Internet-Draft | Authentication Credentials DTLS profile | October 2024 |
Tiloca & Preuß Mattsson | Expires 24 April 2025 | [Page] |
This document updates the Datagram Transport Layer Security (DTLS) Profile for Authentication and Authorization for Constrained Environments (ACE). In particular, it specifies the use of additional formats of authentication credentials for establishing a DTLS session, when peer authentication is based on asymmetric cryptography. Therefore, this document updates RFC 9202. What is defined in this document is seamlessly applicable also if the profile uses Transport Layer Security (TLS) instead, as defined in RFC 9430.¶
This note is to be removed before publishing as an RFC.¶
Discussion of this document takes place on the Authentication and Authorization for Constrained Environments Working Group mailing list ([email protected]), which is archived at https://mailarchive.ietf.org/arch/browse/ace/.¶
Source for this draft and an issue tracker can be found at https://gitlab.com/crimson84/draft-tiloca-ace-authcred-dtls-profile.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 24 April 2025.¶
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The Authentication and Authorization for Constrained Environments (ACE) framework [RFC9200] defines an architecture to enforce access control for constrained devices. A client (C) requests an evidence of granted permissions from an authorization server (AS) in the form of an access token, then uploads the access token to the target resource server (RS), and finally accesses protected resources at RS according to what is specified in the access token.¶
The framework has as main building blocks the OAuth 2.0 framework [RFC6749], the Constrained Application Protocol (CoAP) [RFC7252] for message transfer, CBOR [RFC8949] for compact encoding, and COSE [RFC9052][RFC9053] for self-contained protection of access tokens.¶
Separate profile documents define in detail how the participants in the ACE architecture communicate, especially as to the security protocols that they use. In particular, the ACE profile defined in [RFC9202] specifies how Datagram Transport Layer Security (DTLS) [RFC6347][RFC9147] is used to protect communications with transport-layer security in the ACE architecture. The profile has also been extended in [RFC9430], in order to allow the alternative use of Transport Layer Security (TLS) [RFC8446] when CoAP is transported over TCP or WebSockets [RFC8323].¶
The DTLS profile [RFC9202] allows C and RS to establish a DTLS session with peer authentication based on symmetric or asymmetric cryptography. For the latter case, the profile defines an RPK mode (see Section 3.2 of [RFC9202]), where authentication relies on the public keys of the two peers as raw public keys [RFC7250].¶
That is, C specifies its public key to the AS when requesting an access token, and the AS provides such public key to the target RS as included in the issued access token. Upon issuing the access token, the AS also provides C with the public key of RS. Then, C and RS use their asymmetric keys when performing the DTLS handshake, as defined in [RFC7250].¶
Per [RFC9202], the DTLS profile admits only a COSE Key object [RFC9052] as the format of authentication credentials to use for transporting the public keys of C and RS, as raw public keys. However, it is desirable to enable additional formats of authentication credentials, as enhanced raw public keys or as public certificates.¶
This document enables such additional formats in the DTLS profile, by defining how the public keys of C and RS can be specified by means of CBOR Web Token (CWT) Claims Sets (CCSs) [RFC8392], or X.509 certificates [RFC5280], or C509 certificates [I-D.ietf-cose-cbor-encoded-cert]. In particular, this document updates [RFC9202] as follows.¶
It extends the RPK mode defined in Section 3.2 of [RFC9202], by enabling the use of CCSs to wrap the raw public keys of C and RS (see Section 2).¶
[ TODO: Further extend the RPK mode, by admitting the identification of COSE Keys by reference, using the CWT Confirmation Method 'ckt' defined in https://datatracker.ietf.org/doc/html/draft-ietf-cose-key-thumbprint ]¶
It defines a new certificate mode, which enables the use of X.509 or C509 certificates to specify the public keys of C and RS (see Section 3). In either case, certificates can be transported by value or instead identified by reference.¶
When using the updated RPK mode, the raw public keys of C and RS do not have to be of the same format. That is, it is possible to have both public keys as a COSE Key object or as a CCS, or instead one as a COSE Key object while the other one as a CCS.¶
When using the certificate mode, the certificates of C and RS do not have to be of the same format. That is, it is possible to have both as X.509 certificates, or both as C509 certificates, or one as an X.509 certificate while the other one as a C509 certificate. Furthermore, it is possible to have both certificates transported by value, or both identified by reference, or one transported by value while the other one identified by reference.¶
Also, the RPK mode and the certificate mode can be combined. That is, it is possible that one of the two authentication credentials is a certificate, while the other one is a raw public key.¶
When using the formats introduced in this document, authentication credentials are transported by means of the CWT Confirmation Methods "kccs", "x5bag", "x5chain", "x5t", "x5u", "c5b", "c5c", "c5t", and "c5u" that are defined in [I-D.ietf-ace-edhoc-oscore-profile].¶
What is defined in this document is seamlessly applicable if TLS is used instead, as defined in [RFC9430].¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
Readers are expected to be familiar with the terms and concepts described in the ACE framework for Authentication and Authorization [RFC9200][RFC9201] and its DTLS profile [RFC9202], as well as with terms and concepts related to CBOR Web Tokens (CWTs) [RFC8392] and CWT Confirmation Methods [RFC8747].¶
The terminology for entities in the considered architecture is defined in OAuth 2.0 [RFC6749]. In particular, this includes client (C), resource server (RS), and authorization server (AS).¶
Readers are also expected to be familiar with the terms and concepts related to CoAP [RFC7252], CBOR [RFC8949], CDDL [RFC8610], COSE [RFC9052][RFC9053], the DTLS protocol suite [RFC6347][RFC9147], and the use of raw public keys in DTLS [RFC7250].¶
Note that the term "endpoint" is used here following its OAuth definition, aimed at denoting resources such as /token and /introspect at the AS, and /authz-info at RS. This document does not use the CoAP definition of "endpoint", which is "An entity participating in the CoAP protocol."¶
This document also refers to the term "authentication credential", which denotes the information associated with an entity, including that entity's public key and parameters associated with the public key. Examples of authentication credentials are CWT Claims Sets (CCSs) [RFC8392], X.509 certificates [RFC5280], and C509 certificates [I-D.ietf-cose-cbor-encoded-cert].¶
Examples throughout this document are expressed in CBOR diagnostic notation as defined in Section 8 of [RFC8949] and Appendix G of [RFC8610]. Diagnostic notation comments are often used to provide a textual representation of the parameters' keys and values.¶
In the CBOR diagnostic notation used in this document, constructs of the form e'SOME_NAME' are replaced by the value assigned to SOME_NAME in the CDDL model shown in Figure 13 of Appendix B. For example, {e'x5chain' : h'3081...cb02'} stands for {5 : h'3081...cb02'}.¶
Note to RFC Editor: Please delete the paragraph immediately preceding this note. Also, in the CBOR diagnostic notation used in this document, please replace the constructs of the form e'SOME_NAME' with the value assigned to SOME_NAME in the CDDL model shown in Figure 13 of Appendix B. Finally, please delete this note.¶
This section updates the RPK mode defined in Section 3.2 of [RFC9202], by defining how the raw public key of C and RS can be provided as wrapped by a CCS [RFC8392], instead of as a COSE Key object [RFC9052]. Note that only the differences from [RFC9202] are compiled below.¶
If the raw public key of C is wrapped by a CCS, then the following applies.¶
The payload of the Access Token Request (see Section 5.8.1 of [RFC9200]) is as defined in Section 3.2.1 of [RFC9202], with the difference that the "req_cnf" parameter [RFC9201] MUST specify a "kccs" structure, with value a CCS specifying the public key of C that has to be bound to the access token.¶
In particular, the CCS MUST include the "cnf" claim specifying the public key of C as a COSE Key object, SHOULD include the "sub" claim specifying the subject name of C associated with the public key of C, and MAY include additional claims.¶
The content of the access token that the AS provides to C in the Access Token Response (see Section 5.8.2 of [RFC9200]) is as defined in Section 3.2.1 of [RFC9202], with the difference that the "cnf" claim of the access token MUST specify a "kccs" structure, with value a CCS specifying the public key of C that is bound to the access token.¶
In particular, the CCS MUST include the "cnf" claim specifying the public key of C as a COSE Key object, SHOULD include the "sub" claim specifying the subject name of C associated with the public key of C, and MAY include additional claims.¶
If the raw public key of RS is wrapped by a CCS, then the following applies.¶
The payload of the Access Token Response is as defined in Section 3.2.1 of [RFC9202], with the difference that the "rs_cnf" parameter [RFC9201] MUST specify a "kccs" structure, with value a CCS specifying the public key of RS.¶
In particular, the CCS MUST include the "cnf" claim specifying the public key of RS as a COSE Key object, SHOULD include the "sub" claim specifying the subject name of RS associated with the public key of RS, and MAY include additional claims.¶
For the "req_cnf" parameter of the Access Token Request, the "rs_cnf" parameter of the Access Token Response, and the "cnf" claim of the access token, the Confirmation Method "kccs" structure and its identifier are defined in [I-D.ietf-ace-edhoc-oscore-profile].¶
It is not required that both public keys are wrapped by a CCS. That is, one of the two authentication credentials can be a CCS, while the other one can be a COSE Key object as per Section 3.2 of [RFC9202].¶
This section defines a new certificate mode of the DTLS profile, which enables the use of public certificates to specify the public keys of C and RS. Compared to the RPK mode defined in Section 3.2 of [RFC9202] and extended in Section 2 of this document, the certificate mode displays the differences compiled below.¶
The authentication credential of C and/or RS is a public certificate, i.e., an X.509 certificate [RFC5280] or a C509 certificate [I-D.ietf-cose-cbor-encoded-cert].¶
The CWT Confirmation Methods "x5chain", "x5bag", "c5c", and "c5b" defined in [I-D.ietf-ace-edhoc-oscore-profile] are used to transport such authentication credentials by value.¶
The CWT Confirmation Methods "x5t", "x5u", "c5t", and "c5u" defined in [I-D.ietf-ace-edhoc-oscore-profile] are used to identify such authentication credentials by reference.¶
If the authentication credential AUTH_CRED_C of C is a public certificate, then the following applies.¶
The "req_cnf" parameter [RFC9201] of the Access Token Request (see Section 5.8.1 of [RFC9200]) specifies AUTH_CRED_C as follows.¶
If AUTH_CRED_C is an X.509 certificate, the "req_cnf" parameter MUST specify:¶
An "x5chain" or "x5bag" structure, in case AUTH_CRED_C is transported by value within a certificate chain or a certificate bag, respectively; or¶
An "x5t" or "x5u" structure, in case AUTH_CRED_C is identified by reference through a hash value (a thumbprint) or a URI [RFC3986], respectively.¶
If AUTH_CRED_C is a C509 certificate, the "req_cnf" parameter MUST specify:¶
The "cnf" claim of the access token that the AS provides to C in the Access Token Response (see Section 5.8.2 of [RFC9200]) specifies AUTH_CRED_C as follows.¶
If AUTH_CRED_C is an X.509 certificate, the "cnf" claim MUST specify:¶
An "x5chain" or "x5bag" structure, in case AUTH_CRED_C is transported by value within a certificate chain or a certificate bag, respectively; or¶
An "x5t" or "x5u" structure, in case AUTH_CRED_C is identified by reference through a hash value (a thumbprint) or a URI [RFC3986], respectively.¶
If AUTH_CRED_C is a C509 certificate, the "cnf" claim MUST specify:¶
If the authentication credential AUTH_CRED_RS of RS is a public certificate, then the following applies.¶
The "rs_cnf" parameter [RFC9201] of the Access Token Response specifies AUTH_CRED_RS as follows.¶
If AUTH_CRED_RS is an X.509 certificate, the "rs_cnf" parameter MUST specify:¶
An "x5chain" or "x5bag" structure, in case AUTH_CRED_RS is transported by value within a certificate chain or a certificate bag, respectively; or¶
An "x5t" or "x5u" structure, in case AUTH_CRED_RS is identified by reference through a hash value (a thumbprint) or a URI [RFC3986], respectively.¶
If AUTH_CRED_RS is a C509 certificate, the "rs_cnf" parameter MUST specify:¶
For the "req_cnf" parameter of the Access Token Request, the "rs_cnf" parameter of the Access Token Response, and the "cnf" claim of the access token, the structures "x5bag", "x5chain", "x5t", "x5u", "c5b", "c5c", "c5t", and "c5u" are defined in [I-D.ietf-ace-edhoc-oscore-profile], together with their identifiers.¶
When using either of the structures, the specified authentication credential is just the end-entity certificate.¶
As per [RFC6347] and [RFC9147], a public certificate is specified in the Certificate message of the DTLS handshake. For X.509 certificates, the TLS Certificate Type is "X509", as defined in [RFC6091]. For C509 certificates, the TLS certificate type is "C509 Certificate", as defined in [I-D.ietf-cose-cbor-encoded-cert].¶
It is not required that AUTH_CRED_C and AUTH_CRED_RS are both X.509 certificates or both C509 certificates. Also, it is not required that AUTH_CRED_C and AUTH_CRED_RS are both transported by value or both identified by reference.¶
Finally, one of the two authentication credentials can be a public certificate, while the other one can be a raw public key. This is consistent with the admitted, combined use of raw public keys and certificates, as discussed in Section 5.3 of [RFC7250].¶
Figure 3 shows an example of Access Token Request from C to the AS. In the example, C specifies its authentication credential by means of an "x5chain" structure, transporting by value only its own X.509 certificate.¶
Figure 4 shows an example of Access Token Response from the AS to C. In the example, the AS specifies the authentication credential of RS by means of an "x5chain" structure, transporting by value only the X.509 certificate of RS.¶
The following shows a variation of the two previous examples, where the same X.509 certificates are instead identified by reference.¶
Figure 5 shows an example of Access Token Request from C to the AS. In the example, C specifies its authentication credential by means of an "x5t" structure, identifying by reference its own X.509 certificate.¶
Figure 6 shows an example of Access Token Response from the AS to C. In the example, the AS specifies the authentication credential of RS by means of an "x5t" structure, identifying by reference the X.509 certificate of RS.¶
The security considerations from [RFC9200] and [RFC9202] apply to this document as well.¶
When using public certificates as authentication credentials, the security considerations from Appendix C.2 of [RFC8446] apply.¶
When using X.509 certificates as authentication credentials, the security considerations from [RFC5280], [RFC6818], [RFC8398], and [RFC8399] apply.¶
When using C509 certificates as authentication credentials, the security considerations from [I-D.ietf-cose-cbor-encoded-cert] apply.¶
This document has no actions for IANA.¶
This section provides additional examples where, within the same ACE execution workflow, C and RS use different formats of raw public keys (see Appendix A.1), or different formats of certificates (see Appendix A.2), or a combination of the RPK mode and certificate mode (see Appendix A.3).¶
Figure 7 shows an example of Access Token Request from C to the AS, where the public key of C is conveyed as a COSE Key.¶
Figure 8 shows an example of Access Token Response from the AS to C, where the public key of RS is wrapped by a CCS.¶
Figure 9 shows an example of Access Token Request from C to the AS. In the example, C specifies its authentication credential by means of an "x5chain" structure, transporting by value only its own X.509 certificate.¶
Figure 4 shows an example of Access Token Response from the AS to C. In the example, the AS specifies the authentication credential of RS by means of a "c5c" structure, transporting by value only the C509 certificate of RS.¶
Figure 11 shows an example of Access Token Request from C to the AS, where the public key of C is wrapped by a CCS.¶
Figure 12 shows an example of Access Token Response from the AS to C. In the example, the AS specifies the authentication credential of RS by means of an "x5chain" structure, transporting by value only the X.509 certificate of RS.¶
This section is to be removed before publishing as an RFC.¶
The authors sincerely thank Rikard Höglund and Göran Selander for their comments and feedback.¶
This work was supported by the Sweden's Innovation Agency VINNOVA within the EUREKA CELTIC-NEXT project CYPRESS; and by the H2020 project SIFIS-Home (Grant agreement 952652).¶