rfc9529.original   rfc9529.txt 
LAKE Working Group G. Selander Internet Engineering Task Force (IETF) G. Selander
Internet-Draft J. Preuß Mattsson Request for Comments: 9529 J. Preuß Mattsson
Intended status: Informational Ericsson Category: Informational Ericsson
Expires: 30 July 2024 M. Serafin ISSN: 2070-1721 M. Serafin
ASSA ABLOY ASSA ABLOY
M. Tiloca M. Tiloca
RISE RISE AB
M. Vučinić M. Vučinić
Inria Inria
27 January 2024 March 2024
Traces of EDHOC Traces of Ephemeral Diffie-Hellman Over COSE (EDHOC)
draft-ietf-lake-traces-09
Abstract Abstract
This document contains some example traces of Ephemeral Diffie- This document contains example traces of Ephemeral Diffie-Hellman
Hellman Over COSE (EDHOC). Over COSE (EDHOC).
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This document is not an Internet Standards Track specification; it is
provisions of BCP 78 and BCP 79. published for informational purposes.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are candidates for any level of Internet
Standard; see Section 2 of RFC 7841.
This Internet-Draft will expire on 30 July 2024. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9529.
Copyright Notice Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents
license-info) in effect on the date of publication of this document. (https://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. Code Components carefully, as they describe your rights and restrictions with respect
extracted from this document must include Revised BSD License text as to this document. Code Components extracted from this document must
described in Section 4.e of the Trust Legal Provisions and are include Revised BSD License text as described in Section 4.e of the
provided without warranty as described in the Revised BSD License. Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction
1.1. Setup . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Setup
1.2. Terminology and Requirements Language . . . . . . . . . . 4 1.2. Requirements Language
2. Authentication with Signatures, X.509 Certificates Identified 2. Authentication with Signatures, X.509 Identified by 'x5t'
by 'x5t' . . . . . . . . . . . . . . . . . . . . . . . . 4 2.1. message_1
2.1. message_1 . . . . . . . . . . . . . . . . . . . . . . . . 4 2.2. message_2
2.2. message_2 . . . . . . . . . . . . . . . . . . . . . . . . 6 2.3. message_3
2.3. message_3 . . . . . . . . . . . . . . . . . . . . . . . . 14 2.4. message_4
2.4. message_4 . . . . . . . . . . . . . . . . . . . . . . . . 23 2.5. PRK_out and PRK_exporter
2.5. PRK_out and PRK_exporter . . . . . . . . . . . . . . . . 25 2.6. OSCORE Parameters
2.6. OSCORE Parameters . . . . . . . . . . . . . . . . . . . . 26 2.7. Key Update
2.7. Key Update . . . . . . . . . . . . . . . . . . . . . . . 28 2.8. Certificates
2.8. Certificates . . . . . . . . . . . . . . . . . . . . . . 29 3. Authentication with Static DH, CCS Identified by 'kid'
3. Authentication with Static DH, CCS Identified by 'kid' . . . 31 3.1. message_1 (First Time)
3.1. message_1 (first time) . . . . . . . . . . . . . . . . . 32 3.2. error
3.2. error . . . . . . . . . . . . . . . . . . . . . . . . . . 33 3.3. message_1 (Second Time)
3.3. message_1 (second time) . . . . . . . . . . . . . . . . . 33 3.4. message_2
3.4. message_2 . . . . . . . . . . . . . . . . . . . . . . . . 35 3.5. message_3
3.5. message_3 . . . . . . . . . . . . . . . . . . . . . . . . 42 3.6. message_4
3.6. message_4 . . . . . . . . . . . . . . . . . . . . . . . . 49 3.7. PRK_out and PRK_exporter
3.7. PRK_out and PRK_exporter . . . . . . . . . . . . . . . . 51 3.8. OSCORE Parameters
3.8. OSCORE Parameters . . . . . . . . . . . . . . . . . . . . 53 3.9. Key Update
3.9. Key Update . . . . . . . . . . . . . . . . . . . . . . . 54 4. Invalid Traces
4. Invalid Traces . . . . . . . . . . . . . . . . . . . . . . . 56 4.1. Encoding Errors
4.1. Encoding Errors . . . . . . . . . . . . . . . . . . . . . 56 4.2. Cryptography-Related Errors
4.2. Crypto-related Errors . . . . . . . . . . . . . . . . . . 57 4.3. Non-deterministic CBOR
4.3. Non-deterministic CBOR . . . . . . . . . . . . . . . . . 59 5. Security Considerations
5. Security Considerations . . . . . . . . . . . . . . . . . . . 59 6. IANA Considerations
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 59 7. References
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 59 7.1. Normative References
7.1. Normative References . . . . . . . . . . . . . . . . . . 59 7.2. Informative References
7.2. Informative References . . . . . . . . . . . . . . . . . 60 Acknowledgments
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 61 Authors' Addresses
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 61
1. Introduction 1. Introduction
EDHOC [I-D.ietf-lake-edhoc] is a lightweight authenticated key EDHOC [RFC9528] is a lightweight authenticated key exchange protocol
exchange protocol designed for highly constrained settings. This designed for highly constrained settings. This document contains
document contains annotated traces of EDHOC sessions, with input, annotated traces of EDHOC sessions with input, output, and
output, and intermediate processing results to simplify testing of intermediate processing results to simplify testing of
implementations. The traces have been verified by two independent implementations. The traces have been verified by two independent
implementations. implementations.
1.1. Setup 1.1. Setup
EDHOC is run between an Initiator (I) and a Responder (R). The EDHOC is run between an Initiator (I) and a Responder (R). The
private/public key pairs and credentials of the Initiator and the private/public key pairs and credentials of the Initiator and the
Responder required to produce the protocol messages are shown in the Responder required to produce the protocol messages are shown in the
traces when needed for the calculations. traces when needed for the calculations.
EDHOC messages and intermediate results are encoded in CBOR [RFC8949] EDHOC messages and intermediate results are encoded in Concise Binary
and can therefore be displayed in CBOR diagnostic notation using, Object Representation (CBOR) [RFC8949] and can therefore be displayed
e.g., the CBOR playground [CborMe], which makes them easy to parse in CBOR diagnostic notation using, e.g., the CBOR playground
for humans. Credentials can also be encoded in CBOR, e.g. CBOR Web [CborMe], which makes them easy to parse for humans. Credentials can
Tokens (CWT) [RFC8392]. also be encoded in CBOR, e.g., CBOR Web Tokens (CWTs) [RFC8392].
The document contains two traces: The document contains two traces:
* Section 2 - Authentication with signature keys identified by the * Section 2 - Authentication with signature keys identified by the
hash value of the X.509 certificates (provided in Section 2.8). hash value of the X.509 certificates (provided in Section 2.8).
The endpoints use EdDSA [RFC8032] for authentication and X25519 The endpoints use Edwards-curve Digital Signature Algorithm
[RFC7748] for ephemeral-ephemeral Diffie-Hellman key exchange. (EdDSA) [RFC8032] for authentication and X25519 [RFC7748] for
ephemeral-ephemeral Diffie-Hellman (DH) key exchange.
* Section 3 - Authentication with static Diffie-Hellman keys * Section 3 - Authentication with static Diffie-Hellman keys
identified by short key identifiers labelling CWT Claim Sets identified by short key identifiers labeling CWT Claims Sets
(CCSs) [RFC8392]. The endpoints use NIST P-256 [SP-800-186] for (CCSs) [RFC8392]. The endpoints use NIST P-256 [SP-800-186] for
both ephemeral-ephemeral and static-ephemeral Diffie-Hellman key both ephemeral-ephemeral and ephemeral-static DH key exchange.
exchange. This trace also illustrates the cipher suite This trace also illustrates the cipher suite negotiation and
negotiation, and provides an example of low protocol overhead, provides an example of low protocol overhead with messages sizes
with messages sizes of (39, 45, 19) bytes. of 39, 45, and 19 bytes.
Examples of invalid EDHOC messages are found in Section 4. Examples of invalid EDHOC messages are found in Section 4.
NOTE 1. The same name is used for hexadecimal byte strings and their Note 1. The same name is used for hexadecimal byte strings and their
CBOR encodings. The traces contain both the raw byte strings and the CBOR encodings. The traces contain both the raw byte
corresponding CBOR encoded data items. strings and the corresponding CBOR-encoded data items.
NOTE 2. If not clear from the context, remember that CBOR sequences Note 2. If not clear from the context, remember that CBOR sequences
and CBOR arrays assume CBOR encoded data items as elements. and CBOR arrays assume CBOR-encoded data items as elements.
NOTE 3. When the protocol transporting EDHOC messages does not Note 3. When the protocol transporting EDHOC messages does not
inherently provide correlation across all messages, like CoAP inherently provide correlation across all messages, then
[RFC7252], then some messages typically are prepended with connection some messages are typically prepended with connection
identifiers and potentially a message_1 indicator (see Sections 3.4.1 identifiers and potentially a message_1 indicator (see
and A.2 of [I-D.ietf-lake-edhoc]). Those bytes are not included in Section 3.4.1 and Appendix A.2 of [RFC9528]). Those bytes
the traces in this document. are not included in the traces in this document.
1.2. Terminology and Requirements Language 1.2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in "OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
2. Authentication with Signatures, X.509 Certificates Identified by 2. Authentication with Signatures, X.509 Identified by 'x5t'
'x5t'
In this example the Initiator (I) and Responder (R) are authenticated In this example, the Initiator (I) and Responder (R) are
with digital signatures (METHOD = 0). Both the Initiator and the authenticated with digital signatures (METHOD = 0). Both the
Responder support cipher suite 0, which determines the algorithms: Initiator and the Responder support cipher suite 0, which determines
the algorithms:
* EDHOC AEAD algorithm = AES-CCM-16-64-128 * EDHOC AEAD algorithm = AES-CCM-16-64-128
* EDHOC hash algorithm = SHA-256 * EDHOC hash algorithm = SHA-256
* EDHOC MAC length in bytes (Static DH) = 8 * EDHOC Message Authentication Code (MAC) length in bytes (Static
DH) = 8
* EDHOC key exchange algorithm (ECDH curve) = X25519 * EDHOC key exchange algorithm (ECDH curve) = X25519
* EDHOC signature algorithm = EdDSA * EDHOC signature algorithm = EdDSA
* Application AEAD algorithm = AES-CCM-16-64-128 * application AEAD algorithm = AES-CCM-16-64-128
* Application hash algorithm = SHA-256 * application hash algorithm = SHA-256
The public keys are represented with X.509 certificates identified by The public keys are represented with X.509 certificates identified by
the COSE header parameter 'x5t'. the CBOR Object Signing and Encryption (COSE) header parameter 'x5t'.
2.1. message_1 2.1. message_1
Both endpoints are authenticated with signatures, i.e., METHOD = 0: Both endpoints are authenticated with signatures, i.e., METHOD = 0:
METHOD (CBOR Data Item) (1 byte) METHOD (CBOR Data Item) (1 byte)
00 00
The Initiator selects cipher suite 0. A single cipher suite is The Initiator selects cipher suite 0. A single cipher suite is
encoded as an int: encoded as an int:
skipping to change at page 5, line 27 skipping to change at line 206
G_X (Raw Value) (32 bytes) G_X (Raw Value) (32 bytes)
31 f8 2c 7b 5b 9c bb f0 f1 94 d9 13 cc 12 ef 15 32 d3 28 ef 32 63 2a 31 f8 2c 7b 5b 9c bb f0 f1 94 d9 13 cc 12 ef 15 32 d3 28 ef 32 63 2a
48 81 a1 c0 70 1e 23 7f 04 48 81 a1 c0 70 1e 23 7f 04
Initiator's ephemeral public key Initiator's ephemeral public key
G_X (CBOR Data Item) (34 bytes) G_X (CBOR Data Item) (34 bytes)
58 20 31 f8 2c 7b 5b 9c bb f0 f1 94 d9 13 cc 12 ef 15 32 d3 28 ef 32 58 20 31 f8 2c 7b 5b 9c bb f0 f1 94 d9 13 cc 12 ef 15 32 d3 28 ef 32
63 2a 48 81 a1 c0 70 1e 23 7f 04 63 2a 48 81 a1 c0 70 1e 23 7f 04
The Initiator selects its connection identifier C_I to be the byte The Initiator selects its connection identifier C_I to be the byte
string 0x2d, which since it is represented by the 1-byte CBOR int -14 string 0x2d, which is encoded as 0x2d since it is represented by the
is encoded as 0x2d: 1-byte CBOR int -14:
Connection identifier chosen by Initiator Connection identifier chosen by the Initiator
C_I (Raw Value) (1 byte) C_I (Raw Value) (1 byte)
2d 2d
Connection identifier chosen by Initiator Connection identifier chosen by the Initiator
C_I (CBOR Data Item) (1 byte) C_I (CBOR Data Item) (1 byte)
2d 2d
No external authorization data: No external authorization data:
EAD_1 (CBOR Sequence) (0 bytes) EAD_1 (CBOR Sequence) (0 bytes)
The Initiator constructs message_1: The Initiator constructs message_1:
message_1 = message_1 =
( (
0, 0,
0, 0,
h'31f82c7b5b9cbbf0f194d913cc12ef1532d328ef32632a48 h'31f82c7b5b9cbbf0f194d913cc12ef1532d328ef32632a48
81a1c0701e237f04', 81a1c0701e237f04',
-14 -14
) )
message_1 (CBOR Sequence) (37 bytes) message_1 (CBOR Sequence) (37 bytes)
00 00 58 20 31 f8 2c 7b 5b 9c bb f0 f1 94 d9 13 cc 12 ef 15 32 d3 28 00 00 58 20 31 f8 2c 7b 5b 9c bb f0 f1 94 d9 13 cc 12 ef 15 32 d3 28
ef 32 63 2a 48 81 a1 c0 70 1e 23 7f 04 2d ef 32 63 2a 48 81 a1 c0 70 1e 23 7f 04 2d
2.2. message_2 2.2. message_2
The Responder supports the most preferred and selected cipher suite The Responder supports the most preferred and selected cipher suite
0, so SUITES_I is acceptable. 0, so SUITES_I is acceptable.
The Responder creates an ephemeral key pair for use with the EDHOC The Responder creates an ephemeral key pair for use with the EDHOC
skipping to change at page 6, line 32 skipping to change at line 260
G_Y (Raw Value) (32 bytes) G_Y (Raw Value) (32 bytes)
dc 88 d2 d5 1d a5 ed 67 fc 46 16 35 6b c8 ca 74 ef 9e be 8b 38 7e 62 dc 88 d2 d5 1d a5 ed 67 fc 46 16 35 6b c8 ca 74 ef 9e be 8b 38 7e 62
3a 36 0b a4 80 b9 b2 9d 1c 3a 36 0b a4 80 b9 b2 9d 1c
Responder's ephemeral public key Responder's ephemeral public key
G_Y (CBOR Data Item) (34 bytes) G_Y (CBOR Data Item) (34 bytes)
58 20 dc 88 d2 d5 1d a5 ed 67 fc 46 16 35 6b c8 ca 74 ef 9e be 8b 38 58 20 dc 88 d2 d5 1d a5 ed 67 fc 46 16 35 6b c8 ca 74 ef 9e be 8b 38
7e 62 3a 36 0b a4 80 b9 b2 9d 1c 7e 62 3a 36 0b a4 80 b9 b2 9d 1c
The Responder selects its connection identifier C_R to be the byte The Responder selects its connection identifier C_R to be the byte
string 0x18, which since it is not represented as a 1-byte CBOR int string 0x18, which is encoded as h'18' = 0x4118 since it is not
is encoded as h'18' = 0x4118: represented by a 1-byte CBOR int:
Connection identifier chosen by Responder Connection identifier chosen by the Responder
C_R (Raw Value) (1 byte) C_R (Raw Value) (1 byte)
18 18
Connection identifier chosen by Responder Connection identifier chosen by the Responder
C_R (CBOR Data Item) (2 bytes) C_R (CBOR Data Item) (2 bytes)
41 18 41 18
The transcript hash TH_2 is calculated using the EDHOC hash The transcript hash TH_2 is calculated using the EDHOC hash
algorithm: algorithm:
TH_2 = H( G_Y, H(message_1) ) TH_2 = H( G_Y, H(message_1) )
H(message_1) (Raw Value) (32 bytes) H(message_1) (Raw Value) (32 bytes)
c1 65 d6 a9 9d 1b ca fa ac 8d bf 2b 35 2a 6f 7d 71 a3 0b 43 9c 9d 64 c1 65 d6 a9 9d 1b ca fa ac 8d bf 2b 35 2a 6f 7d 71 a3 0b 43 9c 9d 64
skipping to change at page 7, line 25 skipping to change at line 301
bf 2b 35 2a 6f 7d 71 a3 0b 43 9c 9d 64 d3 49 a2 38 48 03 8e d1 6b bf 2b 35 2a 6f 7d 71 a3 0b 43 9c 9d 64 d3 49 a2 38 48 03 8e d1 6b
TH_2 (Raw Value) (32 bytes) TH_2 (Raw Value) (32 bytes)
c6 40 5c 15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 3a 79 6a c6 40 5c 15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 3a 79 6a
06 52 ca e6 6c 90 61 68 8d 06 52 ca e6 6c 90 61 68 8d
TH_2 (CBOR Data Item) (34 bytes) TH_2 (CBOR Data Item) (34 bytes)
58 20 c6 40 5c 15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 3a 58 20 c6 40 5c 15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 3a
79 6a 06 52 ca e6 6c 90 61 68 8d 79 6a 06 52 ca e6 6c 90 61 68 8d
PRK_2e is specified in Section 4.1.1.1 of [I-D.ietf-lake-edhoc]. PRK_2e is specified in Section 4.1.1.1 of [RFC9528].
First, the ECDH shared secret G_XY is computed from G_X and Y, or G_Y First, the Elliptic Curve Diffie-Hellman (ECDH) shared secret G_XY is
and X: computed from G_X and Y or G_Y and X:
G_XY (Raw Value) (ECDH shared secret) (32 bytes) G_XY (Raw Value) (ECDH shared secret) (32 bytes)
e5 cd f3 a9 86 cd ac 5b 7b f0 46 91 e2 b0 7c 08 e7 1f 53 99 8d 8f 84 e5 cd f3 a9 86 cd ac 5b 7b f0 46 91 e2 b0 7c 08 e7 1f 53 99 8d 8f 84
2b 7c 3f b4 d8 39 cf 7b 28 2b 7c 3f b4 d8 39 cf 7b 28
Then, PRK_2e is calculated using EDHOC_Extract() determined by the Then, PRK_2e is calculated using EDHOC_Extract(), which is determined
EDHOC hash algorithm: by the EDHOC hash algorithm:
PRK_2e = EDHOC_Extract( salt, G_XY ) = PRK_2e = EDHOC_Extract( salt, G_XY )
= HMAC-SHA-256( salt, G_XY ) = HMAC-SHA-256( salt, G_XY )
where salt is TH_2: where salt is TH_2:
salt (Raw Value) (32 bytes) salt (Raw Value) (32 bytes)
c6 40 5c 15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 3a 79 6a c6 40 5c 15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 3a 79 6a
06 52 ca e6 6c 90 61 68 8d 06 52 ca e6 6c 90 61 68 8d
PRK_2e (Raw Value) (32 bytes) PRK_2e (Raw Value) (32 bytes)
d5 84 ac 2e 5d ad 5a 77 d1 4b 53 eb e7 2e f1 d5 da a8 86 0d 39 93 73 d5 84 ac 2e 5d ad 5a 77 d1 4b 53 eb e7 2e f1 d5 da a8 86 0d 39 93 73
skipping to change at page 8, line 4 skipping to change at line 325
where salt is TH_2: where salt is TH_2:
salt (Raw Value) (32 bytes) salt (Raw Value) (32 bytes)
c6 40 5c 15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 3a 79 6a c6 40 5c 15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 3a 79 6a
06 52 ca e6 6c 90 61 68 8d 06 52 ca e6 6c 90 61 68 8d
PRK_2e (Raw Value) (32 bytes) PRK_2e (Raw Value) (32 bytes)
d5 84 ac 2e 5d ad 5a 77 d1 4b 53 eb e7 2e f1 d5 da a8 86 0d 39 93 73 d5 84 ac 2e 5d ad 5a 77 d1 4b 53 eb e7 2e f1 d5 da a8 86 0d 39 93 73
bf 2c 24 0a fa 7b a8 04 da bf 2c 24 0a fa 7b a8 04 da
Since METHOD = 0, the Responder authenticates using signatures. Since METHOD = 0, the Responder authenticates using signatures.
Since the selected cipher suite is 0, the EDHOC signature algorithm Since the selected cipher suite is 0, the EDHOC signature algorithm
is EdDSA. is EdDSA.
The Responder's signature key pair using EdDSA: The Responder's signature key pair uses EdDSA:
Responder's private authentication key Responder's private authentication key
SK_R (Raw Value) (32 bytes) SK_R (Raw Value) (32 bytes)
ef 14 0f f9 00 b0 ab 03 f0 c0 8d 87 9c bb d4 b3 1e a7 1e 6e 7e e7 ff ef 14 0f f9 00 b0 ab 03 f0 c0 8d 87 9c bb d4 b3 1e a7 1e 6e 7e e7 ff
cb 7e 79 55 77 7a 33 27 99 cb 7e 79 55 77 7a 33 27 99
Responder's public authentication key Responder's public authentication key
PK_R (Raw Value) (32 bytes) PK_R (Raw Value) (32 bytes)
a1 db 47 b9 51 84 85 4a d1 2a 0c 1a 35 4e 41 8a ac e3 3a a0 f2 c6 62 a1 db 47 b9 51 84 85 4a d1 2a 0c 1a 35 4e 41 8a ac e3 3a a0 f2 c6 62
c0 0b 3a c5 5d e9 2f 93 59 c0 0b 3a c5 5d e9 2f 93 59
PRK_3e2m is specified in Section 4.1.1.2 of [I-D.ietf-lake-edhoc]. PRK_3e2m is specified in Section 4.1.1.2 of [RFC9528].
Since the Responder authenticates with signatures PRK_3e2m = PRK_2e. Since the Responder authenticates with signatures, PRK_3e2m = PRK_2e.
PRK_3e2m (Raw Value) (32 bytes) PRK_3e2m (Raw Value) (32 bytes)
d5 84 ac 2e 5d ad 5a 77 d1 4b 53 eb e7 2e f1 d5 da a8 86 0d 39 93 73 d5 84 ac 2e 5d ad 5a 77 d1 4b 53 eb e7 2e f1 d5 da a8 86 0d 39 93 73
bf 2c 24 0a fa 7b a8 04 da bf 2c 24 0a fa 7b a8 04 da
The Responder constructs the remaining input needed to calculate The Responder constructs the remaining input needed to calculate
MAC_2: MAC_2:
MAC_2 = EDHOC_KDF( PRK_3e2m, 2, context_2, mac_length_2 ) MAC_2 = EDHOC_KDF( PRK_3e2m, 2, context_2, mac_length_2 )
context_2 = << C_R, ID_CRED_R, TH_2, CRED_R, ? EAD_2 >> context_2 = << C_R, ID_CRED_R, TH_2, CRED_R, ? EAD_2 >>
CRED_R is identified by a 64-bit hash: CRED_R is identified by a 64-bit hash:
ID_CRED_R = ID_CRED_R =
{ {
34 : [-15, h'79f2a41b510c1f9b'] 34 : [-15, h'79f2a41b510c1f9b']
} }
where the COSE header value 34 ('x5t') indicates a hash of an X.509 where the COSE header value 34 ('x5t') indicates a hash of an X.509
certficate, and the COSE algorithm -15 indicates the hash algorithm certificate, and the COSE algorithm -15 indicates the hash algorithm
SHA-256 truncated to 64 bits. SHA-256 truncated to 64 bits.
ID_CRED_R (CBOR Data Item) (14 bytes) ID_CRED_R (CBOR Data Item) (14 bytes)
a1 18 22 82 2e 48 79 f2 a4 1b 51 0c 1f 9b a1 18 22 82 2e 48 79 f2 a4 1b 51 0c 1f 9b
CRED_R is a CBOR byte string of the DER encoding of the X.509 CRED_R is a CBOR byte string of the DER encoding of the X.509
certificate in Section 2.8.1: certificate in Section 2.8.1:
CRED_R (Raw Value) (241 bytes) CRED_R (Raw Value) (241 bytes)
30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31 9e c4 30 05 06 03 2b 65 30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31 9e c4 30 05 06 03 2b 65
skipping to change at page 10, line 4 skipping to change at line 420
30 05 06 03 2b 65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12 45 44 48 30 05 06 03 2b 65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12 45 44 48
4f 43 20 52 6f 6f 74 20 45 64 32 35 35 31 39 30 1e 17 0d 32 32 30 33 4f 43 20 52 6f 6f 74 20 45 64 32 35 35 31 39 30 1e 17 0d 32 32 30 33
31 36 30 38 32 34 33 36 5a 17 0d 32 39 31 32 33 31 32 33 30 30 30 30 31 36 30 38 32 34 33 36 5a 17 0d 32 39 31 32 33 31 32 33 30 30 30 30
5a 30 22 31 20 30 1e 06 03 55 04 03 0c 17 45 44 48 4f 43 20 52 65 73 5a 30 22 31 20 30 1e 06 03 55 04 03 0c 17 45 44 48 4f 43 20 52 65 73
70 6f 6e 64 65 72 20 45 64 32 35 35 31 39 30 2a 30 05 06 03 2b 65 70 70 6f 6e 64 65 72 20 45 64 32 35 35 31 39 30 2a 30 05 06 03 2b 65 70
03 21 00 a1 db 47 b9 51 84 85 4a d1 2a 0c 1a 35 4e 41 8a ac e3 3a a0 03 21 00 a1 db 47 b9 51 84 85 4a d1 2a 0c 1a 35 4e 41 8a ac e3 3a a0
f2 c6 62 c0 0b 3a c5 5d e9 2f 93 59 30 05 06 03 2b 65 70 03 41 00 b7 f2 c6 62 c0 0b 3a c5 5d e9 2f 93 59 30 05 06 03 2b 65 70 03 41 00 b7
23 bc 01 ea b0 92 8e 8b 2b 6c 98 de 19 cc 38 23 d4 6e 7d 69 87 b0 32 23 bc 01 ea b0 92 8e 8b 2b 6c 98 de 19 cc 38 23 d4 6e 7d 69 87 b0 32
47 8f ec fa f1 45 37 a1 af 14 cc 8b e8 29 c6 b7 30 44 10 18 37 eb 4a 47 8f ec fa f1 45 37 a1 af 14 cc 8b e8 29 c6 b7 30 44 10 18 37 eb 4a
bc 94 95 65 d8 6d ce 51 cf ae 52 ab 82 c1 52 cb 02 bc 94 95 65 d8 6d ce 51 cf ae 52 ab 82 c1 52 cb 02
context_2 (CBOR byte string) (296 bytes) context_2 (CBOR byte string) (296 bytes)
59 01 25 41 18 a1 18 22 82 2e 48 79 f2 a4 1b 51 0c 1f 9b 58 20 c6 40 59 01 25 41 18 a1 18 22 82 2e 48 79 f2 a4 1b 51 0c 1f 9b 58 20 c6 40
5c 15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 3a 79 6a 06 52 5c 15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 3a 79 6a 06 52
ca e6 6c 90 61 68 8d 58 f1 30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 ca e6 6c 90 61 68 8d 58 f1 30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62
31 9e c4 30 05 06 03 2b 65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12 31 9e c4 30 05 06 03 2b 65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12
45 44 48 4f 43 20 52 6f 6f 74 20 45 64 32 35 35 31 39 30 1e 17 0d 32 45 44 48 4f 43 20 52 6f 6f 74 20 45 64 32 35 35 31 39 30 1e 17 0d 32
32 30 33 31 36 30 38 32 34 33 36 5a 17 0d 32 39 31 32 33 31 32 33 30 32 30 33 31 36 30 38 32 34 33 36 5a 17 0d 32 39 31 32 33 31 32 33 30
30 30 30 5a 30 22 31 20 30 1e 06 03 55 04 03 0c 17 45 44 48 4f 43 20 30 30 30 5a 30 22 31 20 30 1e 06 03 55 04 03 0c 17 45 44 48 4f 43 20
52 65 73 70 6f 6e 64 65 72 20 45 64 32 35 35 31 39 30 2a 30 05 06 03 52 65 73 70 6f 6e 64 65 72 20 45 64 32 35 35 31 39 30 2a 30 05 06 03
2b 65 70 03 21 00 a1 db 47 b9 51 84 85 4a d1 2a 0c 1a 35 4e 41 8a ac 2b 65 70 03 21 00 a1 db 47 b9 51 84 85 4a d1 2a 0c 1a 35 4e 41 8a ac
e3 3a a0 f2 c6 62 c0 0b 3a c5 5d e9 2f 93 59 30 05 06 03 2b 65 70 03 e3 3a a0 f2 c6 62 c0 0b 3a c5 5d e9 2f 93 59 30 05 06 03 2b 65 70 03
41 00 b7 23 bc 01 ea b0 92 8e 8b 2b 6c 98 de 19 cc 38 23 d4 6e 7d 69 41 00 b7 23 bc 01 ea b0 92 8e 8b 2b 6c 98 de 19 cc 38 23 d4 6e 7d 69
87 b0 32 47 8f ec fa f1 45 37 a1 af 14 cc 8b e8 29 c6 b7 30 44 10 18 87 b0 32 47 8f ec fa f1 45 37 a1 af 14 cc 8b e8 29 c6 b7 30 44 10 18
37 eb 4a bc 94 95 65 d8 6d ce 51 cf ae 52 ab 82 c1 52 cb 02 37 eb 4a bc 94 95 65 d8 6d ce 51 cf ae 52 ab 82 c1 52 cb 02
MAC_2 is computed through EDHOC_Expand() using the EDHOC hash MAC_2 is computed through EDHOC_Expand() using the EDHOC hash
algorithm, see Section 4.1.2 of [I-D.ietf-lake-edhoc]: algorithm (see Section 4.1.2 of [RFC9528]):
MAC_2 = HKDF-Expand(PRK_3e2m, info, mac_length_2), where MAC_2 = HKDF-Expand( PRK_3e2m, info, mac_length_2 )
where
info = ( 2, context_2, mac_length_2 ) info = ( 2, context_2, mac_length_2 )
Since METHOD = 0, mac_length_2 is given by the EDHOC hash algorithm. Since METHOD = 0, mac_length_2 is given by the EDHOC hash algorithm.
info for MAC_2 is: info for MAC_2 is:
info = info =
( (
2, 2,
h'4118a11822822e4879f2a41b510c1f9b5820c6405c154c56 h'4118a11822822e4879f2a41b510c1f9b5820c6405c154c56
7466ab1df20369500e540e9f14bd3a796a0652cae66c9061 7466ab1df20369500e540e9f14bd3a796a0652cae66c9061
688d58f13081ee3081a1a003020102020462319ec4300506 688d58f13081ee3081a1a003020102020462319ec4300506
032b6570301d311b301906035504030c124544484f432052 032b6570301d311b301906035504030c124544484f432052
6f6f742045643235353139301e170d323230333136303832 6f6f742045643235353139301e170d323230333136303832
3433365a170d3239313233313233303030305a3022312030 3433365a170d3239313233313233303030305a3022312030
1e06035504030c174544484f4320526573706f6e64657220 1e06035504030c174544484f4320526573706f6e64657220
45643235353139302a300506032b6570032100a1db47b951 45643235353139302a300506032b6570032100a1db47b951
84854ad12a0c1a354e418aace33aa0f2c662c00b3ac55de9 84854ad12a0c1a354e418aace33aa0f2c662c00b3ac55de9
2f9359300506032b6570034100b723bc01eab0928e8b2b6c 2f9359300506032b6570034100b723bc01eab0928e8b2b6c
98de19cc3823d46e7d6987b032478fecfaf14537a1af14cc 98de19cc3823d46e7d6987b032478fecfaf14537a1af14cc
8be829c6b73044101837eb4abc949565d86dce51cfae52ab 8be829c6b73044101837eb4abc949565d86dce51cfae52ab
82c152cb02', 82c152cb02',
32 32
) )
where the last value is the output size of the EDHOC hash algorithm where the last value is the output size of the EDHOC hash algorithm
in bytes. in bytes.
info for MAC_2 (CBOR Sequence) (299 bytes) info for MAC_2 (CBOR Sequence) (299 bytes)
02 59 01 25 41 18 a1 18 22 82 2e 48 79 f2 a4 1b 51 0c 1f 9b 58 20 c6 02 59 01 25 41 18 a1 18 22 82 2e 48 79 f2 a4 1b 51 0c 1f 9b 58 20 c6
40 5c 15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 3a 79 6a 06 40 5c 15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 3a 79 6a 06
52 ca e6 6c 90 61 68 8d 58 f1 30 81 ee 30 81 a1 a0 03 02 01 02 02 04 52 ca e6 6c 90 61 68 8d 58 f1 30 81 ee 30 81 a1 a0 03 02 01 02 02 04
62 31 9e c4 30 05 06 03 2b 65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c 62 31 9e c4 30 05 06 03 2b 65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c
skipping to change at page 12, line 5 skipping to change at line 499
MAC_2 (CBOR Data Item) (34 bytes) MAC_2 (CBOR Data Item) (34 bytes)
58 20 86 2a 7e 5e f1 47 f9 a5 f4 c5 12 e1 b6 62 3c d6 6c d1 7a 72 72 58 20 86 2a 7e 5e f1 47 f9 a5 f4 c5 12 e1 b6 62 3c d6 6c d1 7a 72 72
07 2b fe 5b 60 2f fe 30 7e e0 e9 07 2b fe 5b 60 2f fe 30 7e e0 e9
Since METHOD = 0, Signature_or_MAC_2 is the 'signature' of the Since METHOD = 0, Signature_or_MAC_2 is the 'signature' of the
COSE_Sign1 object. COSE_Sign1 object.
The Responder constructs the message to be signed: The Responder constructs the message to be signed:
[ "Signature1", << ID_CRED_R >>, [
<< TH_2, CRED_R, ? EAD_2 >>, MAC_2 ] = "Signature1",
<< ID_CRED_R >>,
<< TH_2, CRED_R, ? EAD_2 >>,
MAC_2
] =
[ [
"Signature1", "Signature1",
h'a11822822e4879f2a41b510c1f9b', h'a11822822e4879f2a41b510c1f9b',
h'5820c6405c154c567466ab1df20369500e540e9f14bd3a79 h'5820c6405c154c567466ab1df20369500e540e9f14bd3a79
6a0652cae66c9061688d58f13081ee3081a1a00302010202 6a0652cae66c9061688d58f13081ee3081a1a00302010202
0462319ec4300506032b6570301d311b301906035504030c 0462319ec4300506032b6570301d311b301906035504030c
124544484f4320526f6f742045643235353139301e170d32 124544484f4320526f6f742045643235353139301e170d32
32303331363038323433365a170d32393132333132333030 32303331363038323433365a170d32393132333132333030
30305a30223120301e06035504030c174544484f43205265 30305a30223120301e06035504030c174544484f43205265
73706f6e6465722045643235353139302a300506032b6570 73706f6e6465722045643235353139302a300506032b6570
032100a1db47b95184854ad12a0c1a354e418aace33aa0f2 032100a1db47b95184854ad12a0c1a354e418aace33aa0f2
c662c00b3ac55de92f9359300506032b6570034100b723bc c662c00b3ac55de92f9359300506032b6570034100b723bc
01eab0928e8b2b6c98de19cc3823d46e7d6987b032478fec 01eab0928e8b2b6c98de19cc3823d46e7d6987b032478fec
faf14537a1af14cc8be829c6b73044101837eb4abc949565 faf14537a1af14cc8be829c6b73044101837eb4abc949565
d86dce51cfae52ab82c152cb02', d86dce51cfae52ab82c152cb02',
h'862a7e5ef147f9a5f4c512e1b6623cd66cd17a7272072bfe h'862a7e5ef147f9a5f4c512e1b6623cd66cd17a7272072bfe
5b602ffe307ee0e9' 5b602ffe307ee0e9'
] ]
Message to be signed 2 (CBOR Data Item) (341 bytes) Message to be signed in message_2 (CBOR Data Item) (341 bytes)
84 6a 53 69 67 6e 61 74 75 72 65 31 4e a1 18 22 82 2e 48 79 f2 a4 1b 84 6a 53 69 67 6e 61 74 75 72 65 31 4e a1 18 22 82 2e 48 79 f2 a4 1b
51 0c 1f 9b 59 01 15 58 20 c6 40 5c 15 4c 56 74 66 ab 1d f2 03 69 50 51 0c 1f 9b 59 01 15 58 20 c6 40 5c 15 4c 56 74 66 ab 1d f2 03 69 50
0e 54 0e 9f 14 bd 3a 79 6a 06 52 ca e6 6c 90 61 68 8d 58 f1 30 81 ee 0e 54 0e 9f 14 bd 3a 79 6a 06 52 ca e6 6c 90 61 68 8d 58 f1 30 81 ee
30 81 a1 a0 03 02 01 02 02 04 62 31 9e c4 30 05 06 03 2b 65 70 30 1d 30 81 a1 a0 03 02 01 02 02 04 62 31 9e c4 30 05 06 03 2b 65 70 30 1d
31 1b 30 19 06 03 55 04 03 0c 12 45 44 48 4f 43 20 52 6f 6f 74 20 45 31 1b 30 19 06 03 55 04 03 0c 12 45 44 48 4f 43 20 52 6f 6f 74 20 45
64 32 35 35 31 39 30 1e 17 0d 32 32 30 33 31 36 30 38 32 34 33 36 5a 64 32 35 35 31 39 30 1e 17 0d 32 32 30 33 31 36 30 38 32 34 33 36 5a
17 0d 32 39 31 32 33 31 32 33 30 30 30 30 5a 30 22 31 20 30 1e 06 03 17 0d 32 39 31 32 33 31 32 33 30 30 30 30 5a 30 22 31 20 30 1e 06 03
55 04 03 0c 17 45 44 48 4f 43 20 52 65 73 70 6f 6e 64 65 72 20 45 64 55 04 03 0c 17 45 44 48 4f 43 20 52 65 73 70 6f 6e 64 65 72 20 45 64
32 35 35 31 39 30 2a 30 05 06 03 2b 65 70 03 21 00 a1 db 47 b9 51 84 32 35 35 31 39 30 2a 30 05 06 03 2b 65 70 03 21 00 a1 db 47 b9 51 84
85 4a d1 2a 0c 1a 35 4e 41 8a ac e3 3a a0 f2 c6 62 c0 0b 3a c5 5d e9 85 4a d1 2a 0c 1a 35 4e 41 8a ac e3 3a a0 f2 c6 62 c0 0b 3a c5 5d e9
2f 93 59 30 05 06 03 2b 65 70 03 41 00 b7 23 bc 01 ea b0 92 8e 8b 2b 2f 93 59 30 05 06 03 2b 65 70 03 41 00 b7 23 bc 01 ea b0 92 8e 8b 2b
6c 98 de 19 cc 38 23 d4 6e 7d 69 87 b0 32 47 8f ec fa f1 45 37 a1 af 6c 98 de 19 cc 38 23 d4 6e 7d 69 87 b0 32 47 8f ec fa f1 45 37 a1 af
14 cc 8b e8 29 c6 b7 30 44 10 18 37 eb 4a bc 94 95 65 d8 6d ce 51 cf 14 cc 8b e8 29 c6 b7 30 44 10 18 37 eb 4a bc 94 95 65 d8 6d ce 51 cf
ae 52 ab 82 c1 52 cb 02 58 20 86 2a 7e 5e f1 47 f9 a5 f4 c5 12 e1 b6 ae 52 ab 82 c1 52 cb 02 58 20 86 2a 7e 5e f1 47 f9 a5 f4 c5 12 e1 b6
62 3c d6 6c d1 7a 72 72 07 2b fe 5b 60 2f fe 30 7e e0 e9 62 3c d6 6c d1 7a 72 72 07 2b fe 5b 60 2f fe 30 7e e0 e9
The Responder signs using the private authentication key SK_R The Responder signs using the private authentication key SK_R.
Signature_or_MAC_2 (Raw Value) (64 bytes) Signature_or_MAC_2 (Raw Value) (64 bytes)
c3 b5 bd 44 d1 e4 4a 08 5c 03 d3 ae de 4e 1e 6c 11 c5 72 a1 96 8c c3 c3 b5 bd 44 d1 e4 4a 08 5c 03 d3 ae de 4e 1e 6c 11 c5 72 a1 96 8c c3
62 9b 50 5f 98 c6 81 60 8d 3d 1d e7 93 d1 c4 0e b5 dd 5d 89 ac f1 96 62 9b 50 5f 98 c6 81 60 8d 3d 1d e7 93 d1 c4 0e b5 dd 5d 89 ac f1 96
6a ea 07 02 2b 48 cd c9 98 70 eb c4 03 74 e8 fa 6e 09 6a ea 07 02 2b 48 cd c9 98 70 eb c4 03 74 e8 fa 6e 09
Signature_or_MAC_2 (CBOR Data Item) (66 bytes) Signature_or_MAC_2 (CBOR Data Item) (66 bytes)
58 40 c3 b5 bd 44 d1 e4 4a 08 5c 03 d3 ae de 4e 1e 6c 11 c5 72 a1 96 58 40 c3 b5 bd 44 d1 e4 4a 08 5c 03 d3 ae de 4e 1e 6c 11 c5 72 a1 96
8c c3 62 9b 50 5f 98 c6 81 60 8d 3d 1d e7 93 d1 c4 0e b5 dd 5d 89 ac 8c c3 62 9b 50 5f 98 c6 81 60 8d 3d 1d e7 93 d1 c4 0e b5 dd 5d 89 ac
f1 96 6a ea 07 02 2b 48 cd c9 98 70 eb c4 03 74 e8 fa 6e 09 f1 96 6a ea 07 02 2b 48 cd c9 98 70 eb c4 03 74 e8 fa 6e 09
The Responder constructs PLAINTEXT_2: The Responder constructs PLAINTEXT_2:
PLAINTEXT_2 = PLAINTEXT_2 =
( (
C_R, C_R,
ID_CRED_R / bstr / -24..23, ID_CRED_R / bstr / -24..23,
Signature_or_MAC_2, Signature_or_MAC_2,
? EAD_2 ? EAD_2
) )
PLAINTEXT_2 (CBOR Sequence) (82 bytes) PLAINTEXT_2 (CBOR Sequence) (82 bytes)
41 18 a1 18 22 82 2e 48 79 f2 a4 1b 51 0c 1f 9b 58 40 c3 b5 bd 44 d1 41 18 a1 18 22 82 2e 48 79 f2 a4 1b 51 0c 1f 9b 58 40 c3 b5 bd 44 d1
e4 4a 08 5c 03 d3 ae de 4e 1e 6c 11 c5 72 a1 96 8c c3 62 9b 50 5f 98 e4 4a 08 5c 03 d3 ae de 4e 1e 6c 11 c5 72 a1 96 8c c3 62 9b 50 5f 98
c6 81 60 8d 3d 1d e7 93 d1 c4 0e b5 dd 5d 89 ac f1 96 6a ea 07 02 2b c6 81 60 8d 3d 1d e7 93 d1 c4 0e b5 dd 5d 89 ac f1 96 6a ea 07 02 2b
48 cd c9 98 70 eb c4 03 74 e8 fa 6e 09 48 cd c9 98 70 eb c4 03 74 e8 fa 6e 09
The input needed to calculate KEYSTREAM_2 is defined in Section 4.1.2 The input needed to calculate KEYSTREAM_2 is defined in Section 4.1.2
of [I-D.ietf-lake-edhoc], using EDHOC_Expand() with the EDHOC hash of [RFC9528], using EDHOC_Expand() with the EDHOC hash algorithm:
algorithm:
KEYSTREAM_2 = EDHOC_KDF( PRK_2e, 0, TH_2, plaintext_length ) = KEYSTREAM_2 = EDHOC_KDF( PRK_2e, 0, TH_2, plaintext_length )
= HKDF-Expand( PRK_2e, info, plaintext_length ) = HKDF-Expand( PRK_2e, info, plaintext_length )
where plaintext_length is the length in bytes of PLAINTEXT_2 in where plaintext_length is the length in bytes of PLAINTEXT_2 in bytes
bytes, and info for KEYSTREAM_2 is: and info for KEYSTREAM_2 is:
info = info =
( (
0, 0,
h'c6405c154c567466ab1df20369500e540e9f14bd3a796a06 h'c6405c154c567466ab1df20369500e540e9f14bd3a796a06
52cae66c9061688d', 52cae66c9061688d',
82 82
) )
where the last value is the length in bytes of PLAINTEXT_2. where the last value is the length in bytes of PLAINTEXT_2.
info for KEYSTREAM_2 (CBOR Sequence) (37 bytes) info for KEYSTREAM_2 (CBOR Sequence) (37 bytes)
00 58 20 c6 40 5c 15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 00 58 20 c6 40 5c 15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd
3a 79 6a 06 52 ca e6 6c 90 61 68 8d 18 52 3a 79 6a 06 52 ca e6 6c 90 61 68 8d 18 52
KEYSTREAM_2 (Raw Value) (82 bytes) KEYSTREAM_2 (Raw Value) (82 bytes)
fd 3e 7c 3f 2d 6b ee 64 3d 3c 9d 2f 28 47 03 5d 73 e2 ec b0 f8 db 5c fd 3e 7c 3f 2d 6b ee 64 3d 3c 9d 2f 28 47 03 5d 73 e2 ec b0 f8 db 5c
d1 c6 85 4e 24 89 6a f2 11 88 b2 c4 34 4e 68 9e c2 98 42 83 d9 fb c6 d1 c6 85 4e 24 89 6a f2 11 88 b2 c4 34 4e 68 9e c2 98 42 83 d9 fb c6
9c e1 c5 db 10 dc ff f2 4d f9 a4 9a 04 a9 40 58 27 7b c7 fa 9a d6 c6 9c e1 c5 db 10 dc ff f2 4d f9 a4 9a 04 a9 40 58 27 7b c7 fa 9a d6 c6
b1 94 ab 32 8b 44 5e b0 80 49 0c d7 86 b1 94 ab 32 8b 44 5e b0 80 49 0c d7 86
The Responder calculates CIPHERTEXT_2 as XOR between PLAINTEXT_2 and The Responder calculates CIPHERTEXT_2 as XOR between PLAINTEXT_2 and
KEYSTREAM_2: KEYSTREAM_2:
CIPHERTEXT_2 (Raw Value) (82 bytes) CIPHERTEXT_2 (Raw Value) (82 bytes)
bc 26 dd 27 0f e9 c0 2c 44 ce 39 34 79 4b 1c c6 2b a2 2f 05 45 9f 8d bc 26 dd 27 0f e9 c0 2c 44 ce 39 34 79 4b 1c c6 2b a2 2f 05 45 9f 8d
35 8c 8d 12 27 5a c4 2c 5f 96 de d5 f1 3c c9 08 4e 5b 20 18 89 a4 5e 35 8c 8d 12 27 5a c4 2c 5f 96 de d5 f1 3c c9 08 4e 5b 20 18 89 a4 5e
5a 60 a5 56 2d c1 18 61 9c 3d aa 2f d9 f4 c9 f4 d6 ed ad 10 9d d4 ed 5a 60 a5 56 2d c1 18 61 9c 3d aa 2f d9 f4 c9 f4 d6 ed ad 10 9d d4 ed
f9 59 62 aa fb af 9a b3 f4 a1 f6 b9 8f f9 59 62 aa fb af 9a b3 f4 a1 f6 b9 8f
The Responder constructs message_2: The Responder constructs message_2:
message_2 = message_2 =
( (
G_Y_CIPHERTEXT_2 G_Y_CIPHERTEXT_2
) )
where G_Y_CIPHERTEXT_2 is the bstr encoding of the concatenation of where G_Y_CIPHERTEXT_2 is the bstr encoding of the concatenation of
the raw values of G_Y and CIPHERTEXT_2. the raw values of G_Y and CIPHERTEXT_2.
message_2 (CBOR Sequence) (116 bytes) message_2 (CBOR Sequence) (116 bytes)
58 72 dc 88 d2 d5 1d a5 ed 67 fc 46 16 35 6b c8 ca 74 ef 9e be 8b 38 58 72 dc 88 d2 d5 1d a5 ed 67 fc 46 16 35 6b c8 ca 74 ef 9e be 8b 38
7e 62 3a 36 0b a4 80 b9 b2 9d 1c bc 26 dd 27 0f e9 c0 2c 44 ce 39 34 7e 62 3a 36 0b a4 80 b9 b2 9d 1c bc 26 dd 27 0f e9 c0 2c 44 ce 39 34
79 4b 1c c6 2b a2 2f 05 45 9f 8d 35 8c 8d 12 27 5a c4 2c 5f 96 de d5 79 4b 1c c6 2b a2 2f 05 45 9f 8d 35 8c 8d 12 27 5a c4 2c 5f 96 de d5
f1 3c c9 08 4e 5b 20 18 89 a4 5e 5a 60 a5 56 2d c1 18 61 9c 3d aa 2f f1 3c c9 08 4e 5b 20 18 89 a4 5e 5a 60 a5 56 2d c1 18 61 9c 3d aa 2f
d9 f4 c9 f4 d6 ed ad 10 9d d4 ed f9 59 62 aa fb af 9a b3 f4 a1 f6 b9 d9 f4 c9 f4 d6 ed ad 10 9d d4 ed f9 59 62 aa fb af 9a b3 f4 a1 f6 b9
8f 8f
2.3. message_3 2.3. message_3
Since METHOD = 0, the Initiator authenticates using signatures. Since METHOD = 0, the Initiator authenticates using signatures.
Since the selected cipher suite is 0, the EDHOC signature algorithm Since the selected cipher suite is 0, the EDHOC signature algorithm
is EdDSA. is EdDSA.
The Initiator's signature key pair using EdDSA: The Initiator's signature key pair uses EdDSA:
Initiator's private authentication key Initiator's private authentication key
SK_I (Raw Value) (32 bytes) SK_I (Raw Value) (32 bytes)
4c 5b 25 87 8f 50 7c 6b 9d ae 68 fb d4 fd 3f f9 97 53 3d b0 af 00 b2 4c 5b 25 87 8f 50 7c 6b 9d ae 68 fb d4 fd 3f f9 97 53 3d b0 af 00 b2
5d 32 4e a2 8e 6c 21 3b c8 5d 32 4e a2 8e 6c 21 3b c8
Initiator's public authentication key Initiator's public authentication key
PK_I (Raw Value) (32 bytes) PK_I (Raw Value) (32 bytes)
ed 06 a8 ae 61 a8 29 ba 5f a5 45 25 c9 d0 7f 48 dd 44 a3 02 f4 3e 0f ed 06 a8 ae 61 a8 29 ba 5f a5 45 25 c9 d0 7f 48 dd 44 a3 02 f4 3e 0f
23 d8 cc 20 b7 30 85 14 1e 23 d8 cc 20 b7 30 85 14 1e
PRK_4e3m is specified in Section 4.1.1.3 of [I-D.ietf-lake-edhoc]. PRK_4e3m is specified in Section 4.1.1.3 of [RFC9528].
Since the Initiator authenticates with signatures PRK_4e3m = Since the Initiator authenticates with signatures, PRK_4e3m =
PRK_3e2m. PRK_3e2m.
PRK_4e3m (Raw Value) (32 bytes) PRK_4e3m (Raw Value) (32 bytes)
d5 84 ac 2e 5d ad 5a 77 d1 4b 53 eb e7 2e f1 d5 da a8 86 0d 39 93 73 d5 84 ac 2e 5d ad 5a 77 d1 4b 53 eb e7 2e f1 d5 da a8 86 0d 39 93 73
bf 2c 24 0a fa 7b a8 04 da bf 2c 24 0a fa 7b a8 04 da
The transcript hash TH_3 is calculated using the EDHOC hash The transcript hash TH_3 is calculated using the EDHOC hash
algorithm: algorithm:
TH_3 = H(TH_2, PLAINTEXT_2, CRED_R) TH_3 = H( TH_2, PLAINTEXT_2, CRED_R )
Input to calculate TH_3 (CBOR Sequence) (359 bytes) Input to calculate TH_3 (CBOR Sequence) (359 bytes)
58 20 c6 40 5c 15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 3a 58 20 c6 40 5c 15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 3a
79 6a 06 52 ca e6 6c 90 61 68 8d 41 18 a1 18 22 82 2e 48 79 f2 a4 1b 79 6a 06 52 ca e6 6c 90 61 68 8d 41 18 a1 18 22 82 2e 48 79 f2 a4 1b
51 0c 1f 9b 58 40 c3 b5 bd 44 d1 e4 4a 08 5c 03 d3 ae de 4e 1e 6c 11 51 0c 1f 9b 58 40 c3 b5 bd 44 d1 e4 4a 08 5c 03 d3 ae de 4e 1e 6c 11
c5 72 a1 96 8c c3 62 9b 50 5f 98 c6 81 60 8d 3d 1d e7 93 d1 c4 0e b5 c5 72 a1 96 8c c3 62 9b 50 5f 98 c6 81 60 8d 3d 1d e7 93 d1 c4 0e b5
dd 5d 89 ac f1 96 6a ea 07 02 2b 48 cd c9 98 70 eb c4 03 74 e8 fa 6e dd 5d 89 ac f1 96 6a ea 07 02 2b 48 cd c9 98 70 eb c4 03 74 e8 fa 6e
09 58 f1 30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31 9e c4 30 05 06 09 58 f1 30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31 9e c4 30 05 06
03 2b 65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12 45 44 48 4f 43 20 03 2b 65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12 45 44 48 4f 43 20
52 6f 6f 74 20 45 64 32 35 35 31 39 30 1e 17 0d 32 32 30 33 31 36 30 52 6f 6f 74 20 45 64 32 35 35 31 39 30 1e 17 0d 32 32 30 33 31 36 30
skipping to change at page 16, line 15 skipping to change at line 697
MAC_3 = EDHOC_KDF( PRK_4e3m, 6, context_3, mac_length_3 ) MAC_3 = EDHOC_KDF( PRK_4e3m, 6, context_3, mac_length_3 )
where where
context_3 = << ID_CRED_I, TH_3, CRED_I, ? EAD_3 >> context_3 = << ID_CRED_I, TH_3, CRED_I, ? EAD_3 >>
CRED_I is identified by a 64-bit hash: CRED_I is identified by a 64-bit hash:
ID_CRED_I = ID_CRED_I =
{ {
34 : [-15, h'c24ab2fd7643c79f'] 34 : [-15, h'c24ab2fd7643c79f']
} }
where the COSE header value 34 ('x5t') indicates a hash of an X.509 where the COSE header value 34 ('x5t') indicates a hash of an X.509
certficate, and the COSE algorithm -15 indicates the hash algorithm certificate, and the COSE algorithm -15 indicates the hash algorithm
SHA-256 truncated to 64 bits. SHA-256 truncated to 64 bits.
ID_CRED_I (CBOR Data Item) (14 bytes) ID_CRED_I (CBOR Data Item) (14 bytes)
a1 18 22 82 2e 48 c2 4a b2 fd 76 43 c7 9f a1 18 22 82 2e 48 c2 4a b2 fd 76 43 c7 9f
CRED_I is a CBOR byte string of the DER encoding of the X.509 CRED_I is a CBOR byte string of the DER encoding of the X.509
certificate in Section 2.8.2: certificate in Section 2.8.2:
CRED_I (Raw Value) (241 bytes) CRED_I (Raw Value) (241 bytes)
30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31 9e a0 30 05 06 03 2b 65 30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31 9e a0 30 05 06 03 2b 65
skipping to change at page 17, line 41 skipping to change at line 773
33 31 36 30 38 32 34 30 30 5a 17 0d 32 39 31 32 33 31 32 33 30 30 30 33 31 36 30 38 32 34 30 30 5a 17 0d 32 39 31 32 33 31 32 33 30 30 30
30 5a 30 22 31 20 30 1e 06 03 55 04 03 0c 17 45 44 48 4f 43 20 49 6e 30 5a 30 22 31 20 30 1e 06 03 55 04 03 0c 17 45 44 48 4f 43 20 49 6e
69 74 69 61 74 6f 72 20 45 64 32 35 35 31 39 30 2a 30 05 06 03 2b 65 69 74 69 61 74 6f 72 20 45 64 32 35 35 31 39 30 2a 30 05 06 03 2b 65
70 03 21 00 ed 06 a8 ae 61 a8 29 ba 5f a5 45 25 c9 d0 7f 48 dd 44 a3 70 03 21 00 ed 06 a8 ae 61 a8 29 ba 5f a5 45 25 c9 d0 7f 48 dd 44 a3
02 f4 3e 0f 23 d8 cc 20 b7 30 85 14 1e 30 05 06 03 2b 65 70 03 41 00 02 f4 3e 0f 23 d8 cc 20 b7 30 85 14 1e 30 05 06 03 2b 65 70 03 41 00
52 12 41 d8 b3 a7 70 99 6b cf c9 b9 ea d4 e7 e0 a1 c0 db 35 3a 3b df 52 12 41 d8 b3 a7 70 99 6b cf c9 b9 ea d4 e7 e0 a1 c0 db 35 3a 3b df
29 10 b3 92 75 ae 48 b7 56 01 59 81 85 0d 27 db 67 34 e3 7f 67 21 22 29 10 b3 92 75 ae 48 b7 56 01 59 81 85 0d 27 db 67 34 e3 7f 67 21 22
67 dd 05 ee ff 27 b9 e7 a8 13 fa 57 4b 72 a0 0b 43 0b 67 dd 05 ee ff 27 b9 e7 a8 13 fa 57 4b 72 a0 0b 43 0b
MAC_3 is computed through EDHOC_Expand() using the EDHOC hash MAC_3 is computed through EDHOC_Expand() using the EDHOC hash
algorithm, see Section 4.1.2 of [I-D.ietf-lake-edhoc]: algorithm (see Section 4.1.2 of [RFC9528]):
MAC_3 = HKDF-Expand(PRK_4e3m, info, mac_length_3), where MAC_3 = HKDF-Expand( PRK_4e3m, info, mac_length_3 )
where
info = ( 6, context_3, mac_length_3 ) info = ( 6, context_3, mac_length_3 )
where context_3 = << ID_CRED_I, TH_3, CRED_I, ? EAD_3 >> where
context_3 = << ID_CRED_I, TH_3, CRED_I, ? EAD_3 >>
Since METHOD = 0, mac_length_3 is given by the EDHOC hash algorithm. Since METHOD = 0, mac_length_3 is given by the EDHOC hash algorithm.
info for MAC_3 is: info for MAC_3 is:
info = info =
( (
6, 6,
h'a11822822e48c24ab2fd7643c79f58205b7df9b4f58f240c h'a11822822e48c24ab2fd7643c79f58205b7df9b4f58f240c
e0418e48191b5fff3a22b5ca57f669b16777996592e928bc e0418e48191b5fff3a22b5ca57f669b16777996592e928bc
58f13081ee3081a1a003020102020462319ea0300506032b 58f13081ee3081a1a003020102020462319ea0300506032b
6570301d311b301906035504030c124544484f4320526f6f 6570301d311b301906035504030c124544484f4320526f6f
742045643235353139301e170d3232303331363038323430 742045643235353139301e170d3232303331363038323430
305a170d3239313233313233303030305a30223120301e06 305a170d3239313233313233303030305a30223120301e06
035504030c174544484f4320496e69746961746f72204564 035504030c174544484f4320496e69746961746f72204564
3235353139302a300506032b6570032100ed06a8ae61a829 3235353139302a300506032b6570032100ed06a8ae61a829
ba5fa54525c9d07f48dd44a302f43e0f23d8cc20b7308514 ba5fa54525c9d07f48dd44a302f43e0f23d8cc20b7308514
1e300506032b6570034100521241d8b3a770996bcfc9b9ea 1e300506032b6570034100521241d8b3a770996bcfc9b9ea
d4e7e0a1c0db353a3bdf2910b39275ae48b756015981850d d4e7e0a1c0db353a3bdf2910b39275ae48b756015981850d
27db6734e37f67212267dd05eeff27b9e7a813fa574b72a0 27db6734e37f67212267dd05eeff27b9e7a813fa574b72a0
0b430b', 0b430b',
32 32
) )
where the last value is the output size of the EDHOC hash algorithm where the last value is the output size of the EDHOC hash algorithm
in bytes. in bytes.
info for MAC_3 (CBOR Sequence) (297 bytes) info for MAC_3 (CBOR Sequence) (297 bytes)
06 59 01 23 a1 18 22 82 2e 48 c2 4a b2 fd 76 43 c7 9f 58 20 5b 7d f9 06 59 01 23 a1 18 22 82 2e 48 c2 4a b2 fd 76 43 c7 9f 58 20 5b 7d f9
b4 f5 8f 24 0c e0 41 8e 48 19 1b 5f ff 3a 22 b5 ca 57 f6 69 b1 67 77 b4 f5 8f 24 0c e0 41 8e 48 19 1b 5f ff 3a 22 b5 ca 57 f6 69 b1 67 77
99 65 92 e9 28 bc 58 f1 30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31 99 65 92 e9 28 bc 58 f1 30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31
9e a0 30 05 06 03 2b 65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12 45 9e a0 30 05 06 03 2b 65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12 45
skipping to change at page 18, line 46 skipping to change at line 830
65 70 03 21 00 ed 06 a8 ae 61 a8 29 ba 5f a5 45 25 c9 d0 7f 48 dd 44 65 70 03 21 00 ed 06 a8 ae 61 a8 29 ba 5f a5 45 25 c9 d0 7f 48 dd 44
a3 02 f4 3e 0f 23 d8 cc 20 b7 30 85 14 1e 30 05 06 03 2b 65 70 03 41 a3 02 f4 3e 0f 23 d8 cc 20 b7 30 85 14 1e 30 05 06 03 2b 65 70 03 41
00 52 12 41 d8 b3 a7 70 99 6b cf c9 b9 ea d4 e7 e0 a1 c0 db 35 3a 3b 00 52 12 41 d8 b3 a7 70 99 6b cf c9 b9 ea d4 e7 e0 a1 c0 db 35 3a 3b
df 29 10 b3 92 75 ae 48 b7 56 01 59 81 85 0d 27 db 67 34 e3 7f 67 21 df 29 10 b3 92 75 ae 48 b7 56 01 59 81 85 0d 27 db 67 34 e3 7f 67 21
22 67 dd 05 ee ff 27 b9 e7 a8 13 fa 57 4b 72 a0 0b 43 0b 18 20 22 67 dd 05 ee ff 27 b9 e7 a8 13 fa 57 4b 72 a0 0b 43 0b 18 20
MAC_3 (Raw Value) (32 bytes) MAC_3 (Raw Value) (32 bytes)
39 b1 27 c1 30 12 9a fa 30 61 8c 75 13 29 e6 37 cc 37 34 27 0d 4b 01 39 b1 27 c1 30 12 9a fa 30 61 8c 75 13 29 e6 37 cc 37 34 27 0d 4b 01
25 84 45 a8 ee 02 da a3 bd 25 84 45 a8 ee 02 da a3 bd
MAC_3 (CBOR Data Item) (34 bytes) MAC_3 (CBOR Data Item) (34 bytes)
58 20 39 b1 27 c1 30 12 9a fa 30 61 8c 75 13 29 e6 37 cc 37 34 27 0d 4b 58 20 39 b1 27 c1 30 12 9a fa 30 61 8c 75 13 29 e6 37 cc 37 34 27 0d
01 25 84 45 a8 ee 02 da a3 bd 4b 01 25 84 45 a8 ee 02 da a3 bd
Since METHOD = 0, Signature_or_MAC_3 is the 'signature' of the Since METHOD = 0, Signature_or_MAC_3 is the 'signature' of the
COSE_Sign1 object. COSE_Sign1 object.
The Initiator constructs the message to be signed: The Initiator constructs the message to be signed:
[ "Signature1", << ID_CRED_I >>, [
<< TH_3, CRED_I, ? EAD_3 >>, MAC_3 ] = "Signature1",
<< ID_CRED_I >>,
<< TH_3, CRED_I, ? EAD_3 >>,
MAC_3
] =
[ [
"Signature1", "Signature1",
h'a11822822e48c24ab2fd7643c79f', h'a11822822e48c24ab2fd7643c79f',
h'58205b7df9b4f58f240ce0418e48191b5fff3a22b5ca57f6 h'58205b7df9b4f58f240ce0418e48191b5fff3a22b5ca57f6
69b16777996592e928bc58f13081ee3081a1a00302010202 69b16777996592e928bc58f13081ee3081a1a00302010202
0462319ea0300506032b6570301d311b301906035504030c 0462319ea0300506032b6570301d311b301906035504030c
124544484f4320526f6f742045643235353139301e170d32 124544484f4320526f6f742045643235353139301e170d32
32303331363038323430305a170d32393132333132333030 32303331363038323430305a170d32393132333132333030
30305a30223120301e06035504030c174544484f4320496e 30305a30223120301e06035504030c174544484f4320496e
69746961746f722045643235353139302a300506032b6570 69746961746f722045643235353139302a300506032b6570
032100ed06a8ae61a829ba5fa54525c9d07f48dd44a302f4 032100ed06a8ae61a829ba5fa54525c9d07f48dd44a302f4
3e0f23d8cc20b73085141e300506032b6570034100521241 3e0f23d8cc20b73085141e300506032b6570034100521241
d8b3a770996bcfc9b9ead4e7e0a1c0db353a3bdf2910b392 d8b3a770996bcfc9b9ead4e7e0a1c0db353a3bdf2910b392
75ae48b756015981850d27db6734e37f67212267dd05eeff 75ae48b756015981850d27db6734e37f67212267dd05eeff
27b9e7a813fa574b72a00b430b', 27b9e7a813fa574b72a00b430b',
h'39b127c130129afa30618c751329e637cc3734270d4b0125 h'39b127c130129afa30618c751329e637cc3734270d4b0125
8445a8ee02daa3bd' 8445a8ee02daa3bd'
] ]
Message to be signed 3 (CBOR Data Item) (341 bytes) Message to be signed in message_3 (CBOR Data Item) (341 bytes)
84 6a 53 69 67 6e 61 74 75 72 65 31 4e a1 18 22 82 2e 48 c2 4a b2 fd 84 6a 53 69 67 6e 61 74 75 72 65 31 4e a1 18 22 82 2e 48 c2 4a b2 fd
76 43 c7 9f 59 01 15 58 20 5b 7d f9 b4 f5 8f 24 0c e0 41 8e 48 19 1b 76 43 c7 9f 59 01 15 58 20 5b 7d f9 b4 f5 8f 24 0c e0 41 8e 48 19 1b
5f ff 3a 22 b5 ca 57 f6 69 b1 67 77 99 65 92 e9 28 bc 58 f1 30 81 ee 5f ff 3a 22 b5 ca 57 f6 69 b1 67 77 99 65 92 e9 28 bc 58 f1 30 81 ee
30 81 a1 a0 03 02 01 02 02 04 62 31 9e a0 30 05 06 03 2b 65 70 30 1d 30 81 a1 a0 03 02 01 02 02 04 62 31 9e a0 30 05 06 03 2b 65 70 30 1d
31 1b 30 19 06 03 55 04 03 0c 12 45 44 48 4f 43 20 52 6f 6f 74 20 45 31 1b 30 19 06 03 55 04 03 0c 12 45 44 48 4f 43 20 52 6f 6f 74 20 45
64 32 35 35 31 39 30 1e 17 0d 32 32 30 33 31 36 30 38 32 34 30 30 5a 64 32 35 35 31 39 30 1e 17 0d 32 32 30 33 31 36 30 38 32 34 30 30 5a
17 0d 32 39 31 32 33 31 32 33 30 30 30 30 5a 30 22 31 20 30 1e 06 03 17 0d 32 39 31 32 33 31 32 33 30 30 30 30 5a 30 22 31 20 30 1e 06 03
55 04 03 0c 17 45 44 48 4f 43 20 49 6e 69 74 69 61 74 6f 72 20 45 64 55 04 03 0c 17 45 44 48 4f 43 20 49 6e 69 74 69 61 74 6f 72 20 45 64
32 35 35 31 39 30 2a 30 05 06 03 2b 65 70 03 21 00 ed 06 a8 ae 61 a8 32 35 35 31 39 30 2a 30 05 06 03 2b 65 70 03 21 00 ed 06 a8 ae 61 a8
29 ba 5f a5 45 25 c9 d0 7f 48 dd 44 a3 02 f4 3e 0f 23 d8 cc 20 b7 30 29 ba 5f a5 45 25 c9 d0 7f 48 dd 44 a3 02 f4 3e 0f 23 d8 cc 20 b7 30
skipping to change at page 20, line 4 skipping to change at line 888
59 81 85 0d 27 db 67 34 e3 7f 67 21 22 67 dd 05 ee ff 27 b9 e7 a8 13 59 81 85 0d 27 db 67 34 e3 7f 67 21 22 67 dd 05 ee ff 27 b9 e7 a8 13
fa 57 4b 72 a0 0b 43 0b 58 20 39 b1 27 c1 30 12 9a fa 30 61 8c 75 13 fa 57 4b 72 a0 0b 43 0b 58 20 39 b1 27 c1 30 12 9a fa 30 61 8c 75 13
29 e6 37 cc 37 34 27 0d 4b 01 25 84 45 a8 ee 02 da a3 bd 29 e6 37 cc 37 34 27 0d 4b 01 25 84 45 a8 ee 02 da a3 bd
The Initiator signs using the private authentication key SK_I: The Initiator signs using the private authentication key SK_I:
Signature_or_MAC_3 (Raw Value) (64 bytes) Signature_or_MAC_3 (Raw Value) (64 bytes)
96 e1 cd 5f ce ad fa c1 b5 af 81 94 43 f7 09 24 f5 71 99 55 95 7f d0 96 e1 cd 5f ce ad fa c1 b5 af 81 94 43 f7 09 24 f5 71 99 55 95 7f d0
26 55 be b4 77 5e 1a 73 18 6a 0d 1d 3e a6 83 f0 8f 8d 03 dc ec b9 cf 26 55 be b4 77 5e 1a 73 18 6a 0d 1d 3e a6 83 f0 8f 8d 03 dc ec b9 cf
15 4e 1c 6f 55 5a 1e 12 ca 11 8c e4 2b db a6 87 89 07 15 4e 1c 6f 55 5a 1e 12 ca 11 8c e4 2b db a6 87 89 07
Signature_or_MAC_3 (CBOR Data Item) (66 bytes) Signature_or_MAC_3 (CBOR Data Item) (66 bytes)
58 40 96 e1 cd 5f ce ad fa c1 b5 af 81 94 43 f7 09 24 f5 71 99 55 95 58 40 96 e1 cd 5f ce ad fa c1 b5 af 81 94 43 f7 09 24 f5 71 99 55 95
7f d0 26 55 be b4 77 5e 1a 73 18 6a 0d 1d 3e a6 83 f0 8f 8d 03 dc ec 7f d0 26 55 be b4 77 5e 1a 73 18 6a 0d 1d 3e a6 83 f0 8f 8d 03 dc ec
b9 cf 15 4e 1c 6f 55 5a 1e 12 ca 11 8c e4 2b db a6 87 89 07 b9 cf 15 4e 1c 6f 55 5a 1e 12 ca 11 8c e4 2b db a6 87 89 07
The Initiator constructs PLAINTEXT_3: The Initiator constructs PLAINTEXT_3:
PLAINTEXT_3 = PLAINTEXT_3 =
( (
ID_CRED_I / bstr / -24..23, ID_CRED_I / bstr / -24..23,
Signature_or_MAC_3, Signature_or_MAC_3,
? EAD_3 ? EAD_3
) )
PLAINTEXT_3 (CBOR Sequence) (80 bytes) PLAINTEXT_3 (CBOR Sequence) (80 bytes)
a1 18 22 82 2e 48 c2 4a b2 fd 76 43 c7 9f 58 40 96 e1 cd 5f ce ad fa a1 18 22 82 2e 48 c2 4a b2 fd 76 43 c7 9f 58 40 96 e1 cd 5f ce ad fa
c1 b5 af 81 94 43 f7 09 24 f5 71 99 55 95 7f d0 26 55 be b4 77 5e 1a c1 b5 af 81 94 43 f7 09 24 f5 71 99 55 95 7f d0 26 55 be b4 77 5e 1a
73 18 6a 0d 1d 3e a6 83 f0 8f 8d 03 dc ec b9 cf 15 4e 1c 6f 55 5a 1e 73 18 6a 0d 1d 3e a6 83 f0 8f 8d 03 dc ec b9 cf 15 4e 1c 6f 55 5a 1e
12 ca 11 8c e4 2b db a6 87 89 07 12 ca 11 8c e4 2b db a6 87 89 07
The Initiator constructs the associated data for message_3: The Initiator constructs the associated data for message_3:
A_3 = A_3 =
[ [
"Encrypt0", "Encrypt0",
h'', h'',
h'5b7df9b4f58f240ce0418e48191b5fff3a22b5ca57f669b1 h'5b7df9b4f58f240ce0418e48191b5fff3a22b5ca57f669b1
6777996592e928bc' 6777996592e928bc'
] ]
A_3 (CBOR Data Item) (45 bytes) A_3 (CBOR Data Item) (45 bytes)
83 68 45 6e 63 72 79 70 74 30 40 58 20 5b 7d f9 b4 f5 8f 24 0c e0 41 83 68 45 6e 63 72 79 70 74 30 40 58 20 5b 7d f9 b4 f5 8f 24 0c e0 41
8e 48 19 1b 5f ff 3a 22 b5 ca 57 f6 69 b1 67 77 99 65 92 e9 28 bc 8e 48 19 1b 5f ff 3a 22 b5 ca 57 f6 69 b1 67 77 99 65 92 e9 28 bc
The Initiator constructs the input needed to derive the key K_3, see The Initiator constructs the input needed to derive the key K_3 (see
Section 4.1.2 of [I-D.ietf-lake-edhoc], using the EDHOC hash Section 4.1.2 of [RFC9528]) using the EDHOC hash algorithm:
algorithm:
K_3 = EDHOC_KDF( PRK_3e2m, 3, TH_3, key_length ) K_3 = EDHOC_KDF( PRK_3e2m, 3, TH_3, key_length )
= HKDF-Expand( PRK_3e2m, info, key_length ), = HKDF-Expand( PRK_3e2m, info, key_length )
where key_length is the key length in bytes for the EDHOC AEAD where key_length is the key length in bytes for the EDHOC
algorithm, and info for K_3 is: Authenticated Encryption with Associated Data (AEAD) algorithm, and
info for K_3 is:
info = info =
( (
3, 3,
h'5b7df9b4f58f240ce0418e48191b5fff3a22b5ca57f669b1 h'5b7df9b4f58f240ce0418e48191b5fff3a22b5ca57f669b1
6777996592e928bc', 6777996592e928bc',
16 16
) )
where the last value is the key length in bytes for the EDHOC AEAD where the last value is the key length in bytes for the EDHOC AEAD
algorithm. algorithm.
info for K_3 (CBOR Sequence) (36 bytes) info for K_3 (CBOR Sequence) (36 bytes)
03 58 20 5b 7d f9 b4 f5 8f 24 0c e0 41 8e 48 19 1b 5f ff 3a 22 b5 ca 03 58 20 5b 7d f9 b4 f5 8f 24 0c e0 41 8e 48 19 1b 5f ff 3a 22 b5 ca
57 f6 69 b1 67 77 99 65 92 e9 28 bc 10 57 f6 69 b1 67 77 99 65 92 e9 28 bc 10
K_3 (Raw Value) (16 bytes) K_3 (Raw Value) (16 bytes)
da 19 5e 5f 64 8a c6 3b 0e 8f b0 c4 55 20 51 39 da 19 5e 5f 64 8a c6 3b 0e 8f b0 c4 55 20 51 39
The Initiator constructs the input needed to derive the nonce IV_3, The Initiator constructs the input needed to derive the nonce IV_3
see Section 4.1.2 of [I-D.ietf-lake-edhoc], using the EDHOC hash (see Section 4.1.2 of [RFC9528]) using the EDHOC hash algorithm:
algorithm:
IV_3 = EDHOC_KDF( PRK_3e2m, 4, TH_3, iv_length ) IV_3 = EDHOC_KDF( PRK_3e2m, 4, TH_3, iv_length )
= HKDF-Expand( PRK_3e2m, info, iv_length ), = HKDF-Expand( PRK_3e2m, info, iv_length )
where iv_length is the nonce length in bytes for the EDHOC AEAD where iv_length is the nonce length in bytes for the EDHOC AEAD
algorithm, and info for IV_3 is: algorithm, and info for IV_3 is:
info = info =
( (
4, 4,
h'5b7df9b4f58f240ce0418e48191b5fff3a22b5ca57f669b1 h'5b7df9b4f58f240ce0418e48191b5fff3a22b5ca57f669b1
6777996592e928bc', 6777996592e928bc',
13 13
) )
where the last value is the nonce length in bytes for the EDHOC AEAD where the last value is the nonce length in bytes for the EDHOC AEAD
algorithm. algorithm.
info for IV_3 (CBOR Sequence) (36 bytes) info for IV_3 (CBOR Sequence) (36 bytes)
04 58 20 5b 7d f9 b4 f5 8f 24 0c e0 41 8e 48 19 1b 5f ff 3a 22 b5 ca 04 58 20 5b 7d f9 b4 f5 8f 24 0c e0 41 8e 48 19 1b 5f ff 3a 22 b5 ca
57 f6 69 b1 67 77 99 65 92 e9 28 bc 0d 57 f6 69 b1 67 77 99 65 92 e9 28 bc 0d
IV_3 (Raw Value) (13 bytes) IV_3 (Raw Value) (13 bytes)
skipping to change at page 22, line 4 skipping to change at line 977
where the last value is the nonce length in bytes for the EDHOC AEAD where the last value is the nonce length in bytes for the EDHOC AEAD
algorithm. algorithm.
info for IV_3 (CBOR Sequence) (36 bytes) info for IV_3 (CBOR Sequence) (36 bytes)
04 58 20 5b 7d f9 b4 f5 8f 24 0c e0 41 8e 48 19 1b 5f ff 3a 22 b5 ca 04 58 20 5b 7d f9 b4 f5 8f 24 0c e0 41 8e 48 19 1b 5f ff 3a 22 b5 ca
57 f6 69 b1 67 77 99 65 92 e9 28 bc 0d 57 f6 69 b1 67 77 99 65 92 e9 28 bc 0d
IV_3 (Raw Value) (13 bytes) IV_3 (Raw Value) (13 bytes)
38 d8 c6 4c 56 25 5a ff a4 49 f4 be d7 38 d8 c6 4c 56 25 5a ff a4 49 f4 be d7
The Initiator calculates CIPHERTEXT_3 as 'ciphertext' of The Initiator calculates CIPHERTEXT_3 as 'ciphertext' of
COSE_Encrypt0 applied using the EDHOC AEAD algorithm with plaintext COSE_Encrypt0 applied using the EDHOC AEAD algorithm with plaintext
PLAINTEXT_3, additional data A_3, key K_3 and nonce IV_3. PLAINTEXT_3, additional data A_3, key K_3, and nonce IV_3.
CIPHERTEXT_3 (Raw Value) (88 bytes) CIPHERTEXT_3 (Raw Value) (88 bytes)
25 c3 45 88 4a aa eb 22 c5 27 f9 b1 d2 b6 78 72 07 e0 16 3c 69 b6 2a 25 c3 45 88 4a aa eb 22 c5 27 f9 b1 d2 b6 78 72 07 e0 16 3c 69 b6 2a
0d 43 92 81 50 42 72 03 c3 16 74 e4 51 4e a6 e3 83 b5 66 eb 29 76 3e 0d 43 92 81 50 42 72 03 c3 16 74 e4 51 4e a6 e3 83 b5 66 eb 29 76 3e
fe b0 af a5 18 77 6a e1 c6 5f 85 6d 84 bf 32 af 3a 78 36 97 04 66 dc fe b0 af a5 18 77 6a e1 c6 5f 85 6d 84 bf 32 af 3a 78 36 97 04 66 dc
b7 1f 76 74 5d 39 d3 02 5e 77 03 e0 c0 32 eb ad 51 94 7c b7 1f 76 74 5d 39 d3 02 5e 77 03 e0 c0 32 eb ad 51 94 7c
message_3 is the CBOR bstr encoding of CIPHERTEXT_3: message_3 is the CBOR bstr encoding of CIPHERTEXT_3:
message_3 (CBOR Sequence) (90 bytes) message_3 (CBOR Sequence) (90 bytes)
skipping to change at page 23, line 15 skipping to change at line 1037
2.4. message_4 2.4. message_4
No external authorization data: No external authorization data:
EAD_4 (CBOR Sequence) (0 bytes) EAD_4 (CBOR Sequence) (0 bytes)
The Responder constructs PLAINTEXT_4: The Responder constructs PLAINTEXT_4:
PLAINTEXT_4 = PLAINTEXT_4 =
( (
? EAD_4 ? EAD_4
) )
PLAINTEXT_4 (CBOR Sequence) (0 bytes) PLAINTEXT_4 (CBOR Sequence) (0 bytes)
The Responder constructs the associated data for message_4: The Responder constructs the associated data for message_4:
A_4 = A_4 =
[ [
"Encrypt0", "Encrypt0",
h'', h'',
h'0eb868f263cf3555dccd396dd8dec29d3750d599be42d5a4 h'0eb868f263cf3555dccd396dd8dec29d3750d599be42d5a4
1a5a37c896f294ac' 1a5a37c896f294ac'
] ]
A_4 (CBOR Data Item) (45 bytes) A_4 (CBOR Data Item) (45 bytes)
83 68 45 6e 63 72 79 70 74 30 40 58 20 0e b8 68 f2 63 cf 35 55 dc cd 83 68 45 6e 63 72 79 70 74 30 40 58 20 0e b8 68 f2 63 cf 35 55 dc cd
39 6d d8 de c2 9d 37 50 d5 99 be 42 d5 a4 1a 5a 37 c8 96 f2 94 ac 39 6d d8 de c2 9d 37 50 d5 99 be 42 d5 a4 1a 5a 37 c8 96 f2 94 ac
The Responder constructs the input needed to derive the EDHOC The Responder constructs the input needed to derive the EDHOC
message_4 key, see Section 4.1.2 of [I-D.ietf-lake-edhoc], using the message_4 key (see Section 4.1.2 of [RFC9528]) using the EDHOC hash
EDHOC hash algorithm: algorithm:
K_4 = EDHOC_KDF( PRK_4e3m, 8, TH_4, key_length ) K_4 = EDHOC_KDF( PRK_4e3m, 8, TH_4, key_length )
= HKDF-Expand( PRK_4x3m, info, key_length ) = HKDF-Expand( PRK_4e3m, info, key_length )
where key_length is the key length in bytes for the EDHOC AEAD where key_length is the key length in bytes for the EDHOC AEAD
algorithm, and info for K_4 is: algorithm, and info for K_4 is:
info = info =
( (
8, 8,
h'0eb868f263cf3555dccd396dd8dec29d3750d599be42d5a4 h'0eb868f263cf3555dccd396dd8dec29d3750d599be42d5a4
1a5a37c896f294ac', 1a5a37c896f294ac',
16 16
) )
where the last value is the key length in bytes for the EDHOC AEAD where the last value is the key length in bytes for the EDHOC AEAD
algorithm. algorithm.
info for K_4 (CBOR Sequence) (36 bytes) info for K_4 (CBOR Sequence) (36 bytes)
08 58 20 0e b8 68 f2 63 cf 35 55 dc cd 39 6d d8 de c2 9d 37 50 d5 99 08 58 20 0e b8 68 f2 63 cf 35 55 dc cd 39 6d d8 de c2 9d 37 50 d5 99
be 42 d5 a4 1a 5a 37 c8 96 f2 94 ac 10 be 42 d5 a4 1a 5a 37 c8 96 f2 94 ac 10
K_4 (Raw Value) (16 bytes) K_4 (Raw Value) (16 bytes)
df 8c b5 86 1e 1f df ed d3 b2 30 15 a3 9d 1e 2e df 8c b5 86 1e 1f df ed d3 b2 30 15 a3 9d 1e 2e
The Responder constructs the input needed to derive the EDHOC The Responder constructs the input needed to derive the EDHOC
message_4 nonce, see Section 4.1.2 of [I-D.ietf-lake-edhoc], using message_4 nonce (see Section 4.1.2 of [RFC9528]) using the EDHOC hash
the EDHOC hash algorithm: algorithm:
IV_4 = EDHOC_KDF( PRK_4e3m, 9, TH_4, iv_length ) IV_4 = EDHOC_KDF( PRK_4e3m, 9, TH_4, iv_length )
= HKDF-Expand( PRK_4x3m, info, iv_length ) = HKDF-Expand( PRK_4e3m, info, iv_length )
where length is the nonce length in bytes for the EDHOC AEAD where length is the nonce length in bytes for the EDHOC AEAD
algorithm, and info for IV_4 is: algorithm, and info for IV_4 is:
info = info =
( (
9, 9,
h'0eb868f263cf3555dccd396dd8dec29d3750d599be42d5a4 h'0eb868f263cf3555dccd396dd8dec29d3750d599be42d5a4
1a5a37c896f294ac', 1a5a37c896f294ac',
13 13
) )
where the last value is the nonce length in bytes for the EDHOC AEAD where the last value is the nonce length in bytes for the EDHOC AEAD
algorithm. algorithm.
info for IV_4 (CBOR Sequence) (36 bytes) info for IV_4 (CBOR Sequence) (36 bytes)
09 58 20 0e b8 68 f2 63 cf 35 55 dc cd 39 6d d8 de c2 9d 37 50 d5 99 09 58 20 0e b8 68 f2 63 cf 35 55 dc cd 39 6d d8 de c2 9d 37 50 d5 99
be 42 d5 a4 1a 5a 37 c8 96 f2 94 ac 0d be 42 d5 a4 1a 5a 37 c8 96 f2 94 ac 0d
IV_4 (Raw Value) (13 bytes) IV_4 (Raw Value) (13 bytes)
12 8e c6 58 d9 70 d7 38 0f 74 fc 6c 27 12 8e c6 58 d9 70 d7 38 0f 74 fc 6c 27
The Responder calculates CIPHERTEXT_4 as 'ciphertext' of The Responder calculates CIPHERTEXT_4 as 'ciphertext' of
COSE_Encrypt0 applied using the EDHOC AEAD algorithm with plaintext COSE_Encrypt0 applied using the EDHOC AEAD algorithm with plaintext
PLAINTEXT_4, additional data A_4, key K_4 and nonce IV_4. PLAINTEXT_4, additional data A_4, key K_4, and nonce IV_4.
CIPHERTEXT_4 (8 bytes) CIPHERTEXT_4 (8 bytes)
4f 0e de e3 66 e5 c8 83 4f 0e de e3 66 e5 c8 83
message_4 is the CBOR bstr encoding of CIPHERTEXT_4: message_4 is the CBOR bstr encoding of CIPHERTEXT_4:
message_4 (CBOR Sequence) (9 bytes) message_4 (CBOR Sequence) (9 bytes)
48 4f 0e de e3 66 e5 c8 83 48 4f 0e de e3 66 e5 c8 83
2.5. PRK_out and PRK_exporter 2.5. PRK_out and PRK_exporter
PRK_out is specified in Section 4.1.3 of [I-D.ietf-lake-edhoc]. PRK_out is specified in Section 4.1.3 of [RFC9528].
PRK_out = EDHOC_KDF( PRK_4e3m, 7, TH_4, hash_length ) = PRK_out = EDHOC_KDF( PRK_4e3m, 7, TH_4, hash_length )
= HKDF-Expand( PRK_4e3m, info, hash_length ) = HKDF-Expand( PRK_4e3m, info, hash_length )
where hash_length is the length in bytes of the output of the EDHOC where hash_length is the length in bytes of the output of the EDHOC
hash algorithm, and info for PRK_out is: hash algorithm, and info for PRK_out is:
info = info =
( (
7, 7,
h'0eb868f263cf3555dccd396dd8dec29d3750d599be42d5a4 h'0eb868f263cf3555dccd396dd8dec29d3750d599be42d5a4
1a5a37c896f294ac', 1a5a37c896f294ac',
32 32
) )
where the last value is the length in bytes of the output of the where the last value is the length in bytes of the output of the
EDHOC hash algorithm. EDHOC hash algorithm.
info for PRK_out (CBOR Sequence) (37 bytes) info for PRK_out (CBOR Sequence) (37 bytes)
07 58 20 0e b8 68 f2 63 cf 35 55 dc cd 39 6d d8 de c2 9d 37 50 d5 99 07 58 20 0e b8 68 f2 63 cf 35 55 dc cd 39 6d d8 de c2 9d 37 50 d5 99
be 42 d5 a4 1a 5a 37 c8 96 f2 94 ac 18 20 be 42 d5 a4 1a 5a 37 c8 96 f2 94 ac 18 20
PRK_out (Raw Value) (32 bytes) PRK_out (Raw Value) (32 bytes)
b7 44 cb 7d 8a 87 cc 04 47 c3 35 0e 16 5b 25 0d ab 12 ec 45 33 25 ab b7 44 cb 7d 8a 87 cc 04 47 c3 35 0e 16 5b 25 0d ab 12 ec 45 33 25 ab
b9 22 b3 03 07 e5 c3 68 f0 b9 22 b3 03 07 e5 c3 68 f0
The OSCORE Master Secret and OSCORE Master Salt are derived with the The Object Security for Constrained RESTful Environments (OSCORE)
EDHOC_Exporter as specified in Section 4.2.1 of Master Secret and OSCORE Master Salt are derived with the
[I-D.ietf-lake-edhoc]. EDHOC_Exporter as specified in Section 4.2.1 of [RFC9528].
EDHOC_Exporter( label, context, length ) EDHOC_Exporter( exporter_label, context, length )
= EDHOC_KDF( PRK_exporter, label, context, length ) = EDHOC_KDF( PRK_exporter, exporter_label, context, length )
where PRK_exporter is derived from PRK_out: where PRK_exporter is derived from PRK_out:
PRK_exporter = EDHOC_KDF( PRK_out, 10, h'', hash_length ) = PRK_exporter = EDHOC_KDF( PRK_out, 10, h'', hash_length )
= HKDF-Expand( PRK_out, info, hash_length ) = HKDF-Expand( PRK_out, info, hash_length )
where hash_length is the length in bytes of the output of the EDHOC where hash_length is the length in bytes of the output of the EDHOC
hash algorithm, and info for the PRK_exporter is: hash algorithm, and info for the PRK_exporter is:
info = info =
( (
10, 10,
h'', h'',
32 32
) )
where the last value is the length in bytes of the output of the where the last value is the length in bytes of the output of the
EDHOC hash algorithm. EDHOC hash algorithm.
info for PRK_exporter (CBOR Sequence) (4 bytes) info for PRK_exporter (CBOR Sequence) (4 bytes)
0a 40 18 20 0a 40 18 20
PRK_exporter (Raw Value) (32 bytes) PRK_exporter (Raw Value) (32 bytes)
2a ae c8 fc 4a b3 bc 32 95 de f6 b5 51 05 1a 2f a5 61 42 4d b3 01 fa 2a ae c8 fc 4a b3 bc 32 95 de f6 b5 51 05 1a 2f a5 61 42 4d b3 01 fa
84 f6 42 f5 57 8a 6d f5 1a 84 f6 42 f5 57 8a 6d f5 1a
2.6. OSCORE Parameters 2.6. OSCORE Parameters
The derivation of OSCORE parameters is specified in Appendix A.1 of The derivation of OSCORE parameters is specified in Appendix A.1 of
[I-D.ietf-lake-edhoc]. [RFC9528].
The AEAD and Hash algorithms to use in OSCORE are given by the The AEAD and hash algorithms to use in OSCORE are given by the
selected cipher suite: selected cipher suite:
Application AEAD Algorithm (int) Application AEAD Algorithm (int)
10 10
Application Hash Algorithm (int) Application Hash Algorithm (int)
-16 -16
The mapping from EDHOC connection identifiers to OSCORE Sender/ The mapping from EDHOC connection identifiers to OSCORE Sender/
Recipient IDs is defined in Section 3.3.3 of [I-D.ietf-lake-edhoc]. Recipient IDs is defined in Section 3.3.3 of [RFC9528].
C_R is mapped to the Recipient ID of the server, i.e., the Sender ID C_R is mapped to the Recipient ID of the server, i.e., the Sender ID
of the client. The byte string 0x18, which as C_R is encoded as the of the client. The byte string 0x18, which as C_R is encoded as the
CBOR byte string 0x4118, is converted to the server Recipient ID CBOR byte string 0x4118, is converted to the server Recipient ID
0x18. 0x18.
Client's OSCORE Sender ID (Raw Value) (1 byte) Client's OSCORE Sender ID (Raw Value) (1 byte)
18 18
C_I is mapped to the Recipient ID of the client, i.e., the Sender ID C_I is mapped to the Recipient ID of the client, i.e., the Sender ID
of the server. The byte string 0x2d, which as C_I is encoded as the of the server. The byte string 0x2d, which as C_I is encoded as the
CBOR integer 0x2d is converted to the client Recipient ID 0x2d. CBOR integer 0x2d, is converted to the client Recipient ID 0x2d.
Server's OSCORE Sender ID (Raw Value) (1 byte) Server's OSCORE Sender ID (Raw Value) (1 byte)
2d 2d
The OSCORE Master Secret is computed through EDHOC_Expand() using the The OSCORE Master Secret is computed through EDHOC_Expand() using the
Application hash algorithm, see Appendix A.1 of application hash algorithm (see Appendix A.1 of [RFC9528]):
[I-D.ietf-lake-edhoc]:
OSCORE Master Secret = EDHOC_Exporter( 0, h'', oscore_key_length ) OSCORE Master Secret = EDHOC_Exporter( 0, h'', oscore_key_length )
= EDHOC_KDF( PRK_exporter, 0, h'', oscore_key_length ) = EDHOC_KDF( PRK_exporter, 0, h'', oscore_key_length )
= HKDF-Expand( PRK_exporter, info, oscore_key_length ) = HKDF-Expand( PRK_exporter, info, oscore_key_length )
where oscore_key_length is by default the key length in bytes for the where oscore_key_length is the key length in bytes for the
Application AEAD algorithm, and info for the OSCORE Master Secret is: application AEAD algorithm by default, and info for the OSCORE Master
Secret is:
info = info =
( (
0, 0,
h'', h'',
16 16
) )
where the last value is the key length in bytes for the Application where the last value is the key length in bytes for the application
AEAD algorithm. AEAD algorithm.
info for OSCORE Master Secret (CBOR Sequence) (3 bytes) info for OSCORE Master Secret (CBOR Sequence) (3 bytes)
00 40 10 00 40 10
OSCORE Master Secret (Raw Value) (16 bytes) OSCORE Master Secret (Raw Value) (16 bytes)
1e 1c 6b ea c3 a8 a1 ca c4 35 de 7e 2f 9a e7 ff 1e 1c 6b ea c3 a8 a1 ca c4 35 de 7e 2f 9a e7 ff
The OSCORE Master Salt is computed through EDHOC_Expand() using the The OSCORE Master Salt is computed through EDHOC_Expand() using the
Application hash algorithm, see Section 4.2 of [I-D.ietf-lake-edhoc]: application hash algorithm (see Section 4.2 of [RFC9528]):
OSCORE Master Salt = EDHOC_Exporter( 1, h'', oscore_salt_length ) OSCORE Master Salt = EDHOC_Exporter( 1, h'', oscore_salt_length )
= EDHOC_KDF( PRK_exporter, 1, h'', oscore_salt_length ) = EDHOC_KDF( PRK_exporter, 1, h'', oscore_salt_length )
= HKDF-Expand( PRK_4x3m, info, oscore_salt_length ) = HKDF-Expand( PRK_exporter, info, oscore_salt_length )
where oscore_salt_length is the length in bytes of the OSCORE Master where oscore_salt_length is the length in bytes of the OSCORE Master
Salt, and info for the OSCORE Master Salt is: Salt, and info for the OSCORE Master Salt is:
info = info =
( (
1, 1,
h'', h'',
8 8
) )
where the last value is the length in bytes of the OSCORE Master where the last value is the length in bytes of the OSCORE Master
Salt. Salt.
info for OSCORE Master Salt (CBOR Sequence) (3 bytes) info for OSCORE Master Salt (CBOR Sequence) (3 bytes)
01 40 08 01 40 08
OSCORE Master Salt (Raw Value) (8 bytes) OSCORE Master Salt (Raw Value) (8 bytes)
ce 7a b8 44 c0 10 6d 73 ce 7a b8 44 c0 10 6d 73
2.7. Key Update 2.7. Key Update
Key update is defined in Appendix H of [I-D.ietf-lake-edhoc]. Key update is defined in Appendix H of [RFC9528].
EDHOC_KeyUpdate( context ): EDHOC_KeyUpdate( context ):
PRK_out = EDHOC_KDF( PRK_out, 11, context, hash_length ) PRK_out = EDHOC_KDF( PRK_out, 11, context, hash_length )
= HKDF-Expand( PRK_out, info, hash_length ) = HKDF-Expand( PRK_out, info, hash_length )
where hash_length is the length in bytes of the output of the EDHOC where hash_length is the length in bytes of the output of the EDHOC
hash function, and context for KeyUpdate is hash function, and the context for KeyUpdate is:
context for KeyUpdate (Raw Value) (16 bytes) context for KeyUpdate (Raw Value) (16 bytes)
d6 be 16 96 02 b8 bc ea a0 11 58 fd b8 20 89 0c d6 be 16 96 02 b8 bc ea a0 11 58 fd b8 20 89 0c
context for KeyUpdate (CBOR Data Item) (17 bytes) context for KeyUpdate (CBOR Data Item) (17 bytes)
50 d6 be 16 96 02 b8 bc ea a0 11 58 fd b8 20 89 0c 50 d6 be 16 96 02 b8 bc ea a0 11 58 fd b8 20 89 0c
and where info for key update is: where info for KeyUpdate is:
info = info =
( (
11, 11,
h'd6be169602b8bceaa01158fdb820890c', h'd6be169602b8bceaa01158fdb820890c',
32 32
) )
info for KeyUpdate (CBOR Sequence) (20 bytes)
0b 50 d6 be 16 96 02 b8 bc ea a0 11 58 fd b8 20 89 0c 18 20
PRK_out after KeyUpdate (Raw Value) (32 bytes) PRK_out after KeyUpdate (Raw Value) (32 bytes)
da 6e ac d9 a9 85 f4 fb a9 ae c2 a9 29 90 22 97 6b 25 b1 4e 89 fa 15 da 6e ac d9 a9 85 f4 fb a9 ae c2 a9 29 90 22 97 6b 25 b1 4e 89 fa 15
97 94 f2 8d 82 fa f2 da ad 97 94 f2 8d 82 fa f2 da ad
After key update, the PRK_exporter needs to be derived anew: After the key update, the PRK_exporter needs to be derived anew:
PRK_exporter = EDHOC_KDF( PRK_out, 10, h'', hash_length ) = PRK_exporter = EDHOC_KDF( PRK_out, 10, h'', hash_length )
= HKDF-Expand( PRK_out, info, hash_length ) = HKDF-Expand( PRK_out, info, hash_length )
where info and hash_length are unchanged as in Section 2.5. where info and hash_length are unchanged as in Section 2.5.
PRK_exporter after KeyUpdate (Raw Value) (32 bytes) PRK_exporter after KeyUpdate (Raw Value) (32 bytes)
00 14 d2 52 5e e0 d8 e2 13 ea 59 08 02 8e 9a 1c e9 a0 1c 30 54 6f 09 00 14 d2 52 5e e0 d8 e2 13 ea 59 08 02 8e 9a 1c e9 a0 1c 30 54 6f 09
30 c0 44 d3 8d b5 36 2c 05 30 c0 44 d3 8d b5 36 2c 05
The OSCORE Master Secret is derived with the updated PRK_exporter: The OSCORE Master Secret is derived with the updated PRK_exporter:
OSCORE Master Secret = OSCORE Master Secret
= HKDF-Expand(PRK_exporter, info, oscore_key_length) = HKDF-Expand( PRK_exporter, info, oscore_key_length )
where info and key_length are unchanged as in Section 2.6. where info and oscore_key_length are unchanged as in Section 2.6.
OSCORE Master Secret after KeyUpdate (Raw Value) (16 bytes) OSCORE Master Secret after KeyUpdate (Raw Value) (16 bytes)
ee 0f f5 42 c4 7e b0 e0 9c 69 30 76 49 bd bb e5 ee 0f f5 42 c4 7e b0 e0 9c 69 30 76 49 bd bb e5
The OSCORE Master Salt is derived with the updated PRK_exporter: The OSCORE Master Salt is derived with the updated PRK_exporter:
OSCORE Master Salt = HKDF-Expand(PRK_exporter, info, salt_length) OSCORE Master Salt = HKDF-Expand( PRK_exporter, info, oscore_salt_length )
where info and salt_length are unchanged as in Section 2.6. where info and oscore_salt_length are unchanged as in Section 2.6.
OSCORE Master Salt after KeyUpdate (Raw Value) (8 bytes) OSCORE Master Salt after KeyUpdate (Raw Value) (8 bytes)
80 ce de 2a 1e 5a ab 48 80 ce de 2a 1e 5a ab 48
2.8. Certificates 2.8. Certificates
2.8.1. Responder Certificate 2.8.1. Responder Certificate
Version: 3 (0x2) Version: 3 (0x2)
Serial Number: 1647419076 (0x62319ec4) Serial Number: 1647419076 (0x62319ec4)
skipping to change at page 31, line 33 skipping to change at line 1414
CA:TRUE CA:TRUE
Signature Algorithm: ED25519 Signature Algorithm: ED25519
Signature Value: Signature Value:
4b b5 2b bf 15 39 b7 1a 4a af 42 97 78 f2 9e da 7e 81 4b b5 2b bf 15 39 b7 1a 4a af 42 97 78 f2 9e da 7e 81
46 80 69 8f 16 c4 8f 2a 6f a4 db e8 25 41 c5 82 07 ba 46 80 69 8f 16 c4 8f 2a 6f a4 db e8 25 41 c5 82 07 ba
1b c9 cd b0 c2 fa 94 7f fb f0 f0 ec 0e e9 1a 7f f3 7a 1b c9 cd b0 c2 fa 94 7f fb f0 f0 ec 0e e9 1a 7f f3 7a
94 d9 25 1f a5 cd f1 e6 7a 0f 94 d9 25 1f a5 cd f1 e6 7a 0f
3. Authentication with Static DH, CCS Identified by 'kid' 3. Authentication with Static DH, CCS Identified by 'kid'
In this example the Initiator and the Responder are authenticated In this example, the Initiator and the Responder are authenticated
with ephemeral-static Diffie-Hellman (METHOD = 3). The Initiator with ephemeral-static Diffie-Hellman (METHOD = 3). The Initiator
supports cipher suites 6 and 2 (in order of preference) and the supports cipher suites 6 and 2 (in order of preference), and the
Responder only supports cipher suite 2. After an initial negotiation Responder only supports cipher suite 2. After an initial negotiation
message exchange, cipher suite 2 is used, which determines the message exchange, cipher suite 2 is used, which determines the
algorithms: algorithms:
* EDHOC AEAD algorithm = AES-CCM-16-64-128 * EDHOC AEAD algorithm = AES-CCM-16-64-128
* EDHOC hash algorithm = SHA-256 * EDHOC hash algorithm = SHA-256
* EDHOC MAC length in bytes (Static DH) = 8 * EDHOC MAC length in bytes (Static DH) = 8
* EDHOC key exchange algorithm (ECDH curve) = P-256 * EDHOC key exchange algorithm (ECDH curve) = P-256
* EDHOC signature algorithm = ES256 * EDHOC signature algorithm = ES256
* Application AEAD algorithm = AES-CCM-16-64-128 * application AEAD algorithm = AES-CCM-16-64-128
* Application hash algorithm = SHA-256
The public keys are represented as raw public keys (RPK), encoded in * application hash algorithm = SHA-256
The public keys are represented as raw public keys (RPKs), encoded in
a CWT Claims Set (CCS) and identified by the COSE header parameter a CWT Claims Set (CCS) and identified by the COSE header parameter
'kid'. 'kid'.
3.1. message_1 (first time) 3.1. message_1 (First Time)
Both endpoints are authenticated with static DH, i.e., METHOD = 3: Both endpoints are authenticated with static DH, i.e., METHOD = 3:
METHOD (CBOR Data Item) (1 byte) METHOD (CBOR Data Item) (1 byte)
03 03
The Initiator selects its preferred cipher suite 6. A single cipher The Initiator selects its preferred cipher suite 6. A single cipher
suite is encoded as an int: suite is encoded as an int:
SUITES_I (CBOR Data Item) (1 byte) SUITES_I (CBOR Data Item) (1 byte)
skipping to change at page 32, line 42 skipping to change at line 1471
G_X (Raw Value) (32 bytes) G_X (Raw Value) (32 bytes)
74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea 5b 3d 8f 65 f3 26 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea 5b 3d 8f 65 f3 26
20 b7 49 be e8 d2 78 ef a9 20 b7 49 be e8 d2 78 ef a9
Initiator's ephemeral public key, 'x'-coordinate Initiator's ephemeral public key, 'x'-coordinate
G_X (CBOR Data Item) (34 bytes) G_X (CBOR Data Item) (34 bytes)
58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea 5b 3d 8f 65 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea 5b 3d 8f 65
f3 26 20 b7 49 be e8 d2 78 ef a9 f3 26 20 b7 49 be e8 d2 78 ef a9
The Initiator selects its connection identifier C_I to be the byte The Initiator selects its connection identifier C_I to be the byte
string 0x0e, which since it is represented by the 1-byte CBOR int 14 string 0x0e, which is encoded as 0x0e since it is represented by the
is encoded as 0x0e: 1-byte CBOR int 14:
Connection identifier chosen by Initiator Connection identifier chosen by the Initiator
C_I (Raw Value) (1 byte) C_I (Raw Value) (1 byte)
0e 0e
Connection identifier chosen by Initiator Connection identifier chosen by the Initiator
C_I (CBOR Data Item) (1 byte) C_I (CBOR Data Item) (1 byte)
0e 0e
No external authorization data: No external authorization data:
EAD_1 (CBOR Sequence) (0 bytes) EAD_1 (CBOR Sequence) (0 bytes)
The Initiator constructs message_1: The Initiator constructs message_1:
message_1 = message_1 =
( (
3, 3,
6, 6,
h'741a13d7ba048fbb615e94386aa3b61bea5b3d8f65f32620 h'741a13d7ba048fbb615e94386aa3b61bea5b3d8f65f32620
b749bee8d278efa9', b749bee8d278efa9',
14 14
) )
message_1 (CBOR Sequence) (37 bytes) message_1 (CBOR Sequence) (37 bytes)
03 06 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea 5b 3d 03 06 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea 5b 3d
8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 0e 8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 0e
3.2. error 3.2. error
The Responder does not support cipher suite 6 and sends an error with The Responder does not support cipher suite 6 and sends an error with
ERR_CODE 2 containing SUITES_R as ERR_INFO. The Responder proposes ERR_CODE 2 containing SUITES_R as ERR_INFO. The Responder proposes
cipher suite 2, a single cipher suite thus encoded as an int. cipher suite 2, a single cipher suite thus encoded as an int.
SUITES_R SUITES_R
02 02
error (CBOR Sequence) (2 bytes) error (CBOR Sequence) (2 bytes)
02 02 02 02
3.3. message_1 (second time) 3.3. message_1 (Second Time)
Same steps are performed as for message_1 the first time, Same steps are performed as for message_1 the first time
Section 3.1, but with updated SUITES_I. (Section 3.1) but with SUITES_I updated.
Both endpoints are authenticated with static DH, i.e., METHOD = 3: Both endpoints are authenticated with static DH, i.e., METHOD = 3:
METHOD (CBOR Data Item) (1 byte) METHOD (CBOR Data Item) (1 byte)
03 03
The Initiator selects cipher suite 2 and indicates the more preferred The Initiator selects cipher suite 2 and indicates the more preferred
cipher suite(s), in this case 6, all encoded as the array [6, 2]: cipher suite(s), in this case 6, all encoded as the array [6, 2]:
SUITES_I (CBOR Data Item) (3 bytes) SUITES_I (CBOR Data Item) (3 bytes)
skipping to change at page 34, line 28 skipping to change at line 1553
(Raw Value) (32 bytes) (Raw Value) (32 bytes)
51 e8 af 6c 6e db 78 16 01 ad 1d 9c 5f a8 bf 7a a1 57 16 c7 c0 6a 5d 51 e8 af 6c 6e db 78 16 01 ad 1d 9c 5f a8 bf 7a a1 57 16 c7 c0 6a 5d
03 85 03 c6 14 ff 80 c9 b3 03 85 03 c6 14 ff 80 c9 b3
Initiator's ephemeral public key, 'x'-coordinate Initiator's ephemeral public key, 'x'-coordinate
G_X (CBOR Data Item) (34 bytes) G_X (CBOR Data Item) (34 bytes)
58 20 8a f6 f4 30 eb e1 8d 34 18 40 17 a9 a1 1b f5 11 c8 df f8 f8 34 58 20 8a f6 f4 30 eb e1 8d 34 18 40 17 a9 a1 1b f5 11 c8 df f8 f8 34
73 0b 96 c1 b7 c8 db ca 2f c3 b6 73 0b 96 c1 b7 c8 db ca 2f c3 b6
The Initiator selects its connection identifier C_I to be the byte The Initiator selects its connection identifier C_I to be the byte
string 0x37, which since it is represented by the 1-byte CBOR int -24 string 0x37, which is encoded as 0x37 since it is represented by the
is encoded as 0x37: 1-byte CBOR int -24:
Connection identifier chosen by Initiator Connection identifier chosen by the Initiator
C_I (Raw Value) (1 byte) C_I (Raw Value) (1 byte)
37 37
Connection identifier chosen by Initiator Connection identifier chosen by the Initiator
C_I (CBOR Data Item) (1 byte) C_I (CBOR Data Item) (1 byte)
37 37
No external authorization data: No external authorization data:
EAD_1 (CBOR Sequence) (0 bytes) EAD_1 (CBOR Sequence) (0 bytes)
The Initiator constructs message_1: The Initiator constructs message_1:
message_1 = message_1 =
( (
3, 3,
[6, 2], [6, 2],
h'8af6f430ebe18d34184017a9a11bf511c8dff8f834730b96 h'8af6f430ebe18d34184017a9a11bf511c8dff8f834730b96
c1b7c8dbca2fc3b6', c1b7c8dbca2fc3b6',
-24 -24
) )
message_1 (CBOR Sequence) (39 bytes) message_1 (CBOR Sequence) (39 bytes)
03 82 06 02 58 20 8a f6 f4 30 eb e1 8d 34 18 40 17 a9 a1 1b f5 11 c8 03 82 06 02 58 20 8a f6 f4 30 eb e1 8d 34 18 40 17 a9 a1 1b f5 11 c8
df f8 f8 34 73 0b 96 c1 b7 c8 db ca 2f c3 b6 37 df f8 f8 34 73 0b 96 c1 b7 c8 db ca 2f c3 b6 37
3.4. message_2 3.4. message_2
The Responder supports the selected cipher suite 2 and not the by the The Responder supports the selected cipher suite 2 and not the
Initiator more preferred cipher suite(s) 6, so SUITES_I is Initiator's more preferred cipher suite(s) 6, so SUITES_I is
acceptable. acceptable.
The Responder creates an ephemeral key pair for use with the EDHOC The Responder creates an ephemeral key pair for use with the EDHOC
key exchange algorithm: key exchange algorithm:
Responder's ephemeral private key Responder's ephemeral private key
Y (Raw Value) (32 bytes) Y (Raw Value) (32 bytes)
e2 f4 12 67 77 20 5e 85 3b 43 7d 6e ac a1 e1 f7 53 cd cc 3e 2c 69 fa e2 f4 12 67 77 20 5e 85 3b 43 7d 6e ac a1 e1 f7 53 cd cc 3e 2c 69 fa
88 4b 0a 1a 64 09 77 e4 18 88 4b 0a 1a 64 09 77 e4 18
skipping to change at page 35, line 48 skipping to change at line 1613
(Raw Value) (32 bytes) (Raw Value) (32 bytes)
5e 4f 0d d8 a3 da 0b aa 16 b9 d3 ad 56 a0 c1 86 0a 94 0a f8 59 14 91 5e 4f 0d d8 a3 da 0b aa 16 b9 d3 ad 56 a0 c1 86 0a 94 0a f8 59 14 91
5e 25 01 9b 40 24 17 e9 9d 5e 25 01 9b 40 24 17 e9 9d
Responder's ephemeral public key, 'x'-coordinate Responder's ephemeral public key, 'x'-coordinate
G_Y (CBOR Data Item) (34 bytes) G_Y (CBOR Data Item) (34 bytes)
58 20 41 97 01 d7 f0 0a 26 c2 dc 58 7a 36 dd 75 25 49 f3 37 63 c8 93 58 20 41 97 01 d7 f0 0a 26 c2 dc 58 7a 36 dd 75 25 49 f3 37 63 c8 93
42 2c 8e a0 f9 55 a1 3a 4f f5 d5 42 2c 8e a0 f9 55 a1 3a 4f f5 d5
The Responder selects its connection identifier C_R to be the byte The Responder selects its connection identifier C_R to be the byte
string 0x27, which since it is represented by the 1-byte CBOR int -8 string 0x27, which is encoded as 0x27 since it is represented by the
is encoded as 0x27: 1-byte CBOR int -8:
Connection identifier chosen by Responder Connection identifier chosen by the Responder
C_R (raw value) (1 byte) C_R (raw value) (1 byte)
27 27
Connection identifier chosen by Responder Connection identifier chosen by the Responder
C_R (CBOR Data Item) (1 byte) C_R (CBOR Data Item) (1 byte)
27 27
The transcript hash TH_2 is calculated using the EDHOC hash The transcript hash TH_2 is calculated using the EDHOC hash
algorithm: algorithm:
TH_2 = H( G_Y, H(message_1) ) TH_2 = H( G_Y, H(message_1) )
H(message_1) (Raw Value) (32 bytes) H(message_1) (Raw Value) (32 bytes)
ca 02 ca bd a5 a8 90 27 49 b4 2f 71 10 50 bb 4d bd 52 15 3e 87 52 75 ca 02 ca bd a5 a8 90 27 49 b4 2f 71 10 50 bb 4d bd 52 15 3e 87 52 75
skipping to change at page 36, line 43 skipping to change at line 1654
2f 71 10 50 bb 4d bd 52 15 3e 87 52 75 94 b3 9f 50 cd f0 19 88 8c 2f 71 10 50 bb 4d bd 52 15 3e 87 52 75 94 b3 9f 50 cd f0 19 88 8c
TH_2 (Raw Value) (32 bytes) TH_2 (Raw Value) (32 bytes)
35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 3f f4 c6 b1 6e 57 02 8f f3 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 3f f4 c6 b1 6e 57 02 8f f3
9d 52 36 c1 82 b2 02 08 4b 9d 52 36 c1 82 b2 02 08 4b
TH_2 (CBOR Data Item) (34 bytes) TH_2 (CBOR Data Item) (34 bytes)
58 20 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 3f f4 c6 b1 6e 57 02 58 20 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 3f f4 c6 b1 6e 57 02
8f f3 9d 52 36 c1 82 b2 02 08 4b 8f f3 9d 52 36 c1 82 b2 02 08 4b
PRK_2e is specified in Section 4.1.1.1 of [I-D.ietf-lake-edhoc]. PRK_2e is specified in Section 4.1.1.1 of [RFC9528].
First, the ECDH shared secret G_XY is computed from G_X and Y, or G_Y First, the ECDH shared secret G_XY is computed from G_X and Y or G_Y
and X: and X:
G_XY (Raw Value) (ECDH shared secret) (32 bytes) G_XY (Raw Value) (ECDH shared secret) (32 bytes)
2f 0c b7 e8 60 ba 53 8f bf 5c 8b de d0 09 f6 25 9b 4b 62 8f e1 eb 7d 2f 0c b7 e8 60 ba 53 8f bf 5c 8b de d0 09 f6 25 9b 4b 62 8f e1 eb 7d
be 93 78 e5 ec f7 a8 24 ba be 93 78 e5 ec f7 a8 24 ba
Then, PRK_2e is calculated using EDHOC_Extract() determined by the
EDHOC hash algorithm:
PRK_2e = EDHOC_Extract( salt, G_XY ) = Then, PRK_2e is calculated using EDHOC_Extract(), which is determined
by the EDHOC hash algorithm:
PRK_2e = EDHOC_Extract( salt, G_XY )
= HMAC-SHA-256( salt, G_XY ) = HMAC-SHA-256( salt, G_XY )
where salt is TH_2: where salt is TH_2:
salt (Raw Value) (32 bytes) salt (Raw Value) (32 bytes)
35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 3f f4 c6 b1 6e 57 02 8f f3 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 3f f4 c6 b1 6e 57 02 8f f3
9d 52 36 c1 82 b2 02 08 4b 9d 52 36 c1 82 b2 02 08 4b
PRK_2e (Raw Value) (32 bytes) PRK_2e (Raw Value) (32 bytes)
5a a0 d6 9f 3e 3d 1e 0c 47 9f 0b 8a 48 66 90 c9 80 26 30 c3 46 6b 1d 5a a0 d6 9f 3e 3d 1e 0c 47 9f 0b 8a 48 66 90 c9 80 26 30 c3 46 6b 1d
c9 23 71 c9 82 56 31 70 b5 c9 23 71 c9 82 56 31 70 b5
Since METHOD = 3, the Responder authenticates using static DH. The Since METHOD = 3, the Responder authenticates using static DH. The
EDHOC key exchange algorithm is based on the same curve as for the EDHOC key exchange algorithm is based on the same curve as for the
ephemeral keys, which is P-256, since the selected cipher suite is 2. ephemeral keys, which is P-256, since the selected cipher suite is 2.
The Responder's static Diffie-Hellman P-256 key pair: The Responder's static Diffie-Hellman P-256 key pair consists of a
private key and a public key.
Responder's private authentication key Responder's private authentication key
SK_R (Raw Value) (32 bytes) SK_R (Raw Value) (32 bytes)
72 cc 47 61 db d4 c7 8f 75 89 31 aa 58 9d 34 8d 1e f8 74 a7 e3 03 ed 72 cc 47 61 db d4 c7 8f 75 89 31 aa 58 9d 34 8d 1e f8 74 a7 e3 03 ed
e2 f1 40 dc f3 e6 aa 4a ac e2 f1 40 dc f3 e6 aa 4a ac
Responder's public authentication key, 'x'-coordinate Responder's public authentication key, 'x'-coordinate
(Raw Value) (32 bytes) (Raw Value) (32 bytes)
bb c3 49 60 52 6e a4 d3 2e 94 0c ad 2a 23 41 48 dd c2 17 91 a1 2a fb bb c3 49 60 52 6e a4 d3 2e 94 0c ad 2a 23 41 48 dd c2 17 91 a1 2a fb
cb ac 93 62 20 46 dd 44 f0 cb ac 93 62 20 46 dd 44 f0
Responder's public authentication key, 'y'-coordinate Responder's public authentication key, 'y'-coordinate
(Raw Value) (32 bytes) (Raw Value) (32 bytes)
45 19 e2 57 23 6b 2a 0c e2 02 3f 09 31 f1 f3 86 ca 7a fd a6 4f cd e0 45 19 e2 57 23 6b 2a 0c e2 02 3f 09 31 f1 f3 86 ca 7a fd a6 4f cd e0
10 8c 22 4c 51 ea bf 60 72 10 8c 22 4c 51 ea bf 60 72
Since the Responder authenticates with static DH (METHOD = 3), Since the Responder authenticates with static DH (METHOD = 3),
PRK_3e2m is derived from SALT_3e2m and G_RX. PRK_3e2m is derived from SALT_3e2m and G_RX.
The input needed to calculate SALT_3e2m is defined in Section 4.1.2 The input needed to calculate SALT_3e2m is defined in Section 4.1.2
of [I-D.ietf-lake-edhoc], using EDHOC_Expand() with the EDHOC hash of [RFC9528], using EDHOC_Expand() with the EDHOC hash algorithm:
algorithm:
SALT_3e2m = EDHOC_KDF( PRK_2e, 1, TH_2, hash_length ) = SALT_3e2m = EDHOC_KDF( PRK_2e, 1, TH_2, hash_length )
= HKDF-Expand( PRK_2e, info, hash_length ) = HKDF-Expand( PRK_2e, info, hash_length )
where hash_length is the length in bytes of the output of the EDHOC where hash_length is the length in bytes of the output of the EDHOC
hash algorithm, and info for SALT_3e2m is: hash algorithm, and info for SALT_3e2m is:
info = info =
( (
1, 1,
h'356efd53771425e008f3fe3a86c83ff4c6b16e57028ff39d h'356efd53771425e008f3fe3a86c83ff4c6b16e57028ff39d
5236c182b202084b', 5236c182b202084b',
32 32
) )
info for SALT_3e2m (CBOR Sequence) (37 bytes) info for SALT_3e2m (CBOR Sequence) (37 bytes)
01 58 20 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 3f f4 c6 b1 6e 57 01 58 20 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 3f f4 c6 b1 6e 57
02 8f f3 9d 52 36 c1 82 b2 02 08 4b 18 20 02 8f f3 9d 52 36 c1 82 b2 02 08 4b 18 20
SALT_3e2m (Raw Value) (32 bytes) SALT_3e2m (Raw Value) (32 bytes)
af 4e 10 3a 47 cb 3c f3 25 70 d5 c2 5a d2 77 32 bd 8d 81 78 e9 a6 9d af 4e 10 3a 47 cb 3c f3 25 70 d5 c2 5a d2 77 32 bd 8d 81 78 e9 a6 9d
06 1c 31 a2 7f 8e 3c a9 26 06 1c 31 a2 7f 8e 3c a9 26
PRK_3e2m is specified in Section 4.1.1.2 of [I-D.ietf-lake-edhoc]. PRK_3e2m is specified in Section 4.1.1.2 of [RFC9528].
PRK_3e2m is derived from G_RX using EDHOC_Extract() with the EDHOC PRK_3e2m is derived from G_RX using EDHOC_Extract() with the EDHOC
hash algorithm: hash algorithm:
PRK_3e2m = EDHOC_Extract( SALT_3e2m, G_RX ) = PRK_3e2m = EDHOC_Extract( SALT_3e2m, G_RX )
= HMAC-SHA-256( SALT_3e2m, G_RX ) = HMAC-SHA-256( SALT_3e2m, G_RX )
where G_RX is the ECDH shared secret calculated from G_X and R, or where G_RX is the ECDH shared secret calculated from G_X and R, or
G_R and X. G_R and X.
G_RX (Raw Value) (ECDH shared secret) (32 bytes) G_RX (Raw Value) (ECDH shared secret) (32 bytes)
f2 b6 ee a0 22 20 b9 5e ee 5a 0b c7 01 f0 74 e0 0a 84 3e a0 24 22 f6 f2 b6 ee a0 22 20 b9 5e ee 5a 0b c7 01 f0 74 e0 0a 84 3e a0 24 22 f6
08 25 fb 26 9b 3e 16 14 23 08 25 fb 26 9b 3e 16 14 23
PRK_3e2m (Raw Value) (32 bytes) PRK_3e2m (Raw Value) (32 bytes)
skipping to change at page 39, line 7 skipping to change at line 1759
MAC_2: MAC_2:
MAC_2 = EDHOC_KDF( PRK_3e2m, 2, context_2, mac_length_2 ) MAC_2 = EDHOC_KDF( PRK_3e2m, 2, context_2, mac_length_2 )
context_2 = << C_R, ID_CRED_R, TH_2, CRED_R, ? EAD_2 >> context_2 = << C_R, ID_CRED_R, TH_2, CRED_R, ? EAD_2 >>
CRED_R is identified by a 'kid' with byte string value 0x32: CRED_R is identified by a 'kid' with byte string value 0x32:
ID_CRED_R = ID_CRED_R =
{ {
4 : h'32' 4 : h'32'
} }
ID_CRED_R (CBOR Data Item) (4 bytes) ID_CRED_R (CBOR Data Item) (4 bytes)
a1 04 41 32 a1 04 41 32
CRED_R is an RPK encoded as a CCS: CRED_R is an RPK encoded as a CCS:
{ /CCS/ { /CCS/
2 : "example.edu", /sub/ 2 : "example.edu", /sub/
8 : { /cnf/ 8 : { /cnf/
1 : { /COSE_Key/ 1 : { /COSE_Key/
1 : 2, /kty/ 1 : 2, /kty/
2 : h'32', /kid/ 2 : h'32', /kid/
-1 : 1, /crv/ -1 : 1, /crv/
-2 : h'BBC34960526EA4D32E940CAD2A234148 -2 : h'bbc34960526ea4d32e940cad2a234148
DDC21791A12AFBCBAC93622046DD44F0', /x/ ddc21791a12afbcbac93622046dd44f0', /x/
-3 : h'4519E257236B2A0CE2023F0931F1F386 -3 : h'4519e257236b2a0ce2023f0931f1f386
CA7AFDA64FCDE0108C224C51EABF6072' /y/ ca7afda64fcde0108c224c51eabf6072' /y/
} }
} }
} }
CRED_R (CBOR Data Item) (95 bytes) CRED_R (CBOR Data Item) (95 bytes)
a2 02 6b 65 78 61 6d 70 6c 65 2e 65 64 75 08 a1 01 a5 01 02 02 41 32 a2 02 6b 65 78 61 6d 70 6c 65 2e 65 64 75 08 a1 01 a5 01 02 02 41 32
20 01 21 58 20 bb c3 49 60 52 6e a4 d3 2e 94 0c ad 2a 23 41 48 dd c2 20 01 21 58 20 bb c3 49 60 52 6e a4 d3 2e 94 0c ad 2a 23 41 48 dd c2
17 91 a1 2a fb cb ac 93 62 20 46 dd 44 f0 22 58 20 45 19 e2 57 23 6b 17 91 a1 2a fb cb ac 93 62 20 46 dd 44 f0 22 58 20 45 19 e2 57 23 6b
2a 0c e2 02 3f 09 31 f1 f3 86 ca 7a fd a6 4f cd e0 10 8c 22 4c 51 ea 2a 0c e2 02 3f 09 31 f1 f3 86 ca 7a fd a6 4f cd e0 10 8c 22 4c 51 ea
bf 60 72 bf 60 72
skipping to change at page 40, line 4 skipping to change at line 1802
context_2 = << C_R, ID_CRED_R, TH_2, CRED_R, ? EAD_2 >> context_2 = << C_R, ID_CRED_R, TH_2, CRED_R, ? EAD_2 >>
context_2 (CBOR Sequence) (134 bytes) context_2 (CBOR Sequence) (134 bytes)
27 a1 04 41 32 58 20 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 3f f4 27 a1 04 41 32 58 20 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 3f f4
c6 b1 6e 57 02 8f f3 9d 52 36 c1 82 b2 02 08 4b a2 02 6b 65 78 61 6d c6 b1 6e 57 02 8f f3 9d 52 36 c1 82 b2 02 08 4b a2 02 6b 65 78 61 6d
70 6c 65 2e 65 64 75 08 a1 01 a5 01 02 02 41 32 20 01 21 58 20 bb c3 70 6c 65 2e 65 64 75 08 a1 01 a5 01 02 02 41 32 20 01 21 58 20 bb c3
49 60 52 6e a4 d3 2e 94 0c ad 2a 23 41 48 dd c2 17 91 a1 2a fb cb ac 49 60 52 6e a4 d3 2e 94 0c ad 2a 23 41 48 dd c2 17 91 a1 2a fb cb ac
93 62 20 46 dd 44 f0 22 58 20 45 19 e2 57 23 6b 2a 0c e2 02 3f 09 31 93 62 20 46 dd 44 f0 22 58 20 45 19 e2 57 23 6b 2a 0c e2 02 3f 09 31
f1 f3 86 ca 7a fd a6 4f cd e0 10 8c 22 4c 51 ea bf 60 72 f1 f3 86 ca 7a fd a6 4f cd e0 10 8c 22 4c 51 ea bf 60 72
context_2 (CBOR byte string) (136 bytes) context_2 (CBOR byte string) (136 bytes)
58 86 27 a1 04 41 32 58 20 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 58 86 27 a1 04 41 32 58 20 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8
3f f4 c6 b1 6e 57 02 8f f3 9d 52 36 c1 82 b2 02 08 4b a2 02 6b 65 78 3f f4 c6 b1 6e 57 02 8f f3 9d 52 36 c1 82 b2 02 08 4b a2 02 6b 65 78
61 6d 70 6c 65 2e 65 64 75 08 a1 01 a5 01 02 02 41 32 20 01 21 58 20 61 6d 70 6c 65 2e 65 64 75 08 a1 01 a5 01 02 02 41 32 20 01 21 58 20
bb c3 49 60 52 6e a4 d3 2e 94 0c ad 2a 23 41 48 dd c2 17 91 a1 2a fb bb c3 49 60 52 6e a4 d3 2e 94 0c ad 2a 23 41 48 dd c2 17 91 a1 2a fb
cb ac 93 62 20 46 dd 44 f0 22 58 20 45 19 e2 57 23 6b 2a 0c e2 02 3f cb ac 93 62 20 46 dd 44 f0 22 58 20 45 19 e2 57 23 6b 2a 0c e2 02 3f
09 31 f1 f3 86 ca 7a fd a6 4f cd e0 10 8c 22 4c 51 ea bf 60 72 09 31 f1 f3 86 ca 7a fd a6 4f cd e0 10 8c 22 4c 51 ea bf 60 72
MAC_2 is computed through EDHOC_Expand() using the EDHOC hash MAC_2 is computed through EDHOC_Expand() using the EDHOC hash
algorithm, see Section 4.1.2 of [I-D.ietf-lake-edhoc]: algorithm (see Section 4.1.2 of [RFC9528]):
MAC_2 = HKDF-Expand(PRK_3e2m, info, mac_length_2), where MAC_2 = HKDF-Expand( PRK_3e2m, info, mac_length_2 )
where
info = ( 2, context_2, mac_length_2 ) info = ( 2, context_2, mac_length_2 )
Since METHOD = 3, mac_length_2 is given by the EDHOC MAC length. Since METHOD = 3, mac_length_2 is given by the EDHOC MAC length.
info for MAC_2 is: info for MAC_2 is:
info = info =
( (
2, 2,
h'27a10441325820356efd53771425e008f3fe3a86c83ff4c6 h'27a10441325820356efd53771425e008f3fe3a86c83ff4c6
b16e57028ff39d5236c182b202084ba2026b6578616d706c b16e57028ff39d5236c182b202084ba2026b6578616d706c
652e65647508a101a501020241322001215820bbc3496052 652e65647508a101a501020241322001215820bbc3496052
6ea4d32e940cad2a234148ddc21791a12afbcbac93622046 6ea4d32e940cad2a234148ddc21791a12afbcbac93622046
dd44f02258204519e257236b2a0ce2023f0931f1f386ca7a dd44f02258204519e257236b2a0ce2023f0931f1f386ca7a
fda64fcde0108c224c51eabf6072', fda64fcde0108c224c51eabf6072',
8 8
) )
where the last value is the EDHOC MAC length in bytes. where the last value is the EDHOC MAC length in bytes.
info for MAC_2 (CBOR Sequence) (138 bytes) info for MAC_2 (CBOR Sequence) (138 bytes)
02 58 86 27 a1 04 41 32 58 20 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 02 58 86 27 a1 04 41 32 58 20 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86
c8 3f f4 c6 b1 6e 57 02 8f f3 9d 52 36 c1 82 b2 02 08 4b a2 02 6b 65 c8 3f f4 c6 b1 6e 57 02 8f f3 9d 52 36 c1 82 b2 02 08 4b a2 02 6b 65
78 61 6d 70 6c 65 2e 65 64 75 08 a1 01 a5 01 02 02 41 32 20 01 21 58 78 61 6d 70 6c 65 2e 65 64 75 08 a1 01 a5 01 02 02 41 32 20 01 21 58
20 bb c3 49 60 52 6e a4 d3 2e 94 0c ad 2a 23 41 48 dd c2 17 91 a1 2a 20 bb c3 49 60 52 6e a4 d3 2e 94 0c ad 2a 23 41 48 dd c2 17 91 a1 2a
fb cb ac 93 62 20 46 dd 44 f0 22 58 20 45 19 e2 57 23 6b 2a 0c e2 02 fb cb ac 93 62 20 46 dd 44 f0 22 58 20 45 19 e2 57 23 6b 2a 0c e2 02
skipping to change at page 41, line 15 skipping to change at line 1864
Signature_or_MAC_2 (Raw Value) (8 bytes) Signature_or_MAC_2 (Raw Value) (8 bytes)
09 43 30 5c 89 9f 5c 54 09 43 30 5c 89 9f 5c 54
Signature_or_MAC_2 (CBOR Data Item) (9 bytes) Signature_or_MAC_2 (CBOR Data Item) (9 bytes)
48 09 43 30 5c 89 9f 5c 54 48 09 43 30 5c 89 9f 5c 54
The Responder constructs PLAINTEXT_2: The Responder constructs PLAINTEXT_2:
PLAINTEXT_2 = PLAINTEXT_2 =
( (
C_R, C_R,
ID_CRED_R / bstr / -24..23, ID_CRED_R / bstr / -24..23,
Signature_or_MAC_2, Signature_or_MAC_2,
? EAD_2 ? EAD_2
) )
Since ID_CRED_R contains a single 'kid' parameter, only the byte Since ID_CRED_R contains a single 'kid' parameter, only the byte
string value is included in the plaintext, represented as described string value is included in the plaintext, represented as described
in Section 3.3.2 of [I-D.ietf-lake-edhoc]. The CBOR map { 4 : h'32' in Section 3.3.2 of [RFC9528]. The CBOR map { 4 : h'32' } is thus
} is thus replaced, not by the CBOR byte string 0x4132, but by the replaced, not by the CBOR byte string 0x4132, but by the CBOR int
CBOR int 0x32, since that is a one byte encoding of a CBOR integer 0x32, since that is a one-byte encoding of a CBOR integer (-19).
(-19).
PLAINTEXT_2 (CBOR Sequence) (11 bytes) PLAINTEXT_2 (CBOR Sequence) (11 bytes)
27 32 48 09 43 30 5c 89 9f 5c 54 27 32 48 09 43 30 5c 89 9f 5c 54
The input needed to calculate KEYSTREAM_2 is defined in Section 4.1.2 The input needed to calculate KEYSTREAM_2 is defined in Section 4.1.2
of [I-D.ietf-lake-edhoc], using EDHOC_Expand() with the EDHOC hash of [RFC9528], using EDHOC_Expand() with the EDHOC hash algorithm:
algorithm:
KEYSTREAM_2 = EDHOC_KDF( PRK_2e, 0, TH_2, plaintext_length ) = KEYSTREAM_2 = EDHOC_KDF( PRK_2e, 0, TH_2, plaintext_length )
= HKDF-Expand( PRK_2e, info, plaintext_length ) = HKDF-Expand( PRK_2e, info, plaintext_length )
where plaintext_length is the length in bytes of PLAINTEXT_2, and where plaintext_length is the length in bytes of PLAINTEXT_2, and
info for KEYSTREAM_2 is: info for KEYSTREAM_2 is:
info = info =
( (
0, 0,
h'356efd53771425e008f3fe3a86c83ff4c6b16e57028ff39d h'356efd53771425e008f3fe3a86c83ff4c6b16e57028ff39d
5236c182b202084b', 5236c182b202084b',
11 11
) )
where the last value is the length in bytes of PLAINTEXT_2. where the last value is the length in bytes of PLAINTEXT_2.
info for KEYSTREAM_2 (CBOR Sequence) (36 bytes) info for KEYSTREAM_2 (CBOR Sequence) (36 bytes)
00 58 20 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 3f f4 c6 b1 6e 57 00 58 20 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 3f f4 c6 b1 6e 57
02 8f f3 9d 52 36 c1 82 b2 02 08 4b 0b 02 8f f3 9d 52 36 c1 82 b2 02 08 4b 0b
KEYSTREAM_2 (Raw Value) (11 bytes) KEYSTREAM_2 (Raw Value) (11 bytes)
bf 50 e9 e7 ba d0 bb 68 17 33 99 bf 50 e9 e7 ba d0 bb 68 17 33 99
skipping to change at page 42, line 22 skipping to change at line 1915
The Responder calculates CIPHERTEXT_2 as XOR between PLAINTEXT_2 and The Responder calculates CIPHERTEXT_2 as XOR between PLAINTEXT_2 and
KEYSTREAM_2: KEYSTREAM_2:
CIPHERTEXT_2 (Raw Value) (11 bytes) CIPHERTEXT_2 (Raw Value) (11 bytes)
98 62 a1 ee f9 e0 e7 e1 88 6f cd 98 62 a1 ee f9 e0 e7 e1 88 6f cd
The Responder constructs message_2: The Responder constructs message_2:
message_2 = message_2 =
( (
G_Y_CIPHERTEXT_2, G_Y_CIPHERTEXT_2
) )
where G_Y_CIPHERTEXT_2 is the bstr encoding of the concatenation of where G_Y_CIPHERTEXT_2 is the bstr encoding of the concatenation of
the raw values of G_Y and CIPHERTEXT_2. the raw values of G_Y and CIPHERTEXT_2.
message_2 (CBOR Sequence) (45 bytes) message_2 (CBOR Sequence) (45 bytes)
58 2b 41 97 01 d7 f0 0a 26 c2 dc 58 7a 36 dd 75 25 49 f3 37 63 c8 93 58 2b 41 97 01 d7 f0 0a 26 c2 dc 58 7a 36 dd 75 25 49 f3 37 63 c8 93
42 2c 8e a0 f9 55 a1 3a 4f f5 d5 98 62 a1 ee f9 e0 e7 e1 88 6f cd 42 2c 8e a0 f9 55 a1 3a 4f f5 d5 98 62 a1 ee f9 e0 e7 e1 88 6f cd
3.5. message_3 3.5. message_3
skipping to change at page 43, line 4 skipping to change at line 1944
8f f3 9d 52 36 c1 82 b2 02 08 4b 27 32 48 09 43 30 5c 89 9f 5c 54 a2 8f f3 9d 52 36 c1 82 b2 02 08 4b 27 32 48 09 43 30 5c 89 9f 5c 54 a2
02 6b 65 78 61 6d 70 6c 65 2e 65 64 75 08 a1 01 a5 01 02 02 41 32 20 02 6b 65 78 61 6d 70 6c 65 2e 65 64 75 08 a1 01 a5 01 02 02 41 32 20
01 21 58 20 bb c3 49 60 52 6e a4 d3 2e 94 0c ad 2a 23 41 48 dd c2 17 01 21 58 20 bb c3 49 60 52 6e a4 d3 2e 94 0c ad 2a 23 41 48 dd c2 17
91 a1 2a fb cb ac 93 62 20 46 dd 44 f0 22 58 20 45 19 e2 57 23 6b 2a 91 a1 2a fb cb ac 93 62 20 46 dd 44 f0 22 58 20 45 19 e2 57 23 6b 2a
0c e2 02 3f 09 31 f1 f3 86 ca 7a fd a6 4f cd e0 10 8c 22 4c 51 ea bf 0c e2 02 3f 09 31 f1 f3 86 ca 7a fd a6 4f cd e0 10 8c 22 4c 51 ea bf
60 72 60 72
TH_3 (Raw Value) (32 bytes) TH_3 (Raw Value) (32 bytes)
ad af 67 a7 8a 4b cc 91 e0 18 f8 88 27 62 a7 22 00 0b 25 07 03 9d f0 ad af 67 a7 8a 4b cc 91 e0 18 f8 88 27 62 a7 22 00 0b 25 07 03 9d f0
bc 1b bf 0c 16 1b b3 15 5c bc 1b bf 0c 16 1b b3 15 5c
TH_3 (CBOR Data Item) (34 bytes) TH_3 (CBOR Data Item) (34 bytes)
58 20 ad af 67 a7 8a 4b cc 91 e0 18 f8 88 27 62 a7 22 00 0b 25 07 03 58 20 ad af 67 a7 8a 4b cc 91 e0 18 f8 88 27 62 a7 22 00 0b 25 07 03
9d f0 bc 1b bf 0c 16 1b b3 15 5c 9d f0 bc 1b bf 0c 16 1b b3 15 5c
Since METHOD = 3, the Initiator authenticates using static DH. The Since METHOD = 3, the Initiator authenticates using static DH. The
EDHOC key exchange algorithm is based on the same curve as for the EDHOC key exchange algorithm is based on the same curve as for the
ephemeral keys, which is P-256, since the selected cipher suite is 2. ephemeral keys, which is P-256, since the selected cipher suite is 2.
The Initiator's static Diffie-Hellman P-256 key pair: The Initiator's static Diffie-Hellman P-256 key pair consists of a
private key and a public key:
Initiator's private authentication key Initiator's private authentication key
SK_I (Raw Value) (32 bytes) SK_I (Raw Value) (32 bytes)
fb 13 ad eb 65 18 ce e5 f8 84 17 66 08 41 14 2e 83 0a 81 fe 33 43 80 fb 13 ad eb 65 18 ce e5 f8 84 17 66 08 41 14 2e 83 0a 81 fe 33 43 80
a9 53 40 6a 13 05 e8 70 6b a9 53 40 6a 13 05 e8 70 6b
Initiator's public authentication key, 'x'-coordinate Initiator's public authentication key, 'x'-coordinate
(Raw Value) (32 bytes) (Raw Value) (32 bytes)
ac 75 e9 ec e3 e5 0b fc 8e d6 03 99 88 95 22 40 5c 47 bf 16 df 96 66 ac 75 e9 ec e3 e5 0b fc 8e d6 03 99 88 95 22 40 5c 47 bf 16 df 96 66
0a 41 29 8c b4 30 7f 7e b6 0a 41 29 8c b4 30 7f 7e b6
Initiator's public authentication key, 'y'-coordinate Initiator's public authentication key, 'y'-coordinate
(Raw Value) (32 bytes) (Raw Value) (32 bytes)
6e 5d e6 11 38 8a 4b 8a 82 11 33 4a c7 d3 7e cb 52 a3 87 d2 57 e6 db 6e 5d e6 11 38 8a 4b 8a 82 11 33 4a c7 d3 7e cb 52 a3 87 d2 57 e6 db
3c 2a 93 df 21 ff 3a ff c8 3c 2a 93 df 21 ff 3a ff c8
Since I authenticates with static DH (METHOD = 3), PRK_4e3m is Since I authenticates with static DH (METHOD = 3), PRK_4e3m is
derived from SALT_4e3m and G_IY. derived from SALT_4e3m and G_IY.
The input needed to calculate SALT_4e3m is defined in Section 4.1.2 The input needed to calculate SALT_4e3m is defined in Section 4.1.2
of [I-D.ietf-lake-edhoc], using EDHOC_Expand() with the EDHOC hash of [RFC9528], using EDHOC_Expand() with the EDHOC hash algorithm:
algorithm:
SALT_4e3m = EDHOC_KDF( PRK_3e2m, 5, TH_3, hash_length ) = SALT_4e3m = EDHOC_KDF( PRK_3e2m, 5, TH_3, hash_length )
= HKDF-Expand( PRK_3e2m, info, hash_length ) = HKDF-Expand( PRK_3e2m, info, hash_length )
where hash_length is the length in bytes of the output of the EDHOC where hash_length is the length in bytes of the output of the EDHOC
hash algorithm, and info for SALT_4e3m is: hash algorithm, and info for SALT_4e3m is:
info = info =
( (
5, 5,
h'adaf67a78a4bcc91e018f8882762a722000b2507039df0bc h'adaf67a78a4bcc91e018f8882762a722000b2507039df0bc
1bbf0c161bb3155c', 1bbf0c161bb3155c',
32 32
) )
info for SALT_4e3m (CBOR Sequence) (37 bytes) info for SALT_4e3m (CBOR Sequence) (37 bytes)
05 58 20 ad af 67 a7 8a 4b cc 91 e0 18 f8 88 27 62 a7 22 00 0b 25 07 05 58 20 ad af 67 a7 8a 4b cc 91 e0 18 f8 88 27 62 a7 22 00 0b 25 07
03 9d f0 bc 1b bf 0c 16 1b b3 15 5c 18 20 03 9d f0 bc 1b bf 0c 16 1b b3 15 5c 18 20
SALT_4e3m (Raw Value) (32 bytes) SALT_4e3m (Raw Value) (32 bytes)
cf dd f9 51 5a 7e 46 e7 b4 db ff 31 cb d5 6c d0 4b a3 32 25 0d e9 ea cf dd f9 51 5a 7e 46 e7 b4 db ff 31 cb d5 6c d0 4b a3 32 25 0d e9 ea
5d e1 ca f9 f6 d1 39 14 a7 5d e1 ca f9 f6 d1 39 14 a7
PRK_4e3m is specified in Section 4.1.1.3 of [I-D.ietf-lake-edhoc]. PRK_4e3m is specified in Section 4.1.1.3 of [RFC9528].
Since I authenticates with static DH (METHOD = 3), PRK_4e3m is Since I authenticates with static DH (METHOD = 3), PRK_4e3m is
derived from G_IY using EDHOC_Extract() with the EDHOC hash derived from G_IY using EDHOC_Extract() with the EDHOC hash
algorithm: algorithm:
PRK_4e3m = EDHOC_Extract(SALT_4e3m, G_IY) = PRK_4e3m = EDHOC_Extract(SALT_4e3m, G_IY)
= HMAC-SHA-256(SALT_4e3m, G_IY) = HMAC-SHA-256(SALT_4e3m, G_IY)
where G_IY is the ECDH shared secret calculated from G_I and Y, or where G_IY is the ECDH shared secret calculated from G_I and Y, or
G_Y and I. G_Y and I.
G_IY (Raw Value) (ECDH shared secret) (32 bytes) G_IY (Raw Value) (ECDH shared secret) (32 bytes)
08 0f 42 50 85 bc 62 49 08 9e ac 8f 10 8e a6 23 26 85 7e 12 ab 07 d7 08 0f 42 50 85 bc 62 49 08 9e ac 8f 10 8e a6 23 26 85 7e 12 ab 07 d7
20 28 ca 1b 5f 36 e0 04 b3 20 28 ca 1b 5f 36 e0 04 b3
PRK_4e3m (Raw Value) (32 bytes) PRK_4e3m (Raw Value) (32 bytes)
skipping to change at page 44, line 43 skipping to change at line 2030
MAC_3: MAC_3:
MAC_3 = EDHOC_KDF( PRK_4e3m, 6, context_3, mac_length_3 ) MAC_3 = EDHOC_KDF( PRK_4e3m, 6, context_3, mac_length_3 )
context_3 = << ID_CRED_I, TH_3, CRED_I, ? EAD_3 >> context_3 = << ID_CRED_I, TH_3, CRED_I, ? EAD_3 >>
CRED_I is identified by a 'kid' with byte string value 0x2b: CRED_I is identified by a 'kid' with byte string value 0x2b:
ID_CRED_I = ID_CRED_I =
{ {
4 : h'2b' 4 : h'2b'
} }
ID_CRED_I (CBOR Data Item) (4 bytes) ID_CRED_I (CBOR Data Item) (4 bytes)
a1 04 41 2b a1 04 41 2b
CRED_I is an RPK encoded as a CCS: CRED_I is an RPK encoded as a CCS:
{ /CCS/ { /CCS/
2 : "42-50-31-FF-EF-37-32-39", /sub/ 2 : "42-50-31-FF-EF-37-32-39", /sub/
8 : { /cnf/ 8 : { /cnf/
1 : { /COSE_Key/ 1 : { /COSE_Key/
1 : 2, /kty/ 1 : 2, /kty/
2 : h'2b', /kid/ 2 : h'2b', /kid/
-1 : 1, /crv/ -1 : 1, /crv/
-2 : h'AC75E9ECE3E50BFC8ED6039988952240 -2 : h'ac75e9ece3e50bfc8ed6039988952240
5C47BF16DF96660A41298CB4307F7EB6' /x/ 5c47bf16df96660a41298cb4307f7eb6' /x/
-3 : h'6E5DE611388A4B8A8211334AC7D37ECB -3 : h'6e5de611388a4b8a8211334ac7d37ecb
52A387D257E6DB3C2A93DF21FF3AFFC8' /y/ 52a387d257e6db3c2a93df21ff3affc8' /y/
} }
} }
} }
CRED_I (CBOR Data Item) (107 bytes) CRED_I (CBOR Data Item) (107 bytes)
a2 02 77 34 32 2d 35 30 2d 33 31 2d 46 46 2d 45 46 2d 33 37 2d 33 32 a2 02 77 34 32 2d 35 30 2d 33 31 2d 46 46 2d 45 46 2d 33 37 2d 33 32
2d 33 39 08 a1 01 a5 01 02 02 41 2b 20 01 21 58 20 ac 75 e9 ec e3 e5 2d 33 39 08 a1 01 a5 01 02 02 41 2b 20 01 21 58 20 ac 75 e9 ec e3 e5
0b fc 8e d6 03 99 88 95 22 40 5c 47 bf 16 df 96 66 0a 41 29 8c b4 30 0b fc 8e d6 03 99 88 95 22 40 5c 47 bf 16 df 96 66 0a 41 29 8c b4 30
7f 7e b6 22 58 20 6e 5d e6 11 38 8a 4b 8a 82 11 33 4a c7 d3 7e cb 52 7f 7e b6 22 58 20 6e 5d e6 11 38 8a 4b 8a 82 11 33 4a c7 d3 7e cb 52
a3 87 d2 57 e6 db 3c 2a 93 df 21 ff 3a ff c8 a3 87 d2 57 e6 db 3c 2a 93 df 21 ff 3a ff c8
skipping to change at page 45, line 52 skipping to change at line 2085
context_3 (CBOR byte string) (147 bytes) context_3 (CBOR byte string) (147 bytes)
58 91 a1 04 41 2b 58 20 ad af 67 a7 8a 4b cc 91 e0 18 f8 88 27 62 a7 58 91 a1 04 41 2b 58 20 ad af 67 a7 8a 4b cc 91 e0 18 f8 88 27 62 a7
22 00 0b 25 07 03 9d f0 bc 1b bf 0c 16 1b b3 15 5c a2 02 77 34 32 2d 22 00 0b 25 07 03 9d f0 bc 1b bf 0c 16 1b b3 15 5c a2 02 77 34 32 2d
35 30 2d 33 31 2d 46 46 2d 45 46 2d 33 37 2d 33 32 2d 33 39 08 a1 01 35 30 2d 33 31 2d 46 46 2d 45 46 2d 33 37 2d 33 32 2d 33 39 08 a1 01
a5 01 02 02 41 2b 20 01 21 58 20 ac 75 e9 ec e3 e5 0b fc 8e d6 03 99 a5 01 02 02 41 2b 20 01 21 58 20 ac 75 e9 ec e3 e5 0b fc 8e d6 03 99
88 95 22 40 5c 47 bf 16 df 96 66 0a 41 29 8c b4 30 7f 7e b6 22 58 20 88 95 22 40 5c 47 bf 16 df 96 66 0a 41 29 8c b4 30 7f 7e b6 22 58 20
6e 5d e6 11 38 8a 4b 8a 82 11 33 4a c7 d3 7e cb 52 a3 87 d2 57 e6 db 6e 5d e6 11 38 8a 4b 8a 82 11 33 4a c7 d3 7e cb 52 a3 87 d2 57 e6 db
3c 2a 93 df 21 ff 3a ff c8 3c 2a 93 df 21 ff 3a ff c8
MAC_3 is computed through EDHOC_Expand() using the EDHOC hash MAC_3 is computed through EDHOC_Expand() using the EDHOC hash
algorithm, see Section 4.1.2 of [I-D.ietf-lake-edhoc]: algorithm (see Section 4.1.2 of [RFC9528]):
MAC_3 = HKDF-Expand(PRK_4e3m, info, mac_length_3), where MAC_3 = HKDF-Expand( PRK_4e3m, info, mac_length_3 )
where
info = ( 6, context_3, mac_length_3 ) info = ( 6, context_3, mac_length_3 )
Since METHOD = 3, mac_length_3 is given by the EDHOC MAC length. Since METHOD = 3, mac_length_3 is given by the EDHOC MAC length.
info for MAC_3 is: info for MAC_3 is:
info = info =
( (
6, 6,
h'a104412b5820adaf67a78a4bcc91e018f8882762a722000b h'a104412b5820adaf67a78a4bcc91e018f8882762a722000b
2507039df0bc1bbf0c161bb3155ca2027734322d35302d33 2507039df0bc1bbf0c161bb3155ca2027734322d35302d33
312d46462d45462d33372d33322d333908a101a501020241 312d46462d45462d33372d33322d333908a101a501020241
2b2001215820ac75e9ece3e50bfc8ed60399889522405c47 2b2001215820ac75e9ece3e50bfc8ed60399889522405c47
bf16df96660a41298cb4307f7eb62258206e5de611388a4b bf16df96660a41298cb4307f7eb62258206e5de611388a4b
8a8211334ac7d37ecb52a387d257e6db3c2a93df21ff3aff 8a8211334ac7d37ecb52a387d257e6db3c2a93df21ff3aff
c8', c8',
8 8
) )
where the last value is the EDHOC MAC length in bytes. where the last value is the EDHOC MAC length in bytes.
info for MAC_3 (CBOR Sequence) (149 bytes) info for MAC_3 (CBOR Sequence) (149 bytes)
06 58 91 a1 04 41 2b 58 20 ad af 67 a7 8a 4b cc 91 e0 18 f8 88 27 62 06 58 91 a1 04 41 2b 58 20 ad af 67 a7 8a 4b cc 91 e0 18 f8 88 27 62
a7 22 00 0b 25 07 03 9d f0 bc 1b bf 0c 16 1b b3 15 5c a2 02 77 34 32 a7 22 00 0b 25 07 03 9d f0 bc 1b bf 0c 16 1b b3 15 5c a2 02 77 34 32
2d 35 30 2d 33 31 2d 46 46 2d 45 46 2d 33 37 2d 33 32 2d 33 39 08 a1 2d 35 30 2d 33 31 2d 46 46 2d 45 46 2d 33 37 2d 33 32 2d 33 39 08 a1
01 a5 01 02 02 41 2b 20 01 21 58 20 ac 75 e9 ec e3 e5 0b fc 8e d6 03 01 a5 01 02 02 41 2b 20 01 21 58 20 ac 75 e9 ec e3 e5 0b fc 8e d6 03
99 88 95 22 40 5c 47 bf 16 df 96 66 0a 41 29 8c b4 30 7f 7e b6 22 58 99 88 95 22 40 5c 47 bf 16 df 96 66 0a 41 29 8c b4 30 7f 7e b6 22 58
skipping to change at page 47, line 7 skipping to change at line 2139
Signature_or_MAC_3 (Raw Value) (8 bytes) Signature_or_MAC_3 (Raw Value) (8 bytes)
62 3c 91 df 41 e3 4c 2f 62 3c 91 df 41 e3 4c 2f
Signature_or_MAC_3 (CBOR Data Item) (9 bytes) Signature_or_MAC_3 (CBOR Data Item) (9 bytes)
48 62 3c 91 df 41 e3 4c 2f 48 62 3c 91 df 41 e3 4c 2f
The Initiator constructs PLAINTEXT_3: The Initiator constructs PLAINTEXT_3:
PLAINTEXT_3 = PLAINTEXT_3 =
( (
ID_CRED_I / bstr / -24..23, ID_CRED_I / bstr / -24..23,
Signature_or_MAC_3, Signature_or_MAC_3,
? EAD_3 ? EAD_3
) )
Since ID_CRED_I contains a single 'kid' parameter, only the byte Since ID_CRED_I contains a single 'kid' parameter, only the byte
string value is included in the plaintext, represented as described string value is included in the plaintext, represented as described
in Section 3.3.2 of [I-D.ietf-lake-edhoc]. The CBOR map { 4 : h'2b' in Section 3.3.2 of [RFC9528]. The CBOR map { 4 : h'2b' } is thus
} is thus replaced, not by the CBOR byte string 0x412b, but by the replaced, not by the CBOR byte string 0x412b, but by the CBOR int
CBOR int 0x2b, since that is a one byte encoding of a CBOR integer 0x2b, since that is a one-byte encoding of a CBOR integer (-12).
(-12).
PLAINTEXT_3 (CBOR Sequence) (10 bytes) PLAINTEXT_3 (CBOR Sequence) (10 bytes)
2b 48 62 3c 91 df 41 e3 4c 2f 2b 48 62 3c 91 df 41 e3 4c 2f
The Initiator constructs the associated data for message_3: The Initiator constructs the associated data for message_3:
A_3 = A_3 =
[ [
"Encrypt0", "Encrypt0",
h'', h'',
h'adaf67a78a4bcc91e018f8882762a722000b2507039df0bc h'adaf67a78a4bcc91e018f8882762a722000b2507039df0bc
1bbf0c161bb3155c' 1bbf0c161bb3155c'
] ]
A_3 (CBOR Data Item) (45 bytes) A_3 (CBOR Data Item) (45 bytes)
83 68 45 6e 63 72 79 70 74 30 40 58 20 ad af 67 a7 8a 4b cc 91 e0 18 83 68 45 6e 63 72 79 70 74 30 40 58 20 ad af 67 a7 8a 4b cc 91 e0 18
f8 88 27 62 a7 22 00 0b 25 07 03 9d f0 bc 1b bf 0c 16 1b b3 15 5c f8 88 27 62 a7 22 00 0b 25 07 03 9d f0 bc 1b bf 0c 16 1b b3 15 5c
The Initiator constructs the input needed to derive the key K_3, see The Initiator constructs the input needed to derive the key K_3 (see
Section 4.1.2 of [I-D.ietf-lake-edhoc], using the EDHOC hash Section 4.1.2 of [RFC9528]) using the EDHOC hash algorithm:
algorithm:
K_3 = EDHOC_KDF( PRK_3e2m, 3, TH_3, key_length ) K_3 = EDHOC_KDF( PRK_3e2m, 3, TH_3, key_length )
= HKDF-Expand( PRK_3e2m, info, key_length ), = HKDF-Expand( PRK_3e2m, info, key_length )
where key_length is the key length in bytes for the EDHOC AEAD where key_length is the key length in bytes for the EDHOC AEAD
algorithm, and info for K_3 is: algorithm, and info for K_3 is:
info = info =
( (
3, 3,
h'adaf67a78a4bcc91e018f8882762a722000b2507039df0bc h'adaf67a78a4bcc91e018f8882762a722000b2507039df0bc
1bbf0c161bb3155c', 1bbf0c161bb3155c',
16 16
) )
where the last value is the key length in bytes for the EDHOC AEAD where the last value is the key length in bytes for the EDHOC AEAD
algorithm. algorithm.
info for K_3 (CBOR Sequence) (36 bytes) info for K_3 (CBOR Sequence) (36 bytes)
03 58 20 ad af 67 a7 8a 4b cc 91 e0 18 f8 88 27 62 a7 22 00 0b 25 07 03 58 20 ad af 67 a7 8a 4b cc 91 e0 18 f8 88 27 62 a7 22 00 0b 25 07
03 9d f0 bc 1b bf 0c 16 1b b3 15 5c 10 03 9d f0 bc 1b bf 0c 16 1b b3 15 5c 10
K_3 (Raw Value) (16 bytes) K_3 (Raw Value) (16 bytes)
8e 7a 30 04 20 00 f7 90 0e 81 74 13 1f 75 f3 ed 8e 7a 30 04 20 00 f7 90 0e 81 74 13 1f 75 f3 ed
The Initiator constructs the input needed to derive the nonce IV_3, The Initiator constructs the input needed to derive the nonce IV_3
see Section 4.1.2 of [I-D.ietf-lake-edhoc], using the EDHOC hash (see Section 4.1.2 of [RFC9528]) using the EDHOC hash algorithm:
algorithm:
IV_3 = EDHOC_KDF( PRK_3e2m, 4, TH_3, iv_length ) IV_3 = EDHOC_KDF( PRK_3e2m, 4, TH_3, iv_length )
= HKDF-Expand( PRK_3e2m, info, iv_length ), = HKDF-Expand( PRK_3e2m, info, iv_length )
where iv_length is the nonce length in bytes for the EDHOC AEAD where iv_length is the nonce length in bytes for the EDHOC AEAD
algorithm, and info for IV_3 is: algorithm, and info for IV_3 is:
info = info =
( (
4, 4,
h'adaf67a78a4bcc91e018f8882762a722000b2507039df0bc h'adaf67a78a4bcc91e018f8882762a722000b2507039df0bc
1bbf0c161bb3155c', 1bbf0c161bb3155c',
13 13
) )
where the last value is the nonce length in bytes for the EDHOC AEAD where the last value is the nonce length in bytes for the EDHOC AEAD
algorithm. algorithm.
info for IV_3 (CBOR Sequence) (36 bytes) info for IV_3 (CBOR Sequence) (36 bytes)
04 58 20 ad af 67 a7 8a 4b cc 91 e0 18 f8 88 27 62 a7 22 00 0b 25 07 04 58 20 ad af 67 a7 8a 4b cc 91 e0 18 f8 88 27 62 a7 22 00 0b 25 07
03 9d f0 bc 1b bf 0c 16 1b b3 15 5c 0d 03 9d f0 bc 1b bf 0c 16 1b b3 15 5c 0d
IV_3 (Raw Value) (13 bytes) IV_3 (Raw Value) (13 bytes)
6d 83 00 c1 e2 3b 56 15 3a e7 0e e4 57 6d 83 00 c1 e2 3b 56 15 3a e7 0e e4 57
The Initiator calculates CIPHERTEXT_3 as 'ciphertext' of The Initiator calculates CIPHERTEXT_3 as 'ciphertext' of
COSE_Encrypt0 applied using the EDHOC AEAD algorithm with plaintext COSE_Encrypt0 applied using the EDHOC AEAD algorithm with plaintext
PLAINTEXT_3, additional data A_3, key K_3 and nonce IV_3. PLAINTEXT_3, additional data A_3, key K_3, and nonce IV_3.
CIPHERTEXT_3 (Raw Value) (18 bytes) CIPHERTEXT_3 (Raw Value) (18 bytes)
e5 62 09 7b c4 17 dd 59 19 48 5a c7 89 1f fd 90 a9 fc e5 62 09 7b c4 17 dd 59 19 48 5a c7 89 1f fd 90 a9 fc
message_3 is the CBOR bstr encoding of CIPHERTEXT_3: message_3 is the CBOR bstr encoding of CIPHERTEXT_3:
message_3 (CBOR Sequence) (19 bytes) message_3 (CBOR Sequence) (19 bytes)
52 e5 62 09 7b c4 17 dd 59 19 48 5a c7 89 1f fd 90 a9 fc 52 e5 62 09 7b c4 17 dd 59 19 48 5a c7 89 1f fd 90 a9 fc
The transcript hash TH_4 is calculated using the EDHOC hash The transcript hash TH_4 is calculated using the EDHOC hash
skipping to change at page 49, line 40 skipping to change at line 2265
3.6. message_4 3.6. message_4
No external authorization data: No external authorization data:
EAD_4 (CBOR Sequence) (0 bytes) EAD_4 (CBOR Sequence) (0 bytes)
The Responder constructs PLAINTEXT_4: The Responder constructs PLAINTEXT_4:
PLAINTEXT_4 = PLAINTEXT_4 =
( (
? EAD_4 ? EAD_4
) )
PLAINTEXT_4 (CBOR Sequence) (0 bytes) PLAINTEXT_4 (CBOR Sequence) (0 bytes)
The Responder constructs the associated data for message_4: The Responder constructs the associated data for message_4:
A_4 = A_4 =
[ [
"Encrypt0", "Encrypt0",
h'', h'',
h'c902b1e3a4326c93c5551f5f3aa6c5ecc0246806765612e5 h'c902b1e3a4326c93c5551f5f3aa6c5ecc0246806765612e5
2b5d99e6059d6b6e' 2b5d99e6059d6b6e'
] ]
A_4 (CBOR Data Item) (45 bytes) A_4 (CBOR Data Item) (45 bytes)
83 68 45 6e 63 72 79 70 74 30 40 58 20 c9 02 b1 e3 a4 32 6c 93 c5 55 83 68 45 6e 63 72 79 70 74 30 40 58 20 c9 02 b1 e3 a4 32 6c 93 c5 55
1f 5f 3a a6 c5 ec c0 24 68 06 76 56 12 e5 2b 5d 99 e6 05 9d 6b 6e 1f 5f 3a a6 c5 ec c0 24 68 06 76 56 12 e5 2b 5d 99 e6 05 9d 6b 6e
The Responder constructs the input needed to derive the EDHOC The Responder constructs the input needed to derive the EDHOC
message_4 key, see Section 4.1.2 of [I-D.ietf-lake-edhoc], using the message_4 key (see Section 4.1.2 of [RFC9528]) using the EDHOC hash
EDHOC hash algorithm: algorithm:
K_4 = EDHOC_KDF( PRK_4e3m, 8, TH_4, key_length ) K_4 = EDHOC_KDF( PRK_4e3m, 8, TH_4, key_length )
= HKDF-Expand( PRK_4e3m, info, key_length ) = HKDF-Expand( PRK_4e3m, info, key_length )
where key_length is the key length in bytes for the EDHOC AEAD where key_length is the key length in bytes for the EDHOC AEAD
algorithm, and info for K_4 is: algorithm, and info for K_4 is:
info = info =
( (
8, 8,
h'c902b1e3a4326c93c5551f5f3aa6c5ecc0246806765612e5 h'c902b1e3a4326c93c5551f5f3aa6c5ecc0246806765612e5
2b5d99e6059d6b6e', 2b5d99e6059d6b6e',
16 16
) )
where the last value is the key length in bytes for the EDHOC AEAD where the last value is the key length in bytes for the EDHOC AEAD
algorithm. algorithm.
info for K_4 (CBOR Sequence) (36 bytes) info for K_4 (CBOR Sequence) (36 bytes)
08 58 20 c9 02 b1 e3 a4 32 6c 93 c5 55 1f 5f 3a a6 c5 ec c0 24 68 06 08 58 20 c9 02 b1 e3 a4 32 6c 93 c5 55 1f 5f 3a a6 c5 ec c0 24 68 06
76 56 12 e5 2b 5d 99 e6 05 9d 6b 6e 10 76 56 12 e5 2b 5d 99 e6 05 9d 6b 6e 10
K_4 (Raw Value) (16 bytes) K_4 (Raw Value) (16 bytes)
d3 c7 78 72 b6 ee b5 08 91 1b db d3 08 b2 e6 a0 d3 c7 78 72 b6 ee b5 08 91 1b db d3 08 b2 e6 a0
The Responder constructs the input needed to derive the EDHOC The Responder constructs the input needed to derive the EDHOC
message_4 nonce, see Section 4.1.2 of [I-D.ietf-lake-edhoc], using message_4 nonce (see Section 4.1.2 of [RFC9528]) using the EDHOC hash
the EDHOC hash algorithm: algorithm:
IV_4 = EDHOC_KDF( PRK_4e3m, 9, TH_4, iv_length ) IV_4 = EDHOC_KDF( PRK_4e3m, 9, TH_4, iv_length )
= HKDF-Expand( PRK_4e3m, info, iv_length ) = HKDF-Expand( PRK_4e3m, info, iv_length )
where iv_length is the nonce length in bytes for the EDHOC AEAD where iv_length is the nonce length in bytes for the EDHOC AEAD
algorithm, and info for IV_4 is: algorithm, and info for IV_4 is:
info = info =
( (
9, 9,
h'c902b1e3a4326c93c5551f5f3aa6c5ecc0246806765612e5 h'c902b1e3a4326c93c5551f5f3aa6c5ecc0246806765612e5
2b5d99e6059d6b6e', 2b5d99e6059d6b6e',
13 13
) )
where the last value is the nonce length in bytes for the EDHOC AEAD where the last value is the nonce length in bytes for the EDHOC AEAD
algorithm. algorithm.
info for IV_4 (CBOR Sequence) (36 bytes) info for IV_4 (CBOR Sequence) (36 bytes)
09 58 20 c9 02 b1 e3 a4 32 6c 93 c5 55 1f 5f 3a a6 c5 ec c0 24 68 06 09 58 20 c9 02 b1 e3 a4 32 6c 93 c5 55 1f 5f 3a a6 c5 ec c0 24 68 06
76 56 12 e5 2b 5d 99 e6 05 9d 6b 6e 0d 76 56 12 e5 2b 5d 99 e6 05 9d 6b 6e 0d
IV_4 (Raw Value) (13 bytes) IV_4 (Raw Value) (13 bytes)
04 ff 0f 44 45 6e 96 e2 17 85 3c 36 01 04 ff 0f 44 45 6e 96 e2 17 85 3c 36 01
The Responder calculates CIPHERTEXT_4 as 'ciphertext' of The Responder calculates CIPHERTEXT_4 as 'ciphertext' of
COSE_Encrypt0 applied using the EDHOC AEAD algorithm with plaintext COSE_Encrypt0 applied using the EDHOC AEAD algorithm with plaintext
PLAINTEXT_4, additional data A_4, key K_4 and nonce IV_4. PLAINTEXT_4, additional data A_4, key K_4, and nonce IV_4.
CIPHERTEXT_4 (8 bytes) CIPHERTEXT_4 (8 bytes)
28 c9 66 b7 ca 30 4f 83 28 c9 66 b7 ca 30 4f 83
message_4 is the CBOR bstr encoding of CIPHERTEXT_4: message_4 is the CBOR bstr encoding of CIPHERTEXT_4:
message_4 (CBOR Sequence) (9 bytes) message_4 (CBOR Sequence) (9 bytes)
48 28 c9 66 b7 ca 30 4f 83 48 28 c9 66 b7 ca 30 4f 83
3.7. PRK_out and PRK_exporter 3.7. PRK_out and PRK_exporter
PRK_out is specified in Section 4.1.3 of [I-D.ietf-lake-edhoc]. PRK_out is specified in Section 4.1.3 of [RFC9528].
PRK_out = EDHOC_KDF( PRK_4e3m, 7, TH_4, hash_length ) = PRK_out = EDHOC_KDF( PRK_4e3m, 7, TH_4, hash_length )
= HKDF-Expand( PRK_4e3m, info, hash_length ) = HKDF-Expand( PRK_4e3m, info, hash_length )
where hash_length is the length in bytes of the output of the EDHOC where hash_length is the length in bytes of the output of the EDHOC
hash algorithm, and info for PRK_out is: hash algorithm, and info for PRK_out is:
info = info =
( (
7, 7,
h'c902b1e3a4326c93c5551f5f3aa6c5ecc0246806765612e5 h'c902b1e3a4326c93c5551f5f3aa6c5ecc0246806765612e5
2b5d99e6059d6b6e', 2b5d99e6059d6b6e',
32 32
) )
where the last value is the length in bytes of the output of the where the last value is the length in bytes of the output of the
EDHOC hash algorithm. EDHOC hash algorithm.
info for PRK_out (CBOR Sequence) (37 bytes) info for PRK_out (CBOR Sequence) (37 bytes)
07 58 20 c9 02 b1 e3 a4 32 6c 93 c5 55 1f 5f 3a a6 c5 ec c0 24 68 06 07 58 20 c9 02 b1 e3 a4 32 6c 93 c5 55 1f 5f 3a a6 c5 ec c0 24 68 06
76 56 12 e5 2b 5d 99 e6 05 9d 6b 6e 18 20 76 56 12 e5 2b 5d 99 e6 05 9d 6b 6e 18 20
PRK_out (Raw Value) (32 bytes) PRK_out (Raw Value) (32 bytes)
2c 71 af c1 a9 33 8a 94 0b b3 52 9c a7 34 b8 86 f3 0d 1a ba 0b 4d c5 2c 71 af c1 a9 33 8a 94 0b b3 52 9c a7 34 b8 86 f3 0d 1a ba 0b 4d c5
1b ee ae ab df ea 9e cb f8 1b ee ae ab df ea 9e cb f8
The OSCORE Master Secret and OSCORE Master Salt are derived with the The OSCORE Master Secret and OSCORE Master Salt are derived with the
EDHOC_Exporter as specified in 4.2.1 of [I-D.ietf-lake-edhoc]. EDHOC_Exporter as specified in Section 4.2.1 of [RFC9528].
EDHOC_Exporter( label, context, length ) EDHOC_Exporter( exporter_label, context, length )
= EDHOC_KDF( PRK_exporter, label, context, length ) = EDHOC_KDF( PRK_exporter, exporter_label, context, length )
where PRK_exporter is derived from PRK_out: where PRK_exporter is derived from PRK_out:
PRK_exporter = EDHOC_KDF( PRK_out, 10, h'', hash_length ) = PRK_exporter = EDHOC_KDF( PRK_out, 10, h'', hash_length )
= HKDF-Expand( PRK_out, info, hash_length ) = HKDF-Expand( PRK_out, info, hash_length )
where hash_length is the length in bytes of the output of the EDHOC where hash_length is the length in bytes of the output of the EDHOC
hash algorithm, and info for the PRK_exporter is: hash algorithm, and info for the PRK_exporter is:
info = info =
( (
10, 10,
h'', h'',
32 32
) )
where the last value is the length in bytes of the output of the where the last value is the length in bytes of the output of the
EDHOC hash algorithm. EDHOC hash algorithm.
info for PRK_exporter (CBOR Sequence) (4 bytes) info for PRK_exporter (CBOR Sequence) (4 bytes)
0a 40 18 20 0a 40 18 20
PRK_exporter (Raw Value) (32 bytes) PRK_exporter (Raw Value) (32 bytes)
e1 4d 06 69 9c ee 24 8c 5a 04 bf 92 27 bb cd 4c e3 94 de 7d cb 56 db e1 4d 06 69 9c ee 24 8c 5a 04 bf 92 27 bb cd 4c e3 94 de 7d cb 56 db
43 55 54 74 17 1e 64 46 db 43 55 54 74 17 1e 64 46 db
3.8. OSCORE Parameters 3.8. OSCORE Parameters
The derivation of OSCORE parameters is specified in Appendix A.1 of The derivation of OSCORE parameters is specified in Appendix A.1 of
[I-D.ietf-lake-edhoc]. [RFC9528].
The AEAD and Hash algorithms to use in OSCORE are given by the The AEAD and hash algorithms to use in OSCORE are given by the
selected cipher suite: selected cipher suite:
Application AEAD Algorithm (int) Application AEAD Algorithm (int)
10 10
Application Hash Algorithm (int) Application Hash Algorithm (int)
-16 -16
The mapping from EDHOC connection identifiers to OSCORE Sender/ The mapping from EDHOC connection identifiers to OSCORE Sender/
Recipient IDs is defined in Section 3.3.3 of [I-D.ietf-lake-edhoc]. Recipient IDs is defined in Section 3.3.3 of [RFC9528].
C_R is mapped to the Recipient ID of the server, i.e., the Sender ID C_R is mapped to the Recipient ID of the server, i.e., the Sender ID
of the client. The byte string 0x27, which as C_R is encoded as the of the client. The byte string 0x27, which as C_R is encoded as the
CBOR integer 0x27, is converted to the server Recipient ID 0x27. CBOR integer 0x27, is converted to the server Recipient ID 0x27.
Client's OSCORE Sender ID (Raw Value) (1 byte) Client's OSCORE Sender ID (Raw Value) (1 byte)
27 27
C_I is mapped to the Recipient ID of the client, i.e., the Sender ID C_I is mapped to the Recipient ID of the client, i.e., the Sender ID
of the server. The byte string 0x37, which as C_I is encoded as the of the server. The byte string 0x37, which as C_I is encoded as the
CBOR integer 0x0e is converted to the client Recipient ID 0x37. CBOR integer 0x0e, is converted to the client Recipient ID 0x37.
Server's OSCORE Sender ID (Raw Value) (1 byte) Server's OSCORE Sender ID (Raw Value) (1 byte)
37 37
The OSCORE Master Secret is computed through EDHOC_Expand() using the The OSCORE Master Secret is computed through EDHOC_Expand() using the
Application hash algorithm, see Appendix A.1 of application hash algorithm (see Appendix A.1 of [RFC9528]):
[I-D.ietf-lake-edhoc]:
OSCORE Master Secret = EDHOC_Exporter( 0, h'', oscore_key_length ) OSCORE Master Secret = EDHOC_Exporter( 0, h'', oscore_key_length )
= EDHOC_KDF( PRK_exporter, 0, h'', oscore_key_length ) = EDHOC_KDF( PRK_exporter, 0, h'', oscore_key_length )
= HKDF-Expand( PRK_exporter, info, oscore_key_length ) = HKDF-Expand( PRK_exporter, info, oscore_key_length )
where oscore_key_length is by default the key length in bytes for the where oscore_key_length is by default the key length in bytes for the
Application AEAD algorithm, and info for the OSCORE Master Secret is: application AEAD algorithm, and info for the OSCORE Master Secret is:
info = info =
( (
0, 0,
h'', h'',
16 16
) )
where the last value is the key length in bytes for the Application where the last value is the key length in bytes for the application
AEAD algorithm. AEAD algorithm.
info for OSCORE Master Secret (CBOR Sequence) (3 bytes) info for OSCORE Master Secret (CBOR Sequence) (3 bytes)
00 40 10 00 40 10
OSCORE Master Secret (Raw Value) (16 bytes) OSCORE Master Secret (Raw Value) (16 bytes)
f9 86 8f 6a 3a ca 78 a0 5d 14 85 b3 50 30 b1 62 f9 86 8f 6a 3a ca 78 a0 5d 14 85 b3 50 30 b1 62
The OSCORE Master Salt is computed through EDHOC_Expand() using the The OSCORE Master Salt is computed through EDHOC_Expand() using the
Application hash algorithm, see Section 4.2 of [I-D.ietf-lake-edhoc]: application hash algorithm (see Section 4.2 of [RFC9528]):
OSCORE Master Salt = EDHOC_Exporter( 1, h'', oscore_salt_length ) OSCORE Master Salt = EDHOC_Exporter( 1, h'', oscore_salt_length )
= EDHOC_KDF( PRK_exporter, 1, h'', oscore_salt_length ) = EDHOC_KDF( PRK_exporter, 1, h'', oscore_salt_length )
= HKDF-Expand( PRK_4x3m, info, oscore_salt_length ) = HKDF-Expand( PRK_4x3m, info, oscore_salt_length )
where oscore_salt_length is the length in bytes of the OSCORE Master where oscore_salt_length is the length in bytes of the OSCORE Master
Salt, and info for the OSCORE Master Salt is: Salt, and info for the OSCORE Master Salt is:
info = info =
( (
1, 1,
h'', h'',
8 8
) )
where the last value is the length in bytes of the OSCORE Master where the last value is the length in bytes of the OSCORE Master
Salt. Salt.
info for OSCORE Master Salt (CBOR Sequence) (3 bytes) info for OSCORE Master Salt (CBOR Sequence) (3 bytes)
01 40 08 01 40 08
OSCORE Master Salt (Raw Value) (8 bytes) OSCORE Master Salt (Raw Value) (8 bytes)
ad a2 4c 7d bf c8 5e eb ad a2 4c 7d bf c8 5e eb
3.9. Key Update 3.9. Key Update
Key update is defined in Appendix H of [I-D.ietf-lake-edhoc]. The key update is defined in Appendix H of [RFC9528].
EDHOC_KeyUpdate( context ): EDHOC_KeyUpdate( context ):
PRK_out = EDHOC_KDF( PRK_out, 11, context, hash_length ) PRK_out = EDHOC_KDF( PRK_out, 11, context, hash_length )
= HKDF-Expand( PRK_out, info, hash_length ) = HKDF-Expand( PRK_out, info, hash_length )
where hash_length is the length in bytes of the output of the EDHOC where hash_length is the length in bytes of the output of the EDHOC
hash function, context for KeyUpdate is hash function, and the context for KeyUpdate is:
context for KeyUpdate (Raw Value) (16 bytes) context for KeyUpdate (Raw Value) (16 bytes)
a0 11 58 fd b8 20 89 0c d6 be 16 96 02 b8 bc ea a0 11 58 fd b8 20 89 0c d6 be 16 96 02 b8 bc ea
context for KeyUpdate (CBOR Data Item) (17 bytes) context for KeyUpdate (CBOR Data Item) (17 bytes)
50 a0 11 58 fd b8 20 89 0c d6 be 16 96 02 b8 bc ea 50 a0 11 58 fd b8 20 89 0c d6 be 16 96 02 b8 bc ea
and where info for key update is: and where info for the key update is:
info = info =
( (
11, 11,
h'a01158fdb820890cd6be169602b8bcea', h'a01158fdb820890cd6be169602b8bcea',
32 32
) )
info for KeyUpdate (CBOR Sequence) (20 bytes)
0b 50 a0 11 58 fd b8 20 89 0c d6 be 16 96 02 b8 bc ea 18 20
PRK_out after KeyUpdate (Raw Value) (32 bytes) PRK_out after KeyUpdate (Raw Value) (32 bytes)
f9 79 53 77 43 fe 0b d6 b9 b1 41 dd bd 79 65 6c 52 e6 dc 7c 50 ad 80 f9 79 53 77 43 fe 0b d6 b9 b1 41 dd bd 79 65 6c 52 e6 dc 7c 50 ad 80
77 54 d7 4d 07 e8 7d 0d 16 77 54 d7 4d 07 e8 7d 0d 16
After key update the PRK_exporter needs to be derived anew: After the key update, the PRK_exporter needs to be derived anew:
PRK_exporter = EDHOC_KDF( PRK_out, 10, h'', hash_length ) = PRK_exporter = EDHOC_KDF( PRK_out, 10, h'', hash_length )
= HKDF-Expand( PRK_out, info, hash_length ) = HKDF-Expand( PRK_out, info, hash_length )
where info and hash_length are unchanged as in Section 3.7. where info and hash_length are unchanged as in Section 3.7.
PRK_exporter after KeyUpdate (Raw Value) (32 bytes) PRK_exporter after KeyUpdate (Raw Value) (32 bytes)
00 fc f7 db 9b 2e ad 73 82 4e 7e 83 03 63 c8 05 c2 96 f9 02 83 0f ac 00 fc f7 db 9b 2e ad 73 82 4e 7e 83 03 63 c8 05 c2 96 f9 02 83 0f ac
23 d8 6c 35 9c 75 2f 0f 17 23 d8 6c 35 9c 75 2f 0f 17
The OSCORE Master Secret is derived with the updated PRK_exporter: The OSCORE Master Secret is derived with the updated PRK_exporter:
OSCORE Master Secret = OSCORE Master Secret
= HKDF-Expand(PRK_exporter, info, oscore_key_length) = HKDF-Expand( PRK_exporter, info, oscore_key_length )
where info and key_length are unchanged as in Section 2.6. where info and oscore_key_length are unchanged as in Section 2.6.
OSCORE Master Secret after KeyUpdate (Raw Value) (16 bytes) OSCORE Master Secret after KeyUpdate (Raw Value) (16 bytes)
49 f7 2f ac 02 b4 65 8b da 21 e2 da c6 6f c3 74 49 f7 2f ac 02 b4 65 8b da 21 e2 da c6 6f c3 74
The OSCORE Master Salt is derived with the updated PRK_exporter: The OSCORE Master Salt is derived with the updated PRK_exporter:
OSCORE Master Salt = HKDF-Expand(PRK_exporter, info, salt_length) OSCORE Master Salt = HKDF-Expand( PRK_exporter, info, oscore_salt_length )
where info and salt_length are unchanged as in Section 2.6. where info and oscore_salt_length are unchanged as in Section 3.8.
OSCORE Master Salt after KeyUpdate (Raw Value) (8 bytes) OSCORE Master Salt after KeyUpdate (Raw Value) (8 bytes)
dd 8b 24 f2 aa 9b 01 1a dd 8b 24 f2 aa 9b 01 1a
4. Invalid Traces 4. Invalid Traces
This section contains examples of invalid messages, which a compliant This section contains examples of invalid messages, which a compliant
implementation will not compose and must or may reject according to implementation will not compose and must or may reject according to
[I-D.ietf-lake-edhoc], [RFC8949], [RFC9053], and [SP-800-56A]. This [RFC9528], [RFC8949], [RFC9053], and [SP-800-56A]. This is just a
is just a small set of examples of different reasons a message might small set of examples of different reasons for which a message might
be invalid. The same types of invalidities applies to other fields be invalid. The same types of invalidities apply to other fields and
and messages as well. Implementations should make sure to check for messages as well. Implementations should make sure to check for
similar types of invalidities in all EHDOC fields and messages. similar types of invalidities in all EDHOC fields and messages.
4.1. Encoding Errors 4.1. Encoding Errors
4.1.1. Surplus array encoding of message 4.1.1. Surplus Array Encoding of a Message
Invalid encoding of message_1 as array. Correct encoding is a CBOR message_1 is incorrectly encoded as a CBOR array. The correct
sequence according to Section 5.2.1 of [I-D.ietf-lake-edhoc]. encoding is a CBOR sequence according to Section 5.2.1 of [RFC9528].
Invalid message_1 (38 bytes) Invalid message_1 (38 bytes)
84 03 02 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea 5b 84 03 02 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea 5b
3d 8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 0e 3d 8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 0e
4.1.2. Surplus bstr encoding of connection identifier 4.1.2. Surplus bstr Encoding of the Connection Identifier
Invalid encoding 41 0e of C_I = 0x0e. Correct encoding is 0e The connection identifier C_I = 0x0e is incorrectly encoded as the
according to Section 3.3.2 of [I-D.ietf-lake-edhoc]. CBOR byte string 41 0e. The correct encoding is the integer 0e
according to Section 3.3.2 of [RFC9528].
Invalid message_1 (38 bytes) Invalid message_1 (38 bytes)
03 02 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea 5b 3d 03 02 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea 5b 3d
8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 41 0e 8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 41 0e
4.1.3. Surplus array encoding of ciphersuite 4.1.3. Surplus Array Encoding of the Ciphersuite
Invalid array encoding 81 02 of SUITES_I = 2. Correct encoding is 02 The element SUITES_I = 2 is incorrectly encoded as the CBOR array 81
according to Section 5.2.2 of [I-D.ietf-lake-edhoc]. 02. The correct encoding is the integer 02 according to
Section 5.2.2 of [RFC9528].
Invalid message_1 (38 bytes) Invalid message_1 (38 bytes)
03 81 02 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea 5b 03 81 02 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea 5b
3d 8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 0e 3d 8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 0e
4.1.4. Text string encoding of ephemeral key 4.1.4. Text String Encoding of the Ephemeral Key
Invalid type of the third element (G_X). Correct encoding is a byte The third element of message_1 (G_X) is incorrectly encoded as a text
string according to Section 5.2.1 of [I-D.ietf-lake-edhoc]. string. The correct encoding is a byte string according to
Section 5.2.1 of [RFC9528].
Invalid message_1 (37 bytes) Invalid message_1 (37 bytes)
03 02 78 20 20 61 69 72 20 73 70 65 65 64 20 6F 66 20 61 20 75 6E 6C 03 02 78 20 20 61 69 72 20 73 70 65 65 64 20 6F 66 20 61 20 75 6E 6C
61 64 65 6E 20 73 77 61 6C 6C 6F 77 20 0e 61 64 65 6E 20 73 77 61 6C 6C 6F 77 20 0e
4.1.5. Wrong number of CBOR sequence elements 4.1.5. Wrong Number of CBOR Sequence Elements
Invalid number of elements in the CBOR sequence. Correct number of The CBOR sequence in message_2 has an incorrect number of elements.
elements is 1 according to Section 5.3.1 of [I-D.ietf-lake-edhoc]. The correct number of elements in the CBOR sequence is 1 according to
Section 5.3.1 of [RFC9528].
Invalid message_2 (46 bytes) Invalid message_2 (46 bytes)
58 20 41 97 01 d7 f0 0a 26 c2 dc 58 7a 36 dd 75 25 49 f3 37 63 c8 93 58 20 41 97 01 d7 f0 0a 26 c2 dc 58 7a 36 dd 75 25 49 f3 37 63 c8 93
42 2c 8e a0 f9 55 a1 3a 4f f5 d5 4B 98 62 a1 1d e4 2a 95 d7 85 38 6a 42 2c 8e a0 f9 55 a1 3a 4f f5 d5 4B 98 62 a1 1d e4 2a 95 d7 85 38 6a
4.1.6. Surplus map encoding of ID_CRED field 4.1.6. Surplus Map Encoding of the ID_CRED Field
Invalid encoding a1 04 42 32 10 of ID_CRED_R in PLAINTEXT_2. Correct The element ID_CRED_R in PLAINTEXT_2 is incorrectly encoded as the
encoding is 42 32 10 according to Section 3.5.3.2 of map a1 04 42 32 10. The correct encoding is 42 32 10 according to
[I-D.ietf-lake-edhoc]. Section 3.5.3.2 of [RFC9528].
Invalid PLAINTEXT_2 (15 bytes) Invalid PLAINTEXT_2 (15 bytes)
27 a1 04 42 32 10 48 fa 5e fa 2e bf 92 0b f3 27 a1 04 42 32 10 48 fa 5e fa 2e bf 92 0b f3
4.1.7. Surplus bstr encoding of ID_CRED field 4.1.7. Surplus bstr Encoding of the ID_CRED Field
Invalid encoding 41 32 of ID_CRED_R in PLAINTEXT_2. Correct encoding The element ID_CRED_R in PLAINTEXT_2 is incorrectly encoded as the
is 32 according to Section 3.5.3.2 of [I-D.ietf-lake-edhoc]. byte string 41 32. The correct encoding is 32 according to
Section 3.5.3.2 of [RFC9528].
Invalid PLAINTEXT_2 (12 bytes) Invalid PLAINTEXT_2 (12 bytes)
27 41 32 48 fa 5e fa 2e bf 92 0b f3 27 41 32 48 fa 5e fa 2e bf 92 0b f3
4.2. Crypto-related Errors 4.2. Cryptography-Related Errors
4.2.1. Error in length of ephemeral key 4.2.1. Error in the Length of the Ephemeral Key
Invalid length of the third element (G_X). Selected cipher suite is The third element (G_X) has an invalid length. The selected cipher
cipher suite 24 with curve P-384 according to Sections 5.2.2, and suite is cipher suite 24 with curve P-384 according to Sections 5.2.2
10.2 of [I-D.ietf-lake-edhoc]. Correct length of x-coordinate is 48 and 10.2 of [RFC9528]. The correct length of the x-coordinate is 48
bytes according to Section 3.7 of [I-D.ietf-lake-edhoc] and bytes according to Section 3.7 of [RFC9528] and Section 7.1.1 of
Section 7.1.1 of [RFC9053]. [RFC9053].
Invalid message_1 (40 bytes) Invalid message_1 (40 bytes)
03 82 02 18 18 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b 03 82 02 18 18 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b
ea 5b 3d 8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 0e ea 5b 3d 8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 0e
4.2.2. Error in elliptic curve representation 4.2.2. Error in Elliptic Curve Representation
Invalid x-coordinate in G_X as x ≥ p. Requirement that x < p The x-coordinate in G_X is invalid as x ≥ p. It is required that x <
according to Section 9.2 of [I-D.ietf-lake-edhoc] and Section 5.6.2.3 p according to Section 5.6.2.3 of [SP-800-56A], which is referenced
of [SP-800-56A]. in Section 9.2 of [RFC9528].
Invalid message_1 (37 bytes) Invalid message_1 (37 bytes)
03 02 58 20 ff ff ff ff 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 03 02 58 20 ff ff ff ff 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
00 ff ff ff ff ff ff ff ff ff ff ff ff 0e 00 ff ff ff ff ff ff ff ff ff ff ff ff 0e
4.2.3. Error in elliptic curve point 4.2.3. Error in the Elliptic Curve Point
Invalid x-coordinate in (G_X) not corresponding to a point on the The x-coordinate in G_X is invalid as it does not correspond to a
P-256 curve. Requirement that y^2 ≡ x^3 + a ⋅ x + b (mod p) point on the P-256 curve. It is required that y^2 ≡ x^3 + a ⋅ x + b
according to Section 9.2 of [I-D.ietf-lake-edhoc] and Section 5.6.2.3 (mod p) according to Section 5.6.2.3 of [SP-800-56A], which is
of [SP-800-56A]. referenced in Section 9.2 of [RFC9528].
Invalid message_1 (37 bytes) Invalid message_1 (37 bytes)
03 02 58 20 a0 4e 73 60 1d f5 44 a7 0b a7 ea 1e 57 03 0f 7d 4b 4e b7 03 02 58 20 a0 4e 73 60 1d f5 44 a7 0b a7 ea 1e 57 03 0f 7d 4b 4e b7
f6 73 92 4e 58 d5 4c a7 7a 5e 7d 4d 4a 0e f6 73 92 4e 58 d5 4c a7 7a 5e 7d 4d 4a 0e
4.2.4. Curve point of low order 4.2.4. Curve Point of the Low Order
Curve25519 point of low order which fails the check for all-zero The Curve25519 point is invalid as it is of low order and fails the
output according to Section 9.2 of [I-D.ietf-lake-edhoc]. check for all-zero output according to Section 9.2 of [RFC9528].
Invalid message_1 (37 bytes) Invalid message_1 (37 bytes)
03 00 58 20 ed ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 03 00 58 20 ed ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff ff 7f 0e ff ff ff ff ff ff ff ff ff ff ff ff 7f 0e
4.2.5. Error in length of MAC 4.2.5. Error in the Length of the MAC
Invalid length of third element (Signature_or_MAC_2). The length of The third element (Signature_or_MAC_2) has an invalid length. The
Signature_or_MAC_2 is given by the cipher suite and the MAC length is length of Signature_or_MAC_2 is given by the cipher suite, and the
at least 8 bytes according to Section 9.3 of [I-D.ietf-lake-edhoc]. MAC length is at least 8 bytes according to Section 9.3 of [RFC9528].
Invalid PLAINTEXT_2 (7 bytes) Invalid PLAINTEXT_2 (7 bytes)
27 32 44 fa 5e fa 2e 27 32 44 fa 5e fa 2e
4.2.6. Error in elliptic curve encoding 4.2.6. Error in the Elliptic Curve Encoding
Invalid encoding of third element (G_X). Correct encoding is with The third element (G_X) is incorrectly encoded. The correct encoding
leading zeros according to Section 3.7 of [I-D.ietf-lake-edhoc] and is with leading-zero octets according to Section 7.1.1 of [RFC9053],
Section 7.1.1 of [RFC9053]. which is referenced in Section 3.7 of [RFC9528].
Invalid message_1 (36 bytes) Invalid message_1 (36 bytes)
03 02 58 1f d9 69 77 25 d2 3a 68 8b 12 d1 c7 e0 10 8a 08 c9 f7 1a 85 03 02 58 1f d9 69 77 25 d2 3a 68 8b 12 d1 c7 e0 10 8a 08 c9 f7 1a 85
a0 9c 20 81 49 76 ab 21 12 22 48 fc 0e a0 9c 20 81 49 76 ab 21 12 22 48 fc 0e
4.3. Non-deterministic CBOR 4.3. Non-deterministic CBOR
4.3.1. Unnecessary long encoding 4.3.1. Unnecessary Long Encoding
Invalid 16-bit encoding 19 00 03 of METHOD = 3. Correct is the The element METHOD = 3 is incorrectly encoded as a 16-bit integer.
deterministic encoding 03 according to Section 3.1 of The deterministic encoding 03 is correct according to Section 3.1 of
[I-D.ietf-lake-edhoc] and Section 4.2.1 of [RFC8949], which states [RFC9528] and Section 4.2.1 of [RFC8949], which states that the
that the arguments for integers, lengths in major types 2 through 5, arguments for integers, lengths in major types 2 through 5, and tags
and tags are required to be as short as possible. are required to be as short as possible.
Invalid message_1 (39 bytes) Invalid message_1 (39 bytes)
19 00 03 02 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea 19 00 03 02 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea
5b 3d 8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 0e 5b 3d 8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 0e
4.3.2. Indefinite-length array encoding 4.3.2. Indefinite-Length Array Encoding
Invalid indefinite-length array encoding 9F 06 02 FF of SUITES_I = The element SUITES_I = [6, 2] is incorrectly encoded as an
[6, 2]. Correct encoding is 82 06 02 according to Section 5.2.2 of indefinite-length array. The correct encoding is the definite-length
[I-D.ietf-lake-edhoc]. array 82 06 02 according to Section 4.2.1 of [RFC8949], which is
referenced in Section 3.1 of [RFC9528].
Invalid message_1 (40 bytes) Invalid message_1 (40 bytes)
03 9F 06 02 FF 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b 03 9F 06 02 FF 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b
ea 5b 3d 8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 0e ea 5b 3d 8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 0e
5. Security Considerations 5. Security Considerations
This document contains examples of EDHOC [I-D.ietf-lake-edhoc] whose This document contains examples of EDHOC [RFC9528]. The security
security considerations apply. The keys printed in these examples considerations described in [RFC9528] apply. The keys printed in
cannot be considered secret and MUST NOT be used. these examples cannot be considered secret and MUST NOT be used.
6. IANA Considerations 6. IANA Considerations
There are no IANA considerations. This document has no IANA actions.
7. References 7. References
7.1. Normative References 7.1. Normative References
[I-D.ietf-lake-edhoc]
Selander, G., Mattsson, J. P., and F. Palombini,
"Ephemeral Diffie-Hellman Over COSE (EDHOC)", Work in
Progress, Internet-Draft, draft-ietf-lake-edhoc-23, 22
January 2024, <https://datatracker.ietf.org/doc/html/
draft-ietf-lake-edhoc-23>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/rfc/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
7.2. Informative References [RFC9528] Selander, G., Preuß Mattsson, J., and F. Palombini,
"Ephemeral Diffie-Hellman Over COSE (EDHOC)", RFC 9528,
DOI 10.17487/RFC9528, March 2024,
<https://www.rfc-editor.org/rfc/rfc9528>.
[CborMe] Bormann, C., "CBOR playground", August 2023, 7.2. Informative References
<https://cbor.me/>.
[RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained [CborMe] Bormann, C., "CBOR playground", <https://cbor.me/>.
Application Protocol (CoAP)", RFC 7252,
DOI 10.17487/RFC7252, June 2014,
<https://www.rfc-editor.org/rfc/rfc7252>.
[RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves [RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
for Security", RFC 7748, DOI 10.17487/RFC7748, January for Security", RFC 7748, DOI 10.17487/RFC7748, January
2016, <https://www.rfc-editor.org/rfc/rfc7748>. 2016, <https://www.rfc-editor.org/info/rfc7748>.
[RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital [RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital
Signature Algorithm (EdDSA)", RFC 8032, Signature Algorithm (EdDSA)", RFC 8032,
DOI 10.17487/RFC8032, January 2017, DOI 10.17487/RFC8032, January 2017,
<https://www.rfc-editor.org/rfc/rfc8032>. <https://www.rfc-editor.org/info/rfc8032>.
[RFC8392] Jones, M., Wahlstroem, E., Erdtman, S., and H. Tschofenig, [RFC8392] Jones, M., Wahlstroem, E., Erdtman, S., and H. Tschofenig,
"CBOR Web Token (CWT)", RFC 8392, DOI 10.17487/RFC8392, "CBOR Web Token (CWT)", RFC 8392, DOI 10.17487/RFC8392,
May 2018, <https://www.rfc-editor.org/rfc/rfc8392>. May 2018, <https://www.rfc-editor.org/info/rfc8392>.
[RFC8949] Bormann, C. and P. Hoffman, "Concise Binary Object [RFC8949] Bormann, C. and P. Hoffman, "Concise Binary Object
Representation (CBOR)", STD 94, RFC 8949, Representation (CBOR)", STD 94, RFC 8949,
DOI 10.17487/RFC8949, December 2020, DOI 10.17487/RFC8949, December 2020,
<https://www.rfc-editor.org/rfc/rfc8949>. <https://www.rfc-editor.org/info/rfc8949>.
[RFC9053] Schaad, J., "CBOR Object Signing and Encryption (COSE): [RFC9053] Schaad, J., "CBOR Object Signing and Encryption (COSE):
Initial Algorithms", RFC 9053, DOI 10.17487/RFC9053, Initial Algorithms", RFC 9053, DOI 10.17487/RFC9053,
August 2022, <https://www.rfc-editor.org/rfc/rfc9053>. August 2022, <https://www.rfc-editor.org/info/rfc9053>.
[SP-800-186] [SP-800-186]
Chen, L., Moody, D., Randall, K., Regenscheid, A., and A. Chen, L., Moody, D., Randall, K., Regenscheid, A., and A.
Robinson, "Recommendations for Discrete Logarithm-based Robinson, "Recommendations for Discrete Logarithm-based
Cryptography: Elliptic Curve Domain Parameters", Cryptography: Elliptic Curve Domain Parameters",
NIST Special Publication 800-186, February 2023, NIST Special Publication 800-186,
DOI 10.6028/NIST.SP.800-186, February 2023,
<https://doi.org/10.6028/NIST.SP.800-186>. <https://doi.org/10.6028/NIST.SP.800-186>.
[SP-800-56A] [SP-800-56A]
Barker, E., Chen, L., Roginsky, A., Vassilev, A., and R. Barker, E., Chen, L., Roginsky, A., Vassilev, A., and R.
Davis, "Recommendation for Pair-Wise Key-Establishment Davis, "Recommendation for Pair-Wise Key-Establishment
Schemes Using Discrete Logarithm Cryptography", Schemes Using Discrete Logarithm Cryptography",
NIST Special Publication 800-56A Revision 3, April 2018, NIST Special Publication 800-56A Revision 3,
DOI 10.6028/NIST.SP.800-56Ar3, April 2018,
<https://doi.org/10.6028/NIST.SP.800-56Ar3>. <https://doi.org/10.6028/NIST.SP.800-56Ar3>.
Acknowledgments Acknowledgments
The authors want to thank all people verifying EDHOC test vectors The authors want to thank all people verifying EDHOC test vectors
and/or contributing to the interoperability testing including: and/or contributing to the interoperability testing, including:
Christian Amsüss, Timothy Claeys, Stefan Hristozov, Rikard Höglund, Christian Amsüss, Timothy Claeys, Rikard Höglund, Stefan Hristozov,
Christos Koulamas, Francesca Palombini, Lidia Pocero, Peter van der Christos Koulamas, Francesca Palombini, Lidia Pocero, Peter van der
Stok, and Michel Veillette. Stok, and Michel Veillette.
Authors' Addresses Authors' Addresses
Göran Selander Göran Selander
Ericsson Ericsson
Sweden Sweden
Email: goran.selander@ericsson.com Email: goran.selander@ericsson.com
skipping to change at page 61, line 38 skipping to change at line 2821
Ericsson Ericsson
Sweden Sweden
Email: john.mattsson@ericsson.com Email: john.mattsson@ericsson.com
Marek Serafin Marek Serafin
ASSA ABLOY ASSA ABLOY
Poland Poland
Email: marek.serafin@assaabloy.com Email: marek.serafin@assaabloy.com
Marco Tiloca Marco Tiloca
RISE RISE AB
Isafjordsgatan 22
SE-164 40 Kista
Sweden Sweden
Email: marco.tiloca@ri.se Email: marco.tiloca@ri.se
Mališa Vučinić Mališa Vučinić
Inria Inria
France France
Email: malisa.vucinic@inria.fr Email: malisa.vucinic@inria.fr
 End of changes. 280 change blocks. 
615 lines changed or deleted 651 lines changed or added

This html diff was produced by rfcdiff 1.48.