[Search] [txt|pdfized|bibtex] [Tracker] [Email] [Diff1] [Diff2] [Nits]
Versions: 00 01                                                         
  CORE Working Group                                           P. Urien
  Internet Draft                                          Telecom Paris
  Intended status: Experimental

                                                        February 4 2022
  Expires: August 2022

                  TLS for Secure Element Input Output (TLS-SE-IO)
                      draft-urien-core-tls-se-io-01.txt


Abstract

   The goal of TLS-SE-IO is to provide virtual IO pins for secure
   elements running TLS servers, in order to interact with sensors and
   actuators. TLS-SE device processes TLS packets in secure element. It
   may work like a black box (server mode) that exchanges fully
   encrypted packets. It may also export encrypted packet in clear
   form, in order to provide virtual output pin. Output messages may
   include cookies and/or cryptographic materials. Virtual input pin
   forwards input messages, triggered by previous output messages, and
   sent to TLS-SE device for further processing.


Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 2022.







   Urien                      Expire August 2022              [Page 1]


Copyright Notice

   Copyright (c) 2022 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document. Code Components extracted from this
   document must include Simplified BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Simplified BSD License.







































   Urien                      Expires August 2022             [page 2]


                                 TLS-SE-IO                February 2022

Table of Contents
   Abstract........................................................... 1
   Requirements Language.............................................. 1
   Status of this Memo................................................ 1
   Copyright Notice................................................... 2
   1 Overview......................................................... 4
   2 TLS-SE-IO........................................................ 4
   3 TLS-SE-IO Protocol............................................... 5
      3.1 Output messages............................................. 5
      3.2 Input message............................................... 6
   4 Example.......................................................... 6
   5 Security Considerations.......................................... 8
   6 IANA Considerations.............................................. 8
   7 References....................................................... 8
      7.1 Normative References........................................ 8
      7.2 Informative References...................................... 9
   8 Authors' Addresses............................................... 9



































   Urien                       Expires August 2022            [Page 3]


                                 TLS-SE-IO                February 2022

1 Overview

   Input output (IO) interfaces are used in the internet of things
   context (IoT) to manage sensors and actuators.

   Output pin has two binary states, one or zero, and can generate a
   bit stream, i.e. messages comprising a set of bytes.

   Input pin detects two binary states, one or zero, which can realize
   a bit stream, i.e. messages comprising a set of bytes.

   Usually input messages are triggered by previous output messages.

   Secure elements, mainly specified by [ISO7816] standards have
   multiple form factors, such as SIM card, or surface mounted device
   (SMD). They provide tamper resistant computing resources. According
   to Common Criteria (CC) standards, their Evaluation Assurance Level
   ranges between EAL4 to EAL6+, EAL7 being the highest level.

   Nevertheless secure elements have no IO pins, and are not able to
   physically communicate with sensors and actuators. However they may
   be connected to processors, with physical IO capacities (i.e.
   equipped with IO pins)

   This document describes the processing of output and input messages
   by secure elements that execute TLS server. Output messages are
   exported from the secure element in clear form; they provide an
   output byte stream. Input messages are triggered by output messages;
   a byte stream is forwarded to secure element for further processing.

2 TLS-SE-IO

   The draft [TLS-SE] defines [TLS 1.3] support for secure elements.
   Two procedures RECV and SEND realize a logical bridge between TLS
   packets and [ISO7816] messages.

           +-----------+ recv +------------+ RECV +-----------+
           |     IP    + ---> |   TCP/IP   | ---> |  TLS 1.3  |
           |  Network  +------+ Constraint +------+  Secure   |
           |           | <--- |    Node    | <--- |  Element  |
           +-----------+ send +------------+ SEND +-----------+
                          |                   |
                   Network Interface    ISO7816 interface

   A processor physically connected to secure element (the secure
   element processor, SEP) can read TLS packets transparently
   transported by ISO7816 requests and responses. It also knows if the
   secure channel is opened, thanks to a dedicated ISO7816 status word
   (sw-open = 0x9001)



   Urien                       Expires August 2022            [Page 4]


                                 TLS-SE-IO                February 2022


                 +------------+ TLS-Packet +-----------+
                 |            | ---------> |  TLS 1.3  |
                 | Processor  +------------+  Secure   |
                 |   (SEP)    | <--------_ |  Element  |
                 +------------+ TLS-Packet +-----------+
                  SE Processor             Secure Element

   TLS-SE provides two classes of service:

   - TLS-SE as server, this is the technological basis for [IOSE]
   framework. The secure element is a black box providing secure
   storage and tamper resistant computing resources.

   - TLS-SE as stack. The secure element fully processes TLS session
   opening, i.e. TLS flights. It provides TLS packets encryption (TLS-
   Encrypt) and decryption (TLS-Decrypt) procedures.

           +------------+                     +------------+
           |            +-<----- Output ----<-+-+          |
           |            |                     | |Decryption|
           |            +-- Rx-TLS-Packets ->-+-+          |
           |    SEP     |                     |   TLS-SE   |
           |            +-<- Tx-TLS-Packets <-+-+          |
           |            |                     | |Encryption|
           |            +->------Input ----->-+-+          |
           +------------+                     +------------+

   The main idea of TLS-SE-IO is to provide virtual Input/Output (IO)
   resources (i.e. virtual IO pins) to TLS-SE secure element.

   - Output requests MUST be received in encrypted TLS record messages.
   Clear messages are returned by secure element.

   - Input messages are triggered by output requests. They MUST be
   encrypted by the secure element thanks to the SEND procedure
   described in [TLS-SE]

3 TLS-SE-IO Protocol

   The SEP entity can read incoming and outgoing TLS packets.

   A TLS record packet has a five bytes header in clear form, which
   comprises 3 fields, type (one byte), version (2 bytes), and length
   (2 bytes)

3.1 Output messages

   An output message is received in encrypted TLS record packet. It is
   decrypted within TLS-SE secure element. It MUST contain an attribute
   ('output-mark') that triggers the output message exportation.

   Urien                       Expires August 2022            [Page 5]


                                 TLS-SE-IO                February 2022


   The TLS-SE secure element produces a TLS packet with the first three
   bytes (type and version) set to zero, and a length. The payload
   comprises the data and the TLS type in clear form.

         Type=0x00  Version=0x0000  Length  output-message  TLS-Type

   An output message MAY be encrypted. It MAY also contains cookie to
   be used in input messages.

   Output messages are processed by SEP device. They contain any kind
   of information, such as object or data serialization, script, or AT
   commands for cellular serial modems.


3.2 Input message

   Input message is triggered by a previous output message. It MAY be
   encrypted. It MAY also contains cookie found in a previous output
   message.

   Input message is sent to the secure element thanks to the procedure
   RECV(F-Encrypt,input-message), as specified in[TLS-SE]. It MAY
   trigger a TLS record packet, according to the RECV procedure.

4 Example

   PSK=
   0102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20
   DHE=
   45A4CB06906CD3426E9F8E02FD0EAA39E016729A8F00D08E34B907418723007E

   TLS Reset
   Tx: 00D8000000
   Rx: 9000

   RECV(F-First,ClientHello)
   Tx: 00D80001F0 1603030103010000FF0303
       749F4A35B3E76B4554517F221F8BD54C
       C7DD96E9B70A0DBF4652821AD8AF095C
       0000021304010000D4002D0003020001
       002B0003020304000D001E001C060305
       03040302030806080B0805080A080408
       09060105010401020100330047004500
       170041047ED91D5E7DC92EBF5D26444B
       A267299D8D5A89481C121E7691A7D782
       77668F366DEC65B6B35D707777F523C0
       05B48CC7165EC151E8D9A28F22B8603B
       14C11975000A00060004001800170000
       000D000B0000086B6579312E636F6D00
       29003A0015000F436C69656E745F6964

   Urien                       Expires August 2022            [Page 6]


                                 TLS-SE-IO                February 2022

       656E7469747900000000002120F3793B
       B581E86684
       9000

   RECV(F-Last,ClientHello))
   Tx: 00D8000218 6F72919312AEF766B56275
       B26573A433A8BD1806A492620F
   Rx: 6186

   SEND(ServerHello)
   Tx: 00C0000086
   Rx: 1603030081 0200007D03030BBDF53C07
       596AACAF7724DB911E11C92F418ED96C
       008451A49E7AE08230B3D10013040000
       55002900020000003300450017004104
       07A637DCCBF63DE1A6EFB59ADDB796FE
       BC9106A96379081BC3547FB42C7982B7
       A8FA04A0F7E3F1784A1A0086CBCC03BE
       F8FDE7526EED3DB4F85DAF5BD26443E2
       002B00020304
       9F1C

   SEND(ServerEncryptedExtension)
   Tx: 00C000001C
   Rx: 1703030017CD418DE7D2E6E8F393A5AC
       B0E4E2C06BFA0B0631C59A26
       9F3A

   SEND(ServerFinished)
   Tx: 00C000003A
   Rx: 17030300350F106E7DB08E7CCB69644D
       7E0F9CB39FB2B5A0AC0D36FA462A9E40
       0517A548E7F9E07191ECC1F869671E3B
       1F1B39D9A38E09EE6DE8
       9000

   RECV(F-First||F-Last, ClientFinished)
   Tx: 00D800033A 1703030035C407E727ACBC
       7CE96EB6A81391FF8F8546976430B8F8
       65A1C8A41F279B7B4A72934A0225021B
       A4001793EBFFC2167FAE250A5B69A8
   Rx: 9001

   TLS Secure Channel is open

   Encrypted opaque message

   RECV(F-First||F-Last, TLS-Record-Message)
   Tx: 00D800031F170303001AE4EBF10433EB
       78B4454D7ACE9EBBCB74455F232EC1A6
       A6D046B5

   Urien                       Expires August 2022            [Page 7]


                                 TLS-SE-IO                February 2022

   Rx: 611C


   Encrypted opaque response
   SEND(TLS-Record-Message)
   Tx: 00C000001C
   Rx: 1703030017215C9D0932B76BBCD439C4
       5D5FEDC4C4A4253A3EC736E7
       9000

   Encrypted output message
   RECV(F-First||F-Last, TLS-Record-Message)
   Tx: 00D800031D 1703030018AEBBB88F858C
       C8325E85C75FF1C95FEFA2F5D3BBD1D3
       C86B
   Rx: 610D

   Output message in clear form (value=#tempCrLf, Type=0x17)
   Character '#' is the output mark
   Tx: 00C000000D
   Rx: 0000000008 2374656D700D0A 17
       9000

   An input message is triggered by the output message
   Input message in clear form
   RECV(F-Encrypt||F-First||F-Last, InputMessage=18.81CrLf, Type=0x17)
   Tx: 00D8020308 31382E38310D0A 17
   Encrypted TLS record packet
   Rx: 611D
   Tx: 00C000001D
   Rx: 1703030018C14E29429EA6F071D13FB8
       8653C7ABE7315423E9D1A2B58B
       9000

5 Security Considerations

   This entire document is about security.

6 IANA Considerations

   This draft does not require any action from IANA.

7 References

7.1 Normative References

   [TLS 1.3] Rescorla, E., "The Transport Layer Security (TLS) Protocol
   Version 1.3", RFC 8446, August 2018.




   Urien                       Expires August 2022            [Page 8]


                                 TLS-SE-IO                February 2022

   [ISO7816] ISO 7816, "Cards Identification - Integrated Circuit Cards
   with Contacts", The International Organization for Standardization
   (ISO).

7.2 Informative References

   [TLS-SE] IETF Draft, "Secure Element for TLS Version 1.3", draft-
   urien-tls-se-03.txt, 2021

   [IOSE] IETF Draft, "Internet of Secure Elements", draft-urien-
   coinrg-iose-04.txt, 2021

8 Authors' Addresses

   Pascal Urien
   Telecom Paris
   19 place Marguerite Perey
   91120 Palaiseau           Phone: NA
   France                    Email: Pascal.Urien@telecom-paris.fr

































   Urien                       Expires August 2022            [Page 9]