| Internet-Draft | Authentication Credentials DTLS profile | July 2023 | 
| Tiloca & Mattsson | Expires 11 January 2024 | [Page] | 
This document updates the Datagram Transport Layer Security (DTLS) Profile for Authentication and Authorization for Constrained Environments (ACE). In particular, it specifies the use of additional formats of authentication credentials for establishing a DTLS session, when peer authentication is based on asymmetric cryptography. Therefore, this document updates RFC 9202. What is defined in this document is seamlessly applicable also if the profile uses Transport Layer Security (TLS) instead.¶
This note is to be removed before publishing as an RFC.¶
Discussion of this document takes place on the Authentication and Authorization for Constrained Environments Working Group mailing list (ace@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/ace/.¶
Source for this draft and an issue tracker can be found at https://gitlab.com/crimson84/draft-tiloca-ace-authcred-dtls-profile.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 11 January 2024.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The Authentication and Authorization for Constrained Environments (ACE) framework [RFC9200] defines an architecture to enforce access control for constrained devices. A Client (C) requests an evidence of granted permissions from an Authorization Server (AS) in the form of an access token, then uploads the access token to the target Resource Server (RS), and finally accesses protected resources at the RS according to what is specified in the access token.¶
The framework has as main building blocks the OAuth 2.0 framework [RFC6749], the Constrained Application Protocol (CoAP) [RFC7252] for message transfer, CBOR [RFC8949] for compact encoding, and COSE [RFC9052][RFC9053] for self-contained protection of access tokens.¶
Separate profile documents define in detail how the participants in the ACE architecture communicate, especially as to the security protocols that they use. In particular, the ACE profile defined in [RFC9202] specifies how Datagram Transport Layer Security (DTLS) [RFC6347][RFC9147] is used to protect communications with transport-layer security in the ACE architecture. The profile has also been extended in [I-D.ietf-ace-extend-dtls-authorize], in order to allow the alternative use of Transport Layer Security (TLS) [RFC8446] when CoAP is transported over TCP or WebSockets [RFC8323].¶
The DTLS profile [RFC9202] allows C and RS to establish a DTLS session with peer authentication based on symmetric or asymmetric cryptography. For the latter case, the profile defines an RPK mode (see Section 3.2 of [RFC9202]), where authentication relies on the public keys of the two peers as raw public keys [RFC7250].¶
That is, C specifies its public key to the AS when requesting an access token, and the AS provides such public key to the target RS as included in the issued access token. Upon issuing the access token, the AS also provides C with the public key of the RS. Then, C and RS use their asymmetric keys when performing the DTLS handshake, as defined in [RFC7250].¶
Per [RFC9202], the DTLS profile admits only a COSE Key object [RFC9052] as the format of authentication credentials to use for transporting the public keys of C and RS, as raw public keys. However, it is desirable to enable additional types of authentication credentials, as enhanced raw public keys or as public certificates.¶
This document enables such additional formats, by defining how the public keys of C and RS can be specified as CBOR Web Token (CWT) Claims Sets (CCSs) [RFC8392], or X.509 certificates [RFC5280], or C509 certificates [I-D.ietf-cose-cbor-encoded-cert]. In particular, this document updates [RFC9202] as follows.¶
When using the updated RPK mode, both public keys can be transported as a CCS, or instead only one can be transported as a CCS while the other one as a COSE Key object.¶
Also, the RPK mode and the certificate mode can be combined. That is, it is possible that one of the two authentication credentials is a public certificate, while the other one is a raw public key.¶
These updates to the DTLS profile rely on the CWT Confirmation Methods "kccs", "x5bag", "x5chain", "c5b", and "c5c", which are defined in [I-D.ietf-ace-edhoc-oscore-profile].¶
What is defined in this document is seamlessly applicable if TLS is used instead, as defined in [I-D.ietf-ace-extend-dtls-authorize].¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
Readers are expected to be familiar with the terms and concepts described in the ACE framework for Authentication and Authorization [RFC9200][RFC9201] and its DTLS profile [RFC9202], as well as with terms and concepts related to CBOR Web Tokens (CWTs) [RFC8392] and CWT Confirmation Methods [RFC8747].¶
The terminology for entities in the considered architecture is defined in OAuth 2.0 [RFC6749]. In particular, this includes Client (C), Resource Server (RS), and Authorization Server (AS).¶
Readers are also expected to be familiar with the terms and concepts related to the CoAP protocol [RFC7252], CBOR [RFC8949], COSE [RFC9052][RFC9053], the DTLS protocol suite [RFC6347][RFC9147], and the use of raw public keys in DTLS [RFC7250].¶
Note that, unless otherwise indicated, the term "endpoint" is used here following its OAuth definition, aimed at denoting resources such as /token and /introspect at the AS, and /authz-info at the RS. This document does not use the CoAP definition of "endpoint", which is "An entity participating in the CoAP protocol."¶
This document also refers to the term "authentication credential", which denotes the information associated with an entity, including that entity's public key and parameters associated with the public key. Examples of authentication credentials are CWT Claims Sets (CCSs) [RFC8392], X.509 certificates [RFC5280], and C509 certificates [I-D.ietf-cose-cbor-encoded-cert].¶
Examples throughout this document are expressed in CBOR diagnostic notation without the tag and value abbreviations.¶
The rest of this section updates Section 3.2 of [RFC9202], by defining how the raw public key of C and RS can be transported as a CCS [RFC8392], as an alternative to a COSE Key object [RFC9052]. Note that only the differences from [RFC9202] are compiled below.¶
If the raw public key of C is transported as a CCS, the following applies.¶
If the raw public key of RS is transported as a CCS, the following applies.¶
For the "req_cnf" parameter of the Access Token Request, the "rs_cnf" parameter of the Access Token Response, and the "cnf" claim of the access token, the Confirmation Method "kccs" structure and its identifier are defined in [I-D.ietf-ace-edhoc-oscore-profile].¶
It is not required that both public keys are transported as a CCS. That is, one of the two authentication credentials can be a CCS, while the other one can be a COSE Key object as per Section 3.2 of [RFC9202].¶
Figure 1 shows an example of Access Token Request from C to the AS.¶
   POST coaps://as.example.com/token
   Content-Format: application/ace+cbor
   Payload:
   {
     "grant_type" : 2,
     "audience" : "tempSensor4711",
     "req_cnf" : {
       "kccs" : {
         "sub" : "42-50-31-FF-EF-37-32-39",
         "cnf" : {
           "COSE_Key" : {
             "kty" : 2,
             "crv" : 1,
             "x" : h'd7cc072de2205bdc1537a543d53c60a6
                     acb62eccd890c7fa27c9e354089bbe13',
             "y" : h'f95e1d4b851a2cc80fff87d8e23f22af
                     b725d535e515d020731e79a3b4e47120'
           }
         }
       }
     }
   }
Figure 2 shows an example of Access Token Response from the AS to C.¶
   2.01 Created
   Content-Format: application/ace+cbor
   Max-Age: 3560
   Payload:
   {
     "access_token" : b64'SlAV32hk'/...
      (remainder of CWT omitted for brevity;
      CWT contains the client's RPK in the cnf claim)/,
     "expires_in" : 3600,
     "rs_cnf" : {
       "kccs" : {
         "sub" : "AA-BB-CC-00-01-02-03-04",
         "cnf" : {
           "COSE_Key" : {
             "kty" : 2,
             "crv" : 1,
             "x" : h'bbc34960526ea4d32e940cad2a234148
                     ddc21791a12afbcbac93622046dd44f0',
             "y" : h'4519e257236b2a0ce2023f0931f1f386
                     ca7afda64fcde0108c224c51eabf6072'
           }
         }
       }
     }
   }
This section defines a new certificate mode of the DTLS profile, which enables the transport of public keys of C and RS as public certificates.¶
Compared to the RPK mode defined in Section 3.2 of [RFC9202] and extended in Section 2 of this document, the certificate mode displays the following differences.¶
If the authentication credential AUTH_CRED_C of C is a public certificate, the following applies.¶
The "req_cnf" parameter [RFC9201] of the Access Token Request (see Section 5.8.1 of [RFC9200] specifies AUTH_CRED_C as follows.¶
The "cnf" claim of the access token that the AS provides to C in the Access Token Response (see Section 5.8.2 of [RFC9200]) specifies AUTH_CRED_C as follows.¶
If the authentication credential AUTH_CRED_RS of RS is a public certificate, the following applies.¶
The "rs_cnf" parameter [RFC9201] of the Access Token Response specifies AUTH_CRED_RS as follows.¶
For the "req_cnf" parameter of the Access Token Request, the "rs_cnf" parameter of the Access Token Response, and the "cnf" claim of the access token, the Confirmation Method "c5c" and "c5b" structures and their identifiers are defined in [I-D.ietf-ace-edhoc-oscore-profile].¶
When using either of the structures "x5chain", "x5bag", "c5c" and "c5b", i.e., either a chain or a bag of certificates, the specified authentication credential is just the end entity X.509 or C509 certificate.¶
As per [RFC6347][RFC9147], a public certificate is specified in the Certificate message of the DTLS handshake. For X.509 certificates, the TLS Certificate Type is "X509", as defined in [RFC6091]. For C509 certificates, the TLS certificate type is "C509 Certificate", as defined in [I-D.ietf-cose-cbor-encoded-cert].¶
It is not required that AUTH_CRED_C and AUTH_CRED_RS are both X.509 certificates or both C509 certificates.¶
Also, one of the two authentication credentials can be a public certificate, while the other one can be a raw public key. This is consistent with the admitted, combined use of raw public keys and certificates, as discussed in Section 5.3 of [RFC7250].¶
Figure 3 shows an example of Access Token Request from C to the AS. In the example, C specifies its authentication credential by means of an "x5chain" structure, including only its own X.509 certificate.¶
   POST coaps://as.example.com/token
   Content-Format: application/ace+cbor
   Payload:
   {
     "grant_type" : 2,
     "audience" : "tempSensor4711",
     "req_cnf" : {
       "x5chain" : h'3081ee3081a1a003020102020462319ec430
                     0506032b6570301d311b301906035504030c
                     124544484f4320526f6f7420456432353531
                     39301e170d3232303331363038323433365a
                     170d3239313233313233303030305a302231
                     20301e06035504030c174544484f43205265
                     73706f6e6465722045643235353139302a30
                     0506032b6570032100a1db47b95184854ad1
                     2a0c1a354e418aace33aa0f2c662c00b3ac5
                     5de92f9359300506032b6570034100b723bc
                     01eab0928e8b2b6c98de19cc3823d46e7d69
                     87b032478fecfaf14537a1af14cc8be829c6
                     b73044101837eb4abc949565d86dce51cfae
                     52ab82c152cb02'
     }
   }
Figure 4 shows an example of Access Token Response from the AS to C. In the example, the AS specifies the authentication credential of RS by means of an "x5chain" structure, including only the X.509 certificate of the RS.¶
   2.01 Created
   Content-Format: application/ace+cbor
   Max-Age: 3560
   Payload:
   {
     "access_token" : b64'SlAV32hk'/...
      (remainder of CWT omitted for brevity;
      CWT contains the client's X.509 certificate in the cnf claim)/,
     "expires_in" : 3600,
     "rs_cnf" : {
       "x5chain" : h'3081ee3081a1a003020102020462319ea030
                     0506032b6570301d311b301906035504030c
                     124544484f4320526f6f7420456432353531
                     39301e170d3232303331363038323430305a
                     170d3239313233313233303030305a302231
                     20301e06035504030c174544484f4320496e
                     69746961746f722045643235353139302a30
                     0506032b6570032100ed06a8ae61a829ba5f
                     a54525c9d07f48dd44a302f43e0f23d8cc20
                     b73085141e300506032b6570034100521241
                     d8b3a770996bcfc9b9ead4e7e0a1c0db353a
                     3bdf2910b39275ae48b756015981850d27db
                     6734e37f67212267dd05eeff27b9e7a813fa
                     574b72a00b430b'
     }
   }
The security considerations from [RFC9200] and [RFC9202] apply to this document as well.¶
When using public certificates as authentication credentials, the security considerations from Appendix C.2 of [RFC8446] apply.¶
When using X.509 certificates as authentication credentials, the security considerations from [RFC5280], [RFC6818], [RFC8398], and [RFC8399] apply.¶
When using C509 certificates as authentication credentials, the security considerations from [I-D.ietf-cose-cbor-encoded-cert] apply.¶
This document has no actions for IANA.¶
The authors sincerely thank Rikard Höglund and Göran Selander for their comments and feedback. The work on this document has been partly supported by the H2020 project SIFIS-Home (Grant agreement 952652).¶