| draft-ietf-ace-dtls-authorize-06.txt | draft-ietf-ace-dtls-authorize-07.txt | |||
|---|---|---|---|---|
| ACE Working Group S. Gerdes | ACE Working Group S. Gerdes | |||
| Internet-Draft O. Bergmann | Internet-Draft O. Bergmann | |||
| Intended status: Standards Track C. Bormann | Intended status: Standards Track C. Bormann | |||
| Expires: September 1, 2019 Universitaet Bremen TZI | Expires: September 12, 2019 Universitaet Bremen TZI | |||
| G. Selander | G. Selander | |||
| Ericsson AB | Ericsson AB | |||
| L. Seitz | L. Seitz | |||
| RISE SICS | RISE SICS | |||
| February 28, 2019 | March 11, 2019 | |||
| Datagram Transport Layer Security (DTLS) Profile for Authentication and | Datagram Transport Layer Security (DTLS) Profile for Authentication and | |||
| Authorization for Constrained Environments (ACE) | Authorization for Constrained Environments (ACE) | |||
| draft-ietf-ace-dtls-authorize-06 | draft-ietf-ace-dtls-authorize-07 | |||
| Abstract | Abstract | |||
| This specification defines a profile of the ACE framework that allows | This specification defines a profile of the ACE framework that allows | |||
| constrained servers to delegate client authentication and | constrained servers to delegate client authentication and | |||
| authorization. The protocol relies on DTLS for communication | authorization. The protocol relies on DTLS for communication | |||
| security between entities in a constrained network using either raw | security between entities in a constrained network using either raw | |||
| public keys or pre-shared keys. A resource-constrained server can | public keys or pre-shared keys. A resource-constrained server can | |||
| use this protocol to delegate management of authorization information | use this protocol to delegate management of authorization information | |||
| to a trusted host with less severe limitations regarding processing | to a trusted host with less severe limitations regarding processing | |||
| skipping to change at page 1, line 43 ¶ | skipping to change at page 1, line 43 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on September 1, 2019. | This Internet-Draft will expire on September 12, 2019. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 25 ¶ | skipping to change at page 2, line 25 ¶ | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Protocol Flow . . . . . . . . . . . . . . . . . . . . . . . . 5 | 3. Protocol Flow . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.1. Communication between C and AS . . . . . . . . . . . . . 5 | 3.1. Communication between C and AS . . . . . . . . . . . . . 5 | |||
| 3.2. RawPublicKey Mode . . . . . . . . . . . . . . . . . . . . 6 | 3.2. RawPublicKey Mode . . . . . . . . . . . . . . . . . . . . 6 | |||
| 3.2.1. DTLS Channel Setup Between C and RS . . . . . . . . . 7 | 3.2.1. DTLS Channel Setup Between C and RS . . . . . . . . . 7 | |||
| 3.3. PreSharedKey Mode . . . . . . . . . . . . . . . . . . . . 8 | 3.3. PreSharedKey Mode . . . . . . . . . . . . . . . . . . . . 8 | |||
| 3.3.1. DTLS Channel Setup Between C and RS . . . . . . . . . 11 | 3.3.1. DTLS Channel Setup Between C and RS . . . . . . . . . 12 | |||
| 3.4. Resource Access . . . . . . . . . . . . . . . . . . . . . 12 | 3.4. Resource Access . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 4. Dynamic Update of Authorization Information . . . . . . . . . 13 | 4. Dynamic Update of Authorization Information . . . . . . . . . 14 | |||
| 5. Token Expiration . . . . . . . . . . . . . . . . . . . . . . 14 | 5. Token Expiration . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 15 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 16 | |||
| 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 15 | 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 17 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 16 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 16 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 18 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 17 | 9.2. Informative References . . . . . . . . . . . . . . . . . 19 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 1. Introduction | 1. Introduction | |||
| This specification defines a profile of the ACE framework | This specification defines a profile of the ACE framework | |||
| [I-D.ietf-ace-oauth-authz]. In this profile, a client and a resource | [I-D.ietf-ace-oauth-authz]. In this profile, a client and a resource | |||
| server use CoAP [RFC7252] over DTLS [RFC6347] to communicate. The | server use CoAP [RFC7252] over DTLS [RFC6347] to communicate. The | |||
| client obtains an access token, bound to a key (the proof-of- | client obtains an access token, bound to a key (the proof-of- | |||
| possession key), from an authorization server to prove its | possession key), from an authorization server to prove its | |||
| authorization to access protected resources hosted by the resource | authorization to access protected resources hosted by the resource | |||
| server. Also, the client and the resource server are provided by the | server. Also, the client and the resource server are provided by the | |||
| skipping to change at page 3, line 32 ¶ | skipping to change at page 3, line 32 ¶ | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
| 14 [RFC2119] [RFC8174] when, and only when, they appear in all | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| Readers are expected to be familiar with the terms and concepts | Readers are expected to be familiar with the terms and concepts | |||
| described in [I-D.ietf-ace-oauth-authz] and in | described in [I-D.ietf-ace-oauth-authz] and in | |||
| [I-D.ietf-ace-oauth-params]. | [I-D.ietf-ace-oauth-params]. | |||
| The authz-info resource refers to the authz-info endpoint as | The authorization information (authz-info) resource refers to the | |||
| specified in [I-D.ietf-ace-oauth-authz]. | authorization information endpoint as specified in | |||
| [I-D.ietf-ace-oauth-authz]. | ||||
| 2. Protocol Overview | 2. Protocol Overview | |||
| The CoAP-DTLS profile for ACE specifies the transfer of | The CoAP-DTLS profile for ACE specifies the transfer of | |||
| authentication information and, if necessary, authorization | authentication information and, if necessary, authorization | |||
| information between the client (C) and the resource server (RS) | information between the client (C) and the resource server (RS) | |||
| during setup of a DTLS session for CoAP messaging. It also specifies | during setup of a DTLS session for CoAP messaging. It also specifies | |||
| how C can use CoAP over DTLS to retrieve an access token from the | how C can use CoAP over DTLS to retrieve an access token from the | |||
| authorization server (AS) for a protected resource hosted on the | authorization server (AS) for a protected resource hosted on the | |||
| resource server. | resource server. | |||
| This profile requires the client to retrieve an access token for | This profile requires the client to retrieve an access token for | |||
| protected resource(s) it wants to access on RS as specified in | protected resource(s) it wants to access on RS as specified in | |||
| [I-D.ietf-ace-oauth-authz]. Figure 1 shows the typical message flow | [I-D.ietf-ace-oauth-authz]. Figure 1 shows the typical message flow | |||
| in this scenario (messages in square brackets are optional): | in this scenario (messages in square brackets are optional): | |||
| C RS AS | C RS AS | |||
| | [-- Resource Request --->] | | | | [---- Resource Request ------>]| | | |||
| | | | | | | | | |||
| | [<----- AS Information --] | | | | [<-AS Request Creation Hints-] | | | |||
| | | | | | | | | |||
| | --- Token Request ----------------------------> | | | ------- Token Request ----------------------------> | | |||
| | | | | | | | | |||
| | <---------------------------- Access Token ----- | | | <---------------------------- Access Token --------- | | |||
| | + Access Information | | | + Access Information | | |||
| Figure 1: Retrieving an Access Token | Figure 1: Retrieving an Access Token | |||
| To determine the AS in charge of a resource hosted at the RS, C MAY | To determine the AS in charge of a resource hosted at the RS, C MAY | |||
| send an initial Unauthorized Resource Request message to the RS. The | send an initial Unauthorized Resource Request message to the RS. The | |||
| RS then denies the request and sends an AS information message | RS then denies the request and sends an AS Request Creation Hints | |||
| containing the address of its AS back to the client as specified in | message containing the address of its AS back to the client as | |||
| Section 5.1.2 of [I-D.ietf-ace-oauth-authz]. | specified in Section 5.1.2 of [I-D.ietf-ace-oauth-authz]. | |||
| Once the client knows the authorization server's address, it can send | Once the client knows the authorization server's address, it can send | |||
| an access token request to the token endpoint at the AS as specified | an access token request to the token endpoint at the AS as specified | |||
| in [I-D.ietf-ace-oauth-authz]. As the access token request as well | in [I-D.ietf-ace-oauth-authz]. As the access token request as well | |||
| as the response may contain confidential data, the communication | as the response may contain confidential data, the communication | |||
| between the client and the authorization server MUST be | between the client and the authorization server MUST be | |||
| confidentiality-protected and ensure authenticity. C may have been | confidentiality-protected and ensure authenticity. C may have been | |||
| registered at the AS via the OAuth 2.0 client registration mechanism | registered at the AS via the OAuth 2.0 client registration mechanism | |||
| as outlined in Section 5.3 of [I-D.ietf-ace-oauth-authz]. | as outlined in Section 5.3 of [I-D.ietf-ace-oauth-authz]. | |||
| The access token returned by the authorization server can then be | The access token returned by the authorization server can then be | |||
| used by the client to establish a new DTLS session with the resource | used by the client to establish a new DTLS session with the resource | |||
| server. When the client intends to use asymmetric cryptography in | server. When the client intends to use an asymmetric proof-of- | |||
| the DTLS handshake with the resource server, the client MUST upload | possession key in the DTLS handshake with the resource server, the | |||
| the access token to the authz-info resource, i.e. the authz-info | client MUST upload the access token to the authz-info resource, i.e. | |||
| endpoint, on the resource server before starting the DTLS handshake, | the authz-info endpoint, on the resource server before starting the | |||
| as described in Section 5.8.1 of [I-D.ietf-ace-oauth-authz]. If only | DTLS handshake, as described in Section 5.8.1 of | |||
| symmetric cryptography is used between the client and the resource | [I-D.ietf-ace-oauth-authz]. In case the client uses a symmetric | |||
| server, the access token MAY instead be transferred in the DTLS | proof-of-possession key in the DTLS handshake, the procedure as above | |||
| ClientKeyExchange message (see Section 3.3.1). | MAY be used, or alternatively, the access token MAY instead be | |||
| transferred in the DTLS ClientKeyExchange message (see | ||||
| Section 3.3.1). | ||||
| Figure 2 depicts the common protocol flow for the DTLS profile after | Figure 2 depicts the common protocol flow for the DTLS profile after | |||
| the client C has retrieved the access token from the authorization | the client C has retrieved the access token from the authorization | |||
| server AS. | server AS. | |||
| C RS AS | C RS AS | |||
| | [--- Access Token ------>] | | | | [--- Access Token ------>] | | | |||
| | | | | | | | | |||
| | <== DTLS channel setup ==> | | | | <== DTLS channel setup ==> | | | |||
| | | | | | | | | |||
| skipping to change at page 5, line 36 ¶ | skipping to change at page 5, line 36 ¶ | |||
| secured. Depending on the used CoAP security mode (see also | secured. Depending on the used CoAP security mode (see also | |||
| Section 9 of [RFC7252], the Client-to-AS request, AS-to-Client | Section 9 of [RFC7252], the Client-to-AS request, AS-to-Client | |||
| response and DTLS session establishment carry slightly different | response and DTLS session establishment carry slightly different | |||
| information. Section 3.2 addresses the use of raw public keys while | information. Section 3.2 addresses the use of raw public keys while | |||
| Section 3.3 defines how pre-shared keys are used in this profile. | Section 3.3 defines how pre-shared keys are used in this profile. | |||
| 3.1. Communication between C and AS | 3.1. Communication between C and AS | |||
| To retrieve an access token for the resource that the client wants to | To retrieve an access token for the resource that the client wants to | |||
| access, the client requests an access token from the authorization | access, the client requests an access token from the authorization | |||
| server. Before C can request the access token, C and AS must | server. Before C can request the access token, C and AS MUST | |||
| establish a secure communication channel. C must securely have | establish a secure communication channel. C MUST securely have | |||
| obtained keying material to communicate with AS, and C must securely | obtained keying material to communicate with AS. Furthermore, C MUST | |||
| have received authorization information intended for C that states | verify that AS is authorized to provide access tokens (including | |||
| that AS is authorized to provide keying material concerning RS to C. | authorization information) about RS to C. Also, AS MUST securely | |||
| Also, AS must securely have obtained keying material for C, and | have obtained keying material for C, and obtained authorization rules | |||
| obtained authorization rules approved by the resource owner (RO) | approved by the resource owner (RO) concerning C and RS that relate | |||
| concerning C and RS that relate to this keying material. C and AS | to this keying material. C and AS MUST use their respective keying | |||
| must use their respective keying material for all exchanged messages. | material for all exchanged messages. How the security association | |||
| How the security association between C and AS is established is not | between C and AS is bootstrapped is not part of this document. C and | |||
| part of this document. C and AS MUST ensure the confidentiality, | AS MUST ensure the confidentiality, integrity and authenticity of all | |||
| integrity and authenticity of all exchanged messages. | exchanged messages. | |||
| If C is constrained, C and AS should use DTLS to communicate with | If C is constrained, C and AS should use DTLS to communicate with | |||
| each other. But C and AS may also use other means to secure their | each other. But C and AS may also use other means to secure their | |||
| communication, e.g., TLS. The used security protocol must provide | communication, e.g., TLS. The used security protocol MUST fulfill | |||
| confidentiality, integrity and authenticity, and enable the client to | the communication security requirements in Section 6.2 of | |||
| determine if it is the intended recipient of a message, e.g., by | [I-D.ietf-ace-oauth-authz]. | |||
| using an AEAD mechanism. C must also be able to determine if a | ||||
| response from AS belongs to a certain request. Additionally, the | ||||
| protocol must offer replay protection. | ||||
| 3.2. RawPublicKey Mode | 3.2. RawPublicKey Mode | |||
| After C and AS mutually authenticated each other and validated each | After C and AS mutually authenticated each other and validated each | |||
| other's authorization, C sends a token request to AS's token | other's authorization, C sends a token request to AS's token | |||
| endpoint. The client MUST add a "req_cnf" object carrying either its | endpoint. The client MUST add a "req_cnf" object carrying either its | |||
| raw public key or a unique identifier for a public key that it has | raw public key or a unique identifier for a public key that it has | |||
| previously made known to the authorization server. To prove that the | previously made known to the authorization server. To prove that the | |||
| client is in possession of this key, C MUST use the same keying | client is in possession of this key, C MUST use the same keying | |||
| material that it uses to secure the communication with AS, e.g., the | material that it uses to secure the communication with AS, e.g., the | |||
| DTLS session. | DTLS session. | |||
| An example access token request from the client to the AS is depicted | An example access token request from the client to the AS is depicted | |||
| in Figure 3. | in Figure 3. | |||
| POST coaps://as.example.com/token | POST coaps://as.example.com/token | |||
| Content-Format: application/ace+cbor | Content-Format: application/ace+cbor | |||
| Payload: | ||||
| { | { | |||
| grant_type: client_credentials, | "grant_type" : "client_credentials", | |||
| req_aud: "tempSensor4711", | "req_aud" : "tempSensor4711", | |||
| req_cnf: { | "req_cnf" : { | |||
| COSE_Key: { | "COSE_Key" : { | |||
| kty: EC2, | "kty" : "EC2", | |||
| crv: P-256, | "crv" : "P-256", | |||
| x: h'e866c35f4c3c81bb96a1...', | "x" : h'e866c35f4c3c81bb96a1...', | |||
| y: h'2e25556be097c8778a20...' | "y" : h'2e25556be097c8778a20...' | |||
| } | } | |||
| } | } | |||
| } | } | |||
| Figure 3: Access Token Request Example for RPK Mode | Figure 3: Access Token Request Example for RPK Mode | |||
| The example shows an access token request for the resource identified | The example shows an access token request for the resource identified | |||
| by the string "tempSensor4711" on the authorization server using a | by the string "tempSensor4711" on the authorization server using a | |||
| raw public key. | raw public key. | |||
| AS MUST check if the client that it communicates with is associated | AS MUST check if the client that it communicates with is associated | |||
| with the RPK in the cnf object before issuing an access token to it. | with the RPK in the cnf object before issuing an access token to it. | |||
| If AS determines that the request is to be authorized according to | If AS determines that the request is to be authorized according to | |||
| the respective authorization rules, it generates an access token | the respective authorization rules, it generates an access token | |||
| response for C. The response SHOULD contain a "profile" parameter | response for C. The access token MUST be bound to the RPK of the | |||
| with the value "coap_dtls" to indicate that this profile must be used | client by means of the cnf claim. The response MAY contain a | |||
| for communication between the client C and the resource server. The | "profile" parameter with the value "coap_dtls" to indicate that this | |||
| response also contains an access token and an "rs_cnf" parameter | profile MUST be used for communication between the client C and the | |||
| containing information about the public key that is used by the | resource server. The "profile" may be specified out-of-band, in | |||
| resource server. AS MUST ascertain that the RPK specified in | which case it does not have to be sent. The response also contains | |||
| "rs_cnf" belongs to the resource server that C wants to communicate | an access token and an "rs_cnf" parameter containing information | |||
| with. AS MUST protect the integrity of the token. If the access | about the public key that is used by the resource server. AS MUST | |||
| token contains confidential data, AS MUST also protect the | ascertain that the RPK specified in "rs_cnf" belongs to the resource | |||
| confidentiality of the access token. | server that C wants to communicate with. AS MUST protect the | |||
| integrity of the token. If the access token contains confidential | ||||
| data, AS MUST also protect the confidentiality of the access token. | ||||
| C MUST ascertain that the access token response belongs to a certain | C MUST ascertain that the access token response belongs to a certain | |||
| previously sent access token request, as the request may specify the | previously sent access token request, as the request may specify the | |||
| resource server with which C wants to communicate. | resource server with which C wants to communicate. | |||
| An example access token response from the AS to the client is | ||||
| depicted in Figure 4. | ||||
| 2.01 Created | ||||
| Content-Format: application/ace+cbor | ||||
| Max-Age: 3600 | ||||
| Payload: | ||||
| { | ||||
| "access_token" : "b64'SlAV32hkKG ... | ||||
| (remainder of CWT omitted for brevity; | ||||
| CWT contains clients RPK in the "cnf" claim)', | ||||
| "expires_in" : "3600", | ||||
| "rs_cnf" : { | ||||
| "COSE_Key" : { | ||||
| "kty" : "EC2", | ||||
| "crv" : "P-256", | ||||
| "x" : h'd7cc072de2205bdc1537...', | ||||
| "y" : h'f95e1d4b851a2cc80fff...' | ||||
| } | ||||
| } | ||||
| } | ||||
| Figure 4: Access Token Response Example for RPK Mode | ||||
| 3.2.1. DTLS Channel Setup Between C and RS | 3.2.1. DTLS Channel Setup Between C and RS | |||
| Before the client initiates the DTLS handshake with the resource | Before the client initiates the DTLS handshake with the resource | |||
| server, C MUST send a "POST" request containing the new access token | server, C MUST send a "POST" request containing the new access token | |||
| to the authz-info resource hosted by the resource server. If this | to the authz-info resource hosted by the resource server. After the | |||
| operation yields a positive response, the client SHOULD proceed to | client | |||
| establish a new DTLS channel with the resource server. To use the | receives a confirmation that the RS has accepted the access token, it | |||
| RawPublicKey mode, the client MUST specify the public key that AS | SHOULD proceed to establish a new DTLS channel with the resource | |||
| defined in the "cnf" field of the access token response in the | server. To use the RawPublicKey mode, the client MUST specify the | |||
| SubjectPublicKeyInfo structure in the DTLS handshake as specified in | public key that AS defined in the "cnf" field of the access token | |||
| [RFC7250]. | response in the SubjectPublicKeyInfo structure in the DTLS handshake | |||
| as specified in [RFC7250]. | ||||
| An implementation that supports the RPK mode of this profile MUST at | An implementation that supports the RPK mode of this profile MUST at | |||
| least support the ciphersuite TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 | least support the ciphersuite TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 | |||
| [RFC7251] with the ed25519 curve (cf. [RFC8032], [RFC8422]). | [RFC7251] with the ed25519 curve (cf. [RFC8032], [RFC8422]). | |||
| Note: According to [RFC7252], CoAP implementations MUST support the | Note: According to [RFC7252], CoAP implementations MUST support the | |||
| ciphersuite TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 [RFC7251] and the | ciphersuite TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 [RFC7251] and the | |||
| NIST P-256 curve. As discussed in [RFC7748], new ECC curves have | NIST P-256 curve. As discussed in [RFC7748], new ECC curves have | |||
| been defined recently that are considered superior to the so- | been defined recently that are considered superior to the so- | |||
| called NIST curves. The curve that is mandatory to implement in | called NIST curves. The curve that is mandatory to implement in | |||
| skipping to change at page 8, line 36 ¶ | skipping to change at page 9, line 12 ¶ | |||
| that the access token is generated for the resource server that C | that the access token is generated for the resource server that C | |||
| wants to communicate with. Also, AS MUST protect the integrity of | wants to communicate with. Also, AS MUST protect the integrity of | |||
| the access token. If the token contains confidential data such as | the access token. If the token contains confidential data such as | |||
| the symmetric key, the confidentiality of the token MUST also be | the symmetric key, the confidentiality of the token MUST also be | |||
| protected. Depending on the requested token type and algorithm in | protected. Depending on the requested token type and algorithm in | |||
| the access token request, the authorization server adds access | the access token request, the authorization server adds access | |||
| Information to the response that provides the client with sufficient | Information to the response that provides the client with sufficient | |||
| information to setup a DTLS channel with the resource server. AS | information to setup a DTLS channel with the resource server. AS | |||
| adds a "cnf" parameter to the access information carrying a | adds a "cnf" parameter to the access information carrying a | |||
| "COSE_Key" object that informs the client about the symmetric key | "COSE_Key" object that informs the client about the symmetric key | |||
| that is to be used between C and the resource server. | that is to be used between C and the resource server. The access | |||
| token MUST be bound to the same symmetric key by means of the cnf | ||||
| claim. | ||||
| An example access token response is illustrated in Figure 4. In this | An example access token request for an access token with a symmetric | |||
| proof-of-possession key is illustrated in Figure 5. | ||||
| POST coaps://as.example.com/token | ||||
| Content-Format: application/ace+cbor | ||||
| Payload: | ||||
| { | ||||
| "audience" : "smokeSensor1807", | ||||
| } | ||||
| Figure 5: Example Access Token Request, symmetric PoP-key | ||||
| An example access token response is illustrated in Figure 6. In this | ||||
| example, the authorization server returns a 2.01 response containing | example, the authorization server returns a 2.01 response containing | |||
| a new access token and information for the client, including the | a new access token and information for the client, including the | |||
| symmetric key in the cnf claim. The information is transferred as a | symmetric key in the cnf claim. The information is transferred as a | |||
| CBOR data structure as specified in [I-D.ietf-ace-oauth-authz]. | CBOR data structure as specified in [I-D.ietf-ace-oauth-authz]. | |||
| 2.01 Created | 2.01 Created | |||
| Content-Format: application/ace+cbor | Content-Format: application/ace+cbor | |||
| Max-Age: 86400 | Max-Age: 86400 | |||
| Payload: | ||||
| { | { | |||
| access_token: h'd08343a10... | "access_token" : h'd08343a10... | |||
| (remainder of CWT omitted for brevity) | (remainder of CWT omitted for brevity) | |||
| token_type: pop, | "token_type" : "pop", | |||
| expires_in: 86400, | "expires_in" : 86400, | |||
| profile: coap_dtls, | "profile" : "coap_dtls", | |||
| cnf: { | "cnf" : { | |||
| COSE_Key: { | "COSE_Key" : { | |||
| kty: symmetric, | "kty" : "symmetric", | |||
| alg: TLS_PSK_WITH_AES_128_CCM_8 | "kid" : h'3d027833fc6267ce', | |||
| kid: h'3d027833fc6267ce', | "k" : h'73657373696f6e6b6579' | |||
| k: h'73657373696f6e6b6579' | ||||
| } | } | |||
| } | } | |||
| } | } | |||
| Figure 4: Example Access Token Response | Figure 6: Example Access Token Response, symmetric PoP-key | |||
| The access token also comprises a "cnf" claim. This claim usually | The access token also comprises a "cnf" claim. This claim usually | |||
| contains a "COSE_Key" object that carries either the symmetric key | contains a "COSE_Key" object that carries either the symmetric key | |||
| itself or a key identifier that can be used by the resource server to | itself or a key identifier that can be used by the resource server to | |||
| determine the secret key shared with the client. If the access token | determine the secret key shared with the client. If the access token | |||
| carries a symmetric key, the access token MUST be encrypted using a | carries a symmetric key, the access token MUST be encrypted using a | |||
| "COSE_Encrypt0" structure. The AS MUST use the keying material | "COSE_Encrypt0" structure. The AS MUST use the keying material | |||
| shared with the RS to encrypt the token. | shared with the RS to encrypt the token. | |||
| The "cnf" structure in the access token is provided in Figure 7. | ||||
| "cnf" : { | ||||
| "COSE_Key" : { | ||||
| "kty" : "symmetric", | ||||
| "kid" : h'eIiOFCa9lObw' | ||||
| } | ||||
| } | ||||
| Figure 7: Access Token without Keying Material | ||||
| A response that declines any operation on the requested resource is | A response that declines any operation on the requested resource is | |||
| constructed according to Section 5.2 of [RFC6749], (cf. | constructed according to Section 5.2 of [RFC6749], (cf. | |||
| Section 5.6.3. of [I-D.ietf-ace-oauth-authz]). | Section 5.6.3. of [I-D.ietf-ace-oauth-authz]). | |||
| 4.00 Bad Request | 4.00 Bad Request | |||
| Content-Format: application/ace+cbor | Content-Format: application/ace+cbor | |||
| Payload: | ||||
| { | { | |||
| error: invalid_request | "error" : "invalid_request" | |||
| } | } | |||
| Figure 5: Example Access Token Response With Reject | Figure 8: Example Access Token Response With Reject | |||
| The method for how the resource server determines the symmetric key | The method for how the resource server determines the symmetric key | |||
| from an access token containing only a key identifier is application | from an access token containing only a key identifier is application | |||
| specific, the remainder of this section provides one example. | specific, the remainder of this section provides one example. | |||
| The AS and the resource server are assumed to share a key derivation | The AS and the resource server are assumed to share a key derivation | |||
| key used to derive the symmetric key shared with the client from the | key used to derive the symmetric key shared with the client from the | |||
| key identifier in the access token. The key derivation key may be | key identifier in the access token. The key derivation key may be | |||
| derived from some other secret key shared between the AS and the | derived | |||
| resource server. Knowledge of the symmetric key shared with the | from some other secret key shared between the AS and the resource | |||
| client must not reveal any information about the key derivation key | server. This key needs to be securely stored and processed in the | |||
| or other secret keys shared between AS and resource server. | same way as the key used to protect the communication between AS and | |||
| RS. | ||||
| Knowledge of the symmetric key shared with the client must not reveal | ||||
| any information about the key derivation key or other secret keys | ||||
| shared between AS and resource server. | ||||
| In order to generate a new symmetric key to be used by client and | In order to generate a new symmetric key to be used by client and | |||
| resource server, the AS generates a key identifier and uses the key | resource server, the AS generates a key identifier and uses the key | |||
| derivation key shared with the resource server to derive the | derivation key shared with the resource server to derive the | |||
| symmetric key as specified below. Instead of providing the keying | symmetric key as specified below. Instead of providing the keying | |||
| material in the access token, the AS includes the key identifier in | material in the access token, the AS includes the key identifier in | |||
| the "kid" parameter, see Figure 6. This key identifier enables the | the "kid" parameter, see Figure 7. This key identifier enables the | |||
| resource server to calculate the keying material for the | resource server to calculate the keying material for the | |||
| communication with the client from the access token using the key | communication with the client from the access token using the key | |||
| derivation key and following Section 11 of [RFC8152] with parameters | derivation key and following Section 11 of [RFC8152] with parameters | |||
| as specified here. The KDF to be used needs to be defined by the | as specified here. The KDF to be used needs to be defined by the | |||
| application, for example HKDF-SHA-256. The key identifier picked by | application, for example HKDF-SHA-256. The key identifier picked by | |||
| the AS needs to be unique for each access token where a unique | the AS needs to be unique for each access token where a unique | |||
| symmetric key is required. | symmetric key is required. | |||
| The fields in the context information "COSE_KDF_Context" | The fields in the context information "COSE_KDF_Context" | |||
| (Section 11.2 of [RFC8152]) have the following values: | (Section 11.2 of [RFC8152]) have the following values: | |||
| o AlgorithmID = "ACE-CoAP-DTLS-key-derivation" | o AlgorithmID = "ACE-CoAP-DTLS-key-derivation" | |||
| o PartyUInfo = PartyVInfo = ( null, null, null ) | o PartyUInfo = PartyVInfo = ( null, null, null ) | |||
| o keyDataLength is a uint equal the length of the symmetric key | o keyDataLength needs to be defined by the application | |||
| shared between C and RS in bits | ||||
| o protected MUST be a zero length bstr | o protected MUST be a zero length bstr | |||
| o other is a zero length bstr | o other is a zero length bstr | |||
| o SuppPrivInfo is omitted | o SuppPrivInfo is omitted | |||
| The "cnf" structure in the access token is provided in Figure 6. | ||||
| cnf : { | ||||
| COSE_Key : { | ||||
| kty : symmetric, | ||||
| alg : TLS_PSK_WITH_AES_128_CCM_8, | ||||
| kid : h'eIiOFCa9lObw' | ||||
| } | ||||
| } | ||||
| Figure 6: Access Token without Keying Material | ||||
| 3.3.1. DTLS Channel Setup Between C and RS | 3.3.1. DTLS Channel Setup Between C and RS | |||
| When a client receives an access token response from an authorization | When a client receives an access token response from an authorization | |||
| server, C MUST ascertain that the access token response belongs to a | server, C MUST ascertain that the access token response belongs to a | |||
| certain previously sent access token request, as the request may | certain previously sent access token request, as the request may | |||
| specify the resource server with which C wants to communicate. | specify the resource server with which C wants to communicate. | |||
| C checks if the payload of the access token response contains an | C checks if the payload of the access token response contains an | |||
| "access_token" parameter and a "cnf" parameter. With this | "access_token" parameter and a "cnf" parameter. With this | |||
| information the client can initiate the establishment of a new DTLS | information the client can initiate the establishment of a new DTLS | |||
| skipping to change at page 13, line 29 ¶ | skipping to change at page 14, line 35 ¶ | |||
| 1. with response code 4.03 (Forbidden) when the resource URI | 1. with response code 4.03 (Forbidden) when the resource URI | |||
| specified in the request is not covered by the authorization | specified in the request is not covered by the authorization | |||
| information, and | information, and | |||
| 2. with response code 4.05 (Method Not Allowed) when the resource | 2. with response code 4.05 (Method Not Allowed) when the resource | |||
| URI specified in the request covered by the authorization | URI specified in the request covered by the authorization | |||
| information but not the requested action. | information but not the requested action. | |||
| The client cannot always know a priori if an Authorized Resource | The client cannot always know a priori if an Authorized Resource | |||
| Request will succeed. It must check the validity of its keying | Request will succeed. It MUST check the validity of its keying | |||
| material before sending a request or processing a response. If the | material before sending a request or processing a response. If the | |||
| client repeatedly gets error responses containing AS Creation Hints | client repeatedly gets error responses containing AS Creation Hints | |||
| (cf. Section 5.1.2 of [I-D.ietf-ace-oauth-authz] as response to its | (cf. Section 5.1.2 of [I-D.ietf-ace-oauth-authz] as response to its | |||
| requests, it SHOULD request a new access token from the authorization | requests, it SHOULD request a new access token from the authorization | |||
| server in order to continue communication with the resource server. | server in order to continue communication with the resource server. | |||
| Unauthorized requests that have been received over a DTLS session | Unauthorized requests that have been received over a DTLS session | |||
| SHOULD be treated as non-fatal by the RS, i.e., the DTLS session | SHOULD be treated as non-fatal by the RS, i.e., the DTLS session | |||
| SHOULD be kept alive until the associated access token has expired. | SHOULD be kept alive until the associated access token has expired. | |||
| 4. Dynamic Update of Authorization Information | 4. Dynamic Update of Authorization Information | |||
| The client can update the authorization information stored at the | The client can update the authorization information stored at the | |||
| resource server at any time without changing an established DTLS | resource server at any time without changing an established DTLS | |||
| session. To do so, the Client requests a new access token from the | session. To do so, the Client requests a new access token from the | |||
| authorization server for the intended action on the respective | authorization server for the intended action on the respective | |||
| resource and uploads this access token to the authz-info resource on | resource and uploads this access token to the authz-info resource on | |||
| the resource server. | the resource server. | |||
| Figure 7 depicts the message flow where the C requests a new access | Figure 9 depicts the message flow where the C requests a new access | |||
| token after a security association between the client and the | token after a security association between the client and the | |||
| resource server has been established using this protocol. If the | resource server has been established using this protocol. If the | |||
| client wants to update the authorization information, the token | client wants to update the authorization information, the token | |||
| request MUST specify the key identifier of the existing DTLS channel | request MUST specify the key identifier of the proof-of-possession | |||
| between the client and the resource server in the "kid" parameter of | key used for the existing DTLS channel between the client and the | |||
| the Client-to-AS request. The authorization server MUST verify that | resource server in the "kid" parameter of the Client-to-AS request. | |||
| the specified "kid" denotes a valid verifier for a proof-of- | The authorization server MUST verify that the specified "kid" denotes | |||
| possession token that has previously been issued to the requesting | a valid verifier for a proof-of-possession token that has previously | |||
| client. Otherwise, the Client-to-AS request MUST be declined with | been issued to the requesting client. Otherwise, the Client-to-AS | |||
| the error code "unsupported_pop_key" as defined in Section 5.6.3 of | request MUST be declined with the error code "unsupported_pop_key" as | |||
| [I-D.ietf-ace-oauth-authz]. | defined in Section 5.6.3 of [I-D.ietf-ace-oauth-authz]. | |||
| When the authorization server issues a new access token to update | When the authorization server issues a new access token to update | |||
| existing authorization information, it MUST include the specified | existing authorization information, it MUST include the specified | |||
| "kid" parameter in this access token. A resource server MUST replace | "kid" parameter in this access token. A resource server MUST replace | |||
| the authorization information of any existing DTLS session that is | the authorization information of any existing DTLS session that is | |||
| identified by this key identifier with the updated authorization | identified by this key identifier with the updated authorization | |||
| information. | information. | |||
| Note: By associating the access tokens with the identifier of an | Note: By associating the access tokens with the identifier of an | |||
| existing DTLS session, the authorization information can be | existing DTLS session, the authorization information can be | |||
| skipping to change at page 14, line 42 ¶ | skipping to change at page 15, line 49 ¶ | |||
| | <---------------------------- New Access Token - | | | <---------------------------- New Access Token - | | |||
| | + Access Information | | | + Access Information | | |||
| | | | | | | | | |||
| | --- Update /authz-info --> | | | | --- Update /authz-info --> | | | |||
| | New Access Token | | | | New Access Token | | | |||
| | | | | | | | | |||
| | == Authorized Request ===> | | | | == Authorized Request ===> | | | |||
| | | | | | | | | |||
| | <=== Protected Resource == | | | | <=== Protected Resource == | | | |||
| Figure 7: Overview of Dynamic Update Operation | Figure 9: Overview of Dynamic Update Operation | |||
| 5. Token Expiration | 5. Token Expiration | |||
| DTLS sessions that have been established in accordance with this | DTLS sessions that have been established in accordance with this | |||
| profile are always tied to a specific set of access tokens. As these | profile are always tied to a specific access token. As this token | |||
| tokens may become invalid at any time (either because the token has | may become invalid at any time (e.g. because it has expired), the | |||
| expired or the responsible authorization server has revoked the | session may become useless at some point. A resource server | |||
| token), the session may become useless at some point. A resource | therefore MUST terminate existing DTLS sessions after the access | |||
| server therefore MUST terminate existing DTLS sessions after the last | token for this session has been deleted. | |||
| valid access token for this session has been deleted. | ||||
| As specified in Section 5.8.3 of [I-D.ietf-ace-oauth-authz], the | As specified in Section 5.8.3 of [I-D.ietf-ace-oauth-authz], the | |||
| resource server MUST notify the client with an error response with | resource server MUST notify the client with an error response with | |||
| code 4.01 (Unauthorized) for any long running request before | code 4.01 (Unauthorized) for any long running request before | |||
| terminating the session. | terminating the session. | |||
| 6. Security Considerations | 6. Security Considerations | |||
| This document specifies a profile for the Authentication and | This document specifies a profile for the Authentication and | |||
| Authorization for Constrained Environments (ACE) framework | Authorization for Constrained Environments (ACE) framework | |||
| [I-D.ietf-ace-oauth-authz]. As it follows this framework's general | [I-D.ietf-ace-oauth-authz]. As it follows this framework's general | |||
| approach, the general security and privacy considerations from | approach, the general security considerations from section 6 also | |||
| section 6 and section 7 also apply to this profile. | apply to this profile. | |||
| When using pre-shared keys provisioned by the AS, the security level | ||||
| depends on the randomness of PSK, and the security of the TLS cipher | ||||
| suite and key exchange algorithm. | ||||
| Constrained devices that use DTLS [RFC6347] are inherently vulnerable | Constrained devices that use DTLS [RFC6347] are inherently vulnerable | |||
| to Denial of Service (DoS) attacks as the handshake protocol requires | to Denial of Service (DoS) attacks as the handshake protocol requires | |||
| creation of internal state within the device. This is specifically | creation of internal state within the device. This is specifically | |||
| of concern where an adversary is able to intercept the initial cookie | of concern where an adversary is able to intercept the initial cookie | |||
| exchange and interject forged messages with a valid cookie to | exchange and interject forged messages with a valid cookie to | |||
| continue with the handshake. A similar issue exists with the | continue with the handshake. A similar issue exists with the | |||
| authorization information endpoint where the resource server needs to | authorization information endpoint where the resource server needs to | |||
| keep valid access tokens until their expiry. Adversaries can fill up | keep valid access tokens until their expiry. Adversaries can fill up | |||
| the constrained resource server's internal storage for a very long | the constrained resource server's internal storage for a very long | |||
| time with interjected or otherwise retrieved valid access tokens. | time with interjected or otherwise retrieved valid access tokens. | |||
| The use of multiple access tokens for a single client increases the | The use of multiple access tokens for a single client increases the | |||
| strain on the resource server as it must consider every access token | strain on the resource server as it must consider every access token | |||
| and calculate the actual permissions of the client. Also, tokens may | and calculate the actual permissions of the client. Also, tokens may | |||
| contradict each other which may lead the server to enforce wrong | contradict each other which may lead the server to enforce wrong | |||
| permissions. If one of the access tokens expires earlier than | permissions. If one of the access tokens expires earlier than | |||
| others, the resulting permissions may offer insufficient protection. | others, the resulting permissions may offer insufficient protection. | |||
| Developers should avoid using multiple access tokens for a client. | Developers SHOULD avoid using multiple access tokens for a client. | |||
| 7. Privacy Considerations | 7. Privacy Considerations | |||
| This privacy considerations from section 7 of the | ||||
| [I-D.ietf-ace-oauth-authz] apply also to this profile. | ||||
| An unprotected response to an unauthorized request may disclose | An unprotected response to an unauthorized request may disclose | |||
| information about the resource server and/or its existing | information about the resource server and/or its existing | |||
| relationship with the client. It is advisable to include as little | relationship with the client. It is advisable to include as little | |||
| information as possible in an unencrypted response. When a DTLS | information as possible in an unencrypted response. When a DTLS | |||
| session between the client and the resource server already exists, | session between the client and the resource server already exists, | |||
| more detailed information may be included with an error response to | more detailed information MAY be included with an error response to | |||
| provide the client with sufficient information to react on that | provide the client with sufficient information to react on that | |||
| particular error. | particular error. | |||
| Also, unprotected requests to the resource server may reveal | Also, unprotected requests to the resource server may reveal | |||
| information about the client, e.g., which resources the client | information about the client, e.g., which resources the client | |||
| attempts to request or the data that the client wants to provide to | attempts to request or the data that the client wants to provide to | |||
| the resource server. The client should not send confidential data in | the resource server. The client SHOULD NOT send confidential data in | |||
| an unprotected request. | an unprotected request. | |||
| Note that some information might still leak after DTLS session is | Note that some information might still leak after DTLS session is | |||
| established, due to observable message sizes, the source, and the | established, due to observable message sizes, the source, and the | |||
| destination addresses. | destination addresses. | |||
| 8. IANA Considerations | 8. IANA Considerations | |||
| The following registrations are done for the ACE OAuth Profile | The following registrations are done for the ACE OAuth Profile | |||
| Registry following the procedure specified in | Registry following the procedure specified in | |||
| skipping to change at page 16, line 48 ¶ | skipping to change at page 18, line 19 ¶ | |||
| [I-D.ietf-ace-cwt-proof-of-possession] | [I-D.ietf-ace-cwt-proof-of-possession] | |||
| Jones, M., Seitz, L., Selander, G., Erdtman, S., and H. | Jones, M., Seitz, L., Selander, G., Erdtman, S., and H. | |||
| Tschofenig, "Proof-of-Possession Key Semantics for CBOR | Tschofenig, "Proof-of-Possession Key Semantics for CBOR | |||
| Web Tokens (CWTs)", draft-ietf-ace-cwt-proof-of- | Web Tokens (CWTs)", draft-ietf-ace-cwt-proof-of- | |||
| possession-06 (work in progress), February 2019. | possession-06 (work in progress), February 2019. | |||
| [I-D.ietf-ace-oauth-authz] | [I-D.ietf-ace-oauth-authz] | |||
| Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., and | Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., and | |||
| H. Tschofenig, "Authentication and Authorization for | H. Tschofenig, "Authentication and Authorization for | |||
| Constrained Environments (ACE) using the OAuth 2.0 | Constrained Environments (ACE) using the OAuth 2.0 | |||
| Framework (ACE-OAuth)", draft-ietf-ace-oauth-authz-21 | Framework (ACE-OAuth)", draft-ietf-ace-oauth-authz-22 | |||
| (work in progress), February 2019. | (work in progress), March 2019. | |||
| [I-D.ietf-ace-oauth-params] | [I-D.ietf-ace-oauth-params] | |||
| Seitz, L., "Additional OAuth Parameters for Authorization | Seitz, L., "Additional OAuth Parameters for Authorization | |||
| in Constrained Environments (ACE)", draft-ietf-ace-oauth- | in Constrained Environments (ACE)", draft-ietf-ace-oauth- | |||
| params-04 (work in progress), February 2019. | params-04 (work in progress), February 2019. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| End of changes. 41 change blocks. | ||||
| 139 lines changed or deleted | 190 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||