Standardizations

Standardization is a major dissemination effort in the SIFIS-Home project, to which a specific task, T7.2 “Standardization”, is dedicated in WP7 “Dissemination, Standardization and Exploitation”. This leverages the presence in the SIFIS-Home consortium of partners with strong participation and involvement in international standardization activities.

In particular, SIFIS-Home partners RISE and Ericsson have a long and successful track record in the premier international body, the Internet Engineering Task Force (IETF), where for several years they have led the standardization of IoT security protocols across multiple Working Groups. These Working Groups include “Constrained RESTful Environments” (CoRE), “Authentication and Authorization for Constrained Environments” (ACE) and “Lightweight Authenticated Key Exchange” (LAKE).

The following list includes the IETF documents with RISE and/or Ericsson as co-author. For each of them, a brief description is provided.

Ephemeral Diffie-Hellman Over COSE (EDHOC)

A very compact and lightweight authenticated Diffie-Hellman key exchange with ephemeral keys, providing mutual authentication, forward secrecy, and identity protection. EDHOC is intended for constrained scenarios, and a main use case is to establish a Security Context for the security protocol Object Security for Constrained RESTful Environments (OSCORE).

Group Communication for the Constrained Application Protocol (CoAP)

Usage of the Constrained Application Protocol for group communication, using UDP/IP multicast as the underlying data transport.

Group OSCORE – Secure Group Communication for CoAP

A method for protecting group communication over CoAP, based on OSCORE.

Observe Notifications as CoAP Multicast Responses

Method for a CoAP server to send (secure) observe notifications as response messages over IP multicast.

Discovery of OSCORE Groups with the CoRE Resource Directory

Method for a CoAP endpoint to use the CoRE Resource Directory for discovering OSCORE groups and acquiring information to join them.

Proxy Operations for CoAP Group Communication

A method to enable CoAP forward-proxies to operate in group communication scenarios. The proxy forwards a client’s request to multiple servers, e.g., over IP multicast. Then, it receives the servers’ responses and forwards them back to the client, in such a way that the client is able to distinguish each response’s origin.

Profiling EDHOC for CoAP and OSCORE

Additional and optional features for the authenticated key establishment protocol EDHOC when run over the CoAP protocol. These especially include a method to efficiently combine the execution of EDHOC with a following message exchange protected with OSCORE.

Cacheable OSCORE

A method to enable CoAP forward proxies to cache response messages protected with Group OSCORE.

Key Update for OSCORE (KUDOS)

A method for two OSCORE peers to address the limits of the used AEAD algorithms, so that the security of their communications is preserved. This lightweight method enables the two peers to update their keying material and establish a new OSCORE Security Context.

OSCORE-capable Proxies

A method for protecting CoAP messages with OSCORE also between an origin application endpoint and an intermediary, or between two intermediaries. This includes the possible double-protection of a message through “OSCORE-in-OSCORE”, i.e., both end-to-end between origin application endpoints, as well as between an application endpoint and an intermediary.

The Object Security for Constrained RESTful Environments (OSCORE) Profile of the Authentication and Authorization for Constrained Environments (ACE) Framework

A profile for the ACE framework, which utilizes OSCORE in order to achieve communication security, server authentication, and proof-of-possession.

Key Provisioning for Group Communication using ACE

Definition of message formats and procedures based on the ACE framework, to request and distribute group keying material, which is then used to protect communications among members of a group.

Key Management for OSCORE Groups in ACE

A method to request and provision keying material in group communication scenarios where the group communication is based on CoAP and secured with Group OSCORE, building on the ACE framework for Authentication and Authorization.

Admin Interface for the OSCORE Group Manager

A RESTful admin interface at the OSCORE Group Manager, which allows an Administrator entity to create and delete OSCORE groups, as well as to retrieve and update their configuration. The ACE framework for Authentication and Authorization is used to enforce authentication and authorization of the Administrator at the Group Manager.

Group OSCORE Profile of the Authentication and Authorization for Constrained Environments Framework

A profile for the ACE framework, which utilizes Group OSCORE possibly together with OSCORE, to provide communication security between a client and (a group of) resource server(s), while achieving server authentication, proof-of-possession and proof of client’s group membership.

Notification of Revoked Access Tokens in the Authentication and Authorization for Constrained Environments (ACE) Framework

A method for the ACE framework to allow an authorization server to notify registered devices (i.e., clients and resource servers) about issued access tokens that have been revoked but are not expired yet.

Ephemeral Diffie-Hellman Over COSE (EDHOC) and Object Security for Constrained Environments (OSCORE) Profile for Authentication and Authorization for Constrained Environments (ACE)

A profile for the ACE framework, which utilizes OSCORE in order to achieve communication security, following the execution of the authenticated key establishment protocol EDHOC.

https://datatracker.ietf.org/doc/draft-ietf-ace-edhoc-oscore-profile/