| Internet-Draft | BP SAFE | March 2026 |
| Sipos | Expires 11 September 2026 | [Page] |
This document defines a protocol for negotiating scoped security associations between Bundle Protocol version 7 (BPv7) agents within a delay-tolerant network (DTN). Security associations are used to amortize the costs of asymmetric-keyed security operations and allow for efficient and high-throughput BPv7 security within a public key infrastructure. This protocol also provides for unilateral re-keying of established security associations in a delay-tolerant manner.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 11 September 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The combination of Bundle Protocol version 7 (BPv7) [RFC9171] and Bundle Protocol Security (BPSec) [RFC9172] enables security to be applied at a fine-grained level to individual target blocks of a bundle.¶
When operating within a Public Key Infrastructure Using X.509 (PKIX) [RFC5280] environment, in the absence of any kind of online protocol between the security source and expected acceptor(s) there are two extreme alternatives for the use of public keys for integrity and/or confidentiality described below.¶
The security source can use a static public key of the security source directly for signing each target or use a public key of the security acceptor directly for each target (for either key agreement or key encapsulation).¶
This is the strategy taken by the email security of S/MIME [RFC8551] and asymmetric algorithms of CBOR Object Signing and Encryption (COSE) [RFC9052]. While it ensures that each security operation can be processed independently it also introduces a large overhead because asymmetric-keyed algorithms are likely to be orders of magnitude more resource intensive than symmetric-keyed ones.¶
For key types which support key exchange, such as elliptic curve (EC) keys, the security source can use a static public key from both the security source and acceptor to perform a one-time key derivation of a shared secret, and from that secret a pseudorandom function (PRF) can be used to derive symmetric keys known to both entities.¶
This allows the cost of one-time key exchange and PRF operations to be amortized across all of the cryptographic operations using the derived symmetric keys. But without any additional scoping added to the derived keys (e.g., valid time of use or volume of data processed, restriction to specific ciphersuites or algorithms, etc.), the keys themselves will be vulnerable to overuse or cross-use vulnerabilities.¶
This technique alone also provides confidentiality of the derived symmetric keys but does not provide any authentication of the peer entity (via some identity binding to the associated private key). It also does not allow for forward secrecy (FS) because the original asymmetric keys need to be long-lived enough to handle all communications between the entities.¶
In order to both amortize the costs of asymmetric-keyed algorithms and to provide a separate means of mutually authenticating a peer BP node, including a proof-of-possession for the private key associated with a known public key, this document defines the Security Associations with Few Exchanges (SAFE) protocol.¶
The SAFE protocol operation is explained in detail in Section 2. It operates as an "in-band" control plane application over BPv7 as depicted in Figure 1. This is similar to how the Internet Key Exchange Version 2 (IKEv2) protocol of [RFC7296] operates as an application over UDP/IP.¶
+-----------------------+ | Security Associations | -\ | (SAFE) | | +-----------------------| | | BPv7 + BPSec | -> Application Layer +-----------------------+ | | CL + opt. security | -/ +-----------------------+ | TCP/UDP/etc. | ---> Transport Layer +-----------------------+ | IPv4/IPv6 | ---> Network Layer +-----------------------+ | Link-Layer Protocol | ---> Link Layer +-----------------------+
This document describes the format of the protocol data units passed between BP nodes for security association negotiation and defines behavior at message source and destination nodes. It also defines how each participating node acts on those security associations to process BPSec security operations.¶
This document does not address:¶
Based on terminology from Section 3.1 of [RFC9171], the four data plane interaction points between a BP Agent (BPA) and other entities are shown for two agents in Figure 2. For simplicity that diagram shows a situation where there is reachability between the nodes in one direction, but typically reachability between nodes would be in both directions (via similar or dissimilar convergence layer types and/or hop counts).¶
Two of the interaction points are with application(s) registered as endpoints in the BPA (transmit and deliver) and two are with underlying convergence layer(s) used to transport bundles between BPAs (forward and receive) for each hop. Within a BPA there is logic about how and when to deliver, forward, retain, delete, discard, or some combination of those actions which are defined in Section 5 of [RFC9171]. This logic is indicated in later diagrams by the "(Decide)" label inside a BPA block.¶
+---------------+ +---------------+
| Registered | | Registered |
| Application(s)| | Application(s)|
+---------------+ +---------------+
| ^ | ^
Transmit| |Deliver Transmit| |Deliver
v | v |
+----------------+----+ +----------------+----+
| | | |
| BP Agent | | BP Agent |
| | | |
+----------------+----+ +----------------+----+
^ | ^ |
Receive| |Forward Receive| |Forward
| v | v
~---------+ +-----------~ ~---------+-+ +--------~
| | Forwarding Hop(s) | |
~---------+ +-----------~ ~-----------+ +--------~
This document considers two principal use cases to narrow the scope of discussion, each described in the following subsections. More complex use cases can be achieved by this protocol, either by more complex interaction with a BPSec entity or the use of techniques such as BIBE of [I-D.ietf-dtn-bibect] to perform secure tunneling between pairs of security gateway nodes.¶
The end-to-end use case is where the SAFE entities negotiate secondary SAs which match endpoints on the participating nodes themselves.
This use case corresponds to the end-to-end mode of Security Mode Selector (SMS).¶
For this mode the bundle flows and security processing will look like what is depicted in Figure 3. The negotiated security service is sourced immediately upon bundle creation (after the corresponding ADU is transmitted by the source endpoint), has a lifetime equal to the bundle itself, and is accepted immediately before bundle delivery (of the ADU to the destination endpoint).¶
| ^
Transmit| |Deliver
v |
+----+----------------+ +----------------+----+
| Source | | Accept |
| \ | | / |
| (Decide) | | (Decide) |
| \ | | / |
| \ | | / |
+----------------+----+ +----+----------------+
| ^
|Forward Receive|
v |
+-----------~ ~---------+-+
| Forwarding Hop(s) |
+-----------~ ~-----------+
The purpose of this mode is to ensure that specific traffic has integrity or confidentiality protection for its entire lifetime, applied as close to the endpoints as possible. This protection also includes any possible storage at the source and destination nodes.¶
The one-hop use case is where the SAFE entities negotiate secondary SAs which match arbitrary endpoints but apply to bundles traversing a single hop with a neighbor node.
This use case corresponds to the one-hop mode of Security Mode Selector (SMS).¶
For this mode the bundle flows and security processing will look like what is depicted in Figure 4. The negotiated security service is sourced immediately before forwarding (specifically to the peer node of the SA), has a lifetime of just a single bundle hop, and is accepted immediately upon reception at that peer node.¶
| ^
Transmit| |Deliver
v |
+----+----------------+ +----------------+----+
| \ | | / |
| \ | | / |
| (Decide) | | (Decide) |
| / \ | | / \ |
| / Source | | Accept \ |
+----+-----------+----+ +----+-----------+----+
^ | ^ |
Receive| |Forward Receive| |Forward
| v | v
+--------------------+-+
| Forwarding Hop |
+----------------------+
The purpose of this mode is to supplement security mechanisms (if any) provided by the forwarding convergence layer adapter (CLA). This allows the receiving node to authenticate data from the previous node during reception, by transitively linking the one-hop security back to the mutual authentication and proof-of-possession from the Initial Authentication (IA) activity.¶
This document defines CBOR structure using the Concise Data Definition Language (CDDL) of [RFC8610]. The entire CDDL structure can be extracted from the XML version of this document using the following XPath expression:¶
'//sourcecode[@type="cddl"]'¶
The following initial fragment defines the top-level symbols of this document's CDDL, including the PDU data structure with its parameter/result sockets.¶
start = safe-pdu-seq / safe-msg / safe-msg-bstr¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
Terminology used within the SAFE protocol includes the following:¶
The service of this protocol is the establishment and management of one or more secondary security association (SA) between two participating peer BP nodes (that may or may not be BP neighbors) which are used to inform a BPSec entity on each node how to secure specific data plane traffic as described in Section 2.3. To avoid coupling each SAFE entity with any BPSec entity on the same node, SAFE PDUs use application-provided security instead of relying on BPSec.¶
The initial confidential channel between a pair of SAFE entities is provided by an Ephemeral Diffie-Hellman Over COSE (EDHOC) session [RFC9528] and Section 2.2, which includes forward secrecy, mutual authentication, and proof-of-possession. EDHOC also allows using external authorization data (EAD) items to confidentially transport SAFE messages during session establishment (see Section 9.1.1), which avoids excess delay before negotiating secondary SAs.¶
A side effect of the EDHOC session is the establishment of a primary SA between the two SAFE peers and initial symmetric keys for that primary SA. The primary SA keys provide SAFE message confidentiality after the initial authentication EDHOC session (see Section 9.1.2). After a primary SA is established, this protocol allows creating secondary SAs through a single 1.5 round-trip activity without re-authenticating. It also allows managing established SAs, both primary and secondary, including life-cycle management of subordinate symmetric keys (re-keying with optional forward secrecy and decommissioning), in order to bound key use over time and over volume of processed data.¶
+-----------------------------------------+
| +----------+ +----------+ |
| Primary SA |RX Content| |TX Content| |
| * SAIs |Keys #1..N| |Keys #1..M| |
| * Peer EID +----------+ +----------+ |
| * PRK +----------+ +----------+ |
| |RX Prekeys| |TX Prekeys| |
| | #1..P | | #1..Q | |
| +----------+ +----------+ |
+----+------------------------------------+
|
| +-------------------------------------------+
| | +----------+ +----------+ |
+----+ Secondary SA |RX Content| |TX Content| |
: | * SAIs |Keys #1..N| |Keys #1..M| |
: | * Modes +----------+ +----------+ |
: | * Selectors +----------+ +----------+ |
more | * PRK |RX Prekeys| |TX Prekeys| |
SSAs | | #1..P | | #1..Q | |
| +----------+ +----------+ |
+-------------------------------------------+
The concepts and procedures of SAFE are similar in both form and function to the IP-level IKEv2 of [RFC7296] and MAC-level Port-Based Network Access Control (PBNAC) of [802.1X]. These earlier protocols assume a low enough latency that chaining two-way exchanges over time is not a resource burden or source of major delay, and that if retransmissions are needed they can easily be performed at the exchange initiator side. Because SAFE is expected to operate in environments where one-way latency can be significant (see [RFC4838]), its structure (Section 4) is organized to avoid a sequence-of-exchanges pattern and its activities (Section 5) are organized to minimize the number of steps (i.e., round trips) in each.¶
Instead of a two-way request--response pattern where all retransmission occurs from the requesting entity, the SAFE pattern is an activity sequence where each step acknowledges the receipt of the previous step and the final message is purely acknowledgement that the activity has finished. SAFE separates its messaging sub-layer from its packetization sub-layer (see Section 4) to allow messages from multiple simultaneous activities to be aggregated together into a single protocol data unit (PDU). For an individual activity sequence this results in more total messages than two-way exchanges, but it enables pipelining of messages and selective retransmission (ARQ) of individual encoded messages from either side of an activity conversation.¶
Some SAFE activities involve negotiating of a shared state between an initiator and a responder using two data-bearing steps and a final acknowledgement. Many activities are unilateral, meaning they consist of a single data-bearing step from the initiator followed by a single responder acknowledgement. Having activities be unilateral makes the overall protocol more delay-tolerant.¶
Within each SA, both primary and secondary, there are some number of content keys (CKs) available for use in the data plane. The primary SA content keys are used for AEAD of SAFE PDUs themselves, while secondary SA content keys are for BPSec operations on other traffic.¶
The primary SA has an implicit pair of content keys created as part of the Initial Authentication (IA) activity, each with a key identifier (KID) derived from and the same length as the primary security association identifier (SAI). All other KIDs of primary and secondary SAs are explicitly chosen by the entity which would use that key as the security source (i.e., the TX side of the data plane).¶
Within a single SA, the lifecycle of a single CK is depicted in Figure 6 where "Entity A" is the TX end of that key and "Entity B" is the RX end. The optional CK Prekey activity and its public key data is used to ensure forward secrecy of the CK when desired by the TX end. The CK Discard activity is used to inform the RX end when the CK will no longer be used for security operations and it is safe to be discarded.¶
+--------+ +--------+
|Entity A| |Entity B|
|(TX end)| |(RX end)|
+--------+ +--------+
|<===== SA Creation ====>|
| ... |
| |
| optional |
| CK Prekey |
|<-----------------------+
|- - - - - - - - - - - ->|
| |
| CK Create |
+----------------------->|
|<- - - - - - - - - - - -|
| |
| Use CK in |
| data plane |
+----------------------->|
+----------------------->|
| |
| CK Discard |
+----------------------->|
|<- - - - - - - - - - - -|
+--------------------------------------+
| Security Association |
+--------------------------------------+
+----------+
| CK 1 |
+----------+
+----------------+
| CK 2 |
+----------------+
+--------------+
| CK 3 |
+--------------+
=----- time ----->
This protocol embeds EDHOC as the messaging structure and behavior of the Initial Authentication (IA) activity type. Because the IA activity is the very beginning of a conversation between two SAFE entities, the packetization behavior during the IA activity is a special case containing a single EDHOC message in each PDU. This also means that during the IA activity EDHOC is responsible for confidentiality of SAFE data as EAD items. After the IA has finished and a primary SA is established, confidentiality is provided by an application-layer use of COSE encryption (see Section 4.4) using EDHOC session parameters.¶
This SAFE protocol functions as a control plane for establishing secondary SAs, which are then used to provide symmetric content keys to be used by BPSec for data plane security operations on individual target blocks within specific bundles as described in Section 1.2. The scoping of each secondary SA includes a BPSec security context identifier and its options for which each derived content key is authorized to be used. It is up to BPSec policy on each of the SAFE peer nodes to enforce those authorized uses as the mandatory security source and mandatory security acceptor for matching flows in each direction.¶
A secondary SA is scoped by the following aspects which inform BPSec policy on each peer node.¶
In the typical use of IKEv2 [RFC7296], TLS [RFC8446], or DTLS [RFC9147] the full credentials (and in the case of PKIX certificates, full certificate chains) are carried in the protocol exchanges. Because the original target for EDHOC was constrained networks, the credentials themselves are purposefully omitted from the EDHOC messages and instead only credential identifiers are exchanged Section 3.5.3 of [RFC9528].¶
Part of the configuration for each SAFE entity is a set of peer information (see Section 3.1), each of which contains a set of validated credentials and their root-of-trust for that peer. It is still possible for SAFE entities to provide actual credential data, which itself is kept confidential as part of the secure channel established by EDHOC.¶
The protocol defined in this document defines a basic set of modes and data types which are expected to be suitable for many bundle security use cases. But the protocol uses extensible IANA registries (see Section 12.3) which allow future specifications to define additional well-known code points. And each registry has a reserved block to allow private networks to make use of private code points tailored to their specific needs.¶
The EDHOC cipher suite, chosen by the initiator and agreed with the responder, controls the cryptographic algorithms used to secure the EDHOC session, derive internal key material, authenticate each entity to its peer, and to secure SAFE messages after the EDHOC session has completed. The base specification in Section 3.6 of [RFC9528] defines 9 suites which cover capabilities all the way from lightweight algorithms targeting constrained processors to one which adheres to the NSA Commercial National Security Algorithm Suite (CNSA) version 1 citation TBD.¶
The EDHOC method controls how each entity authenticates to its peer within an EDHOC session. The base specification in Section 3.2 of [RFC9528] defines four methods to cover authenticating each side with either an asymmetric-key signature or a key-agreement-key MAC. Future methods are expected to provide access to post-quantum cryptographic (PQC) mechanisms.¶
The credential type used to authenticate each entity and how it is identified to its peer are both chosen by that entity being authenticated, based on a profile exposed outside of this protocol. The credential identifiers are derived from COSE header parameters from [IANA-COSE] and currently include a X.509 certificate thumbnail, URL, or certificate chain data, or a C509 certificate thumbnail, URL, or certificate chain data. Future credential types are expected to include pre-shared key material.¶
The activity types defined in this document are expected to be sufficient for SA creation and management, but there is a registry of available types defined in Section 12.3 for future expansion as necessary.¶
Within each activity type, specifically the SA Creation (SC) type, there is a block of code points reserved for private use and left unassigned for future specifications. These are expected to include additional selectors for traffic flows beyond just source and destination EID from Section 6.11.¶
There are currently only two well-known BPSec contexts defined in [RFC9173] and one drafted in [I-D.ietf-dtn-bpsec-cose]. The first pair from [RFC9173] are intended to be "... for testing the interoperability ... and for providing basic security operations when no other security contexts are defined or otherwise required for a network" and these have few options needed to operate them as described in Section 9.3 and Section 9.4.¶
The COSE context from [I-D.ietf-dtn-bpsec-cose] is more full-featured, but that also means it has more options and more complex configurations of those options available as described in Section 9.5; COSE itself is also expected to be expanded in the near- and long-term to include PQC-type algorithms.¶
Future contexts are expected to be specialized to specific missions and networks. Well-known contexts will be registered with IANA under [IANA-BUNDLE] and need to define a SAFE binding if they are to be used with negotiated secondary SAs.¶
BP SAFE operates by using an activity sequence of messages (see Section 5) to establish and maintain security associations between pairs of participating entities.¶
There are two logical tiers of SA, primary and secondary, which are treated here as two separate information tables. How these are mapped to an actual internal data model is an implementation detail, as well as whether an entity treats all SAs together into one pool or separates primary and secondary SA data as indicated in this section.¶
All private asymmetric key material and all derived PRK and symmetric key material is expected to be maintained outside of the SAFE entity in some form of trusted execution environment (TEE). The key material is included in these information bases as a logical placeholder and to show its association with the other fields.¶
In order to set appropriate retransmission timers, the local entity needs to know expected timing information for each participating peer node.¶
| Name | Description |
|---|---|
| Peer EID | The transport EID for the SAFE entity on the peer node. |
| Properties below are based on the above key column. | |
| Round-Trip Time | The expected full round-trip time between a sent message and an acknowledgement. This value includes actual one-way-light time (OWLT) of links as well as expected queuing and processing delays. |
| Acceptable EDHOC Cipher Suites | A priority list of code points from the "EDHOC Cipher Suites" registry of [IANA-EDHOC] which are acceptable to use for EDHOC sessions with this peer. This value is sent in Message 1 when acting as an EDHOC initiator and validated when acting as an EDHOC responder. |
| TX Credential Types | A priority list of acceptable COSE credential types for EDHOC authentication of this node to the peer. Details on this complex field are described below. |
| Acceptable RX Credential Types | A priority list of acceptable COSE credential types for EDHOC authentication of the peer node. Details on this complex field are described below. |
For the two stores of credential types in the Participating Peers information base, the detailed information present consists of an ordered list of entries, each containing the following.¶
One of the "COSE Header Parameters" registry values from [IANA-COSE] which identifies a credential type:¶
Each SAFE entity maintains a table of in-progress activities and their associated metadata, with logical columns as indicated in Table 2.¶
| Name | Description |
|---|---|
| Initiator | The transport EID for the initiator of the activity. This may be a local endpoint or remote. |
| Responder | The transport EID for the responder of the activity. This will be the opposite site of conversation from the initiator endpoint. |
| Activity Index | The index for the activity, which is unique to and defined by the initiator. |
| Properties below are based on the above key columns. | |
| Last Step Transmitted (LTX) | The step of the activity which is associated with the last message sent to the peer. |
| Last Message Transmitted | The logic of activity step ARQ requires messages to be re-transmitted with the same content as the original. One way this can be controlled by each entity is to simply retain an encoded form of each TX message until it is acknowledged by the subsequent activity step. The actual mechanism of retaining and re-transmitting each message is implementation defined. |
| Last Step Received (LRX) | The step of the activity which is associated with the last message received from the peer. This value is optional for activities initiated by the local entity. |
While the last received step is less than the last sent step, it means that the local entity is waiting for an acknowledging message. After the final message of an activity is received, the associated table row is removed as there is no need to maintain long-term bookkeeping of finished activities. TBD about row removal timer and ignoring late duplicate messages.¶
Each primary SA allows SAFE entities to provide PDU-level confidentiality and is used as the source of a shared secret from which secondary SAs can be derived, as depicted in Figure 5. The state of each primary SA known to the local entity has logical columns as indicated in Table 3.¶
A primary SA covers traffic in both directions between the two peers participating in the SA. The primary SA has no specific endpoint selectors because each is used for security between the SAFE entities themselves rather than any other, data plane traffic.¶
| Name | Description |
|---|---|
| Local SAI | The locally-generated SA identifier for this entry. This Local SAI alone (within the local SAFE entity) is a unique identifier for the primary SA. |
| Peer EID | The transport EID for the SAFE entity on the peer node. |
| Peer SAI | The peer-generated SA identifier for this entry. The combination of Peer EID and Peer SAI together form a unique identifier for the primary SA. |
| Properties below are based on the above key columns. | |
| AEAD Algorithm | The "application AEAD algorithm" from the EDHOC cipher suite negotiated as part of the IA activity. This applies to SAFE confidential PDU processing defined in Section 9.1. |
| Hash Algorithm |
The "application hash algorithm" from the EDHOC cipher suite negotiated as part of the IA activity.
This applies to the SAFE_KDF function defined in Section 8.1.
|
| Primary pseudo-random key (PRK) |
Internal key material derived from the EDHOC session for this SA, as the byte string PRK_SA1 defined in Section 8.1.
This is used to derive further values for secondary SAs as defined in Section 8.3 and content key material.
|
| TX Content Keys | The primary SA has one or more content keys for outgoing PDUs to the Peer EID. Each content key has the information defined in Table 4 and is scoped within a single primary SA. The associated key material is derived from the shared secret created during Initial Authentication (IA) and CK Creation (CC) activities. |
| RX Content Keys | The primary SA has one or more content keys for incoming PDUs from the Peer EID. Each content key has the information defined in Table 5 and is scoped within a single primary SA. The associated key material is derived from the shared secret created during an Initial Authentication (IA) activity. |
| RX Prekeys | A set of one-time-use private asymmetric key material used to process received CK Creation activities. These private keys are generated locally and their associated public prekeys are communicated to the peer entity via CK Prekey activities. Each private prekey has the information defined in Table 6 and is scoped within a single primary SA. |
| TX Prekeys | A set of one-time-use public key material used to process and initiate CK Creation activities. These public keys are received from the peer entity through CK Prekey activities. Each public prekey has the information defined in Table 7 and is scoped within a single primary SA. |
The information in Table 4 is implicitly scoped to a single primary SA and does not have an explicit relationship in that table. An entity SHOULD remove any TX Content Key when the wall-clock time advances past the end of its validity time interval.¶
| Name | Description |
|---|---|
| Key ID | A byte string identifier for this key, chosen by the local entity. |
| Validity Time Interval | An absolute interval of time during which the key is valid for use. This interval is chosen by the local entity. |
| Partial IV Counter | An unsigned 64-bit integer counter used to construct Partial IV byte strings for outgoing SAFE PDUs as defined in Section 9.1.2. The initial value of each counter for a new content key SHOULD be zero. |
| Symmetric Key | The actual private key material and intrinsic metadata such as acceptable algorithm types. This logically corresponds to COSE Key information for a symmetric key with structure defined in Section 8.2. |
The information in Table 5 is implicitly scoped to a single primary SA and does not have an explicit relationship in that table. An entity SHOULD remove any RX Content Key when the wall-clock time advances past the end of its validity time interval.¶
| Name | Description |
|---|---|
| Key ID | A byte string identifier for this key, chosen by the peer entity. |
| Validity Time Interval | An absolute interval of time during which the key is valid for use. This interval is chosen by the peer entity. |
| Symmetric Key | The actual private key material and intrinsic metadata such as acceptable algorithm types. This logically corresponds to COSE Key information for a symmetric key with structure defined in Section 8.2. |
The information in Table 6 is implicitly scoped to a single primary SA and does not have an explicit relationship in that table. An entity SHOULD remove any RX Prekey when the wall-clock time advances past the end of its validity time interval.¶
| Name | Description |
|---|---|
| Key ID | A locally unique byte string identifier for this key. |
| Validity Time Interval | An absolute interval of time during which the key is valid for use. This interval is chosen by the local entity. |
| Private Key | The actual private key material and intrinsic metadata such as acceptable algorithm types. This logically corresponds to COSE Key information for a private key. |
The information in Table 7 is implicitly scoped to a single primary SA and does not have an explicit relationship in that table. An entity SHOULD remove any TX Prekey when the wall-clock time advances past the end of its validity time interval.¶
| Name | Description |
|---|---|
| Peer Key ID | A unique byte string identifier for this key, chosen by the peer entity. |
| Validity Time Interval | An absolute interval of time during which the key is valid for use. This interval is chosen by the peer entity. |
| Public Key | The actual public key material and intrinsic metadata such as acceptable algorithm types. This logically corresponds to COSE Key information for a public key. |
Each secondary SA allows SAFE entities to provide key material and associated policy configuration to a BPSec entity on the same BP node. The state of each secondary SA known to the local entity has logical columns as indicated in Table 8.¶
| Name | Description |
|---|---|
| Parent SA | The primary SA (Table 3) from which this secondary SA was derived, which includes the Peer EID of the other SAFE entity. |
| Local SAI | The locally-generated SA identifier for this entry, as defined in Section 6.5. |
| Peer SAI | The peer-generated SA identifier for this entry, as defined in Section 6.5. |
| Security Mode Selector | This is a mode selector for this SA, as defined in Section 6.9. |
| Validity Time Interval | An optional interval of time during which the SA is valid. The logic is consistent with the node time interval (NTI) of Section 6.10. If absent, the SA is valid for all time. |
| Local Endpoint Selectors | This is an unordered set of endpoint selector items for the local side of the SA, as described below and in Section 6.11. |
| Peer Endpoint Selectors | This is an unordered set of endpoint selector items for the local side of the SA, as described below and in Section 6.11. |
| Security Operation Selector | This is a combination of information derived from the negotiated Security Operation Selectors (SOS) during the Section 5.3 activity. |
| BPSec Context ID | This is a single code point from the "BPSec Security Context Identifiers" registry at [IANA-BUNDLE], which restricts the scope in which the key can be used and provides context for the Key Use Selector details below. |
| Key Use Options | This field represents a set of context-specific options which determine exactly how the SA and its keys are to be used by the BPSec entity on this node. The options are negotiated during SA Creation (SC) as defined in Section 6.13 and per-context specifications (see Section 9). |
| Key Information | This field represent a set of context-specific key material and derived options for each direction between the two peers. The key material are derived from the shared secret created during SA Creation (SC) as defined in Section 8.3 and per-context specifications (see Section 9). |
Each endpoint selector item functions as a filter for the BP Agent to determine to which bundles the SA applies. The order in which endpoint selectors and other filters are applied to filter bundles for security processing is an implementation matter and can be optimized to, for example, process the less expensive checks first to reduce the average expense of matching. An implementation is also free to perform additional indexing of endpoint selectors across multiple SAs to reduce total processing expense.¶
Each key use option contains fields necessary to restrict when and how the key can be used for BPSec security operations. The fields of each item roughly correspond with a COSE Key from Section 7 of [RFC9052] and an implementation can choose to use a COSE Key representation if that is convenient.¶
The SAFE protocol operates with three distinct sub-layers, each with a different structure and purpose. They are described as follows, starting from the topmost sub-layer and working down toward the BP transport.¶
+-------------------------------------------+
| Data Item 1 | ... | Data Item N | <- Activity
+-------------------------------------------+ Data
\__________________________________ |
\ |
+-------------------------------------------+
| Act. Idx. | Act. Step | Act. Type | Data | <- Activity State
+-------------------------------------------+
| SAFE Message | <- Messaging
+-------------------------------------------+ and Retransmission
\__ ____________________________/
\ /
+-------------------------------------+
| Msg. 1 bstr |...| Msg. N bstr | pad | <- Message Aggregation
+-------------------------------------+
| Plaintext |
+ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ +
| Ciphertext + tag | <- Message Security
+-------------------------------------------+
\____________________ |
\ |
+-------------------------------------------+
| Version | PIV | SAI | EDHOC / Ciphertext |
+-------------------------------------------+
| SAFE PDU | <- Packetization
+-------------------------------------------+
\___________________________ /
\ /
+-------------------------------------------+
| Bundle | Payload Block | <- Transport
+-------------------------------------------+ and Security
The contents of a SAFE message allow it to be correlated to a specific activity sequence and an individual step within that sequence (see Section 4.2 for details). All steps are numbered starting with zero at the initiator of an activity. The sending of a step number greater than zero is also used to acknowledge receipt and processing of the message with its preceding step number. The final acknowledgement of an activity is sent without a corresponding data payload in order to indicate that it is the end of the sequence.¶
Because SAFE allows messages to be aggregated into an PDU, this also enables explicit pipelining of multiple activities over a sequence of PDUs. It is an implementation matter to determine when to aggregate messages but the patterns defined in Section 7 make use of aggregation.¶
An example of this pipelining is shown in Figure 9, which depicts a series of PDUs sent in opposite direction between two peers "A" and "B". An Initial Authentication (IA) is the first activity (initiated by "A"), followed by a Capability Indication (CI) activity (initiated by "B"), and finally a pair of SA Creation (SC) activities (initiated by "A").¶
Node A A A A A
| ^ | ^ |
v | v | v
Node B B B B B
unsecured | EDHOC security | SAFE security
PDU #1 #2 #3 #4 #5
| | | | |
(IA 0 --- 1 --- 2 --- 3) |
| (CI 0 --- 1 --- 2) |
| | (SC 0 --- 1 --- 2)
| | (SC 0 --- 1 --- 2)
=----- time ----->
As described in Section 4.4 and indicated in Figure 9, the IA step-0 message is always sent alone in a PDU and unsecured. After that IA step 1 through 3 messages use EDHOC session encryption to provide confidentiality with EDHOC EAD for SAFE message aggregation. All subsequent messaging occurs using SAFE ciphertext confidentiality with SAFE plaintext aggregation.¶
Each encoded SAFE message SHOULD use CBOR core deterministic encoding requirements from Section 4.2.1 of [RFC8949]. Each SAFE message SHALL consist of a CBOR sequence containing the following items.¶
The combination of Activity Index and Activity Step SHALL uniquely identify a message in an activity sequence independently of the type of activity being performed.¶
The activity index SHALL be unique per initiator and transport conversation (e.g., unordered pair of source and destination EID). The first activity index for a conversation SHALL be zero, and each subsequent activity initiated by a peer SHALL increment the activity index by one.¶
The first step of an activity SHALL be zero, and each subsequent step SHALL increment by one. This means that the initiator of an activity can be identified implicitly because it will only send messages with an even step number and will only receive messages with an odd step number.¶
The last message of an activity sequence SHALL NOT contain either an activity type or a data payload. That last message is purely to acknowledge the message from the previous step and conclude the activity.¶
This structure is indicated by the following CDDL for the general SAFE message structure and its data item payload.¶
safe-msg-bstr = bstr .cborseq safe-msg
safe-msg = $safe-msg .within safe-msg-struct
safe-msg-struct = [
msg-ident,
? (
act-type: int16,
data-map
)
]
; Unique identifier for a single message (one step of one activity)
msg-ident = (
act-idx: uint,
act-step: uint,
)
; activity-type-specific data
; non-negative labels are well-known
; negative labels are private use
data-map = {
* label => value,
}
; Generic map label
label = int16
; Generic map value
value = any
; Signed integer that fits in 16-bit two's complement form
int16 = -32768 .. 32767
¶
As described in Section 3.2, the state kept by each entity about an activity includes the step of the message last sent by the entity (LTX) and the step of the message last received from the peer entity (LRX). Based on these two step states, each entity can determine how to make progress¶
An example of this logic is shown in Figure 10.
The state notation of {LTX,LRX} indicates the LTX and LRX steps respectively and negative values are used as a placeholder for an invalid/absent step number.
In that diagram, if a state transition has a specific trigger condition it is indicated by square bracket text.¶
Initiator Responder
+-----------------+ +-----------------+
| | | |
| {-1,-1} Start | | {-1,-1} Start |
| | Step 0 | |
+--------+--------+ Message +--------+--------+
Re-TX | ident+data [RX 0]|
+--------+ | TX 0 ~~~~~~~~~~~~~~> |
| v v v
| +-----------------+ +-----------------+
| | | | |
+--+ { 0,-1} Wait | | {-1, 0} Process |
[timer]| | Step 1 | |
+--------+--------+ Message +--------+--------+
|[RX 1] ident+data | Re-TX
| <~~~~~~~~~~~~~~ TX 1 | +--------+
v v v |
+-----------------+ +-----------------+ |
| | | | |
| { 0, 1} Process | | { 1, 0} Wait +--+
| | Step 2 | |[timer]
+--------+--------+ Message +--------+--------+[Re-RX]
Re-TX | ident [RX 2]|
+--------+ | TX 2 ~~~~~~~~~~~~~~> |
| v v v
| +-----------------+ +-----------------+
| | | | |
+--+ { 2, 1} Finished| | { 1, 2} Finished|
[Re-RX]| | | |
+--------+--------+ +--------+--------+
|[timer] [timer]|
v v
+-----------------+ +-----------------+
| | | |
| {-1,-1} Removed | | {-1,-1} Removed |
| | | |
+-----------------+ +-----------------+
Based on an existing activity state (Section 3.2) when the last LTX step is less than the LRX step, or when the initiator starts the activity, or an activity-associated retransmission timer expires, the entity SHALL perform the following:¶
If the next step is within the number of steps for this activity type, generate type-specific data items based on the activity type and next step.¶
Otherwise, only the message identity is present and no activity type or data items are needed.¶
If either the LTX or LRX step are beyond the number of steps for this activity type, the activity is in the finished state.¶
Otherwise, begin a retransmission timer associated to the activity index with a duration taken from the expected round-trip time between the peer node plus some optional additional margin. It is an implementation matter to determine the specific margin added to the expected round-trip duration.¶
Upon receiving a SAFE message from a peer, an entity SHALL perform the following:¶
Error indication and handling is generally accomplished by terminating an activity early, indicating error conditions within data item(s) specific to the activity type, and possibly the initiator of the terminated activity attempting a new activity of that type with options adjusted based on error feedback. When an error is indicated on an activity it SHALL be considered finished regardless of the step in which the error was indicated.¶
Because SAFE is used to provide BPSec key material, the security properties of a SAFE bundle are more complex than other BP flows might be. For example, the bundles carrying Initialization messages need to be transported as plaintext payload (with intrinsic EDHOC protections) while other SAFE bundles need to be protected by the keys from a primary SA (negotiated as part of the EDHOC sequence).¶
The structure of a SAFE PDU is a CBOR sequence of the SAFE version number followed by header items and then payload items. The protocol in this document SHALL be identified by version number 1. The version specific header defined in this document SHALL be the following:¶
null value¶
true value¶
When the Partial IV is null, the payload SHALL be one of the EDHOC messages defined in [RFC9528] and handled in accordance with Section 5.1.
When the Receiver SAI is true, the payload SHALL be a Message 1 as defined in Section 5.2 of [RFC9528].
All other Receiver SAI values SHALL be treated as a connection identifier, encoded in accordance with Section 3.3.2 of [RFC9528], used to correlate with an existing EDHOC session.¶
When the Partial IV is a byte string, the payload SHALL be a SAFE ciphertext and handled in accordance with Section 9.1.2. In this case, Receiver SAI values SHALL be decoded as and treated as a Security Association Identifier (SAI) used to correlate with the Local SAI of a Primary SA (see Table 3) on the receiving entity.¶
This is indicated by the following CDDL for the SAFE bundle PDU sequence.¶
; Encoded to PDU as CBOR sequence
safe-pdu-seq = [
version: 1,
; PDU variants follow the same structure with unique prefix items
safe-pdu-edhoc // safe-pdu-confidential,
]
safe-pdu-edhoc //= (
partial-iv: null,
rx-sai: true,
; Group message_1 from RFC 9528
message_1
)
safe-pdu-edhoc //= (
partial-iv: null,
rx-sai: safe-sai,
edhoc_234 // error
)
; Equivalent to (message_2 // message_3 // message_4) from RFC 9528
; Encoded SAFE messages can be present as EAD items
edhoc_234 = bstr
safe-pdu-confidential //= (
partial-iv: bstr,
rx-sai: safe-sai,
; Ciphertext data corresponding to safe-pdu-plaintext below
ciphertext: bstr
)
; A sequence of encoded-message bstr with optional tagged padding
safe-pdu-plaintext = (+ safe-msg-bstr, ? safe-padding)
safe-padding = #6.55799(bstr)
safe-pdu-aad = (
rx-sai: safe-sai
)
Within restrictions defined for each message type, multiple messages MAY be combined into a single PDU (as either EDHOC EAD or SAFE plaintext). Due to the logic of the Initial Authentication (IA) sequencing, only one EDHOC session can make progress between two endpoints at any time so there is no concept of a full EDHOC PDU embedded within an EAD item, only individual messages.¶
Each SAFE PDU is handled as an application data unit (ADU) of a BPv7 bundle, referred to as a "SAFE bundle" in this document. Additional constraints, controllability, and visibility on transport parameters are defined in the following subsection.¶
Both the source and destination EID, defined in Section 4.3.1 of [RFC9171], for a SAFE bundle SHALL be singleton. The source EID for SAFE bundles SHALL NOT be a null EID. Each endpoint for SAFE messaging needs to be an identified singleton. The bundle source and destination EID for received bundles SHALL be exposed to the SAFE entity in order to support message exchange sequencing.¶
When using the IPN scheme, the EIDs used as source and/or destination SHOULD use the well-known service number defined in Section 12.1. SAFE entities can use other schemes and service numbers, but such configuration is an implementation and deployment matter.¶
The bundle creation timestamp (both DTN time and sequence number), defined in Timestamp Section 4.3.1 of [RFC9171], for received bundles SHALL be exposed to the SAFE entity to allow it to de-duplicate and order received SAFE bundles.¶
This section defines the initial types of activity which make use of SAFE message (Section 4.2) sequencing to exchange data.¶
Any current or future activity type SHALL define how many steps comprise a single sequence of messages and what is the required data payload of each step.¶
This activity is used to establish an initial shared secret between two SAFE endpoints which don't already have a usable SA, or when re-authentication is deemed necessary by either side of an existing SA.¶
Because this is the initializing activity for all other SAFE interactions, and occurs outside of any pre-existing SA, it does not follow the same message structure as other SAFE activities but it does use the same local progress bookkeeping and retransmission logic (from Section 4.3). The retransmission logic and the BP transport of Section 4 satisfies the EDHOC requirements of Section 3.4 of [RFC9528].¶
Even though the IA activity does not follow the same messaging structure, it does have an activity identifier allocated to it in Table 28 to allow its state to be tracked in accordance with Section 3.2. The IA activity SHALL be identified by activity type 0.¶
Only one instance of this activity SHOULD be in progress at any time. The data of each PDU for the IA activity SHALL contain an EDHOC message as defined in Section 5 of [RFC9528].¶
The sequence of steps and their data for this activity are the following:¶
An indication of failure in the activity is provided by an EDHOC error CBOR sequence in place of the normal EDHOC message. SAFE entities SHALL use EDHOC errors in accordance with Section 6 of [RFC9528].¶
During transport, PI PDUs SHALL NOT be the target of a BPSec confidentiality operation between the participating (source and destination) nodes. The use of application-level confidentiality ensures the security of information exchanged via this PDU. There is no restriction on any intermediate security handling of SAFE PDUs between the participating entities.¶
The CDDL corresponding to this activity type are the first two variations of safe-pdu-data from Section 4.4.
Additionally, the EAD payload of the EDHOC messages are extended to be able to confidentially carry encoded SAFE messages during the IA activity.
Any number of EAD items of label TBA5 and value matching the safe-msg-bstr rule (defined in Section 4.2) MAY be present in EDHOC lists EAD_2, EAD_3, and EAD_4.
EAD items of label TBA5 SHALL NOT be present in EAD_1, which is transported as plaintext.¶
After receiving the ID_CRED_x values from a peer, each SAFE entity SHALL¶
When the Message 2 payload is received by the initiator, both peers have established an EDHOC shared secret but only the responder has sent an identity to authenticate with the initiator. When the Message 3 payload is received by the responder, both peers have authenticated each other and established an application AEAD symmetric key and exporter state.¶
Upon the first reception or transmission of IA step 2 (i.e., EDHOC message_3), the entity SHALL create a primary SA based on the data derived in Section 8.1.¶
This activity allows each entity to indicate its SAFE-related capabilities to its peer. The Capability Indication (CI) activity SHALL be identified by activity type 2.¶
The sequence of steps and their data for this activity are the following:¶
| Label | Type |
|---|---|
| 1 | A Concurrent Activity Support (CAS) limit |
| 2 | An EID Scheme Support (ESS) list |
| 3 | A BPSec Context Support (BCS) list |
ci-data = { * $$ci-data } .within data-map
$$ci-data //= (1: concur-act-limit)
$$ci-data //= (2: eid-scheme-list)
$$ci-data //= (3: bpsec-ctxid-list)
¶
This activity is used to create a new SA from within the context of an existing primary SA. The SA Creation (SC) activity SHALL be identified by activity type 3.¶
The sequence of steps and their data for this activity are the following:¶
The responder items with proposals SHALL be a logical subset of the initiator-provided proposals. The Secondary SA SHALL be configured to use a logical intersection between the items provided by the initiator and by the responder. For some cases of EID patterns, the intersection can be derived as a single pattern generated from the initiator and responder options. But for more complex cases, the intersection needs to be represented as a logical AND between the two separate patterns.¶
| Label | Type |
|---|---|
| 0 | Error indications per Section 6.1 for messages after step 0 |
| 1 | The local SAI per Section 6.5 for the SA which does not yet exist |
| Options for key material derivation | |
| 2 | An Additional Key Exchange (AKE) public key value |
| 3 | An Additional Random Nonce (ARN) value |
| Options for when to use the SA | |
| 9 | A Security Mode Selector (SMS) value |
| 6 | One or more Endpoint Selectors (ESx) proposals for the initiator side |
| 7 | One or more Endpoint Selectors (ESx) proposals for the responder side |
| 8 | A Node Time Interval (NTI) used as the SA validity time interval |
| Options for how to use the SA | |
| 4 | A Security Operation Selectors (SOS) with conditions for sourcing and accepting BPSec security |
| 5 | A Key Use Selectors (KUS) for a specific BPSec context, which contains one or more set of key use options as defined in Section 9 |
sc-data = {* $$sc-data } .within data-map
; Error codes from the responder
$$sc-data //= (0: safe-ete)
; SAI for the sender
$$sc-data //= (1: safe-sai)
; Optional PRF parameters
$$sc-data //= (2: safe-ake)
$$sc-data //= (3: safe-arn)
; Initiator side endpoint selectors
$$sc-data //= (6: safe-esx)
; Responder side endpoint selectors
$$sc-data //= (7: safe-esx)
; Time limit for the SA
$$sc-data //= (8: safe-nti)
; BPSec Context and its options for how to use the keys
$$sc-data //= (4: safe-kus)
¶
Upon the first reception or transmission of SC step 1, the entity SHALL create a secondary SA based on the data derived in Section 8.3.¶
This activity is used to negotiate removal of an established SA from both entities. The SA Teardown (ST) activity SHALL be identified by activity type 5.¶
The sequence of steps and their data for this activity are the following:¶
| Label | Type |
|---|---|
| 1 | The local SAI per Section 6.5 |
st-data = {* $$st-data } .within data-map
; Error codes from the responder
$$st-data //= (0: safe-ete)
; SAI for the sender
$$st-data //= (1: safe-sai / true)
¶
This activity is used to preemptively share a one-time-use public key which can be used to add forward secrecy to later-derived content keys in the CK Creation (CC) activity. The recipient of the CP activity will be the initiator of the later CC activity. The SA Prekey (SP) activity SHALL be identified by activity type 5.¶
The sequence of steps and their data for this activity are the following:¶
| Label | Type |
|---|---|
| 1 | The responder local SAI for the containing SA, as defined in Section 6.5 |
| 2 | The KID for the prekey created by the initiator of this activity, as defined in Section 6.6. |
| 3 | A Node Time Interval (NTI) used as the prekey validity time interval. |
| 4 | The sender's one-time-use public key, as defined in Section 6.7. |
cp-data = {* $$cp-data } .within data-map
; SAI for the responder
$$sr-data //= (1: safe-sai)
; KID for the prekey being shared by the initiator
$$cp-data //= (2: safe-kid)
$$cp-data //= (3: safe-nti)
$$cp-data //= (4: safe-ake)
¶
Upon the first reception of CP step 0, the entity SHALL correlate the Local SAI of a Primary SA or Secondary SA and store the prekey information within the SA.¶
This activity is used to establish a new set of derived key (and possibly other) material within an existing SA without changing the other parameters of the SA (e.g., algorithm choice or endpoint selectors). The SA Rekey (SR) activity SHALL be identified by activity type 6.¶
The sequence of steps and their data for this activity are the following:¶
| Label | Type |
|---|---|
| 1 | The responder local SAI for the containing SA, as defined in Section 6.5 |
| 2 | An optional identifier for a prekey, shared by the responder in an earlier CK Prekey (CP) activity, as defined in Section 6.6 |
| 3 | An optional random nonce per Section 6.8 |
sr-data = {* $$sr-data } .within data-map
; Error codes from the responder
$$sr-data //= (0: safe-ete)
; SAI for the responder
$$sr-data //= (1: safe-sai)
; Optional PRF parameters
$$sr-data //= (2: safe-kid)
$$sr-data //= (3: safe-arn)
¶
Upon the first reception or transmission of SR step 0, the entity SHALL correlate the responder SAI of a Primary SA or Secondary SA and create a new content key within it based on the derived secrets defined in Section 8.2 or Section 8.4 respectively.¶
TBD This activity is used by the initiator to inform the peer entity of an event. The Event Notification (EN) activity SHALL be identified by activity type 7.¶
en-data = {* $$en-data } .within data-map
$$en-data //= (1: en-cause)
en-cause = [msg-ident]
¶
This section defines the initial set of data items which can be present as the data payload of a SAFE message (Section 4.2).¶
Some types of data item allow the activity initiator to provide multiple independent proposals, from which the responder can either choose one proposal or create a new single proposal which narrows down from one provided by the initiator. It is the responsibility for each data item type to define detailed logic of acceptable responder proposals. Each proposal SHALL take the form of a CBOR map. When multiple proposals are present, they SHALL take the form of a CBOR array of proposal maps.¶
safe-proposals = data-map / [+ data-map]¶
The Error Type Enumeration (ETE) data item is used by its sender to signal a failure to process a message or make progress in an activity. The ETE value SHALL be an integer limited to the inclusive range -32768 to 32767.¶
These values are used in many activities to indicate a failure in decoding, processing, or consistency of received message contents. Well-known error values are non-negative and registered in Section 12.3. Private and experimental use error values are negative and not registered.¶
safe-ete = [+ safe-error] safe-error = int16¶
This data item indicates how many concurrent (pipelined) SAFE activities the sender of the item supports. The minimum number of concurrent activities supported SHALL be 2. This is necessary in order to enable the processing of Capability Indication (CI) containing this data item during the Initial Authentication (IA) messaging. The maximum number of concurrent activities supported SHALL be 1024. This is an arbitrary upper bound not expected to be encountered during normal operations.¶
An attempt by a peer to send messages associated with more than this limit¶
concur-act-limit = 2 .. 1024¶
This data item indicates which EID schemes the sender of the item supports. Schemes are identified by the code points from the "Bundle Protocol URI Scheme Types" registry at [IANA-BUNDLE], which includes a block reserved for private-use. Expressing support for an EID scheme indicates that the node can handle EIDs of that scheme and EID Patterns with scheme-specific parts.¶
eid-scheme-list = [+ eid-scheme] ; Unrestricted per RFC 9171 eid-scheme = uint¶
This data item indicates which BPSec contexts the sender of the data item supports. Schemes are identified by the code points from the "BPSec Security Context Identifiers" registry at [IANA-BUNDLE], which includes a block of negative values reserved for private-use. Expressing support for a security context indicates that the node can handle sourcing, verifying, and accepting security blocks using that context.¶
bpsec-ctxid-list = [+ bpsec-ctxid] ; Restricted domain per RFC 9172 bpsec-ctxid = -32768 .. 32767¶
The Security Association Identifier (SAI) data item is used by both sides of an SA to uniquely identify the SA within each entity. This means that a single SA has two SAIs used to identify it, one from each entity.¶
An SAI SHALL be treated as an opaque byte string as its internal representation and comparison logic. An SAI SHALL be limited to a length between 0 and 16 bytes inclusive. This length allows a Universally Unique IDentifier (UUID) [RFC9562] to be used as an SAI. An SAI SHALL have the same compressed encoding rules as EDHOC connection identifiers as defined in Section 3.3.2 of [RFC9528].¶
safe-sai = (bstr .size (0..16)) / (-24..23)¶
The Key Identifier (KID) data item is used by both sides of an SA to uniquely identify a shared content key or prekey within each entity. All KIDs are guaranteed unique within the parent primary SA context, but each entity is able to reuse KID values across different primary SAs. Each content key has a single KID defined by the entity which initiated the creation of the symmetric key, and each content prekey has a single KID defined by the entity which holds the associated private key.¶
A KID SHALL be treated as an opaque byte string as its internal representation and comparison logic. A KID SHALL be limited to a length between 0 and 16 bytes inclusive. This length allows a UUID [RFC9562] to be used as an KID. A KID SHALL have the same compressed encoding rules as EDHOC connection identifiers as defined in Section 3.3.2 of [RFC9528].¶
safe-kid = (bstr .size (0..16)) / (-24..23)¶
This data item indicates the public key of the sender for an additional ECDH exchange to add forward secrecy to a secondary SA. When sent by the activity initiator this is a request for additional key exchange, and when sent by the responder this is the confirmation that a key exchange is supported and desired. The algorithm and parameters related to key exchange are taken from the cipher suite negotiated by the primary SA.¶
; The compressed public key for the same algorithm as the primary SA safe-ake = bstr¶
This data item provides a random nonce value from the sender to add entropy into the PRF used during SA Creation (Section 5.3) and CK Creation (Section 5.6) to generate content key data. The data value SHALL be a byte string with a size in the inclusive range 1 to 256 bytes.¶
safe-arn = bstr .size (1..256)¶
This data item controls how the secondary SA is used in the BP data plane by the BPSec entity in each participating node. This data value SHALL be an integer limited to the inclusive range -32768 to 32767.¶
Based on the discussion in Section 1.2 this document defines two modes: end-to-end (1) and one-hop (2). The behavior of these modes is defined in Section 9.2. Future specifications can add additional mode code points with different behavior.¶
safe-sms = secondary-sa-mode .within int16
secondary-sa-mode = &(
end-to-end: 1,
one-hop: 2,
)
¶
This data item filters on the current DTN time of the node hosting the SAFE entity. The type is used to limit the validity time of the associated SA, but requires synchronization of time between the two peers to perform properly. The start time can be the current time to allow immediate use of the SA or can be in the future to pre-establish an SA meant to be used later on. An entity can use NTI in multiple SCs, possibly using concurrent SC activities, to establish a chain of SAs each spanning a small time interval that together spans a large time interval.¶
The NTI value SHALL consist of a start time and an end time. The SA established with an NTI value SHALL be valid at an after the start time (inclusive), and only before the end time (exclusive).¶
relocate this to secondary SA info section? Multiple SAs between the same two peers with the same mode and endpoint selectors MAY have validity NTIs which overlap in time. In that case, it is an implementation matter to choose which SA to use for securing traffic. prefer lexicographic lower SAI?¶
; Using DTN time as reported by the local BP node
safe-nti = [
begin: dtn-time,
end: dtn-time
]
¶
This data item is used to determine which individual bundles will correlate with a secondary SA by comparing their source and destination EIDs to patterns. There is a separate endpoint selector applied to the initiator and responder side of a secondary SA, where each side selects on the source EID for traffic being forwarded from that node and destination EID for traffic being received by that node.¶
This selector filters on the Source or Destination of the bundle contained in its primary block (see Section 4.3.1 of [RFC9171]). The pattern can, but doesn't need to, include the EIDs from the node to which it applies (see Section 1.2).¶
The value of this data item consists of one or more EID Pattern in accordance with [I-D.ietf-dtn-eid-pattern], as indicated by the following CDDL. When multiple patterns are present they each represent an alternate proposal provided by the initiator and chosen by the responder of an activity.¶
safe-esx = eid-selectors .within safe-proposals eid-selectors = embed-eid-pattern / [+ embed-eid-pattern]¶
This data item controls how the node of each SAFE endpoint applies BPSec security operations to traffic selected for handling by the secondary SA.¶
The SOS value SHALL be an array with the following items.¶
safe-sos = [
target-block-types: [+ bpv7-block-type],
service: bpsec-service,
]
; Type consistent with RFC 9171
bpv7-block-type = uint
; Services available in RFC 9172
bpsec-service = &(
integrity: 1,
confidentiality: 2,
)
¶
This data item is used to negotiate the purpose(s) for which an SA-derived symmetric key can be used by each side of the SA.¶
The KUS value is an array with the following items.¶
safe-kus = $safe-kus .within safe-kus-struct
safe-kus-struct = [
ctxid: bpsec-ctxid,
options: safe-proposals
]
¶
Some examples of what KUS options can be defined by each Context binding are: a specific algorithm identifier or an choice of additional authenticated data (AAD) outside the security target block.¶
The packetization form defined in Section 4 allows multiple messages to be combined into a single ADU but this behavior is limited by support for the receiving entity, as defined and communicated in the Concurrent Activity Support (CAS) data item. Two examples of how this parameter affects activity sequencing is shown in Figure 12 for a large CAS limit and Figure 13 for a constraining limit of two. Note that when constrained, some activities can only begin with specific odd PDU numbers (from IA initiator) or even numbers (from the IA responder) so there are necessarily gaps between activities so less efficient use of the network.¶
PDU #1 #2 #3 #4 #5
| | | | |
(IA 0 --- 1 --- 2 --- 3) |
| (CI 0 --- 1 --- 2) |
| (SC 0 --- 1 --- 2) |
| | (SC 0 --- 1 --- 2)
| | (SC 0 --- 1 --- 2)
=----- time ----->
PDU #1 #2 #3 #4 #5 #6 #7 #8 #9 #10 #11
| | | | | | | | | | |
(IA 0 --- 1 --- 2 --- 3)(SC 0 --- 1 --- 2) (SC 0 --- 1 --- 2)
| (CI 0 --- 1 --- 2) (SC 0 --- 1 --- 2)
=----- time ----->
Regardless of how activities are aggregated into specific ADUs, the following requirements apply to ordering of activities related to a single primary SA.¶
When no primary SA exists between two SAFE application endpoints, the first messaging between those applications SHALL be Initial Authentication (IA) used to progress the activity state and establish a primary SA. After a primary SA exists, either side of the SA MAY choose to initialize a new primary SA and re-authenticate with its peer.¶
Only after the first step of the IA activity has been received, the responder for the IA activity SHALL begin a Capability Indication (CI) activity. This CI activity MAY begin immediately upon sending of the second IA step, or MAY wait until after the IA activity has completed and a primary SA is established.¶
Only after the first step of the CI activity has been received, the initiator for the IA activity SHOULD begin any number of needed SA Creation (SC) activities. Only after the second step of the CI activity has been received, the responder for the IA activity SHOULD begin any number of needed SA Creation (SC) activities. The number of concurrent SC activities allowed to be started at each step is limited by the CAS limit for the receiving peer.¶
+-----------+
| Start |
+-----+-----+
IA step 0 |
|
+-------v--------+
| |
| Initializing <---.
| | |
+-------+---+----+ | IA step 1-2
IA step 3 | | |
| '--------`
|
+-------v--------+
| |
| Established <---.
| | | SA Rekey
+-------+------+-+ | (optional)
ST step 0 | | |
| '-----`
+-----v-----+
| Half Down |
+-----------+
ST step 1 |
+-----v-----+
| Removed |
+-----------+
Within the Initial Authentication (IA) activity, a shared secret is established and internal pseudo-random keys (PRKs) for EDHOC processing are derived.
One of the final PRKs, the PRK_exporter, is used for "EDHOC application" purposes which in this case means SAFE entity use as depicted in Figure 15 and defined in the following subsections.¶
EDHOC
PRK_Exporter
|
+-------|-----------------------+
| exp. v Primary SA |
|label->O |
| | |
| v |
| PRK_SA1 |
| | Each CK |
| +--------+-...-+ |
| | v v |
| | KID-->O O<--KID |
| | | | |
| | v v |
| SK_SA1 SK_SA1 |
+-------|-----------------------+
+-------|-----------------------+
| v Each Secondary SA |
|SAIs-->O |
| | |
| v |
| PRK_SA2 |
| | Each CK |
| +--------+-...-+ |
| v v |
| KID-->O O<--KID |
| | | |
| v v |
| SK_SA2 SK_SA2 |
+-------------------------------+
The primary SA is used to manage derived data for two independent purposes: content keys for message security between the SAFE endpoints themselves, and as the PRK used to derive secondary SAs between the two SAFE entities.¶
The EDHOC processes which generate the PRK_Exporter secret bind that PRK to all of the transcript hash (TH) data from the EDHOC session, which includes the C_I and C_R identifiers as they are part of EDHOC message 1 and message 2 respectively.
Because the primary SA uses those connection identifiers as the SAI for each side of the primary SA creation, there is no additional context needed to derive the PRK for the primary SA.
The associated EDHOC_Exporter is used once during primary SA creation to derive a seed PRK for the entire primary SA.¶
PRK_SA1 = EDHOC_Exporter(TBA4, '', hash_length)
An application-level derivation function SAFE_KDF is defined with the same logic as the EDHOC_KDF in Section 4.1.2 of [RFC9528] except using the Hash Algorithm of the Primary SA.
The pseudocode defining this KDF is in Figure 17.
This KDF is used within each primary SA to derive content keys (Section 8.2) and secondary SA PRKs (Section 8.3).¶
SAFE_KDF(PRK, info_label, context, length) = EDHOC_KDF(PRK, info_label, context, length)
A summary of labels used with SAFE_KDF and the PRK_SA1 is listed in Table 14¶
| Label | Description |
|---|---|
| 0 | Secondary SA PRK in Section 8.3. |
| 1, 2 | Primary SA content keys in Section 8.2. |
The primary SA key uses take the form of COSE key objects as defined in Section 7 of [RFC9052]. Because the acceptable algorithms are limited to AEAD encryption, the acceptable operations for each key in each entity are one of: encrypt (3), or decrypt (4).¶
When the COSE algorithm is one of the AEAD algorithms, the COSE key SHALL contain the following parameters.
Notably, these keys do not contain a kid parameter because they are not intended to be referenced from outside of the SAFE entity managing the primary SA.¶
kty (1):alg (3):key_ops (4):Base IV (5):BIV_IR (from Figure 18) if the key is for traffic from the initiator side, or BIV_RI otherwise¶
k (-1):K_IR (from Figure 18) if the key is for traffic from the initiator side, or K_RI otherwise¶
Pseudocode used to explain this is shown in Figure 18, where the named parameters are:¶
KID:ARN:PRK_FS:PRK_SA1:key_length:iv_length:context_ck1 = KID | ARN | PRK_FS SK_SA1 = SAFE_KDF(PRK_SA1, 1, context_ck1, key_length) BIV_SA1 = SAFE_KDF(PRK_SA1, 2, context_ck1, iv_length)
The SAFE_KDF is used once during secondary SA creation to derive a seed PRK for the entire secondary SA.¶
Pseudocode used to explain this is shown in Figure 19, where the named parameters are:¶
SAI(i) and SAI(r):ARN(i) and ARN(r):PRK_FS:PRK_SA1:hash_length:context_sa2 = SAI(i) | SAI(r) | ARN(i) | ARN(r) | PRK_FS PRK_SA2 = SAFE_KDF(PRK_SA1, 0, context_sa2, hash_length)
Additional output key material (OKM) specific to the BPSec security context being used is derived from the PRK_SA2 value with integer labels for different, security-context-specific purposes.
It is part of the obligation of each BPSec key use to define what label values apply to key material needed by that context.
An IANA registry for recording these labels is defined in Section 12.3.¶
Pseudocode used to explain this is shown in Figure 20, where the named parameters are:¶
ctxid:context:length:SAFE_OKM(ctxid, context, length) = SAFE_KDF(PRK_SA2, ctxid, context, length)
The ultimate point of establishing a SA is to make use of the derived symmetric keys for BPSec security operations as defined in [RFC9172].¶
When BPSec contexts make use of SAs defined by this document they will require an explicit mapping from the algorithm and operation selectors from Section 3.4 onto the algorithm and operation identifiers specific to that context. For example the default security contexts correspond to a subset of the AES-GCM algorithms of specific key lengths (see Section 9.4) and the HMAC-SHA2 algorithms of specific key lengths (see Section 9.3).¶
All current and future BPSec context bindings SHALL define the following aspects:¶
SAFE_SA2 PRK from the secondary SA.¶
Part of the purpose of establishing a primary SA with a peer is to derive an encryption key (with associated base IV) to enable SAFE message confidentiality in each direction. Similar to how EDHOC cryptographic functions make use of COSE primitives but not COSE message encodings, SAFE reuses COSE primitives for its own end-to-end security.¶
These conditions apply even if there is an existing Primary SA which is being superseded by a new IA activity.¶
While an IA activity is in progress, outgoing SAFE messages SHALL be embedded as EAD items within an associated EDHOC message. Each encoded message byte string SHALL be placed in a separate EAD value with corresponding EAD label TBA5 in accordance with Section 3.8 of [RFC9528].¶
While an IA activity is in progress, incoming SAFE messages SHALL be extracted from the EAD of an associated EDHOC message. These messages are not processed any differently than other received SAFE messages.¶
After the IA activity has completed (initiator has sent, responder has received) step 3, a SAFE entity SHALL encrypt aggregated outgoing messages according to the following.¶
Internally generate and encrypt a COSE_Encrypt0 object as defined in Section 5.3 of [RFC9052] using the following inputs:¶
An encoded map containing the following pairs:¶
A map containing the following pairs:¶
external_aad:safe-pdu-aad (as defined in Figure 11, and using the same encoding as the PDU) No binding to transport source or destination EID?? Should concatenate these in AAD.¶
Use the result to construct the following PDU fields, named as in Section 4.4:¶
partial-iv:rx-sai:ciphertext:Because this encoding does not use AAD to bind it to specific transport parameters, the entire PDU can be retained and retransmitted if necessary (see Section 4.3).¶
Upon receiving an PDU containing a non-null partial-iv value, the SAFE entity SHALL decrypt the aggregated messages according to the following.¶
Use the provided rx-sai to match with the Local SAI of one Primary SA.¶
If no match is found then TBD.¶
Internally generate and decrypt a COSE_Encrypt0 object as defined in Section 5.3 of [RFC9052] using the following parameters:¶
An encoded map containing the following pairs:¶
A map containing the following pairs:¶
partial-iv value from the SAFE PDU header.¶
K_IR or K_RI of Section 8.3 from the Secondary SA for the initiator or responder respectively.¶
ciphertext field of the PDU payload.¶
external_aad:safe-pdu-aad (as defined in Figure 11, and using the same encoding as the PDU).¶
If decryption fails then TBD.¶
For both encryption and decryption, the Base IV (defined in Section 8.1) present in the keys of the Primary SA is combined with the Partial IV byte string in accordance with Section 3.1 of [RFC9052].¶
This section contains logic related to how the Security Mode Selector (SMS), Validity Time Interval, Endpoint Selectors, and Security Operation Selector (SOS) of the Secondary SA (as described in Section 3.4) inform the BPSec entity on both the Initiator and Responder nodes.¶
The SMS value determines at which of the BP Agent interaction points (see Figure 2) the SA is applicable with logic as follows.¶
When the SMS value is end-to-end (1), the node SHALL apply the SA policy at bundle transmission (from endpoint application) as source and at bundle delivery (to endpoint application) as acceptor.¶
When the SMS value is one-hop (2), the node SHALL apply the SA policy at bundle forwarding (to CLA) as source and at bundle reception (from CLA) as acceptor.¶
At the source interaction point, the node SHALL only apply the SA policy when the current DTN time of the node is within the Validity Time Interval of the SA.¶
At the acceptor interaction point, the node SHALL only apply the SA policy when the DTN time from the Timestamp of the Primary Block (see Section 4.3.1 of [RFC9171]) is within the Validity Time Interval of the SA.¶
At each interaction point, the node SHALL compare the Source and Destination EID of the Primary Block (as defined in Section 4.3.1 of [RFC9171]) of each bundle against one of the following.¶
At the source interaction point, the Source EID is compared to the Local Endpoint Selectors field and the Destination EID is compared to the Peer Endpoint Selectors field.¶
At the acceptor interaction point, the Source EID is compared to the Peer Endpoint Selectors field and the Destination EID is compared to the Local Endpoint Selectors field.¶
This section defines how a secondary SA can be negotiated for and used by the integrity context of [RFC9173] with context identifier code point 1.¶
For the BIB-HMAC-SHA2 context the "Key Use Options" field of Section 3.4 is augmented to include the following information.¶
| Name | Description |
|---|---|
| SHA Variant | One of the code points defined in Section 3.3.1 of [RFC9173]. |
| Integrity Scope Flags | A value with bit flags defined in Section 3.3.3 of [RFC9173]. |
For the BIB-HMAC-SHA2 context the "Key Information" field of Section 3.4 is augmented to include the following information.¶
| Name | Description |
|---|---|
| TX Key | A byte string for the security source role. |
| RX Keys | One or more byte strings for the security acceptor role. |
The BIB-HMAC-SHA2 context uses existing code points to identify key use options.¶
$safe-kus /= [
ctxid: 1,
options: kus-options-ctxid1 .within safe-proposals
]
kus-options-ctxid1 = kus-map-ctxid1 / [+ kus-map-ctxid1]
kus-map-ctxid1 = {
; SHA Variant values from Section 3.3.1 of RFC 9173
1: uint,
; Integrity Scope flags from Section 3.3.3 of RFC 9173
2: uint,
}
¶
The secondary SA key uses for context 1 take the form of raw symmetric key data. Because the acceptable algorithms are limited to HMAC, there are no other options beyond the symmetric key.¶
The raw symmetric key SHALL be either CTX1_KEY_IR (from Figure 21) if the key is for traffic from the initiator side, or CTX1_KEY_RI otherwise.¶
CTX1_KEY_IR = SAFE_OKM(1, 'key_ir', key_length) CTX1_KEY_RI = SAFE_OKM(1, 'key_ri', key_length)
When each security operation for context 1 needs to be applied, as defined in Section 9.2, as the security source the node SHALL perform the following:¶
When each security operation for context 1 needs to be applied, as defined in Section 9.2, as the security acceptor the node SHALL perform the following:¶
This section defines how a secondary SA can be negotiated for and used by the confidentiality context of [RFC9173] with context identifier code point 2.¶
For the BCB-AES-GCM context the "Key Use Options" field of Section 3.4 is augmented to include the following information.¶
| Name | Description |
|---|---|
| AES Variant | One of the code points defined in Section 4.3.2 of [RFC9173]. |
| AAD Scope Flags | A value with bit flags defined in Section 4.3.4 of [RFC9173]. |
| IV Counter | An integer counter which initializes to 0 at SA creation. |
For the BCB-AES-GCM context the "Key Information" field of Section 3.4 is augmented to include the following information.¶
| Name | Description |
|---|---|
| TX Key | A byte string for the security source role. |
| TX IV Counter | An integer counter which initializes to 0 at SA creation. |
| RX Keys | One or more byte strings for the security acceptor role. |
The BCB-AES-GCM context uses existing code points to identify key use options.¶
$safe-kus /= [
ctxid: 2,
options: kus-options-ctxid2 .within safe-proposals
]
kus-options-ctxid2 = kus-map-ctxid2 / [+ kus-map-ctxid2]
kus-map-ctxid2 = {
; AES Variant values from Section 4.3.2 of RFC 9173
1: uint,
; AAD Scope flags from Section 4.3.4 of RFC 9173
2: uint,
}
¶
The secondary SA key uses for context 2 take the form of raw symmetric key data. Because the acceptable algorithms are limited to AEAD, there are no other options beyond the symmetric key.¶
The raw symmetric key SHALL be either CTX2_KEY_IR (from Figure 22) if the key is for traffic from the initiator side, or CTX2_KEY_RI otherwise.¶
CTX2_KEY_IR = SAFE_OKM(2, 'key_ir', key_length) CTX2_KEY_RI = SAFE_OKM(2, 'key_ri', key_length)
When each security operation for context 2 needs to be applied, as defined in Section 9.2, as the security source the node SHALL perform the following:¶
When each security operation for context 2 needs to be applied, as defined in Section 9.2, as the security acceptor the node SHALL perform the following:¶
This section defines how a secondary SA can be negotiated for and used by the COSE context of [I-D.ietf-dtn-bpsec-cose] with context identifier code point 3. The derived keys are suitable for use with COSE encryption or MAC operations between the nodes hosting the SAFE entities.¶
For the COSE context the "Key Use Options" field of Section 3.4 is augmented to include the following information.¶
| Name | Description |
|---|---|
| COSE Algorithm | One of the code points defined in the "COSE Algorithms" registry of [IANA-COSE] for either AEAD encryption or MAC operation. |
| AAD Scope | A map structure defined in Section 2.2.2 of [I-D.ietf-dtn-bpsec-cose]. |
For the COSE context the "Key Information" field of Section 3.4 is augmented to include the following information.¶
| Name | Description |
|---|---|
| TX COSE Key | A COSE Key object for the security source role. |
| TX Partial IV Counter | An integer counter which initializes to 0 at SA creation. This field is used only for confidentiality services. |
| RX COSE Keys | One or more COSE Key objects for the security acceptor role. |
The COSE key structure is defined in Section 7 of [RFC9052].¶
The BPSec COSE context uses existing COSE code points to identify key use options.¶
| Label | Description |
|---|---|
| 3 | One of the code points defined in the "COSE Algorithms" registry of [IANA-COSE] for either AEAD encryption or MAC operation. |
$safe-kus /= [
ctxid: 3,
options: kus-options-ctxid3 .within safe-proposals
]
kus-options-ctxid3 = kus-map-ctxid3 / [+ kus-map-ctxid3]
kus-map-ctxid3 = {
; COSE alg header values
3: tstr / int,
}
¶
The secondary SA key uses for context 3 take the form of COSE key objects. Because the acceptable algorithms are limited to AEAD encryption and MAC, the acceptable operations for each key in each entity are one of: encrypt (3), decrypt (4), MAC create (9), or MAC verify (10).¶
When the COSE algorithm is one of the MAC algorithms, the COSE key SHALL contain the following parameters.¶
kty (1):kid (2):alg (3):key_ops (4):k (-1):CTX3_KEY_IR (from Figure 23) if the key is for traffic from the initiator side, or CTX3_KEY_RI otherwise¶
When the COSE algorithm is one of the AEAD algorithms, the COSE key SHALL contain the following parameters.¶
kty (1):kid (2):alg (3):key_ops (4):Base IV (5):CTX3_BIV_IR (from Figure 23) if the key is for traffic from the initiator side, or CTX3_BIV_RI otherwise¶
k (-1):CTX3_KEY_IR (from Figure 23) if the key is for traffic from the initiator side, or CTX3_KEY_RI otherwise¶
CTX3_KEY_IR = SAFE_OKM(3, 'key_ir', key_length) CTX3_BIV_IR = SAFE_OKM(3, 'biv_ir', iv_length) CTX3_KEY_RI = SAFE_OKM(3, 'key_ri', key_length) CTX3_BIV_RI = SAFE_OKM(3, 'biv_ri', iv_length)
When each security operation for context 3 needs to be applied, as defined in Section 9.2, as the security source and the COSE algorithm is one of the MAC algorithms, the node SHALL perform the following:¶
A BIB result for COSE_Mac0 (17) SHALL be constructed in accordance with Section 2.3.1 of [I-D.ietf-dtn-bpsec-cose] containing the following parameters.¶
An encoded map containing the following pairs:¶
A map containing the following pairs:¶
external_aad:When each security operation for context 3 needs to be applied, as defined in Section 9.2, as the security acceptor and the COSE algorithm is one of the MAC algorithms, the node SHALL perform the following:¶
A BIB result for COSE_Mac0 (17) SHALL be extracted in accordance with Section 2.3.1 of [I-D.ietf-dtn-bpsec-cose] and verified to have the following minimum parameters.¶
An encoded map containing the following pairs:¶
A map containing the following pairs:¶
kid parameter from one of the COSE Key of the TX Key Information of the SA¶
If the required header parameters are missing or invalid, the procedure is considered failed.¶
The extracted COSE_Mac0 is then verified using the following parameters:¶
external_aad:If the verification fails, the procedure is considered failed.¶
When each security operation for context 3 needs to be applied, as defined in Section 9.2, as the security source and the COSE algorithm is one of the AEAD algorithms, the node SHALL perform the following:¶
A BCB result for COSE_Encrypt0 (16) SHALL be constructed in accordance with Section 2.3.2 of [I-D.ietf-dtn-bpsec-cose] containing the following parameters.¶
An encoded map containing the following pairs:¶
A map containing the following pairs:¶
external_aad:When each security operation for context 3 needs to be applied, as defined in Section 9.2, as the security acceptor and the COSE algorithm is one of the AEAD algorithms, the node SHALL perform the following:¶
A BCB result for COSE_Encrypt0 (16) SHALL be extracted in accordance with Section 2.3.2 of [I-D.ietf-dtn-bpsec-cose] and verified to have the following minimum parameters.¶
An encoded map containing the following pairs:¶
A map containing the following pairs:¶
If the required header parameters are missing or invalid, the procedure is considered failed.¶
The extracted COSE_Encrypt0 is then processed to decrypt using the following parameters:¶
external_aad:The decryption modifies the target block in place as a detached payload. If the authenticated decryption fails, the procedure is considered failed.¶
The parameters of the derived COSE keys already intrinsically restrict their use based on the requirements of [I-D.ietf-dtn-bpsec-cose] and [RFC9053], so no additional checks are specified in this document.¶
TBD with a new extended key use for this protocol. Profile of [RFC5280] allowing C509 [I-D.ietf-cose-cbor-encoded-cert].¶
This section separates security considerations into threat categories based on guidance of BCP 72 [RFC3552].¶
Because the SAFE protocol uses EDHOC for its initial authentication activity and messaging and uses primary SA data for confidentiality afterward, the only information which is exposed in plaintext are the Security Association Identifier (SAI) values (which are also EDHOC connection identifiers) and SAFE confidentiality partial IV (Section 4.4) values.¶
Both of these values are used strictly for uniqueness and can either be generated by a SAFE entity deterministically or randomly. Neither value contains data derived from or correlated to any outside information, so visibility to a passive attacker is not useful to degrade SAFE security. Their visibility could be used by a passive attacker for SAFE traffic analysis.¶
The sizes of ciphertext values in all forms of SAFE PDU can be used by a passive attacker to estimate the types of SAFE activities being performed. To mitigate this threat, it is possible for a SAFE entity to use EDHOC padding EAD (see Section 3.8.1 of [RFC9528]) during the IA activity or SAFE confidential PDU plaintext padding item (see Section 4.4).¶
The SAI values are necessary to correlate EDHOC messages and to decrypt SAFE PDUs, so must be in plaintext and any on-path attacker modification of these values will cause either the EDHOC negotiation to fail or the SAFE decryption to fail.¶
The IV values are already part of what would be sent with the associated ciphertext, and any modification will cause the SAFE decryption to fail.¶
Both of these conditions are detectable by the receiver being attacked so there is no possibility of the attacker causing undetectable changes.¶
The behaviors described in this section all amount to a potential denial-of-service to a participating node. The denial-of-service could be limited to an individual node, or could affect all entities on a host or network segment.¶
TBD¶
Registration procedures referred to in this section are defined in [RFC8126].¶
Within the registry group of [IANA-URI], the registry titled "'ipn' Scheme URI Well-known Service Numbers for BPv7" has been updated to include the following entry.¶
| Value | Description | Reference |
|---|---|---|
| TBA3 | BPv7 SAFE Messaging | [This specification] |
Within the registry group of [IANA-EDHOC], the registry titled "EDHOC Exporter Labels" has been updated to include the following entry.¶
| Label | Description | Reference |
|---|---|---|
| TBA4 | Derived BPv7 SAFE Secret | [This specification] |
Within the registry group of [IANA-EDHOC], the registry titled "EDHOC External Authorization Data" has been updated to include the following entry.¶
| Name | Label | Description | Reference |
|---|---|---|---|
| BPv7 SAFE | TBA5 | A single message for BPv7 SAFE | [This specification] |
A new registry group "Bundle Protocol (BP) Security Associations with Few Exchanges (SAFE)" has been created at [IANA-SAFE].¶
Within the registry group of [IANA-SAFE], the registry titled "SAFE Security Modes" has been created with registration procedures from Table 25 and initial contents of Table 26.¶
| Range | Registration Procedures |
|---|---|
| -32768 to 0 | Reserved |
| 1 to 255 | RFC Required |
| 256 to 32767 | Specification Required |
| Value | Name | Reference |
|---|---|---|
| -32768 to -32641 | Reserved for experimental use | [This specification] |
| -32640 to -1 | Reserved for private use | [This specification] |
| 0 | Reserved | [This specification] |
| 1 | end-to-end | [This specification] |
| 2 | one-hop | [This specification] |
| 3 to 32767 | Unassigned |
Within the registry group of [IANA-SAFE], the registry titled "SAFE Activity Types" has been created with registration procedures from Table 27 and initial contents of Table 28.¶
| Range | Registration Procedures |
|---|---|
| -32768 to 0 | Reserved |
| 1 to 255 | RFC Required |
| 256 to 32767 | Specification Required |
| Value | Description | Notation | Reference |
|---|---|---|---|
| -32768 to -32641 | Reserved for experimental use | [This specification] | |
| -32640 to -1 | Reserved for private use | [This specification] | |
| 0 | Reserved for Initial Authentication | IA | Section 5.1 of [This specification] |
| 1 | Capability Indication | CI | Section 5.2 of [This specification] |
| 2 | Event Notification | EN | Section 5.7 of [This specification] |
| 3 | SA Creation | SC | Section 5.3 of [This specification] |
| 4 | SA Teardown | ST | Section 5.4 of [This specification] |
| 5 | CK Prekey | SP | Section 5.5 of [This specification] |
| 6 | CK Creation | SR | Section 5.6 of [This specification] |
| 7 | CK Discard | SR | Section 5.6 of [This specification] |
| 8 to 32767 | Unassigned |
Within the registry group of [IANA-SAFE], the registry titled "SAFE Message Data Items" has been created with the following initial contents. Each entry in the table indicates which messages are valid for containing the associated data item and the map label by which the item is identified. The registration procedure for this registry is identical to the corresponding "SAFE Activity Types" entry from the first column.¶
This registry includes only well-known data item types; private use labels can be used to include any other data items in a message.¶
| Activity Type Notation | Label | Description | Notation | Reference |
|---|---|---|---|---|
| all types | -32768 to -1 | Reserved for private use | [This specification] | |
| all types | 0 | Error Type Enumeration | ETE | Section 6.1 of [This specification] |
| IA | this activity does not use data item labels | |||
| CI | 1 | Concurrent Activity Support | CAS | Section 6.2 of [This specification] |
| CI | 2 | EID Scheme Support | ESS | Section 6.3 of [This specification] |
| CI | 3 | BPSec Context Support | BCS | Section 6.4 of [This specification] |
| SC | 1 | Security Association Identifier | SAI | Section 6.5 of [This specification] |
| SC | 2 | Additional Key Exchange | AKE | Section 6.7 of [This specification] |
| SC | 3 | Additional Random Nonce | ARN | Section 6.8 of [This specification] |
| SC | 9 | Security Mode Selector | SMS | Section 6.9 of [This specification] |
| SC | 6 | Endpoint Selector at Initiator | ESI | Section 6.11 of [This specification] |
| SC | 7 | Endpoint Selector at Responder | ESR | Section 6.11 of [This specification] |
| SC | 8 | Validity Node Time Interval | NTI | Section 6.10 of [This specification] |
| SC | 4 | Security Operation Selector | SOS | Section 6.12 of [This specification] |
| SC | 5 | Key Use Selector | KUS | Section 6.13 of [This specification] |
Within the registry group of [IANA-SAFE], the registry titled "SAFE Error Type Enumerations" has been created with the following initial contents. These entries are distinct and separate from the "EDHOC Error Codes" registry of [IANA-EDHOC].¶
| Activity Type Notation | Value | Description | Reference |
|---|---|---|---|
| all types | -32768 to -32641 | Reserved for experimental use | [This specification] |
| all types | -32640 to -1 | Reserved for private use | [This specification] |
| all types | 1 | Invalid data item label | [This specification] |
| all types | 2 | Unknown data item label | [This specification] |
| all types | 3 | Invalid data item value | [This specification] |
| SR,ST | 256 | Unknown security association | [This specification] |
This section contains a minimal example of two nodes initializing a primary SA and two secondary SAs with overlapping activities using pipelined messaging. The EDHOC messages in the IA activity are taken from the example in Section 2 of [RFC9529] to avoid duplicating EDHOC example logic here. This example does not include any PDU losses so no retransmission is needed.¶
PDU #1 #2 #3 #4 #5
| | | | |
(IA 0 --- 1 --- 2 --- 3) |
| (CI 0 --- 1 --- 2) |
| | (SC 0 --- 1 --- 2)
=----- time ----->
The encoded PDU #1 (initiator-to-responder) is the following byte string:¶
01f6f50006582031f82c7b5b9cbbf0f194d913cc12ef1532d328ef32632a4881a1c0 701e237f042d¶
The contents of that PDU are following CBOR sequence:¶
1, / version / null, / partial-iv / true, / rx-sai / / message_1: / 0, / method / 6, / suites / h'31f82c7b5b9cbbf0f194d913cc12ef1532d328ef32632a48 81a1c0701e237f04', / G_X / -14 / C_I /¶
The encoded PDU #2 (responder-to-initiator) is following byte string:¶
01f62d5880dc88d2d51da5ed67fc4616356bc8ca74ef9ebe8b387e623a360ba480b9 b29d1c9e2115f057ff0687a41a21a1d7fc4553061357fe93dbef391c83e18a27b29c e24e44a45916fdebe9c5a505abdec132750551154966a67eed27236c093e2774814f 11c5affadf8c0cd96e31fef7deda3398136d3e79419efd86efe646e1606b77¶
That PDU has the following decoded header, eliding the ciphertext message.¶
1, / version / null, / partial-iv / -14 / rx-sai from C_I / / message_2: h'dc88...6b77' /¶
Derived from the shared secrets, the PLAINTEXT_2 contents are the following:¶
4118A11822822E4879F2A41B510C1F9B58407934E54041AE5ACB7C68DE7ED477D947 E4214E84659D99FCD49C4B25033DD92AF50DE0570BC27B72039CEB2F4A4F8F05082F F9739A823C25634FE42BB306F296364F010001A30119040002820102038103¶
That plaintext has the following decoded items.¶
h'18', / C_R /
{34: [-15, h'79F2A41B510C1F9B']}, / ID_CRED_R with following sig. /
h'A9CAAE6BB615B3C50D774AFA0B6297AA3CCDBED1A03A34614DEE8A62216F685DC9
ED1C8DE7291E2C571E1E9DAD39B350869CC7B2658514EB7881E8B03D5C9D89',
-23, / EAD label with following value /
h'010001A30119040002820102038103'
¶
The embedded EAD_2 contains the following SAFE message:¶
1, / act. index /
0, / act. step /
1, / act. type: CI /
{
1: 1024, / CAS: max 1024 /
2: [1, 2], / ESS: dtn and ipn schemes /
3: [3] / BCS: COSE Context /
}
¶
The encoded PDU #3 is following byte string:¶
01f6411858c1e418256972ed10356c2cadc3e72dd86c16e830590972a7fa238c92b3 0c7cb6a030397061de4327b02b5aae7c0e1c6de2d67bd7627b33b8cb8e9bb8303aca 53143aacd8713413becc1a3ad2ad7ac3bee1b56cb576637738787106a415c41ab3c4 b70fe87782994bb93d25c2a7565255948267637511364b2236ae8ddbbfb4321246fc 38ba317216893f9afe59b85a4301e871944d8e3afb7de0278bf2cf7c161ce6fe2ff6 b2e6d8f5666d5ae4c555f07ee534293f4dc85d282bdd35e2676b126eee¶
That PDU has the following decoded header, eliding the ciphertext message.¶
1, / version / null, / partial-iv / h'18' / rx-sai from C_I / / message_3: h'e418...6eee' /¶
Derived from the shared secrets, the PLAINTEXT_3 contents are the following:¶
A11822822E48C24AB2FD7643C79F5840A6F33C8F1FED68F30F83261652D193DC1B29 A5B40A53AA6D695466F8E473B74548914C293F8EB127C71813993338E6573F90A60A BB6F3484FE4172056B645A0A36584D010002A80146235A91D189EA035056B44D9A0F 87538A24CA8EBE49D4FD51040305A10101090106F607F602582031F82C7B5B9CBBF0 F194D913CC12EF1532D328EF32632A4881A1C0701E237F04364F010101A301190400 02820102038103¶
That plaintext has the following decoded items.¶
{34: [-15, h'C24AB2FD7643C79F']}, / ID_CRED_I with following sig. /
h'A6F33C8F1FED68F30F83261652D193DC1B29A5B40A53AA6D695466F8E473B74548
914C293F8EB127C71813993338E6573F90A60ABB6F3484FE4172056B645A0A',
-23, / EAD label with following value /
h'010002A80146235A91D189EA035056B44D9A0F87538A24CA8EBE49D4FD51040305
A10101090106F607F602582031F82C7B5B9CBBF0F194D913CC12EF1532D328EF32
632A4881A1C0701E237F04',
-23, / EAD label with following value /
h'010101A30119040002820102038103'
¶
The embedded EAD_3 contains the following SAFE messages:¶
1, / act. index /
0, / act. step /
2, / act. type: SC /
{
1: h'235A91D189EA', / local SAI bytes /
3: h'56B44D9A0F87538A24CA8EBE49D4FD51', / ARN bytes /
4: 3, / CTX: COSE (3) /
5: { / KUS: /
1: 1 / alg: A128GCM (1) /
},
9: 1, / SMS: end-to-end (1) /
6: null, / TSI: still TBD /
7: null, / TSR: still TBD /
2: h'31F82C7B5B9CBBF0F194D913CC12EF1532D328EF32632A4881A1C0701E2
37F04' / AKE bytes /
}
¶
1, / act. index /
1, / act. step /
1, / act. type: CI /
{
1: 1024, / CAS: max 1024 /
2: [1, 2], / ESS: dtn and ipn schemes /
3: [3] / BCS: COSE Context /
}
¶
The encoded PDU #4 is following byte string:¶
01F62D586492459A97A617FE0176E1040FB1E98A640FBDF104E4839EB576F32EF07C F283B9C8FF4AC2B5B3DC72F15A5CAEC383A366A8310D97E369E1696D4D43BC9BAA99 E63E750D29344A95D9C703B21B7AE796F36F82FDF8798F5428AD8057C2D197B7F6DE 7ADEB6¶
That PDU has the following decoded header, eliding the ciphertext message.¶
1, / version / null, / partial-iv / -14 / rx-sai from C_I / / message_3: h'9245...DEB6' /¶
Derived from the shared secrets, the PLAINTEXT_4 contents are the following:¶
3642010236584d010102a80146a8c046494ebd035043184c4d9f379d2eb35fd2f2f1 1ae27b040305a10101090106f607f6025820dc88d2d51da5ed67fc4616356bc8ca74 ef9ebe8b387e623a360ba480b9b29d1c¶
That plaintext has the following decoded items.¶
-23, / EAD label with following value / h'0102', -23, / EAD label with following value / h'010102A80146A8C046494EBD035043184C4D9F379D2EB35FD2F2F11AE27B040305 A10101090106F607F6025820DC88D2D51DA5ED67FC4616356BC8CA74EF9EBE8B38 7E623A360BA480B9B29D1C'¶
The embedded EAD_4 contains the following SAFE messages:¶
1, / act. index / 2 / act. step /¶
1, / act. index /
1, / act. step /
2, / act. type: SC /
{
1: h'A8C046494EBD', / local SAI bytes /
3: h'43184C4D9F379D2EB35FD2F2F11AE27B', / ARN bytes /
4: 3, / CTX: COSE (3) /
5: { / KUS: /
1: 1 / alg: A128GCM (1) /
},
9: 1, / SMS: end-to-end (1) /
6: null, / TSI: still TBD /
7: null, / TSR: still TBD /
2: h'DC88D2D51DA5ED67FC4616356BC8CA74EF9EBE8B387E623A360BA480B9B
29D1C' / AKE bytes /
}
¶
The encoded PDU #5 is following byte string:¶
01410141185306684BF319BBE5B2237EF71606DB2714E0F992¶
That PDU has the following decoded header, eliding the ciphertext message.¶
1, / version / h'01', / partial-iv / h'18' / rx-sai from C_R / / message_3: h'0668...F992' /¶
Derived from the shared secrets, the PLAINTEXT contents are the following:¶
420102¶
That plaintext has the following decoded items.¶
h'0102'¶
The embedded byte strings contain the following SAFE messages:¶
1, / act. index / 2 / act. step /¶
Thanks go to Leonardo Babun and Cherita Corbett of JHU/APL for pre-draft review and editing of this document.¶
This section is to be removed before publishing as an RFC.¶
[NOTE to the RFC Editor: please remove this section before publication, as well as the reference to [RFC7942], [github-dtn-bp-safe], and [github-dtn-demo-agent].]¶
This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in [RFC7942]. The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations can exist.¶