rfc9202.original | rfc9202.txt | |||
---|---|---|---|---|
ACE Working Group S. Gerdes | Internet Engineering Task Force (IETF) S. Gerdes | |||
Internet-Draft O. Bergmann | Request for Comments: 9202 O. Bergmann | |||
Intended status: Standards Track C. Bormann | Category: Standards Track C. Bormann | |||
Expires: 6 December 2021 Universität Bremen TZI | ISSN: 2070-1721 Universität Bremen TZI | |||
G. Selander | G. Selander | |||
Ericsson AB | Ericsson AB | |||
L. Seitz | L. Seitz | |||
Combitech | Combitech | |||
4 June 2021 | March 2022 | |||
Datagram Transport Layer Security (DTLS) Profile for Authentication and | Datagram Transport Layer Security (DTLS) Profile for Authentication and | |||
Authorization for Constrained Environments (ACE) | Authorization for Constrained Environments (ACE) | |||
draft-ietf-ace-dtls-authorize-18 | ||||
Abstract | Abstract | |||
This specification defines a profile of the ACE framework that allows | This specification defines a profile of the Authentication and | |||
constrained servers to delegate client authentication and | Authorization for Constrained Environments (ACE) framework that | |||
allows constrained servers to delegate client authentication and | ||||
authorization. The protocol relies on DTLS version 1.2 for | authorization. The protocol relies on DTLS version 1.2 for | |||
communication security between entities in a constrained network | communication security between entities in a constrained network | |||
using either raw public keys or pre-shared keys. A resource- | using either raw public keys or pre-shared keys. A resource- | |||
constrained server can use this protocol to delegate management of | constrained server can use this protocol to delegate management of | |||
authorization information to a trusted host with less severe | authorization information to a trusted host with less-severe | |||
limitations regarding processing power and memory. | limitations regarding processing power and memory. | |||
Status of This Memo | Status of This Memo | |||
This Internet-Draft is submitted in full conformance with the | This is an Internet Standards Track document. | |||
provisions of BCP 78 and BCP 79. | ||||
Internet-Drafts are working documents of the Internet Engineering | ||||
Task Force (IETF). Note that other groups may also distribute | ||||
working documents as Internet-Drafts. The list of current Internet- | ||||
Drafts is at https://datatracker.ietf.org/drafts/current/. | ||||
Internet-Drafts are draft documents valid for a maximum of six months | This document is a product of the Internet Engineering Task Force | |||
and may be updated, replaced, or obsoleted by other documents at any | (IETF). It represents the consensus of the IETF community. It has | |||
time. It is inappropriate to use Internet-Drafts as reference | received public review and has been approved for publication by the | |||
material or to cite them other than as "work in progress." | Internet Engineering Steering Group (IESG). Further information on | |||
Internet Standards is available in Section 2 of RFC 7841. | ||||
This Internet-Draft will expire on 6 December 2021. | Information about the current status of this document, any errata, | |||
and how to provide feedback on it may be obtained at | ||||
https://www.rfc-editor.org/info/rfc9202. | ||||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2022 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents | |||
license-info) in effect on the date of publication of this document. | (https://trustee.ietf.org/license-info) in effect on the date of | |||
Please review these documents carefully, as they describe your rights | publication of this document. Please review these documents | |||
and restrictions with respect to this document. Code Components | carefully, as they describe your rights and restrictions with respect | |||
extracted from this document must include Simplified BSD License text | to this document. Code Components extracted from this document must | |||
as described in Section 4.e of the Trust Legal Provisions and are | include Revised BSD License text as described in Section 4.e of the | |||
provided without warranty as described in the Simplified BSD License. | Trust Legal Provisions and are provided without warranty as described | |||
in the Revised BSD License. | ||||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction | |||
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 | 1.1. Terminology | |||
2. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 4 | 2. Protocol Overview | |||
3. Protocol Flow . . . . . . . . . . . . . . . . . . . . . . . . 6 | 3. Protocol Flow | |||
3.1. Communication Between the Client and the Authorization | 3.1. Communication between the Client and the Authorization | |||
Server . . . . . . . . . . . . . . . . . . . . . . . . . 6 | Server | |||
3.2. Raw Public Key Mode . . . . . . . . . . . . . . . . . . . 7 | 3.2. Raw Public Key Mode | |||
3.2.1. Access Token Retrieval from the Authorization | 3.2.1. Access Token Retrieval from the Authorization Server | |||
Server . . . . . . . . . . . . . . . . . . . . . . . 7 | 3.2.2. DTLS Channel Setup between the Client and Resource | |||
3.2.2. DTLS Channel Setup Between Client and Resource | Server | |||
Server . . . . . . . . . . . . . . . . . . . . . . . 9 | 3.3. PreSharedKey Mode | |||
3.3. PreSharedKey Mode . . . . . . . . . . . . . . . . . . . . 10 | 3.3.1. Access Token Retrieval from the Authorization Server | |||
3.3.1. Access Token Retrieval from the Authorization | 3.3.2. DTLS Channel Setup between the Client and Resource | |||
Server . . . . . . . . . . . . . . . . . . . . . . . 11 | Server | |||
3.3.2. DTLS Channel Setup Between Client and Resource | 3.4. Resource Access | |||
Server . . . . . . . . . . . . . . . . . . . . . . . 15 | 4. Dynamic Update of Authorization Information | |||
3.4. Resource Access . . . . . . . . . . . . . . . . . . . . . 17 | 5. Token Expiration | |||
4. Dynamic Update of Authorization Information . . . . . . . . . 19 | 6. Secure Communication with an Authorization Server | |||
5. Token Expiration . . . . . . . . . . . . . . . . . . . . . . 20 | 7. Security Considerations | |||
6. Secure Communication with an Authorization Server . . . . . . 20 | 7.1. Reuse of Existing Sessions | |||
7. Security Considerations . . . . . . . . . . . . . . . . . . . 21 | 7.2. Multiple Access Tokens | |||
7.1. Reuse of Existing Sessions . . . . . . . . . . . . . . . 23 | 7.3. Out-of-Band Configuration | |||
7.2. Multiple Access Tokens . . . . . . . . . . . . . . . . . 23 | 8. Privacy Considerations | |||
7.3. Out-of-Band Configuration . . . . . . . . . . . . . . . . 23 | 9. IANA Considerations | |||
8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 24 | 10. References | |||
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24 | 10.1. Normative References | |||
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 25 | 10.2. Informative References | |||
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 25 | Acknowledgments | |||
11.1. Normative References . . . . . . . . . . . . . . . . . . 25 | Authors' Addresses | |||
11.2. Informative References . . . . . . . . . . . . . . . . . 27 | ||||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 28 | ||||
1. Introduction | 1. Introduction | |||
This specification defines a profile of the ACE framework | This specification defines a profile of the ACE framework [RFC9200]. | |||
[I-D.ietf-ace-oauth-authz]. In this profile, a client and a resource | In this profile, a client (C) and a resource server (RS) use the | |||
server use CoAP [RFC7252] over DTLS version 1.2 [RFC6347] to | Constrained Application Protocol (CoAP) [RFC7252] over DTLS version | |||
communicate. This specification uses DTLS 1.2 terminology, but later | 1.2 [RFC6347] to communicate. This specification uses DTLS 1.2 | |||
versions such as DTLS 1.3 can be used instead. The client obtains an | terminology, but later versions such as DTLS 1.3 can be used instead. | |||
access token, bound to a key (the proof-of-possession key), from an | The client obtains an access token bound to a key (the proof-of- | |||
authorization server to prove its authorization to access protected | possession (PoP) key) from an authorization server (AS) to prove its | |||
resources hosted by the resource server. Also, the client and the | authorization to access protected resources hosted by the resource | |||
resource server are provided by the authorization server with the | server. Also, the client and the resource server are provided by the | |||
necessary keying material to establish a DTLS session. The | authorization server with the necessary keying material to establish | |||
communication between client and authorization server may also be | a DTLS session. The communication between the client and | |||
secured with DTLS. This specification supports DTLS with Raw Public | authorization server may also be secured with DTLS. This | |||
Keys (RPK) [RFC7250] and with Pre-Shared Keys (PSK) [RFC4279]. How | specification supports DTLS with raw public keys (RPKs) [RFC7250] and | |||
token introspection [RFC7662] is performed between RS and AS is out | with pre-shared keys (PSKs) [RFC4279]. How token introspection | |||
of scope for this specification. | [RFC7662] is performed between the RS and AS is out of scope for this | |||
specification. | ||||
The ACE framework requires that client and server mutually | The ACE framework requires that the client and server mutually | |||
authenticate each other before any application data is exchanged. | authenticate each other before any application data is exchanged. | |||
DTLS enables mutual authentication if both client and server prove | DTLS enables mutual authentication if both the client and server | |||
their ability to use certain keying material in the DTLS handshake. | prove their ability to use certain keying material in the DTLS | |||
The authorization server assists in this process on the server side | handshake. The authorization server assists in this process on the | |||
by incorporating keying material (or information about keying | server side by incorporating keying material (or information about | |||
material) into the access token, which is considered a "proof of | keying material) into the access token, which is considered a "proof- | |||
possession" token. | of-possession" token. | |||
In the RPK mode, the client proves that it can use the RPK bound to | In the RPK mode, the client proves that it can use the RPK bound to | |||
the token and the server shows that it can use a certain RPK. | the token and the server shows that it can use a certain RPK. | |||
The resource server needs access to the token in order to complete | The resource server needs access to the token in order to complete | |||
this exchange. For the RPK mode, the client must upload the access | this exchange. For the RPK mode, the client must upload the access | |||
token to the resource server before initiating the handshake, as | token to the resource server before initiating the handshake, as | |||
described in Section 5.10.1 of the ACE framework | described in Section 5.10.1 of the ACE framework [RFC9200]. | |||
[I-D.ietf-ace-oauth-authz]. | ||||
In the PSK mode, client and server show with the DTLS handshake that | In the PSK mode, the client and server show with the DTLS handshake | |||
they can use the keying material that is bound to the access token. | that they can use the keying material that is bound to the access | |||
To transfer the access token from the client to the resource server, | token. To transfer the access token from the client to the resource | |||
the "psk_identity" parameter in the DTLS PSK handshake may be used | server, the psk_identity parameter in the DTLS PSK handshake may be | |||
instead of uploading the token prior to the handshake. | used instead of uploading the token prior to the handshake. | |||
As recommended in Section 5.8 of [I-D.ietf-ace-oauth-authz], this | As recommended in Section 5.8 of [RFC9200], this specification uses | |||
specification uses CBOR web tokens to convey claims within an access | Concise Binary Object Representation (CBOR) web tokens to convey | |||
token issued by the server. While other formats could be used as | claims within an access token issued by the server. While other | |||
well, those are out of scope for this document. | formats could be used as well, those are out of scope for this | |||
document. | ||||
1.1. Terminology | 1.1. Terminology | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
"OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
14 [RFC2119] [RFC8174] when, and only when, they appear in all | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
capitals, as shown here. | capitals, as shown here. | |||
Readers are expected to be familiar with the terms and concepts | Readers are expected to be familiar with the terms and concepts | |||
described in [I-D.ietf-ace-oauth-authz] and in | described in [RFC9200] and [RFC9201]. | |||
[I-D.ietf-ace-oauth-params]. | ||||
The authorization information (authz-info) resource refers to the | The authorization information (authz-info) resource refers to the | |||
authorization information endpoint as specified in | authorization information endpoint, as specified in [RFC9200]. The | |||
[I-D.ietf-ace-oauth-authz]. The term "claim" is used in this | term claim is used in this document with the same semantics as in | |||
document with the same semantics as in [I-D.ietf-ace-oauth-authz], | [RFC9200], i.e., it denotes information carried in the access token | |||
i.e., it denotes information carried in the access token or returned | or returned from introspection. | |||
from introspection. | ||||
2. Protocol Overview | 2. Protocol Overview | |||
The CoAP-DTLS profile for ACE specifies the transfer of | The CoAP-DTLS profile for ACE specifies the transfer of | |||
authentication information and, if necessary, authorization | authentication information and, if necessary, authorization | |||
information between the client (C) and the resource server (RS) | information between the client (C) and the resource server (RS) | |||
during setup of a DTLS session for CoAP messaging. It also specifies | during setup of a DTLS session for CoAP messaging. It also specifies | |||
how the client can use CoAP over DTLS to retrieve an access token | how the client can use CoAP over DTLS to retrieve an access token | |||
from the authorization server (AS) for a protected resource hosted on | from the authorization server (AS) for a protected resource hosted on | |||
the resource server. As specified in Section 6.7 of | the resource server. As specified in Section 6.7 of [RFC9200], use | |||
[I-D.ietf-ace-oauth-authz], use of DTLS for one or both of these | of DTLS for one or both of these interactions is completely | |||
interactions is completely independent. | independent. | |||
This profile requires the client to retrieve an access token for | This profile requires the client to retrieve an access token for the | |||
protected resource(s) it wants to access on the resource server as | protected resource(s) it wants to access on the resource server, as | |||
specified in [I-D.ietf-ace-oauth-authz]. Figure 1 shows the typical | specified in [RFC9200]. Figure 1 shows the typical message flow in | |||
message flow in this scenario (messages in square brackets are | this scenario (messages in square brackets are optional): | |||
optional): | ||||
--> | ||||
C RS AS | C RS AS | |||
| [---- Resource Request ------>]| | | | [---- Resource Request ------>]| | | |||
| | | | | | | | |||
| [<-AS Request Creation Hints-] | | | | [<-AS Request Creation Hints-] | | | |||
| | | | | | | | |||
| ------- Token Request ----------------------------> | | | ------- Token Request ----------------------------> | | |||
| | | | | | | | |||
| <---------------------------- Access Token --------- | | | <---------------------------- Access Token --------- | | |||
| + Access Information | | | + Access Information | | |||
Figure 1: Retrieving an Access Token | Figure 1: Retrieving an Access Token | |||
To determine the authorization server in charge of a resource hosted | To determine the authorization server in charge of a resource hosted | |||
at the resource server, the client can send an initial Unauthorized | at the resource server, the client can send an initial Unauthorized | |||
Resource Request message to the resource server. The resource server | Resource Request message to the resource server. The resource server | |||
then denies the request and sends an AS Request Creation Hints | then denies the request and sends an AS Request Creation Hints | |||
message containing the address of its authorization server back to | message containing the address of its authorization server back to | |||
the client as specified in Section 5.3 of [I-D.ietf-ace-oauth-authz]. | the client, as specified in Section 5.3 of [RFC9200]. | |||
Once the client knows the authorization server's address, it can send | Once the client knows the authorization server's address, it can send | |||
an access token request to the token endpoint at the authorization | an access token request to the token endpoint at the authorization | |||
server as specified in [I-D.ietf-ace-oauth-authz]. As the access | server, as specified in [RFC9200]. As the access token request and | |||
token request as well as the response may contain confidential data, | the response may contain confidential data, the communication between | |||
the communication between the client and the authorization server | the client and the authorization server must be confidentiality | |||
must be confidentiality-protected and ensure authenticity. The | protected and ensure authenticity. The client is expected to have | |||
client is expected to have been registered at the authorization | been registered at the authorization server, as outlined in Section 4 | |||
server as outlined in Section 4 of [I-D.ietf-ace-oauth-authz]. | of [RFC9200]. | |||
The access token returned by the authorization server can then be | The access token returned by the authorization server can then be | |||
used by the client to establish a new DTLS session with the resource | used by the client to establish a new DTLS session with the resource | |||
server. When the client intends to use an asymmetric proof-of- | server. When the client intends to use an asymmetric proof-of- | |||
possession key in the DTLS handshake with the resource server, the | possession key in the DTLS handshake with the resource server, the | |||
client MUST upload the access token to the authz-info resource, i.e. | client MUST upload the access token to the authz-info resource, i.e., | |||
the authz-info endpoint, on the resource server before starting the | the authz-info endpoint, on the resource server before starting the | |||
DTLS handshake, as described in Section 5.10.1 of | DTLS handshake, as described in Section 5.10.1 of [RFC9200]. In case | |||
[I-D.ietf-ace-oauth-authz]. In case the client uses a symmetric | the client uses a symmetric proof-of-possession key in the DTLS | |||
proof-of-possession key in the DTLS handshake, the procedure as above | handshake, the procedure above MAY be used, or alternatively the | |||
MAY be used, or alternatively, the access token MAY instead be | access token MAY instead be transferred in the DTLS ClientKeyExchange | |||
transferred in the DTLS ClientKeyExchange message (see | message (see Section 3.3.2). In any case, DTLS MUST be used in a | |||
Section 3.3.2). In any case, DTLS MUST be used in a mode that | mode that provides replay protection. | |||
provides replay protection. | ||||
Figure 2 depicts the common protocol flow for the DTLS profile after | Figure 2 depicts the common protocol flow for the DTLS profile after | |||
the client has retrieved the access token from the authorization | the client has retrieved the access token from the authorization | |||
server, AS. | server (AS). | |||
C RS AS | C RS AS | |||
| [--- Access Token ------>] | | | | [--- Access Token ------>] | | | |||
| | | | | | | | |||
| <== DTLS channel setup ==> | | | | <== DTLS channel setup ==> | | | |||
| | | | | | | | |||
| == Authorized Request ===> | | | | == Authorized Request ===> | | | |||
| | | | | | | | |||
| <=== Protected Resource == | | | | <=== Protected Resource == | | | |||
Figure 2: Protocol overview | Figure 2: Protocol Overview | |||
3. Protocol Flow | 3. Protocol Flow | |||
The following sections specify how CoAP is used to interchange | The following sections specify how CoAP is used to interchange | |||
access-related data between the resource server, the client and the | access-related data between the resource server, the client, and the | |||
authorization server so that the authorization server can provide the | authorization server so that the authorization server can provide the | |||
client and the resource server with sufficient information to | client and the resource server with sufficient information to | |||
establish a secure channel, and convey authorization information | establish a secure channel and convey authorization information | |||
specific for this communication relationship to the resource server. | specific for this communication relationship to the resource server. | |||
Section 3.1 describes how the communication between the client (C) | Section 3.1 describes how the communication between the client (C) | |||
and the authorization server (AS) must be secured. Depending on the | and the authorization server (AS) must be secured. Depending on the | |||
used CoAP security mode (see also Section 9 of [RFC7252], the Client- | used CoAP security mode (see also Section 9 of [RFC7252]), the | |||
to-AS request, AS-to-Client response and DTLS session establishment | client-to-AS request, AS-to-client response, and DTLS session | |||
carry slightly different information. Section 3.2 addresses the use | establishment carry slightly different information. Section 3.2 | |||
of raw public keys while Section 3.3 defines how pre-shared keys are | addresses the use of raw public keys, while Section 3.3 defines how | |||
used in this profile. | pre-shared keys are used in this profile. | |||
3.1. Communication Between the Client and the Authorization Server | 3.1. Communication between the Client and the Authorization Server | |||
To retrieve an access token for the resource that the client wants to | To retrieve an access token for the resource that the client wants to | |||
access, the client requests an access token from the authorization | access, the client requests an access token from the authorization | |||
server. Before the client can request the access token, the client | server. Before the client can request the access token, the client | |||
and the authorization server MUST establish a secure communication | and the authorization server MUST establish a secure communication | |||
channel. This profile assumes that the keying material to secure | channel. This profile assumes that the keying material to secure | |||
this communication channel has securely been obtained either by | this communication channel has securely been obtained either by | |||
manual configuration or in an automated provisioning process. The | manual configuration or in an automated provisioning process. The | |||
following requirements in alignment with Section 6.5 of | following requirements, in alignment with Section 6.5 of [RFC9200], | |||
[I-D.ietf-ace-oauth-authz] therefore must be met: | therefore must be met: | |||
* The client MUST securely have obtained keying material to | * The client MUST securely have obtained keying material to | |||
communicate with the authorization server. | communicate with the authorization server. | |||
* Furthermore, the client MUST verify that the authorization server | * Furthermore, the client MUST verify that the authorization server | |||
is authorized to provide access tokens (including authorization | is authorized to provide access tokens (including authorization | |||
information) about the resource server to the client, and that | information) about the resource server to the client and that this | |||
this authorization information about the authorization server is | authorization information about the authorization server is still | |||
still valid. | valid. | |||
* Also, the authorization server MUST securely have obtained keying | * Also, the authorization server MUST securely have obtained keying | |||
material for the client, and obtained authorization rules approved | material for the client and obtained authorization rules approved | |||
by the resource owner (RO) concerning the client and the resource | by the resource owner (RO) concerning the client and the resource | |||
server that relate to this keying material. | server that relate to this keying material. | |||
The client and the authorization server MUST use their respective | The client and the authorization server MUST use their respective | |||
keying material for all exchanged messages. How the security | keying material for all exchanged messages. How the security | |||
association between the client and the authorization server is | association between the client and the authorization server is | |||
bootstrapped is not part of this document. The client and the | bootstrapped is not part of this document. The client and the | |||
authorization server must ensure the confidentiality, integrity and | authorization server must ensure the confidentiality, integrity, and | |||
authenticity of all exchanged messages within the ACE protocol. | authenticity of all exchanged messages within the ACE protocol. | |||
Section 6 specifies how communication with the authorization server | Section 6 specifies how communication with the authorization server | |||
is secured. | is secured. | |||
3.2. Raw Public Key Mode | 3.2. Raw Public Key Mode | |||
When the client uses raw public key authentication, the procedure is | When the client uses raw public key authentication, the procedure is | |||
as described in the following. | as described in the following. | |||
3.2.1. Access Token Retrieval from the Authorization Server | 3.2.1. Access Token Retrieval from the Authorization Server | |||
After the client and the authorization server mutually authenticated | After the client and the authorization server mutually authenticated | |||
each other and validated each other's authorization, the client sends | each other and validated each other's authorization, the client sends | |||
a token request to the authorization server's token endpoint. The | a token request to the authorization server's token endpoint. The | |||
client MUST add a "req_cnf" object carrying either its raw public key | client MUST add a req_cnf object carrying either its raw public key | |||
or a unique identifier for a public key that it has previously made | or a unique identifier for a public key that it has previously made | |||
known to the authorization server. It is RECOMMENDED that the client | known to the authorization server. It is RECOMMENDED that the client | |||
uses DTLS with the same keying material to secure the communication | uses DTLS with the same keying material to secure the communication | |||
with the authorization server, proving possession of the key as part | with the authorization server, proving possession of the key as part | |||
of the token request. Other mechanisms for proving possession of the | of the token request. Other mechanisms for proving possession of the | |||
key may be defined in the future. | key may be defined in the future. | |||
An example access token request from the client to the authorization | An example access token request from the client to the authorization | |||
server is depicted in Figure 3. | server is depicted in Figure 3. | |||
skipping to change at page 8, line 10 ¶ | skipping to change at line 324 ¶ | |||
} | } | |||
} | } | |||
Figure 3: Access Token Request Example for RPK Mode | Figure 3: Access Token Request Example for RPK Mode | |||
The example shows an access token request for the resource identified | The example shows an access token request for the resource identified | |||
by the string "tempSensor4711" on the authorization server using a | by the string "tempSensor4711" on the authorization server using a | |||
raw public key. | raw public key. | |||
The authorization server MUST check if the client that it | The authorization server MUST check if the client that it | |||
communicates with is associated with the RPK in the "req_cnf" | communicates with is associated with the RPK in the req_cnf parameter | |||
parameter before issuing an access token to it. If the authorization | before issuing an access token to it. If the authorization server | |||
server determines that the request is to be authorized according to | determines that the request is to be authorized according to the | |||
the respective authorization rules, it generates an access token | respective authorization rules, it generates an access token response | |||
response for the client. The access token MUST be bound to the RPK | for the client. The access token MUST be bound to the RPK of the | |||
of the client by means of the "cnf" claim. | client by means of the cnf claim. | |||
The response MUST contain an "ace_profile" parameter if | The response MUST contain an ace_profile parameter if the ace_profile | |||
the"ace_profile" parameter in the request is empty, and MAY contain | parameter in the request is empty and MAY contain this parameter | |||
this parameter otherwise (see Section 5.8.2 of | otherwise (see Section 5.8.2 of [RFC9200]). This parameter is set to | |||
[I-D.ietf-ace-oauth-authz]). This parameter is set to "coap_dtls" to | coap_dtls to indicate that this profile MUST be used for | |||
indicate that this profile MUST be used for communication between the | communication between the client and the resource server. The | |||
client and the resource server. The response also contains an access | response also contains an access token with information for the | |||
token with information for the resource server about the client's | resource server about the client's public key. The authorization | |||
public key. The authorization server MUST return in its response the | server MUST return in its response the parameter rs_cnf unless it is | |||
parameter "rs_cnf" unless it is certain that the client already knows | certain that the client already knows the public key of the resource | |||
the public key of the resource server. The authorization server MUST | server. The authorization server MUST ascertain that the RPK | |||
ascertain that the RPK specified in "rs_cnf" belongs to the resource | specified in rs_cnf belongs to the resource server that the client | |||
server that the client wants to communicate with. The authorization | wants to communicate with. The authorization server MUST protect the | |||
server MUST protect the integrity of the access token such that the | integrity of the access token such that the resource server can | |||
resource server can detect unauthorized changes. If the access token | detect unauthorized changes. If the access token contains | |||
contains confidential data, the authorization server MUST also | confidential data, the authorization server MUST also protect the | |||
protect the confidentiality of the access token. | confidentiality of the access token. | |||
The client MUST ascertain that the access token response belongs to a | The client MUST ascertain that the access token response belongs to a | |||
certain previously sent access token request, as the request may | certain, previously sent access token request, as the request may | |||
specify the resource server with which the client wants to | specify the resource server with which the client wants to | |||
communicate. | communicate. | |||
An example access token response from the authorization server to the | An example access token response from the authorization server to the | |||
client is depicted in Figure 4. Here, the contents of the | client is depicted in Figure 4. Here, the contents of the | |||
"access_token" claim have been truncated to improve readability. The | access_token claim have been truncated to improve readability. For | |||
response comprises access information for the client that contains | the client, the response comprises Access Information that contains | |||
the server's public key in the "rs_cnf" parameter. Caching proxies | the server's public key in the rs_cnf parameter. Caching proxies | |||
process the Max-Age option in the CoAP response which has a default | process the Max-Age option in the CoAP response, which has a default | |||
value of 60 seconds (Section 5.6.1 of [RFC7252]). The authorization | value of 60 seconds (Section 5.6.1 of [RFC7252]). The authorization | |||
server SHOULD adjust the Max-Age option such that it does not exceed | server SHOULD adjust the Max-Age option such that it does not exceed | |||
the "expires_in" parameter to avoid stale responses. | the expires_in parameter to avoid stale responses. | |||
2.01 Created | 2.01 Created | |||
Content-Format: application/ace+cbor | Content-Format: application/ace+cbor | |||
Max-Age: 3560 | Max-Age: 3560 | |||
Payload: | Payload: | |||
{ | { | |||
access_token : b64'SlAV32hkKG... | access_token : b64'SlAV32hkKG... | |||
(remainder of CWT omitted for brevity; | (remainder of CWT omitted for brevity; | |||
CWT contains the client's RPK in the cnf claim)', | CWT contains the client's RPK in the cnf claim)', | |||
expires_in : 3600, | expires_in : 3600, | |||
skipping to change at page 9, line 26 ¶ | skipping to change at line 384 ¶ | |||
kty : EC2, | kty : EC2, | |||
crv : P-256, | crv : P-256, | |||
x : h'd7cc072de2205bdc1537...', | x : h'd7cc072de2205bdc1537...', | |||
y : h'f95e1d4b851a2cc80fff...' | y : h'f95e1d4b851a2cc80fff...' | |||
} | } | |||
} | } | |||
} | } | |||
Figure 4: Access Token Response Example for RPK Mode | Figure 4: Access Token Response Example for RPK Mode | |||
3.2.2. DTLS Channel Setup Between Client and Resource Server | 3.2.2. DTLS Channel Setup between the Client and Resource Server | |||
Before the client initiates the DTLS handshake with the resource | Before the client initiates the DTLS handshake with the resource | |||
server, the client MUST send a "POST" request containing the obtained | server, the client MUST send a POST request containing the obtained | |||
access token to the authz-info resource hosted by the resource | access token to the authz-info resource hosted by the resource | |||
server. After the client receives a confirmation that the resource | server. After the client receives a confirmation that the resource | |||
server has accepted the access token, it proceeds to establish a new | server has accepted the access token, it proceeds to establish a new | |||
DTLS channel with the resource server. The client MUST use its | DTLS channel with the resource server. The client MUST use its | |||
correct public key in the DTLS handshake. If the authorization | correct public key in the DTLS handshake. If the authorization | |||
server has specified a "cnf" field in the access token response, the | server has specified a cnf field in the access token response, the | |||
client MUST use this key. Otherwise, the client MUST use the public | client MUST use this key. Otherwise, the client MUST use the public | |||
key that it specified in the "req_cnf" of the access token request. | key that it specified in the req_cnf of the access token request. | |||
The client MUST specify this public key in the SubjectPublicKeyInfo | The client MUST specify this public key in the SubjectPublicKeyInfo | |||
structure of the DTLS handshake as described in [RFC7250]. | structure of the DTLS handshake, as described in [RFC7250]. | |||
If the client does not have the keying material belonging to the | If the client does not have the keying material belonging to the | |||
public key, the client MAY try to send an access token request to the | public key, the client MAY try to send an access token request to the | |||
AS where it specifies its public key in the "req_cnf" parameter. If | AS, where it specifies its public key in the req_cnf parameter. If | |||
the AS still specifies a public key in the response that the client | the AS still specifies a public key in the response that the client | |||
does not have, the client SHOULD re-register with the authorization | does not have, the client SHOULD re-register with the authorization | |||
server to establish a new client public key. This process is out of | server to establish a new client public key. This process is out of | |||
scope for this document. | scope for this document. | |||
To be consistent with [RFC7252], which allows for shortened MAC tags | To be consistent with [RFC7252], which allows for shortened MAC tags | |||
in constrained environments, an implementation that supports the RPK | in constrained environments, an implementation that supports the RPK | |||
mode of this profile MUST at least support the cipher suite | mode of this profile MUST at least support the cipher suite | |||
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 [RFC7251]. As discussed in | TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 [RFC7251]. As discussed in | |||
[RFC7748], new Elliptic Curve Cryptography (ECC) curves have been | ||||
[RFC7748], new ECC curves have been defined recently that are | defined recently that are considered superior to the so-called NIST | |||
considered superior to the so-called NIST curves. Implementations of | curves. Implementations of this profile MUST therefore implement | |||
this profile therefore MUST implement support for curve25519 (cf. | support for curve25519 (cf. [RFC8032], [RFC8422]), as this curve is | |||
[RFC8032], [RFC8422]) as this curve said to be efficient and less | said to be efficient and less dangerous, regarding implementation | |||
dangerous regarding implementation errors than the secp256r1 curve | errors, than the secp256r1 curve mandated in [RFC7252]. | |||
mandated in [RFC7252]. | ||||
The resource server MUST check if the access token is still valid, if | The resource server MUST check if the access token is still valid, if | |||
the resource server is the intended destination (i.e., the audience) | the resource server is the intended destination (i.e., the audience) | |||
of the token, and if the token was issued by an authorized | of the token, and if the token was issued by an authorized | |||
authorization server (see also section 5.10.1.1 of | authorization server (see also Section 5.10.1.1 of [RFC9200]). The | |||
[I-D.ietf-ace-oauth-authz]). The access token is constructed by the | access token is constructed by the authorization server such that the | |||
authorization server such that the resource server can associate the | resource server can associate the access token with the client's | |||
access token with the Client's public key. The "cnf" claim MUST | public key. The cnf claim MUST contain either the client's RPK or, | |||
contain either the client's RPK or, if the key is already known by | if the key is already known by the resource server (e.g., from | |||
the resource server (e.g., from previous communication), a reference | previous communication), a reference to this key. If the | |||
to this key. If the authorization server has no certain knowledge | authorization server has no certain knowledge that the client's key | |||
that the Client's key is already known to the resource server, the | is already known to the resource server, the client's public key MUST | |||
Client's public key MUST be included in the access token's "cnf" | be included in the access token's cnf parameter. If CBOR web tokens | |||
parameter. If CBOR web tokens [RFC8392] are used (as recommended in | [RFC8392] are used (as recommended in [RFC9200]), keys MUST be | |||
[I-D.ietf-ace-oauth-authz]), keys MUST be encoded as specified in | encoded, as specified in [RFC8747]. A resource server MUST have the | |||
[RFC8747]. A resource server MUST have the capacity to store one | capacity to store one access token for every proof-of-possession key | |||
access token for every proof-of-possession key of every authorized | of every authorized client. | |||
client. | ||||
The raw public key used in the DTLS handshake with the client MUST | The raw public key used in the DTLS handshake with the client MUST | |||
belong to the resource server. If the resource server has several | belong to the resource server. If the resource server has several | |||
raw public keys, it needs to determine which key to use. The | raw public keys, it needs to determine which key to use. The | |||
authorization server can help with this decision by including a "cnf" | authorization server can help with this decision by including a cnf | |||
parameter in the access token that is associated with this | parameter in the access token that is associated with this | |||
communication. In this case, the resource server MUST use the | communication. In this case, the resource server MUST use the | |||
information from the "cnf" field to select the proper keying | information from the cnf field to select the proper keying material. | |||
material. | ||||
Thus, the handshake only finishes if the client and the resource | Thus, the handshake only finishes if the client and the resource | |||
server are able to use their respective keying material. | server are able to use their respective keying material. | |||
3.3. PreSharedKey Mode | 3.3. PreSharedKey Mode | |||
When the client uses pre-shared key authentication, the procedure is | When the client uses pre-shared key authentication, the procedure is | |||
as described in the following. | as described in the following. | |||
3.3.1. Access Token Retrieval from the Authorization Server | 3.3.1. Access Token Retrieval from the Authorization Server | |||
To retrieve an access token for the resource that the client wants to | To retrieve an access token for the resource that the client wants to | |||
access, the client MAY include a "cnf" object carrying an identifier | access, the client MAY include a cnf object carrying an identifier | |||
for a symmetric key in its access token request to the authorization | for a symmetric key in its access token request to the authorization | |||
server. This identifier can be used by the authorization server to | server. This identifier can be used by the authorization server to | |||
determine the shared secret to construct the proof-of-possession | determine the shared secret to construct the proof-of-possession | |||
token. The authorization server MUST check if the identifier refers | token. The authorization server MUST check if the identifier refers | |||
to a symmetric key that was previously generated by the authorization | to a symmetric key that was previously generated by the authorization | |||
server as a shared secret for the communication between this client | server as a shared secret for the communication between this client | |||
and the resource server. If no such symmetric key was found, the | and the resource server. If no such symmetric key was found, the | |||
authorization server MUST generate a new symmetric key that is | authorization server MUST generate a new symmetric key that is | |||
returned in its response to the client. | returned in its response to the client. | |||
The authorization server MUST determine the authorization rules for | The authorization server MUST determine the authorization rules for | |||
the client it communicates with as defined by the resource owner and | the client it communicates with, as defined by the resource owner, | |||
generate the access token accordingly. If the authorization server | and generate the access token accordingly. If the authorization | |||
authorizes the client, it returns an AS-to-Client response. If the | server authorizes the client, it returns an AS-to-client response. | |||
"ace_profile" parameter is present, it is set to "coap_dtls". The | If the ace_profile parameter is present, it is set to coap_dtls. The | |||
authorization server MUST ascertain that the access token is | authorization server MUST ascertain that the access token is | |||
generated for the resource server that the client wants to | generated for the resource server that the client wants to | |||
communicate with. Also, the authorization server MUST protect the | communicate with. Also, the authorization server MUST protect the | |||
integrity of the access token to ensure that the resource server can | integrity of the access token to ensure that the resource server can | |||
detect unauthorized changes. If the token contains confidential data | detect unauthorized changes. If the token contains confidential | |||
such as the symmetric key, the confidentiality of the token MUST also | data, such as the symmetric key, the confidentiality of the token | |||
be protected. Depending on the requested token type and algorithm in | MUST also be protected. Depending on the requested token type and | |||
the access token request, the authorization server adds access | algorithm in the access token request, the authorization server adds | |||
Information to the response that provides the client with sufficient | Access Information to the response that provides the client with | |||
information to setup a DTLS channel with the resource server. The | sufficient information to set up a DTLS channel with the resource | |||
authorization server adds a "cnf" parameter to the access information | server. The authorization server adds a cnf parameter to the Access | |||
carrying a "COSE_Key" object that informs the client about the shared | Information carrying a COSE_Key object that informs the client about | |||
secret that is to be used between the client and the resource server. | the shared secret that is to be used between the client and the | |||
To convey the same secret to the resource server, the authorization | resource server. To convey the same secret to the resource server, | |||
server can include it directly in the access token by means of the | the authorization server can include it directly in the access token | |||
"cnf" claim or provide sufficient information to enable the resource | by means of the cnf claim or provide sufficient information to enable | |||
server to derive the shared secret from the access token. As an | the resource server to derive the shared secret from the access | |||
alternative, the resource server MAY use token introspection to | token. As an alternative, the resource server MAY use token | |||
retrieve the keying material for this access token directly from the | introspection to retrieve the keying material for this access token | |||
authorization server. | directly from the authorization server. | |||
An example access token request for an access token with a symmetric | An example access token request for an access token with a symmetric | |||
proof-of-possession key is illustrated in Figure 5. | proof-of-possession key is illustrated in Figure 5. | |||
POST coaps://as.example.com/token | POST coaps://as.example.com/token | |||
Content-Format: application/ace+cbor | Content-Format: application/ace+cbor | |||
Payload: | Payload: | |||
{ | { | |||
audience : "smokeSensor1807", | audience : "smokeSensor1807", | |||
} | } | |||
Figure 5: Example Access Token Request, (implicit) symmetric PoP-key | Figure 5: Example Access Token Request, (Implicit) Symmetric PoP Key | |||
A corresponding example access token response is illustrated in | A corresponding example access token response is illustrated in | |||
Figure 6. In this example, the authorization server returns a 2.01 | Figure 6. In this example, the authorization server returns a 2.01 | |||
response containing a new access token (truncated to improve | response containing a new access token (truncated to improve | |||
readability) and information for the client, including the symmetric | readability) and information for the client, including the symmetric | |||
key in the cnf claim. The information is transferred as a CBOR data | key in the cnf claim. The information is transferred as a CBOR data | |||
structure as specified in [I-D.ietf-ace-oauth-authz]. | structure as specified in [RFC9200]. | |||
2.01 Created | 2.01 Created | |||
Content-Format: application/ace+cbor | Content-Format: application/ace+cbor | |||
Max-Age: 85800 | Max-Age: 85800 | |||
Payload: | Payload: | |||
{ | { | |||
access_token : h'd08343a10... | access_token : h'd08343a10... | |||
(remainder of CWT omitted for brevity) | (remainder of CWT omitted for brevity) | |||
token_type : PoP, | token_type : PoP, | |||
expires_in : 86400, | expires_in : 86400, | |||
profile : coap_dtls, | profile : coap_dtls, | |||
cnf : { | cnf : { | |||
COSE_Key : { | COSE_Key : { | |||
kty : symmetric, | kty : symmetric, | |||
kid : h'3d027833fc6267ce', | kid : h'3d027833fc6267ce', | |||
k : h'73657373696f6e6b6579' | k : h'73657373696f6e6b6579' | |||
} | } | |||
} | } | |||
} | } | |||
Figure 6: Example Access Token Response, symmetric PoP-key | Figure 6: Example Access Token Response, Symmetric PoP Key | |||
The access token also comprises a "cnf" claim. This claim usually | The access token also comprises a cnf claim. This claim usually | |||
contains a "COSE_Key" object [RFC8152] that carries either the | contains a COSE_Key object [RFC8152] that carries either the | |||
symmetric key itself or a key identifier that can be used by the | symmetric key itself or a key identifier that can be used by the | |||
resource server to determine the secret key it shares with the | resource server to determine the secret key it shares with the | |||
client. If the access token carries a symmetric key, the access | client. If the access token carries a symmetric key, the access | |||
token MUST be encrypted using a "COSE_Encrypt0" structure (see | token MUST be encrypted using a COSE_Encrypt0 structure (see | |||
section 7.1 of [RFC8392]). The authorization server MUST use the | Section 7.1 of [RFC8392]). The authorization server MUST use the | |||
keying material shared with the resource server to encrypt the token. | keying material shared with the resource server to encrypt the token. | |||
The "cnf" structure in the access token is provided in Figure 7. | The cnf structure in the access token is provided in Figure 7. | |||
cnf : { | cnf : { | |||
COSE_Key : { | COSE_Key : { | |||
kty : symmetric, | kty : symmetric, | |||
kid : h'3d027833fc6267ce' | kid : h'3d027833fc6267ce' | |||
} | } | |||
} | } | |||
Figure 7: Access Token without Keying Material | Figure 7: Access Token without Keying Material | |||
A response that declines any operation on the requested resource is | A response that declines any operation on the requested resource is | |||
constructed according to Section 5.2 of [RFC6749], (cf. | constructed according to Section 5.2 of [RFC6749] (cf. Section 5.8.3 | |||
Section 5.8.3. of [I-D.ietf-ace-oauth-authz]). Figure 8 shows an | of [RFC9200]). Figure 8 shows an example for a request that has been | |||
example for a request that has been rejected due to invalid request | rejected due to invalid request parameters. | |||
parameters. | ||||
4.00 Bad Request | 4.00 Bad Request | |||
Content-Format: application/ace+cbor | Content-Format: application/ace+cbor | |||
Payload: | Payload: | |||
{ | { | |||
error : invalid_request | error : invalid_request | |||
} | } | |||
Figure 8: Example Access Token Response With Reject | Figure 8: Example Access Token Response with Reject | |||
The method for how the resource server determines the symmetric key | The method for how the resource server determines the symmetric key | |||
from an access token containing only a key identifier is application- | from an access token containing only a key identifier is application | |||
specific; the remainder of this section provides one example. | specific; the remainder of this section provides one example. | |||
The authorization server and the resource server are assumed to share | The authorization server and the resource server are assumed to share | |||
a key derivation key used to derive the symmetric key shared with the | a key derivation key used to derive the symmetric key shared with the | |||
client from the key identifier in the access token. The key | client from the key identifier in the access token. The key | |||
derivation key may be derived from some other secret key shared | derivation key may be derived from some other secret key shared | |||
between the authorization server and the resource server. This key | between the authorization server and the resource server. This key | |||
needs to be securely stored and processed in the same way as the key | needs to be securely stored and processed in the same way as the key | |||
used to protect the communication between the authorization server | used to protect the communication between the authorization server | |||
and the resource server. | and the resource server. | |||
Knowledge of the symmetric key shared with the client must not reveal | Knowledge of the symmetric key shared with the client must not reveal | |||
any information about the key derivation key or other secret keys | any information about the key derivation key or other secret keys | |||
shared between the authorization server and resource server. | shared between the authorization server and resource server. | |||
In order to generate a new symmetric key to be used by client and | In order to generate a new symmetric key to be used by the client and | |||
resource server, the authorization server generates a new key | resource server, the authorization server generates a new key | |||
identifier which MUST be unique among all key identifiers used by the | identifier that MUST be unique among all key identifiers used by the | |||
authorization server for this resource server. The authorization | authorization server for this resource server. The authorization | |||
server then uses the key derivation key shared with the resource | server then uses the key derivation key shared with the resource | |||
server to derive the symmetric key as specified below. Instead of | server to derive the symmetric key, as specified below. Instead of | |||
providing the keying material in the access token, the authorization | providing the keying material in the access token, the authorization | |||
server includes the key identifier in the "kid" parameter, see | server includes the key identifier in the kid parameter (see | |||
Figure 7. This key identifier enables the resource server to | Figure 7). This key identifier enables the resource server to | |||
calculate the symmetric key used for the communication with the | calculate the symmetric key used for the communication with the | |||
client using the key derivation key and a KDF to be defined by the | client using the key derivation key and a key derivation function | |||
application, for example HKDF-SHA-256. The key identifier picked by | (KDF) to be defined by the application, for example, HKDF-SHA-256. | |||
the authorization server MUST be unique for each access token where a | The key identifier picked by the authorization server MUST be unique | |||
unique symmetric key is required. | for each access token where a unique symmetric key is required. | |||
In this example, HKDF consists of the composition of the HKDF-Extract | In this example, the HMAC-based key derivation function (HKDF) | |||
and HKDF-Expand steps [RFC5869]. The symmetric key is derived from | consists of the composition of the HKDF-Extract and HKDF-Expand steps | |||
the key identifier, the key derivation key and other data: | [RFC5869]. The symmetric key is derived from the key identifier, the | |||
key derivation key, and other data: | ||||
OKM = HKDF(salt, IKM, info, L), | OKM = HKDF(salt, IKM, info, L), | |||
where: | where: | |||
* OKM, the output keying material, is the derived symmetric key | * OKM, the output keying material, is the derived symmetric key | |||
* salt is the empty byte string | * salt is the empty byte string | |||
* IKM, the input keying material, is the key derivation key as | * IKM, the input keying material, is the key derivation key, as | |||
defined above | defined above | |||
* info is the serialization of a CBOR array consisting of | * info is the serialization of a CBOR array consisting of [RFC8610]: | |||
([RFC8610]): | ||||
info = [ | info = [ | |||
type : tstr, | type : tstr, | |||
L : uint, | L : uint, | |||
access_token: bytes | access_token: bytes | |||
] | ] | |||
where: | where: | |||
* type is set to the constant text string "ACE-CoAP-DTLS-key- | - type is set to the constant text string "ACE-CoAP-DTLS-key- | |||
derivation", | derivation" | |||
* L is the size of the symmetric key in bytes, | - L is the size of the symmetric key in bytes | |||
* access_token is the content of the "access_token" field as | - access_token is the content of the access_token field, as | |||
transferred from the authorization server to the resource server. | transferred from the authorization server to the resource | |||
server. | ||||
All CBOR data types are encoded in CBOR using preferred serialization | All CBOR data types are encoded in CBOR using preferred serialization | |||
and deterministic encoding as specified in Section 4 of [RFC8949]. | and deterministic encoding, as specified in Section 4 of [RFC8949]. | |||
This implies in particular that the "type" and "L" components use the | In particular, this implies that the type and L components use the | |||
minimum length encoding. The content of the "access_token" field is | minimum length encoding. The content of the access_token field is | |||
treated as opaque data for the purpose of key derivation. | treated as opaque data for the purpose of key derivation. | |||
Use of a unique (per resource server) "kid" and the use of a key | Use of a unique (per-resource-server) kid and the use of a key | |||
derivation IKM that MUST be unique per authorization server/resource | derivation IKM that MUST be unique per AS/RS pair, as specified | |||
server pair as specified above will ensure that the derived key is | above, will ensure that the derived key is not shared across multiple | |||
not shared across multiple clients. However, to provide variation in | clients. However, to provide variation in the derived key across | |||
the derived key across different tokens used by the same client, it | different tokens used by the same client, it is additionally | |||
is additionally RECOMMENDED to include the "iat" claim and either the | RECOMMENDED to include the "iat" claim and either the "exp" or "exi" | |||
"exp" or "exi" claims in the access token. | claims in the access token. | |||
3.3.2. DTLS Channel Setup Between Client and Resource Server | 3.3.2. DTLS Channel Setup between the Client and Resource Server | |||
When a client receives an access token response from an authorization | When a client receives an access token response from an authorization | |||
server, the client MUST check if the access token response is bound | server, the client MUST check if the access token response is bound | |||
to a certain previously sent access token request, as the request may | to a certain, previously sent access token request, as the request | |||
specify the resource server with which the client wants to | may specify the resource server with which the client wants to | |||
communicate. | communicate. | |||
The client checks if the payload of the access token response | The client checks if the payload of the access token response | |||
contains an "access_token" parameter and a "cnf" parameter. With | contains an access_token parameter and a cnf parameter. With this | |||
this information the client can initiate the establishment of a new | information, the client can initiate the establishment of a new DTLS | |||
DTLS channel with a resource server. To use DTLS with pre-shared | channel with a resource server. To use DTLS with pre-shared keys, | |||
keys, the client follows the PSK key exchange algorithm specified in | the client follows the PSK key exchange algorithm specified in | |||
Section 2 of [RFC4279] using the key conveyed in the "cnf" parameter | Section 2 of [RFC4279], using the key conveyed in the cnf parameter | |||
of the AS response as PSK when constructing the premaster secret. To | of the AS response as a PSK when constructing the premaster secret. | |||
be consistent with the recommendations in [RFC7252], a client in the | To be consistent with the recommendations in [RFC7252], a client in | |||
PSK mode MUST support the cipher suite TLS_PSK_WITH_AES_128_CCM_8 | the PSK mode MUST support the cipher suite TLS_PSK_WITH_AES_128_CCM_8 | |||
[RFC6655]. | [RFC6655]. | |||
In PreSharedKey mode, the knowledge of the shared secret by the | In PreSharedKey mode, the knowledge of the shared secret by the | |||
client and the resource server is used for mutual authentication | client and the resource server is used for mutual authentication | |||
between both peers. Therefore, the resource server must be able to | between both peers. Therefore, the resource server must be able to | |||
determine the shared secret from the access token. Following the | determine the shared secret from the access token. Following the | |||
general ACE authorization framework, the client can upload the access | general ACE authorization framework, the client can upload the access | |||
token to the resource server's authz-info resource before starting | token to the resource server's authz-info resource before starting | |||
the DTLS handshake. The client then needs to indicate during the | the DTLS handshake. The client then needs to indicate during the | |||
DTLS handshake which previously uploaded access token it intends to | DTLS handshake which previously uploaded access token it intends to | |||
use. To do so, it MUST create a "COSE_Key" structure with the "kid" | use. To do so, it MUST create a COSE_Key structure with the kid that | |||
that was conveyed in the "rs_cnf" claim in the token response from | was conveyed in the rs_cnf claim in the token response from the | |||
the authorization server and the key type "symmetric". This | authorization server and the key type symmetric. This structure then | |||
structure then is included as the only element in the "cnf" structure | is included as the only element in the cnf structure whose CBOR | |||
whose CBOR serialization is used as value for "psk_identity" as shown | serialization is used as value for psk_identity, as shown in | |||
in Figure 9. | Figure 9. | |||
{ cnf : { | { cnf : { | |||
COSE_Key : { | COSE_Key : { | |||
kty: symmetric, | kty: symmetric, | |||
kid : h'3d027833fc6267ce' | kid : h'3d027833fc6267ce' | |||
} | } | |||
} | } | |||
} | } | |||
Figure 9: Access token containing a single kid parameter | Figure 9: Access Token Containing a Single kid Parameter | |||
The actual CBOR serialization for the data structure from Figure 9 as | The actual CBOR serialization for the data structure from Figure 9 as | |||
sequence of bytes in hexadecimal notation will be: | a sequence of bytes in hexadecimal notation will be: | |||
A1 08 A1 01 A2 01 04 02 48 3D 02 78 33 FC 62 67 CE | A1 08 A1 01 A2 01 04 02 48 3D 02 78 33 FC 62 67 CE | |||
As an alternative to the access token upload, the client can provide | As an alternative to the access token upload, the client can provide | |||
the most recent access token in the "psk_identity" field of the | the most recent access token in the psk_identity field of the | |||
ClientKeyExchange message. To do so, the client MUST treat the | ClientKeyExchange message. To do so, the client MUST treat the | |||
contents of the "access_token" field from the AS-to-Client response | contents of the access_token field from the AS-to-client response as | |||
as opaque data as specified in Section 4.2 of [RFC7925] and not | opaque data, as specified in Section 4.2 of [RFC7925], and not | |||
perform any re-coding. This allows the resource server to retrieve | perform any recoding. This allows the resource server to retrieve | |||
the shared secret directly from the "cnf" claim of the access token. | the shared secret directly from the cnf claim of the access token. | |||
DTLS 1.3 does not use the ClientKeyExchange message; for DTLS 1.3, | ||||
the access token is placed in the identity field of a PSKIdentity | ||||
within the PreSharedKeyExtension of the ClientHello. | ||||
If a resource server receives a ClientKeyExchange message that | If a resource server receives a ClientKeyExchange message that | |||
contains a "psk_identity" with a length greater than zero, it MUST | contains a psk_identity with a length greater than zero, it MUST | |||
parse the contents of the "psk_identity" field as CBOR data structure | parse the contents of the psk_identity field as a CBOR data structure | |||
and process the contents as following: | and process the contents as following: | |||
* If the data contains a "cnf" field with a "COSE_Key" structure | * If the data contains a cnf field with a COSE_Key structure with a | |||
with a "kid", the resource server continues the DTLS handshake | kid, the resource server continues the DTLS handshake with the | |||
with the associated key that corresponds to this kid. | associated key that corresponds to this kid. | |||
* If the data comprises additional CWT information, this information | * If the data comprises additional CWT information, this information | |||
must be stored as an access token for this DTLS association before | must be stored as an access token for this DTLS association before | |||
continuing with the DTLS handshake. | continuing with the DTLS handshake. | |||
If the contents of the "psk_identity" do not yield sufficient | If the contents of the psk_identity do not yield sufficient | |||
information to select a valid access token for the requesting client, | information to select a valid access token for the requesting client, | |||
the resource server aborts the DTLS handshake with an | the resource server aborts the DTLS handshake with an | |||
"illegal_parameter" alert. | illegal_parameter alert. | |||
When the resource server receives an access token, it MUST check if | When the resource server receives an access token, it MUST check if | |||
the access token is still valid, if the resource server is the | the access token is still valid, if the resource server is the | |||
intended destination (i.e., the audience of the token), and if the | intended destination (i.e., the audience of the token), and if the | |||
token was issued by an authorized authorization server. This | token was issued by an authorized authorization server. This | |||
specification implements access tokens as proof-of-possession tokens. | specification implements access tokens as proof-of-possession tokens. | |||
Therefore, the access token is bound to a symmetric PoP key that is | Therefore, the access token is bound to a symmetric PoP key that is | |||
used as shared secret between the client and the resource server. A | used as a shared secret between the client and the resource server. | |||
resource server MUST have the capacity to store one access token for | A resource server MUST have the capacity to store one access token | |||
every proof-of-possession key of every authorized client. The | for every proof-of-possession key of every authorized client. The | |||
resource server may use token introspection [RFC7662] on the access | resource server may use token introspection [RFC7662] on the access | |||
token to retrieve more information about the specific token. The use | token to retrieve more information about the specific token. The use | |||
of introspection is out of scope for this specification. | of introspection is out of scope for this specification. | |||
While the client can retrieve the shared secret from the contents of | While the client can retrieve the shared secret from the contents of | |||
the "cnf" parameter in the AS-to-Client response, the resource server | the cnf parameter in the AS-to-client response, the resource server | |||
uses the information contained in the "cnf" claim of the access token | uses the information contained in the cnf claim of the access token | |||
to determine the actual secret when no explicit "kid" was provided in | to determine the actual secret when no explicit kid was provided in | |||
the "psk_identity" field. If key derivation is used, the "cnf" claim | the psk_identity field. If key derivation is used, the cnf claim | |||
MUST contain a "kid" parameter to be used by the server as the IKM | MUST contain a kid parameter to be used by the server as the IKM for | |||
for key derivation as described above. | key derivation, as described above. | |||
3.4. Resource Access | 3.4. Resource Access | |||
Once a DTLS channel has been established as described in Section 3.2 | Once a DTLS channel has been established, as described in Sections | |||
or Section 3.3, respectively, the client is authorized to access | 3.2 and 3.3, respectively, the client is authorized to access | |||
resources covered by the access token it has uploaded to the authz- | resources covered by the access token it has uploaded to the authz- | |||
info resource hosted by the resource server. | info resource that is hosted by the resource server. | |||
With the successful establishment of the DTLS channel, the client and | With the successful establishment of the DTLS channel, the client and | |||
the resource server have proven that they can use their respective | the resource server have proven that they can use their respective | |||
keying material. An access token that is bound to the client's | keying material. An access token that is bound to the client's | |||
keying material is associated with the channel. According to | keying material is associated with the channel. According to | |||
Section 5.10.1 of [I-D.ietf-ace-oauth-authz], there should be only | Section 5.10.1 of [RFC9200], there should be only one access token | |||
one access token for each client. New access tokens issued by the | for each client. New access tokens issued by the authorization | |||
authorization server SHOULD replace previously issued access tokens | server SHOULD replace previously issued access tokens for the | |||
for the respective client. The resource server therefore needs a | respective client. The resource server therefore needs a common | |||
common understanding with the authorization server how access tokens | understanding with the authorization server about how access tokens | |||
are ordered. The authorization server may, e.g., specify a "cti" | are ordered. The authorization server may, e.g., specify a cti claim | |||
claim for the access token (see Section 5.9.4 of | for the access token (see Section 5.9.4 of [RFC9200]) to employ a | |||
[I-D.ietf-ace-oauth-authz]) to employ a strict order. | strict order. | |||
Any request that the resource server receives on a DTLS channel that | Any request that the resource server receives on a DTLS channel that | |||
is tied to an access token via its keying material MUST be checked | is tied to an access token via its keying material MUST be checked | |||
against the authorization rules that can be determined with the | against the authorization rules that can be determined with the | |||
access token. The resource server MUST check for every request if | access token. The resource server MUST check for every request if | |||
the access token is still valid. If the token has expired, the | the access token is still valid. If the token has expired, the | |||
resource server MUST remove it. Incoming CoAP requests that are not | resource server MUST remove it. Incoming CoAP requests that are not | |||
authorized with respect to any access token that is associated with | authorized with respect to any access token that is associated with | |||
the client MUST be rejected by the resource server with 4.01 | the client MUST be rejected by the resource server with a 4.01 | |||
response. The response SHOULD include AS Request Creation Hints as | response. The response SHOULD include AS Request Creation Hints, as | |||
described in Section 5.2 of [I-D.ietf-ace-oauth-authz]. | described in Section 5.2 of [RFC9200]. | |||
The resource server MUST NOT accept an incoming CoAP request as | The resource server MUST NOT accept an incoming CoAP request as | |||
authorized if any of the following fails: | authorized if any of the following fails: | |||
1. The message was received on a secure channel that has been | 1. The message was received on a secure channel that has been | |||
established using the procedure defined in this document. | established using the procedure defined in this document. | |||
2. The authorization information tied to the sending client is | 2. The authorization information tied to the sending client is | |||
valid. | valid. | |||
3. The request is destined for the resource server. | 3. The request is destined for the resource server. | |||
4. The resource URI specified in the request is covered by the | 4. The resource URI specified in the request is covered by the | |||
authorization information. | authorization information. | |||
5. The request method is an authorized action on the resource with | 5. The request method is an authorized action on the resource with | |||
respect to the authorization information. | respect to the authorization information. | |||
Incoming CoAP requests received on a secure DTLS channel that are not | Incoming CoAP requests received on a secure DTLS channel that are not | |||
thus authorized MUST be rejected according to Section 5.10.1.1 of | thus authorized MUST be rejected according to Section 5.10.1.1 of | |||
[I-D.ietf-ace-oauth-authz] | [RFC9200]: | |||
1. with response code 4.03 (Forbidden) when the resource URI | 1. with response code 4.03 (Forbidden) when the resource URI | |||
specified in the request is not covered by the authorization | specified in the request is not covered by the authorization | |||
information, and | information and | |||
2. with response code 4.05 (Method Not Allowed) when the resource | 2. with response code 4.05 (Method Not Allowed) when the resource | |||
URI specified in the request covered by the authorization | URI specified in the request is covered by the authorization | |||
information but not the requested action. | information but not the requested action. | |||
The client MUST ascertain that its keying material is still valid | The client MUST ascertain that its keying material is still valid | |||
before sending a request or processing a response. If the client | before sending a request or processing a response. If the client | |||
recently has updated the access token (see Section 4), it must be | recently has updated the access token (see Section 4), it must be | |||
prepared that its request is still handled according to the previous | prepared that its request is still handled according to the previous | |||
authorization rules as there is no strict ordering between access | authorization rules, as there is no strict ordering between access | |||
token uploads and resource access messages. See also Section 7.2 for | token uploads and resource access messages. See also Section 7.2 for | |||
a discussion of access token processing. | a discussion of access token processing. | |||
If the client gets an error response containing AS Request Creation | If the client gets an error response containing AS Request Creation | |||
Hints (cf. Section 5.3 of [I-D.ietf-ace-oauth-authz] as response to | Hints (cf. Section 5.3 of [RFC9200]) as a response to its requests, | |||
its requests, it SHOULD request a new access token from the | it SHOULD request a new access token from the authorization server in | |||
authorization server in order to continue communication with the | order to continue communication with the resource server. | |||
resource server. | ||||
Unauthorized requests that have been received over a DTLS session | Unauthorized requests that have been received over a DTLS session | |||
SHOULD be treated as non-fatal by the resource server, i.e., the DTLS | SHOULD be treated as nonfatal by the resource server, i.e., the DTLS | |||
session SHOULD be kept alive until the associated access token has | session SHOULD be kept alive until the associated access token has | |||
expired. | expired. | |||
4. Dynamic Update of Authorization Information | 4. Dynamic Update of Authorization Information | |||
Resource servers must only use a new access token to update the | Resource servers must only use a new access token to update the | |||
authorization information for a DTLS session if the keying material | authorization information for a DTLS session if the keying material | |||
that is bound to the token is the same that was used in the DTLS | that is bound to the token is the same that was used in the DTLS | |||
handshake. By associating the access tokens with the identifier of | handshake. By associating the access tokens with the identifier of | |||
an existing DTLS session, the authorization information can be | an existing DTLS session, the authorization information can be | |||
updated without changing the cryptographic keys for the DTLS | updated without changing the cryptographic keys for the DTLS | |||
communication between the client and the resource server, i.e. an | communication between the client and the resource server, i.e., an | |||
existing session can be used with updated permissions. | existing session can be used with updated permissions. | |||
The client can therefore update the authorization information stored | The client can therefore update the authorization information stored | |||
at the resource server at any time without changing an established | at the resource server at any time without changing an established | |||
DTLS session. To do so, the client requests a new access token from | DTLS session. To do so, the client requests a new access token from | |||
the authorization server for the intended action on the respective | the authorization server for the intended action on the respective | |||
resource and uploads this access token to the authz-info resource on | resource and uploads this access token to the authz-info resource on | |||
the resource server. | the resource server. | |||
Figure 10 depicts the message flow where the client requests a new | Figure 10 depicts the message flow where the client requests a new | |||
access token after a security association between the client and the | access token after a security association between the client and the | |||
resource server has been established using this protocol. If the | resource server has been established using this protocol. If the | |||
client wants to update the authorization information, the token | client wants to update the authorization information, the token | |||
request MUST specify the key identifier of the proof-of-possession | request MUST specify the key identifier of the proof-of-possession | |||
key used for the existing DTLS channel between the client and the | key used for the existing DTLS channel between the client and the | |||
resource server in the "kid" parameter of the Client-to-AS request. | resource server in the kid parameter of the client-to-AS request. | |||
The authorization server MUST verify that the specified "kid" denotes | The authorization server MUST verify that the specified kid denotes a | |||
a valid verifier for a proof-of-possession token that has previously | valid verifier for a proof-of-possession token that has previously | |||
been issued to the requesting client. Otherwise, the Client-to-AS | been issued to the requesting client. Otherwise, the client-to-AS | |||
request MUST be declined with the error code "unsupported_pop_key" as | request MUST be declined with the error code unsupported_pop_key, as | |||
defined in Section 5.8.3 of [I-D.ietf-ace-oauth-authz]. | defined in Section 5.8.3 of [RFC9200]. | |||
When the authorization server issues a new access token to update | When the authorization server issues a new access token to update | |||
existing authorization information, it MUST include the specified | existing authorization information, it MUST include the specified kid | |||
"kid" parameter in this access token. A resource server MUST replace | parameter in this access token. A resource server MUST replace the | |||
the authorization information of any existing DTLS session that is | authorization information of any existing DTLS session that is | |||
identified by this key identifier with the updated authorization | identified by this key identifier with the updated authorization | |||
information. | information. | |||
C RS AS | C RS AS | |||
| <===== DTLS channel =====> | | | | <===== DTLS channel =====> | | | |||
| + Access Token | | | | + Access Token | | | |||
| | | | | | | | |||
| --- Token Request ----------------------------> | | | --- Token Request ----------------------------> | | |||
| | | | | | | | |||
| <---------------------------- New Access Token - | | | <---------------------------- New Access Token - | | |||
skipping to change at page 20, line 26 ¶ | skipping to change at line 883 ¶ | |||
| | | | | | | | |||
| == Authorized Request ===> | | | | == Authorized Request ===> | | | |||
| | | | | | | | |||
| <=== Protected Resource == | | | | <=== Protected Resource == | | | |||
Figure 10: Overview of Dynamic Update Operation | Figure 10: Overview of Dynamic Update Operation | |||
5. Token Expiration | 5. Token Expiration | |||
The resource server MUST delete access tokens that are no longer | The resource server MUST delete access tokens that are no longer | |||
valid. DTLS associations that have been setup in accordance with | valid. DTLS associations that have been set up in accordance with | |||
this profile are always tied to specific tokens (which may be | this profile are always tied to specific tokens (which may be | |||
exchanged with a dynamic update as described in Section 4). As | exchanged with a dynamic update, as described in Section 4). As | |||
tokens may become invalid at any time (e.g., because they have | tokens may become invalid at any time (e.g., because they have | |||
expired), the association may become useless at some point. A | expired), the association may become useless at some point. A | |||
resource server therefore MUST terminate existing DTLS association | resource server therefore MUST terminate existing DTLS association | |||
after the last access token associated with this association has | after the last access token associated with this association has | |||
expired. | expired. | |||
As specified in Section 5.10.3 of [I-D.ietf-ace-oauth-authz], the | As specified in Section 5.10.3 of [RFC9200], the resource server MUST | |||
resource server MUST notify the client with an error response with | notify the client with an error response with code 4.01 | |||
code 4.01 (Unauthorized) for any long running request before | (Unauthorized) for any long-running request before terminating the | |||
terminating the association. | association. | |||
6. Secure Communication with an Authorization Server | 6. Secure Communication with an Authorization Server | |||
As specified in the ACE framework (Sections 5.8 and 5.9 of | As specified in the ACE framework (Sections 5.8 and 5.9 of | |||
[I-D.ietf-ace-oauth-authz]), the requesting entity (the resource | [RFC9200]), the requesting entity (the resource server and/or the | |||
server and/or the client) and the authorization server communicate | client) and the authorization server communicate via the token | |||
via the token endpoint or introspection endpoint. The use of CoAP | endpoint or introspection endpoint. The use of CoAP and DTLS for | |||
and DTLS for this communication is RECOMMENDED in this profile. | this communication is RECOMMENDED in this profile. Other protocols | |||
Other protocols fulfilling the security requirements defined in | fulfilling the security requirements defined in Section 5 of | |||
Section 5 of [I-D.ietf-ace-oauth-authz] MAY be used instead. | [RFC9200] MAY be used instead. | |||
How credentials (e.g., PSK, RPK, X.509 cert) for using DTLS with the | How credentials (e.g., PSK, RPK, X.509 cert) for using DTLS with the | |||
authorization server are established is out of scope for this | authorization server are established is out of scope for this | |||
profile. | profile. | |||
If other means of securing the communication with the authorization | If other means of securing the communication with the authorization | |||
server are used, the communication security requirements from | server are used, the communication security requirements from | |||
Section 6.2 of [I-D.ietf-ace-oauth-authz] remain applicable. | Section 6.2 of [RFC9200] remain applicable. | |||
7. Security Considerations | 7. Security Considerations | |||
This document specifies a profile for the Authentication and | This document specifies a profile for the Authentication and | |||
Authorization for Constrained Environments (ACE) framework | Authorization for Constrained Environments (ACE) framework [RFC9200]. | |||
[I-D.ietf-ace-oauth-authz]. As it follows this framework's general | As it follows this framework's general approach, the general security | |||
approach, the general security considerations from Section 6 of | considerations from Section 6 of [RFC9200] also apply to this | |||
[I-D.ietf-ace-oauth-authz] also apply to this profile. | profile. | |||
The authorization server must ascertain that the keying material for | The authorization server must ascertain that the keying material for | |||
the client that it provides to the resource server actually is | the client that it provides to the resource server actually is | |||
associated with this client. Malicious clients may hand over access | associated with this client. Malicious clients may hand over access | |||
tokens containing their own access permissions to other entities. | tokens containing their own access permissions to other entities. | |||
This problem cannot be completely eliminated. Nevertheless, in RPK | This problem cannot be completely eliminated. Nevertheless, in RPK | |||
mode it should not be possible for clients to request access tokens | mode, it should not be possible for clients to request access tokens | |||
for arbitrary public keys: if the client can cause the authorization | for arbitrary public keys; if the client can cause the authorization | |||
server to issue a token for a public key without proving possession | server to issue a token for a public key without proving possession | |||
of the corresponding private key, this allows for identity misbinding | of the corresponding private key, this allows for identity misbinding | |||
attacks where the issued token is usable by an entity other than the | attacks, where the issued token is usable by an entity other than the | |||
intended one. The authorization server therefore at some point needs | intended one. At some point, the authorization server therefore | |||
to validate that the client can actually use the private key | needs to validate that the client can actually use the private key | |||
corresponding to the client's public key. | corresponding to the client's public key. | |||
When using pre-shared keys provisioned by the authorization server, | When using pre-shared keys provisioned by the authorization server, | |||
the security level depends on the randomness of PSK, and the security | the security level depends on the randomness of PSKs and the security | |||
of the TLS cipher suite and key exchange algorithm. As this | of the TLS cipher suite and key exchange algorithm. As this | |||
specification targets at constrained environments, message payloads | specification targets constrained environments, message payloads | |||
exchanged between the client and the resource server are expected to | exchanged between the client and the resource server are expected to | |||
be small and rare. CoAP [RFC7252] mandates the implementation of | be small and rare. CoAP [RFC7252] mandates the implementation of | |||
cipher suites with abbreviated, 8-byte tags for message integrity | cipher suites with abbreviated, 8-byte tags for message integrity | |||
protection. For consistency, this profile requires implementation of | protection. For consistency, this profile requires implementation of | |||
the same cipher suites. For application scenarios where the cost of | the same cipher suites. For application scenarios where the cost of | |||
full-width authentication tags is low compared to the overall amount | full-width authentication tags is low compared to the overall amount | |||
of data being transmitted, the use of cipher suites with 16-byte | of data being transmitted, the use of cipher suites with 16-byte | |||
integrity protection tags is preferred. | integrity protection tags is preferred. | |||
The PSK mode of this profile offers a distribution mechanism to | The PSK mode of this profile offers a distribution mechanism to | |||
convey authorization tokens together with a shared secret to a client | convey authorization tokens together with a shared secret to a client | |||
and a server. As this specification aims at constrained devices and | and a server. As this specification aims at constrained devices and | |||
uses CoAP [RFC7252] as transfer protocol, at least the cipher suite | uses CoAP [RFC7252] as the transfer protocol, at least the cipher | |||
TLS_PSK_WITH_AES_128_CCM_8 [RFC6655] should be supported. The access | suite TLS_PSK_WITH_AES_128_CCM_8 [RFC6655] should be supported. The | |||
tokens and the corresponding shared secrets generated by the | access tokens and the corresponding shared secrets generated by the | |||
authorization server are expected to be sufficiently short-lived to | authorization server are expected to be sufficiently short-lived to | |||
provide similar forward-secrecy properties to using ephemeral Diffie- | provide similar forward-secrecy properties to using ephemeral Diffie- | |||
Hellman (DHE) key exchange mechanisms. For longer-lived access | Hellman (DHE) key exchange mechanisms. For longer-lived access | |||
tokens, DHE cipher suites should be used, i.e., cipher suites of the | tokens, DHE cipher suites should be used, i.e., cipher suites of the | |||
form TLS_DHE_PSK_*. | form TLS_DHE_PSK_* or TLS_ECDHE_PSK_*. | |||
Constrained devices that use DTLS [RFC6347] are inherently vulnerable | Constrained devices that use DTLS [RFC6347] are inherently vulnerable | |||
to Denial of Service (DoS) attacks as the handshake protocol requires | to Denial of Service (DoS) attacks, as the handshake protocol | |||
creation of internal state within the device. This is specifically | requires creation of an internal state within the device. This is | |||
of concern where an adversary is able to intercept the initial cookie | specifically of concern where an adversary is able to intercept the | |||
exchange and interject forged messages with a valid cookie to | initial cookie exchange and interject forged messages with a valid | |||
continue with the handshake. A similar issue exists with the | cookie to continue with the handshake. A similar issue exists with | |||
unprotected authorization information endpoint when the resource | the unprotected authorization information endpoint when the resource | |||
server needs to keep valid access tokens for a long time. | server needs to keep valid access tokens for a long time. | |||
Adversaries could fill up the constrained resource server's internal | Adversaries could fill up the constrained resource server's internal | |||
storage for a very long time with interjected or otherwise retrieved | storage for a very long time with interjected or otherwise retrieved | |||
valid access tokens. To mitigate against this, the resource server | valid access tokens. To mitigate against this, the resource server | |||
should set a time boundary until an access token that has not been | should set a time boundary until an access token that has not been | |||
used until then will be deleted. | used until then will be deleted. | |||
The protection of access tokens that are stored in the authorization | The protection of access tokens that are stored in the authorization | |||
information endpoint depends on the keying material that is used | information endpoint depends on the keying material that is used | |||
between the authorization server and the resource server: The | between the authorization server and the resource server; the | |||
resource server must ensure that it processes only access tokens that | resource server must ensure that it processes only access tokens that | |||
are (encrypted and) integrity-protected by an authorization server | are (encrypted and) integrity-protected by an authorization server | |||
that is authorized to provide access tokens for the resource server. | that is authorized to provide access tokens for the resource server. | |||
7.1. Reuse of Existing Sessions | 7.1. Reuse of Existing Sessions | |||
To avoid the overhead of a repeated DTLS handshake, [RFC7925] | To avoid the overhead of a repeated DTLS handshake, [RFC7925] | |||
recommends session resumption [RFC8446] to reuse session state from | recommends session resumption [RFC8446] to reuse session state from | |||
an earlier DTLS association and thus requires client side | an earlier DTLS association and thus requires client-side | |||
implementation. In this specification, the DTLS session is subject | implementation. In this specification, the DTLS session is subject | |||
to the authorization rules denoted by the access token that was used | to the authorization rules denoted by the access token that was used | |||
for the initial setup of the DTLS association. Enabling session | for the initial setup of the DTLS association. Enabling session | |||
resumption would require the server to transfer the authorization | resumption would require the server to transfer the authorization | |||
information with the session state in an encrypted SessionTicket to | information with the session state in an encrypted SessionTicket to | |||
the client. Assuming that the server uses long-lived keying | the client. Assuming that the server uses long-lived keying | |||
material, this could open up attacks due to the lack of forward | material, this could open up attacks due to the lack of forward | |||
secrecy. Moreover, using this mechanism, a client can resume a DTLS | secrecy. Moreover, using this mechanism, a client can resume a DTLS | |||
session without proving the possession of the PoP key again. | session without proving the possession of the PoP key again. | |||
Therefore, session resumption should be used only in combination with | Therefore, session resumption should be used only in combination with | |||
reasonably short-lived PoP keys. | reasonably short-lived PoP keys. | |||
Since renegotiation of DTLS associations is prone to attacks as well, | Since renegotiation of DTLS associations is prone to attacks as well, | |||
[RFC7925] requires clients to decline any renegotiation attempt. A | [RFC7925] requires that clients decline any renegotiation attempt. A | |||
server that wants to initiate re-keying therefore SHOULD periodically | server that wants to initiate rekeying therefore SHOULD periodically | |||
force a full handshake. | force a full handshake. | |||
7.2. Multiple Access Tokens | 7.2. Multiple Access Tokens | |||
Developers SHOULD avoid using multiple access tokens for a client | Developers SHOULD avoid using multiple access tokens for a client | |||
(see also section 5.10.1 of [I-D.ietf-ace-oauth-authz]). | (see also Section 5.10.1 of [RFC9200]). | |||
Even when a single access token per client is used, an attacker could | Even when a single access token per client is used, an attacker could | |||
compromise the dynamic update mechanism for existing DTLS connections | compromise the dynamic update mechanism for existing DTLS connections | |||
by delaying or reordering packets destined for the authz-info | by delaying or reordering packets destined for the authz-info | |||
endpoint. Thus, the order in which operations occur at the resource | endpoint. Thus, the order in which operations occur at the resource | |||
server (and thus which authorization info is used to process a given | server (and thus which authorization info is used to process a given | |||
client request) cannot be guaranteed. Especially in the presence of | client request) cannot be guaranteed. Especially in the presence of | |||
later-issued access tokens that reduce the client's permissions from | later-issued access tokens that reduce the client's permissions from | |||
the initial access token, it is impossible to guarantee that the | the initial access token, it is impossible to guarantee that the | |||
reduction in authorization will take effect prior to the expiration | reduction in authorization will take effect prior to the expiration | |||
of the original token. | of the original token. | |||
7.3. Out-of-Band Configuration | 7.3. Out-of-Band Configuration | |||
To communicate securely, the authorization server, the client and the | To communicate securely, the authorization server, the client, and | |||
resource server require certain information that must be exchanged | the resource server require certain information that must be | |||
outside the protocol flow described in this document. The | exchanged outside the protocol flow described in this document. The | |||
authorization server must have obtained authorization information | authorization server must have obtained authorization information | |||
concerning the client and the resource server that is approved by the | concerning the client and the resource server that is approved by the | |||
resource owner as well as corresponding keying material. The | resource owner, as well as corresponding keying material. The | |||
resource server must have received authorization information approved | resource server must have received authorization information approved | |||
by the resource owner concerning its authorization managers and the | by the resource owner concerning its authorization managers and the | |||
respective keying material. The client must have obtained | respective keying material. The client must have obtained | |||
authorization information concerning the authorization server | authorization information concerning the authorization server | |||
approved by its owner as well as the corresponding keying material. | approved by its owner, as well as the corresponding keying material. | |||
Also, the client's owner must have approved of the client's | Also, the client's owner must have approved of the client's | |||
communication with the resource server. The client and the | communication with the resource server. The client and the | |||
authorization server must have obtained a common understanding how | authorization server must have obtained a common understanding about | |||
this resource server is identified to ensure that the client obtains | how this resource server is identified to ensure that the client | |||
access token and keying material for the correct resource server. If | obtains access tokens and keying material for the correct resource | |||
the client is provided with a raw public key for the resource server, | server. If the client is provided with a raw public key for the | |||
it must be ascertained to which resource server (which identifier and | resource server, it must be ascertained to which resource server | |||
authorization information) the key is associated. All authorization | (which identifier and authorization information) the key is | |||
information and keying material must be kept up to date. | associated. All authorization information and keying material must | |||
be kept up to date. | ||||
8. Privacy Considerations | 8. Privacy Considerations | |||
This privacy considerations from Section 7 of the | This privacy considerations from Section 7 of [RFC9200] apply also to | |||
[I-D.ietf-ace-oauth-authz] apply also to this profile. | this profile. | |||
An unprotected response to an unauthorized request may disclose | An unprotected response to an unauthorized request may disclose | |||
information about the resource server and/or its existing | information about the resource server and/or its existing | |||
relationship with the client. It is advisable to include as little | relationship with the client. It is advisable to include as little | |||
information as possible in an unencrypted response. When a DTLS | information as possible in an unencrypted response. When a DTLS | |||
session between an authenticated client and the resource server | session between an authenticated client and the resource server | |||
already exists, more detailed information MAY be included with an | already exists, more detailed information MAY be included with an | |||
error response to provide the client with sufficient information to | error response to provide the client with sufficient information to | |||
react on that particular error. | react on that particular error. | |||
Also, unprotected requests to the resource server may reveal | Also, unprotected requests to the resource server may reveal | |||
information about the client, e.g., which resources the client | information about the client, e.g., which resources the client | |||
attempts to request or the data that the client wants to provide to | attempts to request or the data that the client wants to provide to | |||
the resource server. The client SHOULD NOT send confidential data in | the resource server. The client SHOULD NOT send confidential data in | |||
an unprotected request. | an unprotected request. | |||
Note that some information might still leak after DTLS session is | Note that some information might still leak after the DTLS session is | |||
established, due to observable message sizes, the source, and the | established, due to observable message sizes, the source, and the | |||
destination addresses. | destination addresses. | |||
9. IANA Considerations | 9. IANA Considerations | |||
The following registrations are done for the ACE OAuth Profile | The following registration has been made in the "ACE Profiles" | |||
Registry following the procedure specified in | registry, following the procedure specified in [RFC9200]. | |||
[I-D.ietf-ace-oauth-authz]. | ||||
Note to RFC Editor: Please replace all occurrences of "[RFC-XXXX]" | ||||
with the RFC number of this specification and delete this paragraph. | ||||
Profile name: coap_dtls | ||||
Profile Description: Profile for delegating client authentication and | ||||
authorization in a constrained environment by establishing a Datagram | ||||
Transport Layer Security (DTLS) channel between resource-constrained | ||||
nodes. | ||||
Profile ID: TBD (suggested: 1) | ||||
Change Controller: IESG | ||||
Reference: [RFC-XXXX] | ||||
10. Acknowledgments | ||||
Special thanks to Jim Schaad for his contributions and reviews of | ||||
this document and to Ben Kaduk for his thorough reviews of this | ||||
document. Thanks also to Paul Kyzivat for his review. The authors | ||||
also would like to thank Marco Tiloca for his contributions. | ||||
Ludwig Seitz worked on this document as part of the CelticNext | ||||
projects CyberWI, and CRITISEC with funding from Vinnova. | ||||
11. References | ||||
11.1. Normative References | Name: coap_dtls | |||
Description: Profile for delegating client Authentication and | ||||
Authorization for Constrained Environments by establishing a | ||||
Datagram Transport Layer Security (DTLS) channel between resource- | ||||
constrained nodes. | ||||
CBOR Value: 1 | ||||
Reference: RFC 9202 | ||||
[I-D.ietf-ace-oauth-authz] | 10. References | |||
Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., and | ||||
H. Tschofenig, "Authentication and Authorization for | ||||
Constrained Environments (ACE) using the OAuth 2.0 | ||||
Framework (ACE-OAuth)", Work in Progress, Internet-Draft, | ||||
draft-ietf-ace-oauth-authz-41, 6 May 2021, | ||||
<https://www.ietf.org/archive/id/draft-ietf-ace-oauth- | ||||
authz-41.txt>. | ||||
[I-D.ietf-ace-oauth-params] | 10.1. Normative References | |||
Seitz, L., "Additional OAuth Parameters for Authorization | ||||
in Constrained Environments (ACE)", Work in Progress, | ||||
Internet-Draft, draft-ietf-ace-oauth-params-15, 6 May | ||||
2021, <https://www.ietf.org/archive/id/draft-ietf-ace- | ||||
oauth-params-15.txt>. | ||||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
<https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
[RFC4279] Eronen, P., Ed. and H. Tschofenig, Ed., "Pre-Shared Key | [RFC4279] Eronen, P., Ed. and H. Tschofenig, Ed., "Pre-Shared Key | |||
Ciphersuites for Transport Layer Security (TLS)", | Ciphersuites for Transport Layer Security (TLS)", | |||
RFC 4279, DOI 10.17487/RFC4279, December 2005, | RFC 4279, DOI 10.17487/RFC4279, December 2005, | |||
<https://www.rfc-editor.org/info/rfc4279>. | <https://www.rfc-editor.org/info/rfc4279>. | |||
skipping to change at page 27, line 21 ¶ | skipping to change at line 1154 ¶ | |||
[RFC8747] Jones, M., Seitz, L., Selander, G., Erdtman, S., and H. | [RFC8747] Jones, M., Seitz, L., Selander, G., Erdtman, S., and H. | |||
Tschofenig, "Proof-of-Possession Key Semantics for CBOR | Tschofenig, "Proof-of-Possession Key Semantics for CBOR | |||
Web Tokens (CWTs)", RFC 8747, DOI 10.17487/RFC8747, March | Web Tokens (CWTs)", RFC 8747, DOI 10.17487/RFC8747, March | |||
2020, <https://www.rfc-editor.org/info/rfc8747>. | 2020, <https://www.rfc-editor.org/info/rfc8747>. | |||
[RFC8949] Bormann, C. and P. Hoffman, "Concise Binary Object | [RFC8949] Bormann, C. and P. Hoffman, "Concise Binary Object | |||
Representation (CBOR)", STD 94, RFC 8949, | Representation (CBOR)", STD 94, RFC 8949, | |||
DOI 10.17487/RFC8949, December 2020, | DOI 10.17487/RFC8949, December 2020, | |||
<https://www.rfc-editor.org/info/rfc8949>. | <https://www.rfc-editor.org/info/rfc8949>. | |||
11.2. Informative References | [RFC9200] Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., and | |||
H. Tschofenig, "Authentication and Authorization for | ||||
Constrained Environments (ACE) Using the OAuth 2.0 | ||||
Framework (ACE-OAuth)", RFC 9200, DOI 10.17487/RFC9200, | ||||
March 2022, <https://www.rfc-editor.org/info/rfc9200>. | ||||
[RFC9201] Seitz, L., "Additional OAuth Parameters for Authentication | ||||
and Authorization for Constrained Environments (ACE)", | ||||
RFC 9201, DOI 10.17487/RFC9201, March 2022, | ||||
<https://www.rfc-editor.org/info/rfc9201>. | ||||
10.2. Informative References | ||||
[RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand | [RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand | |||
Key Derivation Function (HKDF)", RFC 5869, | Key Derivation Function (HKDF)", RFC 5869, | |||
DOI 10.17487/RFC5869, May 2010, | DOI 10.17487/RFC5869, May 2010, | |||
<https://www.rfc-editor.org/info/rfc5869>. | <https://www.rfc-editor.org/info/rfc5869>. | |||
[RFC6655] McGrew, D. and D. Bailey, "AES-CCM Cipher Suites for | [RFC6655] McGrew, D. and D. Bailey, "AES-CCM Cipher Suites for | |||
Transport Layer Security (TLS)", RFC 6655, | Transport Layer Security (TLS)", RFC 6655, | |||
DOI 10.17487/RFC6655, July 2012, | DOI 10.17487/RFC6655, July 2012, | |||
<https://www.rfc-editor.org/info/rfc6655>. | <https://www.rfc-editor.org/info/rfc6655>. | |||
skipping to change at page 28, line 11 ¶ | skipping to change at line 1200 ¶ | |||
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | |||
<https://www.rfc-editor.org/info/rfc8446>. | <https://www.rfc-editor.org/info/rfc8446>. | |||
[RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data | [RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data | |||
Definition Language (CDDL): A Notational Convention to | Definition Language (CDDL): A Notational Convention to | |||
Express Concise Binary Object Representation (CBOR) and | Express Concise Binary Object Representation (CBOR) and | |||
JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610, | JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610, | |||
June 2019, <https://www.rfc-editor.org/info/rfc8610>. | June 2019, <https://www.rfc-editor.org/info/rfc8610>. | |||
Acknowledgments | ||||
Special thanks to Jim Schaad for his contributions and reviews of | ||||
this document and to Ben Kaduk for his thorough reviews of this | ||||
document. Thanks also to Paul Kyzivat for his review. The authors | ||||
also would like to thank Marco Tiloca for his contributions. | ||||
Ludwig Seitz worked on this document as part of the CelticNext | ||||
projects CyberWI and CRITISEC with funding from Vinnova. | ||||
Authors' Addresses | Authors' Addresses | |||
Stefanie Gerdes | Stefanie Gerdes | |||
Universität Bremen TZI | Universität Bremen TZI | |||
Postfach 330440 | Postfach 330440 | |||
D-28359 Bremen | D-28359 Bremen | |||
Germany | Germany | |||
Phone: +49-421-218-63906 | Phone: +49-421-218-63906 | |||
Email: gerdes@tzi.org | Email: gerdes@tzi.org | |||
Olaf Bergmann | Olaf Bergmann | |||
Universität Bremen TZI | Universität Bremen TZI | |||
Postfach 330440 | Postfach 330440 | |||
D-28359 Bremen | D-28359 Bremen | |||
Germany | Germany | |||
Phone: +49-421-218-63904 | Phone: +49-421-218-63904 | |||
Email: bergmann@tzi.org | Email: bergmann@tzi.org | |||
Carsten Bormann | Carsten Bormann | |||
Universität Bremen TZI | Universität Bremen TZI | |||
Postfach 330440 | Postfach 330440 | |||
D-28359 Bremen | D-28359 Bremen | |||
Germany | Germany | |||
Phone: +49-421-218-63921 | Phone: +49-421-218-63921 | |||
Email: cabo@tzi.org | Email: cabo@tzi.org | |||
Göran Selander | Göran Selander | |||
Ericsson AB | Ericsson AB | |||
Email: goran.selander@ericsson.com | Email: goran.selander@ericsson.com | |||
Ludwig Seitz | Ludwig Seitz | |||
Combitech | Combitech | |||
Djäknegatan 31 | Djäknegatan 31 | |||
SE-211 35 Malmö | SE-211 35 Malmö | |||
Sweden | Sweden | |||
Email: ludwig.seitz@combitech.com | Email: ludwig.seitz@combitech.com | |||
End of changes. 142 change blocks. | ||||
449 lines changed or deleted | 427 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |