draft-ietf-dtn-bpsec-default-sc-09.txt   draft-ietf-dtn-bpsec-default-sc-10.txt 
Delay-Tolerant Networking E. Birrane Delay-Tolerant Networking E. Birrane
Internet-Draft A. White Internet-Draft A. White
Intended status: Standards Track S. Heiner Intended status: Standards Track S. Heiner
Expires: January 9, 2022 JHU/APL Expires: January 13, 2022 JHU/APL
July 8, 2021 July 12, 2021
BPSec Default Security Contexts BPSec Default Security Contexts
draft-ietf-dtn-bpsec-default-sc-09 draft-ietf-dtn-bpsec-default-sc-10
Abstract Abstract
This document defines default integrity and confidentiality security This document defines default integrity and confidentiality security
contexts that can be used with the Bundle Protocol Security Protocol contexts that can be used with the Bundle Protocol Security Protocol
(BPSec) implementations. These security contexts are intended to be (BPSec) implementations. These security contexts are intended to be
used for both testing the interoperability of BPSec implementations used for both testing the interoperability of BPSec implementations
and for providing basic security operations when no other security and for providing basic security operations when no other security
contexts are defined or otherwise required for a network. contexts are defined or otherwise required for a network.
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 9, 2022. This Internet-Draft will expire on January 13, 2022.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 37 skipping to change at page 2, line 37
4.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 13 4.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 13
4.2. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . 14 4.2. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . 14
4.3. Parameters . . . . . . . . . . . . . . . . . . . . . . . 16 4.3. Parameters . . . . . . . . . . . . . . . . . . . . . . . 16
4.3.1. Initialization Vector (IV) . . . . . . . . . . . . . 16 4.3.1. Initialization Vector (IV) . . . . . . . . . . . . . 16
4.3.2. AES Variant . . . . . . . . . . . . . . . . . . . . . 16 4.3.2. AES Variant . . . . . . . . . . . . . . . . . . . . . 16
4.3.3. Wrapped Key . . . . . . . . . . . . . . . . . . . . . 17 4.3.3. Wrapped Key . . . . . . . . . . . . . . . . . . . . . 17
4.3.4. AAD Scope Flags . . . . . . . . . . . . . . . . . . . 17 4.3.4. AAD Scope Flags . . . . . . . . . . . . . . . . . . . 17
4.3.5. Enumerations . . . . . . . . . . . . . . . . . . . . 18 4.3.5. Enumerations . . . . . . . . . . . . . . . . . . . . 18
4.4. Results . . . . . . . . . . . . . . . . . . . . . . . . . 19 4.4. Results . . . . . . . . . . . . . . . . . . . . . . . . . 19
4.4.1. Authentication Tag . . . . . . . . . . . . . . . . . 19 4.4.1. Authentication Tag . . . . . . . . . . . . . . . . . 19
4.4.2. Enumerations . . . . . . . . . . . . . . . . . . . . 19 4.4.2. Enumerations . . . . . . . . . . . . . . . . . . . . 20
4.5. Key Considerations . . . . . . . . . . . . . . . . . . . 20 4.5. Key Considerations . . . . . . . . . . . . . . . . . . . 20
4.6. GCM Considerations . . . . . . . . . . . . . . . . . . . 21 4.6. GCM Considerations . . . . . . . . . . . . . . . . . . . 21
4.7. Canonicalization Algorithms . . . . . . . . . . . . . . . 22 4.7. Canonicalization Algorithms . . . . . . . . . . . . . . . 22
4.7.1. Cipher text related calculations . . . . . . . . . . 22 4.7.1. Cipher text related calculations . . . . . . . . . . 22
4.7.2. Additional Authenticated Data . . . . . . . . . . . . 23 4.7.2. Additional Authenticated Data . . . . . . . . . . . . 23
4.8. Processing . . . . . . . . . . . . . . . . . . . . . . . 23 4.8. Processing . . . . . . . . . . . . . . . . . . . . . . . 24
4.8.1. Encryption . . . . . . . . . . . . . . . . . . . . . 23 4.8.1. Encryption . . . . . . . . . . . . . . . . . . . . . 24
4.8.2. Decryption . . . . . . . . . . . . . . . . . . . . . 25 4.8.2. Decryption . . . . . . . . . . . . . . . . . . . . . 25
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 27
5.1. Security Context Identifiers . . . . . . . . . . . . . . 26 5.1. Security Context Identifiers . . . . . . . . . . . . . . 27
5.2. Integrity Scope Flags . . . . . . . . . . . . . . . . . . 27 5.2. Integrity Scope Flags . . . . . . . . . . . . . . . . . . 27
5.3. AAD Scope Flags . . . . . . . . . . . . . . . . . . . . . 27 5.3. AAD Scope Flags . . . . . . . . . . . . . . . . . . . . . 28
5.4. Guidance for Designated Experts . . . . . . . . . . . . . 28 5.4. Guidance for Designated Experts . . . . . . . . . . . . . 29
6. Security Considerations . . . . . . . . . . . . . . . . . . . 29 6. Security Considerations . . . . . . . . . . . . . . . . . . . 30
6.1. Key Management . . . . . . . . . . . . . . . . . . . . . 29 6.1. Key Management . . . . . . . . . . . . . . . . . . . . . 30
6.2. Key Handling . . . . . . . . . . . . . . . . . . . . . . 30 6.2. Key Handling . . . . . . . . . . . . . . . . . . . . . . 31
6.3. AES GCM . . . . . . . . . . . . . . . . . . . . . . . . . 31 6.3. AES GCM . . . . . . . . . . . . . . . . . . . . . . . . . 32
6.4. AES Key Wrap . . . . . . . . . . . . . . . . . . . . . . 31 6.4. AES Key Wrap . . . . . . . . . . . . . . . . . . . . . . 32
6.5. Bundle Fragmentation . . . . . . . . . . . . . . . . . . 32 6.5. Bundle Fragmentation . . . . . . . . . . . . . . . . . . 33
7. Normative References . . . . . . . . . . . . . . . . . . . . 32 7. Normative References . . . . . . . . . . . . . . . . . . . . 33
Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 34 Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 35
A.1. Example 1: Simple Integrity . . . . . . . . . . . . . . . 34 A.1. Example 1: Simple Integrity . . . . . . . . . . . . . . . 35
A.1.1. Original Bundle . . . . . . . . . . . . . . . . . . . 34 A.1.1. Original Bundle . . . . . . . . . . . . . . . . . . . 35
A.1.2. Security Operation Overview . . . . . . . . . . . . . 36 A.1.2. Security Operation Overview . . . . . . . . . . . . . 37
A.1.3. Bundle Integrity Block . . . . . . . . . . . . . . . 37 A.1.3. Bundle Integrity Block . . . . . . . . . . . . . . . 38
A.1.4. Final Bundle . . . . . . . . . . . . . . . . . . . . 38 A.1.4. Final Bundle . . . . . . . . . . . . . . . . . . . . 39
A.2. Example 2: Simple Confidentiality with Key Wrap . . . . . 39 A.2. Example 2: Simple Confidentiality with Key Wrap . . . . . 40
A.2.1. Original Bundle . . . . . . . . . . . . . . . . . . . 39 A.2.1. Original Bundle . . . . . . . . . . . . . . . . . . . 40
A.2.2. Security Operation Overview . . . . . . . . . . . . . 40 A.2.2. Security Operation Overview . . . . . . . . . . . . . 41
A.2.3. Bundle Confidentiality Block . . . . . . . . . . . . 40 A.2.3. Bundle Confidentiality Block . . . . . . . . . . . . 41
A.2.4. Final Bundle . . . . . . . . . . . . . . . . . . . . 42 A.2.4. Final Bundle . . . . . . . . . . . . . . . . . . . . 43
A.3. Example 3: Security Blocks from Multiple Sources . . . . 42 A.3. Example 3: Security Blocks from Multiple Sources . . . . 43
A.3.1. Original Bundle . . . . . . . . . . . . . . . . . . . 42 A.3.1. Original Bundle . . . . . . . . . . . . . . . . . . . 43
A.3.2. Security Operation Overview . . . . . . . . . . . . . 44 A.3.2. Security Operation Overview . . . . . . . . . . . . . 45
A.3.3. Bundle Integrity Block . . . . . . . . . . . . . . . 45 A.3.3. Bundle Integrity Block . . . . . . . . . . . . . . . 46
A.3.4. Bundle Confidentiality Block . . . . . . . . . . . . 47 A.3.4. Bundle Confidentiality Block . . . . . . . . . . . . 48
A.3.5. Final Bundle . . . . . . . . . . . . . . . . . . . . 48 A.3.5. Final Bundle . . . . . . . . . . . . . . . . . . . . 49
A.4. Example 4: Security Blocks with Full Scope . . . . . . . 49 A.4. Example 4: Security Blocks with Full Scope . . . . . . . 50
A.4.1. Original Bundle . . . . . . . . . . . . . . . . . . . 49 A.4.1. Original Bundle . . . . . . . . . . . . . . . . . . . 50
A.4.2. Security Operation Overview . . . . . . . . . . . . . 50 A.4.2. Security Operation Overview . . . . . . . . . . . . . 51
A.4.3. Bundle Integrity Block . . . . . . . . . . . . . . . 50 A.4.3. Bundle Integrity Block . . . . . . . . . . . . . . . 51
A.4.4. Bundle Confidentiality Block . . . . . . . . . . . . 52 A.4.4. Bundle Confidentiality Block . . . . . . . . . . . . 53
A.4.5. Final Bundle . . . . . . . . . . . . . . . . . . . . 54 A.4.5. Final Bundle . . . . . . . . . . . . . . . . . . . . 55
Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 54 Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 55
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 54 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 55
1. Introduction 1. Introduction
The Bundle Protocol Security Protocol (BPSec) [I-D.ietf-dtn-bpsec] The Bundle Protocol Security Protocol (BPSec) [I-D.ietf-dtn-bpsec]
specification provides inter-bundle integrity and confidentiality specification provides inter-bundle integrity and confidentiality
operations for networks deploying the Bundle Protocol (BP) operations for networks deploying the Bundle Protocol (BP)
[I-D.ietf-dtn-bpbis]. BPSec defines BP extension blocks to carry [I-D.ietf-dtn-bpbis]. BPSec defines BP extension blocks to carry
security information produced under the auspices of some security security information produced under the auspices of some security
context. context.
skipping to change at page 8, line 12 skipping to change at page 8, line 12
acceptors MUST determine the proper key as a function of their local acceptors MUST determine the proper key as a function of their local
BPSec policy and configuration. BPSec policy and configuration.
3.3.3. Integrity Scope Flags 3.3.3. Integrity Scope Flags
This optional parameter contains a series of flags that describe what This optional parameter contains a series of flags that describe what
information is to be included with the block-type-specific data when information is to be included with the block-type-specific data when
constructing the IPPT value. constructing the IPPT value.
This value MUST be represented as a CBOR unsigned integer, the value This value MUST be represented as a CBOR unsigned integer, the value
of which MUST be processed as a bit field. of which MUST be processed as a 16-bit field. The maximum value of
this field, as a CBOR unsigned integer, MUST be 65535.
Integrity scope flags that are unrecognized MUST be ignored, as Integrity scope flags that are unrecognized MUST be ignored, as
future definitions of additional flags might not be integrated future definitions of additional flags might not be integrated
simultaneously into security context implementations operating at all simultaneously into security context implementations operating at all
nodes. nodes.
Implementations MUST set reserved and unassigned bits in this field Implementations MUST set reserved and unassigned bits in this field
to 0 when constructing these flags at a security source. Once set, to 0 when constructing these flags at a security source. Once set,
the value of this field MUST NOT be altered until the security the value of this field MUST NOT be altered until the security
service is completed at the security acceptor in the network and service is completed at the security acceptor in the network and
skipping to change at page 17, line 49 skipping to change at page 17, line 49
acceptors MUST determine the proper key as a function of their local acceptors MUST determine the proper key as a function of their local
BPSec policy and configuration. BPSec policy and configuration.
4.3.4. AAD Scope Flags 4.3.4. AAD Scope Flags
This optional parameter contains a series of flags that describe what This optional parameter contains a series of flags that describe what
information is to be included with the block-type-specific data of information is to be included with the block-type-specific data of
the security target as part of additional authenticated data (AAD). the security target as part of additional authenticated data (AAD).
This value MUST be represented as a CBOR unsigned integer, the value This value MUST be represented as a CBOR unsigned integer, the value
of which MUST be processed as a bit field. of which MUST be processed as a 16-bit field. The maximum value of
this field, as a CBOR unsigned integer, MUST be 65535.
AAD scope flags that are unrecognized MUST be ignored, as future AAD scope flags that are unrecognized MUST be ignored, as future
definitions of additional flags might not be integrated definitions of additional flags might not be integrated
simultaneously into security context implementations operating at all simultaneously into security context implementations operating at all
nodes. nodes.
Implementations MUST set reserved and unassigned bits in this field Implementations MUST set reserved and unassigned bits in this field
to 0 when constructing these flags at a security source. Once set, to 0 when constructing these flags at a security source. Once set,
the value of this field MUST NOT be altered until the security the value of this field MUST NOT be altered until the security
service is completed at the security acceptor in the network and service is completed at the security acceptor in the network and
skipping to change at page 37, line 33 skipping to change at page 38, line 33
A.1.3.1. Configuration, Parameters, and Results A.1.3.1. Configuration, Parameters, and Results
For this example, the following configuration and security parameters For this example, the following configuration and security parameters
are used to generate the security results indicated. are used to generate the security results indicated.
This BIB has a single target and includes a single security result: This BIB has a single target and includes a single security result:
the calculated signature over the payload block. the calculated signature over the payload block.
Key : h'1a2b1a2b1a2b1a2b1a2b1a2b1a2b1a2b' Key : h'1a2b1a2b1a2b1a2b1a2b1a2b1a2b1a2b'
SHA Variant : HMAC 512/512 SHA Variant : HMAC 512/512
Scope Flags : h'00' Scope Flags : 0x00
Payload Data: h'52656164792047656e65726174652061 Payload Data: h'52656164792047656e65726174652061
2033322062797465207061796c6f6164' 2033322062797465207061796c6f6164'
Signature : h'0654d65992803252210e377d66d0a8dc Signature : h'0654d65992803252210e377d66d0a8dc
18a1e8a392269125ae9ac198a9a598be 18a1e8a392269125ae9ac198a9a598be
4b83d5daa8be2f2d16769ec1c30cfc34 4b83d5daa8be2f2d16769ec1c30cfc34
8e2205fba4b3be2b219074fdd5ea8ef0' 8e2205fba4b3be2b219074fdd5ea8ef0'
Figure 4: Example 1: Configuration, Parameters, and Results Figure 4: Example 1: Configuration, Parameters, and Results
A.1.3.2. Abstract Security Block A.1.3.2. Abstract Security Block
The abstract security block structure of the BIB's block-type- The abstract security block structure of the BIB's block-type-
specific-data field for this application is as follows. specific-data field for this application is as follows.
[1], / Security Target - Payload block / [1], / Security Target - Payload block /
1, / Security Context ID - BIB-HMAC-SHA2 / 1, / Security Context ID - BIB-HMAC-SHA2 /
1, / Security Context Flags - Parameters Present / 1, / Security Context Flags - Parameters Present /
[2,[2, 1]], / Security Source - ipn:2.1 / [2,[2, 1]], / Security Source - ipn:2.1 /
[ / Security Parameters - 2 Parameters / [ / Security Parameters - 2 Parameters /
[1, 7], / SHA Variant - HMAC 512/512 / [1, 7], / SHA Variant - HMAC 512/512 /
[3, h'00'] / Scope Flags - No Additional Scope / [3, 0x00] / Scope Flags - No Additional Scope /
], ],
[ / Security Results: 1 Result / [ / Security Results: 1 Result /
[1, h'0654d65992803252210e377d66d0a8dc18a1e8a392269125ae9ac198a9a598b [1, h'0654d65992803252210e377d66d0a8dc18a1e8a392269125ae9ac198a9a598b
e4b83d5daa8be2f2d16769ec1c30cfc348e2205fba4b3be2b219074fdd5ea8ef0'] e4b83d5daa8be2f2d16769ec1c30cfc348e2205fba4b3be2b219074fdd5ea8ef0']
] ]
Figure 5: Example 1: BIB Abstract Security Block (CBOR Diagnostic Figure 5: Example 1: BIB Abstract Security Block (CBOR Diagnostic
Notation) Notation)
The CBOR encoding of the BIB block-type-specific-data field (the The CBOR encoding of the BIB block-type-specific-data field (the
skipping to change at page 41, line 12 skipping to change at page 42, line 12
block-type-specific data to encrypt the payload block, an block-type-specific data to encrypt the payload block, an
authentication tag, and the AES wrapped key. authentication tag, and the AES wrapped key.
Content Encryption Content Encryption
Key: h'71776572747975696f70617364666768' Key: h'71776572747975696f70617364666768'
Key Encryption Key: h'6162636465666768696a6b6c6d6e6f70' Key Encryption Key: h'6162636465666768696a6b6c6d6e6f70'
IV: h'5477656c7665313231323132' IV: h'5477656c7665313231323132'
AES Variant: A128GCM AES Variant: A128GCM
AES Wrapped Key: h'69c411276fecddc4780df42c8a2af892 AES Wrapped Key: h'69c411276fecddc4780df42c8a2af892
96fabf34d7fae700' 96fabf34d7fae700'
Scope Flags: h'00' Scope Flags: 0x00
Payload Data: h'52656164792047656e65726174652061 Payload Data: h'52656164792047656e65726174652061
2033322062797465207061796c6f6164' 2033322062797465207061796c6f6164'
Authentication Tag: h'da08f4d8936024ad7c6b3b800e73dd97' Authentication Tag: h'da08f4d8936024ad7c6b3b800e73dd97'
Payload Ciphertext: h'3a09c1e63fe2097528a78b7c12943354 Payload Ciphertext: h'3a09c1e63fe2097528a78b7c12943354
a563e32648b700c2784e26a990d91f9d' a563e32648b700c2784e26a990d91f9d'
Figure 9: Example 2: Configuration, Parameters, and Results Figure 9: Example 2: Configuration, Parameters, and Results
A.2.3.2. Abstract Security Block A.2.3.2. Abstract Security Block
skipping to change at page 41, line 35 skipping to change at page 42, line 35
[1], / Security Target - Payload block / [1], / Security Target - Payload block /
2, / Security Context ID - BCB-AES-GCM / 2, / Security Context ID - BCB-AES-GCM /
1, / Security Context Flags - Parameters Present / 1, / Security Context Flags - Parameters Present /
[2,[2, 1]], / Security Source - ipn:2.1 / [2,[2, 1]], / Security Source - ipn:2.1 /
[ / Security Parameters - 4 Parameters / [ / Security Parameters - 4 Parameters /
[1, h'5477656c7665313231323132'], / Initialization Vector / [1, h'5477656c7665313231323132'], / Initialization Vector /
[2, 1], / AES Variant - A128GCM / [2, 1], / AES Variant - A128GCM /
[3, h'69c411276fecddc4780df42c8a / AES wrapped key / [3, h'69c411276fecddc4780df42c8a / AES wrapped key /
2af89296fabf34d7fae700'], 2af89296fabf34d7fae700'],
[4, h'00'] / Scope Flags - No extra scope/ [4, 0x00] / Scope Flags - No extra scope/
], ],
[ / Security Results: 1 Result / [ / Security Results: 1 Result /
[1, h'da08f4d8936024ad7c6b3b800e73dd97'] / Payload Auth. Tag / [1, h'da08f4d8936024ad7c6b3b800e73dd97'] / Payload Auth. Tag /
] ]
Figure 10: Example 2: BCB Abstract Security Block (CBOR Diagnostic Figure 10: Example 2: BCB Abstract Security Block (CBOR Diagnostic
Notation) Notation)
The CBOR encoding of the BCB block-type-specific-data field (the The CBOR encoding of the BCB block-type-specific-data field (the
abstract security block) is 0x8101020182028202018482014c5477656c76653 abstract security block) is 0x8101020182028202018482014c5477656c76653
skipping to change at page 45, line 22 skipping to change at page 46, line 22
For this example, the following configuration and security parameters For this example, the following configuration and security parameters
are used to generate the security results indicated. are used to generate the security results indicated.
This BIB has two security targets and includes two security results, This BIB has two security targets and includes two security results,
holding the calculated signatures over the bundle age block and holding the calculated signatures over the bundle age block and
primary block. primary block.
Key: h'1a2b1a2b1a2b1a2b1a2b1a2b1a2b1a2b' Key: h'1a2b1a2b1a2b1a2b1a2b1a2b1a2b1a2b'
SHA Variant: HMAC 256/256 SHA Variant: HMAC 256/256
Scope Flags: h'00' Scope Flags: 0x00
Primary Block Data: h'88070000820282010282028202018202 Primary Block Data: h'88070000820282010282028202018202
820201820018281a000f4240' 820201820018281a000f4240'
Bundle Age Block Bundle Age Block
Data: h'85070200004319012c' Data: h'85070200004319012c'
Primary Block Primary Block
Signature: h'8e059b8e71f7218264185a666bf3e453 Signature: h'8e059b8e71f7218264185a666bf3e453
076f2b883f4dce9b3cdb6464ed0dcf0f' 076f2b883f4dce9b3cdb6464ed0dcf0f'
Bundle Age Block Bundle Age Block
Signature: h'72dee8eba049a22978e84a95d0496466 Signature: h'72dee8eba049a22978e84a95d0496466
8eb131b1ca4800c114206d70d9065c80' 8eb131b1ca4800c114206d70d9065c80'
skipping to change at page 46, line 11 skipping to change at page 47, line 11
The abstract security block structure of the BIB's block-type- The abstract security block structure of the BIB's block-type-
specific-data field for this application is as follows. specific-data field for this application is as follows.
[0, 2], / Security Targets / [0, 2], / Security Targets /
1, / Security Context ID - BIB-HMAC-SHA2 / 1, / Security Context ID - BIB-HMAC-SHA2 /
1, / Security Context Flags - Parameters Present / 1, / Security Context Flags - Parameters Present /
[2,[3, 0]], / Security Source - ipn:3.0 / [2,[3, 0]], / Security Source - ipn:3.0 /
[ / Security Parameters - 2 Parameters / [ / Security Parameters - 2 Parameters /
[1, 5], / SHA Variant - HMAC 256/256 / [1, 5], / SHA Variant - HMAC 256/256 /
[3, h'00'] / Scope Flags - No Additional Scope / [3, 0x00] / Scope Flags - No Additional Scope /
], ],
[ / Security Results: 2 Results / [ / Security Results: 2 Results /
[1, h'8e059b8e71f7218264185a666bf3e453 [1, h'8e059b8e71f7218264185a666bf3e453
076f2b883f4dce9b3cdb6464ed0dcf0f'], / Primary Block / 076f2b883f4dce9b3cdb6464ed0dcf0f'], / Primary Block /
[1, h'72dee8eba049a22978e84a95d0496466 [1, h'72dee8eba049a22978e84a95d0496466
8eb131b1ca4800c114206d70d9065c80'] / Bundle Age Block / 8eb131b1ca4800c114206d70d9065c80'] / Bundle Age Block /
] ]
Figure 16: Example 3: BIB Abstract Security Block (CBOR Diagnostic Figure 16: Example 3: BIB Abstract Security Block (CBOR Diagnostic
Notation) Notation)
skipping to change at page 47, line 24 skipping to change at page 48, line 24
This BCB has a single target, the payload block. Two security This BCB has a single target, the payload block. Two security
results are generated: cipher text which replaces the plain text results are generated: cipher text which replaces the plain text
block-type-specific data to encrypt the payload block, and an block-type-specific data to encrypt the payload block, and an
authentication tag. authentication tag.
Content Encryption Content Encryption
Key: h'71776572747975696f70617364666768' Key: h'71776572747975696f70617364666768'
IV: h'5477656c7665313231323132' IV: h'5477656c7665313231323132'
AES Variant: A128GCM AES Variant: A128GCM
Scope Flags: h'00' Scope Flags: 0x00
Payload Data: h'52656164792047656e65726174652061 Payload Data: h'52656164792047656e65726174652061
2033322062797465207061796c6f6164' 2033322062797465207061796c6f6164'
Authentication Tag: h'da08f4d8936024ad7c6b3b800e73dd97' Authentication Tag: h'da08f4d8936024ad7c6b3b800e73dd97'
Payload Ciphertext: h'3a09c1e63fe2097528a78b7c12943354 Payload Ciphertext: h'3a09c1e63fe2097528a78b7c12943354
a563e32648b700c2784e26a990d91f9d' a563e32648b700c2784e26a990d91f9d'
Figure 18: Example 3: Configuration, Parameters, and Results for the Figure 18: Example 3: Configuration, Parameters, and Results for the
BCB BCB
A.3.4.2. Abstract Security Block A.3.4.2. Abstract Security Block
skipping to change at page 48, line 12 skipping to change at page 49, line 12
The abstract security block structure of the BCB's block-type- The abstract security block structure of the BCB's block-type-
specific-data field for this application is as follows. specific-data field for this application is as follows.
[1], / Security Target - Payload block / [1], / Security Target - Payload block /
2, / Security Context ID - BCB-AES-GCM / 2, / Security Context ID - BCB-AES-GCM /
1, / Security Context Flags - Parameters Present / 1, / Security Context Flags - Parameters Present /
[2,[2, 1]], / Security Source - ipn:2.1 / [2,[2, 1]], / Security Source - ipn:2.1 /
[ / Security Parameters - 3 Parameters / [ / Security Parameters - 3 Parameters /
[1, h'5477656c7665313231323132'], / Initialization Vector / [1, h'5477656c7665313231323132'], / Initialization Vector /
[2, 1], / AES Variant - AES 128 / [2, 1], / AES Variant - AES 128 /
[4, h'00'] / Scope Flags - No Additional Scope / [4, 0x00] / Scope Flags - No Additional Scope /
], ],
[ / Security Results: 1 Result / [ / Security Results: 1 Result /
[1, h'da08f4d8936024ad7c6b3b800e73dd97'] / Payload Auth. Tag / [1, h'da08f4d8936024ad7c6b3b800e73dd97'] / Payload Auth. Tag /
] ]
Figure 19: Example 3: BCB Abstract Security Block (CBOR Diagnostic Figure 19: Example 3: BCB Abstract Security Block (CBOR Diagnostic
Notation) Notation)
The CBOR encoding of the BCB block-type-specific-data field (the The CBOR encoding of the BCB block-type-specific-data field (the
abstract security block) is 0x8101020182028202018382014c5477656c76653 abstract security block) is 0x8101020182028202018382014c5477656c76653
skipping to change at page 51, line 7 skipping to change at page 52, line 7
A.4.3.1. Configuration, Parameters, and Results A.4.3.1. Configuration, Parameters, and Results
For this example, the following configuration and security parameters For this example, the following configuration and security parameters
are used to generate the security results indicated. are used to generate the security results indicated.
This BIB has a single target and includes a single security result: This BIB has a single target and includes a single security result:
the calculated signature over the Payload block. the calculated signature over the Payload block.
Key: h'1a2b1a2b1a2b1a2b1a2b1a2b1a2b1a2b' Key: h'1a2b1a2b1a2b1a2b1a2b1a2b1a2b1a2b'
SHA Variant: HMAC 384/384 SHA Variant: HMAC 384/384
Scope Flags: h'07' (all additional headers) Scope Flags: 0x07 (all additional headers)
Primary Block Data: h'88070000820282010282028202018202 Primary Block Data: h'88070000820282010282028202018202
820201820018281a000f4240 820201820018281a000f4240
Payload Data: h'52656164792047656e65726174652061 Payload Data: h'52656164792047656e65726174652061
2033322062797465207061796c6f6164' 2033322062797465207061796c6f6164'
Payload Header: h'85010100005820' Payload Header: h'85010100005820'
BIB Header: h'850b0300005845' BIB Header: h'850b0300005845'
Payload Signature: h'07c84d929f83bee4690130729d77a1bd Payload Signature: h'07c84d929f83bee4690130729d77a1bd
da9611cd6598e73d0659073ea74e8c27 da9611cd6598e73d0659073ea74e8c27
523b02193cb8ba64be58dbc556887aca 523b02193cb8ba64be58dbc556887aca
skipping to change at page 51, line 32 skipping to change at page 52, line 32
The abstract security block structure of the BIB's block-type- The abstract security block structure of the BIB's block-type-
specific-data field for this application is as follows. specific-data field for this application is as follows.
[1], / Security Target - Payload block / [1], / Security Target - Payload block /
1, / Security Context ID - BIB-HMAC-SHA2 / 1, / Security Context ID - BIB-HMAC-SHA2 /
1, / Security Context Flags - Parameters Present / 1, / Security Context Flags - Parameters Present /
[2,[2, 1]], / Security Source - ipn:2.1 / [2,[2, 1]], / Security Source - ipn:2.1 /
[ / Security Parameters - 2 Parameters / [ / Security Parameters - 2 Parameters /
[1, 6], / SHA Variant - HMAC 384/384 / [1, 6], / SHA Variant - HMAC 384/384 /
[3, h'07'] / Scope Flags - All additional headers in the SHA Hash / [3, 0x07] / Scope Flags - All additional headers in the SHA Hash /
], ],
[ / Security Results: 1 Result / [ / Security Results: 1 Result /
[1, h'07c84d929f83bee4690130729d77a1bdda9611cd6598e73d [1, h'07c84d929f83bee4690130729d77a1bdda9611cd6598e73d
0659073ea74e8c27523b02193cb8ba64be58dbc556887aca'] 0659073ea74e8c27523b02193cb8ba64be58dbc556887aca']
] ]
Figure 24: Example 4: BIB Abstract Security Block (CBOR Diagnostic Figure 24: Example 4: BIB Abstract Security Block (CBOR Diagnostic
Notation) Notation)
The CBOR encoding of the BIB block-type-specific-data field (the The CBOR encoding of the BIB block-type-specific-data field (the
skipping to change at page 53, line 9 skipping to change at page 54, line 9
This BCB has two targets: the payload block and BIB. Four security This BCB has two targets: the payload block and BIB. Four security
results are generated: cipher text which replaces the plain text results are generated: cipher text which replaces the plain text
block-type-specific data of the payload block, cipher text to encrypt block-type-specific data of the payload block, cipher text to encrypt
the BIB, and authentication tags for both the payload block and BIB. the BIB, and authentication tags for both the payload block and BIB.
Key: h'71776572747975696f70617364666768 Key: h'71776572747975696f70617364666768
71776572747975696f70617364666768' 71776572747975696f70617364666768'
IV: h'5477656c7665313231323132' IV: h'5477656c7665313231323132'
AES Variant: A256GCM AES Variant: A256GCM
Scope Flags: h'07' (All additional headers) Scope Flags: 0x07 (All additional headers)
Payload Data: h'52656164792047656e65726174652061 Payload Data: h'52656164792047656e65726174652061
2033322062797465207061796c6f6164' 2033322062797465207061796c6f6164'
BIB Data: h'81010101820282020182820106820307 BIB Data: h'81010101820282020182820106820307
818201583007c84d929f83bee4690130 818201583007c84d929f83bee4690130
729d77a1bdda9611cd6598e73d065907 729d77a1bdda9611cd6598e73d065907
3ea74e8c27523b02193cb8ba64be58db 3ea74e8c27523b02193cb8ba64be58db
c556887aca c556887aca
BIB BIB
Authentication Tag: h'c95ed4534769b046d716e1cdfd00830e' Authentication Tag: h'c95ed4534769b046d716e1cdfd00830e'
Payload Block Payload Block
skipping to change at page 53, line 44 skipping to change at page 54, line 44
The abstract security block structure of the BCB's block-type- The abstract security block structure of the BCB's block-type-
specific-data field for this application is as follows. specific-data field for this application is as follows.
[3, 1], / Security Targets / [3, 1], / Security Targets /
2, / Security Context ID - BCB-AES-GCM / 2, / Security Context ID - BCB-AES-GCM /
1, / Security Context Flags - Parameters Present / 1, / Security Context Flags - Parameters Present /
[2,[2, 1]], / Security Source - ipn:2.1 / [2,[2, 1]], / Security Source - ipn:2.1 /
[ / Security Parameters - 3 Parameters / [ / Security Parameters - 3 Parameters /
[1, h'5477656c7665313231323132'], / Initialization Vector / [1, h'5477656c7665313231323132'], / Initialization Vector /
[2, 3], / AES Variant - AES 256 / [2, 3], / AES Variant - AES 256 /
[4, h'07'] / Scope Flags - All headers in SHA hash / [4, 0x07] / Scope Flags - All headers in SHA hash /
], ],
[ / Security Results: 2 Results / [ / Security Results: 2 Results /
[1, h'c95ed4534769b046d716e1cdfd00830e'], / BIB Auth. Tag / [1, h'c95ed4534769b046d716e1cdfd00830e'], / BIB Auth. Tag /
[1, h'0e365c700e4bb19c0d991faff5345aff'] / Payload Auth. Tag / [1, h'0e365c700e4bb19c0d991faff5345aff'] / Payload Auth. Tag /
] ]
Figure 27: Example 4: BCB Abstract Security Block (CBOR Diagnostic Figure 27: Example 4: BCB Abstract Security Block (CBOR Diagnostic
Notation) Notation)
The CBOR encoding of the BCB block-type-specific-data field (the The CBOR encoding of the BCB block-type-specific-data field (the
 End of changes. 21 change blocks. 
57 lines changed or deleted 59 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/