<?xml version='1.0' encoding='utf-8'?>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!DOCTYPE rfc [
<!ENTITY nbsp " ">
<!ENTITY zwsp "​">
<!ENTITY nbhy "‑">
<!ENTITY wj "⁠">
]>
<?rfc toc="yes" ?>
<?rfc symrefs="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc compact="yes" ?>
<?rfc subcompact="no" ?>
<?rfc iprnotified="no" ?>
<?rfc strict="no" ?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" consensus="true" number="9374" docName="draft-ietf-drip-rid-37" category="std" ipr="trust200902" obsoletes="" updates="7401, 7343" submissionType="IETF" xml:lang="en" tocInclude="true" symRefs="true" sortRefs="true" version="3">
<front> <title abbrev="DRIP Entity Tag (DET)">DRIP Entity Tag (DET) for Unmanned Aircraft System Remote ID (UAS RID)</title>
<seriesInfo name="RFC" value="9374"/>
<author fullname="Robert Moskowitz" initials="R" surname="Moskowitz">
<organization>HTT Consulting</organization>
<address>
<postal>
<street></street>
<city>Oak Park</city>
<region>MI</region>
<code>48237</code>
<country>USA</country>
</postal>
<email>rgm@labs.htt-consult.com</email>
</address>
</author>
<author fullname="Stuart W. Card" initials="S." surname="Card">
<organization>AX Enterprize, LLC</organization>
<address>
<postal>
<street>4947 Commercial Drive</street>
<city>Yorkville</city>
<region>NY</region>
<code>13495</code>
<country>USA</country>
</postal>
<email>stu.card@axenterprize.com</email>
</address>
</author>
<author fullname="Adam Wiethuechter" initials="A." surname="Wiethuechter">
<organization>AX Enterprize, LLC</organization>
<address>
<postal>
<street>4947 Commercial Drive</street>
<city>Yorkville</city>
<region>NY</region>
<code>13495</code>
<country>USA</country>
</postal>
<email>adam.wiethuechter@axenterprize.com</email>
</address>
</author>
<author fullname="Andrei Gurtov" initials="A." surname="Gurtov">
<organization>Linköping University</organization>
<address>
<postal>
<street>IDA</street>
<city>Linköping</city>
<code>58183</code>
<country>Sweden</country>
</postal>
<email>gurtov@acm.org</email>
</address>
</author>
<date month="March" year="2023" />
<area>Internet</area>
<workgroup>DRIP</workgroup>
<keyword>RFC</keyword>
<keyword>Request for Comments</keyword>
<keyword>I-D</keyword>
<keyword>Internet-Draft</keyword>
<keyword>RID</keyword>
<abstract>
<t>
This document describes the use of Hierarchical Host Identity Tags
(HHITs) as self-asserting IPv6 addresses, which makes them trustable
identifiers for use in Unmanned Aircraft System Remote
Identification (UAS RID) and tracking.
</t>
<t>
This document updates RFCs 7401 and 7343.
</t>
<t>
Within the context of RID, HHITs will be called DRIP Entity Tags
(DETs). HHITs provide claims to the included explicit hierarchy
that provides registry (via, for example, DNS, RDAP) discovery for
third-party identifier endorsement.
</t>
</abstract>
</front>
<middle>
<section numbered="true" toc="default"> <name>Introduction</name>
<t>
<xref target="RFC9153" format="default">Drone Remote ID Protocol
(DRIP) Requirements</xref> describe an Unmanned Aircraft System
Remote ID (UAS ID) as unique (ID-4), non-spoofable (ID-5), and
identify a registry where the ID is listed (ID-2); all within a
19-character identifier (ID-1).
</t>
<t>
This RFC is a foundational document of DRIP, as it describes the use of
<xref target="HHIT" format="default">Hierarchical Host Identity Tags (HHITs)</xref> as self-asserting
IPv6 addresses and thereby a trustable identifier for use as the UAS
Remote ID (see <xref target="I-D.ietf-drip-arch" section="3" format="default" />). All other DRIP-related
technologies will enable or use HHITs as multipurpose remote identifiers.
HHITs add explicit hierarchy to the
128-bit HITs, enabling DNS HHIT queries (Host ID for
authentication, e.g., <xref target="I-D.ietf-drip-auth"
format="default"/>) and for use with a Differentiated Access
Control (e.g., Registration Data Access Protocol (RDAP) <xref
target="RFC9224" />) for 3rd-party identification endorsement
(e.g., <xref target="I-D.ietf-drip-auth" format="default"/>).
</t>
<t>
The addition of hierarchy to HITs is an extension to <xref
target="RFC7401"/> and requires an update to <xref
target="RFC7343"/>. As this document also adds EdDSA (<xref
target="EdDSA" format="default"/>) for Host Identities (HIs), a
number of Host Identity Protocol (HIP) parameters in <xref
target="RFC7401"/> are updated, but these should not be needed in a
DRIP implementation that does not use HIP.
</t>
<t>
HHITs as used within the context of UAS
are labeled as DRIP Entity Tags (DETs). Throughout this document,
HHIT and DET will be used appropriately. HHIT will be used when covering the technology, and DET will be used in the context of UAS RID.
</t>
<t>
HHITs provide self-claims of the HHIT registry. A HHIT
can only be in a single registry within a registry system (e.g.,
DNS).
</t>
<t>
HHITs are valid, though non-routable, IPv6 addresses
<xref target="RFC8200" />. As such, they fit in many ways within
various IETF technologies.
</t>
<section anchor="x509" numbered="true" toc="default"> <name>HHIT Statistical Uniqueness Different from UUID or X.509 Subject</name>
<t>
HHITs are statistically unique through the cryptographic hash
feature of second-preimage resistance. The cryptographically bound
addition of the hierarchy and a HHIT registration process <xref
target="I-D.ietf-drip-registries" format="default"/> provide
complete, global HHIT uniqueness. If the HHITs cannot be looked up
with services provided by the DRIP Identity Management Entity
(DIME) identified via the embedded hierarchical information or its
registration validated by registration endorsement messages <xref
target="I-D.ietf-drip-auth" format="default"/>, then the HHIT is
either fraudulent or revoked/expired. In-depth discussion of these
processes is out of scope for this document.
</t>
<t>
This contrasts with using general identifiers (e.g., Universally
Unique IDentifiers <xref target="RFC4122"
format="default">(UUID)</xref> or device serial numbers) as the
subject in an <xref target="RFC5280" format="default">X.509</xref>
certificate. In either case, there can be no unique proof of
ownership/registration.
</t>
<t>
For example, in a multi-Certificate Authority (multi-CA) PKI
alternative to HHITs, a Remote ID as the Subject (<xref
target="RFC5280" section="4.1.2.6" />) can occur in multiple CAs,
possibly fraudulently. CAs within the PKI would need to implement
an approach to enforce assurance of the uniqueness achieved with
HHITs.
</t>
</section>
</section>
<section anchor="terms" numbered="true" toc="default"> <name>Terms and Definitions</name>
<section numbered="true" toc="default"> <name>Requirements Terminology</name>
<t>
The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119" /> <xref
target="RFC8174" /> when, and only when, they appear in all
capitals, as shown here.
</t>
<t>
The document includes a set of algorithms and recommends the ones
that should be supported by implementations. The
following term is used for that purpose: <bcp14>RECOMMENDED</bcp14>.
</t>
<!-- <dl newline="true" spacing="normal">
<dt>RECOMMENDED</dt>
<dd>
RECOMMENDED, as used here instructs implementors which
choice (here only of possible algorithms) the authors
advise be used. Implementors are recommended to research
the choices to make an informed decision.
</dd>
</dl> -->
</section>
<section anchor="notation" numbered="true" toc="default"> <name>Notation</name>
<dl newline="false" spacing="normal">
<dt>| </dt>
<dd>
Signifies concatenation of information, e.g., X | Y is the
concatenation of X and Y.
</dd>
</dl>
</section>
<section numbered="true" toc="default"> <name>Definitions</name>
<t>
This document uses the terms defined in <xref target="RFC9153"
section="2.2" format="default" /> and in <xref
target="I-D.ietf-drip-arch" section="2" format="default" />. The
following new terms are used in the document:
</t>
<dl newline="true" spacing="normal">
<dt>cSHAKE (The customizable SHAKE function <xref
target="DOI_10.6028_NIST.SP.800-185" format="default"/>):</dt>
<dd>
Extends the SHAKE scheme <xref target="DOI_10.6028_NIST.FIPS.202"
format="default"/> to allow users to customize their
use of the SHAKE function.
</dd>
<dt>HDA (HHIT Domain Authority):</dt>
<dd>
The 14-bit field that identifies the HHIT Domain Authority
under a Registered Assigning Authority (RAA). See <xref
target="HHIT_Format" format="default"/>.
</dd>
<dt>HHIT (Hierarchical Host Identity Tag):</dt>
<dd>
A HIT with extra
hierarchical information not found in a standard HIT <xref
target="RFC7401" format="default"/>.
</dd>
<dt>HI (Host Identity):</dt>
<dd>
The public key portion of an asymmetric key
pair as defined in <xref target="RFC9063"
format="default"/>.
</dd>
<dt>HID (Hierarchy ID):</dt>
<dd>
The 28-bit field providing the HIT Hierarchy ID. See <xref
target="HHIT_Format" format="default"/>.
</dd>
<dt>HIP (Host Identity Protocol):</dt>
<dd>
The origin of HI, HIT, and HHIT <xref target="RFC7401" format="default"/>.
</dd>
<dt>HIT (Host Identity Tag):</dt>
<dd>
A 128-bit handle on the HI. HITs are
valid IPv6 addresses.
</dd>
<dt>Keccak (KECCAK Message Authentication Code):</dt>
<dd>
The family of all sponge functions with a KECCAK-f
permutation as the underlying function and multi-rate
padding as the padding rule. In particular, it refers to
all the functions referenced from <xref
target="DOI_10.6028_NIST.FIPS.202" format="default"/> and
<xref target="DOI_10.6028_NIST.SP.800-185"
format="default"/>.
</dd>
<dt>KMAC (KECCAK Message Authentication Code <xref
target="DOI_10.6028_NIST.SP.800-185" format="default"/>):</dt>
<dd>
A Pseudo Random Function (PRF) and keyed hash function
based on KECCAK.
</dd>
<dt>RAA (Registered Assigning Authority):</dt>
<dd>
The 14-bit field identifying the business or organization
that manages a registry of HDAs. See <xref
target="HHIT_Format" format="default"/>.
</dd>
<dt>RVS (Rendezvous Server):</dt>
<dd>
A Rendezvous Server such as the HIP Rendezvous Server for
enabling mobility, as defined in <xref target="RFC8004"
format="default"/>.
</dd>
<dt>SHAKE (Secure Hash Algorithm KECCAK <xref
target="DOI_10.6028_NIST.FIPS.202" format="default"/>):</dt>
<dd>
A secure hash that allows for an arbitrary output length.
</dd>
<dt>XOF (eXtendable-Output Function <xref
target="DOI_10.6028_NIST.FIPS.202" format="default"/>):</dt>
<dd>
A function on bit strings (also called messages) in which
the output can be extended to any desired length.
</dd>
</dl>
</section>
</section>
<section anchor="HHIT" numbered="true" toc="default"> <name>The Hierarchical Host Identity Tag (HHIT)</name>
<t>
The HHIT is a small but important enhancement
over the flat Host Identity Tag (HIT) space, constructed as an
Overlay Routable Cryptographic Hash IDentifier (ORCHID) <xref
target="RFC7343" format="default"/>. By adding two levels of
hierarchical administration control, the HHIT provides for device
registration/ownership, thereby enhancing the trust framework for
HITs.
</t>
<t>
The 128-bit HHITs represent the HI in only a 64-bit hash, rather
than the 96 bits in HITs. 4 of these 32 freed up bits expand the
Suite ID to 8 bits, and the other 28 bits are used to create a
hierarchical administration organization for HIT domains.
HHIT construction is defined in <xref target="ORCHIDs"
format="default"/>. The input values for the encoding rules are
described in <xref target="HCGA" format="default"/>.
</t>
<t>
A HHIT is built from the following fields (<xref
target="HHIT_Format" format="default"/>):
</t>
<ul spacing="normal">
<li>
p = an IPv6 prefix (max 28 bit)
</li>
<li>
<t>28-bit HID, which provides the structure to
organize HITs into administrative domains. HIDs are further
divided into two fields:</t>
<ul spacing="normal">
<li>
14-bit Registered Assigning Authority (RAA) (<xref
target="RAA" format="default"/>)
</li>
<li>
14-bit HHIT Domain Authority (HDA)
(<xref target="HDA" format="default"/>)
</li>
</ul>
</li>
<li>
8-bit HHIT Suite ID (HHSI)
</li>
<li>
ORCHID hash (92 - prefix length, e.g., 64). See <xref
target="ORCHIDs" format="default"/> for more details.
</li>
</ul>
<figure anchor="HHIT_Format">
<name>HHIT Format</name>
<artwork name="" type="ascii-art" align="left" alt="">
<![CDATA[
            14 bits| 14 bits             8 bits
           +-------+-------+        +--------------+
           |  RAA  | HDA   |        |HHIT Suite ID |
           +-------+-------+        +--------------+
            \              |    ____/   ___________/
             \             \  _/    ___/
              \             \/     /
|    p bits    |  28 bits   |8bits|     o=92-p bits        |
+--------------+------------+-----+------------------------+
| IPv6 Prefix  |    HID     |HHSI |      ORCHID hash       |
+--------------+------------+-----+------------------------+
]]>
</artwork>
</figure>
<t>
The Context ID (generated with openssl rand) for the ORCHID hash is:
</t>
<artwork name="" type="" align="left" alt="">
<![CDATA[
Context ID := 0x00B5 A69C 795D F5D5 F008 7F56 843F 2C40
]]>
</artwork>
<t>
Context IDs are allocated out of the namespace introduced for
Cryptographically Generated Addresses (CGA) Type Tags <xref
target="RFC3972" format="default"/>.
</t>
<section anchor="Prefix" numbered="true" toc="default"> <name>HHIT Prefix for RID Purposes</name>
<t>
The IPv6 HHIT prefix <bcp14>MUST</bcp14> be distinct from that used in the
flat-space HIT as allocated in <xref target="RFC7343"
format="default"/>. Without this distinct prefix, the first 4 bits
of the RAA would be interpreted as the HIT Suite ID per <xref
target="RFC7401" format="default">HIPv2</xref>.
</t>
<t>
Initially, the IPv6 prefix listed in <xref target="prefix"/> is assigned for DET use. It has been registered in the "IANA IPv6 Special-Purpose Address Registry" <xref target="RFC6890"/>.
</t>
<table anchor="prefix">
<name>Initial DET IPv6 Prefix</name>
<thead>
<tr>
<th>HHIT Use</th>
<th>Bits</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr>
<td>DET</td>
<td>28</td>
<td>2001:30::/28</td>
</tr>
</tbody>
</table>
<t>
Other prefixes may be added in the future either for DET use or
other applications of HHITs. For a prefix to be added to the
registry in <xref target="IANA_DRIP_reg" format="default"/>, its
usage and HID allocation process have to be publicly available.
</t>
</section>
<section anchor="HHIT_Suite" numbered="true" toc="default"> <name>HHIT Suite IDs</name>
<t>
The HHIT Suite IDs specify the HI and hash algorithms. These are a
superset of the 4-bit and 8-bit HIT Suite IDs as defined in <xref
target="RFC7401" section="5.2.10" format="default"/>.
</t>
<t>
The HHIT values of 1 - 15 map to the basic 4-bit HIT Suite IDs.
HHIT values of 17 - 31 map to the extended 8-bit HIT Suite IDs.
HHIT values unique to HHIT will start with value 32.
</t>
<t>
As HHIT introduces a new Suite ID, EdDSA/cSHAKE128, and because this
is of value to HIPv2, it will be allocated out of the 4-bit HIT
space and result in an update to HIT Suite IDs. Future HHIT Suite
IDs may be allocated similarly, or they may come out of the additional
space made available by going to 8 bits.
</t>
<t>
The following HHIT Suite IDs are defined:
</t>
<table>
<name>Initial HHIT Suite IDs</name>
<thead>
<tr>
<th>HHIT Suite</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr>
<td>RESERVED</td>
<td>0</td>
</tr>
<tr>
<td>RSA,DSA/SHA-256</td>
<td>1 <xref target="RFC7401"/></td>
</tr>
<tr>
<td>ECDSA/SHA-384</td>
<td>2 <xref target="RFC7401"/></td>
</tr>
<tr>
<td>ECDSA_LOW/SHA-1</td>
<td>3 <xref target="RFC7401"/></td>
</tr>
<tr>
<td>EdDSA/cSHAKE128</td>
<td>5</td>
</tr>
</tbody>
</table>
<section anchor="HDA_OGA" numbered="true" toc="default"> <name>HDA Custom HIT Suite IDs</name>
<t>
Support for 8-bit HHIT Suite IDs allows for HDA custom HIT Suite
IDs (see <xref target="suiteIDs"/>).
</t>
<table anchor="suiteIDs">
<name>HDA Custom HIT Suite IDs</name>
<thead>
<tr>
<th>HHIT Suite</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr>
<td>HDA Private Use 1</td>
<td>254</td>
</tr>
<tr>
<td>HDA Private Use 2</td>
<td>255</td>
</tr>
</tbody>
</table>
<t>
These custom HIT Suite IDs, for example, may be used for
large-scale experimentation with post-quantum computing hashes or
similar domain-specific needs. Note that currently there is no
support for domain-specific HI algorithms.
</t>
<t>
They should not be used to create a "de facto standardization".
<xref target="IANA_DRIP_reg" format="default"> </xref> states that
additional Suite IDs can be made through IETF Review.
</t>
</section>
</section>
<section anchor="HID" numbered="true" toc="default"> <name>The Hierarchy ID (HID)</name>
<t>
The HID provides the structure to organize HITs into
administrative domains. HIDs are further divided into two fields:
</t>
<ul spacing="normal">
<li>
14-bit Registered Assigning Authority (RAA)
</li>
<li>
14-bit HHIT Domain Authority (HDA)
</li>
</ul>
<t>
The rationale for splitting the HID into two 14-bit domains is described in <xref
target="HID_Split" format="default"/>.
</t>
<t>
The two levels of hierarchy allow for Civil Aviation Authorities
(CAAs) to have at least one RAA for their National Air Space (NAS).
Within its RAAs, the CAAs can delegate HDAs as needed. There may
be other RAAs allowed to operate within a given NAS; this is a
policy decision of each CAA.
</t>
<section anchor="RAA" numbered="true" toc="default"> <name>The Registered Assigning Authority (RAA)</name>
<t>
An RAA is a business or organization that manages a registry of
HDAs. For example, the Federal Aviation Authority (FAA) or Japan
Civil Aviation Bureau (JCAB) could be RAAs.
</t>
<t>
The RAA is a 14-bit field (16,384 RAAs). Management of this
space is further described in <xref
target="I-D.ietf-drip-registries" format="default"/>. An RAA <bcp14>MUST</bcp14>
provide a set of services to allocate HDAs to organizations. It
<bcp14>SHOULD</bcp14> have a public policy on what is necessary to obtain an HDA.
The RAA need not maintain any HIP-related services. At minimum, it <bcp14>MUST</bcp14>
maintain a DNS zone for the HDA zone delegation for
discovering HIP RVS servers <xref target="RFC8004"
format="default"/> for the HID. Zone delegation is covered in
<xref target="I-D.ietf-drip-registries" format="default"/>.
</t>
<t>
As DETs under an administrative control may be used in many
different domains (e.g., commercial, recreation, military), RAAs
should be allocated in blocks (e.g., 16-19) with consideration of
the likely size of a particular usage. Alternatively, different
prefixes can be used to separate different domains of use of HHITs.
</t>
<t>
The RAA DNS zone within the UAS DNS tree may be a PTR for its RAA.
It may be a zone in a HHIT-specific DNS zone. Assume that the RAA
is decimal 100. The PTR record could be constructed as follows
(where 20010030 is the DET prefix):
</t>
<artwork name="" type="" align="left" alt="">
<![CDATA[
100.20010030.hhit.arpa. IN PTR raa.example.com.
]]>
</artwork>
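<t>
The following Python sketch is an added illustration and is not part of the original specification or its authors' code. It packs and unpacks the DET layout described in this document (28-bit prefix 2001:30::/28, 14-bit RAA, 14-bit HDA, 8-bit HHIT Suite ID, 64-bit ORCHID hash) and forms the illustrative RAA PTR owner name shown above. The function names, the HDA value 20, and the 64-bit hash value are constructed for the example.
</t>
<sourcecode type="python"><![CDATA[
```python
import ipaddress
from dataclasses import dataclass

# Values taken from the tables in this document.
DET_PREFIX = ipaddress.IPv6Network("2001:30::/28")
SUITE_EDDSA_CSHAKE128 = 5

# Field widths of the HHIT format figure; the hash gets what is left of 128.
PREFIX_BITS, RAA_BITS, HDA_BITS, HHSI_BITS = 28, 14, 14, 8
HASH_BITS = 128 - PREFIX_BITS - RAA_BITS - HDA_BITS - HHSI_BITS  # 64


@dataclass(frozen=True)
class Hhit:
    raa: int          # Registered Assigning Authority
    hda: int          # HHIT Domain Authority
    suite_id: int     # HHIT Suite ID (HHSI)
    orchid_hash: int  # hash portion, treated as an opaque value here


def _fits(name: str, value: int, bits: int) -> int:
    """Return value unchanged, or raise if it overflows its field."""
    if not 0 <= value < (1 << bits):
        raise ValueError(f"{name}={value} does not fit in {bits} bits")
    return value


def pack_det(h: Hhit) -> ipaddress.IPv6Address:
    """Concatenate Prefix | RAA | HDA | HHSI | Hash into one IPv6 address."""
    value = int(DET_PREFIX.network_address) >> (128 - PREFIX_BITS)
    for name, field, bits in (
        ("RAA", h.raa, RAA_BITS),
        ("HDA", h.hda, HDA_BITS),
        ("HHSI", h.suite_id, HHSI_BITS),
        ("hash", h.orchid_hash, HASH_BITS),
    ):
        value = (value << bits) | _fits(name, field, bits)
    return ipaddress.IPv6Address(value)


def unpack_det(addr) -> Hhit:
    """Split a DET into its fields; reject addresses outside the DET prefix."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in DET_PREFIX:
        raise ValueError(f"{ip} is not under {DET_PREFIX}")
    value = int(ip)
    fields = []
    for bits in (HASH_BITS, HHSI_BITS, HDA_BITS, RAA_BITS):  # low bits first
        fields.append(value & ((1 << bits) - 1))
        value >>= bits
    orchid_hash, suite_id, hda, raa = fields
    return Hhit(raa=raa, hda=hda, suite_id=suite_id, orchid_hash=orchid_hash)


def raa_ptr_owner(h: Hhit) -> str:
    """Owner name following the document's example PTR record for an RAA."""
    prefix_label = format(int(DET_PREFIX.network_address) >> 96, "08x")
    return f"{h.raa}.{prefix_label}.hhit.arpa."


if __name__ == "__main__":
    # Constructed sample: RAA 100 as in the PTR example, other values made up.
    sample = Hhit(raa=100, hda=20, suite_id=SUITE_EDDSA_CSHAKE128,
                  orchid_hash=0x0123456789ABCDEF)
    det = pack_det(sample)
    print(det)
    print(unpack_det(det))
    print(raa_ptr_owner(sample))
```
]]></sourcecode>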
<t>
Note that if the zone 20010030.hhit.arpa is ultimately used, a
registrar will need to manage this for all HHIT applications. Thus,
further thought will be needed in the actual DNS zone tree and
registration process <xref target="I-D.ietf-drip-registries"
format="default"/>.
</t>
</section>
<section anchor="HDA" numbered="true" toc="default"> <name>The HHIT Domain Authority (HDA)</name>
<t>
An HDA may be an Internet Service Provider (ISP), UAS Service
Supplier (USS), or any third party that takes on the business to
provide UAS services management, HIP RVSs or other needed services
such as those required for HHIT and/or HIP-enabled devices.
</t>
<t>
The HDA is a 14-bit field (16,384 HDAs per RAA) assigned by an
RAA and is further described in <xref target="I-D.ietf-drip-registries"
format="default"/>. An HDA must maintain public and private UAS
registration information and should maintain a set of RVS servers
for UAS clients that may use HIP. How this is done and scales to
the potentially millions of customers are outside the scope of this
document; they are covered in <xref target="I-D.ietf-drip-registries"
format="default"/>. This service should be discoverable through
the DNS zone maintained by the HDA's RAA.
</t>
<t>
An RAA may assign a block of values to an individual organization.
This is completely up to the individual RAA's published policy for
delegation. Such a policy is out of scope for this document.
</t>
</section>
</section>
<section anchor="EdDSA" numbered="true" toc="default"> <name>Edwards-Curve Digital Signature Algorithm for HHITs</name>
<t>
The Edwards-Curve Digital Signature Algorithm (EdDSA) <xref
target="RFC8032" format="default"> </xref> is specified here for
use as HIs per <xref target="RFC7401" format="default">HIPv2</xref>.
</t>
<t>
The intent in this document is to add EdDSA as a HI algorithm for
DETs, but doing so impacts the HIP parameters used in a HIP
exchange. Sections <xref target="host_id" format="counter"/> through <xref target="hit_suite_list" format="counter"/> describe the required
updates to HIP parameters. Other than the HIP DNS RR (Resource
Record) <xref target="RFC8005" format="default"/>, these should not
be needed in a DRIP implementation that does not use HIP.
</t>
<t>
See <xref target="HHIT_Suite" format="default"/> for use of the HIT
Suite in the context of DRIP.
</t>
<section anchor="host_id" numbered="true" toc="default"> <name>HOST_ID</name>
<t>
The HOST_ID parameter specifies the public key algorithm, and for
elliptic curves, a name. The HOST_ID parameter is defined in
<xref target="RFC7401" section="5.2.9" format="default"/>. <xref target="hostID"/> adds a new HI Algorithm.
</t>
<table anchor="hostID">
<name>New EdDSA Host ID</name>
<thead>
<tr>
<th>Algorithm profile</th>
<th>Value</th>
<th>Reference</th>
</tr>
</thead>
<tbody>
<tr>
<td>EdDSA</td>
<td>13</td>
<td><xref target="RFC8032"/></td>
</tr>
</tbody>
</table>
<section anchor="HIP_EdDSA_Parm" numbered="true" toc="default"> <name>HIP Parameter support for EdDSA</name>
<t>
The addition of EdDSA as a HI algorithm requires a subfield in the
HIP HOST_ID parameter (<xref target="RFC7401" section="5.2.9"
format="default"/>) as was done for ECDSA when used in a HIP
exchange.
</t>
<t>
For HIP hosts that implement EdDSA as the algorithm, the following
EdDSA curves are represented by the fields in <xref target="fig2"/>:
</t>
<figure anchor="fig2">
<name>EdDSA Curves Fields</name>
<artwork>
<![CDATA[
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          EdDSA Curve          |             NULL              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          Public Key                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]>
</artwork>
</figure>
<dl><dt>EdDSA Curve:</dt><dd>Curve label</dd>
<dt>Public Key:</dt><dd>Represented in Octet-string format <xref target="RFC8032" /></dd>
</dl>
<t>
For hosts that implement EdDSA as a HIP algorithm, the following
EdDSA curves are defined. Recommended curves are tagged
accordingly:
</t>
<table>
<name>EdDSA Curves</name>
<thead>
<tr>
<th>Algorithm</th>
<th>Curve</th>
<th>Values</th>
</tr>
</thead>
<tbody>
<tr>
<td>EdDSA</td>
<td>RESERVED</td>
<td>0</td>
</tr>
<tr>
<td>EdDSA</td>
<td>EdDSA25519</td>
<td>1 <xref target="RFC8032"/> (<bcp14>RECOMMENDED</bcp14>)</td>
</tr>
<tr>
<td>EdDSA</td>
<td>EdDSA25519ph</td>
<td>2 <xref target="RFC8032"/></td>
</tr>
<tr>
<td>EdDSA</td>
<td>EdDSA448</td>
<td>3 <xref target="RFC8032"/> (<bcp14>RECOMMENDED</bcp14>)</td>
</tr>
<tr>
<td>EdDSA</td>
<td>EdDSA448ph</td>
<td>4 <xref target="RFC8032"/></td>
</tr>
</tbody>
</table>
</section>
<section anchor="HIP_DNS_RR" numbered="true" toc="default"> <name>HIP DNS RR support for EdDSA</name>
<t>
The HIP DNS RR is defined in <xref target="RFC8005"
format="default"/>. It uses the values defined for the 'Algorithm
Type' of the IPSECKEY RR <xref target="RFC4025" format="default"/>
for its PK Algorithm field.
</t>
<t>
The new EdDSA HI uses <xref
target="I-D.moskowitz-ipsecme-ipseckey-eddsa" format="default"/>
for the IPSECKEY RR encoding.
</t>
<!--<t>
The new 'Algorithm Type' value and EdDSA HI uses encoding are assigned per <xref target="RFC8080" format="default"/> for
the IPSECKEY RR encoding: target="RFC9373" format="default"/>.
</t> -->
<!--<artwork name="" type="" align="left" alt="">
<![CDATA[
Value Description
TBD2 (suggested value 4)
An EdDSA key is present, in the format defined in [RFC8080]
]]>
</artwork> -->
</section>
</section>
<section anchor="hit_suite_list" numbered="true" toc="default"> <name>HIT_SUITE_LIST</name>
<t>
The HIT_SUITE_LIST parameter contains a list of the HIT
suite IDs that the HIP Responder supports. The HIT_SUITE_LIST allows the
HIP Initiator to determine which source HIT Suite IDs are
supported by the Responder. The HIT_SUITE_LIST parameter is defined
in <xref target="RFC7401" section="5.2.10" format="default"/>.
</t>
<t>
The following HIT Suite ID is defined:
</t>
<table>
<name>HIT Suite ID</name>
<thead>
<tr>
<th>HIT Suite</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr>
<td>EdDSA/cSHAKE128</td>
<td>5</td>
</tr>
</tbody>
</table>
<t>
<xref target="table_hit_suites" format="default"/> provides more
detail on the above HIT Suite combination.
</t>
<t>
The output of cSHAKE128 is variable per the needs of a specific
ORCHID construction. It is at most 96 bits long and is directly
used in the ORCHID (without truncation).
</t>
<table anchor="table_hit_suites" align="center"> <name>HIT Suites</name>
<thead>
<tr>
<th align="right">Index</th>
<th align="left">Hash function</th>
<th align="left">HMAC</th>
<th align="left">Signature algorithm family</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="right">5</td>
<td align="left">cSHAKE128</td>
<td align="left">KMAC128</td>
<td align="left">EdDSA</td>
<td align="left">EdDSA HI hashed with cSHAKE128, output is variable</td>
</tr>
</tbody>
</table>
</section>
</section>
<section anchor="ORCHIDs" numbered="true" toc="default"> <name>ORCHIDs for HHITs</name>
<t>
This section improves on <xref target="RFC7343"
format="default">ORCHIDv2</xref> with three enhancements:
</t>
<ul spacing="normal">
<li>
the inclusion of an optional "Info" field between the Prefix and ORCHID
Generation Algorithm (OGA) ID.
</li>
<li>
an increase in flexibility on the length of each component in the
ORCHID construction, provided the resulting ORCHID is 128
bits.
</li>
<li>
the use of cSHAKE <xref target="DOI_10.6028_NIST.SP.800-185"
format="default" /> for the hashing
function.
</li>
</ul>
<t>
The cSHAKE XOF hash function based on <xref target="Keccak" format="default">Keccak</xref> is a variable output length hash function.
As such, it does not use the truncation operation that other hashes
need. The invocation of cSHAKE specifies the desired number of
bits in the hash output. Further, cSHAKE has a parameter 'S' as a
customization bit string. This parameter will be used for
including the ORCHID Context Identifier in a standard fashion.
</t>
<t>
This ORCHID construction includes the fields in the ORCHID in the
hash to protect them against substitution attacks. It also provides
for inclusion of additional information (in particular, the
hierarchical bits of the HHIT) in the ORCHID
generation. This should be viewed as an update to <xref
target="RFC7343" format="default">ORCHIDv2</xref>, as it can
produce ORCHIDv2 output.
</t>
<t>
The following subsections define the new general ORCHID construct
with the specific application here for HHITs. Thus items like the
hash size are only discussed in terms of how they impact the HHIT's 64-bit hash. Other
hash sizes should be discussed for other specific uses of this
new ORCHID construct.
</t>
<section anchor="HCGA" numbered="true" toc="default"> <name>Adding Additional Information to the ORCHID</name>
<t>
ORCHIDv2 <xref target="RFC7343" format="default"/> is defined as
consisting of three components:
</t>
<artwork name="" type="" align="left" alt="">
<![CDATA[
ORCHID := Prefix | OGA ID | Encode_96( Hash )
]]>
</artwork>
<t>where:</t>
<dl newline="true">
<dt>Prefix</dt><dd>A constant 28-bit-long bitstring value
(IPv6 prefix)</dd>
<dt>OGA ID</dt><dd>A 4-bit-long identifier for the Hash_function
in use within the specific usage context. When
used for HIT generation, this is the HIT Suite ID.</dd>
<dt>Encode_96( )</dt><dd>An extraction function in which output is obtained
by extracting the middle 96-bit-long bitstring
from the argument bitstring.</dd>
</dl>
<t>
The new ORCHID function is as follows:
</t>
<artwork name="" type="" align="left" alt="">
<![CDATA[
ORCHID := Prefix (p) | Info (n) | OGA ID (o) | Hash (m)
]]>
</artwork>
<t>where:</t>
<dl newline="true">
<dt>Prefix (p)</dt><dd>An IPv6 prefix of length p (max 28 bits long).</dd>
<dt>Info (n)</dt><dd>n bits of information that define a use of the
ORCHID. 'n' can be zero, which means no additional
information.</dd>
<dt>OGA ID (o)</dt><dd>A 4- or 8-bit long identifier for the Hash_function
in use within the specific usage context. When
used for HIT generation, this is the HIT Suite ID
[IANA-HIP]. When used for HHIT generation, this is
the HHIT Suite ID <xref target="HHSI"/>.</dd>
<dt>Hash (m)</dt><dd>An extraction function in which output is 'm' bits.</dd>
</dl>
<t>Sizeof(p + n + o + m) = 128 bits</t>
<t>
The ORCHID length <bcp14>MUST</bcp14> be 128 bits. For HHITs with a 28-bit IPv6
prefix, there are 100 bits remaining to be divided in any manner
between the additional information ("Info"), OGA ID, and the hash
output. Consideration must be given to the size of the hash
portion, taking into account risks like pre-image attacks. 64 bits,
as used here for HHITs, may be as small as is acceptable. The size
of 'n', for the HID, is then determined as what is left; in the
case of the 8-bit OGA used for HHIT, this is 28 bits.
</t>
</section>
<section anchor="Encode" numbered="true" toc="default"> <name>ORCHID Encoding</name>
<t>
This update adds a different encoding process to that currently
used in ORCHIDv2. The input to the hash function explicitly
includes all the header content plus the Context ID. The header
content consists of the Prefix, the Additional Information
("Info"), and the OGA ID (HIT Suite ID). Secondly, the length of the
resulting hash is set by the sum of the length of the ORCHID header
fields. For example, a 28-bit prefix with 28 bits for the HID and
8 bits for the OGA ID leaves 64 bits for the hash length.
</t>
<t>
To achieve the variable length output in a consistent manner, the
cSHAKE hash is used. For this purpose, cSHAKE128 is appropriate.
The cSHAKE function call for this update is:
</t>
<artwork name="" type="" align="left" alt="">
<![CDATA[
cSHAKE128(Input, L, "", Context ID)
Input := Prefix | Additional Information | OGA ID | HOST_ID
L := Length in bits of the hash portion of ORCHID
]]>
</artwork>
<t>
For full Suite ID support (those that use fixed length hashes like
SHA256), the following hashing can be used (Note: this does not
produce output identical to ORCHIDv2 for a /28 prefix and
Additional Information of zero length):
</t>
<artwork name="" type="" align="left" alt="">
<![CDATA[
Hash[L](Context ID | Input)
Input := Prefix | Additional Information | OGA ID | HOST_ID
L := Length in bits of the hash portion of ORCHID
Hash[L] := An extraction function in which output is obtained
by extracting the middle L-bit-long bitstring
from the argument bitstring.
]]>
</artwork>
<t>
The middle L-bits are those bits from the source number where
either there is an equal number of bits before and after these
bits, or there is one more bit prior (when the difference between
hash size and L is odd).
</t>
<t>
HHITs use the Context ID defined in <xref target="HHIT"
format="default"/>.
</t>
<section anchor="HITv2_Encode" numbered="true" toc="default"> <name>Encoding ORCHIDs for HIPv2</name>
<t>
This section discusses how to provide backwards compatibility for
<xref target="RFC7343" format="default">ORCHIDv2</xref> as used in
<xref target="RFC7401" format="default">HIPv2</xref>.
</t>
<t>
For HIPv2, the Prefix is 2001:20::/28 (<xref target="RFC7343"
section="6" format="default"/>). 'Info' is zero-length (i.e., not
included), and OGA ID is 4-bit. Thus, the HI Hash is 96 bits
in length. Further, the Prefix and OGA ID are not included in the
hash calculation. Thus, the following ORCHID calculations for fixed
output length hashes are used:
</t>
<artwork name="" type="" align="left" alt="">
<![CDATA[
Hash[L](Context ID | Input)
Input := HOST_ID
L := 96
Context ID := 0xF0EF F02F BFF4 3D0F E793 0C3C 6E61 74EA
Hash[L] := An extraction function in which output is obtained
by extracting the middle L-bit-long bitstring
from the argument bitstring.
]]>
</artwork>
<t>
For variable output length hashes use:
</t>
<artwork name="" type="" align="left" alt="">
<![CDATA[
Hash[L](Context ID | Input)
Input := HOST_ID
L := 96
Context ID := 0xF0EF F02F BFF4 3D0F E793 0C3C 6E61 74EA
Hash[L] := The L-bit output from the hash function
]]>
</artwork>
<t>
Then, the ORCHID is constructed as follows:
</t>
<artwork name="" type="" align="left" alt="">
<![CDATA[
Prefix | OGA ID | Hash Output
]]>
</artwork>
</section>
</section>
<section anchor="Decode" numbered="true" toc="default"> <name>ORCHID Decoding</name>
<t>
With this update, the decoding of an ORCHID is determined by the
Prefix and OGA ID. ORCHIDv2 <xref target="RFC7343"
format="default"/> decoding is selected when the Prefix is:
2001:20::/28.
</t>
<t>
For HHITs, the decoding is determined by the presence
of the HHIT Prefix as specified in <xref target="IANA_DRIP_reg"
format="default"/>.
</t>
</section>
<section anchor="HITv2_Decode" numbered="true" toc="default"> <name>Decoding ORCHIDs for HIPv2</name>
<t>
This section is included to provide backwards compatibility for <xref
target="RFC7343" format="default">ORCHIDv2</xref> as used for <xref
target="RFC7401" format="default">HIPv2</xref>.
</t>
<t>
HITs are identified by a Prefix of 2001:20::/28. The next 4 bits
are the OGA ID. The remaining 96 bits are the HI Hash.
</t>
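<t>
The following is an added example, not part of this document's normative
text: it packs and decodes the Prefix | Info | OGA ID | Hash layout using
the fixed-length hash path (middle L bits), for both the HIPv2-compatible
encoding and the header-bound HHIT encoding. It uses SHA-256 with Suite ID 1
rather than cSHAKE128; the function names and the HOST_ID bytes are
constructed for illustration.
</t>
<artwork name="" type="" align="left" alt="">
<![CDATA[
```python
import hashlib
import ipaddress

# Constants copied from the page.
HIPV2_PREFIX = 0x2001002  # 2001:20::/28
HHIT_PREFIX = 0x2001003   # 2001:30::/28
HIPV2_CONTEXT_ID = bytes.fromhex("F0EFF02FBFF43D0FE7930C3C6E6174EA")
HHIT_CONTEXT_ID = bytes.fromhex("00B5A69C795DF5D5F0087F56843F2C40")
PREFIX_BITS = 28
# Constructed stand-in for a HOST_ID; not a real Host Identity.
SAMPLE_HOST_ID = bytes(range(64))


def middle_bits(digest, length):
    """Hash[L]: the middle L bits of the digest, as an integer."""
    total = len(digest) * 8
    if not 0 < length <= total:
        raise ValueError("L must be between 1 and the digest size in bits")
    # With an odd surplus, the extra dropped bit is on the leading side.
    after = (total - length) // 2
    return (int.from_bytes(digest, "big") >> after) & ((1 << length) - 1)


def build_orchid(prefix, info, info_bits, oga, oga_bits, host_id,
                 context_id, bind_header):
    """Prefix | Info | OGA ID | Hash, with SHA-256 as the fixed-length hash."""
    header_bits = PREFIX_BITS + info_bits + oga_bits
    hash_bits = 128 - header_bits
    if prefix >> PREFIX_BITS or info >> info_bits or oga >> oga_bits:
        raise ValueError("a header field does not fit its width")
    header = (((prefix << info_bits) | info) << oga_bits) | oga
    if bind_header:
        # Updated construct: Input := Prefix | Info | OGA ID | HOST_ID
        if header_bits % 8:
            raise ValueError("this example only hashes byte-aligned headers")
        hashed = header.to_bytes(header_bits // 8, "big") + host_id
    else:
        # HIPv2 compatibility: Input := HOST_ID
        hashed = host_id
    digest = hashlib.sha256(context_id + hashed).digest()
    value = (header << hash_bits) | middle_bits(digest, hash_bits)
    return ipaddress.IPv6Address(value)


def decode_orchid(address):
    """Select the field layout from the Prefix, as the decoding text says."""
    value = int(ipaddress.IPv6Address(address))
    prefix = value >> (128 - PREFIX_BITS)
    if prefix == HIPV2_PREFIX:
        return {"kind": "HIT", "info": 0, "info_bits": 0,
                "oga": (value >> 96) & 0xF, "oga_bits": 4,
                "hash": value & ((1 << 96) - 1)}
    if prefix == HHIT_PREFIX:
        return {"kind": "HHIT", "info": (value >> 72) & 0xFFFFFFF,
                "info_bits": 28, "oga": (value >> 64) & 0xFF, "oga_bits": 8,
                "hash": value & ((1 << 64) - 1)}
    raise ValueError("prefix is neither 2001:20::/28 nor 2001:30::/28")


def matches_host_id(address, host_id):
    """Recompute the ORCHID from its own header fields and the HOST_ID."""
    fields = decode_orchid(address)
    is_hhit = fields["kind"] == "HHIT"
    rebuilt = build_orchid(
        HHIT_PREFIX if is_hhit else HIPV2_PREFIX,
        fields["info"], fields["info_bits"],
        fields["oga"], fields["oga_bits"], host_id,
        HHIT_CONTEXT_ID if is_hhit else HIPV2_CONTEXT_ID,
        bind_header=is_hhit)
    return rebuilt == ipaddress.IPv6Address(address)


def flip_bit(address, bit):
    """Return the address with one bit inverted (bit 0 is the lowest)."""
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address(address)) ^ (1 << bit))


if __name__ == "__main__":
    hhit = build_orchid(HHIT_PREFIX, 0x0028014, 28, 1, 8, SAMPLE_HOST_ID,
                        HHIT_CONTEXT_ID, bind_header=True)
    print(hhit, matches_host_id(hhit, SAMPLE_HOST_ID))
    # Changing one HID bit invalidates the hash, because the header is hashed.
    print(flip_bit(hhit, 72), matches_host_id(flip_bit(hhit, 72), SAMPLE_HOST_ID))
```
]]>
</artwork>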
</section>
</section>
</section>
<section anchor="HHIT_RID" numbered="true" toc="default"> <name>HHITs as DRIP Entity Tags</name>
<t>
HHITs for UAS ID (called DETs) use the new EdDSA/SHAKE128 HIT
suite defined in <xref target="EdDSA" format="default"/> (GEN-2 in
<xref target="RFC9153" format="default" />). This hierarchy,
cryptographically bound within the HHIT, provides the information
for finding the UA's HHIT registry (ID-3 in <xref target="RFC9153"
format="default" />).
</t>
<t anchor="IDtypes">
The ASTM Standard Specification for Remote ID and Tracking <xref
target="F3411-22a" format="default"/> adds support for DETs. This
is only available via the new UAS ID type 4, "Specific Session ID
(SSI)".
</t>
<t>
This new SSI uses the first byte of the 20-byte UAS ID for the SSI
Type, thus restricting the UAS ID of this type to a maximum of 19
bytes. The SSI Types initially assigned are:
</t>
<dl>
<dt>SSI 1:</dt><dd>IETF - Drone Remote ID Protocol (DRIP) entity ID.</dd>
<dt>SSI 2:</dt><dd>3GPP - IEEE 1609.2-2016 HashedID8</dd>
</dl>
<section anchor="DET_Nontransfer" numbered="true" toc="default"> <name>Nontransferability of DETs</name>
<t>
A HI and its DET <bcp14>SHOULD NOT</bcp14> be transferable between UA or even
between replacement electronics (e.g., replacement of damaged
controller CPU) for a UA. The private key for the HI <bcp14>SHOULD</bcp14> be
held in a cryptographically secure component.
</t>
</section>
<section anchor="CTA_Encode" numbered="true" toc="default"> <name>Encoding HHITs in CTA 2063-A Serial Numbers</name>
<t>
In some cases, it is advantageous to encode HHITs as a CTA 2063-A
Serial Number <xref target="CTA2063A" format="default"/>. For
example, the FAA Remote ID Rules <xref target="FAA_RID"
format="default"/> state that a Remote ID Module (i.e., not
integrated with UA controller) must only use "the serial number of
the unmanned aircraft"; CTA 2063-A meets this requirement.
</t>
<t>
Encoding a HHIT within the CTA 2063-A format is not simple. The
CTA 2063-A format is defined as follows:
</t>
<artwork name="" type="" align="left" alt="">
<![CDATA[
Serial Number := MFR Code | Length Code | MFR SN
]]>
</artwork>
<t>where:</t>
<dl newline="true">
<dt>MFR Code</dt><dd>4 character code assigned by ICAO
(International Civil Aviation Organization,
a UN Agency).</dd>
<dt>Length Code</dt><dd>1 character Hex encoding of MFR SN length (1-F).</dd>
<dt>MFR SN</dt><dd>US-ASCII alphanumeric code (0-9, A-Z except O and I).
Maximum length of 15 characters.</dd>
</dl>
<t>
There is no place for the HID; there will need to be a mapping
service from Manufacturer Code to HID. The HHIT Suite ID and
ORCHID hash will take the full 15 characters (as described below)
of the MFR SN field.
</t>
<t>
A character in a CTA 2063-A Serial Number "shall include any
combination of digits and uppercase letters, except the letters O
and I, but may include all digits". This would allow for a Base34
encoding of the binary HHIT Suite ID and ORCHID hash in 15
characters. Although, programmatically, such a conversion is not
hard, other technologies (e.g., credit card payment systems) that
have used such odd base encoding have had performance challenges.
Thus, here a Base32 encoding will be used by also excluding the
letters Z and S (because they are too similar to the digits 2 and 5, respectively). See <xref
target="Base32" format="default"/> for the encoding scheme.
</t>
<t>
The low-order 72 bits (HHIT Suite ID | ORCHID hash) of the HHIT
<bcp14>SHALL</bcp14> be left-padded with 3 bits of zeros. This 75-bit number will
be encoded into the 15-character MFR SN field using the
digit/letters as described above. The manufacturer <bcp14>MUST</bcp14> use a Length Code of F
(15).
</t>
<t>
Note: The manufacturer <bcp14>MAY</bcp14> use the same Manufacturer Code with a
Length Code of 1 - E (1 - 14) for other types of serial numbers.
</t>
<t>
Using the sample DET from <xref target="S5-DET"
format="default"/> that is for HDA=20 under RAA=10 and having the
ICAO CTA MFR Code of 8653, the 20-character CTA 2063-A Serial
Number would be:
</t>
<artwork name="" type="" align="left" alt="">
<![CDATA[
8653F02T7B8RA85D19LX
]]>
</artwork>
<t>
A mapping service (e.g., DNS) <bcp14>MUST</bcp14> provide a trusted (e.g., via
DNSSEC <xref target="RFC4034" format="default"/>) conversion of the
4-character Manufacturer Code to high-order 58 bits (Prefix | HID)
of the HHIT. That is, given a Manufacturer Code, a returned
Prefix|HID value is reliable. Definition of this mapping service
is out of scope of this document.
</t>
<t>
It should be noted that this encoding would only be used in the
Basic ID Message (<xref target="RFC9153" section="2.2"
format="default"/>). The DET is used in the Authentication Messages
(i.e., the messages that provide framing for authentication data
only).
</t>
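<t>
The following is an added example, not part of this document's normative
text: it encodes a DET's low-order 72 bits into a CTA 2063-A Serial Number
and validates and decodes one back. The ascending symbol order of the
alphabet is an assumption that reproduces the sample serial number above;
the function names and the in-memory mapping table, which stands in for the
trusted mapping service, are constructed for illustration.
</t>
<artwork name="" type="" align="left" alt="">
<![CDATA[
```python
import ipaddress

# Digits and upper-case letters minus O, I, Z and S, as the page describes.
# Assumption of this example: symbols are valued in ascending order; that
# ordering reproduces the serial number shown on the page.
CTA_BASE32 = "0123456789ABCDEFGHJKLMNPQRTUVWXY"
SERIAL_LENGTH = 20          # 4 (MFR Code) + 1 (Length Code) + 15 (MFR SN)
LOW_MASK = (1 << 72) - 1    # HHIT Suite ID | ORCHID hash

# Constructed stand-in for the trusted mapping service: the bits above the
# low-order 72 (Prefix | HID) of the page's sample DET, keyed by MFR Code.
SAMPLE_MAPPING = {"8653": 0x20010030028014}


def det_to_serial(det, mfr_code):
    """Encode the Suite ID and hash of a DET as MFR Code | F | MFR SN."""
    if len(mfr_code) != 4 or not mfr_code.isalnum():
        raise ValueError("MFR Code must be 4 alphanumeric characters")
    low72 = int(ipaddress.IPv6Address(det)) & LOW_MASK
    # 3 zero bits + 72 bits = 75 bits = 15 symbols of 5 bits, MSB first.
    mfr_sn = "".join(CTA_BASE32[(low72 >> shift) & 0x1F]
                     for shift in range(70, -1, -5))
    return mfr_code + "F" + mfr_sn


def parse_det_serial(serial):
    """Return (mfr_code, suite_id, hash64) or raise ValueError."""
    if len(serial) != SERIAL_LENGTH:
        raise ValueError("an encoded HHIT serial is exactly 20 characters")
    mfr_code, length_code, mfr_sn = serial[:4], serial[4], serial[5:]
    if length_code != "F":
        raise ValueError("Length Code must be F (15) for an encoded HHIT")
    value = 0
    for char in mfr_sn:
        index = CTA_BASE32.find(char)
        if index < 0:
            raise ValueError("character %r is not in the alphabet" % char)
        value = (value << 5) | index
    if value >> 72:
        raise ValueError("the 3 padding bits must be zero")
    return mfr_code, value >> 64, value & ((1 << 64) - 1)


def is_valid_det_serial(serial):
    """True when the serial number passes every structural check."""
    try:
        parse_det_serial(serial)
    except ValueError:
        return False
    return True


def rebuild_det(serial, prefix_hid_by_mfr):
    """Join the mapped Prefix | HID bits with the decoded low-order 72 bits."""
    mfr_code, suite_id, hash64 = parse_det_serial(serial)
    if mfr_code not in prefix_hid_by_mfr:
        raise ValueError("no trusted Prefix | HID mapping for this MFR Code")
    upper = prefix_hid_by_mfr[mfr_code]
    return ipaddress.IPv6Address((upper << 72) | (suite_id << 64) | hash64)


if __name__ == "__main__":
    serial = det_to_serial("2001:30:280:1405:a3ad:1952:ad0:a69e", "8653")
    print(serial)
    print(rebuild_det(serial, SAMPLE_MAPPING))
```
]]>
</artwork>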
</section>
<section numbered="true" toc="default"> <name>Remote ID DET as one Class of HHITs</name>
<t>
UAS Remote ID DET may be one of a number of uses of HHITs.
However, it is out of the scope of the document to elaborate on
other uses of HHITs. As such these follow-on uses need to be
considered in allocating the RAAs (<xref target="RAA"
format="default"/>) or HHIT prefix assignments (<xref target="IANA"
format="default"/>).
</t>
</section>
<section numbered="true" toc="default"> <name>Hierarchy in ORCHID Generation</name>
<t>
ORCHIDs, as defined in <xref target="RFC7343" format="default"/>,
do not cryptographically bind an IPv6 prefix or the OGA ID (the
HIT Suite ID) to the hash of the HI. At the time
ORCHID was being developed, the rationale was that attacks against these fields are
Denial-of-Service (DoS) attacks against protocols using ORCHIDs and
thus it was up to those protocols to address the issue.
</t>
<t>
HHITs, as defined in <xref target="ORCHIDs" format="default"/>,
cryptographically bind all content in the ORCHID through the
hashing function. A recipient of a DET that has the underlying HI
can directly trust and act on all content in the HHIT. This
provides a strong, self-claim for using the hierarchy to find the
DET Registry based on the HID (<xref target="DET_Regy"
format="default"/>).
</t>
</section>
<section anchor="DET_Regy" numbered="true" toc="default"> <name>DRIP Entity Tag (DET) Registry</name>
<t>
DETs are registered to HDAs. The registration process defined in <xref
target="I-D.ietf-drip-registries" format="default"/>
ensures DET global uniqueness (ID-4 in <xref
target="RFC9153" sectionFormat="of" section="4.2.1"/>). It also allows
the mechanism to create UAS public/private data that are associated
with the DET (REG-1 and REG-2 in <xref target="RFC9153"
sectionFormat="of" section="4.4.1" />).
</t>
</section>
<section anchor="RID_Auth" numbered="true" toc="default"> <name>Remote ID Authentication Using DETs</name>
<t>
The EdDSA25519 HI (<xref target="EdDSA" format="default"/>)
underlying the DET can be used in an 88-byte self-proof evidence
(timestamps, HHIT, and signature of these) to provide proof to
Observers of Remote ID ownership (GEN-1 in <xref target="RFC9153"
sectionFormat="of" section="4.1.1"/>). In practice, the Wrapper and Manifest
authentication formats (Sections <xref target="I-D.ietf-drip-auth"
section="6.3.3" sectionFormat="bare"/> and <xref
target="I-D.ietf-drip-auth" section="6.3.4" sectionFormat="bare"/>
of <xref target="I-D.ietf-drip-auth" format="default"/>) implicitly
provide this self-proof evidence. A lookup service like DNS can
provide the HI and registration proof (GEN-3 in <xref
target="RFC9153" format="default" />).
</t>
<t>
Similarly, for Observers without Internet access, a 200-byte
offline self-endorsement (<xref target="I-D.ietf-drip-auth"
section="3.1.2" format="default"/>) could provide the same Remote
ID ownership proof. This endorsement would contain the HDA's
signing of the UA's HHIT, itself signed by the UA's HI. Only a
small cache (also <xref target="I-D.ietf-drip-auth" section="3.1.2"
format="default"/>) that contains the HDA's HI/HHIT and HDA
meta-data is needed by the Observer. However, such an object would
just fit in the ASTM Authentication Message (<xref target="RFC9153"
section="2.2" format="default"/>) with no room for growth. In
practice, <xref target="I-D.ietf-drip-auth" format="default"/>
provides this offline self-endorsement in two authentication
messages: the HDA's endorsement of the UA's HHIT registration in a
Link authentication message whose hash is sent in a Manifest
authentication message.
</t>
<t>
Hashes of any previously sent ASTM messages can be placed in a
Manifest authentication message (GEN-2 in <xref
target="RFC9153" format="default" />). When a Location/Vector
Message (i.e., a message that provides UA location, altitude,
heading, speed, and status) hash along with the hash of the HDA's
UA HHIT endorsement are sent in a Manifest authentication message
and the Observer can visually see a UA at the claimed location, the
Observer has a very strong proof of the UA's Remote ID.
</t>
<t>
This behavior and how to mix these authentication messages into
the flow of UA operation messages are detailed in <xref
target="I-D.ietf-drip-auth" format="default"/>.
</t>
</section>
</section>
<section anchor="HHIT_DNS" numbered="true" toc="default"> <name>DRIP Entity Tags (DETs) in DNS</name>
<t>
There are two approaches for storing and retrieving DETs using DNS.
The following are examples of how this may be done. This
serves as guidance to the actual deployment of DETs in DNS.
However, this document does not provide a recommendation about which approach to use.
Further
DNS-related considerations are covered in <xref
target="I-D.ietf-drip-registries" format="default"/>.
</t>
<ul>
<li>
As FQDNs, for example, "20010030.hhit.arpa.".
</li>
<li>
Reverse DNS lookups as IPv6 addresses per <xref
target="RFC8005" format="default"/>.
</li>
</ul>
<t>
A DET can be used to construct an FQDN that points to the USS
that has the public/private information for the UA (REG-1 and REG-2
in <xref target="RFC9153" sectionFormat="of" section="4.4.1"/>). For example, the
USS for the HHIT could be found via the following: assume the RAA
is decimal 100 and the HDA is decimal 50. The PTR record is
constructed as follows:
</t>
<artwork name="" type="" align="left" alt="">
<![CDATA[
100.50.20010030.hhit.arpa. IN PTR foo.uss.example.org.
]]>
</artwork>
<t>
The HDA <bcp14>SHOULD</bcp14> provide DNS service for its zone and provide the
HHIT detail response.
</t>
<t>
The DET reverse lookup can be a standard IPv6 reverse lookup, or
it can leverage off the HHIT structure. Using the allocated prefix
for HHITs 2001:30::/28 (see <xref
target="Prefix" format="default" />), the RAA is decimal 10 and the
HDA is decimal 20, the DET is:
</t>
<artwork anchor="S5-DET" name="" type="" align="left" alt="">
<![CDATA[
2001:30:280:1405:a3ad:1952:ad0:a69e
]]>
</artwork>
<t>
See <xref target="DET_Encoding" format="default" /> for how the
upper 64 bits, above, are constructed. A DET reverse lookup could
be:
</t>
<artwork name="" type="" align="left" alt="">
<![CDATA[
a69e.0ad0.1952.a3ad.1405.0280.20.10.20010030.hhit.arpa.
]]>
</artwork>
<t>
or:
</t>
<artwork name="" type="" align="left" alt="">
<![CDATA[
a3ad19520ad0a69e.5.20.10.20010030.hhit.arpa.
]]>
</artwork>
<t>
A 'standard' ip6.arpa RR has the advantage of only one Registry
service supported.
</t>
<artwork name="" type="" align="left" alt="">
<![CDATA[
$ORIGIN 5.0.4.1.0.8.2.0.0.3.0.0.1.0.0.2.ip6.arpa.
e.9.6.a.0.d.a.0.2.5.9.1.d.a.3.a IN PTR
a3ad1952ad0a69e.20.10.20010030.hhit.arpa.
]]>
</artwork>
<t>
This DNS entry for the DET can also provide a revocation service.
For example, instead of returning the HI RR it may return some
record showing that the HI (and thus DET) has been revoked.
Guidance on revocation service will be provided in <xref
target="I-D.ietf-drip-registries" format="default"/>.
</t>
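<t>
The following is an added example, not part of this document's normative
text: it derives the two hhit.arpa lookup names and the ip6.arpa owner name
for a DET, and checks that a hash-form hhit.arpa name decodes back to the
address it was queried for. Label order follows the two DET reverse lookup
samples above; the 14-bit RAA / 14-bit HDA split of the HID, the padding of
the prefix label, and all function names are assumptions of this example.
</t>
<artwork name="" type="" align="left" alt="">
<![CDATA[
```python
import ipaddress

HHIT_PREFIX = 0x2001003      # 2001:30::/28, from the page
HEX_DIGITS = "0123456789abcdef"


def zone_label():
    # "20010030": the 28-bit prefix padded with four zero bits (assumption).
    return "%08x" % (HHIT_PREFIX << 4)


def det_fields(det):
    """Split a DET into RAA, HDA, HHIT Suite ID and hash."""
    value = int(ipaddress.IPv6Address(det))
    if value >> 100 != HHIT_PREFIX:
        raise ValueError("address is not under 2001:30::/28")
    hid = (value >> 72) & 0xFFFFFFF
    # Assumption: the HID is a 14-bit RAA followed by a 14-bit HDA, which
    # gives RAA=10 and HDA=20 for the page's sample DET.
    return {"raa": hid >> 14, "hda": hid & 0x3FFF,
            "suite_id": (value >> 64) & 0xFF,
            "hash": value & ((1 << 64) - 1)}


def det_dns_names(det):
    """Return the lookup names shown on the page for one DET."""
    address = ipaddress.IPv6Address(det)
    fields = det_fields(address)
    tail = [str(fields["hda"]), str(fields["raa"]), zone_label(), "hhit.arpa."]
    groups = address.exploded.split(":")
    nibbles = address.reverse_pointer.split(".")   # 32 nibbles, ip6, arpa
    return {
        # Groups 3 to 8 of the address, last group first.
        "grouped": ".".join(groups[:1:-1] + tail),
        # 64-bit hash, then the Suite ID in decimal.
        "hash": ".".join(["%016x" % fields["hash"],
                          str(fields["suite_id"])] + tail),
        # Standard nibble-reversed name, split at the 64-bit boundary.
        "ip6_owner": ".".join(nibbles[:16]),
        "ip6_origin": ".".join(nibbles[16:]) + ".",
    }


def det_from_hash_name(name):
    """Rebuild the DET that a hash-form hhit.arpa name stands for."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 7 or labels[4:] != [zone_label(), "hhit", "arpa"]:
        raise ValueError("not a hash-form hhit.arpa name")
    hash_hex, suite, hda, raa = labels[:4]
    if len(hash_hex) != 16 or any(c not in HEX_DIGITS for c in hash_hex):
        raise ValueError("hash label must be 16 hex digits")
    suite, hda, raa = int(suite), int(hda), int(raa)
    if not (0 <= suite < 256 and 0 <= hda < 1 << 14 and 0 <= raa < 1 << 14):
        raise ValueError("a decimal label is out of range")
    value = ((HHIT_PREFIX << 100) | (raa << 86) | (hda << 72)
             | (suite << 64) | int(hash_hex, 16))
    return ipaddress.IPv6Address(value)


def name_matches_det(name, det):
    """True when a returned hhit.arpa name is consistent with the DET."""
    try:
        return det_from_hash_name(name) == ipaddress.IPv6Address(det)
    except ValueError:
        return False


if __name__ == "__main__":
    for kind, name in det_dns_names("2001:30:280:1405:a3ad:1952:ad0:a69e").items():
        print(kind, name)
```
]]>
</artwork>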
</section>
<section anchor="Other_HHIT" numbered="true" toc="default"> <name>Other UAS Traffic Management (UTM) Uses of HHITs Beyond DET</name>
<t>
HHITs will be used within the UTM architecture beyond DET (and USS
in UA ID registration and authentication), for example, as a Ground
Control Station (GCS) HHIT ID. Some GCS will use its HHIT for
securing its Network Remote ID (to USS HHIT) and Command and
Control (C2, <xref target="RFC9153" section="2.2.2"
format="default" />) transports.
</t>
<t>
Observers may have their own HHITs to facilitate UAS information
retrieval (e.g., for authorization to private UAS data). They
could also use their HHIT for establishing a HIP connection with
the UA Pilot for direct communications per authorization. Details
about such issues are out of the scope of this document.
</t>
</section>
<section anchor="Reqs" numbered="true" toc="default"> <name>Summary of Addressed DRIP Requirements</name>
<t>
This document provides the details to solutions for GEN 1 - 3, ID 1
- 5, and REG 1 - 2 requirements that are described in <xref
target="RFC9153" format="default" />.
</t>
</section>
<section anchor="IANA" numbered="true" toc="default"> <name>IANA Considerations</name>
<section anchor="IANA-DET-prefix" numbered="true" toc="default"> <name>New Well-Known IPv6 Prefix for DETs</name>
<t>
Since the DET format is not compatible with <xref target="RFC7343"
format="default"> </xref>, IANA has allocated the following
prefix per this template for the "IANA IPv6 Special-Purpose Address
Registry" <xref target="IPv6-SPECIAL" />.
</t>
<dl newline="true">
<dt>Address Block:</dt>
<dd>2001:30::/28</dd>
<dt>Name:</dt>
<dd>Drone Remote ID Protocol Entity Tags (DETs) Prefix</dd>
<dt>Reference:</dt>
<dd>This document</dd>
<dt>Allocation Date:</dt>
<dd>2022-12</dd>
<dt>Termination Date:</dt>
<dd>N/A</dd>
<dt>Source:</dt>
<dd>True</dd>
<dt>Destination:</dt>
<dd>True</dd>
<dt>Forwardable:</dt>
<dd>True</dd>
<dt>Globally Reachable:</dt>
<dd>True</dd>
<dt>Reserved-by-Protocol:</dt>
<dd>False</dd>
</dl>
</section>
<section anchor="IANA_DRIP_reg" numbered="true" toc="default"> <name>New IANA DRIP Registry</name>
<t>
IANA has created the "Drone
Remote ID Protocol" registry. The following two subregistries have been created within the "Drone Remote ID Protocol" group.
</t>
<section anchor="IANA_HHIT_PRE" numbered="true" toc="default">
<name>HHIT Prefixes</name>
<t> Initially, for DET use, one 28-bit prefix has been
assigned out of the IANA IPv6 Special Purpose Address
Block, namely 2001::/23, as per <xref target="RFC6890"
format="default"> </xref>. Future additions to this
subregistry are to be made through Expert Review (<xref
target="RFC8126" section="4.5" format="default"/>).
Entries with network-specific prefixes may be present in
the registry.
</t>
<table>
<name>Registered DET IPv6 Prefix</name>
<thead>
<tr>
<th>HHIT Use</th>
<th>Bits</th>
<th>Value</th>
<th>Reference</th>
</tr>
</thead>
<tbody>
<tr>
<td>DET</td>
<td>28</td>
<td>2001:30::/28</td>
<td>RFC 9374</td>
</tr>
</tbody>
</table>
<t>
Criteria that should be applied by the designated experts include
determining whether the proposed registration duplicates existing
functionality and whether the registration description is clear and
fits the purpose of this registry.
</t>
<t>
Registration requests <bcp14>MUST</bcp14> be sent to <eref
target="drip-reg-review@ietf.org"/> and be evaluated within a
three-week review period on the advice of one or more designated
experts. Within that review period, the designated experts will
either approve or deny the registration request and communicate their
decision to the review list and IANA. Denials should include an
explanation and, if applicable, suggestions as to how to successfully register the
prefix.
</t>
<t>
Registration requests that are undetermined for a period longer
than 28 days can be brought to the IESG's attention for resolution.
</t>
</section>
<section anchor="HHIT_Suite_IDs" numbered="true" toc="default">
<name>HHIT Suite IDs</name>
<t> This 8-bit value subregistry is a superset of the 4/8-bit
"HIT Suite ID" subregistry of the "Host Identity Protocol
(HIP) Parameters" registry in <xref target="IANA-HIP"
format="default"/>. Future additions to this subregistry
are to be made through IETF Review (<xref target="RFC8126"
section="4.8" format="default"/>). The following HHIT
Suite IDs are defined.
</t>
<table>
<name>Registered HHIT Suite IDs</name>
<thead>
<tr>
<th>HHIT Suite</th>
<th>Value</th>
<th>Reference</th>
</tr>
</thead>
<tbody>
<tr>
<td>RESERVED</td>
<td>0</td>
<td>RFC 9374</td>
</tr>
<tr>
<td>RSA,DSA/SHA-256</td>
<td>1</td>
<td><xref target="RFC7401"/></td>
</tr>
<tr>
<td>ECDSA/SHA-384</td>
<td>2</td>
<td><xref target="RFC7401"/></td>
</tr>
<tr>
<td>ECDSA_LOW/SHA-1</td>
<td>3</td>
<td><xref target="RFC7401"/></td>
</tr>
<tr>
<td>EdDSA/cSHAKE128</td>
<td>5</td>
<td>RFC 9374</td>
</tr>
<tr>
<td>HDA Private Use 1</td>
<td>254</td>
<td>RFC 9374</td>
</tr>
<tr>
<td>HDA Private Use 2</td>
<td>255</td>
<td>RFC 9374</td>
</tr>
</tbody>
</table>
<t>
The HHIT Suite ID values 1 - 31 are reserved for IDs that <bcp14>MUST</bcp14>
be replicated as HIT Suite IDs (<xref target="IANA_HIP_reg"
format="default"/>) as is 5 here. Higher values (32 - 255)
are for those Suite IDs that need not or cannot be accommodated
as a HIT Suite ID.
</t>
</section>
</section>
<section anchor="IANA_CGA_reg" numbered="true" toc="default"> <name>IANA CGA Registry Update</name>
<t>
This document has been added as a
reference for the "CGA Extension Type Tags" registry <xref
target="IANA-CGA" format="default"/>. IANA has the
following Context ID in this registry:
</t>
<dl newline="true">
<dt>Context ID:</dt>
<dd>
The Context ID (<xref target="HHIT" format="default"/>)
shares the namespace introduced for CGA Type Tags. The
following Context ID is defined per the rules in <xref target="RFC3972"
section="8" format="default"/>:
</dd>
</dl>
<table anchor="context_id">
<name>CGA Extension Type Tags</name>
<thead>
<tr>
<th>CGA Type Tag</th>
<th>Reference</th>
</tr>
</thead>
<tbody>
<tr>
<td>0x00B5 A69C 795D F5D5 F008 7F56 843F 2C40</td>
<td>RFC 9374</td>
</tr>
</tbody>
</table>
</section>
<section anchor="IANA_HIP_reg" numbered="true" toc="default"> <name>IANA HIP Registry Updates</name>
<t>IANA has updated the
"Host Identity Protocol (HIP) Parameters" registry <xref target="IANA-HIP" format="default"/>
as described below.</t>
<dl newline="true">
<dt>Host ID:</dt>
<dd>
This document defines the new EdDSA Host ID with value 13
(<xref target="host_id" format="default"/>)
in the "HI Algorithm" subregistry of the "Host Identity
Protocol (HIP) Parameters" registry.
</dd>
</dl>
<table>
<name>Registered HI Algorithm</name>
<thead>
<tr>
<th>Algorithm
Profile</th>
<th>Value</th>
<th>Reference</th>
</tr>
</thead>
<tbody>
<tr>
<td>EdDSA</td>
<td>13</td>
<td><xref target="RFC8032"/></td>
</tr>
</tbody>
</table>
<dl newline="true">
<dt>EdDSA Curve Label:</dt>
<dd>
This document specifies a new algorithm-specific
subregistry named "EdDSA Curve Label". The values for this
subregistry are defined in <xref target="HIP_EdDSA_Parm"
format="default"/>. Future additions to this subregistry
are to be made through IETF Review (<xref target="RFC8126"
section="4.8" format="default"/>).
</dd>
</dl>
<table>
<name>Registered EdDSA Curve Labels</name>
<thead>
<tr>
<th>Algorithm</th>
<th>Curve</th>
<th>Value</th>
<th>Reference</th>
</tr>
</thead>
<tbody>
<tr>
<td>EdDSA</td>
<td>RESERVED</td>
<td>0</td>
<td>RFC 9374</td>
</tr>
<tr>
<td>EdDSA</td>
<td>EdDSA25519</td>
<td>1</td>
<td><xref target="RFC8032"/></td>
</tr>
<tr>
<td>EdDSA</td>
<td>EdDSA25519ph</td>
<td>2</td>
<td><xref target="RFC8032"/></td>
</tr>
<tr>
<td>EdDSA</td>
<td>EdDSA448</td>
<td>3</td>
<td><xref target="RFC8032"/></td>
</tr>
<tr>
<td>EdDSA</td>
<td>EdDSA448ph</td>
<td>4</td>
<td><xref target="RFC8032"/></td>
</tr>
<tr>
<td></td>
<td></td>
<td>5-65535</td>
<td>Unassigned</td>
</tr>
</tbody>
</table>
<dl newline="true">
<dt>HIT Suite ID:</dt>
<dd>
This document defines the new HIT Suite of EdDSA/cSHAKE
with value 5 (<xref
target="hit_suite_list" format="default"/>) in the "HIT
Suite ID" subregistry of the "Host Identity Protocol (HIP)
Parameters" registry.
</dd>
</dl>
<table>
<name>Registered HIT Suite of EdDSA/cSHAKE</name>
<thead>
<tr>
<th>Suite ID</th>
<th>Value</th>
<th>Reference</th>
</tr>
</thead>
<tbody>
<tr>
<td>EdDSA/cSHAKE128</td>
<td>5</td>
<td>RFC 9374</td>
</tr>
</tbody>
</table>
<ul empty="true">
<li>
The HIT Suite ID 4-bit values 1 - 15 and 8-bit values 0x00 -
0x0F <bcp14>MUST</bcp14> be replicated as HHIT Suite IDs (<xref
target="IANA_DRIP_reg" format="default"/>) as is 5 here.
</li>
</ul>
<!-- <dl newline="true">
<dt>HIT Suite ID eight-bit encoding:</dt>
<dd>
This document defines the first four-bit encoded HIT Suite
IDs as defined in <xref target="RFC7401" section="5.2.10"
format="default"/>. These are the new HDA domain HIT
Suites with values TBD4 and TBD5 (suggested values: 0x0E
and 0x0F) (<xref target="HDA_OGA"
format="default"/>). IANA is requested to expand the "HIT
Suite ID" subregistry of the "Host Identity Protocol (HIP)
Parameters" registry to show both the four-bit and
eight-bit values as shown in <xref target="RFC7401"
section="5.2.10" format="default"/> and add these new
values that only have 8-bit representations.
</dd> -->
</section>
<!--<section anchor="IANA_IPSECKEY_reg" numbered="true" toc="default"> <name>IANA IPSECKEY Registry Update</name>
<t>
This document requests IANA to make the following change to the
"IPSECKEY Resource Record Parameters" <xref
target="IANA-IPSECKEY" format="default"/> registry:
</t>
<dl newline="true">
<dt>IPSECKEY:</dt>
<dd>
This document defines the new IPSECKEY value TBD2
(suggested: 4) (<xref target="HIP_DNS_RR"
format="default"/>) in the "Algorithm Type Field"
subregistry of the "IPSECKEY Resource Record Parameters"
registry.
</dd>
</dl>
<artwork name="" type="" align="left" alt="">
<![CDATA[
Value Description Reference
TBD2 (suggested value 4) [This]
An EdDSA key is present, in the format defined in [RFC8080]
]]>
</artwork>
</section> -->
</section>
<section anchor="security-considerations" numbered="true" toc="default"> <name>Security Considerations</name>
<t>
The 64-bit hash in HHITs presents a real risk of second pre-image
cryptographic hash attack (see <xref target="Collision"
format="default"/>). There are no known (to the authors) studies of
hash size to impact on cryptographic hash attacks.
</t>
<t>
However, with today's computing power, producing 2<sup>64</sup> EdDSA
keypairs and then generating the corresponding HHIT is economically
feasible. Consider that a *single* bitcoin mining ASIC can do on
the order of 2<sup>46</sup> sha256 hashes per second or about 2<sup>62</sup> hashes in a
single day. The point being, 2<sup>64</sup> is not prohibitive, especially
as this can be done in parallel.
</t>
<t>
Note that the 2<sup>64</sup> attempts is for stealing a
specific HHIT. Consider a scenario of a street photography company
with 1,024 UAs (each with its own HHIT); an attacker may well be
satisfied stealing any one of them. Then, rather than needing to
satisfy a 64-bit condition on the cSHAKE128 output, an attacker
only needs to satisfy what is equivalent to a 54-bit condition
(since there are 2<sup>10</sup> more opportunities for success).
</t>
<t>
Thus, although the probability of a collision or pre-image attack
is low in a collection of 1,024 HHITs out of a total population of
2<sup>64</sup> (per <xref target="Collision" format="default"/>), it is
computationally and economically feasible. Therefore, the HHIT
registration is a <bcp14>MUST</bcp14> and HHIT/HI registration validation <bcp14>SHOULD</bcp14>
be performed by Observers either through registry lookups or via
broadcasted registration proofs (<xref target="I-D.ietf-drip-auth"
section="3.1.2" format="default"/>).
</t>
<t>
The DET Registry services effectively block attempts to "take over"
or "hijack" a DET. It does not stop a rogue attempting to
impersonate a known DET. This attack can be mitigated by the
receiver of messages containing DETs using DNS to find the HI for
the DET. As such, use of DNSSEC by the DET registries is
recommended to provide trust in HI retrieval.
</t>
<t>
Another mitigation of HHIT hijacking is when the HI owner (UA) supplies
an object containing the HHIT that is signed by the HI private key of the
HDA such as detailed in <xref
target="I-D.ietf-drip-auth" format="default"/>.
</t>
<t>
The two risks with HHITs are the use of an invalid HID
and forced HIT collisions. The use of a DNS zone (e.g.,
"det.arpa.") is a strong protection against invalid HIDs. Querying
an HDA's RVS for a HIT under the HDA protects against talking to
unregistered clients. The Registry service <xref
target="I-D.ietf-drip-registries" format="default"/>,
through its HHIT uniqueness enforcement, provides against forced or
accidental HHIT hash collisions.
</t>
<t>
Cryptographically Generated Addresses (CGAs) provide an assurance
of uniqueness. This is two-fold. The address (in this case the
UAS ID) is a hash of a public key and a Registry hierarchy naming. Collision
resistance (and more importantly, the implied second-preimage
resistance) makes attacks statistically challenging.
A registration process <xref
target="I-D.ietf-drip-registries" format="default"/> within
the HDA provides a level of assured uniqueness unattainable without
mirroring this approach.
</t>
<t>
The second aspect of assured uniqueness is the digital signing
(evidence) process of the DET by the HI private key and the
further signing (evidence) of the HI public key by the
Registry's key. This completes the ownership process. The
observer at this point does not know what owns the DET but is
assured, other than the risk of theft of the HI private key, that
this UAS ID is owned by something and it is properly registered.
</t>
<section anchor="post-quantum-computing-out-of-scope"><name>Post-Quantum Computing Is Out of Scope</name>
<t>
As stated in <xref target="I-D.ietf-drip-arch" section="8.1"
format="default" />, there has been no effort to
address post-quantum computing cryptography. UAs and Broadcast
Remote ID communications are so constrained that current
post-quantum computing cryptography is not applicable. In addition, because a UA
may use a unique DET for each operation, the attack window could be
limited to the duration of the operation.
</t>
<t>
Because HHITs contain the ID for the cryptographic suite used in their
creation, a future algorithm that is safe for post-quantum computing
and that fits the Remote ID constraints may readily be added.
</t>
</section>
<section anchor="DET_trust" numbered="true" toc="default"> <name>DET Trust in ASTM Messaging</name>
<t>
The DET in the ASTM Basic ID Message (Msg Type 0x0, the actual
Remote ID message) does not provide any assertion of trust. The
best that can be done within this Basic ID Message is to carry 4 bytes
truncated from a HI signing of the HHIT (the UA ID field is
20 bytes and a HHIT is 16). This is not trustable, as it is too open
to a hash attack. Minimally, it takes 88 bytes (<xref
target="RID_Auth" format="default"/>) to prove ownership of
a DET with a full EdDSA signature. Thus, no attempt has been made
to add DET trust directly within the very small Basic ID Message.
</t>
<t>
The ASTM Authentication Message (Msg Type 0x2) as shown in <xref
target="RID_Auth" format="default"/> can provide actual
ownership proofs in a practical manner. The endorsements and evidence include
timestamps to defend against replay attacks, but
they do not prove which UA sent the message. The messages could have been
sent by a dog running down the street with a Broadcast Remote ID
module strapped to its back.
</t>
<t>
Proof of UA transmission comes, for example, when the Authentication Message
includes proof of the ASTM Location/Vector Message (Msg Type 0x1)
and a) the observer can see the UA or b) the location information is validated by
ground multilateration. Only then does an observer gain full trust
in the DET of the UA.
</t>
<t>
DETs obtained via the Network RID path provide a different
approach to trust. Here the UAS <bcp14>SHOULD</bcp14> be securely communicating
to the USS, thus asserting DET trust.
</t>
</section>
<section anchor="Revocation" numbered="true" toc="default"> <name>DET Revocation</name>
<t>
The DNS entry for the DET can also provide a revocation service.
For example, instead of returning the HI RR, it may return some
record showing that the HI (and thus DET) has been revoked.
Guidance on revocation service will be provided in <xref
target="I-D.ietf-drip-registries" format="default"/>.
</t>
</section>
<section anchor="DET_privacy" numbered="true" toc="default"> <name>Privacy Considerations</name>
<t>
There is no expectation of privacy for DETs; it is not part of the
normative privacy requirements listed in <xref target="RFC9153"
section="4.3.1" format="default"/>. DETs are broadcast in the
clear over the open air via Bluetooth and Wi-Fi. They will be
collected and collated with other public information about the UAS.
This will include DET registration information and location and
times of operations for a DET. A DET can be for the life of a UA
if there is no concern about DET/UA activity harvesting.
</t>
<t>
Further, the Media Access Control (MAC) address of the wireless interface used for Remote
ID broadcasts is a target for UA operation aggregation that may
not be mitigated through MAC address randomization. For Bluetooth
4 Remote ID messaging, the MAC address is used by observers to link
the Basic ID Message that contains the RID with other Remote ID
messages, thus it must be constant for a UA operation. This use of
MAC addresses to link messages may not be needed with the Bluetooth 5
or Wi-Fi PHYs. These PHYs provide for a larger message payload and
can use the Message Pack (Msg Type 0xF) and the Authentication
Message to transmit the RID with other Remote ID messages. However,
sending the RID in a Message Pack or
Authentication Message is not mandatory, so using the MAC address for
UA message linking must be allowed. That is, the MAC address
should be stable for at least a UA operation.
</t>
<t>
Finally, it is not adequate to simply change the DET and MAC for a
UA per operation to defeat tracking the history of the UA's activity.
</t>
<t>
Any changes to the UA MAC may have impacts to C2 setup and
use. A constant GCS MAC may well defeat any privacy gains in UA
MAC and RID changes. UA/GCS binding is complicated if the UA MAC address can change;
historically, UAS design assumed these to be
"forever" and made setup a one-time process. Additionally, if IP
is used for C2, a changing MAC may mean a changing IP address to
further impact the UAS bindings. Finally, an encryption wrapper's
identifier (such as ESP <xref target="RFC4303"/> SPI) would need to
change per operation to ensure operation tracking separation.
</t>
<t>
Creating and maintaining UAS operational privacy is a multifaceted
problem. Many communication pieces need to be considered to truly
create a separation between UA operations. Changing the DET
only starts the changes that need to be implemented.
</t>
<t>
These privacy realities may present challenges for the European Union (EU) U-space
(<xref target="Uspace"/>) program.
</t>
</section>
<section anchor="Collision" numbered="true" toc="default"> <name>Collision Risks with DETs</name>
<t>
The 64-bit hash size here for DETs does have an increased risk of
collisions over the 96-bit hash size used for the ORCHID <xref
target="RFC7343" format="default"/> construct. There is a 0.01%
probability of a collision in a population of 66 million. The
probability goes up to 1% for a population of 663 million. See
<xref target="Coll_Prob" format="default"/> for the collision
probability formula.
</t>
<t>
However, this risk of collision is within a single "Additional
Information" value, i.e., a RAA/HDA domain. The UAS/USS
registration process should include registering the DET and <bcp14>MUST</bcp14>
reject a collision, forcing the UAS to generate a new HI and thus
HHIT and to reapply to the DET registration process (<xref
target="I-D.ietf-drip-registries" section="6" format="default"/>).
</t>
<t>
Thus an adversary trying to generate a collision and 'steal' the
DET would run afoul of this registration process and associated
validation process mentioned in <xref target="x509"
format="default"/>.
</t>
</section>
</section>
</middle>
<back>
<displayreference target="I-D.ietf-drip-registries" to="DRIP-REG"/>
<displayreference target="I-D.ietf-drip-arch" to="DRIP-ARCH"/>
<displayreference target="I-D.ietf-drip-auth" to="DRIP-AUTH"/>
<displayreference target="DOI_10.6028_NIST.FIPS.202" to="NIST.FIPS.202"/>
<displayreference target="DOI_10.6028_NIST.SP.800-185" to="NIST.SP.800-185"/>
<references> <name>References</name>
<references title="Normative References">
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6890.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7343.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7401.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8005.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8032.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8126.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml7/reference.DOI.10.6028/NIST.FIPS.202.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml7/reference.DOI.10.6028/NIST.SP.800-185.xml"/>
<reference anchor="RFC9373" target="https://www.rfc-editor.org/info/rfc9373">
<front>
<title>EdDSA Value for IPSECKEY</title>
<author initials="R." surname="Moskowitz" fullname="Robert Moskowitz">
<organization>HTT Consulting</organization>
</author>
<author initials="T." surname="Kivinen" fullname="Tero Kivinen"> </author>
<author initials="M." surname="Richardson" fullname="Michael Richardson">
<organization>Sandelman Software Works</organization>
</author>
<date month="February" year="2023"/>
</front>
<seriesInfo name="RFC" value="9373"/>
<seriesInfo name="DOI" value="10.17487/RFC9373"/>
</reference>
</references>
<references title="Informative References">
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3972.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4025.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4034.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4122.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4303.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml"/>
<!-- <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5730.xml"/> -->
<!-- <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7858.xml"/> -->
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8004.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8200.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9063.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9153.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9224.xml"/>
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/draft-ietf-drip-arch.xml"/>
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/draft-ietf-drip-auth.xml"/>
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/draft-ietf-drip-registries.xml"/>
<reference anchor="IANA-CGA" target="https://www.iana.org/assignments/cga-message-types">
<front>
<title>Cryptographically Generated Addresses (CGA) Message Type Name Space</title>
<author><organization>IANA</organization></author>
</front>
</reference>
<reference anchor="HHSI" target="https://www.iana.org/assignments/drip">
<front>
<title>Hierarchical HIT (HHIT) Suite IDs</title>
<author initials="" surname="" fullname="">
<organization>IANA</organization>
</author>
</front>
</reference>
<reference anchor="IANA-HIP" target="https://www.iana.org/assignments/hip-parameters">
<front>
<title>Host Identity Protocol (HIP) Parameters</title>
<author><organization>IANA</organization></author>
</front>
</reference>
<reference anchor="F3411-22a" target="https://www.astm.org/f3411-22a.html">
<front>
<title>Standard Specification for Remote ID and Tracking - F3411−22a</title>
<author><organization>ASTM International</organization></author>
<date month="07" year="2022" />
</front>
</reference>
<reference anchor="IPv6-SPECIAL" target="https://www.iana.org/assignments/iana-ipv6-special-registry/">
<front>
<title>IANA IPv6 Special-Purpose Address Registry</title>
<author initials="" surname="" fullname="">
<organization>IANA</organization>
</author>
</front>
</reference>
<reference anchor="CFRG-COMMENT" target="https://mailarchive.ietf.org/arch/msg/cfrg/tAJJq60W6TlUv7_pde5cw5TDTCU/">
<front>
<title>Please review draft-ietf-drip-rid</title>
<author initials="N" surname="Gajcowski" fullname="Nicholas H Gajcowski"/>
<date day="23" month="9" year="2021"/>
</front>
<refcontent>message to the CFRG mailing list</refcontent>
</reference>
<reference anchor="CTA2063A" target="https://shop.cta.tech/products/small-unmanned-aerial-systems-serial-numbers">
<front>
<title>Small Unmanned Aerial Systems Serial Numbers</title>
<author>
<organization>ANSI/CTA</organization>
</author>
<date month="09" year="2019"/>
</front>
</reference>
<reference anchor="CORUS" target="https://www.sesarju.eu/node/3411">
<front>
<title>SESAR Concept of Operations for U-space</title>
<author>
<organization>CORUS</organization>
</author>
<date day="9" month="09" year="2019" />
</front>
</reference>
<reference anchor="Keccak" target="https://keccak.team/index.html">
<front>
<title>Keccak Team</title>
<author fullname="Guido Bertoni" initials="G." surname="Bertoni">
<address/>
</author>
<author fullname="Joan Daemen" initials="J." surname="Daemen">
<organization>Radboud University</organization>
<address/>
</author>
<author fullname="Michaël Peeters" initials="M." surname="Peeters">
<organization>STMicroelectronics</organization>
<address/>
</author>
<author fullname="Gilles Van Assche" initials="G." surname="Van Assche">
<organization>STMicroelectronics</organization>
<address/>
</author>
<author fullname="Ronny Van Keer" initials="R." surname="Van Keer">
<organization>STMicroelectronics</organization>
<address/>
</author>
<date/>
</front>
</reference>
<reference anchor="FAA_RID" target="https://www.govinfo.gov/content/pkg/FR-2021-01-15/pdf/2020-28948.pdf">
<front>
<title>Remote Identification of Unmanned Aircraft</title>
<author >
<organization>United States Federal Aviation Administration (FAA)</organization>
</author>
<date day="15" month="1" year="2021"/>
</front>
</reference>
</references>
</references>
<section anchor="Uspace" numbered="true" toc="default"> <name>EU U-Space RID Privacy Considerations</name>
<t>
The EU is defining a future of airspace management known as U-space
within the Single European Sky ATM Research (SESAR) undertaking.
The Concept of Operation for EuRopean UTM Systems (CORUS) project
proposed low-level <xref target="CORUS" format="default">Concept of
Operations</xref> for UAS in the EU. It introduces strong
requirements for UAS privacy based on the European General Data Protection Regulation (GDPR).
It suggests that UAs are identified with agnostic IDs, with no
information about UA type, the operators, or flight trajectory.
Only authorized persons should be able to query the details of the
flight with a record of access.
</t>
<t>
Due to the high privacy requirements, a casual observer can only
query U-space if it is aware of a UA seen in a certain area. A
general observer can use a public U-space portal to query UA
details based on the UA transmitted "Remote identification" signal.
Direct remote identification (DRID) is based on a signal
transmitted by the UA directly. Network remote identification
(NRID) is only possible for UAs being tracked by U-Space and is
based on matching the current UA position to one of the tracks.
</t>
<t>
This is potentially a contrary expectation to that presented in
<xref target="DET_privacy" format="default"/>. U-space will have
to deal with this reality within the GDPR regulations. Still,
DETs as defined here present a large step in the right direction
for agnostic IDs.
</t>
<t>
The project lists "E-Identification" and "E-Registrations" services
as to be developed. These services can use DETs and follow the privacy
considerations outlined in this document for DETs.
</t>
<t>
If an "agnostic ID" above refers to a completely random identifier,
it creates a problem with identity resolution and detection of
misuse. On the other hand, a classical HIT has a flat structure
which makes its resolution difficult. The DET (HHIT)
provides a balanced solution by associating a registry with the UA
identifier. This is not likely to cause a major conflict with
U-space privacy requirements, as the registries are typically few
at a country level (e.g., civil personal, military, law
enforcement, or commercial).
</t>
</section>
<section anchor="HID_Split" numbered="true" toc="default"> <name>The 14/14 HID split</name>
<t>
The following explains the logic for dividing the 28
bits of the HID into two 14-bit components.
</t>
<t>
At this writing, the International Civil Aviation Organization (ICAO) has 193 member "States", and each may want to
control RID assignment within its National Air Space (NAS). Some
members may want separate RAAs to use for Civil, general
Government, and Military use. They may also want allowances for
competing Civil RAA operations. It is reasonable to plan for eight
RAAs per ICAO member (plus regional aviation organizations like in
the EU). Thus, as a start, a space of 4,096 RAAs is advised.
</t>
<t>
There will be requests by commercial entities for their own RAA
allotments. Examples could include international organizations
that will be using UAS and international delivery service
associations. These may be smaller than the RAA space needed by
ICAO member States and could be met with a 2,048 space allotment;
however, as will be seen, these might as well be 4,096.
</t>
<t>
This may well cover currently understood RAA entities. In the future, there will
be new applications, branching off into new areas, so yet
another space allocation should be set aside. If this is equal to
all that has been reserved, we should allow for 16,384 (2<sup>14</sup>) RAAs.
</t>
<t>
The HDA allocation follows a different logic from that of RAAs. Per
<xref target="Coll_Prob" format="default"/>, an HDA should be able
to easily assign 63M RIDs and even manage 663M with a "first come,
first assigned" registration process. For most HDAs, this is more
than enough, and a single HDA assignment within their RAA will
suffice. Most RAAs will only delegate to a couple of HDAs for their
operational needs. But there are major exceptions that point to
some RAAs needing large numbers of HDA assignments.
</t>
<t>
Delivery service operators like Amazon (est. 30K delivery vans) and
UPS (est. 500K delivery vans) may choose, for anti-tracking
reasons, to use unique RIDs per day or even per operation. 30K
delivery UAs could need between 11M and 44M RIDs. Anti-tracking
would be hard to provide if the HID were the same for a delivery
service fleet, so such a company may turn to an HDA that provides
this service to multiple companies so that whose UA is whose is not
evident in the HID. A USS providing this service could well use
multiple HDA assignments per year, depending on strategy.
</t>
<t>
Perhaps a single RAA providing HDAs for delivery service (or a similar
purpose) UAS could 'get by' with a 2048 HDA space (11-bits).
So the HDA space could well be served with only 12 bits
allocated out of the 28-bit HID space.
However, as this is speculation and deployment experience will take years,
a 14-bit HDA space has been selected.
</t>
<t>
There may also be 'small' ICAO member States that opt for a single
RAA and allocate their HDAs for all UAs that are permitted in their
NAS. The HDA space is large enough that a portion may be used for
government needs as stated above and for small commercial needs.
Alternatively,
the State may use a separate, consecutive RAA for commercial users.
Thus it would be 'easy' to recognize State-approved UA by
HID high-order bits.
</t>
<section anchor="DET_Encoding" numbered="true" toc="default"> <name>DET Encoding Example</name>
<t>
The upper 64 bits of DET appear to be oddly constructed from nibbled
fields, when typically seen in 8-bit representations. The
following works out the construction of the example in <xref
target="HHIT_DNS" format="default"/>.
</t>
<t>
In that example, the prefix is 2001:30::/28, the RAA is decimal 10,
and the HDA is decimal 20. Below is the RAA and HDA in 14-bit
format:
</t>
<artwork name="" type="" align="left" alt="">
<![CDATA[
RAA 10 = 00000000001010
HDA 20 = 00000000010100
]]></artwork>
<t>
The leftmost 4 bits of the RAA, all zeros, combine with the prefix
to form 2001:0030:, which leaves the remaining RAA
and HDA to combine to:
</t>
<artwork name="" type="" align="left" alt="">
<![CDATA[
0000|0010|1000|0000|0001|0100|
]]>
</artwork>
<t>
Which when combined with the OGA of x05 is 0280:1405, thus the whole
upper 64 bits are 2001:0030:0280:1405.
</t>
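<t>
The bit arithmetic worked out above, as an added Python example that is not part of the original document: it packs the 28-bit prefix, the 14-bit RAA, the 14-bit HDA, the 8-bit OGA and the 64-bit hash into an IPv6 address, and parses an address back into those fields while refusing anything outside the prefix. The function names and the sample hash value are constructed for illustration.
</t>
<sourcecode type="python"><![CDATA[
```python
import ipaddress

# Field widths, taken from the worked example above (upper 64 bits) plus
# the 64-bit hash that fills the lower half of the address.
PREFIX_BITS, RAA_BITS, HDA_BITS, OGA_BITS, HASH_BITS = 28, 14, 14, 8, 64
DET_PREFIX = 0x2001003  # the 28 leading bits of 2001:30::/28


def _check(name, value, bits):
    """Reject values that would spill into a neighbouring field."""
    if not isinstance(value, int) or not 0 <= value < (1 << bits):
        raise ValueError(f"{name} must fit in {bits} bits")
    return value


def pack_det(raa, hda, oga, hash64, prefix=DET_PREFIX):
    """Build the 128-bit DET from its fields; returns an IPv6Address."""
    value = _check("prefix", prefix, PREFIX_BITS)
    for name, field, bits in (("RAA", raa, RAA_BITS), ("HDA", hda, HDA_BITS),
                              ("OGA", oga, OGA_BITS), ("hash", hash64, HASH_BITS)):
        value = (value << bits) | _check(name, field, bits)
    return ipaddress.IPv6Address(value)


def parse_det(address, prefix=DET_PREFIX):
    """Split an address into DET fields; refuse anything outside the prefix."""
    value = int(ipaddress.IPv6Address(address))
    fields = {}
    # Peel the fields off from the least significant end.
    for name, bits in (("hash", HASH_BITS), ("oga", OGA_BITS),
                       ("hda", HDA_BITS), ("raa", RAA_BITS)):
        fields[name] = value & ((1 << bits) - 1)
        value >>= bits
    if value != prefix:
        raise ValueError(f"{address} is not inside the DET prefix")
    return fields


def upper64(address):
    """Upper 64 bits in the zero-padded four-group notation used in the text."""
    return ipaddress.IPv6Address(address).exploded[:19]


if __name__ == "__main__":
    SAMPLE_HASH = 0x0123456789ABCDEF  # constructed value, not a real HHIT hash
    det = pack_det(raa=10, hda=20, oga=0x05, hash64=SAMPLE_HASH)
    print(det, upper64(det), parse_det(det))
```
]]></sourcecode>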
</section>
</section>
<section anchor="Base32" numbered="true" toc="default"> <name>Base32 Alphabet</name>
<t>
The alphabet used in CTA 2063-A Serial Number does not map to
any published Base32 encoding scheme. Therefore, the following
Base32 Alphabet is used.
</t>
<t>
Each 5-bit group is used as an index into an array of 32 printable
characters. The character referenced by the index is placed in the
output string. These characters, identified below, are selected
from US-ASCII digits and uppercase letters.
</t>
<table anchor="table_Base32" align="center"> <name>The Base 32 Alphabet</name>
<thead>
<tr>
<th align="right">Value</th>
<th align="left">Encoding</th>
<th align="right">Value</th>
<th align="left">Encoding</th>
<th align="right">Value</th>
<th align="left">Encoding</th>
<th align="right">Value</th>
<th align="left">Encoding</th>
</tr>
</thead>
<tbody>
<tr>
<td align="right">0</td>
<td align="left">0</td>
<td align="right">8</td>
<td align="left">8</td>
<td align="right">16</td>
<td align="left">G</td>
<td align="right">24</td>
<td align="left">Q</td>
</tr>
<tr>
<td align="right">1</td>
<td align="left">1</td>
<td align="right">9</td>
<td align="left">9</td>
<td align="right">17</td>
<td align="left">H</td>
<td align="right">25</td>
<td align="left">R</td>
</tr>
<tr>
<td align="right">2</td>
<td align="left">2</td>
<td align="right">10</td>
<td align="left">A</td>
<td align="right">18</td>
<td align="left">J</td>
<td align="right">26</td>
<td align="left">T</td>
</tr>
<tr>
<td align="right">3</td>
<td align="left">3</td>
<td align="right">11</td>
<td align="left">B</td>
<td align="right">19</td>
<td align="left">K</td>
<td align="right">27</td>
<td align="left">U</td>
</tr>
<tr>
<td align="right">4</td>
<td align="left">4</td>
<td align="right">12</td>
<td align="left">C</td>
<td align="right">20</td>
<td align="left">L</td>
<td align="right">28</td>
<td align="left">V</td>
</tr>
<tr>
<td align="right">5</td>
<td align="left">5</td>
<td align="right">13</td>
<td align="left">D</td>
<td align="right">21</td>
<td align="left">M</td>
<td align="right">29</td>
<td align="left">W</td>
</tr>
<tr>
<td align="right">6</td>
<td align="left">6</td>
<td align="right">14</td>
<td align="left">E</td>
<td align="right">22</td>
<td align="left">N</td>
<td align="right">30</td>
<td align="left">X</td>
</tr>
<tr>
<td align="right">7</td>
<td align="left">7</td>
<td align="right">15</td>
<td align="left">F</td>
<td align="right">23</td>
<td align="left">P</td>
<td align="right">31</td>
<td align="left">Y</td>
</tr>
</tbody>
</table>
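<t>
An encoder and strict decoder for the alphabet in the table above, as an added Python example that is not part of the original document. Two points are assumptions made here: the 5-bit groups are taken most significant first, and the input length is a whole number of 5-bit groups. The function names are constructed for illustration.
</t>
<sourcecode type="python"><![CDATA[
```python
# Alphabet from the table above: index 0..31 -> character.
# The letters I, O, S and Z do not appear in it.
ALPHABET = "0123456789ABCDEFGHJKLMNPQRTUVWXY"
_VALUE = {ch: i for i, ch in enumerate(ALPHABET)}


def b32_encode(value, nbits):
    """Encode an nbits-wide unsigned integer, one character per 5-bit group.

    Assumption: groups are emitted most significant first and nbits is a
    multiple of 5, so no padding rule is needed.
    """
    if nbits <= 0 or nbits % 5:
        raise ValueError("nbits must be a positive multiple of 5")
    if not isinstance(value, int) or not 0 <= value < (1 << nbits):
        raise ValueError(f"value must fit in {nbits} bits")
    return "".join(ALPHABET[(value >> shift) & 0x1F]
                   for shift in range(nbits - 5, -1, -5))


def b32_decode(text):
    """Decode a string to (value, nbits).

    Strict on purpose: lowercase letters and the excluded look-alike
    letters are rejected instead of being silently mapped, so a mistyped
    or tampered identifier cannot decode to some other value.
    """
    if not text:
        raise ValueError("empty input")
    value = 0
    for pos, ch in enumerate(text):
        if ch not in _VALUE:
            raise ValueError(f"invalid character {ch!r} at position {pos}")
        value = (value << 5) | _VALUE[ch]
    return value, 5 * len(text)


if __name__ == "__main__":
    sample = (1 << 74) | 0x1234  # constructed 75-bit value
    encoded = b32_encode(sample, 75)
    print(encoded, b32_decode(encoded) == (sample, 75))
```
]]></sourcecode>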
</section>
<section anchor="Coll_Prob" numbered="true" toc="default"> <name>Calculating Collision Probabilities</name>
<t>
The accepted formula for calculating the probability of a collision
is:
</t>
<t>p = 1 - e<sup>{-k<sup>2</sup>/(2n)}</sup></t>
<dl>
<dt>p:</dt><dd>Collision Probability</dd>
<dt>n:</dt><dd>Total possible population</dd>
<dt>k:</dt><dd>Actual population</dd>
</dl>
<t>
The following table provides the approximate population size for a
collision for a given total population.
</t>
<table>
<name>Approximate Population Size With Collision Risk</name>
<thead>
<tr>
<th rowspan="2">Total Population</th>
<th rowspan="1" colspan="2">Deployed Population With Collision Risk of</th>
</tr>
<tr>
<th>.01%</th>
<th>1%</th>
</tr>
</thead>
<tbody>
<tr>
<td>2<sup>96</sup></td>
<td>4T</td>
<td>42T</td>
</tr>
<tr>
<td>2<sup>72</sup></td>
<td>1B</td>
<td>10B</td>
</tr>
<tr>
<td>2<sup>68</sup></td>
<td>250M</td>
<td>2.5B</td>
</tr>
<tr>
<td>2<sup>64</sup></td>
<td>66M</td>
<td>663M</td>
</tr>
<tr>
<td>2<sup>60</sup></td>
<td>16M</td>
<td>160M</td>
</tr>
</tbody>
</table>
</section>
<section numbered="false" toc="default"> <name>Acknowledgments</name>
<t>
Dr. Gurtov is an adviser on Cybersecurity to the Swedish Civil
Aviation Administration.
</t>
<t>
Quynh Dang of NIST gave considerable guidance on using Keccak and
the supporting NIST documents. Joan Daemen of the Keccak team was
especially helpful in many aspects of using Keccak. Nicholas
Gajcowski <xref target="CFRG-COMMENT" format="default"/> provided a
concise hash pre-image security assessment via the CFRG list.
</t>
<t>
Many thanks to Michael Richardson and Brian Haberman for the iotdir
review, Magnus Nystrom for the secdir review, Elwyn Davies for the
genart review, and the DRIP co-chair and document shepherd, Mohamed
Boucadair, for his extensive comments and help on document clarity.
And finally, many thanks to the Area Directors: Roman Danyliw, Erik
Kline, Murray Kucherawy, Warren Kumari, John Scudder, Paul Wouters,
and Sarker Zaheduzzaman, for the IESG review.
</t>
</section>
</back>
</rfc>