<author fullname="H. Birkholz" initials="H." surname="Birkholz"/> | ||||
<author fullname="C. Vigano" initials="C." surname="Vigano"/> | ||||
<author fullname="C. Bormann" initials="C." surname="Bormann"/> | ||||
<date month="June" year="2019"/> | ||||
<abstract> | ||||
<t>This document proposes a notational convention to express Conci | ||||
se Binary Object Representation (CBOR) data structures (RFC 7049). Its main goal | ||||
is to provide an easy and unambiguous way to express structures for protocol me | ||||
ssages and data formats that use CBOR or JSON.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="8610"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8610"/> | ||||
</reference> | ||||
<reference anchor="RFC8613" target="https://www.rfc-editor.org/info/rfc8 | ||||
613" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8613.xml"> | ||||
<front> | ||||
<title>Object Security for Constrained RESTful Environments (OSCORE) | ||||
</title> | ||||
<author fullname="G. Selander" initials="G." surname="Selander"/> | ||||
<author fullname="J. Mattsson" initials="J." surname="Mattsson"/> | ||||
<author fullname="F. Palombini" initials="F." surname="Palombini"/> | ||||
<author fullname="L. Seitz" initials="L." surname="Seitz"/> | ||||
<date month="July" year="2019"/> | ||||
<abstract> | ||||
<t>This document defines Object Security for Constrained RESTful E | ||||
nvironments (OSCORE), a method for application-layer protection of the Constrain | ||||
ed Application Protocol (CoAP), using CBOR Object Signing and Encryption (COSE). | ||||
OSCORE provides end-to-end protection between endpoints communicating using CoA | ||||
P or CoAP-mappable HTTP. OSCORE is designed for constrained nodes and networks s | ||||
upporting a range of proxy operations, including translation between different t | ||||
ransport protocols.</t> | ||||
<t>Although an optional functionality of CoAP, OSCORE alters CoAP | ||||
options processing and IANA registration. Therefore, this document updates RFC 7 | ||||
252.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="8613"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8613"/> | ||||
</reference> | ||||
<reference anchor="RFC8724" target="https://www.rfc-editor.org/info/rfc8 | ||||
724" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8724.xml"> | ||||
<front> | ||||
<title>SCHC: Generic Framework for Static Context Header Compression | ||||
and Fragmentation</title> | ||||
<author fullname="A. Minaburo" initials="A." surname="Minaburo"/> | ||||
<author fullname="L. Toutain" initials="L." surname="Toutain"/> | ||||
<author fullname="C. Gomez" initials="C." surname="Gomez"/> | ||||
<author fullname="D. Barthel" initials="D." surname="Barthel"/> | ||||
<author fullname="JC. Zuniga" initials="JC." surname="Zuniga"/> | ||||
<date month="April" year="2020"/> | ||||
<abstract> | ||||
<t>This document defines the Static Context Header Compression and | ||||
fragmentation (SCHC) framework, which provides both a header compression mechan | ||||
ism and an optional fragmentation mechanism. SCHC has been designed with Low-Pow | ||||
er Wide Area Networks (LPWANs) in mind.</t> | ||||
<t>SCHC compression is based on a common static context stored bot | ||||
h in the LPWAN device and in the network infrastructure side. This document defi | ||||
nes a generic header compression mechanism and its application to compress IPv6/ | ||||
UDP headers.</t> | ||||
<t>This document also specifies an optional fragmentation and reas | ||||
sembly mechanism. It can be used to support the IPv6 MTU requirement over the LP | ||||
WAN technologies. Fragmentation is needed for IPv6 datagrams that, after SCHC co | ||||
mpression or when such compression was not possible, still exceed the Layer 2 ma | ||||
ximum payload size.</t> | ||||
<t>The SCHC header compression and fragmentation mechanisms are in | ||||
dependent of the specific LPWAN technology over which they are used. This docume | ||||
nt defines generic functionalities and offers flexibility with regard to paramet | ||||
er settings and mechanism choices. This document standardizes the exchange over | ||||
the LPWAN between two SCHC entities. Settings and choices specific to a technolo | ||||
gy or a product are expected to be grouped into profiles, which are specified in | ||||
other documents. Data models for the context and profiles are out of scope.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="8724"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8724"/> | ||||
</reference> | ||||
<reference anchor="RFC8742" target="https://www.rfc-editor.org/info/rfc8 | ||||
742" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8742.xml"> | ||||
<front> | ||||
<title>Concise Binary Object Representation (CBOR) Sequences</title> | ||||
<author fullname="C. Bormann" initials="C." surname="Bormann"/> | ||||
<date month="February" year="2020"/> | ||||
<abstract> | ||||
<t>This document describes the Concise Binary Object Representatio | ||||
n (CBOR) Sequence format and associated media type "application/cbor-seq". A CBO | ||||
R Sequence consists of any number of encoded CBOR data items, simply concatenate | ||||
d in sequence.</t> | ||||
<t>Structured syntax suffixes for media types allow other media ty | ||||
pes to build on them and make it explicit that they are built on an existing med | ||||
ia type as their foundation. This specification defines and registers "+cbor-seq | ||||
" as a structured syntax suffix for CBOR Sequences.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="8742"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8742"/> | ||||
</reference> | ||||
<reference anchor="RFC8747" target="https://www.rfc-editor.org/info/rfc8 | ||||
747" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8747.xml"> | ||||
<front> | ||||
<title>Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)< | ||||
/title> | ||||
<author fullname="M. Jones" initials="M." surname="Jones"/> | ||||
<author fullname="L. Seitz" initials="L." surname="Seitz"/> | ||||
<author fullname="G. Selander" initials="G." surname="Selander"/> | ||||
<author fullname="S. Erdtman" initials="S." surname="Erdtman"/> | ||||
<author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/ | ||||
> | ||||
<date month="March" year="2020"/> | ||||
<abstract> | ||||
<t>This specification describes how to declare in a CBOR Web Token | ||||
(CWT) (which is defined by RFC 8392) that the presenter of the CWT possesses a | ||||
particular proof-of-possession key. Being able to prove possession of a key is a | ||||
lso sometimes described as being the holder-of-key. This specification provides | ||||
equivalent functionality to "Proof-of-Possession Key Semantics for JSON Web Toke | ||||
ns (JWTs)" (RFC 7800) but using Concise Binary Object Representation (CBOR) and | ||||
CWTs rather than JavaScript Object Notation (JSON) and JSON Web Tokens (JWTs).</ | ||||
t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="8747"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8747"/> | ||||
</reference> | ||||
<reference anchor="RFC8949" target="https://www.rfc-editor.org/info/rfc8 | ||||
949" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8949.xml"> | ||||
<front> | ||||
<title>Concise Binary Object Representation (CBOR)</title> | ||||
<author fullname="C. Bormann" initials="C." surname="Bormann"/> | ||||
<author fullname="P. Hoffman" initials="P." surname="Hoffman"/> | ||||
<date month="December" year="2020"/> | ||||
<abstract> | ||||
<t>The Concise Binary Object Representation (CBOR) is a data forma | ||||
t whose design goals include the possibility of extremely small code size, fairl | ||||
y small message size, and extensibility without the need for version negotiation | ||||
. These design goals make it different from earlier binary serializations such a | ||||
s ASN.1 and MessagePack.</t> | ||||
<t>This document obsoletes RFC 7049, providing editorial improveme | ||||
nts, new details, and errata fixes while keeping full compatibility with the int | ||||
erchange format of RFC 7049. It does not create a new version of the format.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="STD" value="94"/> | ||||
<seriesInfo name="RFC" value="8949"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8949"/> | ||||
</reference> | ||||
<reference anchor="RFC9052" target="https://www.rfc-editor.org/info/rfc9 | ||||
052" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9052.xml"> | ||||
<front> | ||||
<title>CBOR Object Signing and Encryption (COSE): Structures and Pro | ||||
cess</title> | ||||
<author fullname="J. Schaad" initials="J." surname="Schaad"/> | ||||
<date month="August" year="2022"/> | ||||
<abstract> | ||||
<t>Concise Binary Object Representation (CBOR) is a data format de | ||||
signed for small code size and small message size. There is a need to be able to | ||||
define basic security services for this data format. This document defines the | ||||
CBOR Object Signing and Encryption (COSE) protocol. This specification describes | ||||
how to create and process signatures, message authentication codes, and encrypt | ||||
ion using CBOR for serialization. This specification additionally describes how | ||||
to represent cryptographic keys using CBOR.</t> | ||||
<t>This document, along with RFC 9053, obsoletes RFC 8152.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="STD" value="96"/> | ||||
<seriesInfo name="RFC" value="9052"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC9052"/> | ||||
</reference> | ||||
<reference anchor="RFC9053" target="https://www.rfc-editor.org/info/rfc9 | ||||
053" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9053.xml"> | ||||
<front> | ||||
<title>CBOR Object Signing and Encryption (COSE): Initial Algorithms | ||||
</title> | ||||
<author fullname="J. Schaad" initials="J." surname="Schaad"/> | ||||
<date month="August" year="2022"/> | ||||
<abstract> | ||||
<t>Concise Binary Object Representation (CBOR) is a data format de | ||||
signed for small code size and small message size. There is a need to be able to | ||||
define basic security services for this data format. This document defines a se | ||||
t of algorithms that can be used with the CBOR Object Signing and Encryption (CO | ||||
SE) protocol (RFC 9052).</t> | ||||
<t>This document, along with RFC 9052, obsoletes RFC 8152.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="9053"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC9053"/> | ||||
</reference> | ||||
<reference anchor="RFC9175" target="https://www.rfc-editor.org/info/rfc9 | ||||
175" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9175.xml"> | ||||
<front> | ||||
<title>Constrained Application Protocol (CoAP): Echo, Request-Tag, a | ||||
nd Token Processing</title> | ||||
<author fullname="C. Amsüss" initials="C." surname="Amsüss"/> | ||||
<author fullname="J. Preuß Mattsson" initials="J." surname="Preuß Ma | ||||
ttsson"/> | ||||
<author fullname="G. Selander" initials="G." surname="Selander"/> | ||||
<date month="February" year="2022"/> | ||||
<abstract> | ||||
<t>This document specifies enhancements to the Constrained Applica | ||||
tion Protocol (CoAP) that mitigate security issues in particular use cases. The | ||||
Echo option enables a CoAP server to verify the freshness of a request or to for | ||||
ce a client to demonstrate reachability at its claimed network address. The Requ | ||||
est-Tag option allows the CoAP server to match block-wise message fragments belo | ||||
nging to the same request. This document updates RFC 7252 with respect to the fo | ||||
llowing: processing requirements for client Tokens, forbidding non-secure reuse | ||||
of Tokens to ensure response-to-request binding when CoAP is used with a securit | ||||
y protocol, and amplification mitigation (where the use of the Echo option is no | ||||
w recommended).</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="9175"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC9175"/> | ||||
</reference> | ||||
<reference anchor="RFC9360" target="https://www.rfc-editor.org/info/rfc9 | ||||
360" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9360.xml"> | ||||
<front> | ||||
<title>CBOR Object Signing and Encryption (COSE): Header Parameters | ||||
for Carrying and Referencing X.509 Certificates</title> | ||||
<author fullname="J. Schaad" initials="J." surname="Schaad"/> | ||||
<date month="February" year="2023"/> | ||||
<abstract> | ||||
<t>The CBOR Object Signing and Encryption (COSE) message structure | ||||
uses references to keys in general. For some algorithms, additional properties | ||||
are defined that carry parameters relating to keys as needed. The COSE Key struc | ||||
ture is used for transporting keys outside of COSE messages. This document exten | ||||
ds the way that keys can be identified and transported by providing attributes t | ||||
hat refer to or contain X.509 certificates.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="9360"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC9360"/> | ||||
</reference> | ||||
</references> | </references> | |||
<references> | <references> | |||
<name>Informative References</name> | <name>Informative References</name> | |||
<reference anchor="RFC2986" target="https://www.rfc-editor.org/info/rfc2 | ||||
986" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2986.xml"> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2986.xml" | |||
<front> | /> | |||
<title>PKCS #10: Certification Request Syntax Specification Version | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml" | |||
1.7</title> | /> | |||
<author fullname="M. Nystrom" initials="M." surname="Nystrom"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6194.xml" | |||
<author fullname="B. Kaliski" initials="B." surname="Kaliski"/> | /> | |||
<date month="November" year="2000"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7228.xml" | |||
<abstract> | /> | |||
<t>This memo represents a republication of PKCS #10 v1.7 from RSA | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7258.xml" | |||
Laboratories' Public-Key Cryptography Standards (PKCS) series, and change contro | /> | |||
l is retained within the PKCS process. The body of this document, except for the | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7296.xml" | |||
security considerations section, is taken directly from the PKCS #9 v2.0 or the | /> | |||
PKCS #10 v1.7 document. This memo provides information for the Internet communi | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7624.xml" | |||
ty.</t> | /> | |||
</abstract> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8366.xml" | |||
</front> | /> | |||
<seriesInfo name="RFC" value="2986"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8376.xml" | |||
<seriesInfo name="DOI" value="10.17487/RFC2986"/> | /> | |||
</reference> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml" | |||
<reference anchor="RFC5280" target="https://www.rfc-editor.org/info/rfc5 | /> | |||
280" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml"> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8937.xml" | |||
<front> | /> | |||
<title>Internet X.509 Public Key Infrastructure Certificate and Cert | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9000.xml" | |||
ificate Revocation List (CRL) Profile</title> | /> | |||
<author fullname="D. Cooper" initials="D." surname="Cooper"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9147.xml" | |||
<author fullname="S. Santesson" initials="S." surname="Santesson"/> | /> | |||
<author fullname="S. Farrell" initials="S." surname="Farrell"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9176.xml" | |||
<author fullname="S. Boeyen" initials="S." surname="Boeyen"/> | /> | |||
<author fullname="R. Housley" initials="R." surname="Housley"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9397.xml" | |||
<author fullname="W. Polk" initials="W." surname="Polk"/> | /> | |||
<date month="May" year="2008"/> | ||||
<abstract> | <!-- [I-D.ietf-rats-eat] Approved-announcement to be sent::AD Followup --> | |||
<t>This memo profiles the X.509 v3 certificate and X.509 v2 certif | ||||
icate revocation list (CRL) for use in the Internet. An overview of this approac | <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-ra | |||
h and model is provided as an introduction. The X.509 v3 certificate format is d | ts-eat.xml"/> | |||
escribed in detail, with additional information regarding the format and semanti | ||||
cs of Internet name forms. Standard certificate extensions are described and two | <!-- [I-D.ietf-lake-reqs] IESG state Expired | |||
Internet-specific extensions are defined. A set of required certificate extensi | Long Way used to to fix John Preuß Mattsson' last name--> | |||
ons is specified. The X.509 v2 CRL format is described in detail along with stan | ||||
dard and Internet-specific extensions. An algorithm for X.509 certification path | <reference anchor="I-D.ietf-lake-reqs" target="https://datatracker.ietf.org/doc/ | |||
validation is described. An ASN.1 module and examples are provided in the appen | html/draft-ietf-lake-reqs-04"> | |||
dices. [STANDARDS-TRACK]</t> | <front> | |||
</abstract> | <title>Requirements for a Lightweight AKE for OSCORE</title> | |||
</front> | <author initials="M." surname="Vučinić" fullname="Mališa Vučinić"> | |||
<seriesInfo name="RFC" value="5280"/> | <organization>Inria</organization> | |||
<seriesInfo name="DOI" value="10.17487/RFC5280"/> | </author> | |||
</reference> | <author initials="G." surname="Selander" fullname="Göran Selander"> | |||
<reference anchor="RFC6194" target="https://www.rfc-editor.org/info/rfc6 | <organization>Ericsson AB</organization> | |||
194" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6194.xml"> | </author> | |||
<front> | <author initials="J." surname="Preuß Mattsson" fullname="John Preuß Mattsson"> | |||
<title>Security Considerations for the SHA-0 and SHA-1 Message-Diges | <organization>Ericsson AB</organization> | |||
t Algorithms</title> | </author> | |||
<author fullname="T. Polk" initials="T." surname="Polk"/> | <author initials="D." surname="Garcia-Carillo" fullname="Dan Garcia-Carillo"> | |||
<author fullname="L. Chen" initials="L." surname="Chen"/> | <organization>Odin Solutions S.L.</organization> | |||
<author fullname="S. Turner" initials="S." surname="Turner"/> | </author> | |||
<author fullname="P. Hoffman" initials="P." surname="Hoffman"/> | <date month="June" day="8" year="2020"/> | |||
<date month="March" year="2011"/> | </front> | |||
<abstract> | <seriesInfo name="Internet-Draft" value="draft-ietf-lake-reqs-04"/> | |||
<t>This document includes security considerations for the SHA-0 an | </reference> | |||
d SHA-1 message digest algorithm. This document is not an Internet Standards Tra | ||||
ck specification; it is published for informational purposes.</t> | <!-- [I-D.ietf-lake-traces] companion doc RFC 9529 --> | |||
</abstract> | ||||
</front> | <reference anchor="RFC9529" target="https://www.rfc-editor.org/info/rfc9529"> | |||
<seriesInfo name="RFC" value="6194"/> | <front> | |||
<seriesInfo name="DOI" value="10.17487/RFC6194"/> | <title>Traces of Ephemeral Diffie-Hellman Over COSE (EDHOC)</title> | |||
</reference> | <author initials="G." surname="Selander" fullname="Göran Selander"> | |||
<reference anchor="RFC7228" target="https://www.rfc-editor.org/info/rfc7 | <organization>Ericsson</organization> | |||
228" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7228.xml"> | </author> | |||
<front> | <author initials="J." surname="Preuß Mattsson" fullname="John Preuß Mattsson"> | |||
<title>Terminology for Constrained-Node Networks</title> | <organization>Ericsson</organization> | |||
<author fullname="C. Bormann" initials="C." surname="Bormann"/> | </author> | |||
<author fullname="M. Ersue" initials="M." surname="Ersue"/> | <author initials="M." surname="Serafin" fullname="Marek Serafin"> | |||
<author fullname="A. Keranen" initials="A." surname="Keranen"/> | <organization>ASSA ABLOY</organization> | |||
<date month="May" year="2014"/> | </author> | |||
<abstract> | <author initials="M." surname="Tiloca" fullname="Marco Tiloca"> | |||
<t>The Internet Protocol Suite is increasingly used on small devic | <organization>RISE</organization> | |||
es with severe constraints on power, memory, and processing resources, creating | </author> | |||
constrained-node networks. This document provides a number of basic terms that h | <author initials="M." surname="Vučinić" fullname="Mališa Vučinić"> | |||
ave been useful in the standardization work for constrained-node networks.</t> | <organization>Inria</organization> | |||
</abstract> | </author> | |||
</front> | <date month="March" year="2024"/> | |||
<seriesInfo name="RFC" value="7228"/> | </front> | |||
<seriesInfo name="DOI" value="10.17487/RFC7228"/> | <seriesInfo name="RFC" value="RFC9529"/> | |||
</reference> | <seriesInfo name="DOI" value="10.17487/RFC9529"/> | |||
<reference anchor="RFC7258" target="https://www.rfc-editor.org/info/rfc7 | </reference> | |||
258" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7258.xml"> | ||||
<front> | <!-- [I-D.ietf-core-oscore-edhoc] Waiting for AD Go-Ahead --> | |||
<title>Pervasive Monitoring Is an Attack</title> | ||||
<author fullname="S. Farrell" initials="S." surname="Farrell"/> | <xi:include | |||
<author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/ | href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-core-oscore-ed | |||
> | hoc.xml"/> | |||
<date month="May" year="2014"/> | ||||
<abstract> | <!-- [I-D.ietf-cose-cbor-encoded-cert] IESG state I-D Exists | |||
<t>Pervasive monitoring is a technical attack that should be mitig | Long Way used to fix John Preuß Mattsson's last name--> | |||
ated in the design of IETF protocols, where possible.</t> | ||||
</abstract> | <reference anchor="I-D.ietf-cose-cbor-encoded-cert" target="https://datatracker. | |||
</front> | ietf.org/doc/html/draft-ietf-cose-cbor-encoded-cert-07"> | |||
<seriesInfo name="BCP" value="188"/> | <front> | |||
<seriesInfo name="RFC" value="7258"/> | <title> | |||
<seriesInfo name="DOI" value="10.17487/RFC7258"/> | CBOR Encoded X.509 Certificates (C509 Certificates) | |||
</reference> | </title> | |||
<reference anchor="RFC7296" target="https://www.rfc-editor.org/info/rfc7 | <author initials="J." surname="Preuß Mattsson" fullname="John Preuß Mattsson"> | |||
296" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7296.xml"> | <organization>Ericsson AB</organization> | |||
<front> | </author> | |||
<title>Internet Key Exchange Protocol Version 2 (IKEv2)</title> | <author initials="G." surname="Selander" fullname="Göran Selander"> | |||
<author fullname="C. Kaufman" initials="C." surname="Kaufman"/> | <organization>Ericsson AB</organization> | |||
<author fullname="P. Hoffman" initials="P." surname="Hoffman"/> | </author> | |||
<author fullname="Y. Nir" initials="Y." surname="Nir"/> | <author initials="S." surname="Raza" fullname="Shahid Raza"> | |||
<author fullname="P. Eronen" initials="P." surname="Eronen"/> | <organization>RISE AB</organization> | |||
<author fullname="T. Kivinen" initials="T." surname="Kivinen"/> | </author> | |||
<date month="October" year="2014"/> | <author initials="J." surname="Höglund" fullname="Joel Höglund"> | |||
<abstract> | <organization>RISE AB</organization> | |||
<t>This document describes version 2 of the Internet Key Exchange | </author> | |||
(IKE) protocol. IKE is a component of IPsec used for performing mutual authentic | <author initials="M." surname="Furuhed" fullname="Martin Furuhed"> | |||
ation and establishing and maintaining Security Associations (SAs). This documen | <organization>Nexus Group</organization> | |||
t obsoletes RFC 5996, and includes all of the errata for it. It advances IKEv2 t | </author> | |||
o be an Internet Standard.</t> | <date month="October" day="20" year="2023"/> | |||
</abstract> | </front> | |||
</front> | <seriesInfo name="Internet-Draft" value="draft-ietf-cose-cbor-encoded-cert-07"/> | |||
<seriesInfo name="STD" value="79"/> | </reference> | |||
<seriesInfo name="RFC" value="7296"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC7296"/> | <!-- [I-D.ietf-core-oscore-key-update] IESG state I-D Exists --> | |||
</reference> | ||||
<reference anchor="RFC7624" target="https://www.rfc-editor.org/info/rfc7 | <xi:include | |||
624" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7624.xml"> | href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-core-oscore-ke | |||
<front> | y-update.xml"/> | |||
<title>Confidentiality in the Face of Pervasive Surveillance: A Thre | ||||
at Model and Problem Statement</title> | <!-- [I-D.ietf-lwig-curve-representations] IESG state IESG Evaluation::Revised I | |||
<author fullname="R. Barnes" initials="R." surname="Barnes"/> | -D Needed --> | |||
<author fullname="B. Schneier" initials="B." surname="Schneier"/> | ||||
<author fullname="C. Jennings" initials="C." surname="Jennings"/> | <xi:include | |||
<author fullname="T. Hardie" initials="T." surname="Hardie"/> | href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-lwig-curve-rep | |||
<author fullname="B. Trammell" initials="B." surname="Trammell"/> | resentations.xml"/> | |||
<author fullname="C. Huitema" initials="C." surname="Huitema"/> | ||||
<author fullname="D. Borkmann" initials="D." surname="Borkmann"/> | <!-- [I-D.ietf-iotops-security-protocol-comparison] IESG state I-D Exists --> | |||
<date month="August" year="2015"/> | ||||
<abstract> | <xi:include | |||
<t>Since the initial revelations of pervasive surveillance in 2013 | href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-iotops-securit | |||
, several classes of attacks on Internet communications have been discovered. In | y-protocol-comparison.xml"/> | |||
this document, we develop a threat model that describes these attacks on Intern | ||||
et confidentiality. We assume an attacker that is interested in undetected, indi | <!-- [I-D.irtf-cfrg-det-sigs-with-noise] IESG state Expired | |||
scriminate eavesdropping. The threat model is based on published, verified attac | Long Way used to fix John Preuß Mattsson's last name--> | |||
ks.</t> | <reference anchor="I-D.irtf-cfrg-det-sigs-with-noise" target="https://datatracke | |||
</abstract> | r.ietf.org/doc/html/draft-irtf-cfrg-det-sigs-with-noise-00"> | |||
</front> | <front> | |||
<seriesInfo name="RFC" value="7624"/> | <title> | |||
<seriesInfo name="DOI" value="10.17487/RFC7624"/> | Deterministic ECDSA and EdDSA Signatures with Additional Randomness | |||
</reference> | </title> | |||
<reference anchor="RFC8366" target="https://www.rfc-editor.org/info/rfc8 | <author initials="J." surname="Preuß Mattsson" fullname="John Preuß Mattsson"> | |||
366" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8366.xml"> | <organization>Ericsson</organization> | |||
<front> | </author> | |||
<title>A Voucher Artifact for Bootstrapping Protocols</title> | <author initials="E." surname="Thormarker" fullname="Erik Thormarker"> | |||
<author fullname="K. Watsen" initials="K." surname="Watsen"/> | <organization>Ericsson</organization> | |||
<author fullname="M. Richardson" initials="M." surname="Richardson"/ | </author> | |||
> | <author initials="S." surname="Ruohomaa" fullname="Sini Ruohomaa"> | |||
<author fullname="M. Pritikin" initials="M." surname="Pritikin"/> | <organization>Ericsson</organization> | |||
<author fullname="T. Eckert" initials="T." surname="Eckert"/> | </author> | |||
<date month="May" year="2018"/> | <date month="August" day="8" year="2022"/> | |||
<abstract> | </front> | |||
<t>This document defines a strategy to securely assign a pledge to | <seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-det-sigs-with-noise-00" | |||
an owner using an artifact signed, directly or indirectly, by the pledge's manu | /> | |||
facturer. This artifact is known as a "voucher".</t> | </reference> | |||
<t>This document defines an artifact format as a YANG-defined JSON | ||||
document that has been signed using a Cryptographic Message Syntax (CMS) struct | <!-- [I-D.ietf-lake-authz.xml] IESG state I-D Exists --> | |||
ure. Other YANG-derived formats are possible. The voucher artifact is normally g | ||||
enerated by the pledge's manufacturer (i.e., the Manufacturer Authorized Signing | <xi:include | |||
Authority (MASA)).</t> | href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-lake-authz.xml | |||
<t>This document only defines the voucher artifact, leaving it to | "/> | |||
other documents to describe specialized protocols for accessing it.</t> | ||||
</abstract> | <!-- [I-D.arkko-arch-internet-threat-model-guidance] IESG state Expired - | |||
</front> | -> | |||
<seriesInfo name="RFC" value="8366"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8366"/> | <xi:include | |||
</reference> | href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.arkko-arch-internet | |||
<reference anchor="RFC8376" target="https://www.rfc-editor.org/info/rfc8 | -threat-model-guidance.xml"/> | |||
376" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8376.xml"> | ||||
<front> | <reference anchor="SP-800-56A"> | |||
<title>Low-Power Wide Area Network (LPWAN) Overview</title> | ||||
<author fullname="S. Farrell" initials="S." role="editor" surname="F | ||||
arrell"/> | ||||
<date month="May" year="2018"/> | ||||
<abstract> | ||||
<t>Low-Power Wide Area Networks (LPWANs) are wireless technologies | ||||
with characteristics such as large coverage areas, low bandwidth, possibly very | ||||
small packet and application-layer data sizes, and long battery life operation. | ||||
This memo is an informational overview of the set of LPWAN technologies being c | ||||
onsidered in the IETF and of the gaps that exist between the needs of those tech | ||||
nologies and the goal of running IP in LPWANs.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="8376"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8376"/> | ||||
</reference> | ||||
<reference anchor="RFC8446" target="https://www.rfc-editor.org/info/rfc8 | ||||
446" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml"> | ||||
<front> | ||||
<title>The Transport Layer Security (TLS) Protocol Version 1.3</titl | ||||
e> | ||||
<author fullname="E. Rescorla" initials="E." surname="Rescorla"/> | ||||
<date month="August" year="2018"/> | ||||
<abstract> | ||||
<t>This document specifies version 1.3 of the Transport Layer Secu | ||||
rity (TLS) protocol. TLS allows client/server applications to communicate over t | ||||
he Internet in a way that is designed to prevent eavesdropping, tampering, and m | ||||
essage forgery.</t> | ||||
<t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 50 | ||||
77, 5246, and 6961. This document also specifies new requirements for TLS 1.2 im | ||||
plementations.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="8446"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8446"/> | ||||
</reference> | ||||
<reference anchor="RFC8937" target="https://www.rfc-editor.org/info/rfc8 | ||||
937" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8937.xml"> | ||||
<front> | ||||
<title>Randomness Improvements for Security Protocols</title> | ||||
<author fullname="C. Cremers" initials="C." surname="Cremers"/> | ||||
<author fullname="L. Garratt" initials="L." surname="Garratt"/> | ||||
<author fullname="S. Smyshlyaev" initials="S." surname="Smyshlyaev"/ | ||||
> | ||||
<author fullname="N. Sullivan" initials="N." surname="Sullivan"/> | ||||
<author fullname="C. Wood" initials="C." surname="Wood"/> | ||||
<date month="October" year="2020"/> | ||||
<abstract> | ||||
<t>Randomness is a crucial ingredient for Transport Layer Security | ||||
(TLS) and related security protocols. Weak or predictable "cryptographically se | ||||
cure" pseudorandom number generators (CSPRNGs) can be abused or exploited for ma | ||||
licious purposes. An initial entropy source that seeds a CSPRNG might be weak or | ||||
broken as well, which can also lead to critical and systemic security problems. | ||||
This document describes a way for security protocol implementations to augment | ||||
their CSPRNGs using long-term private keys. This improves randomness from broken | ||||
or otherwise subverted CSPRNGs.</t> | ||||
<t>This document is a product of the Crypto Forum Research Group ( | ||||
CFRG) in the IRTF.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="8937"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8937"/> | ||||
</reference> | ||||
<reference anchor="RFC9000" target="https://www.rfc-editor.org/info/rfc9 | ||||
000" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9000.xml"> | ||||
<front> | ||||
<title>QUIC: A UDP-Based Multiplexed and Secure Transport</title> | ||||
<author fullname="J. Iyengar" initials="J." role="editor" surname="I | ||||
yengar"/> | ||||
<author fullname="M. Thomson" initials="M." role="editor" surname="T | ||||
homson"/> | ||||
<date month="May" year="2021"/> | ||||
<abstract> | ||||
<t>This document defines the core of the QUIC transport protocol. | ||||
QUIC provides applications with flow-controlled streams for structured communica | ||||
tion, low-latency connection establishment, and network path migration. QUIC inc | ||||
ludes security measures that ensure confidentiality, integrity, and availability | ||||
in a range of deployment circumstances. Accompanying documents describe the int | ||||
egration of TLS for key negotiation, loss detection, and an exemplary congestion | ||||
control algorithm.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="9000"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC9000"/> | ||||
</reference> | ||||
<reference anchor="RFC9147" target="https://www.rfc-editor.org/info/rfc9 | ||||
147" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9147.xml"> | ||||
<front> | ||||
<title>The Datagram Transport Layer Security (DTLS) Protocol Version | ||||
1.3</title> | ||||
<author fullname="E. Rescorla" initials="E." surname="Rescorla"/> | ||||
<author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/ | ||||
> | ||||
<author fullname="N. Modadugu" initials="N." surname="Modadugu"/> | ||||
<date month="April" year="2022"/> | ||||
<abstract> | ||||
<t>This document specifies version 1.3 of the Datagram Transport L | ||||
ayer Security (DTLS) protocol. DTLS 1.3 allows client/server applications to com | ||||
municate over the Internet in a way that is designed to prevent eavesdropping, t | ||||
ampering, and message forgery.</t> | ||||
<t>The DTLS 1.3 protocol is based on the Transport Layer Security | ||||
(TLS) 1.3 protocol and provides equivalent security guarantees with the exceptio | ||||
n of order protection / non-replayability. Datagram semantics of the underlying | ||||
transport are preserved by the DTLS protocol.</t> | ||||
<t>This document obsoletes RFC 6347.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="9147"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC9147"/> | ||||
</reference> | ||||
<reference anchor="RFC9176" target="https://www.rfc-editor.org/info/rfc9 | ||||
176" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9176.xml"> | ||||
<front> | ||||
<title>Constrained RESTful Environments (CoRE) Resource Directory</t | ||||
itle> | ||||
<author fullname="C. Amsüss" initials="C." role="editor" surname="Am | ||||
süss"/> | ||||
<author fullname="Z. Shelby" initials="Z." surname="Shelby"/> | ||||
<author fullname="M. Koster" initials="M." surname="Koster"/> | ||||
<author fullname="C. Bormann" initials="C." surname="Bormann"/> | ||||
<author fullname="P. van der Stok" initials="P." surname="van der St | ||||
ok"/> | ||||
<date month="April" year="2022"/> | ||||
<abstract> | ||||
<t>In many Internet of Things (IoT) applications, direct discovery | ||||
of resources is not practical due to sleeping nodes or networks where multicast | ||||
traffic is inefficient. These problems can be solved by employing an entity cal | ||||
led a Resource Directory (RD), which contains information about resources held o | ||||
n other servers, allowing lookups to be performed for those resources. The input | ||||
to an RD is composed of links, and the output is composed of links constructed | ||||
from the information stored in the RD. This document specifies the web interface | ||||
s that an RD supports for web servers to discover the RD and to register, mainta | ||||
in, look up, and remove information on resources. Furthermore, new target attrib | ||||
utes useful in conjunction with an RD are defined.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="9176"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC9176"/> | ||||
</reference> | ||||
<reference anchor="RFC9397" target="https://www.rfc-editor.org/info/rfc9 | ||||
397" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9397.xml"> | ||||
<front> | ||||
<title>Trusted Execution Environment Provisioning (TEEP) Architectur | ||||
e</title> | ||||
<author fullname="M. Pei" initials="M." surname="Pei"/> | ||||
<author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/ | ||||
> | ||||
<author fullname="D. Thaler" initials="D." surname="Thaler"/> | ||||
<author fullname="D. Wheeler" initials="D." surname="Wheeler"/> | ||||
<date month="July" year="2023"/> | ||||
<abstract> | ||||
<t>A Trusted Execution Environment (TEE) is an environment that en | ||||
forces the following: any code within the environment cannot be tampered with, a | ||||
nd any data used by such code cannot be read or tampered with by any code outsid | ||||
e the environment. This architecture document discusses the motivation for desig | ||||
ning and standardizing a protocol for managing the lifecycle of Trusted Applicat | ||||
ions running inside such a TEE.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="9397"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC9397"/> | ||||
</reference> | ||||
<reference anchor="I-D.ietf-rats-eat" target="https://datatracker.ietf.o | ||||
rg/doc/html/draft-ietf-rats-eat-21" xml:base="https://bib.ietf.org/public/rfc/bi | ||||
bxml3/reference.I-D.ietf-rats-eat.xml"> | ||||
<front> | ||||
<title>The Entity Attestation Token (EAT)</title> | ||||
<author fullname="Laurence Lundblade" initials="L." surname="Lundbla | ||||
de"> | ||||
<organization>Security Theory LLC</organization> | ||||
</author> | ||||
<author fullname="Giridhar Mandyam" initials="G." surname="Mandyam"> | ||||
<organization>Qualcomm Technologies Inc.</organization> | ||||
</author> | ||||
<author fullname="Jeremy O'Donoghue" initials="J." surname="O'Donogh | ||||
ue"> | ||||
<organization>Qualcomm Technologies Inc.</organization> | ||||
</author> | ||||
<author fullname="Carl Wallace" initials="C." surname="Wallace"> | ||||
<organization>Red Hound Software, Inc.</organization> | ||||
</author> | ||||
<date day="30" month="June" year="2023"/> | ||||
<abstract> | ||||
<t>An Entity Attestation Token (EAT) provides an attested claims s | ||||
et that describes state and characteristics of an entity, a device like a smartp | ||||
hone, IoT device, network equipment or such. This claims set is used by a relyin | ||||
g party, server or service to determine how much it wishes to trust the entity. | ||||
An EAT is either a CBOR Web Token (CWT) or JSON Web Token (JWT) with attestation | ||||
-oriented claims.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="Internet-Draft" value="draft-ietf-rats-eat-21"/> | ||||
</reference> | ||||
<reference anchor="I-D.ietf-lake-reqs" target="https://datatracker.ietf. | ||||
org/doc/html/draft-ietf-lake-reqs-04" xml:base="https://bib.ietf.org/public/rfc/ | ||||
bibxml3/reference.I-D.ietf-lake-reqs.xml"> | ||||
<front> | ||||
<title>Requirements for a Lightweight AKE for OSCORE</title> | ||||
<author fullname="Mališa Vučinić" initials="M." surname="Vučinić"> | ||||
<organization>Inria</organization> | ||||
</author> | ||||
<author fullname="Göran Selander" initials="G." surname="Selander"> | ||||
<organization>Ericsson AB</organization> | ||||
</author> | ||||
<author fullname="John Preuß Mattsson" initials="J. P." surname="Mat | ||||
tsson"> | ||||
<organization>Ericsson AB</organization> | ||||
</author> | ||||
<author fullname="Dan Garcia-Carillo" initials="D." surname="Garcia- | ||||
Carillo"> | ||||
<organization>Odin Solutions S.L.</organization> | ||||
</author> | ||||
<date day="8" month="June" year="2020"/> | ||||
<abstract> | ||||
<t>This document compiles the requirements for a lightweight authe | ||||
nticated key exchange protocol for OSCORE. This draft has completed a working gr | ||||
oup last call (WGLC) in the LAKE working group. Post-WGLC, the requirements are | ||||
considered sufficiently stable for the working group to proceed with its work. I | ||||
t is not currently planned to publish this draft as an RFC.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="Internet-Draft" value="draft-ietf-lake-reqs-04"/> | ||||
</reference> | ||||
<reference anchor="I-D.ietf-lake-traces" target="https://datatracker.iet | ||||
f.org/doc/html/draft-ietf-lake-traces-05" xml:base="https://bib.ietf.org/public/ | ||||
rfc/bibxml3/reference.I-D.ietf-lake-traces.xml"> | ||||
<front> | ||||
<title>Traces of EDHOC</title> | ||||
<author fullname="Göran Selander" initials="G." surname="Selander"> | ||||
<organization>Ericsson</organization> | ||||
</author> | ||||
<author fullname="John Preuß Mattsson" initials="J. P." surname="Mat | ||||
tsson"> | ||||
<organization>Ericsson</organization> | ||||
</author> | ||||
<author fullname="Marek Serafin" initials="M." surname="Serafin"> | ||||
<organization>ASSA ABLOY</organization> | ||||
</author> | ||||
<author fullname="Marco Tiloca" initials="M." surname="Tiloca"> | ||||
<organization>RISE</organization> | ||||
</author> | ||||
<date day="28" month="April" year="2023"/> | ||||
<abstract> | ||||
<t>This document contains some example traces of Ephemeral Diffie- | ||||
Hellman Over COSE (EDHOC).</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="Internet-Draft" value="draft-ietf-lake-traces-05"/> | ||||
</reference> | ||||
<reference anchor="I-D.ietf-core-oscore-edhoc" target="https://datatrack | ||||
er.ietf.org/doc/html/draft-ietf-core-oscore-edhoc-08" xml:base="https://bib.ietf | ||||
.org/public/rfc/bibxml3/reference.I-D.ietf-core-oscore-edhoc.xml"> | ||||
<front> | ||||
<title>Using EDHOC with CoAP and OSCORE</title> | ||||
<author fullname="Francesca Palombini" initials="F." surname="Palomb | ||||
ini"> | ||||
<organization>Ericsson</organization> | ||||
</author> | ||||
<author fullname="Marco Tiloca" initials="M." surname="Tiloca"> | ||||
<organization>RISE AB</organization> | ||||
</author> | ||||
<author fullname="Rikard Höglund" initials="R." surname="Höglund"> | ||||
<organization>RISE AB</organization> | ||||
</author> | ||||
<author fullname="Stefan Hristozov" initials="S." surname="Hristozov | ||||
"> | ||||
<organization>Fraunhofer AISEC</organization> | ||||
</author> | ||||
<author fullname="Göran Selander" initials="G." surname="Selander"> | ||||
<organization>Ericsson</organization> | ||||
</author> | ||||
<date day="8" month="August" year="2023"/> | ||||
<abstract> | ||||
<t>The lightweight authenticated key exchange protocol EDHOC can b | ||||
e run over CoAP and used by two peers to establish an OSCORE Security Context. T | ||||
his document details this use of the EDHOC protocol, by specifying a number of a | ||||
dditional and optional mechanisms. These especially include an optimization appr | ||||
oach for combining the execution of EDHOC with the first OSCORE transaction. Thi | ||||
s combination reduces the number of round trips required to set up an OSCORE Sec | ||||
urity Context and to complete an OSCORE transaction using that Security Context. | ||||
</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="Internet-Draft" value="draft-ietf-core-oscore-edhoc- | ||||
08"/> | ||||
</reference> | ||||
<reference anchor="I-D.ietf-cose-cbor-encoded-cert" target="https://data | ||||
tracker.ietf.org/doc/html/draft-ietf-cose-cbor-encoded-cert-06" xml:base="https: | ||||
//bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-cose-cbor-encoded-cert.xml" | ||||
> | ||||
<front> | ||||
<title>CBOR Encoded X.509 Certificates (C509 Certificates)</title> | ||||
<author fullname="John Preuß Mattsson" initials="J. P." surname="Mat | ||||
tsson"> | ||||
<organization>Ericsson AB</organization> | ||||
</author> | ||||
<author fullname="Göran Selander" initials="G." surname="Selander"> | ||||
<organization>Ericsson AB</organization> | ||||
</author> | ||||
<author fullname="Shahid Raza" initials="S." surname="Raza"> | ||||
<organization>RISE AB</organization> | ||||
</author> | ||||
<author fullname="Joel Höglund" initials="J." surname="Höglund"> | ||||
<organization>RISE AB</organization> | ||||
</author> | ||||
<author fullname="Martin Furuhed" initials="M." surname="Furuhed"> | ||||
<organization>Nexus Group</organization> | ||||
</author> | ||||
<date day="7" month="July" year="2023"/> | ||||
<abstract> | ||||
<t>This document specifies a CBOR encoding of X.509 certificates. | ||||
The resulting certificates are called C509 Certificates. The CBOR encoding suppo | ||||
rts a large subset of RFC 5280 and all certificates compatible with the RFC 7925 | ||||
, IEEE 802.1AR (DevID), CNSA, RPKI, GSMA eUICC, and CA/Browser Forum Baseline Re | ||||
quirements profiles. When used to re-encode DER encoded X.509 certificates, the | ||||
CBOR encoding can in many cases reduce the size of RFC 7925 profiled certificate | ||||
s with over 50%. The CBOR encoded structure can alternatively be signed directly | ||||
("natively signed"), which does not require re- encoding for the signature to b | ||||
e verified. The document also specifies C509 COSE headers, a C509 TLS certificat | ||||
e type, and a C509 file format.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="Internet-Draft" value="draft-ietf-cose-cbor-encoded- | ||||
cert-06"/> | ||||
</reference> | ||||
<reference anchor="I-D.ietf-core-oscore-key-update" target="https://data | ||||
tracker.ietf.org/doc/html/draft-ietf-core-oscore-key-update-05" xml:base="https: | ||||
//bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-core-oscore-key-update.xml" | ||||
> | ||||
<front> | ||||
<title>Key Update for OSCORE (KUDOS)</title> | ||||
<author fullname="Rikard Höglund" initials="R." surname="Höglund"> | ||||
<organization>RISE AB</organization> | ||||
</author> | ||||
<author fullname="Marco Tiloca" initials="M." surname="Tiloca"> | ||||
<organization>RISE AB</organization> | ||||
</author> | ||||
<date day="10" month="July" year="2023"/> | ||||
<abstract> | ||||
<t>This document defines Key Update for OSCORE (KUDOS), a lightwei | ||||
ght procedure that two CoAP endpoints can use to update their keying material by | ||||
establishing a new OSCORE Security Context. Accordingly, it updates the use of | ||||
the OSCORE flag bits in the CoAP OSCORE Option as well as the protection of CoAP | ||||
response messages with OSCORE, and it deprecates the key update procedure speci | ||||
fied in Appendix B.2 of RFC 8613. Thus, this document updates RFC 8613. Also, th | ||||
is document defines a procedure that two endpoints can use to update their OSCOR | ||||
E identifiers, run either stand-alone or during a KUDOS execution.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="Internet-Draft" value="draft-ietf-core-oscore-key-up | ||||
date-05"/> | ||||
</reference> | ||||
<reference anchor="I-D.ietf-lwig-curve-representations" target="https:// | ||||
datatracker.ietf.org/doc/html/draft-ietf-lwig-curve-representations-23" xml:base | ||||
="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-lwig-curve-represen | ||||
tations.xml"> | ||||
<front> | ||||
<title>Alternative Elliptic Curve Representations</title> | ||||
<author fullname="Rene Struik" initials="R." surname="Struik"> | ||||
<organization>Struik Security Consultancy</organization> | ||||
</author> | ||||
<date day="21" month="January" year="2022"/> | ||||
<abstract> | ||||
<t>This document specifies how to represent Montgomery curves and | ||||
(twisted) Edwards curves as curves in short-Weierstrass form and illustrates how | ||||
this can be used to carry out elliptic curve computations leveraging existing i | ||||
mplementations and specifications of, e.g., ECDSA and ECDH using NIST prime curv | ||||
es. We also provide extensive background material that may be useful for impleme | ||||
nters of elliptic curve cryptography.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="Internet-Draft" value="draft-ietf-lwig-curve-represe | ||||
ntations-23"/> | ||||
</reference> | ||||
<reference anchor="I-D.ietf-iotops-security-protocol-comparison" target= | ||||
"https://datatracker.ietf.org/doc/html/draft-ietf-iotops-security-protocol-compa | ||||
rison-02" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-i | ||||
otops-security-protocol-comparison.xml"> | ||||
<front> | ||||
<title>Comparison of CoAP Security Protocols</title> | ||||
<author fullname="John Preuß Mattsson" initials="J. P." surname="Mat | ||||
tsson"> | ||||
<organization>Ericsson AB</organization> | ||||
</author> | ||||
<author fullname="Francesca Palombini" initials="F." surname="Palomb | ||||
ini"> | ||||
<organization>Ericsson AB</organization> | ||||
</author> | ||||
<author fullname="Mališa Vučinić" initials="M." surname="Vučinić"> | ||||
<organization>INRIA</organization> | ||||
</author> | ||||
<date day="11" month="April" year="2023"/> | ||||
<abstract> | ||||
<t>This document analyzes and compares the sizes of key exchange f | ||||
lights and the per-packet message size overheads when using different security p | ||||
rotocols to secure CoAP. The described overheads are independent of the underlyi | ||||
ng transport. Small message sizes are very important for reducing energy consump | ||||
tion, latency, and time to completion in constrained radio network such as Low-P | ||||
ower Wide Area Networks (LPWANs). The analyzed security protocols are DTLS 1.2, | ||||
DTLS 1.3, TLS 1.2, TLS 1.3, cTLS, EDHOC, OSCORE, and Group OSCORE. The DTLS and | ||||
TLS record layers are analyzed with and without 6LoWPAN- GHC compression. DTLS i | ||||
s analyzed with and without Connection ID.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="Internet-Draft" value="draft-ietf-iotops-security-pr | ||||
otocol-comparison-02"/> | ||||
</reference> | ||||
<reference anchor="I-D.irtf-cfrg-det-sigs-with-noise" target="https://da | ||||
tatracker.ietf.org/doc/html/draft-irtf-cfrg-det-sigs-with-noise-00" xml:base="ht | ||||
tps://bib.ietf.org/public/rfc/bibxml3/reference.I-D.irtf-cfrg-det-sigs-with-nois | ||||
e.xml"> | ||||
<front> | ||||
<title>Deterministic ECDSA and EdDSA Signatures with Additional Rand | ||||
omness</title> | ||||
<author fullname="John Preuß Mattsson" initials="J. P." surname="Mat | ||||
tsson"> | ||||
<organization>Ericsson</organization> | ||||
</author> | ||||
<author fullname="Erik Thormarker" initials="E." surname="Thormarker | ||||
"> | ||||
<organization>Ericsson</organization> | ||||
</author> | ||||
<author fullname="Sini Ruohomaa" initials="S." surname="Ruohomaa"> | ||||
<organization>Ericsson</organization> | ||||
</author> | ||||
<date day="8" month="August" year="2022"/> | ||||
<abstract> | ||||
<t>Deterministic elliptic-curve signatures such as deterministic E | ||||
CDSA and EdDSA have gained popularity over randomized ECDSA as their security do | ||||
not depend on a source of high-quality randomness. Recent research has however | ||||
found that implementations of these signature algorithms may be vulnerable to ce | ||||
rtain side-channel and fault injection attacks due to their determinism. One cou | ||||
ntermeasure to such attacks is to re-add randomness to the otherwise determinist | ||||
ic calculation of the per-message secret number. This document updates RFC 6979 | ||||
and RFC 8032 to recommend constructions with additional randomness for deploymen | ||||
ts where side-channel attacks and fault injection attacks are a concern. The upd | ||||
ates are invisible to the validator of the signature and compatible with existin | ||||
g ECDSA and EdDSA validators.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-det-sigs-with | ||||
-noise-00"/> | ||||
</reference> | ||||
<reference anchor="I-D.selander-lake-authz" target="https://datatracker. | ||||
ietf.org/doc/html/draft-selander-lake-authz-03" xml:base="https://bib.ietf.org/p | ||||
ublic/rfc/bibxml3/reference.I-D.selander-lake-authz.xml"> | ||||
<front> | ||||
<title>Lightweight Authorization using Ephemeral Diffie-Hellman Over | ||||
COSE</title> | ||||
<author fullname="Göran Selander" initials="G." surname="Selander"> | ||||
<organization>Ericsson AB</organization> | ||||
</author> | ||||
<author fullname="John Preuß Mattsson" initials="J. P." surname="Mat | ||||
tsson"> | ||||
<organization>Ericsson AB</organization> | ||||
</author> | ||||
<author fullname="Mališa Vučinić" initials="M." surname="Vučinić"> | ||||
<organization>INRIA</organization> | ||||
</author> | ||||
<author fullname="Michael Richardson" initials="M." surname="Richard | ||||
son"> | ||||
<organization>Sandelman Software Works</organization> | ||||
</author> | ||||
<author fullname="Aurelio Schellenbaum" initials="A." surname="Schel | ||||
lenbaum"> | ||||
<organization>Institute of Embedded Systems, ZHAW</organization> | ||||
</author> | ||||
<date day="7" month="July" year="2023"/> | ||||
<abstract> | ||||
<t>This document describes a procedure for authorizing enrollment | ||||
of new devices using the lightweight authenticated key exchange protocol Ephemer | ||||
al Diffie-Hellman Over COSE (EDHOC). The procedure is applicable to zero-touch o | ||||
nboarding of new devices to a constrained network leveraging trust anchors insta | ||||
lled at manufacture time.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="Internet-Draft" value="draft-selander-lake-authz-03" | ||||
/> | ||||
</reference> | ||||
<reference anchor="I-D.arkko-arch-internet-threat-model-guidance" target | ||||
="https://datatracker.ietf.org/doc/html/draft-arkko-arch-internet-threat-model-g | ||||
uidance-00" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.arkk | ||||
o-arch-internet-threat-model-guidance.xml"> | ||||
<front> | ||||
<title>Internet Threat Model Guidance</title> | ||||
<author fullname="Jari Arkko" initials="J." surname="Arkko"> | ||||
<organization>Ericsson</organization> | ||||
</author> | ||||
<author fullname="Stephen Farrell" initials="S." surname="Farrell"> | ||||
<organization>Trinity College Dublin</organization> | ||||
</author> | ||||
<date day="12" month="July" year="2021"/> | ||||
<abstract> | ||||
<t>Communications security has been at the center of many security | ||||
improvements in the Internet. The goal has been to ensure that communications a | ||||
re protected against outside observers and attackers. This memo suggests that th | ||||
e existing RFC 3552 threat model, while important and still valid, is no longer | ||||
alone sufficient to cater for the pressing security and privacy issues seen on t | ||||
he Internet today. For instance, it is often also necessary to protect against e | ||||
ndpoints that are compromised, malicious, or whose interests simply do not align | ||||
with the interests of users. While such protection is difficult, there are some | ||||
measures that can be taken and we argue that investigation of these issues is w | ||||
arranted. It is particularly important to ensure that as we continue to develop | ||||
Internet technology, non-communications security related threats, and privacy is | ||||
sues, are properly understood.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="Internet-Draft" value="draft-arkko-arch-internet-thr | ||||
eat-model-guidance-00"/> | ||||
</reference> | ||||
<reference anchor="SP-800-56A" target="https://doi.org/10.6028/NIST.SP.8 | ||||
00-56Ar3"> | ||||
<front> | <front> | |||
<title>Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography</title> | <title>Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography</title> | |||
<author initials="E." surname="Barker"> | <author initials="E." surname="Barker"> | |||
<organization/> | <organization/> | |||
</author> | </author> | |||
<author initials="L." surname="Chen"> | <author initials="L." surname="Chen"> | |||
<organization/> | <organization/> | |||
</author> | </author> | |||
<author initials="A." surname="Roginsky"> | <author initials="A." surname="Roginsky"> | |||
<organization/> | <organization/> | |||
</author> | </author> | |||
<author initials="A." surname="Vassilev"> | <author initials="A." surname="Vassilev"> | |||
<organization/> | <organization/> | |||
</author> | </author> | |||
<author initials="R." surname="Davis"> | <author initials="R." surname="Davis"> | |||
<organization/> | <organization/> | |||
</author> | </author> | |||
<date year="2018" month="April"/> | <date year="2018" month="April"/> | |||
</front> | </front> | |||
<seriesInfo name="NIST" value="Special Publication 800-56A Revision 3" /> | <seriesInfo name="NIST" value="Special Publication 800-56A Revision 3" /> | |||
<seriesInfo name="DOI" value="10.6028/NIST.SP.800-56Ar3"/> | ||||
</reference> | </reference> | |||
<reference anchor="SP-800-108" target="https://doi.org/10.6028/NIST.SP.8 | ||||
00-108r1"> | <reference anchor="SP-800-108" target="https://doi.org/10.6028/NIST.SP.8 | |||
00-108r1-upd1"> | ||||
<front> | <front> | |||
<title>Recommendation for Key Derivation Using Pseudorandom Function s</title> | <title>Recommendation for Key Derivation Using Pseudorandom Function s</title> | |||
<author initials="L." surname="Chen"> | <author initials="L." surname="Chen"> | |||
<organization/> | <organization/> | |||
</author> | </author> | |||
<date year="2022" month="August"/> | <date year="2022" month="August"/> | |||
</front> | </front> | |||
<seriesInfo name="NIST" value="Special Publication 800-108 Revision 1" /> | <seriesInfo name="NIST" value="Special Publication 800-108 Revision 1" /> | |||
<seriesInfo name="DOI" value="10.6028/NIST.SP.800-108r1-upd1"/> | ||||
</reference> | </reference> | |||
<reference anchor="SP800-185" target="https://doi.org/10.6028/NIST.SP.80 0-185"> | <reference anchor="SP800-185" target="https://doi.org/10.6028/NIST.SP.80 0-185"> | |||
<front> | <front> | |||
<title>SHA-3 Derived Functions cSHAKE, KMAC, TupleHash and ParallelH ash</title> | <title>SHA-3 Derived Functions cSHAKE, KMAC, TupleHash and ParallelH ash</title> | |||
<author initials="" surname="John Kelsey"> | <author initials="J" surname="Kelsey"> | |||
<organization/> | <organization/> | |||
</author> | </author> | |||
<author initials="" surname="Shu-jen Chang"> | <author initials="S" surname="Chang"> | |||
<organization/> | <organization/> | |||
</author> | </author> | |||
<author initials="" surname="Ray Perlner"> | <author initials="R" surname="Perlner"> | |||
<organization/> | <organization/> | |||
</author> | </author> | |||
<date year="2016" month="December"/> | <date year="2016" month="December"/> | |||
</front> | </front> | |||
<seriesInfo name="NIST" value="Special Publication 800-185"/> | <seriesInfo name="NIST" value="Special Publication 800-185"/> | |||
<seriesInfo name="DOI" value="10.6028/NIST.SP.800-185"/> | ||||
</reference> | </reference> | |||
<reference anchor="Degabriele11" target="https://eprint.iacr.org/2011/61 5"> | <reference anchor="Degabriele11" target="https://eprint.iacr.org/2011/61 5"> | |||
<front> | <front> | |||
<title>On the Joint Security of Encryption and Signature in EMV</tit le> | <title>On the Joint Security of Encryption and Signature in EMV</tit le> | |||
<author initials="J. P." surname="Degabriele"> | <author initials="J." surname="Degabriele"> | |||
<organization/> | <organization/> | |||
</author> | </author> | |||
<author initials="A." surname="Lehmann"> | <author initials="A." surname="Lehmann"> | |||
<organization/> | <organization/> | |||
</author> | </author> | |||
<author initials="K. G." surname="Paterson"> | <author initials="K." surname="Paterson"> | |||
<organization/> | <organization/> | |||
</author> | </author> | |||
<author initials="N. P." surname="Smart"> | <author initials="N." surname="Smart"> | |||
<organization/> | <organization/> | |||
</author> | </author> | |||
<author initials="M." surname="Strefler"> | <author initials="M." surname="Strefler"> | |||
<organization/> | <organization/> | |||
</author> | </author> | |||
<date year="2011" month="December"/> | <date year="2011" month="December"/> | |||
</front> | </front> | |||
</reference> | </reference> | |||
<reference anchor="NISTPQC" target="https://csrc.nist.gov/Projects/post- quantum-cryptography/faqs"> | <reference anchor="NISTPQC" target="https://csrc.nist.gov/Projects/post- quantum-cryptography/faqs"> | |||
<front> | <front> | |||
<title>Post-Quantum Cryptography FAQs</title> | <title>Post-Quantum Cryptography FAQs</title> | |||
<author> | <author> | |||
<organization/> | <organization>National Institute Standards and Technology (NIST)</ organization> | |||
</author> | </author> | |||
<date year="2023" month="August"/> | ||||
</front> | </front> | |||
</reference> | </reference> | |||
<reference anchor="SECG" target="https://www.secg.org/sec1-v2.pdf"> | <reference anchor="SECG" target="https://www.secg.org/sec1-v2.pdf"> | |||
<front> | <front> | |||
<title>Standards for Efficient Cryptography 1 (SEC 1)</title> | <title>SEC 1: Elliptic Curve Cryptography</title> | |||
<author> | <author> | |||
<organization/> | <organization>Certicom Research</organization> | |||
</author> | </author> | |||
<date year="2009" month="May"/> | <date year="2009" month="May"/> | |||
</front> | </front> | |||
<refcontent>Standards for Efficient Cryptography</refcontent> | ||||
</reference> | </reference> | |||
<reference anchor="SIGMA" target="https://www.iacr.org/cryptodb/archive/ 2003/CRYPTO/1495/1495.pdf"> | <reference anchor="SIGMA" target="https://www.iacr.org/cryptodb/archive/ 2003/CRYPTO/1495/1495.pdf"> | |||
<front> | <front> | |||
<title>SIGMA - The 'SIGn-and-MAc' Approach to Authenticated Diffie-H ellman and Its Use in the IKE-Protocols</title> | <title>SIGMA: the 'SIGn-and-MAc' Approach to Authenticated Diffie-He llman and Its Use in the IKE-Protocols</title> | |||
<author initials="H." surname="Krawczyk"> | <author initials="H." surname="Krawczyk"> | |||
<organization/> | <organization/> | |||
</author> | </author> | |||
<date year="2003" month="June"/> | <date year="2003" month="June"/> | |||
</front> | </front> | |||
</reference> | </reference> | |||
<reference anchor="HKDFpaper" target="https://eprint.iacr.org/2010/264.p df"> | <reference anchor="HKDFpaper" target="https://eprint.iacr.org/2010/264.p df"> | |||
<front> | <front> | |||
<title>Cryptographic Extraction and Key Derivation: The HKDF Scheme< /title> | <title>Cryptographic Extraction and Key Derivation: The HKDF Scheme< /title> | |||
<author initials="H." surname="Krawczyk"> | <author initials="H." surname="Krawczyk"> | |||
<organization/> | <organization/> | |||
</author> | </author> | |||
<date year="2010" month="May"/> | <date year="2010" month="May"/> | |||
</front> | </front> | |||
</reference> | </reference> | |||
<reference anchor="Thormarker21" target="https://eprint.iacr.org/2021/50 9.pdf"> | <reference anchor="Thormarker21" target="https://eprint.iacr.org/2021/50 9.pdf"> | |||
<front> | <front> | |||
<title>On using the same key pair for Ed25519 and an X25519 based KE M</title> | <title>On using the same key pair for Ed25519 and an X25519 based KE M</title> | |||
<author initials="E." surname="Thormarker"> | <author initials="E." surname="Thormarker"> | |||
<organization/> | <organization/> | |||
</author> | </author> | |||
<date year="2021" month="April"/> | <date year="2021" month="April"/> | |||
</front> | </front> | |||
</reference> | </reference> | |||
<reference anchor="CNSA" target="https://en.wikipedia.org/wiki/Commercia | ||||
l_National_Security_Algorithm_Suite"> | <reference anchor="CNSA" target="https://en.wikipedia.org/w/index.php?ti | |||
tle=Commercial_National_Security_Algorithm_Suite&oldid=1181333611"> | ||||
<front> | <front> | |||
<title>Commercial National Security Algorithm Suite</title> | <title>Commercial National Security Algorithm Suite</title> | |||
<author initials="" surname="NSA"> | <author> | |||
<organization/> | <organization>Wikipedia</organization> | |||
</author> | </author> | |||
<date year="2015" month="August"/> | <date year="2023" month="October"/> | |||
</front> | </front> | |||
</reference> | </reference> | |||
<reference anchor="GuentherIlunga22" target="https://eprint.iacr.org/202 2/1705"> | <reference anchor="GuentherIlunga22" target="https://eprint.iacr.org/202 2/1705"> | |||
<front> | <front> | |||
<title>Careful with MAc-then-SIGn: A Computational Analysis of the E DHOC Lightweight Authenticated Key Exchange Protocol</title> | <title>Careful with MAc-then-SIGn: A Computational Analysis of the E DHOC Lightweight Authenticated Key Exchange Protocol</title> | |||
<author initials="F." surname="Günther"> | <author initials="F." surname="Günther"> | |||
<organization/> | <organization/> | |||
</author> | </author> | |||
<author initials="M." surname="Ilunga"> | <author initials="M." surname="Mukendi"> | |||
<organization/> | <organization/> | |||
</author> | </author> | |||
<date year="2022" month="December"/> | <date year="2022" month="December"/> | |||
</front> | </front> | |||
</reference> | </reference> | |||
<reference anchor="Jacomme23" target="https://hal.inria.fr/hal-03810102/ "> | <reference anchor="Jacomme23" target="https://hal.inria.fr/hal-03810102/ "> | |||
<front> | <front> | |||
<title>A comprehensive, formal and automated analysis of the EDHOC p rotocol</title> | <title>A comprehensive, formal and automated analysis of the EDHOC p rotocol</title> | |||
<author initials="C." surname="Jacomme"> | <author initials="C." surname="Jacomme"> | |||
<organization/> | <organization/> | |||
</author> | </author> | |||
<author initials="E." surname="Klein"> | <author initials="E." surname="Klein"> | |||
<organization/> | <organization/> | |||
</author> | </author> | |||
<author initials="S." surname="Kremer"> | <author initials="S." surname="Kremer"> | |||
skipping to change at line 3152 ¶ | skipping to change at line 2327 ¶ | |||
</author> | </author> | |||
<author initials="T." surname="Grønbech Petersen"> | <author initials="T." surname="Grønbech Petersen"> | |||
<organization/> | <organization/> | |||
</author> | </author> | |||
<author initials="C." surname="Schürmann"> | <author initials="C." surname="Schürmann"> | |||
<organization/> | <organization/> | |||
</author> | </author> | |||
<date year="2018" month="November"/> | <date year="2018" month="November"/> | |||
</front> | </front> | |||
</reference> | </reference> | |||
<reference anchor="CborMe" target="https://cbor.me/"> | <reference anchor="CborMe" target="https://cbor.me/"> | |||
<front> | <front> | |||
<title>CBOR Playground</title> | <title>CBOR Playground</title> | |||
<author initials="C." surname="Bormann"> | <author initials="C." surname="Bormann"> | |||
<organization/> | <organization/> | |||
</author> | </author> | |||
<date year="2018" month="May"/> | ||||
</front> | </front> | |||
</reference> | </reference> | |||
<reference anchor="Noise" target="https://noiseprotocol.org/noise.html"> | <reference anchor="Noise" target="https://noiseprotocol.org/noise.html"> | |||
<front> | <front> | |||
<title>The Noise Protocol Framework, Revision 34</title> | <title>The Noise Protocol Framework</title> | |||
<author initials="T." surname="Perrin"> | <author initials="T." surname="Perrin"> | |||
<organization/> | <organization/> | |||
</author> | </author> | |||
<date year="2018" month="July"/> | <date year="2018" month="July"/> | |||
</front> | </front> | |||
<refcontent>Revision 34</refcontent> | ||||
</reference> | </reference> | |||
</references> | </references> | |||
</references> | </references> | |||
<?line 1918?> | <?line 1918?> | |||
<section anchor="transfer"> | <section anchor="transfer"> | |||
<name>Use with OSCORE and Transfer over CoAP</name> | <name>Use with OSCORE and Transfer over CoAP</name> | |||
<t>This appendix describes how to derive an OSCORE security context when E DHOC is used to key OSCORE, and how to transfer EDHOC messages over CoAP. The us e of CoAP or OSCORE with EDHOC is optional, but if you are using CoAP or OSCORE, then certain normative requirements apply as detailed in the subsections.</t> | <t>This appendix describes how to derive an OSCORE security context when E DHOC is used to key OSCORE and how to transfer EDHOC messages over CoAP. The use of CoAP or OSCORE with EDHOC is optional, but if you are using CoAP or OSCORE, then certain normative requirements apply as detailed in the subsections.</t> | |||
<section anchor="oscore-ctx-derivation"> | <section anchor="oscore-ctx-derivation"> | |||
<name>Deriving the OSCORE Security Context</name> | <name>Deriving the OSCORE Security Context</name> | |||
<t>This section specifies how to use EDHOC output to derive the OSCORE s ecurity context.</t> | <t>This section specifies how to use EDHOC output to derive the OSCORE s ecurity context.</t> | |||
<t>After successful processing of EDHOC message_3, Client and Server der ive Security Context parameters for OSCORE as follows (see Section 3.2 of <xref target="RFC8613"/>):</t> | <t>After successful processing of EDHOC message_3, the Client and Server derive security context parameters for OSCORE as follows (see <xref target="RFC 8613" section="3.2" sectionFormat="of"/>):</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li> | <li> | |||
<t>The Master Secret and Master Salt SHALL be derived by using the E DHOC_Exporter interface, see <xref target="exporter"/>: | <t>The Master Secret and Master Salt <bcp14>SHALL</bcp14> be derived by using the EDHOC_Exporter interface (see <xref target="exporter"/>): | |||
</t> | </t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>The EDHOC Exporter Labels for deriving the OSCORE Master Secre t and the OSCORE Master Salt, are the uints 0 and 1, respectively.</li> | <li>The EDHOC Exporter Labels for deriving the OSCORE Master Secre t and OSCORE Master Salt are the uints 0 and 1, respectively.</li> | |||
<li>The context parameter is h'' (0x40), the empty CBOR byte strin g.</li> | <li>The context parameter is h'' (0x40), the empty CBOR byte strin g.</li> | |||
<li>By default, oscore_key_length is the key length (in bytes) of the application AEAD Algorithm of the selected cipher suite for the EDHOC sessio n. Also by default, oscore_salt_length has value 8. The Initiator and Responder MAY agree out-of-band on a longer oscore_key_length than the default, and on sho rter or | <li>By default, oscore_key_length is the key length (in bytes) of the application AEAD algorithm of the selected cipher suite for the EDHOC sessio n. Also by default, oscore_salt_length has value 8. The Initiator and Responder <bcp14>MAY</bcp14> agree out-of-band on a longer oscore_key_length than the defa ult and on shorter or | |||
longer than the default oscore_salt_length.</li> | longer than the default oscore_salt_length.</li> | |||
</ul> | </ul> | |||
</li> | </li> | |||
</ul> | </ul> | |||
<artwork><![CDATA[ | <artwork><![CDATA[ | |||
Master Secret = EDHOC_Exporter( 0, h'', oscore_key_length ) | Master Secret = EDHOC_Exporter( 0, h'', oscore_key_length ) | |||
Master Salt = EDHOC_Exporter( 1, h'', oscore_salt_length ) | Master Salt = EDHOC_Exporter( 1, h'', oscore_salt_length ) | |||
]]></artwork> | ]]></artwork> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>The AEAD Algorithm SHALL be the application AEAD algorithm of the | <li>The AEAD algorithm <bcp14>SHALL</bcp14> be the application AEAD al | |||
selected cipher suite for the EDHOC session.</li> | gorithm of the selected cipher suite for the EDHOC session.</li> | |||
<li>The HKDF Algorithm SHALL be the one based on the application hash | <li>The HKDF algorithm <bcp14>SHALL</bcp14> be the one based on the ap | |||
algorithm of the selected cipher suite for the EDHOC session. For example, if SH | plication hash algorithm of the selected cipher suite for the EDHOC session. For | |||
A-256 is the application hash algorithm of the selected cipher suite, HKDF SHA-2 | example, if SHA-256 is the application hash algorithm of the selected cipher su | |||
56 is used as HKDF Algorithm in the OSCORE Security Context.</li> | ite, HKDF SHA-256 is used as the HKDF algorithm in the OSCORE security context.< | |||
<li>The relationship between identifiers in OSCORE and EDHOC is specif | /li> | |||
ied in <xref target="ci-oscore"/>. The OSCORE Sender ID and Recipient ID SHALL b | <li>The relationship between identifiers in OSCORE and EDHOC is specif | |||
e determined by the EDHOC connection identifiers C_R and C_I for the EDHOC sessi | ied in <xref target="ci-oscore"/>. The OSCORE Sender ID and Recipient ID <bcp14> | |||
on as shown in <xref target="fig-edhoc-oscore-id-mapping"/>.</li> | SHALL</bcp14> be determined by EDHOC connection identifiers C_R and C_I for the | |||
EDHOC session as shown in <xref target="tab-edhoc-oscore-id-mapping"/>.</li> | ||||
</ul> | </ul> | |||
<figure anchor="fig-edhoc-oscore-id-mapping"> | ||||
<name>Usage of connection identifiers in OSCORE.</name> | <table anchor="tab-edhoc-oscore-id-mapping"> | |||
<artset> | <name>Usage of Connection Identifiers in OSCORE</name> | |||
<artwork type="svg" align="center"><svg xmlns="http://www.w3.org/200 | <thead> | |||
0/svg" version="1.1" height="144" width="488" viewBox="0 0 488 144" class="diagr | <tr> | |||
am" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap | <th></th> | |||
="round"> | <th>OSCORE Sender ID</th> | |||
<path d="M 8,32 L 8,128" fill="none" stroke="black"/> | <th>OSCORE Recipient ID</th> | |||
<path d="M 152,32 L 152,128" fill="none" stroke="black"/> | </tr> | |||
<path d="M 304,32 L 304,128" fill="none" stroke="black"/> | </thead> | |||
<path d="M 480,32 L 480,128" fill="none" stroke="black"/> | <tbody> | |||
<path d="M 8,32 L 480,32" fill="none" stroke="black"/> | <tr> | |||
<path d="M 8,62 L 480,62" fill="none" stroke="black"/> | <td>EDHOC Initiator</td> | |||
<path d="M 8,66 L 480,66" fill="none" stroke="black"/> | <td align="center">C_R</td> | |||
<path d="M 8,96 L 480,96" fill="none" stroke="black"/> | <td align="center">C_I</td> | |||
<path d="M 8,128 L 480,128" fill="none" stroke="black"/> | </tr><tr> | |||
<g class="text"> | <td>EDHOC Responder</td> | |||
<text x="188" y="52">OSCORE</text> | <td align="center">C_I</td> | |||
<text x="244" y="52">Sender</text> | <td align="center">C_R</td> | |||
<text x="284" y="52">ID</text> | </tr> | |||
<text x="340" y="52">OSCORE</text> | </tbody> | |||
<text x="408" y="52">Recipient</text> | </table> | |||
<text x="460" y="52">ID</text> | ||||
<text x="40" y="84">EDHOC</text> | <t>The Client and Server <bcp14>SHALL</bcp14> use the parameters above t | |||
<text x="104" y="84">Initiator</text> | o establish an OSCORE security context, as per <xref target="RFC8613" section="3 | |||
<text x="232" y="84">C_R</text> | .2.1" sectionFormat="of"/>.</t> | |||
<text x="392" y="84">C_I</text> | <t>From then on, the Client and Server retrieve the OSCORE protocol stat | |||
<text x="40" y="116">EDHOC</text> | e using the Recipient ID and optionally other transport information such as the | |||
<text x="104" y="116">Responder</text> | 5-tuple.</t> | |||
<text x="232" y="116">C_I</text> | ||||
<text x="392" y="116">C_R</text> | ||||
</g> | ||||
</svg> | ||||
</artwork> | ||||
<artwork type="ascii-art" align="center"><![CDATA[ | ||||
+-----------------+------------------+---------------------+ | ||||
| | OSCORE Sender ID | OSCORE Recipient ID | | ||||
+=================+==================+=====================+ | ||||
| EDHOC Initiator | C_R | C_I | | ||||
+-----------------+------------------+---------------------+ | ||||
| EDHOC Responder | C_I | C_R | | ||||
+-----------------+------------------+---------------------+ | ||||
]]></artwork> | ||||
</artset> | ||||
</figure> | ||||
<t>Client and Server SHALL use the parameters above to establish an OSCO | ||||
RE Security Context, as per Section 3.2.1 of <xref target="RFC8613"/>.</t> | ||||
<t>From then on, Client and Server retrieve the OSCORE protocol state us | ||||
ing the Recipient ID, and optionally other transport information such as the 5-t | ||||
uple.</t> | ||||
</section> | </section> | |||
<section anchor="coap"> | <section anchor="coap"> | |||
<name>Transferring EDHOC over CoAP</name> | <name>Transferring EDHOC over CoAP</name> | |||
<t>This section specifies how EDHOC can be transferred as an exchange of | <t>This section specifies how EDHOC can be transferred as an exchange of | |||
CoAP <xref target="RFC7252"/> messages. CoAP provides a reliable transport that | CoAP <xref target="RFC7252"/> messages. CoAP provides a reliable transport that | |||
can preserve packet ordering, provides flow and congestion control, and handles | can preserve packet ordering, provides flow and congestion control, and handles | |||
message duplication. CoAP can also perform fragmentation and mitigate certain d | message duplication. CoAP can also perform fragmentation and mitigate certain d | |||
enial-of-service attacks. The underlying CoAP transport should be used in reliab | enial-of-service attacks. The underlying CoAP transport should be used in reliab | |||
le mode, in particular when fragmentation is used, to avoid, e.g., situations wi | le mode, in particular, when fragmentation is used, to avoid, e.g., situations w | |||
th hanging endpoints waiting for each other.</t> | ith hanging endpoints waiting for each other.</t> | |||
<t>EDHOC may run with the Initiator either being CoAP client or CoAP ser | <t>EDHOC may run with the Initiator either being a CoAP client or CoAP s | |||
ver. We denote the former by the "forward message flow" (see <xref target="forwa | erver. We denote the former by the "forward message flow" (see <xref target="for | |||
rd"/>) and the latter by the "reverse message flow" (see <xref target="reverse"/ | ward"/>) and the latter by the "reverse message flow" (see <xref target="reverse | |||
>). By default, we assume the forward message flow, but the roles SHOULD be chos | "/>). By default, we assume the forward message flow, but the roles <bcp14>SHOUL | |||
en to protect the most sensitive identity, see <xref target="security"/>.</t> | D</bcp14> be chosen to protect the most sensitive identity; see <xref target="se | |||
<t>According to this specification, EDHOC is transferred in POST request | curity"/>.</t> | |||
s to the Uri-Path: "/.well-known/edhoc" (see <xref target="well-known"/>), and 2 | <t>According to this specification, EDHOC is transferred in POST request | |||
.04 (Changed) responses. An application may define its own path that can be disc | s to the Uri-Path: "/.well-known/edhoc" (see <xref target="well-known"/>) and 2. | |||
overed, e.g., using a resource directory <xref target="RFC9176"/>. Client applic | 04 (Changed) responses. An application may define its own path that can be disco | |||
ations can use the resource type "core.edhoc" to discover a server's EDHOC resou | vered, e.g., using a resource directory <xref target="RFC9176"/>. Client applica | |||
rce, i.e., where to send a request for executing the EDHOC protocol, see <xref t | tions can use the resource type "core.edhoc" to discover a server's EDHOC resour | |||
arget="rt"/>. An alternative transfer of the forward message flow is specified i | ce, i.e., where to send a request for executing the EDHOC protocol; see <xref ta | |||
n <xref target="I-D.ietf-core-oscore-edhoc"/>.</t> | rget="rt"/>. An alternative transfer of the forward message flow is specified in | |||
<t>In order for the server to correlate a message received from a client | <xref target="I-D.ietf-core-oscore-edhoc"/>.</t> | |||
to a message previously sent in the same EDHOC session over CoAP, messages sent | <t>In order for the server to correlate a message received from a client | |||
by the client SHALL be prepended with the CBOR serialization of the connection | to a message previously sent in the same EDHOC session over CoAP, messages sent | |||
identifier which the server has selected, see <xref target="ci-edhoc"/>. This ap | by the client <bcp14>SHALL</bcp14> be prepended with the CBOR serialization of | |||
plies both to the forward and the reverse message flows. To indicate a new EDHOC | the connection identifier that the server has selected; see <xref target="ci-edh | |||
session in the forward message flow, message_1 SHALL be prepended with the CBOR | oc"/>. This applies both to the forward and the reverse message flows. To indica | |||
simple value <tt>true</tt> (0xf5). Even if CoAP is carried over a reliable tran | te a new EDHOC session in the forward message flow, message_1 <bcp14>SHALL</bcp1 | |||
sport protocol such as TCP, the prepending of identifiers specified here SHALL b | 4> be prepended with the CBOR simple value <tt>true</tt> (0xf5). Even if CoAP is | |||
e practiced to enable interoperability independent of how CoAP is transported.</ | carried over a reliable transport protocol, such as TCP, the prepending of iden | |||
t> | tifiers specified here <bcp14>SHALL</bcp14> be practiced to enable interoperabil | |||
<t>The prepended identifiers are encoded in CBOR and thus self-delimitin | ity independent of how CoAP is transported.</t> | |||
g. The representation of identifiers described in <xref target="bstr-repr"/> SHA | <t>The prepended identifiers are encoded in CBOR and thus self-delimitin | |||
LL be used. They are sent in front of the actual EDHOC message to keep track of | g. The representation of identifiers described in <xref target="bstr-repr"/> <bc | |||
messages in an EDHOC session, and only the part of the body following the identi | p14>SHALL</bcp14> be used. They are sent in front of the actual EDHOC message to | |||
fier is used for EDHOC processing. In particular, the connection identifiers wit | keep track of messages in an EDHOC session, and only the part of the body follo | |||
hin the EDHOC messages are not impacted by the prepended identifiers.</t> | wing the identifier is used for EDHOC processing. In particular, the connection | |||
<t>An EDHOC message has media type application/edhoc+cbor-seq, whereas a | identifiers within the EDHOC messages are not impacted by the prepended identifi | |||
n EDHOC message prepended by a connection identifier has media type application/ | ers.</t> | |||
cid-edhoc+cbor-seq, see <xref target="content-format"/>.</t> | <t>An EDHOC message has media type "application/edhoc+cbor-seq", whereas | |||
<t>To mitigate certain denial-of-service attacks, the CoAP server MAY re | an EDHOC message prepended by a connection identifier has media type "applicati | |||
spond to the first POST request with a 4.01 (Unauthorized) containing an Echo op | on/cid-edhoc+cbor-seq"; see <xref target="content-format"/>.</t> | |||
tion <xref target="RFC9175"/>. This forces the Initiator to demonstrate reachabi | <t>To mitigate certain denial-of-service attacks, the CoAP server <bcp14 | |||
lity at its apparent network address. If message fragmentation is needed, the ED | >MAY</bcp14> respond to the first POST request with a 4.01 (Unauthorized) contai | |||
HOC messages may be fragmented using the CoAP Block-Wise Transfer mechanism <xre | ning an Echo option <xref target="RFC9175"/>. This forces the Initiator to demon | |||
f target="RFC7959"/>.</t> | strate reachability at its apparent network address. If message fragmentation is | |||
needed, the EDHOC messages may be fragmented using the CoAP Block-Wise Transfer | ||||
mechanism <xref target="RFC7959"/>.</t> | ||||
<t>EDHOC error messages need to be transported in response to a message that failed (see <xref target="error"/>). EDHOC error messages transported with CoAP are carried in the payload.</t> | <t>EDHOC error messages need to be transported in response to a message that failed (see <xref target="error"/>). EDHOC error messages transported with CoAP are carried in the payload.</t> | |||
<t>Note that the transport over CoAP can serve as a blueprint for other client-server protocols:</t> | <t>Note that the transport over CoAP can serve as a blueprint for other client-server protocols:</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>The client prepends the connection identifier selected by the serv er (or, for message_1, the CBOR simple value <tt>true</tt>) to any request mess age it sends.</li> | <li>The client prepends the connection identifier selected by the serv er (or, for message_1, the CBOR simple value <tt>true</tt>) to any request mess age it sends.</li> | |||
<li>The server does not send any such indicator, as responses are matc hed to request by the client-server protocol design.</li> | <li>The server does not send any such indicator, as responses are matc hed to request by the client-server protocol design.</li> | |||
</ul> | </ul> | |||
<section anchor="forward"> | <section anchor="forward"> | |||
<name>The Forward Message Flow</name> | <name>The Forward Message Flow</name> | |||
<t>In the forward message flow the CoAP client is the Initiator and th e CoAP server is the Responder. This flow protects the client identity against a ctive attackers and the server identity against passive attackers.</t> | <t>In the forward message flow, the CoAP client is the Initiator and t he CoAP server is the Responder. This flow protects the client identity against active attackers and the server identity against passive attackers.</t> | |||
<t>In the forward message flow, the CoAP Token enables correlation on the Initiator (client) side, and the prepended C_R enables correlation on the Re sponder (server) side.</t> | <t>In the forward message flow, the CoAP Token enables correlation on the Initiator (client) side, and the prepended C_R enables correlation on the Re sponder (server) side.</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>EDHOC message_1 is sent in the payload of a POST request from th | <li>EDHOC message_1 is sent in the payload of a POST request from th | |||
e client to the server's resource for EDHOC, prepended with the identifier <tt>t | e client to the server's resource for EDHOC, prepended with the identifier <tt>t | |||
rue</tt> (0xf5) indicating a new EDHOC session.</li> | rue</tt> (0xf5), indicating a new EDHOC session.</li> | |||
<li>EDHOC message_2 or the EDHOC error message is sent from the serv | <li>EDHOC message_2 or the EDHOC error message is sent from the serv | |||
er to the client in the payload of the response, in the former case with respons | er to the client in the payload of the response, in the former case with respons | |||
e code 2.04 (Changed), in the latter with response code as specified in <xref ta | e code 2.04 (Changed) and in the latter with response code as specified in <xref | |||
rget="edhoc-oscore-over-coap"/>.</li> | target="edhoc-oscore-over-coap"/>.</li> | |||
<li>EDHOC message_3 or the EDHOC error message is sent from the clie | <li>EDHOC message_3 or the EDHOC error message is sent from the clie | |||
nt to the server's resource in the payload of a POST request, prepended with the | nt to the server's resource in the payload of a POST request, prepended with con | |||
connection identifier C_R.</li> | nection identifier C_R.</li> | |||
<li>If EDHOC message_4 is used, or in case of an error message, it i | <li>If EDHOC message_4 is used, or in case of an error message, it i | |||
s sent from the server to the client in the payload of the response, with respon | s sent from the server to the client in the payload of the response, with respon | |||
se codes analogously to message_2. In case of an error message sent in response | se codes analogously to message_2. In case of an error message sent in response | |||
to message_4, it is sent analogously to error message sent in response to messag | to message_4, it is sent analogously to the error message sent in response to me | |||
e_2.</li> | ssage_2.</li> | |||
</ul> | </ul> | |||
<t>An example of a completed EDHOC session over CoAP in the forward me ssage flow is shown in <xref target="fig-coap1"/>.</t> | <t>An example of a completed EDHOC session over CoAP in the forward me ssage flow is shown in <xref target="fig-coap1"/>.</t> | |||
<figure anchor="fig-coap1"> | <figure anchor="fig-coap1"> | |||
<name>Example of the forward message flow.</name> | <name>Example of the Forward Message Flow</name> | |||
<artset> | <artset> | |||
<artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2 000/svg" version="1.1" height="352" width="496" viewBox="0 0 496 352" class="dia gram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linec ap="round"> | <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2 000/svg" version="1.1" height="" width="" viewBox="0 0 496 352" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="ro und"> | |||
<path d="M 24,48 L 24,336" fill="none" stroke="black"/> | <path d="M 24,48 L 24,336" fill="none" stroke="black"/> | |||
<path d="M 112,48 L 112,336" fill="none" stroke="black"/> | <path d="M 112,48 L 112,336" fill="none" stroke="black"/> | |||
<path d="M 24,64 L 104,64" fill="none" stroke="black"/> | <path d="M 24,64 L 104,64" fill="none" stroke="black"/> | |||
<path d="M 32,144 L 112,144" fill="none" stroke="black"/> | <path d="M 32,144 L 112,144" fill="none" stroke="black"/> | |||
<path d="M 24,208 L 104,208" fill="none" stroke="black"/> | <path d="M 24,208 L 104,208" fill="none" stroke="black"/> | |||
<path d="M 32,288 L 112,288" fill="none" stroke="black"/> | <path d="M 32,288 L 112,288" fill="none" stroke="black"/> | |||
<polygon class="arrowhead" points="112,208 100,202.4 100,213.6 " fill="black" transform="rotate(0,104,208)"/> | <polygon class="arrowhead" points="112,208 100,202.4 100,213.6 " fill="black" transform="rotate(0,104,208)"/> | |||
<polygon class="arrowhead" points="112,64 100,58.4 100,69.6" f ill="black" transform="rotate(0,104,64)"/> | <polygon class="arrowhead" points="112,64 100,58.4 100,69.6" f ill="black" transform="rotate(0,104,64)"/> | |||
<polygon class="arrowhead" points="40,288 28,282.4 28,293.6" f ill="black" transform="rotate(180,32,288)"/> | <polygon class="arrowhead" points="40,288 28,282.4 28,293.6" f ill="black" transform="rotate(180,32,288)"/> | |||
<polygon class="arrowhead" points="40,144 28,138.4 28,149.6" f ill="black" transform="rotate(180,32,144)"/> | <polygon class="arrowhead" points="40,144 28,138.4 28,149.6" f ill="black" transform="rotate(180,32,144)"/> | |||
skipping to change at line 3359 ¶ | skipping to change at line 2517 ¶ | |||
| | Content-Format: application/cid-edhoc+cbor-seq | | | Content-Format: application/cid-edhoc+cbor-seq | |||
| | Payload: C_R, EDHOC message_3 | | | Payload: C_R, EDHOC message_3 | |||
| | | | | | |||
|<---------+ Header: 2.04 Changed | |<---------+ Header: 2.04 Changed | |||
| 2.04 | Content-Format: application/edhoc+cbor-seq | | 2.04 | Content-Format: application/edhoc+cbor-seq | |||
| | Payload: EDHOC message_4 | | | Payload: EDHOC message_4 | |||
| | | | | | |||
]]></artwork> | ]]></artwork> | |||
</artset> | </artset> | |||
</figure> | </figure> | |||
<t>The forward message flow of EDHOC can be combined with an OSCORE ex change in a total of two round-trips, see <xref target="I-D.ietf-core-oscore-edh oc"/>.</t> | <t>The forward message flow of EDHOC can be combined with an OSCORE ex change in a total of two round trips; see <xref target="I-D.ietf-core-oscore-edh oc"/>.</t> | |||
</section> | </section> | |||
<section anchor="reverse"> | <section anchor="reverse"> | |||
<name>The Reverse Message Flow</name> | <name>The Reverse Message Flow</name> | |||
<t>In the reverse message flow the CoAP client is the Responder and th e CoAP server is the Initiator. This flow protects the server identity against a ctive attackers and the client identity against passive attackers.</t> | <t>In the reverse message flow, the CoAP client is the Responder and t he CoAP server is the Initiator. This flow protects the server identity against active attackers and the client identity against passive attackers.</t> | |||
<t>In the reverse message flow, the CoAP Token enables correlation on the Responder (client) side, and the prepended C_I enables correlation on the In itiator (server) side.</t> | <t>In the reverse message flow, the CoAP Token enables correlation on the Responder (client) side, and the prepended C_I enables correlation on the In itiator (server) side.</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>To trigger a new EDHOC session, the client makes an empty POST r equest to the server's resource for EDHOC.</li> | <li>To trigger a new EDHOC session, the client makes an empty POST r equest to the server's resource for EDHOC.</li> | |||
<li>EDHOC message_1 is sent from the server to the client in the pay load of the response with response code 2.04 (Changed).</li> | <li>EDHOC message_1 is sent from the server to the client in the pay load of the response with response code 2.04 (Changed).</li> | |||
<li>EDHOC message_2 or the EDHOC error message is sent from the clie | <li>EDHOC message_2 or the EDHOC error message is sent from the clie | |||
nt to the server's resource in the payload of a POST request, prepended with the | nt to the server's resource in the payload of a POST request, prepended with con | |||
connection identifier C_I.</li> | nection identifier C_I.</li> | |||
<li>EDHOC message_3 or the EDHOC error message is sent from the serv | <li>EDHOC message_3 or the EDHOC error message is sent from the serv | |||
er to the client in the payload of the response, in the former case with respons | er to the client in the payload of the response, in the former case with respons | |||
e code 2.04 (Changed), in the latter with response code as specified in <xref ta | e code 2.04 (Changed) and in the latter with response code as specified in <xref | |||
rget="edhoc-oscore-over-coap"/>.</li> | target="edhoc-oscore-over-coap"/>.</li> | |||
<li>If EDHOC message_4 is used, or in case of an error message, it i | <li>If EDHOC message_4 is used, or in case of an error message, it i | |||
s sent from the client to the server's resource in the payload of a POST request | s sent from the client to the server's resource in the payload of a POST request | |||
, prepended with the connection identifier C_I. In case of an error message sent | , prepended with connection identifier C_I. In case of an error message sent in | |||
in response to message_4, it is sent analogously to an error message sent in re | response to message_4, it is sent analogously to an error message sent in respon | |||
sponse to message_2.</li> | se to message_2.</li> | |||
</ul> | </ul> | |||
<t>An example of a completed EDHOC session over CoAP in the reverse me ssage flow is shown in <xref target="fig-coap2"/>.</t> | <t>An example of a completed EDHOC session over CoAP in the reverse me ssage flow is shown in <xref target="fig-coap2"/>.</t> | |||
<figure anchor="fig-coap2"> | <figure anchor="fig-coap2"> | |||
<name>Example of the reverse message flow.</name> | <name>Example of the Reverse Message Flow</name> | |||
<artset> | <artset> | |||
<artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2 000/svg" version="1.1" height="320" width="496" viewBox="0 0 496 320" class="dia gram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linec ap="round"> | <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2 000/svg" version="1.1" height="" width="" viewBox="0 0 496 320" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="ro und"> | |||
<path d="M 24,48 L 24,304" fill="none" stroke="black"/> | <path d="M 24,48 L 24,304" fill="none" stroke="black"/> | |||
<path d="M 112,48 L 112,304" fill="none" stroke="black"/> | <path d="M 112,48 L 112,304" fill="none" stroke="black"/> | |||
<path d="M 24,64 L 104,64" fill="none" stroke="black"/> | <path d="M 24,64 L 104,64" fill="none" stroke="black"/> | |||
<path d="M 32,112 L 112,112" fill="none" stroke="black"/> | <path d="M 32,112 L 112,112" fill="none" stroke="black"/> | |||
<path d="M 24,176 L 104,176" fill="none" stroke="black"/> | <path d="M 24,176 L 104,176" fill="none" stroke="black"/> | |||
<path d="M 32,256 L 112,256" fill="none" stroke="black"/> | <path d="M 32,256 L 112,256" fill="none" stroke="black"/> | |||
<polygon class="arrowhead" points="112,176 100,170.4 100,181.6 " fill="black" transform="rotate(0,104,176)"/> | <polygon class="arrowhead" points="112,176 100,170.4 100,181.6 " fill="black" transform="rotate(0,104,176)"/> | |||
<polygon class="arrowhead" points="112,64 100,58.4 100,69.6" f ill="black" transform="rotate(0,104,64)"/> | <polygon class="arrowhead" points="112,64 100,58.4 100,69.6" f ill="black" transform="rotate(0,104,64)"/> | |||
<polygon class="arrowhead" points="40,256 28,250.4 28,261.6" f ill="black" transform="rotate(180,32,256)"/> | <polygon class="arrowhead" points="40,256 28,250.4 28,261.6" f ill="black" transform="rotate(180,32,256)"/> | |||
<polygon class="arrowhead" points="40,112 28,106.4 28,117.6" f ill="black" transform="rotate(180,32,112)"/> | <polygon class="arrowhead" points="40,112 28,106.4 28,117.6" f ill="black" transform="rotate(180,32,112)"/> | |||
skipping to change at line 3454 ¶ | skipping to change at line 2612 ¶ | |||
|<---------+ Header: 2.04 Changed | |<---------+ Header: 2.04 Changed | |||
| 2.04 | Content-Format: application/edhoc+cbor-seq | | 2.04 | Content-Format: application/edhoc+cbor-seq | |||
| | Payload: EDHOC message_3 | | | Payload: EDHOC message_3 | |||
| | | | | | |||
]]></artwork> | ]]></artwork> | |||
</artset> | </artset> | |||
</figure> | </figure> | |||
</section> | </section> | |||
<section anchor="edhoc-oscore-over-coap"> | <section anchor="edhoc-oscore-over-coap"> | |||
<name>Errors in EDHOC over CoAP</name> | <name>Errors in EDHOC over CoAP</name> | |||
<t>When using EDHOC over CoAP, EDHOC error messages sent as CoAP respo nses MUST be sent in the payload of error responses, i.e., they MUST specify a C oAP error response code. In particular, it is RECOMMENDED that such error respon ses have response code either 4.00 (Bad Request) in case of client error (e.g., due to a malformed EDHOC message), or 5.00 (Internal Server Error) in case of se rver error (e.g., due to failure in deriving EDHOC keying material). The Content -Format of the error response MUST be set to application/edhoc+cbor-seq, see <xr ef target="content-format"/>.</t> | <t>When using EDHOC over CoAP, EDHOC error messages sent as CoAP respo nses <bcp14>MUST</bcp14> be sent in the payload of error responses, i.e., they < bcp14>MUST</bcp14> specify a CoAP error response code. In particular, it is <bcp 14>RECOMMENDED</bcp14> that such error responses have response code either 4.00 (Bad Request) in case of client error (e.g., due to a malformed EDHOC message) o r 5.00 (Internal Server Error) in case of server error (e.g., due to failure in deriving EDHOC keying material). The Content-Format of the error response <bcp14 >MUST</bcp14> be set to "application/edhoc+cbor-seq"; see <xref target="content- format"/>.</t> | |||
</section> | </section> | |||
</section> | </section> | |||
</section> | </section> | |||
<section anchor="comrep"> | <section anchor="comrep"> | |||
<name>Compact Representation</name> | <name>Compact Representation</name> | |||
<t>This section defines a format for compact representation based on the E lliptic-Curve-Point-to-Octet-String Conversion defined in Section 2.3.3 of <xref target="SECG"/>.</t> | <t>This section defines a format for compact representation based on the E lliptic-Curve-Point-to-Octet-String Conversion defined in Section 2.3.3 of <xref target="SECG"/>.</t> | |||
<t>As described in Section 4.2 of <xref target="RFC6090"/> the x-coordinat | <t>As described in <xref target="RFC6090" section="4.2" sectionFormat="of" | |||
e of an elliptic curve public key is a suitable representative for the entire po | />, the x-coordinate of an elliptic curve public key is a suitable representativ | |||
int whenever scalar multiplication is used as a one-way function. One example is | e for the entire point whenever scalar multiplication is used as a one-way funct | |||
ECDH with compact output, where only the x-coordinate of the computed value is | ion. One example is ECDH with compact output, where only the x-coordinate of the | |||
used as the shared secret.</t> | computed value is used as the shared secret.</t> | |||
<t>In EDHOC, compact representation is used for the ephemeral public keys | <t>In EDHOC, compact representation is used for the ephemeral public keys | |||
(G_X and G_Y), see <xref target="cose_key"/>. Using the notation from <xref targ | (G_X and G_Y); see <xref target="cose_key"/>. Using the notation from <xref targ | |||
et="SECG"/>, the output is an octet string of length ceil( (log2 q) / 8 ), where | et="SECG"/>, the output is an octet string of length ceil( (log2 q) / 8 ), where | |||
ceil(x) is the smallest integer not less than x. See <xref target="SECG"/> for | ceil(x) is the smallest integer not less than x. See <xref target="SECG"/> for | |||
a definition of q, M, X, xp, and ~yp. The steps in Section 2.3.3 of <xref target | a definition of q, M, X, xp, and ~yp. The steps in Section 2.3.3 of <xref target | |||
="SECG"/> are replaced by:</t> | ="SECG"/> are replaced with the following steps:</t> | |||
<ol spacing="normal" type="1"><li>Convert the field element xp to an octet string X of length ceil( (log2 q) / 8 ) octets using the conversion routine spe cified in Section 2.3.5 of <xref target="SECG"/>.</li> | <ol spacing="normal" type="1"><li>Convert the field element xp to an octet string X of length ceil( (log2 q) / 8 ) octets using the conversion routine spe cified in Section 2.3.5 of <xref target="SECG"/>.</li> | |||
<li>Output M = X</li> | <li>Output M = X.</li> | |||
</ol> | </ol> | |||
<t>The encoding of the point at infinity is not supported.</t> | <t>The encoding of the point at infinity is not supported.</t> | |||
<t>Compact representation does not change any requirements on validation, see <xref target="crypto"/>. Using compact representation has some security bene fits. An implementation does not need to check that the point is not the point a t infinity (the identity element). Similarly, as not even the sign of the y-coor dinate is encoded, compact representation trivially avoids so-called "benign mal leability" attacks where an attacker changes the sign, see <xref target="SECG"/> .</t> | <t>Compact representation does not change any requirements on validation; see <xref target="crypto"/>. Using compact representation has some security bene fits. An implementation does not need to check that the point is not the point a t infinity (the identity element). Similarly, as not even the sign of the y-coor dinate is encoded, compact representation trivially avoids so-called "benign mal leability" attacks where an attacker changes the sign; see <xref target="SECG"/> .</t> | |||
<t>The following may be needed for validation or compatibility with APIs t hat do not support compact representation or do not support the full <xref targe t="SECG"/> format:</t> | <t>The following may be needed for validation or compatibility with APIs t hat do not support compact representation or do not support the full <xref targe t="SECG"/> format:</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>If a compressed y-coordinate is required, then the value ~yp set to | <li>If a compressed y-coordinate is required, then the value ~yp set to | |||
zero can be used. The compact representation described above can in such a case | zero can be used. In such a case, the compact representation described above can | |||
be transformed into the SECG point compressed format by prepending it with the s | be transformed into the Standards for Efficient Cryptography Group (SECG) point | |||
ingle byte 0x02 (i.e., M = 0x02 || X).</li> | -compressed format by prepending it with the single byte 0x02 (i.e., M = 0x02 || | |||
<li>If an uncompressed y-coordinate is required, then a y-coordinate has | X).</li> | |||
to be calculated following Section 2.3.4 of <xref target="SECG"/> or Appendix C | <li>If an uncompressed y-coordinate is required, then a y-coordinate has | |||
of <xref target="RFC6090"/>. Any of the square roots (see <xref target="SECG"/> | to be calculated following Section 2.3.4 of <xref target="SECG"/> or <xref targ | |||
or <xref target="RFC6090"/>) can be used. The uncompressed SECG format is M = 0 | et="RFC6090" sectionFormat="of" section="C"/>. Any of the square roots (see <xre | |||
x04 || X || Y.</li> | f target="SECG"/> or <xref target="RFC6090"/>) can be used. The uncompressed SEC | |||
G format is M = 0x04 || X || Y.</li> | ||||
</ul> | </ul> | |||
<t>For example: The curve P-256 has the parameters (using the notation in <xref target="RFC6090"/>)</t> | <t>For example: The curve P-256 has the parameters (using the notation in <xref target="RFC6090"/>):</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>p = 2<sup>256</sup> − 2<sup>224</sup> + 2<sup>192</sup> + 2<sup>96</ sup> − 1</li> | <li>p = 2<sup>256</sup> - 2<sup>224</sup> + 2<sup>192</sup> + 2<sup>96</ sup> - 1</li> | |||
<li>a = -3</li> | <li>a = -3</li> | |||
<li>b = 410583637251521421293261297800472684091144410159937255 | <li>b = 410583637251521421293261297800472684091144410159937255 | |||
54835256314039467401291</li> | 54835256314039467401291</li> | |||
</ul> | </ul> | |||
<t>Given an example x:</t> | <t>Given an example x:</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>x = 115792089183396302095546807154740558443406795108653336 | <li>x = 115792089183396302095546807154740558443406795108653336 | |||
398970697772788799766525</li> | 398970697772788799766525</li> | |||
</ul> | </ul> | |||
<t>we can calculate y as the square root w = (x<sup>3</sup> + a <contact f ullname="⋅"/> x + b)<sup>((p + 1)/4)</sup> (mod p)</t> | <t>We can calculate y as the square root w = (x<sup>3</sup> + a ⋅ x + b)<s up>((p + 1)/4)</sup> (mod p).</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>y = 834387180070192806820075864918626005281451259964015754 | <li>y = 834387180070192806820075864918626005281451259964015754 | |||
16632522940595860276856</li> | 16632522940595860276856</li> | |||
</ul> | </ul> | |||
<t>Note that this does not guarantee that (x, y) is on the correct ellipti c curve. A full validation according to Section 5.6.2.3.3 of <xref target="SP-80 0-56A"/> can be achieved by also checking that 0 <contact fullname="≤"/> x < p and that y<sup>2</sup> <contact fullname="≡"/> x<sup>3</sup> + a <contact full name="⋅"/> x + b (mod p).</t> | <t>Note that this does not guarantee that (x, y) is on the correct ellipti c curve. A full validation according to Section 5.6.2.3.3 of <xref target="SP-80 0-56A"/> is done by also checking that 0 ≤ x < p and that y<sup>2</sup> ≡ x<s up>3</sup> + a ⋅ x + b (mod p).</t> | |||
</section> | </section> | |||
<section anchor="CBORandCOSE"> | <section anchor="CBORandCOSE"> | |||
<name>Use of CBOR, CDDL, and COSE in EDHOC</name> | <name>Use of CBOR, CDDL, and COSE in EDHOC</name> | |||
<t>This Appendix is intended to help implementors not familiar with CBOR < xref target="RFC8949"/>, CDDL <xref target="RFC8610"/>, COSE <xref target="RFC90 52"/>, and HKDF <xref target="RFC5869"/>.</t> | <t>This appendix is intended to help implementors not familiar with CBOR < xref target="RFC8949"/>, CDDL <xref target="RFC8610"/>, COSE <xref target="RFC90 52"/>, and HKDF <xref target="RFC5869"/>.</t> | |||
<section anchor="CBOR"> | <section anchor="CBOR"> | |||
<name>CBOR and CDDL</name> | <name>CBOR and CDDL</name> | |||
<t>The Concise Binary Object Representation (CBOR) <xref target="RFC8949 | <t>The Concise Binary Object Representation (CBOR) <xref target="RFC8949 | |||
"/> is a data format designed for small code size and small message size. CBOR b | "/> is a data format designed for small code size and small message size. CBOR b | |||
uilds on the JSON data model but extends it by e.g., encoding binary data direct | uilds on the JSON data model but extends it by, e.g., encoding binary data direc | |||
ly without base64 conversion. In addition to the binary CBOR encoding, CBOR also | tly without base64 conversion. In addition to the binary CBOR encoding, CBOR als | |||
has a diagnostic notation that is readable and editable by humans. The Concise | o has a diagnostic notation that is readable and editable by humans. The Concise | |||
Data Definition Language (CDDL) <xref target="RFC8610"/> provides a way to expre | Data Definition Language (CDDL) <xref target="RFC8610"/> provides a way to expr | |||
ss structures for protocol messages and APIs that use CBOR. <xref target="RFC861 | ess structures for protocol messages and APIs that use CBOR. <xref target="RFC86 | |||
0"/> also extends the diagnostic notation.</t> | 10"/> also extends the diagnostic notation.</t> | |||
<t>CBOR data items are encoded to or decoded from byte strings using a t | <t>CBOR data items are encoded to or decoded from byte strings using a t | |||
ype-length-value encoding scheme, where the three highest order bits of the init | ype-length-value encoding scheme, where the three highest order bits of the init | |||
ial byte contain information about the major type. CBOR supports several types o | ial byte contain information about the major type. CBOR supports several types o | |||
f data items, in addition to integers (int, uint), simple values, byte strings ( | f data items, integers (int, uint), simple values, byte strings (bstr), and text | |||
bstr), and text strings (tstr), CBOR also supports arrays [] of data items, map | strings (tstr). CBOR also supports arrays [] of data items, maps {} of pairs o | |||
s {} of pairs of data items, and sequences <xref target="RFC8742"/> of data item | f data items, and sequences <xref target="RFC8742"/> of data items. Some example | |||
s. Some examples are given below.</t> | s are given below.</t> | |||
<t>The EDHOC specification sometimes use CDDL names in CBOR diagnostic n | <t>The EDHOC specification sometimes use CDDL names in CBOR diagnostic n | |||
otation as in e.g., << ID_CRED_R, ? EAD_2 >>. This means that EAD_2 | otation as in, e.g., << ID_CRED_R, ? EAD_2 >>. This means that EAD_2 | |||
is optional and that ID_CRED_R and EAD_2 should be substituted with their values | is optional and that ID_CRED_R and EAD_2 should be substituted with their value | |||
before evaluation. I.e., if ID_CRED_R = { 4 : h'' } and EAD_2 is omitted then & | s before evaluation. That is, if ID_CRED_R = { 4 : h'' } and EAD_2 is omitted, t | |||
lt;< ID_CRED_R, ? EAD_2 >> = << { 4 : h'' } >>, which encod | hen << ID_CRED_R, ? EAD_2 >> = << { 4 : h'' } >>, which | |||
es to 0x43a10440. We also make use of the occurrence symbol "*", like in e.g., | encodes to 0x43a10440. We also make use of the occurrence symbol "*", like in, e | |||
2* int, meaning two or more CBOR integers.</t> | .g., 2* int, meaning two or more CBOR integers.</t> | |||
<t>For a complete specification and more examples, see <xref target="RFC 8949"/> and <xref target="RFC8610"/>. We recommend implementors get used to CBOR by using the CBOR playground <xref target="CborMe"/>.</t> | <t>For a complete specification and more examples, see <xref target="RFC 8949"/> and <xref target="RFC8610"/>. We recommend implementors get used to CBOR by using the CBOR playground <xref target="CborMe"/>.</t> | |||
<figure anchor="fig-cbor-examples"> | ||||
<name>Examples of use of CBOR and CDDL.</name> | <table anchor="tab-cbor-examples"> | |||
<artset> | <name>Examples of Use of CBOR and CDDL</name> | |||
<artwork type="svg" align="center"><svg xmlns="http://www.w3.org/200 | <thead> | |||
0/svg" version="1.1" height="304" width="480" viewBox="0 0 480 304" class="diagr | <tr> | |||
am" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap | <th>Diagnostic</th> | |||
="round"> | <th>Encoded</th> | |||
<path d="M 8,48 L 472,48" fill="none" stroke="black"/> | <th>Type</th> | |||
<path d="M 8,288 L 472,288" fill="none" stroke="black"/> | </tr> | |||
<g class="text"> | </thead> | |||
<text x="52" y="36">Diagnostic</text> | <tbody> | |||
<text x="200" y="36">Encoded</text> | <tr> | |||
<text x="356" y="36">Type</text> | <td>1</td> | |||
<text x="16" y="68">1</text> | <td>0x01</td> | |||
<text x="188" y="68">0x01</text> | <td>unsigned integer</td> | |||
<text x="372" y="68">unsigned</text> | </tr><tr> | |||
<text x="440" y="68">integer</text> | <td>24</td> | |||
<text x="20" y="84">24</text> | <td>0x1818</td> | |||
<text x="196" y="84">0x1818</text> | <td>unsigned integer</td> | |||
<text x="372" y="84">unsigned</text> | </tr><tr> | |||
<text x="440" y="84">integer</text> | <td>-24</td> | |||
<text x="24" y="100">-24</text> | <td>0x37</td> | |||
<text x="188" y="100">0x37</text> | <td>negative integer</td> | |||
<text x="372" y="100">negative</text> | </tr><tr> | |||
<text x="440" y="100">integer</text> | <td>-25</td> | |||
<text x="24" y="116">-25</text> | <td>0x3818</td> | |||
<text x="196" y="116">0x3818</text> | <td>negative integer</td> | |||
<text x="372" y="116">negative</text> | </tr><tr> | |||
<text x="440" y="116">integer</text> | <td>true</td> | |||
<text x="28" y="132">true</text> | <td>0xf5</td> | |||
<text x="188" y="132">0xf5</text> | <td>simple value</td> | |||
<text x="364" y="132">simple</text> | </tr><tr> | |||
<text x="416" y="132">value</text> | <td>h''</td> | |||
<text x="24" y="148">h''</text> | <td>0x40</td> | |||
<text x="188" y="148">0x40</text> | <td>byte string</td> | |||
<text x="356" y="148">byte</text> | </tr><tr> | |||
<text x="404" y="148">string</text> | <td>h'12cd'</td> | |||
<text x="40" y="164">h'12cd'</text> | <td>0x4212cd</td> | |||
<text x="204" y="164">0x4212cd</text> | <td>byte string</td> | |||
<text x="356" y="164">byte</text> | </tr><tr> | |||
<text x="404" y="164">string</text> | <td>'12cd'</td> | |||
<text x="36" y="180">'12cd'</text> | <td>0x4431326364</td> | |||
<text x="220" y="180">0x4431326364</text> | <td>byte string</td> | |||
<text x="356" y="180">byte</text> | </tr><tr> | |||
<text x="404" y="180">string</text> | <td>"12cd"</td> | |||
<text x="36" y="196">"12cd"</text> | <td>0x6431326364</td> | |||
<text x="220" y="196">0x6431326364</text> | <td>text string</td> | |||
<text x="356" y="196">text</text> | </tr><tr> | |||
<text x="404" y="196">string</text> | <td>{ 4 : h'cd' }</td> | |||
<text x="16" y="212">{</text> | <td>0xa10441cd</td> | |||
<text x="32" y="212">4</text> | <td>map</td> | |||
<text x="48" y="212">:</text> | </tr><tr> | |||
<text x="80" y="212">h'cd'</text> | <td><< 1, 2, true >></td> | |||
<text x="112" y="212">}</text> | <td>0x430102f5</td> | |||
<text x="212" y="212">0xa10441cd</text> | <td>byte string</td> | |||
<text x="352" y="212">map</text> | </tr><tr> | |||
<text x="20" y="228"><<</text> | <td>[ 1, 2, true ]</td> | |||
<text x="44" y="228">1,</text> | <td>0x830102f5</td> | |||
<text x="68" y="228">2,</text> | <td>array</td> | |||
<text x="100" y="228">true</text> | </tr><tr> | |||
<text x="132" y="228">>></text> | <td>( 1, 2, true )</td> | |||
<text x="212" y="228">0x430102f5</text> | <td>0x0102f5</td> | |||
<text x="356" y="228">byte</text> | <td>sequence</td> | |||
<text x="404" y="228">string</text> | </tr><tr> | |||
<text x="16" y="244">[</text> | <td> 1, 2, true</td> | |||
<text x="36" y="244">1,</text> | <td>0x0102f5</td> | |||
<text x="60" y="244">2,</text> | <td>sequence</td> | |||
<text x="92" y="244">true</text> | </tr> | |||
<text x="120" y="244">]</text> | </tbody> | |||
<text x="212" y="244">0x830102f5</text> | </table> | |||
<text x="360" y="244">array</text> | ||||
<text x="16" y="260">(</text> | </section> | |||
<text x="36" y="260">1,</text> | ||||
<text x="60" y="260">2,</text> | ||||
<text x="92" y="260">true</text> | ||||
<text x="120" y="260">)</text> | ||||
<text x="204" y="260">0x0102f5</text> | ||||
<text x="372" y="260">sequence</text> | ||||
<text x="20" y="276">1,</text> | ||||
<text x="44" y="276">2,</text> | ||||
<text x="76" y="276">true</text> | ||||
<text x="204" y="276">0x0102f5</text> | ||||
<text x="372" y="276">sequence</text> | ||||
</g> | ||||
</svg> | ||||
</artwork> | ||||
<artwork type="ascii-art" align="center"><![CDATA[ | ||||
Diagnostic Encoded Type | ||||
1 0x01 unsigned integer | ||||
24 0x1818 unsigned integer | ||||
-24 0x37 negative integer | ||||
-25 0x3818 negative integer | ||||
true 0xf5 simple value | ||||
h'' 0x40 byte string | ||||
h'12cd' 0x4212cd byte string | ||||
'12cd' 0x4431326364 byte string | ||||
"12cd" 0x6431326364 text string | ||||
{ 4 : h'cd' } 0xa10441cd map | ||||
<< 1, 2, true >> 0x430102f5 byte string | ||||
[ 1, 2, true ] 0x830102f5 array | ||||
( 1, 2, true ) 0x0102f5 sequence | ||||
1, 2, true 0x0102f5 sequence | ||||
]]></artwork> | ||||
</artset> | ||||
</figure> | ||||
</section> | ||||
<section anchor="CDDL"> | <section anchor="CDDL"> | |||
<name>CDDL Definitions</name> | <name>CDDL Definitions</name> | |||
<t>This section compiles the CDDL definitions for ease of reference.</t> | <t>This section compiles the CDDL definitions for ease of reference.</t> | |||
<sourcecode type="CDDL"><![CDATA[ | <sourcecode type="CDDL"><![CDATA[ | |||
suites = [ 2* int ] / int | suites = [ 2* int ] / int | |||
ead = ( | ead = ( | |||
ead_label : int, | ead_label : int, | |||
? ead_value : bstr, | ? ead_value : bstr, | |||
) | ) | |||
skipping to change at line 3634 ¶ | skipping to change at line 2760 ¶ | |||
SUITES_I : suites, | SUITES_I : suites, | |||
G_X : bstr, | G_X : bstr, | |||
C_I : bstr / -24..23, | C_I : bstr / -24..23, | |||
? EAD_1, | ? EAD_1, | |||
) | ) | |||
message_2 = ( | message_2 = ( | |||
G_Y_CIPHERTEXT_2 : bstr, | G_Y_CIPHERTEXT_2 : bstr, | |||
) | ) | |||
PLAINTEXT_2 = ( | ||||
C_R, | ||||
ID_CRED_R : map / bstr / -24..23, | ||||
Signature_or_MAC_2 : bstr, | ||||
? EAD_2, | ||||
) | ||||
message_3 = ( | message_3 = ( | |||
CIPHERTEXT_3 : bstr, | CIPHERTEXT_3 : bstr, | |||
) | ) | |||
PLAINTEXT_3 = ( | ||||
ID_CRED_I : map / bstr / -24..23, | ||||
Signature_or_MAC_3 : bstr, | ||||
? EAD_3, | ||||
) | ||||
message_4 = ( | message_4 = ( | |||
CIPHERTEXT_4 : bstr, | CIPHERTEXT_4 : bstr, | |||
) | ) | |||
PLAINTEXT_4 = ( | ||||
? EAD_4, | ||||
) | ||||
error = ( | error = ( | |||
ERR_CODE : int, | ERR_CODE : int, | |||
ERR_INFO : any, | ERR_INFO : any, | |||
) | ) | |||
info = ( | info = ( | |||
info_label : int, | info_label : int, | |||
context : bstr, | context : bstr, | |||
length : uint, | length : uint, | |||
) | ) | |||
]]></sourcecode> | ]]></sourcecode> | |||
</section> | </section> | |||
<section anchor="COSE"> | <section anchor="COSE"> | |||
<name>COSE</name> | <name>COSE</name> | |||
<t>CBOR Object Signing and Encryption (COSE) <xref target="RFC9052"/> de scribes how to create and process signatures, message authentication codes, and encryption using CBOR. COSE builds on JOSE, but is adapted to allow more efficie nt processing in constrained devices. EDHOC makes use of COSE_Key, COSE_Encrypt0 , and COSE_Sign1 objects in the message processing:</t> | <t>CBOR Object Signing and Encryption (COSE) <xref target="RFC9052"/> de scribes how to create and process signatures, MACs, and encryptions using CBOR. COSE builds on JSON Object Signing and Encryption (JOSE) but is adapted to allow more efficient processing in constrained devices. EDHOC makes use of COSE_Key, COSE_Encrypt0, and COSE_Sign1 objects in the message processing:</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>ECDH ephemeral public keys of type EC2 or OKP in message_1 and mes sage_2 consist of the COSE_Key parameter named 'x', see Section 7.1 and 7.2 of < xref target="RFC9053"/></li> | <li>ECDH ephemeral public keys of type EC2 or OKP in message_1 and mes sage_2 consist of the COSE_Key parameter named 'x'; see Sections <xref target="R FC9053" section="7.1" sectionFormat="bare"/> and <xref target="RFC9053" section= "7.2" sectionFormat="bare"/> of <xref target="RFC9053"/>.</li> | |||
<li> | <li> | |||
<t>The ciphertexts in message_3 and message_4 consist of a subset of the single recipient encrypted data object COSE_Encrypt0, which is described in Sections 5.2-5.3 of <xref target="RFC9052"/>. The ciphertext is computed over t he plaintext and associated data, using an encryption key and an initialization vector. The associated data is an Enc_structure consisting of protected headers and externally supplied data (external_aad). COSE constructs the input to the AE AD <xref target="RFC5116"/> for message_i (i = 3 or 4, see <xref target="m3"/> a nd <xref target="m4"/>, respectively) as follows: </t> | <t>The ciphertexts in message_3 and message_4 consist of a subset of the single recipient encrypted data object COSE_Encrypt0, which is described in Sections <xref target="RFC9052" sectionFormat="bare" section="5.2"/> and <xref target="RFC9052" sectionFormat="bare" section="5.3"/> of <xref target="RFC9052"/ >. The ciphertext is computed over the plaintext and associated data, using an e ncryption key and an initialization vector. The associated data is an Enc_struct ure consisting of protected headers and externally supplied data (external_aad). COSE constructs the input to the AEAD <xref target="RFC5116"/> for message_i (i = 3 or 4; see Sections <xref target="m3" format="counter"/> and <xref target="m 4" format="counter"/>, respectively) as follows: </t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>Secret key K = K_i</li> | <li>Secret key K = K_i</li> | |||
<li>Nonce N = IV_i</li> | <li>Nonce N = IV_i</li> | |||
<li>Plaintext P for message_i</li> | <li>Plaintext P for message_i</li> | |||
<li>Associated Data A = [ "Encrypt0", h'', TH_i ]</li> | <li>Associated Data A = [ "Encrypt0", h'', TH_i ]</li> | |||
</ul> | </ul> | |||
</li> | </li> | |||
<li> | <li> | |||
<t>Signatures in message_2 of method 0 and 2, and in message_3 of me thod 0 and 1, consist of a subset of the single signer data object COSE_Sign1, w hich is described in Sections 4.2-4.4 of <xref target="RFC9052"/>. The signature is computed over a Sig_structure containing payload, protected headers and exte rnally supplied data (external_aad) using a private signature key and verified u sing the corresponding public signature key. For COSE_Sign1, the message to be s igned is: </t> | <t>Signatures in message_2 of method 0 and 2, and in message_3 of me thod 0 and 1, consist of a subset of the single signer data object COSE_Sign1, w hich is described in Sections <xref target="RFC9052" sectionFormat="bare" secti on="4.2"/> and <xref target="RFC9052" sectionFormat="bare" section="4.4"/> of <x ref target="RFC9052"/>. The signature is computed over a Sig_structure containin g payload, protected headers and externally supplied data (external_aad) using a private signature key, and verified using the corresponding public signature ke y. For COSE_Sign1, the message to be signed is: </t> | |||
<artwork><![CDATA[ | <artwork><![CDATA[ | |||
[ "Signature1", protected, external_aad, payload ] | [ "Signature1", protected, external_aad, payload ] | |||
]]></artwork> | ]]></artwork> | |||
<t> | <t> | |||
where protected, external_aad and payload are specified in <xref target="m2"/> a nd <xref target="m3"/>.</t> | where protected, external_aad, and payload are specified in Sections <xref targe t="m2" format="counter"/> and <xref target="m3" format="counter"/>.</t> | |||
</li> | </li> | |||
</ul> | </ul> | |||
<t>Different header parameters to identify X.509 or C509 certificates by reference are defined in <xref target="RFC9360"/> and <xref target="I-D.ietf-co se-cbor-encoded-cert"/>:</t> | <t>Different header parameters to identify X.509 or C509 certificates by reference are defined in <xref target="RFC9360"/> and <xref target="I-D.ietf-co se-cbor-encoded-cert"/>:</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li> | <li> | |||
<t>by a hash value with the 'x5t' or 'c5t' parameters, respectively: </t> | <t>by a hash value with the 'x5t' or 'c5t' parameters, respectively: </t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>ID_CRED_x = { 34 : COSE_CertHash }, for x = I or R,</li> | <li>ID_CRED_x = { 34 : COSE_CertHash }, for x = I or R and</li> | |||
<li>ID_CRED_x = { TBD3 : COSE_CertHash }, for x = I or R;</li> | <li>ID_CRED_x = { 22 : COSE_CertHash }, for x = I or R,</li> | |||
</ul> | </ul> | |||
</li> | </li> | |||
<li> | <li> | |||
<t>or by a URI with the 'x5u' or 'c5u' parameters, respectively: </ t> | <t>or by a URI with the 'x5u' or 'c5u' parameters, respectively: </ t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>ID_CRED_x = { 35 : uri }, for x = I or R,</li> | <li>ID_CRED_x = { 35 : uri }, for x = I or R, and</li> | |||
<li>ID_CRED_x = { TBD4 : uri }, for x = I or R.</li> | <li>ID_CRED_x = { 23 : uri }, for x = I or R.</li> | |||
</ul> | </ul> | |||
</li> | </li> | |||
</ul> | </ul> | |||
<t>When ID_CRED_x does not contain the actual credential, it may be very short, e.g., if the endpoints have agreed to use a key identifier parameter 'ki d':</t> | <t>When ID_CRED_x does not contain the actual credential, it may be very short, e.g., if the endpoints have agreed to use a key identifier parameter 'ki d':</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>ID_CRED_x = { 4 : kid_x }, where kid_x : kid, for x = I or R. For further optimization, see <xref target="id_cred"/>.</li> | <li>ID_CRED_x = { 4 : kid_x }, where kid_x : kid, for x = I or R. For further optimization, see <xref target="id_cred"/>.</li> | |||
</ul> | </ul> | |||
<t>Note that ID_CRED_x can contain several header parameters, for exampl | <t>Note that ID_CRED_x can contain several header parameters, for exampl | |||
e { x5u, x5t } or { kid, kid_context }.</t> | e, { x5u, x5t } or { kid, kid_context }.</t> | |||
<t>ID_CRED_x MAY also identify the credential by value. For example, a c | <t>ID_CRED_x <bcp14>MAY</bcp14> also identify the credential by value. F | |||
ertificate chain can be transported in an ID_CRED field with COSE header paramet | or example, a certificate chain can be transported in an ID_CRED field with COSE | |||
er c5c or x5chain, defined in <xref target="I-D.ietf-cose-cbor-encoded-cert"/> a | header parameter c5c or x5chain, as defined in <xref target="I-D.ietf-cose-cbor | |||
nd <xref target="RFC9360"/> and credentials of type CWT and CCS can be transport | -encoded-cert"/> and <xref target="RFC9360"/>. Credentials of type CWT and CCS c | |||
ed with the COSE header parameters registered in <xref target="cwt-header-param" | an be transported with the COSE header parameters registered in <xref target="cw | |||
/>.</t> | t-header-param"/>.</t> | |||
</section> | </section> | |||
</section> | </section> | |||
<section anchor="auth-validation"> | <section anchor="auth-validation"> | |||
<name>Authentication Related Verifications</name> | <name>Authentication-Related Verifications</name> | |||
<t>EDHOC performs certain authentication related operations, see <xref tar | <t>EDHOC performs certain authentication-related operations (see <xref tar | |||
get="auth-key-id"/>, but in general it is necessary to make additional verificat | get="auth-key-id"/>), but in general, it is necessary to make additional verific | |||
ions beyond EDHOC message processing. Which verifications that are needed depend | ations beyond EDHOC message processing. Which verifications that are needed depe | |||
on the deployment, in particular the trust model and the security policies, but | nd on the deployment, in particular, the trust model and the security policies, | |||
most commonly it can be expressed in terms of verifications of credential conte | but most commonly, it can be expressed in terms of verifications of credential c | |||
nt.</t> | ontent.</t> | |||
<t>EDHOC assumes the existence of mechanisms (certification authority or o | <t>EDHOC assumes the existence of mechanisms (certification authority or o | |||
ther trusted third party, pre-provisioning, etc.) for generating and distributin | ther trusted third party, pre-provisioning, etc.) for generating and distributin | |||
g authentication credentials and other credentials, as well as the existence of | g authentication credentials and other credentials, as well as the existence of | |||
trust anchors (CA certificates, trusted public keys, etc.). For example, a publi | trust anchors (CA certificates, trusted public keys, etc.). For example, a publi | |||
c key certificate or CWT may rely on a trusted third party whose public key is p | c key certificate or CWT may rely on a trusted third party whose public key is p | |||
re-provisioned, whereas a CCS or a self-signed certificate/CWT may be used when | re-provisioned, whereas a CCS or a self-signed certificate / CWT may be used whe | |||
trust in the public key can be achieved by other means, or in the case of Trust | n trust in the public key can be achieved by other means, or in the case of trus | |||
on first use, see <xref target="tofu"/>.</t> | t on first use, see <xref target="tofu"/>.</t> | |||
<t>In this section we provide some examples of such verifications. These v | <t>In this section, we provide some examples of such verifications. These | |||
erifications are the responsibility of the application but may be implemented as | verifications are the responsibility of the application but may be implemented a | |||
part of an EDHOC library.</t> | s part of an EDHOC library.</t> | |||
<section anchor="validating-auth-credential"> | <section anchor="validating-auth-credential"> | |||
<name>Validating the Authentication Credential</name> | <name>Validating the Authentication Credential</name> | |||
<t>The authentication credential may contain, in addition to the authent ication key, other parameters that needs to be verified. For example:</t> | <t>In addition to the authentication key, the authentication credential may contain other parameters that need to be verified. For example:</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>In X.509 and C509 certificates, signature keys typically have key | <li>In X.509 and C509 certificates, signature keys typically have key | |||
usage "digitalSignature" and Diffie-Hellman public keys typically have key usage | usage "digitalSignature", and Diffie-Hellman public keys typically have key usag | |||
"keyAgreement" <xref target="RFC3279"/><xref target="RFC8410"/>.</li> | e "keyAgreement" <xref target="RFC3279"/> <xref target="RFC8410"/>.</li> | |||
<li>In X.509 and C509 certificates validity is expressed using Not Aft | <li>In X.509 and C509 certificates, validity is expressed using Not Af | |||
er and Not Before. In CWT and CCS, the “exp” and “nbf” claims have similar meani | ter and Not Before. In CWT and CCS, the "exp" and "nbf" claims have similar mean | |||
ngs.</li> | ings.</li> | |||
</ul> | </ul> | |||
</section> | </section> | |||
<section anchor="identities"> | <section anchor="identities"> | |||
<name>Identities</name> | <name>Identities</name> | |||
<t>The application must decide on allowing a connection or not depending | <t>The application must decide on allowing a connection or not, dependin | |||
on the intended endpoint, and in particular whether it is a specific identity o | g on the intended endpoint, and in particular whether it is a specific identity | |||
r in a set of identities. To prevent misbinding attacks, the identity of the end | or in a set of identities. To prevent misbinding attacks, the identity of the en | |||
point is included in a MAC verified through the protocol. More details and examp | dpoint is included in a MAC verified through the protocol. More details and exam | |||
les are provided in this section.</t> | ples are provided in this section.</t> | |||
<t>Policies for what connections to allow are typically set based on the | <t>Policies for what connections to allow are typically set based on the | |||
identity of the other endpoint, and endpoints typically only allow connections | identity of the other endpoint, and endpoints typically only allow connections | |||
from a specific identity or a small restricted set of identities. For example, i | from a specific identity or a small restricted set of identities. For example, i | |||
n the case of a device connecting to a network, the network may only allow conne | n the case of a device connecting to a network, the network may only allow conne | |||
ctions from devices which authenticate with certificates having a particular ran | ctions from devices that authenticate with certificates having a particular rang | |||
ge of serial numbers and signed by a particular CA. Conversely, a device may onl | e of serial numbers and signed by a particular CA. Conversely, a device may only | |||
y be allowed to connect to a network which authenticates with a particular publi | be allowed to connect to a network that authenticates with a particular public | |||
c key.</t> | key.</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>When a Public Key Infrastructure (PKI) is used with certificates, the identity is the subject whose unique name, e.g., a domain name, a Network Ac cess Identifier (NAI), or an Extended Unique Identifier (EUI), is included in th e endpoint's certificate.</li> | <li>When a Public Key Infrastructure (PKI) is used with certificates, the identity is the subject whose unique name, e.g., a domain name, a Network Ac cess Identifier (NAI), or an Extended Unique Identifier (EUI), is included in th e endpoint's certificate.</li> | |||
<li>Similarly, when a PKI is used with CWTs, the identity is the subje ct identified by the relevant claim(s), such as 'sub' (subject).</li> | <li>Similarly, when a PKI is used with CWTs, the identity is the subje ct identified by the relevant claim(s), such as 'sub' (subject).</li> | |||
<li>When PKI is not used (e.g., CCS, self-signed certificate/CWT) the identity is typically directly associated with the authentication key of the oth er party. For example, if identities can be expressed in the form of unique subj ect names assigned to public keys, then a binding to identity is achieved by inc luding both public key and associated subject name in the authentication credent ial: CRED_I or CRED_R may be a self-signed certificate/CWT or CCS containing the authentication key and the subject name, see <xref target="auth-cred"/>. Each e ndpoint thus needs to know the specific authentication key/unique associated sub ject name, or set of public authentication keys/unique associated subject names, which it is allowed to communicate with.</li> | <li>When PKI is not used (e.g., CCS, self-signed certificate / CWT), t he identity is typically directly associated with the authentication key of the other party. For example, if identities can be expressed in the form of unique s ubject names assigned to public keys, then a binding to identity is achieved by including both the public key and associated subject name in the authentication credential. CRED_I or CRED_R may be a self-signed certificate / CWT or CCS conta ining the authentication key and the subject name; see <xref target="auth-cred"/ >. Thus, each endpoint needs to know the specific authentication key / unique as sociated subject name or set of public authentication keys / unique associated s ubject names, which it is allowed to communicate with.</li> | |||
</ul> | </ul> | |||
<t>To prevent misbinding attacks in systems where an attacker can regist er public keys without proving knowledge of the private key, SIGMA <xref target= "SIGMA"/> enforces a MAC to be calculated over the "identity". EDHOC follows SIG MA by calculating a MAC over the whole authentication credential, which in case of an X.509 or C509 certificate includes the "subject" and "subjectAltName" fiel ds, and in the case of CWT or CCS includes the "sub" claim.</t> | <t>To prevent misbinding attacks in systems where an attacker can regist er public keys without proving knowledge of the private key, SIGMA <xref target= "SIGMA"/> enforces a MAC to be calculated over the "identity". EDHOC follows SIG MA by calculating a MAC over the whole authentication credential, which in case of an X.509 or C509 certificate, includes the "subject" and "subjectAltName" fie lds and, in the case of CWT or CCS, includes the "sub" claim.</t> | |||
<t>(While the SIGMA paper only focuses on the identity, the same princip le is true for other information such as policies associated with the public key .)</t> | <t>(While the SIGMA paper only focuses on the identity, the same princip le is true for other information such as policies associated with the public key .)</t> | |||
</section> | </section> | |||
<section anchor="cert-path"> | <section anchor="cert-path"> | |||
<name>Certification Path and Trust Anchors</name> | <name>Certification Path and Trust Anchors</name> | |||
<t>When a Public Key Infrastructure (PKI) is used with certificates, the | <t>When a Public Key Infrastructure (PKI) is used with certificates, the | |||
trust anchor is a Certification Authority (CA) certificate. Each party needs at | trust anchor is a certification authority (CA) certificate. Each party needs at | |||
least one CA public key certificate, or just the CA public key. The certificati | least one CA public key certificate or just the CA public key. The certificatio | |||
on path contains proof that the subject of the certificate owns the public key i | n path contains proof that the subject of the certificate owns the public key in | |||
n the certificate. Only validated public-key certificates are to be accepted.</t | the certificate. Only validated public key certificates are to be accepted.</t> | |||
> | <t>Similarly, when a PKI is used with CWTs, each party needs to have at | |||
<t>Similarly, when a PKI is used with CWTs, each party needs to have at | least one trusted third-party public key as a trust anchor to verify the end ent | |||
least one trusted third party public key as trust anchor to verify the end entit | ity CWTs. The trusted third-party public key can, e.g., be stored in a self-sign | |||
y CWTs. The trusted third party public key can, e.g., be stored in a self-signed | ed CWT or in a CCS.</t> | |||
CWT or in a CCS.</t> | <t>The signature of the authentication credential needs to be verified w | |||
<t>The signature of the authentication credential needs to be verified w | ith the public key of the issuer. X.509 and C509 certificates includes the "Issu | |||
ith the public key of the issuer. X.509 and C509 certificates includes the “Issu | er" field. In CWT and CCS, the "iss" claim has a similar meaning. The public key | |||
er” field. In CWT and CCS, the “iss” claim has a similar meaning. The public key | is either a trust anchor or the public key in another valid and trusted credent | |||
is either a trust anchor or the public key in another valid and trusted credent | ial in a certification path from the trust anchor to the authentication credenti | |||
ial in a certification path from trust anchor to authentication credential.</t> | al.</t> | |||
<t>Similar verifications as made with the authentication credential (see <xref target="validating-auth-credential"/>) are also needed for the other cred entials in the certification path.</t> | <t>Similar verifications as made with the authentication credential (see <xref target="validating-auth-credential"/>) are also needed for the other cred entials in the certification path.</t> | |||
<t>When PKI is not used (CCS, self-signed certificate/CWT), the trust an chor is the authentication key of the other party, in which case there is no cer tification path.</t> | <t>When PKI is not used (CCS and self-signed certificate / CWT), the tru st anchor is the authentication key of the other party; in which case, there is no certification path.</t> | |||
</section> | </section> | |||
<section anchor="revocation"> | <section anchor="revocation"> | |||
<name>Revocation Status</name> | <name>Revocation Status</name> | |||
<t>The application may need to verify that the credentials are not revok ed, see <xref target="impl-cons"/>. Some use cases may be served by short-lived credentials, for example, where the validity of the credential is on par with th e interval between revocation checks. But, in general, credential lifetime and r evocation checking are complementary measures to control credential status. Revo cation information may be transported as External Authentication Data (EAD), see <xref target="ead-appendix"/>.</t> | <t>The application may need to verify that the credentials are not revok ed; see <xref target="impl-cons"/>. Some use cases may be served by short-lived credentials, for example, where the validity of the credential is on par with th e interval between revocation checks. But, in general, credential lifetime and r evocation checking are complementary measures to control credential status. Revo cation information may be transported as External Authorization Data (EAD); see <xref target="ead-appendix"/>.</t> | |||
</section> | </section> | |||
<section anchor="tofu"> | <section anchor="tofu"> | |||
<name>Unauthenticated Operation</name> | <name>Unauthenticated Operation</name> | |||
<t>EDHOC might be used without authentication by allowing the Initiator or Responder to communicate with any identity except its own. Note that EDHOC wi thout mutual authentication is vulnerable to active on-path attacks and therefor e unsafe for general use. However, it is possible to later establish a trust rel ationship with an unknown or not-yet-trusted endpoint. Some examples:</t> | <t>EDHOC might be used without authentication by allowing the Initiator or Responder to communicate with any identity except its own. Note that EDHOC wi thout mutual authentication is vulnerable to active on-path attacks and therefor e unsafe for general use. However, it is possible to later establish a trust rel ationship with an unknown or not-yet-trusted endpoint. Some examples are listed below:</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>The EDHOC authentication credential can be verified out-of-band at a later stage.</li> | <li>The EDHOC authentication credential can be verified out-of-band at a later stage.</li> | |||
<li>The EDHOC session key can be bound to an identity out-of-band at a later stage.</li> | <li>The EDHOC session key can be bound to an identity out-of-band at a later stage.</li> | |||
<li>Trust on first use (TOFU) can be used to verify that several EDHOC connections are made to the same identity. TOFU combined with proximity is a co mmon IoT deployment model which provides good security if done correctly. Note t hat secure proximity based on short range wireless technology requires very low signal strength or very low latency.</li> | <li>Trust on first use (TOFU) can be used to verify that several EDHOC connections are made to the same identity. TOFU combined with proximity is a co mmon IoT deployment model that provides good security if done correctly. Note th at secure proximity based on short range wireless technology requires very low s ignal strength or very low latency.</li> | |||
</ul> | </ul> | |||
</section> | </section> | |||
</section> | </section> | |||
<section anchor="ead-appendix"> | <section anchor="ead-appendix"> | |||
<name>Use of External Authorization Data</name> | <name>Use of External Authorization Data</name> | |||
<t>In order to reduce the number of messages and round trips, or to simpli fy processing, external security applications may be integrated into EDHOC by tr ansporting related external authorization data (EAD) in the messages.</t> | <t>In order to reduce the number of messages and round trips, or to simpli fy processing, external security applications may be integrated into EDHOC by tr ansporting related external authorization data (EAD) in the messages.</t> | |||
<t>The EAD format is specified in <xref target="AD"/>, this section contai ns examples and further details of how EAD may be used with an appropriate accom panying specification.</t> | <t>The EAD format is specified in <xref target="AD"/>. This section contai ns examples and further details of how EAD may be used with an appropriate accom panying specification.</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>One example is third party assisted authorization, requested with EA | <li>One example is third-party-assisted authorization, requested with EA | |||
D_1, and an authorization artifact (“voucher”, cf. <xref target="RFC8366"/>) ret | D_1, and an authorization artifact ("voucher", cf. <xref target="RFC8366"/>) ret | |||
urned in EAD_2, see <xref target="I-D.selander-lake-authz"/>.</li> | urned in EAD_2; see <xref target="I-D.ietf-lake-authz"/>.</li> | |||
<li>Another example is remote attestation, requested in EAD_2, and an En | <li>Another example is remote attestation, requested in EAD_2, and an En | |||
tity Attestation Token (EAT, <xref target="I-D.ietf-rats-eat"/>) returned in EAD | tity Attestation Token (EAT) <xref target="I-D.ietf-rats-eat"/> returned in EAD_ | |||
_3.</li> | 3.</li> | |||
<li>A third example is certificate enrolment, where a Certificate Signin | <li>A third example is certificate enrollment, where a Certificate Signi | |||
g Request (CSR, <xref target="RFC2986"/>) is included EAD_3, and the issued publ | ng Request (CSR) <xref target="RFC2986"/> is included in EAD_3, and the issued p | |||
ic key certificate (X.509 <xref target="RFC5280"/>, C509 <xref target="I-D.ietf- | ublic key certificate (X.509 <xref target="RFC5280"/> and C509 <xref target="I-D | |||
cose-cbor-encoded-cert"/>) or a reference thereof is returned in EAD_4.</li> | .ietf-cose-cbor-encoded-cert"/>) or a reference thereof is returned in EAD_4.</l | |||
i> | ||||
</ul> | </ul> | |||
<t>External authorization data should be considered unprotected by EDHOC, | <t>External authorization data should be considered unprotected by EDHOC, | |||
and the protection of EAD is the responsibility of the security application (thi | and the protection of EAD is the responsibility of the security application (thi | |||
rd party authorization, remote attestation, certificate enrolment, etc.). The se | rd-party authorization, remote attestation, certificate enrollment, etc.). The s | |||
curity properties of the EAD fields (after EDHOC processing) are discussed in <x | ecurity properties of the EAD fields (after EDHOC processing) are discussed in < | |||
ref target="sec-prop"/>.</t> | xref target="sec-prop"/>.</t> | |||
<t>The content of the EAD field may be used in the EDHOC processing of the | <t>The content of the EAD field may be used in the EDHOC processing of the | |||
message in which they are contained. For example, authentication related inform | message in which they are contained. For example, authentication-related inform | |||
ation like assertions and revocation information, transported in EAD fields may | ation, like assertions and revocation information, transported in EAD fields may | |||
provide input about trust anchors or validity of credentials relevant to the aut | provide input about trust anchors or validity of credentials relevant to the au | |||
hentication processing. The EAD fields (like ID_CRED fields) are therefore made | thentication processing. The EAD fields (like ID_CRED fields) are therefore made | |||
available to the application before the message is verified, see details of mess | available to the application before the message is verified; see details of mes | |||
age processing in <xref target="asym"/>. In the first example above, a voucher i | sage processing in <xref target="asym"/>. In the first example above, a voucher | |||
n EAD_2 made available to the application can enable the Initiator to verify the | in EAD_2 made available to the application can enable the Initiator to verify th | |||
identity or public key of the Responder before verifying the signature. An appl | e identity or the public key of the Responder before verifying the signature. An | |||
ication allowing EAD fields containing authentication information thus may need | application allowing EAD fields containing authentication information thus may | |||
to handle authentication related verifications associated with EAD processing.</ | need to handle authentication-related verifications associated with EAD processi | |||
t> | ng.</t> | |||
<t>Conversely, the security application may need to wait for EDHOC message verification to complete. In the third example above, the validation of a CSR c arried in EAD_3 is not started by the Responder before EDHOC has successfully ve rified message_3 and proven the possession of the private key of the Initiator.< /t> | <t>Conversely, the security application may need to wait for EDHOC message verification to complete. In the third example above, the validation of a CSR c arried in EAD_3 is not started by the Responder before EDHOC has successfully ve rified message_3 and proven the possession of the private key of the Initiator.< /t> | |||
<t>The security application may reuse EDHOC protocol fields which therefor | <t>The security application may reuse EDHOC protocol fields that therefore | |||
e need to be available to the application. For example, the security application | need to be available to the application. For example, the security application | |||
may use the same crypto algorithms as in the EDHOC session and therefore needs | may use the same crypto algorithms as in the EDHOC session and therefore needs a | |||
access to the selected cipher suite (or the whole SUITES_I). The application may | ccess to the selected cipher suite (or the whole SUITES_I). The application may | |||
use the ephemeral public keys G_X and G_Y, as ephemeral keys or as nonces, see | use the ephemeral public keys G_X and G_Y as ephemeral keys or as nonces; see <x | |||
<xref target="I-D.selander-lake-authz"/>.</t> | ref target="I-D.ietf-lake-authz"/>.</t> | |||
<t>The processing of the EAD item (ead_label, ? ead_value) by the security | <t>The processing of the EAD item (ead_label, ? ead_value) by the security | |||
application needs to be described in the specification where the ead_label is r | application needs to be described in the specification where the ead_label is r | |||
egistered, see <xref target="iana-ead"/>, including the optional ead_value for e | egistered (see <xref target="iana-ead"/>), including the optional ead_value for | |||
ach message and actions in case of errors. An application may support multiple s | each message and actions in case of errors. An application may support multiple | |||
ecurity applications that make use of EAD, which may result in multiple EAD item | security applications that make use of EAD, which may result in multiple EAD ite | |||
s in one EAD field, see <xref target="AD"/>. Any dependencies on security applic | ms in one EAD field; see <xref target="AD"/>. Any dependencies on security appli | |||
ations with previously registered EAD items needs to be documented, and the proc | cations with previously registered EAD items need to be documented, and the proc | |||
essing needs to consider their simultaneous use.</t> | essing needs to consider their simultaneous use.</t> | |||
<t>Since data carried in EAD may not be protected, or be processed by the | <t>Since data carried in EAD may not be protected, or processed by the app | |||
application before the EDHOC message is verified, special considerations need to | lication before the EDHOC message is verified, special considerations need to be | |||
be made such that it does not violate security and privacy requirements of the | made such that it does not violate security and privacy requirements of the ser | |||
service which uses this data, see <xref target="unprot-data"/>. The content in a | vice that uses this data; see <xref target="unprot-data"/>. The content in an EA | |||
n EAD item may impact the security properties provided by EDHOC. Security applic | D item may impact the security properties provided by EDHOC. Security applicatio | |||
ations making use of the EAD items must perform the necessary security analysis. | ns making use of the EAD items must perform the necessary security analysis.</t> | |||
</t> | ||||
</section> | </section> | |||
<section anchor="appl-temp"> | <section anchor="appl-temp"> | |||
<name>Application Profile Example</name> | <name>Application Profile Example</name> | |||
<t>This appendix contains a rudimentary example of an application profile, | <t>This appendix contains a rudimentary example of an application profile; | |||
see <xref target="applicability"/>.</t> | see <xref target="applicability"/>.</t> | |||
<t>For use of EDHOC with application X the following assumptions are made: | <t>For use of EDHOC with application X, the following assumptions are made | |||
</t> | :</t> | |||
<ol spacing="normal" type="1"><li>Transfer in CoAP as specified in <xref t arget="coap"/> with requests expected by the CoAP server (= Responder) at /app1- edh, no Content-Format needed.</li> | <ol spacing="normal" type="1"><li>Transfer in CoAP as specified in <xref t arget="coap"/> with requests expected by the CoAP server (= Responder) at /app1- edh, no Content-Format needed.</li> | |||
<li>METHOD = 1 (I uses signature key, R uses static DH key.)</li> | <li>METHOD = 1 (I uses signature key; R uses static DH key.)</li> | |||
<li> | <li> | |||
<t>CRED_I is an IEEE 802.1AR IDevID encoded as a C509 certificate of t ype 0 <xref target="I-D.ietf-cose-cbor-encoded-cert"/>. | <t>CRED_I is encoded with IEEE 802.1AR IDevID as a C509 certificate of type 0 <xref target="I-D.ietf-cose-cbor-encoded-cert"/>. | |||
</t> | </t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>R acquires CRED_I out-of-band, indicated in EAD_1.</li> | <li>R acquires CRED_I out-of-band, indicated in EAD_1.</li> | |||
<li>ID_CRED_I = {4: h''} is a 'kid' with value the empty CBOR byte s tring.</li> | <li>ID_CRED_I = {4: h''} is a 'kid' with the value of the empty CBOR byte string.</li> | |||
</ul> | </ul> | |||
</li> | </li> | |||
<li> | <li> | |||
<t>CRED_R is a CCS of type OKP as specified in <xref target="auth-cred "/>. | <t>CRED_R is a CCS of type OKP as specified in <xref target="auth-cred "/>. | |||
</t> | </t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>The CBOR map has parameters 1 (kty), -1 (crv), and -2 (x-coordin ate).</li> | <li>The CBOR map has parameters 1 (kty), -1 (crv), and -2 (x-coordin ate).</li> | |||
<li>ID_CRED_R is {TBD2 : CCS}. Editor's note: TBD2 is the COSE hea der parameter value of 'kccs', see <xref target="cwt-header-param"/></li> | <li>ID_CRED_R is {14 : CCS}.</li> | |||
</ul> | </ul> | |||
</li> | </li> | |||
<li>External authorization data is defined and processed as specified in | <li>External authorization data is defined and processed as specified in | |||
<xref target="I-D.selander-lake-authz"/>.</li> | <xref target="I-D.ietf-lake-authz"/>.</li> | |||
<li>EUI-64 is used as the identity of the endpoint (see example in <xref | <li>EUI-64 is used as the identity of the endpoint (see an example in <x | |||
target="auth-cred"/>).</li> | ref target="auth-cred"/>).</li> | |||
<li>No use of message_4: the application sends protected messages from R | <li>No use of message_4. The application sends protected messages from R | |||
to I.</li> | to I.</li> | |||
</ol> | </ol> | |||
</section> | </section> | |||
<section anchor="large-plaintext_2"> | <section anchor="large-plaintext_2"> | |||
<name>Long PLAINTEXT_2</name> | <name>Long PLAINTEXT_2</name> | |||
<t>By the definition of encryption of PLAINTEXT_2 with KEYSTREAM_2, it is limited to lengths of PLAINTEXT_2 not exceeding the output of EDHOC_KDF, see <xr ef target="expand"/>. If the EDHOC hash algorithm is SHA-2 then HKDF-Expand is u sed, which limits the length of the EDHOC_KDF output to 255 <contact fullname="⋅ "/> hash_length, where hash_length is the length of the output of the EDHOC hash algorithm given by the cipher suite. For example, with SHA-256 as EDHOC hash al gorithm, the length of the hash output is 32 bytes and the maximum length of PLA INTEXT_2 is 255 <contact fullname="⋅"/> 32 = 8160 bytes.</t> | <t>By the definition of encryption of PLAINTEXT_2 with KEYSTREAM_2, it is limited to lengths of PLAINTEXT_2 not exceeding the output of EDHOC_KDF; see <xr ef target="expand"/>. If the EDHOC hash algorithm is SHA-2, then HKDF-Expand is used, which limits the length of the EDHOC_KDF output to 255 ⋅ hash_length, wher e hash_length is the length of the output of the EDHOC hash algorithm given by t he cipher suite. For example, with SHA-256 as an EDHOC hash algorithm, the lengt h of the hash output is 32 bytes and the maximum length of PLAINTEXT_2 is 255 ⋅ 32 = 8160 bytes.</t> | |||
<t>While PLAINTEXT_2 is expected to be much shorter than 8 kB for the inte nded use cases, it seems nevertheless prudent to specify a solution for the even t that this should turn out to be a limitation.</t> | <t>While PLAINTEXT_2 is expected to be much shorter than 8 kB for the inte nded use cases, it seems nevertheless prudent to specify a solution for the even t that this should turn out to be a limitation.</t> | |||
<t>A potential work-around is to use a cipher suite with a different hash function. In particular, the use of KMAC removes all practical limitations in th is respect.</t> | <t>A potential work-around is to use a cipher suite with a different hash function. In particular, the use of KMAC removes all practical limitations in th is respect.</t> | |||
<t>This section specifies a solution which works with any hash function, b | <t>This section specifies a solution that works with any hash function by | |||
y making use of multiple invocations of HKDF-Expand and negative values of info_ | making use of multiple invocations of HKDF-Expand and negative values of info_la | |||
label.</t> | bel.</t> | |||
<t>Consider the PLAINTEXT_2 partitioned in parts P(i) of length equal to M | <t>Consider the PLAINTEXT_2 partitioned in parts P(i) of length equal to M | |||
= 255 <contact fullname="⋅"/> hash_length, except possibly the last part P(last | = 255 ⋅ hash_length, except possibly the last part P(last), which has 0 < le | |||
) which has 0 < length <contact fullname="≤"/> M.</t> | ngth ≤ M.</t> | |||
<artwork><![CDATA[ | <artwork><![CDATA[ | |||
PLAINTEXT_2 = P(0) | P(1) | ... | P(last) | PLAINTEXT_2 = P(0) | P(1) | ... | P(last) | |||
]]></artwork> | ]]></artwork> | |||
<t>where | indicates concatenation.</t> | <t>where "|" indicates concatenation.</t> | |||
<t>The object is to define a matching KEYSTREAM_2 of the same length and p erform the encryption in the same way as defined in <xref target="asym-msg2-proc "/>:</t> | <t>The object is to define a matching KEYSTREAM_2 of the same length and p erform the encryption in the same way as defined in <xref target="asym-msg2-proc "/>:</t> | |||
<artwork><![CDATA[ | <artwork><![CDATA[ | |||
CIPHERTEXT_2 = PLAINTEXT_2 XOR KEYSTREAM_2 | CIPHERTEXT_2 = PLAINTEXT_2 XOR KEYSTREAM_2 | |||
]]></artwork> | ]]></artwork> | |||
<t>Define the keystream as:</t> | <t>Define the keystream as:</t> | |||
<artwork><![CDATA[ | <artwork><![CDATA[ | |||
KEYSTREAM_2 = OKM(0) | OKM(1) | ... | OKM(last) | KEYSTREAM_2 = OKM(0) | OKM(1) | ... | OKM(last) | |||
]]></artwork> | ]]></artwork> | |||
<t>where</t> | <t>where:</t> | |||
<artwork><![CDATA[ | <artwork><![CDATA[ | |||
OKM(i) = EDHOC_KDF( PRK_2e, -i, TH_2, length(P(i)) ) | OKM(i) = EDHOC_KDF( PRK_2e, -i, TH_2, length(P(i)) ) | |||
]]></artwork> | ]]></artwork> | |||
<t>Note that if length(PLAINTEXT_2) <contact fullname="≤"/> M then P(0) = | <t>Note that if length(PLAINTEXT_2) ≤ M, then P(0) = PLAINTEXT_2 and the d | |||
PLAINTEXT_2 and the definition of KEYSTREAM_2 = OKM(0) coincides with <xref targ | efinition of KEYSTREAM_2 = OKM(0) coincides with <xref target="fig-edhoc-kdf"/>. | |||
et="fig-edhoc-kdf"/>.</t> | </t> | |||
<t>This describes the processing of the Responder when sending message_2. | <t>This describes the processing of the Responder when sending message_2. | |||
The Initiator makes the same calculations when receiving message_2, but intercha | The Initiator makes the same calculations when receiving message_2 but interchan | |||
nging PLAINTEXT_2 and CIPHERTEXT_2.</t> | ging PLAINTEXT_2 and CIPHERTEXT_2.</t> | |||
<t>An application profile may specify if it supports or not the method des | <t>An application profile may specify if it supports or does not support t | |||
cribed in this appendix.</t> | he method described in this appendix.</t> | |||
</section> | </section> | |||
<section anchor="keyupdate"> | <section anchor="keyupdate"> | |||
<name>EDHOC_KeyUpdate</name> | <name>EDHOC_KeyUpdate</name> | |||
<t>To provide forward secrecy in an even more efficient way than re-runnin g EDHOC, this section specifies the optional function EDHOC_KeyUpdate in terms o f EDHOC_KDF and PRK_out.</t> | <t>To provide forward secrecy in an even more efficient way than re-runnin g EDHOC, this section specifies the optional function EDHOC_KeyUpdate in terms o f EDHOC_KDF and PRK_out.</t> | |||
<t>When EDHOC_KeyUpdate is called, a new PRK_out is calculated as a "hash" of the old PRK_out using the EDHOC_Expand function as illustrated by the follow ing pseudocode. The change of PRK_out causes a change to PRK_exporter which enab les the derivation of new application keys superseding the old ones, using EDHOC _Exporter, see <xref target="exporter"/>.</t> | <t>When EDHOC_KeyUpdate is called, a new PRK_out is calculated as the outp ut of the EDHOC_Expand function with the old PRK_out as input. The change of PRK _out causes a change to PRK_exporter, which enables the derivation of new applic ation keys superseding the old ones, using EDHOC_Exporter; see <xref target="exp orter"/>. The process is illustrated by the following pseudocode.</t> | |||
<artwork><![CDATA[ | <artwork><![CDATA[ | |||
EDHOC_KeyUpdate( context ): | EDHOC_KeyUpdate( context ): | |||
new PRK_out = EDHOC_KDF( old PRK_out, 11, context, hash_length ) | new PRK_out = EDHOC_KDF( old PRK_out, 11, context, hash_length ) | |||
new PRK_exporter = EDHOC_KDF( new PRK_out, 10, h'', hash_length ) | new PRK_exporter = EDHOC_KDF( new PRK_out, 10, h'', hash_length ) | |||
]]></artwork> | ]]></artwork> | |||
<t>where hash_length denotes the output size in bytes of the EDHOC hash al | <t>where hash_length denotes the output size in bytes of the EDHOC hash al | |||
gorithm of the selected cipher suite.</t> | gorithm of the selected cipher suite.</t> | |||
<t>The EDHOC_KeyUpdate takes a context as input to enable binding of the u | <t> The EDHOC_KeyUpdate takes the context as input to enable binding of | |||
pdated PRK_out to some event that triggered the key update. The Initiator and th | the updated PRK_out to some event that triggered the key update. The | |||
e Responder need to agree on the context, which can, e.g., be a counter, a pseud | Initiator and Responder need to agree on the context, which can, | |||
orandom number, or a hash. To provide forward secrecy the old PRK_out and keys d | e.g., be a counter, a pseudorandom number, or a hash. To provide | |||
erived from it (old PRK_exporter and old application keys) must be deleted as so | forward secrecy, the old PRK_out and keys derived from it (old | |||
on as they are not needed. When to delete the old keys and how to verify that th | PRK_exporter and old application keys) must be deleted as soon as | |||
ey are not needed is up to the application.</t> | they are not needed. When to delete the old keys and how to verify | |||
that they are not needed is up to the application. Note that the | ||||
security properties depend on the type of context and the number | ||||
of KeyUpdate iterations.</t> | ||||
<t>An application using EDHOC_KeyUpdate needs to store PRK_out. Compromise of PRK_out leads to compromise of all keying material derived with the EDHOC_Ex porter since the last invocation of the EDHOC_KeyUpdate function.</t> | <t>An application using EDHOC_KeyUpdate needs to store PRK_out. Compromise of PRK_out leads to compromise of all keying material derived with the EDHOC_Ex porter since the last invocation of the EDHOC_KeyUpdate function.</t> | |||
<t>While this key update method provides forward secrecy it does not give | <t>While this key update method provides forward secrecy, it does not give | |||
as strong security properties as re-running EDHOC. EDHOC_KeyUpdate can be used t | as strong security properties as re-running EDHOC. EDHOC_KeyUpdate can be used | |||
o meet cryptographic limits and provide partial protection against key leakage, | to meet cryptographic limits and provide partial protection against key leakage, | |||
but it provides significantly weaker security properties than re-running EDHOC w | but it provides significantly weaker security properties than re-running EDHOC | |||
ith ephemeral Diffie-Hellman. Even with frequent use of EDHOC_KeyUpdate, comprom | with ephemeral Diffie-Hellman. Even with frequent use of EDHOC_KeyUpdate, compro | |||
ise of one session key compromises all future session keys, and an attacker ther | mise of one session key compromises all future session keys, and an attacker the | |||
efore only needs to perform static key exfiltration <xref target="RFC7624"/>, wh | refore only needs to perform static key exfiltration <xref target="RFC7624"/>, w | |||
ich is less complicated and has a lower risk profile than the dynamic case, see | hich is less complicated and has a lower risk profile than the dynamic case; see | |||
<xref target="sec-prop"/>.</t> | <xref target="sec-prop"/>.</t> | |||
<t>A similar method to do key update for OSCORE is KUDOS, see <xref target | <t>A similar method to do a key update for OSCORE is KUDOS; see <xref targ | |||
="I-D.ietf-core-oscore-key-update"/>.</t> | et="I-D.ietf-core-oscore-key-update"/>.</t> | |||
</section> | </section> | |||
<section anchor="example-protocol-state-machine"> | <section anchor="example-protocol-state-machine"> | |||
<name>Example Protocol State Machine</name> | <name>Example Protocol State Machine</name> | |||
<t>This appendix describes an example protocol state machine for the Initi | <t>This appendix describes an example protocol state machine for the Initi | |||
ator and for the Responder. States are denoted in all capitals and parentheses d | ator and Responder. States are denoted in all capitals, and parentheses denote a | |||
enote actions taken only in some circumstances.</t> | ctions taken only in some circumstances.</t> | |||
<t>Note that this state machine is just an example, and that details of pr | <t>Note that this state machine is just an example, and that details of pr | |||
ocessing are omitted, for example:</t> | ocessing are omitted. For example:</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>When error messages are being sent (with one exception)</li> | <li>when error messages are being sent (with one exception);</li> | |||
<li>How credentials and EAD are processed by EDHOC and the application i | <li>how credentials and EAD are processed by EDHOC and the application i | |||
n the RCVD state</li> | n the RCVD state; and</li> | |||
<li>What verifications are made, which includes not only MACs and signat | <li>what verifications are made, which includes not only MACs and signat | |||
ures</li> | ures.</li> | |||
</ul> | </ul> | |||
<section anchor="initiator-state-machine"> | <section anchor="initiator-state-machine"> | |||
<name>Initiator State Machine</name> | <name>Initiator State Machine</name> | |||
<t>The Initiator sends message_1, triggering the state machine to transi tion from START to WAIT_M2, and waits for message_2.</t> | <t>The Initiator sends message_1, triggering the state machine to transi tion from START to WAIT_M2, and waits for message_2.</t> | |||
<t>If the incoming message is an error message then the Initiator transi tions from WAIT_M2 to ABORTED. In case of error code 2 (Wrong Selected Cipher Su ite), the Initiator remembers the supported cipher suites for this particular Re sponder and transitions from ABORTED to START. The message_1 that the Initiator subsequently sends takes into account the cipher suites supported by the Respond er.</t> | <t>If the incoming message is an error message, then the Initiator trans itions from WAIT_M2 to ABORTED. In case of error code 2 (Wrong Selected Cipher S uite), the Initiator remembers the supported cipher suites for this particular R esponder and transitions from ABORTED to START. The message_1 that the Initiator subsequently sends takes into account the cipher suites supported by the Respon der.</t> | |||
<t>Upon receiving a non-error message, the Initiator transitions from WA IT_M2 to RCVD_M2 and processes the message. If a processing error occurs on mess age_2, then the Initiator transitions from RCVD_M2 to ABORTED. In case of succes sful processing of message_2, the Initiator transitions from RCVD_M2 to VRFD_M2. </t> | <t>Upon receiving a non-error message, the Initiator transitions from WA IT_M2 to RCVD_M2 and processes the message. If a processing error occurs on mess age_2, then the Initiator transitions from RCVD_M2 to ABORTED. In case of succes sful processing of message_2, the Initiator transitions from RCVD_M2 to VRFD_M2. </t> | |||
<t>The Initiator prepares and processes message_3 for sending. If any pr ocessing error is encountered, the Initiator transitions from VRFD_M2 to ABORTED . If message_3 is successfully sent, the Initiator transitions from VRFD_M2 to C OMPLETED.</t> | <t>The Initiator prepares and processes message_3 for sending. If any pr ocessing error is encountered, the Initiator transitions from VRFD_M2 to ABORTED . If message_3 is successfully sent, the Initiator transitions from VRFD_M2 to C OMPLETED.</t> | |||
<t>If the application profile includes message_4, then the Initiator wai ts for message_4. If the incoming message is an error message then the Initiator transitions from COMPLETED to ABORTED. Upon receiving a non-error message, the Initiator transitions from COMPLETED (="WAIT_M4") to RCVD_M4 and processes the m essage. If a processing error occurs on message_4, then the Initiator transition s from RCVD_M4 to ABORTED. In case of successful processing of message_4, the In itiator transitions from RCVD_M4 to PERSISTED (="VRFD_M4").</t> | <t>If the application profile includes message_4, then the Initiator wai ts for message_4. If the incoming message is an error message, then the Initiato r transitions from COMPLETED to ABORTED. Upon receiving a non-error message, the Initiator transitions from COMPLETED (="WAIT_M4") to RCVD_M4 and processes the message. If a processing error occurs on message_4, then the Initiator transitio ns from RCVD_M4 to ABORTED. In case of successful processing of message_4, the I nitiator transitions from RCVD_M4 to PERSISTED (="VRFD_M4").</t> | |||
<t>If the application profile does not include message_4, then the Initi ator waits for an incoming application message. If the decryption and verificati on of the application message is successful, then the Initiator transitions from COMPLETED to PERSISTED.</t> | <t>If the application profile does not include message_4, then the Initi ator waits for an incoming application message. If the decryption and verificati on of the application message is successful, then the Initiator transitions from COMPLETED to PERSISTED.</t> | |||
<figure> | ||||
<name>Initiator State Machine</name> | ||||
<artset> | <artset> | |||
<artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/ svg" version="1.1" height="528" width="536" viewBox="0 0 536 528" class="diagram " text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap=" round"> | <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/ svg" version="1.1" height="" width="" viewBox="0 0 536 528" class="diagram" text -anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round" > | |||
<path d="M 40,32 L 40,48" fill="none" stroke="black"/> | <path d="M 40,32 L 40,48" fill="none" stroke="black"/> | |||
<path d="M 40,128 L 40,432" fill="none" stroke="black"/> | <path d="M 40,128 L 40,432" fill="none" stroke="black"/> | |||
<path d="M 232,48 L 232,96" fill="none" stroke="black"/> | <path d="M 232,48 L 232,96" fill="none" stroke="black"/> | |||
<path d="M 232,128 L 232,176" fill="none" stroke="black"/> | <path d="M 232,128 L 232,176" fill="none" stroke="black"/> | |||
<path d="M 232,208 L 232,256" fill="none" stroke="black"/> | <path d="M 232,208 L 232,256" fill="none" stroke="black"/> | |||
<path d="M 232,288 L 232,336" fill="none" stroke="black"/> | <path d="M 232,288 L 232,336" fill="none" stroke="black"/> | |||
<path d="M 232,368 L 232,416" fill="none" stroke="black"/> | <path d="M 232,368 L 232,416" fill="none" stroke="black"/> | |||
<path d="M 232,448 L 232,496" fill="none" stroke="black"/> | <path d="M 232,448 L 232,496" fill="none" stroke="black"/> | |||
<path d="M 424,352 L 424,512" fill="none" stroke="black"/> | <path d="M 424,352 L 424,512" fill="none" stroke="black"/> | |||
<path d="M 72,112 L 200,112" fill="none" stroke="black"/> | <path d="M 72,112 L 200,112" fill="none" stroke="black"/> | |||
skipping to change at line 3962 ¶ | skipping to change at line 3117 ¶ | |||
| | (Receive message_4) | | | | (Receive message_4) | | |||
| | | | | | | | |||
| (Processing error) v | (Verify | | (Processing error) v | (Verify | |||
+------------------- (RCVD_M4) | application | +------------------- (RCVD_M4) | application | |||
| | message) | | | message) | |||
| (Verify message_4) | | | (Verify message_4) | | |||
| | | | | | |||
v | | v | | |||
PERSISTED <---------------+ | PERSISTED <---------------+ | |||
]]></artwork> | ]]></artwork> | |||
</artset> | </artset> | |||
</figure> | ||||
</section> | </section> | |||
<section anchor="responder-state-machine"> | <section anchor="responder-state-machine"> | |||
<name>Responder State Machine</name> | <name>Responder State Machine</name> | |||
<t>Upon receiving message_1, the Responder transitions from START to RCV D_M1.</t> | <t>Upon receiving message_1, the Responder transitions from START to RCV D_M1.</t> | |||
<t>If a processing error occurs on message_1, the Responder transitions | <t>If a processing error occurs on message_1, the Responder transitions | |||
from RCVD_M1 to ABORTED. This includes sending error message with error code 2 ( | from RCVD_M1 to ABORTED. This includes sending an error message with error code | |||
Wrong Selected Cipher Suite) if the selected cipher suite in message_1 is not su | 2 (Wrong Selected Cipher Suite) if the selected cipher suite in message_1 is not | |||
pported. In case of successful processing of message_1, the Responder transition | supported. In case of successful processing of message_1, the Responder transit | |||
s from RCVD_M1 to VRFD_M1.</t> | ions from RCVD_M1 to VRFD_M1.</t> | |||
<t>The Responder prepares and processes message_2 for sending. If any pr | <t>The Responder prepares and processes message_2 for sending. If any pr | |||
ocessing error is encountered, the Responder transitions from VRFD_M1 to ABORTED | ocessing error is encountered, the Responder transitions from VRFD_M1 to ABORTED | |||
. If message_2 is successfully sent, the Initiator transitions from VRFD_M2 to W | . If message_2 is successfully sent, the Initiator transitions from VRFD_M2 to W | |||
AIT_M3, and waits for message_3.</t> | AIT_M3 and waits for message_3.</t> | |||
<t>If the incoming message is an error message then the Responder transi | <t>If the incoming message is an error message, then the Responder trans | |||
tions from WAIT_M3 to ABORTED.</t> | itions from WAIT_M3 to ABORTED.</t> | |||
<t>Upon receiving message_3, the Responder transitions from WAIT_M3 to R CVD_M3. If a processing error occurs on message_3, the Responder transitions fro m RCVD_M3 to ABORTED. In case of successful processing of message_3, the Respond er transitions from RCVD_M3 to COMPLETED (="VRFD_M3").</t> | <t>Upon receiving message_3, the Responder transitions from WAIT_M3 to R CVD_M3. If a processing error occurs on message_3, the Responder transitions fro m RCVD_M3 to ABORTED. In case of successful processing of message_3, the Respond er transitions from RCVD_M3 to COMPLETED (="VRFD_M3").</t> | |||
<t>If the application profile includes message_4, the Responder prepares and processes message_4 for sending. If any processing error is encountered, th e Responder transitions from COMPLETED to ABORTED.</t> | <t>If the application profile includes message_4, the Responder prepares and processes message_4 for sending. If any processing error is encountered, th e Responder transitions from COMPLETED to ABORTED.</t> | |||
<t>If message_4 is successfully sent, or if the application profile does not include message_4, the Responder transitions from COMPLETED to PERSISTED.</ t> | <t>If message_4 is successfully sent, or if the application profile does not include message_4, the Responder transitions from COMPLETED to PERSISTED.</ t> | |||
<figure> | ||||
<name>Responder State Machine</name> | ||||
<artset> | <artset> | |||
<artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/ svg" version="1.1" height="528" width="384" viewBox="0 0 384 528" class="diagram " text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap=" round"> | <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/ svg" version="1.1" height="" width="" viewBox="0 0 384 528" class="diagram" text -anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round" > | |||
<path d="M 40,128 L 40,432" fill="none" stroke="black"/> | <path d="M 40,128 L 40,432" fill="none" stroke="black"/> | |||
<path d="M 232,48 L 232,96" fill="none" stroke="black"/> | <path d="M 232,48 L 232,96" fill="none" stroke="black"/> | |||
<path d="M 232,128 L 232,176" fill="none" stroke="black"/> | <path d="M 232,128 L 232,176" fill="none" stroke="black"/> | |||
<path d="M 232,208 L 232,256" fill="none" stroke="black"/> | <path d="M 232,208 L 232,256" fill="none" stroke="black"/> | |||
<path d="M 232,288 L 232,336" fill="none" stroke="black"/> | <path d="M 232,288 L 232,336" fill="none" stroke="black"/> | |||
<path d="M 232,368 L 232,416" fill="none" stroke="black"/> | <path d="M 232,368 L 232,416" fill="none" stroke="black"/> | |||
<path d="M 232,448 L 232,496" fill="none" stroke="black"/> | <path d="M 232,448 L 232,496" fill="none" stroke="black"/> | |||
<path d="M 72,112 L 200,112" fill="none" stroke="black"/> | <path d="M 72,112 L 200,112" fill="none" stroke="black"/> | |||
<path d="M 40,192 L 200,192" fill="none" stroke="black"/> | <path d="M 40,192 L 200,192" fill="none" stroke="black"/> | |||
<path d="M 40,272 L 200,272" fill="none" stroke="black"/> | <path d="M 40,272 L 200,272" fill="none" stroke="black"/> | |||
skipping to change at line 4065 ¶ | skipping to change at line 3223 ¶ | |||
| | Verify message_3 | | | Verify message_3 | |||
| | | | | | |||
| (Processing error) v | | (Processing error) v | |||
+------------------- COMPLETED | +------------------- COMPLETED | |||
| | | | |||
| (Send message_4) | | (Send message_4) | |||
| | | | |||
v | v | |||
PERSISTED | PERSISTED | |||
]]></artwork> | ]]></artwork> | |||
</artset> | </artset> | |||
</figure> | ||||
</section> | </section> | |||
</section> | </section> | |||
<section anchor="change-log"> | ||||
<name>Change Log</name> | ||||
<t>RFC Editor: Please remove this appendix.</t> | ||||
<ul spacing="normal"> | ||||
<li> | ||||
<t>From -21 to -22 </t> | ||||
<ul spacing="normal"> | ||||
<li>Normative text on transport capabilities.</li> | ||||
</ul> | ||||
</li> | ||||
<li> | ||||
<t>From -20 to -21 </t> | ||||
<ul spacing="normal"> | ||||
<li>Recommendation to use chain instead of bag</li> | ||||
<li> | ||||
<t>Improved text about | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>denial-of-service</li> | ||||
<li>deriving secret and non-secret randomness from the same KDF | ||||
instance</li> | ||||
<li>practical security against quantum computers</li> | ||||
</ul> | ||||
</li> | ||||
<li> | ||||
<t>Clarifications, including | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>several updates section 3.4. Transport</li> | ||||
<li>descriptions in COSE IANA registration</li> | ||||
<li>encoding in Figure 5, reading of Figure 17</li> | ||||
</ul> | ||||
</li> | ||||
<li>Removed term "dummy"</li> | ||||
<li>Harmonizing captions</li> | ||||
<li>Updated references</li> | ||||
<li>Acknowledgments</li> | ||||
</ul> | ||||
</li> | ||||
<li> | ||||
<t>From -19 to -20 | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>C_R encrypted in message_2</li> | ||||
<li>C_R removed from TH_2</li> | ||||
<li>Error code for unknown referenced credential</li> | ||||
<li>Error code 0 (success) explicitly reserved</li> | ||||
<li>Message deduplication section moved from appendix to body</li> | ||||
<li> | ||||
<t>Terminology | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>discontinued -> aborted</li> | ||||
<li>protocol run / exchange -> session</li> | ||||
</ul> | ||||
</li> | ||||
<li> | ||||
<t>Clarifications, in particular | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>when to derive application keys</li> | ||||
<li>the role of the application for authentication</li> | ||||
</ul> | ||||
</li> | ||||
<li>Security considerations for kccs and kcwt</li> | ||||
<li>Updated references</li> | ||||
</ul> | ||||
</li> | ||||
<li> | ||||
<t>From -18 to -19 | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li> | ||||
<t>Clarifications: | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>Relation to SIGMA</li> | ||||
<li>Role of Static DH</li> | ||||
<li>Initiator and Responder roles</li> | ||||
<li>Transport properties</li> | ||||
<li>Construction of SUITES_I</li> | ||||
<li>Message correlation, new subsection 3.4.1, replacing former | ||||
appendix H</li> | ||||
<li>Role of description about long PLAINTEXT_2</li> | ||||
<li>ead_label and ead_value</li> | ||||
<li>Message processing (Section 5)</li> | ||||
<li>Padding</li> | ||||
<li>Cipher suite negotiation example</li> | ||||
</ul> | ||||
</li> | ||||
<li> | ||||
<t>Other updates: | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>Improved and stricter normative text in Appendix A</li> | ||||
<li>Naming and separate sections for the two message flows in Ap | ||||
pendix A: Forward/Reverse message flow,</li> | ||||
<li>Table index style captions</li> | ||||
<li>Aligning with COSE terminology: header map -> header_map< | ||||
/li> | ||||
<li>Aligning terminology, use of "_" instead of "-"</li> | ||||
<li>Prefixing "EDHOC_" to functions</li> | ||||
<li>Updated list of security analysis papers</li> | ||||
<li>New appendix with example state machine</li> | ||||
<li>Acknowledgements</li> | ||||
<li>Language improvements by native English speakers</li> | ||||
<li>Updated IANA section with registration procedures</li> | ||||
<li>New and updated references</li> | ||||
<li>Removed appendix H</li> | ||||
</ul> | ||||
</li> | ||||
</ul> | ||||
</li> | ||||
<li> | ||||
<t>From -17 to -18 </t> | ||||
<ul spacing="normal"> | ||||
<li>Padding realised as EAD with ead_label = 0, PAD fields removed</ | ||||
li> | ||||
<li>Revised EAD syntax; ead is now EAD item; ead_value is now option | ||||
al</li> | ||||
<li> | ||||
<t>Clarifications of | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>Identifier representation</li> | ||||
<li>Authentication credentials</li> | ||||
<li>RPK</li> | ||||
<li>Encoding of ID_CRED with kid</li> | ||||
<li>Representation of public keys, y-coordinate of ephemeral key | ||||
s and validation</li> | ||||
<li>Processing after completed protocol</li> | ||||
<li>Making verifications available to the application</li> | ||||
<li>Relation between EDHOC and OSCORE identifiers</li> | ||||
</ul> | ||||
</li> | ||||
<li>Terminology alignment in particular session / protocol; disconti | ||||
nue / terminate</li> | ||||
<li>Updated CDDL</li> | ||||
<li>Additional unicode encodings</li> | ||||
<li>Large number of nits from WGLC</li> | ||||
</ul> | ||||
</li> | ||||
<li> | ||||
<t>From -16 to -17 </t> | ||||
<ul spacing="normal"> | ||||
<li>EDHOC-KeyUpdate moved to appendix</li> | ||||
<li>Updated peer awareness properties based on SIGMA</li> | ||||
<li>Clarify use of random connection identifiers</li> | ||||
<li>Editorials related to appendix about messages with long PLAINTEX | ||||
T_2</li> | ||||
<li>Updated acknowledgments (have we forgotten someone else? please | ||||
send email)</li> | ||||
</ul> | ||||
</li> | ||||
<li> | ||||
<t>From -15 to -16 </t> | ||||
<ul spacing="normal"> | ||||
<li>TH_2 used as salt in the derivation of PRK_2e</li> | ||||
<li>CRED_R/CRED_I included in TH_3/TH_4</li> | ||||
<li>Distinguish label used in info, exporter or elsewhere</li> | ||||
<li> | ||||
<t>New appendix for optional handling arbitrarily large message_2 | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>info_label type changed to int to support this</li> | ||||
</ul> | ||||
</li> | ||||
<li>Updated security considerations</li> | ||||
<li>Implementation note about identifiers which are bstr/int</li> | ||||
<li>Clarifications, especifically about compact representation</li> | ||||
<li>Type bug fix in CDDL section</li> | ||||
</ul> | ||||
</li> | ||||
<li> | ||||
<t>From -14 to -15 | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li> | ||||
<t>Connection identifiers and key identifiers are now byte strings | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li> | ||||
<t>Represented as CBOR bstr in the EDHOC message | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>Unless they happen to encode a one-byte CBOR int</li> | ||||
</ul> | ||||
</li> | ||||
<li>More examples</li> | ||||
</ul> | ||||
</li> | ||||
<li> | ||||
<t>EAD updates and details | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>Definition of EAD item</li> | ||||
<li>Definition of critical / non-critical EAD item</li> | ||||
</ul> | ||||
</li> | ||||
<li>New section in Appendix D: Unauthenticated Operation</li> | ||||
<li> | ||||
<t>Clarifications | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>Lengths used in EDHOC-KDF</li> | ||||
<li> | ||||
<t>Key derivation from PRK_out | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>EDHOC-KeyUpdate and EDHOC-Exporter</li> | ||||
</ul> | ||||
</li> | ||||
<li>Padding</li> | ||||
</ul> | ||||
</li> | ||||
<li> | ||||
<t>Security considerations | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>When a change in a message is detected</li> | ||||
<li>Confidentiality in case of active attacks</li> | ||||
<li>Connection identifiers should be unpredictable</li> | ||||
<li>Maximum length of message_2</li> | ||||
</ul> | ||||
</li> | ||||
<li>Minor bugs</li> | ||||
</ul> | ||||
</li> | ||||
<li> | ||||
<t>From -13 to -14 | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>Merge of section 1.1 and 1.2</li> | ||||
<li>Connection and key identifiers restricted to be byte strings</li | ||||
> | ||||
<li>Representation of byte strings as one-byte CBOR ints (-24..23)</ | ||||
li> | ||||
<li>Simplified mapping between EDHOC and OSCORE identifiers</li> | ||||
<li> | ||||
<t>Rewrite of 3.5 | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>Clarification of authentication related operations performed | ||||
by EDHOC</li> | ||||
<li>Authentication related verifications, including old section | ||||
3.5.1, moved to new appendix D</li> | ||||
</ul> | ||||
</li> | ||||
<li> | ||||
<t>Rewrite of 3.8 | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>Move content about use of EAD to new appendix E</li> | ||||
<li>ead_value changed to bstr</li> | ||||
</ul> | ||||
</li> | ||||
<li> | ||||
<t>EDHOC-KDF updated | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>transcript_hash argument removed</li> | ||||
<li>TH included in context argument</li> | ||||
<li>label argument is now type uint, all labels replaced</li> | ||||
</ul> | ||||
</li> | ||||
<li> | ||||
<t>Key schedule updated | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>New salts derived to avoid reuse of same key with expand and | ||||
extract</li> | ||||
<li>PRK_4x3m renamed PRK_4e3m</li> | ||||
<li>K_4 and IV_4 derived from PRK_4e3m</li> | ||||
<li>New PRK: PRK_out derived from PRK_4e3m and TH_4</li> | ||||
<li>Clarified main output of EDHOC is the shared secret PRK_out< | ||||
/li> | ||||
<li>Exporter defined by EDHOC-KDF and new PRK PRK_exporter deriv | ||||
ed from PRK_out</li> | ||||
<li>Key update defined by Expand instead of Extract</li> | ||||
</ul> | ||||
</li> | ||||
<li>All applications of EDHOC-KDF in one place</li> | ||||
<li> | ||||
<t>Update of processing | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>EAD and ID_CRED passed to application when available</li> | ||||
<li>identity verification and credential retrieval omitted in pr | ||||
otocol description</li> | ||||
<li>Transcript hash defined by plaintext messages instead of cip | ||||
hertext</li> | ||||
<li>Changed order of input to TH_2</li> | ||||
<li>Removed general G_X checking against selfie-attacks</li> | ||||
</ul> | ||||
</li> | ||||
<li>Support for padding of plaintext</li> | ||||
<li>Updated compliance requirements</li> | ||||
<li> | ||||
<t>Updated security considerations | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>Updated and more clear requirements on MAC length</li> | ||||
<li>Clarification of key confirmation</li> | ||||
<li>Forbid use of same key for signature and static DH</li> | ||||
</ul> | ||||
</li> | ||||
<li>Updated appendix on message deduplication</li> | ||||
<li> | ||||
<t>Clarifications of | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>connection identifiers</li> | ||||
<li>cipher suites, including negotiation</li> | ||||
<li>EAD</li> | ||||
<li>Error messages</li> | ||||
</ul> | ||||
</li> | ||||
<li>Updated media types</li> | ||||
<li>Applicability template renamed application profile</li> | ||||
<li>Editorials</li> | ||||
</ul> | ||||
</li> | ||||
<li> | ||||
<t>From -12 to -13 | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>no changes</li> | ||||
</ul> | ||||
</li> | ||||
<li> | ||||
<t>From -12: | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>Shortened labels to derive OSCORE key and salt</li> | ||||
<li>ead_value changed to bstr</li> | ||||
<li>Removed general G_X checking against selfie-attacks</li> | ||||
<li>Updated and more clear requirements on MAC length</li> | ||||
<li>Clarifications from Kathleen, Stephen, Marco, Sean, Stefan,</li> | ||||
<li>Authentication Related Verifications moved to appendix</li> | ||||
<li>Updated MTI section and cipher suite</li> | ||||
<li>Updated security considerations</li> | ||||
</ul> | ||||
</li> | ||||
<li> | ||||
<t>From -11 to -12: | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>Clarified applicability to KEMs</li> | ||||
<li>Clarified use of COSE header parameters</li> | ||||
<li>Updates on MTI</li> | ||||
<li>Updated security considerations</li> | ||||
<li>New section on PQC</li> | ||||
<li>Removed duplicate definition of cipher suites</li> | ||||
<li>Explanations of use of COSE moved to Appendix C.3</li> | ||||
<li>Updated internal references</li> | ||||
</ul> | ||||
</li> | ||||
<li> | ||||
<t>From -10 to -11: | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>Restructured section on authentication parameters</li> | ||||
<li>Changed UCCS to CCS</li> | ||||
<li>Changed names and description of COSE header parameters for CWT/ | ||||
CCS</li> | ||||
<li>Changed several of the KDF and Exporter labels</li> | ||||
<li>Removed edhoc_aead_id from info (already in transcript_hash)</li | ||||
> | ||||
<li>Added MTI section</li> | ||||
<li>EAD: changed CDDL names and added value type to registry</li> | ||||
<li>Updated Figures 1, 2, and 3</li> | ||||
<li>Some correction and clarifications</li> | ||||
<li>Added core.edhoc to CoRE Resource Type registry</li> | ||||
</ul> | ||||
</li> | ||||
<li> | ||||
<t>From -09 to -10: | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>SUITES_I simplified to only contain the selected and more prefer | ||||
red suites</li> | ||||
<li>Info is a CBOR sequence and context is a bstr</li> | ||||
<li>Added kid to UCCS example</li> | ||||
<li>Separate header parameters for CWT and UCCS</li> | ||||
<li>CWT Confirmation Method kid extended to bstr / int</li> | ||||
</ul> | ||||
</li> | ||||
<li> | ||||
<t>From -08 to -09: | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>G_Y and CIPHERTEXT_2 are now included in one CBOR bstr</li> | ||||
<li>MAC_2 and MAC_3 are now generated with EDHOC-KDF</li> | ||||
<li>Info field “context” is now general and explicit in EDHOC-KDF</l | ||||
i> | ||||
<li>Restructured Section 4, Key Derivation</li> | ||||
<li>Added EDHOC MAC length to cipher suite for use with static DH</l | ||||
i> | ||||
<li>More details on the use of CWT and UCCS</li> | ||||
<li>Restructured and clarified Section 3.5, Authentication Parameter | ||||
s</li> | ||||
<li>Replaced 'kid2' with extension of 'kid'</li> | ||||
<li>EAD encoding now supports multiple ead types in one message</li> | ||||
<li>Clarified EAD type</li> | ||||
<li>Updated message sizes</li> | ||||
<li>Replaced “perfect forward secrecy” with “forward secrecy”</li> | ||||
<li>Updated security considerations</li> | ||||
<li>Replaced prepended 'null' with 'true' in the CoAP transport of m | ||||
essage_1</li> | ||||
<li>Updated CDDL definitions</li> | ||||
<li>Expanded on the use of COSE</li> | ||||
</ul> | ||||
</li> | ||||
<li> | ||||
<t>From -07 to -08: | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>Prepended C_x moved from the EDHOC protocol itself to the transp | ||||
ort mapping</li> | ||||
<li>METHOD_CORR renamed to METHOD, corr removed</li> | ||||
<li>Removed bstr_identifier and use bstr / int instead; C_x can now | ||||
be int without any implied bstr semantics</li> | ||||
<li>Defined COSE header parameter 'kid2' with value type bstr / int | ||||
for use with ID_CRED_x</li> | ||||
<li>Updated message sizes</li> | ||||
<li>New cipher suites with AES-GCM and ChaCha20 / Poly1305</li> | ||||
<li>Changed from one- to two-byte identifier of CNSA compliant suite | ||||
</li> | ||||
<li>Separate sections on transport and connection id with further su | ||||
b-structure</li> | ||||
<li>Moved back key derivation for OSCORE from draft-ietf-core-oscore | ||||
-edhoc</li> | ||||
<li>OSCORE and CoAP specific processing moved to new appendix</li> | ||||
<li>Message 4 section moved to message processing section</li> | ||||
</ul> | ||||
</li> | ||||
<li> | ||||
<t>From -06 to -07: | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>Changed transcript hash definition for TH_2 and TH_3</li> | ||||
<li>Removed "EDHOC signature algorithm curve" from cipher suite</li> | ||||
<li>New IANA registry "EDHOC Exporter Label"</li> | ||||
<li>New application defined parameter "context" in EDHOC-Exporter</l | ||||
i> | ||||
<li>Changed normative language for failure from MUST to SHOULD send | ||||
error</li> | ||||
<li>Made error codes non-negative and 0 for success</li> | ||||
<li>Added detail on success error code</li> | ||||
<li>Aligned terminology "protocol instance" -> "session"</li> | ||||
<li>New appendix on compact EC point representation</li> | ||||
<li>Added detail on use of ephemeral public keys</li> | ||||
<li>Moved key derivation for OSCORE to draft-ietf-core-oscore-edhoc< | ||||
/li> | ||||
<li>Additional security considerations</li> | ||||
<li>Renamed "Auxililary Data" as "External Authorization Data"</li> | ||||
<li>Added encrypted EAD_4 to message_4</li> | ||||
</ul> | ||||
</li> | ||||
<li> | ||||
<t>From -05 to -06: | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>New section 5.2 "Message Processing Outline"</li> | ||||
<li>Optional inital byte C_1 = null in message_1</li> | ||||
<li>New format of error messages, table of error codes, IANA registr | ||||
y</li> | ||||
<li>Change of recommendation transport of error in CoAP</li> | ||||
<li>Merge of content in 3.7 and appendix C into new section 3.7 "App | ||||
licability Statement"</li> | ||||
<li>Requiring use of deterministic CBOR</li> | ||||
<li>New section on message deduplication</li> | ||||
<li>New appendix containin all CDDL definitions</li> | ||||
<li>New appendix with change log</li> | ||||
<li>Removed section "Other Documents Referencing EDHOC"</li> | ||||
<li>Clarifications based on review comments</li> | ||||
</ul> | ||||
</li> | ||||
<li> | ||||
<t>From -04 to -05: | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>EDHOC-Rekey-FS -> EDHOC-KeyUpdate</li> | ||||
<li>Clarification of cipher suite negotiation</li> | ||||
<li>Updated security considerations</li> | ||||
<li>Updated test vectors</li> | ||||
<li>Updated applicability statement template</li> | ||||
</ul> | ||||
</li> | ||||
<li> | ||||
<t>From -03 to -04: | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>Restructure of section 1</li> | ||||
<li>Added references to C509 Certificates</li> | ||||
<li>Change in CIPHERTEXT_2 -> plaintext XOR KEYSTREAM_2 (test vec | ||||
tor not updated)</li> | ||||
<li>"K_2e", "IV_2e" -> KEYSTREAM_2</li> | ||||
<li>Specified optional message 4</li> | ||||
<li>EDHOC-Exporter-FS -> EDHOC-Rekey-FS</li> | ||||
<li>Less constrained devices SHOULD implement both suite 0 and 2</li | ||||
> | ||||
<li>Clarification of error message</li> | ||||
<li>Added exporter interface test vector</li> | ||||
</ul> | ||||
</li> | ||||
<li> | ||||
<t>From -02 to -03: | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>Rearrangements of section 3 and beginning of section 4</li> | ||||
<li>Key derivation new section 4</li> | ||||
<li>Cipher suites 4 and 5 added</li> | ||||
<li>EDHOC-EXPORTER-FS - generate a new PRK_4x3m from an old one</li> | ||||
<li>Change in CIPHERTEXT_2 -> COSE_Encrypt0 without tag (no chang | ||||
e to test vector)</li> | ||||
<li>Clarification of error message</li> | ||||
<li>New appendix C applicability statement</li> | ||||
</ul> | ||||
</li> | ||||
<li> | ||||
<t>From -01 to -02: | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>New section 1.2 Use of EDHOC</li> | ||||
<li>Clarification of identities</li> | ||||
<li>New section 4.3 clarifying bstr_identifier</li> | ||||
<li>Updated security considerations</li> | ||||
<li>Updated text on cipher suite negotiation and key confirmation</l | ||||
i> | ||||
<li>Test vector for static DH</li> | ||||
</ul> | ||||
</li> | ||||
<li> | ||||
<t>From -00 to -01: | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>Removed PSK method</li> | ||||
<li>Removed references to certificate by value</li> | ||||
</ul> | ||||
</li> | ||||
</ul> | ||||
</section> | ||||
<section numbered="false" anchor="acknowledgments"> | <section numbered="false" anchor="acknowledgments"> | |||
<name>Acknowledgments</name> | <name>Acknowledgments</name> | |||
<t>The authors want to thank | <t>The authors want to thank | |||
<contact fullname="Christian Amsüss"/>, | <contact fullname="Christian Amsüss"/>, | |||
<contact fullname="Alessandro Bruni"/>, | ||||
<contact fullname="Karthikeyan Bhargavan"/>, | <contact fullname="Karthikeyan Bhargavan"/>, | |||
<contact fullname="Carsten Bormann"/>, | <contact fullname="Carsten Bormann"/>, | |||
<contact fullname="Alessandro Bruni"/>, | ||||
<contact fullname="Timothy Claeys"/>, | <contact fullname="Timothy Claeys"/>, | |||
<contact fullname="Baptiste Cottier"/>, | <contact fullname="Baptiste Cottier"/>, | |||
<contact fullname="Roman Danyliw"/>, | <contact fullname="Roman Danyliw"/>, | |||
<contact fullname="Martin Disch"/>, | <contact fullname="Martin Disch"/>, | |||
<contact fullname="Martin Duke"/>, | <contact fullname="Martin Duke"/>, | |||
<contact fullname="Donald Eastlake"/>, | <contact fullname="Donald Eastlake 3rd"/>, | |||
<contact fullname="Lars Eggert"/>, | <contact fullname="Lars Eggert"/>, | |||
<contact fullname="Stephen Farrell"/>, | <contact fullname="Stephen Farrell"/>, | |||
<contact fullname="Loïc Ferreira"/>, | <contact fullname="Loïc Ferreira"/>, | |||
<contact fullname="Theis Grønbech Petersen"/>, | <contact fullname="Theis Grønbech Petersen"/>, | |||
<contact fullname="Felix Günther"/>, | <contact fullname="Felix Günther"/>, | |||
<contact fullname="Dan Harkins"/>, | <contact fullname="Dan Harkins"/>, | |||
<contact fullname="Klaus Hartke"/>, | <contact fullname="Klaus Hartke"/>, | |||
<contact fullname="Russ Housley"/>, | <contact fullname="Russ Housley"/>, | |||
<contact fullname="Stefan Hristozov"/>, | <contact fullname="Stefan Hristozov"/>, | |||
<contact fullname="Marc Ilunga"/>, | <contact fullname="Marc Ilunga"/>, | |||
skipping to change at line 4630 ¶ | skipping to change at line 3287 ¶ | |||
<contact fullname="Rene Struik"/>, | <contact fullname="Rene Struik"/>, | |||
<contact fullname="Vaishnavi Sundararajan"/>, | <contact fullname="Vaishnavi Sundararajan"/>, | |||
<contact fullname="Erik Thormarker"/>, | <contact fullname="Erik Thormarker"/>, | |||
<contact fullname="Marco Tiloca"/>, | <contact fullname="Marco Tiloca"/>, | |||
<contact fullname="Sean Turner"/>, | <contact fullname="Sean Turner"/>, | |||
<contact fullname="Michel Veillette"/>, | <contact fullname="Michel Veillette"/>, | |||
<contact fullname="Mališa Vučinić"/>, | <contact fullname="Mališa Vučinić"/>, | |||
<contact fullname="Paul Wouters"/>, | <contact fullname="Paul Wouters"/>, | |||
and | and | |||
<contact fullname="Lei Yan"/> | <contact fullname="Lei Yan"/> | |||
for reviewing and commenting on intermediate versions of the draft. We are espec ially indebted to the late <contact fullname="Jim Schaad"/> for his continuous r eviewing and implementation of early versions of this and other drafts.</t> | for reviewing and commenting on intermediate draft versions of this document. We are especially indebted to the late <contact fullname="Jim Schaad"/> for his co ntinuous reviewing and implementation of early draft versions of this document.< /t> | |||
<t>Work on this document has in part been supported by the H2020 project S IFIS-Home (grant agreement 952652).</t> | <t>Work on this document has in part been supported by the H2020 project S IFIS-Home (grant agreement 952652).</t> | |||
</section> | </section> | |||
</back> | </back> | |||
<!-- ##markdown-source: | ||||
H4sIAAAAAAAAA9y9y3Yb2ZUoOOdXxJUGAtMARACkRMlOVzNJKkVLSskk7cxc | ||||
VbVUQSBAhgVEwBEBUrQye/WkR/0FPer+il53cEftP7lf0vt5zj7xAKl8uFzN | ||||
cilJIOI89tlnvx+DwWCrSqtF8jw6Xl0ly6SIF9FROp+nyeBlslgs4yx6e50U | ||||
0eHbs+Ood3z08u3h9tYsn2bxEt6ZFfG8GqRJNR8s4g/JIJld5dPBeLwVX1wU | ||||
yTUMii9sbaWr4nlUFeuyGu/sPNuB74skfh6dHR9u3eTFh8siX6+eR68PXh1H | ||||
38LfaXYZfY2fbU3j6nlUVrOtcn2xTMsyzbPqdgUznxyfv9ia5lmZZOW6pMGT | ||||
LfhgBu8+j9awoP2tVfo8ehhNYQvrMonioohvo146j+LFIrpNyu0oL6KruLyK | ||||
rpIi2YqiKp8+xy/g1zIvqiKZl+7v26X9E56cJavq6nk03tqK19VVXjzfGkQM | ||||
lK///v8UMOdZsoizWVLg2+uCvzKf5QWs87hIp2WZZ9HBV/CRA5p8im/CKpIK | ||||
ITUYPdmN9neiM5j7w1W+WMK303ydVcUtfH2TzBJ8PlnG6eJ5dJnDCoalzPa/ | ||||
JDLgcJov3TL/kF9l0bsiWf/9/4rexFUlM6ZZWqXxArb6B7vy5oO/6gb+Aosb | ||||
LmWy9vW/gC1Ok3IaR+/iRb68gIUHCzYf/qpLnes6hiudMlzwVpYXsJX0Onm+ | ||||
Ba+dvjgcj0bPnvOvk/FT9+ve3lh+3RuNnuiv+0/0gSdwdfTXZ0/8r26Ep2M3 | ||||
wtOnu/v667M9fWB/NH7ifn26q79Onulr+7sjHXf/if11or8+HbvXnu6O/a9P | ||||
9ddnuzrbsx23HPhVR3g2erqnv05wF1tpNm9A6Nm+A8B432119GzXbXW873ft | ||||
f32mrz194hc6eeJ2PXnqft3ddb8+mzx1C93ZcQt1m4I1P3FrfkafngyOhkT4 | ||||
irgqBwnQKfshUcMi+WvZ/LQqYkCX4PNpXiSDvKT/EAmtfVsmg+lFXgySDAhc | ||||
MhtMk6LqHOBDcjtYr2ZxlYRz36SXg+m6uMZ1rYoECGcFIAcKGjyW5lW+Kgdl | ||||
Ao+m1e1gVcAH03wBUyxXcZECUrvnC5x5XlwOZkk1KNPLcnCTVleDLE9LN7fS | ||||
IN47ksq/6Vdx8eFDPoiL6dUgzaqkyGCU6goYQzVYwjYXg8t1OsO7BUgBr5y9 | ||||
G+zv7Az2nhzgAECD4+ISr+tVVa3K548fz/J0CBf98Whn+GRnvP/4m5Oz8+HZ | ||||
u6G8VEz4LWZ2pwnsZ5lkMwJBBPgHBCMtBt/C0qNXAMHjsoovFml5BQ9V0dkU | ||||
eWMZ/alE1nSUltMiqZLodX4JIKmultFhcbuq8ssiXl3d0jwlkICkRMzm1UbR | ||||
A1zQg+fRg7NVMgUKG71bwwRTXoAsEtZ1nSKTiyYP6DXlLTzEQP6LVBoI9PEw | ||||
+gqASOyk5evXw+jwiihVy5cHw+g0v4RfP9x2PvDnGBjuIrluf+B0GB3FsFr6 | ||||
lNAtOlgV6SIa74z2zYGNdvY//8DgpWJ0x4HBMUVHAOZr/ojP5l2ZrGfI/Wb5 | ||||
MnqxzqaE4j/1SGAZ/khG9zgSC3OByfoSxB4ACkhFBBQad3/vJ8Bkf89C5Ozl | ||||
wWDCAEhmfqvRFL54ddyPXr05OOxH5+vVInmJQg6ABHAc5LtFssAPfjJM9vfu | ||||
AQiSLl4lizLpwK+zq/XgL0kG4Iqzyw4MA3ntXVIsMsFwBuhRMk2WFyCSAp49 | ||||
QZAeJZfxBWxjkYxG7VAFegcUZpjG04KgC2+OHj8ZBeB8m0XVVQLrTvG+C/mL | ||||
8nl0nE3xcuP2EYRn6WUWV+sigTVGx2/+fA9QDKN3Q7PKzvv2OrkCebvjwr4a | ||||
Rl/DQACCgsWVlme+oZnOlnFRtT/wBr5FuXbRCdERQhRR4N0fD9uBOS2L6TBL | ||||
y2p4mV8/flfkf0mmVfl4lZfV4K/rOKvWy8HUkMPH8/ivpYX0O3zyj/xkQDij | ||||
Fwd/LFuvzoSuzvHh1+1Lurm5AUYzvaTDhV9Gg+vxcDWbB9elgtOLi1lJtOMY | ||||
NJxpiqQ9WMAo6sEs0WjbrOINYCFqLbSEk6/fdLAfXINDMN7/7OIxcje4n4Bx | ||||
O5PHh6ffvzt/+3i0+2yP/mksEUePBtE54OEj+CMbwJIHbw6mj4CyAiOOp1eg | ||||
eQBYAFGzCu8kXPyasoYoelIhpyIERZQ+eXU8eCdsvLwbXV8Oo1dFfDP92+0H | ||||
A4U/rLMEwUAn8fLV0YtVvEqKe1+3ncfjJ7v1/T4wsE+n0fFHFI3cRQvJ+3OC | ||||
Ck4szPgeNKh9J3yeox3cyPkVCp7IQsf3Jh3j0eO9nWeNvbxFLRM5EIK8BBUk | ||||
AkEsWoFQwQg3G+/tjZ7RzuCYvuO/LuISjvDV8Zv7cXu/3BamO6are/jNWQeC | ||||
JtnwJv2QrpJZGtNW8K/Hh8hVCyT0778hQMMvSv3eHyxAkUT55v3ZOq0Su1// | ||||
XqTvearp3ov8exv3Botuu/dAoeHjr9eA7aCinyzW2WU8Ht/7oMaPR0939kKM | ||||
i4H6rRcRCqoR3KwBXqUB3jWYFje1Wle6nQP457ZMS2QCeKhky4hep5dX1U2C | ||||
/9ZuIiLs8ccp8rMk0gt3j4N9AZT97/+DtthJtXnv7TSbBYs/xCQgjSft4LmK | ||||
F8M0K+Do5wX+MdiZ7I/gFowfW/gcRCjmFwnsqgSy1Y9IMVsw1q6rfEkbjVsB | ||||
o5rC3Rs+HOpqOzH91SJJO5jcGd5qtFR1AusUBl9Pr/LKwOvttMotuA7zqkqT | ||||
4h2ye6An1/GiC7Hi4mN6TSgVX5SPx2O4+zuTvWfPAsrtMP9nguaroa6s/fsj | ||||
4PB+yWZ/Z8mqChHim7yAs8vGO/fa1s7O0+FotDt+arf1gk/fboo3RKgeaEhI | ||||
4w5B/AQSnmaAIyf5OeDodTpN7sFyQLaR1bZ//2cQW9bIveH//tL1EAhQXxVr | ||||
sve0AoUIPj0x6lBISIxAMnKZFHBk84TsjXBxZglQz8d8FwbXwJPmIhAP8vkg | ||||
UbvpYMas+IpZ8SCHJ1l5J53+8ejJeH93srvfAuE/mzEJyve3xd4J3AAujW/P | ||||
AbTx1SL6w9//OwADzamdz31d/P2/ZxcJCCHvEpRCux6F6w0s+u//o3DCLJ/G | ||||
NwAQFTNJQTy8yIs3SYeUCd8Nl0lAnQ6/ensavVvEt2gvzmb3IjRf5fVlCP/f | ||||
5zsipormAsiKoReX7gl9Mryqlgu7KBRLaBhH8tEyuUzQrt03+vzu3csFGIO6 | ||||
U6R2tX9YL3S5g8EggrtKQtLW1vkVXMhZPl3T9StRWQNEKT8DdfpRHMFnt0Tz | ||||
YUyi8gvD3uJNgiZKN4lyO2Kn7iLgd+XQ077rdAYLW66rNbISPyjAhTjMDYjl | ||||
oIlOi2R626dVwAvwCNBTPICEZEIdD3aN1qJsBktCorMu40sSdaeG+pTTJIuL | ||||
NC+Zc0VL+JicANMY5eISxehE6RfKY2/PDt+eHkdq9sLBquRjBfhzGxUJC3YE | ||||
O5zSajd9xkr8mKxz8CBv4TA/eEcfw5qycpUXVZ84QjybpSJgoDEvKtO/JeSj | ||||
uECJcVXxkSzymyGf+DKdzUBn3HoYnWRVkc/WBA34+2H0Jq9EOt7aehNnt/gE | ||||
mdGQhAB+ZJdl1ANCvB3NktUiv0VMKWE7f12noL4CXK+yfJFfItbcgAAOgICP | ||||
r+DoAeVAuCd6B7hVg22SXadFnvFgnz6JLfbHH4dE82dM8wHit7gj+yKMc42H | ||||
sobp4tuyDx9MF2uEWLRMlnkBsCyrvIDj7OO5T5H8wnfTGJATzoTBuspvkmJI | ||||
tw7GzhA3rvHACNJXCZxumQD/xK3jEuJFCSf98Sq9SCu/GFh4ucb9ltE6K5JF | ||||
CoiQMPrnZQmnD1idJQtYokCjAGQp0ilegwt47CadVVe8ntltFi9BeanyFcLy | ||||
lpeG3il0LUXx9EOW3yyS2SW8WuGVhZ3BZMvo4hZ2yypp+jfcZxwVdJfg7Owl | ||||
VBLEqAxoDW8XcPOTMr3M5A6QlpefW4jiR5YfgwLprDiOUPUQSft6iHvjH38E | ||||
ogBvTZGcfZXCFbqN3l6gfg+EzNqM4U3AenkTLf70JplH8IEpDoL3J3qZxDMk | ||||
OyRVEjsFDfvw5aG++nS8C68OkZwlUZbIfkoxPfm9M3UmdKgJGRa1YUYgDCWf | ||||
OlxxUsX0Ss9yogKfPjWN9IS8S7yjiO9w+khigSWXsJVyI/7jjcFZsjVxNjg7 | ||||
Yk1w6dMVn5juAXC8JFKFFx4wi29cOudLD/ediADSnSK9WFcJrv8yz2f+Jk4T | ||||
RBrCADphpSsRChqAPuUSHZtmJfEszdE9tcT5igRIB763AGqeTQEea5oDvr9c | ||||
unMF4M/WSP9upwt8K6mmQ5D/clROotSDCCAK8IEXAKMdGdNNyd2HndO9A0UC | ||||
rtACT5DJZwKDAFDtyclimHrQlb9IF/AqUBJ4A0gaslOAUgw3bo0SWjRPi+UN | ||||
gp99HSBz5MukgRGECYRXMHq5XhG8YqJDCZv31uidWNyGELW0EYgR8KAMnaKw | ||||
jeQ6yZjdAcDhpYWnQ8CjtrZoFQ7nynyxZqssoTXSHEeeko+AX7DAAq4IkA1i | ||||
I3LZ0MZIJAHwx5gfe8iB5Oagbw1ujmH8F3EJFy/29xzw+xZOzS8mKZg2J2r8 | ||||
wv2wSwmRHFfgDzv5GC9XC2KWuiodqC7rnx6fnaNSfWxvRo9Zql70J6MJLlew | ||||
Hg4mIHKoDIKIKvTJrZjuMxENOD1iqMKJEVbEZAEgcHURb5HMBFydLs9fQeQg | ||||
fh5YmlA+4RPRmTylUcZA3B7n0H3gNQc0BIjNVjnxEMRzkKxRfri/qKQzgeRT | ||||
5EsBSAkkJxEZqMLniSmirRfJoEgHMzb1oy6ES2wfFobK14sZIz68ZKD8W4QP | ||||
kOFrFBgv4pCyIJFD2QjpRrJKaBsgMAEFGF4O+7X7WSQXeU7UGGA4R4EChywS | ||||
WXgAWUDvEnDlt/gojBBf5+lMaBBiLcwbu/stbmBCAbolfNOWKNuoYGHlR7wi | ||||
lTe4VekyGf5SknG3INwOd5ZzcUmEeBazAM4V71W5c0PobRF4mZ9O0xXexhLt | ||||
aACnSwB7zOLwQSBIK5KwRRH+LuKbaEWuG0b33um7VxTx4j8kSsx6Z8LMSmTD | ||||
kiVVIzIQ5pAgD7tYrSuc4Qp4FnxO+vAtvAFH4e8GMUYM+EGEpRORg9A7zrSY | ||||
ZyqSeVIgQiBGzeGyJjMmuIQf7m4TC0scI0W2dwXEsx8BvwxeYskPZeFYuA9A | ||||
BnXPmZA6nFSGKYdbrFjMctg3EL8IDq5g4qgMAy7NQK4ogq337gxAGSoySDJq | ||||
nxDuliwP1TDOHszFrds/oRPuEWg0Ui5cAjH1QHag7fLFIIaSIp0uaGWztGTx | ||||
QY3obYrUlmx4CeJPSVoRwBzF1MxjMws8rGsAB1SiyB6KT5/ovz/+yESRtd/v | ||||
votWcYUwh+/pI/yeOBjb9cmZcfxxhR8RT8DIFpS8eDWwjrJdxTIbsTYSe+A9 | ||||
f7VwiPevElXMvk0uovP8Q4Lc89tzFG+/PY8OF3G6hN0Are0dHp7Bp98N93ae | ||||
ieKGrylbpM/hIfh3O7guAJMkgX3gmQ9wKSjG8vqdxsubiOLLlHiQl98Z6wXy | ||||
8zV5E2O1mfNN9LuLMODNSsAg47gzTGuagOgrgS7s9SEKrANFKBEBm1A8rUj7 | ||||
wbdBCh2QgqUUWRQ8jJr58UfPGgGL1yDPsc7x5DwFiZ5h9zo/jb89+AaIE6vc | ||||
OUkOcAXZB6JLrog13ZvG4rvKhdNhAuzIkKP6Ncxwx6xp0CANKyWKiGoK8Oy+ | ||||
usrhs4t1uiDaRsKG0YuAaFzni2uE36OKNOtHYvRQqgJKIOisKL7nC9TQEEGy | ||||
MsdfyAYxrdYxaLdlYFJwrCvU+NIlSc0lLkwsE6JwsQSIq9v+TGsCXFNUKpBK | ||||
g8wBBx4IUcGkhQICKDkrUXUlBjblDhNJ5gUrPYDrQATgkkwJPZw8Deh6gGgM | ||||
h7RwrD1FqwPcyzxL1Fru2QepFR6H4dhIULCfCYoyePFtkVtlDBYyMwRKLn5Q | ||||
tY709NDjaJlfICxWV7CK7SEbTQZVPqAzJkOTuCRL1rJaFsAAI3mrSBbJNepH | ||||
cLioreWIIG5PNySYIbbC6WTJHC4iiYC4tprGrxKDwMWZIQXqUxxJRTM4aRRC | ||||
CZax06BYJymdeQDUJdA2UELqiyTmJWWQ4OBfYkbeDoTHirJivECjxy3eVpRH | ||||
2UGUL9PSndoiR5glxZLtfmyaEoZ1hvh4zKpECURLfvOehJCz4cQgwAInIk19 | ||||
nl4O6AtkJXxj0MaOvBKk5BRVfRioRgFoHw6vr9gAAVgJ1wyt1gSRkJs87+DS | ||||
NBLKsi7kAz8BuKesDmetLCZ63MpjlJI+I2oi8ytokVK5zwrZ6qMP6eyR1fb6 | ||||
cg+YKQXCW31ACmu+jhfrRAf7uFfpYJMnO8h3D0q6URrW11fBSPUAEBgb1lrv | ||||
07IHx8hH1x0OpxB1EkmokCI4ciSx8Mfo8VPFm6Pz12fRaDiBxcJJXoE0Iusb | ||||
7T4FGBF5PT48eslqmNeyo5Mj5b5n8skYx/ycGEbY/9bW/9r+E8VxeX2Jxtef | ||||
+OOs+sGPWMaOXqL3rHSfOtzCT1vfrA/f/mn7pIBC+isgQPunP2unggbvR3bW | ||||
ydM7f/Vvju2bu3vu1719/W20454ZYdCWvjmxb46e+dH9F0/9nM92ftZGz/MK | ||||
mFf4M9px2x6N3XLHoyfu193xz5m0A0G3Pj2PHjrayI6oLx/cRVvhSl7cAq0Y | ||||
PgAyS5xrEAPbyb58ME2Qzz34kSj3kSrOZyT/A2aycbbAcHe0len1dRo2OoaL | ||||
yziDWWbIVecgAOU35XO4nxfx9AM76+BC5+tqAYyzlNWFAh8rSzVC++kTMt3r | ||||
NLmB10HOnYJuI8Kzk0iA5bLBSbfdD/VsTCIQvZJEDGcEMDoYzoRh07A7FHOd | ||||
xQBfILXKhSHhk3F5uwweUzgbp4UXd+/cJnGYTv6DEwJJzYsGBOhTI5B9+jRb | ||||
O4U9eJoXosps4JNigdCpvkiJF17DNgOymPXp07JKYWwQG6qSeMciJfORGA7o | ||||
JKyo6VIfInIHpGKRXZfMI+LVCuQjtOsQ9zGy46dPyk6IVCNmnoOIkZJVlnWp | ||||
UzNn9Bo0hTWu+dNDFEV+ZKTFwwNMBznhwZs/nZ0/6PN/o2/e0u+nx3/808np | ||||
8RH+fvby4PVr98uWPHH28u2fXh/53/ybh2/fvDn+5ohfhk+j4KOtB28Ovn/A | ||||
QHvw9t35ydtvDl4/YA5rrVNkJiFtiGTNFYaV4yXa0tMjMH11+O7//b9HuwCU | ||||
/ybZI3AG/AemcSCzBBzj2fIMtDr+E7DkdgtBHLP4vEBT4gr0PfRswUVlSQuT | ||||
n4Zbv/sXvJvR4Mm//B6gfUpSE8tjyUdA9Iot6LDOebwEdRZGJFQmoyjAu1Qe | ||||
PQWlo4yC1ZOQZDxFopmfkdkQbR3iCtolEYektlJpj/Oh6MUKxCG20XrFWb+c | ||||
0JcghJEYGApjRgzzqoP6vI7iKo6OQDTPSKvyWNU7PDp67W3ZO+TvcsZsQmcU | ||||
qT+Sl4v3N8Ox/EaGkSXQXvmCcQnMos/OWPLF71FG+xYFKzIPkdMDzeCkB1ZN | ||||
i1q8QK8qP0wq9hHKu3BjyI1Fyv6xWDV4djcATyqyVBntDsfDES0OfyPRypwe | ||||
OzjF9QEkHY2BpMaEhC4xbovQK1kT16v4cpvUPQxMh8vCBk+kFg/6wkrcuWNa | ||||
lJADIWpvmafArTesRo0jnkJ7raE2O+gEV/msbHAHH9WzyZj/vE7KyfrQScvV | ||||
ECpCq+OHZAWwA4kVlxc3jF6sC1I4ZkkVpwtabJP90d2nxzq2WEeyqsnUDWVC | ||||
VxYZ+3o2EHmbtWqiAbcCtBxoFin23oci/jF2+XmHJHrdYo4aEAPiMHqdfiDn | ||||
w8mr4+uxWlyeobUJN9Q72lYlgVFwdxe+MlpC/95cNi29dSfWpei581a9a4b+ | ||||
HpzoFXcWvRZzahRfAgjRk8eGLhA3ABNLNTogS7uVpMpKr4DX5w+QGy4QBgQA | ||||
Z1ZBQsHnis+/OTiUQFXYU+vaBydm0HNv3Y7m6FnuAcLKDQRUzFdiMZrniFj6 | ||||
KJ1tQ/m+XMZ1XUn0oxPeE0gTn/9zmoD0QYmwP9z16Nfvv7vrkR+2fvPThWz9 | ||||
+f0Pd6/lHj9ulK/ff99HgtsDdfX9IQgZ74Fsw/n1otPf4oH2Iv0Qdoj/fB9t | ||||
0//JKL/7+Vv6zS+7oyg6OD448vs5kf2c2P2c9HnneGx+P/9sZ9SuTAGuqzL1 | ||||
WTeO+f/FrVO7kOBGO0PQqGDwTmXrXMgDMijhKBwLxRI9iWyZCu9i0kYiLpzS | ||||
37/eybYIxHKrot4piSeJRKf4R0uKj/FKe4/tKF7NIiOoNb53KExTCpVHI37o | ||||
u7a293enr94Dk5NAKfJeYyI9wKcIIxWYQqsUJbQ1eACFKaBCXxBe4XB4XzT4 | ||||
Bo1E7esksxDDBiNgUCBghyCNxQjLYhjdRTdijYVaVxOa+IHgO1LOk7XZIDfO | ||||
7S4RZ+woiaAVKCDEqMfajlJt4LtWe0uCxQmC+vNWAdehRstS8BLDHR5G25rg | ||||
1jvlP2Fc1OQcJ0Uf0izxkv+K1OIGuPDsN24eySIgKJETiRtDCqITlkZ67HfL | ||||
lSxleAcI4ggPpsyvfozoDBg4t5xxuCGmqdxAZyexFizZkocCVO2crNMG20lq | ||||
RX0VVyZxSQF/39qysSlTzG3GK/Ngvl4sBnMOC3xgYjcweMjsqEXKKzhMDr3q | ||||
IvnMZuVzBOo5YgVoXauKrL8AxZ78F87CafQAo+3o/OV7EDXg3wn9u8sYh4aB | ||||
0NrBnqvSLik8DXctg8yZBQo8swRVezLUNwDqLm1IO3A2t5LOY4fdeHHeO/Fh | ||||
EQedsk10mZLvjoIe8gxjx1xcw0lUi0Vjupk5QoQKeY0UkahEDkXczikNw0to | ||||
BO+ATgg3NSkkEhlXwBFr0VxSdhntaiEhfDPRgh2EfZDj24SE0GNvmOGQn7gv | ||||
diGy5Lhg5BWeYHYpgy5UAZlbq7r3P4ACq2QRKFIQ06eGG8Y9S6M8ElexrOvc | ||||
RyjOKZarUAyCi/e3gLA3vdmoTvOhs/8fuOZlYURvxEuKf3DVIzgIY5UDA7pY | ||||
YECgYzVON5O8cHc44XbwcimesteEPn+PSYdMbGRKDKKiOOaOudU9gWIFl8T5 | ||||
MJv7UAfY5pxVOiIpdsvoFi+7A/LtFKjCkeXFXG+JLfX2Em/i4IDKW46joXo4 | ||||
HHnIcYgaVaceZhfBvkgvCgyWLL2qxkpZv05dU43lQU4Da+TphCOZC+SgoPgG | ||||
hKqLwZWNMBvD7fpqG2LdDH7J55iQgyASKcT5T7v4FIaL5RxCg0hMvkHVvch3 | ||||
bwI1Qoe5wxokBevlEoD0N2u9gQfxOTKYJCU64qc4ojFOs5UojS+zHC00aIAV | ||||
TGqYg9oqiJBa9tAHcx8rj/j00IlzZDf9OslQLmKBM0xII3822XIJUgVg7RJj | ||||
0mGlt14Q7Tl5se+9Nv7XCbHwTtLr3t4VVg/PBrZrdGEDhick7jal2jiUa1m9 | ||||
zWczvz7yGlNQ4210wkdGYbrw5ylmAMFiRBYhfyTKwDXr+ZBdHDla565iFFPp | ||||
2i1uDatpi+jT6E3y7Eu6A5wa8jR2ibpRKUag5Iuu5AFGRN/kCk/yYLEIvTb8 | ||||
yiZLKQGH6EfdzifRS0MhQWgDQKfzYrHG4AUO9qv5iMhO4AS7rrMEAnSTwEpj | ||||
vuuUJcN6UYLJ6fIYH1FTeBGjEyyJAp6ohAKntCieG3cPuxvY1zJ08QTGoVMz | ||||
DBMSWHumc9TwSOJEwVCUOjP38erC7n1wTnxZJDX+b+TGHkqwfRK3tnV3JbHX | ||||
pBa5KXrWtMQgaEeSzaiImBiQp8SGkFgjNJLZfRi1zpGSFvcG87w1dgxdMZaD | ||||
G/cUIdBcE3Q+fVriewN8j4B1HqgTuMq7Fbl4ToEiKO06JuqphWK/CkZ4vO+6 | ||||
JS2cElllMkdeeSE3nZ1FVMuEw1kuE7J9ctBAOOGw9sEusSqORoLLgn6vki2e | ||||
/zgj15vj85dvAXXO/nRyfnzGVpPv+nic/QhwKnSni9HiH2FAaXXnt6zllzUs | ||||
eVvZIRrEQoMZq57v8+I96IjIdxA+Y2NY+keYylqDFTbs6Of81EZpM7qFMJkw | ||||
TCYOJjzKPxJfJhuf+lXgUvthMCEcdgM4tIzyu0H0c//vvviye8eO2gyRxIo1 | ||||
qKPJpENvWgenvsv2yDF6pDZ+esgGS7FIsnpbJUuhUUhqG/ZC5KyDZXk5GiBD | ||||
JmdoSkIFqWmJZPDNbzt8furYCgITOuLnnRfnjjCJuLR8jOQMgEiHM+x5tNOP | ||||
QJodsxQ1sQobP0IcsHQuWJYI4u4VtG2Tsz1ZjKeoPJViaqkbh2iX6sFN3laz | ||||
qthJUFJ2HkmZusVuwlKohpYjxMgrTCk5ki9cmmNkLdFGaVBMhsovrTtkh2SH | ||||
Z5HYsyDAZ3pQGxJGw2DpsvdILhd5jHx44oMWczsrz6F044L0WahglbTDnRVS | ||||
y1ba2f4hUAK5SeeAMtEPUYvM8IPZTws9+zMFav5QxwusstH+4dZvvrQ/4V8b | ||||
Pwzo1g4MHwQg6mrbPgzeHHW+aaMc294cdzx095yTzjfb5vzp59lGky1RUNp8 | ||||
0GLzn5NS6c1xd9HhWuoR4zgQspnYPR3lT5MF+wQy/ioMggO1qSTTylcgdFOW | ||||
B18vigORmHGOxDUaF2agezLN6V+XoEQmZMfOkhu94BzSfWgCcI0G8ukhKBzO | ||||
gEe8SUMa7mFo7JHEC1LftrMkMqE1zyNMmcSxdlEoGYB1HbYPa3UdNLznRZGg | ||||
lb6hYsOm5/EU6YLCtEClBovrBGEWZNRUE3/DKydc0ZmtiCEiJoRGU6Pb2HBF | ||||
DuNPXREKp8dJRVd1ynXBcJYb3Mnqua6rdbHKuRicaHwaJLZp4z5rHsWBuCzz | ||||
aepDKwLcU3tvx1EE1lXEvjQrRfPCcFSMkMJ0GlBY87IK8is045MWKzdjDljp | ||||
wVAa3Civ0NDcggTlWtOdKVOYfCyc+4M2k+V6GS2S7BJ2Zd9lPwvaFrAGAqHQ | ||||
coWBdbh9TTysRT2+zG+Sa/SwkdHGbg4ERgc34HyJc2TQB8tVFcAiuvqf/9v/ | ||||
Cf9zfB2NOZQLhI4oerC383F3ZxuGpQA9iepCo8xN7jxVHOwbneciGeDbA3pb | ||||
C5XQvZRk/GC5nCCEoUHq6vRJcWRU5hN1dYRLN0wAQwmEE5nQhcTcAMiUM2M5 | ||||
G6pHrFGeD0P/RDvRAWQzdg/yiWP6Fln82r2OUShlMGny5hN2i6dVKOxq7ozn | ||||
3VXOpeQxCMonbUqSlL2eWS2l3R2/WwMvyQ/tl3TauaSxr/bhtvJTl1T6NblF | ||||
oL+yk1Q7zzSKsgEx87TAX0fGEG/BKpl4V2oV9Way9tkoCjeKZxzDkAuFMgG/ | ||||
DIm4MlFbDbrJjsRMaxkMGcFqpUwAy75C5D/jyxfyNo+f5CiIF6SBmUc4DxcJ | ||||
CRJOJQwBprdeMWt3U+FWladafW6Rkd01Yhqklzm4mTTsYLzbj4ZD4CnjQLGB | ||||
AQb6Wl0I3jrh0Z9H+Dr+Axo9jBENRiP+BT4CuWowYrmRRED+fLQnv4wnW8eZ | ||||
dmDgbI/JE/3uQH/BAcY4wA79o6PsvNDhnrYKYHbxKoC9bcIgmTk43Sf8pk71 | ||||
AHGnOQgxqUY5xF2Axrwzr+5SUDkm4unJ8TWh0OL6a4S08uIwektmywZqkEfq | ||||
1pL2BlOBA3yRuzodFAKw8xHAm5b1ZdDHvZaFeJQbjEFioUxOfHx31PmC5VM4 | ||||
7vaQ5t05ap0XPt4872gSztv5QjjvzpHMO9pvnXd3BF/cZ6DRvgw06Rpocr+B | ||||
JjrQwVeH7bDYHdNX9xkMH8SiSIDgJMWgS4TDc4sG7QpRB7mADw9K3HWMgxkk | ||||
qjUuSpYryJB0Hzzvcfq1/ikmA0pdQMHRUh4KJ/3LmmS6FbpkZkAMpxXFhgg9 | ||||
d/6/ttU5nSgt7TWIGxfBBd6YbOMT9eEymNDS8ZwNOc67q6YpO5JJwQwB3UdG | ||||
PCVAsAAJTAcE7OWSCypxkkAZXSWLFZdJQcJOhU1uSA8kbYCjs8O0AI0w7qHs | ||||
VFEMXEGCOYx78O5kG4gKsoaSY4QDOHHZC3IzlhTNwGXEJEXAV5JogRhyxUA2 | ||||
izhah77jhVDuqDDMP4n/u10BJDopqgsqg8p9mTzZ6jkgpGFucpc2iBLbeuH9 | ||||
hC6TWxRJql1QYieAdEWluzUPVLNAJ8ORT1aggkN9I5EoGwYJCN2pmKcRCBQo | ||||
0NzWB5zUBiSpjX1R/btC7SJNNZINdIk6lI3OXKGqw4CKAwhw7caH0RmlmNeF | ||||
PA9MCtQP0CWtJK3+GvMrOF0/axuci4+o1GXGGPoMbmrUEn1BFYPbpt/5+OJF | ||||
1LNEUHYUWrThRiORffGiRSHYbiwX329bL042vGs9yNLut57x6GeuZjzSlDVH | ||||
ij899NYBUF+sio66sKpUjuphWk2AniJSmnJlVN4LNDyYPKGYpSByQFzjohde | ||||
mTyuDDPx3IancFlnQjhCnd5ZT8UHfzIPMhwpFYUFbK3yROJ93/tW+41YD0LL | ||||
qkKd1wU8kUNXb09oWMGnL9BLPLMxYveoOMHA4aQ0XAOFg3hLTFDDDwlYDuA+ | ||||
eTeM/rSoUowOw7XXXfQYtoURMmgNuMrRpiIVkPysNfOSd9UQEMqwVBmXwlpn | ||||
3s7QkkiKBZv0VDjMwzMkWJBJOlRN0NWzNIVHXeUWDOlKM/8MNtoxiWy4ZWBe | ||||
MZCg4HVWrPJ4RXiQRZccUiRF0dz2JUeSs0hJItUdYV3Nvvk7yCzl4cPsVdHc | ||||
TBUnfJ0cYFJkBf+GXwHOEtzrPg1LGrJhM4arsLyAY4XvZ8kSNpgCGfvYiE8o | ||||
JeSXeDWbe318XclvZ8BsMdBMCupFWDjlkvditqhGR7NFYI4UDkjaV+3Ca1lW | ||||
vi6MaA6wXE8kFquu9eVoCA6FTkoMRXVV5OvLK384QVQwFVIp1xellG3zkZW2 | ||||
snX98p8HB91YtYkQXibwFOu0QTJxkRDmI8Qvkmm8tgVEph/KKlkFeC/m0e7Y | ||||
UKnZuqlwEHsQbQWt0qZFqP2vWYNEFsZX1cdNedciVVOBO7leZiwhmFIlIiMw | ||||
pQL5/WNjEhOoJFqi3vHfspifMmXVGow+llq4AA3SLH0SlsSiPdxKJTY5OR98 | ||||
RoWrMOk9nfkKrHoo7qDTWpJonSZimfR04UlIkMONqot4GEB+XaZiz2i4Irvd | ||||
dCR+8vmr7/TQXysWN/lGof3Zf6EBhXV6XErwPBU+vb/dn+1xYWnoLmcA0Eef | ||||
544KAVbGbLUkXlLIu3p0KBqdnLGwFGHooWwi9PkiuUyzTHUzUjGCBfSNQJnl | ||||
Pry3tidbo1G3hMDR6lwCD/GyeNCKVd3VGXTjLxO8dWm5dMKrRyNT9NKjdV9S | ||||
r4Elcfmc+3ptiILRexJsnEiIOJED76uQR4DMldVGD4qrFH2P2dVG2kQ26kY6 | ||||
XVMWaIByeRXEATBvETKp9lAPq4uUFTFhphyPixTCq2hzMcAW+arArXbIvD2u | ||||
CXUNkhqXeHO5F0EQ8LYKs8FGSd7ztnCDpZu31P/Je/KTOcs06ahc4FCqGf0H | ||||
Nnr9D3SAzPeIatkcA3VC8smv4lssGFwK6/AFCVSUsZVCRJSjwnAd9m+fWBTC | ||||
g1aLM2LZO1hsirTPFlCkQBCJ26cLwOCaLlBjICki8VJeOXQh3RK4Kf49V/AO | ||||
XXwG/Sh+g4vEonJD26xBljhMkhSPyg5MoXSohcVxHxzShuq1CykXN7+o2HOn | ||||
ErURYKT4SF50gDegDFFarwdHPkDQVbCknYv8wLRrqj5SK5NGIJFaZ1R08SNe | ||||
SzpYlVIwe50LyhVolYpKCbG2wh67vWte/ne+kNinh5aHuqIDGs2kte5d/UWq | ||||
z4hodlWvVfeoEfvU47zCbZJnBLwBE/cFvyTFQ2qt6jKktm8pkVBaRqE2DVM4 | ||||
zL0AcZ6YM0ntkt3jsjDCPJeLvFZuFdP3O9IZe7WLl87eu2KZXykLYZHHT9G/ | ||||
KwezmbhZn8eW5dTQB0VPFw+sVN+jqdqIOsBUS/c51pSmgyCliYqIiBP/4IiE | ||||
KwUpFTm9Y3PIPG9yapFQD7cbY7rANAiOx48n8vE29xX5glhd5wzcQQPtC0L2 | ||||
2xUAEwT/5uCQA1DKYfcEkvS5cXOuVooj8PVYVh/oImWF75HVw2k87EjpODi7 | ||||
MZHw18Qxyimgvg0YI0Hi3plMJ1bevQNtA+kKmFk6sxqFimAyS2v4i1OEEIaB | ||||
HC/Dkeqs6E3WR3ZY1qV2ygGj+AURNDfd76hn4rHdPd8OpuHojOmUyvzlbXBA | ||||
9HB5D10gCvgOSRAYUdda4rGRfuZH8TlvzaLBBFu/NYkq4UIlKSfd5UF5aNJQ | ||||
htGLutjagbipZAiS0qn5CD5s9KWEisamh4CpUoICRGvtyPqwNEKMduX5QHRi | ||||
Uw7yMYzB3gHgo2wncuIHHb2LEgihIUuydTPJ7UCFKJ1cF1dMQSJYdda6LFiy | ||||
eA6asYuWbZbihW1BFXE00TX39crbkoPhjW3nf63Bc2PMcD0mpMV+f/A9CYQ+ | ||||
B8wZhFry/TWQC4N0iM7XFxPWqdVHOpfXCRuXgBRQFMoZreiMHXWVSESd+O7U | ||||
pGEXZb//nEwVAjOMf5m9Va1bbsZOM5XjumJd83gI1yfxX7QOHJAaitrE8LOW | ||||
4SQH1H8jljY0xXr7Tds6OshdCE7NXArizDeUow18To/KsO7Ho3JDqqvGnGCF | ||||
BXIKtEZKeeK5obKFHehrEcS+ft+s9IBUs6VYbQdQmk7zODpbUwVx7kEN5OME | ||||
GBWTWqbJrsjb4ZkTlozot/05cz2aZvNHoJUB7XWJlliI1lT8iF15eVuIjuQA | ||||
lR9qjRek7wIHx7csJHRt6+A3BZbtm4mlg8hpGz09NGKjkFXaeCvpCDKnGxJ0 | ||||
X7dZbj78n1Bi5Fu2K+IzLsWZJv3ouBF5rXlJeKi0ouHWac3/JS9xtY6Sy2v7 | ||||
F2P2B+nLm2Vgn/5HGoDbO9NmUy2azWhWciNR0t98I1d1imR9tU8Z42hT5PIS | ||||
C0ibvQclo/6D7Xp1dNvGZZmWaluRwmO6CBkplURxjdgkyCEstdPCHY0VdDBV | ||||
20I9veVymxLTgGYtX7tcdmqNiX0eB3IJBviklG50nQeoXnazjmPZrKotJNQK | ||||
fsmspn2QC4V6iqB3PL68S2YXlNNQFjmGSA6Jt48YW9sn1wAnulD5wAdnKNQl | ||||
wAK6/Xiy1L44f2icoOR3xlvgwMyMfBUJM3vUbAWlAxmRjSGo7iZomQj7WUiU | ||||
BJKpGbNc9I9xxQixrpB8z7U8qCy+6IcGImbIX1K+CmhXXczKuFJ5m3TV3usG | ||||
axsSTMV4oFqpCWfa7BCzujh5Yi2B8P6SILAj1eqBWCrxhnk9UxEPIvifj8UF | ||||
FYNMiQtpuCXZn+EqVPVvA7YHdL2MK6VPOF+SVBFtxKRtOoN2h424PgJkVlWO | ||||
CA6XtHfktW8AYWvJbJy9b0qcxuLZ/gmb2AwxMVTTPbQm9G5K0TPmOZ/0oMbe | ||||
G6wuSxZctGAks21nIy2Sga6ZTO7UPAtDzCSkwnx/t30FL34+na4L0dZi37uO | ||||
or/RX6ODEVJRZBjZ4QITVElRP7RoJAJTl03CHlFeR1qEpSfc0GVXbVkpLVsr | ||||
KIsWR0e5N9qO4pbeB32l0RwxfsGU8ujYBwQHDwfyFob3BD0R7r+SBslvXwc+ | ||||
dWj4wj3Y32ctAnii92HEtvlRy2LWwBEusREp8qZ7zqIJXUY4JcOCxGZmvIjm | ||||
fHEWTNcwaUgtXPgfmsSBgJc2l8WGrU9RM21E8pMZ8pv4QzJzC9NunMDZZoUL | ||||
fULNwFOZ1AnqEnDJzqWSdEBqygqS1Tz9qKzNS+Sod+58PBjt7B9g2f8elg1Z | ||||
qcnEqA7bwvXRcxKX6lvGoL4W+7uBtBNBs1x4mJMFyaxSM4XA2oGxdwh7Bw5Q | ||||
FLfpZBiu7nqRLPKb52H4/6fOHPXWn8cAVWzNPY6eRw92x4O9ncFkNHjxYnD8 | ||||
YjB5OpiMB5NnD/r1l0CixZf24aV7z/cYIMtNwEf3f+2xHttj6YqB747q62l9 | ||||
80PlXsLNXT3a2Xl014uPgavJSwOcafdeM02La32JZ7oYxZMEaOKTnWR/fzaJ | ||||
92d7u+PRaDZ9tjffuXiG6RKPPz4O+nxM5vPxzl5y8XT0bDSePZld7M934/mz | ||||
/Z3ZGH6fxI/o6R+38P9/bM2rgNul6RStlker/AL1He/tjZ5tyIKX+k7HfzoZ | ||||
PNl1GDyUkgMPXeCw1zZCHVYVDUkLZ2uzOB/6tkym8TKBUFSLcQlzpqzjdlK3 | ||||
dnyWg6Vdl9V1hOqs94hhzzFdeFOp9W/X9drQp2Y+EO02hM5nVg417P65rUd6 | ||||
GjRYD8NkmslnEiTSUeahrkedbjKJYcOhWmXUu1fiBbbPW8nJHSvBYo7+YKw6 | ||||
dR91kXXkj9GXER3+KdviyciIznvnEE4dHw1STcPyrt2TIe9RflbzUKSVL2qV | ||||
DIzcSYrvlDBwhj4w9KxdEJJgDAK1abIpuIs0+4BRqx3e3c/MPPaK7Ab3p6QJ | ||||
h8UejWP7s00YFLzlSoxgpES9taL3sHW0DAuLZKm41WL86BlhcrvN/NG7hwAo | ||||
TSrF9JIlNwNe0YBWpAXE6tS682mDym3FhlGWRy+b2fp7kGzqBVVcSoST3rUJ | ||||
hzT+EPuZKZXbDsxubEJzgF4zbxJoGQCJX/OQvElPI2VIjWq3s/FnTY+gz3B4 | ||||
3na+WkThrm5rOCh3XDO6rs0s8V01GFkCGoyU41M02QWpgAQZVCBe4hQ/NiiL | ||||
WS4iBKp0IO92LLO1yxwtta6Wd2XV8Jm3LBbXCoPAXz9qhC3/SR/Xlx04Xzru | ||||
XBqwxjbeFnhpE/F/1BT8QsMmpX5clrtUhdxx8gcDfv1Bcxk+dB5OUx7r33Ev | ||||
pL3eCZBR6k5MGIZxRsSrKBRTx3dWALeEYMK+2iEkLhFF+5LjN8PJG0fUD4tN | ||||
uEykuCzXSwE8nzqhrUgPlBkl0a7XVLqH3T218g+xvIosRqvzoDfwKpmiPnbB | ||||
oHbbJp96wjHN62w2jA7s0pZU2ZYMLT6G3F5ahQfOqWESjyLuVos8i7JgOOtO | ||||
vHK+Wgiz01uO165NLFU7MbPpmvziVH7R4FzpABJU9nVMrHBJP2R2cWYeYocy | ||||
sYUjmh2JSHNdWPE6kmmOc6rYaf6Qb8RLRsV3YePKrqZGDxuEv94HXWu7cJEI | ||||
jBruuHiPPkxvAMA4C/w6LR/RxHhAHOjYbHnZt1b4du4EVCl8qq0+A7yEiiVj | ||||
q3ICY3igvzq8dHrbRexBacQ3nrFdcnlR4vpTk6/MjKHO6HrQrxQURbM4aExR | ||||
UeRGML5fqciqQaBkobRuAY7IJTha07Rpdr3NY75KClh7jroZ3KlKXvSxU6Wt | ||||
bR0OMEQWEOwBz1Bbupqa5rJYTxzNsuvd47lmRluwCaO1DySn+rdyxRBxmugU | ||||
0zFRJ3k0XQDqD/A9F/D/kKrJYyjOsTF8qrbzgrUdHpoapD6UctmDDxSGeR4W | ||||
a8HjfX3w6jhMwLCpdaoEhkWW4QlqO0slVUCDWkp4X+nXr1oI2XnogBz1aKoA | ||||
TkRy4as1rgu7H8k9wCuG1qWAr4rPehFPvfPRJvXSY8OtMY/RTBQPUk7DQrkm | ||||
zZHsitIOAfBABkV9s0xqcHBBN/J4Ove1hdJ5t4AQiH0fcQXvXh+cfHN+/N35 | ||||
+1sbCA7q+S28PEYITj5XVY+CSLLG4vU+mL1qOHFp0A3Wx8yEiDpIDz5IzOKT | ||||
OqWEPeHKBTe0I7xcOia3vhcciVIvjIXAQ+vq0YsXj1CcYheb3IQatER/rCzW | ||||
kJVyF5NqSe903wUlhnBw7abOGbjDTUsZj+61FOmM3LoczKrN8qJrPTCDXQ8+ | ||||
HaxeM9UluxapBEcxnWEUE9Uhw3iyA1U2gxgnW+Y8lhRMqp9IKoCp6OxSJB7Q | ||||
wR24bx4QnvGnx4tFukID2OG6uE7gK+atWCW/XiFbYiSBVXCRKez4tbDRVHD3 | ||||
WUWdua6D2kGVF7Ohx6HFcW6bCAoPhr2X7P+ES76mVo08iwpSx2fjvScc83p4 | ||||
dHbAZPLs5cEAPu5HB9jJFr88OD4bwO+s4B3P2PLnSB7uPEpm2LKipK+GBlhW | ||||
KvSkhuZJMkpNtHqbSF4w7FLczph/a4KsmKLVQenpTwWfxGUV7WvNq4OGLcJD | ||||
3Hp671Q91LZG7T4keM60NnE98NpD60y/B4BXIS8gefRACWSr9qi50unoVPuT | ||||
QF/y7UAxByUjYJTxqlxLloaUo+y9On6zbXNc3uVlNfjjOs6qNeCVkRmi3rs/ | ||||
Hm5H8Dx2doqDVGntZqX0d/VXoq5SE6KWJ9u1ATKMEusyobD1lAeZadQf9yfb | ||||
0Q1J5xh/urj1aaa1npfUScXn8BIQw8KF9RKzcPvagvycSgeMFbFiGP0B4z0W | ||||
QcuLDX0ImafVexj2A+kwFZPVrxNAWM/r1ERU1C6AYZnekXcOyfit8QEdMdhW | ||||
0WbiozD2thtW4lhYK6vc90fqDi007TFU7EcwkC1GY1TCmBFPQillglFNxPuu | ||||
rd4DsMP78BI2JWlyjSchJosG61L7Ud3HZDJqfmzIm/brjnquvum2e64jvrbn | ||||
KYR/tgW1sFORyQdorNF+WVvp1jF2eggg4kJbPJmPyfDs7STMuxfxRbJwl9IS | ||||
Gn7JskbpKEzEzt1OUoHpeoYVftgyJ9IHB22gMrK8kHIJ5GiqMVLui2TZkJTt | ||||
4dAG9JRqMK3dLUl2lCedmcQzv1f7LOXyNYdosyMyALJbj1XrQm0zVFZpgMXc | ||||
BuMx/jPSDhsd05J0iz26Pas7OfjmQOWUWzRD85MD/QgVd1oDtypd+N4e3KV2 | ||||
Rn2iCa8jlbxksp0BrMzlA6PYcHj4pu8M+eS+medF4Fg4yc/FTKhitKudR4EN | ||||
8MctytpAULCO9TyeUslEL+/INIPRk8GTXZRT6DzNp/ARf1y0x6mfHB8fg6b8 | ||||
5t++oCIYQ/GrflHbHDdCnkhEHiWKFNizWG9pD+e5SKtt7+Ygd72AvfuWRT1Y | ||||
N744bIPpLk27Z+B6eBXD/8Y7LYBtuG0C25/TyXALslqzg7Jl/uhJ7UC/xgOV | ||||
ogRS+wNk+WzQNSlFgllCeZWi0Mc5iZSyaYUDynov8GxmyeLWSR4bJ2gD2pih | ||||
Nt5rgojmd/nuAXxULL5EDKSSMEJB4E0gH9kUb0O4OdaGwysnvjCqzE4X2e9w | ||||
GAIXlhnoIy3ax+E3IJePhjvyxqdP+IHrx2Lb33EF9h72baEi/nCN1axNtaOC | ||||
RbLQyF0GDSEUVVjhTt+rBGVE7zYRRfTPUFj0JXW6sjAaZd9dAKVmZAF06r3u | ||||
yGHqpIw088FoK5fSVK+q+tnjDl1LFm+xCR+WJ73o5nbR1/ZEYl0LSjCxAOby | ||||
U2sNFHCJJXf7I/XK4otp/xc2ke96ik70MsWaRzRZ8nEA36p9LTp2hfk5rULT | ||||
stAf+R4EC4zVIMGxtaOqI3M904p1WxLn2TjStD0lqjGz3shJ3b6u0BLekDQK | ||||
bj/XMRKyhukVVaVA4JtmUKRrd7eBxTgwFyXmtSmyLL199S6sgnWmxaWfDpn6 | ||||
Px2OrXuF6srhRWJLV9CO49FHY9FDWBkgsY8+NB5E9RV17h29oyot2X4Nuq+h | ||||
CjgkBZP+ryPBTVxJAMIds1MEqtOM07CKoihhyJ4f3QbuQnyD3Z9or5vD8hI2 | ||||
Y5v2qLdAywnGJA150a+BBYyjm1KrgY9uA74eHP0Y9lelbhfYcI1KgxXpqnSS | ||||
vvcF+EJAXDzZ9f6zTRNds8p2liFOBg5TEGecK7R/YcJsNOTP70AzkrnNSpBq | ||||
6tVVytota+WQNjTQFJCwwcU4JzFDFI+pSkK9ua8VpslD4LsNiLXDiqC1Sg89 | ||||
ak4lPZik7RD/Zxczgg+o9Gm+itFtRitTsAxFccBHaBp+66Ozk3M3lgmeym5f | ||||
olup+odWZpAIB/yQkvqZhQpwbNwBraJKlmQIcn9FTrYMh2WLIHz5nrQTjWBz | ||||
fXXwG8LtoKlnPBvgoKL447KOjl6LT4/uD/xpTXq1liP49RYu6MuoB4Knn/05 | ||||
YlIfPvoXPzF8iAb6/tZ2awSfrsW1DJINU9AdViRpQWHCYPUINoBHS/GJRHEW | ||||
4yQa66EVnUiB9p5h24qvVi7JuIQk6j5QRoLEs/iizBdYrIO3rqlPCqB+9G8/ | ||||
uD/+7YffekHHg0vj6BqGOpRGuFehDCA6vmKIUCVRI6ewfErWQPEERVH5u99h | ||||
vWms1VWY1PFrEYr6naQzHiALj6l6EO9DW32UPonCDYUmRV0fN8nEJX7eAHZT | ||||
XNUIL4ImmUltAEqZ0pn820EJuGl+mZEThGl+42kpIyOnbH37mhwDkBfnJOKQ | ||||
KSHklkPGXurc6QpuhYUlL+Lph1rMkmv66JNaw/KSzoIsNSZZ2NVlh6ZGHldK | ||||
adLMHuPp8Aw0GygF6AGXC+M3aIrWK2mbr0hZLx3FSbFa5YTLgIIGzYCdid+g | ||||
E0UaKMzwWFOza+eyMZhr63Q4rMI952VKvyPGD80bX0Y77i0kgtJx2lmN+U9i | ||||
71E3DJAsiRVGSzSyKGM6VTjyrk43RwLc1mt9V7y+VCvlFb3RSShppkjU+xcb | ||||
qoCKRmZualAtzBnyvbdKgWxqhmAxJiKS9nBsQtaF19hENXLT+U4xjK4kdAZm | ||||
M0UcM34L8Q5VB5xNiv2RVaLRcRi5CuYgA259FKHsYfSOTxFkLz1PlVh8YSyX | ||||
Pr7A9iFS0qSta3AQl72rNwUHtgViTJnIMIZKpAcWJWpCRD/aHbrFMsrAyqRM | ||||
J5I0EvkU6SRxVgWMWV5SfIrpm65jeImHfGLUa/Aq1X5HWJlMzUJqGHRA0ERa | ||||
LJWeJdUAmy3HFZVc0IUqNRJiwV7BtJzGxcxzGibLRCNMIZqtLbfb0pfhurjV | ||||
YBWDzuyFC+4tM5DeqkzWs3ywzU3SAcvY0sOarikePg9Kz8mGgfIaSQmIOWtE | ||||
wnZC8cr5dG1im+HfeLcwB1W8eYGv/K22wNGj6TUltSiHo4Zlcz2kLwRVvsS+ | ||||
ATvYlv4mF8u6I1I+FLLZjUd67dgNtoy7SyNTB+3a2K4SXDLzBh6GdQuk/SZ2 | ||||
PibPbLqaWVPb/KPk2dZWFz1zdKH1+Mmig9F0wAEPhcoqeMVI6Dxw5k46vyuG | ||||
yJAVzUveNsBz5VEzYJJaBRaHdMY6qnefouZBATUe3VNigHw3YBIpzmZ4xzsu | ||||
RYqFEIK0VB84Lurr1G3RGv8vXHPB9cpUuutIEB1GZ9QGwA8h9EvNMElYhtc3 | ||||
w6ZadOTvdPIFVcoOfQy2XTSZGqpaXQIK3UZW4Jv6mORvqpAdLKbHvJIdaK19 | ||||
HOuFpZxBcRh9n7SswPj4P2ToLbHpBFSht0RzFiAGSklYBVWc+6SA6nJY+gha | ||||
MxNnI4lFqnYGPaGTKRFc7Y0l4iG8Fp6UK2ltmxuR00SyElwRzXotW8E0J2oF | ||||
6Kk8kw392hBItT5Q7pNr9FfUlKGw/BjDDCPI+oH1iHJC0OP8nCLBXkrhLrdH | ||||
ru+s9vJ6A3eKDuNyXppbqbmbmGHZ0ls+qCcYVF+UbEOun8llZqmips4lLj69 | ||||
SH8q0sG7GLlegU0i0G00eEEy/m/D0uFMts6vXGUiW2u4pRS3k7TcYUhL8KJI | ||||
yQyWY7sQX+1IXnMOBSn2q8djEmuAYMFplHNlqjYnax628jOxXW1lQb0cpuDw | ||||
FqZw83CmB60Xr8eddn/buHhbk6Eja82yV2GhDk2F42SK39poAFe6gzeyMiPa | ||||
4FROHrA46U3dmzzlKDlxrRIb1Gp8BFl3oQzYI4hq1Di1Ed8fbM8k+7mMEd2k | ||||
KSq5tcehKUSDJHDhLsNZhz1LR5cSjk+GpuuJmGFZ7nN5urU6LX55Njn3aVBY | ||||
dxcdRouFtkF4rEqBVIyZIxHsa3FaoaixDeK1ypOnBGTac8JGUHU68Fg4lNt1 | ||||
zqU2iujuoQZlN5NqPKrUHODsqAZyOMO1z3PtdBfQRm36WYsqKKsUYCNuQ3Wj | ||||
hHU+634Ujga9KYAyDDQoS+31LituirxbDL+ulA/Mh3xskcwuXeSWIymqnTiP | ||||
jitx2w4yDWX0NodaU4ikraiqC7fBXXhNAhFE62/Wcru7WRjnejOQ4IkB9tyg | ||||
Q36hBSZslgsFOjEZ6ruLEwTB4e2Fe9E3WogE17dwolhKDUoRT2L8Kfl9HbVu | ||||
BZogva2ogn1GbMOABdp5qIWQjtnn4N15okyY8nturm5bLD5z8sEJFLQIr1St | ||||
ECiIuAYLEs3ExylXGuxtirpQ+G1QmbeyIpgtvCjQoJeb29gImugmLu3u8B7h | ||||
XuBOPY9O2gu4BknQ3lIGmjeuj+CKixSDggNwHNHtCQK8wuTSzFc28ELXxoo7 | ||||
eMN82Ukp7liDnOazWnF5my2BlBHti0Gr5CnVWXxZnbC3Fnn9XAp2sjCqRgu0 | ||||
bpDUIFAC3aUtRVfFCb8gFCfEKu6i+72woc/XjU8BUONomX7kLlsgaOE9eHl+ | ||||
/i6wZLG4w5JZdaU2vJTFJCaVLI62Vew2PqZNVP6ipdlEnb+FtatNazNL0FRG | ||||
46L8wdYdMaazVWs9oaHwJ3SRga5xFZfeWuU0KC7vuKZuE34+od7ZMOqFkQXO | ||||
To1ft+7Hs0fJXEMNFCDtKr0Z61WziNXd4/u13DH+ZLitdYyNUVcTuePC5au2 | ||||
0k6NY7mRCq3ETDBeqQqel+g1aQ/C+ZFLzteL2dJpnn4Mj7r2AChHUUxlrIZU | ||||
5IozdsKt0/LKIRs8vSRvPtEJZ8ltWbYvW1BjLLailnKTeoKfpqpMYy2sH0vY | ||||
Q60hhlVuXFzTn05PcFAeqnE/VYoi9N4kQSKzxMCKra2HFIp9lFDEH37/6SHW | ||||
hgck+ZGMFa+0QXzY0OSd0xXVUkGk9JhrrA0A4wbHH1cs15y+ONzbf/IM5Jxa | ||||
HdQwSFN5VXvBV4IkJT1SbISP3ak3nxI9shStRz0gNON7WR+GHkk5OM390+9p | ||||
zfQ1/uZsqqbTAuKJWc6701fvUQyCd1bFB/iNghJtbyqKriLnYpFUjqkjs/El | ||||
dkjsjV0mwSxEBvWxu/WrwcEvY55+TGYDEb/WWYpEBrPKjcmOIdeDBW/zfBR7 | ||||
EqyuHIaACOYhDwd//erohQmrox28OTiU1vRIv3BRJIlwFAfMTN1WkERS3bG3 | ||||
r97IImA5SN9dNVJbF82gtdceanp8fYdMqLVlgZRNZSDNhE24vnTtJqUgLq01 | ||||
CIpE0t/9t8EgOgBSEmNTTaVyPtK5nF6B+rBwcSOUR4xjvEgvkdFLeM6f19M0 | ||||
S6djqgV5/tXRcyDTN0UqDX509MHg96avkMODTw8VjcVO1Hrc5bZ3cYX0wpp8 | ||||
qFwEg4kty8FUYekl+4P2EZgk+jJ8oReV8QIo0cmrN9F257tbvrEVl/dvYMoJ | ||||
Ygo552G4oKgFEUgMz8DZqT6Uhhq6EAZn9nIQq2FAKyHalB5D9vx0voGKlZyW | ||||
JP7gbpgAwF7CPRq0fmeo5r3me3VMWU93T/kK7ik8aj7uR5RC9eBBtH3Pqej5 | ||||
+00FjwZT7Y3GMpU5+VfJdBp/8N0dawajfAacHwfbbnT2+vTp7N3+zs5gtL/n | ||||
bAFFUlb+CEMuUPdi8B1BEj4GYQT/O0nGnMOCf+wmkyVFa6Qsf4QaKsWxYB+v | ||||
wYfZXBNXMH7jI2skiJY+mkEa5SJnTjOWd8wtrGShrqeJVt/MrvMFWUcDwdut | ||||
1Dyi/BO0FcySEuzXOSZazVej22yfDPPcWPP5GSjtZEW+tJTVsXafWUIXmu4L | ||||
uc7x+rpKe+cv34+H+hUiTFDzz8VDDnxkZJNZYZji91HPhOsRQ9Hgxe8R1F+/ | ||||
/55TcbYbYRZah+LJUCpRmBTFc+8wokkuKagECA6mDvL009u+l1gyVa+RgcMi | ||||
0tKkWXTXNndiuHlthc4pIySUtrrLAVbC0JOTBVJ0KmUziuWmA1AijQhHltVJ | ||||
bbT5OmNgcB7Y0919KpiygeLTkF/K+73o+z7Bfdt89F2foL+B9m/cluR2qhBP | ||||
xJuUK/wSCadvFi3YGGsOankns8LHgfwC7g9knh6hZJ/3tWHN7m7g9dtwO/R2 | ||||
6v0IFndS1+FsO8iy3n+jUbBOiK+bpsF5zw5en9NXuJ9TOBYpb4MXzn1nV6eS | ||||
GJFBtq6qAEzyL7xHAwkOtaBY8xZy4bTv+nwN+U6eRr1g4xtr/7ckB273t7bI | ||||
JmL2zsu2ZAvJ9oajwa/vOhrjl/upR0PTtB8NfoVHc/J982jqq3NHw+fZdTgn | ||||
33/W4XAZq+/7lkae8OHYRg0//XBk97rwoC2mahde78LrjLIs7YqPbqPmMDD+ | ||||
Hm5jcvLnsu/ExBIesPKscyqgMGziJtzkppuw8gh1hNsVb6YrsDJ33jBmD2fr | ||||
k71Hw0Cl0kJfzeTbWhfzy2Aa86Z59A4RGp+mCC0ffFFpyIrGDbfE89JrHNDr | ||||
V+ojerXDk0bzRrqe59GaHgnDe7cEl6PoN3Y4roIMz/M3Omiq5Yz5Y00h5YV7 | ||||
TwLCVfNKt7a+9XInYk1TE8bHN2k6ckXdItSzYVIjm/2HmTnAvxO6MvDLbktB | ||||
rbKl1Men55Ly8eWDKWiAgMYPusp/tD26UaVZcQ2G/xyNphNTvWLT/cgvod9s | ||||
WoBTc8zXr3+mknPXfCRFtMwnF/Q1PLYPG//0P/+P//3HH3+Ut/tWKDNJ1KAu | ||||
wNE3lAzKBRPm4PI6ZuKGCciZ8BTc3XsZd2AulcyoPZl/Eubg+EB924avKSKm | ||||
B0tbgvmds6TXXZNI5q9aN6+TKfUk+MlzvVgXZMuulR7ADXige5NgN6NSwkSl | ||||
tUKd1ZmQukj6q+Pvz85Pjw/evB8b5qA8hYS0CItbMFWiHxe0+d4xDC/pRd2j | ||||
jIJRLLZsbwFO0wKi9gFYIBn7AkIYKBtP5X14c3sLHjKFnztGmChhpR+DUNtb | ||||
J3+2A3S8vxu871FFIECSyIbX94LXmxCYdM/PctwTD4FJAIEJjKDm4Y0jPKUl | ||||
7LYuAZ7ZBEIeYD8YoA7C3Tvffxa8b0GIz4Bchs7OouV12Fo/GgEqXj1yFcfD | ||||
9XfhuMsEUuKmqUCvgqtWBsZImHeIU+HtIskG7aNZTo0cXGlr5+qsR8VSkaYd | ||||
TDGCyeOiusmLDwOgHZcZMNyE+a3EjMupfXooNn3JgWjVJwgGRpnoNhH1a0q4 | ||||
9QWQyajb/u8dMWGefKfVVo6s5xQG+htN2k6j0A+d9CvtEdu0D4TGxr2xhaoK | ||||
gxWNf8D60VhkZwtXuQYdakoVKdEjXaFXTyeEAe06h1Ev7LQJBziLHtA7D5ja | ||||
Eqd1ZpWUKuq5x+0SrrCXRtD704e96/RaNTN2hakxt7W4dqUhhPFS0uI59zKO | ||||
jl2s7HF2nRY5Jee7zAZfN3B72OZfs8U+pRhmlydLDhgPLSmWPuOCxGK1YHrQ | ||||
HXAzyhX1MHf2nrRmFINn+BGXPlGbjrQ0RqWtrVc1nqc3zwJavB8hknrly+wD | ||||
/p1jsSVdUFyz46CyFL7U07V0KFiiX1mqFeL9ne/b6Z1MFb7FaozJZ0HFqNa2 | ||||
3m/zNb1ia5roaAMaDRADZmhoSLbUUw3C8LjXnGKefcPTpE50AW47WsVpEXYd | ||||
8WtfYnWpCy25q9FicL7dw7kavhoPQihyk5v0JiEXJQUPY+XZfj1ADFGIqsZw | ||||
0dsryZwiJ5uUquUCcnCnKdwk1jL1M1TquEQB1mutRwRR+0wjpgb1PcwsgsNF | ||||
4uNmTSmnHBMW2Gas54YvBP77xHCkeh1Bb+ClS2ySh2rwr1VIIC11jjQdr6pz | ||||
zb/wBQaICngX36eHJHnW6IoKp6UtTSAL8KHXWZAsC5i+Ql+xTWYs20RdyWXE | ||||
pGbiz6ipF7EmeFgeV7bkc4XFTflF7RXTCHwImiTZTGkWFCh1nbJJevTBmTyh | ||||
FX6f7o6JKB/4srsdFVR90n69DNAQzRMYlVRrnG46HOFv2IZ5xNYq+vuYMXDH | ||||
R4Fhoj+GFmGrsAsp+Eg8ytT7c0GZPi83iNVSnsOFmymyxRQdmGImV+JWF+UU | ||||
C+3iWaRGtAvjt1WzMcspTENxo3BZQm2ztGF1YXhLsLXoEVzDR9QV0wErkhJa | ||||
DlRScKEjJiV6y/WfSH4DAUXKQf3IEZTkM86Sm8dAKnIfwO8Cb6ogTI4SjagA | ||||
OdeWTZIV0acgiZyDvKjGuW0+Y0Lu+3UFEZhPNR16okgHjSgZJGJQnRgZ3lZh | ||||
cCHKdua0tCu9CDLdpVRXawxdr9EUTyNY5DoyFitxo9JE+c2GvAxfIqwf1pQZ | ||||
1lIvS+/3M3VnbF0TmpjrUNa2yyDw7kaiSY2ugTiyD8XmDHHnHK0H+XEOyxGl | ||||
rETtGSsoN14kLsmrnoUCDHeZxBmRN4qj5BoefQzc6nM8K6gsHKzcAnaAz3gY | ||||
nXJbGBfVa8+4ARxdmImfdDkcKQvodPtN5FyW10Z1nsyp+NdcZmxfsrqbmMYE | ||||
ZFavXeQohouFozqpGqbrehIChsAlwNQrlKix0ahkulKWmSa0AjwmrryL7lQh | ||||
L2blIKNeTHba9hOkgABgJrmePBX2OcmSV9zJENVdSEId6jVUZKmqJaqGkbIF | ||||
ybUSVB+kKSqF5kvxc6sEt20z2pxMUvVmi7jjvu8k0m8AxYcFejqsqifFvcu1 | ||||
dVnQ4WGDgIVX13feQy2VUurFEoYVDkxJEzOr12fxOdNjIYCuyQLrhytX0IkE | ||||
iZtA7j9HNiEBqT5Vb3Fr4EsuBHSl6yQ9H0me29w9Np/T8lup43Y70NzOAGy0 | ||||
HCaYcLWSFqEIqZfzdrlhxAogRZKWqH5yDnRCMt68bSifLle3VNbFpzAYg9jL | ||||
1BfXC6Szra0jJ84GBcWdFKxQtPJ8iMxZDUjDyBQ+NDjsQtbVCh+Mj9n7ccES | ||||
HIYTk2Bv9GMzkAZfUBGFAK42R5dRuB6OjVR8mV9zTC2CA8Og+eqXXJAaExuJ | ||||
RgydfAFwXXv00MR3UjFEz/Lh824msb+Y1DxsltCXLKlmXTb3YL8lccjM72pO | ||||
BSLQCCSe5UiMWC8Ccd4+UktA2trylRB8L8woEJPrlYxMNA2F3rW4Fv2g7F/k | ||||
TB3vW3Q1655rpb8tiisxzsZD+pYU4MdYUXQ4HE+40BCnwG1tb21Jhbsvo3+N | ||||
xl/g2NG/w8PobOQKCl9Goy8webzFUUmuL1nWoD0atJ5YjC1I3cLRy1zEt83a | ||||
fD4+2wcSuCKANre+3nMWiy2kFfkD6YB4QgTKIIyMsjkr9ZB9eOOQVncdg6SJ | ||||
3FYMBK3ZoLZAaUe6KJIWo7CWFGKrAbimF4+r/sY7kwq6Za1kmILUNHDATfJp | ||||
DTbFreubmN0o5ikP30PDlWr4XoOplApssGk2pkqwL2G1J5X15LxGMUi+OMwa | ||||
Ey9AhdElX2CqMR++x6KYxJgOTAoIxElHAUn+zofgYeOgWl6iBDzTJBeJ2uDI | ||||
AMLjFDKFFwOIffpn2ZQiTjOakM19aVkn/CK4BAtomSkoUE9iW7OKJSfYEGra | ||||
0SQ23ar8FF/AnQpq5UOpxcdtvz47NQ8MPIG4Q1fPRLTXYdTD/keUSNqCBds+ | ||||
O9wN4zJBXdbGjVqgPbpMWYekvlZclKfOCZxM/VvllP5t2ArWmyipyrxIwy2Z | ||||
sw1BkAtp0EdkvR5bbVWgf6qkvr7ZbY1mxYfvKC/q1mDKYtm7Qg3CeGiKjK2h | ||||
R3tibhQvOZkMb1jvAgQFkQOWKaEsALkmMYnZHhD1MpltUxknOS2/GCfSSGFy | ||||
XE7bHSOTf4hZiIbudazfUk8H9jsSvSHANZO/qAda38CG06Xw2a+lBgsddRgr | ||||
i5xBrLl6hbmQ6cY8G8ngWHIaYWx7aA+j1xxLqubMsG5o7otw0tNE7a7ynGpQ | ||||
tzIW4lKkQFRcHyWarV25/boD7AturFQjrS2WPiUKxuLX5LL1FGxmJv7mvAtM | ||||
MJaXYDWngJeE+i+zAdUr/VobAjmhGLGEo6S2r1DUor2/qw9IKjum16UY2VcE | ||||
abrdp5vaqxrrpSF7QFpDbwSatpxJDWm2Q3DrW871NtzUa31WOXOJ0szoU9fP | ||||
TEgE2QkQ55yNQO6MVcrmnNBt872kCOBtnZ+ztmzojz+kf0hdvhbxfIzi+Xij | ||||
eD424vm4Lp6Pfw3xfCzi+dfvv39/ePLu5fEp9UYad1TwNJJz442B2gkxWNY3 | ||||
McAA054vLbBJhnVnJB35zOjD+h3tEPhCCFJkXfslrctq47qs9p9BXL//BYnr | ||||
aUhc1TsbBlA16SzCdS2+gVokJMUKYXxfD5fah/86grQdbUtzhJe9bReL/Lkh | ||||
ZZpEg3YRuf70tnVY11Df6i/BesRrN+XtML2bxpiVB4spQCO8dUWDAmrvhgig | ||||
wcFQpNWYAGwpoqMBUACa3/3O13rR2Cr9i9XWcfT734f3lY5G41dEpPyZOQKu | ||||
MxFACWvRkAtlsu1orQnTCs7K9HLZfE73XJ+rpd+yph1c07hrTfQQV8F38UTc | ||||
8MI2fh9YlA/7rbMri0zp6Mybu2OoFeCRMd2A3LmNCqF64ZgYUWdX8zr1CqLj | ||||
g1kYAe6t5QqD/fUw4UwP6H1evGccB9jTL7/CGbfPRuTOjfJIS7fMlTyKC1A8 | ||||
lP4+16Q6TejaHe7WKt8bKt3WD2IToveFQHTlQbQcvYoHbT2WmIAgdetZ7ywH | ||||
dmWkk16nyQ1hK1XGp0DxNirxXJQZnxj9ZRQQH6Ay8oji2vuYinfDQ11kSceU | ||||
ImpfMiIQGbR8Hu3fPqVE0ADbFhW30rb2mmxFSbwUYGq1SurnLd/4+pEmepnD | ||||
rFuBqPFZunPfx5FEGGR4ps5W9LhuN2zBPr/37S3XS+dkbka5swOqhsH4V2zn | ||||
0FNpQOkdJ5jH5rtRur6lpqOAawv7o+nvQ5Tpv5A9j49ImacNaK6zUG293ohg | ||||
biSCmAP30Ybqsmy8nnycJsksUCcpNM5EvuvKqUPSwI8wNjuweP9lgHPfAZsw | ||||
G2tRUce/hIoqWkDT4Nmuo47bDZN1jXT8GRrpuE0j3eSklrvuFLkWH7XW9iSp | ||||
FqsHUWdu/ntvUK0pREsDSguu7jNDg0HTuc3rgTVjZEhwYF3tdz9Tb/Xqqb/k | ||||
VCYknasOuy1k5E7lNeQgA63JHBQwIUerqToiAQx17oMZBquWeWh3b6me8h1i | ||||
C9dfPN3e1FsQE6O99clup4fFgaSHPEc98En8mU0RLbzes+H7VX1hbSCoeKV4 | ||||
XMt6Cp01jfOO3kizVim5olw7GHrT2d3fylAzLP76VoammWGCZobJRjPDxCjJ | ||||
k7qZYfJrmBkmYmYw93PSZWK4n2cn3INR9O9yykyaTpmNGu+ENF6WmQwDUAHq | ||||
n0DvpUX+XH133NB3J23M2iq8k1DhPdFUGv2LpasJSpaR1Wp/anp1XbsYd2m1 | ||||
k5+o1d53gXeqPKOuRd1HrT35fLX2ZKNae/Kz1FrTK26TWjv5SWrtr4MKDeYz | ||||
UbXWx5P9cmfcPtuvq9aO/yFqrTn6n6DW3qmkntyhpLaTkjYldWJpV1yLq2YY | ||||
11ity9neG465celwUgNwv16x7jNSSYP+DGEm7CvcV3XVlbxKSY8oW1JssDhU | ||||
w5m35fx8ypJjS5Nf7qSuHj1qPRs8GHn8lbREoTXb4lwB12go7CQMGCy4h64+ | ||||
8SjgdPVQWT/5fGX9JFDWT36mso6rCsQbJQKMF3hQj9SyYyPZ7xRAdlUAmfTD | ||||
k+ZN/GcJILRytQPZLMEACVrLZIWBEBh9J9k99TTBeySMmaIokuPY5i6eiL8l | ||||
SAbZoHZPvNr9ReT1hw6LSo8008NAlzI7MYlFmx1Em1UQDnylyGtKJdCt9Wv8 | ||||
DGEq/MRnqEpPK6lRyVTiFwV67WAlyANDI0CBxbaH3NOukeLZnB3AuqhtCSM2 | ||||
G7Vnd7l5W62OmjdJuqTccAZfdhbg9Pbs8O3psclLaQujaZ4o5Y8asaFWYVe7 | ||||
WZRYsT1FBz1WbY1TLvbJxl7Q/qR0O/Vv7h0cvqKG3HFLHOkG4JKG2V5cn/Dc | ||||
Q/Nz1n+/gIjJ/cIfJp9hbJr8ExmbTu8yNvleAN4966SOX1zc2EQ6TPS+5/UB | ||||
Ha5Xm/nZRrCTdiPY5L+kEezkLiPYyS9jBJv8w41gk1/SCPZPxgoN3taYoSdJ | ||||
/4nM0NLFn88M7ybfjj9smP6XZBd+vn/eIKymeXQXzaO73WnQXrpwReHevjs/ | ||||
efvNwWsqUcHRb0MqnA53YJ6acv4ZWlslE4kzcS5uXX5ULf1S93mPljdN0cYV | ||||
JEpmNa7h8FNbJzH+ipxj81Eod3ybMoOBkizyW+4lxcqEJAn+Ih17+gamekJh | ||||
HKJ+uqZMM2x2mJiUeBLX7BLjQnI1fTU4aiKJ0eIuo7ZGxznNp4nwso8hZl5+ | ||||
65o71J6gkcPt+sOR7VrhSZOzwkbS0jGHmkFINXkPmGb6ey07VIIBAGGRoq+c | ||||
R7Ddwr9rrOO7dQv/7q9h4d9tWvh3uyz894rkC7fwGZF8u10G/rph6J/HIrR7 | ||||
h0Vo96dbhHb/IRahXWcR2lWL0O4dFqHAJETYIyaeXVcZ8wv5+3PSgmoYeG8j | ||||
TM1gsPuZBoPdz/PT797PT99A5Zq6tPtPpC7d6Zv/r6gu7Vp1iWTfhsaz++vF | ||||
rP/DvcksV/v+dg7P6jYmKTZBuS2adODpMsqLJkQMvzTl0qLeh5rspLoCZyO4 | ||||
tq0V194xlX8+UPDzQyk98xLeWnBpG95pR80spn0UeE3VGoIkmyDx3bXDqJXO | ||||
IIWH61Asbh2MfSpVOYxM5RjzuS8dpgWinLaADw3woQF8SRj2BnHiQ5pxA3V6 | ||||
QDqDIhioP7LmyNTzoWF+0qjwwpoSAOIUBnpweZlI7puMK/fDpRi5ajai2biN | ||||
1B6lzGgp84CNrrGgBoG11kDWlBPiYbTkW6vC7qQixfHgkIZAEFiIriVIoUe1 | ||||
LEWV59YzF+vLS3zywufWlx/S1QrvxDwo19H3d0lvBMBLmuBxvxYccS3th+oV | ||||
K7j+giu0QyUrGkWRUtfXhpxzNzHWewN2soADo7tmtINmKQv6VpUluqXNW8zK | ||||
nmtCJboexlhWzQxATZWcKdjd5bWXDnsKApqT1sekoW3a6CtXJK+ed5deXlU+ | ||||
867WJgsPBYufVdybM83WScvwpspTuAVBaZLGEZvTyrZ2Y64NXIk7s+GFwgbe | ||||
PERQy4W7FQuGxxawi/hWym3ZVn/G2oJ9xwt+rNTqiVoeKcmIEdQgIkmeWgjC | ||||
VLvhuEpkoait8mu/oHTOA7Jkfnx6+v7w7dGxz8HHT06+efEWPsEc2ZqY7mp0 | ||||
EqVS+EudzpajwdKaJj/ITTewOaeNpF2MKRUjF/eQ54IgptKiWCIloiXT7o9a | ||||
p45pFWWYLRaCxxLF2ssSrClzTVSNdYzrxCWyyimVQ1ksQUIXaxr1DbVDNK3A | ||||
OQQZIRAf/PZcExos5zHTzJ1WO8OdLEUJiz8C+pjKqbXzGgIQCnLEhz25tE0H | ||||
hR85KTasQxzFcXl9ufWbgfsxv7b+3fnzm60fPAr84AFMjZN/AKGQvZy4pg0/ | ||||
P2z95kv3Y35t/bvzB9ciPzvRD/Up2FnD2Gdxr2UtvxBc5GcEc1fo+TZr+VPm | ||||
FQw+vS64/LJrGcPcks7t1vItNVVtN9D+mmuZIFyKtZkE4UK9Mq3p3iVnz375 | ||||
tXTTQb5qLVTQ38EmBUHKSLbIM6ZlW1vHniTuqJxSI2gRNyK1UhJ1DRbiJWTR | ||||
FeIsOV4qm2GTIsHmzAXIa2kiNQvCV6gRrhHftZU9LGiRX0bU5FIlGV1hvZIn | ||||
TGfbe4Zl0pKPnE1PwVYohCh3FiGgWbmrUZtgR9QgkBk3ST9hEn678EiAt/eK | ||||
dhYcwcgVbHcKgkjes5wq9VzF6BvwvQnNSoV0Dz2Jc3pVRLYYTrOwcXdxdLVe | ||||
xtkAwzK5HpovZO0AQmKFiHMwGHYFrLj453F2uUjLq7D23IM3HKIW1BV6wJzV | ||||
DF/VSm8hoyJUYyFEyovNqxsqpZeBKJ0kDhase3gZW4UewtkV9ppBEV8DaNgS | ||||
FSaaCvyEr9bWpsvym3YWUa0FCPeiXk5aGqBU5jXA4kvNwWYidqZE7JCJ2BkR | ||||
sU8Pa1UuAqQY80EG4gapKSReSjm4IMff9ZgOSKUtm9LQolvLQJl0Mnyqnofn | ||||
agnF9SorhS060ZiO2uVuMIqwvFErccC1Q0mIwe31PZp/6WuGSEUWPGtk71oh | ||||
I3RFarWFlsxCV7NbtrZplZWpFXPKRyTlWriJS8FwaC8iUrZM3gVOW/eAxcrN | ||||
AIx6KPNJJ+oFuY3TDQbhsBwDJ/dtb9odjdReGsUu1bmtmkV3al5CPw3wH53F | ||||
Bc+FUKeuhTgw4Thr8i0FeO4+WVTJutbuab7cZbcokOyxMkvHoZoxTtG6xv19 | ||||
CqxgBFc0GN0Xd6nf02AUUn6BZ2JkLREsjnhD025AQb5JLnMEZ4q1tVmj92YS | ||||
HawtQKveGLre7liq4/S4fNG2S9+n0olMTIt15q1T1v3UiHBm6l6qyh1P6wY7 | ||||
DdBZY7BCfblyFqDUJFjNVBbc2agZ/VrejWxLPQKRdAVUpVF1pWUvwympW5xb | ||||
HRUNFKMEbhq2kzPGUVskpPf5KvIdRU3VNVpk2VZkqFGaoUYUCGBOliA4d5IU | ||||
PvjOBg51gOJ1c9Dspg8CSzgbPpdaxWybAdIoEQX/M6dbSuV/sWZiSdewUFG+ | ||||
wCYMZAu91ayRFq0xX1c0DOBY2IrBdo3DHkXstm2/qzHZ1ZoVlmCV1MZarRx1 | ||||
tiEO0HqFvG1XCxPJfj38g00pXE17SqZKw7DvIM50I1qLqTla22L7plphjqX0 | ||||
2nkqLto544i3kklotiahC+3qZXR3MR+K+gmxulen8ts1WcSKGhdw/biKECKx | ||||
KY9f+pCWQSbG6ZM7oIU0vgNivh5iC9O14PS1fTN/Tt3hIx06wQZBZm4qGWUW | ||||
FVAQztIVOyzMjGSgAsn7NoyTsnlT9YSa1qIpvu6pkhp/V+m7LuuutOHQcAhs | ||||
wEFHAtxG6sc1q8s52PJ5XNf53B51LXpKjYNwOc8QGDMqCl+66Mzwdg6lb3lp | ||||
DVKjjf3t3GPjjsdKiu2rBXtoX62QW4r3xhdNlMhAx65VfQOsdkhC/O5SXUeW | ||||
G3rCxiEZTVGg5WIrVFnAkBMBzbEXQmS7ToJ85U97J56Qg0IvjTj+Kcqk7X7t | ||||
1UO6iuQvxNj8jfPIrMXe1QzhqvapCMZGVV6FlZxqUcYhJZMXnLus4HLOymHN | ||||
eEwmqH6vL6ZTG1scx2WNmjbqKD7xEk5Nu3H1HY1yotDqk2bGFcVRol3lldiM | ||||
4qpCR6mETAYwzrwo12oU9Yv//B93cFs16yOXn+17GHyJq//6/Xd99qhztbRN | ||||
xr+f+vP7H+prqf14hNr0c9co9/tpH8WZj7/EPnPurn8JWNE1yu9+PmB+c+eO | ||||
Nthl79jR5/7UR2lBl39Fav7vG3HmnwtfOk2rI7WqHnZcS2frGt3Vxc0Q6HFA | ||||
oMf3JdBltC+80dLpGg26Q9piTouy+FOgf3kEfH5dVoWm8dqdLRO0mKbTMrrB | ||||
mid1ji4kHuNP4uhyjd6wDRyqwWIcEzmTnmatb2XiS93DOFak9Gn1C/EZD0yr | ||||
YvfIvn3L4sb2PbiPG0b7iuA56G5BlinzGjva/6XZ0f4d7KijQnMblxLkwI08 | ||||
/QX4FeljoxYDzFVsC+p6BqkSbuNU8/Vi5m3epKyz6oQeKcKQvuuNZyfKL8hv | ||||
JpgpE7Ed6nPNkoK/Ynmk+JeyPh2vk9boeg25SQ2WiaWHnaKlhH4BZvP7BAbZ | ||||
6DRfJuE6SFWl2F9bRruBTAJ9KUtEDYY8PGuqP+otl66yJKniXcUlQUSdXrkU | ||||
79bkkH+QnPLT2M4/Gd/51eSUTjHlX4FQ7f976yj/v5ZTutCFdc5upPnnwpdO | ||||
OWV8bzllfHe3WefYPvSO7VPn2A78UZM2J6WEp8XedmI85KaKSM8XrzKWDyqb | ||||
4TP6XBbVduit9EY6msrM4E07zehAb/tn76n2W9VkcwqpEX6altalmhrxxo12 | ||||
c5VzBBVxwtZNlldE1Fts5eouxsCzOGNvTscYPjOl3vappT/QUJrKmYjCth5r | ||||
U1oXWUY/7nEc0cc9kPhQAgq8Gm1LkhDVUuq/xDyG7NWFDcyRqUlwnOsDp0D8 | ||||
bri384xq/LENi7vFubBlecofIWatSBKzOZbqCkvUU4CbxC+ZAXk3JtCNGCf5 | ||||
S9FNjFa1+9Tsjyn5qDJ5ByXZ+uPZNUACS0ziHjV+MGZnQ5YgauGXVMuvA4xy | ||||
VoRU5lb1zSfWNOSi8PBrisMrU7rVHFvxHxih8h9Rb+fjfG87iJaYNKMlblTa | ||||
uuOWkve07hWmNLZaFttR0I3o00PbG0i77F1QWFmMuZ6MEHKr1M1uR4A5rzCa | ||||
OmlrRaTCqwaxJR8TAATHUtD95ahjrYoRc3JSuETMucBkAhu6G/Q38oVu9lyk | ||||
/9MxRvoLIvL6BPFQHnRApSZQhxJPjvjcO3z7zXZbg7FoCdBIqekktYwV6rlM | ||||
JW45zMkXqdusGx+iuE8XdZsvlxw4EfamMssPqJmCJOiT5qdFnRILAfRJdQsQ | ||||
xjxPN8vHkObSA8attUSdAePJ9aCT2lGDMJyvC2q2vIw1/tha9cKoBKRSiwWP | ||||
TVcAocM5bapSuiS8Ci9gJfEuqOxyWKNvhu3iwOH004KzJhA6PALFd644tpHk | ||||
bgkHcCUROOpW+I4LzkHMaMNrWB5GnMAlm8bS/ZBoEfGx6zzFqIVyrVWfGodT | ||||
+lRh00dUu/9crlMC3QqI2pSQSlssmqoPdOgB/G35tW4Ee25Zul9YGGfl2+NJ | ||||
Tjdp1MzdtJObKkCGGboIaMZhelNC0LjtpZmw+ZrvJ+jzFbmXe4WOjAIUletY | ||||
OTuqXdROc3Mvz5NMPI9l0m9H+/bWc0vuKEhBwVOvoDWawvmCHBhBBC8+CLcU | ||||
nNADG3we4juBibO2cSLTiIdYXjiodGGVvCBKGUJQsf/AIU1f/ZCt87GWqsEC | ||||
KYZJ0cUoEqdEkv9gxqmui9oSagvse8UXwZgDbGR1iC1JPAv2FiSO1TcjHYSR | ||||
bMjO7gSIafGtLQ5bJlI3MOOBbkR2q75okAeLnJowayfuqeu7hk74Il9SL03s | ||||
/Z1WLb2/cWwzpvHnTehAqNOJFJ1gGbiHeQTBQWyjvn52YKqv9cr4ti+FGKRI | ||||
XD802kidOrY72IpYSJUBmLDuv5GoBOS/UV1LcRsb1McqmHIyOKc3Z1NpUy4U | ||||
qh2FXbRkJYYZ7j1UbzVLJ3tpmmDUqIBpKQukKi0/GI+1tk7n5dPig/7vPYnS | ||||
2obzA1BmUyeVlENtzybLMnlJtRVakvABXfvY/V2jtKjpFrG6v67TQqbGwonA | ||||
SIjdo5943oIVGjBLRNkIQVkejE839rvDlwfffH38/vXJi+PzkzeSX+8lmf3h | ||||
uCbLbLMwhxnJi5TI8ykvkDPbPz1cVinbr0nhuCi1cnSHYsEBlRSM6GJpnhP5 | ||||
aiNcwk1JfghiRegTG0J0jwFcoBjjO4ajZI7b8GfaNj2b4US3gyofuFGRDIay | ||||
hCQ5yhy12m1lOD7zONN1PEhp3jTp5+zMCOncs/nw8KwfHX573meNCn6Hf7fD | ||||
pdVe+jkwcGzBVXVoe8Ms3+VrWoWkjHpqotqORnQnx81CDHet5fjg6K5HapQO | ||||
J5oMo8PAIzIGAff4bHB4+GYwejJ4sjsYjff7KMgMxntPKCLhHf92fEb/6X6Y | ||||
k0YnwXjwfW3A0ZPPGZGOn1mKEyaAIOvR+kKy7GzgfbMkRxSKImr44dIrci6G | ||||
sHKjJxQsWQMmze5iqvVLpgS+bo5IsGLkSK3FQm4dpcieCe+jnpOmCMWnh8oV | ||||
2f7knntX5KuEYoH4GS4zocokBu6pWKsDIBXSVyjjl4wProe2q5UB/w+0nuWT | ||||
s5Ov3xwMTjwt//SJPpL4Lnz8mxx593ffwZWuMBcCHqGPuFkAsnjqquxlbCU2 | ||||
O4wRfZU6QYBcAO+HjV1TxGHLqm3PT2/e5+di0EFuS5QDqFGVwM9knXgLVT3P | ||||
C07gT67aA4sM+SK/vGWYuC33fR4vCtLU3PsG0zdKlK+mKEusq7VUPTDFTNjz | ||||
toD9ZZQBQnVGsKjQVPqsrRKMRMMYfnyAkoNrzYTdCnzlNbeK8O1GgRM8hIWt | ||||
QXDHiybi+KtbcdbcWX3YZR3XwqkMyCry9MWXWPOzio6cyuKqblGNHo78p7oG | ||||
R2evzrYHGEgqAjMcMsgCg4tUdGB2tjkxBq77AJc3wBG5/UZGoY2KxKlt3H69 | ||||
XqCsxBIyMppumDsaANQEcJQCn9yKZGcUnVQ0UyDCINngYIZ1dGobs17a1wEw | ||||
pgsjQJA24d3vm4BHeX8Vg1TlBwCky8IxpRrXZbLJhNsYHnN84+uknMGtXRml | ||||
GfYHlFeiuGazAhHOy5gqt9kiBiOFWOayrqnb542NBNROnSjByrCiJ+dofPJW | ||||
V9ztZcbnIuARvzDAAsbnZFMHwsd+j32UC0SPI1xzEftk+Ay0MmRERDOKfF2x | ||||
bclbKOWG2HTkodLrWjK2djfNGDTUbFOs+RnQ1lt6IEsWXNgDJru8gp3MfMTj | ||||
xS2JoHKQwNVpwDIMo4yNWxQYfcLFAVpaQXjTnbur5RS9oI5nVpiYg/WcMkoi | ||||
x2u1reRaSmHhGL5URXMWv8gq7xy0tS2Q3cdk46y24G8wX1jZ6R6v78LRoVoQ | ||||
S7/YBpMAbOSA9I9I6NJK9UySTCntkKrrlIHeXKev2GJKbBOxSSJeiP7hKqM6 | ||||
caO/ufSOxGGIBunKDzllju0uDWJtUImyqWJbbaTkGhQYeBJ8SvdAzVv1KFmB | ||||
EQaNEKBKR/axqXZHIyQs+wfX/7IADcJ4HKwrD9/GCjU5PLSCe2r0DJd5mQUE | ||||
DjEtBvou9EAHQxOxUWYOVMdQzxRMxHtwXjNNfqkvJ+xCjJaCtArcMkEptnu3 | ||||
hnXEqyNHohG34chWM6j8DkYlQaR5Z1ZnigmrFTNRp8HD4KpJ7+O1ODk+f+Hk | ||||
yNIJzi6OBoS865hY0jKHteTke6ILqDRWGaY3fEu0h0QdqWDJyakuTKPWjkAq | ||||
OjDLZXMMp1v48tmSBgBf8TdYvQH51AKJ801CJLqm3rN0XCTwDtV3OebgLKdc | ||||
dMuMTo7NStcIzJnEcjW6ddX+Lz0CmtdWMXE1Ph16qifVfLb7UnfAThHbZ+83 | ||||
4DB6UVCdi4rMm4NinWW+0s3mEwAQoP1Pb2FpK8bObrN4KW1mk4/zdFEVNm+U | ||||
hFC9vct1Kc5qqUyCVI2SW2OpR+WrAeWLBWIvFzh0VyG22h4gUlmxA4SnQNtW | ||||
DoeOvcJJc2AyAQC7KDBsKHHOEdD+AANxjMq+IP3Cy9vlEot8TaNLYNUrPpA5 | ||||
6Z85FhSISVJqYjdmIl8Lf9I6roYNTHPO3OEiYUV8Y1r0MrUE4jEfiNxjnL/c | ||||
wAxLX1JeuLtdp581hPiduHxLPGXll0o52lbBIABhYl+xnpLYgOTPJ/5KBj3b | ||||
su8PKOa84Q1BY98AVTdBd70xXmLB6EbpT0JRW+V2K6YHOiUxo9YksXIYuUWo | ||||
drTplsJIaHSQij1JVXJR8VDeBjSC6wCHWzUowUxeTWs1kATHfT0g1JMRym5v | ||||
Gp7aOkv4XsfgfIFqKzH77zoEtwSpshPXlA7meAb2kjjXTrjaJnx59OqF1EM0 | ||||
BsUeBeaVVySbEZ2ttskGX9bmy7mgdjCf1mkVc0jtEIJB6yvCA76LkDLAQ0oa | ||||
jqJl1zYsmJkMRhzCYoES3FFbFi7MVzG7nkWVsxKSsVUVgXEbi5e+h2/LFstH | ||||
jCEh6XJNRTSf7IJOXhlLjIiNwJ0xY/aiwGqeRPQDdTUYA02B7YPM512jUJQ2 | ||||
kuIPn7UEI/+xc40qabOgTdxE65rtDifRRbpYmEK65GXSkFKkTE/2o9sk9oWl | ||||
kBmAGhizUphmgV/9JD8HOj1LQWlNpldkY6JcvgMuvVX4dce6I7RhumtJey0b | ||||
JApRQq5OvRxuX6w/8Z0z0KDrC25/2SHeSKlJqU5M0t3+k9EExSOvI3MBhvaV | ||||
kiWAynNqiwGsOAZ3F05D5McW6dLXNfP6mKvX6Gowdh6+4hyMg+llmYrG5dqX | ||||
gK2KoOGYa17h2AejLMCqxEB4tYkJ7LCW5TaZ7eLMeKhURdA4QLqeogZO6p7G | ||||
UI3drWc9pPWS3jRY960Jt96r7dcffWASGIdrkCB/Mq74qAluq8N8WQdoursY | ||||
YYBQsSYg+l5JLAL/6yBTJJQY3zhYWSnHu+s8VTOsjyciNOg+gQDyLACHzg89 | ||||
Im6hx8mTkXgDTwZHwzSp5oMpCGWDvKT/SMnUvjuCdtNvx3lo4N/0Ciu/wrTc | ||||
K4ZFjcbu5b6RvF1W6sSn+HhXBFRNZJ1tZuolQGuVO52XtL0WP35jaoJi8e10 | ||||
Uc/UxBcIExMOKNhUur6jakFHzX2ZPmB6yif/yRrQaHmBZlXWRrOD+pHA+Fcg | ||||
Q8ARhztx3eYap3DeODAHf22QkM3uhqFErG4+MbTadNuWOIAkMC/2KFp8O/Lx | ||||
omhlpNa728Yyq1XXYcp15qdXoqExXfzdAOeiwp3UwZermqA4g2+s2wrbovx1 | ||||
CyLwhoYIzuJhCn072U1EHi6AKxZwS2lDO/xnAmnC8JgEQNrlD3epP5gBSFLd | ||||
YHZPV9kN4WpKEvuaTqYBewdH3NTQFbm19cntYV+w9mntkgFlTkuvFAXVvLFK | ||||
IKrTFIDDiKiZcqXI0jBnSUsRw7GGAqd01UFMuryqxEIixshZPl0vXYCyE0BJ | ||||
TDg4MqGGbiYfjQlPgxRGXC++LJLE+CPg2hVYM1ZLfaEZVNEAO8NIAXD809rw | ||||
UYGReMRs1t5khqtJkkPllhKGaM9oL4TlerQHWesvEmqHwY7zNVqPrtPkBlCI | ||||
m1U4qd8rbGScenV4sv0cY/CEqTbFgqAbZtkQ3mGAwG3VYuUFOZgjbKfGMxio | ||||
d1pT3Ft5WCmios/Rt7SMznagIZfs11fkY97Um/YT1tictu+TQ/O7R2rfWFhI | ||||
hSbCxSOl8SIwZeE571aov4U6subnx+HWmCPduRxfX9X6Ql3Vu7rR/TRZgdhK | ||||
IH9eL/W3uatq30TxuFdwcjwgAw/3nZjz8OSoBlBeCx68uNWq7Go8Ifp4kXA6 | ||||
A5mbYsyuZRtV6HtKK7RKfTaS1R3YNveFazxlt4oKZBEBGTGufKSBa+8GND4u | ||||
FikzebaTOHeAz8Kca3cZCkz4W4JFNr4CWKSj/R9/pCCJAh7Ixjv012FeVTDi | ||||
O1zN9Aq7BY/H9MUfYgpaH0/or69ROYNTOFmss8uYHlGqFRTr85WbtJTQhbUA | ||||
aKwE19w7DOwBjQAUNhdINw/yclmDN1kMggQgx0NtmKanPvdipOrvCbyjwBlB | ||||
tEHdQ7bB9tWtkAL6BQyjl5zO2+Viw/Z+YvPntQiadg3oNXHkgaBw4X1/3v24 | ||||
DXkUKylxXPK8BZDKsCCyhtk2u6Z5Olg5lxrFIlgHcGwCFRwzZBs2CFcYfeuC | ||||
MwFvMQ6v7sJCeDp/JcWnSmCBmGhD6HuKZI3G7F///9p7k+ZIkixN7I5fYYIU | ||||
YTgy3T18w1qV1YIEEJmo2NAAIjOLVUWMwd0AWIXDDeXmjqUio6UvFJJC4YW3 | ||||
EZkRmRGZyxwoc+BlDn2aHP6R+iV8q+pTNXMAEZFZC9norgzA3UzXp0/f+j0S | ||||
mThCVmNLKNE2CvPeTs4LUMnSS0SZwdU3rwRmdc0Rw3PtA4GbtjcfXyPeKnXz | ||||
K4GRZ2CcCa9XExLnGJEiigDxzWhqNKdKghCKcCaWPQr05xFYuCYJ/XfhuWdw | ||||
ZC5ksmFnlEscgIUhlw6esOIbSQ9a1LXEaG3NSw4slaVUS6pnljVV+kqRkUn3 | ||||
D7vXr2ENaIru25Z/jvzb7nPpFYclgTZ5OZyXZSXQZjH/6DGRBiF38f5WjMuo | ||||
ssVMBRm9APtrZIsToZ+YEBxTCWxGYXtB3In6aki0CwyuJBY6P6IXCb55vvus | ||||
xd+vMPjvaT7BFDh26FyzDSq9VMOEsyZemXC4zFpQaLGiDsmldXD4rJ3YDlXY | ||||
Ls5mKpcI/LDtEU0fnBgyLm4YN9+488U8hS4nI+w6kzGTQszaSYzAaC2M/Tmf | ||||
50CTXB8LND1SWC8KWOTEF/tJGvuvdls7O9sr9vb3qF5eRtSDu5BgGBwPLkVM | ||||
yHFZB5xTdD7Oz9E+20yku8CLj4zAWxMFgcANwXJjUZ7yySQjW1jSID3aCSoM | ||||
LypaB5ufVkgOM2Z25GxSNdPp7sonmpi8mI9SLYGj9YYWc1+Pck/PjMeI2T7E | ||||
RJ7rjJfs+97qaneTmvt+MNjQ/B0zokodKHTirw82UMN7RiiNw6ve6tq026Rf | ||||
+xsD/JUtCMOr1V532n24VY26l+zBo4PWRqfTWl3b/qBeUnKT0NmfUmgar0UL | ||||
+ZQsnbuHgWWOgFVLwgJHjC2sM2ohvs80UrhqNDAIXwWhcG8TFYVT7PqsAq6F | ||||
ZH3DLngdh4w9uZRHW3uz9MFQyDuLOTor0F4yRnIIWQSGfmGGlIgjkbNHBT/U | ||||
H1nInVNYLt+Akh8ptksx9BKwpQO2EGMwOTp1zI+6Vih8B87dDFUYd0TCh1Ai | ||||
uEIp45KZIzAUVJLnU59kTl4j1Ko4RA4GJ3evVEqYwxiGecau+DNxxLvYYHQy | ||||
8zLp/ehHguKmInrMOWkGqX83O09Pp3k2zrpdB2t5fIHS/RSulF7XZRhKpPKd | ||||
DnSB65hixXOVmV0CoN48TnKXu4vgQC+y8Shm/p4Uw8x9jZJ0LboIExKxjP2R | ||||
HyDPL3H+FDEuRaoASgBdhSJ0kY0TwRxP52TLFrs0knDj+PWzNyv0K6biuBTM | ||||
WXE21yvdQB2y+SMOcqq9geXSAh6CqRmFTovtKgHEqsb9MJWyjwqoqCVbTIyR | ||||
4yorQUdE94gCRHuAYoFJe6vx0FNELArv9aiEssRmYdNJaINH9EhJBatZ4goS | ||||
8L0vMM6y70sCOHX/o0A3g2Es9EnIVOiW9P2ZxafSJMMZOVk5jiB9S3eqt2AE | ||||
oAdSq45lW3OJjepqNKdlQJ6kGwiqYoIUZZ1/h3s7r1++3Hu1u4cpLa/2gZcf | ||||
HSRyXUR3B7Kj03wkbnwyJrC1RDLuWvKn0TOcEY9YG0hNLhdXDYmU/TzMy0Cv | ||||
ZvUP0/+Q4z6fpjfDP929heGg4HWVXmG5VglZpGEUYje9JLcV0tVQMmklogd3 | ||||
eP/bsqlmFkXZ1FRCYHhjzGYhtrS3fdA6Pn5xJC6F7VcIvp30vz44SLafb5sq | ||||
aUe8jq39kXvtxVHSbfetiqGlIZ7v/ebo+HBv+yWb1ik8s37RnLDIaCiMyQVX | ||||
zkxTToPo4+MLAeDCPGHgzHYPu50Nv4fwB64a4q6IEaq6npRNKMyTw42Eo8Nz | ||||
Kndca3FEDbvB2HLvVlNPT+wOoYAypPVRxkGmFU/7RKuHBy2ms7gpMawY7HHW | ||||
pENTy7a/4imHh6MtlpZIV+PzpFdt4K+k3EiuUMd1HW7iMFMmmCLnbEQ8cZwI | ||||
5VQ3WgZnLojylbQCFvBPjMWkFNeyULZhrli3NmyMkAIVEkRXU9bXJIw0q57+ | ||||
oLafSWCoeKJi7LkqHDjfM9lEQj5cpEk4YLm3gXtfUXE0nzrmsqguTI1KVyhE | ||||
pU6QT9H360KL8c3wHdL8WxxqL2lrT9cGSUN+x7o5E/FIFeKVL1cMUEBQexkX | ||||
VCDGpZKNL+cXgMUIW7bpR4pjM1ydOfmaVyKqeoz5MjhkvchBal3rbg6ojpVz | ||||
28cKGQskNxfF+L4coZgso+WFaZlReqFGorNDhSySSKOmUhctEJZFQH7ONydQ | ||||
Knp1Zf3pFvehkM342gGCo/zkpk+FqKWQvPSpjDxCs+nR/KpdaKM+b7FKchtw | ||||
2ygzIQ9Eeq7PBqQblVettCO0Zm8B0bjedh1oieprSni0dJxFz/cp0x4ZdmxD | ||||
iMxHyb7mHHBaLUjMJMfiqxaORXaLXtrffrUt/G16x4z0oChnrX+cp5MZnOGK | ||||
gfrqj0MC2HZeBp8A6DP9rHXc1bacDGE1prypmFyuBtjkj9KXuN6njJDv+R6y | ||||
CtLIKZkHrZu3V+MCWjWhr0bzumPU8OwW5oRuUl8cnWMxMhW6eWaUn09CR0p5 | ||||
YRPxAWl8JHM3SQ0S0SFcItt14+Afd1Z0hWHhW7OiaKFNhgyr1GQ7eemvtvIO | ||||
LpZLlzw1YxjTkvOWbtJ81oKZt5A7AGOeFii6cXA29EPmkYtULhl3WHQ5ZxdU | ||||
6FJRJvNLFEcxt3ZHkEawCUM0pM9QPLVs9tCk3OypdWMHrRvRnPd2dlbcIWHf | ||||
O+xZGbgW0TdMiiuacwnQJIrVk5UAGjxykclmdHqXyiUmUSLK2rHzSvKy5AiS | ||||
+CcA4mzXExsmUSCjYsUkiOGONwUSIopPT8roLmNLkrzUAhlcNthYRAKCxIE4 | ||||
nxCOk0bnr6l28o/xGbCFPSRzeIIW1yabDCVF7SJLr+8cZBfpEO5u/xotFdM/ | ||||
//O/NTlLzYqtk4UPxBW6TMdNTdLh6HtKEqb9S6coD49ROmnXNszj9e6B2Wyc | ||||
ceEehCeDuYmKz3IqMmtYhqbbN1yPG4bIQaFGd4rL1vLBZJ0Mb0ncEqBdMgUo | ||||
OWiZonFg7/Dk44qB3hHfa5pcWzwGte8okX1zdNR68fKobdxRrjglJ8W48mkB | ||||
8+a0CrGdmHa1FBQZQMhaKLlKeCwwHGEPrsmrci5itRQvazzfe7kSjxs+K5sa | ||||
4ea8JQKyYgPHgrGYZ5Lclm3nmGbQNh17j8xMPuCl0mg6Qr5UcuIkjItdQGfp | ||||
MNtCUEtJo5qYS4MjGyI1HBEwf6M5V5ldCKHqk+/d11GA+BuJ6ZZ1YTAecgSa | ||||
ZIQ4XVzQB7mAjtjX08i/S27dKOEG9QCDKYBglT58aBd5II72ADWK4R3cmzak | ||||
Ki5wX5WpSTmiPBQMWZNwHtPBSDuAIaT0h+B9oTpGPqE7m2hrC7ZSoA8nA5rg | ||||
Uh/Z5WOnWLOcT0KXqyQkBCZNuuONCZOC0ZoOPfOQwUwl7DZENcRtC6RLhj0l | ||||
HiAetjBLguxmpXNA+QRoSW4iNjhW9CevdtXVBlIZJEtHJ67IqV8K0FVQRHAB | ||||
B+I0g4fH6WnGefgy3FJWXrxlkXfMi5DVl3vxy7EbDY1wgspphbEAO++hwkJo | ||||
sHXI2ePApSkKTCU07WHFj4iUKKlCqSHJCIGKiiEV14lGUenFaCzJIauQFYmT | ||||
MWHVURGB1zgLHONts7pO8LIov6FASQtB9tP6tFeNGWRR1Ykb4v16KGQ/oD6O | ||||
sy8V8NNQ4lU6u6BEXqwb6T4l1EVedJ90J6MVy6m3gkoiP03pDOUBb3RnaL0p | ||||
RiiZmCMgopoRqxl3wWqQtY5XQEKG9YJ3IQ/sseCUTlIBF6cTo5un/n0CGnTn | ||||
vczRLZNOMgZLk+NQ33A7OVLFebPT6bBNkhL3J60AZFFQh+mIEAa59k8VrOuG | ||||
jJcqm7dPM3WeslEOB3VZOPBxzguc0HnqtlBjXDjYSlek1fMVYZYk1WxbaBNP | ||||
h4r2eDVJJiCXAwtIV6SV/QOH+cBJA+7PekwEvLokbGmf6uvChI5ZdXhZjLJx | ||||
VQXM5bEWaxhwnfnaCZE6SDvTX1VH3DQzHpeJ8/+ODDCKg2SsjztQelaHzjTI | ||||
lmvCicGAGqAcKg96g9vGgkhWzkpGqb3Tu5JMnz6Pyz9GeZ64ppyPAIr026KV | ||||
TocXrWjqrUtcoRaiXaING+027MFd6w1gxopxQp4JjQ0TtYzeJGp1qx559NUo | ||||
5PCGqPUPHBDonFMxcXsEBDuEKtQSW3yIpIxSOqPMavum6MoIBT2XAvBOp9ac | ||||
4JkLhyJbMSLh4QZPRQc4vYviHKs3AF3RXibxIpCo6VGcpDsFLHpoFDb5G31Q | ||||
thWYhZXSgHjJ1Zfca6/7pJQPIQKW76QvByFeJw9RQHpTh3cyYCWc4HTQtq+A | ||||
WhwV4dn/NDtPpw4oSExSeFmQ3yj2CGxXo3UuEYzRcTf1I7jLCDEZzFHjS8Iy | ||||
G1gWC9SD/ZPvKvb1+SHjyCgksIIxh+Pmwn5enpG1o9VgVqd2N9avrtCRg2nc | ||||
Vcg6MzXloWETdh4EeMRwehguzA90odkx5RWwBtzU7oJoMMEtkK8oLQ/08Vwc | ||||
GVSj3dkKdUBBUvfpnS9F/kQgz5/gBJ8MV4dPmDPvZhNgBq3irHWEAs0Q6zKP | ||||
itJBj3F0bl0CBVWSuwTuyvl0wj5Hrr1S2nOxedG5MzFZcJ3OqR4n1koHtadQ | ||||
YBKT79MNPKC4TgxAHkqMSJkgvnON9hmF2igWQRg6gb59ZkdM/CmBat9Z8BRD | ||||
bHzoeSLNGgoT4YWkVA0FcQDv5joMxIJnhQcKFlO0R3JGayADgfy3/5BKHpzo | ||||
wTGaNysNDD6NRWDYP6xrsweShaA6V+KANrvrq8DB2WIjOA6ureFY4y5G2SVL | ||||
OjP0xqVDF/eVsnsaRNWUzqnKwh67SZGe04nFOqBcDZDSryIHOY7bcHPeE58b | ||||
OsRnMOBWD4uShnpsmI2IbhidnrapmnrjrBZ2dXS3SzZ5O5zu7PYCKE28Clfk | ||||
HynOloDiijPi6PksOB6BNJESxipc0ZTxtehwAOGMKNQHVnfcDPSoQPbgLSHc | ||||
b8LfQ85B9lQ6RMFqEWfiteQ9BYqFBVTzHMNFa5SNQc04zfhYUTATmy792ZT+ | ||||
sTQ9RSxpDqfia2xHMQpcRgpD2M7St+Ys9wzynf91QBKV1gKQ455dXjGA9TSn | ||||
jAhbKEFyHaULVwzLxYbjhwsqe9ai8zKcJ0brz8nxdmZhwA0AtxhzkBvb/IBz | ||||
tv5ZNkXX6vmErOPsq8LYEsf24hGjZnEqwGnVMRO/DmWpGtEZvifFRGxAwoZy | ||||
DYh3/nUJV5bNlfAODlLBOBIOnNNAbes1p0FRdMuk4FvonqYcF2ziWvJzJUre | ||||
6sJy0ZcCMOURr+T0ibDo8joDNm6N7ldlNh8VC8ZC7k6KS6l77JIDoYzZoiCe | ||||
XGX0zp+O4cYpKGX5H+l+RY+zyIv3jkNyg6cZYqAQvXuwG5cfK1jcE1Qyrwu0 | ||||
TRLi42UxvSMtG8nnNvmq3W13HSvnzH2jEAi2PsVYFOO5xgCSh0dMcjdT5hyE | ||||
0FbtaZ+KxORSDQDlokkefHSDsmAULHLv7H2q9Cmv8lQ9bSImO+UK1LzpFahW | ||||
peg7G5v99VDfwfAuDlc00KJsJYlPNQoF83OFc82nSYNHubJwmBr95IOjbJAk | ||||
w10EcOTGvq/h2wp7f0l+kLISpHQ6Ld6yo9LDWJbz0+uMrGuLhmaS+OHYpIGi | ||||
YbBjJFEgsfHkBmGuguGkIeccgePcYybciiLRWZz9BnV+ePI5/AtkEju/FfFv | ||||
RvGFLiRWznOYFiLJHXR1ztmuRxsVr4BLU7nJp1r3p9bJN8rwXtV4JusWnDnM | ||||
YGcIYl6Ce3tJdmxY3b1bDm93DcXAuqYZKdnILnT0nI/gF+KM/JFFZ2smyyHB | ||||
0CPLhN3kvCN6mNc21zeB2k3Ycjs5mAuUoW9CA8Jb5OKx6Ba60TVdsiqII+Xb | ||||
65zX7qrA+tvM41GE9Hj4+loph8edNzFy+CD11OzxRX5+0cJgT3zSb3gbZHUK | ||||
GsN0QdR1yVxzwTGacJznmj8Zn2EHvVbrSBNBJkCBJV2IXH1wUFoKsUkHIuVy | ||||
HX/QlFnBcRCXJ0/TL90l2wBZwXJh4AZNYopoEmfTc6xQgOhaZQtPYmvCuMli | ||||
MFQDukh8FAPHIebl/Byk+CjMvEfc3USa98nAlXsWyjI2yxwgJZ5yvbDobNlZ | ||||
gHymd8duhIUxvsnPmYpaoHhxKicvfMB0MbPhJdxX5yAfYzw3eRYdsUW5CPRL | ||||
Y3aDgW2jFSA5TAMv9aW0jF/fG/n390bYgMz0Eq6tKEu7vIBD1fouQxUbTn9J | ||||
99klrXR0YaMtGu41/FotesNhNubErTCjQmDKvGZIPqLannAtyRvtLgUMlXZs | ||||
0+cC739berR38SK+nozvIrWVQ8TCSm2VWOrFgGTUVaHNWhiOBc26R+5ttmq5 | ||||
E3vdIiMA8sbgsMnB0i2e5ZdBtt4+vz0ia5DDxSCbhX+pWqGz9NH9YV6cTw3J | ||||
OFKfpS1C78pomjHiQfthT2k6dQVMCQUKiczDgahd91xQy0ecqaJwc8Yc006+ | ||||
jRBx3JPIvtQ1HGSTHII+2DrOMQBrXADXaBwe7yiOj8VYpasW5ruzbVGSMUEG | ||||
h3qnmARjHqGNLpxm14WMyKIZaF0C6srH+JmnPRQEakTZmZN/Aw9fXPpFC3xU | ||||
auLBedkxwzr0Hb3IS8IvAza42ttADwy0+Xrn6EDvyjX8zBjOMMBH8OmjaMi0 | ||||
jKMrBfnQo/rvfHf8dGfniCfuDZSfQgTSpMtklYpZfi3FJ2fcZ07N8FH+VFNF | ||||
RKoJ7MhUB8UVn7h1PuqUatdSYw+904ILBu7FvLy4FCP3kLHpF0FCPoVR40LD | ||||
wHFkvnigBvSSpC3BPHgdOa8rJmQgePWd9V4FA0cWmGn0vIrxXI7XPqdlj0YC | ||||
wN4gs+BloXh+KySEkxklJ2MnIn1gAaPp5Q0VvbmisG/rweuveQ+eFJSR7FW5 | ||||
K7T/kU04i3DfRDIEMvs1PkwicUxWTfVVzshgIj6nBSVTnrwd3syeUK/w67B8 | ||||
Ehrq4MsWv9Sil5DaseOgGFeK8Y/KBkgfBVk2dGWR8jZijwkFFvFxhdenfDzU | ||||
CpUqySbFqUZ/s3Z+5+UwTdNRP5rmNgYTZwbAk1LTkwNLdlgvpBIEYKVNE+jn | ||||
0EZJx6kANOOgbID5NIS34QhzWVZrXadAqiiMwBqFUdwTcrApUk3vzrORjMRW | ||||
4fClZB3jmhZh8tQjbxqTtMUcfrHTG4v4choC+nts2Y2mM9wEoGCFxpvTN5Pz | ||||
wkccaYJOkKdL2QEfiyEYXx31U1DEeRe+LjAMBiVxrpQrq5KLpZ5tgcB10GDn | ||||
Ko1TYpiNhqdEZDrBKCKbGHrW8Um+C33okrd1gymaC4YdFEISKFcfQZr69XFW | ||||
w5lGH2qpwDpTJvNSEpFcrTeaYKZ2OzupBp8naneBnXOFXSnShp/VorY4auuU | ||||
Ih0rjWmmos7JM38FZ8N0aFy9G9QMMaQythhxUhgyiZsiCMOoRaole524X33N | ||||
OgmJvBF8ZhXlvKEhykKhV1CVXoR37g90dpsPQ9MiYr4ghNvXJ9/bsC6RZEoJ | ||||
lV4QSMZ1LU1UjnB8vBTLpMEctGlvBeQ7s2F7xRVtqwDca/4E71fQJFOCgQI7 | ||||
RZmR09UuPfh4MAresABDnjgvXXEaWB/YdkiF0rwDjvaosZGxcELmTDkSx3I3 | ||||
7d0C7dF52vN1SZPG8d4e80tTFk4v7c11dH46aCUfdmhUNZdBUpr+PW5RTnIg | ||||
jRd6aifkmWK8RqYttFdkxrixaObeiWU6r6oqMbIJhg2zguPtGaHuonWmC0Ku | ||||
lc06OHzOsxFVmCT6eC7HVmOAT5I0xxAfqiVwLZhMVBsZ6ZE4DwYmmsVnOWuW | ||||
IjCZmBF9cQlpgO5iJSyaL1elLhgNJyVjbtAE2yVGmQtyjPvFanz+SFmEiwuy | ||||
UVKYG0eIM7z5ZXrLAMOc4eUTZXqrq0Ar7/78v//P70E4wiyeEw1suNGYIP1I | ||||
Q3ttmhiCn1Aezn35YgouW1fCQWy9LICKizGbuOQBg0caNto0ZSh7hqHaYocb | ||||
3bUOD88XUkW7JlwRd4LZ7iURtqIXpbkzLcCH5MAG5UTVmmkPHiWmVwqMU7wX | ||||
+wTvrUsy86UpT4Fxid0Hcz1mpDxJaHhk96SGW66MyUmPZCaGdyARRMrphiWp | ||||
LM554/gbdC3Cf/v034HBhA9c88AQW1KLVisdYFt+fVMqkHw+UfkFNs4+KGoj | ||||
I7CE5ZqLUFdwtqe25IEC+xXfgvMsRmhDFZ8k2jTuqdVhr+QAo3x856+2nd3d | ||||
FyIU+iLkC2z3D/RVP26X4D/BM68ZfaH9Geu4cwlOSgqr+i7TCYeuY+KdCF3n | ||||
VDOh7nlgFE3FzPAeFMLroKJsbPKTtGOUS7u9NSKpz7SeuyKqJy8wXhoEcU5S | ||||
g5Fk8k2LIqmxJigOQCqasq0WRQ8pw0uaq6a4CRgOhxiaj9m4uLy3qIzGazSA | ||||
kyjQoNGtLLO5goLRtxBmRhp6Bdf3Vu0M8CFBxtlKfvvbmQXc/P3vl5b+yf8k | ||||
aVpeny8tfdGyP+FflZ+6r79Y+kGWj39+QNhQOp64e5WfHxI3RP/Z0hdf2p/w | ||||
r8pP3dc4ik7Qza4khYtm8jLF9GqkKvRn/VBdHRzFT7EW3ceMIgUVIPk5R9Fr | ||||
9Xp+FG8mrl5a3Y7UfPYTjaIfbjxFJ9WN4eddi0Gr31tfW//rrgUOYaO1trra | ||||
X4VuDkRSxoSiv9woLANYereVfHaWn7dCVpfM8tk4+3JZM9KFvdB37WVghJ/M | ||||
RMyaHFI4m6cPYnAsSBygYWtEToVoGT6EVQTcARi2EOQPyRGonSMSS7aH9Yzq | ||||
g5fczKs3wM6Y6H5AHg2CFFq0c7gP6n8+tq9gR/3FFiJVmHuNk3Vaein97V5s | ||||
wQweutfI0FSM55fOT+xHh3Lat+hQaibb02nK1nlzRamG8K0mZ1HWwCw7z7yF | ||||
TnOjuAdCcEGbCcb1Tc4lIkPhbmKTrx3IVrBf9meJut9KWr3BEg1zK3n1dHvJ | ||||
jHPL8oz712NRHw933v9rdt77a3be/et13tGuu51m0upyHe4B/Ar/yEfhiB4o | ||||
4c1u+CbHeDSXmMEsfufnmZRbz75OCv/3yFnVFxL/m5hXr26zuvDr+sdtVlAd | ||||
/a80p37tXj1yUo8o+v5XmpbjpL1BlQTls3BaOxcp/H+v8/SgGN91+53Vx1Dg | ||||
4pd+nmmt1k5LduujplW3WX/pWa25cxXt1XpTPoooEOjn652XizYooLvo0Z+J | ||||
MfSXVMH5mTpw9NyH9Rj0ecY9+L0Pm8OfRWsEk3UT728MdLfp170j/EeXKHry | ||||
Z5pBSLqDVR7QqjmRg9XHkO7zPb/jBHr7iANJ73zkvB6j9XyQgmAVn4/WfT5I | ||||
/SHNcw1lezgCpAEF+BOHWub3Xq3kg+bY6lmVq07nYvypQDv6pB5Z7WIVO/kL | ||||
zDGkEad8CZrKMQKwGNWLjd4txGUp/3b1LjP4n0jr8gEP22GA4fNMwN98AMTi | ||||
J2Qgj9HWCBtpga6msawatFVT21XiNB6jz2HwwM2EvRdoSgm2+H1bFxOOABrZ | ||||
5XZo/ys3+Yg5tvhw//+Fm3gXBeWH7VAwhfVP4Mct9LSgLedvl52Y4X8qO9k7 | ||||
PDzZeb2716Tf9l89e01cqhkac2q5hb4aMgzTEHn8yEXmgiap6chWxM8ZfvJ4 | ||||
00/MKvwGEqfYE3y1UVblFv+fYxYfYxD9oDk+zCx+6h4rzOJnnuMC0cMVK9wO | ||||
vPIEFma4B/pZW1k6+hvmG4sn8ql8BLtpssvyMbyDfZt08BHyZ5Kdp4J49jPY | ||||
iPOywifSETtmSimTya6YD+YSX0T/VmlqAWXjcukx4rVY6OF92Lf7RfRvlV8s | ||||
4CEHkvHPzrEOd6ZQSR6ankdR50n8IRin/osBCRRaI/vkvtDog357o92tOawf | ||||
uZz22Dr/m9th53vTXS7J4/Yg//+7dLg9Qlz7OPb7cYLaRzvciLN9wyH9Bz6k | ||||
33DbSvj+Aq6rGPAMT0P8kYsaYvSuw9Zaru9wuY5PxzyayP01Fyo90tKumEnl | ||||
ay41sHlg0YI9gwRqxw5caGWLeBkDywgDkwSGOLNB5Coc8HfZaXJM+c6Nne+O | ||||
VyQip7/Zw6oiykPjNjFkf0Gb3x0nO2OKczzKZtDmztGKC7fPppfILHGUmsdA | ||||
+RLIdlOKRcUhnSAOKv31ZDg5e5IMsTkZ1/pgXVtgTdNt55nWl8tnGWU+IT6F | ||||
5N9d5rNZZsrIckI8nOPippZBfxGSXkyCjyJJx6I9d+YRk/kheTAeJzrlixj0 | ||||
o449jgUJAfo8/mq3SwwWF/ql4NTA39vMcmNqkJ0hDux4tWfT0WDv3UDcieRR | ||||
rQg8vAKE0euIoAeklZe6Lg+2YjJ1gHISJOl2PO2HW8nLuCGsLdWu5VifTC94 | ||||
sHiPetj3ZXoVjGW79nT9be0RHOlP3aPooZ9odetu+ICB6iVfmwpmr324W5D/ | ||||
fIepfM+pLMubw317r1CSHxVsWXSjgNDEOR/uSWpjORtdFMNlzddcDrswVwlw | ||||
rRa9QVj5t1sJvYgf7jASFdLEFG6qbLqV7O8dP8OvwttXhbBGCffG7377u1A0 | ||||
+93vf/d7fOeQAE0DBLqt5FUxyWgZXmKCMDG0MjSowsdkbHto/vQkqfRlsmzC | ||||
oZ/SfL4YnoIqXmZ/XCbCDB4Y5qNW/JAumxlWsGSfwZAXd2JmEwhguAz04YTU | ||||
INMALer8dOa/DFvkBRQhx2cVcigDfPf6ShIWar7bw2hdwWc1sbVbUs6Suq6v | ||||
LLJFWZUqJ6+7ygy6tUQ7lN9NeRICQBS3IcM4mFNqajYKYbEXUEzSCD5awRa2 | ||||
bRVLrU3PI/K7v4VZH6e+oko2wlefTVPGhjH5XQvGue2zPyypLi0lyefJy/Q8 | ||||
HwpcCZE7vYTfPENUHYyYn2Acdfjdy3SIIJflRXJGmGS4y2gH8k/B8lC9+OR/ | ||||
SBC6fuzQVrnExCwdcuy+4nAGhwg3aZmVaBCmtgUzAgi2lMKbuk0TDtqGC2sr | ||||
wWjw16+YrlAxEvQYxCnnB3Q5qN1HdiIsYydgGUdfV89L9cz9FGem2uq/npt/ | ||||
PTd/3+eGcRp32JrUekajD1VP+Yon9te5JuvG+Dht1aTRHO4dHSNOtUkZLEEu | ||||
LQ73VqwSfJ+adY/UVvl1kTHM8KG6nx88X/gh2d9NHpfuUKdJVX5dZBi7R9Dg | ||||
EbX84EDgX11oHnuAA8cNrT0qYv8TFrtOkGYybmFBSJWiq8QFC1+K/HyoCJ60 | ||||
Y43p7MuV5EU+eZscY6rZLNmeCTIn68zB0Zk+eFwcPijxnuVhMc3akWT9oQP4 | ||||
Gc8FbJ+E4diR0udBxA3b33Vu/KIxuC8Q4ckFERjz9icM3IAcUJAPcDFlham+ | ||||
qSKSKJCoaTWoL50COwoaX24myXK9lW8ZUxSXH2FtXJZkvzLIM6NEabYnjxPE | ||||
287GMARBS1To6IzasUA746KgPOszrC7DVUYzqcmUcRoco5bxZPR9hiFBfHoE | ||||
3yn4Jd8ojmhCAAxY+Qn9BpgOO5uPcFdkLlOaS4ykTqjpYSmP0KbIqCBw/36O | ||||
er4DrZH6ToqSPzWiFiHj8bBxWhYNb3iRCTLrUAHkzhS+UdE7vadDD5KYNbVZ | ||||
j3hjK31kigWFSZth8Tmc6MTb2hj3QY+KK+zH1ckEWmnk5yCr5Su08bgElLW4 | ||||
yieKB0PepJplyUKpkUeiYDykDCcIhYwt0rnFmcrlIIKWwOddZtlM8tYLMs1S | ||||
YvuZW0zeGMY4oCHI2CVT2I+mDbsZzc9Tg2LoK/3S5nFZbOhLwNBp0Qgj9Nrl | ||||
jDPoPedMkXxKVomwRqHmfLL91lPwTYZJ9SMHhozwcQLaqC2XruSqNIl7i2hS | ||||
jACjRTwV5ifCOLBFRg1KsWmdgak48VwT1hlEAFqmFbtm8N6YxYQStWItuRKH | ||||
WPkKT2f1IQOSPnJHnKhLoxECPinZ6H6BYeRwEd8JAo6x3bpG3VEhtCdTx9Ci | ||||
4SMij9blzoIlSU+La2LsrRalZ1NC7hstKSaZiriqx4JBzoCQdNW++0yByTVP | ||||
N1VIwRAlkKCrplQRYKJtVkBHQshzLReE8Vv8hmBacXPacZh2XPrBBUAINFrE | ||||
CeOumf9rT4Vodsyr87PkrpgL4gbSffgubcTEgUlOeIWvM+UqfOei+HQniJsE | ||||
/qP+GkbQkeJDgrgvtazxaxmfUxZ3ZGnefVaUeE+3hrPblseu01XXW0tT6N2i | ||||
4/SlohDjG/iNMN3FO4FwhoSUV84JJhBFCoGWwoEq6LMF7d5hdHgqMcig89JN | ||||
ZSqWSfod8TEA7GvyHteeQ70UJCG6p3BvwyReqvhjEmoZ7PDU14M+vTN1ZWkC | ||||
Jy5f2pWOU6+Rpjq+f7+FccSfmwKuYZJ1KTUDq5tYHV7NlzDSpisCPqcD2aFn | ||||
uyGEU9uPYhgvJNLwxZMnSaNzO+isSM0w8kPFDm1p5Ssq/oqop82E6eoETlkE | ||||
iGHKSjcUEGNFWbwFf6JitNuPwsVwOFQR+vo24gydVkdVwvLosBAEhG+UjbpK | ||||
YT5qlLB9zqcZYXoguP5pqni0gqNRnTMhazCHlRHIO4QHha9MlywIh3m0Zqzt | ||||
xbHvsP4hXXwZkWIj6TRxN+t2ZsW+zknj1de74et2CVcWx7QzaUVb6Y5Q7ZY/ | ||||
DgplwZZrjwjzsqhHBLdxRUzjIXwAGssiqgvBKM8sPMsn9NbkOdVgvURzlRth | ||||
Act3KzSVavflRX4FKzO7wfICtqRMPrG3tLvVIjiVYd5iilBPtuuXDs3+rpwi | ||||
mApxcvjAcFBBnXSAUNzLgtprOyeHgkO3X7/0hHIdBTah/ikjBI2+hSC/Uqfj | ||||
UTacGqtBve3hi6VqPv0P1cVwHwUrUmerqTHF1Bt0sGdeBs+53FhwzWJ/Ja5f | ||||
xSH5sXPmnj2X/KHai+358KfquTbGqX6z1YrzRvWQBfTlCL69DFcnlZhpUWm1 | ||||
L5cRSzybor2nKpAwOWsdHCOGkARMZb7VBGGk1PhcNqmUPPNvlVAMMjfLKIhI | ||||
L6rohLSS6mgCFD7py8EEcsUHL61YIpSr6cqB6LEv3MNnWrHfIS1DI6ut2RxY | ||||
HUudKsxPPeajFeuHRXp1v3ApHIBxyEx5omRBdSIuU9ejwny+qBJ9JZqMYHxx | ||||
ITI/HVLPhlQKmMMbpdAlXMkodWHFHdeAVKYkTR4x1HOGX0JLuQLiItZu6QGS | ||||
5gacmMscaZ0arRN1Jn4NXlAqgatloFQJuKfIFekgeODGd06X8HPzurFiRboF | ||||
wBpvBJHsa2SxghSOR66XJlkisbSSVv4q89lc1FDSdnA3OH5MQWCx2LtYqQy0 | ||||
oitxTSDUcwOH6LmWFDpgY5YtDlVMbd0pUIrx7pgUggJL2HtTvUKW4U+EAnN7 | ||||
gZvnI834Sw/0l6G5a2ZeRyy6aZnVvy5fEu6olXZvSLWeX7oBVUbgDHYJEE1W | ||||
aikvX5LT1IgkLwmCq5nKx1Jl09RSJPZBPCHZHgLLG0mNFbJwBhaDZm3BLySC | ||||
g9dHx2o3cKjtb6Z56yCdXWwly0/bPqjjqVidZSlMXMj7FT4FvXZnkDTYkzRa | ||||
USDrjAr/BmIP0gCbXamwF97YWEvWn0kUDnLg49docVLSmztEMzF3j3I0mBVo | ||||
SJcyY4i85Zii9TnaUmX3W9S1X4JCRXJ7UkbWai0DxnYWVxfK2V8Y4Y7gJ4MC | ||||
S77muBDTDEeLS+OL9Hn7g8iCdbRUI4a5Egt098kVSJMiCtmfMFszlZbotggK | ||||
/aauE4e9xnjMpkabfwZBG3MpJ8RWIW6YSl8HUpm7AJrenEKvyJGT1p1YCC1f | ||||
scPT48qhwgljxoKif3LA9mxyqgPOZdhSM1HU8lSs1vUH0VVXKFEjE9VnPi2w | ||||
2yJYf+UWdeyBK9DlkxGDGHJCQwRqN7mHM/jagw+vAcH2icL6b7As1r9B/fxs | ||||
FRjSnoDXEqukCh5wDaOWw9Rccwd6wUDu8+OdA9bzpX8xywTleR3hEfmbEWOt | ||||
1CEb1xh8m80fNsAA1ojnNSE4brzwdbRuVK5agl+DoALz1FuCYVVpVXhz5iWj | ||||
zKM3hYvVtUXTsaVG4vmoQVEO0mk5m1JxEpAn3Ny4NM6xeluU3uF08DxIrRvC | ||||
xTgOLVhsZ8yupIw1POkOAFeeizCEg/oaeEFr46fF6M44VvCjEN3aYY07ViNW | ||||
tZpK5AuLWzvg1iy2fqrFmav7eX2tdovoRppEK4EH0Hv+73EoC19lcS9sw/dG | ||||
6PH1R/+ejqoOZ8cKwggGQlEvPkAgq9bGRGsRX4Cuwi+Du9srV4vNDdqdbtJ4 | ||||
M1GUU7w9TSAsLoQpIGlqagrjMjU1vTT1SRU19888j4oFQy5j0ayjE0G+11cc | ||||
QKdbna8QK7r1HUJoOru/L/HBwvzm6ibtgIDD2dKFvg7AaWY5Bou4LG6E1xSJ | ||||
FGdsKxfJhVokEa62B9ss7Q8NnAp0C0PV8hTp3bhIkVt5eGEKyPcVB5zqg/IH | ||||
axmEOXwK7Ptqii6vMy3MJtdgS+jHVbZ3Zmm5JuUQlPfcfs5+dHpn70CsbMGQ | ||||
/aai6X03ywoXQ7pz5Gpg5lHmKdsyNOnAwcJKoUxBcJaLETtHgFuVCmlJ4bQN | ||||
LzQxhTsJpIJ4OcTHLfGv2PczuVIlDj55hgLSu89U0CfZZ6Eg5ehSFjePD5Fe | ||||
+/Zoy0PO5qGHEBsUEb60go3K7r5aK3tfFW+9dL1oB/ELcdlrYrH3zMuwI85/ | ||||
0GIYKuwZt7Ofa4PHu0LFlbzH03NdNN/c05I3AjV4ItwSWRxDx06XJFgjNcpR | ||||
YtTkgEM617uXQf1KPSm9MO8uv2ad8GRORyA1KXFKeehYbqsZey8JTI9hZVWd | ||||
lhu1l7MtQVQmLWoJHYymERYvCY1fnaaOw3EGd6BtubdEna15oVoDMDCYIbNq | ||||
kYHmfc20+x807Yc266Ftr93DRdVJDmm4+7H3cOCNGFzpV4tCxfVwtf7AT7Bz | ||||
1VXHw52Oi3PWlDDwROmIJLNFY3Knw95qpoKxGXHU/uOb6XEpZQVjp01wFcsW | ||||
6XD3aTI1icVIT93Y2v5PVcu76Ozww3bMpSDB5gf40xuCf/WDJCZuMc00EPjh | ||||
y06701uR1+hjguG915QRdRJF+G09IDvGbx8wUWxRseJmzPGqE/rhl96c7SZE | ||||
h1rOtLxCHz00vEcOLWJlf8+rTNWIIh71t7jIg3hQi3yl6sWgI+OStP3hXHTq | ||||
MI0L3l3osThedFpdvIVY3Lh0kXJc76pwNnfKsJsVM6mDdAMyG1ZSbc2m+VWp | ||||
qtQDligntx2KISWS29TC6uS2OoPLIrnN1LhaLLc5gWeh3LZIDFsoty0S9O6T | ||||
2+rm9SFym5G2Hpbb9h8pAVbktuPCFdyrEY+advYYUck+GooRCaS4h6W2e6XE | ||||
T7mUHxadPlnI+4tKO/ufLJz9HcukP7WQ9xfeuZ9H4vuglj5J6KvlxfVCX+/v | ||||
ROj7m5ARaqTDvydBbD8WxGoEy7/+Ilekw8cIYr0FgljdSXhIECPRhyDYTDEp | ||||
Gx2xgPVJSSe2pEZvNettmMwmSm7YW9x8ifBajs+NuMfVzzmjyob4KrNqqtyK | ||||
DYfPE0OvuBsWFLgjw2DUHweah/eDhAQM2p1O0vgqHVEGDjDeFcvrhYtzc1Iq | ||||
dDRXQ3A6luJ8ATms0IWxSu1SHixmjUoMDe1R0INcmXU9oG0Z00jIPSDRutzT | ||||
24xiM4B6yXEppUqjNDLNbQiX0m8Ue13v8ZYsdGBgvP1OQQ4bWLXABYaBOJdw | ||||
ccWhOOyTRwM1t8P1hqWNyI0WRFDuSYX71g5WuG8dYCRIa1a0Xg9n2ax1xKhX | ||||
MHM8NL4juvE13qnX7rf7HO90tLfzNU1hO3LP6bMDE7291tnEYss4ils4LxQH | ||||
gf4OuWJlYMlwTiE+rvYvA/xgZCV5Ku3krn1kJ97eU81OwTAZPPZJOUwxbAbL | ||||
iuY+qMFEZKYYY9qiktPzCefYUi1qvXXhUSorTyKDri9H0mtYgXMDxpNiCcPW | ||||
sLc9kxhjCz6y818Mowu20voPadYOZM/USk4aX598T8rF1ye/WfF0V1IoMbqi | ||||
3jhXz6TQMoEoaOmGsrYgCQOMkVkgfSgqGkxOAoqHWT5uJA0QcnrJH1eSp8lG | ||||
sqILQ9/drqg250qnKlIe+h+oWBsFVN9qWW4egmTKEPnl6g2GQ/SymXzfTG6v | ||||
WHv6p7srPqvlLLsq7yVSSdi5GqdD8rdQsnm3LbQ+E79fNh4BJVIOB3QiMlsw | ||||
9+8fmD0/beqPopSppwm08BnG0gSStB3yanSu8JpNXvNGvEy+TL5nK0GmacVa | ||||
w5WTsij0D9frztVR1jqE0NZOPU35EoFsO1A3kktlgWd87XNHTggQVnhiWkCw | ||||
FM2BOZQuw+QUjuZZPuNQo7C0oR+K+g41lVD8dTxNmVr9vBvehwB/yVYCQz/K | ||||
L3NgBVgKO5XChNeZBMJgXUdZyDt7hhHNi+MXFh7IGd4jFIRJsXelKSS5DDPF | ||||
lonsxZ27rG5oOSJBLV9a/tINSVfa0QKbhzSyQBy47OKl02IK1OtlMMvFjUz8 | ||||
a/tgP0w11EqfCyaHaS3hg3RI5uNxcExR6BOVjzWUKVegj9dSsy4lgQrbYq4I | ||||
p1jvzz9l00KtXC6WY9H4/I3DAbxDwvKVEBmWCFxoqlb9FQUSRy/UY0Ysd+np | ||||
nY2qyWdeYZSC0pRQ07nt9JIGC154NOnv3/3wux+S71fashwgC04evyJp+ACe | ||||
HfafA0WhkEZgco4ALNsYBJwOodU1C28nun7x2N259IU/zokrFsWsVJ+7b8O8 | ||||
tVLdk2BitJyyejAvWY6BLAf/8xuMifYJF4wayJc9FRzh+V4EgdmNefWmyifB | ||||
yJDyrqC/3i+BSH8F7fzyKf6S/Pl//T/1s95APvtCPulu9qJPNu1rXWgyhSZb | ||||
ffjlFH4ZdDurG/21/npvtbva6w563d5mv7cG/13f6HQG6721jUFns9sdDODJ | ||||
7urmJj65urQ62Oivwoj63UGnvzlYWx904JXu0tLXlMmdeuX+lg7QLXTV7a6u | ||||
b/Y6G5vdjX5/c63f6XU2V1cHaxud9e7qAFpYXd0YDPqDztr65mq3s7G22u/3 | ||||
15b6mxub6521zfX19d76xsb65ub62hr0vbR0w+fCkVBy56QPv/vJDXTduKWl | ||||
6LulSU0N5Vv4+3SFHmg0ruCP7srTwYo82rgsRskVbcUdNLTRH/Q31ruwNOsd | ||||
WOqNztpGD35f3VgbwLTWemudzmpvoztY7fZgrdZgVVbXVwdL3bW1fm+119uE | ||||
SW7Cwx2skLi6FgZtECaA3BLnMP4UhAn5snHbTO5I3AjztCPREk4A8zDDL1Mb | ||||
lqsHa7W91rZixEELZtRaXduG5ZDjIBXDOcwJY8bpwmKShRF1aAH/t//EC/hL | ||||
oFNXs/yOSVMWkB77j/TYQ3ugi93WLF2Mr//q9WGT8MpZLCIsOae4vvsMv4fP | ||||
8WNVJByDQOhKha3BFOJsfOWvZVSAcaXPUrg981QMgxSFwskOm4NNFBcJKl3T | ||||
Hzr0CQ6B4586qw7UkxKg6FPY300tvusiA6kZGa/4Q0A8G2IM0leEo6RgpZGW | ||||
1MAXVuyQpGYz4lwLW+JwFLkquXw46a2UUU6V1rmkuFrmMB1c0ifnOSbDC1H9 | ||||
+uj1K24YA/THFCxOkEQjxABFQmCl04lojADFr3ActNRhBlmQdLO1gRERSS3X | ||||
ovJq7pQmaDTablOWDamOy6OP8vR8UlBhZccsPeJBOiL1CWeajUSXgsFezC/T | ||||
SekUXlprggff9ZL3CxBM5rgoDdygFbvRNnUDtSh0a9/SrZAw3AcBCOOSu7gg | ||||
H6oIQ/EiCcZ8Uz3ooHmani4vLkXNJFG0xaWgFUYY1jD0FIZE+bn8F+k5JiG2 | ||||
dMHqGITYYsG+xXKJ28JyiGqWiyPHyLELTC+9QDiDUhJRYJc8grcie1NPijNr | ||||
83JAYpEsg8v0D6jNQe9CbyJsobJ/TbodIzAh6oGbIRnsLZmIUlViqi6opphI | ||||
jKqfCRXDWu923g0MoJV8gKAkSmPGX3j6ciNKsVxTiaAvv0/iAV2moIG9e09g | ||||
H2k+rQyYzpjUbS8dri5mAwUPgqiO+oLcjLyVjHyiwLnHzn0S5E6QnjHLgbyY | ||||
lpCXINRb6YKP6w5ISl/zkf3lL5P93ZOdw71d9Fj/A6Krn/SSX/1K3I+XWaqY | ||||
aPyNQQ7wjN21wMmY9KDP8iH0lnw2nxk3RD5VVJPTDAgE5o5/SkrSPsmX+Zlp | ||||
98vkXTJItijj+73pBYcjkMMkTi6aDjQAX9k2fvWrpgTi86EhubNzO+in3c5g | ||||
0KE0HiIEwmIx8C3FEK5URrMq7y5P4XQv/+7z5WYyzglnRNY16X2eEFXiCtLl | ||||
eENn8hInSzuj1Csiond0RFtMyVe0REIeqiR5xo+PGA5CY3c4HeHNhohLCjIh | ||||
ifI2ChY/uRqnd+fkO4dGd06L6cvsEe6SZNdTmvvZE34U/FBdpdrEycf9LAX1 | ||||
xfUHZO/qx/OJXICy2EuIkl7zaneju/Hgq62adzu3/fXKh3F9hCUu+lF9tdpr | ||||
9VWM16m+elZtz/K9JSLy6muDTuVDwx/xrW5vOHoSv9XDTxe/VfMSvjXod0Fh | ||||
6K8N6t9axreW47fWqm8ZRr3kjjB2+N69RWe2G4wRWPMSnvku1QekVQQ2wCPr | ||||
d7qdXrCEwch+a1/6vfaxUX2LroalpGGfX9HnK08n7ipYsi+Yyd/3yqccmAd9 | ||||
SWivd7dP6FOiO23uZW4ntN6Xh4wCLt5FXqAqUcSFj2KjPjK9fCwmIF99SN7h | ||||
LE3ufKoAbFFyPL60xDW9gcv/Vhgv7NtT/HdpCaRAVPSWEmhpdMKVQ7aIN8NH | ||||
/0AfsuizlaB00FwCnQ6vjS5qpp/j90t8iwR/9sM/B/7PJR8hwt2+3Dv+5vWu | ||||
7/Pozf7x3tHJPnzCw8YP0XytA+D0dP4LZgF8p93u9Xm4NDIao48G4W6+PvnN | ||||
yc7+wTd7h8d73x/Dx2Y+PhSDnzXP9eueG1SfG9jn2CHEz7jCUm6CrqTUFhpW | ||||
6QUUA+V5/DXeBkV38Ssg1uYtkuqwCUu3ruYE0BTrd4+u6mD1sypckxb9gTcl | ||||
SSlh0DoU6V0qXFwxj8QHFvYy35/gKJF4T4P1OtWv4U/BXQJhb5ReKaoi2rnk | ||||
sneAVgaDKKfEbgd8yIBgpWaKcIiTHlUBnmet9ETWoeN15RNcpq7ArbnKGj6Z | ||||
STslKw35g+odLygVYSrT3g6FJb1+TvEY/gyQ+OJIlcDmSudYdPD4HtYHxddR | ||||
8uT2CYs5DiS4zU2tG+ca7GL//XuXgUJwJEhGpR1BPxjBwI4gZVwqNxqxdE4d | ||||
7oDsJi41yuq8VvGCshCZ1zsDy2S13Wutqj3FkV47GjJlRKrfjPznZBUcpzkf | ||||
DJxDWpbFME91OC7leGKpDp2H9PBE9TFNSb2mbGTuOGpK/F0wpxOnwepCicdF | ||||
QhApsRLDI1iVzaREFabZzik/VRps6DcnaTpakQPAtDvXQMZ8Ithc+AeB67CV | ||||
pNtdE1+Y7loOGh5wDwokG6j4e9l3ku/lAI0tFjlqJayvlSAAlGAP4Qo9h9ae | ||||
n+T8+asCZflX8NH+t/rZgVv5g3Ak/PW2Xz8yHGzDy7/7bbKsVLEscETH38DY | ||||
ERv0c+JKzEcsdfY47ZJKZDIEVo+PaEDB8TPd5iPImMTXaZVy6dw/SLYDINuB | ||||
2tgjsnUssUq1Kc4zJCLNE5RQjuankZIzXVwRHJwdjJI+Qf7lQXYfWUUpIpVG | ||||
wuwreJOBkewCWXbILglVCISi8Af23G1sd9nMrZnYYTddIMvv+VW2qix4mu8f | ||||
eYFSesMgxMuep3zGXcFycxnlSsbVNEitlUC/u+T79mpnkwAr8F9MHGU9E/Xw | ||||
Oy9hBciz6nvY7K91XL8mjrrMRH5kXa+FrSKAHPoRMBiHUKRYwnI+pSe3q7Mn | ||||
OI4nQ/zFjzY8xXpyVaW/JTtAH0UR2qkd6OobbP49Zw7i9/vY7GGz9s3jr3b7 | ||||
D7/7Cxx6MeXRY+UPO+y5Dnv+wcNeRWlmmn/AYAeL3mhL1JV/w3u0xfCG45Ws | ||||
b2B7RAAI9pjP1IsKx+SOkd4UwiJXJFMFS6GQJ0KVGymuYsrhKT5y1N/cT97m | ||||
oyfsFQ0mgrOAr+Cv92pO5D/p48rU6CAqHj3ami7lBlPGD+/ijIjwvZvE90mu | ||||
H1kFNSdWjkVTgDDYF/UugZ1twn9mCbsBeWQ4TBVNCajC9UFwe2gdckeL2Ixb | ||||
aCQeovkIcC21hw7d3xTGNalJGE7d7kqIBrshaivmDFeHOOrbVWqwGR7dB4+q | ||||
Nx+ZI+6n4kU8LIlE4uPOUd2gPRZE3SBLixnM4GxxTTjOwIgLYGtdnG+JrStk | ||||
yrvPUAhveX/We03JFgij0uXFR9L6VNoj5AdqTAmLWgTybuUjlCdIPp84JGyO | ||||
FZxkKBejZ0JhmlNf1+E6GOJpdldMosC+APvgO7qCw5eIlgnQgIMcGJFCHTHw | ||||
17i4Q1tejJJEBvopVnhjF41P2pUYFELUzckiPp8xgA8aCCmSK3e4NuLIkDTy | ||||
DJcRdj8cIsY0ekKX2D6M2+GZMtQQi3jZLe443igkwkgmfZk0/CkgEycjCyBq | ||||
9tQhe80Za/4inxLGNKILwdha5HxBrxH5g7LZsL1CR1kKYKriNyKE9VNGuYn1 | ||||
NUPbBGpBPZpPKV4GI5TVbRzMg5c5nQyxZAWoldvBRdp0Qzdakgy0wgxMxJ/l | ||||
C3hBw1kjMKoMwc4otam6IsBNEV88jBsMFglFC4dYQQe3YOyg8VlLxBnT8VPt | ||||
VbG5GEGc5qsBuWbEVX8wryQ5DTTlgfiimHCOqSWMvCOwiXnpkGdnxdlcsYBm | ||||
1j50k6m7jWOqMmOVoqCXgDZJPi2ziGAVaVYCWDU+qAbVlY4Gz99ZzTl0UfFO | ||||
HOzHOD+dplTrCq0R3wofEnkzYmE7/ri8++zaPdoihuPpTty/C6mVhiY3W8UZ | ||||
Nqu++RbVf94SKw8ih3Hw2aeZk5cD6uR7fCISI3H9WGRshhJ0iZdEPiQJngQH | ||||
pBFGV18e5ef5LB07UZnLp0RFkq1VYXFT8Os2SiS4Nct8bfV765vv37MDZEAO | ||||
kIcHz5EQEjXouR6rDCBVJIwFje/iX1+Rl4oc1eYWZCXhz//876CBP//zv6eP | ||||
4a/J6Rn+xYX6BKCcQ/HUG1RyBPRnyT5H7SGu07vPcveHUoJFJcOjMwI9YJQR | ||||
P9CQqABppuAI05GHR5qIqi3RDirbOSUzBNojWuGLLnVuKB9ayCc6TUTZ9OMl | ||||
iCnE3KJUu7w8zbn7AIDGNxPKmRyOMRzPBTQpBelqx2txs4tpMT+/kKxBdqi3 | ||||
k5cFqSiIM676o3GeOpj4PGQnsOwHcg/6chZ+/UpvhCOe4YgQJxyElMdz4VMW | ||||
rq6Xo31DdN1yD7ZbQTKrXfFUojSmUk6Jgqcr6x/C+oZsN9XSAdolx/ykCqzD | ||||
26MoO8hk7humWB3FgGBYjuh3wSkD4hd13dPZVCEyGTJNihbwLsqdRKqXeWVn | ||||
W4OW4ebCcFadkRssXkQ4Xomh5UEHs6wZcKkQR6Yrz4WIi3zHQYoH/CmaKvcn | ||||
Z9PUWzgaB8/3V1yQemUFItLXuPA5G2T4/p5P8j/OuUabqmIwweKSoPbpwzR5 | ||||
JZPYJmx64RukgDVebe9zvgjeTbdy0N9wm/a5vTf4XHTY7EF8Utqht9lq5UKI | ||||
b2Qlnu+HswV++MAsfck0hc9xNUKIRzZKDNsQkLcn8NaTpCHvrvhNkI6Rv1Hn | ||||
kuhCbPgeeWalOjR3Gl1okrGHOi2mepmGh50ksCqetj+U9TK1pKmSV433SJeJ | ||||
Aze4CAaTcSBBSrisslZn1uFJWSmM95fisBAr0IhskRnZ9qyDWyh9bCWk+5KW | ||||
LlEZIirdL0/i46gwekvggtV1KosZVaCaidaf7KUUtSG3B0HrOXkGUwq5FeWl | ||||
1Z6eysIvWAk6S8JiZe2qbZQPNFI6CyvfppY3XV7Cu45hMprb4suTwrvvSorx | ||||
qomgTye+aLqVoDTaTgvZ4MKMs9G5i2NRAypJiUf7X7/cxoBP/Pf9e1hdQW3j | ||||
y7gSku1cFMtKhMvqhtKKFtzk6Z17jS8CbM69DfxvfA/JuTUMEpMXGjGVsTH3 | ||||
WZbtkFJ98tf2eIalwpel3I+Tg+x9aai20uIysyzYtAao72NWLHiqVykiZNNt | ||||
dFYM55gzGEkLUs8HTxviqw1zSbeiOACPtVaHZa3qey2rMnfWCjtHA/Uak26l | ||||
mA0Kkduiub77DNeuhdi2msX5yRed1Y2lSn0wlG2n6YPevBJcN3ysWa/l40wF | ||||
kVLSGDMQARZoy3Rc/4Ddku3JPiZetmAEBOUrzAiV5UJrL1nWo5lsVie/mZSx | ||||
Bqx0Y2fxGvdfdDxnBGhFYxadtGD9eZhdcbbSo2/bLF4qLYQULFmdxcBeBmW4 | ||||
XWG1pIwkWLpesE9eygdaBGakAgy6S2bFVCV6e0HI8aLP4YxJdKPXJVUvX6gG | ||||
1ymvdYfBBaaW5RyB8O5TB4ODDjrcPr2DahwxioWaH7TtdD2JSY50PV650EYj | ||||
icNpuAGS4BgSWDphpkAkxXekbIJZEVrLGjpnKIlokxcurKfA2ICC2JmjbKFs | ||||
ZEYiGTX3GDkQ3HwqsZUmk8sLVtY8VzlhOjX1gFSkwgflwXpG9WiJj7Qrvpbo | ||||
vpjRlUxDqB8mF+G8LuTToxlQeclYQvJZnbaf3rmEQHcohUkF5kuBvsXG3nrw | ||||
aDRetdBFjOISxRaj7wbH61BQKWmcxEXyAbXGBKkdGEHPrGjr48Cd5US5pKFD | ||||
uvKuNGlCTQ/Ta/SISBUXP2/OHAHW8tWc7dliam/aJsf5GUU4E+nH75JIMc0k | ||||
dJaSKqd3ePBKcrRLkeNpYX1gVGdiDr2aTbE3rqyP9WwA/e+JfzY27ZH7v7G3 | ||||
veuSjrN01NKCcAoqlTB6ruqdo+S1Oh+wmhzaPl0BAqrh6OyvIsRFlHl65+0/ | ||||
uMYeIwk9aA56qUbYpExXnyp6i1ePoty3E+9N48Fo95dz8iNGo4DNvp6PcccI | ||||
t7tQBKpiQjKFk19Frp9yoPd8UqZnmTHZj3Gq7eQbkI+B0hWT4aoAPUjaRZFz | ||||
auuUyOkNigQpLNh8QqgiYgpr3WWzljJMVRmicHuHYSv+i4W8TfQ5d+XYSlvo | ||||
tZGBwjjPs3bQpmLWGLP5KQVYc7K1N/c81GLFgJ40jl8/exPkKsY8Q32gcfki | ||||
xbjVgpAimepg4N6CliPcNZCXbhG+XBAK2IOU7BfHxjUlHijmkS5X5rwoRt4b | ||||
BYryCEUUSVcb31nio6cy05czvRGrEgPSTY5WBEylz4YXk2JcnLsc7pKd22i+ | ||||
IrECz/xUqnVO/Xe4uJPhnc0qC445gl2bU/7us+Bom7oFhA88mg+ZP/oinEHa | ||||
D0fUCxod38QUso375L2CPhLEL1ZQK0LdExgfPk1nmuDLm4vmFeVbyBzU1+na | ||||
TINpjRzziuL/Sk052d41Ka5RGMr2LqMmBNG8Ild7ayzMWZ35aq4VbH1sPHA2 | ||||
yQmm4qugH1Ek5pDyoCeEVRLkRZBhKIKtsGIp2lHo1AdTbprqu1wPk+JpNWQu | ||||
XB40Cp5hDnYDBL3rAjQxkgjhejrTjK3+2hoKNNMMJFfxuFOwsMUbBGEkRX7c | ||||
GqdvMxKH/iQuim2R7cwUptklngOEJCtnlSH75mXAe8w3tv3jgs0Hu3rctN5/ | ||||
oJWylSH6SnW4fR6NrJ8ZjVWAsgnco+x6FjOE0e0yF3UrEDggiB0dNnmVepsb | ||||
tErW9EjdejhAEtFHi/yhDZbcOTywt8HJlvzJg9ENK2xD97FNdBWh9bysrMOA | ||||
ikovPio+p0mLJqPLaOID2uD8CZiJxzmk7wTMA0lehM16Z2TdmUd8B0PXMTlX | ||||
6WXBrokL+jiICqACGGStlBHQkedSyI2UfGBx0QaW37ESzVytmlTyB73OVw61 | ||||
QeICKs0GRz6o5xAWWzXcyEvcMy1yIYwmclo2F8V6WPmO8rSAO+C06RIM5Urz | ||||
aDOOyTFrg7NQxzQHskp2YxAcoAgVssNWcncm8HrfrY0TOY62hWYQBAeVK+rk | ||||
FimLbvX0GtitCmcVVzc/GCxz6WQb5l+GYVfjV3jf0/IOA3cc3jvJJcpBCKIC | ||||
vRfCPB3/esT4hqkCjEYibmimsJ6yqubvZWGZLr+pcrOzOVRqQDnx2qy7rXkR | ||||
ScK25jSao636xtXXFlFmrGiHxj3s3VAC4tl4J9hCfmF7x3pnpvSKbqPtVvQE | ||||
yj10GxleBbKRTvtztWrgDjg6tKUnODdGkXhAHTOVHiq7wWMivBxXcxmtZypg | ||||
hzH8eNwEQwW1A4WBrFiz9SMPpSsWpkVrNc18xWiXsu3KwQvfkYNlKnzcR74R | ||||
W7p3q7TyF0nfjDHkq66Wkq3r2aQrJxqoVWIxZe+gQwytqwvbKKztXZOR5GJY | ||||
NLb63A+DuUUhU/4pTg2ZMu4QJj8/RiA6vshqLgG6M2fZZdJw+VtNm7e14guJ | ||||
1CywtRUGke7WR8SPeguHTxTLbdiis66kkxREKQoS9L42shNparTPKnOFBl3y | ||||
EEpuooAZxwalVNUXo1MkIoF0q5+pBPbYbGVYOfWgMJmXWLkZMwu0IV1bGgnq | ||||
Y47d6VxRyGf8HK2NRV4I1MVqByFaoqu+ZoI+fWfBphTDOYdZBUKTEoF7VCUu | ||||
fCCfouoEk0gnGXRDBgS0XaJ4R4JayJCYIRYzLgTmQu4xxNv15bnUgksy5J/h | ||||
VYlkxKGQNERZCsMq6LojVw6DU8x8vDYsFEHU+OUkVgfcbBhjkqmIyMWdeGPJ | ||||
zcQQMZQTxLvGMmkLP3K5RiKPSWkvPVS4NFw3KzxDRjB0wTQq3bZ9fdhINSWD | ||||
nMmV91tO4UtaXZS0ZBdIa2aeju9Aa5MwYLMPB9PiDJ1tinP67jPsuAUtO5RI | ||||
1cu9DgpCP5xMNQpaTOHwiF1x487VzF+xXM5VbYFS9Eg5u1jQxPfi13dBWRgD | ||||
exUaWbaWlrptX1cKARqodFO1aDUhSisetVS/zG6vgqpJFjq+8aW/WlfQbvQU | ||||
xtZFhNwmWqUjTE+2ubeXem3NTP0y6SaNfSalIKSvmRzKp6haDJPdb8TH2G9r | ||||
MABnju3v7e0lG51eu7t9CJJpdr2/67BIOPI0dtVqTHnnMTpcm3JmPofRpEMx | ||||
8GgsgjeYIS8eiXlVBJGuvqiB+/uYkDAgCAiBy6GkBV5r5tfE/wkjXuARXGJ4 | ||||
e2nQ1siH3IXTyjww77G6lTZsgXM88ChSw5fpFUk+JjITduHt7G6lmbTgt+H0 | ||||
WoBKWr2kYXE2V9phugiN5t3xV7uY8gtjggOfJHugcxSIFo6FaLcS+lY0z/oc | ||||
Ap49TOfJ2+GwfOIwDytB+kur7eQ+JZlSyjj/wOTRMiHU1AVdIAysQSdv9ltr | ||||
DkJdQ7EXRhGS58nZLqLVhzVbRxOjnmOXD7pV4flUO8wkqTkjHjnTDpGj7zOH | ||||
elHAUT94sb3/SjKu3302TqfnWcvlbZ70gD19xSc2hPU0KZvwl22EaPH53m+O | ||||
jg/3tl+irYct4lQ2km8UTo4u4zcJ4fF2COfbySOMoqmM6+T57jPnpri9gnUn | ||||
1e3MXHCUreWkT+z36JttoEBUXgjKqrVHL3pke76HaHS8Q5K6XZhmsWMdDIy/ | ||||
t7pqIL6wyxN+SU1L5iOl2rBVP7GFQxcAHcnMMRJwJJvTetMkV9fI01PTWLNm | ||||
CPSEx4vt94hX+LIbl+ktyCiX5i27V/BGuAp9zOPf6K51uBnyb+KVF73k7gER | ||||
LFCmIKs4SUbAijeSt185h6qL+3XuvyaXx2MpDEFgL9iIfgV3ZcbWCI+jXRbj | ||||
OZGow96lGCUPSycGMbSiJQXvLcWDETWomXYb1LWZuFAYLoJN4Xnpk8oCDUWC | ||||
Mkc+qRGX2oMV71drhsqxfo7RRWgSu84o5krrvpIfUYdUuqhgSdprL6z5bpaA | ||||
yRzHX3pPWjAwxJqKZCAnaOcTNTDRqbUHCf/nYF8EFAnNkw4mgdV+J/wGFEHr | ||||
MKNED43mLpODRr5iEHtBhEBArYIgKu85euINFM8bn5txSoViQPk4aODvK7IO | ||||
eHN1kl9qFx7y72WIzrFkB/slNNJZQQz8Rhf/abfb9Ac1HAI8MBv43Q/uTifz | ||||
C/4yUbLCm1TympmSpGZ3ymUbcRcMF3XSMyrZMmq6noxIaniyKoj4NGK8pWWY | ||||
VIdmr9Zled5Do+eQ0l3t+AMcji+DHfse7n4zrnDauzwF7Bo16Nk0Sy+h76h1 | ||||
O60vQfJ4yauKv8C6uoXFvxctbdggPgkk86Vn1o3k4PD5SQ/YYyunNHa4hnjV | ||||
GkhdK0nUqHfe5WfuQT/rFUshfJcQKYRLo5wzvClrZzssMHxupBHcXNmDKxS8 | ||||
HZ2JNcEkt5exXlkxEFLAVSlpE6YM3nFgfGSMDW+t0dBGUn0vKLoBi5MHbWgm | ||||
IbBowjvOI6mBQooMwXANlBoNhY0Bwp0x1HjmUeok84PNuQQVEFk7jIrE0ovs | ||||
dXb35gpD1UB4AZKb0+/vJSSVzdtanosg24cSlMRQ0hFUCaEhXlBEams6n0xc | ||||
tYHITegZbGA0UUZaGZrNRfTyBK4bUilcPBoNVHkRg7ARmbopBaLkeflCo1lJ | ||||
RVlGZrjsBIyxa9zgCHD7wrjdcNFCNx7PuZSx09C8NnhVZvNRwQUoSBW/0AwI | ||||
7WGYkpqV6lfAzfAruOz5ZlegOq6SxWeEDJ5yRnBqlmDI/Aa0gaZiLwyO0YeO | ||||
IoAp1oGToT6MXEh/x5BvqHNEy9twuD0rWwKIYNc4YCdmPZtJlwEs8NVmIOut | ||||
RM24BQjaMp1AWx3B2gjbqblN7AMg6wDHKv/bfzDCJKGi5hMR4+4TLZ0lpsa+ | ||||
asEaDSXOuP6YWzGy6oo4LG4OjfuW1vkoeipEyYzCVowMxsXPspHeGPJSzLWU | ||||
sXpup7YpSu732MGyJRreZqM5cejzCRFKKhQ9hXZBJeJ4B85AoZWSbLB67hEf | ||||
LhwbkStRdCZopcDaGvqUIwLK1YUPY0pfYesSWXi5UhQh8PPJdC5DxdhHnyEx | ||||
CxIZCHBRx0TjwF4EDiqKvIvbIR3oqs76X+Hg9sR5onDGTQqVdcyMCqPAKuRl | ||||
wCTGoIaX6qzxX6OYGxVzcWvpovDCs44QMRKsQgKel04jrc2N1AnfqpYQP/cU | ||||
p5eOC/epXBrG5Hmec6VxYJioQdfZHKkUd3iHtCuDimKeLrNsJv6T82l6BTSs | ||||
Wql6j5AeSWJGP4Z3zGtBRJwOLPJbKshGd/bMTwgNY2S8mhCWMTxGtcyrQ6+9 | ||||
AHknvH8kTH2FqeFtSs+ckclvMgssjn7SzWj30WgfRJe5b1kBOpuTMc88Uvpo | ||||
F00i8W4kyl5wZKnCsZj/sP3sFiSRmcYuYkDG+lqP4JccoBDpk+RQFGscnSi6 | ||||
YzEJZppM8/Ktk2louehGu5uklwhYnvq08CCqINk2odVEbXiCC0uFqKdKXVAY | ||||
yPM3u6+P7q38iWAPIvIQLrczMB+oGxDDdbPkJaZXTbLY1OylS4Nr7zyIJb16 | ||||
ya86FTrkyvqpKddOPZYCwYO3FIfQI3Z3eoVZ1ELPKarGmO1eynPOq4R3zYS3 | ||||
MmeIYLihpsP5JYwIfXHtCrx8OFT44A8cxWACKxTr18QEGHEaRytAvEHc8JZL | ||||
34tqgOELpxlFdSGxN4j2CwrnQi0U5rECb36DCagRWgP6FCTH1ztuJHRT7jnL | ||||
eUWTO9z5dpenSQOCiVQxAtBK71OOJB8AGRYt5cvtHZ+jykheksPtdrRCLHa7 | ||||
2a7ogPGaenu7YIRgD/BSQVcBq0F0Jx4dbx8e4xffbe8fn7yUIDB08JcBRhkq | ||||
EPsKyQ3n0CgjYq4PCzLOtDKJibFwXYvZU7rE3re/eg2Kym5QLpIb5CKbSeM7 | ||||
YutHKh3tsHR0hNKRRN/7ntC5xem/tAZauicQqUo5JnlpE3WjcrrxiGWYVNwA | ||||
F45lIo9L6MLpzQ4hjBoxX0r5Jvh1EtsowhJDEeeTWcWcWJpRx4EOsBNvrgqr | ||||
FaboD29FxT8fv/hIxvirtayXiQniaXNJGnM0uS9CrSa/rdFLH7Pz2uOCnfeB | ||||
G5F2HXbzyB6+PXyGv7bjs4OladJpVkbz9vEhZ3LAKF6KqtDcVddAahuRFCsF | ||||
aO4blwwmnPmZ6TSP4lZKCrN7fKs7r18evNjDdt2BrdP6HSsy9VZrdq7KCAbO | ||||
tv+T8QE35GBVfgIa9w03vlxmgh8sr3iSH/wUJF+/cAsIcvDRJD94JMlTDwd7 | ||||
h0f7RzJxJg6Y+P0U4SRpIY1HUwahggopBFEmZiXZuuAsoR5RMdQQal4PD8Tj | ||||
1jogKLcWD6PNJ1iENqn836+Y2dP3ppxq8PPD0oIv+Fu4uAxgbPfRTR0S/Wux | ||||
TPy5XtJL6JcxJLfydHr/f7q39YV9ux5tYduHxkrfHsRHBceKX3xRBx+uDPqT | ||||
xvotq9I/91CFu37SUIP97z92oI1g/wkF/r6BerqPv/ri/sF/5KQaMbEMVh7x | ||||
1kN9NeLtgUavF4+BiWDhqsAgmS+u1I7FcJwHTvDCz7W87gPvNyJq5QE9xDcW | ||||
fH7vWwsX6563/I0Rs5Uv7kP6v6/ysxGmIx0mutqt+hIYFCuM3WkrvKddvtEe | ||||
dU0/3Li0GdzQpJo7WUk9OaGIw1aYRysriohaH0gbwJxXao9+kMTwQTNmHtcV | ||||
Idm/84CQ3Pt4IfmecclgFgnJvU8Wkvmi7C9Sdvsfq+zeMyfp0s5p4UHoP7hC | ||||
pjXexP7jBdaHW5cmP1pW/aAeAiGd96j/kKy6QHt5PN0Ofha6rVVkaCK+33rS | ||||
xb4+WjR/9JA+TBSu//Gi8KKfh660WGjoPra1WrFtsTQs3O2nlDAfI7h/vIT5 | ||||
aUMNJMxHi8K1GsbigQrf+Uk1jEdLwx+lYXzaWKP9f+xQa0XYxSKqO6SfdK4a | ||||
AQUMHpBH75cgF3/reMhHioXJDkcjvCjOl5YOn+1IUPFWcjCmokwcaFeJLfk8 | ||||
eYbsrNUjqaDV6yG8PZbZoBQ5fAEd4Ohz1uxK9GxwwH1O3gnXQodb6HILh1rS | ||||
zqWtUVjjBdeZLGdY6QmuttP0nB7fv6SMMan0SOmZEg4+yiZ5OsbAcUmmcJ9P | ||||
+XYvuVQIheYVk5b8yf7uCbq3GFhHw4AwGgUHkE5cUz7w0Kc3iJvxj/N0Mptf | ||||
auWMaUmj3Rmnxh9hEoukQUVxYHeVj6XptweSVYAr6SaCjqkrF+1IId/726+2 | ||||
JR9n6rWoz33JT3jwWX6O7sLVJlVPFVlBPuyuyy5cyqpOL5Pl0fzy8m6Zvvgm | ||||
nV4Wk/xP+BZsKHVOX7yRSAaXg80fbw8Vk47yW/y2dzd52zu8MCeHphCPrZ3i | ||||
vp7KkGhXMFiNvtnzcj5KEAoM4kZh0W7iFzqIQElX/wqG3CL22oyymRg2hx5/ | ||||
KSLlKBvNbfg474sZkfMXYnhsMbqjt49h+XKGrdBNy0uMwMgnmAnf+hVSLGoS | ||||
jqDErTidT5Kn6CbjwwkPinN3ARkZn4k0deOiH6bkiY/CKeQppO5pMc7qDH5k | ||||
SwwSWpekwg6TepQJhY9jVgEHewxvZovIwpPABpFAd7NmUluaDSLwL+TiQQQ+ | ||||
/VwGfaRJK5oEEnhevSCGk9RJu4NkPPry1Y5WLxIjqGZOytdKDYRoMpb8cYxU | ||||
Iq+SP6tdPFpX43SIxwS96+jAUgL5JpqCOceSXz6Ocg70DLuMRUIe1uzDaGxG | ||||
aG64it8r8tABook7drNjNd1Jdl7g0uHz4tilfXmNgQPKkXRbHNslXylDFmNw | ||||
YsD9gSxdNW7dt1fppaL3l6gRSFacJyGkQiyjqrrcGeFMBk1tYWw/Bp48Pcwo | ||||
UTp4uKm7TPFWOez+LYzwbpxZfkWsaSxoFr7oxsyf1y3NnsEcHjh//NcJVZwM | ||||
XzcvNTWgY/lk2d5Wy61l3QA4CPktvrbMQR/LSNkaeaND01MzlupPlew5xqHU | ||||
x19xZCAvD5s/JE4h8DfrwB1L5pxD+dgVw855bzkf8fQumfCW7k3OCZipvKKw | ||||
mHiodPE4QH9Oa/O3EFPliPzpZsxABfO6e8NeQebcGNaxzqxjg4UGIWu8z2CM | ||||
Aua1vStr4Y7Nl0mnmRz4ZH+5UuTGu6Y38bXybjJLb3+Bb7LN58YlOf7CZP3K | ||||
VxraWsPFYO/0wHiM5mlQ4103ZWH1Cl2Og+fy255e5YUrnswTfZuP3NoFZeQ9 | ||||
xi2HBt2ZRDPy7Icp3eQNcggAjnB9HAghhiiawMjdWsqIODsiCr24J48+ZvUK | ||||
IufjPTTcxy1iGV+vCYm2l5L8aiIINCjqqRvmL+wlDJ/z+cWgEUvPVHGUdsaX | ||||
fkGQNRQcVJjiUbzAdDADCDUh8xVZhb5+sWOJdo2Jdp2JlqbX8pFuInEVjuKD | ||||
8VxleIfcYEAQp/K4WDQHnKX3o1LhnXIjieE0NQTilWShXzFL0lk4ELmWXFwP | ||||
UVvNJeVHm4ZiX9Ig4NIbEtLgmpllHLJEsUDjMvuH5Iq1jZIQSS+BVlbMuq3y | ||||
uq1JCS0U/ly6YJmOXd2SMF6akxv4Fc6hfKr5rAYbHRrrP4X/DPjBXa6GOEdO | ||||
x0xDMWwwVwfzZyS6EsOfYOScaFHlwgT0qzHvhA7CEVSnOXDEaQ5iJmURRgYC | ||||
PgimeCqlnbIQSDuSS/aWgAWgVrYUsOGyXjpb0ltbABQZNoHiyWhrDT0ohD7G | ||||
bgH7for1dZM6qTNzyApoN+N2CMhrOKvhcZ9TSfDkdA4CEawP6itYCFhuDLPZ | ||||
A97s1SUVyGpoVgOKw88obvfGZvOWS7qmjiMy1XDaL5beDWA3ZDe8tg0LO2H8 | ||||
OYwMvqDt5WhuYgQpRrO1qEMt9+56fGnLufNk8BJR1Y7qF3GY3ZK8sRukxOiN | ||||
U/8tSIyseT4l5dX9ad9iktQ72YpQu1uLwSrrNlvH8EJyUvVMCAvbfaYPIKS0 | ||||
OYXEBSW02RB4zPlSraDV0uBlbc/Iqws1D31WwK1FZSK0XOMkgLUm944+DYR1 | ||||
lssdS2CFBn6cIS4F2tK8UEeJHi4M8RiyEUjCeM3pWy8rCaLBiYcH4AKb4rGw | ||||
ilGfz8BAVNCpltLg7rtSJrfbFu3Yj6zuXJiaIpy6GR2QOnHBPoLnpULmwNKl | ||||
ZPUKa4WMckiAPnBKqC7BY6/xw+xmmrMk0m+vuvW2FEjb8lCJNw1lNtGi2tj2 | ||||
I4CZLM4LJgp4hW4VFTp3PU8sn9+tzmDD7T0azhSSg/mjB22ptLSnr3kB0zB+ | ||||
5FVWath9ppKzvkaGNlIkTziTZXpOmCtGypXbM7j/XK6KPK6PiaKpjYisS/fR | ||||
nKvfjMf8UCm6rgjSyALK4QUI++MsHiPxI7iwfSIIShnXRT4SfCakcjS2IQ2L | ||||
IuPyZ2GUaG9zrAHYyuC2fwlvcjlp+iDrO4YJf9F7+9/CL0HiSfzkK8412nJZ | ||||
GLVPM7q+SAqGQonk80mch+8KpFyk02yk1saAGcJuqjihiadKuC1NfpM8qDBJ | ||||
pjI+0+RzHylvG5WEfq+T7rnlRF12HKK86CRabPWkoG3aYyPlhdHhqpxg4DYu | ||||
uigmV2lZOmHSmZYY+F5VAnnVgT4EkWhhnUpEc5zmGUJNSyQ6iftqNjOmFGvr | ||||
oc84v8ssiS+87QRbszy+bLcaS+QwMhosJW9LapcYI63SqqjHCJ7lQazFNozA | ||||
5XnW8vcLsE8R6FBsvBJlFpdXhxgI15x2gXboADsoeOYeOdCK6eigQDllCOL3 | ||||
NEIimlAZD764lgKK9zyZs1HgJhVkPHnuWQGC7iiJTzT5eB32DJuOvPnODEt5 | ||||
ogk7DAyw96ja8MVCPYe/tWHdlucbA5g7ntu77tcgtSEYLjCfPCXWKDZvCy6U | ||||
IH4RgT8pn6rxKEc6mJEEeiwJ9FlYQPh5IsPgkS0mIQKIQNoWruyNv3Lvav0d | ||||
5MBLD980H0vLH0Ncld0kzvY8nV2MQYRoJkcztFHALy/T6RDUsKMs5U/P4N+l | ||||
mhu+vqDs/Sr2y+N9d+kT2zGU8qjD5feEvWK6Nf6iSEPSKJLney/L6Bk5NfUF | ||||
ds04eBWP9x957kNtAPG2/nEn2Gc9X3FufnBgluTWGqcTf1XYEbsldsrGTrsf | ||||
DJGS5CfEy2t8AuwN7Ha3ZGyuNs3Ijj0GUg3XR1n1GwRvwpCWnaPgcynCNRkF | ||||
tveFa058a+e746dxO+quE+eJXtnuUueDGCwywRecpHjyck2DBXU/aaRjdMZx | ||||
uZlQkltRM1RIokvCoLbc4SWF2s8tpTcE8ArlNkIwJ5vsXbAh7PorExByJd+I | ||||
N4wA9AW83Z2JWC/UkWGqXZtmRyteAL+BzSvmU7ilSPN3Xbu97rALsNvZEv1O | ||||
nC0KmZ4zIVFilq147iL1HIe5IlIiGlEqRXMHLiyDeKHWwmk/Q754VOylr4Xl | ||||
ubm8zaljIh/vCiENVFwWC2mEGn/DhIKUAp/smPsRlDlKasQeMi3jJ0wXVHm0 | ||||
H/jlYfdYZ1OW5+uT31RgJJzRw4r0VElJDRyiZW7vCAgF/tZ3r0lBZc0iDvR5 | ||||
WUAGdP7zP/87WTKshCPagN4MLJ2zA7ViFogOsbqkBk2SVHedscBuAAvQ/oag | ||||
hGjrrDoTtD4atRUi1PDiMhgnFjqoukHB2AyBm5GC/teMr5cDy3BYgyYNiKDm | ||||
ek9Ud4ENVvxawqDzZiDnj8d1dAAfDkoIhVASKHQ/jWXK3hWkSMJzoRFQZSYE | ||||
O4gHCBuJajIi6kTp27ixNG54pPrVB5gZXV8Y9Mck/mQyH49lWZ5gJbQnangj | ||||
jEMfJGLjZcMuibv5m0lNaqTXZKN4o4GRG8t7h91FnQ05SgduYDsnt9aL702B | ||||
TqfIZyjjqNvCj1TMHEJzBLJ4AmLWoZPzEIyJPm4SE7V6uL8P8IieeCmVXWJl | ||||
ZhiCKiW/oLFiOjwZOQn3y9eOmRDC5ziXJmGDLlMkV1mmXVF76mEBLdGa+8KM | ||||
IThvikl4+yDVocQRplFSA9t7R62vd14yN7tI4f97HejooBjfdfsdtfzKrUb7 | ||||
gvYn2oKbgu1QZslwu18dbTu1aOYkNsuxnZM5iEmSq8CrC5KfL8Usyvlpy/EH | ||||
5S60bSDtkjxtjZ0+L51r6E7Ts1mrko5OdyS3JU/TMhDUp5azND78WrOTDEUW | ||||
fBDFo8y899w05Czt/lSwP6qzvhWu+KxOZ87dHMn9IraQfkjNy4Je7XU8B6cC | ||||
/OIaKzJiz5FgLYRiQ5futCknS71AWWrZP221KFXqPUUvy2W17K8ja1o2oqAL | ||||
WRir/xvneAaXB46fhvvyzRElORx98/rNi13xUaE6KNuAuL8+34DAsFsO7A0X | ||||
qsOaL8ca2XuObykCWuYvTTvy3FgKxRpX57LnTRKPtowRCsmy+DrDVXKatPpm | ||||
9oC5EZhmnZMmHpfw01pocHsgFp8FVEMfPAnGyfrA1cK8dXl7fgs61BhBf7Fu | ||||
zzIaqZfvKeyzbKfnI82oIIg5MCcDczzY7dhZ2/LrqQdttd1LlvX8Gdf46/ls | ||||
DKQovb1WByAeH6yORhb0k27yZYL3YZBc4vuQWjwu415tDs2EPAthKj58Gpwb | ||||
S93k+o3CKe1FKzH1jFGsLEV8DQZJut9eZ33CKXScKz8x64HPLId2D8oxQm1/ | ||||
WbcO9X+Dm4geGSRq9LgOSWCtrvM9BqCYwl3lBrJM10sL1UAZ8RbBuQo5mQ5g | ||||
mcOfdgXAvIQHWGl1qC/LgUymlgbnlEeUdLwFaRcwANLTF3s6O6tCX8ymDjPE | ||||
K3l2hCc68pPVdBTr57ER65ESmz6E9WWSa5h6MY2+CQ0Xpe6ts27ZebH3qjPY | ||||
qojYgRfLnkhvCiDtEYGkTd2hMqBqJFirAsFCeVNuhLyYNMyUuIAkT2iFm1zG | ||||
EIHlZrK8/y3+gm1Z3EYWIRyesXPoK00O7M7pBRNsnm4nP/iCUXMwxpAK20iF | ||||
+1Kvllwd9FzUm7e0Q6evt2D3Ax4RMDm9OcnecpYiFpRfC7NdbGLs9N12pVMq | ||||
vuYA6d0hp4GcAqdh0CPzlSxE5P61HEKe2AmkQXbQrLKpIljL7w8wjeSQ1tJp | ||||
qQbfjzw/HHg7UdC7h6gEhd+TPeb9HSc6z9LzpOEMqyRk+mVaefyqB7xlZ9GB | ||||
seeEjYSdXs390oX7RavVqR+zZhi+Dn21iUG7L8oswYZFisZHMQeO6F/Eb5zz | ||||
OXYIYKCWP4QkCjmN3a8GG/463a2QER8cPRckqPDzkGNY1PnTO1ZiuMBAFH/+ | ||||
bksitbLRl8uTYlnLspLAAOqJK9aUTt4uvXv3budiivcTENn2Zfnjv5Tl+/fv | ||||
m/jFNoaFwIynRfLVdD7J9fPnKagOOSwDvPLVRTo9T6/TiX65k05LjH36Cq/4 | ||||
ifv4OL+E436H+wtilX76FYarligxFDPY4ql+fljAuyDUTO7G+Y1++BIj3iYY | ||||
vjS8iD+bv830o11kXyD2pOUModj14xcwrmQPgYpm+pFY3JNnKYY6j92TxY// | ||||
ZZg8Q2NbPk3dBC6yvEy+nv74Xyen2fAiOSDTSOYm+Cwbw6H4+sd/QTArNxGY | ||||
AuYTvM0nbs7Px+m8xA9nfnCHc2Ca32ClkezOjO4M38bNKf5UXJspD5P98Xxy | ||||
7sYG/GAKenHy65TuYP14DwNFk+fjLHej3Jvmb+ETYMymGxDhn6PXYmo2/pb2 | ||||
vYQvMIoQxqDf7eN5S17k8/I6Tf3yHKZnKXoufvy/Jq0XP/7fV9mfPLWwhwON | ||||
VjmWfvNrcw3K6CsgHuA0hrbGmGKDxOOGmI6v0xGcqYMf//PUN3yYok/qIJuO | ||||
zbPc6AEK/8MLdKL6Zfvxv9xkk0lyCIs0H14UM7MmQ7zBQWAfu/m8zIFZZuPk | ||||
EP+djsrCUzKcomuksKP0Ypz8+sf/CuLkxBDC/5hiYMCf/pQiCR/B3vt1/XV+ | ||||
mRxBe1hyJ+wGP52exWcIPv3xX4Jj9OviAj+ew2XiWn0xH93kmPqdz9zafDXF | ||||
83yUXxWl3+gU5NBxep0cXd6VF+O7NHM09W06xmKi+MXYU9qBFFRA7RMT6ou3 | ||||
bunhtoIPpvP8rW8iLy8msPrJ0RxE8Sn83x/SkO5w5S6DBSFXV3Kcj4uhW3n0 | ||||
eyXHWM9walcJFunbLB+Ps9ks86+P8//nP6bJt/P//n+AFPzf/xc38nQ+Tr4r | ||||
KCuJPgNqpqXK8uQ3NKqlMwLtQsFVg/VFfqVrf8IiBbk9Z1RmrFRPEEVhorbX | ||||
Tr7LyMqcSeEcwqkbZacShsSwlIhIHO083Q+YbCYRulj6JxxKHkYx4m0M5+Iu | ||||
GkfOThCuvUlDIrj9YvqWTYUYEiZCPeEWStQwiDcYmxqDfX3T6/Q6aE0hKPKj | ||||
/Wf7R61v0D3SOJ/ilUEQq9TW5mpvbbWH+dKYSXg2np+dLf2/xGpO6kwMAwA= | ||||
</rfc> | </rfc> | |||
End of changes. 332 change blocks. | ||||
5812 lines changed or deleted | 2820 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. |