Standardization is a major dissemination effort in the SIFIS-Home project, for which a specific Task T7.2 “Standardization” is dedicated in WP7 “Dissemination, Standardization and Exploitation”. This leverages the presence in the SIFIS-Home consortium of some partners with a strong participation and involvement in international standardization activities.
In particular, SIFIS-Home partners RISE and Ericsson have a long-term successful track record in the premier international body Internet Engineering Task Force (IETF), where for several years they have led the standardization of IoT security protocols, across multiple Working Groups. These Working Groups include “Constrained RESTful Environments” (CoRE), “Authentication and Authorization for Constrained Environments” (ACE) and “Lightweight Authenticated Key Exchange” (LAKE).
The following list includes the IETF documents with RISE and/or Ericsson as co-author. For each of them, a brief description is provided.
Ephemeral Diffie-Hellman Over COSE (EDHOC)
A very compact and lightweight authenticated Diffie-Hellman key exchange with ephemeral keys, providing mutual authentication, forward secrecy, and identity protection. EDHOC is intended for constrained scenarios, and a main use case is to establish a Security Context for the security protocol Object Security for Constrained RESTful Environments (OSCORE).
Group Communication for the Constrained Application Protocol (CoAP)
Usage of the Constrained Application Protocol for group communication, using UDP/IP multicast as the underlying data transport.
Observe Notifications as CoAP Multicast Responses
Method for a CoAP server to send (secure) observe notifications as response messages over IP multicast.
Discovery of OSCORE Groups with the CoRE Resource Directory
Method for a CoAP endpoint to use the CoRE Resource Directory for discovering OSCORE groups and acquiring information to join them.
Proxy Operations for CoAP Group Communication
A method to enable CoAP forward-proxies to operate in group communication scenarios. The proxy forwards a client’s request to multiple servers, e.g., over IP multicast. Then, it receives the servers’ responses and forwards them back to the client, in such a way that the client is able to distinguish each response’s origin.
Profiling EDHOC for CoAP and OSCORE
Additional and optional features for the authenticated key establishment protocol EDHOC when run over the CoAP protocol. These especially include a method to efficiently combine the execution EDHOC with a following message exchange protected with OSCORE.
Key Update for OSCORE (KUDOS)
A method for two OSCORE peers to address the limits of the used AEAD algorithms, so that the security of their communications is preserved. This lightweight method enables the two peers to update their keying material and establish a new OSCORE Security Context.
A method for protecting CoAP messages with OSCORE also between an origin application endpoint and an intermediary, or between two intermediaries. This includes the possible double-protection of a message through “OSCORE-in-OSCORE”, i.e., both end-to-end between origin application endpoints, as well as between an application endpoint and an intermediary.
OSCORE profile of the Authentication and Authorization for Constrained Environments Framework
A profile for the ACE framework, which utilizes OSCORE in order to achieve communication security, server authentication, and proof-of-possession.
Key Provisioning for Group Communication using ACE
Definition of message formats and procedures based on the ACE framework, to request and distribute group keying material, which is then used to protect communications among members of a group.
Key Management for OSCORE Groups in ACE
A method to request and provision keying material in group communication scenarios where the group communication is based on CoAP and secured with Group OSCORE, building on the ACE framework for Authentication and Authorization.
Admin Interface for the OSCORE Group Manager
A RESTful admin interface at the OSCORE Group Manager, that allows an Administrator entity to create and delete OSCORE groups, as well as to retrieve and update their configuration. The ACE framework for Authentication and Authorization is used to enforce authentication and authorization of the Administrator at the Group Manager.
Group OSCORE Profile of the Authentication and Authorization for Constrained Environments Framework
A profile for the ACE framework, which utilizes Group OSCORE possibly together with OSCORE, to provide communication security between a client and (a group of) resource server(s), while achieving server authentication, proof-of-possession and proof of client’s group membership.
Notification of Revoked Access Tokens in the Authentication and Authorization for Constrained Environments (ACE) Framework
A method for the ACE framework to allow an authorization server to notify registered devices (i.e., clients and resource servers) about issued access tokens that have been revoked but are not expired yet.