| rfc9529v3.txt | rfc9529.txt | |||
|---|---|---|---|---|
| Internet Engineering Task Force (IETF) G. Selander | Internet Engineering Task Force (IETF) G. Selander | |||
| Request for Comments: 9529 J. Preuß Mattsson | Request for Comments: 9529 J. Preuß Mattsson | |||
| Category: Informational Ericsson | Category: Informational Ericsson | |||
| ISSN: 2070-1721 M. Serafin | ISSN: 2070-1721 M. Serafin | |||
| ASSA ABLOY | ASSA ABLOY | |||
| M. Tiloca | M. Tiloca | |||
| RISE | RISE AB | |||
| M. Vučinić | M. Vučinić | |||
| Inria | Inria | |||
| March 2024 | March 2024 | |||
| Traces of Ephemeral Diffie-Hellman Over COSE (EDHOC) | Traces of Ephemeral Diffie-Hellman Over COSE (EDHOC) | |||
| Abstract | Abstract | |||
| This document contains example traces of Ephemeral Diffie-Hellman | This document contains example traces of Ephemeral Diffie-Hellman | |||
| Over COSE (EDHOC). | Over COSE (EDHOC). | |||
| skipping to change at line 209 ¶ | skipping to change at line 209 ¶ | |||
| Initiator's ephemeral public key | Initiator's ephemeral public key | |||
| G_X (CBOR Data Item) (34 bytes) | G_X (CBOR Data Item) (34 bytes) | |||
| 58 20 31 f8 2c 7b 5b 9c bb f0 f1 94 d9 13 cc 12 ef 15 32 d3 28 ef 32 | 58 20 31 f8 2c 7b 5b 9c bb f0 f1 94 d9 13 cc 12 ef 15 32 d3 28 ef 32 | |||
| 63 2a 48 81 a1 c0 70 1e 23 7f 04 | 63 2a 48 81 a1 c0 70 1e 23 7f 04 | |||
| The Initiator selects its connection identifier C_I to be the byte | The Initiator selects its connection identifier C_I to be the byte | |||
| string 0x2d, which is encoded as 0x2d since it is represented by the | string 0x2d, which is encoded as 0x2d since it is represented by the | |||
| 1-byte CBOR int -14: | 1-byte CBOR int -14: | |||
| Connection identifier chosen by Initiator | Connection identifier chosen by the Initiator | |||
| C_I (Raw Value) (1 byte) | C_I (Raw Value) (1 byte) | |||
| 2d | 2d | |||
| Connection identifier chosen by Initiator | Connection identifier chosen by the Initiator | |||
| C_I (CBOR Data Item) (1 byte) | C_I (CBOR Data Item) (1 byte) | |||
| 2d | 2d | |||
| No external authorization data: | No external authorization data: | |||
| EAD_1 (CBOR Sequence) (0 bytes) | EAD_1 (CBOR Sequence) (0 bytes) | |||
| The Initiator constructs message_1: | The Initiator constructs message_1: | |||
| message_1 = | message_1 = | |||
| skipping to change at line 261 ¶ | skipping to change at line 261 ¶ | |||
| dc 88 d2 d5 1d a5 ed 67 fc 46 16 35 6b c8 ca 74 ef 9e be 8b 38 7e 62 | dc 88 d2 d5 1d a5 ed 67 fc 46 16 35 6b c8 ca 74 ef 9e be 8b 38 7e 62 | |||
| 3a 36 0b a4 80 b9 b2 9d 1c | 3a 36 0b a4 80 b9 b2 9d 1c | |||
| Responder's ephemeral public key | Responder's ephemeral public key | |||
| G_Y (CBOR Data Item) (34 bytes) | G_Y (CBOR Data Item) (34 bytes) | |||
| 58 20 dc 88 d2 d5 1d a5 ed 67 fc 46 16 35 6b c8 ca 74 ef 9e be 8b 38 | 58 20 dc 88 d2 d5 1d a5 ed 67 fc 46 16 35 6b c8 ca 74 ef 9e be 8b 38 | |||
| 7e 62 3a 36 0b a4 80 b9 b2 9d 1c | 7e 62 3a 36 0b a4 80 b9 b2 9d 1c | |||
| The Responder selects its connection identifier C_R to be the byte | The Responder selects its connection identifier C_R to be the byte | |||
| string 0x18, which is encoded as h'18' = 0x4118 since it is not | string 0x18, which is encoded as h'18' = 0x4118 since it is not | |||
| represented as a 1-byte CBOR int: | represented by a 1-byte CBOR int: | |||
| Connection identifier chosen by Responder | Connection identifier chosen by the Responder | |||
| C_R (Raw Value) (1 byte) | C_R (Raw Value) (1 byte) | |||
| 18 | 18 | |||
| Connection identifier chosen by Responder | Connection identifier chosen by the Responder | |||
| C_R (CBOR Data Item) (2 bytes) | C_R (CBOR Data Item) (2 bytes) | |||
| 41 18 | 41 18 | |||
| The transcript hash TH_2 is calculated using the EDHOC hash | The transcript hash TH_2 is calculated using the EDHOC hash | |||
| algorithm: | algorithm: | |||
| TH_2 = H( G_Y, H(message_1) ) | TH_2 = H( G_Y, H(message_1) ) | |||
| H(message_1) (Raw Value) (32 bytes) | H(message_1) (Raw Value) (32 bytes) | |||
| c1 65 d6 a9 9d 1b ca fa ac 8d bf 2b 35 2a 6f 7d 71 a3 0b 43 9c 9d 64 | c1 65 d6 a9 9d 1b ca fa ac 8d bf 2b 35 2a 6f 7d 71 a3 0b 43 9c 9d 64 | |||
| skipping to change at line 1061 ¶ | skipping to change at line 1061 ¶ | |||
| A_4 (CBOR Data Item) (45 bytes) | A_4 (CBOR Data Item) (45 bytes) | |||
| 83 68 45 6e 63 72 79 70 74 30 40 58 20 0e b8 68 f2 63 cf 35 55 dc cd | 83 68 45 6e 63 72 79 70 74 30 40 58 20 0e b8 68 f2 63 cf 35 55 dc cd | |||
| 39 6d d8 de c2 9d 37 50 d5 99 be 42 d5 a4 1a 5a 37 c8 96 f2 94 ac | 39 6d d8 de c2 9d 37 50 d5 99 be 42 d5 a4 1a 5a 37 c8 96 f2 94 ac | |||
| The Responder constructs the input needed to derive the EDHOC | The Responder constructs the input needed to derive the EDHOC | |||
| message_4 key (see Section 4.1.2 of [RFC9528]) using the EDHOC hash | message_4 key (see Section 4.1.2 of [RFC9528]) using the EDHOC hash | |||
| algorithm: | algorithm: | |||
| K_4 = EDHOC_KDF( PRK_4e3m, 8, TH_4, key_length ) | K_4 = EDHOC_KDF( PRK_4e3m, 8, TH_4, key_length ) | |||
| = HKDF-Expand( PRK_4x3m, info, key_length ) | = HKDF-Expand( PRK_4e3m, info, key_length ) | |||
| where key_length is the key length in bytes for the EDHOC AEAD | where key_length is the key length in bytes for the EDHOC AEAD | |||
| algorithm, and info for K_4 is: | algorithm, and info for K_4 is: | |||
| info = | info = | |||
| ( | ( | |||
| 8, | 8, | |||
| h'0eb868f263cf3555dccd396dd8dec29d3750d599be42d5a4 | h'0eb868f263cf3555dccd396dd8dec29d3750d599be42d5a4 | |||
| 1a5a37c896f294ac', | 1a5a37c896f294ac', | |||
| 16 | 16 | |||
| skipping to change at line 1089 ¶ | skipping to change at line 1089 ¶ | |||
| be 42 d5 a4 1a 5a 37 c8 96 f2 94 ac 10 | be 42 d5 a4 1a 5a 37 c8 96 f2 94 ac 10 | |||
| K_4 (Raw Value) (16 bytes) | K_4 (Raw Value) (16 bytes) | |||
| df 8c b5 86 1e 1f df ed d3 b2 30 15 a3 9d 1e 2e | df 8c b5 86 1e 1f df ed d3 b2 30 15 a3 9d 1e 2e | |||
| The Responder constructs the input needed to derive the EDHOC | The Responder constructs the input needed to derive the EDHOC | |||
| message_4 nonce (see Section 4.1.2 of [RFC9528]) using the EDHOC hash | message_4 nonce (see Section 4.1.2 of [RFC9528]) using the EDHOC hash | |||
| algorithm: | algorithm: | |||
| IV_4 = EDHOC_KDF( PRK_4e3m, 9, TH_4, iv_length ) | IV_4 = EDHOC_KDF( PRK_4e3m, 9, TH_4, iv_length ) | |||
| = HKDF-Expand( PRK_4x3m, info, iv_length ) | = HKDF-Expand( PRK_4e3m, info, iv_length ) | |||
| where length is the nonce length in bytes for the EDHOC AEAD | where length is the nonce length in bytes for the EDHOC AEAD | |||
| algorithm, and info for IV_4 is: | algorithm, and info for IV_4 is: | |||
| info = | info = | |||
| ( | ( | |||
| 9, | 9, | |||
| h'0eb868f263cf3555dccd396dd8dec29d3750d599be42d5a4 | h'0eb868f263cf3555dccd396dd8dec29d3750d599be42d5a4 | |||
| 1a5a37c896f294ac', | 1a5a37c896f294ac', | |||
| 13 | 13 | |||
| skipping to change at line 1157 ¶ | skipping to change at line 1157 ¶ | |||
| be 42 d5 a4 1a 5a 37 c8 96 f2 94 ac 18 20 | be 42 d5 a4 1a 5a 37 c8 96 f2 94 ac 18 20 | |||
| PRK_out (Raw Value) (32 bytes) | PRK_out (Raw Value) (32 bytes) | |||
| b7 44 cb 7d 8a 87 cc 04 47 c3 35 0e 16 5b 25 0d ab 12 ec 45 33 25 ab | b7 44 cb 7d 8a 87 cc 04 47 c3 35 0e 16 5b 25 0d ab 12 ec 45 33 25 ab | |||
| b9 22 b3 03 07 e5 c3 68 f0 | b9 22 b3 03 07 e5 c3 68 f0 | |||
| The Object Security for Constrained RESTful Environments (OSCORE) | The Object Security for Constrained RESTful Environments (OSCORE) | |||
| Master Secret and OSCORE Master Salt are derived with the | Master Secret and OSCORE Master Salt are derived with the | |||
| EDHOC_Exporter as specified in Section 4.2.1 of [RFC9528]. | EDHOC_Exporter as specified in Section 4.2.1 of [RFC9528]. | |||
| EDHOC_Exporter( label, context, length ) | EDHOC_Exporter( exporter_label, context, length ) | |||
| = EDHOC_KDF( PRK_exporter, label, context, length ) | = EDHOC_KDF( PRK_exporter, exporter_label, context, length ) | |||
| where PRK_exporter is derived from PRK_out: | where PRK_exporter is derived from PRK_out: | |||
| PRK_exporter = EDHOC_KDF( PRK_out, 10, h'', hash_length ) | PRK_exporter = EDHOC_KDF( PRK_out, 10, h'', hash_length ) | |||
| = HKDF-Expand( PRK_out, info, hash_length ) | = HKDF-Expand( PRK_out, info, hash_length ) | |||
| where hash_length is the length in bytes of the output of the EDHOC | where hash_length is the length in bytes of the output of the EDHOC | |||
| hash algorithm, and info for the PRK_exporter is: | hash algorithm, and info for the PRK_exporter is: | |||
| info = | info = | |||
| skipping to change at line 1249 ¶ | skipping to change at line 1249 ¶ | |||
| 00 40 10 | 00 40 10 | |||
| OSCORE Master Secret (Raw Value) (16 bytes) | OSCORE Master Secret (Raw Value) (16 bytes) | |||
| 1e 1c 6b ea c3 a8 a1 ca c4 35 de 7e 2f 9a e7 ff | 1e 1c 6b ea c3 a8 a1 ca c4 35 de 7e 2f 9a e7 ff | |||
| The OSCORE Master Salt is computed through EDHOC_Expand() using the | The OSCORE Master Salt is computed through EDHOC_Expand() using the | |||
| application hash algorithm (see Section 4.2 of [RFC9528]): | application hash algorithm (see Section 4.2 of [RFC9528]): | |||
| OSCORE Master Salt = EDHOC_Exporter( 1, h'', oscore_salt_length ) | OSCORE Master Salt = EDHOC_Exporter( 1, h'', oscore_salt_length ) | |||
| = EDHOC_KDF( PRK_exporter, 1, h'', oscore_salt_length ) | = EDHOC_KDF( PRK_exporter, 1, h'', oscore_salt_length ) | |||
| = HKDF-Expand( PRK_4x3m, info, oscore_salt_length ) | = HKDF-Expand( PRK_exporter, info, oscore_salt_length ) | |||
| where oscore_salt_length is the length in bytes of the OSCORE Master | where oscore_salt_length is the length in bytes of the OSCORE Master | |||
| Salt, and info for the OSCORE Master Salt is: | Salt, and info for the OSCORE Master Salt is: | |||
| info = | info = | |||
| ( | ( | |||
| 1, | 1, | |||
| h'', | h'', | |||
| 8 | 8 | |||
| ) | ) | |||
| skipping to change at line 1284 ¶ | skipping to change at line 1284 ¶ | |||
| EDHOC_KeyUpdate( context ): | EDHOC_KeyUpdate( context ): | |||
| PRK_out = EDHOC_KDF( PRK_out, 11, context, hash_length ) | PRK_out = EDHOC_KDF( PRK_out, 11, context, hash_length ) | |||
| = HKDF-Expand( PRK_out, info, hash_length ) | = HKDF-Expand( PRK_out, info, hash_length ) | |||
| where hash_length is the length in bytes of the output of the EDHOC | where hash_length is the length in bytes of the output of the EDHOC | |||
| hash function, and the context for KeyUpdate is: | hash function, and the context for KeyUpdate is: | |||
| context for KeyUpdate (Raw Value) (16 bytes) | context for KeyUpdate (Raw Value) (16 bytes) | |||
| d6 be 16 96 02 b8 bc ea a0 11 58 fd b8 20 89 0c | d6 be 16 96 02 b8 bc ea a0 11 58 fd b8 20 89 0c | |||
| context for KeyUpdate (CBOR Data Item) (17 bytes) | ||||
| 50 d6 be 16 96 02 b8 bc ea a0 11 58 fd b8 20 89 0c | ||||
| where info for KeyUpdate is: | where info for KeyUpdate is: | |||
| info = | info = | |||
| ( | ( | |||
| 11, | 11, | |||
| h'd6be169602b8bceaa01158fdb820890c', | h'd6be169602b8bceaa01158fdb820890c', | |||
| 32 | 32 | |||
| ) | ) | |||
| info for KeyUpdate (CBOR Sequence) (20 bytes) | info for KeyUpdate (CBOR Sequence) (20 bytes) | |||
| skipping to change at line 1316 ¶ | skipping to change at line 1319 ¶ | |||
| PRK_exporter after KeyUpdate (Raw Value) (32 bytes) | PRK_exporter after KeyUpdate (Raw Value) (32 bytes) | |||
| 00 14 d2 52 5e e0 d8 e2 13 ea 59 08 02 8e 9a 1c e9 a0 1c 30 54 6f 09 | 00 14 d2 52 5e e0 d8 e2 13 ea 59 08 02 8e 9a 1c e9 a0 1c 30 54 6f 09 | |||
| 30 c0 44 d3 8d b5 36 2c 05 | 30 c0 44 d3 8d b5 36 2c 05 | |||
| The OSCORE Master Secret is derived with the updated PRK_exporter: | The OSCORE Master Secret is derived with the updated PRK_exporter: | |||
| OSCORE Master Secret | OSCORE Master Secret | |||
| = HKDF-Expand( PRK_exporter, info, oscore_key_length ) | = HKDF-Expand( PRK_exporter, info, oscore_key_length ) | |||
| where info and key_length are unchanged as in Section 2.6. | where info and oscore_key_length are unchanged as in Section 2.6. | |||
| OSCORE Master Secret after KeyUpdate (Raw Value) (16 bytes) | OSCORE Master Secret after KeyUpdate (Raw Value) (16 bytes) | |||
| ee 0f f5 42 c4 7e b0 e0 9c 69 30 76 49 bd bb e5 | ee 0f f5 42 c4 7e b0 e0 9c 69 30 76 49 bd bb e5 | |||
| The OSCORE Master Salt is derived with the updated PRK_exporter: | The OSCORE Master Salt is derived with the updated PRK_exporter: | |||
| OSCORE Master Salt = HKDF-Expand( PRK_exporter, info, salt_length ) | OSCORE Master Salt = HKDF-Expand( PRK_exporter, info, oscore_salt_length ) | |||
| where info and salt_length are unchanged as in Section 2.6. | where info and oscore_salt_length are unchanged as in Section 2.6. | |||
| OSCORE Master Salt after KeyUpdate (Raw Value) (8 bytes) | OSCORE Master Salt after KeyUpdate (Raw Value) (8 bytes) | |||
| 80 ce de 2a 1e 5a ab 48 | 80 ce de 2a 1e 5a ab 48 | |||
| 2.8. Certificates | 2.8. Certificates | |||
| 2.8.1. Responder Certificate | 2.8.1. Responder Certificate | |||
| Version: 3 (0x2) | Version: 3 (0x2) | |||
| Serial Number: 1647419076 (0x62319ec4) | Serial Number: 1647419076 (0x62319ec4) | |||
| skipping to change at line 1471 ¶ | skipping to change at line 1474 ¶ | |||
| Initiator's ephemeral public key, 'x'-coordinate | Initiator's ephemeral public key, 'x'-coordinate | |||
| G_X (CBOR Data Item) (34 bytes) | G_X (CBOR Data Item) (34 bytes) | |||
| 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea 5b 3d 8f 65 | 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea 5b 3d 8f 65 | |||
| f3 26 20 b7 49 be e8 d2 78 ef a9 | f3 26 20 b7 49 be e8 d2 78 ef a9 | |||
| The Initiator selects its connection identifier C_I to be the byte | The Initiator selects its connection identifier C_I to be the byte | |||
| string 0x0e, which is encoded as 0x0e since it is represented by the | string 0x0e, which is encoded as 0x0e since it is represented by the | |||
| 1-byte CBOR int 14: | 1-byte CBOR int 14: | |||
| Connection identifier chosen by Initiator | Connection identifier chosen by the Initiator | |||
| C_I (Raw Value) (1 byte) | C_I (Raw Value) (1 byte) | |||
| 0e | 0e | |||
| Connection identifier chosen by Initiator | Connection identifier chosen by the Initiator | |||
| C_I (CBOR Data Item) (1 byte) | C_I (CBOR Data Item) (1 byte) | |||
| 0e | 0e | |||
| No external authorization data: | No external authorization data: | |||
| EAD_1 (CBOR Sequence) (0 bytes) | EAD_1 (CBOR Sequence) (0 bytes) | |||
| The Initiator constructs message_1: | The Initiator constructs message_1: | |||
| message_1 = | message_1 = | |||
| skipping to change at line 1553 ¶ | skipping to change at line 1556 ¶ | |||
| Initiator's ephemeral public key, 'x'-coordinate | Initiator's ephemeral public key, 'x'-coordinate | |||
| G_X (CBOR Data Item) (34 bytes) | G_X (CBOR Data Item) (34 bytes) | |||
| 58 20 8a f6 f4 30 eb e1 8d 34 18 40 17 a9 a1 1b f5 11 c8 df f8 f8 34 | 58 20 8a f6 f4 30 eb e1 8d 34 18 40 17 a9 a1 1b f5 11 c8 df f8 f8 34 | |||
| 73 0b 96 c1 b7 c8 db ca 2f c3 b6 | 73 0b 96 c1 b7 c8 db ca 2f c3 b6 | |||
| The Initiator selects its connection identifier C_I to be the byte | The Initiator selects its connection identifier C_I to be the byte | |||
| string 0x37, which is encoded as 0x37 since it is represented by the | string 0x37, which is encoded as 0x37 since it is represented by the | |||
| 1-byte CBOR int -24: | 1-byte CBOR int -24: | |||
| Connection identifier chosen by Initiator | Connection identifier chosen by the Initiator | |||
| C_I (Raw Value) (1 byte) | C_I (Raw Value) (1 byte) | |||
| 37 | 37 | |||
| Connection identifier chosen by Initiator | Connection identifier chosen by the Initiator | |||
| C_I (CBOR Data Item) (1 byte) | C_I (CBOR Data Item) (1 byte) | |||
| 37 | 37 | |||
| No external authorization data: | No external authorization data: | |||
| EAD_1 (CBOR Sequence) (0 bytes) | EAD_1 (CBOR Sequence) (0 bytes) | |||
| The Initiator constructs message_1: | The Initiator constructs message_1: | |||
| message_1 = | message_1 = | |||
| skipping to change at line 1613 ¶ | skipping to change at line 1616 ¶ | |||
| Responder's ephemeral public key, 'x'-coordinate | Responder's ephemeral public key, 'x'-coordinate | |||
| G_Y (CBOR Data Item) (34 bytes) | G_Y (CBOR Data Item) (34 bytes) | |||
| 58 20 41 97 01 d7 f0 0a 26 c2 dc 58 7a 36 dd 75 25 49 f3 37 63 c8 93 | 58 20 41 97 01 d7 f0 0a 26 c2 dc 58 7a 36 dd 75 25 49 f3 37 63 c8 93 | |||
| 42 2c 8e a0 f9 55 a1 3a 4f f5 d5 | 42 2c 8e a0 f9 55 a1 3a 4f f5 d5 | |||
| The Responder selects its connection identifier C_R to be the byte | The Responder selects its connection identifier C_R to be the byte | |||
| string 0x27, which is encoded as 0x27 since it is represented by the | string 0x27, which is encoded as 0x27 since it is represented by the | |||
| 1-byte CBOR int -8: | 1-byte CBOR int -8: | |||
| Connection identifier chosen by Responder | Connection identifier chosen by the Responder | |||
| C_R (raw value) (1 byte) | C_R (raw value) (1 byte) | |||
| 27 | 27 | |||
| Connection identifier chosen by Responder | Connection identifier chosen by the Responder | |||
| C_R (CBOR Data Item) (1 byte) | C_R (CBOR Data Item) (1 byte) | |||
| 27 | 27 | |||
| The transcript hash TH_2 is calculated using the EDHOC hash | The transcript hash TH_2 is calculated using the EDHOC hash | |||
| algorithm: | algorithm: | |||
| TH_2 = H( G_Y, H(message_1) ) | TH_2 = H( G_Y, H(message_1) ) | |||
| H(message_1) (Raw Value) (32 bytes) | H(message_1) (Raw Value) (32 bytes) | |||
| ca 02 ca bd a5 a8 90 27 49 b4 2f 71 10 50 bb 4d bd 52 15 3e 87 52 75 | ca 02 ca bd a5 a8 90 27 49 b4 2f 71 10 50 bb 4d bd 52 15 3e 87 52 75 | |||
| skipping to change at line 1771 ¶ | skipping to change at line 1774 ¶ | |||
| CRED_R is an RPK encoded as a CCS: | CRED_R is an RPK encoded as a CCS: | |||
| { /CCS/ | { /CCS/ | |||
| 2 : "example.edu", /sub/ | 2 : "example.edu", /sub/ | |||
| 8 : { /cnf/ | 8 : { /cnf/ | |||
| 1 : { /COSE_Key/ | 1 : { /COSE_Key/ | |||
| 1 : 2, /kty/ | 1 : 2, /kty/ | |||
| 2 : h'32', /kid/ | 2 : h'32', /kid/ | |||
| -1 : 1, /crv/ | -1 : 1, /crv/ | |||
| -2 : h'BBC34960526EA4D32E940CAD2A234148 | -2 : h'bbc34960526ea4d32e940cad2a234148 | |||
| DDC21791A12AFBCBAC93622046DD44F0', /x/ | ddc21791a12afbcbac93622046dd44f0', /x/ | |||
| -3 : h'4519E257236B2A0CE2023F0931F1F386 | -3 : h'4519e257236b2a0ce2023f0931f1f386 | |||
| CA7AFDA64FCDE0108C224C51EABF6072' /y/ | ca7afda64fcde0108c224c51eabf6072' /y/ | |||
| } | } | |||
| } | } | |||
| } | } | |||
| CRED_R (CBOR Data Item) (95 bytes) | CRED_R (CBOR Data Item) (95 bytes) | |||
| a2 02 6b 65 78 61 6d 70 6c 65 2e 65 64 75 08 a1 01 a5 01 02 02 41 32 | a2 02 6b 65 78 61 6d 70 6c 65 2e 65 64 75 08 a1 01 a5 01 02 02 41 32 | |||
| 20 01 21 58 20 bb c3 49 60 52 6e a4 d3 2e 94 0c ad 2a 23 41 48 dd c2 | 20 01 21 58 20 bb c3 49 60 52 6e a4 d3 2e 94 0c ad 2a 23 41 48 dd c2 | |||
| 17 91 a1 2a fb cb ac 93 62 20 46 dd 44 f0 22 58 20 45 19 e2 57 23 6b | 17 91 a1 2a fb cb ac 93 62 20 46 dd 44 f0 22 58 20 45 19 e2 57 23 6b | |||
| 2a 0c e2 02 3f 09 31 f1 f3 86 ca 7a fd a6 4f cd e0 10 8c 22 4c 51 ea | 2a 0c e2 02 3f 09 31 f1 f3 86 ca 7a fd a6 4f cd e0 10 8c 22 4c 51 ea | |||
| bf 60 72 | bf 60 72 | |||
| skipping to change at line 2042 ¶ | skipping to change at line 2045 ¶ | |||
| CRED_I is an RPK encoded as a CCS: | CRED_I is an RPK encoded as a CCS: | |||
| { /CCS/ | { /CCS/ | |||
| 2 : "42-50-31-FF-EF-37-32-39", /sub/ | 2 : "42-50-31-FF-EF-37-32-39", /sub/ | |||
| 8 : { /cnf/ | 8 : { /cnf/ | |||
| 1 : { /COSE_Key/ | 1 : { /COSE_Key/ | |||
| 1 : 2, /kty/ | 1 : 2, /kty/ | |||
| 2 : h'2b', /kid/ | 2 : h'2b', /kid/ | |||
| -1 : 1, /crv/ | -1 : 1, /crv/ | |||
| -2 : h'AC75E9ECE3E50BFC8ED6039988952240 | -2 : h'ac75e9ece3e50bfc8ed6039988952240 | |||
| 5C47BF16DF96660A41298CB4307F7EB6' /x/ | 5c47bf16df96660a41298cb4307f7eb6' /x/ | |||
| -3 : h'6E5DE611388A4B8A8211334AC7D37ECB | -3 : h'6e5de611388a4b8a8211334ac7d37ecb | |||
| 52A387D257E6DB3C2A93DF21FF3AFFC8' /y/ | 52a387d257e6db3c2a93df21ff3affc8' /y/ | |||
| } | } | |||
| } | } | |||
| } | } | |||
| CRED_I (CBOR Data Item) (107 bytes) | CRED_I (CBOR Data Item) (107 bytes) | |||
| a2 02 77 34 32 2d 35 30 2d 33 31 2d 46 46 2d 45 46 2d 33 37 2d 33 32 | a2 02 77 34 32 2d 35 30 2d 33 31 2d 46 46 2d 45 46 2d 33 37 2d 33 32 | |||
| 2d 33 39 08 a1 01 a5 01 02 02 41 2b 20 01 21 58 20 ac 75 e9 ec e3 e5 | 2d 33 39 08 a1 01 a5 01 02 02 41 2b 20 01 21 58 20 ac 75 e9 ec e3 e5 | |||
| 0b fc 8e d6 03 99 88 95 22 40 5c 47 bf 16 df 96 66 0a 41 29 8c b4 30 | 0b fc 8e d6 03 99 88 95 22 40 5c 47 bf 16 df 96 66 0a 41 29 8c b4 30 | |||
| 7f 7e b6 22 58 20 6e 5d e6 11 38 8a 4b 8a 82 11 33 4a c7 d3 7e cb 52 | 7f 7e b6 22 58 20 6e 5d e6 11 38 8a 4b 8a 82 11 33 4a c7 d3 7e cb 52 | |||
| a3 87 d2 57 e6 db 3c 2a 93 df 21 ff 3a ff c8 | a3 87 d2 57 e6 db 3c 2a 93 df 21 ff 3a ff c8 | |||
| skipping to change at line 2381 ¶ | skipping to change at line 2384 ¶ | |||
| 07 58 20 c9 02 b1 e3 a4 32 6c 93 c5 55 1f 5f 3a a6 c5 ec c0 24 68 06 | 07 58 20 c9 02 b1 e3 a4 32 6c 93 c5 55 1f 5f 3a a6 c5 ec c0 24 68 06 | |||
| 76 56 12 e5 2b 5d 99 e6 05 9d 6b 6e 18 20 | 76 56 12 e5 2b 5d 99 e6 05 9d 6b 6e 18 20 | |||
| PRK_out (Raw Value) (32 bytes) | PRK_out (Raw Value) (32 bytes) | |||
| 2c 71 af c1 a9 33 8a 94 0b b3 52 9c a7 34 b8 86 f3 0d 1a ba 0b 4d c5 | 2c 71 af c1 a9 33 8a 94 0b b3 52 9c a7 34 b8 86 f3 0d 1a ba 0b 4d c5 | |||
| 1b ee ae ab df ea 9e cb f8 | 1b ee ae ab df ea 9e cb f8 | |||
| The OSCORE Master Secret and OSCORE Master Salt are derived with the | The OSCORE Master Secret and OSCORE Master Salt are derived with the | |||
| EDHOC_Exporter as specified in Section 4.2.1 of [RFC9528]. | EDHOC_Exporter as specified in Section 4.2.1 of [RFC9528]. | |||
| EDHOC_Exporter( label, context, length ) | EDHOC_Exporter( exporter_label, context, length ) | |||
| = EDHOC_KDF( PRK_exporter, label, context, length ) | = EDHOC_KDF( PRK_exporter, exporter_label, context, length ) | |||
| where PRK_exporter is derived from PRK_out: | where PRK_exporter is derived from PRK_out: | |||
| PRK_exporter = EDHOC_KDF( PRK_out, 10, h'', hash_length ) | PRK_exporter = EDHOC_KDF( PRK_out, 10, h'', hash_length ) | |||
| = HKDF-Expand( PRK_out, info, hash_length ) | = HKDF-Expand( PRK_out, info, hash_length ) | |||
| where hash_length is the length in bytes of the output of the EDHOC | where hash_length is the length in bytes of the output of the EDHOC | |||
| hash algorithm, and info for the PRK_exporter is: | hash algorithm, and info for the PRK_exporter is: | |||
| info = | info = | |||
| skipping to change at line 2506 ¶ | skipping to change at line 2509 ¶ | |||
| EDHOC_KeyUpdate( context ): | EDHOC_KeyUpdate( context ): | |||
| PRK_out = EDHOC_KDF( PRK_out, 11, context, hash_length ) | PRK_out = EDHOC_KDF( PRK_out, 11, context, hash_length ) | |||
| = HKDF-Expand( PRK_out, info, hash_length ) | = HKDF-Expand( PRK_out, info, hash_length ) | |||
| where hash_length is the length in bytes of the output of the EDHOC | where hash_length is the length in bytes of the output of the EDHOC | |||
| hash function, and the context for KeyUpdate is: | hash function, and the context for KeyUpdate is: | |||
| context for KeyUpdate (Raw Value) (16 bytes) | context for KeyUpdate (Raw Value) (16 bytes) | |||
| a0 11 58 fd b8 20 89 0c d6 be 16 96 02 b8 bc ea | a0 11 58 fd b8 20 89 0c d6 be 16 96 02 b8 bc ea | |||
| and where info for the KeyUpdate is: | ||||
| context for KeyUpdate (CBOR Data Item) (17 bytes) | context for KeyUpdate (CBOR Data Item) (17 bytes) | |||
| 50 a0 11 58 fd b8 20 89 0c d6 be 16 96 02 b8 bc ea | 50 a0 11 58 fd b8 20 89 0c d6 be 16 96 02 b8 bc ea | |||
| and where info for the key update is: | and where info for the key update is: | |||
| info = | info = | |||
| ( | ( | |||
| 11, | 11, | |||
| h'a01158fdb820890cd6be169602b8bcea', | h'a01158fdb820890cd6be169602b8bcea', | |||
| 32 | 32 | |||
| skipping to change at line 2543 ¶ | skipping to change at line 2544 ¶ | |||
| PRK_exporter after KeyUpdate (Raw Value) (32 bytes) | PRK_exporter after KeyUpdate (Raw Value) (32 bytes) | |||
| 00 fc f7 db 9b 2e ad 73 82 4e 7e 83 03 63 c8 05 c2 96 f9 02 83 0f ac | 00 fc f7 db 9b 2e ad 73 82 4e 7e 83 03 63 c8 05 c2 96 f9 02 83 0f ac | |||
| 23 d8 6c 35 9c 75 2f 0f 17 | 23 d8 6c 35 9c 75 2f 0f 17 | |||
| The OSCORE Master Secret is derived with the updated PRK_exporter: | The OSCORE Master Secret is derived with the updated PRK_exporter: | |||
| OSCORE Master Secret | OSCORE Master Secret | |||
| = HKDF-Expand( PRK_exporter, info, oscore_key_length ) | = HKDF-Expand( PRK_exporter, info, oscore_key_length ) | |||
| where info and key_length are unchanged as in Section 2.6. | where info and oscore_key_length are unchanged as in Section 2.6. | |||
| OSCORE Master Secret after KeyUpdate (Raw Value) (16 bytes) | OSCORE Master Secret after KeyUpdate (Raw Value) (16 bytes) | |||
| 49 f7 2f ac 02 b4 65 8b da 21 e2 da c6 6f c3 74 | 49 f7 2f ac 02 b4 65 8b da 21 e2 da c6 6f c3 74 | |||
| The OSCORE Master Salt is derived with the updated PRK_exporter: | The OSCORE Master Salt is derived with the updated PRK_exporter: | |||
| OSCORE Master Salt = HKDF-Expand( PRK_exporter, info, salt_length ) | OSCORE Master Salt = HKDF-Expand( PRK_exporter, info, oscore_salt_length ) | |||
| where info and salt_length are unchanged as in Section 2.6. | where info and oscore_salt_length are unchanged as in Section 3.8. | |||
| OSCORE Master Salt after KeyUpdate (Raw Value) (8 bytes) | OSCORE Master Salt after KeyUpdate (Raw Value) (8 bytes) | |||
| dd 8b 24 f2 aa 9b 01 1a | dd 8b 24 f2 aa 9b 01 1a | |||
| 4. Invalid Traces | 4. Invalid Traces | |||
| This section contains examples of invalid messages, which a compliant | This section contains examples of invalid messages, which a compliant | |||
| implementation will not compose and must or may reject according to | implementation will not compose and must or may reject according to | |||
| [RFC9528], [RFC8949], [RFC9053], and [SP-800-56A]. This is just a | [RFC9528], [RFC8949], [RFC9053], and [SP-800-56A]. This is just a | |||
| small set of examples of different reasons a message might be | small set of examples of different reasons for which a message might | |||
| invalid. The same types of invalidities applies to other fields and | be invalid. The same types of invalidities apply to other fields and | |||
| messages as well. Implementations should make sure to check for | messages as well. Implementations should make sure to check for | |||
| similar types of invalidities in all EDHOC fields and messages. | similar types of invalidities in all EDHOC fields and messages. | |||
| 4.1. Encoding Errors | 4.1. Encoding Errors | |||
| 4.1.1. Surplus Array Encoding of a Message | 4.1.1. Surplus Array Encoding of a Message | |||
| message_1 is incorrectly encoded as a CBOR array. The correct | message_1 is incorrectly encoded as a CBOR array. The correct | |||
| encoding is a CBOR sequence according to Section 5.2.1 of [RFC9528]. | encoding is a CBOR sequence according to Section 5.2.1 of [RFC9528]. | |||
| skipping to change at line 2662 ¶ | skipping to change at line 2663 ¶ | |||
| The x-coordinate in G_X is invalid as x ≥ p. It is required that x < | The x-coordinate in G_X is invalid as x ≥ p. It is required that x < | |||
| p according to Section 5.6.2.3 of [SP-800-56A], which is referenced | p according to Section 5.6.2.3 of [SP-800-56A], which is referenced | |||
| in Section 9.2 of [RFC9528]. | in Section 9.2 of [RFC9528]. | |||
| Invalid message_1 (37 bytes) | Invalid message_1 (37 bytes) | |||
| 03 02 58 20 ff ff ff ff 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 | 03 02 58 20 ff ff ff ff 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 | |||
| 00 ff ff ff ff ff ff ff ff ff ff ff ff 0e | 00 ff ff ff ff ff ff ff ff ff ff ff ff 0e | |||
| 4.2.3. Error in the Elliptic Curve Point | 4.2.3. Error in the Elliptic Curve Point | |||
| The x-coordinate in (G_X) is invalid as it does not correspond to a | The x-coordinate in G_X is invalid as it does not correspond to a | |||
| point on the P-256 curve. It is required that y^2 ≡ x^3 + a ⋅ x + b | point on the P-256 curve. It is required that y^2 ≡ x^3 + a ⋅ x + b | |||
| (mod p) according to Section 5.6.2.3 of [SP-800-56A], which is | (mod p) according to Section 5.6.2.3 of [SP-800-56A], which is | |||
| referenced in Section 9.2 of [RFC9528]. | referenced in Section 9.2 of [RFC9528]. | |||
| Invalid message_1 (37 bytes) | Invalid message_1 (37 bytes) | |||
| 03 02 58 20 a0 4e 73 60 1d f5 44 a7 0b a7 ea 1e 57 03 0f 7d 4b 4e b7 | 03 02 58 20 a0 4e 73 60 1d f5 44 a7 0b a7 ea 1e 57 03 0f 7d 4b 4e b7 | |||
| f6 73 92 4e 58 d5 4c a7 7a 5e 7d 4d 4a 0e | f6 73 92 4e 58 d5 4c a7 7a 5e 7d 4d 4a 0e | |||
| 4.2.4. Curve Point of the Low Order | 4.2.4. Curve Point of the Low Order | |||
| skipping to change at line 2718 ¶ | skipping to change at line 2719 ¶ | |||
| Invalid message_1 (39 bytes) | Invalid message_1 (39 bytes) | |||
| 19 00 03 02 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea | 19 00 03 02 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea | |||
| 5b 3d 8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 0e | 5b 3d 8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 0e | |||
| 4.3.2. Indefinite-Length Array Encoding | 4.3.2. Indefinite-Length Array Encoding | |||
| The element SUITES_I = [6, 2] is incorrectly encoded as an | The element SUITES_I = [6, 2] is incorrectly encoded as an | |||
| indefinite-length array. The correct encoding is the definite-length | indefinite-length array. The correct encoding is the definite-length | |||
| array 82 06 02 according to Section 4.2.1 of [RFC8949], which is | array 82 06 02 according to Section 4.2.1 of [RFC8949], which is | |||
| referenced in Section 5.2.2 of [RFC9528]. | referenced in Section 3.1 of [RFC9528]. | |||
| Invalid message_1 (40 bytes) | Invalid message_1 (40 bytes) | |||
| 03 9F 06 02 FF 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b | 03 9F 06 02 FF 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b | |||
| ea 5b 3d 8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 0e | ea 5b 3d 8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 0e | |||
| 5. Security Considerations | 5. Security Considerations | |||
| This document contains examples of EDHOC [RFC9528]. The security | This document contains examples of EDHOC [RFC9528]. The security | |||
| considerations described in [RFC9528] apply. The keys printed in | considerations described in [RFC9528] apply. The keys printed in | |||
| these examples cannot be considered secret and MUST NOT be used. | these examples cannot be considered secret and MUST NOT be used. | |||
| skipping to change at line 2820 ¶ | skipping to change at line 2821 ¶ | |||
| Ericsson | Ericsson | |||
| Sweden | Sweden | |||
| Email: john.mattsson@ericsson.com | Email: john.mattsson@ericsson.com | |||
| Marek Serafin | Marek Serafin | |||
| ASSA ABLOY | ASSA ABLOY | |||
| Poland | Poland | |||
| Email: marek.serafin@assaabloy.com | Email: marek.serafin@assaabloy.com | |||
| Marco Tiloca | Marco Tiloca | |||
| RISE | RISE AB | |||
| Isafjordsgatan 22 | ||||
| SE-164 40 Kista | ||||
| Sweden | Sweden | |||
| Email: marco.tiloca@ri.se | Email: marco.tiloca@ri.se | |||
| Mališa Vučinić | Mališa Vučinić | |||
| Inria | Inria | |||
| France | France | |||
| Email: malisa.vucinic@inria.fr | Email: malisa.vucinic@inria.fr | |||
| End of changes. 31 change blocks. | ||||
| 40 lines changed or deleted | 43 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||