ACE Working Group                                            G. Selander
Internet-Draft                                               J. Mattsson
Intended status: Standards Track                            F. Palombini
Expires: April 21, 2016                                         Ericsson
                                                                L. Seitz
                                                        SICS Swedish ICT
                                                        October 19, 2015


                    Object Security of CoAP (OSCOAP)
                 draft-selander-ace-object-security-03

Abstract

   This memo defines Object Security of CoAP (OSCOAP), a method for
   protection of request and response message exchanges of the
   Constrained Application Protocol (CoAP) using data object security.
   OSCOAP provides end-to-end encryption, integrity and replay
   protection to CoAP payload, options and header fields, and a secure
   binding between CoAP request and response messages.  The use of
   OSCOAP is signaled with the Object-Security option, also defined in
   this memo.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 21, 2016.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of



Selander, et al.         Expires April 21, 2016                 [Page 1]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   4
   2.  Background  . . . . . . . . . . . . . . . . . . . . . . . . .   5
   3.  The Object-Security Option  . . . . . . . . . . . . . . . . .   6
   4.  Secure Message Format . . . . . . . . . . . . . . . . . . . .   7
     4.1.  Secure Message Header . . . . . . . . . . . . . . . . . .   7
     4.2.  Secure Message Body and Tag . . . . . . . . . . . . . . .   8
       4.2.1.  Integrity Protection Only . . . . . . . . . . . . . .   8
       4.2.2.  Encryption and Integrity Protection . . . . . . . . .   8
   5.  CoAP Message Protection . . . . . . . . . . . . . . . . . . .   9
     5.1.  Integrity Protection Only . . . . . . . . . . . . . . . .   9
       5.1.1.  Protected CoAP message formatting . . . . . . . . . .   9
       5.1.2.  Secure Message formatting . . . . . . . . . . . . . .  10
       5.1.3.  Integrity Protection and Verification . . . . . . . .  10
     5.2.  Encryption and Integrity Protection . . . . . . . . . . .  10
       5.2.1.  Protected CoAP message formatting . . . . . . . . . .  10
       5.2.2.  Secure Message formatting . . . . . . . . . . . . . .  11
   6.  Protected CoAP Message Fields . . . . . . . . . . . . . . . .  12
     6.1.  Protected CoAP Header Fields  . . . . . . . . . . . . . .  12
     6.2.  Protected CoAP Options  . . . . . . . . . . . . . . . . .  12
       6.2.1.  Integrity Protection  . . . . . . . . . . . . . . . .  13
       6.2.2.  Encryption  . . . . . . . . . . . . . . . . . . . . .  15
   7.  Replay Protection and Freshness . . . . . . . . . . . . . . .  15
     7.1.  Replay Protection . . . . . . . . . . . . . . . . . . . .  15
     7.2.  Freshness . . . . . . . . . . . . . . . . . . . . . . . .  16
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .  16
   9.  Privacy Considerations  . . . . . . . . . . . . . . . . . . .  18
   10. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  18
   11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .  19
   12. References  . . . . . . . . . . . . . . . . . . . . . . . . .  19
     12.1.  Normative References . . . . . . . . . . . . . . . . . .  19
     12.2.  Informative References . . . . . . . . . . . . . . . . .  20
   Appendix A.  COSE Profile of SM . . . . . . . . . . . . . . . . .  21
     A.1.  Integrity Protection Only . . . . . . . . . . . . . . . .  21
       A.1.1.  COSE_Sign . . . . . . . . . . . . . . . . . . . . . .  21
       A.1.2.  COSE_mac  . . . . . . . . . . . . . . . . . . . . . .  22
     A.2.  Encryption and Integrity Protection: COSE_enveloped . . .  22
     A.3.  COSE Optimizations  . . . . . . . . . . . . . . . . . . .  23
   Appendix B.  Comparison of message sizes  . . . . . . . . . . . .  25



Selander, et al.         Expires April 21, 2016                 [Page 2]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


     B.1.  MAC Only  . . . . . . . . . . . . . . . . . . . . . . . .  26
     B.2.  Signature Only  . . . . . . . . . . . . . . . . . . . . .  27
     B.3.  Authenticated Encryption with Additional Data (AEAD)  . .  29
     B.4.  Symmetric Encryption with Asymmetric Signature (SEAS) . .  30
   Appendix C.  Object Security of Content (OSCON) . . . . . . . . .  32
     C.1.  Security Considerations of OSCON  . . . . . . . . . . . .  33
   Appendix D.  Examples . . . . . . . . . . . . . . . . . . . . . .  34
     D.1.  CoAP Message Protection . . . . . . . . . . . . . . . . .  34
       D.1.1.  Integrity Protection of CoAP Message Exchange . . . .  34
       D.1.2.  Additional Encryption of CoAP Message . . . . . . . .  36
     D.2.  Payload Protection  . . . . . . . . . . . . . . . . . . .  37
       D.2.1.  Proxy Caching . . . . . . . . . . . . . . . . . . . .  37
       D.2.2.  Publish-Subscribe . . . . . . . . . . . . . . . . . .  38
       D.2.3.  Transporting Authorization Information  . . . . . . .  40
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  41

1.  Introduction

   The Constrained Application Protocol CoAP [RFC7252] was designed with
   a constrained RESTful environment in mind.  CoAP references DTLS
   [RFC6347] for securing the message exchanges.  Two prominent features
   of CoAP, store-and-forward and publish-subscribe exchanges, are
   problematic to secure with DTLS and transport layer security.  As
   DTLS offers hop-by-hop security, in case of store-and-forward
   exchanges it necessitates a trusted intermediary.  Securing publish-
   subscribe CoAP exchanges with DTLS requires the use of the keep-alive
   mechanism which incurs additional overhead and actually takes away
   most of the benefits of asynchronous communication.

   The pervasive monitoring debate has illustrated the need to protect
   data also from trustworthy intermediary nodes as they can be
   compromised.  The community has reacted strongly to the revelations,
   and new solutions must consider this attack [RFC7258] and include
   encryption by default.

   This memo defines Object Security of CoAP (OSCOAP) a data object
   based communication security solution complementing DTLS and
   supporting secure messaging end-to-end across intermediary nodes.
   OSCOAP may be used in very constrained settings where DTLS cannot be
   supported.  OSCOAP can also be combined with DTLS thus enabling, for
   example, end-to-end security of CoAP payload in combination with hop-
   by-hop protection of the entire CoAP message during transport between
   end-point and intermediary node.

   OSCOAP provides end-to-end encryption, integrity and replay
   protection to CoAP payload, options and header fields, and a secure
   binding between CoAP request and response messages.  Using this
   method the unprotected CoAP message is transformed into a protected



Selander, et al.         Expires April 21, 2016                 [Page 3]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


   CoAP message, which contains a secure data object protecting the
   unprotected message, and which is sent instead of the unprotected
   message.  The use of OSCOAP is signaled with the Object-Security
   option, also defined in this memo.

1.1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].These words
   may also appear in this document in lowercase, absent their normative
   meanings.

   Certain security-related terms are to be understood in the sense
   defined in [RFC4949].  These terms include, but are not limited to,
   "authentication", "authorization", "confidentiality", "(data)
   integrity", "message authentication code", and "verify".  For
   "signature", see below.

   RESTful terms, such as "resource" or "representation", are to be
   understood as used in HTTP [RFC7231] and CoAP.

   Terminology for constrained environments, such as "constrained
   device", "constrained-node network", is defined in [RFC7228].

   Terminology for authentication and authorization in constrained
   environments, such as "Authorization Server", "Resource Server", etc,
   is defined in [I-D.ietf-ace-actors].

   The CoAP option Object-Security and the Secure Message (SM) format
   are defined in this memo.

   Two different scopes of object security are defined:

   o  OSCOAP = object security of CoAP, signaled with the Object-
      Security option

   o  OSCON = object security of content, signaled with Content Format/
      Media Type set to application/oscon.

   OSCON is defined in Appendix C and included for comparison with
   OSCOAP.

   The COSE message format is defined in [I-D.ietf-cose-msg].







Selander, et al.         Expires April 21, 2016                 [Page 4]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


2.  Background

   The background for this work is provided by the use cases and
   architecture in [I-D.ietf-ace-usecases] and [I-D.ietf-ace-actors].
   The focus of this memo is on end-to-end security in constrained
   environments in the presence of intermediary nodes.

   For constrained-node networks there may be several reasons for
   messages to be cached or stored in one node and later forwarded.

   For example, connectivity between the nodes may be intermittent, or
   some node may be sleeping at the time when the message should have
   been forwarded (see e.g.  [I-D.ietf-ace-usecases] sections 2.1.1, and
   2.5.1).  Also, the architectural model or protocol applied may
   require an intermediary node which breaks security on transport layer
   (see e.g.  [I-D.ietf-ace-usecases] sections 2.1.1, and 2.5.2).
   Examples of intermediary nodes include forward proxies, reverse
   proxies, pub-sub brokers, HTTP-CoAP cross-proxies, and SMS servers.

   Based on these examples the following security requirements have been
   identified:

   1.  The payload shall be integrity protected and should be encrypted
       end-to-end from sender to receiver.

   2.  It shall be possible for an intended receiver to detect if it has
       received this message previously, i.e. replay protection.

   3.  The CoAP options which are not intended to be changed by an
       intermediary node shall be integrity protected between Client and
       Server.

   4.  The CoAP options which are not intended to be read by an
       intermediary node shall be encrypted between Client and Server.

   5.  The CoAP header fields "Code" and "Version" shall be integrity
       protected between Client and Server.

   6.  A Client shall be able to verify that a message is the response
       to a particular request the Client made.

   In this list above, requirements 1-2 deals essentially with
   protecting the CoAP payload only, whereas 3-6 deals with protecting
   an entire CoAP request-response exchange, including also CoAP options
   and header fields.

   Object Security of CoAP (OSCOAP), which is the main focus of this
   memo, addresses all requirements above by defining a method for



Selander, et al.         Expires April 21, 2016                 [Page 5]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


   encryption, integrity protection and replay protection of CoAP
   payload, options and header fields, and a secure binding between CoAP
   request and response messages.  OSCOAP consists of:

   o  the Object-Security option, indicating that OSCOAP is being used;

   o  a compact cryptographic message format called "Secure Message",
      based on the COSE message format ([I-D.ietf-cose-msg]); and

   o  a scheme for transforming an unprotected CoAP message into a
      protected CoAP message, which contains the Object-Security option
      and a Secure Message protecting CoAP payload, options and header
      fields.

   The same method can be applied to payload only of individual
   messages, targeting only requirements 1-2 above.  We call this object
   security of content (OSCON) and it is defined in Appendix C.

   Examples of the use of OSCOAP and OSCON are given in Appendix D.

3.  The Object-Security Option

   In order to end-to-end protect CoAP message exchanges including
   options and headers, a new CoAP option is introduced: the Object-
   Security option.  The Object-Security option indicates that OSCOAP is
   used, i.e. that certain CoAP Header fields, Options and Payload (if
   present) are integrity and replay protected and potentially
   encrypted, using a cryptographic message format called the Secure
   Message format Section 4.

   This option is critical, safe to forward, it is not part of a cache
   key, and it is not repeatable.  Figure 1 illustrates the structure of
   this option.

   +-----+---+---+---+---+-----------------+--------+--------+
   | No. | C | U | N | R | Name            | Format | Length |
   +-----+---+---+---+---+-----------------+--------+--------|
   | TBD | x |   | x |   | Object-Security | opaque | 0, TBD |
   +-----+---+---+---+---+-----------------+--------+--------+
            C=Critical, U=Unsafe, N=NoCacheKey, R=Repeatable

                   Figure 1: The Object-Security Option

   The length of the option depends on the specific choice of the Secure
   Message format.  Length 0 indicates that the Secure Message is the
   CoAP Payload of the message, and is used when the CoAP message type
   used supports payload.




Selander, et al.         Expires April 21, 2016                 [Page 6]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


4.  Secure Message Format

   There exist already standardized and draft content formats for
   encryption and integrity protection of data such as CMS [RFC5652],
   JWS [RFC7515], JWE [RFC7516], and COSE [I-D.ietf-cose-msg].

   Current CMS and JWx objects are undesirably large for very
   constrained devices.  Large messages has a negative impact on memory
   and storage in constrained devices, packet fragmentation in
   constrained-node networks due to limited frame sizes, and increased
   energy consumption due to more data transmission and reception.  The
   candidate for use with object security of CoAP messages is the COSE
   message format [I-D.ietf-cose-msg].

   Pending an optimized and stable version of the COSE message format
   this memo defines the SM format to refer to a content format for
   encrypted and integrity protected data, and also includes a unique
   transaction identifier for replay protection.  Appendix A shows a
   profile of the COSE message format which complies with the Secure
   Message format.

   A Secure Message (SM) SHALL consist of Header, Body and Tag.

4.1.  Secure Message Header

   The following parameters SHALL be included in the SM Header:

   o  Context Identifier (CID).  This parameter identifies the sender
      security context including the cipher suite, key(s) and additional
      algorithm specific parameters used to protect the message.  Each
      client and server communicating using OSCOAP has two contexts, one
      for sending and one for receiving.

   o  Sequence Number (SEQ).  The Sequence Number parameter enumerates
      the Secure Messages sent associated to a Context Identifier, and
      is used for replay protection and uniqueness of nonce.  The start
      sequence number SHALL be 0.  For a given key, any Sequence Number
      MUST NOT be used more than once.

   The granularity of "sender" - what is being identified with the
   Context Identifier - is defined by the application.  With OSCOAP the
   Context Identifier typically identifies the sending party and
   different resources may be identified by the Uri-Path in the request.
   (Compare Appendix C.)

   The ordered sequence (SEQ, CID) is called Transaction Identifier
   (TID), and SHALL be unique for each SM.




Selander, et al.         Expires April 21, 2016                 [Page 7]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


4.2.  Secure Message Body and Tag

   The use cases require support for two message types, one for
   Encryption and Integrity Protection, and another for integrity
   protection only.  The SM Body and the SM Tag are different depending
   on message type.

   For Integrity Protection Only we denote by Authenticated Data (AD)
   the data which is integrity protected in the Secure Message.  For
   Encryption and Integrity Protection we denote by Plaintext and
   Additional Authenticated Data (AAD), the data which is encrypted and
   integrity protected, and integrity protected only, respectively, in
   the Secure Message.

   The message type SHALL be explicit to allow an intermediate node to
   distinguish between the two types and read the SM Body of an
   Integrity Protected Only message.

4.2.1.  Integrity Protection Only

   In the case of integrity protection only, the SM Body SHALL consist
   of the payload of the CoAP message.

   The SM Tag SHALL consist of the Signature / Message Authentication
   Code (MAC) as defined by the cipher suite calculated over the
   Authenticated Data (AD).  The AD for OSCOAP is defined in
   Section 5.1.2.

4.2.2.  Encryption and Integrity Protection

   The use cases require support for two kinds of cipher suites:
   Authenticated Encryption with Additional Data (AEAD) as well as
   Symmetric Encryption and Asymmetric Signature (SEAS).

   In case of AEAD, the SM Body and SM Tag SHALL consist of the
   Ciphertext as defined by the cipher suite calculated over the
   Plaintext and the Additional Authenticated Data (AAD).

   In case of SEAS, the SM Body SHALL be the Ciphertext as defined by
   the symmetric encryption algorithm, given by the cipher suite,
   calculated over the Plaintext.  The SM Tag SHALL be the Signature
   defined by the cipher suite calculated over Ciphertext and AAD.

   The Plaintext and the AAD for OSCOAP are defined in Section 5.2.2.







Selander, et al.         Expires April 21, 2016                 [Page 8]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


5.  CoAP Message Protection

   This section presents how OSCOAP protects individual CoAP messages
   including payload, options and header fields, as well as request-
   response message exchanges, using the Object-Security option
   (Section 3) and the Secure Message format (Section 4).

   The basic idea is that the significant parts of an unprotected CoAP
   message - including payload, certain header field and options - are
   protected using the Secure Message format and sent in a CoAP message
   with the Object-Security option, in what we then call a "protected"
   CoAP message.  As much a possible of the CoAP message should be
   protected, but not all CoAP header fields or options can be encrypted
   and integrity protected, because some are intended to be read or
   changed by an intermediary node, see Section 6.1 and Section 6.2.

   The use of OSCOAP is signaled with the Object-Security option.
   Endpoints supporting the Object-Security option MUST verify the SM as
   described in this section before accepting a message as valid.  An
   endpoint receiving a CoAP request with the Object-Security option
   MUST respond with a CoAP message with the Object-Security option.

   The differences between Encryption and Integrity Protection vs
   Integrity Protection Only is described below.  Encryption and
   Integrity Protection SHALL be used by default.

5.1.  Integrity Protection Only

5.1.1.  Protected CoAP message formatting

   The protected CoAP message is formatted as an ordinary CoAP message,
   with the following Header, Options and Payload based on the
   unprotected CoAP message:

   o  The CoAP header SHALL be the same as the unprotected CoAP message.

   o  The CoAP options SHALL consist of the same options as the
      unprotected CoAP message, and the Object-Security option.

   o  If the unprotected CoAP message has no Payload then the Object-
      Security option SHALL contain the SM.  If the unprotected CoAP
      message has Payload, then the Object-Security option SHALL be
      empty and the Payload of the CoAP message SHALL be the SM.








Selander, et al.         Expires April 21, 2016                 [Page 9]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


5.1.2.  Secure Message formatting

   The SM Header, Body and Tag are specified in Section 4.1 and
   Section 4.2.

   The Authenticated Data SHALL consist of the following data, in this
   order:

   o  the SM Header;

   o  the two first bytes of the CoAP header (including Version and
      Code) with Type and Token Length bits set to 0;

   o  all CoAP options present which are marked as IP in Figure 2
      (Section 6.2), in the order as given by the option number (each
      Option with Option Header including delta to previous IP-marked
      Option which is present);

   o  the CoAP Payload (if any); and

   o  the Transaction Identifier of the associated CoAP Request, if the
      message is a CoAP Response (see Section 4.1).

5.1.3.  Integrity Protection and Verification

   A CoAP endpoint protecting a CoAP message with the Object-Security
   option using a cipher suite for integrity protection only SHALL
   generate a protected CoAP message and SM based on the unprotected
   CoAP message as described in Section 5.1.1 and Section 5.1.2.  In
   addition, the sending endpoint SHALL process the Sequence Number as
   described in Section 7.

   A CoAP endpoint receiving a message containing the Object-Security
   option SHALL first recreate the Authenticated Data as described in
   Section 5.1.2, and then verify the SM Tag as defined by the cipher
   suite associated to the Context Identifier.  In addition, the
   receiving endpoint SHALL process the Sequence Number as described in
   Section 7.

5.2.  Encryption and Integrity Protection

5.2.1.  Protected CoAP message formatting

   The protected CoAP message is formatted as an ordinary CoAP message,
   with the following Header, Options and Payload based on the
   unprotected CoAP message:

   o  The CoAP header SHALL be the same as the unprotected CoAP message.



Selander, et al.         Expires April 21, 2016                [Page 10]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


   o  The CoAP options SHALL consist of the unencrypted options of the
      unprotected CoAP message (those not marked as E in Figure 2
      (Section 6.2)), and the Object-Security option.  The options shall
      be formatted as in a CoAP message (each Option with Options Header
      including delta to previous unencrypted Option).

   o  If the unprotected CoAP message has no Payload then the Object-
      Security option SHALL contain the SM.  If the unprotected CoAP
      message has Payload, then the Object-Security option SHALL be
      empty and the Payload of the CoAP message SHALL be the SM.

5.2.2.  Secure Message formatting

   The SM Header, Body and Tag are specified in Section 4.1 and
   Section 4.2.

   The Additional Authenticated Data SHALL consist of the following
   data, in this order:

   o  the SM Header;

   o  the two first bytes of the CoAP header (including Version and
      Code) with Type and Token Length bits set to 0;

   o  all CoAP options present which are marked as IP but not marked as
      E in Figure 2 (Section 6.2), in the order as given by the option
      number (each Option with Option Header including delta to previous
      IP-marked Option which is present); and

   o  the Transaction Identifier of the associated CoAP Request, if the
      message is a CoAP Response (see Section 4.1).

   The Plaintext SHALL consist of the following data, formatted as a
   CoAP message without Header consisting of:

   o  all CoAP Options present which are marked as E in Figure 2 (see
      Section 6.2), in the order as given by the Option number (each
      Option with Option Header including delta to previous E-marked
      Option); and

   o  the CoAP Payload, if present, and in that case prefixed by the
      one-byte Payload Marker (0xFF).

5.2.2.1.  Encryption and Decryption

   A CoAP endpoint protecting a CoAP message with the Object-Security
   option using a cipher suite for encryption and integrity protection
   SHALL generate a protected CoAP message and SM based on the



Selander, et al.         Expires April 21, 2016                [Page 11]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


   unprotected CoAP message as described in Section 5.2.1 and
   Section 5.2.2.  In addition, the sending endpoint SHALL process the
   Sequence Number as described in Section 7.

   A CoAP endpoint receiving a message containing the Object-Security
   option SHALL recreate the Additional Authenticated Data as described
   in Section 5.1.2 and verify the integrity of, and decrypt the message
   as defined by the cipher suite associated to the Context Identifier.
   In addition, the receiving endpoint SHALL process the Sequence Number
   as described in Section 7.

6.  Protected CoAP Message Fields

   The CoAP payload SHALL be integrity protected.  The CoAP payload
   SHOULD be encrypted by default.

   How CoAP Options and Header Fields shall be protected is described in
   the remainder of this section.

6.1.  Protected CoAP Header Fields

   This section describes which CoAP header fields are encrypted or
   integrity protected end-to-end in OSCOAP.

   The CoAP Message Layer parameters, Type and Message ID, as well as
   Token and Token Length may be changed by a proxy and thus SHALL
   neither be integrity protected nor encrypted.

   The Version and Code fields SHALL be integrity protected, see
   security considerations.

6.2.  Protected CoAP Options

   This section describes which CoAP options are encrypted and integrity
   protected, if present in the unprotected CoAP message.

   All CoAP options SHALL be encrypted by default, unless intended to be
   read by an intermediate node; and SHALL be integrity protected,
   unless intended to be changed by an intermediate node.

   However, some special considerations are necessary because CoAP
   defines certain legitimate proxy operations, because the security
   information itself may be transported as an option, and because
   different processing is performed depending on whether encryption is
   applied or not.

   The details are presented in Section 6.2.1 and Section 6.2.2, and
   summarized in Figure 2.



Selander, et al.         Expires April 21, 2016                [Page 12]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


   +-----+---+---+---+---+----------------+--------+--------+---+----+
   | No. | C | U | N | R | Name           | Format | Length | E | IP |
   +-----+---+---+---+---+----------------+--------+--------+---+----|
   |   1 | x |   |   | x | If-Match       | opaque | 0-8    | x | x  |
   |   3 | x | x | - |   | Uri-Host       | string | 1-255  |   | a  |
   |   4 |   |   |   | x | ETag           | opaque | 1-8    | x | x  |
   |   5 | x |   |   |   | If-None-Match  | empty  | 0      | x | x  |
   |   6 |   | x | - |   | Observe        | uint   | 0-3    |   |    |
   |   7 | x | x | - |   | Uri-Port       | uint   | 0-2    |   | a  |
   |   8 |   |   |   | x | Location-Path  | string | 0-255  | x | x  |
   |  11 | x | x | - | x | Uri-Path       | string | 0-255  | x | b  |
   |  12 |   |   |   |   | Content-Format | uint   | 0-2    | x | x  |
   |  14 |   | x | - |   | Max-Age        | uint   | 0-4    |   |    |
   |  15 | x | x | - | x | Uri-Query      | string | 0-255  | x | b  |
   |  17 | x |   |   |   | Accept         | uint   | 0-2    | x | x  |
   |  20 |   |   |   | x | Location-Query | string | 0-255  | x | x  |
   |  23 | x | x | - |   | Block2         | uint   | 0-3    |   |    |
   |  27 | x | x | - |   | Block1         | uint   | 0-3    |   |    |
   |  28 |   |   | x |   | Size2          | uint   | 0-4    | x | x  |
   |  35 | x | x | - |   | Proxy-Uri      | string | 1-1034 |   | i  |
   |  39 | x | x | - |   | Proxy-Scheme   | string | 1-255  |   | i  |
   |  60 |   |   | x |   | Size1          | uint   | 0-4    | x | x  |
   +-----+---+---+---+---+----------------+--------+--------+---+----+
        C=Critical, U=Unsafe, N=NoCacheKey, R=Repeatable,
        E=Encrypt, IP=Integrity Protect.

                Figure 2: Protected CoAP options in OSCOAP

   CoAP options marked "i" indicate that they are used as invariants in
   the authenticated data (AD/AAD) as described in Section 6.2.1.1 and
   Section 6.2.1.2.

   In case of Integrity Protection Only, options marked with "a" and "b"
   are composed into a URI as described in Section 6.2.1.2 and included
   as invariant in the Proxy-Uri option in the Authenticated Data.

   In case of Encryption and Integrity Protection, options marked "a"
   are composed into a URI as described in Section 6.2.2 and included as
   the Proxy-Uri option in the Additional Authenticated Data.  (Options
   marked "b" are included in the Plaintext.)

6.2.1.  Integrity Protection

   CoAP options which are not intended to be changed by an intermediate
   node MUST be integrity protected.

   o  CoAP options of the unprotected message which are Safe-to-Forward
      SHALL be integrity protected.  See Figure 2.



Selander, et al.         Expires April 21, 2016                [Page 13]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


   Note: The Object-Security option in itself is Safe-to-Forward but is
   added to the protected message.

   CoAP options which are intended to be modified by a proxy can be
   divided into two categories, those that are intended to change in a
   predictable way, and those which are not.  The following options are
   of the latter kind and SHALL NOT be integrity protected:

   o  Max-Age, Observe, Block1, Block2: These options may be modified by
      a proxy in a way that is not predictable for client and server.

   The remaining options may be modified by a proxy, but when they are,
   the change is predictable.  Therefore it is possible to define
   "invariants" which can be integrity protected.

6.2.1.1.  Proxy-Scheme

   A Forward Proxy is intended to replace the URI scheme with the
   content of the Proxy-Scheme option.  The Proxy-Scheme option is
   defined in this memo to be an invariant with respect to the following
   processing

   o  If there is a Proxy-Scheme present in the unprotected message,
      then the client SHALL integrity protect the Proxy-Scheme option.

   o  If there is no Proxy-Scheme option present the client SHALL
      include the Proxy-Scheme option in the authenticated data (AD/AAD)
      set to the URI scheme.  (The sent message does not include the
      Proxy-Scheme option.)

   o  The server SHALL insert the Proxy-Scheme option with the name of
      the URI scheme the message was received in the authenticated data
      (AD/AAD).

6.2.1.2.  Uri-*

   For options related to URI of resource (Uri-Host, Uri-Port, Uri-Path,
   Uri-Query, Proxy-Uri) a Forward Proxy is intended to replace the Uri-
   * options with the content of the Proxy-Uri option.

   The Proxy-Uri option is defined in this memo to be an invariant with
   respect to the following processing (applied to Integrity Protection
   only, for Encryption see next section):

   o  If there is a Proxy-Uri present, then the client MUST integrity
      protect the Proxy-Uri option and the Uri-* options MUST NOT be
      integrity protected.




Selander, et al.         Expires April 21, 2016                [Page 14]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


   o  If there is no Proxy-Uri option present, then the client SHALL
      compose the full URI from Uri-* options according to the method
      described in section 6.5 of [RFC7252].  The Authenticated Data
      contains the following options, modified compared to what is sent:

   o  All Uri-* options removed

   o  A Proxy-Uri option with the full URI included

   o  The server SHALL compose the URI from the Uri-* options according
      to the method described in section 6.5 of [RFC7252].  The so
      obtained URI is placed into a Proxy-Uri option, which is included
      in the Authenticated Data.

6.2.2.  Encryption

   All CoAP options MUST be encrypted, except the options below which
   MUST NOT be encrypted:

   o  Max-Age, Observe, Block1, Block2, Proxy-Uri, Proxy-Scheme: This
      information is intended to be read by a proxy.

   o  Uri-Host, Uri-Port: This information can be inferred from
      destination IP address and port.

   o  Object-Security: This is the security-providing option.

   In the case of encryption, the Proxy-Uri of the Additional
   Authenticated Data MUST only contain Uri-Host and Uri-Port and MUST
   NOT contain Uri-Path and Uri-Query because the latter options are not
   necessarily available to a Forward Proxy.

7.  Replay Protection and Freshness

   In order to protect from replay of messages and verify freshness of
   responses, a CoAP endpoint using object security SHALL maintain
   Sequence Numbers (SEQs) of sent and received Secure Messages (see
   Section 4.1), associated to the respective security context
   identified with the Context Identifier (CID).

7.1.  Replay Protection

   An endpoint SHALL maintain a SEQ for each security context it uses to
   receive messages, and one SEQ for each security context for
   protecting sent messages.  Depending on use case, an endpoint MAY
   maintain a sliding receive window for Sequence Numbers in received
   messages associated to each CID, equivalent to the functionality
   described in section 4.1.2.6 of [RFC6347].



Selander, et al.         Expires April 21, 2016                [Page 15]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


   Before composing a new message a sending endpoint SHALL step the SEQ
   of the associated CID.  However, if the Sequence Number counter
   wraps, the endpoint must first acquire a new CID and associated
   security context/key(s).  The latter is out of scope of this memo.

   A receiving endpoint SHALL verify that the Sequence Number received
   in the SM Header is greater than the Sequence Number of the
   associated CID (or within the sliding window and not previously
   received) and update the SEQ (window) accordingly.

7.2.  Freshness

   OSCOAP is a challenge-response protocol, where the response is
   verified to match a prior request by including the unique transaction
   identifier TID (concatenation of SEQ and CID) of the request in the
   integrity calculation of the response message.

   If a CoAP server receives a request with the Object-Security option,
   then the authenticated data (AD or AAD) of the response SHALL include
   the TID of the request as described in Section 5.1.2 and
   Section 5.2.2.

   If the CoAP client receives a response with the Object-Security
   option, then the client SHALL verify the integrity of the response
   using the TID of its own associated request in the authenticated data
   (AD or AAD) as described in Section 5.1.2 and Section 5.2.2.

8.  Security Considerations

   In scenarios with proxies, gateways, or caching, DTLS only protects
   data hop-by-hop meaning that these intermediary nodes can read and
   modify information.  The trust model where all participating nodes
   are considered trustworthy is problematic not only from a privacy
   perspective but also from a security perspective as the
   intermediaries are free to delete resources on sensors and falsify
   commands to actuators (such as "unlock door", "start fire alarm",
   "raise bridge").  Even in the rare cases where all the owners of the
   intermediary nodes are fully trusted, attacks and data breaches make
   such an architecture weak.

   DTLS protects the entire CoAP message including Header, Options and
   Payload, whereas OSCOAP protects the payload and message fields
   described in Section 6.1 and Section 6.2.  The cost for DTLS
   providing this protection is the overhead in e.g. additional
   messages, processing, memory incurred by the DTLS Handshake protocol,
   which can be omitted in use cases where key establishment can be
   provided by other means.




Selander, et al.         Expires April 21, 2016                [Page 16]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


   CoAP specifies how messages should be acknowledged on message layer.
   The CoAP message layer, however, cannot be protected by application
   layer security end-to-end since the parameters Type and Message ID,
   as well as Token and Token Length may be changed by a proxy.
   Moreover, messages that are not possible to verify should for
   security reasons not always be acknowledged but in some cases be
   silently dropped.  This would not comply with CoAP message layer, but
   does not have an impact on the object security solution, since
   message layer is excluded from that.

   The CoAP Header field Code needs to be integrity protected end-to-
   end.  For example, if a malicous man-in-the-middle would replace the
   client requested GET with a DELETE, this must be detected by the
   server.  The CoAP Header field Version needs also to be integrity
   protected to prevent from potential cross-version attacks, such as
   bidding-down.

   Blockwise transfers as defined [I-D.ietf-core-block] cannot be
   protected with application layer security end-to-end because the
   Block1/Block2 options may be changed in an unpredictable way by an
   intermediate node.

   However, it is possible to define end-to-end block options analogous
   to Block1 and Block2 which are safe-to-forward, integrity protected
   and not supposed to be changed by intermediate devices.  With such an
   option each individual block can be securely verified by the
   receiver, retransmission securely requested etc.  Since the blocks
   are enumerated sequentially and carry information about last block,
   when all blocks have been securely received, this proves that the
   entire message has been securely transferred.

   The Observe option cannot be integrity protected since it is allowed
   to change in an unpredictable way.  But since message sequence
   numbers are integrity protected a client
   can verifies that a GET response has not been received before.

   The use of sequence numbers for replay protection introduces the
   problem related to wrapping of the counter.  The alternatives also
   have issues: very constrained devices may not be able to support
   accurate time or generate and store large numbers of random nonces.
   The requirement to change key at counter wrap is a complication, but
   it also forces the user of this specification to think about
   implementing key renewal.

   This specification needs to be complemented with a procedure whereby
   the client and the server establish the keys used for wrapping and
   unwrapping the Secure Message.  One way to address key establishment
   is to assume that there is a trusted third party which can support



Selander, et al.         Expires April 21, 2016                [Page 17]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


   client and server, such as the Authorization Server in
   [I-D.ietf-ace-actors].  The Authorization Server may, for example,
   authenticate the client on behalf of the server, or provide
   cryptographic keys or credentials to the client and/or server which
   can be use to derive the keys used in the Secure Message exchange.
   Similarly, the Authorization Server may, on behalf of the server,
   notify the client of server supported ciphers, in order to facilitate
   the usage of OSCOAP in deployments with multiple supported
   cryptographic algorithms.

   The security contexts required are different for different cipher
   suites.  For an AEAD or SEAS it is required to have a unique
   Initialization Vector for each message, for which the Sequence Number
   is used.  The Initialization Vector SHALL be the concatenation of a
   Salt (4 bytes unsigned integer) and the Sequence Number.  The Salt
   SHOULD be established between sender and receiver before the message
   is sent, to avoid the overhead of sending it in each message.  For
   example, the Salt may be established by the same means as keys are
   established.

9.  Privacy Considerations

   End-to-end integrity protection provides certain privacy properties,
   e.g. protection of communication with sensor and actuator from
   manipulation which may affect the personal sphere.  End-to-end
   encryption of payload and certain CoAP options provides additional
   protection as to the content and nature of the message exchange.

   The headers sent in plaintext allow for example matching of CON and
   ACK (CoAP Message Identifier), matching of request and response
   (Token).  Plaintext options could also reveal information, e.g.
   lifetime of measurement (Max-age), or that this message contains one
   data point in a sequence (Observe).

10.  IANA Considerations

   Note to RFC Editor: Please replace all occurrences of "[this
   document]" with the RFC number of this specification.

   The following entry is added to the CoAP Option Numbers registry:

   +--------+-----------------+-------------------+
   | Number | Name            |     Reference     |
   +--------+-----------------+-------------------+
   |  TBD   | Object-Security | [[this document]] |
   +--------+-----------------+-------------------+





Selander, et al.         Expires April 21, 2016                [Page 18]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


   This document registers the following value in the CoAP Content
   Format registry established by [RFC7252].

   Media Type: application/oscon

   Encoding: -

   Id: 70

   Reference: [this document]

11.  Acknowledgments

   Klaus Hartke has independently been working on the same problem and a
   similar solution: establishing end-to-end security across proxies by
   adding a CoAP option.  We are grateful to Malisa Vucinic for
   providing helpful and timely reviews of new versions of the draft.

12.  References

12.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/
              RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
              January 2012, <http://www.rfc-editor.org/info/rfc6347>.

   [RFC7252]  Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
              Application Protocol (CoAP)", RFC 7252, DOI 10.17487/
              RFC7252, June 2014,
              <http://www.rfc-editor.org/info/rfc7252>.

   [RFC7258]  Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
              Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May
              2014, <http://www.rfc-editor.org/info/rfc7258>.

   [RFC7515]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web
              Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May
              2015, <http://www.rfc-editor.org/info/rfc7515>.

   [RFC7516]  Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)",
              RFC 7516, DOI 10.17487/RFC7516, May 2015,
              <http://www.rfc-editor.org/info/rfc7516>.




Selander, et al.         Expires April 21, 2016                [Page 19]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


12.2.  Informative References

   [I-D.ietf-ace-actors]
              Gerdes, S., Seitz, L., Selander, G., and C. Bormann, "An
              architecture for authorization in constrained
              environments", draft-ietf-ace-actors-02 (work in
              progress), September 2015.

   [I-D.ietf-ace-usecases]
              Seitz, L., Gerdes, S., Selander, G., Mani, M., and S.
              Kumar, "ACE use cases", draft-ietf-ace-usecases-09 (work
              in progress), October 2015.

   [I-D.ietf-core-block]
              Bormann, C. and Z. Shelby, "Block-wise transfers in CoAP",
              draft-ietf-core-block-18 (work in progress), September
              2015.

   [I-D.ietf-cose-msg]
              Schaad, J. and B. Campbell, "CBOR Encoded Message Syntax",
              draft-ietf-cose-msg-05 (work in progress), September 2015.

   [I-D.seitz-ace-core-authz]
              Seitz, L., Selander, G., and M. Vucinic, "Authorization
              for Constrained RESTful Environments", draft-seitz-ace-
              core-authz-00 (work in progress), June 2015.

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2", FYI
              36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
              <http://www.rfc-editor.org/info/rfc4949>.

   [RFC5652]  Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
              RFC 5652, DOI 10.17487/RFC5652, September 2009,
              <http://www.rfc-editor.org/info/rfc5652>.

   [RFC7228]  Bormann, C., Ersue, M., and A. Keranen, "Terminology for
              Constrained-Node Networks", RFC 7228, DOI 10.17487/
              RFC7228, May 2014,
              <http://www.rfc-editor.org/info/rfc7228>.

   [RFC7231]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Semantics and Content", RFC 7231, DOI
              10.17487/RFC7231, June 2014,
              <http://www.rfc-editor.org/info/rfc7231>.







Selander, et al.         Expires April 21, 2016                [Page 20]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


Appendix A.  COSE Profile of SM

   This section defines a profile of the 05-version of COSE
   [I-D.ietf-cose-msg] complying with the Secure Message format (see
   Section 4) and supporting the two scopes of object security OSCOAP
   and OSCON (Appendix C).  In the last subsection we elaborate on
   possible optimizations.

   o  The "COSE_MSG" top level object as defined in COSE corresponds to
      the Secure Message object.

   o  The "msg_type" parameter corresponds to the Secure Message type,
      as defined in Section 4.2.  Depending on the use case, this field
      can take the values msg_type_mac, msg_type_signed or
      msg_type_encryptData.

   o  The "Header" field of the COSE object corresponds to the Header
      field of the Secure Message.

      *  The "protected" field includes:

         +  the new "seq" parameter corresponding to the parameter
            Sequence Number of the Secure Message (see Section 4.1).

      *  The "unprotected" field is empty.

A.1.  Integrity Protection Only

   When Integrity Protection only needs to be provided, the Secure
   Message object corresponds to a COSE_MSG with msg_type equal to
   msg_type_signed (COSE_Sign) or msg_type_mac (COSE_mac).

   The Externally Supplied Data ("external_aad" field), as defined in
   Section 4.1 of [I-D.ietf-cose-msg] include the Authenticated Data as
   defined in Section 5.1.2 with the exception of SM Header and CoAP
   Payload.

A.1.1.  COSE_Sign

   A COSE_MSG of type COSE_Sign is a Secure Message if its fields are
   defined as follows (see example in Appendix B.2).

   The "Headers" field of COSE_Sign as defined in Appendix A.

   The "payload" field contains the CoAP Payload (if any).

   The "signatures" array contains one "COSE_signature" item.  The
   "Headers" field of the COSE_signature object is defined as follows:



Selander, et al.         Expires April 21, 2016                [Page 21]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


   o  The "protected" field includes:

      *  the new "cid" parameter which corresponds to the parameter
         Context Identifier of the Secure Message (see Section 4.1);

   o  The "unprotected" field is empty.

   The "signature" field contains the computed signature value as
   described in Section 4.2 of [I-D.ietf-cose-msg].

   A Secure Message with digital signature and Detached Content
   corresponds to COSE_sign with "Headers" and "signatures" fields; i.e.
   no "payload" field.

A.1.2.  COSE_mac

   A COSE_MSG of type COSE_mac is a Secure Message if its fields are
   defined as follows (see example in Appendix B.1).

   The "Headers" field of COSE_mac as defined in Appendix A.

   The "payload" field contains the CoAP Payload (if any).

   The "tag" field contains the MAC value, computed as defined in
   Section 6.1 of [I-D.ietf-cose-msg].

   The "recipients" array contains one "COSE_recipient" item (section 5
   of [I-D.ietf-cose-msg]).  The "COSE_recipient" item contains one
   "COSE_encrypt_fields" object.  The "Headers" field of the
   COSE_encrypt_fields object is defined as follows:

   o  The "protected" field includes:

      *  the new "cid" parameter which corresponds to the parameter
         Context Identifier of the Secure Message (see Section 4.1);

   o  The "unprotected" field is empty.

   A Secure Message with MAC and Detached Content corresponds to a
   COSE_sign with "Headers", "recipients" and "tag" fields; i.e. no
   "payload" field.

A.2.  Encryption and Integrity Protection: COSE_enveloped

   When Encryption and Integrity Protection need to be provided, the
   Secure Message object corresponds to a COSE_MSG with msg_type equal
   to msg_type_enveloped (COSE_enveloped).




Selander, et al.         Expires April 21, 2016                [Page 22]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


   The Additional Authenticated Data ("Enc_structure") as described is
   Section 5.3 of [I-D.ietf-cose-msg] is defined in Section 5.2.2: * the
   "protected" parameters includes the SM Header; * the "external_aad"
   includes the other fields (CoAP Version, Code, Options to integrity
   protect and TID).

   The plain text, as mentioned in Sections 5.3 and 5.4 of
   [I-D.ietf-cose-msg] is defined in Section 5.2.2 and contains CoAP
   Options to encrypt and the CoAP Payload.

   A COSE_MSG of type COSE_enveloped [I-D.ietf-cose-msg] is a Secure
   Message if its fields are defined as follows (see example in
   Appendix B.3).

   The "Headers" field of COSE_encrypt_fields item as defined in
   Appendix A.

   The "ciphertext" field is encoded as a nil type, following the
   specifications in Section 5.1 of [I-D.ietf-cose-msg].

   The "recipients" array contains one "COSE_recipient" item
   (Section 5.1 of [I-D.ietf-cose-msg]).  The "COSE_recipient" item
   contains one "COSE_encrypt_fields" object.  The "Headers" field of
   the COSE_encrypt_fields object is defined as follows:

   o  The "protected" field includes:

      *  the new "cid" parameter which corresponds to the parameter
         Context Identifier of the Secure Message (see Section 4.1);

   o  The "unprotected" field is empty.

   The "ciphertext" field of the COSE_encrypt_fields object contains the
   encrypted plain text, as defined in section 5 of [I-D.ietf-cose-msg].

A.3.  COSE Optimizations

   For constrained environments it is important that the message
   expansion due to security overhead is kept at a minimum.

   This section lists potential optimizations of COSE
   [I-D.ietf-cose-msg] for the purpose of reducing message size and
   improving performance in constrained node networks.  The message
   sizes resulting from the first four optimizations are presented in
   Appendix B (as "modified COSE").

   1.  The first improvement proposed is to flatten the structure of the
       COSE_msg, following the Encrypted COSE structure defined in



Selander, et al.         Expires April 21, 2016                [Page 23]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


       Section 5.2 of [I-D.ietf-cose-msg].  In fact, there is little
       need to support multiple signatures or recipients in the use
       cases targeting the most constrained devices.  Two different
       structures inspired by the COSE_encryptData are defined: COSE_ip
       and COSE_en.  COSE_ip is used for the Integrity Protection Only
       use case (Section 5.1), COSE_en is used for Encryption
       (Section 5.2).

   2.  In general, the security context defines uniquely the cipher
       suite, and hence the "alg" parameter of COSE_msg can be removed.

   3.  The "unprotected" field is not used since it is assumed that all
       parameters should be protected when possible.  Thus the "Headers"
       structure can be flattened into a "protectedHeader" field,
       containing the "cid" parameter and the "seq" parameter.

   4.  Analogous to other key values, one-byte keys/labels can be
       assigned to the new parameters defined in this document and
       cipher suites adapted to constrained device processing.  For
       example: "cid" = 11 and "seq" = 12.

   5.  Digitally signed messages have the largest absolute overhead due
       to the size of the signature (see Appendix B.2 and Appendix B.4).
       Whereas certain MACs can be securely truncated, signatures
       cannot.  Signature schemes with message recovery allow some
       remedy since they allow part of the message to be recovered from
       the signature itself and thus need not be sent.  The effective
       size of the signature could in this way be considerably reduced,
       which would have a large impact on the message size (compare size
       of signature and total overhead in Figure 5 and Figure 6).  A
       valuable optimization would thus be to support signature schemes
       with message recovery.

   Combining the first 4 points, the resulting structures and their
   fields are defined as follows: COSE_ip top level object corresponds
   to the Secure Message object.

   o  The "msg_type" parameter takes a new value,
      msg_type_integrityprotection=5.

   o  The "protectedHeader" field, analogous to the "protected" field of
      the "Headers", includes:

      *  the new "cid" parameter which corresponds to the parameter
         Context Identifier of the Secure Message (see Section 4.1);

      *  the new "seq" parameter corresponding to the parameter Sequence
         Number of the Secure Message (see Section 4.1).



Selander, et al.         Expires April 21, 2016                [Page 24]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


   o  The "payload" field (as described in Appendix A.1.1 and
      Appendix A.1.2).

   o  The "tag" field (as described in Appendix A.1.1 and
      Appendix A.1.2).

   COSE_en top level object corresponds to the Secure Message object.

   o  The "msg_type" parameter takes a new value, msg_type_encryption=6.

   o  The "protectedHeader" field, analogous to the "protected" field of
      the "Headers", includes:

      *  the new "cid" parameter which corresponds to the parameter
         Context Identifier of the Secure Message (see Section 4.1);

      *  the new "seq" parameter corresponding to the parameter Sequence
         Number of the Secure Message (see Section 4.1).

   o  The "ciphertext" field (as described in Appendix A.2).

   o  The "tag" field contains the tag value in case Integrity
      Protection is also provided.

Appendix B.  Comparison of message sizes

   This section gives some examples of overhead incurred with the
   current proposal for COSE at the time of writing [I-D.ietf-cose-msg].
   Message sizes are also listed for a modified version of COSE
   implementing some of the optimizations described in Appendix A.3 and
   for a lower bound CBOR encoding of the Secure Message with structure
   [seq, cid, body, tag].

   Motivated by the use cases, there are four different kinds of
   protected messages that need to be supported: message authentication
   code, digital signature, authenticated encryption, and symmetric
   encryption + digital signature.  The latter is relevant e.g. for
   proxy-caching and publish-subscribe with untrusted intermediary (see
   Appendix D.2).  The sizes estimated for selected algorithms are
   detailed in the subsections.

   The size of the header is shown separately from the size of the MAC/
   signature.  An 8-byte Context Identifier and a 3-byte Sequence Number
   are used throughout all examples, with these value:

   o  cid: 0xa1534e3c5fdc09bd

   o  seq: 0x112233



Selander, et al.         Expires April 21, 2016                [Page 25]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


   For each scheme, we indicate the fixed length of these two parameters
   ("seq+cid" column) and of the tag ("MAC"/"SIG"/"TAG").  The "Total
   Size" column shows the total Secure Message size, while the
   "Overhead" column is calculated from the previous columns following
   this equation:

   Overhead = Total Size - (MAC + seq+cid)

   This means that overhead incurring from CBOR encoding is also
   included in the Overhead count.

   To make it easier to read, COSE objects are represented using CBOR's
   diagnostic notation rather than a binary dump.

B.1.  MAC Only

   This example is based on HMAC-SHA256, with truncation to 16 bytes.

   The object in COSE encoding gives:

   [
     3,                                       # msg_type
     h'a201046373657143112233',               # protected:
                                                {1: 4,
                                                "seq": h'112233'}
     {},                                      # unprotected
     h'',                                     # payload
     MAC,                                     # truncated 16-byte MAC
     [                                        # recipients
       [                                      # recipient structure
         h'',                                 # protected
         {1:-6, "cid":h'a1534e3c5fdc09bd'},   # unprotected
         h''                                  # ciphertext
       ]
     ]
   ]

   The COSE object encodes to a total size of 53 bytes.

   In the modified version of COSE defined in Appendix A.3, the
   equivalent COSE object would be:










Selander, et al.         Expires April 21, 2016                [Page 26]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


   [
     5,                                       # msg_type
     h'a20b48a1534e3c5fdc09bd0c43112233',     # protected:
                                                {11:h'a1534e3c5fdc09bd',
                                                 12:h'112233'}
     h'',                                     # payload
     MAC                                      # truncated 16-byte MAC
   ]

   This modified COSE object encodes to a total size of 37 bytes.

   The low-bound CBOR encoding of this same object is encoded by:

   [
     h'112233',                               # seq
     h'a1534e3c5fdc09bd',                     # cid
     h'',                                     # payload
     MAC                                      # truncated 16-byte MAC
   ]

   This object encodes to a total size of 32 bytes.

   Figure 3 summarizes these results.

                   +--------+---------+------+------------+----------+
                   | Scheme | seq+cid |  MAC | Total Size | Overhead |
                   +--------+---------+------+------------+----------+
                   |  COSE  |   11 B  | 16 B |  53 bytes  | 26 bytes |
                   +--------+---------+------+------------+----------+
                   |mod-COSE|   11 B  | 16 B |  37 bytes  | 10 bytes |
                   +--------+---------+------+------------+----------+
                   |  bound |   11 B  | 16 B |  32 bytes  |  5 bytes |
                   +--------+---------+------+------------+----------+

   Figure 3: Comparison of COSE, modified COSE and CBOR lower bound for
                               HMAC-SHA256.

B.2.  Signature Only

   This example is based on ECDSA, with a signature of 64 bytes.

   The object in COSE encoding gives:









Selander, et al.         Expires April 21, 2016                [Page 27]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


   [
     1,                                       # msg_type
     h'a16373657143112233',                   # protected:
                                                {"seq": h'112233'}
     {},                                      # unprotected
     h'',                                     # payload
     [                                        # signatures
       [                                      # signature structure
         h'a201266363696448a1534e3c5fdc09bd', # protected:
                                                {1: -7,
                                              "cid":h'a1534e3c5fdc09bd'}
         {},                                  # unprotected
         SIG                                  # 64-byte signature
       ]
     ]
   ]

   The COSE object encodes to a total size of 100 bytes.

   In the modified version of COSE defined in Appendix A.3, the
   equivalent COSE object would be:

   [
     5,                                       # msg_type
     h'a20b48a1534e3c5fdc09bd0c43112233',     # protected:
                                                {11:h'a1534e3c5fdc09bd',
                                                 12:h'112233'}
     h'',                                     # payload
     SIG                                      # 64-byte signature
   ]

   The COSE object encodes to a total size of 86 bytes.

   The low-bound CBOR encoding of this same object is encoded by:

   [
     h'112233',                               # seq
     h'a1534e3c5fdc09bd',                     # cid
     h'',                                     # payload
     SIG                                      # 64-byte signature
   ]

   This object encodes to a total size of 81 bytes.

   Figure 4 summarizes these results.






Selander, et al.         Expires April 21, 2016                [Page 28]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


                   +--------+---------+------+------------+----------+
                   | Scheme | seq+cid |  SIG | Total Size | Overhead |
                   +--------+---------+------+------------+----------+
                   |  COSE  |   11 B  | 64 B | 100 bytes  | 25 bytes |
                   +--------+---------+------+------------+----------+
                   |mod-COSE|   11 B  | 64 B |  86 bytes  | 11 bytes |
                   +--------+---------+------+------------+----------+
                   |  bound |   11 B  | 64 B |  81 bytes  |  6 bytes |
                   +--------+---------+------+------------+----------+

   Figure 4: Comparison of COSE, modified COSE and CBOR lower bound for
                         64 byte ECDSA signature.

B.3.  Authenticated Encryption with Additional Data (AEAD)

   This example is based on AES-128-CCM-8.

   It is assumed that the IV is generated from the Sequence Number and
   some previously agreed upon Salt.  This means it is not required to
   explicitly send the whole IV in the message.

   The object in COSE encoding gives:

   [
     2,                                       # msg_type
     h'a201046373657143112233',               # protected:
                                                {1: 4,
                                                "seq": h'112233'}
     {},                                      # unprotected
     TAG,                                     # 8byte authentication tag
     [                                        # recipients
       [                                      # recipient structure
         h'',                                 # protected
         {1:-6, "cid":h'a1534e3c5fdc09bd'},   # unprotected
         h''                                  # ciphertext
       ]
     ]
   ]

   The COSE object encodes to a total size of 44 bytes.

   In the modified version of COSE defined in Appendix A.3, the
   equivalent COSE object would be:








Selander, et al.         Expires April 21, 2016                [Page 29]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


   [
     6,                                       # msg_type
     h'a20b48a1534e3c5fdc09bd0c43112233',     # protected:
                                                {11:h'a1534e3c5fdc09bd',
                                                 12:h'112233'}
     h'',                                     # ciphertext
     TAG                                      # 8byte authentication tag
   ]

   The modified COSE object encodes to a total size of 29 bytes.

   The low-bound CBOR encoding of this same object is encoded by:

   [
     h'112233',                               # seq
     h'a1534e3c5fdc09bd',                     # cid
     h'',                                     # ciphertext
     TAG                                      # 8byte authentication tag
   ]

   This object encodes to a total size of 24 bytes.

   Figure 5 summarizes these results.

                   +--------+---------+-----+------------+----------+
                   | Scheme | seq+cid | TAG | Total Size | Overhead |
                   +--------+---------+-----+------------+----------+
                   |  COSE  |   11 B  | 8 B |  44 bytes  | 25 bytes |
                   +--------+---------+-----+------------+----------+
                   |mod-COSE|   11 B  | 8 B |  29 bytes  | 10 bytes |
                   +--------+---------+-----+------------+----------+
                   |  bound |   11 B  | 8 B |  24 bytes  |  5 bytes |
                   +--------+---------+-----+------------+----------+

   Figure 5: Comparison of COSE, modified COSE and CBOR lower bound for
                                 AES-CCM.

B.4.  Symmetric Encryption with Asymmetric Signature (SEAS)

   This example is based on AES-128-CTR and ECDSA with 64 bytes
   signature.  COSE requires this to be a nested encapsulation of one
   object into another, here illustrated with a digitally signed AEAD
   protected object.

   The object in COSE encoding gives:






Selander, et al.         Expires April 21, 2016                [Page 30]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


   [
     1,                                       # msg_type
     h'a16373657143112233',                   # protected:
                                                {"seq": h'112233'}
     {},                                      # unprotected
     h'85024ba2010a6373657143112233a04081834
     0a201256363696448a1534e3c5fdc09bd40',    # payload:
                                           [2,
                                       h'a2010a6373657143112233',
                                       {}, h', [[h'',
                                       {1: -6,
                                            "cid": h'a1534e3c5fdc09bd'
                                            }, h'']]]
     [                                        # signatures
       [                                      # signature structure
         h'a201266363696448a1534e3c5fdc09bd', # protected:
                                                {1: -7,
                                              "cid":h'a1534e3c5fdc09bd'}
         {},                                  # unprotected
         SIG                                  # 64-byte signature
       ]
     ]
   ]

   The COSE object encodes to a total size of 134 bytes.

   In the modified version of COSE defined in Appendix A.3, the
   equivalent COSE object would be:

   [
     6,                                       # msg_type
     h'a20b48a1534e3c5fdc09bd0c43112233',     # protected:
                                                {11:h'a1534e3c5fdc09bd',
                                                 12:h'112233'}
     h'',                                     # ciphertext
     SIG                                      # 64-byte signature
   ]

   This modified COSE object encodes to a total size of 86 bytes.

   The low-bound CBOR encoding of this same object is encoded by:

   [
     h'112233',                               # seq
     h'a1534e3c5fdc09bd',                     # cid
     h'',                                     # ciphertext
     SIG                                      # 64-byte signature
   ]



Selander, et al.         Expires April 21, 2016                [Page 31]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


   This object encodes to a total size of 81 bytes.

   Figure 6 summarizes these results.

                   +--------+---------+------+------------+----------+
                   | Scheme | seq+cid |  SIG | Total Size | Overhead |
                   +--------+---------+------+------------+----------+
                   |  COSE  |   11 B  | 64 B | 134 bytes  | 59 bytes |
                   +--------+---------+------+------------+----------+
                   |mod-COSE|   11 B  | 64 B |  86 bytes  | 11 bytes |
                   +--------+---------+------+------------+----------+
                   |  bound |   11 B  | 64 B |  81 bytes  |  6 bytes |
                   +--------+---------+------+------------+----------+

      Figure 6: Comparison of nested AES-CCM within ECDSA (COSE) and
         combined AES-ECDSA (modified COSE and CBOR lower bound).

Appendix C.  Object Security of Content (OSCON)

   In this section we define how to only protect the payload/content of
   individual messages using the Secure Message format (Section 4) to
   comply with the requirements 1 and 2 in Section 2.  This is referred
   to as Object Security of Content (OSCON).

   Note that by only protecting the content of a message it may be
   verified by multiple recipients.  For example, in the case of a proxy
   that supports caching, a recent response for a certain resource can
   be cached and used to serve multiple clients.  Or, in a publish-
   subscribe setting, multiple subscribers can be served the same
   publication.  The use of content protection also decouples the
   binding to the underlying transfer protocol, so the same protected
   content object can be freely move between CoAP, HTTP, BlueTooth or
   whatever application layer protocol.

   The use of OSCON is signaled with the Content-Format/Media Type set
   to application/oscon (Section 10).  Since the actual format of the
   content which is protected is lost, that information needs to be
   added to the message header or known to the recipient.

   The sending endpoint SHALL wrap the Payload, and the receiving
   endpoint unwrap the Payload in the SM format as described in this
   section.  A CoAP client MAY request a response in the OSCON format by
   setting the option Accept to application/oscon.

   In case of cipher suite for integrity protection only, the
   Authenticated Data SHALL be the concatenation of the SM Header and
   the CoAP Payload.  If case of cipher suite for both encryption and
   integrity protection, then the AAD SHALL be the SM Header and the



Selander, et al.         Expires April 21, 2016                [Page 32]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


   Plaintext SHALL be the CoAP Payload.  By default, cipher suites for
   encryption and integrity protection SHALL be used.

   The SM SHALL be protected (encrypted) and verified (decrypted) as
   described in Section 5.1.3 (Section 5.2.2.1), including replay
   protection as described in Section 7.1.

   Whereas in OSCOAP, the Context Identifier of the SM Header
   (Section 4.1) typically identifies the sending party, with OSCON
   (Appendix C) the Context Identifier may well identify the sender and
   resource.

C.1.  Security Considerations of OSCON

   OSCON (Appendix C) only protects payload and only gives replay
   protection (not freshness of response), but allows additional use
   cases such as point to multi-point interactions including publish-
   subscribe, reverse proxies and proxy caching of responses.  In case
   of symmetric keys the receiver does not get data origin
   authentication, which requires a digital signature using a private
   asymmetric key.

   OSCON SHALL NOT be used in cases where CoAP header fields (such as
   Code or Version) or CoAP options need to be integrity protected.  The
   request for a response in OSCON using the CoAP option Accept set to
   "application/oscon" is not secured since OSCON does not integrity
   protect any options.  Hence the exchange of OSCON request-response
   messages is vulnerable to a man-in-the-middle attack where response
   is exchanged for another response, but since there is replay
   protection only messages with higher sequence numbers will be
   accepted.

   Blockwise transfers in CoAP as defined in [I-D.ietf-core-block] can
   be applied with OSCON, i.e. the entire payload is encapsulated in a
   Secure Message which is partitioned into blocks which are sent with
   unprotected CoAP.  The receiver is able to verify the integrity of
   the payload but only after the last block containing the signature/
   MAC is received, and if the verification fails the entire message
   needs to be resent.  However, if the verification succeeds, then the
   transmission in OSCON has less computational and packet overhead
   since only one signature/MAC was generated and sent.  As CoAP
   blockwise transfer with OSCON is prone to Denial of Service attacks,
   it should only be used for exchanges where this threat can be
   mitigated, for example within a local area network where link-layer
   security is activated.






Selander, et al.         Expires April 21, 2016                [Page 33]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


Appendix D.  Examples

   This section gives examples of how to use the Object-Security option
   and the message formats defined in this memo.

D.1.  CoAP Message Protection

   This section illustrates Object Security of CoAP (OSCOAP).  The
   message exchange assumes there is a security context established
   between client and server.  One key is used for each direction of the
   message transfer.  The intermediate node detects that the CoAP
   message contains an OSCOAP object (Object-Security option is set) and
   thus forwards the message as it cannot serve a cached response.

D.1.1.  Integrity Protection of CoAP Message Exchange

   Here is an example of a PUT request/response message exchange passing
   an intermediate node protected with the Object-Security option.  The
   example illustrates a client closing a lock (PUT 1) and getting a
   confirmation that the lock is closed.  Code, Uri-Path and Payload of
   the request and Code of the response are integrity protected (and
   other message fields, see Section 6.1 and Section 6.2).





























Selander, et al.         Expires April 21, 2016                [Page 34]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


   Client  Proxy  Server
      |      |      |
      |      |      |
      |      |      |
      +----->|      |      Code: 0.03 (PUT)
      | PUT  |      |     Token: 0x8c
      |      |      |  Uri-Path: lock
      |      |      |  Object-Security:
      |      |      |   Payload: ["seq":"142",
      |      |      |            "cid":"a1534e3c5fdc09bd", 1, <Tag>]
      |      |      |
      |      +----->|      Code: 0.03 (PUT)
      |      | PUT  |    Token: 0x7b
      |      |      |  Uri-Path: lock
      |      |      |  Object-Security:
      |      |      |   Payload: ["seq":"142",
      |      |      |            "cid":"a1534e3c5fdc09bd", 1, <Tag>]
      |      |      |
      |      |<-----+      Code: 2.04 (Changed)
      |      | 2.04 |     Token: 0x7b
      |      |      |   Object-Security: ["seq":"a6",
      |      |      |            "cid":"5fdc09bda1534e3c", , <Tag>]
      |      |      |
      |<-----+      |      Code: 2.04 (Changed)
      | 2.04 |      |     Token: 0x8c
      |      |      |   Object-Security: ["seq":"a6",
      |      |      |            "cid":"5fdc09bda1534e3c", , <Tag>]
      |      |      |

                 Figure 7: CoAP PUT protected with OSCOAP

   Since the request message (PUT) supports payload, the OSCOAP object
   is carried in the CoAP payload.  Since the response message (Changed)
   does not supports payload the Object-Security option carries the
   OSCOAP object.

   The Header contains Sequence Number ("seq":"a6") and Context
   Identifier ("cid":"5fdc09bda1534e3c"), the latter is an identifier
   indicating which security context was used to integrity protect the
   message, and may be used as an identifier for a secret key or a
   public key.  (It may e.g. be the hash of a public key.)

   The server and client can verify that the Sequence Number has not
   been received and used with this key before.  With OSCOAP, the client
   additionally verifies the freshness of the response, i.e. that the
   response message is generated as an answer to the received request
   message (see Section 7).




Selander, et al.         Expires April 21, 2016                [Page 35]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


   This example deviates from encryption by default (see Section 8) just
   to illustrate the case of Integrity Protection only.  If there is no
   compelling reason why the CoAP message should be in plaintext, then
   it MUST be encrypted.

D.1.2.  Additional Encryption of CoAP Message

   Here is an example of a GET request/response message exchange passing
   an intermediate node protected with the Enc option.  The example
   illustrates a client requesting a blood sugar measurement resource
   (GET /glucose) and receiving the value 220 mg/dl.  Uri-Path and
   Payload are encrypted and integrity protected.  Code is integrity
   protected only (see Section 6.1 and Section 6.2).

   Client  Proxy  Server
      |      |      |
      |      |      |
      |      |      |
      +----->|      |      Code: 0.01 (GET)
      | GET  |      |     Token: 0x83
      |      |      |   Object-Security: ["seq":"15b7",
      |      |      |            "cid":"34e3c5fdca1509bd",
      |      |      |            {"glucose"}, <Tag>]
      |      |      |
      |      +----->|      Code: 0.01 (GET)
      |      | GET  |     Token: 0xbe
      |      |      |   Object-Security: ["seq":"15b7",
      |      |      |            "cid":"34e3c5fdca1509bd",
      |      |      |            {"glucose"}, <Tag>]
      |      |      |
      |      |      |
      |      |<-----+      Code: 2.05 (Content)
      |      | 2.05 |     Token: 0xbe
      |      |      |   Object-Security:
      |      |      |   Payload: ["seq":"32c9",
      |      |      |            "cid":"c09bda155fd34e3c",
      |      |      |            {220}, <Tag>]
      |      |      |
      |<-----+      |      Code: 2.05 (Content)
      | 2.05 |      |     Token: 0x83
      |      |      |   Object-Security:
      |      |      |   Payload: ["seq":"32c9",
      |      |      |            "cid":"c09bda155fd34e3c",
      |      |      |            {220}, <Tag>]
      |      |      |

      Figure 8: CoAP GET protected with OSCOAP.  The bracket { ... }
                         indicates encrypted data.



Selander, et al.         Expires April 21, 2016                [Page 36]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


   Since the request message (GET) does not support payload, the OSCOAP
   object is carried in the Object-Security option.  Since the response
   message (Content) supports payload, the Object-Security option is
   empty and the OSCOAP object is carried in the payload.

   The Context Identifier is a hint to the receiver indicating which
   security context was used to encrypt and integrity protect the
   message, and may be used as an identifier for the AEAD secret key.
   One key is used for each direction of the message transfer.

   The server and client can verify that the Sequence Number has not
   been received and used with this key before, and the client
   additionally verifies the freshness of the response, i.e.  that the
   response message is generated as an answer to the received request
   message (see Section 7).

D.2.  Payload Protection

   This section gives examples that illustrate Object Security of
   Content (OSCON), see Appendix C).  The assumption here is that only
   the intended receiver(s) has the relevant security context related to
   the resource.  In case of a closed group of recipients of the same
   object, e.g. in Information-Centric Networking or firmware update
   distribution, it may be necessary to support symmetric key encryption
   in combination with digital signature.

D.2.1.  Proxy Caching

   This example outlines how a proxy forwarding request and response of
   one client can cache a response whose payload is a OSCON object, and
   serve this response to another client request, such that both clients
   can verify integrity and non-replay.



















Selander, et al.         Expires April 21, 2016                [Page 37]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


   Client1 Proxy  Server

      |      |      |
      |      |      |
      +----->|      |      Code: 0.01 (GET)
      | GET  |      |     Token: 0x83
      |      |      | Proxy-Uri: example.com/temp
      |      |      |
      |      |      |
      |      +----->|      Code: 0.01 (GET)
      |      | GET  |     Token: 0xbe
      |      |      |  Uri-Host: example.com
      |      |      |  Uri-Path: temp
      |      |      |
      |      |      |
      |      |<-----+      Code: 2.05 (Content)
      |      | 2.05 |     Token: 0xbe
      |      |      |   Payload: ["seq":"15b7",
      |      |      |            "cid":"c09bda155fd34e3c",
      |      |      |            "471 F", <Tag>]
      |      |      |
      |<-----+      |      Code: 2.05 (Content)
      | 2.05 |      |     Token: 0x83
      |      |      |   Payload: ["seq":"15b7",
      |      |      |            "cid":"c09bda155fd34e3c",
             |      |            "471 F", <Tag>]
   Client2   |      |
             |      |
      |      |      |
      |      |      |
      +----->|      |      Code: 0.01 (GET)
      | GET  |      |     Token: 0xa1
      |      |      | Proxy-Uri: example.com/temp
      |      |      |
      |<-----+      |      Code: 2.05 (Content)
      | 2.05 |      |     Token: 0xa1
      |      |      |   Payload: ["seq":"15b7",
      |      |      |            "cid":"c09bda155fd34e3c",
      |      |      |            "471 F", <Tag>]

     Figure 9: Proxy caching protected with Object Security of Content
                                  (OSCON)

D.2.2.  Publish-Subscribe

   This example outlines a publish-subscribe setting where the payload
   is encrypted, integrity and replay protected end-to-end between
   Publisher and Subscriber.  The example applies for example to closed



Selander, et al.         Expires April 21, 2016                [Page 38]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


   user groups of a single data source and illustrates a subscription
   registration and a later publication of birch pollen count of 300 per
   cubic meters.  The PubSub Broker can define the Observe count
   arbitrarily (as could any intermediary node, even in OSCOAP), but
   cannot manipulate the Sequence Number without being possible to
   detect.

   Sub-    PubSub- Pub-
   scriber Broker  lisher

      |      |      |
      +----->|      |      Code: 0.01 (GET)
      | GET  |      |     Token: 0x72
      |      |      |  Uri-Path: ps
      |      |      |  Uri-Path: birch-pollen
      |      |      |   Observe: 0 (register)
      |      |      |
      |      |      |
      |<-----+      |      Code: 2.05 (Content)
      | 2.05 |      |     Token: 0x72
      |      |      |   Observe: 1
      |      |      |   Payload: ["seq":"15b7",
      |      |      |            "cid":"c09bda155fd34e3c",
      |      |      |            {"270"}, <Tag>]
      |      |      |
      |      |      |
      |      |      |
      |      |<-----+      Code: 0.03 (PUT)
      |      | PUT  |     Token: 0x1f
      |      |      |  Uri-Path: ps
      |      |      |  Uri-Path: birch-pollen
      |      |      |   Payload: ["seq":"15b8",
      |      |      |            "cid":"c09bda155fd34e3c",
      |      |      |            {"300"}, <Tag>]
      |      |      |
      |      +----->|      Code: 2.04 (Changed)
      |      | 2.04 |     Token: 0x1f
      |      |      |
      |      |      |
      |<-----+      |      Code: 2.05 (Content)
      | 2.05 |      |     Token: 0x72
      |      |      |   Observe: 2
      |      |      |   Payload: ["seq":"15b8",
      |      |      |            "cid":"c09bda155fd34e3c",
      |      |      |            {"300"}, <Tag>]

   Figure 10: Publish-subscribe protected with OSCON.  The bracket { ...
                        } indicates encrypted data.



Selander, et al.         Expires April 21, 2016                [Page 39]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


   This example deviates from encryption by default (see Section 8) just
   to illustrate Integrity Protection only in the case of OSCON.  If
   there is no compelling reason why the payload should be in plaintext,
   then encryption MUST be used.

D.2.3.  Transporting Authorization Information

   This example outlines the transportation of authorization information
   from a node producing (Authorization Server, AS) to a node consuming
   (Resource Server, RS) such information.  Authorization information
   may for example be an authorization decision with respect to a Client
   (C) accessing a Resource to be enforced by RS, see e.g.
   [I-D.ietf-ace-actors] or [I-D.seitz-ace-core-authz].  Here, C is
   clearly not trusted with modifying the information, but may need to
   be involved in mediating the authorization information to the RS, for
   example, because AS and RS does not have direct connectivity.  So
   end-to-end security is required and object security ("access tokens")
   is the natural candidate.

   This example considers the authorization information to be
   encapsulated in a OSCON object, generated by AS.  How C accesses the
   OSCON object is out of scope for this example, it may e.g. be using
   CoAP.  C then requests RS to configure the authorization information
   in the OSCON object by doing POST to /authz-info.  This particular
   resource has a default access policy that only new messages signed by
   AS are authorized.  RS thus verifies the integrity and sequence
   number by using the existing security context for the AS, and
   responds accordingly, a) or b), see Figure 11.























Selander, et al.         Expires April 21, 2016                [Page 40]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


   Authz           Resource
   Server  Client  Server
      |      |      |
      |      |      |     Client accesses Access Token:
      +- - ->|      |     ["seq":"142",
      |      |      |     "cid":"c09bda1534e3c5fdc09bd",
      |      |      |            <AuthzInfo>, <Tag>]
      |      |      |
      |      +----->|      Code: 0.02 (POST)
      |      | POST |     Token: 0xac
      |      |      |  Uri-Path: authz-info
      |      |      |   Payload: ["seq":"142",
      |      |      |            "cid":"c09bda1534e3c5fdc09bd",
      |      |      |            <AuthzInfo>, <Tag>]

   a)
      |      |      |
      |      |<-----+      Code: 2.04 (Changed)
      |      | 2.04 |     Token: 0xac
      |      |      |

   b)
      |      |      |
      |      |<-----+      Code: 4.01 (Unauthorized)
      |      | 4.01 |     Token: 0xac
      |      |      |

         Figure 11: Protected Transfer of Access Token using OSCON

Authors' Addresses

   Goeran Selander
   Ericsson
   Farogatan 6
   Kista  16480
   Sweden

   Email: goran.selander@ericsson.com


   John Mattsson
   Ericsson
   Farogatan 6
   Kista  16480
   Sweden

   Email: john.mattsson@ericsson.com




Selander, et al.         Expires April 21, 2016                [Page 41]


Internet-Draft      Object Security of CoAP (OSCOAP)        October 2015


   Francesca Palombini
   Ericsson
   Farogatan 6
   Kista  16480
   Sweden

   Email: francesca.palombini@ericsson.com


   Ludwig Seitz
   SICS Swedish ICT
   Scheelevagen 17
   Lund  22370
   Sweden

   Email: ludwig@sics.se



































Selander, et al.         Expires April 21, 2016                [Page 42]